Merge remote-tracking branch 'origin/develop' into feat/chronos

Conflicts:
	pom.xml
	src/main/java/it/reply/orchestrator/exception/http/BadRequestException.java
	src/main/java/it/reply/orchestrator/service/DeploymentServiceImpl.java
	src/main/java/it/reply/orchestrator/service/ToscaService.java
	src/main/java/it/reply/orchestrator/service/ToscaServiceImpl.java
	src/main/java/it/reply/orchestrator/service/commands/PollDeploy.java
	src/main/java/it/reply/orchestrator/service/deployment/providers/ImServiceImpl.java
	src/main/resources/tosca-definitions/custom_types.yaml

README.md

@@ -73,3 +73,14 @@ sudo docker run --name orchestrator1 -h orchestrator1 -e ORCHESTRATOR_DB_ENDPOIN
   -e WORKFLOW_DB_PWD=DB_USER_PASSWORD -p 80:8080 -d indigodatacloud/orchestrator
 ```
 using as parameters (`DOMAIN_NAME`, `PORT`, `SCHEMA_NAME`, `DB_USER`, `DB_USER_PASSWORD`) the correct values.
+
+1.4 CONFIGURING
+--------------
+Besides those used to link the orchestrator to the DBs, there are other environment variables that can be set in order to configure the orchestrator behaviour.
+
+### Configure security
+ 1. `SECURITY_ENABLE`: if set to `true` enable AAI OAuth2 authentication and authorization
+ 2. `OIDC_ISSUERS`: String containing a list of comma separated values of whitelisted AAI token issuers
+ 3. `OIDC_CLIENT_ID`: The OAuth2 client ID
+ 4. `OIDC_CLIENT_SECRET` The OAuth2 client secret
+ 

docker/Dockerfile

@@ -62,6 +62,11 @@ ENV IM_URL="" \
 	OPENNEBULA_AUTH_FILE_PATH="" \
 	OPENSTACK_AUTH_FILE_PATH="" \
 	ONEDOCK_AUTH_FILE_PATH=""
+
+ENV SECURITY_ENABLE="" \
+	OIDC_ISSUERS="" \
+	OIDC_CLIENT_ID="" \
+	OIDC_CLIENT_SECRET=""
 
 ENTRYPOINT sh /launch.sh
 

docker/launch.sh

@@ -13,6 +13,7 @@ java -jar /usr/share/java/saxon.jar -o:$JBOSS_HOME/standalone/configuration/$JBO
 	workflow.DB.pwd=$WORKFLOW_DB_PWD
 
 IM_PROP_FILE="$JBOSS_HOME/standalone/deployments/$WAR_NAME.war/WEB-INF/classes/im-config/im-java-api.properties"
+SECURITY_PROP_FILE="$JBOSS_HOME/standalone/deployments/$WAR_NAME.war/WEB-INF/classes/security.properties"
 
 if [[ $IM_URL ]];
 	then sed -i "s/^\(url=\).*$/\1$(echo $IM_URL | sed -e 's/[\/&]/\\&/g')/" ${IM_PROP_FILE};
@@ -30,6 +31,25 @@ if [[ $ONEDOCK_AUTH_FILE_PATH ]];
 	then sed -i "s/^\(onedock\.auth\.file\.path=\).*$/\1$(echo $ONEDOCK_AUTH_FILE_PATH | sed -e 's/[\/&]/\\&/g')/" ${IM_PROP_FILE};
 fi;
 
+# CUSTOMIZE SECURITY PROPERTIES
+if [ $SECURITY_ENABLE = "true"];
+	then sed -i "s/^\(security\.enabled=\).*$/\1$(echo 'true' | sed -e 's/[\/&]/\\&/g')/" ${SECURITY_PROP_FILE};
+	else sed -i "s/^\(security\.enabled=\).*$/\1$(echo 'false' | sed -e 's/[\/&]/\\&/g')/" ${SECURITY_PROP_FILE};
+fi;
+
+if [[ $OIDC_ISSUERS ]];
+	then sed -i "s/^\(OIDC\.issuers=\).*$/\1$(echo $OIDC_ISSUERS | sed -e 's/[\/&]/\\&/g')/" ${SECURITY_PROP_FILE};
+fi;
+
+if [[ $OIDC_CLIENT_ID ]];
+	then sed -i "s/^\(OIDC\.clientID=\).*$/\1$(echo $OIDC_CLIENT_ID | sed -e 's/[\/&]/\\&/g')/" ${SECURITY_PROP_FILE};
+fi;
+
+if [[ $OIDC_CLIENT_SECRET ]];
+	then sed -i "s/^\(OIDC\.clientSecret=\).*$/\1$(echo $OIDC_CLIENT_SECRET | sed -e 's/[\/&]/\\&/g')/" ${SECURITY_PROP_FILE};
+fi;
+################################
+
 if [ "${ENABLE_DEBUG}" = "true" ];
 	then DEBUG_ARG="--debug";
 	else DEBUG_ARG="";

pom.xml

@@ -3,14 +3,16 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>it.reply</groupId>
 	<artifactId>orchestrator</artifactId>
-	<version>0.0.4-SNAPSHOT</version>
+	<version>0.0.5-SNAPSHOT</version>
 	<packaging>war</packaging>
 	<name>orchestrator</name>
 
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<java.version>1.8</java.version>
 		<springframework.version>4.2.2.RELEASE</springframework.version>
+		<spring.security.version>4.1.0.RELEASE</spring.security.version>
+		<openid.connect.version>1.2.6</openid.connect.version>
