chore: Disallow authenticated users from accessing internally controlled endpoints (#26494)

2023-08-21 18:31:46 +05:30 · 2023-08-21 18:31:46 +05:30 · 4e3c6efb6a
commit 4e3c6efb6a
parent 2042135b5f
1 changed files with 13 additions and 5 deletions
--- a/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
+++ b/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
@ -24,6 +24,7 @@ import org.springframework.security.config.annotation.method.configuration.Enabl
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
@ -42,6 +43,7 @@ import reactor.core.publisher.Mono;

 import java.time.Duration;
 import java.util.HashSet;
+import java.util.List;

 import static com.appsmith.server.constants.Url.ACTION_COLLECTION_URL;
 import static com.appsmith.server.constants.Url.ACTION_URL;
@ -94,6 +96,8 @@ public class SecurityConfig {
    @Value("${appsmith.internal.password}")
    private String INTERNAL_PASSWORD;

+    private static final String INTERNAL = "INTERNAL";
+
    /**
     * This routerFunction is required to map /public/** endpoints to the src/main/resources/public folder
     * This is to allow static resources to be served by the server. Couldn't find an easier way to do this,
@ -121,19 +125,23 @@ public class SecurityConfig {
    @Bean
    public SecurityWebFilterChain internalWebFilterChain(ServerHttpSecurity http) {
        return http.securityMatcher(new PathPatternParserServerWebExchangeMatcher("/actuator/**"))
-                .authorizeExchange(authorizeExchangeSpec ->
-                        authorizeExchangeSpec.anyExchange().authenticated())
-                .httpBasic(httpBasicSpec -> httpBasicSpec.authenticationManager(authentication -> {
+                .httpBasic()
+                .authenticationManager(authentication -> {
                    if (INTERNAL_PASSWORD.equals(authentication.getCredentials().toString())) {
                        return Mono.just(UsernamePasswordAuthenticationToken.authenticated(
                                authentication.getPrincipal(),
                                authentication.getCredentials(),
-                                authentication.getAuthorities()));
+                                List.of(new SimpleGrantedAuthority(INTERNAL))));
                    } else {
                        return Mono.just(UsernamePasswordAuthenticationToken.unauthenticated(
                                authentication.getPrincipal(), authentication.getCredentials()));
                    }
-                }))
+                })
+                .and()
+                .authorizeExchange()
+                .anyExchange()
+                .hasAnyAuthority(INTERNAL)
+                .and()
                .build();
    }