Basic Spring-Boot sample app to create JWT tokens for dynamic log levels

This is work in progress. The JKS should be created automatically. API description
needs to be improved. Security (Basic-Auth) needs to be added.

Author: KarstenSchnitter

pom.xml

@@ -192,6 +192,7 @@
         <module>cf-java-logging-support-jersey</module>
         <module>cf-java-monitoring-custom-metrics-clients</module>
         <module>sample</module>
+        <module>sample-spring-boot</module>
     </modules>
 
     <dependencies>

sample-spring-boot/pom.xml

@@ -0,0 +1,131 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+	<artifactId>sample-app-spring-boot</artifactId>
+	<name>sample-app-spring-boot</name>
+	<description>Logging Sample App for Spring Boot</description>
+	<parent>
+		<groupId>com.sap.hcp.cf.logging</groupId>
+		<artifactId>cf-java-logging-support-parent</artifactId>
+		<version>3.2.1</version>
+		<relativePath>../pom.xml</relativePath>
+	</parent>
+
+	<properties>
+		<java.version>11</java.version>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+		<maven.compiler.source>11</maven.compiler.source>
+		<maven.compiler.target>11</maven.compiler.target>
+		<spring.boot.version>2.3.4.RELEASE</spring.boot.version>
+	</properties>
+
+	<dependencyManagement>
+		<dependencies>
+			<dependency>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-dependencies</artifactId>
+				<version>${spring.boot.version}</version>
+				<type>pom</type>
+				<scope>import</scope>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-actuator</artifactId>
+			<exclusions>
+				<exclusion>
+					<groupId>org.springframework.boot</groupId>
+					<artifactId>spring-boot-starter-logging</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+			<exclusions>
+				<exclusion>
+					<groupId>org.springframework.boot</groupId>
+					<artifactId>spring-boot-starter-logging</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-configuration-processor</artifactId>
+			<optional>true</optional>
+		</dependency>
+
+		<!-- We're using the Servlet Filter instrumentation -->
+		<dependency>
+			<groupId>com.sap.hcp.cf.logging</groupId>
+			<artifactId>cf-java-logging-support-servlet</artifactId>
+			<version>${project.version}</version>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+			<exclusions>
+				<exclusion>
+					<groupId>org.junit.vintage</groupId>
+					<artifactId>junit-vintage-engine</artifactId>
+				</exclusion>
+			</exclusions>
+		</dependency>
+	</dependencies>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+
+	<profiles>
+		<profile>
+			<id>logback</id>
+			<activation>
+				<activeByDefault>true</activeByDefault>
+			</activation>
+
+			<dependencies>
+				<dependency>
+					<groupId>org.springframework.boot</groupId>
+					<artifactId>spring-boot-starter-logging</artifactId>
+				</dependency>
+				<dependency>
+					<groupId>com.sap.hcp.cf.logging</groupId>
+					<artifactId>cf-java-logging-support-logback</artifactId>
+					<version>${project.version}</version>
+				</dependency>
+			</dependencies>
+		</profile>
+		<profile>
+			<id>log4j2</id>
+			<activation>
+				<activeByDefault>false</activeByDefault>
+			</activation>
+
+			<dependencies>
+				<dependency>
+					<groupId>org.springframework.boot</groupId>
+					<artifactId>spring-boot-starter-log4j2</artifactId>
+				</dependency>
+				<dependency>
+					<groupId>com.sap.hcp.cf.logging</groupId>
+					<artifactId>cf-java-logging-support-log4j2</artifactId>
+					<version>${project.version}</version>
+				</dependency>
+			</dependencies>
+		</profile>
+	</profiles>
+
+</project>

sample-spring-boot/src/main/java/com/sap/hcp/cf/logging/sample/springboot/SampleAppSpringBootApplication.java

