feat: Authentication for key vault use, by means of system-managed id…
…entity. (#68)
antoniotarricone authored Oct 18, 2023
1 parent 406e5ea commit bd856fa
Showing 11 changed files with 361 additions and 188 deletions.
111 changes: 111 additions & 0 deletions .github/workflows/build-n-push-main.yml
@@ -0,0 +1,111 @@
name: Build and push main

on:
workflow_dispatch:

jobs:
build_and_push_main:
runs-on: ubuntu-latest

permissions:
id-token: write
packages: write
contents: write

steps:
#
# Checkout the source code.
#
- name: Checkout the source code
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
with:
token: ${{ secrets.GIT_PAT }}
fetch-depth: 0

#
# Cache JDK.
#
- name: Cache JDK
if: steps.semantic.outputs.new_release_published == 'true'
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
id: cache-jdk
with:
key: OpenJDK17U-jdk_x64_linux_hotspot_17.0.7_7.tar.gz
path: |
${{ runner.temp }}/jdk_setup.tar.gz
${{ runner.temp }}/jdk_setup.sha256
#
# Download JDK and verify its hash.
#
- name: Download JDK and verify its hash
if: steps.semantic.outputs.new_release_published == 'true' && steps.cache-jdk.outputs.cache-hit != 'true'
run: |
echo "e9458b38e97358850902c2936a1bb5f35f6cffc59da9fcd28c63eab8dbbfbc3b ${{ runner.temp }}/jdk_setup.tar.gz" >> ${{ runner.temp }}/jdk_setup.sha256
curl -L "https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.7%2B7/OpenJDK17U-jdk_x64_linux_hotspot_17.0.7_7.tar.gz" -o "${{ runner.temp }}/jdk_setup.tar.gz"
sha256sum --check --status "${{ runner.temp }}/jdk_setup.sha256"
#
# Setup JDK.
#
- name: Setup JDK
if: steps.semantic.outputs.new_release_published == 'true'
uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2
with:
distribution: "jdkfile"
jdkFile: "${{ runner.temp }}/jdk_setup.tar.gz"
java-version: "17"
cache: maven

#
# Cache Maven.
#
- name: Cache Maven
if: steps.semantic.outputs.new_release_published == 'true'
uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
id: cache-maven
with:
key: apache-maven-3.9.2-bin.tar.gz
path: |
${{ runner.temp }}/maven_setup.tar.gz
${{ runner.temp }}/maven_setup.sha256
#
# Download Maven and verify its hash.
#
- name: Download Maven and verify its hash
if: steps.semantic.outputs.new_release_published == 'true' && steps.cache-maven.outputs.cache-hit != 'true'
run: |
echo "809ef3220c6d179195c06c324cb9a6d34d8ecba566c5cfd8eb83167bc034117d ${{ runner.temp }}/maven_setup.tar.gz" >> ${{ runner.temp }}/maven_setup.sha256
curl -L "https://archive.apache.org/dist/maven/maven-3/3.9.2/binaries/apache-maven-3.9.2-bin.tar.gz" -o "${{ runner.temp }}/maven_setup.tar.gz"
sha256sum --check --status "${{ runner.temp }}/maven_setup.sha256"
#
# Setup Maven.
#
- name: Setup Maven
if: steps.semantic.outputs.new_release_published == 'true'
run: |
mkdir ${{ runner.temp }}/maven
tar -xvf ${{ runner.temp }}/maven_setup.tar.gz -C ${{ runner.temp }}/maven --strip-components=1
echo "<settings><servers><server><id>github</id><username>${{ secrets.GIT_USER }}</username><password>${{ secrets.GIT_PAT }}</password></server></servers></settings>" >> ${{ runner.temp }}/settings.xml
#
# Build native executable.
#
- name: Build native executable
run: ${{ runner.temp }}/maven/bin/mvn clean package -Pnative -Dmaven.test.skip=false -Dquarkus.native.container-build=true -Dquarkus.native.builder-image=quay.io/quarkus/ubi-quarkus-mandrel-builder-image@sha256:05baf3fd2173f6f25ad35216b6b066c35fbfb97f06daba75efb5b22bc0a85b9c -s ${{ runner.temp }}/settings.xml --no-transfer-progress

#
# Build Docker image.
#
- name: Build Docker image
run: docker build -f src/main/docker/Dockerfile.native-micro -t ghcr.io/${{ github.repository }}:main .

#
# Push Docker image.
#
- name: Push Docker image
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
docker push -a ghcr.io/${{ github.repository }}
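Review bot: Every JDK and Maven setup step is gated on `steps.semantic.outputs.new_release_published == 'true'`, but no step with id `semantic` exists in this job, so the expression is empty, those six steps are skipped, and the ungated "Build native executable" step runs `${{ runner.temp }}/maven/bin/mvn` that was never extracted. Either drop the `if:` on the Cache JDK, Download JDK, Setup JDK, Cache Maven, Download Maven and Setup Maven steps or add the semantic-release step they refer to. The job also requests `contents: write` and `id-token: write` although nothing visible commits, tags or exchanges an OIDC token; `packages: write` is the only permission the push needs, so `permissions:` / `packages: write` alone is the least-privilege grant. `docker push -a ghcr.io/${{ github.repository }}` pushes every local tag of the image rather than the `:main` tag just built; `docker push ghcr.io/${{ github.repository }}:main` limits it to what this run produced. The Setup Maven step also writes `secrets.GIT_PAT` in clear into `${{ runner.temp }}/settings.xml` and, with checkout's `persist-credentials` left at its default, the same PAT is already in `.git/config` while the build and its tests (`-Dmaven.test.skip=false`) run, so `persist-credentials: false` on the checkout step and a minimally scoped token would reduce what a compromised dependency or test can read.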
Original file line number Diff line number Diff line change
Expand Up @@ -35,14 +35,20 @@ public class GetAccessTokenResponse {
/*
*
*/
@JsonProperty("expires_in")
private long expiresIn;
@JsonProperty("expires_on")
private long expiresOn;

/*
*
*/
@JsonProperty("ext_expires_in")
private long extExpiresIn;
@JsonProperty("client_id")
private String clientId;

/*
*
*/
@JsonProperty("resource")
private String resource;

/*
*
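Review bot: The three new fields `expiresOn`, `clientId` and `resource` each sit under an empty `/* * */` block, so the hunk changes the wire contract (`expires_on`, `client_id`, `resource`) without documenting what the values mean. Suggest replacing the empty block above `expiresOn` with `/* Expiry of the token as reported by the identity endpoint (expires_on) — TODO confirm unit and JSON type (epoch seconds, possibly serialized as a string) against the api-version 2019-08-01 docs. */` and giving `clientId` and `resource` one-line comments naming them as the identity's client id and the resource the token was issued for. If the endpoint does serialize `expires_on` as a string, mapping it to `long` relies on Jackson's default scalar coercion, which is worth recording in the comment. The class `GetAccessTokenResponse` begins and ends outside the hunk.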
Original file line number Diff line number Diff line change
Expand Up @@ -9,9 +9,8 @@

import io.smallrye.mutiny.Uni;
import it.pagopa.swclient.mil.auth.azurekeyvault.bean.GetAccessTokenResponse;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.FormParam;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.HeaderParam;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
Expand All @@ -30,14 +29,10 @@ public interface AzureAuthClient {
* @param scope
* @return
*/
@Path("/{tenantId}/oauth2/v2.0/token")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Path("?resource={scope}&api-version=2019-08-01")
@GET
@Produces(MediaType.APPLICATION_JSON)
Uni<GetAccessTokenResponse> getAccessToken(
@PathParam("tenantId") String tenantId,
@FormParam("grant_type") String grantType,
@FormParam("client_id") String clientId,
@FormParam("client_secret") String clientSecret,
@FormParam("scope") String scope);
@HeaderParam("x-identity-header") String identity,
@PathParam("scope") String scope);
}
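Review bot: `@Path("?resource={scope}&api-version=2019-08-01")` on the new `getAccessToken` puts a query string into a path template; JAX-RS treats `@Path` as a path segment, so the client is likely to percent-encode the `?` and `&`, and `{scope}` bound through `@PathParam` will be path-encoded, turning `https://vault.azure.net/.default` into an escaped segment instead of a `resource` query value. Express both as query parameters: `@QueryParam("resource")` for `scope`, and the fixed `api-version` either via `@ClientQueryParam` (MicroProfile Rest Client 2.0) or a second `@QueryParam` supplied by the caller. The new `identity` parameter is also missing from the Javadoc `@param` list, and the `scope` and `@return` tags remain empty. The interface `AzureAuthClient` starts outside the hunk.
```java
@GET
@Produces(MediaType.APPLICATION_JSON)
@ClientQueryParam(name = "api-version", value = "2019-08-01")
Uni<GetAccessTokenResponse> getAccessToken(
    @HeaderParam("x-identity-header") String identity,
    @QueryParam("resource") String scope);
```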
Original file line number Diff line number Diff line change
Expand Up @@ -19,40 +19,28 @@
*/
@ApplicationScoped
public class AzureAuthService {
/*
* Grant types.
*/
private static final String CLIENT_CREDENTIALS = "client_credentials";
/*
* Scope for authentication.
*/
private static final String VAULT = "https://vault.azure.net/.default";

/*
*
*/
@RestClient
AzureAuthClient client;

/*
*
*/
@ConfigProperty(name = "azure-auth-api.tenant-id")
String tenantId;
/*
*
*/
@ConfigProperty(name = "azure-auth-api.client-id")
String clientId;
/*
*
*/
@ConfigProperty(name = "azure-auth-api.client-secret")
String clientSecret;

@ConfigProperty(name = "azure-auth-api.identity")
String identity;

/**
* @return
*/
public Uni<GetAccessTokenResponse> getAccessToken() {
Log.debug("Authenticating to Azure AD.");
return client.getAccessToken(tenantId, CLIENT_CREDENTIALS, clientId, clientSecret, VAULT);
return client.getAccessToken(identity, VAULT);
}
}
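Review bot: The new `identity` field under `@ConfigProperty(name = "azure-auth-api.identity")` is the value sent verbatim as `x-identity-header` and, per the prod properties in this commit, comes from `IDENTITY_HEADER`, i.e. it is a credential, yet it is the only field in the class with no comment while the surviving `/* * */` block above `client` and the `@return` tag on `getAccessToken()` are empty. Suggest `/* Value sent as x-identity-header to the managed identity endpoint; treat as a secret. */` above `identity`, `/* REST client for the managed identity token endpoint. */` above `client`, and `@return the token response obtained for the {@code VAULT} scope` on `getAccessToken()`. The comment on `VAULT` ("Scope for authentication.") could say it is the Key Vault resource the token is requested for, since that is what `getAccessToken` passes as the `scope` argument.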
69 changes: 24 additions & 45 deletions src/main/resources/application.properties
Expand Up @@ -10,16 +10,10 @@ quarkus.log.console.format=%d{yyyy-MM-dd HH:mm:ss.SSS} [%X{requestId}] [%p] [%c{

%dev.quarkus.log.level=INFO
%dev.quarkus.log.category."it.pagopa.swclient.mil.auth".level=DEBUG
%dev.quarkus.log.category."REQ_IN".level=INFO
%dev.quarkus.log.category."RESP_OUT".level=INFO
%dev.quarkus.rest-client.logging.scope=all
%dev.quarkus.rest-client.logging.body-limit=32768
%dev.quarkus.log.category."org.jboss.resteasy.reactive.client.logging".level=DEBUG

%test.quarkus.rest-client.logging.scope=all
%test.quarkus.rest-client.logging.body-limit=32768
%test.quarkus.log.category."org.jboss.resteasy.reactive.client.logging".level=DEBUG

%test.quarkus.log.level=ERROR
%test.quarkus.log.category."it.pagopa.swclient.mil.auth".level=DEBUG

Expand All @@ -29,71 +23,56 @@ quarkus.log.console.format=%d{yyyy-MM-dd HH:mm:ss.SSS} [%X{requestId}] [%p] [%c{
# ------------------------------------------------------------------------------
# Cryptoperiod of RSA keys in seconds (86400s = 1d)
# ------------------------------------------------------------------------------
%dev.cryptoperiod=86400
%test.cryptoperiod=86400
cryptoperiod=86400
%prod.cryptoperiod=${auth.cryptoperiod}

# ------------------------------------------------------------------------------
# Key size (modulus) of RSA keys in bits
# ------------------------------------------------------------------------------
%dev.keysize=4096
%test.keysize=4096
keysize=4096
%prod.keysize=${auth.keysize}

# ------------------------------------------------------------------------------
# Token configuration
# ------------------------------------------------------------------------------
%dev.access.duration=300
%test.access.duration=300
%prod.access.duration=${auth.access.duration}
access.duration=300
refresh.duration=3600

%dev.refresh.duration=3600
%test.refresh.duration=3600
%prod.access.duration=${auth.access.duration}
%prod.refresh.duration=${auth.refresh.duration}

#
# ------------------------------------------------------------------------------
# Poynt integration
#
# ------------------------------------------------------------------------------
quarkus.rest-client.poynt-api.url=https://services-eu.poynt.net/
poynt-api.version=1.2

#
# ------------------------------------------------------------------------------
# Authorization data repository (clients, roles)
#
%dev.quarkus.rest-client.auth-data-repository.url=https://mildconfst.blob.core.windows.net
%test.quarkus.rest-client.auth-data-repository.url=https://mildconfst.blob.core.windows.net
# ------------------------------------------------------------------------------
quarkus.rest-client.auth-data-repository.url=https://mildconfst.blob.core.windows.net
%prod.quarkus.rest-client.auth-data-repository.url=${auth.data.url}

#
# ------------------------------------------------------------------------------
# TTL for the authorization data cache
#
%test.quarkus.cache.enabled=false
# ------------------------------------------------------------------------------
quarkus.cache.caffeine.expire-after-write=1h
%test.quarkus.cache.enabled=false

#
# ------------------------------------------------------------------------------
# Azure Auth API
#
quarkus.rest-client.azure-auth-api.url=https://login.microsoftonline.com

%dev.azure-auth-api.tenant-id=${AZURE_TENANT_ID}
%dev.azure-auth-api.client-id=${AZURE_CLIENT_ID}
%dev.azure-auth-api.client-secret=${AZURE_CLIENT_SECRET}

%test.azure-auth-api.tenant-id=dummy
%test.azure-auth-api.client-id=dummy
%test.azure-auth-api.client-secret=dummy
# ------------------------------------------------------------------------------
quarkus.rest-client.azure-auth-api.url=http://dummy
azure-auth-api.identity=dummy

%prod.azure-auth-api.tenant-id=${azure.tenant.id}
%prod.azure-auth-api.client-id=${azure.client.id}
%prod.azure-auth-api.client-secret=${azure.client.secret}
%prod.quarkus.rest-client.azure-auth-api.url=${IDENTITY_ENDPOINT}
%prod.azure-auth-api.identity=${IDENTITY_HEADER}

#
# ------------------------------------------------------------------------------
# Azure Key Vault API
#
%dev.azure-key-vault-api.version=7.4
%test.azure-key-vault-api.version=7.4
%prod.azure-key-vault-api.version=${auth.keyvault.api-version}
# ------------------------------------------------------------------------------
azure-key-vault-api.version=7.4
quarkus.rest-client.azure-key-vault-api.url=http://dummy

%dev.quarkus.rest-client.azure-key-vault-api.url=https://mil-d-appl-kv.vault.azure.net/
%test.quarkus.rest-client.azure-key-vault-api.url=https://mil-d-appl-kv.vault.azure.net/
%prod.azure-key-vault-api.version=${auth.keyvault.api-version}
%prod.quarkus.rest-client.azure-key-vault-api.url=${auth.keyvault.url}
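Review bot: `quarkus.rest-client.azure-auth-api.url=http://dummy`, `azure-auth-api.identity=dummy` and `quarkus.rest-client.azure-key-vault-api.url=http://dummy` are now profile-less defaults, so they apply to `dev` as well as `test`, while the `%dev.` Key Vault URL and the `%dev.azure-auth-api.*` entries are deleted; any profile other than `prod` will call `http://dummy` unless overridden from outside. If that is intended, the `# Azure Auth API` block should say so and record where the prod values come from, e.g. `# prod: IDENTITY_ENDPOINT / IDENTITY_HEADER are presumably injected by the Azure managed identity runtime; IDENTITY_HEADER is a secret` and `# non-prod: placeholders, the clients are mocked in tests`. The `auth-data-repository` entry was collapsed the same way but keeps a real host as its default, so two conventions for non-prod defaults now coexist in the same file.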
