From 911ed5ecca4c7a8701ef025deb4c385d1fc92243 Mon Sep 17 00:00:00 2001
From: Lazzaretti
Date: Sun, 12 Mar 2023 22:45:05 +0100
Subject: [PATCH] chore(webserver): warn if security group is wet without a jwt secret (#1412) close #1395
---
 .../configuration/authentifications/groups.md | 5 +++
 .../org/akhq/configs/JwtSecurityWarning.java | 39 +++++++++++++------
 2 files changed, 33 insertions(+), 11 deletions(-)
diff --git a/docs/docs/configuration/authentifications/groups.md b/docs/docs/configuration/authentifications/groups.md
index 75e19a5bc..c34e4a01b 100644
--- a/docs/docs/configuration/authentifications/groups.md
+++ b/docs/docs/configuration/authentifications/groups.md
@@ -19,6 +19,11 @@ Define groups with specific roles for your users
 If you have `topics/create` or `connect/create` roles and you try to create a resource that doesn't follow the regexp, that resource **WILL** be created.
 :::
+::: warning
+Please also set the `micronaut.security.token.jwt.signatures.secret.generator.secret` if you set a group.
+If the secret is not set, the API will not enforce the group role, and the restriction is in the UI only.
+:::
+
 3 defaults group are available :
 - `admin` with all right
 - `reader` with only read access on all AKHQ
diff --git a/src/main/java/org/akhq/configs/JwtSecurityWarning.java b/src/main/java/org/akhq/configs/JwtSecurityWarning.java
index 269ff86b3..30ff0f805 100644
--- a/src/main/java/org/akhq/configs/JwtSecurityWarning.java
+++ b/src/main/java/org/akhq/configs/JwtSecurityWarning.java
@@ -5,7 +5,9 @@ import lombok.extern.slf4j.Slf4j;
 import javax.annotation.PostConstruct;
+import jakarta.inject.Inject;
 import jakarta.inject.Singleton;
+import java.lang.Runnable;
 @Singleton
 @Slf4j
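Review bot: `import java.lang.Runnable;` on the added line is redundant, since everything in `java.lang` is in scope implicitly, and the usual linters (Checkstyle `RedundantImport`, Error Prone) flag it. Drop that line and keep only the `jakarta.inject.Inject` import the new field needs.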
@@ -21,20 +23,35 @@ public class JwtSecurityWarning {
     @Value("${micronaut.security.enabled:false}")
     protected Boolean enabled;
+    @Inject
+    protected SecurityProperties securityProperties;
+
     @PostConstruct
     public void start() {
         if (enabled && secret.equals(DEFAULT)) {
-            log.warn("");
-            log.warn("##############################################################");
-            log.warn("# SECURITY WARNING #");
-            log.warn("##############################################################");
-            log.warn("");
-            log.warn("You still use the default jwt secret.");
-            log.warn("This known secret can be used to impersonate anyone.");
-            log.warn("Please change 'micronaut.security.token.jwt.signatures.secret.generator.secret' configuration, or ask your administrator to do it !");
-            log.warn("");
-            log.warn("##############################################################");
-            log.warn("");
+            logSecurityWarning(() -> {
+                log.warn("You still use the default jwt secret.");
+                log.warn("This known secret can be used to impersonate anyone.");
+                log.warn("Please change 'micronaut.security.token.jwt.signatures.secret.generator.secret' configuration, or ask your administrator to do it !");
+            });
+        } else if (!enabled && securityProperties.getGroups() != null && !securityProperties.getGroups().isEmpty()){
+            logSecurityWarning(() -> {
+                log.warn("You have set a security group config but did not set the jwt secret.");
+                log.warn("This means that the API request will not be checked against the security group config.");
+                log.warn("Please set the 'micronaut.security.token.jwt.signatures.secret.generator.secret' configuration, or ask your administrator to do it !");
+            });
         }
     }
+
+    private static void logSecurityWarning(Runnable printBody) {
+        log.warn("");
+        log.warn("##############################################################");
+        log.warn("# SECURITY WARNING #");
+        log.warn("##############################################################");
+        log.warn("");
+        printBody.run();
+        log.warn("");
+        log.warn("##############################################################");
+        log.warn("");
+    }
 }
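Review bot: The new `else if` branch is keyed on `!enabled`, i.e. on `micronaut.security.enabled`, yet the body it prints blames a missing `micronaut.security.token.jwt.signatures.secret.generator.secret` and tells the operator to set that property; as far as this hunk shows, an operator who sets the secret but leaves security disabled keeps both the unenforced groups and a warning whose advice cannot silence it. Either make the condition match the text, e.g. `} else if (!enabled && DEFAULT.equals(secret) && securityProperties.getGroups() != null && !securityProperties.getGroups().isEmpty()) {`, or reword the first two lines of that body to say that `micronaut.security.enabled` is false and so group roles are not checked on API requests. Also, `securityProperties` is dereferenced without a null check; if `SecurityProperties` is only registered as a bean when security is configured (not visible here), field injection would fail at startup or leave the field null, so a `securityProperties != null &&` guard or `@Nullable` on the field is cheap insurance. Note that both branches only log: the groups remain unenforced at the API while the server keeps serving, which is a deliberate policy worth stating in a comment above `start()`, e.g. `// Startup-time advisory only: misconfiguration is logged, never fatal.`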