From 691ecb031f0f76f0f902c8ca668790126a92a264 Mon Sep 17 00:00:00 2001 From: Chris Malloy Date: Tue, 17 Sep 2024 11:01:54 -0300 Subject: [PATCH] Added info --- .github/workflows/docker-publish.yml | 3 +++ .github/workflows/release.yml | 3 +++ README.md | 9 +++++++- pom.xml | 2 +- .../jasper/config/SecurityConfiguration.java | 22 +++++++++++++++++-- src/main/resources/banner.txt | 2 +- 6 files changed, 36 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 815b06cc..5aeea6eb 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -29,6 +29,9 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 + - name: Set Version + run: sed -i.bak "s/.*-SNAPSHOT<\/version>/${{ github.ref_name }}<\/version>/" pom.xml + # Install the cosign tool # https://github.com/sigstore/cosign-installer # - name: Install cosign diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 982159f5..9da93727 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,6 +30,9 @@ jobs: key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} restore-keys: ${{ runner.os }}-m2 + - name: Set Version + run: sed -i.bak "s/.*-SNAPSHOT<\/version>/${{ github.ref_name }}<\/version>/" pom.xml + - name: Build with Maven run: ./mvnw -B package -Dmaven.test.skip diff --git a/README.md b/README.md index e2536b3c..33a6d2a2 100644 --- a/README.md +++ b/README.md 
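Review bot: The `Set Version` step added to docker-publish.yml expands `${{ github.ref_name }}` directly inside the `run:` script, so the ref name is pasted into the shell command and the sed expression before either is parsed; the identical step added to release.yml has the same problem. A ref name is chosen by whoever pushes the branch or tag, and a name containing `/` or `&` also breaks or alters the `s/…/…/` substitution. Pass the value through the environment instead: add `env:` with `REF_NAME: ${{ github.ref_name }}` to the step and use `$REF_NAME` in the script, after checking that it matches the expected version pattern. It would also help to fail the job when nothing was replaced, because sed exits 0 on no match and the build would then carry the placeholder version.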
@@ -405,7 +405,7 @@ It supports the following configuration options:
 | `JASPER_CLEAR_CACHE_COOLDOWN_SEC` | Number of seconds to throttle clearing the config cache. | `2` |
 | `JASPER_PUSH_COOLDOWN_SEC` | Number of seconds to throttle pushing after modification. | `1` |
 | `JASPER_LOCAL_ORIGIN` | The origin of this server, unless overridden in a header or auth token. | `false` |
-| `JASPER_ALLOW_LOCAL_ORIGIN_HEADER` | Allow overriding the local origin via the `Local-Origin` header. | `false` |
+| `JASPER_ALLOW_LOCAL_ORIGIN_HEADER` | Allow overriding the local origin via the `Local-Origin` header. Only set this if you set in reverse proxy. | `false` |
 | `JASPER_ALLOW_USER_TAG_HEADER` | Allow pre-authentication of a user via the `User-Tag` header. | `false` |
 | `JASPER_ALLOW_USER_ROLE_HEADER` | Allows escalating user role via `User-Role` header. | `false` |
 | `JASPER_ALLOW_AUTH_HEADERS` | Allow adding additional user permissions via `Read-Access`, `Write-Access`, `Tag-Read-Access`, and `Tag-Write-Access` headers. | `false` |
@@ -448,6 +448,13 @@ It supports the following configuration options: | `JASPER_OVERRIDE_SECURITY_SCIM_ENDPOINT` | Override the security scimEndpoint for all origins. | | | `JASPER_HEAP` | Set both max and initial heap size for the JVM. Only applies to the docker container. | `512m` | +### Multi-tenant +When run with the default settings, the local origin is set to `""`. This means all origins are visible. +If you change the local origin to something else, like `@other`, you can only see sub-origins, like `@other.one`. +You can change the local origin with a HTTP header to use the server in multi-tenant mode. If you login though a +reverse-proxy or gateway that sets the local origin back to `""` you will still be able to see all origins. +You can also run workers in their own origin as a sandbox. + ### Profiles Setting the active profiles is done through the `SPRING_PROFILES_ACTIVE` environment variable. Multiple profiles can be activated by adding them all as a comma diff --git a/pom.xml b/pom.xml index f502c0a1..347d67c8 100644 --- a/pom.xml +++ b/pom.xml @@ -10,7 +10,7 @@ jasper jasper - 1.2.0-SNAPSHOT + 1.2.479-SNAPSHOT jasper Knowledge graph server diff --git a/src/main/java/jasper/config/SecurityConfiguration.java b/src/main/java/jasper/config/SecurityConfiguration.java index 019db162..ab225ad5 100644 --- a/src/main/java/jasper/config/SecurityConfiguration.java +++ b/src/main/java/jasper/config/SecurityConfiguration.java @@ -37,6 +37,7 @@ import static jasper.security.AuthoritiesConstants.MOD; import static jasper.security.AuthoritiesConstants.USER; import static jasper.security.AuthoritiesConstants.VIEWER; +import static org.apache.commons.lang3.ArrayUtils.isEmpty; import static org.apache.commons.lang3.StringUtils.isNotBlank; @EnableWebSecurity 
@@ -74,6 +75,25 @@ void init() {
 logger.error("==================================================");
 logger.error("==================================================");
 }
+ logger.warn("==================================================");
+ logger.warn("==================================================");
+ logger.warn("DEFAULT ROLE: {}", props.getDefaultRole());
+ logger.warn("DEFAULT READ ACCESS: {}", isEmpty(props.getDefaultReadAccess()) ? "" : String.join(", ", props.getDefaultReadAccess()));
+ logger.warn("DEFAULT WRITE ACCESS: {}", isEmpty(props.getDefaultWriteAccess()) ? "" : String.join(", ", props.getDefaultWriteAccess()));
+ logger.warn("DEFAULT TAG READ ACCESS: {}", isEmpty(props.getDefaultTagReadAccess()) ? "" : String.join(", ", props.getDefaultTagReadAccess()));
+ logger.warn("DEFAULT TAG WRITE ACCESS: {}", isEmpty(props.getDefaultTagWriteAccess()) ? "" : String.join(", ", props.getDefaultTagWriteAccess()));
+ logger.warn("MAX ROLE: {}", props.getMaxRole());
+ logger.warn("MIN ROLE: {}", props.getMinRole());
+ logger.warn("MIN WRITE ROLE: {}", props.getMinWriteRole());
+ logger.warn("MIN CONFIG ROLE: {}", props.getMinConfigRole());
+ logger.warn("MIN READ BACKUPS ROLE: {}", props.getMinReadBackupsRole());
+ logger.warn("AUTH HEADERS: {}", props.isAllowAuthHeaders() ? "ENABLED" : "-");
+ logger.warn("USER HEADERS: {}", props.isAllowUserTagHeader() ? "ENABLED" : "-");
+ logger.warn("ROLE HEADERS: {}", props.isAllowUserRoleHeader() ? "ENABLED" : "-");
+ logger.warn("ROLE HEADERS: {}", props.isAllowLocalOriginHeader() ? "ENABLED" : "-");
+ logger.warn("ORIGIN HEADERS: {}", props.isAllowLocalOriginHeader() ? "ENABLED" : "-");
+ logger.warn("==================================================");
+ logger.warn("==================================================");
 }

 private boolean profile(String profile) {
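Review bot: The second `ROLE HEADERS` line in the added startup summary reads `props.isAllowLocalOriginHeader()`, so the log prints `ROLE HEADERS` twice and the second value actually reflects the origin-header switch, which the following `ORIGIN HEADERS` line already reports. An operator reading this summary to confirm which trust headers are honoured can misread the role-header state; delete the line `logger.warn("ROLE HEADERS: {}", props.isAllowLocalOriginHeader() ? "ENABLED" : "-");`. The summary is also written at WARN on every start, even when every header switch is off, which dilutes the `logger.error` block just above it; consider `logger.info` for the summary and reserving WARN for lines that print `ENABLED`. init() starts before this hunk, so the condition guarding the error block is not visible here.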
@@ -126,8 +146,6 @@ public AuthenticationManager noopAuthenticationManager() { @Bean JWTConfigurer securityConfigurerAdapter() { - logger.info("Maximum Role: {}", props.getMaxRole()); - logger.info("Minimum Role: {}", props.getMinRole()); return new JWTConfigurer(props, tokenProvider, defaultTokenProvider, configs); } diff --git a/src/main/resources/banner.txt b/src/main/resources/banner.txt index 50a171d1..a3232a12 100644 --- a/src/main/resources/banner.txt +++ b/src/main/resources/banner.txt @@ -6,5 +6,5 @@ ${AnsiColor.160} | |__| | (_| \__ \ |_) | __/ | ${AnsiColor.124} \____/ \__,_|___/ .__/ \___|_| ${AnsiColor.88} | | ${AnsiColor.52} |_| -${AnsiColor.1} ${application.title} ${AnsiColor.DEFAULT}(${application.version}) +${AnsiColor.1} ${application.title} ${AnsiColor.DEFAULT}(${application.version}) ${AnsiColor.2} :: Spring Boot :: ${AnsiColor.DEFAULT}(${spring-boot.version})