# HG changeset patch
# User Severin Gehwolf
# Date 1504001138 -7200
# Node ID 915993144f20c45fd92d9db532dbd50363f5d5e5
# Parent 75ca7e4f32265bf8ffa12870588897b643671f5d
Explicitly require basic auth config.
Reviewed-by: jkang
Review-thread: http://icedtea.classpath.org/pipermail/thermostat/2017-August/024724.html
diff -r 75ca7e4f3226 -r 915993144f20 agent/core/src/main/java/com/redhat/thermostat/agent/config/AgentConfigsUtils.java
--- a/agent/core/src/main/java/com/redhat/thermostat/agent/config/AgentConfigsUtils.java Wed Aug 23 18:53:32 2017 +0200
+++ b/agent/core/src/main/java/com/redhat/thermostat/agent/config/AgentConfigsUtils.java Tue Aug 29 12:05:38 2017 +0200
@@ -93,15 +93,14 @@
 }
 Boolean keycloakEnabled = Boolean.valueOf(properties.getProperty(AgentProperties.KEYCLOAK_ENABLED.name()));
- if (keycloakEnabled != null) {
- configuration.setKeycloakEnabled(keycloakEnabled);
-
+ configuration.setKeycloakEnabled(keycloakEnabled);
+ if (keycloakEnabled) {
 configuration.setKeycloakRealm(properties.getProperty(AgentProperties.KEYCLOAK_REALM.name()));
 configuration.setKeycloakUrl(properties.getProperty(AgentProperties.KEYCLOAK_URL.name()));
 configuration.setKeycloakClient(properties.getProperty(AgentProperties.KEYCLOAK_CLIENT.name()));
- } else {
- configuration.setKeycloakEnabled(false);
 }
+ Boolean basicAuthEnabled = Boolean.valueOf(properties.getProperty(AgentProperties.BASIC_AUTH_ENABLED.name()));
+ configuration.setBasicAuthEnabled(basicAuthEnabled);
 }
 }
diff -r 75ca7e4f3226 -r 915993144f20 agent/core/src/main/java/com/redhat/thermostat/agent/config/AgentProperties.java
--- a/agent/core/src/main/java/com/redhat/thermostat/agent/config/AgentProperties.java Wed Aug 23 18:53:32 2017 +0200
+++ b/agent/core/src/main/java/com/redhat/thermostat/agent/config/AgentProperties.java Tue Aug 29 12:05:38 2017 +0200
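Review bot: `Boolean.valueOf(String)` in the two property reads turns a missing key and a mistyped value into `false` with no diagnostic (and, if the file is loaded with java.util.Properties, a value with trailing whitespace such as `true ` as well), so an agent.properties that predates this change ends up with both schemes disabled and requests leaving without credentials. Now that the auth scheme must be chosen explicitly, I would validate at load time: trim the value, accept only `true`/`false`, and reject the configuration when neither KEYCLOAK_ENABLED nor BASIC_AUTH_ENABLED is true; the test hunk shows createAgentConfigs declaring InvalidConfigurationException, though whether this method can throw it is not visible here. The KEYCLOAK_REALM, KEYCLOAK_URL and KEYCLOAK_CLIENT values are also stored unchecked when Keycloak is enabled, so a missing one surfaces only later. A smaller point is the boxed local: `boolean basicAuthEnabled = Boolean.parseBoolean(properties.getProperty(AgentProperties.BASIC_AUTH_ENABLED.name()));` says the same without a `Boolean`. The enclosing method starts outside the hunk.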
@@ -45,5 +45,6 @@
 KEYCLOAK_URL,
 KEYCLOAK_REALM,
 KEYCLOAK_CLIENT,
+ BASIC_AUTH_ENABLED,
 }
diff -r 75ca7e4f3226 -r 915993144f20 agent/core/src/main/java/com/redhat/thermostat/agent/config/AgentStartupConfiguration.java
--- a/agent/core/src/main/java/com/redhat/thermostat/agent/config/AgentStartupConfiguration.java Wed Aug 23 18:53:32 2017 +0200
+++ b/agent/core/src/main/java/com/redhat/thermostat/agent/config/AgentStartupConfiguration.java Tue Aug 29 12:05:38 2017 +0200
@@ -48,6 +48,7 @@
 private String keycloakUrl;
 private String keycloakRealm;
 private String keycloakClient;
+ private boolean basicAuthEnabled;
 AgentStartupConfiguration() {
 }
@@ -109,5 +110,13 @@
 public void setKeycloakRealm(String keycloakRealm) {
 this.keycloakRealm = keycloakRealm;
 }
+
+ public boolean isBasicAuthEnabled() {
+ return basicAuthEnabled;
+ }
+
+ public void setBasicAuthEnabled(boolean basicAuthEnabled) {
+ this.basicAuthEnabled = basicAuthEnabled;
+ }
 }
diff -r 75ca7e4f3226 -r 915993144f20 agent/core/src/main/java/com/redhat/thermostat/agent/http/HttpRequestService.java
--- a/agent/core/src/main/java/com/redhat/thermostat/agent/http/HttpRequestService.java Wed Aug 23 18:53:32 2017 +0200
+++ b/agent/core/src/main/java/com/redhat/thermostat/agent/http/HttpRequestService.java Tue Aug 29 12:05:38 2017 +0200
@@ -133,9 +133,11 @@
 try {
 if (agentStartupConfiguration.isKeycloakEnabled()) {
 request.header(HttpHeader.AUTHORIZATION.asString(), "Bearer " + getAccessToken());
- } else {
+ } else if (agentStartupConfiguration.isBasicAuthEnabled()) {
 request.header(HttpHeader.AUTHORIZATION.asString(), getBasicAuthHeaderValue());
+ } else {
+ logger.warning("Neither KEYCLOAK_ENABLED=true nor BASIC_AUTH_ENABLED=true. Requests will probably fail.");
 }
 ContentResponse response = request.send();
 int status = response.getStatus();
diff -r 75ca7e4f3226 -r 915993144f20 agent/core/src/test/java/com/redhat/thermostat/agent/config/AgentConfigsUtilsTest.java
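Review bot: In the new final `else` of the HttpRequestService hunk, the request is still sent with no Authorization header and the only signal is a `logger.warning` emitted on every call, so a misconfigured agent both floods the log and keeps transmitting its payloads unauthenticated. I would check the two flags once when the service is activated and either refuse to start or log the warning a single time there; if sending must remain possible, guard the warning so it fires once. The `if` chain also deserves a one-line comment that Keycloak wins when both flags are true, matching the wording added to agent.properties, for example `// Keycloak takes precedence over basic auth when both are enabled`. Basic credentials are only base64-encoded, so this branch relies on the gateway URL being https, and no scheme check is visible in these lines. The enclosing method begins and ends outside the hunk.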
--- a/agent/core/src/test/java/com/redhat/thermostat/agent/config/AgentConfigsUtilsTest.java Wed Aug 23 18:53:32 2017 +0200
+++ b/agent/core/src/test/java/com/redhat/thermostat/agent/config/AgentConfigsUtilsTest.java Tue Aug 29 12:05:38 2017 +0200
@@ -36,6 +36,9 @@
 package com.redhat.thermostat.agent.config;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
 import java.io.File;
 import java.io.IOException;
 import java.util.Properties;
@@ -98,6 +101,16 @@
 Assert.assertTrue(config.purge());
 }
+ @Test
+ public void testIsBasicAuthEnabled() throws InvalidConfigurationException, IOException {
+ Properties sysProps = createSystemProperties();
+ Properties userProps = createUserProperties();
+ setConfigs(sysProps, userProps);
+ AgentStartupConfiguration config = AgentConfigsUtils.createAgentConfigs();
+ assertTrue(config.isBasicAuthEnabled());
+ assertFalse(config.isKeycloakEnabled());
+ }
+
 private Properties createSystemProperties(String configListenAddress) {
 return doCreateSystemProperties(configListenAddress);
 }
@@ -110,7 +123,8 @@
 Properties agentProperties = new Properties();
 agentProperties.setProperty("DB_URL", "http://5.6.7.8:9002/world");
 agentProperties.setProperty("SAVE_ON_EXIT", "false");
- agentProperties.setProperty("CONFIG_LISTEN_ADDRESS", "24.24.24.24:24");
+ agentProperties.setProperty("BASIC_AUTH_ENABLED", "true");
+ agentProperties.setProperty("KEYCLOAK_ENABLED", "false");
 return agentProperties;
 }
diff -r 75ca7e4f3226 -r 915993144f20 agent/core/src/test/java/com/redhat/thermostat/agent/http/HttpRequestServiceTest.java
--- a/agent/core/src/test/java/com/redhat/thermostat/agent/http/HttpRequestServiceTest.java Wed Aug 23 18:53:32 2017 +0200
+++ b/agent/core/src/test/java/com/redhat/thermostat/agent/http/HttpRequestServiceTest.java Tue Aug 29 12:05:38 2017 +0200
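Review bot: `testIsBasicAuthEnabled` covers only the case where the fixture sets BASIC_AUTH_ENABLED=true; the security-relevant default, where the key is absent and `Boolean.valueOf(null)` yields `false`, is not pinned, and neither is a malformed value. A second test that loads properties without the key and ends in `assertFalse(config.isBasicAuthEnabled());` would document that behaviour for anyone upgrading an older agent.properties. The fixture change in the last hunk also drops CONFIG_LISTEN_ADDRESS from these properties; the method it belongs to starts outside the hunk, so it is worth confirming that no other test relied on that value. The new static imports sit next to the existing `Assert.assertTrue(...)` call style, and the file would read better with one of the two.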
@@ -109,7 +109,7 @@
 @Test
 public void testRequestWithoutKeycloak() throws Exception {
- AgentStartupConfiguration configuration = createNoKeycloakConfig();
+ AgentStartupConfiguration configuration = createBasicAuthConfig();
 HttpRequestService service = createAndActivateRequestService(configuration);
@@ -177,7 +177,7 @@
 @Test
 public void testRequestWithNullPayload() throws Exception {
- AgentStartupConfiguration configuration = createNoKeycloakConfig();
+ AgentStartupConfiguration configuration = createBasicAuthConfig();
 HttpRequestService service = createAndActivateRequestService(configuration);
@@ -193,8 +193,8 @@
 }
 @Test
- public void verifyNoKeycloakDefaultsToAuthBasic() throws Exception {
- AgentStartupConfiguration configuration = createNoKeycloakConfig();
+ public void verifyBasicAuthConfig() throws Exception {
+ AgentStartupConfiguration configuration = createBasicAuthConfig();
 HttpRequestService service = createAndActivateRequestService(configuration);
@@ -215,6 +215,29 @@
 verify(httpRequest).send();
 }
+ /**
+ * If no authentication settings are done, no authorization headers should
+ * get added.
+ *
+ * @throws Exception
+ */
+ @Test
+ public void verifyNoAuthConfig() throws Exception {
+ AgentStartupConfiguration configuration = createNoAuthConfig();
+
+ HttpRequestService service = createAndActivateRequestService(configuration);
+
+ service.sendHttpRequest(null, GATEWAY_URI, com.redhat.thermostat.agent.http.HttpRequestService.Method.GET);
+
+ verify(client).newRequest(GATEWAY_URI);
+ verify(configuration).isKeycloakEnabled();
+ verify(configuration).isBasicAuthEnabled();
+
+ verify(httpRequest, times(0)).header(eq(HttpHeader.AUTHORIZATION.asString()), anyString());
+ verify(httpRequest).method(eq(HttpMethod.GET));
+ verify(httpRequest).send();
+ }
+
 private String getDecodedUserPass(String userPassEncoded) throws IOException {
 @SuppressWarnings("restriction")
 byte[] decodedBytes = new sun.misc.BASE64Decoder().decodeBuffer(userPassEncoded);
@@ -235,7 +258,7 @@
 HttpClientCreator creator = mock(HttpClientCreator.class);
 HttpClientFacade getClient = setupHttpClient(creator, getContent);
- AgentStartupConfiguration configuration = createNoKeycloakConfig();
+ AgentStartupConfiguration configuration = createBasicAuthConfig();
 ConfigCreator configCreator = mock(ConfigCreator.class);
 when(configCreator.create(any(CommonPaths.class))).thenReturn(configuration);
 HttpRequestService service = new HttpRequestService(creator, configCreator, credsCreator);
@@ -251,7 +274,7 @@
 HttpClientCreator creator = mock(HttpClientCreator.class);
 HttpClientFacade getClient = setupHttpClient(creator, getContent);
- AgentStartupConfiguration configuration = createNoKeycloakConfig();
+ AgentStartupConfiguration configuration = createBasicAuthConfig();
 ConfigCreator configCreator = mock(ConfigCreator.class);
 when(configCreator.create(any(CommonPaths.class))).thenReturn(configuration);
 HttpRequestService service = new HttpRequestService(creator, configCreator, credsCreator);
@@ -281,15 +304,24 @@
 public void failureThrowsRequestFailedException() throws Exception {
 Request request = mock(Request.class);
 when(client.newRequest(any(URI.class))).thenReturn(request);
- AgentStartupConfiguration configuration = createNoKeycloakConfig();
+ AgentStartupConfiguration configuration = createBasicAuthConfig();
 doThrow(IOException.class).when(request).send();
 HttpRequestService service = createAndActivateRequestService(configuration);
 service.sendHttpRequest("foo", GATEWAY_URI, com.redhat.thermostat.agent.http.HttpRequestService.Method.DELETE /*any valid method*/);
 }
- private AgentStartupConfiguration createNoKeycloakConfig() {
+ private AgentStartupConfiguration createBasicAuthConfig() {
+ return createAuthConfig(true, false);
+ }
+
+ private AgentStartupConfiguration createNoAuthConfig() {
+ return createAuthConfig(false, false);
+ }
+
+ private AgentStartupConfiguration createAuthConfig(boolean isBasicAuthEnabled, boolean isKeycloakEnabled) {
 AgentStartupConfiguration configuration = mock(AgentStartupConfiguration.class);
- when(configuration.isKeycloakEnabled()).thenReturn(false);
+ when(configuration.isKeycloakEnabled()).thenReturn(isKeycloakEnabled);
+ when(configuration.isBasicAuthEnabled()).thenReturn(isBasicAuthEnabled);
 return configuration;
 }
diff -r 75ca7e4f3226 -r 915993144f20 distribution/config/agent.properties
--- a/distribution/config/agent.properties Wed Aug 23 18:53:32 2017 +0200
+++ b/distribution/config/agent.properties Tue Aug 29 12:05:38 2017 +0200
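Review bot: `createAuthConfig(boolean, boolean)` is called only with Keycloak disabled in the visible hunks, so the precedence rule that agent.properties now documents (Keycloak wins when both flags are true) is not pinned through this helper; the Keycloak tests may build their configuration elsewhere in the file, which is not shown. A case using `createAuthConfig(true, true)` that verifies a `Bearer` header is set and `getBasicAuthHeaderValue` is not consulted would cover it. The two adjacent boolean parameters are also easy to transpose at the call site, so a short comment on the helper stating the order, such as `// (basicAuth, keycloak)`, would help readers of `createAuthConfig(true, false)`.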
@@ -2,8 +2,18 @@
 # or rather will purge the db
 SAVE_ON_EXIT=true
+# Keycloak configuration settings
+#
+# Set this to true in order to use Keycloak as the authentication
+# and authorization provider. If set to true BASIC authentication
+# will NOT be used.
+KEYCLOAK_ENABLED=false
 # Keycloak server URL used for authentication of http requests
-KEYCLOAK_ENABLED=false
 KEYCLOAK_URL=http://127.0.0.1:31000
 KEYCLOAK_REALM=thermostat
 KEYCLOAK_CLIENT=thermostat-web-client
+
+# Set to true if basic authentication shall be used for
+# HTTP requests. KEYCLOAK_ENABLED must be set to false as
+# that provider takes precedence.
+BASIC_AUTH_ENABLED=true