feat: P4PU-170 added login endpoint (#29)

* P4PU-170 added login endpoint * P4PU-170 fixed security for test * P4PU-170 removed auth controller not used updated csrf conf * P4PU-170 removed parenthesis * P4PU-170 moved secret to keyvault * P4PU-170 moved secret to keyvault * P4PU-170 fixed tests
pagopa · Jul 18, 2024 · 0b0fc0a · 0b0fc0a
1 parent ff06547
commit 0b0fc0a
Show file tree

Hide file tree

Showing 12 changed files with 134 additions and 18 deletions.
diff --git a/build.gradle.kts b/build.gradle.kts
@@ -42,6 +42,10 @@ dependencies {
 	compileOnly("org.projectlombok:lombok")
 	annotationProcessor("org.projectlombok:lombok")
 
+	// Spring Security
+	// https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-oauth2-client
+	implementation("org.springframework.boot:spring-boot-starter-oauth2-client")
+
 	//	Testing
 	testImplementation("org.springframework.boot:spring-boot-starter-test")
 	testImplementation("org.junit.jupiter:junit-jupiter-api")

diff --git a/gradle.lockfile b/gradle.lockfile
@@ -11,6 +11,11 @@ com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.15.4=compileClasspath
 com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.15.4=compileClasspath
 com.fasterxml.jackson.module:jackson-module-parameter-names:2.15.4=compileClasspath
 com.fasterxml.jackson:jackson-bom:2.15.4=compileClasspath
+com.github.stephenc.jcip:jcip-annotations:1.0-1=compileClasspath
+com.nimbusds:content-type:2.2=compileClasspath
+com.nimbusds:lang-tag:1.7=compileClasspath
+com.nimbusds:nimbus-jose-jwt:9.24.4=compileClasspath
+com.nimbusds:oauth2-oidc-sdk:9.43.3=compileClasspath
 commons-fileupload:commons-fileupload:1.5=compileClasspath
 commons-io:commons-io:2.11.0=compileClasspath
 io.github.openfeign.form:feign-form-spring:3.8.0=compileClasspath
@@ -28,6 +33,8 @@ jakarta.activation:jakarta.activation-api:2.1.3=compileClasspath
 jakarta.annotation:jakarta.annotation-api:2.1.1=compileClasspath
 jakarta.validation:jakarta.validation-api:3.0.2=compileClasspath
 jakarta.xml.bind:jakarta.xml.bind-api:4.0.2=compileClasspath
+net.minidev:accessors-smart:2.5.1=compileClasspath
+net.minidev:json-smart:2.5.1=compileClasspath
 org.apache.commons:commons-lang3:3.13.0=compileClasspath
 org.apache.logging.log4j:log4j-api:2.21.1=compileClasspath
 org.apache.logging.log4j:log4j-to-slf4j:2.21.1=compileClasspath
@@ -39,6 +46,7 @@ org.bouncycastle:bcprov-jdk18on:1.77=compileClasspath
 org.codehaus.janino:commons-compiler:3.1.12=compileClasspath
 org.codehaus.janino:janino:3.1.12=compileClasspath
 org.openapitools:jackson-databind-nullable:0.2.6=compileClasspath
+org.ow2.asm:asm:9.6=compileClasspath
 org.projectlombok:lombok:1.18.32=compileClasspath
 org.slf4j:jul-to-slf4j:2.0.13=compileClasspath
 org.slf4j:slf4j-api:2.0.13=compileClasspath
@@ -52,6 +60,7 @@ org.springframework.boot:spring-boot-starter-actuator:3.2.5=compileClasspath
 org.springframework.boot:spring-boot-starter-aop:3.2.5=compileClasspath
 org.springframework.boot:spring-boot-starter-json:3.2.5=compileClasspath
 org.springframework.boot:spring-boot-starter-logging:3.2.5=compileClasspath
+org.springframework.boot:spring-boot-starter-oauth2-client:3.2.5=compileClasspath
 org.springframework.boot:spring-boot-starter-tomcat:3.2.5=compileClasspath
 org.springframework.boot:spring-boot-starter-web:3.2.5=compileClasspath
 org.springframework.boot:spring-boot-starter:3.2.5=compileClasspath
@@ -61,8 +70,14 @@ org.springframework.cloud:spring-cloud-context:4.1.2=compileClasspath
 org.springframework.cloud:spring-cloud-openfeign-core:4.1.1=compileClasspath
 org.springframework.cloud:spring-cloud-starter-openfeign:4.1.1=compileClasspath
 org.springframework.cloud:spring-cloud-starter:4.1.2=compileClasspath
+org.springframework.security:spring-security-config:6.2.4=compileClasspath
+org.springframework.security:spring-security-core:6.2.4=compileClasspath
 org.springframework.security:spring-security-crypto:6.2.4=compileClasspath
+org.springframework.security:spring-security-oauth2-client:6.2.4=compileClasspath
+org.springframework.security:spring-security-oauth2-core:6.2.4=compileClasspath
+org.springframework.security:spring-security-oauth2-jose:6.2.4=compileClasspath
 org.springframework.security:spring-security-rsa:1.1.2=compileClasspath
+org.springframework.security:spring-security-web:6.2.4=compileClasspath
 org.springframework:spring-aop:6.1.6=compileClasspath
 org.springframework:spring-beans:6.1.6=compileClasspath
 org.springframework:spring-context:6.1.6=compileClasspath

