Merge pull request #80 from swisscom/feature/44097-replace-msal4j-with-nimbus-oauth2-sdk

#44097 removed msal4j and replace with nimbus oauth2 sdk; this allowe…

Author: rsteppac

README.md

@@ -140,13 +140,7 @@ The following environment variables can be set (to override their `dev` profile
 
 The application JRE has to be started with the following system properties:
 
-* `-Djdk.net.hosts.file=cdr-client-service/src/test/resources/msal4j_hosts`
-* `-Djavax.net.ssl.trustStore=cdr-client-service/src/test/resources/caddy_truststore.p12`
-* `-Djavax.net.ssl.trustStorePassword=changeit`
-
-The first property sets a custom hosts file to resolve external servers that MSAL4J has hardcoded as valid IdPs and
-redirect them to `localhost`. The other properties are used to make the JRE trust the SSL certificate presented by the  
-[caddy proxy](https://caddyserver.com/) server that we use to impersonate those servers.
+* currently none
 
 ### Hydraulic Conveyor
 

cdr-client-common/src/main/kotlin/com/swisscom/health/des/cdr/client/common/DTOs.kt

@@ -137,6 +137,9 @@ class DTOs {
             DISABLED(true),
             ERROR(true),
             BROKEN(true),
+            AUTHN_DENIED(true),
+            AUTHN_COMMUNICATION_ERROR(true),
+            AUTHN_UNKNOWN_ERROR(true),
             OFFLINE(false);
 
             val isOfflineCategory: Boolean
@@ -190,7 +193,7 @@ class DTOs {
                 cdrApi = Endpoint.EMPTY,
                 filesInProgressCacheSize = EMPTY_STRING,
                 idpCredentials = IdpCredentials.EMPTY,
-                idpEndpoint = URI("http://localhost:8080").toURL(),
+                idpEndpoint = URI("http://localhost").toURL(),
                 localFolder = EMPTY_STRING,
                 pullThreadPoolSize = 0,
                 pushThreadPoolSize = 0,

cdr-client-service/build.gradle.kts

@@ -29,16 +29,6 @@ idea {
     }
 }
 
-tasks.bootRun {
-    environment["JDK_JAVA_OPTIONS"] =
-        listOfNotNull(
-            environment["JDK_JAVA_OPTIONS"],
-            "-Djavax.net.ssl.trustStore=src/test/resources/caddy_truststore.p12",
-            "-Djavax.net.ssl.trustStorePassword=changeit",
-            "-Djdk.net.hosts.file=src/test/resources/msal4j_hosts"
-        ).joinToString(" ")
-}
-
 application {
     mainClass = "com.swisscom.health.des.cdr.client.CdrClientApplicationKt"
 }
@@ -63,7 +53,7 @@ dependencies {
     implementation(platform(libs.spring.boot.dependencies))
     implementation(platform(libs.spring.cloud.dependencies))
     implementation(libs.kache)
-    implementation(libs.msal4j)
+    implementation(libs.nimbusOAuth2Sdk)
     implementation(libs.okhttp)
     implementation(libs.kfswatch)
     implementation(libs.kotlin.logging)
@@ -100,8 +90,7 @@ dependencies {
 }
 
 configurations.configureEach {
-    // exclude globally so I don't have to explicitly exclude it from mockk and all of its transitive dependencies
-    exclude(module = "junit", group = "junit")
+    exclude(group = "junit", module = "junit")
 }
 
 kapt {
@@ -173,11 +162,6 @@ tasks.withType<Test> {
         includeEngines("junit-jupiter")
     }
     finalizedBy(jacocoTestReport)
-
-    jvmArgs(
-        // tests_hosts is used to redirect msal4j, which insists on talking to the Mothership, to our docker compose setup
-        "-Djdk.net.hosts.file=${layout.projectDirectory.file("src/test/resources/test_hosts").asFile.absolutePath}"
-    )
 }
 
