From 391e79fc97731626793063e1c6c6997ce4967e1e Mon Sep 17 00:00:00 2001
From: Carlos Esteban Feria Vila <2582866+carlosthe19916@users.noreply.github.com>
Date: Tue, 2 Nov 2021 10:40:23 +0100
Subject: [PATCH 1/3] Add RBAC definitions to application.properties
---
 src/main/resources/application.properties | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index e53aabc1..3bb37ea5 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -4,9 +4,21 @@ quarkus.application.name=tackle-pathfinder
 quarkus.http.root-path = /pathfinder
 # requested to have the prototype html page to work
 quarkus.http.cors=true
-quarkus.http.auth.policy.role-policy1.roles-allowed=user,admin
-quarkus.http.auth.permission.roles1.paths=/pathfinder/*
-quarkus.http.auth.permission.roles1.policy=role-policy1
+
+quarkus.http.auth.policy.assessment-read-policy.roles-allowed=pathfinder:assessment:read
+quarkus.http.auth.policy.assessment-write-policy.roles-allowed=pathfinder:assessment:write
+
+quarkus.http.auth.permission.assessment-read1.methods=GET
+quarkus.http.auth.permission.assessment-read1.paths=/pathfinder/assessments/*
+quarkus.http.auth.permission.assessment-read1.policy=assessment-read-policy
+quarkus.http.auth.permission.assessment-read2.methods=POST
+quarkus.http.auth.permission.assessment-read2.paths=/pathfinder/assessments/risks/*,/pathfinder/assessments/assessment-risk/*,/pathfinder/assessments/confidence/*
+quarkus.http.auth.permission.assessment-read2.policy=assessment-read-policy
+
+quarkus.http.auth.permission.assessment-write.methods=POST,PATCH,PUT,DELETE
+quarkus.http.auth.permission.assessment-write.paths=/pathfinder/assessments/*
+quarkus.http.auth.permission.assessment-write.policy=assessment-write-policy
+
 # 'q' endpoints must be permitted (e.g. the /q/metrics and /q/health endpoints)
 quarkus.http.auth.permission.permit1.paths=/pathfinder/q/*
 quarkus.http.auth.permission.permit1.policy=permit
From ac40019ff00464e2d8955182124f35fc3a9fbbc2 Mon Sep 17 00:00:00 2001
From: Carlos Esteban Feria Vila <2582866+carlosthe19916@users.noreply.github.com>
Date: Tue, 2 Nov 2021 13:44:05 +0100
Subject: [PATCH 2/3] Add RBAC definitions to application.properties
---
 src/main/resources/application.properties | 4 +
 .../resources/keycloak/quarkus-realm.json | 258 ++++++++++++------
 2 files changed, 186 insertions(+), 76 deletions(-)
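Review bot: With the `role-policy1`/`roles1` catch-all on `/pathfinder/*` removed, any request that matches none of the three new permissions — every path outside `/pathfinder/assessments/` — is left without a policy, and Quarkus permits rather than denies a path that no permission claims; the next patch in this series adds a `remaining-endpoints` fallback, but this commit on its own ships without one. To my understanding a request whose path matches a permission but whose method matches none of its listed methods is rejected outright, so HEAD/OPTIONS on the assessments routes now fail — worth checking that CORS preflight still works with `quarkus.http.cors=true`. The `assessment-read2` POST routes also overlap `assessment-write`'s POST on `/pathfinder/assessments/*`; as far as Quarkus' matching goes the more specific path wins, so a POST to `/pathfinder/assessments/risks/*` needs only the read role. That is presumably intended (they are query endpoints) but should be written down, e.g. `# POST on risks/assessment-risk/confidence are read-only queries; the longer path wins over assessment-write, so they need only pathfinder:assessment:read` above `assessment-read2`.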
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 3bb37ea5..584fed1d 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -5,6 +5,7 @@ quarkus.http.root-path = /pathfinder
 # requested to have the prototype html page to work
 quarkus.http.cors=true
+quarkus.http.auth.policy.admin-policy.roles-allowed=admin
 quarkus.http.auth.policy.assessment-read-policy.roles-allowed=pathfinder:assessment:read
 quarkus.http.auth.policy.assessment-write-policy.roles-allowed=pathfinder:assessment:write
@@ -23,6 +24,9 @@ quarkus.http.auth.permission.assessment-write.policy=assessment-write-policy
 quarkus.http.auth.permission.permit1.paths=/pathfinder/q/*
 quarkus.http.auth.permission.permit1.policy=permit
+quarkus.http.auth.permission.remaining-endpoints.paths=/pathfinder/*
+quarkus.http.auth.permission.remaining-endpoints.policy=admin-policy
+
 # Flyway
 quarkus.flyway.migrate-at-start=true
diff --git a/src/main/resources/keycloak/quarkus-realm.json b/src/main/resources/keycloak/quarkus-realm.json
index 6b5e91e5..ac00630e 100644
--- a/src/main/resources/keycloak/quarkus-realm.json
+++ b/src/main/resources/keycloak/quarkus-realm.json
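Review bot: `admin-policy` in the first hunk is keyed on the realm role `admin`, while the two assessment policies are keyed on `backend-service` client roles (`pathfinder:assessment:*`); whether both kinds of role reach the claim that `roles-allowed` inspects depends on the OIDC role mapping (`quarkus.oidc.roles.role-claim-path` or the client's roles mapper), which is not part of this change, so a test that an `architect` token is denied on a non-assessment path and an `admin` token allowed would pin it. The `remaining-endpoints` fallback in the second hunk closes the gap left by patch 1; since the more specific `/pathfinder/q/*` and `/pathfinder/assessments/*` entries win, it effectively makes every other endpoint admin-only, including for the new `architect` and `migrator` realm roles. A comment stating that, e.g. `# Fallback: anything not matched by a more specific permission above is admin-only`, would save the next reader from re-deriving the matching rules.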
@@ -55,17 +55,58 @@
 }, {
 "id" : "8c1abe12-62fe-4a06-ae0d-f5fb67dddbb0",
 "name" : "admin",
- "composite" : false,
+ "composite" : true,
 "clientRole" : false,
 "containerId" : "11d78bf6-6d10-4484-baba-a1388379d68b",
- "attributes" : { }
+ "attributes" : { },
+ "composites": {
+ "client": {
+ "backend-service": [
+ "controls:write",
+ "inventory:application:write",
+ "inventory:application-import:write",
+ "inventory:application-dependency:write",
+ "inventory:application-review:write",
+ "pathfinder:assessment:write"
+ ]
+ }
+ }
 }, {
+ "id": "f777a295-e6bc-45d5-8d84-e476a9021242",
+ "name": "architect",
+ "composite": true,
+ "clientRole" : false,
+ "containerId": "11d78bf6-6d10-4484-baba-a1388379d68b",
+ "attributes" : { },
+ "composites": {
+ "client": {
+ "backend-service": [
+ "controls:write",
+ "inventory:application:write",
+ "inventory:application-import:write",
+ "inventory:application-dependency:write",
+ "inventory:application-review:write",
+ "pathfinder:assessment:write"
+ ]
+ }
+ }
+ },{
 "id" : "5afce544-6a3c-495f-b805-fd737cf5081e",
- "name" : "user",
- "composite" : false,
+ "name" : "migrator",
+ "composite" : true,
 "clientRole" : false,
 "containerId" : "11d78bf6-6d10-4484-baba-a1388379d68b",
- "attributes" : { }
+ "attributes" : { },
+ "composites": {
+ "client": {
+ "backend-service": [
+ "controls:read",
+ "inventory:application:read",
+ "inventory:application-import:read",
+ "pathfinder:assessment:write"
+ ]
+ }
+ }
 }, {
 "id" : "bc431d62-a80a-425b-961a-0fb3fc59006d",
 "name" : "offline_access",
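Review bot: The `user` realm role is turned into `migrator` in place (same id `5afce544-6a3c-495f-b805-fd737cf5081e`) and becomes a composite that includes `pathfinder:assessment:write`; if an existing realm is re-imported over this id, every former `user` would likely come out as a writer, so the rename deserves a line in the commit message or a migration note. `admin` and `architect` end up with identical client-role composites, so the only thing that distinguishes them is the realm role name that `admin-policy` in application.properties checks — fine, but worth stating somewhere, since the JSON cannot carry a comment. Minor: `},{` after the architect entry differs from the `}, {` used everywhere else in the file. The same hunk is duplicated in test-deployment.yaml (`@@ -322,17 +322,58 @@`).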
@@ -253,6 +294,135 @@
 "clientRole" : true,
 "containerId" : "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
 "attributes" : { }
+ }, {
+ "id": "691daa33-980e-419a-a63f-c86d07a03dae",
+ "name": "controls:read",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "574e82d1-9fc3-4166-bccd-f227afe02982",
+ "name": "controls:write",
+ "composite": true,
+ "composites": {
+ "client": {
+ "backend-service": [
+ "controls:read"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "5cf0b4ca-7e26-4f86-a3d3-6dab69243d33",
+ "name": "inventory:application:read",
+ "composite": true,
+ "composites": {
+ "client": {
+ "backend-service": [
+ "controls:read",
+ "pathfinder:assessment:read"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "f89d033f-1d90-4061-bfff-bf380aaa844a",
+ "name": "inventory:application:write",
+ "composite": true,
+ "composites": {
+ "client": {
+ "backend-service": [
+ "inventory:application:read"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "f0eb63c2-033f-447a-85bd-55c83f1e3619",
+ "name": "inventory:application-import:read",
+ "composite": true,
+ "composites": {
+ "client": {
+ "backend-service": [
+ "inventory:application:read"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "67082935-a948-4395-a0c8-a851773ca1ba",
+ "name": "inventory:application-import:write",
+ "composite": true,
+ "composites": {
+ "client": {
+ "backend-service": [
+ "inventory:application-import:read"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "d8a18018-8ce5-497f-b7e3-de7b1112ac39",
+ "name": "inventory:application-dependency:write",
+ "composite": true,
+ "composites": {
+ "client": {
+ "backend-service": [
+ "inventory:application:read"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "3ed86dfd-d354-4d70-9467-a0b8270bb37c",
+ "name": "inventory:application-review:write",
+ "composite": true,
+ "composites": {
+ "client": {
+ "backend-service": [
+ "inventory:application:read",
+ "pathfinder:assessment:write"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "caf1d234-b5e4-4cbe-8915-24a9a7cc7ab1",
+ "name": "pathfinder:assessment:read",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "03f48fd4-de69-4baa-8177-cdab92d76209",
+ "name": "pathfinder:assessment:write",
+ "composite": true,
+ "composites": {
+ "client": {
+ "backend-service": [
+ "inventory:application:read",
+ "pathfinder:assessment:read"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
 } ],
 "broker" : [ {
 "id" : "d36865b0-7ade-4bcd-a7dc-1dacbd80f169",
@@ -296,7 +466,7 @@
 }
 },
 "groups" : [ ],
- "defaultRoles" : [ "uma_authorization", "offline_access" ],
+ "defaultRoles" : [ "uma_authorization", "offline_access", "migrator" ],
 "requiredCredentials" : [ "password" ],
 "otpPolicyType" : "totp",
 "otpPolicyAlgorithm" : "HmacSHA1",
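Review bot: The new client-role composites cross service boundaries: `pathfinder:assessment:write` pulls in `inventory:application:read`, and `inventory:application:read` in turn pulls in `pathfinder:assessment:read` and `controls:read`, so granting a read role in one service implicitly grants reads in others, and any later edit to inventory's composites changes pathfinder's effective permissions. The graph is acyclic as written, but the realm file has no room for a comment; a short role → effective-permissions table in the README (or the commit message) would make the intent reviewable. `inventory:application-dependency:write` also has no `:read` counterpart, unlike the other pairs — fine if dependencies have no read endpoint, but it stands out. The same block is repeated in test-deployment.yaml (`@@ -521,6 +561,135 @@`).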
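Review bot: Adding `migrator` to `defaultRoles` means every newly created realm user automatically holds `migrator`, and through its composites (`@@ -55,17 +55,58 @@` above) `pathfinder:assessment:write` plus the controls and inventory read roles; the realm default goes from no application access to write access, and if self-registration is enabled on the realm that extends to anyone who signs up. A least-privilege default would be a read-only role built on `pathfinder:assessment:read` and the `:read` inventory roles, with `migrator` and `architect` assigned explicitly. Same change in test-deployment.yaml (`@@ -564,7 +733,7 @@`).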
@@ -458,72 +628,8 @@
 "authorizationSettings" : {
 "allowRemoteResourceManagement": true,
 "policyEnforcementMode": "ENFORCING",
- "resources": [
- {
- "name": "User Resource",
- "ownerManagedAccess": false,
- "attributes": {},
- "_id": "df1b74a9-3f10-499d-a581-368de48e512b",
- "uris": [
- "/api/users/*"
- ]
- },
- {
- "name": "Administration Resource",
- "ownerManagedAccess": false,
- "attributes": {},
- "_id": "7124e2f1-e6dc-44b4-87ab-24b010090b97",
- "uris": [
- "/api/admin/*"
- ]
- }
- ],
- "policies": [
- {
- "id": "b8710fa6-160e-4de0-adf3-398c7007a0af",
- "name": "Any User Policy",
- "description": "Any user granted with the user role can access something",
- "type": "role",
- "logic": "POSITIVE",
- "decisionStrategy": "UNANIMOUS",
- "config": {
- "roles": "[{\"id\":\"user\",\"required\":false}]"
- }
- },
- {
- "id": "fcef30b2-68b2-4b78-9f3d-9162c6cdf5cb",
- "name": "Only Administrators",
- "description": "Only administrators can access",
- "type": "role",
- "logic": "POSITIVE",
- "decisionStrategy": "UNANIMOUS",
- "config": {
- "roles": "[{\"id\":\"admin\",\"required\":false}]"
- }
- },
- {
- "id": "3479dd56-02e9-4222-94fe-6a13cd065195",
- "name": "User Resource Permission",
- "type": "resource",
- "logic": "POSITIVE",
- "decisionStrategy": "UNANIMOUS",
- "config": {
- "resources": "[\"User Resource\"]",
- "applyPolicies": "[\"Any User Policy\"]"
- }
- },
- {
- "id": "60188298-d55b-4066-b231-6a7c56ff7cc5",
- "name": "Administration Resource Permission",
- "type": "resource",
- "logic": "POSITIVE",
- "decisionStrategy": "UNANIMOUS",
- "config": {
- "resources": "[\"Administration Resource\"]",
- "applyPolicies": "[\"Only Administrators\"]"
- }
- }
- ],
+ "resources": [],
+ "policies": [],
 "scopes": [],
 "decisionStrategy": "UNANIMOUS"
 }
@@ -1585,7 +1691,7 @@
 } ],
 "disableableCredentialTypes" : [ "password" ],
 "requiredActions" : [ ],
- "realmRoles" : [ "admin", "user" ],
+ "realmRoles" : [ "admin" ],
 "notBefore" : 0,
 "groups" : [ ]
 }, {
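Review bot: `authorizationSettings` keeps `"policyEnforcementMode": "ENFORCING"` and `"allowRemoteResourceManagement": true` while `resources` and `policies` are emptied; if anything still routes through Keycloak's policy enforcer for `backend-service`, ENFORCING with no resources denies every request, and if nothing does, remote resource management is a capability left enabled on the client's service account for no reason. Either drop `authorizationSettings` (and the client's authorization-services flag, which is outside this hunk) now that the Quarkus role policies carry the authorization, or set `"allowRemoteResourceManagement": false` and say in the commit message that the enforcer is no longer used. Same hunk in test-deployment.yaml (`@@ -784,72 +895,8 @@`).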
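Review bot: After this and the three `realmRoles` hunks that follow (`@@ -1611`, `@@ -1637`, `@@ -1650`), every fixture user holds `admin`, `migrator` or `architect`, and all three composites include `pathfinder:assessment:write`; the user that previously had only `user` is promoted to `admin` rather than to the least privileged new role. That leaves no account that can exercise the deny path of `assessment-write-policy` or of the admin-only fallback, so a test cannot show that a read-only token gets 403 on a PUT or on a non-assessment path. Keep one user with only `pathfinder:assessment:read` (or a realm role built on it) for negative tests. The same edits are repeated in test-deployment.yaml (`@@ -1911`, `@@ -1934`, `@@ -1957`).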
@@ -1611,7 +1717,7 @@
 } ],
 "disableableCredentialTypes" : [ "password" ],
 "requiredActions" : [ ],
- "realmRoles" : [ "user" ],
+ "realmRoles" : [ "admin" ],
 "notBefore" : 0,
 "groups" : [ ]
 }, {
@@ -1637,7 +1743,7 @@
 } ],
 "disableableCredentialTypes" : [ "password" ],
 "requiredActions" : [ ],
- "realmRoles" : [ "confidential", "user" ],
+ "realmRoles" : [ "confidential", "migrator" ],
 "notBefore" : 0,
 "groups" : [ ]
 }, {
@@ -1650,7 +1756,7 @@
 "type" : "password",
 "value" : "pedro"
 } ],
- "realmRoles" : ["user"]
+ "realmRoles" : ["architect"]
 }, {
 "id" : "948c59ec-46ed-4d99-aa43-02900029b930",
 "createdTimestamp" : 1554245880023,
From 56c053a671c5f6e8633a8f21eace522f16ae6194 Mon Sep 17 00:00:00 2001
From: Carlos Esteban Feria Vila <2582866+carlosthe19916@users.noreply.github.com>
Date: Tue, 2 Nov 2021 14:03:56 +0100
Subject: [PATCH 3/3] update realm in k8s
---
 src/test/resources/test-deployment.yaml | 315 ++++++++++++++----------
 1 file changed, 181 insertions(+), 134 deletions(-)
diff --git a/src/test/resources/test-deployment.yaml b/src/test/resources/test-deployment.yaml
index 0dbba0f9..c5638f6a 100644
--- a/src/test/resources/test-deployment.yaml
+++ b/src/test/resources/test-deployment.yaml
@@ -322,17 +322,58 @@ data:
 }, {
 "id" : "8c1abe12-62fe-4a06-ae0d-f5fb67dddbb0",
 "name" : "admin",
- "composite" : false,
+ "composite" : true,
 "clientRole" : false,
 "containerId" : "11d78bf6-6d10-4484-baba-a1388379d68b",
- "attributes" : { }
+ "attributes" : { },
+ "composites": {
+ "client": {
+ "backend-service": [
+ "controls:write",
+ "inventory:application:write",
+ "inventory:application-import:write",
+ "inventory:application-dependency:write",
+ "inventory:application-review:write",
+ "pathfinder:assessment:write"
+ ]
+ }
+ }
 }, {
+ "id": "f777a295-e6bc-45d5-8d84-e476a9021242",
+ "name": "architect",
+ "composite": true,
+ "clientRole" : false,
+ "containerId": "11d78bf6-6d10-4484-baba-a1388379d68b",
+ "attributes" : { },
+ "composites": {
+ "client": {
+ "backend-service": [
+ "controls:write",
+ "inventory:application:write",
+ "inventory:application-import:write",
+ "inventory:application-dependency:write",
+ "inventory:application-review:write",
+ "pathfinder:assessment:write"
+ ]
+ }
+ }
+ },{
 "id" : "5afce544-6a3c-495f-b805-fd737cf5081e",
- "name" : "user",
- "composite" : false,
+ "name" : "migrator",
+ "composite" : true,
 "clientRole" : false,
 "containerId" : "11d78bf6-6d10-4484-baba-a1388379d68b",
- "attributes" : { }
+ "attributes" : { },
+ "composites": {
+ "client": {
+ "backend-service": [
+ "controls:read",
+ "inventory:application:read",
+ "inventory:application-import:read",
+ "pathfinder:assessment:write"
+ ]
+ }
+ }
 }, {
 "id" : "bc431d62-a80a-425b-961a-0fb3fc59006d",
 "name" : "offline_access",
@@ -513,7 +554,6 @@ data:
 } ],
 "security-admin-console" : [ ],
 "admin-cli" : [ ],
- "tackle-ui": [],
 "backend-service" : [ {
 "id" : "df147a91-6da7-4bbc-866c-f30cf99b2637",
 "name" : "uma_protection",
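Review bot: This ConfigMap embeds a second, hand-maintained copy of the realm, and the two copies do not match: the k8s copy drops the `tackle-ui` client role (`@@ -513,7 +554,6 @@` here) and the whole `tackle-ui` client (`@@ -658,64 +827,6 @@` below), while the `quarkus-realm.json` diff in patch 2 touches neither, so either the files already differed or the test deployment and the dev realm now describe different clients. Role changes like this one have to be applied twice and will keep drifting; generating the ConfigMap's `data` from `src/main/resources/keycloak/quarkus-realm.json` at test time (or mounting that file) would remove the duplication. If the divergence is intended, a comment in the YAML above the realm data naming which differences are deliberate would help the next reader.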
@@ -521,6 +561,135 @@ data:
 "clientRole" : true,
 "containerId" : "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
 "attributes" : { }
+ }, {
+ "id": "691daa33-980e-419a-a63f-c86d07a03dae",
+ "name": "controls:read",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "574e82d1-9fc3-4166-bccd-f227afe02982",
+ "name": "controls:write",
+ "composite": true,
+ "composites": {
+ "client": {
+ "backend-service": [
+ "controls:read"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "5cf0b4ca-7e26-4f86-a3d3-6dab69243d33",
+ "name": "inventory:application:read",
+ "composite": true,
+ "composites": {
+ "client": {
+ "backend-service": [
+ "controls:read",
+ "pathfinder:assessment:read"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "f89d033f-1d90-4061-bfff-bf380aaa844a",
+ "name": "inventory:application:write",
+ "composite": true,
+ "composites": {
+ "client": {
+ "backend-service": [
+ "inventory:application:read"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "f0eb63c2-033f-447a-85bd-55c83f1e3619",
+ "name": "inventory:application-import:read",
+ "composite": true,
+ "composites": {
+ "client": {
+ "backend-service": [
+ "inventory:application:read"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "67082935-a948-4395-a0c8-a851773ca1ba",
+ "name": "inventory:application-import:write",
+ "composite": true,
+ "composites": {
+ "client": {
+ "backend-service": [
+ "inventory:application-import:read"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "d8a18018-8ce5-497f-b7e3-de7b1112ac39",
+ "name": "inventory:application-dependency:write",
+ "composite": true,
+ "composites": {
+ "client": {
+ "backend-service": [
+ "inventory:application:read"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "3ed86dfd-d354-4d70-9467-a0b8270bb37c",
+ "name": "inventory:application-review:write",
+ "composite": true,
+ "composites": {
+ "client": {
+ "backend-service": [
+ "inventory:application:read",
+ "pathfinder:assessment:write"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "caf1d234-b5e4-4cbe-8915-24a9a7cc7ab1",
+ "name": "pathfinder:assessment:read",
+ "composite": false,
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
+ }, {
+ "id": "03f48fd4-de69-4baa-8177-cdab92d76209",
+ "name": "pathfinder:assessment:write",
+ "composite": true,
+ "composites": {
+ "client": {
+ "backend-service": [
+ "inventory:application:read",
+ "pathfinder:assessment:read"
+ ]
+ }
+ },
+ "clientRole": true,
+ "containerId": "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
+ "attributes": {}
 } ],
 "broker" : [ {
 "id" : "d36865b0-7ade-4bcd-a7dc-1dacbd80f169",
@@ -564,7 +733,7 @@ data:
 }
 },
 "groups" : [ ],
- "defaultRoles" : [ "uma_authorization", "offline_access" ],
+ "defaultRoles" : [ "uma_authorization", "offline_access", "migrator" ],
 "requiredCredentials" : [ "password" ],
 "otpPolicyType" : "totp",
 "otpPolicyAlgorithm" : "HmacSHA1",
@@ -658,64 +827,6 @@ data:
 "defaultClientScopes" : [ "web-origins", "role_list", "profile", "roles", "email" ],
 "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
 }, {
- "id": "7f2cd8e2-dac3-41d8-b88b-bcd179f2bd39",
- "clientId": "tackle-ui",
- "surrogateAuthRequired": false,
- "enabled": true,
- "alwaysDisplayInConsole": false,
- "clientAuthenticatorType": "client-secret",
- "secret": "**********",
- "redirectUris": [
- "*"
- ],
- "webOrigins": [
- "*"
- ],
- "notBefore": 0,
- "bearerOnly": false,
- "consentRequired": false,
- "standardFlowEnabled": true,
- "implicitFlowEnabled": false,
- "directAccessGrantsEnabled": true,
- "serviceAccountsEnabled": false,
- "publicClient": true,
- "frontchannelLogout": false,
- "protocol": "openid-connect",
- "attributes": {
- "saml.assertion.signature": "false",
- "saml.force.post.binding": "false",
- "saml.multivalued.roles": "false",
- "saml.encrypt": "false",
- "backchannel.logout.revoke.offline.tokens": "false",
- "saml.server.signature": "false",
- "saml.server.signature.keyinfo.ext": "false",
- "exclude.session.state.from.auth.response": "false",
- "backchannel.logout.session.required": "true",
- "client_credentials.use_refresh_token": "false",
- "saml_force_name_id_format": "false",
- "saml.client.signature": "false",
- "tls.client.certificate.bound.access.tokens": "false",
- "saml.authnstatement": "false",
- "display.on.consent.screen": "false",
- "saml.onetimeuse.condition": "false"
- },
- "authenticationFlowBindingOverrides": {},
- "fullScopeAllowed": true,
- "nodeReRegistrationTimeout": -1,
- "defaultClientScopes": [
- "web-origins",
- "role_list",
- "profile",
- "roles",
- "email"
- ],
- "optionalClientScopes": [
- "address",
- "phone",
- "offline_access",
- "microprofile-jwt"
- ]
- }, {
 "id" : "0ac5df91-e044-4051-bd03-106a3a5fb9cc",
 "clientId" : "backend-service",
 "surrogateAuthRequired" : false,
@@ -784,72 +895,8 @@ data:
 "authorizationSettings" : {
 "allowRemoteResourceManagement": true,
 "policyEnforcementMode": "ENFORCING",
- "resources": [
- {
- "name": "User Resource",
- "ownerManagedAccess": false,
- "attributes": {},
- "_id": "df1b74a9-3f10-499d-a581-368de48e512b",
- "uris": [
- "/api/users/*"
- ]
- },
- {
- "name": "Administration Resource",
- "ownerManagedAccess": false,
- "attributes": {},
- "_id": "7124e2f1-e6dc-44b4-87ab-24b010090b97",
- "uris": [
- "/api/admin/*"
- ]
- }
- ],
- "policies": [
- {
- "id": "b8710fa6-160e-4de0-adf3-398c7007a0af",
- "name": "Any User Policy",
- "description": "Any user granted with the user role can access something",
- "type": "role",
- "logic": "POSITIVE",
- "decisionStrategy": "UNANIMOUS",
- "config": {
- "roles": "[{\"id\":\"user\",\"required\":false}]"
- }
- },
- {
- "id": "fcef30b2-68b2-4b78-9f3d-9162c6cdf5cb",
- "name": "Only Administrators",
- "description": "Only administrators can access",
- "type": "role",
- "logic": "POSITIVE",
- "decisionStrategy": "UNANIMOUS",
- "config": {
- "roles": "[{\"id\":\"admin\",\"required\":false}]"
- }
- },
- {
- "id": "3479dd56-02e9-4222-94fe-6a13cd065195",
- "name": "User Resource Permission",
- "type": "resource",
- "logic": "POSITIVE",
- "decisionStrategy": "UNANIMOUS",
- "config": {
- "resources": "[\"User Resource\"]",
- "applyPolicies": "[\"Any User Policy\"]"
- }
- },
- {
- "id": "60188298-d55b-4066-b231-6a7c56ff7cc5",
- "name": "Administration Resource Permission",
- "type": "resource",
- "logic": "POSITIVE",
- "decisionStrategy": "UNANIMOUS",
- "config": {
- "resources": "[\"Administration Resource\"]",
- "applyPolicies": "[\"Only Administrators\"]"
- }
- }
- ],
+ "resources": [],
+ "policies": [],
 "scopes": [],
 "decisionStrategy": "UNANIMOUS"
 }
@@ -1911,7 +1958,7 @@ data:
 } ],
 "disableableCredentialTypes" : [ "password" ],
 "requiredActions" : [ ],
- "realmRoles" : [ "admin", "user" ],
+ "realmRoles" : [ "admin" ],
 "notBefore" : 0,
 "groups" : [ ]
 }, {
@@ -1934,7 +1981,7 @@ data:
 } ],
 "disableableCredentialTypes" : [ "password" ],
 "requiredActions" : [ ],
- "realmRoles" : [ "user" ],
+ "realmRoles" : [ "admin" ],
 "notBefore" : 0,
 "groups" : [ ]
 }, {
@@ -1957,7 +2004,7 @@ data:
 } ],
 "disableableCredentialTypes" : [ "password" ],
 "requiredActions" : [ ],
- "realmRoles" : [ "confidential", "user" ],
+ "realmRoles" : [ "confidential", "migrator" ],
 "notBefore" : 0,
 "groups" : [ ]
 }, {