Merge branch 'jwt' into main

Author: vcarluer

api/src/integrationTest/resources/application-test.yml

@@ -16,6 +16,12 @@ management:
 #        key: "ZmFrZS1rZXkK"
 #        uri: "https://faketestaccount.documents.azure.com:443/"
 csm:
+  platform:
+    authorization:
+      tenant-id-jwt-claim: "iss"
+      # Note that the way @Value works in Spring does not make it possible to inject this sole YAML list.
+      # Use CsmPlatformProperties instead !
+      allowed-tenants: ["test"]
     vendor: azure
     argo:
       base-uri: "https://argo-server.argo.svc.cluster.local:2746"

api/src/main/resources/application-azure.yml

@@ -10,8 +10,22 @@ management:
         readiness:
           include: "readinessState,cosmos,blobStorage"
 
+csm:
+  platform:
+    authorization:
+      principal-jwt-claim: "oid"
+      tenant-id-jwt-claim: "tid"
+
 azure:
-  # Required to auto-configure the beans provided by the Azure CosmosDB Spring Boot AutoConfiguration
+  # Required to auto-configure the beans provided by the Azure Spring Boot AutoConfigurations
+  activedirectory:
+    # tenantId is 'common' to use the login process of multi-tenant access
+    # See https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/spring/azure-spring-boot-starter-active-directory/ACCESS_TO_MULTI_TENANT_APP.md
+    tenant-id: common
+    client-id: ${csm.platform.azure.credentials.clientId}
+    client-secret: ${csm.platform.azure.credentials.clientSecret}
+    session-stateless: true
+    app-id-uri: ${csm.platform.azure.appIdUri}
   cosmos:
     allowTelemetry: ${csm.platform.azure.cosmos.allowTelemetry}
     connectionMode: ${csm.platform.azure.cosmos.connectionMode}

api/src/main/resources/application.yml

@@ -12,6 +12,12 @@ spring:
       enabled: false
     kubernetes:
       enabled: false
+security:
+  oauth2:
+    resource:
+      user-info-uri: https://graph.microsoft.com/oidc/userinfo
+      jwk:
+        key-set-uri: https://login.microsoftonline.com/common/discovery/v2.0/keys
 
 management:
   endpoint:
@@ -56,8 +62,15 @@ csm:
     images:
       scenario-fetch-parameters: cosmo-tech/fetch-scenario-parameters
       send-datawarehouse: cosmo-tech/azure-data-explorer-connector
+    authorization:
+      principal-jwt-claim: "sub"
+      tenant-id-jwt-claim: "iss"
+      # Note that the way @Value works in Spring does not make it possible to inject this sole YAML list.
+      # Use CsmPlatformProperties instead !
+      allowed-tenants: []
     vendor: azure
     azure:
+      appIdUri: "http://dev.api.cosmotech.com"
       credentials:
         tenantId:
         clientId:

build.gradle.kts

@@ -17,7 +17,7 @@ plugins {
   id("com.diffplug.spotless") version "5.12.5"
 
   id("org.springframework.boot") version "2.4.5" apply false
-  id("io.spring.dependency-management") version "1.0.11.RELEASE" apply false
+  id("io.spring.dependency-management") version "1.0.11.RELEASE"
 
   id("org.openapi.generator") version "5.1.1" apply false
 
@@ -76,6 +76,8 @@ subprojects {
   apply(plugin = "org.springframework.boot")
   apply(plugin = "io.spring.dependency-management")
 
+  dependencyManagement { imports { mavenBom("com.azure.spring:azure-spring-boot-bom:3.5.0") } }
+
   // Apply some plugins to all projects except 'common'
   if (name != "cosmotech-api-common") {
     apply(plugin = "org.openapi.generator")
@@ -119,9 +121,22 @@ subprojects {
 
     // TODO Extract those dependencies in a 'common/azure' sub-project,
     //  included dynamically if the 'platform' build property is 'azure'
-    implementation("com.azure.spring:azure-spring-boot-starter-cosmos:3.5.0")
-    implementation("com.azure.spring:azure-spring-boot-starter-storage:3.5.0")
     implementation("com.azure:azure-storage-blob-batch:12.9.1")
+    implementation("org.springframework.boot:spring-boot-starter-security")
+    implementation(
+        "org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:2.4.5")
+    implementation("org.springframework.security:spring-security-jwt:1.1.1.RELEASE")
+    implementation("com.azure.spring:azure-spring-boot-starter-cosmos")
+    implementation("com.azure.spring:azure-spring-boot-starter-storage")
+    implementation("com.azure.spring:azure-spring-boot-starter-active-directory")
+    // com.azure.spring:azure-spring-boot-starter-active-directory provides this dependency
+    // transitively,
+    // but its version is incompatible at runtime with what is expected by
+    // spring-security-oauth2-jose
+    implementation("com.nimbusds:nimbus-jose-jwt:9.9.3")
+    implementation("org.springframework.security:spring-security-oauth2-jose:5.5.0")
+    implementation("org.springframework.security:spring-security-oauth2-resource-server:5.5.0")
+    //    implementation("org.springframework.boot:spring-boot-starter-oauth2-client")
 
     testImplementation(kotlin("test"))
     testImplementation("io.mockk:mockk:1.11.0")

common/src/main/kotlin/com/cosmotech/api/config/CsmPlatformProperties.kt

@@ -41,8 +41,26 @@ data class CsmPlatformProperties(
 
     /** Cosmo Tech core images */
     val images: CsmImages,
+
+    /** Authorization Configuration */
+    val authorization: Authorization = Authorization(),
 ) {
 
+  data class Authorization(
+
+      /** The JWT Claim to use to extract a unique identifier for the user account */
+      val principalJwtClaim: String = "sub",
+
+      /** The JWT Claim where the tenant id information is stored */
+      val tenantIdJwtClaim: String = "iss",
+
+      /**
+       * List of additional tenants allowed to register, besides the configured
+       * `csm.platform.azure.credentials.tenantId`
+       */
+      val allowedTenants: List<String> = emptyList()
+  )
+
   data class CsmImages(
       /** Container image to fetch Scenario Parameters */
       val scenarioFetchParameters: String,