Feature/security

api-project-component-v0/src/main/java/org/opendevstack/apiservice/project/facade/MarketplaceExternalServicePlaceholder.java

@@ -0,0 +1,27 @@
+package org.opendevstack.apiservice.project.facade;
+
+import lombok.extern.slf4j.Slf4j;
+import org.opendevstack.apiservice.externalservice.api.ExternalService;
+import org.opendevstack.apiservice.project.model.Component;
+import org.opendevstack.apiservice.project.model.CreateComponentRequest;
+import org.springframework.stereotype.Service;
+
+@Service
+@Slf4j
+class MarketplaceExternalServicePlaceholder implements ExternalService {
+
+    @Override
+    public boolean isHealthy() {
+        return false;
+    }
+
+    public Component getProjectComponent(String projectId, String componentId) {
+        log.info("Get component with id '" + componentId + "' for project '" + projectId + "'");
+        return null;
+    }
+
+    public Component createProjectComponent(String projectId, CreateComponentRequest createComponentRequest) {
+        log.info("Creating component for project '" + projectId + "'" + " with request: " + createComponentRequest);
+        return null;
+    }
+}

api-project/src/main/java/org/opendevstack/apiservice/project/controller/ProjectController.java

@@ -7,6 +7,7 @@
 import org.opendevstack.apiservice.project.facade.ProjectsFacade;
 import org.opendevstack.apiservice.project.model.CreateProjectRequest;
 import org.opendevstack.apiservice.project.model.CreateProjectResponse;
+import org.opendevstack.apiservice.project.util.SecurityUtils;
 import org.opendevstack.apiservice.project.validation.ProjectRequestValidator;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
@@ -37,15 +38,16 @@ public class ProjectController implements ProjectsApi {
     @Override
     public ResponseEntity<CreateProjectResponse> createProject(@Valid @RequestBody CreateProjectRequest createProjectRequest) {
         projectRequestValidator.validate(createProjectRequest);
-        UUID clientId = UUID.fromString("00000000-0000-0000-0000-000000000001");
+        UUID clientId = SecurityUtils.getClientId();
+
         CreateProjectResponse projectResponse = projectsFacade.createProject(createProjectRequest, clientId);
         projectResponse.setLocation(API_BASE_PATH + "/" + projectResponse.getProjectKey());
         return ResponseEntity
                 .status(HttpStatus.OK)
                 .header(HTTP_HEADER_LOCATION, API_BASE_PATH)
                 .body(projectResponse);
     }
-    
+
     @GetMapping("/{projectKey}")
     @Override
     public ResponseEntity<CreateProjectResponse> getProject(@PathVariable String projectKey) {

api-project/src/main/java/org/opendevstack/apiservice/project/controller/advice/ProjectExceptionHandler.java

@@ -10,6 +10,7 @@
 import org.opendevstack.apiservice.project.model.CreateProjectResponse;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.http.converter.HttpMessageNotReadableException;
 import org.springframework.validation.FieldError;
 import org.springframework.web.bind.MethodArgumentNotValidException;
 import org.springframework.web.bind.annotation.ExceptionHandler;
@@ -108,6 +109,17 @@ public ResponseEntity<CreateProjectResponse> handleAutomationPlatformException(
         return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).body(response);
     }
 
+    @ExceptionHandler(HttpMessageNotReadableException.class)
+    public ResponseEntity<CreateProjectResponse> handleHttpMessageNotReadableException(HttpMessageNotReadableException ex) {
+        log.error("Unexpected error: {}", ex.getMessage(), ex);
+        CreateProjectResponse response = new CreateProjectResponse();
+        response.setLocation(ProjectController.API_BASE_PATH);
+        response.setError(ErrorKey.BAD_REQUEST_BODY.getMessage());
+        response.setErrorKey(ErrorKey.BAD_REQUEST_BODY.getKey());
+        response.setMessage("An error occurred while processing the request.");
+        return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(response);
+    }
+
     @ExceptionHandler(Exception.class)
     public ResponseEntity<CreateProjectResponse> handleGenericException(Exception ex) {
         log.error("Unexpected error: {}", ex.getMessage(), ex);

api-project/src/main/java/org/opendevstack/apiservice/project/util/SecurityUtils.java

