Merge pull request #5074 from vpavic:multiple-management-roles

* pr/5074:
  Polish contribution
  Support configuration of multiple management roles
This commit is contained in:
Stephane Nicoll
2016-05-23 18:40:57 +02:00
7 changed files with 75 additions and 14 deletions

View File

@@ -196,8 +196,8 @@ public class CrshAutoConfiguration {
// overridden by ConfigurationProperties.
SpringAuthenticationProperties authenticationProperties = new SpringAuthenticationProperties();
if (this.management != null) {
authenticationProperties.setRoles(
new String[] { this.management.getSecurity().getRole() });
List<String> roles = this.management.getSecurity().getRoles();
authenticationProperties.setRoles(roles.toArray(new String[roles.size()]));
}
return authenticationProperties;
}

View File

@@ -17,6 +17,8 @@
package org.springframework.boot.actuate.autoconfigure;
import java.net.InetAddress;
import java.util.Collections;
import java.util.List;
import javax.validation.constraints.NotNull;
@@ -33,6 +35,7 @@ import org.springframework.util.StringUtils;
*
* @author Dave Syer
* @author Stephane Nicoll
* @author Vedran Pavic
* @see ServerProperties
*/
@ConfigurationProperties(prefix = "management", ignoreUnknownFields = true)
@@ -160,9 +163,9 @@ public class ManagementServerProperties implements SecurityPrerequisite {
private boolean enabled = true;
/**
* Role required to access the management endpoint.
* Comma-separated list of roles that can access the management endpoint.
*/
private String role = "ADMIN";
private List<String> roles = Collections.singletonList("ADMIN");
/**
* Session creating policy to use (always, never, if_required, stateless).
@@ -177,12 +180,17 @@ public class ManagementServerProperties implements SecurityPrerequisite {
this.sessions = sessions;
}
public void setRole(String role) {
this.role = role;
public void setRoles(List<String> roles) {
this.roles = roles;
}
public String getRole() {
return this.role;
@Deprecated
public void setRole(String role) {
this.roles = Collections.singletonList(role);
}
public List<String> getRoles() {
return this.roles;
}
public boolean isEnabled() {

View File

@@ -124,7 +124,7 @@ public class ManagementWebSecurityAutoConfiguration {
public void init() {
if (this.management != null && this.security != null) {
this.security.getUser().getRole()
.add(this.management.getSecurity().getRole());
.addAll(this.management.getSecurity().getRoles());
}
}
@@ -296,8 +296,9 @@ public class ManagementWebSecurityAutoConfiguration {
// Permit access to the non-sensitive endpoints
requests.requestMatchers(new LazyEndpointPathRequestMatcher(
this.contextResolver, EndpointPaths.NON_SENSITIVE)).permitAll();
// Restrict the rest to the configured role
requests.anyRequest().hasRole(this.management.getSecurity().getRole());
// Restrict the rest to the configured roles
List<String> roles = this.management.getSecurity().getRoles();
requests.anyRequest().hasAnyRole(roles.toArray(new String[roles.size()]));
}
}

View File

@@ -163,6 +163,15 @@
"description": "Enable git info.",
"defaultValue": true
},
{
"name": "management.security.role",
"type": "java.lang.String",
"description": "Roles required to access the management endpoint.",
"defaultValue": "ADMIN",
"deprecation": {
"replacement": "management.security.roles"
}
},
{
"name": "spring.git.properties",
"type": "java.lang.String",

View File

@@ -16,8 +16,14 @@
package org.springframework.boot.actuate.autoconfigure;
import org.junit.After;
import org.junit.Test;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.boot.test.util.EnvironmentTestUtils;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Configuration;
import static org.assertj.core.api.Assertions.assertThat;
/**
@@ -28,6 +34,15 @@ import static org.assertj.core.api.Assertions.assertThat;
*/
public class ManagementServerPropertiesAutoConfigurationTests {
private AnnotationConfigApplicationContext context;
@After
public void close() {
if (this.context != null) {
this.context.close();
}
}
@Test
public void defaultManagementServerProperties() {
ManagementServerProperties properties = new ManagementServerProperties();
@@ -58,4 +73,32 @@ public class ManagementServerPropertiesAutoConfigurationTests {
assertThat(properties.getContextPath()).isEqualTo("");
}
@Test
@Deprecated
public void managementRoleSetRolesProperly() {
ManagementServerProperties properties = load("management.security.role=FOO");
assertThat(properties.getSecurity().getRoles()).containsOnly("FOO");
}
@Test
public void managementRolesSetMultipleRoles() {
ManagementServerProperties properties = load("management.security.roles=FOO,BAR,BIZ");
assertThat(properties.getSecurity().getRoles()).containsOnly("FOO", "BAR", "BIZ");
}
public ManagementServerProperties load(String... environment) {
AnnotationConfigApplicationContext ctx = new AnnotationConfigApplicationContext();
EnvironmentTestUtils.addEnvironment(ctx, environment);
ctx.register(TestConfiguration.class);
ctx.refresh();
this.context = ctx;
return this.context.getBean(ManagementServerProperties.class);
}
@Configuration
@EnableConfigurationProperties(ManagementServerProperties.class)
static class TestConfiguration {
}
}

View File

@@ -996,7 +996,7 @@ content into your application; rather pick only the properties that you need.
management.context-path= # Management endpoint context-path. For instance `/actuator`
management.port= # Management endpoint HTTP port. Use the same port as the application by default.
management.security.enabled=true # Enable security.
management.security.role=ADMIN # Role required to access the management endpoint.
management.security.roles=ADMIN # Comma-separated list of roles that can access the management endpoint.
management.security.sessions=stateless # Session creating policy to use (always, never, if_required, stateless).
# HEALTH INDICATORS (previously health.*)

View File

@@ -520,14 +520,14 @@ TIP: Generated passwords are logged as the application starts. Search for '`Usin
security password`'.
You can use Spring properties to change the username and password and to change the
security role required to access the endpoints. For example, you might set the following
security role(s) required to access the endpoints. For example, you might set the following
in your `application.properties`:
[source,properties,indent=0]
----
security.user.name=admin
security.user.password=secret
management.security.role=SUPERUSER
management.security.roles=SUPERUSER
----
TIP: If you don't use Spring Security and your HTTP endpoints are exposed publicly,