pagopa · LarissaASLeite · May 10, 2024 · May 7, 2024 · May 9, 2024 · May 9, 2024
@@ -20,4 +20,8 @@ COPY --from=buildtime /build/build/libs/*.jar /app/app.jar
 # The agent is enabled at runtime via JAVA_TOOL_OPTIONS.
 ADD https://github.com/microsoft/ApplicationInsights-Java/releases/download/3.5.2/applicationinsights-agent-3.5.2.jar /app/applicationinsights-agent.jar
 
-ENTRYPOINT ["sh", "-c", "java $JAVA_OPTS -jar /app/app.jar"]
+RUN chown -R nobody:nobody /app
+EXPOSE 8080
+USER 65534 # user nobody
+
+ENTRYPOINT ["java","-jar","/app/app.jar"]
@@ -50,17 +50,25 @@ dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-actuator'
 	implementation 'org.springframework.boot:spring-boot-starter-web'
 	implementation 'org.springframework.boot:spring-boot-starter-validation'
-
 	implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.5.0'
 	implementation 'org.codehaus.janino:janino:3.1.12'
 
-	//	Security fixes
+	// Security fixes
 	implementation 'org.yaml:snakeyaml:2.0'
 
+	// validation token jwt
+	implementation 'com.auth0:java-jwt:4.4.0'
+	implementation 'com.auth0:jwks-rsa:0.22.1'
+	implementation 'com.nimbusds:nimbus-jose-jwt:9.38-rc5'
+
+	// TESTS
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 	testImplementation 'org.junit.jupiter:junit-jupiter-api'
 	testImplementation 'org.junit.jupiter:junit-jupiter-engine'
 	testImplementation 'org.mockito:mockito-core'
+	testImplementation 'org.projectlombok:lombok'
+	testImplementation 'org.wiremock:wiremock-standalone:3.5.4'
+
 
 
 	compileOnly 'org.projectlombok:lombok:1.18.32'
@@ -69,12 +77,21 @@ dependencies {
 }
 
 
-tasks.named('test') {
+test {
 	useJUnitPlatform()
+	finalizedBy jacocoTestReport
+}
+
+jacocoTestReport {
+	dependsOn test
+	reports {
+		xml.required = true
+	}
 }
 
 processResources {
 	expand(project.properties)
+	exclude 'logback-spring.xml'
 }
 
 springBoot {

@@ -0,0 +1,6 @@
+dependencies:
+- name: microservice-chart
+  repository: https://pagopa.github.io/aks-microservice-chart-blueprint
+  version: 5.9.0
+digest: sha256:b614dd4be4c439e182fe5e7102e959fcda019413ddb2430be77c7a080bb13de1
+generated: "2024-05-08T12:16:12.9457229+02:00"
diff --git a/helm/charts/microservice-chart-5.9.0.tgz b/helm/charts/microservice-chart-5.9.0.tgz
@@ -29,7 +29,7 @@ microservice-chart:
 
   envConfig:
     ENV: "DEV"
-    JAVA_OPTS: "-Djava.util.concurrent.ForkJoinPool.common.parallelism=7 -agentlib:jdwp=transport=dt_socket,server=y,address=8001,suspend=n -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=3002 -Dcom.sun.management.jmxremote.rmi.port=3003 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
+    JAVA_TOOL_OPTIONS: "-Xms128m -Xmx4g -Djava.util.concurrent.ForkJoinPool.common.parallelism=7 -Dio.netty.eventLoopThreads=100 -javaagent:/app/applicationinsights-agent.jar -Dapplicationinsights.configuration.file=/mnt/file-config-external/appinsights-config/applicationinsights.json -agentlib:jdwp=transport=dt_socket,server=y,address=8001,suspend=n -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=3002 -Dcom.sun.management.jmxremote.rmi.port=3003 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
 
 
   keyvault:

@@ -29,7 +29,7 @@ microservice-chart:
 
   envConfig:
     ENV: "PROD"
-    JAVA_OPTS: "-Djava.util.concurrent.ForkJoinPool.common.parallelism=7 -agentlib:jdwp=transport=dt_socket,server=y,address=8001,suspend=n -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=3002 -Dcom.sun.management.jmxremote.rmi.port=3003 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
+    JAVA_TOOL_OPTIONS: "-Xms128m -Xmx4g -Djava.util.concurrent.ForkJoinPool.common.parallelism=7 -Dio.netty.eventLoopThreads=100 -javaagent:/app/applicationinsights-agent.jar -Dapplicationinsights.configuration.file=/mnt/file-config-external/appinsights-config/applicationinsights.json -agentlib:jdwp=transport=dt_socket,server=y,address=8001,suspend=n -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=3002 -Dcom.sun.management.jmxremote.rmi.port=3003 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
 
 
   keyvault:

@@ -29,7 +29,7 @@ microservice-chart:
 
   envConfig:
     ENV: "UAT"
-    JAVA_OPTS: "-Djava.util.concurrent.ForkJoinPool.common.parallelism=7 -agentlib:jdwp=transport=dt_socket,server=y,address=8001,suspend=n -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=3002 -Dcom.sun.management.jmxremote.rmi.port=3003 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
+    JAVA_TOOL_OPTIONS: "-Xms128m -Xmx4g -Djava.util.concurrent.ForkJoinPool.common.parallelism=7 -Dio.netty.eventLoopThreads=100 -javaagent:/app/applicationinsights-agent.jar -Dapplicationinsights.configuration.file=/mnt/file-config-external/appinsights-config/applicationinsights.json -agentlib:jdwp=transport=dt_socket,server=y,address=8001,suspend=n -Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=3002 -Dcom.sun.management.jmxremote.rmi.port=3003 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
 
 
   keyvault:

@@ -44,6 +44,9 @@ microservice-chart:
 
   securityContext:
     allowPrivilegeEscalation: false
+    runAsNonRoot: true
+    runAsUser: 65534
+    runAsGroup: 65534
 
   externalConfigMapFiles:
     create: true

@@ -0,0 +1,21 @@
+package it.gov.pagopa.payhub.auth.configuration;
+
+import it.gov.pagopa.payhub.auth.constants.AuthConstants;
+import it.gov.pagopa.payhub.common.web.dto.ErrorDTO;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class AuthErrorManagerConfig {
+  @Bean
+  ErrorDTO defaultErrorDTO() {
+    return new ErrorDTO(
+            AuthConstants.ExceptionCode.GENERIC_ERROR,
+            "A generic error occurred"
+    );
+  }
+  @Bean
+  ErrorDTO templateValidationErrorDTO(){
+    return new ErrorDTO(AuthConstants.ExceptionCode.INVALID_REQUEST, null);
+  }
+}
@@ -0,0 +1,27 @@
+package it.gov.pagopa.payhub.auth.configuration;
+
+import it.gov.pagopa.payhub.auth.exception.InvalidTokenException;
+import it.gov.pagopa.payhub.auth.exception.TokenExpiredException;
+import it.gov.pagopa.payhub.common.web.exception.ServiceException;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpStatus;
+
+import java.util.HashMap;
+import java.util.Map;
+
+@Configuration
+public class ServiceExceptionConfig {
+
+  @Bean
+  public Map<Class<? extends ServiceException>, HttpStatus> serviceExceptionMapper() {
+    Map<Class<? extends ServiceException>, HttpStatus> exceptionMap = new HashMap<>();
+
+    //Unauthorized
+    exceptionMap.put(TokenExpiredException.class, HttpStatus.UNAUTHORIZED);
+    exceptionMap.put(InvalidTokenException.class, HttpStatus.UNAUTHORIZED);
+
+    return exceptionMap;
+  }
+
+}
@@ -0,0 +1,14 @@
+package it.gov.pagopa.payhub.auth.constants;
+
+public class AuthConstants {
+    private AuthConstants() {}
+    public static final class ExceptionCode {
+
+        public static final String TOKEN_DATE_EXPIRED = "AUTH_TOKEN_EXPIRED_DATE";
+        public static final String GENERIC_ERROR = "AUTH_GENERIC_ERROR";
+        public static final String INVALID_REQUEST = "AUTH_INVALID_REQUEST";
+        public static final String INVALID_TOKEN = "AUTH_INVALID_TOKEN";
+
+        private ExceptionCode() {}
+    }
+}
@@ -0,0 +1,13 @@
+package it.gov.pagopa.payhub.auth.controller;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.*;
+
+@RestController
+@RequestMapping("/payhub")
+interface AuthController {
+
+    @PostMapping("/auth")
+    @ResponseStatus(code = HttpStatus.OK)
+    void authToken(@RequestParam String token);
+}
@@ -0,0 +1,19 @@
+package it.gov.pagopa.payhub.auth.controller;
+
+import it.gov.pagopa.payhub.auth.service.AuthService;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class AuthControllerImpl implements AuthController{
+
+    private final AuthService authService;
+
+    public AuthControllerImpl(AuthService authService) {
+        this.authService = authService;
+    }
+
+    @Override
+    public void authToken(String token) {
+        authService.authToken(token);
+    }
+}
@@ -0,0 +1,18 @@
+package it.gov.pagopa.payhub.auth.exception;
+
+import it.gov.pagopa.payhub.auth.constants.AuthConstants;
+import it.gov.pagopa.payhub.common.web.exception.ServiceException;
+
+public class InvalidTokenException extends ServiceException {
+    public InvalidTokenException(String message) {
+        this(AuthConstants.ExceptionCode.INVALID_TOKEN, message);
+    }
+
+    public InvalidTokenException(String code, String message) {
+        this(code, message, false, null);
+    }
+
