Merge branch 'main' into release

.github/workflows/release.yml

@@ -5,30 +5,31 @@
 # Author: Marco Massenzio ([email protected])
 #
 name: Release
-
 on:
   push:
-    branches: [ release ]
+    branches:
+      - release
 
-jobs:
-  create-tag:
-    runs-on: ubuntu-22.04
-    env:
-      AUTHOR: ${{ github.event.pusher.name }}
-    steps:
-    - uses: actions/checkout@v2
-    - name: Create a Release Tag
-      run: |
-        git config user.name "$AUTHOR"
-        git config user.email "<[email protected]>"
-        ./make-tag.sh
+env:
+  AUTHOR: ${{ github.event.pusher.name }}
+  EMAIL: ${{ github.event.pusher.email }}
+  KEYRING_FILE: /tmp/keyring.gpg
 
+jobs:
   release:
     runs-on: ubuntu-22.04
-    env:
-      KEYRING_FILE: /tmp/keyring.gpg
+
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+      - name: Create a Release Tag
+        run: |
+          git config user.name "$AUTHOR"
+          git config user.email "<$EMAIL>"
+          TAG=$(./get-version.sh)
+          git tag -a $TAG -m "Release $TAG"
+          git push --tags
+          echo TAG=${TAG} >> $GITHUB_ENV
+
       - uses: actions/setup-java@v1
         with:
           java-version: 17
@@ -54,3 +55,9 @@ jobs:
       - name: Publish to Sonatype
         run: |
           chmod +x gradlew && ./gradlew publish
+
+      # Creates a new release in GitHub, with auto-generated content.
+      - uses: ncipollo/release-action@v1
+        with:
+          tag: ${{ env.TAG }}
+          generateReleaseNotes: true

.github/workflows/verify.yml

@@ -20,7 +20,16 @@ jobs:
     - uses: actions/setup-java@v1
       with:
         java-version: 17
-    - name: Setup fake Credentials
-      run: cp gradle.properties.fake gradle.properties
+    - name: Setup fake Credentials for Tests
+      run: |
+        cp gradle.properties.fake gradle.properties
+        mkdir -p ~/.aws
+        cat <<EOF > ~/.aws/credentials
+        [default]
+        aws_access_key_id = fake
+        aws_secret_access_key = fake
+        EOF
     - name: Build & Test
-      run: chmod +x gradlew && ./gradlew build test
+      run: |
+        echo "keys: $(ls -l testdata)"
+        chmod +x gradlew && ./gradlew test

.gitignore

@@ -28,9 +28,8 @@ generated/
 
 # Key Material is never a good candidate for source control,
 # unless they are used for test purposes (only).
-*.pub
 *.pem
-!**/testdata/*.pem
+!**/testdata/test-key.*
 
 # Code Coverage
 .coverage
@@ -39,7 +38,6 @@ tests/cover
 # Gradle related files
 .gradle
 gradlew.bat
-build/
 !*/gradle/wrapper/gradle-wrapper.jar
 