@@ -0,0 +1,33 @@
+package org.opendevstack.apiservice.project.util;
+
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException;
+
+import java.util.UUID;
+
+public class SecurityUtils {
+
+    private SecurityUtils() {
+        // to avoid instantiation
+    }
+
+    public static UUID getClientId() {
+        Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+
+        if (principal instanceof Jwt jwt) {
+            String clientId = jwt.getClaimAsString("azp");
+            if (clientId == null || clientId.isBlank()) {
+                clientId = jwt.getClaimAsString("appid");
+            }
+
+            if (clientId == null || clientId.isBlank()) {
+                throw new InvalidBearerTokenException("Client ID not found in token claims");
+            }
+
+            return UUID.fromString(clientId);
+        } else {
+            throw new InvalidBearerTokenException("Invalid authentication token");
+        }
+    }
+}

api-project/src/test/java/org/opendevstack/apiservice/project/controller/ProjectControllerTest.java

@@ -11,14 +11,17 @@
 import org.opendevstack.apiservice.project.validation.ProjectRequestValidator;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
+
+import java.util.UUID;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
 
-import java.util.UUID;
-
 class ProjectControllerTest {
 
     @Mock
@@ -34,6 +37,14 @@ class ProjectControllerTest {
     void setup() {
         mocks = MockitoAnnotations.openMocks(this);
         sut = new ProjectController(projectsFacade, projectRequestValidator);
+
+        Jwt jwtToken = Jwt.withTokenValue("dummy-token")
+                .claim("appid", UUID.randomUUID().toString())
+                .claim("sub", "test-user")
+                .header("alg", "none")
+                .build();
+        JwtAuthenticationToken authentication = new JwtAuthenticationToken(jwtToken);
+        SecurityContextHolder.getContext().setAuthentication(authentication);
     }
 
     @AfterEach

application.yaml

@@ -40,6 +40,19 @@ spring:
     open-in-view: false
     show-sql: false
 
+spring:
+  security:
+    oauth2:
+      resourceserver:
+        jwt:
+          issuer-uri: https://sts.windows.net/${AZURE_TENANT_ID}/
+
+app:
+  security:
+    public-endpoints:
+      - /actuator/health
+      - /actuator/health/**
+
 management:
   endpoints:
     web:

core-contracts/src/main/java/org/opendevstack/apiservice/core/contracts/policy/PolicyTypes.java

@@ -9,6 +9,7 @@ public final class PolicyTypes {
 
     private PolicyTypes() {}
 
+    public static final String FLAVOR_RESTRICTION = "FLAVOR_RESTRICTION";
     public static final String ALLOWED_CLIENTS = "ALLOWED_CLIENTS";
     public static final String SCOPE_REQUIRED = "SCOPE_REQUIRED";
 }

core-security/pom.xml

@@ -0,0 +1,57 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>org.opendevstack.apiservice</groupId>
+    <artifactId>devstack-api-service</artifactId>
+    <version>0.0.3</version>
+  </parent>
+
+  <artifactId>core-security</artifactId>
+  <name>core-security</name>
+
+  <dependencies>
+    <dependency>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-web</artifactId>
+    </dependency>    
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-security</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+    </dependency>
+
+
+    <dependency>
+      <groupId>org.opendevstack.apiservice</groupId>
+      <artifactId>core-contracts</artifactId>
+      <version>${project.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.projectlombok</groupId>
+      <artifactId>lombok</artifactId>
+      <scope>provided</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-test</artifactId>
+      <scope>test</scope>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-test</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+</project>

core-security/src/main/java/org/opendevstack/apiservice/core/security/authorization/PolicyAuthorizationManager.java

