Merge remote-tracking branch 'origin/sprint' into sprint

# Conflicts: # docs/README.md
it-at-m · Apr 17, 2024 · 0de7404 · 0de7404
2 parents d43c9ba + 3449dd0
commit 0de7404
Show file tree

Hide file tree

Showing 17 changed files with 186 additions and 6 deletions.
diff --git a/RELEASENOTES.md b/RELEASENOTES.md
@@ -1,6 +1,11 @@
 # Release-Notes
 
-## Sprint 7 (05.03.2024 - 26.03.2024)
+## Sprint 9 (26.03.2024 - 16.04.2024)
+### Hinzugefügt
+- Security Absicherung
+- Deployment
+
+## Sprint 8 (05.03.2024 - 26.03.2024)
 ### Hinzugefügt
 - Archivierung
 - Url vorsignierte Adresse erstellen

diff --git a/docs/README.md b/docs/README.md
@@ -49,7 +49,19 @@ Das Profil erzeugt die Openapi Java Source Dateien im Maven _target_ Ordner.
 
 Die Openapi Quelle kann mit dem [Swagger Editor](https://editor.swagger.io) bearbeitet werden.
 
-## REST Schnittstelle
+## Security
+Wird die EAI im Security Modus gestartet, muss der Aufrufer der REST Schnittstelle ein gültigen OAuth 2.0 Token mitliefern, sonst wird die Anfrage mit dem HTTP Status Code 401 "Unauthorized" abgelehnt.
+Das gilt auch für einen abgelaufenen Token.
+
+Zu Testzwecken kann ein Token bsp.weise mit curl vom SSO Provider bezogen werden :
+
+curl \
+-d "client_id=[client_id]" \
+-d "client_secret=[client_secret]" \
+-d "grant_type=client_credentials" \
+"https://..."
+
+# REST Schnittstelle
 Mit dem [Swagger Editor](https://editor.swagger.io) kann die komplette [Openapi REST Beschreibung](https://github.com/it-at-m/mobidam-s3-eai/blob/sprint/src/main/resources/openapi_rest_s3_v1.yaml) angezeigt werden.
 Der Workflow für den Import von Dateien in FME sieht folgende Schritt vor:
 - Anzeigen von Inhalten eines S3 Buckets.

diff --git a/pom.xml b/pom.xml
@@ -168,6 +168,24 @@
             <version>1.7.0</version>
         </dependency>
 
+        <!-- Spring security -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-oauth2-client</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-oauth2-jose</artifactId>
+        </dependency>
+
         <!-- Database -->
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -247,6 +265,14 @@
             <artifactId>jakarta.validation-api</artifactId>
             <version>3.0.2</version>
         </dependency>
+
+        <!-- Logging -->
+        <dependency>
+            <groupId>net.logstash.logback</groupId>
+            <artifactId>logstash-logback-encoder</artifactId>
+            <version>7.0.1</version>
+        </dependency>
+
     </dependencies>
 
     <build>

diff --git a/src/main/java/de/muenchen/mobidam/config/NoSecurityConfiguration.java b/src/main/java/de/muenchen/mobidam/config/NoSecurityConfiguration.java
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c): it@M - Dienstleister für Informations- und Telekommunikationstechnik
+ * der Landeshauptstadt München, 2022
+ */
+package de.muenchen.mobidam.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+
+@Configuration
+@Profile("no-security")
+@EnableWebSecurity
+public class NoSecurityConfiguration {
+
+    /**
+     * Disable security.
+     */
+    @Bean
+    public SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception {
+        http
+                .headers(headers -> headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::disable))
+                .authorizeHttpRequests(request -> request.requestMatchers(AntPathRequestMatcher.antMatcher("/**")).permitAll().anyRequest().permitAll())
+                .csrf(AbstractHttpConfigurer::disable);
+        return http.build();
+    }
+}
diff --git a/src/main/java/de/muenchen/mobidam/config/SecurityConfiguration.java b/src/main/java/de/muenchen/mobidam/config/SecurityConfiguration.java
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c): it@M - Dienstleister für Informations- und Telekommunikationstechnik
+ * der Landeshauptstadt München, 2022
+ */
+package de.muenchen.mobidam.config;
+
+import static org.springframework.security.config.Customizer.withDefaults;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+
+/**
+ * The central class for configuration of all security aspects.
+ */
+@Configuration
+@Profile("!no-security")
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
+@RequiredArgsConstructor
+public class SecurityConfiguration {
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(final HttpSecurity http) throws Exception {
+
+        return http
+                .authorizeHttpRequests((requests) -> requests.requestMatchers(AntPathRequestMatcher.antMatcher("/**"),
+                        // allow access to /actuator/info
+                        AntPathRequestMatcher.antMatcher("/actuator/info"),
+                        // allow access to /actuator/health for OpenShift Health Check
+                        AntPathRequestMatcher.antMatcher("/actuator/health"),
+                        // allow access to /actuator/health/liveness for OpenShift Liveness Check
+                        AntPathRequestMatcher.antMatcher("/actuator/health/liveness"),
+                        // allow access to /actuator/health/readiness for OpenShift Readiness Check
+                        AntPathRequestMatcher.antMatcher("/actuator/health/readiness"),
+                        // allow access to /actuator/metrics for Prometheus monitoring in OpenShift
+                        AntPathRequestMatcher.antMatcher("/actuator/metrics"))
+                        .permitAll())
+                .authorizeHttpRequests((requests) -> requests.requestMatchers(AntPathRequestMatcher.antMatcher("/**"))
+                        .authenticated())
+                .oauth2ResourceServer(oauth2 -> oauth2
+                        .jwt(withDefaults()))
+                .build();
+
+    }
+}
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -23,11 +23,11 @@ mobidam:
   s3:
     bucket-credential-config:
       x-itmkm82k:
-        access-key-env-var: MOBIDAM_X-ITMKM82K_ACCESS_KEY
-        secret-key-env-var: MOBIDAM_X-ITMKM82K_SECRET_KEY
+        access-key-env-var: MOBIDAM_ACCESS_KEY
+        secret-key-env-var: MOBIDAM_SECRET_KEY
       int-mdasc-mdasdev:
-        access-key-env-var: MOBIDAM_INT-MDASC-MDASDEV_ACCESS_KEY
-        secret-key-env-var: MOBIDAM_INT-MDASC-MDASDEV_SECRET_KEY
+        access-key-env-var: MOBIDAM_ACCESS_KEY
+        secret-key-env-var: MOBIDAM_SECRET_KEY
 
