feat: authentication and authorization with keycloak (#42)

* feat: remove spring web flux and add spring web mvc * feat: user repository unit tests working * ci: autogenerated JaCoCo coverage badge * doc: update readme to remove web flux * feat: add authorization and authentication handlers * feat: integration tests passing with mocked user and authentication * feat: add documentation to security config class * feat: add jwt client roles from auth - partial * feat: handle roles from jwt decoded token * ci: add variable to keycloak server and workflow update * ci: fix missing keycloak server realm env var * fix: build service image with keycloak server variable * feat: add docker build args env var * feat: add cors handling to spring security * feat: correct version from main * feat: remove run-with-bd script * feat: add service authority to enable read and write from testing * doc: add steps to build and run with docker and docker-compose * feat: remove argument from docker image build * feat: remove docker build args from the workflow * feat: improve security config and enable csrf * feat: add csrf handler * feat: improve application properties file organization * feat: collectors to list code smell related to immutability * feat: remove unused import * feat: improve keycloak realm variable name Co-authored-by: Ci Bot <cibot@users.noreply.github.com>
bcgov · May 4, 2023 · 86a51a3 · 86a51a3
1 parent b81ebc7
commit 86a51a3
Show file tree

Hide file tree

Showing 11 changed files with 164 additions and 52 deletions.
diff --git a/.github/openshift/deploy.backend.yml b/.github/openshift/deploy.backend.yml
@@ -55,6 +55,9 @@ parameters:
   - name: DATABASE_PASSWORD
     description: Password for the database connection
     required: true
+  - name: KEYCLOAK_REALM_URL
+    description: Keycloak realm address
+    required: true
 objects:
   - apiVersion: v1
     kind: ImageStream
@@ -119,6 +122,8 @@ objects:
                   value: ${DATABASE_USER}
                 - name: DATABASE_PASSWORD
                   value: ${DATABASE_PASSWORD}
+                - name: KEYCLOAK_REALM_URL
+                  value: ${KEYCLOAK_REALM_URL}
               ports:
                 - containerPort: 8090
                   protocol: TCP

diff --git a/.github/workflows/merge-main.yml b/.github/workflows/merge-main.yml
@@ -231,6 +231,7 @@ jobs:
             -p DATABASE_USER=${{ secrets.DATABASE_USER }} \
             -p DATABASE_PASSWORD=${{ secrets.DATABASE_PASSWORD }} \
             -p ALLOWED_ORIGINS=${{ secrets.ALLOWED_ORIGINS }} \
+            -p KEYCLOAK_REALM_URL=${{ secrets.KEYCLOAK_REALM_URL }} \
             -p PROMOTE=${{ github.repository }}:${{ env.ZONE }}-service-api | oc apply -f -
           # Follow any active rollouts (see deploymentconfigs)
           #oc rollout status dc/${{ env.NAME }}-${{ env.ZONE }}-database -w
@@ -412,6 +413,7 @@ jobs:
             -p DATABASE_USER=${{ secrets.DATABASE_USER }} \
             -p DATABASE_PASSWORD=${{ secrets.DATABASE_PASSWORD }} \
             -p ALLOWED_ORIGINS=${{ secrets.ALLOWED_ORIGINS }} \
+            -p KEYCLOAK_REALM_URL=${{ secrets.KEYCLOAK_REALM_URL }} \
             -p PROMOTE=${{ github.repository }}:${{ env.PREV }}-service-api | oc apply -f -
 
           # Follow any active rollouts (see deploymentconfigs)

diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml
@@ -13,6 +13,7 @@ on:
 env:
   REGISTRY: ghcr.io
   NAME: nrbestapi
+  KEYCLOAK_REALM_URL: ${{ secrets.KEYCLOAK_REALM_URL }}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -364,6 +365,7 @@ jobs:
             -p SERVICE_NAME=${{ secrets.SERVICE_NAME }} \
             -p DATABASE_USER=${{ secrets.DATABASE_USER }} \
             -p DATABASE_PASSWORD=${{ secrets.DATABASE_PASSWORD }} \
+            -p KEYCLOAK_REALM_URL=${{ secrets.KEYCLOAK_REALM_URL }} \
             -p PROMOTE=${{ github.repository }}:${{ env.ZONE }}-service-api | oc apply -f -
 
