Test

phrocker · phrocker · commit fc4881cc14d4 · 2025-01-07T14:12:49.000-05:00
diff --git a/.gcp.env b/.gcp.env
@@ -1,4 +1,4 @@
-SENTRIUS_VERSION=1.0.15
+SENTRIUS_VERSION=1.0.16
 SENTRIUS_SSH_VERSION=1.0.2
 SENTRIUS_KEYCLOAK_VERSION=1.0.4
 SENTRIUS_AGENT_VERSION=1.0.11
diff --git a/api/src/main/java/io/sentrius/sso/config/SecurityConfig.java b/api/src/main/java/io/sentrius/sso/config/SecurityConfig.java
@@ -12,6 +12,7 @@
 import io.sentrius.sso.core.services.UserService;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -38,6 +39,9 @@ public class SecurityConfig {
     private final CustomAuthenticationSuccessHandler successHandler;
     final UserService userService;
 
+    @Value("${https.required:true}") // Default is true
+    private boolean httpsRequired;
+
 
     @Bean
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
@@ -54,6 +58,13 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
             )
             .cors(Customizer.withDefaults());
 
+        if (httpsRequired) {
+            http.requiresChannel(channel -> channel
+                .requestMatchers("/actuator/**").requiresInsecure() // Allow HTTP for Actuator
+                .anyRequest().requiresSecure() // Force HTTPS for all other requests
+            );
+        }
+
 
         return http.build();
     }
diff --git a/api/src/main/resources/application.properties b/api/src/main/resources/application.properties
@@ -75,4 +75,5 @@ spring.security.oauth2.resourceserver.jwt.issuer-uri=http://192.168.1.162:8180/r
 spring.security.oauth2.client.provider.keycloak.issuer-uri=http://192.168.1.162:8180/realms/sentrius
 
 management.endpoints.web.exposure.include=health
-management.endpoint.health.show-details=always
+management.endpoint.health.show-details=always
+https.required=false
diff --git a/sentrius-chart/values.yaml b/sentrius-chart/values.yaml
@@ -65,6 +65,7 @@ sentrius:
       spring.security.oauth2.client.registration.keycloak.scope=openid,profile,email
       spring.security.oauth2.resourceserver.jwt.issuer-uri=http://sentrius-keycloak:30081/realms/sentrius
       spring.security.oauth2.client.provider.keycloak.issuer-uri=http://sentrius-keycloak:30081/realms/sentrius
+      https.required=false
     dynamic: |
       auditorClass=io.sentrius.sso.automation.auditing.AccessTokenAuditor
       twopartyapproval.option.LOCKING_SYSTEMS=true
diff --git a/sentrius-gcp-chart/templates/configmap.yaml b/sentrius-gcp-chart/templates/configmap.yaml
@@ -108,6 +108,7 @@ data:
     spring.security.oauth2.client.provider.keycloak.issuer-uri=https://keycloak.{{ .Values.tenant }}.sentrius.cloud/realms/sentrius
     server.forward-headers-strategy=native
     https.redirect.enabled=true
+    https.required=true
   dynamic.properties: |
     auditorClass=io.sentrius.sso.automation.auditing.AccessTokenAuditor
     twopartyapproval.option.LOCKING_SYSTEMS=true
