[RELEASE] - release version: 0.2.0

- add catch WebClientResponseException to registerDevice in DeviceRegistryService
- add handle BAD_REQUEST to WebClient deviceRegistryCreateDevice in WebClientCalls.kt

.gitignore

@@ -39,5 +39,5 @@ out/
 ### Kotlin ###
 .kotlin
 
-### cert ###
+#### Hlæja ###
-cert/
+/cert/

README.md

@@ -12,6 +12,8 @@ Classes and endpoints, to shape and to steer, Devices and sensors, their purpose
 | server.ssl.key-store                         | ✓  | HTTP Keystore                                |
 | server.ssl.key-store-type                    | ✓  | HTTP Cert Type                               |
 | server.ssl.key-store-password                | ✗  | HTTP Cert Pass                               |
+| jwt.public-key                               | ✓  | JWT public key file                          |
+| account-registry.url                         | ✓  | Account Register URL                         |
 | device-registry.url                          | ✓  | Device Register URL                          |
 | management.influx.metrics.export.api-version |          | InfluxDB API version                         |
 | management.influx.metrics.export.enabled     |          | Enable/Disable exporting metrics to InfluxDB |
@@ -29,11 +31,16 @@ Run `release.sh` script from `master` branch.
 
 ## Development Configuration
 
-
 ### Developer Keystore
 
 We use a keystore to enable HTTPS for our API. To set up your developer environment for local development, please refer to [generate keystore](https://github.com/swordsteel/hlaeja-development/blob/master/doc/keystore.md) documentation. When generating and exporting the certificate for local development, please store it in the `./cert/keystore.p12` folder at the project root.
 
+### Public RSA Key
+
+This service uses the public key from **[Hlæja Account Register](https://github.com/swordsteel/hlaeja-account-registry)** to identify users. To set up user identification for local development, copy the `public_key.pem` file from the `./cert` directory in **Hlæja Account Register** into the `./cert` directory of this project.
+
+*Note: For more information on generating RSA keys, please refer to our [generate RSA key](https://github.com/swordsteel/hlaeja-development/blob/master/doc/rsa_key.md) documentation.*
+
 ### Global Settings
 
 This services rely on a set of global settings to configure development environments. These settings, managed through Gradle properties or environment variables.

build.gradle.kts

@@ -11,12 +11,15 @@ plugins {
 
 dependencies {
     implementation(hlaeja.fasterxml.jackson.module.kotlin)
+    implementation(hlaeja.jjwt.api)
     implementation(hlaeja.kotlin.logging)
     implementation(hlaeja.kotlin.reflect)
     implementation(hlaeja.kotlinx.coroutines)
     implementation(hlaeja.library.hlaeja.common.messages)
+    implementation(hlaeja.library.hlaeja.jwt)
     implementation(hlaeja.micrometer.registry.influx)
     implementation(hlaeja.springboot.starter.actuator)
+    implementation(hlaeja.springboot.starter.security)
     implementation(hlaeja.springboot.starter.webflux)
 
     testImplementation(hlaeja.mockk)

gradle.properties

@@ -1,6 +1,6 @@
 kotlin.code.style=official
-version=0.1.0
+version=0.2.0
-catalog=0.7.0
+catalog=0.8.0
 docker.port.expose=8443
 container.port.expose=8443
 container.port.host=9040

http/authentication.http

@@ -0,0 +1,8 @@
+### account login
+POST {{hostname}}/login
+Content-Type: application/json
+
+{
+    "username": "username",
+    "password": "password"
+}

http/http-client.env.json

@@ -1,8 +1,10 @@
 {
-    "development": {
+  "development": {
-        "hostname": "https://localhost:8443"
+    "hostname": "https://localhost:8443",
-    },
+    "token": ""
-    "docker": {
+  },
-        "hostname": "https://localhost:9040"
+  "docker": {
-    }
+    "hostname": "https://localhost:9040",
+    "token": ""
+  }
 }

http/registry.http

@@ -1,5 +1,6 @@
 ### register device for a type
 POST {{hostname}}/register
+Authorization: Bearer {{token}}
 Content-Type: application/json
 