           # Follow any active rollouts (see deploymentconfigs)

diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,5 @@
 FROM maven:3.8.6-openjdk-18-slim AS build
+
 COPY src /home/app/src
 COPY pom.xml /home/app
 RUN mvn --no-transfer-progress -f /home/app/pom.xml clean package

diff --git a/README.md b/README.md
@@ -312,6 +312,39 @@ the `status` property should have the value *UP*.
 Before writing your first line of code, and learn more about the checks, including
 tests, please take a moment and check out our [CONTRIBUTING](CONTRIBUTING.md) guide.
 
+## Quick look
+
+But if all you want is to take a quick look on the running service, you can do it by
+using Docker.
+
+Note that you'll need these environment variables:
+```
+NRBESTAPI_VERSION=local
+DATABASE_HOST=<host>
+DATABASE_PORT=<port>
+SERVICE_NAME=<service-name>
+DATABASE_USER=<user>
+DATABASE_PASSWORD=<pass>
+KEYCLOAK_REALM_URL=<realm-server-address>
+```
+
+Build the service:
+```
+docker build -t bcgov/nrbestapi-test-service-api:latest .
+```
+
+Then run with:
+```
+docker run -p 8090:8090 \
+  -e KEYCLOAK_REALM_URL=https://dev.loginproxy.gov.bc.ca/auth/realms/standard \
+  -t bcgov/nrbestapi-test-service-api:latest
+```
+
+However, if you have docker-compose you can do:
+```
+docker-compose --env-file .env -f ./docker-compose.yml up --build --force-recreate --no-deps
+```
+
 ## Getting help
 
 <<<<<<< HEAD

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -11,8 +11,8 @@ services:
       SERVICE_NAME: ${SERVICE_NAME}
       DATABASE_USER: ${DATABASE_USER}
       DATABASE_PASSWORD: ${DATABASE_PASSWORD}
+      KEYCLOAK_REALM_URL: ${KEYCLOAK_REALM_URL}
     hostname: service-api
-    network_mode: "host"
     dns: 142.22.202.100
     ports:
       - "8090:8090"

diff --git a/pom.xml b/pom.xml
@@ -73,26 +73,28 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-validation</artifactId>
 		</dependency>
-		<dependency>
-			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-starter-jdbc</artifactId>
-		</dependency>
-
 		<dependency>
 			<groupId>org.projectlombok</groupId>
 			<artifactId>lombok</artifactId>
 			<optional>true</optional>
 		</dependency>
 
+		<!-- Authentication and Security -->
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-starter-data-jpa</artifactId>
+			<artifactId>spring-boot-starter-oauth2-client</artifactId>
 		</dependency>
 
 		<!-- DevOps -->
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-starter-web</artifactId>
+			<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+		</dependency>
+
+		<!-- DevOps -->
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-actuator</artifactId>
 		</dependency>
 
 		<!-- Database -->
@@ -110,11 +112,16 @@
 			<artifactId>ojdbc11</artifactId>
 		</dependency>
 
+		<!-- Testing -->
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-test</artifactId>
 			<scope>test</scope>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-test</artifactId>
+		</dependency>
 	</dependencies>
 
 	<build>

diff --git a/src/main/java/ca/bc/gov/backendstartapi/config/SecurityConfig.java b/src/main/java/ca/bc/gov/backendstartapi/config/SecurityConfig.java
@@ -1,5 +1,7 @@
 package ca.bc.gov.backendstartapi.config;
 
