feat(bundle-saas): support m2m authentication in SaaS

bundle/mvn/camunda-saas-bundle/pom.xml

@@ -16,6 +16,10 @@
       <artifactId>connector-runtime-bundle</artifactId>
       <version>${project.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+    </dependency>
     <dependency>
       <groupId>io.camunda.connector</groupId>
       <artifactId>connector-gcp-security-manager</artifactId>

bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/AudienceValidator.java

@@ -0,0 +1,23 @@
+package io.camunda.connector.runtime.security;
+
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
+import org.springframework.security.oauth2.jwt.Jwt;
+
+public class AudienceValidator implements OAuth2TokenValidator<Jwt> {
+  private final String audience;
+
+  AudienceValidator(String audience) {
+    this.audience = audience;
+  }
+
+  public OAuth2TokenValidatorResult validate(Jwt jwt) {
+    OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);
+
+    if (jwt.getAudience().contains(audience)) {
+      return OAuth2TokenValidatorResult.success();
+    }
+    return OAuth2TokenValidatorResult.failure(error);
+  }
+}

bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/SecurityConfiguration.java

@@ -0,0 +1,57 @@
+package io.camunda.connector.runtime.security;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.JwtDecoders;
+import org.springframework.security.oauth2.jwt.JwtValidators;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.web.SecurityFilterChain;
+
+@EnableWebSecurity
+@Configuration
+public class SecurityConfiguration {
+
+  @Value("${camunda.connector.auth.audience}")
+  private String audience;
+
+  @Value("${camunda.connector.auth.issuer}")
+  private String issuer;
+
+  @Bean
+  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    http.csrf()
+        .disable()
+        .authorizeRequests()
+        .antMatchers(HttpMethod.POST, "/inbound/**")
+        .permitAll()
+        .antMatchers("/inbound")
+        .hasAuthority("SCOPE_inbound:read")
+        .anyRequest()
+        .authenticated()
+        .and()
+        .oauth2ResourceServer()
+        .jwt();
+    return http.build();
+  }
+
+  @Bean
+  JwtDecoder jwtDecoder() {
+    NimbusJwtDecoder jwtDecoder = JwtDecoders.fromOidcIssuerLocation(issuer);
+
+    OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
+    OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
+    OAuth2TokenValidator<Jwt> withAudience =
+        new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);
+
+    jwtDecoder.setJwtValidator(withAudience);
+    return jwtDecoder;
+  }
+}