[RELEASE] - Bump version

- add catch WebClientResponseException to registerDevice in DeviceRegistryService
- add handle BAD_REQUEST to WebClient deviceRegistryCreateDevice in WebClientCalls.kt

.github/workflows/release.yml

@@ -0,0 +1,12 @@
+name: Release
+
+on:
+  workflow_dispatch:
+
+jobs:
+  release:
+    uses: swordsteel/hlaeja-common-workflows/.github/workflows/release.yml@master
+    secrets:
+      CI_BOT_PAT: ${{ secrets.CI_BOT_PAT }}
+    with:
+      TYPE: service

.github/workflows/run-checks.yml

@@ -0,0 +1,12 @@
+name: Pull request validation
+
+on:
+  pull_request:
+    paths-ignore:
+      - '.github/**'
+
+jobs:
+  validate:
+    uses: swordsteel/hlaeja-common-workflows/.github/workflows/run-checks.yml@master
+    secrets:
+      CI_BOT_PAT: ${{ secrets.CI_BOT_PAT }}

.gitignore

@@ -39,5 +39,5 @@ out/
 ### Kotlin ###
 .kotlin
 
-### cert ###
-cert/
+#### Hlæja ###
+/cert/

README.md

@@ -12,28 +12,28 @@ Classes and endpoints, to shape and to steer, Devices and sensors, their purpose
 | server.ssl.key-store                         | ✓  | HTTP Keystore                                |
 | server.ssl.key-store-type                    | ✓  | HTTP Cert Type                               |
 | server.ssl.key-store-password                | ✗  | HTTP Cert Pass                               |
+| jwt.public-key                               | ✓  | JWT public key file                          |
+| account-registry.url                         | ✓  | Account Register URL                         |
 | device-registry.url                          | ✓  | Device Register URL                          |
-| management.influx.metrics.export.api-version |          | InfluxDB API version                         |
-| management.influx.metrics.export.enabled     |          | Enable/Disable exporting metrics to InfluxDB |
-| management.influx.metrics.export.bucket      | ✓  | InfluxDB bucket name                         |
-| management.influx.metrics.export.org         | ✓  | InfluxDB organization                        |
-| management.influx.metrics.export.token       | ✗  | InfluxDB token                               |
-| management.influx.metrics.export.uri         | ✓  | InfluxDB URL                                 |
-| management.metrics.tags.application          | ✓  | Application instance tag for metrics         |
 
 *Required: ✓ can be stored as text, and ✗ need to be stored as secret.*
 
 ## Releasing Service
 
-Run `release.sh` script from `master` branch.
+Run release pipeline from `master` branch.
 
 ## Development Configuration
 
-
 ### Developer Keystore
 
 We use a keystore to enable HTTPS for our API. To set up your developer environment for local development, please refer to [generate keystore](https://github.com/swordsteel/hlaeja-development/blob/master/doc/keystore.md) documentation. When generating and exporting the certificate for local development, please store it in the `./cert/keystore.p12` folder at the project root.
 
+### Public RSA Key
+
+This service uses the public key from **[Hlæja Account Register](https://github.com/swordsteel/hlaeja-account-registry)** to identify users. To set up user identification for local development, copy the `public_key.pem` file from the `./cert` directory in **Hlæja Account Register** into the `./cert` directory of this project.
+
+*Note: For more information on generating RSA keys, please refer to our [generate RSA key](https://github.com/swordsteel/hlaeja-development/blob/master/doc/rsa_key.md) documentation.*
+
 ### Global Settings
 
 This services rely on a set of global settings to configure development environments. These settings, managed through Gradle properties or environment variables.

build.gradle.kts

@@ -1,22 +1,22 @@
-import com.bmuschko.gradle.docker.tasks.container.DockerCreateContainer
-
 plugins {
     alias(hlaeja.plugins.kotlin.jvm)
     alias(hlaeja.plugins.kotlin.spring)
-    alias(hlaeja.plugins.ltd.hlaeja.plugin.certificate)
-    alias(hlaeja.plugins.ltd.hlaeja.plugin.service)
+    alias(hlaeja.plugins.spring.boot)
     alias(hlaeja.plugins.spring.dependency.management)
-    alias(hlaeja.plugins.springframework.boot)
+    alias(hlaeja.plugins.certificate)
+    alias(hlaeja.plugins.service)
 }
 
