pagopa · antoniotarricone · Oct 18, 2023 · Oct 18, 2023
@@ -0,0 +1,111 @@
+name: Build and push main
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build_and_push_main:
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write
+      packages: write
+      contents: write
+
+    steps:
+      #
+      # Checkout the source code.
+      #
+      - name: Checkout the source code
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        with:
+          token: ${{ secrets.GIT_PAT }}
+          fetch-depth: 0
+
+      #
+      # Cache JDK.
+      #
+      - name: Cache JDK
+        if: steps.semantic.outputs.new_release_published == 'true'
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
+        id: cache-jdk
+        with:
+          key: OpenJDK17U-jdk_x64_linux_hotspot_17.0.7_7.tar.gz
+          path: |
+            ${{ runner.temp }}/jdk_setup.tar.gz
+            ${{ runner.temp }}/jdk_setup.sha256
+
+      #
+      # Download JDK and verify its hash.
+      #
+      - name: Download JDK and verify its hash
+        if: steps.semantic.outputs.new_release_published == 'true' && steps.cache-jdk.outputs.cache-hit != 'true'
+        run: |
+          echo "e9458b38e97358850902c2936a1bb5f35f6cffc59da9fcd28c63eab8dbbfbc3b  ${{ runner.temp }}/jdk_setup.tar.gz" >> ${{ runner.temp }}/jdk_setup.sha256
+          curl -L "https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.7%2B7/OpenJDK17U-jdk_x64_linux_hotspot_17.0.7_7.tar.gz" -o "${{ runner.temp }}/jdk_setup.tar.gz"
+          sha256sum --check --status "${{ runner.temp }}/jdk_setup.sha256"
+
+      #
+      # Setup JDK.
+      #
+      - name: Setup JDK
+        if: steps.semantic.outputs.new_release_published == 'true'
+        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2
+        with:
+          distribution: "jdkfile"
+          jdkFile: "${{ runner.temp }}/jdk_setup.tar.gz"
+          java-version: "17"
+          cache: maven
+
+      #
+      # Cache Maven.
+      #
+      - name: Cache Maven
+        if: steps.semantic.outputs.new_release_published == 'true'
+        uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8
+        id: cache-maven
+        with:
+          key: apache-maven-3.9.2-bin.tar.gz
+          path: |
+            ${{ runner.temp }}/maven_setup.tar.gz
+            ${{ runner.temp }}/maven_setup.sha256
+
+      #
+      # Download Maven and verify its hash.
+      #
+      - name: Download Maven and verify its hash
+        if: steps.semantic.outputs.new_release_published == 'true' && steps.cache-maven.outputs.cache-hit != 'true'
+        run: |
+          echo "809ef3220c6d179195c06c324cb9a6d34d8ecba566c5cfd8eb83167bc034117d  ${{ runner.temp }}/maven_setup.tar.gz" >> ${{ runner.temp }}/maven_setup.sha256
+          curl -L "https://archive.apache.org/dist/maven/maven-3/3.9.2/binaries/apache-maven-3.9.2-bin.tar.gz" -o "${{ runner.temp }}/maven_setup.tar.gz"
+          sha256sum --check --status "${{ runner.temp }}/maven_setup.sha256"
+
+      #
+      # Setup Maven.
+      #
+      - name: Setup Maven
+        if: steps.semantic.outputs.new_release_published == 'true'
+        run: |
+          mkdir ${{ runner.temp }}/maven
+          tar -xvf ${{ runner.temp }}/maven_setup.tar.gz -C ${{ runner.temp }}/maven --strip-components=1
+          echo "<settings><servers><server><id>github</id><username>${{ secrets.GIT_USER }}</username><password>${{ secrets.GIT_PAT }}</password></server></servers></settings>" >> ${{ runner.temp }}/settings.xml
+
+      #
+      # Build native executable.
+      #
+      - name: Build native executable
+        run: ${{ runner.temp }}/maven/bin/mvn clean package -Pnative -Dmaven.test.skip=false -Dquarkus.native.container-build=true -Dquarkus.native.builder-image=quay.io/quarkus/ubi-quarkus-mandrel-builder-image@sha256:05baf3fd2173f6f25ad35216b6b066c35fbfb97f06daba75efb5b22bc0a85b9c -s ${{ runner.temp }}/settings.xml --no-transfer-progress
+
+      #
+      # Build Docker image.
+      #
+      - name: Build Docker image
+        run: docker build -f src/main/docker/Dockerfile.native-micro -t ghcr.io/${{ github.repository }}:main .
+
+      #
+      # Push Docker image.
+      #
+      - name: Push Docker image
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+          docker push -a ghcr.io/${{ github.repository }}
@@ -35,14 +35,20 @@ public class GetAccessTokenResponse {
 	/*
 	 *
 	 */
-	@JsonProperty("expires_in")
-	private long expiresIn;
+	@JsonProperty("expires_on")
+	private long expiresOn;
 
