/**
 * Builds the settings from the UI security configuration.
 *
 * <p>Copies the configured override base URL and switches the scheme to {@code "https"} when UI
 * SSL is enabled. When SSL is disabled, {@code scheme} is not assigned here, so it keeps whatever
 * value it already had.
 *
 * @param uiSecurity UI security configuration; it and its SSL section are dereferenced without a
 *     null check
 */
public Settings(UiSecurity uiSecurity) {
  setOverrideBaseUrl(uiSecurity.getOverrideBaseUrl());

  // The advertised scheme follows the SSL switch only; the override base URL is copied as given.
  boolean sslEnabled = uiSecurity.getSsl().isEnabled();
  if (sslEnabled) {
    scheme = "https";
  }
}
} // closes the enclosing class, whose declaration is not part of this excerpt
/**
 * Replaces the Apache SSL section of a deployment's UI security settings.
 *
 * @param deploymentName name of the deployment whose UI security settings are updated
 * @param apacheSsl SSL settings to store; handed to {@code setSsl} as-is
 */
public void setApacheSsl(String deploymentName, ApacheSsl apacheSsl) {
  // NOTE(review): nothing is validated here (certificate/key paths, passphrase);
  // presumably a validator runs elsewhere - confirm against the caller.
  getUiSecurity(deploymentName).setSsl(apacheSsl);
}
/**
 * Loads the UI security settings of the current deployment, applies the override base URL given
 * on the command (if any), and writes the settings back.
 *
 * <p>Reports "No changes supplied." and returns without writing when the settings' hash code is
 * the same before and after the edit.
 */
@Override
protected void executeThis() {
  String currentDeployment = getCurrentDeployment();

  UiSecurity uiSecurity =
      new OperationHandler<UiSecurity>()
          .setOperation(Daemon.getUiSecurity(currentDeployment, false))
          .setFailureMesssage("Failed to load UI security settings.")
          .get();

  // Change detection compares hash codes rather than field values.
  // NOTE(review): two different settings with equal hash codes would be reported as unchanged.
  int hashBeforeEdit = uiSecurity.hashCode();

  if (isSet(overrideBaseUrl)) {
    uiSecurity.setOverrideBaseUrl(overrideBaseUrl);
  } else {
    // Nothing supplied: write the current value back so the hash stays the same.
    uiSecurity.setOverrideBaseUrl(uiSecurity.getOverrideBaseUrl());
  }

  boolean unchanged = hashBeforeEdit == uiSecurity.hashCode();
  if (unchanged) {
    AnsiUi.failure("No changes supplied.");
    return;
  }

  // NOTE(review): the second argument is !noValidate, presumably the "validate" switch, so the
  // noValidate flag lets an unvalidated base URL be stored - confirm against Daemon.setUiSecurity.
  new OperationHandler<Void>()
      .setOperation(Daemon.setUiSecurity(currentDeployment, !noValidate, uiSecurity))
      .setFailureMesssage("Failed to edit UI security settings.")
      .setSuccessMessage("Successfully updated UI security settings.")
      .get();
}
} // closes the enclosing class, whose declaration is not part of this excerpt
/**
 * Warns when a Distributed deployment has no override base URL for the UI or for the API.
 *
 * <p>Only the {@code Distributed} environment type produces a problem; {@code LocalDebian} is
 * accepted silently and any other type falls through the switch without a check.
 *
 * @param p collector that receives the warning and its remediation text
 * @param n security node under validation; its API and UI security sections are dereferenced
 *     without a null check
 */
@Override
public void validate(ConfigProblemSetBuilder p, Security n) {
  DeploymentConfiguration deployment = n.parentOfType(DeploymentConfiguration.class);