 dependencies {
     implementation(hlaeja.fasterxml.jackson.module.kotlin)
+    implementation(hlaeja.jjwt.api)
     implementation(hlaeja.kotlin.logging)
     implementation(hlaeja.kotlin.reflect)
     implementation(hlaeja.kotlinx.coroutines)
-    implementation(hlaeja.library.hlaeja.common.messages)
-    implementation(hlaeja.micrometer.registry.influx)
+    implementation(hlaeja.library.common.messages)
+    implementation(hlaeja.library.jwt)
     implementation(hlaeja.springboot.starter.actuator)
+    implementation(hlaeja.springboot.starter.security)
     implementation(hlaeja.springboot.starter.webflux)
 
     testImplementation(hlaeja.mockk)
@@ -30,17 +30,6 @@ dependencies {
 
 group = "ltd.hlaeja"
 
-fun influxDbToken(): String = config.findOrDefault("influxdb.token", "INFLUXDB_TOKEN", "")
-
-tasks {
-    named("containerCreate", DockerCreateContainer::class) {
-        withEnvVar("MANAGEMENT_INFLUX_METRICS_EXPORT_TOKEN", influxDbToken())
-    }
-    withType<ProcessResources> {
-        filesMatching("**/application.yml") { filter { it.replace("%INFLUXDB_TOKEN%", influxDbToken()) } }
-        onlyIf { file("src/main/resources/application.yml").exists() }
-    }
-    named("processResources") {
+tasks.named("processResources") {
     dependsOn("copyCertificates")
 }
-}

gradle.properties

@@ -1,6 +1,6 @@
 kotlin.code.style=official
-version=0.1.0
-catalog=0.7.0
+version=0.5.0-SNAPSHOT
+catalog=0.11.0
 docker.port.expose=8443
 container.port.expose=8443
 container.port.host=9040

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.14.3-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

gradlew

@@ -86,8 +86,7 @@ done
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
 # Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s
-' "$PWD" ) || exit
+APP_HOME=$( cd -P "${APP_HOME:-./}" > /dev/null && printf '%s\n' "$PWD" ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -115,7 +114,7 @@ case "$( uname )" in                #(
   NONSTOP* )        nonstop=true ;;
 esac
 
-CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
+CLASSPATH="\\\"\\\""
 
 
 # Determine the Java command to use to start the JVM.
@@ -206,7 +205,7 @@ fi
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
 
 # Collect all arguments for the java command:
-#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
 #     and any embedded shellness will be escaped.
 #   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
 #     treated as '${Hostname}' itself on the command line.
@@ -214,7 +213,7 @@ DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
 set -- \
         "-Dorg.gradle.appname=$APP_BASE_NAME" \
         -classpath "$CLASSPATH" \
-        org.gradle.wrapper.GradleWrapperMain \
+        -jar "$APP_HOME/gradle/wrapper/gradle-wrapper.jar" \
         "$@"
 
 # Stop when "xargs" is not available.

gradlew.bat

@@ -70,11 +70,11 @@ goto fail
 :execute
 @rem Setup the command line
 
-set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
+set CLASSPATH=
 
 
 @rem Execute Gradle
-"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %*
+"%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" -jar "%APP_HOME%\gradle\wrapper\gradle-wrapper.jar" %*
 
 :end
 @rem End local scope for the variables with windows NT shell

http/actuator.http

@@ -0,0 +1,5 @@
+### get actuator
+GET {{hostname}}/actuator
+
+### get actuator health
+GET {{hostname}}/actuator/health

http/authentication.http

@@ -0,0 +1,8 @@
+### account login
+POST {{hostname}}/login
+Content-Type: application/json
+
+{
+    "username": "username",
+    "password": "password"
+}

http/http-client.env.json

@@ -1,8 +1,10 @@
 {
   "development": {
-        "hostname": "https://localhost:8443"
+    "hostname": "https://localhost:8443",
+    "token": ""
   },
   "docker": {
-        "hostname": "https://localhost:9040"
+    "hostname": "https://localhost:9040",
+    "token": ""
   }
 }

http/registry.http

@@ -1,5 +1,6 @@
 ### register device for a type
 POST {{hostname}}/register
+Authorization: Bearer {{token}}
 Content-Type: application/json
 
