Feature/security (#15)

This pull request introduces a new modular security layer for the
project by adding a `core-security` module. The changes implement a
flexible policy-based authorization system integrated with Spring
Security and Azure AD JWT authentication. The security configuration is
now externalized, supporting public endpoints and dynamic policy
evaluation for API requests. The main areas of change are the addition
of new security components, policy evaluation infrastructure, and
configuration updates.

**Security configuration and integration:**

- Added a new `core-security` module with its own `pom.xml`, including
dependencies for Spring Security, OAuth2 resource server, and project
contracts.
- Introduced `SecurityConfig` and `SecurityProperties` to configure
Spring Security, define public endpoints, and integrate JWT
authentication with Azure AD.
[[1]](diffhunk://#diff-89b518b29fa9ec1944351e69efbcdba71e422c3a60243639e380ba2b7fdf9969R1-R53)
[[2]](diffhunk://#diff-a407cfaaee4141697d8cd945a003a242b17f4caf458d659f0f701b97cfdbb499R1-R20)
- Updated `application.yaml` to configure OAuth2 resource server with
Azure AD issuer and define public endpoints for health checks.

**Policy-based authorization system:**

- Implemented `PolicyAuthorizationManager`, `PolicyEngine`, and
`PolicyService` to support dynamic, rule-based authorization decisions
for API requests. These components resolve API definitions, retrieve
relevant policies, and evaluate them to allow or deny access.
[[1]](diffhunk://#diff-1330c45b35848910097a5c9083c330efbc5c978fdacbe80e768d6657573809beR1-R79)
[[2]](diffhunk://#diff-81f467c5c53592ee3767530c780ef2142885ae1fcf0ddae78b68cebdc45b831bR1-R49)
[[3]](diffhunk://#diff-c81749eb986f34aa144a64ef9d2e529ddb29c36d75a9c2f84d2815e038aa645dR1-R32)
- Added `PolicyContextFactory` to build policy evaluation contexts from
HTTP requests and JWT claims.

**Policy evaluators:**

- Added `AllowedClientsEvaluator` and `FlavorRestrictionEvaluator` as
concrete policy evaluators, supporting client-based and
request-body-based authorization rules, respectively.
[[1]](diffhunk://#diff-abc0ee53c28626c12e7bebda566921b0cdf787cef038bed9d4fde7cfd0c1b923R1-R47)
[[2]](diffhunk://#diff-512b30434a48bdd75e08d7bf935623cb31a354bb934066ad730cefd72735cd60R1-R54)

**Authentication flow enforcement:**

- Added `AuthTypeEnforcementFilter`, `AuthFlowResolver`, and
`AuthFlowValidator` to ensure that only allowed authentication flows
(e.g., OBO, client credentials) are accepted for each API, with
flow-specific validation.
[[1]](diffhunk://#diff-3cd26dad5f2149a5873f0b9e0a3dc21468cf1f84f949c18e353d6248185972e3R1-R75)
[[2]](diffhunk://#diff-0b949f9f721cec94f4e91188177fa3b549be489ef1404e3530bd417aa638cbc0R1-R22)
[[3]](diffhunk://#diff-34a386426c9c407d82e7e04c5dccbaaeec679c47d049077bedcae5d7d4e24fceR1-R11)

---------

Co-authored-by: Angel Martinez <angelmp.mail@gmail.com>

Author: jorge-romero

api-project-component-v0/src/main/java/org/opendevstack/apiservice/project/facade/MarketplaceExternalServicePlaceholder.java

@@ -0,0 +1,27 @@
+package org.opendevstack.apiservice.project.facade;
+
+import lombok.extern.slf4j.Slf4j;
+import org.opendevstack.apiservice.externalservice.api.ExternalService;
+import org.opendevstack.apiservice.project.model.Component;
+import org.opendevstack.apiservice.project.model.CreateComponentRequest;
+import org.springframework.stereotype.Service;
+
+@Service
+@Slf4j
+class MarketplaceExternalServicePlaceholder implements ExternalService {
+
+    @Override
+    public boolean isHealthy() {
+        return false;
+    }
+
+    public Component getProjectComponent(String projectId, String componentId) {
+        log.info("Get component with id '" + componentId + "' for project '" + projectId + "'");
+        return null;
+    }
+
+    public Component createProjectComponent(String projectId, CreateComponentRequest createComponentRequest) {
+        log.info("Creating component for project '" + projectId + "'" + " with request: " + createComponentRequest);
+        return null;
+    }
+}

api-project/src/main/java/org/opendevstack/apiservice/project/controller/ProjectController.java

