use of com.netflix.spinnaker.halyard.config.model.v1.security.Security in project halyard by spinnaker.
the class GateProfileFactory method setProfile.
/**
 * Fills in the Gate profile for a deployment.
 *
 * <p>Once the superclass has populated the profile, this gathers the files returned by
 * {@code backupRequiredFiles} for the API-security, authn and authz sections, builds the
 * {@code GateConfig} for the Gate service endpoint, and sets its CORS allowed-origins pattern
 * from the API security settings. The serialized Gate config is appended before the profile's
 * base contents, and the gathered files are registered as the profile's required files.
 *
 * @param profile the profile to populate
 * @param deploymentConfiguration deployment whose security settings drive the Gate config
 * @param endpoints runtime settings that supply the Gate service endpoint
 */
@Override
public void setProfile(Profile profile, DeploymentConfiguration deploymentConfiguration, SpinnakerRuntimeSettings endpoints) {
  super.setProfile(profile, deploymentConfiguration, endpoints);

  Security security = deploymentConfiguration.getSecurity();

  // Files referenced by the three security sections are backed up alongside the profile.
  // NOTE(review): these are presumably keystores, certificates or provider metadata; if so,
  // the backed-up copies need the same access restrictions as the originals. Confirm.
  List<String> securityFiles =
      backupRequiredFiles(security.getApiSecurity(), deploymentConfiguration.getName());
  securityFiles.addAll(
      backupRequiredFiles(security.getAuthn(), deploymentConfiguration.getName()));
  securityFiles.addAll(
      backupRequiredFiles(security.getAuthz(), deploymentConfiguration.getName()));

  GateConfig gate = getGateConfig(endpoints.getServices().getGate(), security);

  // The CORS allowed-origins pattern is taken from the API security settings.
  // NOTE(review): how the pattern is derived is not visible here; a broad pattern widens the
  // set of browser origins allowed to call Gate, so confirm the derivation is restrictive.
  gate.getCors().setAllowedOriginsPattern(security.getApiSecurity());

  String gateYaml = yamlToString(gate);
  profile
      .appendContents(gateYaml)
      .appendContents(profile.getBaseContents())
      .setRequiredFiles(securityFiles);
}
use of com.netflix.spinnaker.halyard.config.model.v1.security.Security in project halyard by spinnaker.
the class DCOSAccountValidator method validateClusters.
/**
 * Validates the cluster credentials attached to a DC/OS account.
 *
 * <p>Reports an error for every cluster the account references that is not a {@code DCOSCluster}
 * child of the account's parent node, and for every repeated (cluster name, user id) pair. For
 * each credential it also warns when neither a password nor a service key file is set, reports
 * an error when both are set, and reports an error when the service key file resolves to empty
 * content.
 *
 * @param problems collector that receives the warnings and errors
 * @param account the account whose cluster credentials are checked
 */
private void validateClusters(final ConfigProblemSetBuilder problems, final DCOSAccount account) {
  // Collect the names of all DCOSCluster nodes under the account's parent.
  final Set<String> definedClusters = new HashSet<>();
  final NodeIterator siblings = account.getParent().getChildren();
  for (Node node = siblings.getNext(); node != null; node = siblings.getNext()) {
    if (node instanceof DCOSCluster) {
      definedClusters.add(((DCOSCluster) node).getName());
    }
  }

  // Whatever remains after removing the defined names is referenced but not defined.
  final Set<String> undefinedClusters =
      account.getClusters().stream().map(c -> c.getName()).collect(Collectors.toSet());
  undefinedClusters.removeAll(definedClusters);
  for (String clusterName : undefinedClusters) {
    problems
        .addProblem(ERROR, "Cluster \"" + clusterName.toString() + "\" not defined for provider")
        .setRemediation("Add cluster to the provider or remove from the account")
        .setOptions(Lists.newArrayList(definedClusters));
  }

  final Set<List<String>> seenCredentials = new HashSet<>();
  account.getClusters().forEach(credential -> {
    // Set.add returns false when this (cluster name, uid) pair has already been recorded.
    if (!seenCredentials.add(Lists.newArrayList(credential.getName(), credential.getUid()))) {
      problems
          .addProblem(ERROR, "Account contains duplicate credentials for cluster \"" + credential.getName() + "\" and user id \"" + credential.getUid() + "\".")
          .setRemediation("Remove the duplicate credentials");
    }

    final boolean passwordMissing = Strings.isStringEmpty(credential.getPassword());
    final boolean keyFileMissing = Strings.isStringEmpty(credential.getServiceKeyFile());