+    public InvalidTokenException(String code, String message, boolean printStackTrace, Throwable ex) {
+        super(code, message,printStackTrace, ex);
+    }
+}
@@ -0,0 +1,18 @@
+package it.gov.pagopa.payhub.auth.exception;
+
+import it.gov.pagopa.payhub.auth.constants.AuthConstants;
+import it.gov.pagopa.payhub.common.web.exception.ServiceException;
+
+public class TokenExpiredException extends ServiceException {
+    public TokenExpiredException(String message) {
+        this(AuthConstants.ExceptionCode.TOKEN_DATE_EXPIRED, message);
+    }
+
+    public TokenExpiredException(String code, String message) {
+        this(code, message, false, null);
+    }
+
+    public TokenExpiredException(String code, String message, boolean printStackTrace, Throwable ex) {
+        super(code, message,printStackTrace, ex);
+    }
+}
@@ -0,0 +1,6 @@
+package it.gov.pagopa.payhub.auth.service;
+
+public interface AuthService {
+
+    void authToken(String token);
+}
@@ -0,0 +1,37 @@
+package it.gov.pagopa.payhub.auth.service;
+
+import it.gov.pagopa.payhub.auth.exception.InvalidTokenException;
+import it.gov.pagopa.payhub.auth.utils.JWTValidator;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Service;
+
+import java.util.Map;
+
+@Slf4j
+@Service
+public class AuthServiceImpl implements AuthService{
+    private final String audience;
+    private final String issuer;
+    private final String urlJwkProvider;
+    private final JWTValidator jwtValidator;
+
+    public AuthServiceImpl(@Value("${auth.token.audience:}")String audience,
+                           @Value("${auth.token.issuer:}")String issuer,
+                           @Value("${auth.token.jwk:}")String urlJwkProvider,
+                           JWTValidator jwtValidator) {
+        this.audience = audience;
+        this.issuer = issuer;
+        this.urlJwkProvider = urlJwkProvider;
+        this.jwtValidator = jwtValidator;
+    }
+
+    @Override
+    public void authToken(String token) {
+        Map<String, String> data = jwtValidator.validate(token, urlJwkProvider);
+        if (!(data.get("aud").equals(audience) && data.get("iss").equals(issuer))){
+            throw new InvalidTokenException("Invalid audience or issuer in the token");
+        }
+        log.info("Token validated successfully");
+    }
+}
@@ -0,0 +1,45 @@
+package it.gov.pagopa.payhub.auth.utils;
+
+import com.auth0.jwk.Jwk;
+import com.auth0.jwk.JwkException;
+import com.auth0.jwk.JwkProvider;
+import com.auth0.jwk.UrlJwkProvider;
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import it.gov.pagopa.payhub.auth.constants.AuthConstants;
+import it.gov.pagopa.payhub.auth.exception.InvalidTokenException;
+import it.gov.pagopa.payhub.auth.exception.TokenExpiredException;
+import org.springframework.stereotype.Component;
+
+import java.security.interfaces.RSAPublicKey;
+import java.util.HashMap;
+import java.util.Map;
+
+@Component
+public class JWTValidator {
+
+
+    public Map<String, String> validate(String token, String urlJwkProvider) {
+        try {
+            DecodedJWT jwt = JWT.decode(token);
+
+            JwkProvider provider = new UrlJwkProvider(urlJwkProvider);
+            Jwk jwk = provider.get(jwt.getKeyId());
+            Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);
+            JWTVerifier verifier = JWT.require(algorithm).build();
+            verifier.verify(token);
+
+            Map<String, String> claimsMap = new HashMap<>();
+            jwt.getClaims().forEach((key, value) -> claimsMap.put(key, value.asString()));
+            return claimsMap;
+
+        } catch (com.auth0.jwt.exceptions.TokenExpiredException e){
+            throw new TokenExpiredException(e.getMessage());
+        } catch (JwkException | JWTVerificationException ex) {
+            throw new InvalidTokenException(AuthConstants.ExceptionCode.INVALID_TOKEN, "The token is not valid", true, ex);
+        }
+    }
+}
@@ -0,0 +1,21 @@
+package it.gov.pagopa.payhub.common.web.dto;
+
+import com.fasterxml.jackson.annotation.JsonInclude;
+import jakarta.validation.constraints.NotBlank;
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.NoArgsConstructor;
+
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@AllArgsConstructor
+@NoArgsConstructor
+@Data
+@EqualsAndHashCode
+public class ErrorDTO {
+
+  @NotBlank
+  private String code;
+  @NotBlank
+  private String message;
+}