Merge "Add keycloak integration"

5 files changed, 132 insertions, 3 deletions

diff --git a/aai-traversal/pom.xml b/aai-traversal/pom.xml
index 45c8ec8..5a78953 100644
--- a/aai-traversal/pom.xml
+++ b/aai-traversal/pom.xml
@@ -95,6 +95,7 @@
 		<schema.version.api.default>v23</schema.version.api.default>
 		<schema.version.list>v10,v11,v12,v13,v14,v15,v16,v17,v18,v19,v20,v21,v22,v23</schema.version.list>
 		<schema.uri.base.path>/aai</schema.uri.base.path>
+		<keycloak.version>11.0.2</keycloak.version>
 		<!-- End of Default ONAP Schema Properties -->
 	</properties>
 	<profiles>
@@ -688,7 +689,26 @@
 			<groupId>org.codehaus.plexus</groupId>
 			<artifactId>plexus-utils</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.keycloak</groupId>
+			<artifactId>keycloak-spring-boot-starter</artifactId>
+		</dependency>
 	</dependencies>
+	<dependencyManagement>
+		<dependencies>
+			<dependency>
+				<groupId>org.keycloak.bom</groupId>
+				<artifactId>keycloak-adapter-bom</artifactId>
+				<version>${keycloak.version}</version>
+				<type>pom</type>
+				<scope>import</scope>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
 	<build>
 		<resources>
 			<resource>
@@ -821,6 +841,15 @@
 		</pluginManagement>
 		<plugins>
 			<plugin>
+				<groupId>org.jacoco</groupId>
+				<artifactId>jacoco-maven-plugin</artifactId>
+				<configuration combine.children="append">
+					<excludes>
+						<exclude>**/*WebSecurityConfig.*</exclude>
+					</excludes>
+				</configuration>
+			</plugin>
+			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-clean-plugin</artifactId>
 				<version>2.4.1</version>
diff --git a/aai-traversal/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java b/aai-traversal/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java
new file mode 100644
index 0000000..c92d818
--- /dev/null
+++ b/aai-traversal/src/main/java/org/onap/aai/rest/security/WebSecurityConfig.java
@@ -0,0 +1,76 @@
+
+/**
+ * ============LICENSE_START=======================================================
+ * org.onap.aai
+ * ================================================================================
+ * Copyright (C) 2019 Nordix Foundation.
+ * Modifications Copyright (C) 2019 AT&T Intellectual Property.
+ * Modifications Copyright (C) 2020 Bell Canada.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * ============LICENSE_END=========================================================
+ */
+package org.onap.aai.rest.security;
+import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
+import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
+import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
+import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Import;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
+import org.springframework.security.core.session.SessionRegistryImpl;
+import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
+import org.springframework.security.web.session.HttpSessionEventPublisher;
+@Profile("keycloak")
+@KeycloakConfiguration
+@Import({KeycloakSpringBootConfigResolver.class})
+public class WebSecurityConfig extends KeycloakWebSecurityConfigurerAdapter {
+    @Autowired
+    public void configureGlobal(AuthenticationManagerBuilder auth) {
+        KeycloakAuthenticationProvider keycloakAuthenticationProvider
+                = keycloakAuthenticationProvider();
+        keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(
+                new SimpleAuthorityMapper());
+        auth.authenticationProvider(keycloakAuthenticationProvider);
+    }
+    @Bean
+    public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
+        return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
+    }
+    @Bean
+    @Override
+    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
+        return new RegisterSessionAuthenticationStrategy(
+                new SessionRegistryImpl());
+    }
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        super.configure(http);
+        http.authorizeRequests()
+                .antMatchers("/**")
+                .permitAll().and().csrf().disable();
+    }
+    @Override
+    public void configure(WebSecurity web) throws Exception {
+        web.ignoring().regexMatchers("^.*/util/echo$");
+    }
+}
diff --git a/aai-traversal/src/main/resources/application-keycloak.properties b/aai-traversal/src/main/resources/application-keycloak.properties
new file mode 100644
index 0000000..86adb59
--- /dev/null
+++ b/aai-traversal/src/main/resources/application-keycloak.properties
@@ -0,0 +1,13 @@
+spring.autoconfigure.exclude=\
+  org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\
+  org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration
+
+multi.tenancy.enabled=true
+keycloak.auth-server-url=http://localhost:8180/auth
+keycloak.realm=aai-traversal
+keycloak.resource=aai-traversal-app
+keycloak.public-client=false
+keycloak.principal-attribute=preferred_username
+
+keycloak.ssl-required=external
+keycloak.bearer-only=true
diff --git a/aai-traversal/src/main/resources/application.properties b/aai-traversal/src/main/resources/application.properties
index 14d6b64..a22f708 100644
--- a/aai-traversal/src/main/resources/application.properties
+++ b/aai-traversal/src/main/resources/application.properties
@@ -9,7 +9,11 @@ spring.jersey.type=filter
 spring.main.allow-bean-definition-overriding=true
 
 server.servlet.context-path=/
-spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration
+spring.autoconfigure.exclude=\
+  org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\
+  org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,\
+  org.keycloak.adapters.springboot.KeycloakAutoConfiguration,\
+  org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
 
 spring.jersey.application-path=${schema.uri.base.path}
 
@@ -27,7 +31,7 @@ server.basic.auth.location=${server.local.startpath}etc/auth/realm.properties
 
 server.port=8446
 server.ssl.enabled-protocols=TLSv1.1,TLSv1.2
-
+server.compression.excluded-user-agents=
 # By default spring boot jetty will exclude the following ciphers
 # We need to specifically add this to support tls v1.1
 server.ssl.ciphers=^.*_(MD5|SHA|SHA1)$
@@ -35,7 +39,10 @@ server.ssl.client-auth=want
 server.ssl.key-store-type=JKS
 
 # Start of Internal Specific Properties
+# Switch to one-way-ssl
 spring.profiles.active=production,one-way-ssl
+# Switch to keycloak
+#spring.profiles.active=production, keycloak
 ###
 server.certs.location=${server.local.startpath}etc/auth/
 server.keystore.name.pkcs12=aai_keystore
diff --git a/aai-traversal/src/test/resources/application-test.properties b/aai-traversal/src/test/resources/application-test.properties
index a433ab7..8994c2e 100644
--- a/aai-traversal/src/test/resources/application-test.properties
+++ b/aai-traversal/src/test/resources/application-test.properties
@@ -8,7 +8,11 @@ spring.application.name=aai-traversal
 spring.jersey.type=filter
 
 server.contextPath=/
-spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration
+spring.autoconfigure.exclude=\
+  org.springframework.boot.autoconfigure.jdbc.DataSourceAutoConfiguration,\
+  org.springframework.boot.autoconfigure.orm.jpa.HibernateJpaAutoConfiguration,\
+  org.keycloak.adapters.springboot.KeycloakAutoConfiguration,\
+  org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
 
 spring.jersey.application-path=${schema.uri.base.path}