feat!: enhance security (#177)

Author: Pasichniuk

.ort.yml

@@ -0,0 +1,29 @@
+---
+excludes:
+  scopes:
+  - pattern: "annotationProcessor"
+    reason: "BUILD_DEPENDENCY_OF"
+    comment: "Packages to process code annotations only."
+  - pattern: "checkstyle"
+    reason: "DEV_DEPENDENCY_OF"
+    comment: "Packages for static code analysis only."
+  - pattern: "lombok"
+    reason: "DEV_DEPENDENCY_OF"
+    comment: "Packages from Project Lombok only."
+  - pattern: "test.*"
+    reason: "TEST_DEPENDENCY_OF"
+    comment: "Packages for testing only."
+resolutions:
+  rule_violations:
+    - message: "The declared license 'The BSD License' could not be mapped to a valid license or parsed as an SPDX expression. The license was found in package 'Maven:org.antlr:ST4:4.3.4'."
+      reason: 'CANT_FIX_EXCEPTION'
+      comment: "The dependency has 'The BSD License' license in github repo"
+    - message: "No license information is available for dependency 'Maven:org.antlr:ST4:4.3.4'."
+      reason: 'CANT_FIX_EXCEPTION'
+      comment: "The dependency has 'The BSD License' license in github repo"
+    - message: "The dependency 'Maven:com.github.jnr:jnr-posix:3.1.21' is licensed under the ScanCode 'copyleft' categorized license GPL-2.0-only."
+      reason: 'CANT_FIX_EXCEPTION'
+      comment: "The dependency has 'tri EPL/GPL/LGPL license' license in github repo"
+    - message: "The declared license 'GNU Lesser General Public License version 3' could not be mapped to a valid license or parsed as an SPDX expression. The license was found in package 'Maven:com.github.jnr:jffi:1.3.14'."
+      reason: 'CANT_FIX_EXCEPTION'
+      comment: "The dependency has 'Apache-2.0 license' license in github repo"

build.gradle

@@ -68,6 +68,7 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
 
     implementation 'com.azure:azure-identity:1.18.0'
+    implementation 'com.azure:azure-identity-extensions:1.2.7'
 
     implementation 'net.javacrumbs.shedlock:shedlock-spring:6.3.0'
     implementation 'net.javacrumbs.shedlock:shedlock-provider-jdbc-template:6.3.0'
@@ -78,6 +79,7 @@ dependencies {
     implementation 'org.flywaydb:flyway-core:11.14.0'
     implementation 'org.flywaydb:flyway-database-postgresql:11.14.0'
     implementation 'org.flywaydb:flyway-sqlserver:11.14.0'
+    implementation 'com.google.cloud.sql:postgres-socket-factory:1.28.0'
 
     implementation 'io.modelcontextprotocol.sdk:mcp:0.15.0'
     implementation 'com.google.cloud.tools:jib-core:0.27.3'
@@ -125,6 +127,7 @@ dependencies {
     testImplementation 'io.jsonwebtoken:jjwt:0.9.1'
     testImplementation 'org.assertj:assertj-core:3.27.7'
     testImplementation 'org.springframework.boot:spring-boot-starter-test'
+    testImplementation 'org.springframework.security:spring-security-test'
     testImplementation 'org.springframework.boot:spring-boot-testcontainers'
     testImplementation "org.testcontainers:junit-jupiter:${testcontainers_version}"
     testImplementation "org.testcontainers:testcontainers:${testcontainers_version}"

docs/configuration.md

@@ -1,26 +1,21 @@
 package com.epam.aidial.deployment.manager.configuration.datasource;
 
-import com.azure.core.credential.TokenCredential;
-import com.azure.core.credential.TokenRequestContext;
-import com.azure.core.implementation.AccessTokenCache;
+import com.zaxxer.hikari.HikariConfig;
+import com.zaxxer.hikari.HikariDataSource;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.jdbc.DataSourceBuilder;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 
-import java.util.function.Supplier;
 import javax.sql.DataSource;
 
-@Configuration
 @Slf4j
+@Configuration
 @ConditionalOnProperty(name = "datasource.vendor", havingValue = "POSTGRES")
 public class PostgresConfiguration {
 
