#1946 fix devops oauth subjects not being configured correctly with environment variable

thjaeckle · thjaeckle · commit c42857612ccc · 2024-05-31T09:55:07.000+02:00
Signed-off-by: Thomas Jäckle &lt;thomas.jaeckle@beyonnex.io&gt;
diff --git a/deployment/helm/ditto/Chart.yaml b/deployment/helm/ditto/Chart.yaml
@@ -16,7 +16,7 @@ description: |
   A digital twin is a virtual, cloud based, representation of his real world counterpart
   (real world “Things”, e.g. devices like sensors, smart heating, connected cars, smart grids, EV charging stations etc).
 type: application
-version: 3.5.6  # chart version is effectively set by release-job
+version: 3.5.7-0  # chart version is effectively set by release-job
 appVersion: 3.5.6
 keywords:
   - iot-chart
diff --git a/deployment/helm/ditto/templates/gateway-deployment.yaml b/deployment/helm/ditto/templates/gateway-deployment.yaml
@@ -149,6 +149,12 @@ spec:
                 "{{ printf "%s%s%s%d=%s" "-Dditto.gateway.authentication.devops.oauth.openid-connect-issuers." $key ".auth-subjects." $index $subject }}"
                 {{- end }}
                 {{- end }}
+                {{- range $index, $oauthSubject := .Values.gateway.config.authentication.devops.oauthSubjects }}
+                "{{ printf "%s%d=%s" "-Dditto.gateway.authentication.devops.devops-oauth2-subjects." $index $oauthSubject }}"
+                {{- end }}
+                {{- range $index, $oauthSubject := .Values.gateway.config.authentication.devops.statusOauthSubjects }}
+                "{{ printf "%s%d=%s" "-Dditto.gateway.authentication.devops.status-oauth2-subjects." $index $oauthSubject }}"
+                {{- end }}
                 {{ join " " .Values.gateway.systemProps }}
             - name: CLUSTER_BS_REQUIRED_CONTACTS
               value: "{{ .Values.global.cluster.requiredContactPoints }}"
@@ -191,10 +197,6 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.gateway.config.authentication.devops.existingSecret | default ( printf "%s-gateway-secret" ( include "ditto.fullname" . )) }}
                   key: devops-password
-            {{- range $index, $oauthSubject := .Values.gateway.config.authentication.devops.oauthSubjects }}
-            - name: DEVOPS_OAUTH2_SUBJECTS.{{ $index }}
-              value: "{{ $oauthSubject }}"
-            {{- end }}
             - name: DEVOPS_STATUS_SECURED
               value: "{{ .Values.gateway.config.authentication.devops.statusSecured }}"
             - name: STATUS_AUTHENTICATION_METHOD
@@ -204,10 +206,6 @@ spec:
                 secretKeyRef:
                   name: {{ .Values.gateway.config.authentication.devops.existingSecret | default ( printf "%s-gateway-secret" ( include "ditto.fullname" . )) }}
                   key: status-password
-            {{- range $index, $oauthSubject := .Values.gateway.config.authentication.devops.statusOauthSubjects }}
-            - name: STATUS_OAUTH2_SUBJECTS.{{ $index }}
-              value: "{{ $oauthSubject }}"
-            {{- end }}
             - name: WS_SUBSCRIBER_BACKPRESSURE
               value: "{{ .Values.gateway.config.websocket.subscriber.backpressureQueueSize }}"
             - name: WS_PUBLISHER_BACKPRESSURE
diff --git a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/EndpointTestBase.java b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/EndpointTestBase.java
@@ -72,6 +72,7 @@
 import org.eclipse.ditto.internal.utils.cache.config.CacheConfig;
 import org.eclipse.ditto.internal.utils.cache.config.DefaultCacheConfig;
 import org.eclipse.ditto.internal.utils.config.DefaultScopedConfig;
+import org.eclipse.ditto.internal.utils.config.ScopedConfig;
 import org.eclipse.ditto.internal.utils.health.StatusInfo;
 import org.eclipse.ditto.internal.utils.health.cluster.ClusterStatus;
 import org.eclipse.ditto.internal.utils.http.DefaultHttpClientFacade;
@@ -127,9 +128,10 @@ public abstract class EndpointTestBase extends JUnitRouteTest {
 
