Merge pull request #59 from com-pas/basic_api_security

Added role based API access

Author: Dennis Labordus

app/pom.xml

@@ -81,6 +81,10 @@ SPDX-License-Identifier: Apache-2.0
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-hibernate-validator</artifactId>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-oidc</artifactId>
+        </dependency>
 
         <!-- Test Dependencies -->
         <dependency>
@@ -98,6 +102,11 @@ SPDX-License-Identifier: Apache-2.0
             <artifactId>rest-assured</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-test-security-oidc</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-jacoco</artifactId>

app/src/main/java/org/lfenergy/compas/scl/data/rest/Constants.java

@@ -10,4 +10,9 @@ private Constants() {
     public static final String TYPE_PATH_PARAM = "type";
     public static final String ID_PATH_PARAM = "id";
     public static final String VERSION_PATH_PARAM = "version";
+
+    public static final String READ_ROLE = "Read";
+    public static final String CREATE_ROLE = "Create";
+    public static final String UPDATE_ROLE = "Update";
+    public static final String DELETE_ROLE = "Delete";
 }

app/src/main/java/org/lfenergy/compas/scl/data/rest/v1/CompasCommonResource.java

@@ -7,17 +7,21 @@
 import org.lfenergy.compas.scl.data.rest.v1.model.Type;
 import org.lfenergy.compas.scl.data.rest.v1.model.TypeListResponse;
 
+import javax.annotation.security.RolesAllowed;
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.MediaType;
 import java.util.Arrays;
 import java.util.stream.Collectors;
 
+import static org.lfenergy.compas.scl.data.rest.Constants.READ_ROLE;
+
 @Path("/common/v1/")
 public class CompasCommonResource {
     @GET
     @Path("/type/list")
+    @RolesAllowed(READ_ROLE)
     @Produces(MediaType.APPLICATION_XML)
     public TypeListResponse list() {
         var response = new TypeListResponse();

app/src/main/java/org/lfenergy/compas/scl/data/rest/v1/CompasSclDataResource.java

@@ -9,6 +9,7 @@
 import org.lfenergy.compas.scl.data.rest.v1.model.*;
 import org.lfenergy.compas.scl.data.service.CompasSclDataService;
 
+import javax.annotation.security.RolesAllowed;
 import javax.inject.Inject;
 import javax.validation.Valid;
 import javax.ws.rs.*;
@@ -29,6 +30,7 @@ public CompasSclDataResource(CompasSclDataService compasSclDataService) {
     }
 
     @POST
+    @RolesAllowed(CREATE_ROLE)
     @Consumes(MediaType.APPLICATION_XML)
     @Produces(MediaType.APPLICATION_XML)
     public CreateResponse create(@PathParam(TYPE_PATH_PARAM) SclType type,
@@ -40,6 +42,7 @@ public CreateResponse create(@PathParam(TYPE_PATH_PARAM) SclType type,
 
     @GET
     @Path("/list")
+    @RolesAllowed(READ_ROLE)
     @Produces(MediaType.APPLICATION_XML)
     public ListResponse list(@PathParam(TYPE_PATH_PARAM) SclType type) {
         var response = new ListResponse();
@@ -49,6 +52,7 @@ public ListResponse list(@PathParam(TYPE_PATH_PARAM) SclType type) {
 
     @GET
     @Path("/{" + ID_PATH_PARAM + "}/versions")
+    @RolesAllowed(READ_ROLE)
     @Produces(MediaType.APPLICATION_XML)
     public VersionsResponse listVersionsByUUID(@PathParam(TYPE_PATH_PARAM) SclType type,
                                                @PathParam(ID_PATH_PARAM) UUID id) {
@@ -59,6 +63,7 @@ public VersionsResponse listVersionsByUUID(@PathParam(TYPE_PATH_PARAM) SclType t
 
     @GET
     @Path("/{" + ID_PATH_PARAM + "}")
+    @RolesAllowed(READ_ROLE)
     @Produces(MediaType.APPLICATION_XML)
     public GetResponse findByUUID(@PathParam(TYPE_PATH_PARAM) SclType type,
                                   @PathParam(ID_PATH_PARAM) UUID id) {
@@ -69,6 +74,7 @@ public GetResponse findByUUID(@PathParam(TYPE_PATH_PARAM) SclType type,
 
