feat: add security and fix tests (#41)

* feat: add security and fix tests

* fix: formatting

docs/modules/onecx-search-config-svc/pages/onecx-search-config-svc-extensions.adoc

@@ -60,73 +60,73 @@ h| Version
 
 | https://quarkus.io/guides/liquibase[Link]
 | https://github.com/quarkusio/quarkusio.github.io/blob/develop/_generated-doc/latest/config/quarkus-liquibase.adoc[Link]
-| 3.13.2
+| 3.13.3
 
 | quarkus-smallrye-health
 
 | https://quarkus.io/guides/smallrye-health[Link]
 | https://github.com/quarkusio/quarkusio.github.io/blob/develop/_generated-doc/latest/config/quarkus-smallrye-health.adoc[Link]
-| 3.13.2
+| 3.13.3
 
 | quarkus-micrometer-registry-prometheus
 
 | https://quarkus.io/guides/telemetry-micrometer[Link]
 | https://github.com/quarkusio/quarkusio.github.io/blob/develop/_generated-doc/latest/config/quarkus-micrometer-registry-prometheus.adoc[Link]
-| 3.13.2
+| 3.13.3
 
 | quarkus-hibernate-orm
 
 | https://quarkus.io/guides/hibernate-orm[Link]
 | https://github.com/quarkusio/quarkusio.github.io/blob/develop/_generated-doc/latest/config/quarkus-hibernate-orm.adoc[Link]
-| 3.13.2
+| 3.13.3
 
 | quarkus-resteasy-reactive
 
 | https://quarkus.io/guides/resteasy-reactive[Link]
 | https://github.com/quarkusio/quarkusio.github.io/blob/develop/_generated-doc/latest/config/quarkus-resteasy-reactive.adoc[Link]
-| 3.13.2
+| 3.13.3
 
 | quarkus-resteasy-reactive-jackson
 
 | https://quarkus.io/guides/rest-json[Link]
 | 
-| 3.13.2
+| 3.13.3
 
 | quarkus-hibernate-validator
 
 | https://quarkus.io/guides/validation[Link]
 | https://github.com/quarkusio/quarkusio.github.io/blob/develop/_generated-doc/latest/config/quarkus-hibernate-validator.adoc[Link]
-| 3.13.2
+| 3.13.3
 
 | quarkus-jdbc-postgresql
 
 | https://quarkus.io/guides/datasource[Link]
 | https://github.com/quarkusio/quarkusio.github.io/blob/develop/_generated-doc/latest/config/quarkus-jdbc-postgresql.adoc[Link]
-| 3.13.2
+| 3.13.3
 
 | quarkus-smallrye-openapi
 
 | https://quarkus.io/guides/openapi-swaggerui[Link]
 | https://github.com/quarkusio/quarkusio.github.io/blob/develop/_generated-doc/latest/config/quarkus-smallrye-openapi.adoc[Link]
-| 3.13.2
+| 3.13.3
 
 | quarkus-smallrye-jwt
 
 | https://quarkus.io/guides/security-jwt-build[Link]
 | https://github.com/quarkusio/quarkusio.github.io/blob/develop/_generated-doc/latest/config/quarkus-smallrye-jwt.adoc[Link]
-| 3.13.2
+| 3.13.3
 
 | quarkus-oidc
 
 | https://quarkus.io/guides/security-oidc-bearer-token-authentication-tutorial[Link]
 | https://github.com/quarkusio/quarkusio.github.io/blob/develop/_generated-doc/latest/config/quarkus-oidc.adoc[Link]
-| 3.13.2
+| 3.13.3
 
 | quarkus-opentelemetry
 
 | https://quarkus.io/guides/opentelemetry[Link]
 | https://github.com/quarkusio/quarkusio.github.io/blob/develop/_generated-doc/latest/config/quarkus-opentelemetry.adoc[Link]
-| 3.13.2
+| 3.13.3
 
 | tkit-quarkus-security
 
@@ -144,14 +144,20 @@ h| Version
 
 | https://quarkus.io/guides/cdi-reference[Link]
 | https://github.com/quarkusio/quarkusio.github.io/blob/develop/_generated-doc/latest/config/quarkus-arc.adoc[Link]
-| 3.13.2
+| 3.13.3
 
 | quarkus-container-image-docker
 
 | https://quarkus.io/guides/container-image[Link]
 | https://github.com/quarkusio/quarkusio.github.io/blob/develop/_generated-doc/latest/config/quarkus-container-image-docker.adoc[Link]
-| 3.13.2
+| 3.13.3
 
