Merge pull request #13 from team-gogo/update/server-to-server-api-ip-filtering

[global] internal API의 security IP 필터링 추가

Author: vumrra

src/main/kotlin/gogo/gogobetting/global/config/PropertiesScanConfig.kt

@@ -0,0 +1,13 @@
+package gogo.gogobetting.global.config
+
+import gogo.gogobetting.global.security.SecurityProperties
+import org.springframework.boot.context.properties.ConfigurationPropertiesScan
+import org.springframework.context.annotation.Configuration
+
+@Configuration
+@ConfigurationPropertiesScan(
+    basePackageClasses = [
+        SecurityProperties::class
+    ]
+)
+class PropertiesScanConfig

src/main/kotlin/gogo/gogobetting/global/config/SecurityConfig.kt

@@ -5,13 +5,17 @@ import gogo.gogobetting.global.filter.LoggingFilter
 import gogo.gogobetting.global.handler.CustomAccessDeniedHandler
 import gogo.gogobetting.global.handler.CustomAuthenticationEntryPointHandler
 import gogo.gogobetting.global.internal.user.stub.Authority
+import gogo.gogobetting.global.security.SecurityProperties
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.http.HttpMethod
+import org.springframework.security.authorization.AuthorizationDecision
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.http.SessionCreationPolicy
 import org.springframework.security.web.SecurityFilterChain
+import org.springframework.security.web.access.intercept.RequestAuthorizationContext
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
+import org.springframework.security.web.util.matcher.IpAddressMatcher
 import org.springframework.web.cors.CorsConfiguration
 import org.springframework.web.cors.CorsConfigurationSource
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource
@@ -21,7 +25,8 @@ class SecurityConfig(
     private val customAccessDeniedHandler: CustomAccessDeniedHandler,
     private val customAuthenticationEntryPointHandler: CustomAuthenticationEntryPointHandler,
     private val authenticationFilter: AuthenticationFilter,
-    private val loggingFilter: LoggingFilter
+    private val loggingFilter: LoggingFilter,
+    private val securityProperties: SecurityProperties
 ) {
 
     @Bean
@@ -57,14 +62,19 @@ class SecurityConfig(
             httpRequests.requestMatchers(HttpMethod.POST, "/betting/batch/cancel/{match_id}").hasAnyRole(Authority.USER.name, Authority.STAFF.name)
 
             // server to server
-            httpRequests.requestMatchers(HttpMethod.GET, "/betting/bundle").permitAll()
+            httpRequests.requestMatchers(HttpMethod.GET, "/betting/bundle").access { _, context -> hasIpAddress(context) }
 
             httpRequests.anyRequest().denyAll()
         }
 
         return http.build()
     }
 
+    private fun hasIpAddress(context: RequestAuthorizationContext): AuthorizationDecision {
+        val ALLOWED_IP_ADDRESS_MATCHER = IpAddressMatcher("${securityProperties.serverToServerIp}${securityProperties.serverToServerSubnet}")
+        return AuthorizationDecision(ALLOWED_IP_ADDRESS_MATCHER.matches(context.request))
+    }
+
     @Bean
     fun corsConfigurationSource(): CorsConfigurationSource {
         val configuration = CorsConfiguration()

src/main/kotlin/gogo/gogobetting/global/security/SecurityProperties.kt

@@ -0,0 +1,9 @@
+package gogo.gogobetting.global.security
+
+import org.springframework.boot.context.properties.ConfigurationProperties
+
+@ConfigurationProperties(prefix = "security.internal")
+class SecurityProperties(
+    val serverToServerIp: String,
+    val serverToServerSubnet: String,
+)