feat: add support for AD and add property for https (#37)

Closes #37
wearefrank · Feb 10, 2023 · 6cbff4d · 6cbff4d
1 parent b25d718
commit 6cbff4d
Show file tree

Hide file tree

Showing 4 changed files with 58 additions and 8 deletions.
diff --git a/charts/zaakbrug/templates/configmap.yaml b/charts/zaakbrug/templates/configmap.yaml
@@ -13,7 +13,20 @@ data:
   {{- $name := .Values.frank.dtap.stage | required (printf ".frank.dtap.stage is a required parameter") }}
   dtap.stage: {{ .Values.frank.dtap.stage }}
   dtap.side: {{ .Values.frank.dtap.side | default "cluster" }}
-  configurations.names: {{ .Values.frank.configurations.names | default "" }}
+  {{- with .Values.frank.configurations.names }}
+  configurations.names: {{ . }}
+  {{- end }}
+  application.security.http.authentication: {{ .Values.frank.security.http.authentication | toString | quote }}
+  application.security.http.transportGuarantee: {{ .Values.frank.security.http.enforceHttps | ternary "CONFIDENTIAL" "NONE" }}
+  {{- if .Values.frank.security.http.authentication }}
+  {{- with .Values.frank.security.http.ad }}
+  application.security.http.authenticators: AdAuthenticator
+  application.security.http.authenticators.AdAuthenticator.type: AD
+  application.security.http.authenticators.AdAuthenticator.baseDn: {{ .baseDn }}
+  application.security.http.authenticators.AdAuthenticator.url: {{ .url }}
+  servlet.IAF-API.authenticator: AdAuthenticator
+  {{- end }}
+  {{- end }}
   {{- if .Values.frank.credentials }}
 {{/*  credentialFactory.class: nl.nn.credentialprovider.FileSystemCredentialFactory*/}}
   credentialFactory.class: nl.nn.credentialprovider.PropertyFileCredentialFactory
@@ -183,6 +196,19 @@ data:
       {{- end }}
     </Context>
 ---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "zaakbrug.fullname" . }}-roles
+  labels:
+    {{- include "zaakbrug.labels" . | nindent 4 }}
+data:
+  ldap-role-mapping.properties: |
+    IbisTester={{ .Values.frank.security.http.ad.roles.tester }}
+    IbisAdmin={{ .Values.frank.security.http.ad.roles.admin }}
+    IbisDataAdmin={{ .Values.frank.security.http.ad.roles.dataAdmin }}
+    IbisObserver={{ .Values.frank.security.http.ad.roles.observer }}
+---
 {{- if .Values.zaakbrug.globals }}
 apiVersion: v1
 kind: ConfigMap
@@ -202,5 +228,5 @@ metadata:
   labels:
     {{- include "zaakbrug.labels" . | nindent 4 }}
 data:
-  Profiles.json: {{ .Values.zaakbrug.globals | toJson | quote }}
+  Profiles.json: {{ .Values.zaakbrug.profiles | toJson | quote }}
 {{- end }}
diff --git a/charts/zaakbrug/templates/deployment.yaml b/charts/zaakbrug/templates/deployment.yaml
@@ -47,6 +47,10 @@ spec:
               mountPath: /usr/local/tomcat/conf/Catalina/localhost/ROOT.xml
               subPath: context.xml
               readOnly: true
+            - name: {{ template "zaakbrug.fullname" . }}-roles
+              mountPath: /usr/local/tomcat/webapps/ROOT/WEB-INF/classes/ldap-role-mapping.properties
+              subPath: ldap-role-mapping.properties
+              readOnly: true
             {{- if .Values.zaakbrug.globals }}
             - name: {{ template "zaakbrug.fullname" . }}-globals
               mountPath: /opt/frank/configurations/Translate/Globals.json
@@ -73,6 +77,9 @@ spec:
             - name: http
               containerPort: 8080
               protocol: TCP
+            - name: https
+              containerPort: 8443
+              protocol: TCP
           livenessProbe:
             httpGet:
               path: /iaf/
@@ -84,6 +91,9 @@ spec:
         - name: {{ template "zaakbrug.fullname" . }}-config
           configMap:
             name: {{ template "zaakbrug.fullname" . }}-config
+        - name: {{ template "zaakbrug.fullname" . }}-roles
+          configMap:
+            name: {{ template "zaakbrug.fullname" . }}-roles
         - name: {{ template "zaakbrug.fullname" . }}-specifics
           configMap:
             name: {{ template "zaakbrug.fullname" . }}-specifics

diff --git a/charts/zaakbrug/values.yaml b/charts/zaakbrug/values.yaml
@@ -98,6 +98,7 @@ timeZone: Etc/UTC
 
 zaakbrug:
   zgw:
+    # Empty values aren't allowed, so at least fill in the protocol.
     baseurl: "http://localhost:8000/"
     endpoint:
       zaak: "zaken/api/v1/zaken"
@@ -136,6 +137,22 @@ zaakbrug:
           coalesceResultaat: "Toegekend"
 
 frank:
+  security:
+    http:
+      authentication: false
+      enforceHttps: false
+      # Only supports active directory for now
+      ad: {}
+#        # LDAP url e.g.: ldap://172.0.0.1
+#        url:
+#        # Base DN e.g.: DC=example,DC=com
+#        baseDn:
+#        # Roles to map to AD roles. e.g. dataAdmin: CN=FunctionalAdministrator,CN=Users,DC=example,DC=com
+#        roles:
+#          observer:
+#          dataAdmin:
+#          admin:
+#          tester:
   # Secret containing the contents of the credentials.properties
   credentials:
     # Secret name in the cluster
@@ -153,7 +170,7 @@ frank:
     name: "ZaakBrug"
   dtap:
     # (required) Options: LOC, DEV, TST, ACC, PRD
-    stage: LOC
+    stage:
     side: ""
   # Configurations to load.
   configurations:

diff --git a/src/main/resources/credentialprovider.properties b/src/main/resources/credentialprovider.properties
@@ -1,7 +1,4 @@
-# This file is inclomplete and doens't get used by the Docker image for some reason
-# TODO: I'll have to investigate more
-
 credentialFactory.class=nl.nn.credentialprovider.PropertyFileCredentialFactory
-
-# This has been added to the ENV in the Dockerfile
+# TODO: This file will work again if the resources folder will be able to overwrite the AppConstants.
+# TODO: Move property back from ENV in the Dockerfile to here.
 #credentialFactory.map.properties=/opt/frank/secrets/credentials.properties