 	/*
 	 *
 	 */
-	@JsonProperty("ext_expires_in")
-	private long extExpiresIn;
+	@JsonProperty("client_id")
+	private String clientId;
+
+	/*
+	 *
+	 */
+	@JsonProperty("resource")
+	private String resource;
 
 	/*
 	 *

@@ -9,9 +9,8 @@
 
 import io.smallrye.mutiny.Uni;
 import it.pagopa.swclient.mil.auth.azurekeyvault.bean.GetAccessTokenResponse;
-import jakarta.ws.rs.Consumes;
-import jakarta.ws.rs.FormParam;
-import jakarta.ws.rs.POST;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.HeaderParam;
 import jakarta.ws.rs.Path;
 import jakarta.ws.rs.PathParam;
 import jakarta.ws.rs.Produces;
@@ -30,14 +29,10 @@ public interface AzureAuthClient {
 	 * @param scope
 	 * @return
 	 */
-	@Path("/{tenantId}/oauth2/v2.0/token")
-	@POST
-	@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+	@Path("?resource={scope}&api-version=2019-08-01")
+	@GET
 	@Produces(MediaType.APPLICATION_JSON)
 	Uni<GetAccessTokenResponse> getAccessToken(
-		@PathParam("tenantId") String tenantId,
-		@FormParam("grant_type") String grantType,
-		@FormParam("client_id") String clientId,
-		@FormParam("client_secret") String clientSecret,
-		@FormParam("scope") String scope);
+		@HeaderParam("x-identity-header") String identity,
+		@PathParam("scope") String scope);
 }
@@ -19,40 +19,28 @@
  */
 @ApplicationScoped
 public class AzureAuthService {
-	/*
-	 * Grant types.
-	 */
-	private static final String CLIENT_CREDENTIALS = "client_credentials";
 	/*
 	 * Scope for authentication.
 	 */
 	private static final String VAULT = "https://vault.azure.net/.default";
+
 	/*
 	 *
 	 */
 	@RestClient
 	AzureAuthClient client;
+
 	/*
 	 *
 	 */
-	@ConfigProperty(name = "azure-auth-api.tenant-id")
-	String tenantId;
-	/*
-	 *
-	 */
-	@ConfigProperty(name = "azure-auth-api.client-id")
-	String clientId;
-	/*
-	 *
-	 */
-	@ConfigProperty(name = "azure-auth-api.client-secret")
-	String clientSecret;
-
+	@ConfigProperty(name = "azure-auth-api.identity")
+	String identity;
+
 	/**
 	 * @return
 	 */
 	public Uni<GetAccessTokenResponse> getAccessToken() {
 		Log.debug("Authenticating to Azure AD.");
-		return client.getAccessToken(tenantId, CLIENT_CREDENTIALS, clientId, clientSecret, VAULT);
+		return client.getAccessToken(identity, VAULT);
 	}
 }
@@ -10,16 +10,10 @@ quarkus.log.console.format=%d{yyyy-MM-dd HH:mm:ss.SSS} [%X{requestId}] [%p] [%c{
 
 %dev.quarkus.log.level=INFO
 %dev.quarkus.log.category."it.pagopa.swclient.mil.auth".level=DEBUG
-%dev.quarkus.log.category."REQ_IN".level=INFO
-%dev.quarkus.log.category."RESP_OUT".level=INFO
 %dev.quarkus.rest-client.logging.scope=all
 %dev.quarkus.rest-client.logging.body-limit=32768
 %dev.quarkus.log.category."org.jboss.resteasy.reactive.client.logging".level=DEBUG
 
-%test.quarkus.rest-client.logging.scope=all
-%test.quarkus.rest-client.logging.body-limit=32768
-%test.quarkus.log.category."org.jboss.resteasy.reactive.client.logging".level=DEBUG
-
 %test.quarkus.log.level=ERROR
 %test.quarkus.log.category."it.pagopa.swclient.mil.auth".level=DEBUG
 