 {

src/main/kotlin/ltd/hlaeja/Application.kt

@@ -1,11 +1,13 @@
 package ltd.hlaeja
 
+import ltd.hlaeja.property.AccountRegistryProperty
 import ltd.hlaeja.property.DeviceRegistryProperty
 import org.springframework.boot.autoconfigure.SpringBootApplication
 import org.springframework.boot.context.properties.EnableConfigurationProperties
 import org.springframework.boot.runApplication
 
 @EnableConfigurationProperties(
+    AccountRegistryProperty::class,
     DeviceRegistryProperty::class,
 )
 @SpringBootApplication

src/main/kotlin/ltd/hlaeja/configuration/SecurityConfiguration.kt

@@ -0,0 +1,60 @@
+package ltd.hlaeja.configuration
+
+import ltd.hlaeja.security.JwtAuthenticationConverter
+import ltd.hlaeja.security.JwtAuthenticationManager
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
+import org.springframework.security.config.web.server.SecurityWebFiltersOrder.AUTHENTICATION
+import org.springframework.security.config.web.server.ServerHttpSecurity
+import org.springframework.security.config.web.server.ServerHttpSecurity.AuthorizeExchangeSpec
+import org.springframework.security.config.web.server.ServerHttpSecurity.CsrfSpec
+import org.springframework.security.config.web.server.ServerHttpSecurity.FormLoginSpec
+import org.springframework.security.config.web.server.ServerHttpSecurity.HttpBasicSpec
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder
+import org.springframework.security.crypto.password.PasswordEncoder
+import org.springframework.security.web.server.SecurityWebFilterChain
+import org.springframework.security.web.server.authentication.AuthenticationWebFilter
+
+@Configuration
+@EnableWebFluxSecurity
+class SecurityConfiguration {
+    @Bean
+    fun passwordEncoder(): PasswordEncoder = BCryptPasswordEncoder()
+
+    @Bean
+    fun securityWebFilterChain(
+        serverHttpSecurity: ServerHttpSecurity,
+        jwtAuthenticationManager: JwtAuthenticationManager,
+        jwtAuthenticationConverter: JwtAuthenticationConverter,
+    ): SecurityWebFilterChain = serverHttpSecurity
+        .authorizeExchange(::authorizeExchange)
+        .httpBasic(::httpBasic)
+        .formLogin(::formLogin)
+        .csrf(::csrf)
+        .addFilterAt(
+            AuthenticationWebFilter(jwtAuthenticationManager).apply {
+                setServerAuthenticationConverter(jwtAuthenticationConverter)
+            },
+            AUTHENTICATION,
+        )
+        .build()
+
+    private fun csrf(
+        csrf: CsrfSpec,
+    ) = csrf.disable()
+
+    private fun formLogin(
+        formLogin: FormLoginSpec,
+    ) = formLogin.disable()
+
+    private fun httpBasic(
+        httpBasic: HttpBasicSpec,
+    ) = httpBasic.disable()
+
+    private fun authorizeExchange(
+        authorizeExchange: AuthorizeExchangeSpec,
+    ) = authorizeExchange
+        .pathMatchers("/login").permitAll()
+        .anyExchange().hasRole("REGISTRY")
+}

src/main/kotlin/ltd/hlaeja/controller/AuthenticationController.kt

@@ -0,0 +1,18 @@
+package ltd.hlaeja.controller
+
+import ltd.hlaeja.library.accountRegistry.Authentication
+import ltd.hlaeja.service.AuthenticationService
+import org.springframework.web.bind.annotation.PostMapping
+import org.springframework.web.bind.annotation.RequestBody
+import org.springframework.web.bind.annotation.RestController
+
+@RestController
+class AuthenticationController(
+    private val authenticationService: AuthenticationService,
+) {
+
+    @PostMapping("/login")
+    suspend fun addDevice(
+        @RequestBody request: Authentication.Request,
+    ): Authentication.Response = authenticationService.authenticate(request)
+}

src/main/kotlin/ltd/hlaeja/property/AccountRegistryProperty.kt

@@ -0,0 +1,8 @@
+package ltd.hlaeja.property
+
+import org.springframework.boot.context.properties.ConfigurationProperties
+
+@ConfigurationProperties(prefix = "account-registry")
+data class AccountRegistryProperty(
+    val url: String,
+)