     @BeforeClass
     public static void initTestFixture() {
-        final var dittoScopedConfig = DefaultScopedConfig.dittoScoped(createTestConfig());
+        final Config testConfig = createTestConfig();
+        final var dittoScopedConfig = DefaultScopedConfig.dittoScoped(testConfig);
         final var gatewayScopedConfig = DefaultScopedConfig.newInstance(dittoScopedConfig, "gateway");
-        final var actorSystem = ActorSystem.create(EndpointTestBase.class.getSimpleName(), createTestConfig());
+        final var actorSystem = ActorSystem.create(EndpointTestBase.class.getSimpleName(), testConfig);
         httpConfig = GatewayHttpConfig.of(gatewayScopedConfig);
         healthCheckConfig = DefaultHealthCheckConfig.of(gatewayScopedConfig);
         commandConfig = DefaultCommandConfig.of(gatewayScopedConfig);
@@ -144,7 +146,8 @@ public static void initTestFixture() {
         httpClientFacade =
                 DefaultHttpClientFacade.getInstance(actorSystem,
                         DefaultHttpProxyConfig.ofProxy(DefaultScopedConfig.empty("/")));
-        authorizationSubjectsProvider = JwtAuthorizationSubjectsProvider.get(actorSystem, ConfigFactory.empty());
+        authorizationSubjectsProvider = JwtAuthorizationSubjectsProvider.get(actorSystem,
+                ScopedConfig.dittoExtension(testConfig));
         jwtAuthenticationFactory = JwtAuthenticationFactory.newInstance(authConfig.getOAuthConfig(),
                 cacheConfig,
                 httpClientFacade,
diff --git a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/RootRouteTest.java b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/RootRouteTest.java
@@ -24,6 +24,14 @@
 import java.util.stream.Collectors;
 import java.util.stream.IntStream;
 
+import org.apache.pekko.actor.ActorSystem;
+import org.apache.pekko.http.javadsl.model.HttpRequest;
+import org.apache.pekko.http.javadsl.model.StatusCodes;
+import org.apache.pekko.http.javadsl.model.headers.Location;
+import org.apache.pekko.http.javadsl.model.headers.RawHeader;
+import org.apache.pekko.http.javadsl.testkit.TestRoute;
+import org.apache.pekko.http.javadsl.testkit.TestRouteResult;
+import org.apache.pekko.stream.SystemMaterializer;
 import org.eclipse.ditto.base.model.headers.DittoHeaderDefinition;
 import org.eclipse.ditto.base.model.headers.DittoHeaders;
 import org.eclipse.ditto.base.model.json.JsonSchemaVersion;
@@ -70,15 +78,6 @@
 
 import com.typesafe.config.ConfigFactory;
 
-import org.apache.pekko.actor.ActorSystem;
-import org.apache.pekko.http.javadsl.model.HttpRequest;
-import org.apache.pekko.http.javadsl.model.StatusCodes;
-import org.apache.pekko.http.javadsl.model.headers.Location;
-import org.apache.pekko.http.javadsl.model.headers.RawHeader;
-import org.apache.pekko.http.javadsl.testkit.TestRoute;
-import org.apache.pekko.http.javadsl.testkit.TestRouteResult;
-import org.apache.pekko.stream.SystemMaterializer;
-
 /**
  * Tests {@link RootRoute}.
  */
@@ -137,12 +136,12 @@ public void setUp() {
         final var statusAndHealthProvider = DittoStatusAndHealthProviderFactory.of(routeBaseProperties.getActorSystem(),
                 clusterStatusSupplier,
                 healthCheckConfig);
+        final var dittoExtensionConfig =
+                ScopedConfig.dittoExtension(routeBaseProperties.getActorSystem().settings().config());
         final var devopsAuthenticationDirectiveFactory =
                 DevopsAuthenticationDirectiveFactory.newInstance(jwtAuthenticationFactory,
-                        authConfig.getDevOpsConfig());
+                        authConfig.getDevOpsConfig(), dittoExtensionConfig);
         final var devOpsAuthenticationDirective = devopsAuthenticationDirectiveFactory.devops();
-        final var dittoExtensionConfig =
-                ScopedConfig.dittoExtension(routeBaseProperties.getActorSystem().settings().config());
         final var rootRoute = RootRoute.getBuilder(httpConfig)
                 .statsRoute(new StatsRoute(routeBaseProperties, devOpsAuthenticationDirective))
                 .statusRoute(new StatusRoute(clusterStatusSupplier,
diff --git a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/devops/DevOpsRouteTest.java b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/devops/DevOpsRouteTest.java
@@ -14,28 +14,29 @@
 package org.eclipse.ditto.gateway.service.endpoints.routes.devops;
 