     @GET
     @Path("/{" + ID_PATH_PARAM + "}/{" + VERSION_PATH_PARAM + "}")
+    @RolesAllowed(READ_ROLE)
     @Produces(MediaType.APPLICATION_XML)
     public GetResponse findByUUIDAndVersion(@PathParam(TYPE_PATH_PARAM) SclType type,
                                             @PathParam(ID_PATH_PARAM) UUID id,
@@ -80,6 +86,7 @@ public GetResponse findByUUIDAndVersion(@PathParam(TYPE_PATH_PARAM) SclType type
 
     @GET
     @Path("/{" + ID_PATH_PARAM + "}/scl")
+    @RolesAllowed(READ_ROLE)
     @Produces(MediaType.APPLICATION_XML)
     public String findRawSCLByUUID(@PathParam(TYPE_PATH_PARAM) SclType type,
                                    @PathParam(ID_PATH_PARAM) UUID id) {
@@ -89,6 +96,7 @@ public String findRawSCLByUUID(@PathParam(TYPE_PATH_PARAM) SclType type,
 
     @GET
     @Path("/{" + ID_PATH_PARAM + "}/{" + VERSION_PATH_PARAM + "}/scl")
+    @RolesAllowed(READ_ROLE)
     @Produces(MediaType.APPLICATION_XML)
     public String findRawSCLByUUIDAndVersion(@PathParam(TYPE_PATH_PARAM) SclType type,
                                              @PathParam(ID_PATH_PARAM) UUID id,
@@ -99,6 +107,7 @@ public String findRawSCLByUUIDAndVersion(@PathParam(TYPE_PATH_PARAM) SclType typ
 
     @PUT
     @Path("/{" + ID_PATH_PARAM + "}")
+    @RolesAllowed(UPDATE_ROLE)
     @Consumes(MediaType.APPLICATION_XML)
     @Produces(MediaType.APPLICATION_XML)
     public void update(@PathParam(TYPE_PATH_PARAM) SclType type,
@@ -109,6 +118,7 @@ public void update(@PathParam(TYPE_PATH_PARAM) SclType type,
 
     @DELETE
     @Path("/{" + ID_PATH_PARAM + "}")
+    @RolesAllowed(DELETE_ROLE)
     @Produces(MediaType.APPLICATION_XML)
     public void deleteAll(@PathParam(TYPE_PATH_PARAM) SclType type,
                           @PathParam(ID_PATH_PARAM) UUID id) {
@@ -117,6 +127,7 @@ public void deleteAll(@PathParam(TYPE_PATH_PARAM) SclType type,
 
     @DELETE
     @Path("/{" + ID_PATH_PARAM + "}/{" + VERSION_PATH_PARAM + "}")
+    @RolesAllowed(DELETE_ROLE)
     @Produces(MediaType.APPLICATION_XML)
     public void deleteVersion(@PathParam(TYPE_PATH_PARAM) SclType type,
                               @PathParam(ID_PATH_PARAM) UUID id,

app/src/main/resources/application.properties

@@ -21,3 +21,7 @@ basex.password          = ${BASEX_PASSWORD:admin}
 
 %dev.quarkus.log.level = DEBUG
 %dev.quarkus.log.category."org.lfenergy.compas.scl.data".level = DEBUG
+
+# Open ID Connect
+quarkus.oidc.auth-server-url = http://${KEYCLOAK_HOST:localhost}:${KEYCLOAK_PORT:8080}/auth/realms/${KEYCLOAK_REALM:compas}
+quarkus.oidc.client-id       = scl-data-service

app/src/test/java/org/lfenergy/compas/scl/data/rest/v1/CompasCommonResourceTest.java

@@ -5,16 +5,19 @@
 
 import io.quarkus.test.common.http.TestHTTPEndpoint;
 import io.quarkus.test.junit.QuarkusTest;
+import io.quarkus.test.security.TestSecurity;
 import org.junit.jupiter.api.Test;
 import org.lfenergy.compas.scl.data.model.SclType;
 
 import static io.restassured.RestAssured.given;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.lfenergy.compas.scl.data.rest.Constants.READ_ROLE;
 
 @QuarkusTest
 @TestHTTPEndpoint(CompasCommonResource.class)
 class CompasCommonResourceTest {
     @Test
+    @TestSecurity(user = "test-user", roles = {READ_ROLE})
     void list_WhenCalled_ThenItemResponseRetrieved() {
         var response = given()
                 .when().get("/type/list")

app/src/test/java/org/lfenergy/compas/scl/data/rest/v1/CompasSclDataResourceTest.java

