spring-cloud-config icon indicating copy to clipboard operation
spring-cloud-config copied to clipboard
verified publisher icon spring-cloud

[WIP]Security enhancement.

Open ian4hu opened this issue 4 years ago • 5 comments

Working in progress. Suggestions and discuss are welcomed.

For #1902 #1796 .

As discussed in #1796 .

Main function

  • Use SecurityEnhancer to secure sensitive components accessed by controller/web.
    • SecurityEnhancer to wrap components with Secure metadata by @PreAuthorize on EnvRepoWithSecurity mark interface.
    • Spring Security will invoke AuthorityExtractor to extract authorities for a certain access to sensitive component (like EnvironmentRepository, ResourceRepository, Encryptor/Decryptor).
  • Use Spring Security to check authorities for requestor/client.

ian4hu avatar Jun 10 '21 16:06 ian4hu

This kind of change typically requires some design on our side before making a PR like this. We have prior art in the commercial side that we could base work on. I'm not sure we'll be able to merge this.

spencergibb avatar Jun 10 '21 16:06 spencergibb

This kind of change typically requires some design on our side before making a PR like this. We have prior art in the commercial side that we could base work on. I'm not sure we'll be able to merge this.

I made this PR for discussion more likely.

ian4hu avatar Jun 10 '21 16:06 ian4hu

Codecov Report

Merging #1906 (05cdb4f) into main (b1e795d) will increase coverage by 0.25%. The diff coverage is 85.83%.

Impacted file tree graph

@@             Coverage Diff              @@
##               main    #1906      +/-   ##
============================================
+ Coverage     78.13%   78.38%   +0.25%     
- Complexity     1325     1366      +41     
============================================
  Files           167      180      +13     
  Lines          4894     5011     +117     
  Branches        657      659       +2     
============================================
+ Hits           3824     3928     +104     
- Misses          807      818      +11     
- Partials        263      265       +2
Impacted Files Coverage Δ
...g/server/config/ConfigServerAutoConfiguration.java 100.00% <ø> (ø)
...erver/security/ConfigServerSecurityProperties.java 40.00% <40.00%> (ø)
...rver/config/ConfigServerSecurityConfiguration.java 60.00% <60.00%> (ø)
.../config/server/security/AbstractAccessRequest.java 70.00% <70.00%> (ø)
...nfig/server/security/EnvironmentAccessRequest.java 71.42% <71.42%> (ø)
.../config/server/security/ResourceAccessRequest.java 71.42% <71.42%> (ø)
...config/server/security/EncryptorAccessRequest.java 75.00% <75.00%> (ø)
...fig/server/security/DefaultAuthorityExtractor.java 84.21% <84.21%> (ø)
...ud/config/server/security/EnvRepoWithSecurity.java 90.00% <90.00%> (ø)
...er/config/ConfigServerEncryptionConfiguration.java 100.00% <100.00%> (ø)
... and 22 more

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update b1e795d...05cdb4f. Read the comment docs.

codecov[bot] avatar Jun 10 '21 16:06 codecov[bot]

I appreciate it, but such a large change should be discussed first. Had you done that I would have cautioned you not to do any work yet. We have code (closed source) that we would like to start with that you don't have access to

spencergibb avatar Jun 10 '21 16:06 spencergibb

will the close sourced solution be.considered to open?

ian4hu avatar Jun 10 '21 16:06 ian4hu