#1946 fix devops oauth subjects not being configured correctly with e…

…nvironment variable Signed-off-by: Thomas Jäckle <thomas.jaeckle@beyonnex.io>
eclipse-ditto · Jun 10, 2024 · bd4e92d · bd4e92d
1 parent ccc4074
commit bd4e92d
Show file tree

Hide file tree

Showing 9 changed files with 72 additions and 38 deletions.
diff --git a/deployment/helm/ditto/templates/gateway-deployment.yaml b/deployment/helm/ditto/templates/gateway-deployment.yaml
@@ -149,6 +149,12 @@ spec:
                 "{{ printf "%s%s%s%d=%s" "-Dditto.gateway.authentication.devops.oauth.openid-connect-issuers." $key ".auth-subjects." $index $subject }}"
                 {{- end }}
                 {{- end }}
+                {{- range $index, $oauthSubject := .Values.gateway.config.authentication.devops.oauthSubjects }}
+                "{{ printf "%s%d=%s" "-Dditto.gateway.authentication.devops.devops-oauth2-subjects." $index $oauthSubject }}"
+                {{- end }}
+                {{- range $index, $oauthSubject := .Values.gateway.config.authentication.devops.statusOauthSubjects }}
+                "{{ printf "%s%d=%s" "-Dditto.gateway.authentication.devops.status-oauth2-subjects." $index $oauthSubject }}"
+                {{- end }}
                 {{ join " " .Values.gateway.systemProps }}
             - name: CLUSTER_BS_REQUIRED_CONTACTS
               value: "{{ .Values.global.cluster.requiredContactPoints }}"
@@ -191,10 +197,6 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.gateway.config.authentication.devops.existingSecret | default ( printf "%s-gateway-secret" ( include "ditto.fullname" . )) }}
                   key: devops-password
-            {{- range $index, $oauthSubject := .Values.gateway.config.authentication.devops.oauthSubjects }}
-            - name: DEVOPS_OAUTH2_SUBJECTS.{{ $index }}
-              value: "{{ $oauthSubject }}"
-            {{- end }}
             - name: DEVOPS_STATUS_SECURED
               value: "{{ .Values.gateway.config.authentication.devops.statusSecured }}"
             - name: STATUS_AUTHENTICATION_METHOD
@@ -204,10 +206,6 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.gateway.config.authentication.devops.existingSecret | default ( printf "%s-gateway-secret" ( include "ditto.fullname" . )) }}
                   key: status-password
-            {{- range $index, $oauthSubject := .Values.gateway.config.authentication.devops.statusOauthSubjects }}
-            - name: STATUS_OAUTH2_SUBJECTS.{{ $index }}
-              value: "{{ $oauthSubject }}"
-            {{- end }}
             - name: WS_SUBSCRIBER_BACKPRESSURE
               value: "{{ .Values.gateway.config.websocket.subscriber.backpressureQueueSize }}"
             - name: WS_PUBLISHER_BACKPRESSURE

diff --git a/...y/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/EndpointTestBase.java b/...y/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/EndpointTestBase.java
@@ -72,6 +72,7 @@
 import org.eclipse.ditto.internal.utils.cache.config.CacheConfig;
 import org.eclipse.ditto.internal.utils.cache.config.DefaultCacheConfig;
 import org.eclipse.ditto.internal.utils.config.DefaultScopedConfig;
+import org.eclipse.ditto.internal.utils.config.ScopedConfig;
 import org.eclipse.ditto.internal.utils.health.StatusInfo;
 import org.eclipse.ditto.internal.utils.health.cluster.ClusterStatus;
 import org.eclipse.ditto.internal.utils.http.DefaultHttpClientFacade;
@@ -127,9 +128,10 @@ public abstract class EndpointTestBase extends JUnitRouteTest {
 