@@ -6,6 +6,7 @@
 import io.quarkus.test.common.http.TestHTTPEndpoint;
 import io.quarkus.test.junit.QuarkusTest;
 import io.quarkus.test.junit.mockito.InjectMock;
+import io.quarkus.test.security.TestSecurity;
 import io.restassured.http.ContentType;
 import org.junit.jupiter.api.Test;
 import org.lfenergy.compas.core.commons.ElementConverter;
@@ -39,6 +40,7 @@ class CompasSclDataResourceTest {
     private final ElementConverter converter = new ElementConverter();
 
     @Test
+    @TestSecurity(user = "test-user", roles = {READ_ROLE})
     void list_WhenCalled_ThenItemResponseRetrieved() {
         var type = SclType.SCD;
         var uuid = UUID.randomUUID();
@@ -64,6 +66,7 @@ void list_WhenCalled_ThenItemResponseRetrieved() {
     }
 
     @Test
+    @TestSecurity(user = "test-user", roles = {READ_ROLE})
     void listVersionsByUUID_WhenCalled_ThenItemResponseRetrieved() {
         var type = SclType.SCD;
         var uuid = UUID.randomUUID();
@@ -90,6 +93,7 @@ void listVersionsByUUID_WhenCalled_ThenItemResponseRetrieved() {
     }
 
     @Test
+    @TestSecurity(user = "test-user", roles = {READ_ROLE})
     void findByUUID_WhenCalled_ThenSCLResponseRetrieved() {
         var type = SclType.SCD;
         var uuid = UUID.randomUUID();
@@ -113,6 +117,7 @@ void findByUUID_WhenCalled_ThenSCLResponseRetrieved() {
     }
 
     @Test
+    @TestSecurity(user = "test-user", roles = {READ_ROLE})
     void findByUUIDAndVersion_WhenCalled_ThenSCLResponseRetrieved() {
         var type = SclType.SCD;
         var uuid = UUID.randomUUID();
@@ -138,6 +143,7 @@ void findByUUIDAndVersion_WhenCalled_ThenSCLResponseRetrieved() {
     }
 
     @Test
+    @TestSecurity(user = "test-user", roles = {READ_ROLE})
     void findRawSCLByUUID_WhenCalledOnlySCL_ThenSCLRetrieved() {
         var type = SclType.SCD;
         var uuid = UUID.randomUUID();
@@ -161,6 +167,7 @@ void findRawSCLByUUID_WhenCalledOnlySCL_ThenSCLRetrieved() {
     }
 
     @Test
+    @TestSecurity(user = "test-user", roles = {READ_ROLE})
     void findRawSCLByUUIDAndVersion_WhenCalled_ThenSCLRetrieved() {
         var type = SclType.SCD;
         var uuid = UUID.randomUUID();
@@ -186,6 +193,7 @@ void findRawSCLByUUIDAndVersion_WhenCalled_ThenSCLRetrieved() {
     }
 
     @Test
+    @TestSecurity(user = "test-user", roles = {CREATE_ROLE})
     void create_WhenCalled_ThenServiceCalledAndUUIDRetrieved() {
         var uuid = UUID.randomUUID();
         var type = SclType.SCD;
@@ -214,6 +222,7 @@ void create_WhenCalled_ThenServiceCalledAndUUIDRetrieved() {
     }
 
     @Test
+    @TestSecurity(user = "test-user", roles = {UPDATE_ROLE})
     void update_WhenCalled_ThenServiceCalledAndNewUUIDRetrieved() {
         var uuid = UUID.randomUUID();
         var type = SclType.SCD;
@@ -240,6 +249,7 @@ void update_WhenCalled_ThenServiceCalledAndNewUUIDRetrieved() {
     }
 
     @Test
+    @TestSecurity(user = "test-user", roles = {DELETE_ROLE})
     void deleteAll_WhenCalled_ThenServiceCalled() {
         var uuid = UUID.randomUUID();
         var type = SclType.SCD;
@@ -257,6 +267,7 @@ void deleteAll_WhenCalled_ThenServiceCalled() {
     }
 
     @Test
+    @TestSecurity(user = "test-user", roles = {DELETE_ROLE})
     void deleteVersion_WhenCalled_ThenServiceCalled() {
         var uuid = UUID.randomUUID();
         var type = SclType.SCD;