@@ -7,6 +7,7 @@
 import org.opendevstack.apiservice.project.facade.ProjectsFacade;
 import org.opendevstack.apiservice.project.model.CreateProjectRequest;
 import org.opendevstack.apiservice.project.model.CreateProjectResponse;
+import org.opendevstack.apiservice.project.util.SecurityUtils;
 import org.opendevstack.apiservice.project.validation.ProjectRequestValidator;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@@ -37,15 +38,16 @@ public class ProjectController implements ProjectsApi {
     @Override
     public ResponseEntity<CreateProjectResponse> createProject(@Valid @RequestBody CreateProjectRequest createProjectRequest) {
         projectRequestValidator.validate(createProjectRequest);
-        UUID clientId = UUID.fromString("00000000-0000-0000-0000-000000000001");
+        UUID clientId = SecurityUtils.getClientId();
+
         CreateProjectResponse projectResponse = projectsFacade.createProject(createProjectRequest, clientId);
         projectResponse.setLocation(API_BASE_PATH + "/" + projectResponse.getProjectKey());
         return ResponseEntity
                 .status(HttpStatus.OK)
                 .header(HTTP_HEADER_LOCATION, API_BASE_PATH)
                 .body(projectResponse);
     }
-    
+
     @GetMapping("/{projectKey}")
     @Override
     public ResponseEntity<CreateProjectResponse> getProject(@PathVariable String projectKey) {

api-project/src/main/java/org/opendevstack/apiservice/project/controller/advice/ProjectExceptionHandler.java

@@ -10,6 +10,7 @@
 import org.opendevstack.apiservice.project.model.CreateProjectResponse;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.http.converter.HttpMessageNotReadableException;
 import org.springframework.validation.FieldError;
 import org.springframework.web.bind.MethodArgumentNotValidException;
 import org.springframework.web.bind.annotation.ExceptionHandler;
@@ -108,6 +109,17 @@ public ResponseEntity<CreateProjectResponse> handleAutomationPlatformException(
         return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(response);
     }
 
+    @ExceptionHandler(HttpMessageNotReadableException.class)
+    public ResponseEntity<CreateProjectResponse> handleHttpMessageNotReadableException(HttpMessageNotReadableException ex) {
+        log.error("Unexpected error: {}", ex.getMessage(), ex);
+        CreateProjectResponse response = new CreateProjectResponse();
+        response.setLocation(ProjectController.API_BASE_PATH);
+        response.setError(ErrorKey.BAD_REQUEST_BODY.getMessage());
+        response.setErrorKey(ErrorKey.BAD_REQUEST_BODY.getKey());
+        response.setMessage("An error occurred while processing the request.");
+        return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(response);
+    }
+
     @ExceptionHandler(Exception.class)
     public ResponseEntity<CreateProjectResponse> handleGenericException(Exception ex) {
         log.error("Unexpected error: {}", ex.getMessage(), ex);

api-project/src/main/java/org/opendevstack/apiservice/project/util/SecurityUtils.java

@@ -0,0 +1,33 @@
+package org.opendevstack.apiservice.project.util;
+
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
+
+import java.util.UUID;
+
+public class SecurityUtils {
+
+    private SecurityUtils() {
+        // to avoid instantiation
+    }
+
+    public static UUID getClientId() {
+        Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+
+        if (principal instanceof Jwt jwt) {
+            String clientId = jwt.getClaimAsString("azp");
+            if (clientId == null || clientId.isBlank()) {
+                clientId = jwt.getClaimAsString("appid");
+            }
+            
+            if (clientId == null || clientId.isBlank()) {
+                throw new InvalidBearerTokenException("Client ID not found in token claims");
+            }
+            
+            return UUID.fromString(clientId);
+        } else {
+            throw new InvalidBearerTokenException("Invalid authentication token");
+        }
+    }
+}

api-project/src/test/java/org/opendevstack/apiservice/project/controller/ProjectControllerTest.java