 
+| onecx-security
+
+| 
+| 
+| 0.26.0
+
 
 |===

pom.xml

@@ -40,6 +40,10 @@
       <groupId>org.tkit.onecx.quarkus</groupId>
       <artifactId>onecx-tenant</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.tkit.onecx.quarkus</groupId>
+      <artifactId>onecx-security</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.tkit.quarkus.lib</groupId>
       <artifactId>tkit-quarkus-jpa-tenant</artifactId>
@@ -139,6 +143,11 @@
       <artifactId>quarkus-test-keycloak-server</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.tkit.quarkus.lib</groupId>
+      <artifactId>tkit-quarkus-security-test</artifactId>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
   <build>
     <plugins>
@@ -155,6 +164,7 @@
           <generateSupportingFiles>false</generateSupportingFiles>
           <addCompileSourceRoot>true</addCompileSourceRoot>
           <library>quarkus</library>
+          <additionalProperties>onecx-scopes=true</additionalProperties>
           <configOptions>
             <sourceFolder>/</sourceFolder>
             <openApiNullable>false</openApiNullable>

src/main/openapi/search-config-openapi-internal.yaml

@@ -10,6 +10,8 @@ tags:
 paths:
   /internal/searchConfig:
     post:
+      security:
+        - oauth2: [ ocx-sc:all, ocx-sc:write ]
       tags:
         - SearchConfigInternal
       summary: Creates the search config.
@@ -36,6 +38,8 @@ paths:
                 $ref: '#/components/schemas/ProblemDetailResponse'
   /internal/searchConfig/search:
     post:
+      security:
+        - oauth2: [ ocx-sc:all, ocx-sc:read ]
       tags:
         - SearchConfigInternal
       summary: Finds search configs by criteria.
@@ -62,6 +66,8 @@ paths:
                 $ref: '#/components/schemas/ProblemDetailResponse'
   /internal/searchConfig/load:
     post:
+      security:
+        - oauth2: [ ocx-sc:all, ocx-sc:read ]
       tags:
         - SearchConfigInternal
       summary: Finds search configs by product, app and page.
@@ -90,6 +96,8 @@ paths:
                 $ref: '#/components/schemas/ProblemDetailResponse'
   /internal/searchConfig/{id}:
     get:
+      security:
+        - oauth2: [ ocx-sc:all, ocx-sc:read ]
       tags:
         - SearchConfigInternal
       summary: Finds search configs by it's id.
@@ -111,6 +119,8 @@ paths:
         "404":
           description: Not found
     put:
+      security:
+        - oauth2: [ ocx-sc:all, ocx-sc:write ]
       tags:
         - SearchConfigInternal
       summary: Updates the search config.
@@ -144,6 +154,8 @@ paths:
         "404":
           description: Search-config not found
     delete:
+      security:
+        - oauth2: [ ocx-sc:all, ocx-sc:delete ]
       tags:
         - SearchConfigInternal
       summary: Deletes the search config.
@@ -165,6 +177,17 @@ paths:
               schema:
                 $ref: '#/components/schemas/ProblemDetailResponse'
 components:
+  securitySchemes:
+    oauth2:
+      type: oauth2
+      flows:
+        clientCredentials:
+          tokenUrl: https://oauth.simple.api/token
+          scopes:
+            ocx-sc:all: Grants access to all operations
+            ocx-sc:read: Grants read access
+            ocx-sc:write: Grants write access
+            ocx-sc:delete: Grants access to delete operations
   schemas:
     OffsetDateTime:
       format: date-time

src/main/resources/application.properties

@@ -3,6 +3,11 @@ quarkus.datasource.db-kind=postgresql
 quarkus.datasource.jdbc.max-size=8
 quarkus.datasource.jdbc.min-size=2
 
+quarkus.http.auth.permission.health.paths=/q/*
+quarkus.http.auth.permission.health.policy=permit
+quarkus.http.auth.permission.default.paths=/*
+quarkus.http.auth.permission.default.policy=authenticated
+
 quarkus.hibernate-orm.database.generation=validate
 quarkus.hibernate-orm.multitenant=DISCRIMINATOR
 quarkus.hibernate-orm.jdbc.timezone=UTC
@@ -30,8 +35,11 @@ onecx.permission.token.claim.path=realm_access/roles
 #%dev.tkit.rs.context.tenant-id.mock.default-tenant=test
 #%dev.tkit.rs.context.tenant-id.mock.data.org1=tenant100
 
-
+# TEST-IT
 quarkus.test.integration-test-profile=test
+quarkus.test.enable-callbacks-for-integration-tests=true
+
+# TEST
 %test.onecx.permission.token.verified=true
 %test.onecx.permission.token.claim.path=groups
 %test.tkit.rs.context.tenant-id.enabled=true

src/test/java/org/tkit/onecx/search/config/rs/internal/controllers/SearchConfigControllerInternalTenantTest.java

