OZG-7014 add oauth2 resource server for jwt auth

Sub task: OZG-7225

OZG-7014 add oauth2 resource server for jwt auth
4fc19c5a · OZGCloud · 5cb34fca · 4fc19c5a · 4fc19c5a · 4fc19c5a
Commit 4fc19c5a authored 6 months ago by OZGCloud
--- a/fachstelle-server/pom.xml
+++ b/fachstelle-server/pom.xml
@@ -148,6 +148,10 @@
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-saml2-service-provider</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>org.springframework.hateoas</groupId>
 			<artifactId>spring-hateoas</artifactId>

--- a/fachstelle-server/src/main/java/de/ozgcloud/fachstelle/SecurityConfiguration.java
+++ b/fachstelle-server/src/main/java/de/ozgcloud/fachstelle/SecurityConfiguration.java
 package de.ozgcloud.fachstelle;

-import java.util.List;
-
+import de.ozgcloud.fachstelle.security.FachstelleLogoutSuccessHandler;
+import de.ozgcloud.fachstelle.security.InMemoryUserDetailService;
+import de.ozgcloud.fachstelle.security.SecurityProvider;
+import de.ozgcloud.fachstelle.security.UrlAuthenticationSuccessHandler;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.log4j.Log4j2;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpHeaders;
@@ -10,6 +14,7 @@ import org.springframework.security.authentication.AuthenticationTrustResolverIm
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
 import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
 import org.springframework.security.saml2.provider.service.web.DefaultRelyingPartyRegistrationResolver;
 import org.springframework.security.saml2.provider.service.web.authentication.OpenSaml4AuthenticationRequestResolver;
@@ -19,12 +24,7 @@ import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 import org.springframework.web.filter.CorsFilter;

-import de.ozgcloud.fachstelle.security.FachstelleLogoutSuccessHandler;
-import de.ozgcloud.fachstelle.security.InMemoryUserDetailService;
-import de.ozgcloud.fachstelle.security.SecurityProvider;
-import de.ozgcloud.fachstelle.security.UrlAuthenticationSuccessHandler;
-import lombok.RequiredArgsConstructor;
-import lombok.extern.log4j.Log4j2;
+import java.util.List;

 @Configuration
 @Log4j2
@@ -35,6 +35,7 @@ public class SecurityConfiguration {
    private final InMemoryUserDetailService userDetailsService;
    private final UrlAuthenticationSuccessHandler urlAuthenticationSuccessHandler;
    private final FachstellenProperties properties;
+    private final SpringJwtProperties springJwtProperties;

    @Bean
    public SecurityProvider securityProvider() {
@@ -59,12 +60,13 @@ public class SecurityConfiguration {
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(authorize -> authorize
-			.requestMatchers("/*", "/index**", "/success", "/actuator/**", "/error", "/favicon.ico", "/fonts/**", "/webjars/**", "/api/*", "/api",
+                        .requestMatchers("/*", "/index**", "/success", "/actuator/**", "/error", "/favicon.ico", "/fonts/**", "/webjars/**",
                                "/api/environment")
                        .permitAll()
-			.requestMatchers("/preregister", "/register").authenticated()
+                        .requestMatchers("/api", "/api/**", "/preregister", "/register").authenticated()
                        .anyRequest().denyAll());

+        http.oauth2ResourceServer(this::setOAuth2ResourceServer);
        http.saml2Login(samlLogin -> samlLogin.successHandler(urlAuthenticationSuccessHandler))
                .saml2Logout(Customizer.withDefaults())
                .logout(logoutConfigurer -> logoutConfigurer.logoutSuccessHandler(getLogoutSuccessHandler()));
@@ -72,6 +74,10 @@ public class SecurityConfiguration {
        return http.build();
    }

+    private void setOAuth2ResourceServer(OAuth2ResourceServerConfigurer<HttpSecurity> configurer) {
+        configurer.jwt().jwkSetUri(springJwtProperties.getJwkSetUri());
+    }
+
    FachstelleLogoutSuccessHandler getLogoutSuccessHandler() {
        var handler = new FachstelleLogoutSuccessHandler(userDetailsService);
        handler.setDefaultTargetUrl(properties.getLogoutSuccessUrl());
@@ -93,5 +99,4 @@ public class SecurityConfiguration {