  // True as soon as either override base URL is reported empty by StringUtils.isEmpty.
  boolean localhostAccess =
      StringUtils.isEmpty(n.getApiSecurity().getOverrideBaseUrl())
          || StringUtils.isEmpty(n.getUiSecurity().getOverrideBaseUrl());

  switch (deployment.getDeploymentEnvironment().getType()) {
    case Distributed:
      if (!localhostAccess) {
        break;
      }
      String warning =
          "Your UI or API domain does not have override base URLs set "
              + "even though your Spinnaker deployment is a Distributed deployment on a remote cloud provider. "
              + "As a result, you will need to open SSH tunnels against that deployment to access Spinnaker.";
      String remediation =
          "We recommend that you instead configure an authentication mechanism (OAuth2, SAML2, or x509) "
              + "to make it easier to access Spinnaker securely, and then register the intended Domain and IP addresses "
              + "that your publicly facing services will be using.";
      // TODO(lwander) point to a guide here
      p.addProblem(Problem.Severity.WARNING, warning).setRemediation(remediation);
      break;
    case LocalDebian:
      break;
  }
}
} // closes the enclosing class, whose declaration is not part of this excerpt
/**
 * Produces the template bindings for this profile: a single {@code "passphrase"} entry taken from
 * the UI SSL settings.
 *
 * @param deploymentConfiguration deployment whose UI SSL settings are read
 * @param endpoints runtime settings; not used by this implementation
 * @return a new mutable map holding the {@code "passphrase"} binding
 */
@Override
protected Map<String, Object> getBindings(
    DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) {
  ApacheSsl uiSsl = deploymentConfiguration.getSecurity().getUiSecurity().getSsl();

  Map<String, Object> templateValues = new HashMap<>();
  // The certificate passphrase goes into the bindings in clear text.
  // NOTE(review): where the rendered profile is written is not visible here - confirm the output
  // file is readable only by the account that needs it and is kept out of logs.
  templateValues.put("passphrase", uiSsl.getSslCertificatePassphrase());
  return templateValues;
}
/**
 * Loads the UI security settings of the current deployment, applies the override base URL given
 * on the command (if any), and writes the settings back.
 *
 * <p>Reports "No changes supplied." and returns without writing when the settings' hash code is
 * the same before and after the edit.
 */
@Override
protected void executeThis() {
  String currentDeployment = getCurrentDeployment();

  UiSecurity uiSecurity =
      new OperationHandler<UiSecurity>()
          .setOperation(Daemon.getUiSecurity(currentDeployment, false))
          .setFailureMesssage("Failed to load UI security settings.")
          .get();

  // Change detection compares hash codes rather than field values.
  // NOTE(review): two different settings with equal hash codes would be reported as unchanged.
  int hashBeforeEdit = uiSecurity.hashCode();

  if (isSet(overrideBaseUrl)) {
    uiSecurity.setOverrideBaseUrl(overrideBaseUrl);
  } else {
    // Nothing supplied: write the current value back so the hash stays the same.
    uiSecurity.setOverrideBaseUrl(uiSecurity.getOverrideBaseUrl());
  }

  boolean unchanged = hashBeforeEdit == uiSecurity.hashCode();
  if (unchanged) {
    AnsiUi.failure("No changes supplied.");
    return;
  }

  // NOTE(review): the second argument is !noValidate, presumably the "validate" switch, so the
  // noValidate flag lets an unvalidated base URL be stored - confirm against Daemon.setUiSecurity.
  new OperationHandler<Void>()
      .setOperation(Daemon.setUiSecurity(currentDeployment, !noValidate, uiSecurity))
      .setFailureMesssage("Failed to edit UI security settings.")
      .setSuccessMessage("Successfully updated UI security settings.")
      .get();
}
} // closes the enclosing class, whose declaration is not part of this excerpt
/**
 * Warns when a Distributed deployment has no override base URL for the UI or for the API.
 *
 * <p>Only the {@code Distributed} environment type produces a problem; {@code LocalDebian} is
 * accepted silently and any other type falls through the switch without a check.
 *
 * @param p collector that receives the warning and its remediation text
 * @param n security node under validation; its API and UI security sections are dereferenced
 *     without a null check
 */
@Override
public void validate(ConfigProblemSetBuilder p, Security n) {
  DeploymentConfiguration deployment = n.parentOfType(DeploymentConfiguration.class);

