From f5f773a90bffc45ed1b85165116e46641a5645d4 Mon Sep 17 00:00:00 2001 From: Jim Martens Date: Mon, 30 Oct 2023 13:30:17 +0100 Subject: [PATCH] Added logging and reformatted, updated drone config --- .drone.yml | 30 ++----- .../security/SpringPolicyEnforcer.kt | 81 ++++++++++--------- 2 files changed, 48 insertions(+), 63 deletions(-) diff --git a/.drone.yml b/.drone.yml index cfe5160..3ab1642 100644 --- a/.drone.yml +++ b/.drone.yml @@ -118,10 +118,13 @@ steps: - ssh-keyscan -H git.2martens.de > $HOME/.ssh/known_hosts 2>/dev/null - git clone ssh://giteajim@git.2martens.de:22/2martens/cloud-configuration.git . - git checkout main - - name: modify deployed image + - name: update image version image: alpine commands: - - sed -i -r "s/(wahlrecht_image_version:).*/\1\ ${DRONE_SEMVER}/" ansible/inventories/host_vars/api-server/public.yaml + - mkdir $HOME/bin + - wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_arm64 -O $HOME/bin/yq && chmod +x $HOME/bin/yq + - sed -i -r "s/(tag:).*/\1\ \"${DRONE_SEMVER}\"/" argocd/wahlrecht/${DRONE_DEPLOY_TO}/overwrite_values.yaml + - cd argocd/configserver/${DRONE_DEPLOY_TO} && $HOME/bin/yq '. *= load("overwrite_values.yaml")' default_values.yaml > values.yaml - name: save modified variable file image: alpine/git environment: 
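Review bot: The new `update image version` step fetches `yq` from the `releases/latest` URL with `wget` and runs it unverified, so whatever that URL serves on a given day is executed in the pipeline and its output is committed to the configuration repository; pin a release and check the binary against a digest recorded in this file, e.g. `wget https://github.com/mikefarah/yq/releases/download/<PINNED_VERSION>/yq_linux_arm64 -O $HOME/bin/yq` followed by `echo "<EXPECTED_SHA256>  $HOME/bin/yq" | sha256sum -c -`. `mkdir $HOME/bin` also aborts the step if the directory already exists on a reused workspace; `mkdir -p $HOME/bin` is the safer form. The `yq_linux_arm64` asset assumes an arm64 runner, which cannot be confirmed from this hunk, and the `sed` pattern `(tag:).*` rewrites every line containing `tag:` in `overwrite_values.yaml`, which is only safe if that file holds a single such key.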
@@ -134,32 +137,13 @@ steps: - touch $HOME/.ssh/known_hosts - chmod 600 $HOME/.ssh/known_hosts - ssh-keyscan -H git.2martens.de > $HOME/.ssh/known_hosts 2>/dev/null - - git add ansible/inventories/host_vars/api-server/public.yaml + - git add argocd/wahlrecht/${DRONE_DEPLOY_TO}/* - git diff-index --quiet HEAD || git commit -m "[Drone] Changed wahlrecht_image_version to ${DRONE_SEMVER}" - git push origin main - - name: deploy image - image: plugins/ansible:latest - volumes: - - name: cache - path: /root/.ansible - settings: - playbook: ansible/deploy_spring.yaml - inventory: ansible/inventories/production - galaxy: ansible/requirements.yaml - galaxy_force: false - private_key: - from_secret: private_ssh_key - vault_password: - from_secret: vault_password - -volumes: - - name: cache - host: - path: /var/lib/drone/cache/.ansible trigger: target: - - production + - test event: include: - promote diff --git a/module-server/src/main/kotlin/de/twomartens/wahlrecht/security/SpringPolicyEnforcer.kt b/module-server/src/main/kotlin/de/twomartens/wahlrecht/security/SpringPolicyEnforcer.kt index c1c96fa..661a1ae 100644 --- a/module-server/src/main/kotlin/de/twomartens/wahlrecht/security/SpringPolicyEnforcer.kt +++ b/module-server/src/main/kotlin/de/twomartens/wahlrecht/security/SpringPolicyEnforcer.kt 
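Review bot: `git add argocd/wahlrecht/${DRONE_DEPLOY_TO}/*` does not pick up the `values.yaml` that the previous step generates under `argocd/configserver/${DRONE_DEPLOY_TO}/`, so either that merged file is never committed or one of the two directory names is a typo; the path in the `update image version` step and the path in this `git add` should agree. The commit message `[Drone] Changed wahlrecht_image_version to ${DRONE_SEMVER}` still names the old Ansible variable although the step now edits `tag:` in an Argo CD overwrite file, e.g. `git commit -m "[Drone] Set wahlrecht image tag to ${DRONE_SEMVER}"`. The trigger target also moves from `production` to `test` in this hunk, which the commit title does not mention and which changes which promotions run this pipeline.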
@@ -13,53 +13,54 @@ import org.keycloak.representations.idm.authorization.Permission class SpringPolicyEnforcer(private val policyEnforcer: PolicyEnforcer, private val policyEnforcerConfig: PolicyEnforcerConfig) { - fun enforce(request: HttpRequest, response: HttpResponse): AuthorizationContext { - if (log.isDebugEnabled) { - log.debug("Policy enforcement is enabled. Enforcing policy decisions for path [{}].", request.uri) - } - val context = authorize(request, response) - if (log.isDebugEnabled) { - log.debug("Policy enforcement result for path [{}] is : {}", request.uri, if (context.isGranted) "GRANTED" else "DENIED") - log.debug("Returning authorization context with permissions:") - for (permission in context.permissions) { - log.debug(permission.toString()) - } - } - return context + fun enforce(request: HttpRequest, response: HttpResponse): AuthorizationContext { + if (log.isDebugEnabled) { + log.debug("Policy enforcement is enabled. Enforcing policy decisions for path [{}].", request.uri) } - - private fun authorize(request: HttpRequest, response: HttpResponse): AuthorizationContext { - val enforcementMode = policyEnforcerConfig.enforcementMode - return if (EnforcementMode.DISABLED == enforcementMode) { - createAuthorizedContext() - } else policyEnforcer.enforce(request, response) + val context = authorize(request, response) + if (log.isDebugEnabled) { + log.debug("Policy enforcement result for path [{}] is : {}", request.uri, if (context.isGranted) "GRANTED" else "DENIED") + log.debug("Returning authorization context with permissions:") + for (permission in context.permissions) { + log.debug(permission.toString()) + } } + return context + } - private fun createAuthorizedContext(): AuthorizationContext { - return object : ClientAuthorizationContext(policyEnforcer.authzClient) { - override fun hasPermission(resourceName: String, scopeName: String): Boolean { - return true - } + private fun authorize(request: HttpRequest, response: HttpResponse): 
AuthorizationContext { + val enforcementMode = policyEnforcerConfig.enforcementMode + log.debug("Authorize with enforcement mode: [{}]", enforcementMode) + return if (EnforcementMode.DISABLED == enforcementMode) { + createAuthorizedContext() + } else policyEnforcer.enforce(request, response) + } - override fun hasResourcePermission(resourceName: String): Boolean { - return true - } + private fun createAuthorizedContext(): AuthorizationContext { + return object : ClientAuthorizationContext(policyEnforcer.authzClient) { + override fun hasPermission(resourceName: String, scopeName: String): Boolean { + return true + } - override fun hasScopePermission(scopeName: String): Boolean { - return true - } + override fun hasResourcePermission(resourceName: String): Boolean { + return true + } - override fun getPermissions(): List { - return emptyList() - } + override fun hasScopePermission(scopeName: String): Boolean { + return true + } - override fun isGranted(): Boolean { - return true - } - } + override fun getPermissions(): List { + return emptyList() + } + + override fun isGranted(): Boolean { + return true + } } + } - companion object { - private val log = KotlinLogging.logger {} - } + companion object { + private val log = KotlinLogging.logger {} + } } \ No newline at end of file
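Review bot: The new `log.debug("Authorize with enforcement mode: [{}]", enforcementMode)` in `authorize` is the only log call in the hunk that is not wrapped in `if (log.isDebugEnabled)`, while `enforce` still guards each of its calls; with kotlin-logging the idiomatic form for all of them is the lazy lambda, `log.debug { "Authorize with enforcement mode: [$enforcementMode]" }`, which makes the guards unnecessary. Because `EnforcementMode.DISABLED` makes `authorize` return the all-granting context from `createAuthorizedContext`, this debug-level message is the only trace that every request is being permitted; consider reporting that condition once at a higher level (for example in an `init` block, outside this hunk) so a misconfigured deployment is visible in normal logs. `createAuthorizedContext` would also benefit from a KDoc stating that the returned `ClientAuthorizationContext` answers true for every resource and scope and is only meant for the DISABLED mode.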