     @BeforeClass
     public static void initTestFixture() {
-        final var dittoScopedConfig = DefaultScopedConfig.dittoScoped(createTestConfig());
+        final Config testConfig = createTestConfig();
+        final var dittoScopedConfig = DefaultScopedConfig.dittoScoped(testConfig);
         final var gatewayScopedConfig = DefaultScopedConfig.newInstance(dittoScopedConfig, "gateway");
-        final var actorSystem = ActorSystem.create(EndpointTestBase.class.getSimpleName(), createTestConfig());
+        final var actorSystem = ActorSystem.create(EndpointTestBase.class.getSimpleName(), testConfig);
         httpConfig = GatewayHttpConfig.of(gatewayScopedConfig);
         healthCheckConfig = DefaultHealthCheckConfig.of(gatewayScopedConfig);
         commandConfig = DefaultCommandConfig.of(gatewayScopedConfig);
@@ -144,7 +146,8 @@ public static void initTestFixture() {
         httpClientFacade =
                 DefaultHttpClientFacade.getInstance(actorSystem,
                         DefaultHttpProxyConfig.ofProxy(DefaultScopedConfig.empty("/")));
-        authorizationSubjectsProvider = JwtAuthorizationSubjectsProvider.get(actorSystem, ConfigFactory.empty());
+        authorizationSubjectsProvider = JwtAuthorizationSubjectsProvider.get(actorSystem,
+                ScopedConfig.dittoExtension(testConfig));
         jwtAuthenticationFactory = JwtAuthenticationFactory.newInstance(authConfig.getOAuthConfig(),
                 cacheConfig,
                 httpClientFacade,

diff --git a/...rvice/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/RootRouteTest.java b/...rvice/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/RootRouteTest.java
@@ -24,6 +24,14 @@
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
 
+import org.apache.pekko.actor.ActorSystem;
+import org.apache.pekko.http.javadsl.model.HttpRequest;
+import org.apache.pekko.http.javadsl.model.StatusCodes;
+import org.apache.pekko.http.javadsl.model.headers.Location;
+import org.apache.pekko.http.javadsl.model.headers.RawHeader;
+import org.apache.pekko.http.javadsl.testkit.TestRoute;
+import org.apache.pekko.http.javadsl.testkit.TestRouteResult;
+import org.apache.pekko.stream.SystemMaterializer;
 import org.eclipse.ditto.base.model.headers.DittoHeaderDefinition;
 import org.eclipse.ditto.base.model.headers.DittoHeaders;
 import org.eclipse.ditto.base.model.json.JsonSchemaVersion;
@@ -70,15 +78,6 @@
 
 import com.typesafe.config.ConfigFactory;
 
-import org.apache.pekko.actor.ActorSystem;
-import org.apache.pekko.http.javadsl.model.HttpRequest;
-import org.apache.pekko.http.javadsl.model.StatusCodes;
-import org.apache.pekko.http.javadsl.model.headers.Location;
-import org.apache.pekko.http.javadsl.model.headers.RawHeader;
-import org.apache.pekko.http.javadsl.testkit.TestRoute;
-import org.apache.pekko.http.javadsl.testkit.TestRouteResult;
-import org.apache.pekko.stream.SystemMaterializer;
-
 /**
  * Tests {@link RootRoute}.
  */
@@ -137,12 +136,12 @@ public void setUp() {
         final var statusAndHealthProvider = DittoStatusAndHealthProviderFactory.of(routeBaseProperties.getActorSystem(),
                 clusterStatusSupplier,
                 healthCheckConfig);
+        final var dittoExtensionConfig =
+                ScopedConfig.dittoExtension(routeBaseProperties.getActorSystem().settings().config());
         final var devopsAuthenticationDirectiveFactory =
                 DevopsAuthenticationDirectiveFactory.newInstance(jwtAuthenticationFactory,
-                        authConfig.getDevOpsConfig());
+                        authConfig.getDevOpsConfig(), dittoExtensionConfig);
         final var devOpsAuthenticationDirective = devopsAuthenticationDirectiveFactory.devops();
-        final var dittoExtensionConfig =
-                ScopedConfig.dittoExtension(routeBaseProperties.getActorSystem().settings().config());
         final var rootRoute = RootRoute.getBuilder(httpConfig)
                 .statsRoute(new StatsRoute(routeBaseProperties, devOpsAuthenticationDirective))
                 .statusRoute(new StatusRoute(clusterStatusSupplier,