 {

release.sh

@@ -1,89 +0,0 @@
-#!/bin/sh
-
-### This should be a pipeline, but for this example let use this ###
-
-check_active_branch() {
-  if [ "$(git rev-parse --abbrev-ref HEAD)" != "$1" ]; then
-    echo "Error: The current branch is not $1."
-    exit 1
-  fi
-}
-
-check_uncommitted_changes() {
-  if [ -n "$(git status --porcelain)" ]; then
-    echo "Error: There are uncommitted changes in the repository."
-    exit 1
-  fi
-}
-
-prepare_environment() {
-    git fetch origin
-}
-
-check_last_commit() {
-  last_commit_message=$(git log -1 --pretty=format:%s)
-  if [ "$last_commit_message" = "[RELEASE] - bump version" ]; then
-    echo "Warning: Nothing to release!!!"
-    exit 1
-  fi
-}
-
-check_differences() {
-  if ! git diff --quiet origin/"$1" "$1"; then
-    echo "Error: The branches origin/$1 and $1 have differences."
-    exit 1
-  fi
-}
-
-un_snapshot_version() {
-  sed -i "s/\($1\s*=\s*[0-9]\+\.[0-9]\+\.[0-9]\+\).*/\1/" gradle.properties
-}
-
-current_version() {
-    awk -F '=' '/version\s*=\s*[0-9.]*/ {gsub(/^ +| +$/,"",$2); print $2}' gradle.properties
-}
-
-stage_files() {
-    for file in "$@"; do
-        if git diff --exit-code --quiet -- "$file"; then
-            echo "No changes in $file"
-        else
-            git add "$file"
-            echo "Changes in $file staged for commit"
-        fi
-    done
-}
-
-commit_change() {
-    stage_files gradle.properties
-    git commit -m "[RELEASE] - $1"
-    git push --porcelain origin master
-}
-
-add_release_tag() {
-  gitTag="v$(current_version)"
-  git tag -a "$gitTag" -m "Release version $gitTag"
-  git push --porcelain origin "$gitTag"
-}
-
-snapshot_version() {
-  new_version="$(current_version | awk -F '.' '{print $1 "." $2+1 ".0"}')"
-  sed -i "s/\(version\s*=\s*\)[0-9.]*/\1$new_version-SNAPSHOT/" gradle.properties
-}
-
-# check and prepare for release
-check_active_branch master
-check_uncommitted_changes
-prepare_environment
-check_last_commit
-check_differences master
-
-# un-snapshot version for release
-un_snapshot_version version
-un_snapshot_version catalog
-
-# release changes and prepare for next release
-commit_change "release version: $(current_version)"
-add_release_tag
-snapshot_version
-commit_change 'bump version'

src/main/kotlin/ltd/hlaeja/Application.kt

@@ -1,11 +1,13 @@
 package ltd.hlaeja
 
+import ltd.hlaeja.property.AccountRegistryProperty
 import ltd.hlaeja.property.DeviceRegistryProperty
 import org.springframework.boot.autoconfigure.SpringBootApplication
 import org.springframework.boot.context.properties.EnableConfigurationProperties
 import org.springframework.boot.runApplication
 
 @EnableConfigurationProperties(
+    AccountRegistryProperty::class,
     DeviceRegistryProperty::class,
 )
 @SpringBootApplication

