From 696ebd9e433f2b6f890c6032a4febdb9d3ec8eb7 Mon Sep 17 00:00:00 2001
From: Rodrigo Lima <rodrigo.lima@yoppworks.com>
Date: Thu, 3 Sep 2020 11:54:27 -0400
Subject: Add keycloak integration

- The feature can be enabled by adding keycloak spring profile in application properties.

- Add keycloak springboot and spring security  adapter to pom
- Exclude keycloak and spring security autoconfiguration in application properties
- Add keycloak application properties that is activated when keycloak profile used
- Add WebSecurityConfig to config authorization

Issue-ID: AAI-3129
Signed-off-by: Rodrigo Lima <rodrigo.lima@yoppworks.com>
Change-Id: Iaa086b4075c03237388a997274d01bf8b8114b4d
---
 aai-resources/pom.xml                              | 30 +++++++-
 .../onap/aai/rest/security/WebSecurityConfig.java  | 86 ++++++++++++++++++++++
 .../main/resources/application-keycloak.properties | 16 ++++
 .../src/main/resources/application.properties      |  4 +-
 .../src/test/resources/application-test.properties |  6 +-
 5 files changed, 139 insertions(+), 3 deletions(-)
 create mode 100644 aai-resources/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java
 create mode 100644 aai-resources/src/main/resources/application-keycloak.properties

diff --git a/aai-resources/pom.xml b/aai-resources/pom.xml
index 828b91a..a54f79d 100644
--- a/aai-resources/pom.xml
+++ b/aai-resources/pom.xml
@@ -77,7 +77,7 @@
         <schema.ingest.file>${project.basedir}/src/main/resources/application.properties</schema.ingest.file>
 
         <!-- End of Default ONAP Schema Properties -->
-
+        <keycloak.version>11.0.2</keycloak.version>
         <!-- Setting some default value to not complain by editor but it will be overridden by gmaven plugin -->
     </properties>
     <profiles>
@@ -607,7 +607,26 @@
             <groupId>org.apache.tinkerpop</groupId>
             <artifactId>gremlin-groovy</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-spring-boot-starter</artifactId>
+        </dependency>
     </dependencies>
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.keycloak.bom</groupId>
+                <artifactId>keycloak-adapter-bom</artifactId>
+                <version>${keycloak.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
     <build>
         <resources>
             <resource>
@@ -859,6 +878,15 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.jacoco</groupId>
+                <artifactId>jacoco-maven-plugin</artifactId>
+                <configuration combine.children="append">
+                    <excludes>
+                        <exclude>**/*WebSecurityConfig.*</exclude>
+                    </excludes>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
     <reporting>
diff --git a/aai-resources/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java b/aai-resources/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java
new file mode 100644
index 0000000..2b67c40
--- /dev/null
+++ b/aai-resources/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java
@@ -0,0 +1,86 @@
+/**
+ * ============LICENSE_START=======================================================
+ * org.onap.aai
+ * ================================================================================
+ * Copyright (C) 2019 Nordix Foundation.
+ * Modifications Copyright (C) 2019 AT&T Intellectual Property.
+ * Modifications Copyright (C) 2020 Bell Canada.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aai.rest.security;
+
+import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
+import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
+import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
+import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Import;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
+import org.springframework.security.core.session.SessionRegistryImpl;
+import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
+import org.springframework.security.web.session.HttpSessionEventPublisher;
+
+@Profile("keycloak")
+@KeycloakConfiguration
+@Import({KeycloakSpringBootConfigResolver.class})
+public class WebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
+
+    @Autowired
+    public void configureGlobal(AuthenticationManagerBuilder auth) {
+        KeycloakAuthenticationProvider keycloakAuthenticationProvider
+            = keycloakAuthenticationProvider();
+        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(
+            new SimpleAuthorityMapper());
+        auth.authenticationProvider(keycloakAuthenticationProvider);
+    }
+
+    @Bean
+    public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
+        return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
+    }
+
+    @Bean
+    @Override
+    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
+        return new RegisterSessionAuthenticationStrategy(
+            new SessionRegistryImpl());
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        super.configure(http);
+        http.authorizeRequests()
+            .antMatchers("/**")
+            .hasAnyRole("admin")
+            .anyRequest()
+            .permitAll().and().csrf().disable();
+    }
+
+    @Override
+    public void configure(WebSecurity web) throws Exception {
+        web.ignoring().regexMatchers("^.*/util/echo$");
+    }
+
+
+}
diff --git a/aai-resources/src/main/resources/application-keycloak.properties b/aai-resources/src/main/resources/application-keycloak.properties
new file mode 100644
index 0000000..538abfc
--- /dev/null
+++ b/aai-resources/src/main/resources/application-keycloak.properties
@@ -0,0 +1,16 @@
+
+spring.autoconfigure.exclude=\
+  org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\
+  org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration
+
+
+keycloak.auth-server-url=http://localhost:8180/auth
+keycloak.realm=aai-resources
+keycloak.resource=aai-resources-app
+keycloak.public-client=true
+keycloak.principal-attribute=preferred_username
+
+keycloak.ssl-required=external
+#keycloak.use-resource-role-mappings=true
+#keycloak.credentials.secret=cd18afc8-9c96-4723-b9b3-0017ad615500
+keycloak.bearer-only=true
\ No newline at end of file
diff --git a/aai-resources/src/main/resources/application.properties b/aai-resources/src/main/resources/application.properties
index 0366e33..86bc0d5 100644
--- a/aai-resources/src/main/resources/application.properties
+++ b/aai-resources/src/main/resources/application.properties
@@ -11,7 +11,9 @@ spring.main.allow-bean-definition-overriding=true
 server.servlet.context-path=/
 spring.autoconfigure.exclude=\
   org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\
-  org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration
+  org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,\
+  org.keycloak.adapters.springboot.KeycloakAutoConfiguration,\
+  org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
 
 spring.jersey.application-path=${schema.uri.base.path}
 
diff --git a/aai-resources/src/test/resources/application-test.properties b/aai-resources/src/test/resources/application-test.properties
index e8a4703..b96b9ce 100644
--- a/aai-resources/src/test/resources/application-test.properties
+++ b/aai-resources/src/test/resources/application-test.properties
@@ -11,7 +11,11 @@ server.servlet.context-path=/
 
 spring.jersey.application-path=${schema.uri.base.path}
 
-spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration
+spring.autoconfigure.exclude=\
+  org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\
+  org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,\
+  org.keycloak.adapters.springboot.KeycloakAutoConfiguration,\
+  org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
 
 spring.profiles.active=production
 #The max number of active threads in this pool
-- 
cgit 1.2.3-korg