Got rid of custom token fetch; implemented check for SAP-provisioned Solace Message Broker.

Author: t-bonk

cds-feature-advanced-event-mesh/src/main/java/com/sap/cds/feature/messaging/aem/client/AemManagementClient.java

@@ -13,8 +13,11 @@
 
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.node.ObjectNode;
+import com.sap.cds.feature.messaging.aem.client.binding.AemAuthorizationServiceView;
+import com.sap.cds.feature.messaging.aem.client.binding.AemEndpointView;
 import com.sap.cds.integration.cloudsdk.rest.client.JsonRestClient;
 import com.sap.cds.integration.cloudsdk.rest.client.JsonRestClientResponseException;
+import com.sap.cds.services.ServiceException;
 import com.sap.cloud.environment.servicebinding.api.ServiceBinding;
 import com.sap.cloud.sdk.cloudplatform.connectivity.ServiceBindingDestinationOptions;
 
@@ -33,17 +36,23 @@ public class AemManagementClient extends JsonRestClient {
 	public static final String ATTR_QUEUE_NAME = "queueName";
 	public static final String ATTR_SUBSCRIPTION_TOPIC = "subscriptionTopic";
 
-	private final ServiceBinding binding;
+	private final AemAuthorizationServiceView authorizationServiceView;
+	private final AemEndpointView endpointView;
 	private final String vpn;
 	private final String owner;
 
 	public AemManagementClient(ServiceBinding binding) {
 		super(ServiceBindingDestinationOptions.forService(binding).build());
-		this.binding = binding;
+		this.authorizationServiceView = new AemAuthorizationServiceView(binding);
+		this.endpointView = new AemEndpointView(binding);
 		this.vpn = getVpn();
 		this.owner = getOwner();
 	}
 
+	public String getEndpoint() {
+		return this.endpointView.getUri().orElseThrow(() -> new ServiceException("Management endpoint not available in binding"));
+	}
+
 	public void removeQueue(String queue) throws IOException {
 		logger.debug("Removing queue {}", queue);
 
@@ -139,7 +148,7 @@ public boolean isTopicSubscribed(JsonNode jsonNode, String queueName, String top
 	}
 
 	private String getVpn() {
-		return (String) this.binding.getCredentials().get("vpn");
+		return this.endpointView.getVpn().get();
 	}
 
 	private String getOwner() {

cds-feature-advanced-event-mesh/src/main/java/com/sap/cds/feature/messaging/aem/client/AemValidationClient.java

@@ -0,0 +1,26 @@
+package com.sap.cds.feature.messaging.aem.client;
+
+import java.io.IOException;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Map;
+
+import com.sap.cds.integration.cloudsdk.rest.client.JsonRestClient;
+import com.sap.cloud.environment.servicebinding.api.ServiceBinding;
+import com.sap.cloud.sdk.cloudplatform.connectivity.ServiceBindingDestinationOptions;
+
+public class AemValidationClient extends JsonRestClient {
+
+	public AemValidationClient(ServiceBinding binding) {
+		super(ServiceBindingDestinationOptions.forService(binding).build());
+	}
+
+	public void validate(String managementUri) throws IOException, URISyntaxException {
+		URI uri = new URI(managementUri);
+		String payload = this.mapper.writeValueAsString(Map.of("hostName", uri.getHost()));
+
+		// The response is not used, only the status code is relevant. If there is a status code not equal to 200,
+		// an exception is thrown which means that the validation failed.
+		postRequest("", payload, Map.of());
+	}
+}

cds-feature-advanced-event-mesh/src/main/java/com/sap/cds/feature/messaging/aem/client/binding/AemClientIdentity.java