src/main/kotlin/ltd/hlaeja/security/JwtAuthenticationConverter.kt

@@ -0,0 +1,55 @@
+package ltd.hlaeja.security
+
+import io.github.oshai.kotlinlogging.KotlinLogging
+import io.jsonwebtoken.JwtException
+import java.util.UUID
+import ltd.hlaeja.jwt.service.PublicJwtService
+import org.springframework.http.HttpStatus.UNAUTHORIZED
+import org.springframework.security.core.Authentication
+import org.springframework.security.core.authority.SimpleGrantedAuthority
+import org.springframework.security.web.server.authentication.ServerAuthenticationConverter
+import org.springframework.stereotype.Component
+import org.springframework.web.server.ResponseStatusException
+import org.springframework.web.server.ServerWebExchange
+import reactor.core.publisher.Mono
+
+private val log = KotlinLogging.logger {}
+
+@Component
+class JwtAuthenticationConverter(
+    private val publicJwtService: PublicJwtService,
+) : ServerAuthenticationConverter {
+
+    companion object {
+        private const val BEARER = "Bearer "
+        private const val AUTHORIZATION = "Authorization"
+    }
+
+    override fun convert(
+        exchange: ServerWebExchange,
+    ): Mono<Authentication> = Mono.justOrEmpty(exchange.request.headers.getFirst(AUTHORIZATION))
+        .filter { it.startsWith(BEARER) }
+        .map { it.removePrefix(BEARER) }
+        .flatMap { token ->
+            try {
+                Mono.just(jwtAuthenticationToken(token))
+            } catch (e: JwtException) {
+                log.error(e) { "${e.message}" }
+                Mono.error(ResponseStatusException(UNAUTHORIZED))
+            }
+        }
+
+    private fun jwtAuthenticationToken(token: String) = publicJwtService.verify(token) { claims ->
+        JwtAuthenticationToken(
+            JwtUserDetails(
+                UUID.fromString(claims.payload["id"] as String),
+                claims.payload["username"] as String,
+            ),
+            token,
+            (claims.payload["role"] as String).split(",")
+                .map { SimpleGrantedAuthority(it) }
+                .toMutableList(),
+            true,
+        )
+    }
+}

src/main/kotlin/ltd/hlaeja/security/JwtAuthenticationManager.kt

@@ -0,0 +1,27 @@
+package ltd.hlaeja.security
+
+import org.springframework.security.authentication.ReactiveAuthenticationManager
+import org.springframework.security.core.Authentication
+import org.springframework.security.core.AuthenticationException
+import org.springframework.stereotype.Component
+import reactor.core.publisher.Mono
+
+@Component
+class JwtAuthenticationManager : ReactiveAuthenticationManager {
+
+    override fun authenticate(
+        authentication: Authentication,
+    ): Mono<Authentication> = if (authentication is JwtAuthenticationToken) {
+        handleJwtToken(authentication)
+    } else {
+        Mono.error(object : AuthenticationException("Unsupported authentication type") {})
+    }
+
+    private fun handleJwtToken(
+        token: JwtAuthenticationToken,
+    ): Mono<Authentication> = if (token.isAuthenticated) {
+        Mono.just(token)
+    } else {
+        Mono.error(object : AuthenticationException("Invalid or expired JWT token") {})
+    }
+}

src/main/kotlin/ltd/hlaeja/security/JwtAuthenticationToken.kt

@@ -0,0 +1,28 @@
+package ltd.hlaeja.security
+
+import org.springframework.security.core.Authentication
+import org.springframework.security.core.GrantedAuthority
+
+data class JwtAuthenticationToken(
+    private val jwtUserDetails: JwtUserDetails,
+    private val token: String,
+    private var authorities: MutableCollection<out GrantedAuthority>,
+    private var authenticated: Boolean = false,
+) : Authentication {
+
+    override fun getName(): String = "Bearer Token"
+
+    override fun getAuthorities(): MutableCollection<out GrantedAuthority> = authorities
+
+    override fun getCredentials(): Any = token
+
+    override fun getDetails(): Any? = null
+
+    override fun getPrincipal(): Any = jwtUserDetails
+
+    override fun isAuthenticated(): Boolean = authenticated
+
+    override fun setAuthenticated(isAuthenticated: Boolean) {
+        authenticated = isAuthenticated
+    }
+}