 		<log4j.version>2.5</log4j.version>
 		<jackson.version>2.6.4</jackson.version>
 		<hibernate.version>4.3.11.Final</hibernate.version>
@@ -23,7 +25,7 @@
 		<snippetsDirectory>${project.build.directory}\generated-snippets</snippetsDirectory>
 		<checkstyle-plugin.version>2.17</checkstyle-plugin.version>
 		<workflow-manager.version>0.0.3-SNAPSHOT</workflow-manager.version>
-		<alien4cloud.version>1.1.0-INDIGO1</alien4cloud.version>
+		<alien4cloud.version>1.1.0-INDIGO2-SNAPSHOT</alien4cloud.version>
 		<chronos-client.version>0.0.1-SNAPSHOT</chronos-client.version>
 	</properties>
 
@@ -60,6 +62,18 @@
 	</repositories>
 
 	<dependencies>
+		<!-- Fix for java.lang.NoSuchFieldError: REFLECTION -->
+		<dependency>
+			<groupId>com.sun.xml.bind</groupId>
+			<artifactId>jaxb-core</artifactId>
+			<version>2.2.11</version>
+		</dependency>
+		<dependency>
+			<groupId>com.sun.xml.bind</groupId>
+			<artifactId>jaxb-impl</artifactId>
+			<version>2.2.11</version>
+		</dependency>
+		<!--           -->
 		<!-- Fix to avoid to import the library (which conflicts with the one in 
 			WildFly) -->
 		<dependency>
@@ -104,7 +118,31 @@
 			<artifactId>spring-plugin-core</artifactId>
 			<version>1.2.0.RELEASE</version>
 		</dependency>
-
+		<dependency>
+	        <groupId>org.springframework.security</groupId>
+	        <artifactId>spring-security-config</artifactId>
+			<version>${spring.security.version}</version>
+	    </dependency>
+    	<dependency>
+	        <groupId>org.springframework.security</groupId>
+	        <artifactId>spring-security-core</artifactId>
+			<version>${spring.security.version}</version>
+	    </dependency>
+		<dependency>
+	        <groupId>org.springframework.security</groupId>
+	        <artifactId>spring-security-web</artifactId>
+			<version>${spring.security.version}</version>
+	    </dependency>
+	    <dependency>
+	        <groupId>org.springframework.security.oauth</groupId>
+    	    <artifactId>spring-security-oauth2</artifactId>
+    	    <version>2.0.9.RELEASE</version>
+    	</dependency>
+	    <dependency>
+			<groupId>org.mitre</groupId>
+			<artifactId>openid-connect-client</artifactId>
+			<version>${openid.connect.version}</version>
+		</dependency>
 		<!-- Logging -->
 		<dependency>
 			<groupId>org.apache.logging.log4j</groupId>

src/main/java/it/reply/orchestrator/config/ApplicationConfig.java

@@ -1,15 +1,21 @@
 package it.reply.orchestrator.config;
 
+import it.reply.orchestrator.config.security.WebSecurityConfig;
+
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Import;
 import org.springframework.context.support.PropertySourcesPlaceholderConfigurer;
+import org.springframework.core.convert.ConversionService;
+import org.springframework.core.convert.support.DefaultConversionService;
 import org.springframework.core.io.ResourceLoader;
 import org.springframework.scheduling.annotation.EnableAsync;
 
 import java.io.IOException;
 
 @Configuration
 @EnableAsync
+@Import(WebSecurityConfig.class)
 public class ApplicationConfig {
 
   /**
@@ -27,4 +33,8 @@ public static PropertySourcesPlaceholderConfigurer propertyPlaceholderConfigurer
     return propertyPlaceholderConfigurer;
   }
 
+  @Bean
+  public ConversionService conversionService() {
+    return new DefaultConversionService();
+  }
 }

src/main/java/it/reply/orchestrator/config/PersistenceConfig.java

@@ -3,6 +3,8 @@
 import it.reply.workflowmanager.spring.orchestrator.annotations.WorkflowPersistenceUnit;
 import it.reply.workflowmanager.utils.Constants;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.PropertySource;
@@ -32,6 +34,8 @@
 @PropertySource(value = { "classpath:application.properties" })
 public class PersistenceConfig {
 
+  private static final Logger LOG = LogManager.getLogger(PersistenceConfig.class);
