From ef687e8a996e7b95b067849b539ffaaed0b1c980 Mon Sep 17 00:00:00 2001
From: "Badr.NassLahsen"
Date: Sat, 29 Jul 2023 15:19:04 +0200
Subject: [PATCH] Add property to prevent scanning all @Value annotation by default.
---
 README.md | 21 ++++----
 .../springboot/constant/ConjurConstant.java | 6 ++-
 .../springboot/domain/ConjurProperties.java | 24 +++++++++
 .../SpringBootConjurAutoConfiguration.java | 17 +++---
 .../ConjurCloudProcessorScanTest.java | 53 +++++++++++++++++++
 5 files changed, 103 insertions(+), 18 deletions(-)
 create mode 100644 src/test/java/com/cyberark/conjur/springboot/processor/ConjurCloudProcessorScanTest.java
diff --git a/README.md b/README.md
index 5f07c137..ae5c5254 100644
--- a/README.md
+++ b/README.md
@@ -333,16 +333,17 @@ For example:`appliance_url` is `CONJUR_APPLIANCE_URL`, `account` is `CONJUR_ACCO
 If no other configuration is done (e.g. over system properties or CLI parameters), include the following environment variables in the app's runtime environment to use the Spring Boot Plugin.
-| Name | Environment ID | Description | API KEY | JWT |
-| ----------------------- | ----------------------- | -------------------------- | ------- | ---- |
-| Conjur Account | CONJUR_ACCOUNT | Account to connect | Yes | Yes |
-| API key | CONJUR_AUTHN_API_KEY | User/host API Key/password | Yes | No |
-| Connection url | CONJUR_APPLIANCE_URL | Conjur instance to connect | Yes | Yes |
-| User/host identity | CONJUR_AUTHN_LOGIN | User /host identity | Yes | No |
-| SSL Certificate Path | CONJUR_CERT_FILE | Path to certificate file | Yes | Yes |
-| SSL Certificate Content | CONJUR_SSL_CERTIFICATE | Certificate content | Yes | Yes |
-| Path of the JWT Token | CONJUR_JWT_TOKEN_PATH | Path of the JWT Token | No | Yes |
-| Conjur authenticator ID | CONJUR_AUTHENTICATOR_ID | Conjur authenticator ID | No | Yes |
+| Name | Environment ID | Description | API KEY | JWT |
+|-------------------------| --------------------- |-------------------------------------------------------------------------------------| ------- | ---- |
+| Conjur Account | CONJUR_ACCOUNT | Account to connect | Yes | Yes |
+| API key | CONJUR_AUTHN_API_KEY | User/host API Key/password | Yes | No |
+| Connection url | CONJUR_APPLIANCE_URL | Conjur instance to connect | Yes | Yes |
+| User/host identity | CONJUR_AUTHN_LOGIN | User /host identity | Yes | No |
+| SSL Certificate Path | CONJUR_CERT_FILE | Path to certificate file | Yes | Yes |
+| SSL Certificate Content | CONJUR_SSL_CERTIFICATE | Certificate content | Yes | Yes |
+| Path of the JWT Token | CONJUR_JWT_TOKEN_PATH | Path of the JWT Token | No | Yes |
+| Conjur authenticator ID | CONJUR_AUTHENTICATOR_ID | Conjur authenticator ID | No | Yes |
+| Conjur Scan All @Values | CONJUR_SCANALLVALUES | Property to enable Conjur to scan for all `@Values` annotations - default is `false` | Yes | Yes |
 Only one CONJUR_CERT_FILE and CONJUR_SSL_CERTIFICATE is required. There are two variables to allow the user to specify the path to a certificate file or provide the certificate data directly in an environment variable.
diff --git a/src/main/java/com/cyberark/conjur/springboot/constant/ConjurConstant.java b/src/main/java/com/cyberark/conjur/springboot/constant/ConjurConstant.java
index 238abdf1..44c20d76 100644
--- a/src/main/java/com/cyberark/conjur/springboot/constant/ConjurConstant.java
+++ b/src/main/java/com/cyberark/conjur/springboot/constant/ConjurConstant.java
@@ -72,5 +72,9 @@ public class ConjurConstant {
 * The constant KUBERNETES_PREFIX.
 */
 public static final String KUBERNETES_PREFIX = "kubernetes";
-
+
+ /**
+ * The constant CONJUR_SCAN_ALL_VALUES.
+ */
+ public static final String CONJUR_SCAN_ALL_VALUES = "conjur.scan-all-values";
 }
diff --git a/src/main/java/com/cyberark/conjur/springboot/domain/ConjurProperties.java b/src/main/java/com/cyberark/conjur/springboot/domain/ConjurProperties.java
index bf2152ab..bfd48738 100644
--- a/src/main/java/com/cyberark/conjur/springboot/domain/ConjurProperties.java
+++ b/src/main/java/com/cyberark/conjur/springboot/domain/ConjurProperties.java
@@ -56,6 +56,11 @@ public class ConjurProperties{
 */
 private String authenticatorId;
+ /**
+ * The Scan all values.
+ */
+ private boolean scanAllValues;
+
 /**
 * Gets account.
 *
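Review bot: The Javadoc on the new `scanAllValues` field in ConjurProperties.java (`The Scan all values.`) does not say what the flag controls or that it is off by default, and the accessor Javadoc in the next hunk (`Is scan all values boolean.`, `@return the boolean`) has the same gap. The README row added in this patch describes it as the property that enables scanning of all `@Value` annotations, so I would put that on the field, for example `Whether all {@code @Value} annotations are scanned by the Conjur processor; defaults to {@code false}.`, and reuse the sentence for `@return` and `@param`. The class body continues outside the hunk.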
@@ -218,6 +223,24 @@ public void setAuthenticatorId(String authenticatorId) {
 this.authenticatorId = authenticatorId;
 }
+ /**
+ * Is scan all values boolean.
+ *
+ * @return the boolean
+ */
+ public boolean isScanAllValues() {
+ return scanAllValues;
+ }
+
+ /**
+ * Sets scan all values.
+ *
+ * @param scanAllValues the scan all values
+ */
+ public void setScanAllValues(boolean scanAllValues) {
+ this.scanAllValues = scanAllValues;
+ }
+
 @Override
 public String toString() {
 return "ConjurProperties{" +
@@ -230,6 +253,7 @@ public String toString() {
 ", sslCertificate='" + sslCertificate + '\'' +
 ", jwtTokenPath='" + jwtTokenPath + '\'' +
 ", authenticatorId='" + authenticatorId + '\'' +
+ ", scanAllValues=" + scanAllValues +
 '}';
 }
 }
\ No newline at end of file
diff --git a/src/main/java/com/cyberark/conjur/springboot/processor/SpringBootConjurAutoConfiguration.java b/src/main/java/com/cyberark/conjur/springboot/processor/SpringBootConjurAutoConfiguration.java
index c509c05c..323d9172 100644
--- a/src/main/java/com/cyberark/conjur/springboot/processor/SpringBootConjurAutoConfiguration.java
+++ b/src/main/java/com/cyberark/conjur/springboot/processor/SpringBootConjurAutoConfiguration.java
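Review bot: While `toString()` in ConjurProperties.java is being extended, it is worth confirming that it does not print the API key: only the tail of the method is visible in the second hunk here (`sslCertificate`, `jwtTokenPath`, `authenticatorId`), so the earlier concatenations cannot be checked from this patch. If they include the key that the README table lists as `CONJUR_AUTHN_API_KEY`, any log line or exception message that formats this object would carry the credential. In that case I would print a fixed marker in its place rather than the value. The new `scanAllValues` entry itself is harmless to print.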
@@ -1,19 +1,21 @@
 package com.cyberark.conjur.springboot.processor;
-import static com.cyberark.conjur.springboot.constant.ConjurConstant.CONJUR_PREFIX;
-
+import com.cyberark.conjur.sdk.endpoint.SecretsApi;
+import com.cyberark.conjur.springboot.core.env.AccessTokenProvider;
+import com.cyberark.conjur.springboot.core.env.ConjurConnectionManager;
+import com.cyberark.conjur.springboot.core.env.ConjurPropertySource;
+import com.cyberark.conjur.springboot.domain.ConjurProperties;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import com.cyberark.conjur.sdk.endpoint.SecretsApi;
-import com.cyberark.conjur.springboot.core.env.AccessTokenProvider;
-import com.cyberark.conjur.springboot.core.env.ConjurConnectionManager;
-import com.cyberark.conjur.springboot.core.env.ConjurPropertySource;
-import com.cyberark.conjur.springboot.domain.ConjurProperties;
+import static com.cyberark.conjur.springboot.constant.ConjurConstant.CONJUR_PREFIX;
+import static com.cyberark.conjur.springboot.constant.ConjurConstant.CONJUR_SCAN_ALL_VALUES;
 @Configuration(proxyBeanMethods = false)
@@ -60,6 +62,7 @@ ConjurProperties conjurProperties(){
 @ConditionalOnMissingBean(ConjurPropertySource.class)
+ @ConditionalOnProperty(name = CONJUR_SCAN_ALL_VALUES)
 @Bean
 static ConjurCloudProcessor conjurCloudProcessor(SecretsApi secretsApi) {
diff --git a/src/test/java/com/cyberark/conjur/springboot/processor/ConjurCloudProcessorScanTest.java b/src/test/java/com/cyberark/conjur/springboot/processor/ConjurCloudProcessorScanTest.java
new file mode 100644
index 00000000..cd661a8e
--- /dev/null
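Review bot: `@ConditionalOnProperty(name = CONJUR_SCAN_ALL_VALUES)` in the second hunk has no `havingValue`, so Spring matches any value that is not `false`: `conjur.scan-all-values=off`, `=0` or an empty value would still register `conjurCloudProcessor`, while the `boolean scanAllValues` field added to ConjurProperties would presumably bind `off` or `0` to false. For an opt-in that widens what gets scanned, the gate should fail closed: `@ConditionalOnProperty(name = CONJUR_SCAN_ALL_VALUES, havingValue = "true")`. Nothing visible in this patch reads `isScanAllValues()`, so the annotation appears to be the only gate. The `conjurCloudProcessor` method body continues outside the hunk.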
+++ b/src/test/java/com/cyberark/conjur/springboot/processor/ConjurCloudProcessorScanTest.java
@@ -0,0 +1,53 @@
+package com.cyberark.conjur.springboot.processor;
+
+import com.cyberark.conjur.springboot.annotations.ConjurPropertySource;
+import org.junit.jupiter.api.Test;
+
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
+import org.springframework.boot.test.context.runner.WebApplicationContextRunner;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+public class ConjurCloudProcessorScanTest {
+
+ private final WebApplicationContextRunner contextRunner = new WebApplicationContextRunner()
+ .withUserConfiguration(SampleApp.class);
+
+ private final WebApplicationContextRunner contextRunnerConjurPropertySource = new WebApplicationContextRunner()
+ .withUserConfiguration(SampleAppConjurPropertySource.class);
+ @Test
+ public void scanning_not_loaded_by_default() {
+ contextRunner
+ .run(context -> assertThat(context)
+ .hasNotFailed()
+ .doesNotHaveBean("conjurCloudProcessor")
+ );
+ }
+
+ @Test
+ public void scanning_loaded_explicitly() {
+ contextRunner
+ .withPropertyValues("conjur.scan-all-values=true")
+ .run(context -> assertThat(context)
+ .hasNotFailed()
+ .hasBean("conjurCloudProcessor")
+ );
+ }
+
+ @Test
+ public void scanning_not_loaded_by_if_conjur_property_source_present() {
+ contextRunnerConjurPropertySource
+ .withPropertyValues("conjur.scan-all-values=true")
+ .run(context -> assertThat(context)
+ .hasNotFailed()
+ .doesNotHaveBean("conjurCloudProcessor")
+ );
+ }
+
+ @EnableAutoConfiguration
+ static class SampleApp {}
+
+ @EnableAutoConfiguration
+ @ConjurPropertySource(value = "test")
+ static class SampleAppConjurPropertySource {}
+}
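Review bot: The three tests cover the property being absent and being `true`, but none sets `conjur.scan-all-values=false`, which is what an operator writes to switch scanning off explicitly. A test for that case pins the disabled side of the gate, and a further case with a value that is neither `true` nor `false` would record whether such values are meant to enable the processor. The method below would sit next to `scanning_loaded_explicitly` and uses only the runner already defined in the class.

```java
// … unchanged: scanning_loaded_explicitly …

@Test
public void scanning_not_loaded_when_explicitly_disabled() {
    contextRunner
            .withPropertyValues("conjur.scan-all-values=false")
            .run(context -> assertThat(context)
                    .hasNotFailed()
                    .doesNotHaveBean("conjurCloudProcessor")
            );
}
```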