src/main/kotlin/ltd/hlaeja/configuration/SecurityConfiguration.kt

@@ -0,0 +1,61 @@
+package ltd.hlaeja.configuration
+
+import ltd.hlaeja.security.authorize.publicPaths
+import ltd.hlaeja.security.converter.JwtAuthenticationConverter
+import ltd.hlaeja.security.manager.JwtAuthenticationManager
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
+import org.springframework.security.config.web.server.SecurityWebFiltersOrder.AUTHENTICATION
+import org.springframework.security.config.web.server.ServerHttpSecurity
+import org.springframework.security.config.web.server.ServerHttpSecurity.AuthorizeExchangeSpec
+import org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec
+import org.springframework.security.config.web.server.ServerHttpSecurity.FormLoginSpec
+import org.springframework.security.config.web.server.ServerHttpSecurity.HttpBasicSpec
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
+import org.springframework.security.crypto.password.PasswordEncoder
+import org.springframework.security.web.server.SecurityWebFilterChain
+import org.springframework.security.web.server.authentication.AuthenticationWebFilter
+
+@Configuration
+@EnableWebFluxSecurity
+class SecurityConfiguration {
+    @Bean
+    fun passwordEncoder(): PasswordEncoder = BCryptPasswordEncoder()
+
+    @Bean
+    fun securityWebFilterChain(
+        serverHttpSecurity: ServerHttpSecurity,
+        jwtAuthenticationManager: JwtAuthenticationManager,
+        jwtAuthenticationConverter: JwtAuthenticationConverter,
+    ): SecurityWebFilterChain = serverHttpSecurity
+        .authorizeExchange(::authorizeExchange)
+        .httpBasic(::httpBasic)
+        .formLogin(::formLogin)
+        .csrf(::csrf)
+        .addFilterAt(
+            AuthenticationWebFilter(jwtAuthenticationManager).apply {
+                setServerAuthenticationConverter(jwtAuthenticationConverter)
+            },
+            AUTHENTICATION,
+        )
+        .build()
+
+    private fun csrf(
+        csrf: CsrfSpec,
+    ) = csrf.disable()
+
+    private fun formLogin(
+        formLogin: FormLoginSpec,
+    ) = formLogin.disable()
+
+    private fun httpBasic(
+        httpBasic: HttpBasicSpec,
+    ) = httpBasic.disable()
+
+    private fun authorizeExchange(
+        authorizeExchange: AuthorizeExchangeSpec,
+    ) = authorizeExchange
+        .publicPaths().permitAll()
+        .anyExchange().hasAnyRole("REGISTRY", "ADMIN")
+}

src/main/kotlin/ltd/hlaeja/controller/AuthenticationController.kt

@@ -0,0 +1,18 @@
+package ltd.hlaeja.controller
+
+import ltd.hlaeja.library.accountRegistry.Authentication
+import ltd.hlaeja.service.AuthenticationService
+import org.springframework.web.bind.annotation.PostMapping
+import org.springframework.web.bind.annotation.RequestBody
+import org.springframework.web.bind.annotation.RestController
+
+@RestController
+class AuthenticationController(
+    private val authenticationService: AuthenticationService,
+) {
+
+    @PostMapping("/login")
+    suspend fun addDevice(
+        @RequestBody request: Authentication.Request,
+    ): Authentication.Response = authenticationService.authenticate(request)
+}

src/main/kotlin/ltd/hlaeja/property/AccountRegistryProperty.kt

@@ -0,0 +1,8 @@
+package ltd.hlaeja.property
+
+import org.springframework.boot.context.properties.ConfigurationProperties
+
+@ConfigurationProperties(prefix = "account-registry")
+data class AccountRegistryProperty(
+    val url: String,
+)

src/main/kotlin/ltd/hlaeja/security/authorize/PublicPaths.kt

@@ -0,0 +1,8 @@
+package ltd.hlaeja.security.authorize
+
+import org.springframework.security.config.web.server.ServerHttpSecurity.AuthorizeExchangeSpec
+
+fun AuthorizeExchangeSpec.publicPaths(): AuthorizeExchangeSpec.Access = pathMatchers(
+    "/actuator/**",
+    "/login",
+)

src/main/kotlin/ltd/hlaeja/security/converter/JwtAuthenticationConverter.kt

@@ -0,0 +1,57 @@
+package ltd.hlaeja.security.converter
+
+import io.github.oshai.kotlinlogging.KotlinLogging
+import io.jsonwebtoken.JwtException
+import java.util.UUID
+import ltd.hlaeja.jwt.service.PublicJwtService
+import ltd.hlaeja.security.user.JwtAuthentication
+import ltd.hlaeja.security.user.JwtUserDetails
+import org.springframework.http.HttpStatus.UNAUTHORIZED
+import org.springframework.security.core.Authentication
+import org.springframework.security.core.authority.SimpleGrantedAuthority
+import org.springframework.security.web.server.authentication.ServerAuthenticationConverter
+import org.springframework.stereotype.Component
+import org.springframework.web.server.ResponseStatusException
+import org.springframework.web.server.ServerWebExchange
+import reactor.core.publisher.Mono
+
+private val log = KotlinLogging.logger {}
+
+@Component
+class JwtAuthenticationConverter(
+    private val publicJwtService: PublicJwtService,
+) : ServerAuthenticationConverter {
+
+    companion object {
+        private const val BEARER = "Bearer "
+        private const val AUTHORIZATION = "Authorization"
+    }
+
+    override fun convert(
+        exchange: ServerWebExchange,
+    ): Mono<Authentication> = Mono.justOrEmpty(exchange.request.headers.getFirst(AUTHORIZATION))
+        .filter { it.startsWith(BEARER) }
+        .map { it.removePrefix(BEARER) }
+        .flatMap { token ->
+            try {
+                Mono.just(jwtAuthenticationToken(token))
+            } catch (e: JwtException) {
+                log.error(e) { "${e.message}" }
+                Mono.error(ResponseStatusException(UNAUTHORIZED))
+            }
+        }
+
+    private fun jwtAuthenticationToken(token: String) = publicJwtService.verify(token) { claims ->
+        JwtAuthentication(
+            JwtUserDetails(
+                UUID.fromString(claims.payload["id"] as String),
+                claims.payload["username"] as String,
+            ),
+            token,
+            (claims.payload["role"] as String).split(",")
+                .map { SimpleGrantedAuthority("ROLE_$it") }
+                .toMutableList(),
+            true,
+        )
+    }
+}

