feat: add security to bff

.gitignore

@@ -42,3 +42,6 @@ nb-configuration.xml
 # Plugin directory
 /.quarkus/cli/plugins/
 
+# Charts dependencies
+Chart.lock
+/src/main/helm/charts

pom.xml

@@ -86,6 +86,22 @@
             <groupId>io.quarkus</groupId>
             <artifactId>quarkus-oidc-client-reactive-filter</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.tkit.onecx.quarkus</groupId>
+            <artifactId>onecx-permissions</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.tkit.quarkus.lib</groupId>
+            <artifactId>tkit-quarkus-security</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-oidc</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-oidc-client-reactive-filter</artifactId>
+        </dependency>
         <!-- DEV -->
         <dependency>
             <groupId>io.quarkiverse.mockserver</groupId>
@@ -110,6 +126,11 @@
             <artifactId>swagger-parser</artifactId>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-test-keycloak-server</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>
@@ -131,6 +152,7 @@
                     </execution>
                 </executions>
                 <configuration>
+                    <additionalProperties>onecx-permissions=true</additionalProperties>
                     <generatorName>jaxrs-spec</generatorName>
                     <apiNameSuffix>ApiService</apiNameSuffix>
                     <modelNameSuffix>DTO</modelNameSuffix>

src/main/helm/values.yaml

@@ -2,3 +2,17 @@ app:
   name: bff
   image:
     repository: "onecx/onecx-help-bff"
+  operator:
+    # Permission
+    permission:
+      enabled: true
+      spec:
+        permissions:
+          helps:
+            read: permission on all GET requests and POST search
+            write: permission on PUT, POST, PATCH requests, where objects are saved or updated
+            delete: permission on all DELETE requests
+    keycloak:
+      client:
+        enabled: true
+        password: "my-custom-password"

src/main/java/org/tkit/onecx/help/bff/rs/controller/HelpRestController.java

@@ -15,13 +15,13 @@
 import org.tkit.onecx.help.bff.rs.mappers.ProblemDetailMapper;
 import org.tkit.quarkus.log.cdi.LogService;
 
-import gen.org.tkit.onecx.help.bff.clients.api.HelpsInternalApi;
-import gen.org.tkit.onecx.help.bff.clients.model.Help;
-import gen.org.tkit.onecx.help.bff.clients.model.HelpAppIds;
-import gen.org.tkit.onecx.help.bff.clients.model.HelpPageResult;
-import gen.org.tkit.onecx.help.bff.clients.model.ProblemDetailResponse;
 import gen.org.tkit.onecx.help.bff.rs.internal.HelpsInternalApiService;
 import gen.org.tkit.onecx.help.bff.rs.internal.model.*;
+import gen.org.tkit.onecx.help.client.api.HelpsInternalApi;
+import gen.org.tkit.onecx.help.client.model.Help;
+import gen.org.tkit.onecx.help.client.model.HelpAppIds;
+import gen.org.tkit.onecx.help.client.model.HelpPageResult;
+import gen.org.tkit.onecx.help.client.model.ProblemDetailResponse;
 
 @ApplicationScoped
 @Transactional(value = Transactional.TxType.NOT_SUPPORTED)

src/main/java/org/tkit/onecx/help/bff/rs/mappers/HelpMapper.java

@@ -4,8 +4,8 @@
 import org.mapstruct.Mapping;
 import org.tkit.quarkus.rs.mappers.OffsetDateTimeMapper;
 
-import gen.org.tkit.onecx.help.bff.clients.model.*;
 import gen.org.tkit.onecx.help.bff.rs.internal.model.*;
+import gen.org.tkit.onecx.help.client.model.*;
 
 @Mapper(uses = { OffsetDateTimeMapper.class })
 public interface HelpMapper {

src/main/java/org/tkit/onecx/help/bff/rs/mappers/ProblemDetailMapper.java

@@ -4,8 +4,8 @@
 import org.mapstruct.Mapping;
 import org.tkit.quarkus.rs.mappers.OffsetDateTimeMapper;
 
-import gen.org.tkit.onecx.help.bff.clients.model.ProblemDetailResponse;
 import gen.org.tkit.onecx.help.bff.rs.internal.model.ProblemDetailResponseDTO;
+import gen.org.tkit.onecx.help.client.model.ProblemDetailResponse;
 
 @Mapper(uses = { OffsetDateTimeMapper.class })
 public interface ProblemDetailMapper {

src/main/openapi/openapi-help-bff.yaml

@@ -10,6 +10,10 @@ tags:
 paths:
   /helps:
     post:
+      x-onecx:
+        permissions:
+          helps:
+            - write
       tags:
         - helpsInternal
       description: Create new help
@@ -41,6 +45,10 @@ paths:
                 $ref: '#/components/schemas/ProblemDetailResponse'
   /helps/appIds:
     get:
+      x-onecx:
+        permissions:
+          helps:
+            - read
       tags:
         - helpsInternal
       summary: Get all application IDs to which help items are assigned
@@ -54,6 +62,10 @@ paths:
                 $ref: '#/components/schemas/HelpAppIds'
   /helps/{id}:
     get:
+      x-onecx:
+        permissions:
+          helps:
+            - read
       tags:
         - helpsInternal
       description: Return help by ID
@@ -74,6 +86,10 @@ paths:
         "404":
           description: Not found
     put:
+      x-onecx:
+        permissions:
+          helps:
+            - write
       tags:
         - helpsInternal
       description: Update help by ID
@@ -102,6 +118,10 @@ paths:
         "404":
           description: Help not found
     delete:
+      x-onecx:
+        permissions:
+          helps:
+            - delete
       tags:
         - helpsInternal
       description: Delete help by ID
@@ -117,6 +137,10 @@ paths:
           description: No Content
   /helps/search:
     post:
+      x-onecx:
+        permissions:
+          helps:
+            - read
       tags:
         - helpsInternal
       description: Search for helps