 spring:
   application:
@@ -51,6 +51,15 @@ spring:
       hibernate:
         format_sql: true
         dialect: ...
+  security:
+    oauth2:
+      resource-server:
+        jwt:
+          issuer-uri: ${keycloak.auth-server-url}/realms/${realm}
+          jwk-set-uri: ${keycloak.auth-server-url}/realms/${realm}/protocol/openid-connect/certs
+
+realm: ...
+keycloak.auth-server-url: ...
 
 # https://docs.spring.io/spring-boot/docs/current/reference/html/actuator.html
 management:

diff --git a/src/test/java/de/muenchen/mobidam/TestConstants.java b/src/test/java/de/muenchen/mobidam/TestConstants.java
@@ -0,0 +1,13 @@
+/*
+ * Copyright (c): it@M - Dienstleister für Informations- und Telekommunikationstechnik
+ * der Landeshauptstadt München, 2022
+ */
+package de.muenchen.mobidam;
+
+import lombok.AccessLevel;
+import lombok.NoArgsConstructor;
+
+@NoArgsConstructor(access = AccessLevel.PRIVATE)
+public final class TestConstants {
+    public static final String SPRING_NO_SECURITY_PROFILE = "no-security";
+}
diff --git a/src/test/java/de/muenchen/mobidam/rest/S3ApiArchiveTest.java b/src/test/java/de/muenchen/mobidam/rest/S3ApiArchiveTest.java
@@ -6,6 +6,7 @@
 
 import de.muenchen.mobidam.Application;
 import de.muenchen.mobidam.Constants;
+import de.muenchen.mobidam.TestConstants;
 import org.apache.camel.EndpointInject;
 import org.apache.camel.Produce;
 import org.apache.camel.ProducerTemplate;
@@ -16,6 +17,7 @@
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.TestPropertySource;
 
 @CamelSpringBootTest
@@ -26,6 +28,7 @@
 @EnableAutoConfiguration
 @DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_EACH_TEST_METHOD)
 @TestPropertySource(properties = { "camel.route.common=mock:common" })
+@ActiveProfiles(TestConstants.SPRING_NO_SECURITY_PROFILE)
 class S3ApiArchiveTest {
 
     @Produce("http:127.0.0.1:8081/api")

diff --git a/src/test/java/de/muenchen/mobidam/rest/S3ApiFilesInFolderTest.java b/src/test/java/de/muenchen/mobidam/rest/S3ApiFilesInFolderTest.java
@@ -6,6 +6,7 @@
 
 import de.muenchen.mobidam.Application;
 import de.muenchen.mobidam.Constants;
+import de.muenchen.mobidam.TestConstants;
 import org.apache.camel.EndpointInject;
 import org.apache.camel.Produce;
 import org.apache.camel.ProducerTemplate;
@@ -16,6 +17,7 @@
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.TestPropertySource;
 
 @CamelSpringBootTest
@@ -26,6 +28,7 @@
 @EnableAutoConfiguration
 @DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_EACH_TEST_METHOD)
 @TestPropertySource(properties = { "camel.route.common=mock:common" })
+@ActiveProfiles(TestConstants.SPRING_NO_SECURITY_PROFILE)
 class S3ApiFilesInFolderTest {
 
     @Produce("http:127.0.0.1:8081/api")

diff --git a/src/test/java/de/muenchen/mobidam/rest/S3ApiPresignedUrlTest.java b/src/test/java/de/muenchen/mobidam/rest/S3ApiPresignedUrlTest.java
@@ -6,6 +6,7 @@
 
 import de.muenchen.mobidam.Application;
 import de.muenchen.mobidam.Constants;
+import de.muenchen.mobidam.TestConstants;
 import org.apache.camel.EndpointInject;
 import org.apache.camel.Produce;
 import org.apache.camel.ProducerTemplate;
@@ -16,6 +17,7 @@
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.TestPropertySource;
 