src/main/kotlin/ltd/hlaeja/security/manager/JwtAuthenticationManager.kt

@@ -0,0 +1,28 @@
+package ltd.hlaeja.security.manager
+
+import ltd.hlaeja.security.user.JwtAuthentication
+import org.springframework.security.authentication.ReactiveAuthenticationManager
+import org.springframework.security.core.Authentication
+import org.springframework.security.core.AuthenticationException
+import org.springframework.stereotype.Component
+import reactor.core.publisher.Mono
+
+@Component
+class JwtAuthenticationManager : ReactiveAuthenticationManager {
+
+    override fun authenticate(
+        authentication: Authentication,
+    ): Mono<Authentication> = if (authentication is JwtAuthentication) {
+        handleJwtToken(authentication)
+    } else {
+        Mono.error(object : AuthenticationException("Unsupported authentication type") {})
+    }
+
+    private fun handleJwtToken(
+        token: JwtAuthentication,
+    ): Mono<Authentication> = if (token.isAuthenticated) {
+        Mono.just(token)
+    } else {
+        Mono.error(object : AuthenticationException("Invalid or expired JWT token") {})
+    }
+}

src/main/kotlin/ltd/hlaeja/security/user/JwtAuthentication.kt

@@ -0,0 +1,28 @@
+package ltd.hlaeja.security.user
+
+import org.springframework.security.core.Authentication
+import org.springframework.security.core.GrantedAuthority
+
+data class JwtAuthentication(
+    private val jwtUserDetails: JwtUserDetails,
+    private val token: String,
+    private var authorities: MutableCollection<out GrantedAuthority>,
+    private var authenticated: Boolean = false,
+) : Authentication {
+
+    override fun getName(): String = "Bearer Token"
+
+    override fun getAuthorities(): MutableCollection<out GrantedAuthority> = authorities
+
+    override fun getCredentials(): Any = token
+
+    override fun getDetails(): Any? = null
+
+    override fun getPrincipal(): Any = jwtUserDetails
+
+    override fun isAuthenticated(): Boolean = authenticated
+
+    override fun setAuthenticated(isAuthenticated: Boolean) {
+        authenticated = isAuthenticated
+    }
+}

src/main/kotlin/ltd/hlaeja/security/user/JwtUserDetails.kt

@@ -0,0 +1,8 @@
+package ltd.hlaeja.security.user
+
+import java.util.UUID
+
+data class JwtUserDetails(
+    val id: UUID,
+    val username: String,
+)

