feat(bundle-saas): support m2m authentication in SaaS (#345)

camunda · Mar 10, 2023 · 1515edb · 1515edb
1 parent d829925
commit 1515edb
Show file tree

Hide file tree

Showing 5 changed files with 135 additions and 3 deletions.
diff --git a/bundle/mvn/camunda-saas-bundle/pom.xml b/bundle/mvn/camunda-saas-bundle/pom.xml
@@ -16,6 +16,10 @@
       <artifactId>connector-runtime-bundle</artifactId>
       <version>${project.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+    </dependency>
     <dependency>
       <groupId>io.camunda.connector</groupId>
       <artifactId>connector-gcp-security-manager</artifactId>

diff --git a/...da-saas-bundle/src/main/java/io/camunda/connector/runtime/security/AudienceValidator.java b/...da-saas-bundle/src/main/java/io/camunda/connector/runtime/security/AudienceValidator.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright Camunda Services GmbH and/or licensed to Camunda Services GmbH
+ * under one or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership. Camunda licenses this file to you under the Apache License,
+ * Version 2.0; you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.camunda.connector.runtime.security;
+
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
+import org.springframework.security.oauth2.jwt.Jwt;
+
+public class AudienceValidator implements OAuth2TokenValidator<Jwt> {
+  private final String audience;
+
+  AudienceValidator(String audience) {
+    this.audience = audience;
+  }
+
+  public OAuth2TokenValidatorResult validate(Jwt jwt) {
+    OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);
+
+    if (jwt.getAudience().contains(audience)) {
+      return OAuth2TokenValidatorResult.success();
+    }
+    return OAuth2TokenValidatorResult.failure(error);
+  }
+}
diff --git a/...aas-bundle/src/main/java/io/camunda/connector/runtime/security/SecurityConfiguration.java b/...aas-bundle/src/main/java/io/camunda/connector/runtime/security/SecurityConfiguration.java
@@ -0,0 +1,75 @@
+/*
+ * Copyright Camunda Services GmbH and/or licensed to Camunda Services GmbH
+ * under one or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership. Camunda licenses this file to you under the Apache License,
+ * Version 2.0; you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.camunda.connector.runtime.security;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.JwtDecoders;
+import org.springframework.security.oauth2.jwt.JwtValidators;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.web.SecurityFilterChain;
+
+@EnableWebSecurity
+@Configuration
+public class SecurityConfiguration {
+
+  @Value("${camunda.connector.auth.audience}")
+  private String audience;
+
+  @Value("${camunda.connector.auth.issuer}")
+  private String issuer;
+
+  @Bean
+  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    http.csrf()
+        .disable()
+        .authorizeRequests()
+        .antMatchers(HttpMethod.POST, "/inbound/**")
+        .permitAll()
+        .antMatchers("/actuator/**")
+        .permitAll()
+        .antMatchers("/inbound")
+        .hasAuthority("SCOPE_inbound:read")
+        .anyRequest()
+        .authenticated()
+        .and()
+        .oauth2ResourceServer()
+        .jwt();
+    return http.build();
+  }
+
+  @Bean
+  JwtDecoder jwtDecoder() {
+    NimbusJwtDecoder jwtDecoder = JwtDecoders.fromOidcIssuerLocation(issuer);
+
+    OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
+    OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
+    OAuth2TokenValidator<Jwt> withAudience =
+        new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);
+
+    jwtDecoder.setJwtValidator(withAudience);
+    return jwtDecoder;
+  }
+}
diff --git a/bundle/mvn/camunda-saas-bundle/src/main/resources/application.properties b/bundle/mvn/camunda-saas-bundle/src/main/resources/application.properties
@@ -10,7 +10,9 @@ camunda.connector.polling.enabled=true
 camunda.connector.polling.interval=5000
 camunda.connector.secrets.cache.millis=5000
 camunda.connector.webhook.enabled=true
-#spring.main.web-application-type=none
+
+camunda.connector.auth.audience=connectors.dev.ultrawombat.com
+camunda.connector.auth.issuer=https://weblogin.cloud.dev.ultrawombat.com/
 
 # Enforce local connection, even if cluster-id set (for Operate Auth)
 zeebe.client.connection-mode=ADDRESS
diff --git a/pom.xml b/pom.xml
@@ -6,7 +6,7 @@
   <parent>
     <groupId>io.camunda.connector</groupId>
     <artifactId>connector-parent</artifactId>
-    <version>0.6.0</version>
+    <version>0.7.0-alpha3</version>
     <relativePath/>
   </parent>
 
@@ -19,7 +19,7 @@
   <inceptionYear>2022</inceptionYear>
 
   <properties>
-    <version.spring-zeebe>8.1.17</version.spring-zeebe>
+    <version.spring-zeebe>8.2.0-alpha1</version.spring-zeebe>
 
     <version.spring-boot>2.7.9</version.spring-boot>
     <version.spring-cloud-gcp-starter-logging>3.4.6</version.spring-cloud-gcp-starter-logging>
@@ -222,6 +222,18 @@
       <name>Connectors Snapshot Repository</name>
       <url>https://artifacts.camunda.com/artifactory/connectors-snapshots/</url>
     </repository>
+
+    <repository>
+      <releases>
+        <enabled>false</enabled>
+      </releases>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <id>zeebe-snapshots</id>
+      <name>Zeebe Snapshot Repository</name>
+      <url>https://artifacts.camunda.com/artifactory/zeebe-io-snapshots/</url>
+    </repository>
   </repositories>
 
 </project>