Develop

.github/workflows/deploy.yaml

@@ -30,4 +30,4 @@ jobs:
         run: npm run --prefix website build-production
 
       - name: Maven package
-        run: mvn package -Ppublish-image -DdockerHub.username=${{secrets.DOCKER_USERNAME}} -DdockerHub.password=${{secrets.DOCKER_PASSWORD}}
+        run: mvn package -Ppublish-image -DskipTests -DdockerHub.username=${{secrets.DOCKER_USERNAME}} -DdockerHub.password=${{secrets.DOCKER_PASSWORD}}

SECURITY.md

@@ -0,0 +1,24 @@
+# Security Policy
+
+## How To Report a Vulnerability
+
+If you think you have found a vulnerability in this repository, please report it to us through coordinated disclosure.
+
+**Please do not report security vulnerabilities through public issues, discussions, or change requests.**
+
+Instead, report it using one of the following ways:
+
+* Contact the [Developer Team](mailto:[email protected]) via email
+
+Please include as much of the information listed below as you can to help us better understand and resolve the issue:
+
+* The type of issue (e.g., buffer overflow, SQL injection, or cross-site scripting)
+* Impact of the issue, including how an attacker might exploit the issue
+* Step-by-step instructions to reproduce the issue
+* The location of the affected source code (tag/branch/commit or direct URL)
+* Full paths of source file(s) related to the manifestation of the issue
+* Configuration required to reproduce the issue
+* Log files that are related to this issue (if possible)
+* Proof-of-concept or exploit code (if possible)
+
+This information will help us triage your report more quickly.

admin-service/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>com.michibaum</groupId>
 		<artifactId>microservice</artifactId>
-		<version>1.0.0-TEST-9</version>
+		<version>1.0.0</version>
 		<relativePath>../pom.xml</relativePath>
 	</parent>
 
@@ -72,13 +72,13 @@
 		<dependency>
 			<groupId>com.michibaum</groupId>
 			<artifactId>spring-boot-starter-discord</artifactId>
-			<version>1.0.0-TEST-9</version>
+			<version>1.0.0</version>
 		</dependency>
 
 		<dependency>
 			<groupId>com.michibaum</groupId>
 			<artifactId>authentication-library</artifactId>
-			<version>1.0.0-TEST-9</version>
+			<version>1.0.0</version>
 		</dependency>
 
 		<dependency>

admin-service/src/main/kotlin/com/michibaum/admin_service/security/AdminServiceCredentials.kt

@@ -4,6 +4,6 @@ import org.springframework.boot.context.properties.ConfigurationProperties
 
 @ConfigurationProperties(prefix = "spring.boot.admin.client")
 data class AdminServiceCredentials(
-    var username: String = "",
-    var password: String = ""
+    val username: String,
+    val password: String
 )

admin-service/src/main/kotlin/com/michibaum/admin_service/security/SecurityBeansConfiguration.kt

@@ -1,6 +1,8 @@
 package com.michibaum.admin_service.security
 
 import com.michibaum.authentication_library.AuthenticationClient
+import com.michibaum.authentication_library.public_endpoints.PublicEndpoint
+import com.michibaum.authentication_library.public_endpoints.PublicEndpointResolver
 import com.michibaum.authentication_library.security.ServletAuthenticationFilter
 import com.michibaum.authentication_library.security.ServletDelegateAuthenticationManager
 import com.michibaum.authentication_library.security.SpecificAuthenticationManager
@@ -10,18 +12,20 @@ import com.michibaum.authentication_library.security.basic.servlet.BasicAuthenti
 import com.michibaum.authentication_library.security.jwt.JwsValidator
 import com.michibaum.authentication_library.security.jwt.JwtAuthenticationManager
 import com.michibaum.authentication_library.security.jwt.servlet.JwtAuthenticationConverter
+import org.springframework.boot.context.properties.EnableConfigurationProperties
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.context.annotation.Lazy
 import org.springframework.security.authentication.AuthenticationManager
 import org.springframework.security.web.authentication.AuthenticationConverter
 