 @CamelSpringBootTest
@@ -26,6 +28,7 @@
 @EnableAutoConfiguration
 @DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_EACH_TEST_METHOD)
 @TestPropertySource(properties = { "camel.route.common=mock:common" })
+@ActiveProfiles(TestConstants.SPRING_NO_SECURITY_PROFILE)
 class S3ApiPresignedUrlTest {
 
     @Produce("http:127.0.0.1:8081/api")

diff --git a/src/test/java/de/muenchen/mobidam/s3/S3ArchiveTest.java b/src/test/java/de/muenchen/mobidam/s3/S3ArchiveTest.java
@@ -8,6 +8,7 @@
 import com.robothy.s3.rest.bootstrap.LocalS3Mode;
 import de.muenchen.mobidam.Application;
 import de.muenchen.mobidam.Constants;
+import de.muenchen.mobidam.TestConstants;
 import de.muenchen.mobidam.repository.ArchiveRepository;
 import java.io.File;
 import java.net.URI;
@@ -28,6 +29,7 @@
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.TestPropertySource;
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
@@ -48,6 +50,7 @@
 )
 @EnableAutoConfiguration
 @DirtiesContext
+@ActiveProfiles(TestConstants.SPRING_NO_SECURITY_PROFILE)
 class S3ArchiveTest {
 
     @Produce

diff --git a/src/test/java/de/muenchen/mobidam/s3/S3BucketTest.java b/src/test/java/de/muenchen/mobidam/s3/S3BucketTest.java
@@ -8,6 +8,7 @@
 import com.robothy.s3.rest.bootstrap.LocalS3Mode;
 import de.muenchen.mobidam.Application;
 import de.muenchen.mobidam.Constants;
+import de.muenchen.mobidam.TestConstants;
 import de.muenchen.mobidam.rest.ErrorResponse;
 import java.math.BigDecimal;
 import java.net.URI;
@@ -26,6 +27,7 @@
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.http.HttpStatus;
 import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.TestPropertySource;
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
@@ -51,6 +53,7 @@
 )
 @EnableAutoConfiguration
 @DirtiesContext
+@ActiveProfiles(TestConstants.SPRING_NO_SECURITY_PROFILE)
 class S3BucketTest {
 
     @Produce

diff --git a/src/test/java/de/muenchen/mobidam/s3/S3FileLimitTest.java b/src/test/java/de/muenchen/mobidam/s3/S3FileLimitTest.java
@@ -8,6 +8,7 @@
 import com.robothy.s3.rest.bootstrap.LocalS3Mode;
 import de.muenchen.mobidam.Application;
 import de.muenchen.mobidam.Constants;
+import de.muenchen.mobidam.TestConstants;
 import de.muenchen.mobidam.rest.BucketContentInner;
 import java.io.File;
 import java.net.URI;
@@ -27,6 +28,7 @@
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.TestPropertySource;
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
@@ -48,6 +50,7 @@
 )
 @EnableAutoConfiguration
 @DirtiesContext
+@ActiveProfiles(TestConstants.SPRING_NO_SECURITY_PROFILE)
 class S3FileLimitTest {
 
     @Produce

diff --git a/src/test/java/de/muenchen/mobidam/s3/S3ObjectTest.java b/src/test/java/de/muenchen/mobidam/s3/S3ObjectTest.java
@@ -8,6 +8,7 @@
 import com.robothy.s3.rest.bootstrap.LocalS3Mode;
 import de.muenchen.mobidam.Application;
 import de.muenchen.mobidam.Constants;
+import de.muenchen.mobidam.TestConstants;
 import de.muenchen.mobidam.rest.BucketContentInner;
 import java.io.File;
 import java.net.URI;
@@ -27,6 +28,7 @@
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.TestPropertySource;
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
@@ -47,6 +49,7 @@
 )
 @EnableAutoConfiguration
 @DirtiesContext
+@ActiveProfiles(TestConstants.SPRING_NO_SECURITY_PROFILE)
 class S3ObjectTest {
 
     @Produce

diff --git a/src/test/java/de/muenchen/mobidam/s3/S3PrefixTest.java b/src/test/java/de/muenchen/mobidam/s3/S3PrefixTest.java
@@ -8,6 +8,7 @@
 import com.robothy.s3.rest.bootstrap.LocalS3Mode;
 import de.muenchen.mobidam.Application;
 import de.muenchen.mobidam.Constants;
+import de.muenchen.mobidam.TestConstants;
 import de.muenchen.mobidam.rest.BucketContentInner;
 import java.io.File;
 import java.net.URI;
@@ -27,6 +28,7 @@
 import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.TestPropertySource;
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
@@ -47,6 +49,7 @@
 )
 @EnableAutoConfiguration
 @DirtiesContext
+@ActiveProfiles(TestConstants.SPRING_NO_SECURITY_PROFILE)
 class S3PrefixTest {
 
     @Produce