  // True as soon as either override base URL is reported empty by StringUtils.isEmpty.
  boolean localhostAccess =
      StringUtils.isEmpty(n.getApiSecurity().getOverrideBaseUrl())
          || StringUtils.isEmpty(n.getUiSecurity().getOverrideBaseUrl());

  switch (deployment.getDeploymentEnvironment().getType()) {
    case Distributed:
      if (!localhostAccess) {
        break;
      }
      String warning =
          "Your UI or API domain does not have override base URLs set "
              + "even though your Spinnaker deployment is a Distributed deployment on a remote cloud provider. "
              + "As a result, you will need to open SSH tunnels against that deployment to access Spinnaker.";
      String remediation =
          "We recommend that you instead configure an authentication mechanism (OAuth2, SAML2, or x509) "
              + "to make it easier to access Spinnaker securely, and then register the intended Domain and IP addresses "
              + "that your publicly facing services will be using.";
      // TODO(lwander) point to a guide here
      p.addProblem(Problem.Severity.WARNING, warning).setRemediation(remediation);
      break;
    case LocalDebian:
      break;
  }
}
} // closes the enclosing class, whose declaration is not part of this excerpt
/**
 * Produces the template bindings for this profile: a single {@code "passphrase"} entry taken from
 * the UI SSL settings.
 *
 * @param deploymentConfiguration deployment whose UI SSL settings are read
 * @param endpoints runtime settings; not used by this implementation
 * @return a new mutable map holding the {@code "passphrase"} binding
 */
@Override
protected Map<String, Object> getBindings(
    DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) {
  ApacheSsl uiSsl = deploymentConfiguration.getSecurity().getUiSecurity().getSsl();

  Map<String, Object> templateValues = new HashMap<>();
  // The certificate passphrase goes into the bindings in clear text.
  // NOTE(review): where the rendered profile is written is not visible here - confirm the output
  // file is readable only by the account that needs it and is kept out of logs.
  templateValues.put("passphrase", uiSsl.getSslCertificatePassphrase());
  return templateValues;
}
/**
 * Builds the settings from the UI security configuration.
 *
 * <p>Copies the configured override base URL and switches the scheme to {@code "https"} when UI
 * SSL is enabled. When SSL is disabled, {@code scheme} is not assigned here, so it keeps whatever
 * value it already had.
 *
 * @param uiSecurity UI security configuration; it and its SSL section are dereferenced without a
 *     null check
 */
public Settings(UiSecurity uiSecurity) {
  setOverrideBaseUrl(uiSecurity.getOverrideBaseUrl());

  // The advertised scheme follows the SSL switch only; the override base URL is copied as given.
  boolean sslEnabled = uiSecurity.getSsl().isEnabled();
  if (sslEnabled) {
    scheme = "https";
  }
}
} // closes the enclosing class, whose declaration is not part of this excerpt
/**
 * Produces the template bindings for the Apache site configuration.
 *
 * <p>Works in two passes: the SSL template is first rendered with the certificate and key file
 * paths, then the rendered text is exposed as the {@code "ssl"} binding next to the Deck host and
 * port.
 *
 * @param deploymentConfiguration deployment whose UI SSL settings supply the file paths
 * @param endpoints runtime settings that supply the Deck host and port
 * @return a mutable map with the keys {@code "ssl"}, {@code "deck-host"} and {@code "deck-port"}
 */
@Override
protected Map<String, Object> getBindings(
    DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) {
  UiSecurity uiSecurity = deploymentConfiguration.getSecurity().getUiSecurity();
  ApacheSsl apacheSsl = uiSecurity.getSsl();

  // Pass 1: render the SSL fragment from the certificate and key paths.
  // NOTE(review): the paths come straight from the deployment configuration and are substituted
  // into the template; whether StringResource escapes values is not visible here - confirm that
  // a path containing newlines or directive text cannot alter the rendered configuration.
  TemplatedResource sslTemplate = new StringResource(SSL_TEMPLATE);
  Map<String, Object> sslValues = new HashMap<>();
  sslValues.put("cert-file", apacheSsl.getSslCertificateFile());
  sslValues.put("key-file", apacheSsl.getSslCertificateKeyFile());
  String renderedSsl = sslTemplate.setBindings(sslValues).toString();

