From bd856fa9a665943a7af18dc4769677ddc4db58b7 Mon Sep 17 00:00:00 2001
From: Antonio Tarricone <110115827+antoniotarricone@users.noreply.github.com>
Date: Wed, 18 Oct 2023 17:02:25 +0200
Subject: [PATCH 1/4] feat: Authentication for key vault use, by means of system-managed identity. (#68)

---
 .github/workflows/build-n-push-main.yml | 111 +++++++++++++++
 .../bean/GetAccessTokenResponse.java | 14 +-
 .../azurekeyvault/client/AzureAuthClient.java | 17 +-
 .../service/AzureAuthService.java | 24 +---
 src/main/resources/application.properties | 69 ++++------
 .../service/AzureKeyFinderTest.java | 126 ++++++++++--------
 .../service/AzureTokenSignerTest.java | 16 +-
 .../resource/RefreshTokensResourceTest.java | 32 ++++-
 .../TokenByClientSecretResourceTest.java | 76 +++++++----
 .../resource/TokenByPasswordResourceTest.java | 32 ++++-
 .../TokenByPoyntTokenResourceTest.java | 32 ++++-
 11 files changed, 361 insertions(+), 188 deletions(-)
 create mode 100644 .github/workflows/build-n-push-main.yml

diff --git a/.github/workflows/build-n-push-main.yml b/.github/workflows/build-n-push-main.yml
new file mode 100644
index 00000000..ac63e7f4
--- /dev/null
+++ b/.github/workflows/build-n-push-main.yml
@@ -0,0 +1,111 @@ +name: Build and push main + +on: + workflow_dispatch: + +jobs: + build_and_push_main: + runs-on: ubuntu-latest + + permissions: + id-token: write + packages: write + contents: write + + steps: + # + # Checkout the source code. + # + - name: Checkout the source code + uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab + with: + token: ${{ secrets.GIT_PAT }} + fetch-depth: 0 + + # + # Cache JDK. + # + - name: Cache JDK + if: steps.semantic.outputs.new_release_published == 'true' + uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 + id: cache-jdk + with: + key: OpenJDK17U-jdk_x64_linux_hotspot_17.0.7_7.tar.gz + path: | + ${{ runner.temp }}/jdk_setup.tar.gz + ${{ runner.temp }}/jdk_setup.sha256 + + # + # Download JDK and verify its hash. + # + - name: Download JDK and verify its hash + if: steps.semantic.outputs.new_release_published == 'true' && steps.cache-jdk.outputs.cache-hit != 'true' + run: | + echo "e9458b38e97358850902c2936a1bb5f35f6cffc59da9fcd28c63eab8dbbfbc3b ${{ runner.temp }}/jdk_setup.tar.gz" >> ${{ runner.temp }}/jdk_setup.sha256 + curl -L "https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.7%2B7/OpenJDK17U-jdk_x64_linux_hotspot_17.0.7_7.tar.gz" -o "${{ runner.temp }}/jdk_setup.tar.gz" + sha256sum --check --status "${{ runner.temp }}/jdk_setup.sha256" + + # + # Setup JDK. + # + - name: Setup JDK + if: steps.semantic.outputs.new_release_published == 'true' + uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 + with: + distribution: "jdkfile" + jdkFile: "${{ runner.temp }}/jdk_setup.tar.gz" + java-version: "17" + cache: maven + + # + # Cache Maven. 
+ # + - name: Cache Maven + if: steps.semantic.outputs.new_release_published == 'true' + uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 + id: cache-maven + with: + key: apache-maven-3.9.2-bin.tar.gz + path: | + ${{ runner.temp }}/maven_setup.tar.gz + ${{ runner.temp }}/maven_setup.sha256 + + # + # Download Maven and verify its hash. + # + - name: Download Maven and verify its hash + if: steps.semantic.outputs.new_release_published == 'true' && steps.cache-maven.outputs.cache-hit != 'true' + run: | + echo "809ef3220c6d179195c06c324cb9a6d34d8ecba566c5cfd8eb83167bc034117d ${{ runner.temp }}/maven_setup.tar.gz" >> ${{ runner.temp }}/maven_setup.sha256 + curl -L "https://archive.apache.org/dist/maven/maven-3/3.9.2/binaries/apache-maven-3.9.2-bin.tar.gz" -o "${{ runner.temp }}/maven_setup.tar.gz" + sha256sum --check --status "${{ runner.temp }}/maven_setup.sha256" + + # + # Setup Maven. + # + - name: Setup Maven + if: steps.semantic.outputs.new_release_published == 'true' + run: | + mkdir ${{ runner.temp }}/maven + tar -xvf ${{ runner.temp }}/maven_setup.tar.gz -C ${{ runner.temp }}/maven --strip-components=1 + echo "github${{ secrets.GIT_USER }}${{ secrets.GIT_PAT }}" >> ${{ runner.temp }}/settings.xml + + # + # Build native executable. + # + - name: Build native executable + run: ${{ runner.temp }}/maven/bin/mvn clean package -Pnative -Dmaven.test.skip=false -Dquarkus.native.container-build=true -Dquarkus.native.builder-image=quay.io/quarkus/ubi-quarkus-mandrel-builder-image@sha256:05baf3fd2173f6f25ad35216b6b066c35fbfb97f06daba75efb5b22bc0a85b9c -s ${{ runner.temp }}/settings.xml --no-transfer-progress + + # + # Build Docker image. + # + - name: Build Docker image + run: docker build -f src/main/docker/Dockerfile.native-micro -t ghcr.io/${{ github.repository }}:main . + + # + # Push Docker image. 
+ #
+ - name: Push Docker image
+ run: |
+ echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+ docker push -a ghcr.io/${{ github.repository }}
\ No newline at end of file
diff --git a/src/main/java/it/pagopa/swclient/mil/auth/azurekeyvault/bean/GetAccessTokenResponse.java b/src/main/java/it/pagopa/swclient/mil/auth/azurekeyvault/bean/GetAccessTokenResponse.java
index 466983d0..aa7c0c56 100644
--- a/src/main/java/it/pagopa/swclient/mil/auth/azurekeyvault/bean/GetAccessTokenResponse.java
+++ b/src/main/java/it/pagopa/swclient/mil/auth/azurekeyvault/bean/GetAccessTokenResponse.java
@@ -35,14 +35,20 @@ public class GetAccessTokenResponse {
 /*
 *
 */
- @JsonProperty("expires_in")
- private long expiresIn;
+ @JsonProperty("expires_on")
+ private long expiresOn;
 
 /*
 *
 */
- @JsonProperty("ext_expires_in")
- private long extExpiresIn;
+ @JsonProperty("client_id")
+ private String clientId;
+
+ /*
+ *
+ */
+ @JsonProperty("resource")
+ private String resource;
 
 /*
 *
diff --git a/src/main/java/it/pagopa/swclient/mil/auth/azurekeyvault/client/AzureAuthClient.java b/src/main/java/it/pagopa/swclient/mil/auth/azurekeyvault/client/AzureAuthClient.java
index 9803b31b..c94ee11f 100644
--- a/src/main/java/it/pagopa/swclient/mil/auth/azurekeyvault/client/AzureAuthClient.java
+++ b/src/main/java/it/pagopa/swclient/mil/auth/azurekeyvault/client/AzureAuthClient.java
@@ -9,9 +9,8 @@
 import io.smallrye.mutiny.Uni;
 import it.pagopa.swclient.mil.auth.azurekeyvault.bean.GetAccessTokenResponse;
-import jakarta.ws.rs.Consumes;
-import jakarta.ws.rs.FormParam;
-import jakarta.ws.rs.POST;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.HeaderParam;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.PathParam;
 import jakarta.ws.rs.Produces;
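Review bot: Every JDK and Maven setup step is gated on `steps.semantic.outputs.new_release_published == 'true'`, but no step with `id: semantic` exists in this workflow, so those conditions are never true and the unconditional "Build native executable" step will run `${{ runner.temp }}/maven/bin/mvn` on a runner where Maven was never downloaded or extracted. Either drop the `if:` lines on the Cache JDK, Download JDK, Setup JDK, Cache Maven, Download Maven and Setup Maven steps, or add the step they refer to. The checkout uses `token: ${{ secrets.GIT_PAT }}` and the job asks for `contents: write` although nothing here writes back to the repository; with no release step present these look like leftovers and could be reduced to `contents: read` with the default token. The `settings.xml` written in "Setup Maven" embeds `GIT_PAT` on disk for the rest of the job, which is worth a comment on that step explaining why the PAT rather than `GITHUB_TOKEN` is needed for the Maven repository.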
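Review bot: `expiresOn` replaces `expiresIn` but the comment block above it is still empty, and the two fields mean different things: the tests stub the new one as `now + 3599`, i.e. an absolute epoch-seconds expiry, while the removed field was a relative duration. Any consumer that still computes `now + expiresIn` would now double-count; that code is outside this hunk, so please confirm it was updated. I'd fill the comment with `/* Expiry of the token as seconds since the Unix epoch (absolute, not a duration). */` and note on `clientId`/`resource` that they echo the identity and resource the token was issued for. If the identity endpoint returns `expires_on` as a JSON string, Jackson's default scalar coercion still populates the `long`, but a deserialization test with a string value would pin that.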
@@ -30,14 +29,10 @@ public interface AzureAuthClient {
 * @param scope
 * @return
 */
- @Path("/{tenantId}/oauth2/v2.0/token")
- @POST
- @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+ @Path("?resource={scope}&api-version=2019-08-01")
+ @GET
 @Produces(MediaType.APPLICATION_JSON)
 Uni getAccessToken(
- @PathParam("tenantId") String tenantId,
- @FormParam("grant_type") String grantType,
- @FormParam("client_id") String clientId,
- @FormParam("client_secret") String clientSecret,
- @FormParam("scope") String scope);
+ @HeaderParam("x-identity-header") String identity,
+ @PathParam("scope") String scope);
 }
diff --git a/src/main/java/it/pagopa/swclient/mil/auth/azurekeyvault/service/AzureAuthService.java b/src/main/java/it/pagopa/swclient/mil/auth/azurekeyvault/service/AzureAuthService.java
index a4fbaa1f..00ca3f75 100644
--- a/src/main/java/it/pagopa/swclient/mil/auth/azurekeyvault/service/AzureAuthService.java
+++ b/src/main/java/it/pagopa/swclient/mil/auth/azurekeyvault/service/AzureAuthService.java
@@ -19,40 +19,28 @@
 */
 @ApplicationScoped
 public class AzureAuthService {
- /*
- * Grant types.
- */
- private static final String CLIENT_CREDENTIALS = "client_credentials";
 /*
 * Scope for authentication.
 */
 private static final String VAULT = "https://vault.azure.net/.default";
+
 /*
 *
 */
 @RestClient
 AzureAuthClient client;
+
 /*
 *
 */
- @ConfigProperty(name = "azure-auth-api.tenant-id")
- String tenantId;
- /*
- *
- */
- @ConfigProperty(name = "azure-auth-api.client-id")
- String clientId;
- /*
- *
- */
- @ConfigProperty(name = "azure-auth-api.client-secret")
- String clientSecret;
-
+ @ConfigProperty(name = "azure-auth-api.identity")
+ String identity;
+
 /**
 * @return
 */
 public Uni getAccessToken() {
 Log.debug("Authenticating to Azure AD.");
- return client.getAccessToken(tenantId, CLIENT_CREDENTIALS, clientId, clientSecret, VAULT);
+ return client.getAccessToken(identity, VAULT);
 }
 }
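Review bot: `@Path("?resource={scope}&api-version=2019-08-01")` puts a query string into a path template; JAX-RS treats `@Path` as path segments, so the `?`, the `&` and the `/` characters inside the substituted `scope` may be percent-encoded rather than sent as a query, depending on the client implementation, and the mocked tests never exercise the real URL. The portable form is `@QueryParam("resource") String scope` in place of `@PathParam("scope")`, with `api-version` as a second query parameter (or a constant query-parameter annotation if the REST client provides one) and `@Path` reduced to the endpoint's own path. The Javadoc still documents only `scope`; add `@param identity value of the IDENTITY_HEADER environment variable, sent as x-identity-header — a secret, never log it`.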
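Review bot: The comment block above `identity` is still empty although this field now carries the managed-identity secret (`%prod.azure-auth-api.identity=${IDENTITY_HEADER}` in the properties hunk); document that with `/* Value of IDENTITY_HEADER, sent as x-identity-header to the identity endpoint. Secret: keep it out of logs. */` and note that `%dev.quarkus.rest-client.logging.scope=all` would print the header in dev logs. `VAULT` is still the v2.0 scope `https://vault.azure.net/.default`, whereas the managed-identity endpoint takes a v1-style `resource` (the app ID URI `https://vault.azure.net`); the Azure SDKs strip `/.default` before calling it, so confirm the endpoint accepts the scope form or drop the suffix. `Log.debug("Authenticating to Azure AD.")` no longer describes what happens; `"Requesting Key Vault access token from the managed identity endpoint."` would be accurate.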
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 3cce516d..ed2c07da 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -10,16 +10,10 @@ quarkus.log.console.format=%d{yyyy-MM-dd HH:mm:ss.SSS} [%X{requestId}] [%p] [%c{ %dev.quarkus.log.level=INFO %dev.quarkus.log.category."it.pagopa.swclient.mil.auth".level=DEBUG -%dev.quarkus.log.category."REQ_IN".level=INFO -%dev.quarkus.log.category."RESP_OUT".level=INFO %dev.quarkus.rest-client.logging.scope=all %dev.quarkus.rest-client.logging.body-limit=32768 %dev.quarkus.log.category."org.jboss.resteasy.reactive.client.logging".level=DEBUG -%test.quarkus.rest-client.logging.scope=all -%test.quarkus.rest-client.logging.body-limit=32768 -%test.quarkus.log.category."org.jboss.resteasy.reactive.client.logging".level=DEBUG - %test.quarkus.log.level=ERROR %test.quarkus.log.category."it.pagopa.swclient.mil.auth".level=DEBUG 
@@ -29,71 +23,56 @@ quarkus.log.console.format=%d{yyyy-MM-dd HH:mm:ss.SSS} [%X{requestId}] [%p] [%c{ # ------------------------------------------------------------------------------ # Cryptoperiod of RSA keys in seconds (86400s = 1d) # ------------------------------------------------------------------------------ -%dev.cryptoperiod=86400 -%test.cryptoperiod=86400 +cryptoperiod=86400 %prod.cryptoperiod=${auth.cryptoperiod} # ------------------------------------------------------------------------------ # Key size (modulus) of RSA keys in bits # ------------------------------------------------------------------------------ -%dev.keysize=4096 -%test.keysize=4096 +keysize=4096 %prod.keysize=${auth.keysize} # ------------------------------------------------------------------------------ # Token configuration # ------------------------------------------------------------------------------ -%dev.access.duration=300 -%test.access.duration=300 -%prod.access.duration=${auth.access.duration} +access.duration=300 +refresh.duration=3600 -%dev.refresh.duration=3600 -%test.refresh.duration=3600 +%prod.access.duration=${auth.access.duration} %prod.refresh.duration=${auth.refresh.duration} -# +# ------------------------------------------------------------------------------ # Poynt integration -# +# ------------------------------------------------------------------------------ quarkus.rest-client.poynt-api.url=https://services-eu.poynt.net/ poynt-api.version=1.2 -# +# ------------------------------------------------------------------------------ # Authorization data repository (clients, roles) -# -%dev.quarkus.rest-client.auth-data-repository.url=https://mildconfst.blob.core.windows.net -%test.quarkus.rest-client.auth-data-repository.url=https://mildconfst.blob.core.windows.net +# ------------------------------------------------------------------------------ +quarkus.rest-client.auth-data-repository.url=https://mildconfst.blob.core.windows.net 
%prod.quarkus.rest-client.auth-data-repository.url=${auth.data.url} -# +# ------------------------------------------------------------------------------ # TTL for the authorization data cache -# -%test.quarkus.cache.enabled=false +# ------------------------------------------------------------------------------ quarkus.cache.caffeine.expire-after-write=1h +%test.quarkus.cache.enabled=false -# +# ------------------------------------------------------------------------------ # Azure Auth API -# -quarkus.rest-client.azure-auth-api.url=https://login.microsoftonline.com - -%dev.azure-auth-api.tenant-id=${AZURE_TENANT_ID} -%dev.azure-auth-api.client-id=${AZURE_CLIENT_ID} -%dev.azure-auth-api.client-secret=${AZURE_CLIENT_SECRET} - -%test.azure-auth-api.tenant-id=dummy -%test.azure-auth-api.client-id=dummy -%test.azure-auth-api.client-secret=dummy +# ------------------------------------------------------------------------------ +quarkus.rest-client.azure-auth-api.url=http://dummy +azure-auth-api.identity=dummy -%prod.azure-auth-api.tenant-id=${azure.tenant.id} -%prod.azure-auth-api.client-id=${azure.client.id} -%prod.azure-auth-api.client-secret=${azure.client.secret} +%prod.quarkus.rest-client.azure-auth-api.url=${IDENTITY_ENDPOINT} +%prod.azure-auth-api.identity=${IDENTITY_HEADER} -# +# ------------------------------------------------------------------------------ # Azure Key Vault API -# -%dev.azure-key-vault-api.version=7.4 -%test.azure-key-vault-api.version=7.4 -%prod.azure-key-vault-api.version=${auth.keyvault.api-version} +# ------------------------------------------------------------------------------ +azure-key-vault-api.version=7.4 +quarkus.rest-client.azure-key-vault-api.url=http://dummy -%dev.quarkus.rest-client.azure-key-vault-api.url=https://mil-d-appl-kv.vault.azure.net/ -%test.quarkus.rest-client.azure-key-vault-api.url=https://mil-d-appl-kv.vault.azure.net/ +%prod.azure-key-vault-api.version=${auth.keyvault.api-version} 
%prod.quarkus.rest-client.azure-key-vault-api.url=${auth.keyvault.url} \ No newline at end of file diff --git a/src/test/java/it/pagopa/swclient/mil/auth/azurekeyvault/service/AzureKeyFinderTest.java b/src/test/java/it/pagopa/swclient/mil/auth/azurekeyvault/service/AzureKeyFinderTest.java index 244bc4c8..76f7ce43 100644 --- a/src/test/java/it/pagopa/swclient/mil/auth/azurekeyvault/service/AzureKeyFinderTest.java +++ b/src/test/java/it/pagopa/swclient/mil/auth/azurekeyvault/service/AzureKeyFinderTest.java @@ -15,6 +15,7 @@ import java.util.List; import java.util.Optional; +import org.eclipse.microprofile.config.inject.ConfigProperty; import org.eclipse.microprofile.rest.client.inject.RestClient; import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; @@ -83,29 +84,40 @@ class AzureKeyFinderTest { /* * */ - private static final String KEY_URL = "https://mil-d-appl-kv.vault.azure.net/keys/"; + @ConfigProperty(name = "quarkus.rest-client.azure-key-vault-api.url") + String vaultBaseUrl; + + /* + * + */ + private String keyUrl; + /* * */ private static final String AZURE_ACCESS_TOKEN = "this_is_the_token"; private static final String AUTHORIZATION_HDR_VALUE = "Bearer " + AZURE_ACCESS_TOKEN; + /* * */ @InjectMock @RestClient AzureAuthClient authClient; + /* * */ @InjectMock @RestClient AzureKeyVaultClient keyVaultClient; + /* * */ @Inject AzureKeyFinder azureKeyFinder; + /* * */ @@ -172,6 +184,8 @@ class AzureKeyFinderTest { */ @BeforeAll void setup() { + keyUrl = vaultBaseUrl + (vaultBaseUrl.endsWith("/") ? "keys/" : "/keys/"); + now = Instant.now().getEpochSecond(); /* @@ -202,7 +216,7 @@ void setup() { Boolean.FALSE)); keyWithValidKid1 = new BasicKey( - KEY_URL + K1, + keyUrl + K1, new KeyAttributes( now - 300, now + 600, @@ -214,7 +228,7 @@ void setup() { Boolean.FALSE)); keyWithValidKid2 = new BasicKey( - KEY_URL + K2, + keyUrl + K2, new KeyAttributes( now - 300, now + 300, 
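Review bot: The Azure Auth and Key Vault client URLs now default to `http://dummy` and `azure-auth-api.identity=dummy` for every profile except `prod`, where the removed `%dev` entries pointed at the real vault with a client secret; that is fine for tests, but the `dev` profile no longer has a working configuration and any further profile (a staging one, say) would silently call a plain-HTTP placeholder. A comment above those lines would make the intent explicit: `# Placeholders for test/dev; prod values come from the App Service identity endpoint (IDENTITY_ENDPOINT / IDENTITY_HEADER).` Since `%prod.quarkus.rest-client.azure-auth-api.url=${IDENTITY_ENDPOINT}` has no default, a prod start without the platform-provided variable fails at config expansion rather than talking to the placeholder, which is the right behaviour; the same holds for `${auth.keyvault.url}` and the other `%prod` expansions in this hunk.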
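Review bot: `keyUrl = vaultBaseUrl + (vaultBaseUrl.endsWith("/") ? "keys/" : "/keys/");` in `setup()` is repeated verbatim in RefreshTokensResourceTest and TokenByClientSecretResourceTest (and presumably in the two other resource tests listed in the diffstat); a shared test helper such as `static String keyUrl(String vaultBaseUrl)` would keep the copies from drifting. `keyUrl` is an instance field initialised in a non-static `@BeforeAll`, which only works under `@TestInstance(Lifecycle.PER_CLASS)`; that annotation is outside this hunk, so a comment on the field, `/* Built in setup() from the injected vault URL; relies on PER_CLASS test lifecycle. */`, would save the next reader the check. The empty comment blocks added above `vaultBaseUrl` and `keyUrl` are the natural place for it.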
@@ -226,7 +240,7 @@ void setup() { Boolean.FALSE)); keyWithValidKidWithoutVersions = new BasicKey( - KEY_URL + K3, + keyUrl + K3, new KeyAttributes( now - 300, now + 300, @@ -238,7 +252,7 @@ void setup() { Boolean.FALSE)); keyBelogingToAnotherDomain = new BasicKey( - KEY_URL + K5, + keyUrl + K5, new KeyAttributes( now - 300, now + 300, @@ -250,7 +264,7 @@ void setup() { Boolean.FALSE)); keyWithoutDetails = new BasicKey( - KEY_URL + K6, + keyUrl + K6, new KeyAttributes( now - 300, now + 300, @@ -267,11 +281,11 @@ void setup() { nullVersionK1V1 = null; versionWithNullAttributesK2V1 = new BasicKey( - KEY_URL + K2 + "/" + K2_V1, + keyUrl + K2 + "/" + K2_V1, null); versionWithNullEnabledAttributeK1V2 = new BasicKey( - KEY_URL + K1 + "/" + K1_V2, + keyUrl + K1 + "/" + K1_V2, new KeyAttributes( now - 300, now + 300, @@ -283,7 +297,7 @@ void setup() { Boolean.FALSE)); versionWithFalseEnabledAttributeK2V2 = new BasicKey( - KEY_URL + K2 + "/" + K2_V2, + keyUrl + K2 + "/" + K2_V2, new KeyAttributes( now - 300, now + 300, @@ -295,7 +309,7 @@ void setup() { Boolean.FALSE)); versionWithNullCreationTimestampAttributeK1V3 = new BasicKey( - KEY_URL + K1 + "/" + K1_V3, + keyUrl + K1 + "/" + K1_V3, new KeyAttributes( null, now + 300, @@ -307,7 +321,7 @@ void setup() { Boolean.FALSE)); versionWithNotCoherentCreationTimestampAttributeK2V3 = new BasicKey( - KEY_URL + K2 + "/" + K2_V3, + keyUrl + K2 + "/" + K2_V3, new KeyAttributes( now + 300, now + 300, @@ -319,7 +333,7 @@ void setup() { Boolean.FALSE)); versionWithNullExpiredTimestampAttributeK1V4 = new BasicKey( - KEY_URL + K1 + "/" + K1_V4, + keyUrl + K1 + "/" + K1_V4, new KeyAttributes( now - 300, null, @@ -331,7 +345,7 @@ void setup() { Boolean.FALSE)); expiredVersionK2V4 = new BasicKey( - KEY_URL + K2 + "/" + K2_V4, + keyUrl + K2 + "/" + K2_V4, new KeyAttributes( now - 300, now - 100, 
@@ -343,7 +357,7 @@ void setup() { Boolean.FALSE)); versionWithNullNotBeforeAttributeK1V5 = new BasicKey( - KEY_URL + K1 + "/" + K1_V5, + keyUrl + K1 + "/" + K1_V5, new KeyAttributes( now - 300, now + 300, @@ -355,7 +369,7 @@ void setup() { Boolean.FALSE)); versionWithUnmetNotBeforeAttributeK2V5 = new BasicKey( - KEY_URL + K2 + "/" + K2_V5, + keyUrl + K2 + "/" + K2_V5, new KeyAttributes( now - 300, now + 300, @@ -391,7 +405,7 @@ void setup() { Boolean.FALSE)); versionWithNullDetailsK1V7 = new BasicKey( - KEY_URL + K1 + "/" + K1_V7, + keyUrl + K1 + "/" + K1_V7, new KeyAttributes( now - 300, now + 300, @@ -403,7 +417,7 @@ void setup() { Boolean.FALSE)); versionWithExpiredDetailsK2V7 = new BasicKey( - KEY_URL + K2 + "/" + K2_V7, + keyUrl + K2 + "/" + K2_V7, new KeyAttributes( now - 300, now + 300, @@ -415,7 +429,7 @@ void setup() { Boolean.FALSE)); versionWithDetailsWithNoRsaKeyTypeK1V8 = new BasicKey( - KEY_URL + K1 + "/" + K1_V8, + keyUrl + K1 + "/" + K1_V8, new KeyAttributes( now - 300, now + 300, @@ -427,7 +441,7 @@ void setup() { Boolean.FALSE)); versionWithDetailsWithNullOpsK2V8 = new BasicKey( - KEY_URL + K2 + "/" + K2_V8, + keyUrl + K2 + "/" + K2_V8, new KeyAttributes( now - 300, now + 300, @@ -439,7 +453,7 @@ void setup() { Boolean.FALSE)); versionWithDetailsWithoutSignOpK1V9 = new BasicKey( - KEY_URL + K1 + "/" + K1_V9, + keyUrl + K1 + "/" + K1_V9, new KeyAttributes( now - 300, now + 300, @@ -451,7 +465,7 @@ void setup() { Boolean.FALSE)); versionWithDetailsWithoutVerifyOpK2V9 = new BasicKey( - KEY_URL + K2 + "/" + K2_V9, + keyUrl + K2 + "/" + K2_V9, new KeyAttributes( now - 300, now + 300, @@ -463,7 +477,7 @@ void setup() { Boolean.FALSE)); versionWithDetailsWithoutSignAndVerifyOpK1V10 = new BasicKey( - KEY_URL + K1 + "/" + K1_V10, + keyUrl + K1 + "/" + K1_V10, new KeyAttributes( now - 300, now + 300, 
@@ -475,7 +489,7 @@ void setup() { Boolean.FALSE)); versionWithValidDetailsK2V10 = new BasicKey( - KEY_URL + K2 + "/" + K2_V10, + keyUrl + K2 + "/" + K2_V10, new KeyAttributes( now - 300, now + 300, @@ -487,7 +501,7 @@ void setup() { Boolean.FALSE)); versionWithValidDetailsWithGreatestExpirationK1V11 = new BasicKey( - KEY_URL + K1 + "/" + K1_V11, + keyUrl + K1 + "/" + K1_V11, new KeyAttributes( now - 300, now + 600, @@ -499,7 +513,7 @@ void setup() { Boolean.FALSE)); versionWith500OnGetKeyK1V12 = new BasicKey( - KEY_URL + K1 + "/" + K1_V12, + keyUrl + K1 + "/" + K1_V12, new KeyAttributes( now - 300, now + 300, @@ -511,7 +525,7 @@ void setup() { Boolean.FALSE)); versionWith500OnGetKeyK1V12 = new BasicKey( - KEY_URL + K1 + "/" + K1_V12, + keyUrl + K1 + "/" + K1_V12, new KeyAttributes( now - 300, now + 300, @@ -523,7 +537,7 @@ void setup() { Boolean.FALSE)); versionWithoutDetailsK6V1 = new BasicKey( - KEY_URL + K6 + "/" + K6_V1, + keyUrl + K6 + "/" + K6_V1, new KeyAttributes( now - 300, now + 300, @@ -539,7 +553,7 @@ void setup() { */ expiredDetailsK2V7 = new DetailedKey( new KeyDetails( - KEY_URL + K2 + "/" + K2_V7, + keyUrl + K2 + "/" + K2_V7, "RSA", new String[] { "sign", "verify" @@ -558,7 +572,7 @@ void setup() { detailsWithNoRsaKeyTypeK1V8 = new DetailedKey( new KeyDetails( - KEY_URL + K1 + "/" + K1_V8, + keyUrl + K1 + "/" + K1_V8, "non-RSA", new String[] { "sign", "verify" @@ -577,7 +591,7 @@ void setup() { detailsWithNullOpsK2V8 = new DetailedKey( new KeyDetails( - KEY_URL + K2 + "/" + K2_V8, + keyUrl + K2 + "/" + K2_V8, "RSA", null, "this_is_the_modulus", @@ -594,7 +608,7 @@ void setup() { detailsWithoutSignOpK1V9 = new DetailedKey( new KeyDetails( - KEY_URL + K1 + "/" + K1_V9, + keyUrl + K1 + "/" + K1_V9, "RSA", new String[] { "verify" @@ -613,7 +627,7 @@ void setup() { detailsWithoutVerifyOpK2V9 = new DetailedKey( new KeyDetails( - KEY_URL + K2 + "/" + K2_V9, + keyUrl + K2 + "/" + K2_V9, "RSA", new String[] { "sign" 
@@ -632,7 +646,7 @@ void setup() { detailsWithoutSignAndVerifyOpK1V10 = new DetailedKey( new KeyDetails( - KEY_URL + K1 + "/" + K1_V10, + keyUrl + K1 + "/" + K1_V10, "RSA", new String[] {}, "this_is_the_modulus", @@ -649,7 +663,7 @@ void setup() { validDetailsK2V10 = new DetailedKey( new KeyDetails( - KEY_URL + K2 + "/" + K2_V10, + keyUrl + K2 + "/" + K2_V10, "RSA", new String[] { "verify", "sign" @@ -668,7 +682,7 @@ void setup() { validDetailsWithGreatestExpirationK1V11 = new DetailedKey( new KeyDetails( - KEY_URL + K1 + "/" + K1_V11, + keyUrl + K1 + "/" + K1_V11, "RSA", new String[] { "verify", "sign" @@ -721,8 +735,8 @@ void setup() { * */ private void mostCommonSetup() { - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", 3599, 3599, AZURE_ACCESS_TOKEN))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", now + 3599, "", "", AZURE_ACCESS_TOKEN))); when(keyVaultClient.getKeys(AUTHORIZATION_HDR_VALUE)) .thenReturn(Uni.createFrom().item(new GetKeysResponse(new BasicKey[] { @@ -814,8 +828,8 @@ void testFindPublicKeysWithNullAccessToken() { /* * Setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", 3599, 3599, null))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", now + 3599, "", "", null))); /* * Test. 
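Review bot: `new GetAccessTokenResponse("Bearer", now + 3599, "", "", AZURE_ACCESS_TOKEN)` is stubbed identically in `mostCommonSetup()`, `testFindPublicKeysWith401OnGetKeys()` and the five `testFindValidPublicKeyWithGreatestExpirationWithNoKeys…` tests, and the same shape recurs in AzureTokenSignerTest with `now.getEpochSecond() + 3599`. A private helper, `private GetAccessTokenResponse accessToken(String token) { return new GetAccessTokenResponse("Bearer", now + 3599, "", "", token); }`, would keep the positional five-argument constructor call in one place; the null-token variant in `testFindPublicKeysWithNullAccessToken()` shows the token is the only value that varies. The empty strings passed for `clientId` and `resource` are acceptable for mocks, but a short comment at the helper saying so would stop them being copied as real values.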
@@ -834,7 +848,7 @@ void testFindPublicKeysWith401OnGetAccessToken() { /* * Setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) + when(authClient.getAccessToken(anyString(), anyString())) .thenReturn(Uni.createFrom().failure(new WebApplicationException(Response.status(Status.UNAUTHORIZED).build()))); /* @@ -932,8 +946,8 @@ void testFindPublicKeysWith401OnGetKeys() { /* * Setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", 3599, 3599, AZURE_ACCESS_TOKEN))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", now + 3599, "", "", AZURE_ACCESS_TOKEN))); when(keyVaultClient.getKeys(AUTHORIZATION_HDR_VALUE)) .thenReturn(Uni.createFrom().failure(new WebApplicationException(Response.status(Status.UNAUTHORIZED).build()))); @@ -991,7 +1005,7 @@ void testFindValidPublicKeyWithGreatestExpiration2() { DetailedKey validDetails1 = new DetailedKey( new KeyDetails( - KEY_URL + K1 + "/" + K1_V11, + keyUrl + K1 + "/" + K1_V11, "RSA", new String[] { "verify", "sign" @@ -1010,7 +1024,7 @@ void testFindValidPublicKeyWithGreatestExpiration2() { DetailedKey validDetails2 = new DetailedKey( new KeyDetails( - KEY_URL + K2 + "/" + K2_V10, + keyUrl + K2 + "/" + K2_V10, "RSA", new String[] { "verify", "sign" @@ -1067,7 +1081,7 @@ void testFindValidPublicKeyWithGreatestExpiration3() { DetailedKey validDetails1 = new DetailedKey( new KeyDetails( - KEY_URL + K1 + "/" + K1_V11, + keyUrl + K1 + "/" + K1_V11, "RSA", new String[] { "verify", "sign" @@ -1086,7 +1100,7 @@ void testFindValidPublicKeyWithGreatestExpiration3() { DetailedKey validDetails2 = new DetailedKey( new KeyDetails( - KEY_URL + K2 + "/" + K2_V10, + keyUrl + K2 + "/" + K2_V10, "RSA", new String[] { "verify", "sign" 
@@ -1139,8 +1153,8 @@ void testFindValidPublicKeyWithGreatestExpirationWithNoKeys() { /* * Setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", 3599, 3599, AZURE_ACCESS_TOKEN))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", now + 3599, "", "", AZURE_ACCESS_TOKEN))); when(keyVaultClient.getKeys(AUTHORIZATION_HDR_VALUE)) .thenReturn(Uni.createFrom().item(new GetKeysResponse(new BasicKey[]{}))); @@ -1165,8 +1179,8 @@ void testFindValidPublicKeyWithGreatestExpirationWithNoKeysAndExpiredKeyIsCreate /* * Setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", 3599, 3599, AZURE_ACCESS_TOKEN))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", now + 3599, "", "", AZURE_ACCESS_TOKEN))); when(keyVaultClient.getKeys(AUTHORIZATION_HDR_VALUE)) .thenReturn(Uni.createFrom().item(new GetKeysResponse(new BasicKey[]{}))); @@ -1191,8 +1205,8 @@ void testFindValidPublicKeyWithGreatestExpirationWithNoKeysAndNonRsaKeyIsCreated /* * Setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", 3599, 3599, AZURE_ACCESS_TOKEN))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", now + 3599, "", "", AZURE_ACCESS_TOKEN))); when(keyVaultClient.getKeys(AUTHORIZATION_HDR_VALUE)) .thenReturn(Uni.createFrom().item(new GetKeysResponse(new BasicKey[]{}))); 
@@ -1217,8 +1231,8 @@ void testFindValidPublicKeyWithGreatestExpirationWithNoKeysAndKeyWithBadKidIsCre /* * Setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", 3599, 3599, AZURE_ACCESS_TOKEN))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", now + 3599, "", "", AZURE_ACCESS_TOKEN))); when(keyVaultClient.getKeys(AUTHORIZATION_HDR_VALUE)) .thenReturn(Uni.createFrom().item(new GetKeysResponse(new BasicKey[]{}))); @@ -1243,8 +1257,8 @@ void testFindValidPublicKeyWithGreatestExpirationWithNoKeysAndErrorOnCreation() /* * Setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", 3599, 3599, AZURE_ACCESS_TOKEN))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", now + 3599, "", "", AZURE_ACCESS_TOKEN))); when(keyVaultClient.getKeys(AUTHORIZATION_HDR_VALUE)) .thenReturn(Uni.createFrom().item(new GetKeysResponse(new BasicKey[]{}))); diff --git a/src/test/java/it/pagopa/swclient/mil/auth/azurekeyvault/service/AzureTokenSignerTest.java b/src/test/java/it/pagopa/swclient/mil/auth/azurekeyvault/service/AzureTokenSignerTest.java index 9408d8c4..15070a8a 100644 --- a/src/test/java/it/pagopa/swclient/mil/auth/azurekeyvault/service/AzureTokenSignerTest.java +++ b/src/test/java/it/pagopa/swclient/mil/auth/azurekeyvault/service/AzureTokenSignerTest.java 
@@ -369,8 +369,8 @@ void testVerify() throws JOSEException { /* * Setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", 3599, 3599, "this_is_the_token"))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", now.getEpochSecond() + 3599, "", "", "this_is_the_token"))); when(keyVaultClient.verifySignature(anyString(), eq(KEY_NAME), eq(KEY_VERSION), any(VerifySignatureRequest.class))) .thenReturn(Uni.createFrom().item(new VerifySignatureResponse(Boolean.TRUE))); @@ -417,8 +417,8 @@ void testVerifyWithFailedVerification() throws JOSEException { /* * Setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", 3599, 3599, "this_is_the_token"))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", now.getEpochSecond() + 3599, "", "", "this_is_the_token"))); when(keyVaultClient.verifySignature(anyString(), eq(KEY_NAME), eq(KEY_VERSION), any(VerifySignatureRequest.class))) .thenReturn(Uni.createFrom().item(new VerifySignatureResponse(Boolean.FALSE))); 
@@ -464,8 +464,8 @@ void testVerifyWithNullAccessToken() throws JOSEException { /* * Setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", 3599, 3599, null))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", now.getEpochSecond() + 3599, "", "", null))); when(keyVaultClient.verifySignature(anyString(), eq(KEY_NAME), eq(KEY_VERSION), any(VerifySignatureRequest.class))) .thenReturn(Uni.createFrom().item(new VerifySignatureResponse(Boolean.TRUE))); @@ -511,8 +511,8 @@ void testVerifyWithNoSuchAlgorithmException() throws JOSEException { /* * Setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", 3599, 3599, "this_is_the_token"))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(Uni.createFrom().item(new GetAccessTokenResponse("Bearer", now.getEpochSecond() + 3599, "", "", "this_is_the_token"))); when(keyVaultClient.verifySignature(anyString(), eq(KEY_NAME), eq(KEY_VERSION), any(VerifySignatureRequest.class))) .thenReturn(Uni.createFrom().item(new VerifySignatureResponse(Boolean.TRUE))); diff --git a/src/test/java/it/pagopa/swclient/mil/auth/resource/RefreshTokensResourceTest.java b/src/test/java/it/pagopa/swclient/mil/auth/resource/RefreshTokensResourceTest.java index 29eaca2f..2d8a1da5 100644 --- a/src/test/java/it/pagopa/swclient/mil/auth/resource/RefreshTokensResourceTest.java +++ b/src/test/java/it/pagopa/swclient/mil/auth/resource/RefreshTokensResourceTest.java 
@@ -25,7 +25,9 @@ import java.util.Date; import java.util.List; +import org.eclipse.microprofile.config.inject.ConfigProperty; import org.eclipse.microprofile.rest.client.inject.RestClient; +import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.TestInstance; @@ -100,7 +102,17 @@ class RefreshTokensResourceTest { /* * */ - private static final String KEY_URL = "https://mil-d-appl-kv.vault.azure.net/keys/"; + @ConfigProperty(name = "quarkus.rest-client.azure-key-vault-api.url") + String vaultBaseUrl; + + /* + * + */ + private String keyUrl; + + /* + * + */ private static final String KEY_NAME = "auth0709643f49394529b92c19a68c8e184a"; private static final String KEY_VERSION = "6581c704deda4979943c3b34468df7c2"; private static final String KID = KEY_NAME + "/" + KEY_VERSION; @@ -135,6 +147,14 @@ class RefreshTokensResourceTest { @RestClient AzureAuthClient authClient; + /** + * + */ + @BeforeAll + void setup() { + keyUrl = vaultBaseUrl + (vaultBaseUrl.endsWith("/") ? "keys/" : "/keys/"); + } + @Test void testOk() throws InvalidKeySpecException, NoSuchAlgorithmException, JOSEException { /* @@ -152,8 +172,8 @@ void testOk() throws InvalidKeySpecException, NoSuchAlgorithmException, JOSEExce /* * Azure auth. client setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(UniGenerator.item(new GetAccessTokenResponse(TokenType.BEARER, AZURE_TOKEN_DURATION, AZURE_TOKEN_DURATION, AZURE_TOKEN))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(UniGenerator.item(new GetAccessTokenResponse(TokenType.BEARER, Instant.now().getEpochSecond() + AZURE_TOKEN_DURATION, "", "", AZURE_TOKEN))); /* * Azure key vault setup. 
@@ -163,16 +183,16 @@ void testOk() throws InvalidKeySpecException, NoSuchAlgorithmException, JOSEExce when(keyVaultClient.getKeys(AUTHORIZATION_HDR_VALUE)) .thenReturn(UniGenerator.item(new GetKeysResponse(new BasicKey[]{ - new BasicKey(KEY_URL + KEY_NAME, keyAttributes) + new BasicKey(keyUrl + KEY_NAME, keyAttributes) }))); when(keyVaultClient.getKeyVersions(AUTHORIZATION_HDR_VALUE, KEY_NAME)) .thenReturn(UniGenerator.item(new GetKeysResponse(new BasicKey[]{ - new BasicKey(KEY_URL + KEY_NAME + "/" + KEY_VERSION, keyAttributes) + new BasicKey(keyUrl + KEY_NAME + "/" + KEY_VERSION, keyAttributes) }))); when(keyVaultClient.getKey(AUTHORIZATION_HDR_VALUE, KEY_NAME, KEY_VERSION)) - .thenReturn(UniGenerator.item(new DetailedKey(new KeyDetails(KEY_URL + KEY_NAME + "/" + KEY_VERSION, KEY_TYPE, KEY_OPS, MODULUS, PUBLIC_EXPONENT), keyAttributes))); + .thenReturn(UniGenerator.item(new DetailedKey(new KeyDetails(keyUrl + KEY_NAME + "/" + KEY_VERSION, KEY_TYPE, KEY_OPS, MODULUS, PUBLIC_EXPONENT), keyAttributes))); when(keyVaultClient.sign(eq(AUTHORIZATION_HDR_VALUE), eq(KEY_NAME), eq(KEY_VERSION), any(SignRequest.class))) .thenReturn(UniGenerator.item(new SignResponse(KID, EXPECTED_SIGNATURE))); diff --git a/src/test/java/it/pagopa/swclient/mil/auth/resource/TokenByClientSecretResourceTest.java b/src/test/java/it/pagopa/swclient/mil/auth/resource/TokenByClientSecretResourceTest.java index 4c75f799..e088c0a2 100644 --- a/src/test/java/it/pagopa/swclient/mil/auth/resource/TokenByClientSecretResourceTest.java +++ b/src/test/java/it/pagopa/swclient/mil/auth/resource/TokenByClientSecretResourceTest.java @@ -18,7 +18,9 @@ import java.time.Instant; import java.util.List; +import org.eclipse.microprofile.config.inject.ConfigProperty; import org.eclipse.microprofile.rest.client.inject.RestClient; +import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.TestInstance; 
@@ -85,7 +87,17 @@ class TokenByClientSecretResourceTest { /* * */ - private static final String KEY_URL = "https://mil-d-appl-kv.vault.azure.net/keys/"; + @ConfigProperty(name = "quarkus.rest-client.azure-key-vault-api.url") + String vaultBaseUrl; + + /* + * + */ + private String keyUrl; + + /* + * + */ private static final String KEY_NAME = "auth0709643f49394529b92c19a68c8e184a"; private static final String KEY_VERSION = "6581c704deda4979943c3b34468df7c2"; private static final String KID = KEY_NAME + "/" + KEY_VERSION; @@ -119,6 +131,14 @@ class TokenByClientSecretResourceTest { @RestClient AzureAuthClient authClient; + /** + * + */ + @BeforeAll + void setup() { + keyUrl = vaultBaseUrl + (vaultBaseUrl.endsWith("/") ? "keys/" : "/keys/"); + } + @Test void testOk() { /* @@ -136,8 +156,8 @@ void testOk() { /* * Azure auth. client setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(UniGenerator.item(new GetAccessTokenResponse(JsonPropertyName.TOKEN_TYPE, AZURE_TOKEN_DURATION, AZURE_TOKEN_DURATION, AZURE_TOKEN))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(UniGenerator.item(new GetAccessTokenResponse(TokenType.BEARER, Instant.now().getEpochSecond() + AZURE_TOKEN_DURATION, "", "", AZURE_TOKEN))); /* * Azure key vault setup. 
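Review bot: The `testOk` stub in the last hunk now passes `TokenType.BEARER` as the token type, while `testOkForAtm`, `testOkForPortal`, `test401OnGetKeys`, `test401WithNullAccessToken`, `testExpiredKeyOnKeyCreation` and `testErrorOnKeyCreation` in the same file keep `JsonPropertyName.TOKEN_TYPE`, and TokenByPasswordResourceTest.testOk moves in the opposite direction, from `TokenType.BEARER` to `JsonPropertyName.TOKEN_TYPE`. If, as the name suggests, `JsonPropertyName.TOKEN_TYPE` is the JSON field name rather than the `Bearer` value, those stubs feed a token type no real endpoint would return, and any future check of that field in the service would be exercised only by the one test that happens to use `TokenType.BEARER`. Using `TokenType.BEARER` in every stub, for example `new GetAccessTokenResponse(TokenType.BEARER, Instant.now().getEpochSecond() + AZURE_TOKEN_DURATION, "", "", AZURE_TOKEN)`, keeps the fixtures consistent and realistic.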
@@ -146,17 +166,17 @@ void testOk() { KeyAttributes keyAttributes = new KeyAttributes(now - 300, now + 600, now - 300, now - 300, Boolean.TRUE, KEY_RECOVERY_LEVEL, 0, Boolean.FALSE); when(keyVaultClient.getKeys(AUTHORIZATION_HDR_VALUE)) - .thenReturn(UniGenerator.item(new GetKeysResponse(new BasicKey[]{ - new BasicKey(KEY_URL + KEY_NAME, keyAttributes) + .thenReturn(UniGenerator.item(new GetKeysResponse(new BasicKey[] { + new BasicKey(keyUrl + KEY_NAME, keyAttributes) }))); when(keyVaultClient.getKeyVersions(AUTHORIZATION_HDR_VALUE, KEY_NAME)) .thenReturn(UniGenerator.item(new GetKeysResponse(new BasicKey[]{ - new BasicKey(KEY_URL + KEY_NAME + "/" + KEY_VERSION, keyAttributes) + new BasicKey(keyUrl + KEY_NAME + "/" + KEY_VERSION, keyAttributes) }))); when(keyVaultClient.getKey(AUTHORIZATION_HDR_VALUE, KEY_NAME, KEY_VERSION)) - .thenReturn(UniGenerator.item(new DetailedKey(new KeyDetails(KEY_URL + KEY_NAME + "/" + KEY_VERSION, KEY_TYPE, KEY_OPS, MODULUS, PUBLIC_EXPONENT), keyAttributes))); + .thenReturn(UniGenerator.item(new DetailedKey(new KeyDetails(keyUrl + KEY_NAME + "/" + KEY_VERSION, KEY_TYPE, KEY_OPS, MODULUS, PUBLIC_EXPONENT), keyAttributes))); when(keyVaultClient.sign(eq(AUTHORIZATION_HDR_VALUE), eq(KEY_NAME), eq(KEY_VERSION), any(SignRequest.class))) .thenReturn(UniGenerator.item(new SignResponse(KID, EXPECTED_SIGNATURE))); @@ -204,8 +224,8 @@ void testOkForAtm() { /* * Azure auth. client setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(UniGenerator.item(new GetAccessTokenResponse(JsonPropertyName.TOKEN_TYPE, AZURE_TOKEN_DURATION, AZURE_TOKEN_DURATION, AZURE_TOKEN))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(UniGenerator.item(new GetAccessTokenResponse(JsonPropertyName.TOKEN_TYPE, Instant.now().getEpochSecond() + AZURE_TOKEN_DURATION, "", "", AZURE_TOKEN))); /* * Azure key vault setup. 
@@ -215,16 +235,16 @@ void testOkForAtm() { when(keyVaultClient.getKeys(AUTHORIZATION_HDR_VALUE)) .thenReturn(UniGenerator.item(new GetKeysResponse(new BasicKey[]{ - new BasicKey(KEY_URL + KEY_NAME, keyAttributes) + new BasicKey(keyUrl + KEY_NAME, keyAttributes) }))); when(keyVaultClient.getKeyVersions(AUTHORIZATION_HDR_VALUE, KEY_NAME)) .thenReturn(UniGenerator.item(new GetKeysResponse(new BasicKey[]{ - new BasicKey(KEY_URL + KEY_NAME + "/" + KEY_VERSION, keyAttributes) + new BasicKey(keyUrl + KEY_NAME + "/" + KEY_VERSION, keyAttributes) }))); when(keyVaultClient.getKey(AUTHORIZATION_HDR_VALUE, KEY_NAME, KEY_VERSION)) - .thenReturn(UniGenerator.item(new DetailedKey(new KeyDetails(KEY_URL + KEY_NAME + "/" + KEY_VERSION, KEY_TYPE, KEY_OPS, MODULUS, PUBLIC_EXPONENT), keyAttributes))); + .thenReturn(UniGenerator.item(new DetailedKey(new KeyDetails(keyUrl + KEY_NAME + "/" + KEY_VERSION, KEY_TYPE, KEY_OPS, MODULUS, PUBLIC_EXPONENT), keyAttributes))); when(keyVaultClient.sign(eq(AUTHORIZATION_HDR_VALUE), eq(KEY_NAME), eq(KEY_VERSION), any(SignRequest.class))) .thenReturn(UniGenerator.item(new SignResponse(KID, EXPECTED_SIGNATURE))); @@ -271,8 +291,8 @@ void testOkForPortal() { /* * Azure auth. client setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(UniGenerator.item(new GetAccessTokenResponse(JsonPropertyName.TOKEN_TYPE, AZURE_TOKEN_DURATION, AZURE_TOKEN_DURATION, AZURE_TOKEN))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(UniGenerator.item(new GetAccessTokenResponse(JsonPropertyName.TOKEN_TYPE, Instant.now().getEpochSecond() + AZURE_TOKEN_DURATION, "", "", AZURE_TOKEN))); /* * Azure key vault setup. 
@@ -282,16 +302,16 @@ void testOkForPortal() { when(keyVaultClient.getKeys(AUTHORIZATION_HDR_VALUE)) .thenReturn(UniGenerator.item(new GetKeysResponse(new BasicKey[]{ - new BasicKey(KEY_URL + KEY_NAME, keyAttributes) + new BasicKey(keyUrl + KEY_NAME, keyAttributes) }))); when(keyVaultClient.getKeyVersions(AUTHORIZATION_HDR_VALUE, KEY_NAME)) .thenReturn(UniGenerator.item(new GetKeysResponse(new BasicKey[]{ - new BasicKey(KEY_URL + KEY_NAME + "/" + KEY_VERSION, keyAttributes) + new BasicKey(keyUrl + KEY_NAME + "/" + KEY_VERSION, keyAttributes) }))); when(keyVaultClient.getKey(AUTHORIZATION_HDR_VALUE, KEY_NAME, KEY_VERSION)) - .thenReturn(UniGenerator.item(new DetailedKey(new KeyDetails(KEY_URL + KEY_NAME + "/" + KEY_VERSION, KEY_TYPE, KEY_OPS, MODULUS, PUBLIC_EXPONENT), keyAttributes))); + .thenReturn(UniGenerator.item(new DetailedKey(new KeyDetails(keyUrl + KEY_NAME + "/" + KEY_VERSION, KEY_TYPE, KEY_OPS, MODULUS, PUBLIC_EXPONENT), keyAttributes))); when(keyVaultClient.sign(eq(AUTHORIZATION_HDR_VALUE), eq(KEY_NAME), eq(KEY_VERSION), any(SignRequest.class))) .thenReturn(UniGenerator.item(new SignResponse(KID, EXPECTED_SIGNATURE))); @@ -575,7 +595,7 @@ void test401OnGetAccessToken() { /* * Azure auth. client setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) + when(authClient.getAccessToken(anyString(), anyString())) .thenReturn(Uni.createFrom().failure(new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).build()))); /* 
@@ -618,14 +638,14 @@ void test401OnGetKeys() { /* * Azure auth. client setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(UniGenerator.item(new GetAccessTokenResponse(JsonPropertyName.TOKEN_TYPE, AZURE_TOKEN_DURATION, AZURE_TOKEN_DURATION, AZURE_TOKEN))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(UniGenerator.item(new GetAccessTokenResponse(JsonPropertyName.TOKEN_TYPE, Instant.now().getEpochSecond() + AZURE_TOKEN_DURATION, "", "", AZURE_TOKEN))); /* * Azure key vault setup. */ when(keyVaultClient.getKeys(AUTHORIZATION_HDR_VALUE)) - .thenReturn(Uni.createFrom().failure(new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).build()))); + .thenReturn(Uni.createFrom().failure(new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED).build()))); /* * Test. @@ -667,8 +687,8 @@ void test401WithNullAccessToken() { /* * Azure auth. client setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(UniGenerator.item(new GetAccessTokenResponse(JsonPropertyName.TOKEN_TYPE, AZURE_TOKEN_DURATION, AZURE_TOKEN_DURATION, null))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(UniGenerator.item(new GetAccessTokenResponse(JsonPropertyName.TOKEN_TYPE, Instant.now().getEpochSecond() + AZURE_TOKEN_DURATION, "", "", null))); /* * Test. 
@@ -710,8 +730,8 @@ void testExpiredKeyOnKeyCreation() { /* * Azure auth. client setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(UniGenerator.item(new GetAccessTokenResponse(JsonPropertyName.TOKEN_TYPE, AZURE_TOKEN_DURATION, AZURE_TOKEN_DURATION, AZURE_TOKEN))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(UniGenerator.item(new GetAccessTokenResponse(JsonPropertyName.TOKEN_TYPE, Instant.now().getEpochSecond() + AZURE_TOKEN_DURATION, "", "", AZURE_TOKEN))); /* * Azure key vault setup. @@ -721,7 +741,7 @@ void testExpiredKeyOnKeyCreation() { long now = Instant.now().getEpochSecond(); when(keyVaultClient.createKey(eq(AUTHORIZATION_HDR_VALUE), anyString(), any(CreateKeyRequest.class))) - .thenReturn(Uni.createFrom().item(new DetailedKey(new KeyDetails(KEY_URL + KEY_NAME + "/" + KEY_VERSION, KEY_TYPE, KEY_OPS, MODULUS, PUBLIC_EXPONENT), new KeyAttributes(now - 300, now - 100, now - 300, now - 300, Boolean.TRUE, KEY_RECOVERY_LEVEL, 0, Boolean.FALSE)))); + .thenReturn(Uni.createFrom().item(new DetailedKey(new KeyDetails(keyUrl + KEY_NAME + "/" + KEY_VERSION, KEY_TYPE, KEY_OPS, MODULUS, PUBLIC_EXPONENT), new KeyAttributes(now - 300, now - 100, now - 300, now - 300, Boolean.TRUE, KEY_RECOVERY_LEVEL, 0, Boolean.FALSE)))); /* * Test. @@ -763,8 +783,8 @@ void testErrorOnKeyCreation() { /* * Azure auth. client setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(UniGenerator.item(new GetAccessTokenResponse(JsonPropertyName.TOKEN_TYPE, AZURE_TOKEN_DURATION, AZURE_TOKEN_DURATION, AZURE_TOKEN))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(UniGenerator.item(new GetAccessTokenResponse(JsonPropertyName.TOKEN_TYPE, Instant.now().getEpochSecond() + AZURE_TOKEN_DURATION, "", "", AZURE_TOKEN))); /* * Azure key vault setup. 
diff --git a/src/test/java/it/pagopa/swclient/mil/auth/resource/TokenByPasswordResourceTest.java b/src/test/java/it/pagopa/swclient/mil/auth/resource/TokenByPasswordResourceTest.java index 4851aa4e..71c8559f 100644 --- a/src/test/java/it/pagopa/swclient/mil/auth/resource/TokenByPasswordResourceTest.java +++ b/src/test/java/it/pagopa/swclient/mil/auth/resource/TokenByPasswordResourceTest.java @@ -21,7 +21,9 @@ import java.util.Base64; import java.util.List; +import org.eclipse.microprofile.config.inject.ConfigProperty; import org.eclipse.microprofile.rest.client.inject.RestClient; +import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.TestInstance; @@ -92,7 +94,17 @@ class TokenByPasswordResourceTest { /* * */ - private static final String KEY_URL = "https://mil-d-appl-kv.vault.azure.net/keys/"; + @ConfigProperty(name = "quarkus.rest-client.azure-key-vault-api.url") + String vaultBaseUrl; + + /* + * + */ + private String keyUrl; + + /* + * + */ private static final String KEY_NAME = "auth0709643f49394529b92c19a68c8e184a"; private static final String KEY_VERSION = "6581c704deda4979943c3b34468df7c2"; private static final String KID = KEY_NAME + "/" + KEY_VERSION; @@ -138,6 +150,14 @@ class TokenByPasswordResourceTest { @RestClient AzureAuthClient authClient; + /** + * + */ + @BeforeAll + void setup() { + keyUrl = vaultBaseUrl + (vaultBaseUrl.endsWith("/") ? "keys/" : "/keys/"); + } + @Test void testOk() throws NoSuchAlgorithmException { /* 
@@ -167,8 +187,8 @@ void testOk() throws NoSuchAlgorithmException { /* * Azure auth. client setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(UniGenerator.item(new GetAccessTokenResponse(TokenType.BEARER, AZURE_TOKEN_DURATION, AZURE_TOKEN_DURATION, AZURE_TOKEN))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(UniGenerator.item(new GetAccessTokenResponse(JsonPropertyName.TOKEN_TYPE, Instant.now().getEpochSecond() + AZURE_TOKEN_DURATION, "", "", AZURE_TOKEN))); /* * Azure key vault setup. @@ -178,16 +198,16 @@ void testOk() throws NoSuchAlgorithmException { when(keyVaultClient.getKeys(AUTHORIZATION_HDR_VALUE)) .thenReturn(UniGenerator.item(new GetKeysResponse(new BasicKey[] { - new BasicKey(KEY_URL + KEY_NAME, keyAttributes) + new BasicKey(keyUrl + KEY_NAME, keyAttributes) }))); when(keyVaultClient.getKeyVersions(AUTHORIZATION_HDR_VALUE, KEY_NAME)) .thenReturn(UniGenerator.item(new GetKeysResponse(new BasicKey[] { - new BasicKey(KEY_URL + KEY_NAME + "/" + KEY_VERSION, keyAttributes) + new BasicKey(keyUrl + KEY_NAME + "/" + KEY_VERSION, keyAttributes) }))); when(keyVaultClient.getKey(AUTHORIZATION_HDR_VALUE, KEY_NAME, KEY_VERSION)) - .thenReturn(UniGenerator.item(new DetailedKey(new KeyDetails(KEY_URL + KEY_NAME + "/" + KEY_VERSION, KEY_TYPE, KEY_OPS, MODULUS, PUBLIC_EXPONENT), keyAttributes))); + .thenReturn(UniGenerator.item(new DetailedKey(new KeyDetails(keyUrl + KEY_NAME + "/" + KEY_VERSION, KEY_TYPE, KEY_OPS, MODULUS, PUBLIC_EXPONENT), keyAttributes))); when(keyVaultClient.sign(eq(AUTHORIZATION_HDR_VALUE), eq(KEY_NAME), eq(KEY_VERSION), any(SignRequest.class))) .thenReturn(UniGenerator.item(new SignResponse(KID, EXPECTED_SIGNATURE))); diff --git a/src/test/java/it/pagopa/swclient/mil/auth/resource/TokenByPoyntTokenResourceTest.java b/src/test/java/it/pagopa/swclient/mil/auth/resource/TokenByPoyntTokenResourceTest.java index 8e6a5aeb..b0c5fcef 100644 
--- a/src/test/java/it/pagopa/swclient/mil/auth/resource/TokenByPoyntTokenResourceTest.java +++ b/src/test/java/it/pagopa/swclient/mil/auth/resource/TokenByPoyntTokenResourceTest.java @@ -17,7 +17,9 @@ import java.time.Instant; import java.util.List; +import org.eclipse.microprofile.config.inject.ConfigProperty; import org.eclipse.microprofile.rest.client.inject.RestClient; +import org.junit.jupiter.api.BeforeAll; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.TestInstance; @@ -82,7 +84,17 @@ class TokenByPoyntTokenResourceTest { /* * */ - private static final String KEY_URL = "https://mil-d-appl-kv.vault.azure.net/keys/"; + @ConfigProperty(name = "quarkus.rest-client.azure-key-vault-api.url") + String vaultBaseUrl; + + /* + * + */ + private String keyUrl; + + /* + * + */ private static final String KEY_NAME = "auth0709643f49394529b92c19a68c8e184a"; private static final String KEY_VERSION = "6581c704deda4979943c3b34468df7c2"; private static final String KID = KEY_NAME + "/" + KEY_VERSION; @@ -123,6 +135,14 @@ class TokenByPoyntTokenResourceTest { @RestClient PoyntClient poyntClient; + /** + * + */ + @BeforeAll + void setup() { + keyUrl = vaultBaseUrl + (vaultBaseUrl.endsWith("/") ? "keys/" : "/keys/"); + } + @Test void testOk() { /* @@ -146,8 +166,8 @@ void testOk() { /* * Azure auth. client setup. */ - when(authClient.getAccessToken(anyString(), anyString(), anyString(), anyString(), anyString())) - .thenReturn(UniGenerator.item(new GetAccessTokenResponse(JsonPropertyName.TOKEN_TYPE, AZURE_TOKEN_DURATION, AZURE_TOKEN_DURATION, AZURE_TOKEN))); + when(authClient.getAccessToken(anyString(), anyString())) + .thenReturn(UniGenerator.item(new GetAccessTokenResponse(JsonPropertyName.TOKEN_TYPE, Instant.now().getEpochSecond() + AZURE_TOKEN_DURATION, "", "", AZURE_TOKEN))); /* * Azure key vault setup. 
@@ -157,16 +177,16 @@ void testOk() { when(keyVaultClient.getKeys(AUTHORIZATION_HDR_VALUE)) .thenReturn(UniGenerator.item(new GetKeysResponse(new BasicKey[]{ - new BasicKey(KEY_URL + KEY_NAME, keyAttributes) + new BasicKey(keyUrl + KEY_NAME, keyAttributes) }))); when(keyVaultClient.getKeyVersions(AUTHORIZATION_HDR_VALUE, KEY_NAME)) .thenReturn(UniGenerator.item(new GetKeysResponse(new BasicKey[]{ - new BasicKey(KEY_URL + KEY_NAME + "/" + KEY_VERSION, keyAttributes) + new BasicKey(keyUrl + KEY_NAME + "/" + KEY_VERSION, keyAttributes) }))); when(keyVaultClient.getKey(AUTHORIZATION_HDR_VALUE, KEY_NAME, KEY_VERSION)) - .thenReturn(UniGenerator.item(new DetailedKey(new KeyDetails(KEY_URL + KEY_NAME + "/" + KEY_VERSION, KEY_TYPE, KEY_OPS, MODULUS, PUBLIC_EXPONENT), keyAttributes))); + .thenReturn(UniGenerator.item(new DetailedKey(new KeyDetails(keyUrl + KEY_NAME + "/" + KEY_VERSION, KEY_TYPE, KEY_OPS, MODULUS, PUBLIC_EXPONENT), keyAttributes))); when(keyVaultClient.sign(eq(AUTHORIZATION_HDR_VALUE), eq(KEY_NAME), eq(KEY_VERSION), any(SignRequest.class))) .thenReturn(UniGenerator.item(new SignResponse(KID, EXPECTED_SIGNATURE))); From bb28370d31d77a4de5cb8eae853ea82c9a658947 Mon Sep 17 00:00:00 2001 From: Antonio Tarricone <110115827+antoniotarricone@users.noreply.github.com> Date: Wed, 18 Oct 2023 17:13:36 +0200 Subject: [PATCH 2/4] fix: Workflow fixed. (#69) --- .github/workflows/build-n-push-main.yml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build-n-push-main.yml b/.github/workflows/build-n-push-main.yml index ac63e7f4..42b18ce9 100644 --- a/.github/workflows/build-n-push-main.yml +++ b/.github/workflows/build-n-push-main.yml @@ -1,4 +1,4 @@ -name: Build and push main +name: Build and push on: workflow_dispatch: @@ -26,7 +26,6 @@ jobs: # Cache JDK. # - name: Cache JDK - if: steps.semantic.outputs.new_release_published == 'true' uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 id: cache-jdk with: 
@@ -39,7 +38,7 @@ jobs: # Download JDK and verify its hash. # - name: Download JDK and verify its hash - if: steps.semantic.outputs.new_release_published == 'true' && steps.cache-jdk.outputs.cache-hit != 'true' + if: steps.cache-jdk.outputs.cache-hit != 'true' run: | echo "e9458b38e97358850902c2936a1bb5f35f6cffc59da9fcd28c63eab8dbbfbc3b ${{ runner.temp }}/jdk_setup.tar.gz" >> ${{ runner.temp }}/jdk_setup.sha256 curl -L "https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.7%2B7/OpenJDK17U-jdk_x64_linux_hotspot_17.0.7_7.tar.gz" -o "${{ runner.temp }}/jdk_setup.tar.gz" @@ -49,7 +48,6 @@ jobs: # Setup JDK. # - name: Setup JDK - if: steps.semantic.outputs.new_release_published == 'true' uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 with: distribution: "jdkfile" @@ -61,7 +59,6 @@ jobs: # Cache Maven. # - name: Cache Maven - if: steps.semantic.outputs.new_release_published == 'true' uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 id: cache-maven with: @@ -74,7 +71,7 @@ jobs: # Download Maven and verify its hash. # - name: Download Maven and verify its hash - if: steps.semantic.outputs.new_release_published == 'true' && steps.cache-maven.outputs.cache-hit != 'true' + if: steps.cache-maven.outputs.cache-hit != 'true' run: | echo "809ef3220c6d179195c06c324cb9a6d34d8ecba566c5cfd8eb83167bc034117d ${{ runner.temp }}/maven_setup.tar.gz" >> ${{ runner.temp }}/maven_setup.sha256 curl -L "https://archive.apache.org/dist/maven/maven-3/3.9.2/binaries/apache-maven-3.9.2-bin.tar.gz" -o "${{ runner.temp }}/maven_setup.tar.gz" @@ -84,7 +81,6 @@ jobs: # Setup Maven. # - name: Setup Maven - if: steps.semantic.outputs.new_release_published == 'true' run: | mkdir ${{ runner.temp }}/maven tar -xvf ${{ runner.temp }}/maven_setup.tar.gz -C ${{ runner.temp }}/maven --strip-components=1 
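Review bot: With `if: steps.cache-jdk.outputs.cache-hit != 'true'` now guarding the whole "Download JDK and verify its hash" step (first hunk), a cache hit restores `jdk_setup.tar.gz` and `jdk_setup.sha256` and the following "Setup JDK" step unpacks the archive without any hash check, because both the expected-checksum file and the verification live only in the skipped step. Since the cache key is just the file name, a cache entry written by any other workflow run with that key would be consumed unverified; the same applies to the Maven step in the fourth hunk. Keeping the download conditional but verifying unconditionally closes this, with the expected digest held in the workflow rather than in the cached file: `- name: Verify JDK hash` / `run: echo "e9458b38e97358850902c2936a1bb5f35f6cffc59da9fcd28c63eab8dbbfbc3b  ${{ runner.temp }}/jdk_setup.tar.gz" | sha256sum --check --status`.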
@@ -100,7 +96,7 @@ jobs: # Build Docker image. # - name: Build Docker image - run: docker build -f src/main/docker/Dockerfile.native-micro -t ghcr.io/${{ github.repository }}:main . + run: docker build -f src/main/docker/Dockerfile.native-micro -t ghcr.io/${{ github.repository }}:${{ github.ref }} . # # Push Docker image. From 578e5592f96c480279753bbf625be46406d13542 Mon Sep 17 00:00:00 2001 From: Antonio Tarricone <110115827+antoniotarricone@users.noreply.github.com> Date: Wed, 18 Oct 2023 17:30:24 +0200 Subject: [PATCH 3/4] chore: Fixed tag content. (#70) --- .github/workflows/build-n-push-main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-n-push-main.yml b/.github/workflows/build-n-push-main.yml index 42b18ce9..bca1bf6c 100644 --- a/.github/workflows/build-n-push-main.yml +++ b/.github/workflows/build-n-push-main.yml @@ -96,7 +96,9 @@ jobs: # Build Docker image. # - name: Build Docker image - run: docker build -f src/main/docker/Dockerfile.native-micro -t ghcr.io/${{ github.repository }}:${{ github.ref }} . + run: | + BRANCH_NAME=${GITHUB_REF////_}" + docker build -f src/main/docker/Dockerfile.native-micro -t ghcr.io/${{ github.repository }}:$BRANCH_NAME . # # Push Docker image. From 522ea3e1d6497c314412c4ce141c39410d0507e1 Mon Sep 17 00:00:00 2001 From: Antonio Tarricone <110115827+antoniotarricone@users.noreply.github.com> Date: Wed, 18 Oct 2023 17:40:54 +0200 Subject: [PATCH 4/4] Update build-n-push-main.yml --- .github/workflows/build-n-push-main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-n-push-main.yml b/.github/workflows/build-n-push-main.yml index bca1bf6c..07d3a526 100644 --- a/.github/workflows/build-n-push-main.yml +++ b/.github/workflows/build-n-push-main.yml 
@@ -97,7 +97,7 @@ jobs: # - name: Build Docker image run: | - BRANCH_NAME=${GITHUB_REF////_}" + BRANCH_NAME="${GITHUB_REF////_}" docker build -f src/main/docker/Dockerfile.native-micro -t ghcr.io/${{ github.repository }}:$BRANCH_NAME . # @@ -106,4 +106,4 @@ jobs: - name: Push Docker image run: | echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin - docker push -a ghcr.io/${{ github.repository }} \ No newline at end of file + docker push -a ghcr.io/${{ github.repository }}
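Review bot: `docker push -a ghcr.io/${{ github.repository }}` in the second hunk pushes every tag of that image present on the runner rather than only the `$BRANCH_NAME` tag the build step produced; on a fresh hosted runner the two coincide today, but it silently widens if another step or a self-hosted runner ever leaves other tags behind. Pushing the explicit tag, `docker push ghcr.io/${{ github.repository }}:$BRANCH_NAME`, keeps what is published equal to what was just built. Because `BRANCH_NAME` is set inside the build step's own `run:` shell, the push step would need it exported, for example `echo "BRANCH_NAME=${GITHUB_REF////_}" >> "$GITHUB_ENV"` in the build step.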