-    private static final String AAD_DATABASE_SCOPE = "https://ossrdbms-aad.database.windows.net/.default";
-    private static final TokenRequestContext TOKEN_REQUEST_CONTEXT = new TokenRequestContext().addScopes(AAD_DATABASE_SCOPE);
-
     @Bean
     @ConditionalOnProperty(value = "datasource.auth.type", havingValue = "basic")
     public DataSource dataSource(@Value("${postgres.datasource.url}") String url,
@@ -37,19 +32,33 @@ public DataSource dataSource(@Value("${postgres.datasource.url}") String url,
 
     @Bean
     @ConditionalOnProperty(value = "datasource.auth.type", havingValue = "azure")
-    public DataSource managedAzureAuthTypeDataSource(@Value("${postgres.datasource.url}") String url,
-                                                     @Value("${postgres.datasource.driver-class-name}") String driverClassName,
-                                                     @Value("${postgres.datasource.username}") String username,
-                                                     TokenCredential tokenCredential) {
-        AccessTokenCache accessTokenCache = new AccessTokenCache(tokenCredential);
-        Supplier<String> passwordProvider = () -> accessTokenCache.getTokenSync(TOKEN_REQUEST_CONTEXT, true).getToken();
-
-        DynamicPasswordHikariDataSource dynamicPasswordHikariDataSource = new DynamicPasswordHikariDataSource(passwordProvider);
-        dynamicPasswordHikariDataSource.setDriverClassName(driverClassName);
-        dynamicPasswordHikariDataSource.setJdbcUrl(url);
-        dynamicPasswordHikariDataSource.setUsername(username);
-
-        return dynamicPasswordHikariDataSource;
+    public DataSource azureAuthTypeDataSource(@Value("${postgres.datasource.url}") String url,
+                                              @Value("${postgres.datasource.driver-class-name}") String driverClassName,
+                                              @Value("${postgres.datasource.username}") String username) {
+        HikariConfig hikariConfig = new HikariConfig();
+
+        hikariConfig.setUsername(username);
+        hikariConfig.setDriverClassName(driverClassName);
+        hikariConfig.setJdbcUrl(url);
+        hikariConfig.addDataSourceProperty("authenticationPluginClassName", "com.azure.identity.extensions.jdbc.postgresql.AzurePostgresqlAuthenticationPlugin");
+
+        return new HikariDataSource(hikariConfig);
+    }
+
+    @Bean
+    @ConditionalOnProperty(value = "datasource.auth.type", havingValue = "gcp")
+    public DataSource gcpAuthTypeDataSource(@Value("${postgres.datasource.url}") String url,
+                                            @Value("${postgres.datasource.driver-class-name}") String driverClassName,
+                                            @Value("${postgres.datasource.username}") String username) {
+        HikariConfig hikariConfig = new HikariConfig();
+
+        hikariConfig.setUsername(username);
+        hikariConfig.setDriverClassName(driverClassName);
+        hikariConfig.setJdbcUrl(url);
+        hikariConfig.addDataSourceProperty("socketFactory", "com.google.cloud.sql.postgres.SocketFactory");
+        hikariConfig.addDataSourceProperty("enableIamAuth", "true");
+
+        return new HikariDataSource(hikariConfig);
     }
 
 }

src/main/java/com/epam/aidial/deployment/manager/configuration/datasource/DynamicPasswordHikariDataSource.java

@@ -1,25 +1,18 @@
 package com.epam.aidial.deployment.manager.service.security;
 
 import com.epam.aidial.deployment.manager.configuration.logging.LogExecution;
+import com.epam.aidial.deployment.manager.web.security.UserSecurityDetails;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.beans.factory.annotation.Value;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.oauth2.jwt.Jwt;
-import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.stereotype.Service;
 
-import java.util.Objects;
-
 @Slf4j
 @Service
 @LogExecution
 public class SecurityClaimsExtractor {
 