 jacoco {
@@ -252,13 +236,6 @@ tasks.register<Test>("integrationTest") {
     useJUnitPlatform {
         includeTags(Constants.INTEGRATION_TEST_TAG)
     }
-    environment["JDK_JAVA_OPTIONS"] =
-        listOfNotNull(
-            environment["JDK_JAVA_OPTIONS"],
-            "-Djavax.net.ssl.trustStore=src/test/resources/caddy_truststore.p12",
-            "-Djavax.net.ssl.trustStorePassword=changeit",
-            "-Djdk.net.hosts.file=src/test/resources/msal4j_hosts"
-        ).joinToString(" ")
     shouldRunAfter(tasks.test)
     // Ensure latest images get pulled
     dependsOn(tasks.composePull)

cdr-client-service/src/main/kotlin/com/swisscom/health/des/cdr/client/config/CdrClientContext.kt

@@ -3,11 +3,7 @@ package com.swisscom.health.des.cdr.client.config
 import com.mayakapps.kache.InMemoryKache
 import com.mayakapps.kache.KacheStrategy
 import com.mayakapps.kache.ObjectKache
-import com.microsoft.aad.msal4j.ClientCredentialFactory
-import com.microsoft.aad.msal4j.ClientCredentialParameters
-import com.microsoft.aad.msal4j.ConfidentialClientApplication
-import com.microsoft.aad.msal4j.IConfidentialClientApplication
-import com.swisscom.health.des.cdr.client.common.Constants.EMPTY_STRING
+import com.swisscom.health.des.cdr.client.config.OAuth2AuthNService.AuthNResponse
 import io.github.oshai.kotlinlogging.KotlinLogging
 import kotlinx.coroutines.CoroutineDispatcher
 import kotlinx.coroutines.Dispatchers
@@ -46,11 +42,35 @@ internal class CdrClientContext {
     @Bean
     fun okHttpClient(
         builder: OkHttpClient.Builder,
+        oAuth2AuthNService: OAuth2AuthNService,
         @Value($$"${client.connection-timeout-ms}") timeout: Long,
         @Value($$"${client.read-timeout-ms}") readTimeout: Long
     ): OkHttpClient =
         builder
             .connectTimeout(timeout, TimeUnit.MILLISECONDS).readTimeout(readTimeout, TimeUnit.MILLISECONDS)
+            .addInterceptor { chain ->
+                oAuth2AuthNService.getAccessToken()
+                    .let { authNResponse ->
+                        when (authNResponse) {
+                            is AuthNResponse.Success -> {
+                                chain
+                                    .request()
+                                    .newBuilder()
+                                    .run {
+                                        header("Authorization", "Bearer ${authNResponse.response.tokens.accessToken.value}")
+                                        build()
+                                    }.let { authenticatedRequest ->
+                                        chain.proceed(authenticatedRequest)
+                                    }
+                            }
+
+                            else -> chain.proceed(chain.request()) // unauthenticated call; will probably fail with 401/403
+                                .also { _ ->
+                                    logger.warn { "Authentication failed, proceeding unauthenticated; authentication response: '$authNResponse'" }
+                                }
+                        }
+                    }
+            }
             .addInterceptor { chain ->
                 val response: Response = chain.proceed(chain.request())
 
@@ -59,7 +79,7 @@ internal class CdrClientContext {
                     throw HttpServerErrorException(
                         message = "Received error status code '${response.code}'.",
                         statusCode = response.code,
-                        responseBody = response.body?.string() ?: EMPTY_STRING
+                        responseBody = response.body.string()
                     )
                 }
 
