feat: P4ADEV-1754 configuring inner security (#18)

.devops/deploy-pipelines.yml

@@ -179,4 +179,47 @@ stages:
                       curl -X POST \
                         -H "Content-type: application/json" \
                         --data '{"text": "*Attention: There is an error in pipeline $(System.DefinitionName) in step _deploy_!*\nCheck the logs for more details $(System.CollectionUri)$(System.TeamProject)/_build/results?buildId=$(Build.BuildId) to view the build results."}' \
-                        $(SLACK_WEBHOOK_URL)
+                        $(SLACK_WEBHOOK_URL)
+  - stage: stage_postman_test
+    displayName: 'Test_e2e_on_${{ variables.environment }}'
+    condition: or(eq(variables.environment, 'DEV'), eq(variables.environment, 'UAT'))
+    jobs:
+      - job: 'Run_Postman_collection_on_${{ variables.environment }}'
+        displayName: 'Run Postman collection on ${{ variables.environment }}'
+        pool:
+          name: $(selfHostedAgentPool)
+        steps:
+          - task: NodeTool@0
+            inputs:
+              versionSpec: '16.x'
+          - task: Npm@1
+            displayName: Install newman
+            inputs:
+              command: custom
+              customCommand: install -g newman
+          - task: DownloadSecureFile@1
+            displayName: 'download postman environment'
+            name: postman_env
+            inputs:
+              secureFile: $(postmanEnvFile)
+          - task: CmdLine@2
+            displayName: Run newman
+            continueOnError: true # Useful to avoid the skipping of result publishing task
+            inputs:
+              script: newman run postman/P4PA-PDND-Service API.postman_collection.json -e $(postman_env.secureFilePath) --reporters cli,junit --reporter-junit-export result/test-result.xml
+          - task: PublishTestResults@2
+            inputs:
+              testResultsFormat: 'JUnit'
+              testResultsFiles: '**/test-*.xml'
+              searchFolder: '$(System.DefaultWorkingDirectory)/result/'
+              testRunTitle: 'Publish Newman Test Results'
+          - task: 'Bash@3'
+            displayName: 'Send message on Slack'
+            condition: in(variables['Agent.JobStatus'], 'SucceededWithIssues', 'Failed')
+            inputs:
+              targetType: 'inline'
+              script: >
+                curl -X POST \
+                  -H "Content-type: application/json" \
+                  --data '{"text": "*Attention: There is an error in pipeline $(System.DefinitionName) in step _postman test_!*\nCheck the logs for more details $(System.CollectionUri)$(System.TeamProject)/_build/results?buildId=$(Build.BuildId) to view the build results."}' \
+                  $(SLACK_WEBHOOK_URL)

build.gradle.kts

@@ -32,17 +32,16 @@ val springDocOpenApiVersion = "2.7.0"
 val openApiToolsVersion = "0.2.6"
 val javaJwtVersion = "4.4.0"
 val jwksRsaVersion = "0.22.1"
-val nimbusJoseJwtVersion = "9.48"
-val jjwtVersion = "0.12.6"
 val wiremockVersion = "3.10.0"
 val wiremockSpringBootVersion = "2.1.3"
 val micrometerVersion = "1.4.1"
+val bouncycastleVersion = "1.79"
 
 dependencies {
 	implementation("org.springframework.boot:spring-boot-starter")
 	implementation("org.springframework.boot:spring-boot-starter-web")
 	implementation("org.springframework.boot:spring-boot-starter-actuator")
-	implementation("org.springframework.boot:spring-boot-starter-security")
+	implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")
 	implementation("org.springdoc:springdoc-openapi-starter-webmvc-ui:$springDocOpenApiVersion")
 	implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310")
 	implementation("org.openapitools:jackson-databind-nullable:$openApiToolsVersion")
@@ -51,12 +50,13 @@ dependencies {
 	// validation token jwt
 	implementation("com.auth0:java-jwt:$javaJwtVersion")
 	implementation("com.auth0:jwks-rsa:$jwksRsaVersion")
-	implementation("com.nimbusds:nimbus-jose-jwt:$nimbusJoseJwtVersion")
-	implementation("io.jsonwebtoken:jjwt-api:$jjwtVersion")
 
 	compileOnly("org.projectlombok:lombok")
 	annotationProcessor("org.projectlombok:lombok")
 