@@ -11,14 +11,17 @@
 import org.opendevstack.apiservice.project.validation.ProjectRequestValidator;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
+
+import java.util.UUID;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
-import java.util.UUID;
-
 class ProjectControllerTest {
 
     @Mock
@@ -34,6 +37,14 @@ class ProjectControllerTest {
     void setup() {
         mocks = MockitoAnnotations.openMocks(this);
         sut = new ProjectController(projectsFacade, projectRequestValidator);
+
+        Jwt jwtToken = Jwt.withTokenValue("dummy-token")
+                .claim("appid", UUID.randomUUID().toString())
+                .claim("sub", "test-user")
+                .header("alg", "none")
+                .build();
+        JwtAuthenticationToken authentication = new JwtAuthenticationToken(jwtToken);
+        SecurityContextHolder.getContext().setAuthentication(authentication);
     }
 
     @AfterEach

application.yaml

@@ -40,6 +40,19 @@ spring:
     open-in-view: false
     show-sql: false
 
+spring:
+  security:
+    oauth2:
+      resourceserver:
+        jwt:
+          issuer-uri: https://sts.windows.net/${AZURE_TENANT_ID}/
+
+app:
+  security:
+    public-endpoints:
+      - /actuator/health
+      - /actuator/health/**
+
 management:
   endpoints:
     web:

core-contracts/src/main/java/org/opendevstack/apiservice/core/contracts/policy/PolicyTypes.java

@@ -9,6 +9,7 @@ public final class PolicyTypes {
 
     private PolicyTypes() {}
 
+    public static final String FLAVOR_RESTRICTION = "FLAVOR_RESTRICTION";
     public static final String ALLOWED_CLIENTS = "ALLOWED_CLIENTS";
     public static final String SCOPE_REQUIRED = "SCOPE_REQUIRED";
 }

core-security/pom.xml

@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>org.opendevstack.apiservice</groupId>
+    <artifactId>devstack-api-service</artifactId>
+    <version>0.0.3</version>
+  </parent>
+
+  <artifactId>core-security</artifactId>
+  <name>core-security</name>
+
+  <dependencies>
+    <dependency>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-web</artifactId>
+    </dependency>    
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-security</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+    </dependency>
+
+
+    <dependency>
+      <groupId>org.opendevstack.apiservice</groupId>
+      <artifactId>core-contracts</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.projectlombok</groupId>
+      <artifactId>lombok</artifactId>
+      <scope>provided</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-test</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-test</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+</project>

core-security/src/main/java/org/opendevstack/apiservice/core/security/authorization/PolicyAuthorizationManager.java