src/main/kotlin/ltd/hlaeja/security/JwtUserDetails.kt

@@ -0,0 +1,8 @@
+package ltd.hlaeja.security
+
+import java.util.UUID
+
+data class JwtUserDetails(
+    val id: UUID,
+    val username: String,
+)

src/main/kotlin/ltd/hlaeja/service/AuthenticationService.kt

@@ -0,0 +1,52 @@
+package ltd.hlaeja.service
+
+import io.github.oshai.kotlinlogging.KotlinLogging
+import io.micrometer.core.instrument.Counter
+import io.micrometer.core.instrument.MeterRegistry
+import ltd.hlaeja.library.accountRegistry.Authentication
+import ltd.hlaeja.property.AccountRegistryProperty
+import ltd.hlaeja.util.accountRegistryAuthenticate
+import org.springframework.http.HttpStatus.INTERNAL_SERVER_ERROR
+import org.springframework.http.HttpStatus.SERVICE_UNAVAILABLE
+import org.springframework.stereotype.Service
+import org.springframework.web.ErrorResponseException
+import org.springframework.web.reactive.function.client.WebClient
+import org.springframework.web.reactive.function.client.WebClientRequestException
+import org.springframework.web.reactive.function.client.WebClientResponseException
+import org.springframework.web.server.ResponseStatusException
+
+private val log = KotlinLogging.logger {}
+
+@Service
+class AuthenticationService(
+    meterRegistry: MeterRegistry,
+    private val webClient: WebClient,
+    private val property: AccountRegistryProperty,
+) {
+
+    private val accountRegistrySuccess = Counter.builder("account.registry.success")
+        .description("Number of successful account registry calls")
+        .register(meterRegistry)
+
+    private val accountRegistryFailure = Counter.builder("account.registry.failure")
+        .description("Number of failed account registry calls")
+        .register(meterRegistry)
+
+    suspend fun authenticate(
+        request: Authentication.Request,
+    ): Authentication.Response = try {
+        webClient.accountRegistryAuthenticate(request, property)
+            .also { accountRegistrySuccess.increment() }
+    } catch (e: ErrorResponseException) {
+        accountRegistryFailure.increment()
+        throw e
+    } catch (e: WebClientRequestException) {
+        accountRegistryFailure.increment()
+        log.error(e) { "Error device registry" }
+        throw ResponseStatusException(SERVICE_UNAVAILABLE)
+    } catch (e: WebClientResponseException) {
+        accountRegistryFailure.increment()
+        log.error(e) { "Error device registry" }
+        throw ResponseStatusException(INTERNAL_SERVER_ERROR)
+    }
+}

src/main/kotlin/ltd/hlaeja/service/DeviceRegistryService.kt

@@ -6,11 +6,13 @@ import io.micrometer.core.instrument.MeterRegistry
 import ltd.hlaeja.library.deviceRegistry.Device
 import ltd.hlaeja.property.DeviceRegistryProperty
 import ltd.hlaeja.util.deviceRegistryCreateDevice
+import org.springframework.http.HttpStatus.INTERNAL_SERVER_ERROR
 import org.springframework.http.HttpStatus.SERVICE_UNAVAILABLE
 import org.springframework.stereotype.Service
 import org.springframework.web.ErrorResponseException
 import org.springframework.web.reactive.function.client.WebClient
 import org.springframework.web.reactive.function.client.WebClientRequestException
+import org.springframework.web.reactive.function.client.WebClientResponseException
 import org.springframework.web.server.ResponseStatusException
 
 private val log = KotlinLogging.logger {}
@@ -42,5 +44,9 @@ class DeviceRegistryService(
         registerDeviceFailure.increment()
         log.error(e) { "Error device registry" }
         throw ResponseStatusException(SERVICE_UNAVAILABLE)
+    } catch (e: WebClientResponseException) {
+        registerDeviceFailure.increment()
+        log.error(e) { "Error device registry" }
+        throw ResponseStatusException(INTERNAL_SERVER_ERROR)
     }
 }