diff --git a/helm/values-dev.yaml b/helm/values-dev.yaml
@@ -30,6 +30,12 @@ microservice-chart:
   envConfig:
     ENV: "DEV"
     JAVA_TOOL_OPTIONS: "-Xms128m -Xmx4g -Djava.util.concurrent.ForkJoinPool.common.parallelism=7 -Dio.netty.eventLoopThreads=100 -javaagent:/app/applicationinsights-agent.jar -Dapplicationinsights.configuration.file=/mnt/file-config-external/appinsights-config/applicationinsights.json -agentlib:jdwp=transport=dt_socket,server=y,address=8001,suspend=n -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=3002 -Dcom.sun.management.jmxremote.rmi.port=3003 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
+    AUTH_CLIENT_ID: dev-arc-id
+    AUTH_CLIENT_REDIRECT_URI: https://dev.cittadini-p4pa.pagopa.it/auth-callback
+    AUTH_ISSUER_URI: https://dev.oneid.pagopa.it
+    AUTH_CLIENT_AUTHORIZATION_URI: https://dev.oneid.pagopa.it/login
+    AUTH_CLIENT_TOKEN_URI: https://dev.oneid.pagopa.it/oidc/token
+    AUTH_CLIENT_JWK_URI: https://dev.oneid.pagopa.it/oidc/keys
 
   keyvault:
     name: "arc-d-itn-cittadini-kv"

diff --git a/helm/values-prod.yaml b/helm/values-prod.yaml
@@ -30,7 +30,12 @@ microservice-chart:
   envConfig:
     ENV: "PROD"
     JAVA_TOOL_OPTIONS: "-Xms128m -Xmx4g -Djava.util.concurrent.ForkJoinPool.common.parallelism=7 -agentlib:jdwp=transport=dt_socket,server=y,address=8001,suspend=n -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=3002 -Dcom.sun.management.jmxremote.rmi.port=3003 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
-
+    AUTH_CLIENT_ID: TBD
+    AUTH_CLIENT_REDIRECT_URI: TBD
+    AUTH_ISSUER_URI: TBD
+    AUTH_CLIENT_AUTHORIZATION_URI: TBD
+    AUTH_CLIENT_TOKEN_URI: TBD
+    AUTH_CLIENT_JWK_URI: TBD
 
   keyvault:
     name: "arc-p-itn-cittadini-kv"

