KOGITO-3291: Implement security at Quarkus level for Management Conso…

…le (apache#468)

* KOGITO-3291: Implement security at Quarkus level for Management Console

* KOGITO-3291: updated kogito-realm.json to map the user groups and remove comments

* KOGITO-3291: Removed keycloak integration from react

* KOGITO-3291: updated security commons testing

config/kogito-realm.json

@@ -843,6 +843,22 @@
       "authenticationFlowBindingOverrides": {},
       "fullScopeAllowed": true,
       "nodeReRegistrationTimeout": -1,
+      "protocolMappers": [
+        {
+          "name": "groups",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-realm-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "multivalued": "true",
+            "user.attribute": "foo",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "groups",
+            "jsonType.label": "String"
+          }
+        }
+      ],
       "defaultClientScopes": [
         "web-origins",
         "role_list",

management-console/README.md

@@ -255,6 +255,6 @@ Start the management console at port 8380, (the keycloak client 'kogito-console-
 and enabling auth:
 
 ```
-mvn clean compile quarkus:dev -Dquarkus.http.port=8380 -Dkogito.auth.enabled=true
+mvn clean compile quarkus:dev -Dquarkus.http.port=8380 -Dquarkus.profile=keycloak
 ```
 

management-console/pom.xml

@@ -35,6 +35,10 @@
     </dependencies>
   </dependencyManagement>
   <dependencies>
+    <dependency>
+      <groupId>org.kie.kogito</groupId>
+      <artifactId>security-commons</artifactId>
+    </dependency>
     <dependency>
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-vertx-web</artifactId>

management-console/src/main/java/org/kie/kogito/mgmt/VertxRouter.java

@@ -42,21 +42,9 @@ public class VertxRouter {
     String dataIndexHttpURL;
 
     @Inject
-    @ConfigProperty(name = "kogito.auth.enabled", defaultValue = "false")
+    @ConfigProperty(name = "quarkus.oidc.enabled", defaultValue = "false")
     String authEnabled;
 
-    @Inject
-    @ConfigProperty(name = "kogito.auth.keycloak.realm", defaultValue = "kogito")
-    String authKeycloakRealm;
-
-    @Inject
-    @ConfigProperty(name = "kogito.auth.keycloak.url", defaultValue = "http://localhost:8280")
-    String authKeycloakUrl;
-
-    @Inject
-    @ConfigProperty(name = "kogito.auth.keycloak.client.id", defaultValue = "kogito-console-quarkus")
-    String authKeycloakClientId;
-
     @Inject
     Vertx vertx;
 
@@ -68,10 +56,7 @@ public void init() {
                 .readFileBlocking("META-INF/resources/index.html")
                 .toString(UTF_8)
                 .replace("__DATA_INDEX_ENDPOINT__", "\"" + dataIndexHttpURL + "/graphql\"")
-                .replace("__KOGITO_AUTH_ENABLED__", authEnabled)
-                .replace("__KOGITO_AUTH_KEYCLOAK_REALM__", "\"" + authKeycloakRealm + "\"")
-                .replace("__KOGITO_AUTH_KEYCLOAK_URL__", "\"" + authKeycloakUrl + "\"")
-                .replace("__KOGITO_AUTH_KEYCLOAK_CLIENT_ID__", "\"" + authKeycloakClientId + "\"");
+                .replace("__KOGITO_AUTH_ENABLED__", authEnabled);
     }
 
     void setupRouter(@Observes Router router) {

management-console/src/main/resources/application.properties

@@ -1 +1,18 @@
-quarkus.http.cors=true
+quarkus.http.cors=true
+
+quarkus.oidc.enabled=true
+quarkus.oidc.tenant-enabled=false
+quarkus.http.auth.permission.roles1.paths=/*
+quarkus.http.auth.permission.roles1.policy=permit
+
+#enabled with the profile: 'keycloak' (-Dquarkus.profile=keycloak)
+%keycloak.quarkus.oidc.enabled=true
+%keycloak.quarkus.oidc.tenant-enabled=true
+%keycloak.quarkus.oidc.auth-server-url=http://localhost:8280/auth/realms/kogito
+%keycloak.quarkus.oidc.client-id=kogito-console-quarkus
+%keycloak.quarkus.oidc.credentials.secret=secret
+%keycloak.quarkus.oidc.application-type=web-app
+%keycloak.quarkus.oidc.logout.path=/logout
+%keycloak.quarkus.oidc.logout.post-logout-path=/
+%keycloak.quarkus.http.auth.permission.roles1.paths=/*
+%keycloak.quarkus.http.auth.permission.roles1.policy=authenticated

pom.xml

@@ -97,6 +97,7 @@
     <module>jobs-service</module>
     <module>data-index</module>
     <module>ui-packages</module>
+    <module>security-commons</module>
     <module>management-console</module>
     <module>trusty-ui</module>
     <module>task-console</module>