  // Pass 2: the bindings handed back to the caller.
  Map<String, Object> siteValues = new HashMap<>();
  siteValues.put("ssl", renderedSsl);
  siteValues.put("deck-host", endpoints.getServiceSettings(Type.DECK).getHost());
  siteValues.put("deck-port", String.valueOf(endpoints.getServiceSettings(Type.DECK).getPort()));
  return siteValues;
}
/**
 * Replaces the Apache SSL section of a deployment's UI security settings.
 *
 * @param deploymentName name of the deployment whose UI security settings are updated
 * @param apacheSsl SSL settings to store; handed to {@code setSsl} as-is
 */
public void setApacheSsl(String deploymentName, ApacheSsl apacheSsl) {
  // NOTE(review): nothing is validated here (certificate/key paths, passphrase);
  // presumably a validator runs elsewhere - confirm against the caller.
  getUiSecurity(deploymentName).setSsl(apacheSsl);
}
/**
 * Produces the template bindings for the Apache site configuration.
 *
 * <p>Works in two passes: the SSL template is first rendered with the certificate and key file
 * paths, then the rendered text is exposed as the {@code "ssl"} binding next to the Deck host and
 * port.
 *
 * @param deploymentConfiguration deployment whose UI SSL settings supply the file paths
 * @param endpoints runtime settings that supply the Deck host and port
 * @return a mutable map with the keys {@code "ssl"}, {@code "deck-host"} and {@code "deck-port"}
 */
@Override
protected Map<String, Object> getBindings(
    DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) {
  UiSecurity uiSecurity = deploymentConfiguration.getSecurity().getUiSecurity();
  ApacheSsl apacheSsl = uiSecurity.getSsl();

  // Pass 1: render the SSL fragment from the certificate and key paths.
  // NOTE(review): the paths come straight from the deployment configuration and are substituted
  // into the template; whether StringResource escapes values is not visible here - confirm that
  // a path containing newlines or directive text cannot alter the rendered configuration.
  TemplatedResource sslTemplate = new StringResource(SSL_TEMPLATE);
  Map<String, Object> sslValues = new HashMap<>();
  sslValues.put("cert-file", apacheSsl.getSslCertificateFile());
  sslValues.put("key-file", apacheSsl.getSslCertificateKeyFile());
  String renderedSsl = sslTemplate.setBindings(sslValues).toString();

  // Pass 2: the bindings handed back to the caller.
  Map<String, Object> siteValues = new HashMap<>();
  siteValues.put("ssl", renderedSsl);
  siteValues.put("deck-host", endpoints.getServiceSettings(Type.DECK).getHost());
  siteValues.put("deck-port", String.valueOf(endpoints.getServiceSettings(Type.DECK).getPort()));
  return siteValues;
}
/**
 * Adds the Deck-specific environment variables to the profile after the parent class has set it
 * up.
 *
 * <p>The host, port, API URL, certificate, key and passphrase variables are written only when UI
 * SSL is enabled; {@code AUTH_ENABLED} and {@code FIAT_ENABLED} are always written.
 *
 * @param profile profile whose environment map is extended in place
 * @param deploymentConfiguration deployment whose security settings are read
 * @param endpoints runtime settings that supply the Deck and Gate service settings
 */
@Override
protected void setProfile(
    Profile profile,
    DeploymentConfiguration deploymentConfiguration,
    SpinnakerRuntimeSettings endpoints) {
  super.setProfile(profile, deploymentConfiguration, endpoints);

  ServiceSettings deck = endpoints.getServiceSettings(Type.DECK);
  ServiceSettings gate = endpoints.getServiceSettings(Type.GATE);
  ApacheSsl uiSsl = deploymentConfiguration.getSecurity().getUiSecurity().getSsl();
  Map<String, String> profileEnv = profile.getEnv();

  if (uiSsl.isEnabled()) {
    profileEnv.put("DECK_HOST", deck.getHost());
    profileEnv.put("DECK_PORT", String.valueOf(deck.getPort()));
    profileEnv.put("API_HOST", gate.getBaseUrl());
    profileEnv.put("DECK_CERT", uiSsl.getSslCertificateFile());
    profileEnv.put("DECK_KEY", uiSsl.getSslCertificateKeyFile());
    // The key passphrase is exported in clear text next to the key path.
    // NOTE(review): how this environment map is persisted is not visible here - confirm it is
    // not logged and that any file it is written to is readable only by the service account.
    profileEnv.put("PASSPHRASE", uiSsl.getSslCertificatePassphrase());
  }