src/main/kotlin/ltd/hlaeja/service/AuthenticationService.kt

@@ -0,0 +1,37 @@
+package ltd.hlaeja.service
+
+import io.github.oshai.kotlinlogging.KotlinLogging
+import ltd.hlaeja.library.accountRegistry.Authentication
+import ltd.hlaeja.property.AccountRegistryProperty
+import ltd.hlaeja.util.accountRegistryAuthenticate
+import org.springframework.http.HttpStatus.INTERNAL_SERVER_ERROR
+import org.springframework.http.HttpStatus.SERVICE_UNAVAILABLE
+import org.springframework.stereotype.Service
+import org.springframework.web.ErrorResponseException
+import org.springframework.web.reactive.function.client.WebClient
+import org.springframework.web.reactive.function.client.WebClientRequestException
+import org.springframework.web.reactive.function.client.WebClientResponseException
+import org.springframework.web.server.ResponseStatusException
+
+private val log = KotlinLogging.logger {}
+
+@Service
+class AuthenticationService(
+    private val webClient: WebClient,
+    private val property: AccountRegistryProperty,
+) {
+
+    suspend fun authenticate(
+        request: Authentication.Request,
+    ): Authentication.Response = try {
+        webClient.accountRegistryAuthenticate(request, property)
+    } catch (e: ErrorResponseException) {
+        throw e
+    } catch (e: WebClientRequestException) {
+        log.error(e) { "Error device registry" }
+        throw ResponseStatusException(SERVICE_UNAVAILABLE)
+    } catch (e: WebClientResponseException) {
+        log.error(e) { "Error device registry" }
+        throw ResponseStatusException(INTERNAL_SERVER_ERROR)
+    }
+}

src/main/kotlin/ltd/hlaeja/service/DeviceRegistryService.kt

@@ -1,46 +1,37 @@
 package ltd.hlaeja.service
 
 import io.github.oshai.kotlinlogging.KotlinLogging
-import io.micrometer.core.instrument.Counter
-import io.micrometer.core.instrument.MeterRegistry
 import ltd.hlaeja.library.deviceRegistry.Device
 import ltd.hlaeja.property.DeviceRegistryProperty
 import ltd.hlaeja.util.deviceRegistryCreateDevice
+import org.springframework.http.HttpStatus.INTERNAL_SERVER_ERROR
 import org.springframework.http.HttpStatus.SERVICE_UNAVAILABLE
 import org.springframework.stereotype.Service
 import org.springframework.web.ErrorResponseException
 import org.springframework.web.reactive.function.client.WebClient
 import org.springframework.web.reactive.function.client.WebClientRequestException
+import org.springframework.web.reactive.function.client.WebClientResponseException
 import org.springframework.web.server.ResponseStatusException
 
 private val log = KotlinLogging.logger {}
 
 @Service
 class DeviceRegistryService(
-    meterRegistry: MeterRegistry,
     private val webClient: WebClient,
     private val deviceRegistryProperty: DeviceRegistryProperty,
 ) {
 
-    private val registerDeviceSuccess = Counter.builder("device.registry.success")
-        .description("Number of successful device registrations")
-        .register(meterRegistry)
-
-    private val registerDeviceFailure = Counter.builder("device.registry.failure")
-        .description("Number of failed device registrations")
-        .register(meterRegistry)
-
     suspend fun registerDevice(
         request: Device.Request,
     ): Device.Response = try {
         webClient.deviceRegistryCreateDevice(request, deviceRegistryProperty)
-            .also { registerDeviceSuccess.increment() }
     } catch (e: ErrorResponseException) {
-        registerDeviceFailure.increment()
         throw e
     } catch (e: WebClientRequestException) {
-        registerDeviceFailure.increment()
         log.error(e) { "Error device registry" }
         throw ResponseStatusException(SERVICE_UNAVAILABLE)
+    } catch (e: WebClientResponseException) {
+        log.error(e) { "Error device registry" }
+        throw ResponseStatusException(INTERNAL_SERVER_ERROR)
     }
 }

src/main/kotlin/ltd/hlaeja/util/WebClientCalls.kt

@@ -1,8 +1,14 @@
 package ltd.hlaeja.util
 
+import ltd.hlaeja.library.accountRegistry.Authentication
 import ltd.hlaeja.library.deviceRegistry.Device
+import ltd.hlaeja.property.AccountRegistryProperty
 import ltd.hlaeja.property.DeviceRegistryProperty
+import org.springframework.http.HttpStatus.BAD_REQUEST
+import org.springframework.http.HttpStatus.LOCKED
+import org.springframework.http.HttpStatus.NOT_FOUND
 import org.springframework.http.HttpStatus.REQUEST_TIMEOUT
+import org.springframework.http.HttpStatus.UNAUTHORIZED
 import org.springframework.web.reactive.function.client.WebClient
 import org.springframework.web.reactive.function.client.awaitBodyOrNull
 import org.springframework.web.server.ResponseStatusException
@@ -14,4 +20,17 @@ suspend fun WebClient.deviceRegistryCreateDevice(
     .uri("${property.url}/device".also(::logCall))
     .bodyValue(request)
     .retrieve()
+    .onStatus(BAD_REQUEST::equals) { throw ResponseStatusException(BAD_REQUEST) }
     .awaitBodyOrNull<Device.Response>() ?: throw ResponseStatusException(REQUEST_TIMEOUT)
+
+suspend fun WebClient.accountRegistryAuthenticate(
+    request: Authentication.Request,
+    property: AccountRegistryProperty,
+): Authentication.Response = post()
+    .uri("${property.url}/authenticate".also(::logCall))
+    .bodyValue(request)
+    .retrieve()
+    .onStatus(LOCKED::equals) { throw ResponseStatusException(UNAUTHORIZED) }
+    .onStatus(UNAUTHORIZED::equals) { throw ResponseStatusException(UNAUTHORIZED) }
+    .onStatus(NOT_FOUND::equals) { throw ResponseStatusException(NOT_FOUND) }
+    .awaitBodyOrNull<Authentication.Response>() ?: throw ResponseStatusException(REQUEST_TIMEOUT)