    // We can connect without a password, so a credential with no secret is only a warning;
    // it is valid only against a cluster that has security disabled.
    if (passwordMissing && keyFileMissing) {
      problems
          .addProblem(WARNING, "Account has no password or service key. Unless the cluster has security disabled this may be an error")
          .setRemediation("Add a password or service key.");
    } else if (!passwordMissing && !keyFileMissing) {
      problems
          .addProblem(ERROR, "Account has both a password and service key")
          .setRemediation("Remove either the password or service key.");
    }

    if (!keyFileMissing) {
      // The file is read only to confirm it resolves to non-empty content. The value is key
      // material, so it stays local and is never placed in a problem message.
      // NOTE(review): ValidatingFileReader is handed `problems` and may record its own
      // read failures; confirm it does not echo file contents.
      String resolvedServiceKey =
          ValidatingFileReader.contents(problems, credential.getServiceKeyFile());
      if (Strings.isStringEmpty(resolvedServiceKey)) {
        problems
            .addProblem(ERROR, "The supplied service key file does not exist or is empty.")
            .setRemediation("Supply a valid service key file.");
      }
    }
  });
}
use of com.netflix.spinnaker.halyard.config.model.v1.security.Security in project halyard by spinnaker.
the class SecurityValidator method validate.
/**
 * Warns when a Distributed deployment has no override base URL for the API or the UI.
 *
 * <p>Only the presence of the two override base URLs is inspected. For {@code LocalDebian}
 * deployments, and for any other environment type, nothing is reported.
 *
 * <p>NOTE(review): this method does not check whether an authentication mechanism is
 * configured when the override URLs are set; presumably other validators cover the authn
 * settings. Confirm, since setting the URLs is what makes the services externally reachable.
 *
 * @param p collector that receives the warning
 * @param n the security node being validated
 */
@Override
public void validate(ConfigProblemSetBuilder p, Security n) {
  DeploymentConfiguration deployment = n.parentOfType(DeploymentConfiguration.class);

  // True when either the API or the UI override base URL is unset.
  boolean missingOverrideUrl =
      StringUtils.isEmpty(n.getApiSecurity().getOverrideBaseUrl())
          || StringUtils.isEmpty(n.getUiSecurity().getOverrideBaseUrl());

  switch (deployment.getDeploymentEnvironment().getType()) {
    case Distributed:
      if (missingOverrideUrl) {
        String message =
            "Your UI or API domain does not have override base URLs set "
                + "even though your Spinnaker deployment is a Distributed deployment on a remote cloud provider. "
                + "As a result, you will need to open SSH tunnels against that deployment to access Spinnaker.";
        // TODO(lwander) point to a guide here
        String remediation =
            "We recommend that you instead configure an authentication mechanism (OAuth2, SAML2, or x509) "
                + "to make it easier to access Spinnaker securely, and then register the intended Domain and IP addresses "
                + "that your publicly facing services will be using.";
        p.addProblem(Problem.Severity.WARNING, message).setRemediation(remediation);
      }
      break;
    case LocalDebian:
      // Nothing to report for a local Debian install.
      break;
  }
}
use of com.netflix.spinnaker.halyard.config.model.v1.security.Security in project halyard by spinnaker.
the class SecurityService method setSecurity.
/**
 * Replaces the whole security configuration of the named deployment.
 *
 * <p>The deployment is looked up through {@code deploymentService} and its security node is
 * overwritten with {@code newSecurity}. This method performs no validation of the new settings.
 *
 * <p>NOTE(review): because the authn, authz and API/UI security settings are swapped in one
 * step, callers are presumably expected to validate the result before it is applied. Confirm.
 *
 * @param deploymentName name of the deployment to update
 * @param newSecurity security configuration to install
 */
public void setSecurity(String deploymentName, Security newSecurity) {
  deploymentService.getDeploymentConfiguration(deploymentName).setSecurity(newSecurity);
}