@@ -4,11 +4,13 @@
 import static jakarta.ws.rs.core.MediaType.APPLICATION_JSON;
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.jboss.resteasy.reactive.RestResponse.Status.*;
+import static org.tkit.quarkus.security.test.SecurityTestUtils.getKeycloakClientToken;
 
 import java.util.*;
 
 import org.junit.jupiter.api.Test;
 import org.tkit.onecx.search.config.test.AbstractTest;
+import org.tkit.quarkus.security.test.GenerateKeycloakClient;
 import org.tkit.quarkus.test.WithDBData;
 
 import gen.org.tkit.onecx.search.config.rs.internal.model.*;
@@ -18,6 +20,7 @@
 @QuarkusTest
 @TestHTTPEndpoint(SearchConfigControllerInternal.class)
 @WithDBData(value = "search-config-data.xml", deleteBeforeInsert = true, deleteAfterTest = true, rinseAndRepeat = true)
+@GenerateKeycloakClient(clientName = "testClient", scopes = "ocx-sc:all")
 class SearchConfigControllerInternalTenantTest extends AbstractTest {
 
     private Map<String, String> setupValues() {
@@ -42,6 +45,7 @@ void shouldGetSearchConfigsById() {
 
         var dto = given()
                 .contentType(APPLICATION_JSON)
+                .auth().oauth2(getKeycloakClientToken("testClient"))
                 .header(APM_HEADER_PARAM, createToken("org1", null))
                 .get(configId)
                 .then()
@@ -54,6 +58,7 @@ void shouldGetSearchConfigsById() {
 
         given()
                 .contentType(APPLICATION_JSON)
+                .auth().oauth2(getKeycloakClientToken("testClient"))
                 .header(APM_HEADER_PARAM, createToken("org2", null))
                 .get(configId)
                 .then()
@@ -81,6 +86,7 @@ void shouldCreateSearchConfig() {
         var searchConfigDTO = given()
                 .when()
                 .contentType(APPLICATION_JSON)
+                .auth().oauth2(getKeycloakClientToken("testClient"))
                 .body(requestBody)
                 .header(APM_HEADER_PARAM, createToken("org2", null))
                 .post()
@@ -99,13 +105,15 @@ void shouldCreateSearchConfig() {
 
         given()
                 .contentType(APPLICATION_JSON)
+                .auth().oauth2(getKeycloakClientToken("testClient"))
                 .header(APM_HEADER_PARAM, createToken("org1", null))
                 .get(searchConfigDTO.getId())
                 .then()
                 .statusCode(NOT_FOUND.getStatusCode());
 
         var dto = given()
                 .contentType(APPLICATION_JSON)
+                .auth().oauth2(getKeycloakClientToken("testClient"))
                 .header(APM_HEADER_PARAM, createToken("org2", null))
                 .get(searchConfigDTO.getId())
                 .then()
@@ -134,6 +142,7 @@ void shouldUpdateModificationCount() {
         given()
                 .when()
                 .contentType(APPLICATION_JSON)
+                .auth().oauth2(getKeycloakClientToken("testClient"))
                 .header(APM_HEADER_PARAM, createToken("org2", null))
                 .body(updateRequestBody)
                 .put(searchConfigId)
@@ -143,6 +152,7 @@ void shouldUpdateModificationCount() {
         var searchConfigDTO = given()
                 .when()
                 .contentType(APPLICATION_JSON)
+                .auth().oauth2(getKeycloakClientToken("testClient"))
                 .header(APM_HEADER_PARAM, createToken("org1", null))
                 .body(updateRequestBody)
                 .put(searchConfigId)
@@ -166,13 +176,15 @@ void shouldDeleteById() {
         given()
                 .when()
                 .contentType(APPLICATION_JSON)
+                .auth().oauth2(getKeycloakClientToken("testClient"))
                 .header(APM_HEADER_PARAM, createToken("org2", null))
                 .delete(configId)
                 .then()
                 .statusCode(NO_CONTENT.getStatusCode());
 
         given()
                 .contentType(APPLICATION_JSON)
+                .auth().oauth2(getKeycloakClientToken("testClient"))
                 .header(APM_HEADER_PARAM, createToken("org1", null))
                 .get(configId)
                 .then()
@@ -181,13 +193,15 @@ void shouldDeleteById() {
         given()
                 .when()
                 .contentType(APPLICATION_JSON)
+                .auth().oauth2(getKeycloakClientToken("testClient"))
                 .header(APM_HEADER_PARAM, createToken("org1", null))
                 .delete(configId)
                 .then()
                 .statusCode(NO_CONTENT.getStatusCode());
 
         given()
                 .contentType(APPLICATION_JSON)
+                .auth().oauth2(getKeycloakClientToken("testClient"))
                 .header(APM_HEADER_PARAM, createToken("org1", null))
                 .get(configId)
                 .then()
@@ -206,6 +220,7 @@ void shouldFindByCriteria() {
         var responseDTO = given()
                 .when()
                 .contentType(APPLICATION_JSON)
+                .auth().oauth2(getKeycloakClientToken("testClient"))
                 .header(APM_HEADER_PARAM, createToken("org2", null))
                 .body(requestBody)
                 .post("/search")