src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -24,6 +24,11 @@
       "name": "device-registry.url",
       "type": "java.lang.String",
       "description": "Url for device registry service."
+    },
+    {
+      "name": "account-registry.url",
+      "type": "java.lang.String",
+      "description": "Url for account registry service."
     }
   ]
 }

src/main/resources/application.yml

@@ -12,22 +12,20 @@ spring:
 
 management:
   endpoints:
-    enabled-by-default: false
+    access:
+      default: none
     web:
       exposure:
         include: "health,info"
   endpoint:
     health:
-      enabled: true
       show-details: always
+      access: read_only
     info:
-      enabled: true
-  influx:
-    metrics:
-      export:
-        api-version: v2
-        bucket: hlaeja
-        org: hlaeja_ltd
+      access: read_only
+
+jwt:
+  public-key: cert/public_key.pem
 
 ---
 ###############################
@@ -46,19 +44,12 @@ server:
     key-store-type: PKCS12
     key-store-password: password
 
+account-registry:
+  url: http://localhost:9050
+
 device-registry:
   url: http://localhost:9010
 
-management:
-  metrics:
-    tags:
-      application: register-api
-  influx:
-    metrics:
-      export:
-        enabled: false
-        token: %INFLUXDB_TOKEN%
-
 ---
 ##########################
 ### Docker environment ###
@@ -68,15 +59,6 @@ spring:
     activate:
       on-profile: docker
 
-management:
-  metrics:
-    tags:
-      application: register-api
-  influx:
-    metrics:
-      export:
-        uri: http://InfluxDB:8086
-
 server:
   port: 8443
   ssl:
@@ -85,6 +67,9 @@ server:
     key-store-type: PKCS12
     key-store-password: password
 
+account-registry:
+  url: http://AccountRegistry:8080
+
 device-registry:
   url: http://DeviceRegistry:8080
 

src/main/resources/logback-test.xml

@@ -1,11 +0,0 @@
-<configuration>
-  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
-    <encoder>
-      <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
-    </encoder>
-  </appender>
-  <root level="INFO">
-    <appender-ref ref="STDOUT"/>
-  </root>
-  <logger level="DEBUG" name="ltd.hlaeja"/>
-</configuration>

src/test/resources/application.yml

@@ -0,0 +1,6 @@
+jwt:
+  public-key: cert/valid-public-key.pem
+device-registry:
+  url: http://localhost
+account-registry:
+  url: http://localhost

src/test/resources/cert/valid-public-key.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3ZdlbISX729m5Ur1pVhg
+XIvazcgUt0T0G32ML0tfwQ4aWTfwPII0SQRThaN6eiiBMRa0V8JMih1LT8JmGgst
+dEx2nhMbVs/Osu8MhmP86c+HB/jPa1+0IR1TZKXoZoF52D2ZtoVf+mOWggAcm1R+
+V0Fj2cR/pgLkVt3GKUE2OokFC1iFUQFjThd1EzKcOv53TUek8FY8t66npQ4t3unD
+bXZKoGXMuXCqZVykMbGTUQFRuT3NAOXRrJP+UDeY2uM2Yk98J+8FtLDYD6jpmyi0
+ghv6k8pK1w1n5NI3atVv5ZMUeQZ36AXL8SZi1105mamhLVQ0e0JixoMOPh7ziFyv
+uwIDAQAB
+-----END PUBLIC KEY-----