diff --git a/.../org/eclipse/ditto/gateway/service/endpoints/routes/connections/ConnectionsRouteTest.java b/.../org/eclipse/ditto/gateway/service/endpoints/routes/connections/ConnectionsRouteTest.java
@@ -96,7 +96,7 @@ public void setUp() {
         final DevopsAuthenticationDirective devopsAuthenticationDirective = Mockito.mock(
                 DevopsAuthenticationDirective.class);
         Mockito.when(devopsAuthenticationDirective.authenticateDevOps(Mockito.any(), Mockito.any(), Mockito.any()))
-                .thenAnswer(a -> a.getArguments()[1]);
+                .thenAnswer(a -> a.getArguments()[2]);
         final var connectionsRoute = new ConnectionsRoute(routeBaseProperties, devopsAuthenticationDirective);
         final Route route =
                 extractRequestContext(ctx -> connectionsRoute.buildConnectionsRoute(ctx, dittoHeaders));

diff --git a/.../test/java/org/eclipse/ditto/gateway/service/endpoints/routes/devops/DevOpsRouteTest.java b/.../test/java/org/eclipse/ditto/gateway/service/endpoints/routes/devops/DevOpsRouteTest.java
@@ -14,28 +14,29 @@
 package org.eclipse.ditto.gateway.service.endpoints.routes.devops;
 
 import java.util.Collections;
+import java.util.UUID;
 
+import org.apache.pekko.http.javadsl.model.ContentTypes;
+import org.apache.pekko.http.javadsl.model.HttpEntities;
+import org.apache.pekko.http.javadsl.model.HttpRequest;
+import org.apache.pekko.http.javadsl.model.RequestEntity;
+import org.apache.pekko.http.javadsl.model.StatusCodes;
+import org.apache.pekko.http.javadsl.server.Route;
+import org.apache.pekko.http.javadsl.testkit.TestRoute;
 import org.eclipse.ditto.base.api.devops.signals.commands.ExecutePiggybackCommand;
 import org.eclipse.ditto.base.model.headers.DittoHeaders;
 import org.eclipse.ditto.gateway.service.endpoints.EndpointTestBase;
 import org.eclipse.ditto.gateway.service.endpoints.directives.auth.DevopsAuthenticationDirectiveFactory;
 import org.eclipse.ditto.gateway.service.util.config.security.DefaultDevOpsConfig;
 import org.eclipse.ditto.gateway.service.util.config.security.DevOpsConfig;
+import org.eclipse.ditto.internal.utils.config.ScopedConfig;
 import org.eclipse.ditto.things.model.ThingId;
 import org.eclipse.ditto.things.model.signals.commands.query.RetrieveThing;
 import org.junit.Before;
 import org.junit.Test;
 
 import com.typesafe.config.ConfigFactory;
 
-import org.apache.pekko.http.javadsl.model.ContentTypes;
-import org.apache.pekko.http.javadsl.model.HttpEntities;
-import org.apache.pekko.http.javadsl.model.HttpRequest;
-import org.apache.pekko.http.javadsl.model.RequestEntity;
-import org.apache.pekko.http.javadsl.model.StatusCodes;
-import org.apache.pekko.http.javadsl.server.Route;
-import org.apache.pekko.http.javadsl.testkit.TestRoute;
-
 /**
  * Unit test for {@link DevOpsRoute}.
  */
@@ -47,11 +48,14 @@ public final class DevOpsRouteTest extends EndpointTestBase {
 