 import java.util.Collections;
+import java.util.UUID;
 
+import org.apache.pekko.http.javadsl.model.ContentTypes;
+import org.apache.pekko.http.javadsl.model.HttpEntities;
+import org.apache.pekko.http.javadsl.model.HttpRequest;
+import org.apache.pekko.http.javadsl.model.RequestEntity;
+import org.apache.pekko.http.javadsl.model.StatusCodes;
+import org.apache.pekko.http.javadsl.server.Route;
+import org.apache.pekko.http.javadsl.testkit.TestRoute;
 import org.eclipse.ditto.base.api.devops.signals.commands.ExecutePiggybackCommand;
 import org.eclipse.ditto.base.model.headers.DittoHeaders;
 import org.eclipse.ditto.gateway.service.endpoints.EndpointTestBase;
 import org.eclipse.ditto.gateway.service.endpoints.directives.auth.DevopsAuthenticationDirectiveFactory;
 import org.eclipse.ditto.gateway.service.util.config.security.DefaultDevOpsConfig;
 import org.eclipse.ditto.gateway.service.util.config.security.DevOpsConfig;
+import org.eclipse.ditto.internal.utils.config.ScopedConfig;
 import org.eclipse.ditto.things.model.ThingId;
 import org.eclipse.ditto.things.model.signals.commands.query.RetrieveThing;
 import org.junit.Before;
 import org.junit.Test;
 
 import com.typesafe.config.ConfigFactory;
 
-import org.apache.pekko.http.javadsl.model.ContentTypes;
-import org.apache.pekko.http.javadsl.model.HttpEntities;
-import org.apache.pekko.http.javadsl.model.HttpRequest;
-import org.apache.pekko.http.javadsl.model.RequestEntity;
-import org.apache.pekko.http.javadsl.model.StatusCodes;
-import org.apache.pekko.http.javadsl.server.Route;
-import org.apache.pekko.http.javadsl.testkit.TestRoute;
-
 /**
  * Unit test for {@link DevOpsRoute}.
  */
@@ -47,11 +48,14 @@ public final class DevOpsRouteTest extends EndpointTestBase {
 
     @Before
     public void setUp() {
+        final var dittoExtensionConfig =
+                ScopedConfig.dittoExtension(routeBaseProperties.getActorSystem().settings().config());
         final var devopsAuthenticationDirectiveFactory =
-                DevopsAuthenticationDirectiveFactory.newInstance(jwtAuthenticationFactory, getInsecureDevopsConfig());
+                DevopsAuthenticationDirectiveFactory.newInstance(jwtAuthenticationFactory, getInsecureDevopsConfig(),
+                        dittoExtensionConfig);
         final var authenticationDirective = devopsAuthenticationDirectiveFactory.devops();
         devOpsRoute = new DevOpsRoute(routeBaseProperties, authenticationDirective);
-        final Route route = extractRequestContext(ctx -> devOpsRoute.buildDevOpsRoute(ctx, Collections.emptyMap()));
+        final Route route = extractRequestContext(ctx -> devOpsRoute.buildDevOpsRoute(ctx, UUID.randomUUID().toString(), Collections.emptyMap()));
         underTest = testRoute(route);
     }
 
diff --git a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/status/OverallStatusRouteTest.java b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/endpoints/routes/status/OverallStatusRouteTest.java
@@ -28,6 +28,7 @@
 import org.eclipse.ditto.gateway.service.health.DittoStatusAndHealthProviderFactory;
 import org.eclipse.ditto.gateway.service.health.StatusAndHealthProvider;
 import org.eclipse.ditto.gateway.service.util.config.security.DevOpsConfig;
+import org.eclipse.ditto.internal.utils.config.ScopedConfig;
 import org.eclipse.ditto.internal.utils.health.cluster.ClusterStatus;
 import org.junit.Before;
 import org.junit.Test;
@@ -49,16 +50,19 @@ public final class OverallStatusRouteTest extends EndpointTestBase {
 