@@ -121,26 +141,6 @@ internal class CdrClientContext {
             }
         }
 
-    /**
-     * Creates and returns an instance of the MSAL4J client object through which we can obtain an OAuth2 token.
-     */
-    @Bean
-    fun confidentialClientApp(config: CdrClientConfig): IConfidentialClientApplication =
-        ConfidentialClientApplication.builder(
-            config.idpCredentials.clientId.id,
-            ClientCredentialFactory.createFromSecret(config.idpCredentials.clientSecret.value)
-        ).authority(config.idpEndpoint.toString())
-            // TODO: Implement application level retry of all remote calls and then comment in the line below
-            // .disableInternalRetries()
-            .build()
-
-    /**
-     * Creates and returns an instance of credentials to be used with the MSAL4J client to obtain an OAuth2 token.
-     */
-    @Bean
-    fun clientCredentialParams(config: CdrClientConfig): ClientCredentialParameters =
-        ClientCredentialParameters.builder(setOf(config.idpCredentials.scope.scope)).build()
-
     /**
      * Creates and returns a spring retry-template that retries on IOExceptions up to three times before bailing out.
      */
@@ -186,7 +186,13 @@ internal class CdrClientContext {
 
 }
 
-internal class HttpServerErrorException(message: String, val statusCode: Int, val responseBody: String) : RuntimeException(message)
+internal class HttpServerErrorException(message: String, val statusCode: Int, val responseBody: String) : RuntimeException(message, null, false, false) {
+    override fun toString(): String {
+        return "HttpServerErrorException(statusCode='$statusCode', responseBody='$responseBody', message='${message}')"
+    }
+}
+
+internal class WrongCredentialsException(message: String) : RuntimeException(message, null, false, false)
 
 sealed interface FileBusyTester {
     suspend fun isBusy(file: Path): Boolean

cdr-client-service/src/main/kotlin/com/swisscom/health/des/cdr/client/config/OAuth2AuthNService.kt