src/main/kotlin/ltd/hlaeja/util/WebClientCalls.kt

@@ -1,8 +1,14 @@
 package ltd.hlaeja.util
 
+import ltd.hlaeja.library.accountRegistry.Authentication
 import ltd.hlaeja.library.deviceRegistry.Device
+import ltd.hlaeja.property.AccountRegistryProperty
 import ltd.hlaeja.property.DeviceRegistryProperty
+import org.springframework.http.HttpStatus.BAD_REQUEST
+import org.springframework.http.HttpStatus.LOCKED
+import org.springframework.http.HttpStatus.NOT_FOUND
 import org.springframework.http.HttpStatus.REQUEST_TIMEOUT
+import org.springframework.http.HttpStatus.UNAUTHORIZED
 import org.springframework.web.reactive.function.client.WebClient
 import org.springframework.web.reactive.function.client.awaitBodyOrNull
 import org.springframework.web.server.ResponseStatusException
@@ -14,4 +20,17 @@ suspend fun WebClient.deviceRegistryCreateDevice(
     .uri("${property.url}/device".also(::logCall))
     .bodyValue(request)
     .retrieve()
+    .onStatus(BAD_REQUEST::equals) { throw ResponseStatusException(BAD_REQUEST) }
     .awaitBodyOrNull<Device.Response>() ?: throw ResponseStatusException(REQUEST_TIMEOUT)
+
+suspend fun WebClient.accountRegistryAuthenticate(
+    request: Authentication.Request,
+    property: AccountRegistryProperty,
+): Authentication.Response = post()
+    .uri("${property.url}/authenticate".also(::logCall))
+    .bodyValue(request)
+    .retrieve()
+    .onStatus(LOCKED::equals) { throw ResponseStatusException(UNAUTHORIZED) }
+    .onStatus(UNAUTHORIZED::equals) { throw ResponseStatusException(UNAUTHORIZED) }
+    .onStatus(NOT_FOUND::equals) { throw ResponseStatusException(NOT_FOUND) }
+    .awaitBodyOrNull<Authentication.Response>() ?: throw ResponseStatusException(REQUEST_TIMEOUT)

src/main/resources/META-INF/additional-spring-configuration-metadata.json

@@ -24,6 +24,11 @@
       "name": "device-registry.url",
       "type": "java.lang.String",
       "description": "Url for device registry service."
+    },
+    {
+      "name": "account-registry.url",
+      "type": "java.lang.String",
+      "description": "Url for account registry service."
     }
   ]
 }

src/main/resources/application.yml

@@ -29,6 +29,9 @@ management:
         bucket: hlaeja
         org: hlaeja_ltd
 
+jwt:
+  public-key: cert/public_key.pem
+
 ---
 ###############################
 ### Development environment ###
@@ -46,6 +49,9 @@ server:
     key-store-type: PKCS12
     key-store-password: password
 
+account-registry:
+  url: http://localhost:9050
+
 device-registry:
   url: http://localhost:9010
 
@@ -85,6 +91,9 @@ server:
     key-store-type: PKCS12
     key-store-password: password
 
+account-registry:
+  url: http://AccountRegistry:8080
+
 device-registry:
   url: http://DeviceRegistry:8080
 

src/test/resources/application.yml

@@ -0,0 +1,6 @@
+jwt:
+  public-key: cert/valid-public-key.pem
+device-registry:
+  url: http://localhost
+account-registry:
+  url: http://localhost

src/test/resources/cert/valid-public-key.pem

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3ZdlbISX729m5Ur1pVhg
+XIvazcgUt0T0G32ML0tfwQ4aWTfwPII0SQRThaN6eiiBMRa0V8JMih1LT8JmGgst
+dEx2nhMbVs/Osu8MhmP86c+HB/jPa1+0IR1TZKXoZoF52D2ZtoVf+mOWggAcm1R+
+V0Fj2cR/pgLkVt3GKUE2OokFC1iFUQFjThd1EzKcOv53TUek8FY8t66npQ4t3unD
+bXZKoGXMuXCqZVykMbGTUQFRuT3NAOXRrJP+UDeY2uM2Yk98J+8FtLDYD6jpmyi0
+ghv6k8pK1w1n5NI3atVv5ZMUeQZ36AXL8SZi1105mamhLVQ0e0JixoMOPh7ziFyv
+uwIDAQAB
+-----END PUBLIC KEY-----