diff --git a/helm/values-uat.yaml b/helm/values-uat.yaml
@@ -30,7 +30,12 @@ microservice-chart:
   envConfig:
     ENV: "UAT"
     JAVA_TOOL_OPTIONS: "-Xms128m -Xmx4g -Djava.util.concurrent.ForkJoinPool.common.parallelism=7 -agentlib:jdwp=transport=dt_socket,server=y,address=8001,suspend=n -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=3002 -Dcom.sun.management.jmxremote.rmi.port=3003 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
-
+    AUTH_CLIENT_ID: TBD
+    AUTH_CLIENT_REDIRECT_URI: TBD
+    AUTH_ISSUER_URI: TBD
+    AUTH_CLIENT_AUTHORIZATION_URI: TBD
+    AUTH_CLIENT_TOKEN_URI: TBD
+    AUTH_CLIENT_JWK_URI: TBD
 
   keyvault:
     name: "arc-u-itn-cittadini-kv"

diff --git a/helm/values.yaml b/helm/values.yaml
@@ -68,7 +68,7 @@ microservice-chart:
   envSecret:
     APPLICATIONINSIGHTS_CONNECTION_STRING: appinsights-connection-string
     BIZ_EVENTS_SERVICE_API_KEY: pagopa-d-bizevents-trx-apimv1-subscription-key
-
+    AUTH_CLIENT_SECRET: oneidentity-client-secret
   # nodeSelector: {}
 
   # tolerations: []

diff --git a/openapi/pagopa-arc-be.openapi.yaml b/openapi/pagopa-arc-be.openapi.yaml
@@ -7,6 +7,37 @@ servers:
   - url: "http://localhost:8080/arc"
     description: Generated server url
 paths:
+  /login/oneidentity:
+    get:
+      tags:
+        - arc auth
+      summary: "Provide the authentication endpoint"
+      operationId: getAuthenticationEndpoint
+      responses:
+        '302':
+          description: "Redirect to the authentication endpoint"
+          headers:
+            Location:
+              description: >
+                The URL to redirect to, including the following query parameters:
+                - response_type: The type of response, e.g., "code".
+                - scope: The scope of the access request, e.g., "openid profile email".
+                - client_id: The client ID, e.g., "abc4hdRkqt3".
+                - state: An opaque value used to maintain state between the request and callback, e.g., "abc4hdRkqt3".
+                - redirect_uri: The URI to redirect to after authorization, e.g., "https://client.example.org/cb".
+              schema:
+                type: string
+        '401':
+          description: "Wrong or missing function key"
+        '429':
+          description: "Too many Requests"
+        '500':
+          description: "Service unavailable"
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorDTO'
+
   /transactions:
     get:
       tags:

diff --git a/src/main/java/it/gov/pagopa/arc/config/OAuth2LoginConfig.java b/src/main/java/it/gov/pagopa/arc/config/OAuth2LoginConfig.java
@@ -0,0 +1,24 @@
+package it.gov.pagopa.arc.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+public class OAuth2LoginConfig {
+
+  @Bean
+  public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+    http
+        .oauth2Login(oauth2Login -> oauth2Login
+            .authorizationEndpoint(authConfig -> authConfig.baseUri("/login"))
+            .redirectionEndpoint(redirection -> redirection.baseUri("/token/*"))
+        )
+        .authorizeHttpRequests(authorize -> authorize
+            .anyRequest()
+            .permitAll());
+    return http.build();
+  }
+
+}
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -3,6 +3,25 @@ spring:
     name: ${artifactId}
     version: ${version}
   jmx.enabled: true
+  security:
+    enable-csrf: false
+    oauth2:
+      client:
+        registration:
+          oneidentity:
+            provider: oneidentity
+            client-id: \${AUTH_CLIENT_ID:}
+            client-secret: \${AUTH_CLIENT_SECRET:}
+            authorization-grant-type: authorization_code
+            redirect-uri: \${AUTH_CLIENT_REDIRECT_URI:}
+            scope: openid
+        provider:
+          oneidentity:
+            issuer-uri: \${AUTH_ISSUER_URI:}
+            authorization-uri: \${AUTH_CLIENT_AUTHORIZATION_URI:}
+            token-uri: \${AUTH_CLIENT_TOKEN_URI:}
+            user-name-attribute: sub
+            jwk-set-uri: \${AUTH_CLIENT_JWK_URI:}
 