@@ -0,0 +1,111 @@
+package org.opendevstack.apiservice.core.security.authorization;
+
+
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.servlet.http.HttpServletRequest;
+import org.opendevstack.apiservice.core.contracts.auth.AuthorizationDecision;
+import org.opendevstack.apiservice.core.contracts.policy.PolicyContext;
+import org.opendevstack.apiservice.core.contracts.policy.PolicyRule;
+import org.opendevstack.apiservice.core.contracts.registry.ApiDefinition;
+import org.opendevstack.apiservice.core.security.filter.AuthTypeEnforcementFilter;
+import org.opendevstack.apiservice.core.security.registry.ApiDefinitionResolver;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
+import org.springframework.stereotype.Component;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.function.Supplier;
+
+/**
+ * Spring Security AuthorizationManager that delegates authorization decisions to the policy engine.
+ */
+@Component
+public class PolicyAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {
+
+    private final PolicyEngine policyEngine;
+    private final PolicyService policyService;
+    private final PolicyContextFactory contextFactory;
+    private final ApiDefinitionResolver resolver;
+
+    private final ObjectMapper objectMapper;
+
+    public PolicyAuthorizationManager(PolicyEngine policyEngine,
+                                      PolicyService policyService,
+                                      PolicyContextFactory contextFactory,
+                                      ApiDefinitionResolver resolver,
+                                      ObjectMapper objectMapper) {
+        this.policyEngine = policyEngine;
+        this.policyService = policyService;
+        this.contextFactory = contextFactory;
+        this.resolver = resolver;
+        this.objectMapper = objectMapper;
+    }
+
+    @Override
+    public org.springframework.security.authorization.AuthorizationDecision check(
+            Supplier<Authentication> authentication,
+            RequestAuthorizationContext context) {
+
+        HttpServletRequest request = context.getRequest();
+
+        Optional<ApiDefinition> apiDef = this.resolver.resolve(request);
+
+        if (apiDef.isPresent()) {
+            request.setAttribute(AuthTypeEnforcementFilter.API_DEFINITION_ATTR, apiDef.get());   
+        }
+
+        // Unknown routes are denied (fail-closed). Public API definitions are allowed.
+        if (apiDef.isEmpty()) {
+            return new org.springframework.security.authorization.AuthorizationDecision(false);
+        }
+
+        if (apiDef.get().isPublic()) {
+            return new org.springframework.security.authorization.AuthorizationDecision(true);
+        }
+
+        PolicyContext policyContext = contextFactory.create(apiDef.get(), request);
+        policyContext = policyContext.withRequestBody(extractRequestBody(request));
+
+        List<PolicyRule> rules = policyService.findPolicies(apiDef.get().getId(), policyContext.getClientId());
+
+        AuthorizationDecision decision = policyEngine.evaluate(policyContext, rules);
+
+        return new org.springframework.security.authorization.AuthorizationDecision(
+                decision != AuthorizationDecision.DENY
+        );
+    }
+
+    private Map<String, Object> extractRequestBody(HttpServletRequest request) {
+        if (!isJsonWriteRequest(request)) {
+            return Map.of();
+        }
+
+        try {
+            byte[] bytes = request.getInputStream().readAllBytes();
+            if (bytes.length == 0) {
+                return Map.of();
+            }
+            return objectMapper.readValue(bytes, new TypeReference<>() {
+            });
+        } catch (IOException ex) {
+            return Map.of();
+        }
+    }
+
+    private boolean isJsonWriteRequest(HttpServletRequest request) {
+        String method = request.getMethod();
+        if (!"POST".equalsIgnoreCase(method)
+                && !"PUT".equalsIgnoreCase(method)
+                && !"PATCH".equalsIgnoreCase(method)) {
+            return false;
+        }
+
+        String contentType = request.getContentType();
+        return contentType != null && contentType.toLowerCase().startsWith("application/json");
+    }
+}

core-security/src/main/java/org/opendevstack/apiservice/core/security/authorization/PolicyContextFactory.java

@@ -0,0 +1,34 @@
+package org.opendevstack.apiservice.core.security.authorization;
+
+
+import jakarta.servlet.http.HttpServletRequest;
+import org.opendevstack.apiservice.core.contracts.policy.PolicyContext;
+import org.opendevstack.apiservice.core.contracts.registry.ApiDefinition;
+import org.opendevstack.apiservice.core.security.jwt.AzureJwtAuthenticationConverter;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+
+import java.util.Map;
+
+@Component
+public class PolicyContextFactory {
+
+    public PolicyContext create(ApiDefinition apiDefinition, HttpServletRequest request) {
+        var authentication = SecurityContextHolder.getContext().getAuthentication();
+
+        String clientId = null;
+        String subject = null;
+        Map<String, Object> claims = Map.of();
+
+        if (authentication instanceof JwtAuthenticationToken jwtAuth) {
+            Jwt jwt = jwtAuth.getToken();
+            clientId = AzureJwtAuthenticationConverter.extractClientId(jwt);
+            subject = jwt.getClaimAsString("sub");
+            claims = jwt.getClaims();
+        }
+
+        return new PolicyContext(clientId, subject, claims, apiDefinition, request);
+    }
+}