-    @Value("${config.rest.security.email-claim}")
-    private String emailClaim;
-
     public String getEmail() {
         SecurityContext context = SecurityContextHolder.getContext();
         if (context == null || context.getAuthentication() == null) {
@@ -28,13 +21,9 @@ public String getEmail() {
         }
         Authentication authentication = context.getAuthentication();
         log.trace("Authentication: {}", authentication);
-        if (context.getAuthentication() instanceof JwtAuthenticationToken jwtAuthenticationToken) {
-            Jwt token = jwtAuthenticationToken.getToken();
-            log.trace("token claims: {}", token.getClaims());
-            Object uniqueName = token.getClaims().get(emailClaim);
-            if (uniqueName != null) {
-                return Objects.toString(uniqueName);
-            }
+
+        if (authentication.getDetails() instanceof UserSecurityDetails(String email)) {
+            return email;
         }
         return null;
     }

src/main/java/com/epam/aidial/deployment/manager/configuration/datasource/PostgresConfiguration.java

@@ -0,0 +1,96 @@
+package com.epam.aidial.deployment.manager.web.security;
+
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.collections4.ListUtils;
+import org.springframework.core.ParameterizedTypeReference;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.RequestEntity;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.core.ClaimAccessor;
+import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
+import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionAuthenticatedPrincipal;
+import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionException;
+import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenIntrospector;
+import org.springframework.web.client.RestTemplate;
+
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+@Slf4j
+@RequiredArgsConstructor
+public class DefaultOpaqueTokenIntrospector implements OpaqueTokenIntrospector {
+
+    private static final ParameterizedTypeReference<Map<String, Object>> STRING_OBJECT_MAP = new ParameterizedTypeReference<>() { };
+
+    private final RestTemplate restTemplate;
+    private final OpaqueTokenProviderConfig config;
+    private final MultiPathGrantedAuthoritiesConverter<ClaimAccessor> multiPathGrantedAuthoritiesConverter;
+    private final String principalClaim;
+    private final Set<String> emailClaims;
+
+    @Override
+    public OAuth2AuthenticatedPrincipal introspect(String token) {
+        Map<String, Object> attributes = introspectToken(token);
+
+        List<GrantedAuthority> grantedAuthorities = extractAuthorities(token, attributes);
+
+        Map<String, Object> newAttributes = new HashMap<>(attributes);
+        newAttributes.put(OpaqueTokenProviderConfig.IDP_CLAIM, config.getName());
+
+        return new OAuth2IntrospectionAuthenticatedPrincipal(
+                (String) attributes.get(principalClaim), newAttributes, grantedAuthorities);
+    }
+
+    private Map<String, Object> introspectToken(String token) {
+        HttpHeaders headers = new HttpHeaders();
+        headers.setBearerAuth(token);
+
+        RequestEntity<Void> requestEntity = RequestEntity.get(config.getUserInfoEndpoint())
+                .headers(headers)
+                .build();
+
+        ResponseEntity<Map<String, Object>> responseEntity = makeRequest(requestEntity);
+
+        if (responseEntity.getStatusCode() != HttpStatus.OK) {
+            log.debug("Introspection endpoint responded with {}. Provider: {}", responseEntity, config);
+            throw new OAuth2IntrospectionException("Introspection endpoint responded with " + responseEntity.getStatusCode());
+        }
+
+        return responseEntity.getBody();
+    }
+
+    private ResponseEntity<Map<String, Object>> makeRequest(RequestEntity<?> requestEntity) {
+        try {
+            return restTemplate.exchange(requestEntity, STRING_OBJECT_MAP);
+        } catch (Exception ex) {
+            log.debug("Token introspection request failed for provider {}", config, ex);
+            throw new OAuth2IntrospectionException(ex.getMessage(), ex);
+        }
+    }
+
+    private List<GrantedAuthority> extractAuthorities(String token, Map<String, Object> attributes) {
+        List<String> roleClaims = config.getRoleClaims();
+        if (isCustomizedRoleClaimsExtraction(roleClaims)) {
+            var converterName = roleClaims.getFirst();
+            var converter = OpaqueTokenCustomGrantedAuthoritiesConverters.CONVERTERS.get(converterName);
+            if (converter == null) {
+                log.debug("Unable to find custom granted authorities converter for provider {}", config);
+                throw new OAuth2IntrospectionException("Unable to find custom granted authorities converter: " + converterName);
+            }
+            var authorityExtractionContext = new OpaqueAuthorityExtractionContext(restTemplate, token, attributes, emailClaims);
+            return converter.apply(authorityExtractionContext);
+        } else {
+            return multiPathGrantedAuthoritiesConverter.convert(() -> attributes);
+        }
+    }
+
+    private boolean isCustomizedRoleClaimsExtraction(List<String> roleClaims) {
+        List<String> safeRoleClaims = ListUtils.emptyIfNull(roleClaims);
+        return safeRoleClaims.size() == 1 && safeRoleClaims.getFirst().startsWith("fn:");
+    }
+}

src/main/java/com/epam/aidial/deployment/manager/service/security/SecurityClaimsExtractor.java