+	//security
+	implementation("org.bouncycastle:bcprov-jdk18on:$bouncycastleVersion")
+
 	//	Testing
 	testImplementation("org.springframework.boot:spring-boot-starter-test")
 	testImplementation("org.springframework.security:spring-security-test")

gradle.lockfile

@@ -14,8 +14,8 @@ com.fasterxml.jackson.datatype:jackson-datatype-jdk8:2.18.2=compileClasspath
 com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.18.2=compileClasspath
 com.fasterxml.jackson.module:jackson-module-parameter-names:2.18.2=compileClasspath
 com.fasterxml.jackson:jackson-bom:2.18.2=compileClasspath
-com.nimbusds:nimbus-jose-jwt:9.48=compileClasspath
-io.jsonwebtoken:jjwt-api:0.12.6=compileClasspath
+com.github.stephenc.jcip:jcip-annotations:1.0-1=compileClasspath
+com.nimbusds:nimbus-jose-jwt:9.37.3=compileClasspath
 io.micrometer:context-propagation:1.1.2=compileClasspath
 io.micrometer:micrometer-commons:1.14.2=compileClasspath
 io.micrometer:micrometer-core:1.14.2=compileClasspath
@@ -47,6 +47,7 @@ org.apache.logging.log4j:log4j-to-slf4j:2.24.3=compileClasspath
 org.apache.tomcat.embed:tomcat-embed-core:10.1.34=compileClasspath
 org.apache.tomcat.embed:tomcat-embed-el:10.1.34=compileClasspath
 org.apache.tomcat.embed:tomcat-embed-websocket:10.1.34=compileClasspath
+org.bouncycastle:bcprov-jdk18on:1.79=compileClasspath
 org.jspecify:jspecify:1.0.0=compileClasspath
 org.openapitools:jackson-databind-nullable:0.2.6=compileClasspath
 org.projectlombok:lombok:1.18.36=compileClasspath
@@ -61,14 +62,17 @@ org.springframework.boot:spring-boot-autoconfigure:3.4.1=compileClasspath
 org.springframework.boot:spring-boot-starter-actuator:3.4.1=compileClasspath
 org.springframework.boot:spring-boot-starter-json:3.4.1=compileClasspath
 org.springframework.boot:spring-boot-starter-logging:3.4.1=compileClasspath
-org.springframework.boot:spring-boot-starter-security:3.4.1=compileClasspath
+org.springframework.boot:spring-boot-starter-oauth2-resource-server:3.4.1=compileClasspath
 org.springframework.boot:spring-boot-starter-tomcat:3.4.1=compileClasspath
 org.springframework.boot:spring-boot-starter-web:3.4.1=compileClasspath
 org.springframework.boot:spring-boot-starter:3.4.1=compileClasspath
 org.springframework.boot:spring-boot:3.4.1=compileClasspath
 org.springframework.security:spring-security-config:6.4.2=compileClasspath
 org.springframework.security:spring-security-core:6.4.2=compileClasspath
 org.springframework.security:spring-security-crypto:6.4.2=compileClasspath
+org.springframework.security:spring-security-oauth2-core:6.4.2=compileClasspath
+org.springframework.security:spring-security-oauth2-jose:6.4.2=compileClasspath
+org.springframework.security:spring-security-oauth2-resource-server:6.4.2=compileClasspath
 org.springframework.security:spring-security-web:6.4.2=compileClasspath
 org.springframework:spring-aop:6.2.1=compileClasspath
 org.springframework:spring-beans:6.2.1=compileClasspath

helm/values-dev.yaml

@@ -10,7 +10,7 @@ microservice-chart:
   resources:
     requests:
       memory: "256Mi"
-      cpu: "40m"
+      cpu: "100m"
     limits:
       memory: "4Gi"
       cpu: "300m"

helm/values-prod.yaml

@@ -10,7 +10,7 @@ microservice-chart:
   resources:
     requests:
       memory: "256Mi"
-      cpu: "40m"
+      cpu: "100m"
     limits:
       memory: "4Gi"
       cpu: "300m"

helm/values-uat.yaml

@@ -10,7 +10,7 @@ microservice-chart:
   resources:
     requests:
       memory: "256Mi"
-      cpu: "40m"
+      cpu: "100m"
     limits:
       memory: "4Gi"
       cpu: "300m"

helm/values.yaml

@@ -65,6 +65,7 @@ microservice-chart:
 
   envSecret:
     APPLICATIONINSIGHTS_CONNECTION_STRING: appinsights-connection-string
+    JWT_TOKEN_PUBLIC_KEY: jwt-public-key
 
