feat: secure admin console (#38)

* feat: add port filter * fix: admin ui * fix: admin ui * fix: admin ui * fix: admin ui * fix: admin ui Co-authored-by: Benthin Sanguino <Luis-Alberto.Benthin-Sanguino@t-systems.com>
corona-warn-app · Jun 11, 2020 · 7fc8dc6 · 7fc8dc6
1 parent 524e988
commit 7fc8dc6
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 717 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
diff --git a/Dockerfile b/Dockerfile
@@ -8,11 +8,12 @@ COPY . ${WORK_DIR}/
 RUN mkdir /opt/jboss/keycloak/themes/cwa
 RUN cp -r /opt/jboss/keycloak/themes/base/* /opt/jboss/keycloak/themes/cwa/
 RUN cp -r ${WORK_DIR}/src/themes/cwa/login /opt/jboss/keycloak/themes/cwa/
-RUN cp ${WORK_DIR}/src/standalone/configuration/standalone.xml /opt/jboss/keycloak/standalone/configuration/
 RUN cp ${WORK_DIR}/src/standalone/configuration/standalone-ha.xml /opt/jboss/keycloak/standalone/configuration/
 
 EXPOSE 8080
 EXPOSE 8443
+EXPOSE 7080
+EXPOSE 7443
 
 ENTRYPOINT [ "/opt/jboss/tools/docker-entrypoint.sh" ]
 

diff --git a/src/standalone/configuration/standalone-ha.xml b/src/standalone/configuration/standalone-ha.xml
@@ -671,10 +671,16 @@
         <https-listener name="https" socket-binding="https"
                         proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}"
                         security-realm="ApplicationRealm" enable-http2="true"/>
+        <http-listener name="http-admin" socket-binding="http-admin" redirect-socket="https"
+                       proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}" enable-http2="true"/>
+        <https-listener name="https-admin" socket-binding="https-admin"
+                        proxy-address-forwarding="${env.PROXY_ADDRESS_FORWARDING:false}"
+                        security-realm="ApplicationRealm" enable-http2="true"/>
         <host name="default-host" alias="localhost">
           <location name="/" handler="welcome-content"/>
           <http-invoker security-realm="ApplicationRealm"/>
           <filter-ref name="pragma"/>
+          <filter-ref name="portAccess"/>
         </host>
       </server>
       <servlet-container name="default" disable-caching-for-secured-pages="true">
@@ -686,6 +692,7 @@
       </handlers>
       <filters>
         <response-header name="pragma" header-name="Pragma" header-value="no-cache"/>
+        <expression-filter name="portAccess" expression="path-prefix('/auth/admin') and not (equals(%p, 7080) or equals(%p, 7443)) -> response-code(403)"/>
       </filters>
     </subsystem>
     <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
@@ -706,6 +713,8 @@
     <socket-binding name="ajp" port="${jboss.ajp.port:8009}"/>
     <socket-binding name="http" port="${jboss.http.port:8080}"/>
     <socket-binding name="https" port="${jboss.https.port:8443}"/>
+    <socket-binding name="http-admin" port="${jboss.admin.http.port:7080}"/>
+    <socket-binding name="https-admin" port="${jboss.admin.https.port:7443}"/>
     <socket-binding name="jgroups-mping" interface="private"
                     multicast-address="${jboss.default.multicast.address:230.0.0.4}" multicast-port="45700"/>
     <socket-binding name="jgroups-tcp" interface="private" port="7600"/>