  // Both flags are written as "true" or "false" regardless of the SSL setting.
  profileEnv.put(
      "AUTH_ENABLED",
      Boolean.toString(deploymentConfiguration.getSecurity().getAuthn().isEnabled()));
  profileEnv.put(
      "FIAT_ENABLED",
      Boolean.toString(deploymentConfiguration.getSecurity().getAuthz().isEnabled()));
}
} // closes the enclosing class, whose declaration is not part of this excerpt
/**
 * Adds the Deck-specific environment variables to the profile after the parent class has set it
 * up.
 *
 * <p>The host, port, API URL, certificate, key and passphrase variables are written only when UI
 * SSL is enabled; {@code AUTH_ENABLED} and {@code FIAT_ENABLED} are always written.
 *
 * @param profile profile whose environment map is extended in place
 * @param deploymentConfiguration deployment whose security settings are read
 * @param endpoints runtime settings that supply the Deck and Gate service settings
 */
@Override
protected void setProfile(
    Profile profile,
    DeploymentConfiguration deploymentConfiguration,
    SpinnakerRuntimeSettings endpoints) {
  super.setProfile(profile, deploymentConfiguration, endpoints);

  ServiceSettings deck = endpoints.getServiceSettings(Type.DECK);
  ServiceSettings gate = endpoints.getServiceSettings(Type.GATE);
  ApacheSsl uiSsl = deploymentConfiguration.getSecurity().getUiSecurity().getSsl();
  Map<String, String> profileEnv = profile.getEnv();

  if (uiSsl.isEnabled()) {
    profileEnv.put("DECK_HOST", deck.getHost());
    profileEnv.put("DECK_PORT", String.valueOf(deck.getPort()));
    profileEnv.put("API_HOST", gate.getBaseUrl());
    profileEnv.put("DECK_CERT", uiSsl.getSslCertificateFile());
    profileEnv.put("DECK_KEY", uiSsl.getSslCertificateKeyFile());
    // The key passphrase is exported in clear text next to the key path.
    // NOTE(review): how this environment map is persisted is not visible here - confirm it is
    // not logged and that any file it is written to is readable only by the service account.
    profileEnv.put("PASSPHRASE", uiSsl.getSslCertificatePassphrase());
  }

  // Both flags are written as "true" or "false" regardless of the SSL setting.
  profileEnv.put(
      "AUTH_ENABLED",
      Boolean.toString(deploymentConfiguration.getSecurity().getAuthn().isEnabled()));
  profileEnv.put(
      "FIAT_ENABLED",
      Boolean.toString(deploymentConfiguration.getSecurity().getAuthz().isEnabled()));
}
} // closes the enclosing class, whose declaration is not part of this excerpt
/**
 * Returns the install command for this artifact, followed by the command that enables Apache's
 * SSL module when UI SSL is turned on.
 *
 * <p>The two parts are joined with a newline; when SSL is disabled the second part is the empty
 * string.
 *
 * @param deploymentDetails deployment whose UI SSL setting decides whether the module is enabled
 * @return the command text produced by the default install step plus the optional SSL step
 */
@Override
public String installArtifactCommand(DeploymentDetails deploymentDetails) {
  String baseInstall = LocalDebianService.super.installArtifactCommand(deploymentDetails);

  boolean sslEnabled =
      deploymentDetails
          .getDeploymentConfiguration()
          .getSecurity()
          .getUiSecurity()
          .getSsl()
          .isEnabled();

  // The appended step is a fixed literal: no configuration value is interpolated into the
  // command text by this method.
  String enableSslModule;
  if (sslEnabled) {
    enableSslModule = "a2enmod ssl";
  } else {
    enableSslModule = "";
  }

  return Strings.join("\n", baseInstall, enableSslModule);
}
/**
 * Returns the install command for this artifact, followed by the command that enables Apache's
 * SSL module when UI SSL is turned on.
 *
 * <p>The two parts are joined with a newline; when SSL is disabled the second part is the empty
 * string.
 *
 * @param deploymentDetails deployment whose UI SSL setting decides whether the module is enabled
 * @return the command text produced by the default install step plus the optional SSL step
 */
@Override
public String installArtifactCommand(DeploymentDetails deploymentDetails) {
  String baseInstall = LocalDebianService.super.installArtifactCommand(deploymentDetails);

  boolean sslEnabled =
      deploymentDetails
          .getDeploymentConfiguration()
          .getSecurity()
          .getUiSecurity()
          .getSsl()
          .isEnabled();