@@ -29,71 +23,56 @@ quarkus.log.console.format=%d{yyyy-MM-dd HH:mm:ss.SSS} [%X{requestId}] [%p] [%c{
 # ------------------------------------------------------------------------------
 # Cryptoperiod of RSA keys in seconds (86400s = 1d)
 # ------------------------------------------------------------------------------
-%dev.cryptoperiod=86400
-%test.cryptoperiod=86400
+cryptoperiod=86400
 %prod.cryptoperiod=${auth.cryptoperiod}
 
 # ------------------------------------------------------------------------------
 # Key size (modulus) of RSA keys in bits
 # ------------------------------------------------------------------------------
-%dev.keysize=4096
-%test.keysize=4096
+keysize=4096
 %prod.keysize=${auth.keysize}
 
 # ------------------------------------------------------------------------------
 # Token configuration
 # ------------------------------------------------------------------------------
-%dev.access.duration=300
-%test.access.duration=300
-%prod.access.duration=${auth.access.duration}
+access.duration=300
+refresh.duration=3600
 
-%dev.refresh.duration=3600
-%test.refresh.duration=3600
+%prod.access.duration=${auth.access.duration}
 %prod.refresh.duration=${auth.refresh.duration}
 
-#
+# ------------------------------------------------------------------------------
 # Poynt integration
-#
+# ------------------------------------------------------------------------------
 quarkus.rest-client.poynt-api.url=https://services-eu.poynt.net/
 poynt-api.version=1.2
 
-#
+# ------------------------------------------------------------------------------
 # Authorization data repository (clients, roles)
-#
-%dev.quarkus.rest-client.auth-data-repository.url=https://mildconfst.blob.core.windows.net
-%test.quarkus.rest-client.auth-data-repository.url=https://mildconfst.blob.core.windows.net
+# ------------------------------------------------------------------------------
+quarkus.rest-client.auth-data-repository.url=https://mildconfst.blob.core.windows.net
 %prod.quarkus.rest-client.auth-data-repository.url=${auth.data.url}
 
-#
+# ------------------------------------------------------------------------------
 # TTL for the authorization data cache
-#
-%test.quarkus.cache.enabled=false
+# ------------------------------------------------------------------------------
 quarkus.cache.caffeine.expire-after-write=1h
+%test.quarkus.cache.enabled=false
 
-#
+# ------------------------------------------------------------------------------
 # Azure Auth API
-#
-quarkus.rest-client.azure-auth-api.url=https://login.microsoftonline.com
-
-%dev.azure-auth-api.tenant-id=${AZURE_TENANT_ID}
-%dev.azure-auth-api.client-id=${AZURE_CLIENT_ID}
-%dev.azure-auth-api.client-secret=${AZURE_CLIENT_SECRET}
-
-%test.azure-auth-api.tenant-id=dummy
-%test.azure-auth-api.client-id=dummy
-%test.azure-auth-api.client-secret=dummy
+# ------------------------------------------------------------------------------
+quarkus.rest-client.azure-auth-api.url=http://dummy
+azure-auth-api.identity=dummy
 
-%prod.azure-auth-api.tenant-id=${azure.tenant.id}
-%prod.azure-auth-api.client-id=${azure.client.id}
-%prod.azure-auth-api.client-secret=${azure.client.secret}
+%prod.quarkus.rest-client.azure-auth-api.url=${IDENTITY_ENDPOINT}
+%prod.azure-auth-api.identity=${IDENTITY_HEADER}
 
-#
+# ------------------------------------------------------------------------------
 # Azure Key Vault API
-#
-%dev.azure-key-vault-api.version=7.4
-%test.azure-key-vault-api.version=7.4
-%prod.azure-key-vault-api.version=${auth.keyvault.api-version}
+# ------------------------------------------------------------------------------
+azure-key-vault-api.version=7.4
+quarkus.rest-client.azure-key-vault-api.url=http://dummy
 
-%dev.quarkus.rest-client.azure-key-vault-api.url=https://mil-d-appl-kv.vault.azure.net/
-%test.quarkus.rest-client.azure-key-vault-api.url=https://mil-d-appl-kv.vault.azure.net/
+%prod.azure-key-vault-api.version=${auth.keyvault.api-version}
 %prod.quarkus.rest-client.azure-key-vault-api.url=${auth.keyvault.url}