 @Configuration
+@EnableConfigurationProperties(value = [AdminServiceCredentials::class])
 class SecurityBeansConfiguration {
 
     @Bean
-    fun adminServiceCredentials(): AdminServiceCredentials =
-        AdminServiceCredentials()
+    fun publicEndpointResolver(): PublicEndpointResolver =
+        PublicEndpointResolver(PublicEndpoint::class.java, "com.michibaum.admin_service")
 
 
 

admin-service/src/main/kotlin/com/michibaum/admin_service/security/SecurityConfiguration.kt

@@ -1,5 +1,6 @@
 package com.michibaum.admin_service.security
 
+import com.michibaum.authentication_library.public_endpoints.PublicEndpointResolver
 import com.michibaum.authentication_library.security.ServletAuthenticationFilter
 import com.michibaum.permission_library.Permissions
 import org.springframework.context.annotation.Bean
@@ -20,12 +21,15 @@ class SecurityConfiguration {
     @Bean
     fun securityFilterChain(
         http: HttpSecurity,
-        authenticationFilter: ServletAuthenticationFilter
+        authenticationFilter: ServletAuthenticationFilter,
+        publicEndpointResolver: PublicEndpointResolver
     ): SecurityFilterChain {
+        val publicEndpoints = publicEndpointResolver.run()
         return http
-            .authorizeHttpRequests {
-                it.anyRequest()
-                    .hasAnyAuthority(Permissions.ADMIN_SERVICE.name)
+            .authorizeHttpRequests { authorizeHttpRequests ->
+                authorizeHttpRequests
+                    .requestMatchers(*publicEndpoints.map { it.requestMatcher}.toTypedArray()).permitAll()
+                    .anyRequest().hasAnyAuthority(Permissions.ADMIN_SERVICE.name)
             }
             .addFilterBefore(authenticationFilter, UsernamePasswordAuthenticationFilter::class.java)
             .httpBasic { httpBasicSpec -> httpBasicSpec.disable() }

authentication-library/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <artifactId>microservice</artifactId>
         <groupId>com.michibaum</groupId>
-        <version>1.0.0-TEST-9</version>
+        <version>1.0.0</version>
         <relativePath>../pom.xml</relativePath>
     </parent>
 
@@ -53,7 +53,7 @@
         <dependency>
             <groupId>com.michibaum</groupId>
             <artifactId>permission-library</artifactId>
-            <version>1.0.0-TEST-9</version>
+            <version>1.0.0</version>
         </dependency>
 
         <dependency>

authentication-library/src/main/kotlin/com/michibaum/authentication_library/public_endpoints/PublicEndpoint.kt

@@ -0,0 +1,7 @@
+package com.michibaum.authentication_library.public_endpoints
+
+@Target(AnnotationTarget.FUNCTION)
+@Retention(AnnotationRetention.RUNTIME)
+annotation class PublicEndpoint(
+
+)

authentication-library/src/main/kotlin/com/michibaum/authentication_library/public_endpoints/PublicEndpointDetails.kt

@@ -0,0 +1,25 @@
+package com.michibaum.authentication_library.public_endpoints
+
+import org.springframework.http.HttpMethod
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher
+import org.springframework.security.web.util.matcher.RequestMatcher
+import org.springframework.web.bind.annotation.RequestMethod
+
+class PublicEndpointDetails(
+    val rawPath: String,
+    requestMethod: RequestMethod
+) {
+
+    val antPath: String = createAntPath()
+    val httpMethod: HttpMethod = HttpMethod.valueOf(requestMethod.name)
+    val requestMatcher: RequestMatcher = createRequestMatcher()
+
+    private fun createAntPath(): String {
+        return rawPath.replace("\\{.*}".toRegex(), "*")
+    }
+
+    private fun createRequestMatcher(): RequestMatcher {
+        return AntPathRequestMatcher.antMatcher(httpMethod, antPath)
+    }
+
+}

authentication-library/src/main/kotlin/com/michibaum/authentication_library/public_endpoints/PublicEndpointResolver.kt