 ### STS ###

README.md

@@ -197,7 +197,7 @@ Save both keys in a `private` folder (not under source control) and then point t
 secrets:
   keypair:
     private: "private/ec-key-1.pem"
-    pub: "private/ec-key-pub.pem"
+    pub: "private/ec-key.pub"
 ```
 
 You can use either an absolute path, or the relative path to the current directory from where you are launching the Web server.

aws-upload-keys.sh

@@ -3,44 +3,33 @@
 # Copyright (c) 2021 AlertAvert.com.  All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
 # Author: Marco Massenzio ([email protected])
-#
 
-#
-# Generates a Elliptict Cryptography keypair using openssl
-
-set -e
+set -eu
 
 function usage {
-  echo "Usage: $(basename $0) KEY [DIR]
-
-    KEY     the name of the key pair to upload, required;
+  echo "Usage: $(basename $0) KEY SECRET
 
-    DIR     optionally, a directory where the keypair is stored
+    KEY     the path to the key pair to upload, WITHOUT extension
+    SECRET  the name of the secret to create in AWS Secrets Manager
 
 This script uploads a key pair named 'KEY.pem' and 'KEY.pub' to AWS Secrets Manager,
 using the \$AWS_PROFILE env var to obtain the credentials and the region to upload to.
 
+Use \$AWS_ENDPOINT to specify a custom endpoint for the Secrets Manager service, if not using
+the default AWS endpoint (eg, when testing against a localstack container, you can use
+http://localhost:4566).
+
 The pair can be generated using the keygen.sh script.
 Requires the aws binary CLI (https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
 "
 }
 
 KEY=${1:-}
-DIR=${2:-}
+SECRET=${2:-}
+ENDPOINT_URL=""
 
-if [[ -z ${KEY} || ${1:-} == "--help" || ${1:-} == "-h" ]]; then
+if [[ -z ${KEY} || -z ${SECRET} || ${1:-} == "-h" ]]; then
   usage
   exit 1
 fi
@@ -52,27 +41,37 @@ then
   exit 1
 fi
 
+if [[ -n ${AWS_ENDPOINT:-} ]]; then
+  ENDPOINT_URL="--endpoint-url ${AWS_ENDPOINT}"
+fi
 
 PRIV=${KEY}.pem
 PUB=${KEY}.pub
-if [[ -n ${DIR} && -d ${DIR} ]]; then
-  PRIV=${DIR}/${PRIV}
-  PUB=${DIR}/${PUB}
+if [[ ! -f ${PRIV} || ! -f ${PUB} ]]; then
+  usage
+  echo "ERROR: Cannot find ${PRIV} and/or ${PUB} keys"
+  exit 1
 fi
 
 out=$(mktemp /tmp/secret-XXXXXXXX.tmp)
 cat <<EOF >$out
 {
   "priv": "$(while read -r line; do if [[ ! ${line} =~ ^----- ]]; \
-      then echo -n ${line}; fi; done < $PRIV)",
-  "pub": "$(while read -r line; do [[ ${line} =~ ^----- ]] || echo -n ${line}; done < $PUB)",
-  "algorithm": "EC"
+        then echo -n ${line}; fi; done < ${PRIV})",
+  "pub": "$(while read -r line; do [[ ${line} =~ ^----- ]] || echo -n ${line}; \
+        done < ${PUB})"
 }
 EOF
 
-aws secretsmanager create-secret --name $KEY \
-  --description "Keypair $KEY generated by the $(basename $0) script" \
-  --secret-string file://$out
-
+set +e
+res=$(aws ${ENDPOINT_URL} secretsmanager create-secret --name ${SECRET} --output json \
+  --description "Elliptic Cryptography Keypair generated by the $(basename $0) script" \
+  --secret-string file://${out})
+if [[ $? != 0 ]]
+then
+    echo "[ERROR] Failed to upload ${SECRET}: keys have kept behind in ${out}"
+    exit 1
+fi
+arn=$(echo ${res}  | jq -r '.ARN')
 rm $out
-echo "[SUCCESS] Key Pair uploaded to AWS: ${KEY}"
+echo "${arn}"

docker-compose.yml

@@ -0,0 +1,40 @@
+# Copyright AlertAvert.com (c) 2022. All rights reserved.
+
+version: '3.2'
+
+services:
+  opa:
+    container_name: opa
+    hostname: opa
+    image: openpolicyagent/opa:0.42.2
+    command: run --server --addr :8181
+    ports:
+      - "8181:8181"
+    networks:
+      - backend
+
+  mongo:
+    container_name: "mongo"
+    image: "mongo:4"
+    hostname: mongo
+    ports:
+      - "27017:27017"
+    networks:
+      - backend
+    volumes:
+      - mongo_data:/data
+
+### INFRASTRUCTURE
+
+volumes:
+  mongo_data:
+
+# To connect to the servers in this stack, from a container run
+# via Docker, use `--network docker_backend`.
+# The hosts listed above will then be reachable at the given names,
+# on whatever ports are exposed.
+networks:
+  backend:
+    ipam:
+      config:
+      - subnet: 172.1.2.0/24

get-version.sh

@@ -3,16 +3,11 @@
 # Copyright (c) 2022 AlertAvert.com.  All rights reserved.
 # Author: Marco Massenzio ([email protected])
 #
-# Usage: get-version [build]
 # Extracts version from build.gradle
 #
-# build is the path to the build.gradle file, defaults to ./build.gradle
-
 set -eu
+workdir=$(dirname $0)
 
-build=${1:-build.gradle}
-