@@ -0,0 +1,51 @@
+package com.sap.hcp.cf.logging.sample.springboot;
+
+import java.time.Clock;
+
+import javax.servlet.DispatcherType;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.web.servlet.config.annotation.EnableWebMvc;
+
+import com.sap.hcp.cf.logging.sample.springboot.keystore.KeyStoreDynLogConfiguration;
+import com.sap.hcp.cf.logging.servlet.dynlog.DynLogConfiguration;
+import com.sap.hcp.cf.logging.servlet.filter.RequestLoggingFilter;
+
+@SpringBootApplication
+@EnableWebMvc
+public class SampleAppSpringBootApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(SampleAppSpringBootApplication.class, args);
+	}
+
+	/**
+	 * Registers a customized {@link RequestLoggingFilter} with the servlet.
+	 * We inject our own dynamic logging configuration, that contains the public RSA key from our keystore.
+	 * 
+	 * @param dynLogConfig autowired with {@link KeyStoreDynLogConfiguration}
+	 * @return a registration of the {@link RequestLoggingFilter}
+	 */
+	@Bean
+	public FilterRegistrationBean<RequestLoggingFilter> loggingFilter(@Autowired DynLogConfiguration dynLogConfig) {
+		FilterRegistrationBean<RequestLoggingFilter> registrationBean = new FilterRegistrationBean<>();
+		registrationBean.setFilter(new RequestLoggingFilter(() -> dynLogConfig));
+		registrationBean.setName("request-logging");
+		registrationBean.addUrlPatterns("/*");
+		registrationBean.setDispatcherTypes(DispatcherType.REQUEST);
+		return registrationBean;
+	}
+
+	/**
+	 * Provides a global {@link Clock} instance. Useful for testing.
+	 * @return the global clock
+	 */
+	@Bean
+	public Clock clock() {
+		return Clock.systemUTC();
+	}
+}

sample-spring-boot/src/main/java/com/sap/hcp/cf/logging/sample/springboot/config/KeyStoreConfiguration.java

@@ -0,0 +1,56 @@
+package com.sap.hcp.cf.logging.sample.springboot.config;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@ConfigurationProperties(prefix = "keystore.token")
+public class KeyStoreConfiguration {
+
+	private String location;
+	private String type;
+	private char[] password;
+	private String keyAlias;
+	private char[] keyPassword;
+
+	public String getType() {
+		return type;
+	}
+
+	public String getLocation() {
+		return location;
+	}
+
+	public char[] getPassword() {
+		return password;
+	}
+
+	public String getKeyAlias() {
+		return keyAlias;
+	}
+
+	public void setLocation(String location) {
+		this.location = location;
+	}
+
+	public void setType(String type) {
+		this.type = type;
+	}
+
+	public void setPassword(char[] password) {
+		this.password = password;
+	}
+
+	public void setKeyAlias(String keyAlias) {
+		this.keyAlias = keyAlias;
+	}
+
+	public void setKeyPassword(char[] keyPassword) {
+		this.keyPassword = keyPassword;
+	}
+
+	public char[] getKeyPassword() {
+		return keyPassword;
+	}
+
+}

sample-spring-boot/src/main/java/com/sap/hcp/cf/logging/sample/springboot/config/TokenDefaultsConfiguration.java

@@ -0,0 +1,31 @@
+package com.sap.hcp.cf.logging.sample.springboot.config;
+
+import java.time.Duration;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@ConfigurationProperties(prefix = "defaults.token")
+public class TokenDefaultsConfiguration {
+
+	private Duration expiration;
+	private String issuer;
+
+	public Duration getExpiration() {
+		return expiration;
+	}
+
+	public void setExpiration(String expiration) {
+		this.expiration = Duration.parse(expiration);
+	}
+
+	public String getIssuer() {
+		return issuer;
+	}
+
+	public void setIssuer(String issuer) {
+		this.issuer = issuer;
+	}
+
+}

sample-spring-boot/src/main/java/com/sap/hcp/cf/logging/sample/springboot/controller/TokenController.java