src/main/resources/application.properties

@@ -1,22 +1,37 @@
+# AUTHENTICATED
+quarkus.http.auth.permission.health.paths=/q/*
+quarkus.http.auth.permission.health.policy=permit
+quarkus.http.auth.permission.default.paths=/*
+quarkus.http.auth.permission.default.policy=authenticated
+
+onecx.permissions.application-id=${quarkus.application.name}
+
 # PROD
 %prod.quarkus.rest-client.onecx_help_svc.url=http://onecx-help-svc:8080
+%prod.quarkus.oidc-client.client-id=${quarkus.application.name}
 
 # propagate the apm-principal-token from requests we receive
 org.eclipse.microprofile.rest.client.propagateHeaders=apm-principal-token
 
 # OIDC
-quarkus.oidc.enabled=false
 #quarkus.rest-client.onecx_help_svc_yaml.providers=io.quarkus.oidc.client.reactive.filter.OidcClientRequestReactiveFilter
 #quarkus.oidc-client.client-id=${quarkus.application.name}
 #quarkus.oidc-client.credentials.secret=
 #quarkus.oidc-client.auth-server-url=${quarkus.oidc.auth-server-url}
 
 # DEV
 %dev.quarkus.rest-client.onecx_help_svc.url=http://onecx-help-svc
+%dev.quarkus.oidc-client.auth-server-url=${quarkus.oidc.auth-server-url}
+%dev.quarkus.oidc-client.client-id=${quarkus.oidc.client-id}
+%dev.quarkus.oidc-client.credentials.secret=${quarkus.oidc.credentials.secret}
+%dev.quarkus.rest-client.onecx_permission.url=${quarkus.mockserver.endpoint}
+%dev.quarkus.rest-client.onecx-permission.url=${quarkus.mockserver.endpoint}
+%dev.quarkus.mockserver.devservices.config-file=src/test/resources/mockserver.properties
+%dev.quarkus.mockserver.devservices.config-dir=src/test/resources/mockserver
 
 # BUILD
 quarkus.openapi-generator.codegen.spec.onecx_help_svc_yaml.config-key=onecx_help_svc
-quarkus.openapi-generator.codegen.spec.onecx_help_svc_yaml.base-package=gen.org.tkit.onecx.help.bff.clients
+quarkus.openapi-generator.codegen.spec.onecx_help_svc_yaml.base-package=gen.org.tkit.onecx.help.client
 quarkus.openapi-generator.codegen.spec.onecx_help_svc_yaml.return-response=true
 quarkus.openapi-generator.codegen.input-base-dir=target/tmp/openapi
 quarkus.openapi-generator.codegen.spec.onecx_help_svc_yaml.additional-api-type-annotations=@org.eclipse.microprofile.rest.client.annotation.RegisterClientHeaders;
@@ -33,6 +48,17 @@ quarkus.test.integration-test-profile=test
 %test.quarkus.mockserver.devservices.config-file=/mockserver.properties
 %test.quarkus.mockserver.devservices.config-dir=/mockserver
 %test.quarkus.rest-client.onecx_help_svc.url=${quarkus.mockserver.endpoint}
+%test.tkit.rs.context.token.header-param=apm-principal-token
+%test.tkit.rs.context.token.enabled=false
+%test.quarkus.rest-client.onecx_help_svc.providers=io.quarkus.oidc.client.reactive.filter.OidcClientRequestReactiveFilter
+%test.tkit.rs.context.tenant-id.mock.claim-org-id=orgId
+%test.quarkus.rest-client.onecx_permission.url=${quarkus.mockserver.endpoint}
+%test.quarkus.rest-client.onecx-permission.url=${quarkus.mockserver.endpoint}
+%test.quarkus.keycloak.devservices.roles.alice=role-admin
+%test.quarkus.keycloak.devservices.roles.bob=role-user
+%test.quarkus.oidc-client.auth-server-url=${quarkus.oidc.auth-server-url}
+%test.quarkus.oidc-client.client-id=${quarkus.oidc.client-id}
+%test.quarkus.oidc-client.credentials.secret=${quarkus.oidc.credentials.secret}
 
 # PIPE CONFIG
 

src/test/java/org/tkit/onecx/help/bff/rs/AbstractTest.java

@@ -1,18 +1,30 @@
 package org.tkit.onecx.help.bff.rs;
 
+import org.eclipse.microprofile.config.ConfigProvider;
+
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
 
 import io.quarkiverse.mockserver.test.MockServerTestResource;
 import io.quarkus.test.common.QuarkusTestResource;
+import io.quarkus.test.keycloak.client.KeycloakTestClient;
 import io.restassured.RestAssured;
 import io.restassured.config.ObjectMapperConfig;
 import io.restassured.config.RestAssuredConfig;
 
 @QuarkusTestResource(MockServerTestResource.class)
 public abstract class AbstractTest {
 
+    protected static final String ADMIN = "alice";
+
+    protected static final String USER = "bob";
+
+    KeycloakTestClient keycloakClient = new KeycloakTestClient();
+
+    protected static final String APM_HEADER_PARAM = ConfigProvider.getConfig()
+            .getValue("%test.tkit.rs.context.token.header-param", String.class);
+
     static {
         RestAssured.config = RestAssuredConfig.config().objectMapperConfig(
                 ObjectMapperConfig.objectMapperConfig().jackson2ObjectMapperFactory(