@@ -0,0 +1,15 @@
+package com.sap.cds.feature.messaging.aem.client.binding;
+
+record AemClientIdentity(String clientId, String clientSecret)
+		implements com.sap.cloud.security.config.ClientIdentity {
+
+	@Override
+	public String getId() {
+		return this.clientId;
+	}
+
+	@Override
+	public String getSecret() {
+		return this.clientSecret;
+	}
+}

cds-feature-advanced-event-mesh/src/main/java/com/sap/cds/feature/messaging/aem/client/binding/AemOauth2PropertySupplier.java renamed to cds-feature-advanced-event-mesh/src/main/java/com/sap/cds/feature/messaging/aem/client/binding/AemManagementOauth2PropertySupplier.java

@@ -14,7 +14,7 @@
 import com.sap.cloud.sdk.cloudplatform.connectivity.OAuth2ServiceBindingDestinationLoader;
 import com.sap.cloud.sdk.cloudplatform.connectivity.ServiceBindingDestinationOptions;
 
-public class AemOauth2PropertySupplier implements OAuth2PropertySupplier {
+public class AemManagementOauth2PropertySupplier implements OAuth2PropertySupplier {
 
 	private static boolean initialized = false;
 
@@ -27,12 +27,12 @@ public static synchronized void initialize() {
 			OAuth2ServiceBindingDestinationLoader.registerPropertySupplier(
 					options -> ServiceBindingUtils.matches(options.getServiceBinding(),
 							AemMessagingServiceConfiguration.BINDING_AEM_LABEL),
-					AemOauth2PropertySupplier::new);
+					AemManagementOauth2PropertySupplier::new);
 			initialized = true;
 		}
 	}
 
-	public AemOauth2PropertySupplier(@Nonnull ServiceBindingDestinationOptions options) {
+	public AemManagementOauth2PropertySupplier(@Nonnull ServiceBindingDestinationOptions options) {
 		this.binding = options.getServiceBinding();
 		this.authorizationServiceView = new AemAuthorizationServiceView(binding);
 		this.endpointView = new AemEndpointView(binding);
@@ -69,7 +69,7 @@ public URI getTokenUri() {
 	@Nonnull
 	@Override
 	public com.sap.cloud.security.config.ClientIdentity getClientIdentity() {
-		return new ClientIdentity(this.authorizationServiceView.getClientId().get(),
+		return new AemClientIdentity(this.authorizationServiceView.getClientId().get(),
 				this.authorizationServiceView.getClientSecret().get());
 	}
 
@@ -85,17 +85,4 @@ private boolean areOAuth2ParametersPresent(ServiceBinding binding) {
 				&& this.authorizationServiceView.getClientSecret().isPresent();
 	}
 
-	private record ClientIdentity(String clientId, String clientSecret)
-			implements com.sap.cloud.security.config.ClientIdentity {
-
-		@Override
-		public String getId() {
-			return this.clientId;
-		}
-
-		@Override
-		public String getSecret() {
-			return this.clientSecret;
-		}
-	}
 }

cds-feature-advanced-event-mesh/src/main/java/com/sap/cds/feature/messaging/aem/client/binding/AemValidationOAuth2PropertySupplier.java