     PDND_SERVICE_PRIVATEKEY: piattaforma-unitaria-interop-priv
     PDND_SERVICE_PUBLICKEY: piattaforma-unitaria-interop-pub

src/test/postman/P4PA-PDND-Service API.postman_collection.json → postman/P4PA-PDND-Service API.postman_collection.json

@@ -1,43 +1,56 @@
 {
 	"info": {
-		"_postman_id": "07c1f103-1e5f-44fe-a5e3-00126c6ece77",
+		"_postman_id": "2474956e-ea82-4ca1-a3f4-19579b4b7f67",
 		"name": "P4PA-PDND-Service API",
 		"description": "API and Models.",
 		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
-		"_exporter_id": "29646859",
-		"_collection_link": "https://crimson-zodiac-456704.postman.co/workspace/Personal-Workspace~7804a326-503c-4623-9152-3f4c38f2d060/collection/29646859-07c1f103-1e5f-44fe-a5e3-00126c6ece77?action=share&source=collection_link&creator=29646859"
+		"_exporter_id": "15747968",
+		"_collection_link": "https://warped-astronaut-141685.postman.co/workspace/P4PA~9a8b7dd5-97b6-4dd0-b3f5-95f25fd0b455/collection/15747968-2474956e-ea82-4ca1-a3f4-19579b4b7f67?action=share&source=collection_link&creator=15747968"
 	},
 	"item": [
 		{
-			"name": "01.token",
+			"name": "00_login",
 			"item": [
 				{
-					"name": "01_getAuthToken",
+					"name": "00_authtoken jwt",
 					"event": [
 						{
 							"listen": "test",
 							"script": {
 								"exec": [
-									"var jsonData = pm.response.json();\r",
-									"pm.collectionVariables.set(\"token\", jsonData.accessToken);"
+									"pm=instrumentPmMethod(pm);\r",
+									"\r",
+									"pm.test(\"p4paAuth - 01_authtoken - Responses with 200\", function () {\r",
+									"    pm.response.to.have.status(200);\r",
+									"});\r",
+									"\r",
+									"pm.test(\"p4paAuth - 01_authtoken jwt - Verify response body\", function () {\r",
+									"    let jsonResponse = pm.response.json();\r",
+									"\r",
+									"    pm.expect(jsonResponse).have.property(\"accessToken\")\r",
+									"    pm.expect(jsonResponse).have.property(\"tokenType\")\r",
+									"    pm.expect(jsonResponse).have.property(\"expiresIn\")\r",
+									"});\r",
+									"\r",
+									"let jsonResponse = pm.response.json();\r",
+									"pm.collectionVariables.set(\"accessToken\", jsonResponse.accessToken);\r",
+									""
 								],
 								"type": "text/javascript",
 								"packages": {}
 							}
 						}
 					],
 					"request": {
-						"auth": {
-							"type": "noauth"
-						},
 						"method": "POST",
 						"header": [],
 						"url": {
-							"raw": "{{baseUrlAuth}}/auth/token?client_id=piattaforma-unitaria&grant_type=urn:ietf:params:oauth:grant-type:token-exchange&subject_token=e1d9c534-86a9-4039-80da-8aa7a33ac9e7&subject_issuer=soak-test&subject_token_type=FAKE-AUTH&scope=openid&client_secret",
+							"raw": "{{p4paAuthBaseUrl}}/payhub/auth/token?client_id=piattaforma-unitaria&grant_type=urn:ietf:params:oauth:grant-type:token-exchange&subject_token={{tokenExchange_subjectToken}}&subject_issuer={{tokenExchange_issuer}}&scope=openid&subject_token_type=urn:ietf:params:oauth:token-type:jwt",
 							"host": [
-								"{{baseUrlAuth}}"
+								"{{p4paAuthBaseUrl}}"
 							],
 							"path": [
+								"payhub",
 								"auth",
 								"token"
 							],
@@ -52,23 +65,19 @@
 								},
 								{
 									"key": "subject_token",
-									"value": "e1d9c534-86a9-4039-80da-8aa7a33ac9e7"
+									"value": "{{tokenExchange_subjectToken}}"
 								},
 								{
 									"key": "subject_issuer",
-									"value": "soak-test"
-								},
-								{
-									"key": "subject_token_type",
-									"value": "FAKE-AUTH"
+									"value": "{{tokenExchange_issuer}}"
 								},
 								{
 									"key": "scope",
 									"value": "openid"
 								},
 								{
-									"key": "client_secret",
-									"value": null
+									"key": "subject_token_type",
+									"value": "urn:ietf:params:oauth:token-type:jwt"
 								}
 							]
 						}
@@ -78,10 +87,10 @@
 			]