@@ -0,0 +1,125 @@
+package com.michibaum.authentication_library.public_endpoints
+
+import org.slf4j.Logger
+import org.slf4j.LoggerFactory
+import org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider
+import org.springframework.core.type.filter.AnnotationTypeFilter
+import org.springframework.web.bind.annotation.*
+import java.lang.reflect.Method
+
+
+class PublicEndpointResolver(
+    private val publicAnnotation: Class<out Annotation>,
+    private vararg val packageName: String
+) { // TODO take into account that @RestController can have @RequestMapping
+
+    private val logger: Logger = LoggerFactory.getLogger(PublicEndpointResolver::class.java)
+
+    fun run(): List<PublicEndpointDetails> {
+        val mappings = getAllRestController()
+            .map { getMethodsAnnotatedWith(it) }
+            .map { getMappingValue(it) }
+            .flatten()
+
+        logger.info("Found ${mappings.size} public endpoints")
+        for (mapping in mappings) {
+            logger.info("Mapping: ${mapping.httpMethod} '${mapping.rawPath}' converted to antPath: '${mapping.antPath}'")
+        }
+        return mappings
+    }
+
+
+    private fun getMethodsAnnotatedWith(type: Class<*>): List<Method> {
+        logger.debug("Searching for methods annotated with ${publicAnnotation.name} in class: ${type.name}")
+        val methods: Array<Method> = type.methods
+        logger.debug("Found ${methods.size} methods")
+        val annotatedMethods: MutableList<Method> = ArrayList(methods.size)
+        for (method in methods) {
+            if (method.isAnnotationPresent(publicAnnotation)) {
+                annotatedMethods.add(method)
+            }
+        }
+        logger.debug("Found ${annotatedMethods.size} annotated methods")
+        return annotatedMethods
+    }
+
+    private fun getMappingValue(methods: List<Method>): List<PublicEndpointDetails> {
+        return methods.map { getMappingValue(it) }
+            .flatten()
+            .toList()
+    }
+
+    private fun getMappingValue(method: Method): List<PublicEndpointDetails> {
+        logger.debug("Searching for mapping annotation on method: ${method.name}")
+
+        val mappings = ArrayList<PublicEndpointDetails>()
+
+        getEndpointsFromRequestMapping(method).also {
+            mappings.addAll(it)
+        }
+
+        if(method.isAnnotationPresent(GetMapping::class.java)){
+            val paths = method.getAnnotation(GetMapping::class.java).value
+            val result = paths.map { PublicEndpointDetails(it, RequestMethod.GET) }
+            mappings.addAll(result)
+        }
+
+        if(method.isAnnotationPresent(PostMapping::class.java)){
+            val paths = method.getAnnotation(PostMapping::class.java).value
+            val result = paths.map { PublicEndpointDetails(it, RequestMethod.POST) }
+            mappings.addAll(result)
+        }
+
+        if(method.isAnnotationPresent(PutMapping::class.java)){
+            val paths = method.getAnnotation(PutMapping::class.java).value
+            val result = paths.map { PublicEndpointDetails(it, RequestMethod.PUT) }
+            mappings.addAll(result)
+        }
+
+        if(method.isAnnotationPresent(PatchMapping::class.java)){
+            val paths = method.getAnnotation(PatchMapping::class.java).value
+            val result = paths.map { PublicEndpointDetails(it, RequestMethod.PATCH) }
+            mappings.addAll(result)
+        }
+
+        if (method.isAnnotationPresent(DeleteMapping::class.java)) {
+            val paths = method.getAnnotation(DeleteMapping::class.java).value
+            val result = paths.map { PublicEndpointDetails(it, RequestMethod.DELETE) }
+            mappings.addAll(result)
+        }
+
+        logger.debug("Found mapping: $mappings")
+        return mappings
+    }
+
+    private fun getEndpointsFromRequestMapping(
+        method: Method,
+    ): List<PublicEndpointDetails> {
+        if (method.isAnnotationPresent(RequestMapping::class.java)) {
+            val paths = method.getAnnotation(RequestMapping::class.java).value
+            val methods = method.getAnnotation(RequestMapping::class.java).method
+            val result = paths.map { path ->
+                methods.map { method ->
+                    PublicEndpointDetails(path, method)
+                }
+            }.flatten()
+            return result
+        }
+        return emptyList()
+    }
+
+    private fun getAllRestController(): List<Class<*>> {
+        logger.debug("Searching for all RestController in packages: ${packageName.joinToString(", ")}")
+        val scanner = ClassPathScanningCandidateComponentProvider(false)
+        scanner.addIncludeFilter(AnnotationTypeFilter(RestController::class.java))
+        val beanDefinitions = packageName.map { scanner.findCandidateComponents(it) }
+            .flatten()
+            .filterNotNull()
+
+        logger.debug("Found ${beanDefinitions.size} RestController")
+        val classes = beanDefinitions.map { Class.forName(it.beanClassName) }.filterNotNull().toList()
+        logger.debug("Resolved ${classes.size} classes of RestController")
+        return classes
+    }
+
+}

