From a1bb83660e159d895a358f55127591d5d68734a2 Mon Sep 17 00:00:00 2001
From: Sven Dolderer
Date: Wed, 8 Jan 2025 16:39:30 +0100
Subject: [PATCH 1/3] added security section to Helm chart #3779
---
 sechub-solution/helm/sechub-server/Chart.yaml | 2 +-
 .../sechub-server/templates/deployment.yaml | 60 ++++++++++++----
 .../helm/sechub-server/values.yaml | 70 +++++++++++++++----
 3 files changed, 106 insertions(+), 26 deletions(-)
diff --git a/sechub-solution/helm/sechub-server/Chart.yaml b/sechub-solution/helm/sechub-server/Chart.yaml
index 251befc2c..c71c21f79 100644
--- a/sechub-solution/helm/sechub-server/Chart.yaml
+++ b/sechub-solution/helm/sechub-server/Chart.yaml
@@ -9,4 +9,4 @@ type: application
 # This is the chart version.
 # This version number should be incremented each time you make changes to the chart and its templates.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2.4.0
+version: 2.5.0
diff --git a/sechub-solution/helm/sechub-server/templates/deployment.yaml b/sechub-solution/helm/sechub-server/templates/deployment.yaml
index 36af3aeaf..1931908c9 100644
--- a/sechub-solution/helm/sechub-server/templates/deployment.yaml
+++ b/sechub-solution/helm/sechub-server/templates/deployment.yaml
@@ -473,22 +473,58 @@ spec:
 - name: SERVER_TOMCAT_ACCESSLOG_PATTERN
 value: "{{ .Values.server.spring.embeddedTomcat.logging.accessLogFormat }}"
 {{- end }}
-{{- if .Values.oauth2.enabled }}
 # ----------------------------------------------------------------------------------------------#
-# - Scope: Oauth2
+# - Scope: security
 # --------------------------------------------------------------------------------------------- #
 # See https://mercedes-benz.github.io/sechub/latest/sechub-operations.html#section-general-configuration
- - name: SECHUB_SECURITY_OAUTH2_MODE
- value: "{{ .Values.oauth2.mode }}"
- - name: SECHUB_SECURITY_OAUTH2_JWK_SET_URI
- value: "{{ .Values.oauth2.jwt.uri }}"
- - name: SECHUB_SECURITY_OAUTH2_OPAQUE_TOKEN_CLIENT_ID
- value: "{{ .Values.oauth2.opaque_token.client_id }}"
- - name: SECHUB_SECURITY_OAUTH2_OPAQUE_TOKEN_CLIENT_SECRET
- value: "{{ .Values.oauth2.opaque_token.client_secret }}"
- - name: SECHUB_SECURITY_OAUTH2_OPAQUE_TOKEN_INTROSPECTION_URI
- value: "{{ .Values.oauth2.opaque_token.introspection_uri }}"
+ - name: SECHUB_SECURITY_SERVER_MODES
+ value: "{{ .Values.security.resourceServer.modes }}"
+ - name: SECHUB_SECURITY_SERVER_OAUTH2_MODE
+ value: "{{ .Values.security.resourceServer.oauth2.mode }}"
+ # OAuth2 mode can be either 'jwt' or 'opaque-token'. Exactly one must be active.
+{{- if eq .Values.security.resourceServer.oauth2.mode "jwt" }}
+ - name: SECHUB_SECURITY_SERVER_OAUTH2_JWT_JWK_SET_URI
+ value: "{{ .Values.security.resourceServer.oauth2.jwt.jwkSetUri }}"
+{{- else if eq .Values.security.resourceServer.oauth2.mode "opaque-token" }}
+ - name: SECHUB_SECURITY_SERVER_OAUTH2_OPAQUE_TOKEN_CLIENT_ID
+ value: "{{ .Values.security.resourceServer.oauth2.opaqueToken.clientId }}"
+ - name: SECHUB_SECURITY_SERVER_OAUTH2_OPAQUE_TOKEN_CLIENT_SECRET
+ value: "{{ .Values.security.resourceServer.oauth2.opaqueToken.clientSecret }}"
+ - name: SECHUB_SECURITY_SERVER_OAUTH2_OPAQUE_TOKEN_INTROSPECTION_URI
+ value: "{{ .Values.security.resourceServer.oauth2.opaqueToken.introspectionUri }}"
 {{- end }}
+ - name: SECHUB_SECURITY_LOGIN_ENABLED
+ value: "{{ .Values.security.login.enabled }}"
+{{- if .Values.security.login.enabled }}
+ - name: SECHUB_SECURITY_LOGIN_LOGIN_PAGE
+ value: "{{ .Values.security.login.loginPage }}"
+ - name: SECHUB_SECURITY_LOGIN_REDIRECT_URI
+ value: "{{ .Values.security.login.redirectUri }}"
+ - name: SECHUB_SECURITY_LOGIN_MODES
+ value: "{{ .Values.security.login.modes }}"
+ {{- if contains "oauth2" .Values.security.login.modes }}
+ - name: SECHUB_SECURITY_LOGIN_OAUTH2_CLIENT_ID
+ value: "{{ .Values.security.login.oauth2.clientId }}"
+ - name: SECHUB_SECURITY_LOGIN_OAUTH2_CLIENT_SECRET
+ value: "{{ .Values.security.login.oauth2.clientSecret }}"
+ - name: SECHUB_SECURITY_LOGIN_OAUTH2_PROVIDER
+ value: "{{ .Values.security.login.oauth2.provider }}"
+ - name: SECHUB_SECURITY_LOGIN_OAUTH2_AUTHORIZATION_URI
+ value: "{{ .Values.security.login.oauth2.uri.authorization }}"
+ - name: SECHUB_SECURITY_LOGIN_OAUTH2_ISSUER_URI
+ value: "{{ .Values.security.login.oauth2.uri.issuer }}"
+ - name: SECHUB_SECURITY_LOGIN_OAUTH2_JWK_SET_URI
+ value: "{{ .Values.security.login.oauth2.uri.jwkSet }}"
+ - name: SECHUB_SECURITY_LOGIN_OAUTH2_REDIRECT_URI
+ value: "{{ .Values.security.login.oauth2.uri.redirect }}"
+ - name: 
SECHUB_SECURITY_LOGIN_OAUTH2_TOKEN_URI
+ value: "{{ .Values.security.login.oauth2.uri.token }}"
+ - name: SECHUB_SECURITY_LOGIN_OAUTH2_USER_INFO_URI
+ value: "{{ .Values.security.login.oauth2.uri.userInfo }}"
+ {{- end }}
+{{- end }}
+ - name: SECHUB_SECURITY_ENCRYPTION_SECRET_KEY
+ value: "{{ .Values.security.encryption.secretKey }}"
 # ----------------------------------------------------------------------------------------------#
 # - Scope: storage
 # --------------------------------------------------------------------------------------------- #
diff --git a/sechub-solution/helm/sechub-server/values.yaml b/sechub-solution/helm/sechub-server/values.yaml
index 291e55c0c..9e929b2b3 100644
--- a/sechub-solution/helm/sechub-server/values.yaml
+++ b/sechub-solution/helm/sechub-server/values.yaml
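Review bot: The three secrets this hunk introduces — `SECHUB_SECURITY_SERVER_OAUTH2_OPAQUE_TOKEN_CLIENT_SECRET`, `SECHUB_SECURITY_LOGIN_OAUTH2_CLIENT_SECRET` and `SECHUB_SECURITY_ENCRYPTION_SECRET_KEY` — are rendered as literal `value:` strings taken straight from values.yaml, so they land in the Deployment manifest, in the Helm release record and in every `kubectl get deploy -o yaml`, instead of in a Kubernetes Secret. I would have each of them read via `valueFrom.secretKeyRef` (Secret name and key as new chart values), keeping a plaintext `value:` at most as a documented fallback for local testing; the sketch below shows the shape for the encryption key, the two client secrets follow the same pattern. Separately, `SECHUB_SECURITY_ENCRYPTION_SECRET_KEY` is emitted even when `security.login.enabled` is false, and an unrecognised `resourceServer.oauth2.mode` silently emits neither the JWT nor the opaque-token variables because the `if`/`else if` has no failing `else`; a `{{- else }}{{ fail "unsupported security.resourceServer.oauth2.mode" }}` branch would surface that at render time. The env list being edited starts above the hunk, so the surrounding container spec is not visible here.
```yaml
# … unchanged: SECHUB_SECURITY_SERVER_MODES / OAUTH2 / LOGIN env entries …
          - name: SECHUB_SECURITY_ENCRYPTION_SECRET_KEY
            valueFrom:
              secretKeyRef:
                name: "{{ .Values.security.encryption.secretRef.name }}"
                key: "{{ .Values.security.encryption.secretRef.key }}"
```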
@@ -155,19 +155,63 @@ go_mmproxy:
 # Choose a "go-mmproxy" docker image. See e.g. https://hub.docker.com/search?q=go-mmproxy
 image: "example.org/go-mmproxy:2.1.0"
-oauth2:
- # Enable Oauth2 authentication
- # Explanation of the modes and parameters: Search for 'oauth2' in documentation
- # https://mercedes-benz.github.io/sechub/latest/sechub-operations.html#section-general-configuration
- enabled: false
- # Choose either 'JWT' or 'OPAQUE_TOKEN'
- mode: JWT
- jwt:
- uri: https://sso.example.org/JWKS
- opaque_token:
- client_id: insert_your_client_id_here
- client_secret: insert_your_client_secret_here
- introspection_uri: https://sso.example.org/introspect.oauth2
+security:
+ # This section configures the application (or server) to be able to authorize incoming requests
+ resourceServer:
+ # The authorization can be configured in 'classic' or 'oauth2' mode. While both are possible, at least
+ # one must be active. Classic mode enables SecHub API Token authorization via basic auth.
+ modes: classic,oauth2
+ # classic: ... (To be implemented)
+ oauth2:
+ # OAuth2 authorization can be either 'jwt' or 'opaque-token'. Exactly one must be active.
+ mode: jwt
+ jwt:
+ # The location of the Json Web Key file. This is a meta data file necessary for JWT token validation.
+ jwkSetUri: https://sso.example.org/JWKS
+ opaqueToken:
+ # Client ID to use for token introspection. May be not the same client used for authentication.
+ clientId: insert_your_introspection_client_id_here
+ # Client secret to use for token introspection.
+ clientSecret: insert_your_introspection_client_secret_here
+ # This is the introspection endpoint of the IDP. For every incoming request this endpoint will be called.
+ introspectionUri: https://sso.example.org/introspect.oauth2
+ # This config defines everything necessary for the application (or server) to be able to offer user authentication.
+ # With this a login page will be available on the application.
+ login:
+ # Whether or not the login is enabled or not
+ enabled: false
+ # Path under which the login page will be hosted on the application (or server).
+ # Must not collide with other existing paths.
+ loginPage: /login
+ # Defines the URI to which the user is redirected after successful login.
+ redirectUri: https://sechub-web.example.org/index.html
+ # The authentication can be configured in 'classic' or 'oauth2' mode.
+ # While both are possible, at least one must be active when login is enabled.
+ modes: classic,oauth2
+ # classic: ... (To be implemented)
+ oauth2:
+ # Client credentials for authentication
+ clientId: insert_your_client_id_here
+ clientSecret: insert_your_client_secret_here
+ # Name of your IDP provider
+ provider: keycloak
+ uri:
+ # The endpoint where users are redirected to authenticate. Usually hosted by the IDP.
+ authorization: https://sso.example.org/authorization.oauth2
+ # Represents the issuing authority
+ issuer: https://sso.example.org/
+ # The endpoint that provides the JSON Web Key Set (JWKS) for verifying token signatures.
+ jwkSet: https://sso.example.org/realms/local-realm/protocol/openid-connect/certs
+ # The URL to which your IDP will redirect the user after they authenticate. This is an endpoint on the application.
+ redirect: https://sso.example.org/login/oauth2/code/keycloak
+ # The endpoint where the application exchanges an authorization code for an access token.
+ token: https://sso.example.org/realms/local-realm/protocol/openid-connect/token
+ # The endpoint used to retrieve user details (e.g., name, email, roles) based on the access token.
+ userInfo: https://sso.example.org/realms/local-realm/protocol/openid-connect/userinfo
+ encryption:
+ # Secret key used to encrypt the access token which is sent back to the user after sucessful authentication (or login).
+ # Must be AES256 compatible (256 bit / 32 byte)
+ secretKey: Insert-your-32-byte-string-here.
 storage:
 local:
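Review bot: The old `oauth2.enabled: false` guard is removed and the new defaults (`resourceServer.modes: classic,oauth2`, `mode: jwt`, `jwkSetUri: https://sso.example.org/JWKS`) together with `encryption.secretKey: Insert-your-32-byte-string-here.` are rendered into the pod unconditionally by the template, so a plain `helm install` now ships OAuth2 pointed at a non-existent IdP and a publicly known token-encryption key — the placeholder is exactly 32 characters, so it satisfies the "256 bit / 32 byte" requirement the comment states and would presumably be accepted as a real key. I would default `modes: classic` and `secretKey: ""` (with a comment that it must be generated, e.g. `openssl rand -base64 24`, and supplied per installation) so the template can fail on a missing key instead of silently using the placeholder; how the server reacts when `oauth2` is listed but the JWKS URI is unreachable I cannot tell from the chart alone. Two comment fixes while here: `May be not the same client used for authentication.` → `May differ from the client used for login.`, and `sucessful` → `successful`.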
From e6ab99e35cfd98b77695de39cf260e514850e5cb Mon Sep 17 00:00:00 2001
From: Sven Dolderer
Date: Thu, 9 Jan 2025 15:37:15 +0100
Subject: [PATCH 2/3] adapted variable names in Helm chart #3779
---
 .../sechub-server/templates/deployment.yaml | 30 +++++++++----------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/sechub-solution/helm/sechub-server/templates/deployment.yaml b/sechub-solution/helm/sechub-server/templates/deployment.yaml
index 1931908c9..e4838ecce 100644
--- a/sechub-solution/helm/sechub-server/templates/deployment.yaml
+++ b/sechub-solution/helm/sechub-server/templates/deployment.yaml
@@ -483,47 +483,47 @@ spec:
 value: "{{ .Values.security.resourceServer.oauth2.mode }}"
 # OAuth2 mode can be either 'jwt' or 'opaque-token'. Exactly one must be active.
 {{- if eq .Values.security.resourceServer.oauth2.mode "jwt" }}
- - name: SECHUB_SECURITY_SERVER_OAUTH2_JWT_JWK_SET_URI
+ - name: SECHUB_SECURITY_SERVER_OAUTH2_JWT_JWKSETURI
 value: "{{ .Values.security.resourceServer.oauth2.jwt.jwkSetUri }}"
 {{- else if eq .Values.security.resourceServer.oauth2.mode "opaque-token" }}
- - name: SECHUB_SECURITY_SERVER_OAUTH2_OPAQUE_TOKEN_CLIENT_ID
+ - name: SECHUB_SECURITY_SERVER_OAUTH2_OPAQUETOKEN_CLIENTID
 value: "{{ .Values.security.resourceServer.oauth2.opaqueToken.clientId }}"
- - name: SECHUB_SECURITY_SERVER_OAUTH2_OPAQUE_TOKEN_CLIENT_SECRET
+ - name: SECHUB_SECURITY_SERVER_OAUTH2_OPAQUETOKEN_CLIENTSECRET
 value: "{{ .Values.security.resourceServer.oauth2.opaqueToken.clientSecret }}"
- - name: SECHUB_SECURITY_SERVER_OAUTH2_OPAQUE_TOKEN_INTROSPECTION_URI
+ - name: SECHUB_SECURITY_SERVER_OAUTH2_OPAQUETOKEN_INTROSPECTIONURI
 value: "{{ .Values.security.resourceServer.oauth2.opaqueToken.introspectionUri }}"
 {{- end }}
 - name: SECHUB_SECURITY_LOGIN_ENABLED
 value: "{{ .Values.security.login.enabled }}"
 {{- if .Values.security.login.enabled }}
- - name: SECHUB_SECURITY_LOGIN_LOGIN_PAGE
+ - name: SECHUB_SECURITY_LOGIN_LOGINPAGE
 value: "{{ .Values.security.login.loginPage }}"
- - name: SECHUB_SECURITY_LOGIN_REDIRECT_URI
+ - name: SECHUB_SECURITY_LOGIN_REDIRECTURI
 value: "{{ .Values.security.login.redirectUri }}"
 - name: SECHUB_SECURITY_LOGIN_MODES
 value: "{{ .Values.security.login.modes }}"
 {{- if contains "oauth2" .Values.security.login.modes }}
- - name: SECHUB_SECURITY_LOGIN_OAUTH2_CLIENT_ID
+ - name: SECHUB_SECURITY_LOGIN_OAUTH2_CLIENTID
 value: "{{ .Values.security.login.oauth2.clientId }}"
- - name: SECHUB_SECURITY_LOGIN_OAUTH2_CLIENT_SECRET
+ - name: SECHUB_SECURITY_LOGIN_OAUTH2_CLIENTSECRET
 value: "{{ .Values.security.login.oauth2.clientSecret }}"
 - name: 
SECHUB_SECURITY_LOGIN_OAUTH2_PROVIDER
 value: "{{ .Values.security.login.oauth2.provider }}"
- - name: SECHUB_SECURITY_LOGIN_OAUTH2_AUTHORIZATION_URI
+ - name: SECHUB_SECURITY_LOGIN_OAUTH2_AUTHORIZATIONURI
 value: "{{ .Values.security.login.oauth2.uri.authorization }}"
- - name: SECHUB_SECURITY_LOGIN_OAUTH2_ISSUER_URI
+ - name: SECHUB_SECURITY_LOGIN_OAUTH2_ISSUERURI
 value: "{{ .Values.security.login.oauth2.uri.issuer }}"
- - name: SECHUB_SECURITY_LOGIN_OAUTH2_JWK_SET_URI
+ - name: SECHUB_SECURITY_LOGIN_OAUTH2_JWKSETURI
 value: "{{ .Values.security.login.oauth2.uri.jwkSet }}"
- - name: SECHUB_SECURITY_LOGIN_OAUTH2_REDIRECT_URI
+ - name: SECHUB_SECURITY_LOGIN_OAUTH2_REDIRECTURI
 value: "{{ .Values.security.login.oauth2.uri.redirect }}"
- - name: SECHUB_SECURITY_LOGIN_OAUTH2_TOKEN_URI
+ - name: SECHUB_SECURITY_LOGIN_OAUTH2_TOKENURI
 value: "{{ .Values.security.login.oauth2.uri.token }}"
- - name: SECHUB_SECURITY_LOGIN_OAUTH2_USER_INFO_URI
+ - name: SECHUB_SECURITY_LOGIN_OAUTH2_USERINFOURI
 value: "{{ .Values.security.login.oauth2.uri.userInfo }}"
 {{- end }}
 {{- end }}
- - name: SECHUB_SECURITY_ENCRYPTION_SECRET_KEY
+ - name: SECHUB_SECURITY_ENCRYPTION_SECRETKEY
 value: "{{ .Values.security.encryption.secretKey }}"
 # ----------------------------------------------------------------------------------------------#
 # - Scope: storage
From 2634eb9f993cbe522786235b8b59bea4c3256313 Mon Sep 17 00:00:00 2001
From: Sven Dolderer
Date: Fri, 10 Jan 2025 12:23:04 +0100
Subject: [PATCH 3/3] PR suggestion added #3779
---
 sechub-solution/helm/sechub-server/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sechub-solution/helm/sechub-server/values.yaml b/sechub-solution/helm/sechub-server/values.yaml
index 9e929b2b3..1061e8da4 100644
--- a/sechub-solution/helm/sechub-server/values.yaml
+++ b/sechub-solution/helm/sechub-server/values.yaml
@@ -194,7 +194,7 @@ security:
 clientId: insert_your_client_id_here
 clientSecret: insert_your_client_secret_here
 # Name of your IDP provider
- provider: keycloak
+ provider: example-provider
 uri:
 # The endpoint where users are redirected to authenticate. Usually hosted by the IDP.
 authorization: https://sso.example.org/authorization.oauth2
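Review bot: Renaming the example `provider` to `example-provider` leaves `uri.redirect`, a few lines below this hunk and outside it, still set to `https://sso.example.org/login/oauth2/code/keycloak`, so the example now contradicts itself: the comment says the redirect is an endpoint on the application, yet the host is the IdP and the last path segment still carries the old `keycloak` name. I would change that line to `redirect: https://sechub.example.org/login/oauth2/code/example-provider` — the host being wherever this server is reached — and add `# Must be registered at the IDP; the last path segment is expected to match 'provider' above` next to it, if that is indeed how the server derives its callback path (I cannot confirm the mapping from the chart alone).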