        return new CorsFilter(source);
    }
-
 }
--- a/fachstelle-server/src/main/java/de/ozgcloud/fachstelle/SpringJwtProperties.java
+++ b/fachstelle-server/src/main/java/de/ozgcloud/fachstelle/SpringJwtProperties.java
+package de.ozgcloud.fachstelle;
+
+import lombok.Getter;
+import lombok.Setter;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+
+@Setter
+@Getter
+@Configuration
+@ConfigurationProperties(prefix = SpringJwtProperties.PREFIX)
+public class SpringJwtProperties {
+
+	static final String PREFIX = "spring.security.oauth2.resourceserver.jwt";
+
+	/**
+	 * Jwt jwk set uri
+	 */
+	private String jwkSetUri = null;
+}
\ No newline at end of file
--- a/fachstelle-server/src/main/resources/application.yml
+++ b/fachstelle-server/src/main/resources/application.yml
@@ -27,6 +27,11 @@ spring:
  application:
    name: Fachstellenbeteiligung
  security:
+    oauth2:
+      resourceserver:
+        jwt:
+          issuer-uri: ${ozgcloud.oauth2.issuer-uri}
+          jwk-set-uri: ${spring.security.oauth2.resourceserver.jwt.issuer-uri}/protocol/openid-connect/certs
    saml2:
      relyingparty:
        registration:
@@ -49,5 +54,6 @@ ozgcloud:
    auth-server-url: ${keycloak.auth-server-url}
    realm: ${keycloak.realm}
    resource: ${keycloak.resource}
+    issuer-uri: ${ozgcloud.oauth2.auth-server-url}/realms/${ozgcloud.oauth2.realm}
  fachstellen-proxy:
    collaboration-manager-address-header: X-Grpc-Address
\ No newline at end of file
--- a/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/SecurityConfigurationTest.java
+++ b/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/SecurityConfigurationTest.java
@@ -8,6 +8,7 @@ import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -20,20 +21,19 @@ import static org.mockito.Mockito.*;
 @ExtendWith(MockitoExtension.class)
 class SecurityConfigurationTest {

+	@InjectMocks
+	private SecurityConfiguration securityConfiguration;
+
 	@Mock
-	InMemoryUserDetailService userDetailsService;
+	private InMemoryUserDetailService userDetailsService;
 	@Mock
-	UrlAuthenticationSuccessHandler urlAuthenticationSuccessHandler;
+	private UrlAuthenticationSuccessHandler urlAuthenticationSuccessHandler;

 	@Mock
-	FachstellenProperties fachstellenProperties;
-
-	private SecurityConfiguration securityConfiguration;
+	private FachstellenProperties fachstellenProperties;
+	@Mock
+	private SpringJwtProperties springJwtProperties;

-	@BeforeEach
-	void setUp() {
-		securityConfiguration = new SecurityConfiguration(userDetailsService, urlAuthenticationSuccessHandler, fachstellenProperties);
-	}

 	@Test
 	void shouldCreateSecurityProvider() {

--- a/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/attachment/AttachmentControllerITCase.java
+++ b/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/attachment/AttachmentControllerITCase.java
@@ -28,6 +28,8 @@ import lombok.SneakyThrows;
        "ozgcloud.fachstelle.login-redirect-url=http://login",
        "ozgcloud.fachstelle.cors=http://login;http://saml-idp",
        "ozgcloud.fachstellen-proxy.base-url=http://proxy",
+        "keycloak.auth-server-url=http://keycloak",
+        "keycloak.realm=fachstelle",
        "spring.security.saml2.relyingparty.registration.muk.entity-id=http://mock-idp",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].private-key-location=classpath:/mujina-test.key",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].certificate-location=classpath:/mujina-test.crt",

--- a/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/command/CommandControllerITCase.java
+++ b/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/command/CommandControllerITCase.java
@@ -27,6 +27,8 @@ import lombok.SneakyThrows;
        "ozgcloud.fachstelle.login-redirect-url=http://login",
        "ozgcloud.fachstelle.cors=http://login;http://saml-idp",
        "ozgcloud.fachstellen-proxy.base-url=http://proxy",
+        "keycloak.auth-server-url=http://keycloak",
+        "keycloak.realm=fachstelle",
        "spring.security.saml2.relyingparty.registration.muk.entity-id=http://mock-idp",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].private-key-location=classpath:/mujina-test.key",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].certificate-location=classpath:/mujina-test.crt",

--- a/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/historie/HistorieControllerITCase.java
+++ b/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/historie/HistorieControllerITCase.java
@@ -29,6 +29,8 @@ import lombok.SneakyThrows;
        "ozgcloud.fachstelle.login-redirect-url=http://login",
        "ozgcloud.fachstelle.cors=http://login;http://saml-idp",
        "ozgcloud.fachstellen-proxy.base-url=http://proxy",
+        "keycloak.auth-server-url=http://keycloak",
+        "keycloak.realm=fachstelle",
        "spring.security.saml2.relyingparty.registration.muk.entity-id=http://mock-idp",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].private-key-location=classpath:/mujina-test.key",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].certificate-location=classpath:/mujina-test.crt",