@@ -0,0 +1,70 @@
+package com.sap.hcp.cf.logging.sample.springboot.controller;
+
+import java.time.Clock;
+import java.time.Instant;
+import java.util.Optional;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+import com.sap.hcp.cf.logging.sample.springboot.config.TokenDefaultsConfiguration;
+import com.sap.hcp.cf.logging.sample.springboot.service.TokenGenerator;
+
+/**
+ * This controller provides and endpoint to create new JWT tokens. These token
+ * can be used as headers of HTTP request to dynamically switch the log level.
+ */
+@RestController
+public class TokenController {
+
+	private static final Logger LOG = LoggerFactory.getLogger(TokenController.class);
+
+	private Clock clock;
+	private TokenGenerator generator;
+	private TokenDefaultsConfiguration defaults;
+
+	public TokenController(@Autowired Clock clock, @Autowired TokenGenerator generator,
+			@Autowired TokenDefaultsConfiguration defaults) {
+		this.clock = clock;
+		this.generator = generator;
+		this.defaults = defaults;
+	}
+
+	/**
+	 * Return a JWT for changing the log level dynamically. It uses the keys
+	 * provided by the keystore to sign the JWT.
+	 * 
+	 * @param logLevel       the log level to use when JWT is applied
+	 * @param expiresAtParam (optional) the expiration of the JWT in epoch
+	 *                       milliseconds
+	 * @param packages       (optional) the comma-separated list of packages for
+	 *                       which the log levels should be changed
+	 * @return the signed JWT to be used as HTTP header
+	 */
+	@GetMapping("/token/{logLevel}")
+	public String createToken(@PathVariable("logLevel") String logLevel,
+			@RequestParam(name = "exp") Optional<Long> expiresAtParam,
+			@RequestParam(name = "p") Optional<String> packages) {
+		Instant expiresAt = getExpiryOrDefault(expiresAtParam);
+		Instant issuedAt = clock.instant();
+		return generator.create(logLevel, packages, expiresAt, issuedAt);
+	}
+
+	private Instant getExpiryOrDefault(Optional<Long> expiresAtParam) {
+		if (expiresAtParam.isPresent()) {
+			Instant result = expiresAtParam.map(Instant::ofEpochMilli).get();
+			LOG.debug("Using user provided expiration at {}.", result);
+			return result;
+		}
+		Instant result = clock.instant().plus(defaults.getExpiration());
+		LOG.debug("Using default expiration to calculate {}.", result);
+		return result;
+
+	}
+
+}

sample-spring-boot/src/main/java/com/sap/hcp/cf/logging/sample/springboot/keystore/KeyStoreDynLogConfiguration.java

@@ -0,0 +1,39 @@
+package com.sap.hcp.cf.logging.sample.springboot.keystore;
+
+import java.security.interfaces.RSAPublicKey;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import com.sap.hcp.cf.logging.servlet.dynlog.DynLogConfiguration;
+
+/**
+ * Provides the public key for JWT validation out of the keystore.
+ * Otherwise adheres to the configuration by environment variables.
+ *
+ */
+@Component
+public class KeyStoreDynLogConfiguration implements DynLogConfiguration {
+
+	private TokenKeyProvider keyProvider;
+	private String dynLogHeaderKey;
+
+	public KeyStoreDynLogConfiguration(@Autowired TokenKeyProvider keyProvider,
+			@Value("${DYN_LOG_HEADER:SAP-LOG-LEVEL}") String dynLogHeaderKey) {
+		this.keyProvider = keyProvider;
+		this.dynLogHeaderKey = dynLogHeaderKey;
+	}
+
+	@Override
+	public String getDynLogHeaderKey() {
+		return dynLogHeaderKey;
+	}
+
+	@Override
+	public RSAPublicKey getRsaPublicKey() {
+		String keyId = keyProvider.getPrivateKeyId();
+		return keyProvider.getPublicKeyById(keyId);
+	}
+
+}