[Gepardec/mega#735] add token introspection and role based access for…

… sync and mail resource (mega-cron client)
Gepardec · Feb 19, 2024 · 1b2cda4 · 1b2cda4
1 parent bcdb187
commit 1b2cda4
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 7 deletions.
diff --git a/src/main/java/com/gepardec/mega/rest/api/MailResource.java b/src/main/java/com/gepardec/mega/rest/api/MailResource.java
@@ -11,6 +11,8 @@
 import org.eclipse.microprofile.openapi.annotations.security.*;
 import org.eclipse.microprofile.openapi.annotations.tags.Tag;
 
+import java.time.LocalDateTime;
+
 @Path("/mail")
 @Tenant("mega-cron")
 @Tag(name = "MailResource")
@@ -34,4 +36,8 @@ public interface MailResource {
     @GET
     @Path("/retrieveZepEmails")
     Response retrieveZepEmailsFromInbox();
+
+    @Path("/ping")
+    @GET
+    LocalDateTime ping();
 }
diff --git a/src/main/java/com/gepardec/mega/rest/api/SyncResource.java b/src/main/java/com/gepardec/mega/rest/api/SyncResource.java
@@ -16,6 +16,7 @@
 import org.eclipse.microprofile.openapi.annotations.security.*;
 import org.eclipse.microprofile.openapi.annotations.tags.Tag;
 
+import java.time.LocalDateTime;
 import java.time.YearMonth;
 
 @Path("/sync")
@@ -117,4 +118,8 @@ public interface SyncResource {
     @Path("/all")
     @GET
     Response syncAll(@QueryParam("from") YearMonth from, @QueryParam("to") YearMonth to);
+
+    @Path("/ping")
+    @GET
+    LocalDateTime ping();
 }
diff --git a/src/main/java/com/gepardec/mega/rest/impl/MailResourceImpl.java b/src/main/java/com/gepardec/mega/rest/impl/MailResourceImpl.java
@@ -4,13 +4,16 @@
 import com.gepardec.mega.notification.mail.receiver.MailReceiver;
 import com.gepardec.mega.rest.api.MailResource;
 import io.quarkus.security.Authenticated;
+import jakarta.annotation.security.RolesAllowed;
 import jakarta.enterprise.context.RequestScoped;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.core.Response;
 import org.slf4j.Logger;
 
+import java.time.LocalDateTime;
+
 @RequestScoped
-@Authenticated
+@RolesAllowed("mega-cron:mail")
 public class MailResourceImpl implements MailResource {
 
     @Inject
@@ -45,4 +48,9 @@ public Response retrieveZepEmailsFromInbox() {
 
         return Response.ok().build();
     }
+
+    @Override
+    public LocalDateTime ping() {
+        return LocalDateTime.now();
+    }
 }
diff --git a/src/main/java/com/gepardec/mega/rest/impl/SyncResourceImpl.java b/src/main/java/com/gepardec/mega/rest/impl/SyncResourceImpl.java
@@ -7,12 +7,13 @@
 import com.gepardec.mega.service.api.StepEntrySyncService;
 import com.gepardec.mega.service.api.SyncService;
 import io.quarkus.arc.properties.IfBuildProperty;
-import io.quarkus.security.Authenticated;
+import jakarta.annotation.security.RolesAllowed;
 import jakarta.enterprise.context.RequestScoped;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.core.Response;
 
 import java.time.LocalDate;
+import java.time.LocalDateTime;
 import java.time.YearMonth;
 import java.util.function.Function;
 
@@ -21,7 +22,7 @@
 
 @RequestScoped
 @IfBuildProperty(name = "mega.endpoint.test.enable", stringValue = "true", enableIfMissing = true)
-@Authenticated
+@RolesAllowed("mega-cron:sync")
 public class SyncResourceImpl implements SyncResource {
 
     @Inject
@@ -76,6 +77,11 @@ public Response syncAll(YearMonth from, YearMonth to) {
         return Response.ok("ok").build();
     }
 
+    @Override
+    public LocalDateTime ping() {
+        return LocalDateTime.now();
+    }
+
     private Response syncFromTo(Function<LocalDate, Boolean> syncFunction, YearMonth from, YearMonth to) {
         if (from == null) {
             return Response.ok(syncFunction.apply(getFirstDayOfCurrentMonth())).build();

diff --git a/src/main/resources/application.yaml b/src/main/resources/application.yaml
@@ -74,16 +74,24 @@ quarkus:
     timeout: "30s"
 
   oidc:
+    # for the default client (mega) we verify the access token locally
     auth-server-url: "${mega.oauth.issuer}"
     application-type: "service"
     token:
       audience: "${mega.oauth.client-id}"
+    # for the server to server client (mega-cron) we verify the token with token introspection
     mega-cron:
       auth-server-url: "${mega.oauth.issuer}"
       application-type: "service"
       token:
-        audience: "${mega.oauth.mega-cron.client-id}"
-
+        require-jwt-introspection-only: true
+      client-id: "${mega.oauth.mega-cron.client-id}"
+      credentials:
+        client-secret:
+          value: "${mega.oauth.mega-cron.client-secret}"
+      roles:
+        source: accesstoken
+        role-claim-path: "resource_access/mega-cron/roles"
 mp:
   openapi:
     filter: com.gepardec.mega.application.filter.MegaCronSecuritySchemaOASFilter
@@ -99,8 +107,8 @@ microprofile:
 mega:
   info:
     build:
-      version: "${revision}"
-      date: "${timestamp}"
+      version: "${revision:local}"
+      date: "${timestamp:2007-12-03T10:15:30}"
 
     git:
       branch: "${BRANCH:local}"