+
   private static final String ENTITY_MANAGER_PACKAGE_TO_SCAN = "entitymanager.packages.to.scan";
   private static final String HIBERNATE_HBM2DDL_AUTO = "hibernate.hbm2ddl.auto";
   private static final String HIBERNATE_DIALECT = "hibernate.dialect";
@@ -73,6 +77,11 @@ public LocalContainerEntityManagerFactoryBean entityManagerFactory() throws Nami
     factory.setJpaVendorAdapter(vendorAdapter);
     factory.setPackagesToScan(this.env.getProperty(ENTITY_MANAGER_PACKAGE_TO_SCAN));
 
+    LOG.debug(env.getProperty(ENTITY_MANAGER_PACKAGE_TO_SCAN));
+    LOG.debug(env.getProperty(HIBERNATE_HBM2DDL_AUTO));
+    LOG.debug(env.getProperty(HIBERNATE_DIALECT));
+    LOG.debug(env.getProperty(HIBERNATE_TRANSACTION_JTA_PLATFORM));
+
     Properties jpaProperties = new Properties();
     jpaProperties.put(HIBERNATE_HBM2DDL_AUTO, env.getProperty(HIBERNATE_HBM2DDL_AUTO));
     jpaProperties.put(HIBERNATE_DIALECT, env.getProperty(HIBERNATE_DIALECT));

src/main/java/it/reply/orchestrator/config/security/SecurityWebApplicationInitializer.java

@@ -0,0 +1,7 @@
+package it.reply.orchestrator.config.security;
+
+import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;
+
+public class SecurityWebApplicationInitializer extends AbstractSecurityWebApplicationInitializer {
+
+}

src/main/java/it/reply/orchestrator/config/security/WebSecurityConfig.java

@@ -0,0 +1,182 @@
+package it.reply.orchestrator.config.security;
+
+import it.reply.orchestrator.service.security.IndigoUserInfoFetcher;
+import it.reply.orchestrator.service.security.UserInfoIntrospectingTokenService;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+import org.mitre.oauth2.introspectingfilter.service.IntrospectionConfigurationService;
+import org.mitre.oauth2.introspectingfilter.service.impl.JWTParsingIntrospectionConfigurationService;
+import org.mitre.oauth2.model.RegisteredClient;
+import org.mitre.openid.connect.client.UserInfoFetcher;
+import org.mitre.openid.connect.client.service.ClientConfigurationService;
+import org.mitre.openid.connect.client.service.ServerConfigurationService;
+import org.mitre.openid.connect.client.service.impl.DynamicServerConfigurationService;
+import org.mitre.openid.connect.client.service.impl.StaticClientConfigurationService;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Lazy;
+import org.springframework.context.annotation.PropertySource;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
+import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+@Configuration
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
+@PropertySource(value = { "classpath:security.properties" })
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+  static final Logger LOG = LogManager.getLogger(WebSecurityConfig.class);
+
+  @Value("${security.enabled}")
+  private boolean securityEnabled;
+
+  @Configuration
+  @ConditionalOnProperty(name = "security.enabled", havingValue = "true")
+  public static class OidcConfig {
+
+    @Value("${OIDC.issuers}")
+    private Set<String> oidcIssuers;
+
+    @Value("${OIDC.clientID}")
+    private String oidcClientId;
+
+    @Value("${OIDC.clientSecret}")
+    private String oidcClientSecret;
+
+    @Value("${OIDC.cacheTokens}")
+    private boolean oidcCacheTokens;
+
+    @Value("${OIDC.clientScopes}")
+    private Set<String> oidcClientScopes;
+
+    @Bean
+    protected ServerConfigurationService serverConfigurationService() {
+      DynamicServerConfigurationService serverConfigurationService =
+          new DynamicServerConfigurationService();
+      serverConfigurationService.setWhitelist(oidcIssuers);
+      return serverConfigurationService;
+    }
+
+    @Bean
+    protected ClientConfigurationService clientConfigurationService() {
