[#1119] api security check: requests all allow when security policy i…

…s not setting (#1120)
huaweicloud · Dec 5, 2023 · 3de36f7 · 3de36f7
1 parent e9f205b
commit 3de36f7
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/.../huaweicloud/governance/authentication/securityPolicy/SecurityPolicyAccessController.java b/.../huaweicloud/governance/authentication/securityPolicy/SecurityPolicyAccessController.java
@@ -14,7 +14,7 @@
  */
 package com.huaweicloud.governance.authentication.securityPolicy;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -49,6 +49,9 @@ public boolean isAllowed(AuthRequestExtractor extractor) throws Exception {
     if (StringUtils.isEmpty(currentServiceName)) {
       currentServiceName = authenticationAdapter.getServiceName(extractor.serviceId());
     }
+    if (StringUtils.isEmpty(securityPolicyProperties.getMode())) {
+      return true;
+    }
     return checkAllowAndDeny(currentServiceName, extractor);
   }
 

diff --git a/...weicloud/governance/authentication/securityPolicy/SecurityPolicyAccessControllerTest.java b/...weicloud/governance/authentication/securityPolicy/SecurityPolicyAccessControllerTest.java
@@ -34,6 +34,7 @@
 import com.huaweicloud.governance.authentication.AuthRequestExtractor;
 import com.huaweicloud.governance.authentication.AuthRequestExtractorUtils;
 import com.huaweicloud.governance.authentication.AuthenticationAdapter;
+import com.huaweicloud.governance.authentication.Const;
 import com.huaweicloud.governance.authentication.securityPolicy.SecurityPolicyProperties.Action;
 import com.huaweicloud.governance.authentication.securityPolicy.SecurityPolicyProperties.ConfigurationItem;
 
@@ -554,6 +555,19 @@ public void testUriSuffixNotMatch() throws Exception {
         .isAllowed(extractor));
   }
 
+  @Test
+  public void testPolicyIsNull() throws Exception {
+    AuthRequestExtractor extractor = createAuthRequestExtractor("/checkTokenPer/security/checkTokenSfu");
+    Assertions.assertTrue(getNoSettingAccessController()
+        .isAllowed(extractor));
+  }
+
+  private SecurityPolicyAccessController getNoSettingAccessController() {
+    securityPolicyProperties.setAction(null);
+    securityPolicyProperties.setMode(null);
+    return new SecurityPolicyAccessController(authenticationAdapter, securityPolicyProperties);
+  }
+
   private SecurityPolicyAccessController getAllowAccessController(String mode) {
     Action action = new Action();
     action.setAllow(buildAllow());