@@ -0,0 +1,111 @@
+package org.opendevstack.apiservice.core.security.authorization;
+
+
+import com.fasterxml.jackson.core.type.TypeReference;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.servlet.http.HttpServletRequest;
+import org.opendevstack.apiservice.core.contracts.auth.AuthorizationDecision;
+import org.opendevstack.apiservice.core.contracts.policy.PolicyContext;
+import org.opendevstack.apiservice.core.contracts.policy.PolicyRule;
+import org.opendevstack.apiservice.core.contracts.registry.ApiDefinition;
+import org.opendevstack.apiservice.core.security.filter.AuthTypeEnforcementFilter;
+import org.opendevstack.apiservice.core.security.registry.ApiDefinitionResolver;
+import org.springframework.security.authorization.AuthorizationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
+import org.springframework.stereotype.Component;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.function.Supplier;
+
+/**
+ * Spring Security AuthorizationManager that delegates authorization decisions to the policy engine.
+ */
+@Component
+public class PolicyAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {
+
+    private final PolicyEngine policyEngine;
+    private final PolicyService policyService;
+    private final PolicyContextFactory contextFactory;
+    private final ApiDefinitionResolver resolver;
+
+    private final ObjectMapper objectMapper;
+
+    public PolicyAuthorizationManager(PolicyEngine policyEngine,
+                                      PolicyService policyService,
+                                      PolicyContextFactory contextFactory,
+                                      ApiDefinitionResolver resolver,
+                                      ObjectMapper objectMapper) {
+        this.policyEngine = policyEngine;
+        this.policyService = policyService;
+        this.contextFactory = contextFactory;
+        this.resolver = resolver;
+        this.objectMapper = objectMapper;
+    }
+
+    @Override
+    public org.springframework.security.authorization.AuthorizationDecision check(
+            Supplier<Authentication> authentication,
+            RequestAuthorizationContext context) {
+
+        HttpServletRequest request = context.getRequest();
+
+        Optional<ApiDefinition> apiDef = this.resolver.resolve(request);
+
+        if (apiDef.isPresent()) {
+            request.setAttribute(AuthTypeEnforcementFilter.API_DEFINITION_ATTR, apiDef.get());   
+        }
+
+        // Unknown routes are denied (fail-closed). Public API definitions are allowed.
+        if (apiDef.isEmpty()) {
+            return new org.springframework.security.authorization.AuthorizationDecision(false);
+        }
+
+        if (apiDef.get().isPublic()) {
+            return new org.springframework.security.authorization.AuthorizationDecision(true);
+        }
+
+        PolicyContext policyContext = contextFactory.create(apiDef.get(), request);
+        policyContext = policyContext.withRequestBody(extractRequestBody(request));
+
+        List<PolicyRule> rules = policyService.findPolicies(apiDef.get().getId(), policyContext.getClientId());
+
+        AuthorizationDecision decision = policyEngine.evaluate(policyContext, rules);
+
+        return new org.springframework.security.authorization.AuthorizationDecision(
+                decision != AuthorizationDecision.DENY
+        );
+    }
+
+    private Map<String, Object> extractRequestBody(HttpServletRequest request) {
+        if (!isJsonWriteRequest(request)) {
+            return Map.of();
+        }
+
+        try {
+            byte[] bytes = request.getInputStream().readAllBytes();
+            if (bytes.length == 0) {
+                return Map.of();
+            }
+            return objectMapper.readValue(bytes, new TypeReference<>() {
+            });
+        } catch (IOException ex) {
+            return Map.of();
+        }
+    }
+
+    private boolean isJsonWriteRequest(HttpServletRequest request) {
+        String method = request.getMethod();
+        if (!"POST".equalsIgnoreCase(method)
+                && !"PUT".equalsIgnoreCase(method)
+                && !"PATCH".equalsIgnoreCase(method)) {
+            return false;
+        }
+
+        String contentType = request.getContentType();
+        return contentType != null && contentType.toLowerCase().startsWith("application/json");
+    }
+}

core-security/src/main/java/org/opendevstack/apiservice/core/security/authorization/PolicyContextFactory.java

@@ -0,0 +1,34 @@
+package org.opendevstack.apiservice.core.security.authorization;
+
+
+import jakarta.servlet.http.HttpServletRequest;
+import org.opendevstack.apiservice.core.contracts.policy.PolicyContext;
+import org.opendevstack.apiservice.core.contracts.registry.ApiDefinition;
+import org.opendevstack.apiservice.core.security.jwt.AzureJwtAuthenticationConverter;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+
+import java.util.Map;
+
+@Component
+public class PolicyContextFactory {
+
+    public PolicyContext create(ApiDefinition apiDefinition, HttpServletRequest request) {
+        var authentication = SecurityContextHolder.getContext().getAuthentication();
+
+        String clientId = null;
+        String subject = null;
+        Map<String, Object> claims = Map.of();
+
+        if (authentication instanceof JwtAuthenticationToken jwtAuth) {
+            Jwt jwt = jwtAuth.getToken();
+            clientId = AzureJwtAuthenticationConverter.extractClientId(jwt);
+            subject = jwt.getClaimAsString("sub");
+            claims = jwt.getClaims();
+        }
+
+        return new PolicyContext(clientId, subject, claims, apiDefinition, request);
+    }
+}