Enable auth via URI query param for badge API

Allows API authentication via URI query param for badge requests as an alternative to header authentication because typical use cases for badges do not easily allow header injection. Requires stevespringett/Alpine#641 Signed-off-by: Kirill.Sybin <[email protected]>
DependencyTrack · Sep 1, 2024 · 1f592ae · 1f592ae
1 parent 871b47b
commit 1f592ae
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/src/main/java/org/dependencytrack/resources/v1/BadgeResource.java b/src/main/java/org/dependencytrack/resources/v1/BadgeResource.java
@@ -18,6 +18,7 @@
  */
 package org.dependencytrack.resources.v1;
 
+import alpine.server.auth.AllowApiKeyInQueryParameter;
 import alpine.server.auth.PermissionRequired;
 import alpine.server.resources.AlpineResource;
 import io.swagger.v3.oas.annotations.Operation;
@@ -52,7 +53,8 @@
 @Tag(name = "badge")
 @SecurityRequirements({
         @SecurityRequirement(name = "ApiKeyAuth"),
-        @SecurityRequirement(name = "BearerAuth")
+        @SecurityRequirement(name = "BearerAuth"),
+        @SecurityRequirement(name = "ApiKeyQueryAuth")
 })
 public class BadgeResource extends AlpineResource {
 
@@ -75,6 +77,7 @@ public class BadgeResource extends AlpineResource {
             @ApiResponse(responseCode = "404", description = "The project could not be found")
     })
     @PermissionRequired(Permissions.Constants.VIEW_BADGES)
+    @AllowApiKeyInQueryParameter
     public Response getProjectVulnerabilitiesBadge(
             @Parameter(description = "The UUID of the project to retrieve metrics for", schema = @Schema(type = "string", format = "uuid"), required = true)
             @PathParam("uuid") @ValidUuid String uuid) {
@@ -110,6 +113,7 @@ public Response getProjectVulnerabilitiesBadge(
             @ApiResponse(responseCode = "404", description = "The project could not be found")
     })
     @PermissionRequired(Permissions.Constants.VIEW_BADGES)
+    @AllowApiKeyInQueryParameter
     public Response getProjectVulnerabilitiesBadge(
             @Parameter(description = "The name of the project to query on", required = true)
             @PathParam("name") String name,
@@ -147,6 +151,7 @@ public Response getProjectVulnerabilitiesBadge(
             @ApiResponse(responseCode = "404", description = "The project could not be found")
     })
     @PermissionRequired(Permissions.Constants.VIEW_BADGES)
+    @AllowApiKeyInQueryParameter
     public Response getProjectPolicyViolationsBadge(
             @Parameter(description = "The UUID of the project to retrieve a badge for", schema = @Schema(type = "string", format = "uuid"), required = true)
             @PathParam("uuid") @ValidUuid String uuid) {
@@ -182,6 +187,7 @@ public Response getProjectPolicyViolationsBadge(
             @ApiResponse(responseCode = "404", description = "The project could not be found")
     })
     @PermissionRequired(Permissions.Constants.VIEW_BADGES)
+    @AllowApiKeyInQueryParameter
     public Response getProjectPolicyViolationsBadge(
             @Parameter(description = "The name of the project to query on", required = true)
             @PathParam("name") String name,

diff --git a/src/main/resources/openapi-configuration.yaml b/src/main/resources/openapi-configuration.yaml
@@ -23,6 +23,10 @@ openAPI:
       BearerAuth:
         type: http
         scheme: Bearer
+      ApiKeyQueryAuth:
+        name: apiKey
+        type: apiKey
+        in: query
 prettyPrint: true
 resourcePackages:
 - alpine.server.resources