From 4e3c6efb6ad8d02b1fabd90de00248779a433a1c Mon Sep 17 00:00:00 2001
From: Nidhi
Date: Mon, 21 Aug 2023 18:31:46 +0530
Subject: [PATCH] chore: Disallow authenticated users from accessing internally controlled endpoints (#26494)
---
 .../server/configurations/SecurityConfig.java | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java b/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
index e6447cbead..e4d19a7c66 100644
--- a/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
+++ b/app/server/appsmith-server/src/main/java/com/appsmith/server/configurations/SecurityConfig.java
@@ -24,6 +24,7 @@ import org.springframework.security.config.annotation.method.configuration.Enabl
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
 import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.client.registration.ReactiveClientRegistrationRepository;
 import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
@@ -42,6 +43,7 @@ import reactor.core.publisher.Mono;
 import java.time.Duration;
 import java.util.HashSet;
+import java.util.List;
 import static com.appsmith.server.constants.Url.ACTION_COLLECTION_URL;
 import static com.appsmith.server.constants.Url.ACTION_URL;
@@ -94,6 +96,8 @@ public class SecurityConfig {
 @Value("${appsmith.internal.password}")
 private String INTERNAL_PASSWORD;
+ private static final String INTERNAL = "INTERNAL";
+
 /**
 * This routerFunction is required to map /public/** endpoints to the src/main/resources/public folder
 * This is to allow static resources to be served by the server. Couldn't find an easier way to do this,
@@ -121,19 +125,23 @@ public class SecurityConfig {
 @Bean
 public SecurityWebFilterChain internalWebFilterChain(ServerHttpSecurity http) {
 return http.securityMatcher(new PathPatternParserServerWebExchangeMatcher("/actuator/**"))
- .authorizeExchange(authorizeExchangeSpec -> authorizeExchangeSpec.anyExchange().authenticated())
- .httpBasic(httpBasicSpec -> httpBasicSpec.authenticationManager(authentication -> {
+ .httpBasic()
+ .authenticationManager(authentication -> {
 if (INTERNAL_PASSWORD.equals(authentication.getCredentials().toString())) {
 return Mono.just(UsernamePasswordAuthenticationToken.authenticated(
 authentication.getPrincipal(),
 authentication.getCredentials(),
- authentication.getAuthorities()));
+ List.of(new SimpleGrantedAuthority(INTERNAL))));
 } else {
 return Mono.just(UsernamePasswordAuthenticationToken.unauthenticated(
 authentication.getPrincipal(), authentication.getCredentials()));
 }
- }))
+ })
+ .and()
+ .authorizeExchange()
+ .anyExchange()
+ .hasAnyAuthority(INTERNAL)
+ .and()
 .build();
 }
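Review bot: The password check that now gates the INTERNAL authority in internalWebFilterChain, `INTERNAL_PASSWORD.equals(authentication.getCredentials().toString())`, compares the shared secret with a short-circuiting `String.equals` and is not null-safe; since this comparison is the only thing between an unauthenticated caller and `/actuator/**`, it should be constant-time: `Object creds = authentication.getCredentials();` / `byte[] given = creds == null ? new byte[0] : creds.toString().getBytes(StandardCharsets.UTF_8);` / `if (MessageDigest.isEqual(INTERNAL_PASSWORD.getBytes(StandardCharsets.UTF_8), given)) {` (needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets`). On mismatch the manager emits an unauthenticated token and relies on the new `hasAnyAuthority(INTERNAL)` rule to reject it; returning `Mono.error(new BadCredentialsException("bad internal credentials"))` instead would end the request at the authentication entry point and not depend on that ordering. If `appsmith.internal.password` can be unset or empty, an empty Basic password would satisfy the check, so the bean should refuse to build (or the manager deny) when the configured value is blank; I cannot see the property's default from this hunk. As a point of style, the removed lines used the lambda DSL (`httpBasic(spec -> ...)`, `authorizeExchange(spec -> ...)`), which recent Spring Security releases recommend over `.and()` chaining, so keeping that form would avoid a later deprecation follow-up.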