Expose actuator to anonymous for health and readiness checks

Author: Sheikah45

src/main/java/com/faforever/api/config/FafApiProperties.java

@@ -16,6 +16,7 @@ public class FafApiProperties {
    * The API version.
    */
   private String version;
+  private boolean allowAnonymous;
   private Jwt jwt = new Jwt();
   private OAuth2 oAuth2 = new OAuth2();
   private Async async = new Async();
@@ -258,11 +259,6 @@ public static class Smtp {
     private String password;
   }
 
-  @Data
-  public static class Anope {
-    private String databaseName;
-  }
-
   @Data
   public static class Rating {
     private int defaultMean;

src/main/java/com/faforever/api/config/security/MethodSecurityConfig.java

@@ -1,12 +1,18 @@
 package com.faforever.api.config.security;
 
 import com.faforever.api.security.method.CustomMethodSecurityExpressionHandler;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 
 @Configuration
+@ConditionalOnProperty(
+        value = "faf-api.allow-anonymous",
+        havingValue = "false",
+        matchIfMissing = true
+)
 @EnableMethodSecurity(securedEnabled = true)
 public class MethodSecurityConfig {
   @Bean

src/main/java/com/faforever/api/config/security/WebSecurityConfig.java

@@ -1,6 +1,8 @@
 package com.faforever.api.config.security;
 
+import com.faforever.api.config.FafApiProperties;
 import com.faforever.api.security.FafAuthenticationConverter;
+import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
@@ -20,10 +22,13 @@
 
 @Configuration
 @EnableWebSecurity
+@RequiredArgsConstructor
 public class WebSecurityConfig {
 
+  private final FafApiProperties fafApiProperties;
+
   @Bean
-  public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+  public SecurityFilterChain securityFilterChain(HttpSecurity http) {
     final var bearerTokenResolver = new DefaultBearerTokenResolver();
     bearerTokenResolver.setAllowUriQueryParameter(true);
 
@@ -42,7 +47,8 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
         "/swagger-ui/**",
         "/swagger-resources/**",
         "/v3/api-docs/**",
-        "/"
+        "/",
+        "/actuator/**"
       ).permitAll();
       // Webapp folder
       authorizeConfig.requestMatchers(
@@ -61,6 +67,10 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
         "/users/requestPasswordResetViaSteam",
         "/users/linkToSteam/**"
       ).permitAll();
+
+      if (fafApiProperties.isAllowAnonymous()) {
+        authorizeConfig.requestMatchers("/data/**").permitAll();
+      }
       authorizeConfig.anyRequest().authenticated();
     });
     // @formatter:on

src/main/java/com/faforever/api/security/ElideUser.java

@@ -24,7 +24,7 @@ public String getName() {
 
   @Override
   public boolean isInRole(String role) {
-    return fafAuthentication.hasRole(role);
+    return fafAuthentication != null && fafAuthentication.hasRole(role);
   }
 
   public Optional<Integer> getFafUserId() {

src/main/resources/config/application-local.yml

@@ -1,4 +1,5 @@
 faf-api:
+  allow-anonymous: true
   jwt:
     secretKeyPath: ${JWT_PRIVATE_KEY_PATH:test-pki-private.key}
     publicKeyPath: ${JWT_PUBLIC_KEY_PATH:test-pki-public.key}
@@ -86,8 +87,8 @@ spring:
     oauth2:
       resourceserver:
         jwt:
-          jwk-set-uri: https://hydra.faforever.com/.well-known/jwks.json
-          issuer-uri: https://hydra.faforever.com/
+          jwk-set-uri: http://hydra.faforever.localhost/.well-known/jwks.json
+          issuer-uri: http://ory-hydra:4444/
 logging:
   level:
     com.faforever.api: debug