+import ca.bc.gov.backendstartapi.util.ObjectUtil;
+import com.nimbusds.jose.shaded.json.JSONArray;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
@@ -9,7 +11,7 @@
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AbstractAuthenticationToken;
-import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.core.GrantedAuthority;
@@ -22,7 +24,7 @@
 /** This class contains all configurations related to security and authentication. */
 @Configuration
 @EnableWebSecurity
-@EnableMethodSecurity(prePostEnabled = true)
+@EnableGlobalMethodSecurity(prePostEnabled = true)
 public class SecurityConfig {
 
   @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
@@ -42,10 +44,10 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         .csrf()
         .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
         .and()
-        .authorizeHttpRequests()
-        .requestMatchers("/api/**")
+        .authorizeRequests()
+        .antMatchers("/api/**")
         .authenticated()
-        .requestMatchers(HttpMethod.OPTIONS, "/**")
+        .antMatchers(HttpMethod.OPTIONS, "/**")
         .permitAll()
         .anyRequest()
         .permitAll()
@@ -62,28 +64,27 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
 
   private Converter<Jwt, AbstractAuthenticationToken> converter() {
     JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
-    converter.setJwtGrantedAuthoritiesConverter(roleConverter);
+    converter.setJwtGrantedAuthoritiesConverter(roleConverter());
     return converter;
   }
 
-  /**
-   * Parse the roles of a client from the JWT, if they're present; if not, subjects with service
-   * accounts are granted read and write permissions.
-   */
-  private final Converter<Jwt, Collection<GrantedAuthority>> roleConverter =
-      jwt -> {
-        if (!jwt.getClaims().containsKey("client_roles")) {
-          String sub = String.valueOf(jwt.getClaims().get("sub"));
-          return (sub.startsWith("service-account-nr-fsa"))
-              ? List.of(
-                  new SimpleGrantedAuthority("ROLE_user_read"),
-                  new SimpleGrantedAuthority("ROLE_user_write"))
-              : List.of();
+  private Converter<Jwt, Collection<GrantedAuthority>> roleConverter() {
+    return jwt -> {
+      final JSONArray realmAccess = (JSONArray) jwt.getClaims().get("client_roles");
+      List<GrantedAuthority> authorities = new ArrayList<>();
+      if (ObjectUtil.isEmptyOrNull(realmAccess)) {
+        String sub = String.valueOf(jwt.getClaims().get("sub"));
+        if (sub.startsWith("service-account-nr-fsa")) {
+          authorities.add(new SimpleGrantedAuthority("ROLE_user_read"));
+          authorities.add(new SimpleGrantedAuthority("ROLE_user_write"));
         }
-        final List<String> realmAccess = (ArrayList<String>) jwt.getClaims().get("client_roles");
-        return realmAccess.stream()
-            .map(roleName -> "ROLE_" + roleName)
-            .map(roleName -> (GrantedAuthority) new SimpleGrantedAuthority(roleName))
-            .toList();
-      };
+        return authorities;
+      }
+      realmAccess.stream()
+          .map(roleName -> "ROLE_" + roleName)
+          .map(SimpleGrantedAuthority::new)
+          .forEach(authorities::add);
+      return authorities;
+    };
+  }
 }
diff --git a/src/main/java/ca/bc/gov/backendstartapi/endpoint/UserEndpoint.java b/src/main/java/ca/bc/gov/backendstartapi/endpoint/UserEndpoint.java
@@ -11,6 +11,7 @@
 import lombok.Setter;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -22,7 +23,7 @@
 /** This class exposes user related endpoints. */
 @NoArgsConstructor
 @RestController
-@RequestMapping("/users")
+@RequestMapping("/api/users")
 @Setter
 public class UserEndpoint {
 
