Document security hardening and enable security for sda platform #163

Conversation

@JoergSiebahn JoergSiebahn commented Jan 18, 2023

Note: Security is already available for auto configured services. Users of @EnableSdaPlatform get the security features as well now.

@JoergSiebahn JoergSiebahn requested a review from a team January 18, 2023 18:35

github-actions bot commented Jan 18, 2023

Test Results

49 files ±0, 49 suites ±0, 59s ⏱️ (+7s)
285 tests ±0: 279 ✔️ passed ±0, 6 💤 skipped ±0, 0 failed ±0
303 runs ±0: 295 ✔️ passed ±0, 8 💤 skipped ±0, 0 failed ±0

Results for commit 001d08d. ± Comparison against base commit d56f4a6.


@JoergSiebahn JoergSiebahn force-pushed the document-security-hardening-and-enable-security-for-sda-platform branch 2 times, most recently from 3cd4a7d to 9d18686, January 19, 2023 08:26
@JoergSiebahn JoergSiebahn mentioned this pull request Jan 19, 2023
@JoergSiebahn JoergSiebahn force-pushed the document-security-hardening-and-enable-security-for-sda-platform branch 2 times, most recently from fa7a13b to 3e59468, January 19, 2023 13:52
@JoergSiebahn JoergSiebahn mentioned this pull request Jan 20, 2023
@JoergSiebahn JoergSiebahn force-pushed the document-security-hardening-and-enable-security-for-sda-platform branch from 3e59468 to a5a1f3b, January 20, 2023 14:00
@JoergSiebahn JoergSiebahn force-pushed the document-security-hardening-and-enable-security-for-sda-platform branch from a5a1f3b to d87963f, January 20, 2023 14:41
@JoergSiebahn JoergSiebahn marked this pull request as ready for review January 20, 2023 14:41
attack the operating system after taking over from the container.

The default configuration is capable to run as no root, listening to ports 8080 and 8081.
Deployment checks must ensure, that the container is not configured with a root user.
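Review bot: the last sentence tells the reader that deployment checks must ensure the container is not configured with a root user, but not what is actually checked, so there is nothing concrete to verify against; one clause naming the setting (for a Kubernetes deployment, `runAsNonRoot: true` in the pod securityContext) would close that gap without turning the page into a manifest. Two wording fixes in the same paragraph: "is capable to run as no root" should read "can run as a non-root user", and the comma in "must ensure, that" should go.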

Contributor

Do we want to give an example K8S deployment here?

Contributor Author

Imho that will just add boilerplate to this page and move the focus away from the list of addressed risks.


## Risk: Loss of source IP address

We expect, the services built with sda-spring-boot-commons are deployed behind a proxy, e.g. an
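Review bot: the paragraph states the assumption (a proxy in front of the service) but not what follows from it; the author's reply below says the filter has to be disabled when the service is exposed directly, and that instruction belongs here, because a filter that restores the source IP from proxy-supplied headers will trust those headers from any client when no proxy is in front, and the IP that logging or access decisions see can then be chosen by the caller. Grammar: "We expect, the services" should read "We expect that the services".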

Contributor

the -> that? Or "We assume that..."?

Contributor Author

I "expect" that. If you expose the service directly, you have to disable the filter.

@@ -11,8 +11,7 @@ Features:
- [Jackson Object Mapping](#jackson)
- [Monitoring](#monitoring)
- [Tracing](#tracing)
- [Health Checks](#health-checks)
- [Testing](#testing)
- [Health Checks](#health-checks--actuator)
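Review bot: with the +/- markers stripped in this rendering, the list shows two Health Checks entries pointing at different anchors (#health-checks and #health-checks--actuator); the hunk header @@ -11,8 +11,7 @@ says exactly one line is removed, so confirm that the stale #health-checks entry is the one dropped and that no other link on the page still targets the old anchor.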

Contributor

The bullet point list does not include "security". Should we add it?

Contributor Author

Imho not. These links are just anchors within the page. I would not mix it with links to different pages. I added the security page to the mkdocs. Whenever we provide github pages or Backstage docs, it will be visible in the main nav. But that's a separate PR.

@EnableSdaRestGuide
@EnableSdaWebSecurity
@EnableSdaDocs
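Review bot: this context lists @EnableSdaWebSecurity as a standalone annotation while the PR description says users of @EnableSdaPlatform now get the security features as well; the docs should state which annotations @EnableSdaPlatform composes, so a reader knows whether adding @EnableSdaWebSecurity on top is redundant or required.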

Contributor

I would've preferred EnableSdaOpenApiDocs or similar but that's not part of the review / changes.

@JoergSiebahn JoergSiebahn force-pushed the document-security-hardening-and-enable-security-for-sda-platform branch from ed92c9c to 001d08d Compare January 23, 2023 08:07
@JoergSiebahn JoergSiebahn enabled auto-merge (rebase) January 23, 2023 08:19
@sonarqubecloud

SonarCloud Quality Gate passed

0 Bugs (A), 0 Vulnerabilities (A), 0 Security Hotspots (A), 0 Code Smells (A)
No coverage information, 0.0% duplication

@JoergSiebahn JoergSiebahn merged commit 9018096 into master Jan 23, 2023
@JoergSiebahn JoergSiebahn deleted the document-security-hardening-and-enable-security-for-sda-platform branch January 23, 2023 08:23
2 participants