@@ -0,0 +1,133 @@
+package com.swisscom.health.des.cdr.client.config
+
+import com.nimbusds.oauth2.sdk.AccessTokenResponse
+import com.nimbusds.oauth2.sdk.AuthorizationGrant
+import com.nimbusds.oauth2.sdk.ClientCredentialsGrant
+import com.nimbusds.oauth2.sdk.Scope
+import com.nimbusds.oauth2.sdk.TokenRequest
+import com.nimbusds.oauth2.sdk.TokenResponse
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication
+import com.nimbusds.oauth2.sdk.auth.ClientSecretPost
+import com.nimbusds.oauth2.sdk.auth.Secret
+import com.nimbusds.oauth2.sdk.http.HTTPResponse
+import com.nimbusds.oauth2.sdk.id.ClientID
+import com.swisscom.health.des.cdr.client.config.OAuth2AuthNService.AuthNState.AUTHENTICATED
+import com.swisscom.health.des.cdr.client.config.OAuth2AuthNService.AuthNState.DENIED
+import com.swisscom.health.des.cdr.client.config.OAuth2AuthNService.AuthNState.RETRYABLE_FAILURE
+import com.swisscom.health.des.cdr.client.config.OAuth2AuthNService.AuthNState.UNAUTHENTICATED
+import org.springframework.retry.support.RetryTemplate
+import org.springframework.stereotype.Service
+import java.io.IOException
+import java.net.URI
+import java.net.URL
+import kotlin.time.Clock
+import kotlin.time.ExperimentalTime
+
+@Service
+internal class OAuth2AuthNService @OptIn(ExperimentalTime::class) constructor(
+    private val config: CdrClientConfig,
+    private val retryIoErrors: RetryTemplate,
+    private val clock: Clock = Clock.System,
+) {
+
+    private var accessTokenAuthNResponse: AuthNResponse = AuthNResponse.NotAuthenticated
+
+    internal enum class AuthNState {
+        AUTHENTICATED,
+        UNAUTHENTICATED,
+        RETRYABLE_FAILURE,
+        FAILED,
+        DENIED;
+    }
+
+    internal sealed interface AuthNResponse {
+        data class Success(val response: AccessTokenResponse) : AuthNResponse
+        data class Deny(val error: WrongCredentialsException) : AuthNResponse
+        data class RetryableFailure(val error: IOException) : AuthNResponse
+        data class Failed(val error: IllegalStateException) : AuthNResponse
+        object NotAuthenticated : AuthNResponse
+    }
+
+    @Synchronized
+    internal fun currentAuthNState(): AuthNState =
+        when (accessTokenAuthNResponse) {
+            is AuthNResponse.Success -> AUTHENTICATED
+            is AuthNResponse.RetryableFailure -> RETRYABLE_FAILURE
+            is AuthNResponse.Failed -> AuthNState.FAILED
+            is AuthNResponse.Deny -> DENIED
+            is AuthNResponse.NotAuthenticated -> UNAUTHENTICATED
+        }
+
+    @OptIn(ExperimentalTime::class)
+    // could be improved with more fine-grained locking to avoid blocking all threads while a valid token is available and no renewal is required;
+    // but we have only five threads for uploads, one for downloads (all of which are mostly waiting for IO), and one for the service status check,
+    // so lock contention should be minimal
+    @Synchronized
+    internal fun getAccessToken(): AuthNResponse =
+        when (val currentTokenResponse = accessTokenAuthNResponse) {
+            is AuthNResponse.NotAuthenticated, is AuthNResponse.RetryableFailure -> {
+                getNewAccessToken(config.idpCredentials, config.idpEndpoint)
+            }
+
+            is AuthNResponse.Deny, is AuthNResponse.Failed -> {
+                currentTokenResponse
+            }
+
+            is AuthNResponse.Success -> {
+                val expiresOn = currentTokenResponse.response.customParameters["expires_on"] as Long?
+                if (expiresOn == null || clock.now().epochSeconds > expiresOn) {
+                    getNewAccessToken(config.idpCredentials, config.idpEndpoint)
+                } else {
+                    currentTokenResponse
+                }
+            }
+        }.also {
+            accessTokenAuthNResponse = it
+        }
+
+    private fun getNewAccessToken(idpCredentials: IdpCredentials, idpEndpoint: URL): AuthNResponse {
+        val clientGrant: AuthorizationGrant = ClientCredentialsGrant()
+        val clientID = ClientID(idpCredentials.clientId.id)
+        val clientSecret = Secret(idpCredentials.clientSecret.value)
+        // `ClientSecretBasic` is another option; it works in production, but our mock IdP is not set up to get the client id from the Basic Auth header,
+        // instead we use the form parameter `client_id`
+        val clientAuth: ClientAuthentication = ClientSecretPost(clientID, clientSecret)
+        val scope = Scope(idpCredentials.scope.scope)
+        val tokenEndpoint: URI = idpEndpoint.toURI()
+        val request = TokenRequest(tokenEndpoint, clientAuth, clientGrant, scope)
+
+        val authNResponse: AuthNResponse =
+            runCatching {
+                retryIoErrors.execute<HTTPResponse, Throwable> { _ ->
+                    request.toHTTPRequest().send()
+                }.run { TokenResponse.parse(this) }
+            }.fold(
+                onSuccess = { httpResponse: TokenResponse ->
+                    if (httpResponse.indicatesSuccess()) {
+                        AuthNResponse.Success(httpResponse.toSuccessResponse())
+                    } else {
+                        AuthNResponse.Deny(
+                            WrongCredentialsException(
+                                "Failed to login; client id: '${idpCredentials.clientId}'; IdP endpoint: '$idpEndpoint'; message: '${
+                                    httpResponse.toErrorResponse().toJSONObject()
+                                }'"
+                            )
+                        )
+                    }
+                },
+                onFailure = { t ->
+                    when (t) {
+                        is IOException -> AuthNResponse.RetryableFailure(t)
+                        else -> AuthNResponse.Failed(
+                            IllegalStateException(
+                                "Failed to login; client id: '${idpCredentials.clientId}'; IdP endpoint: '$idpEndpoint'; root cause: '$t'",
+                                t,
+                            )
+                        )
+                    }
+                }
+            )
+
+        return authNResponse
+    }
+}