From 1515edb4f013452576479d666701032adc2953be Mon Sep 17 00:00:00 2001
From: Pavel Kotelevsky <38818382+chillleader@users.noreply.github.com>
Date: Fri, 10 Mar 2023 13:09:55 +0100
Subject: [PATCH] feat(bundle-saas): support m2m authentication in SaaS (#345)

---
 bundle/mvn/camunda-saas-bundle/pom.xml | 4 +
 .../runtime/security/AudienceValidator.java | 39 ++++++++++
 .../security/SecurityConfiguration.java | 75 +++++++++++++++++++
 .../src/main/resources/application.properties | 4 +-
 pom.xml | 16 +++-
 5 files changed, 135 insertions(+), 3 deletions(-)
 create mode 100644 bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/AudienceValidator.java
 create mode 100644 bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/SecurityConfiguration.java

diff --git a/bundle/mvn/camunda-saas-bundle/pom.xml b/bundle/mvn/camunda-saas-bundle/pom.xml
index b2696db1f2..3accc637f8 100644
--- a/bundle/mvn/camunda-saas-bundle/pom.xml
+++ b/bundle/mvn/camunda-saas-bundle/pom.xml
@@ -16,6 +16,10 @@ connector-runtime-bundle ${project.version} + + org.springframework.boot + spring-boot-starter-oauth2-resource-server + io.camunda.connector connector-gcp-security-manager
diff --git a/bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/AudienceValidator.java b/bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/AudienceValidator.java
new file mode 100644
index 0000000000..7425ba9220
--- /dev/null
+++ b/bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/AudienceValidator.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright Camunda Services GmbH and/or licensed to Camunda Services GmbH
+ * under one or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership. Camunda licenses this file to you under the Apache License,
+ * Version 2.0; you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.camunda.connector.runtime.security;
+
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
+import org.springframework.security.oauth2.jwt.Jwt;
+
+public class AudienceValidator implements OAuth2TokenValidator {
+ private final String audience;
+
+ AudienceValidator(String audience) {
+ this.audience = audience;
+ }
+
+ public OAuth2TokenValidatorResult validate(Jwt jwt) {
+ OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);
+
+ if (jwt.getAudience().contains(audience)) {
+ return OAuth2TokenValidatorResult.success();
+ }
+ return OAuth2TokenValidatorResult.failure(error);
+ }
+}
diff --git a/bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/SecurityConfiguration.java b/bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/SecurityConfiguration.java
new file mode 100644
index 0000000000..b42be7f4ee
--- /dev/null
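Review bot: `jwt.getAudience().contains(audience)` in validate() dereferences the audience list without a null check; as far as I can tell Spring Security's Jwt.getAudience() (getClaimAsStringList under the hood) returns null when the token carries no `aud` claim, so such a token raises a NullPointerException inside the decoder instead of the "invalid_token" failure this class exists to return. Guard it with `List<String> aud = jwt.getAudience();` followed by `if (aud != null && aud.contains(audience)) {` (needs `java.util.List`), which keeps a token without any audience on the rejection path. The constructor could also fail fast with `this.audience = Objects.requireNonNull(audience, "audience");` so a missing configuration value is reported at wiring time rather than as every token being rejected. Two style points: `validate` should carry `@Override`, and the class merits a one-line Javadoc stating that it accepts a token only when its `aud` claim lists the configured audience.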
+++ b/bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/SecurityConfiguration.java 
@@ -0,0 +1,75 @@
+/*
+ * Copyright Camunda Services GmbH and/or licensed to Camunda Services GmbH
+ * under one or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership. Camunda licenses this file to you under the Apache License,
+ * Version 2.0; you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.camunda.connector.runtime.security;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.JwtDecoders;
+import org.springframework.security.oauth2.jwt.JwtValidators;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.web.SecurityFilterChain;
+
+@EnableWebSecurity
+@Configuration
+public class SecurityConfiguration {
+
+ @Value("${camunda.connector.auth.audience}")
+ private String audience;
+
+ @Value("${camunda.connector.auth.issuer}")
+ private String issuer;
+
+ @Bean
+ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+ http.csrf()
+ .disable()
+ .authorizeRequests()
+ .antMatchers(HttpMethod.POST, "/inbound/**")
+ .permitAll()
+ .antMatchers("/actuator/**")
+ .permitAll()
+ .antMatchers("/inbound")
+ .hasAuthority("SCOPE_inbound:read")
+ .anyRequest()
+ .authenticated()
+ .and()
+ .oauth2ResourceServer()
+ .jwt();
+ return http.build();
+ }
+
+ @Bean
+ JwtDecoder jwtDecoder() {
+ NimbusJwtDecoder jwtDecoder = JwtDecoders.fromOidcIssuerLocation(issuer);
+
+ OAuth2TokenValidator audienceValidator = new AudienceValidator(audience);
+ OAuth2TokenValidator withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
+ OAuth2TokenValidator withAudience =
+ new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);
+
+ jwtDecoder.setJwtValidator(withAudience);
+ return jwtDecoder;
+ }
+}
diff --git a/bundle/mvn/camunda-saas-bundle/src/main/resources/application.properties b/bundle/mvn/camunda-saas-bundle/src/main/resources/application.properties
index 7fa68d8202..80805cf603 100644
--- a/bundle/mvn/camunda-saas-bundle/src/main/resources/application.properties
+++ b/bundle/mvn/camunda-saas-bundle/src/main/resources/application.properties
@@ -10,7 +10,9 @@ camunda.connector.polling.enabled=true camunda.connector.polling.interval=5000 camunda.connector.secrets.cache.millis=5000 camunda.connector.webhook.enabled=true -#spring.main.web-application-type=none + +camunda.connector.auth.audience=connectors.dev.ultrawombat.com +camunda.connector.auth.issuer=https://weblogin.cloud.dev.ultrawombat.com/ # Enforce local connection, even if cluster-id set (for Operate Auth) zeebe.client.connection-mode=ADDRESS \ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 523ff910df..444df41ec2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@ io.camunda.connector connector-parent - 0.6.0 + 0.7.0-alpha3
@@ -19,7 +19,7 @@ 2022 - 8.1.17 + 8.2.0-alpha1 2.7.9 3.4.6
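Review bot: `.antMatchers("/actuator/**").permitAll()` in filterChain() opens every actuator endpoint to unauthenticated callers while the rest of the chain insists on a validated JWT; what that exposes depends on `management.endpoints.web.exposure.include`, which this change does not touch, so any endpoint beyond health that is (or later becomes) exposed — env, configprops, loggers, heapdump — is readable without a token. Narrow the anonymous allowance to the probes the platform actually needs, e.g. `.antMatchers("/actuator/health/**").permitAll()`, and let `anyRequest().authenticated()` cover the remainder. Related: Spring's ant matching treats `/inbound/**` as also matching `/inbound` itself, so a POST to the bare `/inbound` path is permitted while a GET there requires `SCOPE_inbound:read`; if that split is intentional, a one-line comment on the POST matcher (`// unauthenticated webhook deliveries; reads below need the inbound:read scope`) would spare the next reader the check. A Javadoc on jwtDecoder() noting that the audience validator is chained in because `createDefaultWithIssuer` only covers issuer and timestamp validation would document the one non-default piece of this configuration.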
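Review bot: The new `camunda.connector.auth.audience` and `camunda.connector.auth.issuer` entries bake a dev-environment tenant (`connectors.dev.ultrawombat.com`, `https://weblogin.cloud.dev.ultrawombat.com/`) into the bundle's shipped defaults. Because SecurityConfiguration in this same patch injects both with a plain `@Value("${...}")` and no fallback, an unset property previously failed startup; with these defaults in place a deployment that forgets to override them boots normally and accepts tokens minted by the dev issuer. Prefer leaving the keys documented but unset so the missing value is caught at boot, or move the dev values into a profile-specific file (Spring Boot's `application-{profile}.properties` convention) that is not active by default. If the SaaS deployment always supplies these through the environment the exposure is limited to local and test runs, but the fail-closed default costs nothing.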
@@ -222,6 +222,18 @@ Connectors Snapshot Repository https://artifacts.camunda.com/artifactory/connectors-snapshots/ + + + + false + + + true + + zeebe-snapshots + Zeebe Snapshot Repository + https://artifacts.camunda.com/artifactory/zeebe-io-snapshots/ +