@@ -42,6 +43,7 @@ public UserEndpoint(UserRepository userRepository) {
   @PostMapping(
       consumes = MediaType.APPLICATION_JSON_VALUE,
       produces = MediaType.APPLICATION_JSON_VALUE)
+  @PreAuthorize("hasRole('user_write')")
   public UserDto create(@Valid @RequestBody UserDto user) {
     return userRepository.save(user);
   }
@@ -55,6 +57,7 @@ public UserDto create(@Valid @RequestBody UserDto user) {
   @GetMapping(
       value = "/find-all-by-first-name/{firstName}",
       produces = MediaType.APPLICATION_JSON_VALUE)
+  @PreAuthorize("hasRole('user_read')")
   public List<UserDto> readByFirstName(@PathVariable("firstName") String firstName) {
     List<UserDto> userList = userRepository.findAllByFirstName(firstName);
     if (userList.isEmpty()) {
@@ -72,6 +75,7 @@ public List<UserDto> readByFirstName(@PathVariable("firstName") String firstName
   @GetMapping(
       value = "/find-all-by-last-name/{lastName}",
       produces = MediaType.APPLICATION_JSON_VALUE)
+  @PreAuthorize("hasRole('user_read')")
   public List<UserDto> readByLastName(@PathVariable("lastName") String lastName) {
     List<UserDto> userList = userRepository.findAllByLastName(lastName);
     if (userList.isEmpty()) {
@@ -88,6 +92,7 @@ public List<UserDto> readByLastName(@PathVariable("lastName") String lastName) {
    * @return a UserDto instance containing the found user or a 404 if not found.
    */
   @GetMapping(value = "/find/{firstName}/{lastName}", produces = MediaType.APPLICATION_JSON_VALUE)
+  @PreAuthorize("hasRole('user_read')")
   public UserDto readByUser(
       @PathVariable("firstName") String firstName, @PathVariable("lastName") String lastName) {
     Optional<UserDto> userDtoOp = userRepository.find(firstName, lastName);
@@ -104,6 +109,7 @@ public UserDto readByUser(
    * @return a Collection containing all found users or a 404 if not found.
    */
   @GetMapping(value = "/find-all", produces = MediaType.APPLICATION_JSON_VALUE)
+  @PreAuthorize("hasRole('user_read')")
   public Collection<UserDto> readAllUsers() {
     return userRepository.findAll();
   }
@@ -116,6 +122,7 @@ public Collection<UserDto> readAllUsers() {
    * @return a UserDto instance containing the removed user info.
    */
   @DeleteMapping(value = "/{firstName}/{lastName}", produces = MediaType.APPLICATION_JSON_VALUE)
+  @PreAuthorize("hasRole('user_write')")
   public UserDto deleteUser(
       @PathVariable("firstName") String firstName, @PathVariable("lastName") String lastName) {
     return userRepository.delete(new UserDto(firstName, lastName));

diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
@@ -1,12 +1,22 @@
+# Server and application
+spring.application.name = nr-fsa-service-api-4139
 server.port = 8090
-nrbestapi.version = ${NRBESTAPI_VERSION:#{'dev'}}
-server.allowed.cors.origins = ${ALLOWED_ORIGINS:#{'http://localhost:300*'}}
 
-spring.datasource.driver-class-name=oracle.jdbc.driver.OracleDriver
-spring.jpa.database-platform=org.hibernate.dialect.Oracle12cDialect
+# Key Cloak, authentication and security
+keycloak-auth = ${KEYCLOAK_REALM_URL:https://empty.com/auth}
+spring.security.oauth2.resourceserver.jwt.issuer-uri = ${keycloak-auth}
+spring.security.oauth2.resourceserver.jwt.jwk-set-uri = ${keycloak-auth}/protocol/openid-connect/certs
 
+# Database, datasource and JPA
+spring.datasource.driver-class-name=oracle.jdbc.driver.OracleDriver
 spring.datasource.url = jdbc:oracle:thin:@tcps://${DATABASE_HOST}:${DATABASE_PORT}/${SERVICE_NAME}
 spring.datasource.username = ${DATABASE_USER}
 spring.datasource.password = ${DATABASE_PASSWORD}
+spring.jpa.database-platform=org.hibernate.dialect.Oracle12cDialect
 
+# Actuator and ops
 management.endpoint.health.show-details = always
+
+# Others
+nrbestapi.version = ${NRBESTAPI_VERSION:#{'dev'}}
+server.allowed.cors.origins = ${ALLOWED_ORIGINS:#{'http://localhost:300*'}}