@@ -0,0 +1,98 @@
+package com.epam.aidial.deployment.manager.web.security;
+
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.collections4.CollectionUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.stereotype.Component;
+
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.HashSet;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Set;
+
+@Slf4j
+@Component
+@ConditionalOnProperty(value = "config.rest.security.mode", havingValue = "oidc", matchIfMissing = true)
+public class IdentityProviderUtils {
+
+    private static final String V1_ISSUER_FORMAT = "https://%s/%s/";
+    private static final String V2_ISSUER_FORMAT = "https://%s/%s/v2.0";
+
+    private final Set<String> defaultAllowedRoles;
+    private final String defaultEmailClaim;
+    private final String defaultPrincipalClaim;
+    private final boolean requireEmail;
+
+    public IdentityProviderUtils(
+            @Value("${config.rest.security.default.allowedRoles}") Set<String> defaultAllowedRoles,
+            @Value("${config.rest.security.default.email-claim}") String defaultEmailClaim,
+            @Value("${config.rest.security.default.principal-claim}") String defaultPrincipalClaim,
+            @Value("${config.rest.security.require-email}") boolean requireEmail) {
+        this.defaultAllowedRoles = Set.copyOf(defaultAllowedRoles);
+        this.defaultEmailClaim = defaultEmailClaim;
+        this.defaultPrincipalClaim = defaultPrincipalClaim;
+        this.requireEmail = requireEmail;
+    }
+
+    public Set<String> getAcceptedIssuers(JwtProviderConfig config) {
+        final HashSet<String> acceptedIssuers = new HashSet<>();
+        var issuer = config.getIssuer();
+        if (isValidUrlWithProtocol(issuer)) {
+            acceptedIssuers.add(issuer);
+        } else if (!CollectionUtils.isEmpty(config.getAliases())) {
+            // Only for Azure provider
+            for (final var alias : config.getAliases()) {
+                final var issuerV1Format = String.format(V1_ISSUER_FORMAT, alias, issuer);
+                final var issuerV2Format = String.format(V2_ISSUER_FORMAT, alias, issuer);
+                acceptedIssuers.add(issuerV1Format);
+                acceptedIssuers.add(issuerV2Format);
+            }
+        }
+        return acceptedIssuers;
+    }
+
+    private boolean isValidUrlWithProtocol(final String urlString) {
+        if (StringUtils.isBlank(urlString)) {
+            return false;
+        }
+        try {
+            final var protocol = new URL(urlString).getProtocol();
+            return protocol != null && !protocol.isEmpty();
+        } catch (final MalformedURLException e) {
+            log.debug("Invalid url format for url: {}", urlString, e);
+            return false;
+        }
+    }
+
+    public Set<String> getAllowedRoles(Set<String> allowedRoles) {
+        Set<String> acceptedRoles = new HashSet<>(defaultAllowedRoles);
+        if (allowedRoles != null) {
+            acceptedRoles.addAll(allowedRoles);
+        }
+        return Set.copyOf(acceptedRoles);
+    }
+
+    public Set<String> getEmailClaims(List<String> emailClaims) {
+        Set<String> result = new LinkedHashSet<>();
+
+        if (!CollectionUtils.isEmpty(emailClaims)) {
+            result.addAll(emailClaims);
+        } else if (StringUtils.isNotBlank(defaultEmailClaim)) {
+            result.add(defaultEmailClaim);
+        }
+
+        return result;
+    }
+
+    public String getPrincipalClaim(String principalClaim) {
+        return StringUtils.defaultIfBlank(principalClaim, defaultPrincipalClaim);
+    }
+
+    public boolean isEmailRequired() {
+        return requireEmail;
+    }
+}