     @Before
     public void setUp() {
+        final var dittoExtensionConfig =
+                ScopedConfig.dittoExtension(routeBaseProperties.getActorSystem().settings().config());
         final Supplier<ClusterStatus> clusterStateSupplier = createClusterStatusSupplierMock();
         final StatusAndHealthProvider statusHealthProvider =
                 DittoStatusAndHealthProviderFactory.of(system(), clusterStateSupplier, healthCheckConfig);
         final DevOpsConfig devOpsConfig = authConfig.getDevOpsConfig();
         final DevopsAuthenticationDirectiveFactory devopsAuthenticationDirectiveFactory =
-                DevopsAuthenticationDirectiveFactory.newInstance(jwtAuthenticationFactory, devOpsConfig);
+                DevopsAuthenticationDirectiveFactory.newInstance(jwtAuthenticationFactory, devOpsConfig,
+                        dittoExtensionConfig);
         final DevopsAuthenticationDirective authenticationDirective = devopsAuthenticationDirectiveFactory.status();
         final OverallStatusRoute statusRoute =
                 new OverallStatusRoute(clusterStateSupplier, statusHealthProvider, authenticationDirective);
-        statusTestRoute = testRoute(statusRoute.buildOverallStatusRoute(correlationId));
+        statusTestRoute = testRoute(statusRoute.buildOverallStatusRoute("correlationId"));
     }
 
     @Test
diff --git a/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/security/authentication/jwt/DefaultJwtAuthenticationResultProviderTest.java b/gateway/service/src/test/java/org/eclipse/ditto/gateway/service/security/authentication/jwt/DefaultJwtAuthenticationResultProviderTest.java
@@ -50,7 +50,7 @@ public void assertImmutability() {
     @Test
     public void getAuthorizationContext() {
         final JwtAuthenticationResultProvider underTest =
-                JwtAuthenticationResultProvider.get(ACTOR_SYSTEM, ConfigFactory.empty(), "regular");
+                JwtAuthenticationResultProvider.get(ACTOR_SYSTEM, ConfigFactory.empty(), null);
         final JsonWebToken jsonWebToken = ImmutableJsonWebToken.fromToken(JwtTestConstants.VALID_JWT_TOKEN);
         final AuthorizationSubject myTestSubj = AuthorizationSubject.newInstance("example:myTestSubj");
 
diff --git a/gateway/service/src/test/resources/test.conf b/gateway/service/src/test/resources/test.conf
@@ -133,14 +133,34 @@ ditto {
   extensions {
     jwt-authorization-subjects-provider = {
       extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DittoJwtAuthorizationSubjectsProvider
+      extension-config = {
+        role = regular
+      }
     }
     # The provider for JSON Web Token authentication results
     jwt-authentication-result-provider = {
       extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DefaultJwtAuthenticationResultProvider
       # The provider for JSON Web Token authorization subjects
       extension-config = {
+        role = regular
+        jwt-authorization-subjects-provider = {
+          extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DittoJwtAuthorizationSubjectsProvider
+          extension-config = {
+            role = regular
+          }
+        }
+      }
+    }
+    jwt-authentication-result-provider-devops = {
+      extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DefaultJwtAuthenticationResultProvider
+      # The provider for JSON Web Token authorization subjects
+      extension-config = {
+        role = devops
         jwt-authorization-subjects-provider = {
           extension-class = org.eclipse.ditto.gateway.service.security.authentication.jwt.DittoJwtAuthorizationSubjectsProvider
+          extension-config = {
+            role = devops
+          }
         }
       }
     }