 		},
 		{
-			"name": "02.citizen",
+			"name": "01_citizen",
 			"item": [
 				{
-					"name": "02_getCitizenData",
+					"name": "01_getCitizenData",
 					"event": [
 						{
 							"listen": "test",
@@ -329,6 +338,38 @@
 						}
 					]
 				}
+			],
+			"auth": {
+				"type": "bearer",
+				"bearer": [
+					{
+						"key": "token",
+						"value": "{{accessToken}}",
+						"type": "string"
+					}
+				]
+			},
+			"event": [
+				{
+					"listen": "prerequest",
+					"script": {
+						"type": "text/javascript",
+						"packages": {},
+						"exec": [
+							""
+						]
+					}
+				},
+				{
+					"listen": "test",
+					"script": {
+						"type": "text/javascript",
+						"packages": {},
+						"exec": [
+							""
+						]
+					}
+				}
 			]
 		}
 	],
@@ -359,7 +400,69 @@
 				"type": "text/javascript",
 				"packages": {},
 				"exec": [
-					""
+					"// START COMMON UTILITIES",
+					"",
+					"// global variable to use in order to skip tests",
+					"skipTests=false;",
+					"",
+					"// method to be invoked as first thing inside tests in order to instrument the \"pm\" variable:",
+					"// eg: pm = pm=instrumentPmMethod(pm);",
+					"instrumentPmMethod = (pm) => {",
+					"    const pmProxy = {",
+					"        get: function(pm, key) {",
+					"            if (key == 'test') {",
+					"                return (skipTests ? pm.test.skip : pm.test);",
+					"            }",
+					"            return pm[key];",
+					"        }",
+					"    };",
+					"",
+					"    return new Proxy(pm, pmProxy);",
+					"}",
+					"",
+					"// function to be used in order to retry the current request, configuring a maximum number of attempts and a fixed delay between each invoke",
+					"retryRequest = (pm, setTimeout, waitingMillis = 1000, maxAttempts = 30) => {",
+					"    if(!pm || !setTimeout){",
+					"        throw new Error(\"Invalid invoke to retryRequest function! Some required parameters are undefined: pm=\" + pm + \", setTimeout=\" + setTimeout)",
+					"    }",
+					"",
+					"    const retryVariableName = \"retry_\" + pm.info.requestId",
+					"    const attempt = (pm.variables.get(retryVariableName) ?? 0) + 1;",
+					"    if(attempt < maxAttempts) {",
+					"        console.info(pm.info.requestName + \" not ready, retrying [attempt \" + attempt + \"/\" + maxAttempts + \"] after \" + waitingMillis + \" ms\");",
+					"        pm.variables.set(retryVariableName, attempt)",
+					"        pm.execution.setNextRequest(pm.info.requestId);",
+					"        return setTimeout(()=>{}, waitingMillis);",
+					"    } else {",
+					"        pm.test(pm.info.requestName + \" not ready\", () => pm.expect.fail(attempt + \" attempts\"));",
+					"    }",
+					"}",
+					"",
+					"// function to be used in order to retry the current request until it returns a known response HTTP status code",
+					"retryWhenStatusCode = (pm, setTimeout, statusCode, waitingMillis, maxAttempts) => {",
+					"    if(pm.response.code == statusCode){",
+					"        console.log(\"Obtained \" + statusCode + \"! Performing retry...\")",
+					"        skipTests=true;",
+					"        return retryRequest(pm, setTimeout, waitingMillis, maxAttempts)",
+					"    }",
+					"}",
+					"",
+					"// XML utilities",
+					"xml2js = require('xml2js');",
+					"",
+					"parseXmlResponse = (response) => {",
+					"    let body;",
+					"    xml2js.parseString(response.text(), {",
+					"            ignoreAttrs: true, ",
+					"            explicitArray: false,",
+					"        }, function (err, result) {",
+					"            if(err){",
+					"                console.error(err)",
+					"            }",
+					"        body = result;",
+					"    });",
+					"    return body;",
+					"};"
 				]
 			}
 		}
@@ -383,6 +486,10 @@
 			"key": "baseUrlAuth",
 			"value": "https://api.dev.p4pa.pagopa.it/payhub-auth",
 			"type": "string"
+		},
+		{
+			"key": "accessToken",
+			"value": ""
 		}
 	]
 }