security-commons/pom.xml

@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <artifactId>kogito-apps</artifactId>
+    <groupId>org.kie.kogito</groupId>
+    <version>1.0.0-SNAPSHOT</version>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+
+  <name>Kogito :: Security Commons</name>
+  <artifactId>security-commons</artifactId>
+
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>org.kie.kogito</groupId>
+        <artifactId>kogito-bom</artifactId>
+        <version>${project.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+        <groupId>io.quarkus</groupId>
+        <artifactId>quarkus-bom</artifactId>
+        <version>${version.io.quarkus}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+  <dependencies>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-resteasy-jsonb</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-oidc</artifactId>
+    </dependency>
+
+    <!-- Testing -->
+    <dependency>
+      <groupId>org.kie.kogito</groupId>
+      <artifactId>kogito-test-utils</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.keycloak</groupId>
+      <artifactId>keycloak-core</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>io.quarkus</groupId>
+      <artifactId>quarkus-junit5</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-junit-jupiter</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>net.javacrumbs.json-unit</groupId>
+      <artifactId>json-unit-assertj</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>io.rest-assured</groupId>
+      <artifactId>rest-assured</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>io.quarkus</groupId>
+        <artifactId>quarkus-maven-plugin</artifactId>
+        <configuration>
+          <uberJar>true</uberJar>
+        </configuration>
+        <executions>
+          <execution>
+            <goals>
+              <goal>build</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <artifactId>maven-failsafe-plugin</artifactId>
+        <configuration>
+          <systemPropertyVariables>
+            <java.util.logging.manager>org.jboss.logmanager.LogManager</java.util.logging.manager>
+            <container.image.keycloak>${container.image.keycloak}</container.image.keycloak>
+          </systemPropertyVariables>
+        </configuration>
+        <executions>
+          <execution>
+            <id>default</id>
+            <goals>
+              <goal>integration-test</goal>
+            </goals>
+          </execution>
+          <execution>
+            <id>verify</id>
+            <goals>
+              <goal>verify</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+      <plugin>
+        <artifactId>maven-surefire-plugin</artifactId>
+        <executions>
+          <execution>
+            <goals>
+              <goal>test</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+
+    </plugins>
+  </build>
+</project>

security-commons/src/main/java/org/kie/kogito/security/UserResource.java

@@ -0,0 +1,82 @@
+/*
+ * Copyright 2020 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.kie.kogito.security;
+
+import java.util.Collections;
+import java.util.Set;
+
+import javax.inject.Inject;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+import io.quarkus.security.Authenticated;
+import io.quarkus.security.credential.TokenCredential;
+import io.quarkus.security.identity.SecurityIdentity;
+import org.jboss.resteasy.annotations.cache.NoCache;
+
+@Path(UserResource.USER_PATH)
+@Authenticated
+public class UserResource {
+
+    public static final String USER_PATH = "/api/user";
+
+    @Inject
+    SecurityIdentity identity;
+
+    @GET
+    @Path("/me")
+    @Produces(MediaType.APPLICATION_JSON)
+    @NoCache
+    public User me() {
+        return new User(identity);
+    }
+
+    protected void setSecurityIdentity(SecurityIdentity securityIdentity) {
+        this.identity = securityIdentity;
+    }
+
+    public static class User {
+
+        private String userName = "Anonymous";
+        private Set<String> roles = Collections.emptySet();
+        private String token = "";
+
+        User(SecurityIdentity identity) {
+            if (identity != null &&
+                    identity.getPrincipal() != null &&
+                    identity.getCredential(TokenCredential.class) != null) {
+                this.userName = identity.getPrincipal().getName();
+                this.roles = identity.getRoles();
+                this.token = identity.getCredential(TokenCredential.class).getToken();
+            }
+        }
+
+        public String getUserName() {
+            return userName;
+        }
+
+        public Set<String> getRoles() {
+            return roles;
+        }
+
+        public String getToken() {
+            return token;
+        }
+    }
+}
+

security-commons/src/main/resources/application.properties

@@ -0,0 +1,17 @@
+quarkus.http.cors=true
+
+quarkus.oidc.enabled=true
+quarkus.oidc.tenant-enabled=false
+quarkus.http.auth.permission.roles1.paths=/*
+quarkus.http.auth.permission.roles1.policy=permit
+
+#enabled with the profile: 'keycloak' (-Dquarkus.profile=keycloak)
+%keycloak.quarkus.oidc.enabled=true
+%keycloak.quarkus.oidc.tenant-enabled=true
+%keycloak.quarkus.oidc.auth-server-url=http://localhost:8280/auth/realms/kogito
+%keycloak.quarkus.oidc.client-id=kogito-console-quarkus
+%keycloak.quarkus.oidc.credentials.secret=secret
+%keycloak.quarkus.oidc.application-type=web-app
+%keycloak.quarkus.oidc.logout.path=/logout
+%keycloak.quarkus.oidc.logout.post-logout-path=/api/user/me
+