     @Before
     public void setUp() {
+        final var dittoExtensionConfig =
+                ScopedConfig.dittoExtension(routeBaseProperties.getActorSystem().settings().config());
         final var devopsAuthenticationDirectiveFactory =
-                DevopsAuthenticationDirectiveFactory.newInstance(jwtAuthenticationFactory, getInsecureDevopsConfig());
+                DevopsAuthenticationDirectiveFactory.newInstance(jwtAuthenticationFactory, getInsecureDevopsConfig(),
+                        dittoExtensionConfig);
         final var authenticationDirective = devopsAuthenticationDirectiveFactory.devops();
         devOpsRoute = new DevOpsRoute(routeBaseProperties, authenticationDirective);
-        final Route route = extractRequestContext(ctx -> devOpsRoute.buildDevOpsRoute(ctx, Collections.emptyMap()));
+        final Route route = extractRequestContext(ctx -> devOpsRoute.buildDevOpsRoute(ctx, UUID.randomUUID().toString(), Collections.emptyMap()));
         underTest = testRoute(route);
     }
 

diff --git a/...rc/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/stats/StatsRouteTest.java b/...rc/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/stats/StatsRouteTest.java
@@ -31,6 +31,7 @@
 import org.eclipse.ditto.gateway.service.security.authentication.jwt.JwtAuthenticationFactory;
 import org.eclipse.ditto.gateway.service.security.authentication.jwt.JwtAuthenticationProvider;
 import org.eclipse.ditto.gateway.service.util.config.security.DevOpsConfig;
+import org.eclipse.ditto.internal.utils.config.ScopedConfig;
 import org.eclipse.ditto.thingsearch.model.signals.commands.query.CountThingsResponse;
 import org.junit.Before;
 import org.junit.Test;
@@ -60,8 +61,10 @@ private void setUp(final ActorRef proxyActor) {
         final var devopsJwtAuthenticationFactory =
                 JwtAuthenticationFactory.newInstance(devOpsConfig.getOAuthConfig(), cacheConfig, httpClientFacade,
                         actorSystem);
+        final var dittoExtensionConfig =
+                ScopedConfig.dittoExtension(actorSystem.settings().config());
         final var jwtAuthenticationProvider = JwtAuthenticationProvider.newInstance(
-                devopsJwtAuthenticationFactory.newJwtAuthenticationResultProvider(ConfigFactory.empty(), null),
+                devopsJwtAuthenticationFactory.newJwtAuthenticationResultProvider(dittoExtensionConfig, null),
                 devopsJwtAuthenticationFactory.getJwtValidator());
         final var routeBaseProperties = RouteBaseProperties.newBuilder(this.routeBaseProperties)
                 .proxyActor(proxyActor)

diff --git a/...ava/org/eclipse/ditto/gateway/service/endpoints/routes/status/OverallStatusRouteTest.java b/...ava/org/eclipse/ditto/gateway/service/endpoints/routes/status/OverallStatusRouteTest.java
@@ -28,6 +28,7 @@
 import org.eclipse.ditto.gateway.service.health.DittoStatusAndHealthProviderFactory;
 import org.eclipse.ditto.gateway.service.health.StatusAndHealthProvider;
 import org.eclipse.ditto.gateway.service.util.config.security.DevOpsConfig;
+import org.eclipse.ditto.internal.utils.config.ScopedConfig;
 import org.eclipse.ditto.internal.utils.health.cluster.ClusterStatus;
 import org.junit.Before;
 import org.junit.Test;
@@ -49,16 +50,19 @@ public final class OverallStatusRouteTest extends EndpointTestBase {
 
