Details
-
Story
-
Resolution: Done
-
Critical
-
None
-
None
-
False
-
-
False
Description
As a developer, I need to protect the different endpoints so they're only used for their intended uses.
Use information from the request headers to map them to defined openapi security schemes.
| Security Scheme | Description | Relevant headers |
|---|---|---|
| support | API is available for support operations | x-rh-identity |
| service | API is available for services | x-rh-swatch-psk |
| test | API is available for testing purposes (pre-production environments only) | x-rh-swatch-psk |
Note: the "test" role can be granted to any principal, but should only be granted in preprod environments, and this grant should disabled by default (via a template param/environment variable).
Additionally, a unit test should be added that ensures that all the request methods are annotated as specified in the API spec; i.e. the applied role annotations should match the io.swagger.annotations.Authorization values.
In order to prevent accidentally open API endpoints, let's also use quarkus.security.jaxrs.deny-unannotated-endpoints=true. This will ensure that keeping an endpoint completely open must be a deliberate, explicit choice.
There is code in "the monolith" that does this with spring security. This card should be used port it to quarkus. See https://quarkus.io/guides/security-authorization-of-web-endpoints-reference
QE note: Once this implemented, the test endpoints will be inaccessible until the follow up card is implemented.
Done:
- Test endpoints CANNOT be used in stage
Attachments
Issue Links
- blocks
-
SWATCH-851 Deploy swatch-contracts to prod
-
- Closed
-
-
-
- Closed
-