@@ -0,0 +1,98 @@
+package com.sap.cds.feature.messaging.aem.client.binding;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Map;
+import java.util.Optional;
+
+import com.sap.cds.feature.messaging.aem.service.AemMessagingServiceConfiguration;
+import com.sap.cds.services.ServiceException;
+import com.sap.cds.services.utils.environment.ServiceBindingUtils;
+import com.sap.cloud.sdk.cloudplatform.connectivity.OAuth2PropertySupplier;
+import com.sap.cloud.sdk.cloudplatform.connectivity.OAuth2ServiceBindingDestinationLoader;
+import com.sap.cloud.sdk.cloudplatform.connectivity.ServiceBindingDestinationOptions;
+import com.sap.cloud.security.config.ClientIdentity;
+
+public class AemValidationOAuth2PropertySupplier implements OAuth2PropertySupplier {
+
+	private static boolean initialized = false;
+
+	private final CredentialsView credentialsView;
+
+	public static synchronized void initialize() {
+		if (!initialized) {
+			OAuth2ServiceBindingDestinationLoader.registerPropertySupplier(
+					options -> ServiceBindingUtils.matches(options.getServiceBinding(),
+							AemMessagingServiceConfiguration.BINDING_AEM_VALIDATION_LABEL),
+					AemValidationOAuth2PropertySupplier::new);
+			initialized = true;
+		}
+	}
+
+	protected AemValidationOAuth2PropertySupplier(ServiceBindingDestinationOptions options) {
+		this.credentialsView = new CredentialsView(options.getServiceBinding().getCredentials());
+	}
+
+	@Override
+	public boolean isOAuth2Binding() {
+		return this.credentialsView.getServiceUri().isPresent()
+				&& this.credentialsView.getTokenUri().isPresent()
+				&& this.credentialsView.getClientId().isPresent()
+				&& this.credentialsView.getClientSecret().isPresent();
+	}
+
+	@Override
+	public URI getServiceUri() {
+		try {
+			return new URI(this.credentialsView.getServiceUri().get());
+		} catch (URISyntaxException e) {
+			throw new ServiceException("Invalid AEM Validation Service URI.", e);
+		}
+	}
+
+	@Override
+	public URI getTokenUri() {
+		String uri = this.credentialsView.getTokenUri().get();
+
+		try {
+			return new URI(uri);
+		} catch (URISyntaxException e) {
+			throw new ServiceException("Invalid AEM Validation Service token endpoint URI.", e);
+		}
+	}
+
+	@Override
+	public ClientIdentity getClientIdentity() {
+		return new AemClientIdentity(this.credentialsView.getClientId().get(), this.credentialsView.getClientSecret().get());
+	}
+
+	private record CredentialsView(Map<String, Object> credentials) {
+
+		public Optional<String> getServiceUri() {
+			return getHandshake().map(handshake -> (String) handshake.get("uri"));
+		}
+
+		public Optional<String> getTokenUri() {
+			return getOAuth2().map(oa2 -> (String) oa2.get("tokenendpoint"));
+		}
+
+		public Optional<String> getClientId() {
+			return getOAuth2().map(oa2 -> (String) oa2.get("clientid"));
+		}
+
+		public Optional<String> getClientSecret() {
+			return getOAuth2().map(oa2 -> (String) oa2.get("clientsecret"));
+		}
+
+		@SuppressWarnings("unchecked")
+		private Optional<Map<String, Object>> getHandshake() {
+			return Optional.ofNullable((Map<String, Object>) credentials.get("handshake"));
+		}
+
+		@SuppressWarnings("unchecked")
+		private Optional<Map<String, Object>> getOAuth2() {
+			return getHandshake().map(handshake -> (Map<String, Object>) handshake.get("oa2"));
+		}
+
+	}
+}

cds-feature-advanced-event-mesh/src/main/java/com/sap/cds/feature/messaging/aem/jms/AemMessagingConnectionProvider.java

@@ -9,8 +9,9 @@
 import org.apache.qpid.jms.JmsConnectionFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+
 import com.sap.cds.feature.messaging.aem.client.binding.AemEndpointView;
-import com.sap.cds.feature.messaging.aem.client.binding.AemOauth2PropertySupplier;
+import com.sap.cds.feature.messaging.aem.client.binding.AemManagementOauth2PropertySupplier;
 import com.sap.cds.services.ServiceException;
 import com.sap.cds.services.messaging.jms.BrokerConnection;
 import com.sap.cds.services.messaging.jms.BrokerConnectionProvider;
@@ -39,7 +40,7 @@ public AemMessagingConnectionProvider(ServiceBinding binding) {
 		super(binding.getName().get());
 		this.binding = binding;
 		this.endpointView = new AemEndpointView(binding);
-		OAuth2PropertySupplier supplier = new AemOauth2PropertySupplier(ServiceBindingDestinationOptions.forService(binding).build());
+		OAuth2PropertySupplier supplier = new AemManagementOauth2PropertySupplier(ServiceBindingDestinationOptions.forService(binding).build());
 		this.destination = OAuth2DestinationBuilder
 				.forTargetUrl(this.endpointView.getAmqpUri().get())
 				.withTokenEndpoint(supplier.getTokenUri().toString())

cds-feature-advanced-event-mesh/src/main/java/com/sap/cds/feature/messaging/aem/service/AemMessagingService.java