-# Note the use of -E to enable "extended" RegExps syntax (* and ?).
-grep -E '^[[:blank:]]*version' ${build} |\
+grep -E '^[[:blank:]]*version' ${workdir}/jwt-opa/build.gradle |\
     sed -E 's/^[[:blank:]]*version[[:blank:]]*=?[[:blank:]]*//' |\
     sed "s/'//g" | sed 's/[[:blank:]]*$//'

jwt-opa/build.gradle

@@ -29,6 +29,7 @@ plugins {
 }
 
 ext {
+    awsSdkVersion = '2.17.102'
     jsonpathVersion = "2.5.0"
     lombokVersion = "1.18.22"
     minCoverageRatio = 0.80
@@ -37,7 +38,7 @@ ext {
 }
 
 group 'com.alertavert'
-version '0.8.0'
+version '0.9.0'
 
 // OpenJDK 17 LTS is the only Java version supported
 sourceCompatibility = JavaVersion.VERSION_17
@@ -47,6 +48,7 @@ if (JavaVersion.current() != JavaVersion.VERSION_17) {
 }
 
 repositories {
+    mavenLocal()
     mavenCentral()
 }
 
@@ -91,12 +93,18 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-security'
     implementation 'org.springframework.boot:spring-boot-starter-webflux'
 
+    // AWS SDK for Secrets Manager, see: https://docs.aws.amazon.com/code-samples/latest/catalog/code-catalog-javav2-example_code-secretsmanager.html
+    implementation "software.amazon.awssdk:secretsmanager:${awsSdkVersion}"
+
     testImplementation "com.jayway.jsonpath:json-path-assert:$jsonpathVersion"
     testImplementation "org.mockito:mockito-core:$mockitoVersion"
 
     // Test Containers: https://www.testcontainers.org/
     testImplementation "org.testcontainers:testcontainers:$tcVersion"
     testImplementation "org.testcontainers:junit-jupiter:$tcVersion"
+    testImplementation "org.testcontainers:localstack:$tcVersion"
+    testImplementation group: 'com.amazonaws', name: 'aws-java-sdk-core', version: '1.12.326'
+
 }
 
 jacocoTestCoverageVerification {

jwt-opa/src/main/java/com/alertavert/opa/Constants.java

@@ -31,6 +31,7 @@
  * All constants are grouped here for ease of reference.
  */
 @NoArgsConstructor(access = AccessLevel.PRIVATE)
+@ExcludeFromCoverageGenerated
 public class Constants {
   /**
    * Basic Authorization header type.
@@ -41,16 +42,17 @@ public class Constants {
    */
   public static final String BEARER_TOKEN = "Bearer";
 
-  /**
-   * The type of encryption accepted by the {@link com.alertavert.opa.jwt.JwtTokenProvider}
-   */
-  public static final String ELLIPTIC_CURVE = "EC";
+  /** Marker for a Public Key object */
+  public static final String PUBLIC_KEY = "PUBLIC KEY";
+
+  /** Marker for a Private Key object */
+  public static final String PRIVATE_KEY = "PRIVATE KEY";
 
   /**
-   * Passphrase-based encryption (see
-   * {@link com.alertavert.opa.configuration.KeyMaterialConfiguration}.
+   * The name of the Env Var which contains the name of the file storing the AWS API Token in a
+   * running EKS container.
    */
-  public static final String PASSPHRASE = "SECRET";
+  public static final String AWS_TOKEN_FILE = "AWS_WEB_IDENTITY_TOKEN_FILE";
 
   /** OPA API version */
   public static final String OPA_VERSION = "v1";
@@ -66,7 +68,7 @@ public class Constants {
   public static final String DEFAULT_HEALTH_ROUTE = "/health";
 
   /**
-   * The default login endpoing, by default only allowed using HTTP Basic auth, but will not
+   * The default login endpoint, by default only allowed using HTTP Basic auth, but will not
    * require a valid API Token and won't try to authorize access.
    */
   public static final String DEFAULT_LOGIN_ROUTE = "/login";
@@ -87,6 +89,14 @@ public class Constants {
 
   public static final String API_TOKEN = "api_token";
 
+  public static final String KEYPAIR_LOADED = "Keypair loaded from AWS Secrets Manager: "
+      + "secret-name = {}";
+  public static final String KEYPAIR_ERROR = "Cannot load secret from AWS: secret-name = {}, "
+      + "error = {}";
+
+  public static final String CREDENTIALS_PROVIDER_LOG = "Creating a {} Credentials Provider: {}";
+  public static final String CREDENTIALS_PROVIDER_ERROR = "Cannot create Credentials Provider: {}";
+
   /**
    * A completely inactive user, that needs to act as a placeholder when the `username` is not
    * found in the Users DB, and would trigger an exception in the Java Security HTTP Basic
@@ -109,4 +119,7 @@ public Collection<? extends GrantedAuthority> getAuthorities() {
   };
   public static final int MAX_TOKEN_LEN_LOG = 6;
   public static final ObjectMapper MAPPER = new ObjectMapper();
+  public static final String PEM_EXT = ".pem";
+  public static final String PUB_EXT = ".pub";
+
 }