From 3870df285e0adbe797bb1e1dd7460bad81d217c7 Mon Sep 17 00:00:00 2001
From: github-actions
Date: Wed, 15 Mar 2023 10:50:48 +0000
Subject: [PATCH 1/2] Update CWA-Parent to 2.0.2
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index af91838..d13d569 100644
--- a/pom.xml
+++ b/pom.xml
@@ -10,7 +10,7 @@
 app.coronawarn
 cwa-parent
- 2.0.1
+ 2.0.2
From 85b7119e904f3b705aa84d38d43c452ce047b21a Mon Sep 17 00:00:00 2001
From: Morphyum
Date: Thu, 16 Mar 2023 12:02:10 +0100
Subject: [PATCH 2/2] * removed unused security config
---
 .../config/TestOAuth2SecurityConfig.java | 171 ------------------
 1 file changed, 171 deletions(-)
 delete mode 100644 src/main/java/app/coronawarn/logupload/config/TestOAuth2SecurityConfig.java
diff --git a/src/main/java/app/coronawarn/logupload/config/TestOAuth2SecurityConfig.java b/src/main/java/app/coronawarn/logupload/config/TestOAuth2SecurityConfig.java
deleted file mode 100644
index e26c117..0000000
--- a/src/main/java/app/coronawarn/logupload/config/TestOAuth2SecurityConfig.java
+++ /dev/null
@@ -1,171 +0,0 @@
-/*
- * Corona-Warn-App / cwa-log-upload
- *
- * (C) 2021 - 2022, T-Systems International GmbH
- *
- * Deutsche Telekom AG and all other contributors /
- * copyright owners license this file to you under the Apache
- * License, Version 2.0 (the "License"); you may not use this
- * file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package app.coronawarn.logupload.config;
-
-import app.coronawarn.logupload.LogUploadHttpFilter;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.stream.Collectors;
-import lombok.RequiredArgsConstructor;
-import org.springframework.boot.test.context.TestConfiguration;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Profile;
-import org.springframework.http.HttpHeaders;
-import org.springframework.http.HttpMethod;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
-import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
-import org.springframework.security.core.session.SessionRegistryImpl;
-import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
-import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;
-import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
-import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
-import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
-import org.springframework.session.MapSessionRepository;
-import org.springframework.session.SessionRepository;
-import org.springframework.session.web.http.CookieSerializer;
-import org.springframework.session.web.http.DefaultCookieSerializer;
-
-
-@TestConfiguration
-@RequiredArgsConstructor
-@Profile("test")
-public class TestOAuth2SecurityConfig {
-
- private static final String REALM_ACCESS_CLAIM = "realm_access";
- private static final String ROLES_CLAIM = "roles";
- private static final String ROLE_C19LOG_INSPECTOR = "c19log_inspector";
- private static final String ACTUATOR_ROUTE = "/actuator/**";
- private static final String PUBLIC_API_ROUTE = "/api/**";
- private static final String PORTAL_ROUTE = "/portal/**";
- private static final String SWAGGER_ROUTE = "/v3/api-docs/**";
-
-
- private static final String SAMESITE_LAX = "Lax";
- private static final String OAUTH_TOKEN_REQUEST_STATE_COOKIE = "OAuth_Token_Request_State";
- private static final String SESSION_COOKIE = "SESSION";
-
- private final LogUploadHttpFilter logUploadHttpFilter;
-
- @Bean
- protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
- return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
- }
-
- /**
- * FilterChain to manage access to Resources.
- */
- @Bean
- public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
- http
- .addFilterBefore(logUploadHttpFilter, BasicAuthenticationFilter.class)
- .headers().addHeaderWriter(this::addSameSiteToOAuthCookie)
- .and()
- .authorizeHttpRequests()
- .requestMatchers(HttpMethod.GET, ACTUATOR_ROUTE).permitAll()
- .requestMatchers(HttpMethod.POST, PUBLIC_API_ROUTE).permitAll()
- .requestMatchers(HttpMethod.GET, SWAGGER_ROUTE).permitAll()
- .requestMatchers(HttpMethod.GET, PORTAL_ROUTE).hasRole(ROLE_C19LOG_INSPECTOR)
- .requestMatchers(HttpMethod.POST, PORTAL_ROUTE).hasRole(ROLE_C19LOG_INSPECTOR)
- .anyRequest()
- .authenticated()
- .and()
- .csrf().ignoringRequestMatchers(PUBLIC_API_ROUTE, SWAGGER_ROUTE);
-
- return http.build();
- }
-
- /**
- * CookieSerializer.
- */
- @Bean
- public CookieSerializer defaultCookieSerializer() {
- DefaultCookieSerializer cookieSerializer = new DefaultCookieSerializer();
- cookieSerializer.setCookieName(SESSION_COOKIE);
- cookieSerializer.setSameSite(SAMESITE_LAX);
- cookieSerializer.setUseHttpOnlyCookie(true);
- return cookieSerializer;
- }
-
- @Bean
- public SessionRepository sessionRepository() {
- return new MapSessionRepository(new ConcurrentHashMap<>());
- }
-
- private void addSameSiteToOAuthCookie(final HttpServletRequest request, final HttpServletResponse response) {
- final Collection setCookieValues = response.getHeaders(HttpHeaders.SET_COOKIE);
- for (String setCookie : setCookieValues) {
- if (setCookie.contains(OAUTH_TOKEN_REQUEST_STATE_COOKIE)) {
- response.setHeader(HttpHeaders.SET_COOKIE, addSameSiteStrict(setCookie));
- }
- }
- }
-
- private String addSameSiteStrict(String setCookie) {
- return setCookie + "; SameSite=" + SAMESITE_LAX;
- }
-
- /**
- * AuthoritiesMapper maps OID roles to grantedAuthorities.
- */
- @Bean
- @SuppressWarnings("unchecked")
- public GrantedAuthoritiesMapper userAuthoritiesMapperForKeycloak() {
- return authorities -> {
- Set mappedAuthorities = new HashSet<>();
- var authority = authorities.iterator().next();
- boolean isOidc = authority instanceof OidcUserAuthority;
-
- if (isOidc) {
- var oidcUserAuthority = (OidcUserAuthority) authority;
- var userInfo = oidcUserAuthority.getUserInfo();
-
- if (userInfo.hasClaim(REALM_ACCESS_CLAIM)) {
- var realmAccess = userInfo.getClaimAsMap(REALM_ACCESS_CLAIM);
- var roles = (Collection) realmAccess.get(ROLES_CLAIM);
- mappedAuthorities.addAll(generateAuthoritiesFromClaim(roles));
- }
- } else {
- var oauth2UserAuthority = (OAuth2UserAuthority) authority;
- Map userAttributes = oauth2UserAuthority.getAttributes();
-
- if (userAttributes.containsKey(REALM_ACCESS_CLAIM)) {
- var realmAccess = (Map) userAttributes.get(REALM_ACCESS_CLAIM);
- var roles = (Collection) realmAccess.get(ROLES_CLAIM);
- mappedAuthorities.addAll(generateAuthoritiesFromClaim(roles));
- }
- }
- return mappedAuthorities;
- };
- }
-
- Collection generateAuthoritiesFromClaim(Collection roles) {
- return roles.stream().map(role -> new SimpleGrantedAuthority("ROLE_" + role)).collect(Collectors.toList());
- }
-}