@@ -3,8 +3,10 @@
 import static com.sap.cds.feature.messaging.aem.client.AemManagementClient.ATTR_DEAD_MSG_QUEUE;
 
 import java.io.IOException;
+import java.net.URISyntaxException;
 import java.util.Collections;
 import java.util.Map;
+import java.util.Optional;
 import java.util.function.Consumer;
 
 import org.apache.qpid.jms.message.JmsBytesMessage;
@@ -15,7 +17,9 @@
 import org.slf4j.LoggerFactory;
 
 import com.sap.cds.feature.messaging.aem.client.AemManagementClient;
+import com.sap.cds.feature.messaging.aem.client.AemValidationClient;
 import com.sap.cds.feature.messaging.aem.jms.AemMessagingConnectionProvider;
+import com.sap.cds.services.ServiceException;
 import com.sap.cds.services.environment.CdsProperties.Messaging.MessagingServiceConfig;
 import com.sap.cds.services.messaging.TopicMessageEventContext;
 import com.sap.cds.services.messaging.jms.BrokerConnection;
@@ -32,14 +36,20 @@ public class AemMessagingService extends AbstractMessagingService {
 
 	private final AemMessagingConnectionProvider connectionProvider;
 	private final AemManagementClient managementClient;
+	private final Optional<ServiceBinding> validationBinding;
 
 	private volatile BrokerConnection connection;
+	private volatile Boolean aemBrokerValidated = false;
+
+	@SuppressWarnings("OptionalUsedAsFieldOrParameterType")
+	protected AemMessagingService(ServiceBinding binding, Optional<ServiceBinding> validationBinding,
+			MessagingServiceConfig serviceConfig, AemMessagingConnectionProvider connectionProvider, CdsRuntime runtime) {
 
-	protected AemMessagingService(ServiceBinding binding, MessagingServiceConfig serviceConfig, AemMessagingConnectionProvider connectionProvider, CdsRuntime runtime) {
 		super(serviceConfig, runtime);
 
 		this.connectionProvider = connectionProvider;
 		this.managementClient = new AemManagementClient(binding);
+		this.validationBinding = validationBinding;
 	}
 
 	@Override
@@ -98,6 +108,7 @@ protected void registerQueueListener(String queue, MessagingBrokerQueueListener
 
 	@Override
 	protected void emitTopicMessage(String topic, TopicMessageEventContext messageEventContext) {
+		this.validate(this.managementClient.getEndpoint());
 		this.connection.emitTopicMessage("topic://" + topic, messageEventContext);
 	}
 
@@ -116,4 +127,23 @@ private String getMessageTopic(Message message) {
 		}
 		return null;
 	}
+
+	private void validate(String endpoint) {
+		synchronized (this.aemBrokerValidated) {
+			if (!this.aemBrokerValidated) {
+				ServiceBinding binding = this.validationBinding.orElseThrow(() -> new ServiceException("No binding for AEM Validation Service found."));
+				AemValidationClient validationClient = new AemValidationClient(binding);
+
+				try {
+					validationClient.validate(endpoint);
+					synchronized (this.aemBrokerValidated) {
+						this.aemBrokerValidated = true;
+					}
+				} catch (IOException | URISyntaxException e) {
+					throw new ServiceException("Failed to validate the AEM endpoint.", e);
+				}
+			}
+		}
+	}
+
 }