--- a/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/kommentar/KommentarByVorgangControllerITCase.java
+++ b/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/kommentar/KommentarByVorgangControllerITCase.java
@@ -28,6 +28,8 @@ import lombok.SneakyThrows;
        "ozgcloud.fachstelle.login-redirect-url=http://login",
        "ozgcloud.fachstelle.cors=http://login;http://saml-idp",
        "ozgcloud.fachstellen-proxy.base-url=http://proxy",
+        "keycloak.auth-server-url=http://keycloak",
+        "keycloak.realm=fachstelle",
        "spring.security.saml2.relyingparty.registration.muk.entity-id=http://mock-idp",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].private-key-location=classpath:/mujina-test.key",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].certificate-location=classpath:/mujina-test.crt",

--- a/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/kommentar/KommentarControllerITCase.java
+++ b/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/kommentar/KommentarControllerITCase.java
@@ -28,6 +28,8 @@ import lombok.SneakyThrows;
        "ozgcloud.fachstelle.login-redirect-url=http://login",
        "ozgcloud.fachstelle.cors=http://login;http://saml-idp",
        "ozgcloud.fachstellen-proxy.base-url=http://proxy",
+        "keycloak.auth-server-url=http://keycloak",
+        "keycloak.realm=fachstelle",
        "spring.security.saml2.relyingparty.registration.muk.entity-id=http://mock-idp",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].private-key-location=classpath:/mujina-test.key",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].certificate-location=classpath:/mujina-test.crt",

--- a/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/registration/FachstelleRegistrationControllerITCase.java
+++ b/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/registration/FachstelleRegistrationControllerITCase.java
@@ -21,6 +21,8 @@ import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
        "ozgcloud.fachstelle.login-redirect-url=http://login",
        "ozgcloud.fachstelle.cors=http://login;http://saml-idp",
        "ozgcloud.fachstellen-proxy.base-url=http://proxy",
+        "keycloak.auth-server-url=http://keycloak",
+        "keycloak.realm=fachstelle",
        "spring.security.saml2.relyingparty.registration.muk.entity-id=http://mock-idp",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].private-key-location=classpath:/mujina-test.key",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].certificate-location=classpath:/mujina-test.crt",

--- a/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/representation/RepresentationControllerITCase.java
+++ b/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/representation/RepresentationControllerITCase.java
@@ -28,6 +28,8 @@ import lombok.SneakyThrows;
        "ozgcloud.fachstelle.login-redirect-url=http://login",
        "ozgcloud.fachstelle.cors=http://login;http://saml-idp",
        "ozgcloud.fachstellen-proxy.base-url=http://proxy",
+        "keycloak.auth-server-url=http://keycloak",
+        "keycloak.realm=fachstelle",
        "spring.security.saml2.relyingparty.registration.muk.entity-id=http://mock-idp",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].private-key-location=classpath:/mujina-test.key",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].certificate-location=classpath:/mujina-test.crt",

--- a/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/resource/OzgcloudResourceControllerITCase.java
+++ b/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/resource/OzgcloudResourceControllerITCase.java
@@ -32,6 +32,8 @@ import lombok.SneakyThrows;
        "ozgcloud.fachstelle.login-redirect-url=http://login",
        "ozgcloud.fachstelle.cors=http://login;http://saml-idp",
        "ozgcloud.fachstellen-proxy.base-url=http://proxy",
+        "keycloak.auth-server-url=http://keycloak",
+        "keycloak.realm=fachstelle",
        "spring.security.saml2.relyingparty.registration.muk.entity-id=http://mock-idp",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].private-key-location=classpath:/mujina-test.key",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].certificate-location=classpath:/mujina-test.crt",

--- a/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/vorgang/VorgangControllerITCase.java
+++ b/fachstelle-server/src/test/java/de/ozgcloud/fachstelle/vorgang/VorgangControllerITCase.java
@@ -32,6 +32,8 @@ import lombok.SneakyThrows;
        "ozgcloud.fachstelle.login-redirect-url=http://login",
        "ozgcloud.fachstelle.cors=http://login;http://saml-idp",
        "ozgcloud.fachstellen-proxy.base-url=http://proxy",
+        "keycloak.auth-server-url=http://keycloak",
+        "keycloak.realm=fachstelle",
        "spring.security.saml2.relyingparty.registration.muk.entity-id=http://mock-idp",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].private-key-location=classpath:/mujina-test.key",
        "spring.security.saml2.relyingparty.registration.muk.signing.credentials[0].certificate-location=classpath:/mujina-test.crt",