diff --git a/deployment/helm/ditto/Chart.yaml b/deployment/helm/ditto/Chart.yaml index f9a9ce1093..0d0b88dee7 100644 --- a/deployment/helm/ditto/Chart.yaml +++ b/deployment/helm/ditto/Chart.yaml @@ -16,7 +16,7 @@ description: | A digital twin is a virtual, cloud based, representation of his real world counterpart (real world “Things”, e.g. devices like sensors, smart heating, connected cars, smart grids, EV charging stations etc). type: application -version: 3.5.6 # chart version is effectively set by release-job +version: 3.5.7-0 # chart version is effectively set by release-job appVersion: 3.5.6 keywords: - iot-chart diff --git a/deployment/helm/ditto/templates/gateway-deployment.yaml b/deployment/helm/ditto/templates/gateway-deployment.yaml index 580e3d8115..f7e610a92c 100644 --- a/deployment/helm/ditto/templates/gateway-deployment.yaml +++ b/deployment/helm/ditto/templates/gateway-deployment.yaml @@ -149,6 +149,12 @@ spec: "{{ printf "%s%s%s%d=%s" "-Dditto.gateway.authentication.devops.oauth.openid-connect-issuers." $key ".auth-subjects." $index $subject }}" {{- end }} {{- end }} + {{- range $index, $oauthSubject := .Values.gateway.config.authentication.devops.oauthSubjects }} + "{{ printf "%s%d=%s" "-Dditto.gateway.authentication.devops.devops-oauth2-subjects." $index $oauthSubject }}" + {{- end }} + {{- range $index, $oauthSubject := .Values.gateway.config.authentication.devops.statusOauthSubjects }} + "{{ printf "%s%d=%s" "-Dditto.gateway.authentication.devops.status-oauth2-subjects." $index $oauthSubject }}" + {{- end }} {{ join " " .Values.gateway.systemProps }} - name: CLUSTER_BS_REQUIRED_CONTACTS value: "{{ .Values.global.cluster.requiredContactPoints }}" 
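Review bot: The subject strings are spliced unescaped into a double-quoted `-D` option on the two added `printf` lines, so an entry in `oauthSubjects` or `statusOauthSubjects` containing a double quote or whitespace would end the quoted option early and could push extra tokens into the space-joined option string (the `join " " .Values.gateway.systemProps` on the following line suggests that is how these values are consumed). Because this list is the allow-list deciding who may call the DevOps and status endpoints, a malformed entry must not silently change which subjects end up accepted. Helm's `quote` keeps the surrounding quotes while escaping embedded ones: `{{ printf "%s%d=%s" "-Dditto.gateway.authentication.devops.devops-oauth2-subjects." $index $oauthSubject | quote }}`, and likewise for the `status-oauth2-subjects` line. The env entry these lines build starts before the hunk.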
@@ -191,10 +197,6 @@ spec: secretKeyRef: name: {{ .Values.gateway.config.authentication.devops.existingSecret | default ( printf "%s-gateway-secret" ( include "ditto.fullname" . )) }} key: devops-password - {{- range $index, $oauthSubject := .Values.gateway.config.authentication.devops.oauthSubjects }} - - name: DEVOPS_OAUTH2_SUBJECTS.{{ $index }} - value: "{{ $oauthSubject }}" - {{- end }} - name: DEVOPS_STATUS_SECURED value: "{{ .Values.gateway.config.authentication.devops.statusSecured }}" - name: STATUS_AUTHENTICATION_METHOD @@ -204,10 +206,6 @@ spec: secretKeyRef: name: {{ .Values.gateway.config.authentication.devops.existingSecret | default ( printf "%s-gateway-secret" ( include "ditto.fullname" . )) }} key: status-password - {{- range $index, $oauthSubject := .Values.gateway.config.authentication.devops.statusOauthSubjects }} - - name: STATUS_OAUTH2_SUBJECTS.{{ $index }} - value: "{{ $oauthSubject }}" - {{- end }} - name: WS_SUBSCRIBER_BACKPRESSURE value: "{{ .Values.gateway.config.websocket.subscriber.backpressureQueueSize }}" - name: WS_PUBLISHER_BACKPRESSURE diff --git a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/EndpointTestBase.java b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/EndpointTestBase.java index 3a73685577..10a5aee5cf 100755 --- a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/EndpointTestBase.java +++ b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/EndpointTestBase.java 
@@ -72,6 +72,7 @@ import org.eclipse.ditto.internal.utils.cache.config.CacheConfig; import org.eclipse.ditto.internal.utils.cache.config.DefaultCacheConfig; import org.eclipse.ditto.internal.utils.config.DefaultScopedConfig; +import org.eclipse.ditto.internal.utils.config.ScopedConfig; import org.eclipse.ditto.internal.utils.health.StatusInfo; import org.eclipse.ditto.internal.utils.health.cluster.ClusterStatus; import org.eclipse.ditto.internal.utils.http.DefaultHttpClientFacade; @@ -127,9 +128,10 @@ public abstract class EndpointTestBase extends JUnitRouteTest { @BeforeClass public static void initTestFixture() { - final var dittoScopedConfig = DefaultScopedConfig.dittoScoped(createTestConfig()); + final Config testConfig = createTestConfig(); + final var dittoScopedConfig = DefaultScopedConfig.dittoScoped(testConfig); final var gatewayScopedConfig = DefaultScopedConfig.newInstance(dittoScopedConfig, "gateway"); - final var actorSystem = ActorSystem.create(EndpointTestBase.class.getSimpleName(), createTestConfig()); + final var actorSystem = ActorSystem.create(EndpointTestBase.class.getSimpleName(), testConfig); httpConfig = GatewayHttpConfig.of(gatewayScopedConfig); healthCheckConfig = DefaultHealthCheckConfig.of(gatewayScopedConfig); commandConfig = DefaultCommandConfig.of(gatewayScopedConfig); @@ -144,7 +146,8 @@ public static void initTestFixture() { httpClientFacade = DefaultHttpClientFacade.getInstance(actorSystem, DefaultHttpProxyConfig.ofProxy(DefaultScopedConfig.empty("/"))); - authorizationSubjectsProvider = JwtAuthorizationSubjectsProvider.get(actorSystem, ConfigFactory.empty()); + authorizationSubjectsProvider = JwtAuthorizationSubjectsProvider.get(actorSystem, + ScopedConfig.dittoExtension(testConfig)); jwtAuthenticationFactory = JwtAuthenticationFactory.newInstance(authConfig.getOAuthConfig(), cacheConfig, httpClientFacade, 
diff --git a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/RootRouteTest.java b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/RootRouteTest.java index 0ad0544dd6..63f09133ef 100755 --- a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/RootRouteTest.java +++ b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/RootRouteTest.java @@ -24,6 +24,14 @@ import java.util.stream.Collectors; import java.util.stream.IntStream; +import org.apache.pekko.actor.ActorSystem; +import org.apache.pekko.http.javadsl.model.HttpRequest; +import org.apache.pekko.http.javadsl.model.StatusCodes; +import org.apache.pekko.http.javadsl.model.headers.Location; +import org.apache.pekko.http.javadsl.model.headers.RawHeader; +import org.apache.pekko.http.javadsl.testkit.TestRoute; +import org.apache.pekko.http.javadsl.testkit.TestRouteResult; +import org.apache.pekko.stream.SystemMaterializer; import org.eclipse.ditto.base.model.headers.DittoHeaderDefinition; import org.eclipse.ditto.base.model.headers.DittoHeaders; import org.eclipse.ditto.base.model.json.JsonSchemaVersion; @@ -70,15 +78,6 @@ import com.typesafe.config.ConfigFactory; -import org.apache.pekko.actor.ActorSystem; -import org.apache.pekko.http.javadsl.model.HttpRequest; -import org.apache.pekko.http.javadsl.model.StatusCodes; -import org.apache.pekko.http.javadsl.model.headers.Location; -import org.apache.pekko.http.javadsl.model.headers.RawHeader; -import org.apache.pekko.http.javadsl.testkit.TestRoute; -import org.apache.pekko.http.javadsl.testkit.TestRouteResult; -import org.apache.pekko.stream.SystemMaterializer; - /** * Tests {@link RootRoute}. */ 
@@ -137,12 +136,12 @@ public void setUp() { final var statusAndHealthProvider = DittoStatusAndHealthProviderFactory.of(routeBaseProperties.getActorSystem(), clusterStatusSupplier, healthCheckConfig); + final var dittoExtensionConfig = + ScopedConfig.dittoExtension(routeBaseProperties.getActorSystem().settings().config()); final var devopsAuthenticationDirectiveFactory = DevopsAuthenticationDirectiveFactory.newInstance(jwtAuthenticationFactory, - authConfig.getDevOpsConfig()); + authConfig.getDevOpsConfig(), dittoExtensionConfig); final var devOpsAuthenticationDirective = devopsAuthenticationDirectiveFactory.devops(); - final var dittoExtensionConfig = - ScopedConfig.dittoExtension(routeBaseProperties.getActorSystem().settings().config()); final var rootRoute = RootRoute.getBuilder(httpConfig) .statsRoute(new StatsRoute(routeBaseProperties, devOpsAuthenticationDirective)) .statusRoute(new StatusRoute(clusterStatusSupplier, diff --git a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/connections/ConnectionsRouteTest.java b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/connections/ConnectionsRouteTest.java index 5725d8f174..b7f5621c74 100644 --- a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/connections/ConnectionsRouteTest.java +++ b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/connections/ConnectionsRouteTest.java 
@@ -96,7 +96,7 @@ public void setUp() { final DevopsAuthenticationDirective devopsAuthenticationDirective = Mockito.mock( DevopsAuthenticationDirective.class); Mockito.when(devopsAuthenticationDirective.authenticateDevOps(Mockito.any(), Mockito.any(), Mockito.any())) - .thenAnswer(a -> a.getArguments()[1]); + .thenAnswer(a -> a.getArguments()[2]); final var connectionsRoute = new ConnectionsRoute(routeBaseProperties, devopsAuthenticationDirective); final Route route = extractRequestContext(ctx -> connectionsRoute.buildConnectionsRoute(ctx, dittoHeaders)); diff --git a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/devops/DevOpsRouteTest.java b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/devops/DevOpsRouteTest.java index 0f3df31162..a70e43484a 100644 --- a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/devops/DevOpsRouteTest.java +++ b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/devops/DevOpsRouteTest.java 
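Review bot: The stub on the changed line lets every request through DevOps authentication by returning the inner route from a bare positional index, and nothing records why `[1]` became `[2]` (presumably `authenticateDevOps` gained a leading parameter). Prefer `a.getArgument(2)` over `a.getArguments()[2]` and name the intent: `// pass the inner route through unchanged: DevOps authentication itself is not under test here`. That keeps a future parameter reorder from silently turning the stub into one that returns the wrong argument. The `setUp` method continues past the end of the hunk.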
@@ -14,13 +14,22 @@ package org.eclipse.ditto.gateway.service.endpoints.routes.devops; import java.util.Collections; +import java.util.UUID; +import org.apache.pekko.http.javadsl.model.ContentTypes; +import org.apache.pekko.http.javadsl.model.HttpEntities; +import org.apache.pekko.http.javadsl.model.HttpRequest; +import org.apache.pekko.http.javadsl.model.RequestEntity; +import org.apache.pekko.http.javadsl.model.StatusCodes; +import org.apache.pekko.http.javadsl.server.Route; +import org.apache.pekko.http.javadsl.testkit.TestRoute; import org.eclipse.ditto.base.api.devops.signals.commands.ExecutePiggybackCommand; import org.eclipse.ditto.base.model.headers.DittoHeaders; import org.eclipse.ditto.gateway.service.endpoints.EndpointTestBase; import org.eclipse.ditto.gateway.service.endpoints.directives.auth.DevopsAuthenticationDirectiveFactory; import org.eclipse.ditto.gateway.service.util.config.security.DefaultDevOpsConfig; import org.eclipse.ditto.gateway.service.util.config.security.DevOpsConfig; +import org.eclipse.ditto.internal.utils.config.ScopedConfig; import org.eclipse.ditto.things.model.ThingId; import org.eclipse.ditto.things.model.signals.commands.query.RetrieveThing; import org.junit.Before; @@ -28,14 +37,6 @@ import com.typesafe.config.ConfigFactory; -import org.apache.pekko.http.javadsl.model.ContentTypes; -import org.apache.pekko.http.javadsl.model.HttpEntities; -import org.apache.pekko.http.javadsl.model.HttpRequest; -import org.apache.pekko.http.javadsl.model.RequestEntity; -import org.apache.pekko.http.javadsl.model.StatusCodes; -import org.apache.pekko.http.javadsl.server.Route; -import org.apache.pekko.http.javadsl.testkit.TestRoute; - /** * Unit test for {@link DevOpsRoute}. */ 
@@ -47,11 +48,14 @@ public final class DevOpsRouteTest extends EndpointTestBase { @Before public void setUp() { + final var dittoExtensionConfig = + ScopedConfig.dittoExtension(routeBaseProperties.getActorSystem().settings().config()); final var devopsAuthenticationDirectiveFactory = - DevopsAuthenticationDirectiveFactory.newInstance(jwtAuthenticationFactory, getInsecureDevopsConfig()); + DevopsAuthenticationDirectiveFactory.newInstance(jwtAuthenticationFactory, getInsecureDevopsConfig(), + dittoExtensionConfig); final var authenticationDirective = devopsAuthenticationDirectiveFactory.devops(); devOpsRoute = new DevOpsRoute(routeBaseProperties, authenticationDirective); - final Route route = extractRequestContext(ctx -> devOpsRoute.buildDevOpsRoute(ctx, Collections.emptyMap())); + final Route route = extractRequestContext(ctx -> devOpsRoute.buildDevOpsRoute(ctx, UUID.randomUUID().toString(), Collections.emptyMap())); underTest = testRoute(route); } diff --git a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/stats/StatsRouteTest.java b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/stats/StatsRouteTest.java index b74cfdc0c7..aa97e7b7d1 100755 --- a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/stats/StatsRouteTest.java +++ b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/stats/StatsRouteTest.java @@ -31,6 +31,7 @@ import org.eclipse.ditto.gateway.service.security.authentication.jwt.JwtAuthenticationFactory; import org.eclipse.ditto.gateway.service.security.authentication.jwt.JwtAuthenticationProvider; import org.eclipse.ditto.gateway.service.util.config.security.DevOpsConfig; +import org.eclipse.ditto.internal.utils.config.ScopedConfig; import org.eclipse.ditto.thingsearch.model.signals.commands.query.CountThingsResponse; import org.junit.Before; import org.junit.Test; 
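Review bot: `UUID.randomUUID().toString()` on the changed `buildDevOpsRoute` line makes the correlation id differ on every run, which this test does not need and which `OverallStatusRouteTest` in the same commit avoids by passing the literal `"correlationId"`; use the same fixed value here so failures are reproducible and the line fits the file's width. Separately, the directive is still built from `getInsecureDevopsConfig()`, so the new `dittoExtensionConfig` argument (the path through which the `devops` role's subject provider is now configured, judging by the `test.conf` change) is wired but never exercised in a secured setting; a test that builds the directive from a secured DevOps config and asserts that an OAuth subject missing from the allow-list is rejected would pin that behaviour. The body of `DevOpsRouteTest` continues beyond the hunk.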
@@ -60,8 +61,10 @@ private void setUp(final ActorRef proxyActor) { final var devopsJwtAuthenticationFactory = JwtAuthenticationFactory.newInstance(devOpsConfig.getOAuthConfig(), cacheConfig, httpClientFacade, actorSystem); + final var dittoExtensionConfig = + ScopedConfig.dittoExtension(actorSystem.settings().config()); final var jwtAuthenticationProvider = JwtAuthenticationProvider.newInstance( - devopsJwtAuthenticationFactory.newJwtAuthenticationResultProvider(ConfigFactory.empty(), null), + devopsJwtAuthenticationFactory.newJwtAuthenticationResultProvider(dittoExtensionConfig, null), devopsJwtAuthenticationFactory.getJwtValidator()); final var routeBaseProperties = RouteBaseProperties.newBuilder(this.routeBaseProperties) .proxyActor(proxyActor) diff --git a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/status/OverallStatusRouteTest.java b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/status/OverallStatusRouteTest.java index a89d536803..89ff348af2 100755 --- a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/status/OverallStatusRouteTest.java +++ b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/status/OverallStatusRouteTest.java @@ -28,6 +28,7 @@ import org.eclipse.ditto.gateway.service.health.DittoStatusAndHealthProviderFactory; import org.eclipse.ditto.gateway.service.health.StatusAndHealthProvider; import org.eclipse.ditto.gateway.service.util.config.security.DevOpsConfig; +import org.eclipse.ditto.internal.utils.config.ScopedConfig; import org.eclipse.ditto.internal.utils.health.cluster.ClusterStatus; import org.junit.Before; import org.junit.Test; 
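Review bot: The result provider for the DevOps-secured stats route is resolved with `null` as the second argument on the changed `newJwtAuthenticationResultProvider` line, even though `test.conf` now carries a separate `jwt-authentication-result-provider-devops` entry with `role = devops` and the factory itself is built from `devOpsConfig.getOAuthConfig()`. If that argument selects which `jwt-authentication-result-provider*` entry is loaded (the old call in `DefaultJwtAuthenticationResultProviderTest` passed `"regular"` in the corresponding position), `null` most likely picks the regular entry, and this test would then validate stats-route access with the regular role's subject provider rather than the DevOps one — worth confirming, and if so passing the DevOps selector explicitly with a comment stating which entry is expected. The private `setUp(ActorRef)` method continues beyond the hunk.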
@@ -49,16 +50,19 @@ public final class OverallStatusRouteTest extends EndpointTestBase { @Before public void setUp() { + final var dittoExtensionConfig = + ScopedConfig.dittoExtension(routeBaseProperties.getActorSystem().settings().config()); final Supplier clusterStateSupplier = createClusterStatusSupplierMock(); final StatusAndHealthProvider statusHealthProvider = DittoStatusAndHealthProviderFactory.of(system(), clusterStateSupplier, healthCheckConfig); final DevOpsConfig devOpsConfig = authConfig.getDevOpsConfig(); final DevopsAuthenticationDirectiveFactory devopsAuthenticationDirectiveFactory = - DevopsAuthenticationDirectiveFactory.newInstance(jwtAuthenticationFactory, devOpsConfig); + DevopsAuthenticationDirectiveFactory.newInstance(jwtAuthenticationFactory, devOpsConfig, + dittoExtensionConfig); final DevopsAuthenticationDirective authenticationDirective = devopsAuthenticationDirectiveFactory.status(); final OverallStatusRoute statusRoute = new OverallStatusRoute(clusterStateSupplier, statusHealthProvider, authenticationDirective); - statusTestRoute = testRoute(statusRoute.buildOverallStatusRoute(correlationId)); + statusTestRoute = testRoute(statusRoute.buildOverallStatusRoute("correlationId")); } @Test diff --git a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/security/authentication/jwt/DefaultJwtAuthenticationResultProviderTest.java b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/security/authentication/jwt/DefaultJwtAuthenticationResultProviderTest.java index 73b32bb421..4220caf1d6 100644 --- a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/security/authentication/jwt/DefaultJwtAuthenticationResultProviderTest.java +++ b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/security/authentication/jwt/DefaultJwtAuthenticationResultProviderTest.java 
@@ -23,6 +23,7 @@ import org.eclipse.ditto.base.model.auth.AuthorizationSubject; import org.eclipse.ditto.base.model.headers.DittoHeaders; import org.eclipse.ditto.gateway.service.security.authentication.AuthenticationResult; +import org.eclipse.ditto.internal.utils.config.ScopedConfig; import org.eclipse.ditto.jwt.model.ImmutableJsonWebToken; import org.eclipse.ditto.jwt.model.JsonWebToken; import org.junit.Test; @@ -49,8 +50,10 @@ public void assertImmutability() { @Test public void getAuthorizationContext() { + final var dittoExtensionConfig = + ScopedConfig.dittoExtension(ACTOR_SYSTEM.settings().config()); final JwtAuthenticationResultProvider underTest = - JwtAuthenticationResultProvider.get(ACTOR_SYSTEM, ConfigFactory.empty(), "regular"); + JwtAuthenticationResultProvider.get(ACTOR_SYSTEM, dittoExtensionConfig, null); final JsonWebToken jsonWebToken = ImmutableJsonWebToken.fromToken(JwtTestConstants.VALID_JWT_TOKEN); final AuthorizationSubject myTestSubj = AuthorizationSubject.newInstance("example:myTestSubj"); diff --git a/gateway/service/src/test/resources/test.conf b/gateway/service/src/test/resources/test.conf index 0cca17deb0..e659d1ae95 100755 --- a/gateway/service/src/test/resources/test.conf +++ b/gateway/service/src/test/resources/test.conf 
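Review bot: The test now passes `null` where it previously passed `"regular"` to `JwtAuthenticationResultProvider.get`, so the only path covered here is the default lookup; the `role = devops` variant that `test.conf` gains in this commit (`jwt-authentication-result-provider-devops`) has no test in this file. A second case that resolves the DevOps entry and asserts the resulting authorization context carries the DevOps-role subjects would document the role split this change introduces and catch a regression where both roles resolve to the same provider. If `ConfigFactory.empty()` was its only use, the `com.typesafe.config.ConfigFactory` import in this file is now dead. `getAuthorizationContext` continues past the end of the hunk.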
@@ -133,14 +133,34 @@ ditto { extensions { jwt-authorization-subjects-provider = { extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DittoJwtAuthorizationSubjectsProvider + extension-config = { + role = regular + } } # The provider for JSON Web Token authentication results jwt-authentication-result-provider = { extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DefaultJwtAuthenticationResultProvider # The provider for JSON Web Token authorization subjects extension-config = { + role = regular + jwt-authorization-subjects-provider = { + extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DittoJwtAuthorizationSubjectsProvider + extension-config = { + role = regular + } + } + } + } + jwt-authentication-result-provider-devops = { + extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DefaultJwtAuthenticationResultProvider + # The provider for JSON Web Token authorization subjects + extension-config = { + role = devops jwt-authorization-subjects-provider = { extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DittoJwtAuthorizationSubjectsProvider + extension-config = { + role = devops + } } } }