 rest-client:
   biz-events:

diff --git a/src/test/java/it/gov/pagopa/arc/controller/TransactionsControllerTest.java b/src/test/java/it/gov/pagopa/arc/controller/TransactionsControllerTest.java
@@ -1,34 +1,35 @@
 package it.gov.pagopa.arc.controller;
 
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+
 import com.fasterxml.jackson.databind.ObjectMapper;
 import it.gov.pagopa.arc.controller.generated.ArcTransactionsApi;
 import it.gov.pagopa.arc.fakers.TransactionDetailsDTOFaker;
 import it.gov.pagopa.arc.model.generated.TransactionDetailsDTO;
 import it.gov.pagopa.arc.model.generated.TransactionsListDTO;
 import it.gov.pagopa.arc.service.TransactionsService;
 import it.gov.pagopa.arc.utils.TestUtils;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
 import org.mockito.Mockito;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
 import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.core.io.FileSystemResource;
 import org.springframework.core.io.Resource;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.MvcResult;
 
-import java.nio.file.Files;
-import java.nio.file.Paths;
-
-import static org.mockito.ArgumentMatchers.anyInt;
-import static org.mockito.ArgumentMatchers.anyString;
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
-
 @WebMvcTest(value = {
         ArcTransactionsApi.class
 })
+@AutoConfigureMockMvc(addFilters = false)
 class TransactionsControllerTest {
     private static final int PAGE = 1;
     private static final int SIZE = 2;

diff --git a/src/test/java/it/gov/pagopa/arc/exception/ArcExceptionHandlerTest.java b/src/test/java/it/gov/pagopa/arc/exception/ArcExceptionHandlerTest.java
@@ -1,17 +1,20 @@
 package it.gov.pagopa.arc.exception;
 
+import static org.mockito.Mockito.doThrow;
+
 import ch.qos.logback.classic.LoggerContext;
 import it.gov.pagopa.arc.exception.custom.BizEventsInvocationException;
 import it.gov.pagopa.arc.exception.custom.BizEventsReceiptNotFoundException;
 import it.gov.pagopa.arc.exception.custom.BizEventsTransactionNotFoundException;
+import it.gov.pagopa.arc.utils.MemoryAppender;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
 import org.springframework.boot.test.mock.mockito.SpyBean;
 import org.springframework.http.MediaType;
@@ -22,15 +25,13 @@
 import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
-import it.gov.pagopa.arc.utils.MemoryAppender;
-
-import static org.mockito.Mockito.doThrow;
 
 @ExtendWith({SpringExtension.class, MockitoExtension.class})
-@WebMvcTest(value = {ArcExceptionHandlerTest.TestController.class}, excludeAutoConfiguration = SecurityAutoConfiguration.class)
+@WebMvcTest(value = {ArcExceptionHandlerTest.TestController.class})
 @ContextConfiguration(classes = {
-        ArcExceptionHandlerTest.TestController.class,
-        ArcExceptionHandler.class})
+    ArcExceptionHandlerTest.TestController.class,
+    ArcExceptionHandler.class})
+@AutoConfigureMockMvc(addFilters = false)
 class ArcExceptionHandlerTest {
 
     public static final String DATA = "data";

diff --git a/src/test/resources/application.yml b/src/test/resources/application.yml
@@ -0,0 +1,5 @@
+rest-client:
+  biz-events:
+    baseUrl: \${BIZ_EVENTS_BASE_URL:}
+    api-key: \${BIZ_EVENTS_SERVICE_API_KEY:}
+    fake-fiscal-code: "HSLZYB90L59D030S"