  // The appended step is a fixed literal: no configuration value is interpolated into the
  // command text by this method.
  String enableSslModule;
  if (sslEnabled) {
    enableSslModule = "a2enmod ssl";
  } else {
    enableSslModule = "";
  }

  return Strings.join("\n", baseInstall, enableSslModule);
}
/**
 * Builds the Deck service settings and registers the environment variables that follow from the
 * deployment's security configuration.
 *
 * <p>SSL enabled: sets {@code DECK_HTTPS} and the certificate, key and CA certificate paths.
 * Authentication enabled: sets {@code AUTH_ENABLED} and binds Deck to {@code 0.0.0.0}.
 * Authorization enabled: sets {@code FIAT_ENABLED}.
 *
 * @param deploymentConfiguration deployment whose security section is read
 * @return enabled settings carrying the artifact id and the chosen host
 */
@Override
public ServiceSettings buildServiceSettings(DeploymentConfiguration deploymentConfiguration) {
  Security securityConfig = deploymentConfiguration.getSecurity();

  boolean sslEnabled = securityConfig.getUiSecurity().getSsl().isEnabled();
  if (sslEnabled) {
    setEnvTrue("DECK_HTTPS");
    // Only file paths are exported here; the key passphrase is not part of this environment.
    setEnv("DECK_CERT", securityConfig.getUiSecurity().getSsl().getSslCertificateFile());
    setEnv("DECK_KEY", securityConfig.getUiSecurity().getSsl().getSslCertificateKeyFile());
    setEnv("DECK_CA_CERT", securityConfig.getUiSecurity().getSsl().getSslCACertificateFile());
  }

  boolean authnEnabled = securityConfig.getAuthn().isEnabled();
  if (authnEnabled) {
    setEnvTrue("AUTH_ENABLED");
    setEnv("DECK_HOST", "0.0.0.0");
  }

  if (securityConfig.getAuthz().isEnabled()) {
    setEnvTrue("FIAT_ENABLED");
  }

  // Listening on every interface is gated on authentication alone, not on SSL.
  // NOTE(review): with authn on and SSL off the UI is reachable on all interfaces without TLS
  // from this service - confirm TLS is terminated in front of it in that configuration.
  return new Settings(securityConfig.getUiSecurity())
      .setArtifactId(getArtifactId(deploymentConfiguration.getName()))
      .setHost(authnEnabled ? "0.0.0.0" : getDefaultHost())
      .setEnabled(true);
}
/**
 * Builds the Deck service settings and registers the environment variables that follow from the
 * deployment's security configuration.
 *
 * <p>SSL enabled: sets {@code DECK_HTTPS} and the certificate, key and CA certificate paths.
 * Authentication enabled: sets {@code AUTH_ENABLED} and binds Deck to {@code 0.0.0.0}.
 * Authorization enabled: sets {@code FIAT_ENABLED}.
 *
 * @param deploymentConfiguration deployment whose security section is read
 * @return enabled settings carrying the artifact id and the chosen host
 */
@Override
public ServiceSettings buildServiceSettings(DeploymentConfiguration deploymentConfiguration) {
  Security securityConfig = deploymentConfiguration.getSecurity();

  boolean sslEnabled = securityConfig.getUiSecurity().getSsl().isEnabled();
  if (sslEnabled) {
    setEnvTrue("DECK_HTTPS");
    // Only file paths are exported here; the key passphrase is not part of this environment.
    setEnv("DECK_CERT", securityConfig.getUiSecurity().getSsl().getSslCertificateFile());
    setEnv("DECK_KEY", securityConfig.getUiSecurity().getSsl().getSslCertificateKeyFile());
    setEnv("DECK_CA_CERT", securityConfig.getUiSecurity().getSsl().getSslCACertificateFile());
  }

  boolean authnEnabled = securityConfig.getAuthn().isEnabled();
  if (authnEnabled) {
    setEnvTrue("AUTH_ENABLED");
    setEnv("DECK_HOST", "0.0.0.0");
  }

  if (securityConfig.getAuthz().isEnabled()) {
    setEnvTrue("FIAT_ENABLED");
  }

  // Listening on every interface is gated on authentication alone, not on SSL.
  // NOTE(review): with authn on and SSL off the UI is reachable on all interfaces without TLS
  // from this service - confirm TLS is terminated in front of it in that configuration.
  return new Settings(securityConfig.getUiSecurity())
      .setArtifactId(getArtifactId(deploymentConfiguration.getName()))
      .setHost(authnEnabled ? "0.0.0.0" : getDefaultHost())
      .setEnabled(true);
}