+      RegisteredClient client = new RegisteredClient();
+      client.setClientId(oidcClientId);
+      client.setClientSecret(oidcClientSecret);
+      client.setScope(oidcClientScopes);
+      Map<String, RegisteredClient> clients = new HashMap<>();
+      for (String issuer : oidcIssuers) {
+        clients.put(issuer, client);
+      }
+
+      StaticClientConfigurationService clientConfigurationService =
+          new StaticClientConfigurationService();
+      clientConfigurationService.setClients(clients);
+
+      return clientConfigurationService;
+    }
+
+    @Bean
+    protected UserInfoFetcher userInfoFetcher() {
+      return new IndigoUserInfoFetcher();
+    }
+
+    @Bean
+    protected IntrospectionConfigurationService introspectionConfigurationService() {
+      JWTParsingIntrospectionConfigurationService introspectionConfigurationService =
+          new JWTParsingIntrospectionConfigurationService();
+      introspectionConfigurationService.setServerConfigurationService(serverConfigurationService());
+      introspectionConfigurationService.setClientConfigurationService(clientConfigurationService());
+      return introspectionConfigurationService;
+    }
+
+    @Bean
+    protected ResourceServerTokenServices introspectingTokenService() {
+      UserInfoIntrospectingTokenService introspectingTokenService =
+          new UserInfoIntrospectingTokenService();
+      introspectingTokenService
+          .setIntrospectionConfigurationService(introspectionConfigurationService());
+      introspectingTokenService.setCacheTokens(oidcCacheTokens);
+      introspectingTokenService.setServerConfigurationService(serverConfigurationService());
+      introspectingTokenService.setUserInfoFetcher(userInfoFetcher());
+      return introspectingTokenService;
+    }
+  }
+
+  private static final class NoOpAuthenticationProvider implements AuthenticationProvider {
+
+    @Override
+    public Authentication authenticate(Authentication authentication)
+        throws AuthenticationException {
+      throw new UnsupportedOperationException(
+          "This AuthenticationProvider must not be used to authenticate");
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+      return false;
+    }
+  }
+
+  @Bean
+  @Override
+  public AuthenticationManager authenticationManagerBean() throws Exception {
+    return super.authenticationManagerBean();
+  }
+
+  @Override
+  protected void configure(AuthenticationManagerBuilder auth) throws Exception {
+    auth.authenticationProvider(new NoOpAuthenticationProvider());
+  }
+
+  @Override
+  public void configure(WebSecurity webSecurity) throws Exception {
+    if (securityEnabled) {
+      webSecurity.ignoring().regexMatchers("/?");
+    } else {
+      webSecurity.ignoring().anyRequest();
+    }
+  }
+
+  @Autowired
+  @Lazy
+  private ResourceServerTokenServices tokenServices;
+
+  @Override
+  public void configure(HttpSecurity http) throws Exception {
+    if (securityEnabled) {
+      http.csrf().disable();
+      http.authorizeRequests().anyRequest().fullyAuthenticated().and().sessionManagement()
+          .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
+      ResourceServerSecurityConfigurer configurer = new ResourceServerSecurityConfigurer();
+      configurer.setBuilder(http);
+      configurer.tokenServices(tokenServices);
+      configurer.configure(http);
+
+      // TODO Customize the authentication entry point in order to align the response body error
+      // coming from the security filter chain to the ones coming from the REST controllers
+      // see https://github.com/spring-projects/spring-security-oauth/issues/605
+      // configurer.authenticationEntryPoint(new CustomAuthenticationEntryPoint());
+    } else {
+      super.configure(http);
+    }
+  }
+}