     @Before
     public void setUp() {
+        final var dittoExtensionConfig =
+                ScopedConfig.dittoExtension(routeBaseProperties.getActorSystem().settings().config());
         final Supplier<ClusterStatus> clusterStateSupplier = createClusterStatusSupplierMock();
         final StatusAndHealthProvider statusHealthProvider =
                 DittoStatusAndHealthProviderFactory.of(system(), clusterStateSupplier, healthCheckConfig);
         final DevOpsConfig devOpsConfig = authConfig.getDevOpsConfig();
         final DevopsAuthenticationDirectiveFactory devopsAuthenticationDirectiveFactory =
-                DevopsAuthenticationDirectiveFactory.newInstance(jwtAuthenticationFactory, devOpsConfig);
+                DevopsAuthenticationDirectiveFactory.newInstance(jwtAuthenticationFactory, devOpsConfig,
+                        dittoExtensionConfig);
         final DevopsAuthenticationDirective authenticationDirective = devopsAuthenticationDirectiveFactory.status();
         final OverallStatusRoute statusRoute =
                 new OverallStatusRoute(clusterStateSupplier, statusHealthProvider, authenticationDirective);
-        statusTestRoute = testRoute(statusRoute.buildOverallStatusRoute(correlationId));
+        statusTestRoute = testRoute(statusRoute.buildOverallStatusRoute("correlationId"));
     }
 
     @Test

diff --git a/...teway/service/security/authentication/jwt/DefaultJwtAuthenticationResultProviderTest.java b/...teway/service/security/authentication/jwt/DefaultJwtAuthenticationResultProviderTest.java
@@ -23,6 +23,7 @@
 import org.eclipse.ditto.base.model.auth.AuthorizationSubject;
 import org.eclipse.ditto.base.model.headers.DittoHeaders;
 import org.eclipse.ditto.gateway.service.security.authentication.AuthenticationResult;
+import org.eclipse.ditto.internal.utils.config.ScopedConfig;
 import org.eclipse.ditto.jwt.model.ImmutableJsonWebToken;
 import org.eclipse.ditto.jwt.model.JsonWebToken;
 import org.junit.Test;
@@ -49,8 +50,10 @@ public void assertImmutability() {
 
     @Test
     public void getAuthorizationContext() {
+        final var dittoExtensionConfig =
+                ScopedConfig.dittoExtension(ACTOR_SYSTEM.settings().config());
         final JwtAuthenticationResultProvider underTest =
-                JwtAuthenticationResultProvider.get(ACTOR_SYSTEM, ConfigFactory.empty(), "regular");
+                JwtAuthenticationResultProvider.get(ACTOR_SYSTEM, dittoExtensionConfig, null);
         final JsonWebToken jsonWebToken = ImmutableJsonWebToken.fromToken(JwtTestConstants.VALID_JWT_TOKEN);
         final AuthorizationSubject myTestSubj = AuthorizationSubject.newInstance("example:myTestSubj");
 

diff --git a/gateway/service/src/test/resources/test.conf b/gateway/service/src/test/resources/test.conf
@@ -133,14 +133,34 @@ ditto {
   extensions {
     jwt-authorization-subjects-provider = {
       extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DittoJwtAuthorizationSubjectsProvider
+      extension-config = {
+        role = regular
+      }
     }
     # The provider for JSON Web Token authentication results
     jwt-authentication-result-provider = {
       extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DefaultJwtAuthenticationResultProvider
       # The provider for JSON Web Token authorization subjects
       extension-config = {
+        role = regular
+        jwt-authorization-subjects-provider = {
+          extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DittoJwtAuthorizationSubjectsProvider
+          extension-config = {
+            role = regular
+          }
+        }
+      }
+    }
+    jwt-authentication-result-provider-devops = {
+      extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DefaultJwtAuthenticationResultProvider
+      # The provider for JSON Web Token authorization subjects
+      extension-config = {
+        role = devops
         jwt-authorization-subjects-provider = {
           extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DittoJwtAuthorizationSubjectsProvider
+          extension-config = {
+            role = devops
+          }
         }
       }
     }