Cleanup after updating Spring Boot

massenz · Oct 26, 2023 · a590da4 · a590da4
1 parent 2686640
commit a590da4
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 24 deletions.
diff --git a/jwt-opa/src/main/java/com/alertavert/opa/jwt/ApiTokenAuthenticationFactory.java b/jwt-opa/src/main/java/com/alertavert/opa/jwt/ApiTokenAuthenticationFactory.java
@@ -62,7 +62,7 @@ public Mono<Authentication> createAuthentication(String token) {
     log.debug("Authenticating token {}...", token.substring(0, Math.min(MAX_TOKEN_LEN_LOG, token.length())));
     try {
       DecodedJWT jwt = provider.decode(token);
-      List<? extends  GrantedAuthority> authorities = AuthorityUtils.createAuthorityList(
+      List<? extends GrantedAuthority> authorities = AuthorityUtils.createAuthorityList(
           jwt.getClaim(JwtTokenProvider.ROLES).asArray(String.class));
       String subject = jwt.getSubject();
 
@@ -72,6 +72,12 @@ public Mono<Authentication> createAuthentication(String token) {
     } catch (JWTVerificationException exception) {
       log.warn("Cannot validate API Token: {}", exception.getMessage());
       return Mono.error(new BadCredentialsException("API Token invalid", exception));
+    } catch (IllegalArgumentException exception) {
+      log.warn("The Token is malformed: {}", exception.getMessage());
+      return Mono.error(new BadCredentialsException("API Token malformed", exception));
+    } catch (Exception ex) {
+      log.error("Unexpected error while validating token: {}", ex.getMessage());
+      return Mono.error(new BadCredentialsException("API Token malformed"));
     }
   }
 }
diff --git a/jwt-opa/src/main/java/com/alertavert/opa/security/OpaReactiveAuthorizationManager.java b/jwt-opa/src/main/java/com/alertavert/opa/security/OpaReactiveAuthorizationManager.java
@@ -105,7 +105,7 @@ public Mono<AuthorizationDecision> check(
     String path = request.getPath().toString();
     for (String pattern : authRoutes) {
       if (pathMatcher.match(pattern, path)) {
-        log.debug("Route is allowed to bypass authorization");
+        log.debug("Route {} is allowed to bypass authorization (matches: {})", path, pattern);
         return Mono.just(new AuthorizationDecision(true));
       }
     }

diff --git a/webapp-example/src/main/java/com/alertavert/opademo/DbInit.java b/webapp-example/src/main/java/com/alertavert/opademo/DbInit.java
@@ -21,9 +21,7 @@
 import com.alertavert.opademo.api.UserController;
 import com.alertavert.opademo.data.User;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.context.annotation.Profile;
 import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Component;
 import org.springframework.util.StringUtils;
@@ -35,19 +33,21 @@
 /**
  * Initializes the DB with a seed `admin` user and a random password, if it doesn't already exist.
  */
-@Profile("debug")
 @Slf4j
 @Component
 public class DbInit {
-  @Autowired
-  UserController controller;
+  private final UserController controller;
 
   @Value("${db.admin.username:admin}")
   String adminUsername;
 
   @Value("${db.admin.password}")
   String adminPassword;
 
+  public DbInit(UserController controller) {
+    this.controller = controller;
+  }
+
 
   @PostConstruct
   public void initDb() {
@@ -57,7 +57,7 @@ public void initDb() {
           adminUsername, adminPassword);
     }
     User admin = new User(adminUsername, adminPassword, "SYSTEM");
-
+    log.info("Creating admin user: {}", adminUsername);
     controller.create(admin)
         .doOnSuccess(responseEntity -> {
           if (!responseEntity.getStatusCode().equals(HttpStatus.CREATED)) {
@@ -76,6 +76,7 @@ public void initDb() {
             System.exit(1);
           }
         })
+        .onErrorComplete()
         .subscribe();
   }
 }
diff --git a/webapp-example/src/main/resources/application.yaml b/webapp-example/src/main/resources/application.yaml
@@ -101,7 +101,7 @@ keys:
   #       For a PASSPHRASE, the secret is simply read from SecretsManager/Vault
   #       The keypair is stored as a JSON-formatted secret, with two keys: "priv" and "pub".
   location: keypair
-  name: ../private/ec-key
+  name: private/ec-key
 
 logging:
   level:
@@ -131,7 +131,7 @@ routes:
     - "/health"
     - "/demo"
     - "/favicon.ico"
-    - "/login/reset/*"
+    #- "/login/reset/*"
 
   # These will require the user to authenticate, but will not
   # be subject to OPA Policies authorization check.

diff --git a/webapp-example/src/test/java/com/alertavert/opademo/api/LoginControllerTest.java b/webapp-example/src/test/java/com/alertavert/opademo/api/LoginControllerTest.java
@@ -38,17 +38,6 @@ class LoginControllerTest {
 
   User bob, pete;
 
-  /**
-   * Takes a User with the password field in plaintext, and converts into a hashed one, then saves
-   * it to the DB.
-   *
-   * @param user
-   * @return the same user, but with a hashed password
-   */
-  private Flux<User> hashPasswordAndSave(User user) {
-    return hashPasswordAndSaveAll(List.of(user));
-  }
-
   private Flux<User> hashPasswordAndSaveAll(List<User> users) {
     return repository.saveAll(
         users.stream()
@@ -83,7 +72,7 @@ public void validUserSuccessfullyLogin() {
   }
 
   @Test
-  public void validUserWrongPwdFailsLogin() {
+  void validUserWrongPwdFailsLogin() {
     client.get()
         .uri("/login")
         .header(HttpHeaders.AUTHORIZATION, LoginController.credentialsToHeader("bob:foo").block())
@@ -92,7 +81,7 @@ public void validUserWrongPwdFailsLogin() {
   }
 
   @Test
-  public void invalidUserFailsLogin() {
+  void invalidUserFailsLogin() {
     client.get()
         .uri("/login")
         .header(HttpHeaders.AUTHORIZATION,
@@ -102,7 +91,7 @@ public void invalidUserFailsLogin() {
   }
 
   @Test
-  public void validUserCanResetPassword() {
+  void validUserCanResetPassword() {
     client.get()
         .uri("/login/reset/pete")
         .exchange()