Feature/p002271 6646 modification count and security

pom.xml

@@ -54,7 +54,10 @@
             <groupId>org.tkit.quarkus.lib</groupId>
             <artifactId>tkit-quarkus-rest</artifactId>
         </dependency>
-
+        <dependency>
+            <groupId>org.tkit.quarkus.lib</groupId>
+            <artifactId>tkit-quarkus-rest-context</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.mapstruct</groupId>
             <artifactId>mapstruct</artifactId>
@@ -72,6 +75,22 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-micrometer-registry-prometheus</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.tkit.onecx.quarkus</groupId>
+            <artifactId>onecx-permissions</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-oidc</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-oidc-client-reactive-filter</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.tkit.quarkus.lib</groupId>
+            <artifactId>tkit-quarkus-security</artifactId>
+        </dependency>
 
         <!-- DEV -->
         <dependency>
@@ -97,6 +116,11 @@
             <artifactId>swagger-parser</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-test-keycloak-server</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>
@@ -118,6 +142,7 @@
                     </execution>
                 </executions>
                 <configuration>
+                    <additionalProperties>onecx-permissions=true</additionalProperties>
                     <generatorName>jaxrs-spec</generatorName>
                     <apiNameSuffix>ApiService</apiNameSuffix>
                     <modelNameSuffix>DTO</modelNameSuffix>

src/main/helm/values.yaml

@@ -3,4 +3,14 @@ app:
   image:
     repository: "onecx/onecx-announcement-bff"
   db:
-    enabled: true
+    enabled: true
+  operator:
+    # Permission
+    permission:
+      enabled: true
+      spec:
+        permissions:
+          announcements:
+            read: permission on all GET requests and POST search
+            write: permission on PUT, POST, PATCH requests, where objects are saved or updated
+            delete: permission on all DELETE requests

src/main/java/org/tkit/onecx/announcement/bff/rs/controller/AnnouncementRestController.java

@@ -15,10 +15,10 @@
 import org.tkit.onecx.announcement.bff.rs.mappers.ProblemDetailMapper;
 import org.tkit.quarkus.log.cdi.LogService;
 
-import gen.org.tkit.onecx.announcement.bff.clients.api.AnnouncementInternalApi;
-import gen.org.tkit.onecx.announcement.bff.clients.model.*;
 import gen.org.tkit.onecx.announcement.bff.rs.internal.AnnouncementInternalApiService;
 import gen.org.tkit.onecx.announcement.bff.rs.internal.model.*;
+import gen.org.tkit.onecx.announcement.client.api.AnnouncementInternalApi;
+import gen.org.tkit.onecx.announcement.client.model.*;
 
 @ApplicationScoped
 @Transactional(value = Transactional.TxType.NOT_SUPPORTED)

src/main/java/org/tkit/onecx/announcement/bff/rs/mappers/AnnouncementMapper.java

@@ -4,8 +4,8 @@
 import org.mapstruct.Mapping;
 import org.tkit.quarkus.rs.mappers.OffsetDateTimeMapper;
 
-import gen.org.tkit.onecx.announcement.bff.clients.model.*;
 import gen.org.tkit.onecx.announcement.bff.rs.internal.model.*;
+import gen.org.tkit.onecx.announcement.client.model.*;
 
 @Mapper(uses = { OffsetDateTimeMapper.class })
 public interface AnnouncementMapper {

src/main/java/org/tkit/onecx/announcement/bff/rs/mappers/ProblemDetailMapper.java

@@ -4,8 +4,8 @@
 import org.mapstruct.Mapping;
 import org.tkit.quarkus.rs.mappers.OffsetDateTimeMapper;
 
-import gen.org.tkit.onecx.announcement.bff.clients.model.ProblemDetailResponse;
 import gen.org.tkit.onecx.announcement.bff.rs.internal.model.ProblemDetailResponseDTO;
+import gen.org.tkit.onecx.announcement.client.model.ProblemDetailResponse;
 
 @Mapper(uses = { OffsetDateTimeMapper.class })
 public interface ProblemDetailMapper {

src/main/openapi/openapi-announcement-bff.yaml

@@ -10,6 +10,10 @@ tags:
 paths:
   /announcements/search:
     post:
+      x-onecx:
+        permissions:
+          announcements:
+            - read
       tags:
         - AnnouncementInternal
       summary: Find announcements by criteria
@@ -37,6 +41,10 @@ paths:
                 $ref: '#/components/schemas/ProblemDetailResponse'
   /announcements:
     post:
+      x-onecx:
+        permissions:
+          announcements:
+            - write
       tags:
         - AnnouncementInternal
       summary: Create announcement
@@ -68,6 +76,10 @@ paths:
                 $ref: '#/components/schemas/ProblemDetailResponse'
   /announcements/appIds:
     get:
+      x-onecx:
+        permissions:
+          announcements:
+            - read
       tags:
         - AnnouncementInternal
       summary: Get all application IDs to which announcements are assigned
@@ -81,6 +93,10 @@ paths:
                 $ref: '#/components/schemas/AnnouncementApps'
   /announcements/{id}:
     get:
+      x-onecx:
+        permissions:
+          announcements:
+            - read
       tags:
         - AnnouncementInternal
       summary: Retrieve announcement by id
@@ -99,6 +115,10 @@ paths:
               schema:
                 $ref: '#/components/schemas/Announcement'
     delete:
+      x-onecx:
+        permissions:
+          announcements:
+            - delete
       tags:
         - AnnouncementInternal
       summary: Delete announcement
@@ -113,6 +133,10 @@ paths:
         "204":
           description: No content
     put:
+      x-onecx:
+        permissions:
+          announcements:
+            - write
       tags:
         - AnnouncementInternal
       summary: Patch/update announcement
@@ -211,7 +235,11 @@ components:
       required:
         - title
         - startDate
+        - modificationCount
       properties:
+        modificationCount:
+          format: int32
+          type: integer
         title:
           type: string
         content:

src/main/resources/application.properties

@@ -1,14 +1,22 @@
+# AUTHENTICATION
+quarkus.http.auth.permission.health.paths=/q/*
+quarkus.http.auth.permission.health.policy=permit
+quarkus.http.auth.permission.default.paths=/*
+quarkus.http.auth.permission.default.policy=authenticated
+onecx.permissions.application-id=${quarkus.application.name}
+
 # propagate the apm-principal-token from requests we receive
 org.eclipse.microprofile.rest.client.propagateHeaders=apm-principal-token
 
 # PROD
 %prod.quarkus.rest-client.onecx_announcement_svc.url=http://onecx-announcement-svc:8080
+%prod.quarkus.oidc-client.client-id=${quarkus.application.name}
 
 # BUILD
 quarkus.openapi-generator.codegen.input-base-dir=target/tmp/openapi
 
 quarkus.openapi-generator.codegen.spec.onecx_announcement_svc_yaml.config-key=onecx_announcement_svc
-quarkus.openapi-generator.codegen.spec.onecx_announcement_svc_yaml.base-package=gen.org.tkit.onecx.announcement.bff.clients
+quarkus.openapi-generator.codegen.spec.onecx_announcement_svc_yaml.base-package=gen.org.tkit.onecx.announcement.client
 quarkus.openapi-generator.codegen.spec.onecx_announcement_svc_yaml.return-response=true
 quarkus.openapi-generator.codegen.spec.onecx_announcement_svc.additional-api-type-annotations=@org.eclipse.microprofile.rest.client.annotation.RegisterClientHeaders;
 
@@ -27,7 +35,16 @@ quarkus.test.integration-test-profile=test
 %test.quarkus.mockserver.devservices.config-file=/mockserver.properties
 %test.quarkus.mockserver.devservices.config-dir=/mockserver
 %test.quarkus.rest-client.onecx_announcement_svc.url=${quarkus.mockserver.endpoint}
-
+%test.tkit.rs.context.token.header-param=apm-principal-token
+%test.tkit.rs.context.token.enabled=false
+%test.quarkus.rest-client.onecx_announcement_svc.providers=io.quarkus.oidc.client.reactive.filter.OidcClientRequestReactiveFilter
+%test.tkit.rs.context.tenant-id.mock.claim-org-id=orgId
+%test.quarkus.rest-client.onecx_permission.url=${quarkus.mockserver.endpoint}
+%test.quarkus.keycloak.devservices.roles.alice=role-admin
+%test.quarkus.keycloak.devservices.roles.bob=role-user
+%test.quarkus.oidc-client.auth-server-url=${quarkus.oidc.auth-server-url}
+%test.quarkus.oidc-client.client-id=${quarkus.oidc.client-id}
+%test.quarkus.oidc-client.credentials.secret=${quarkus.oidc.credentials.secret}
 # PIPE CONFIG
 
 

src/test/java/org/tkit/onecx/announcement/bff/rs/AbstractTest.java

@@ -1,18 +1,30 @@
 package org.tkit.onecx.announcement.bff.rs;
 
+import org.eclipse.microprofile.config.ConfigProvider;
+
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 
 import io.quarkiverse.mockserver.test.MockServerTestResource;
 import io.quarkus.test.common.QuarkusTestResource;
+import io.quarkus.test.keycloak.client.KeycloakTestClient;
 import io.restassured.RestAssured;
 import io.restassured.config.ObjectMapperConfig;
 import io.restassured.config.RestAssuredConfig;
 
 @QuarkusTestResource(MockServerTestResource.class)
 public abstract class AbstractTest {
 
+    protected static final String ADMIN = "alice";
+
+    protected static final String USER = "bob";
+
+    KeycloakTestClient keycloakClient = new KeycloakTestClient();
+
+    protected static final String APM_HEADER_PARAM = ConfigProvider.getConfig()
+            .getValue("%test.tkit.rs.context.token.header-param", String.class);
+
     static {
         RestAssured.config = RestAssuredConfig.config().objectMapperConfig(
                 ObjectMapperConfig.objectMapperConfig().jackson2ObjectMapperFactory(