authentication-service/pom.xml

@@ -7,7 +7,7 @@
     <parent>
         <artifactId>microservice</artifactId>
         <groupId>com.michibaum</groupId>
-        <version>1.0.0-TEST-9</version>
+        <version>1.0.0</version>
     </parent>
 
     <artifactId>authentication-service</artifactId>
@@ -86,17 +86,17 @@
         <dependency>
             <groupId>com.michibaum</groupId>
             <artifactId>authentication-library</artifactId>
-            <version>1.0.0-TEST-9</version>
+            <version>1.0.0</version>
         </dependency>
         <dependency>
             <groupId>com.michibaum</groupId>
             <artifactId>usermanagement-library</artifactId>
-            <version>1.0.0-TEST-9</version>
+            <version>1.0.0</version>
         </dependency>
         <dependency>
             <groupId>com.michibaum</groupId>
             <artifactId>spring-boot-starter-discord</artifactId>
-            <version>1.0.0-TEST-9</version>
+            <version>1.0.0</version>
         </dependency>
 
         <dependency>

authentication-service/src/main/kotlin/com/michibaum/authentication_service/authentication/AuthenticationController.kt

@@ -2,6 +2,7 @@ package com.michibaum.authentication_service.authentication
 
 import com.michibaum.authentication_library.AuthenticationEndpoints
 import com.michibaum.authentication_library.PublicKeyDto
+import com.michibaum.authentication_library.public_endpoints.PublicEndpoint
 import com.michibaum.usermanagement_library.*
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.annotation.Lazy
@@ -20,6 +21,7 @@ class AuthenticationController (
     @Lazy
     lateinit var usermanagementClient: UsermanagementClient
 
+    @PublicEndpoint
     @PostMapping(value = ["/api/authenticate"])
     fun authenticate(@RequestBody authenticationDto: AuthenticationDto): ResponseEntity<AuthenticationResponse> {
         val loginDto = LoginDto(authenticationDto.username, authenticationDto.password)
@@ -36,6 +38,7 @@ class AuthenticationController (
         return ResponseEntity.ok().body(responseBody)
     }
 
+    @PublicEndpoint
     @PostMapping(value = ["/api/register"])
     fun register(@RequestBody registerDto: RegisterDto): ResponseEntity<RegisterResponse> {
         val createUserDto = CreateUserDto(registerDto.username, registerDto.email, registerDto.password)

authentication-service/src/main/kotlin/com/michibaum/authentication_service/security/AdminServiceCredentials.kt

@@ -4,6 +4,6 @@ import org.springframework.boot.context.properties.ConfigurationProperties
 
 @ConfigurationProperties(prefix = "spring.boot.admin.client")
 data class AdminServiceCredentials(
-    var username: String = "",
-    var password: String = ""
+    val username: String,
+    val password: String
 )