feat/Add cors (#23)

* added vault * Update ci-main.yml * Update ci-main.yml * fix vault name * Add Upload Script * Update ci-main.yml * Update ci-main.yml * Update ci-main.yml * Update ci-main.yml * Downgraded cloud version * fix db driver * added info state * Update Sign-And-Upload Script * Delete ci-sonar.yml * added vault properties * added vault properties * added cors * fix test * checkstyle Co-authored-by: Felix Dittrich <[email protected]> Co-authored-by: Felix Dittrich <[email protected]>
eu-digital-green-certificates · Jul 8, 2021 · 76fb5a5 · 76fb5a5
1 parent d56a59d
commit 76fb5a5
Show file tree

Hide file tree

Showing 13 changed files with 206 additions and 49 deletions.
diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
@@ -1,5 +1,6 @@
 name: ci-main
 on:
+  workflow_dispatch:
   push:
     branches:
     - main
@@ -48,9 +49,23 @@ jobs:
         --password-stdin
         docker build . \
         --file ./Dockerfile \
-        --tag "${APP_PACKAGES_URL}:${APP_VERSION}"
+        --tag "${APP_PACKAGES_URL}:${APP_VERSION}" \
+        --tag "${TRUSTED_URL}/${TRUSTED_REPOSITORY}/cwa-dcc-rules:${APP_VERSION}"
         docker push "${APP_PACKAGES_URL}:${APP_VERSION}"
       env:
         APP_PACKAGES_URL: docker.pkg.github.com/${{ github.repository }}/dgca-businessrule-service
         APP_PACKAGES_USERNAME: ${{ github.actor }}
         APP_PACKAGES_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+        TRUSTED_URL: ${{ secrets.TRUSTED_URL }}
+        TRUSTED_REPOSITORY: ${{ secrets.TRUSTED_REPOSITORY }}
+    - name: docker push trusted
+      run: |
+        echo ${TRUSTED_TOKEN} | docker login ${TRUSTED_URL} -u ${TRUSTED_USER} --password-stdin
+        docker push ${TRUSTED_URL}/${TRUSTED_REPOSITORY}/cwa-dcc-rules:${APP_VERSION}
+      env:
+        TRUSTED_KEY: ${{ secrets.TRUSTED_KEY }}
+        TRUSTED_URL: ${{ secrets.TRUSTED_URL }}
+        TRUSTED_SERVER_URL: ${{ secrets.TRUSTED_SERVER_URL }}
+        TRUSTED_REPOSITORY: ${{ secrets.TRUSTED_REPOSITORY }}
+        TRUSTED_USER: ${{ secrets.TRUSTED_USER }}
+        TRUSTED_TOKEN: ${{ secrets.TRUSTED_TOKEN }}
diff --git a/.github/workflows/ci-sonar.yml b/.github/workflows/ci-sonar.yml
diff --git a/pom.xml b/pom.xml
@@ -26,7 +26,7 @@
     <!-- dependencies -->
     <owasp.version>6.1.1</owasp.version>
     <spring.boot.version>2.4.4</spring.boot.version>
-    <spring.cloud.version>2020.0.2</spring.cloud.version>
+    <spring.cloud.version>2020.0.1</spring.cloud.version>
     <spring.test.version>5.3.5</spring.test.version>
     <spring.security.version>5.4.6</spring.security.version>
     <lombok.version>1.18.20</lombok.version>
@@ -107,6 +107,7 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
+
       <dependency>
         <groupId>org.projectlombok</groupId>
         <artifactId>lombok</artifactId>
@@ -158,6 +159,14 @@
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-actuator</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.springframework.cloud</groupId>
+      <artifactId>spring-cloud-starter-vault-config</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework.cloud</groupId>
+      <artifactId>spring-cloud-starter-bootstrap</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-test</artifactId>
@@ -265,6 +274,10 @@
       <artifactId>nimbus-jose-jwt</artifactId>
       <version>9.9.2</version>
     </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-security</artifactId>
+    </dependency>
   </dependencies>
 
   <build>

diff --git a/scripts/Readme.md b/scripts/Readme.md
@@ -0,0 +1,28 @@
+# DCC Rules Upload Script
+
+This Batch script allows to upload multiple DCC-Validation Rules with one CMD command.
+
+## Preparation
+
+Install DGC-CLI on your computer. Follow all the steps described in Readme file.
+https://github.com/eu-digital-green-certificates/dgc-cli
+
+Copy your DCC-Validation Rules in a directory next to the Batch-File.
+The Rules can be placed within a directory structure.
+A rule file MUST have the filename ```rule.json```. All other files will be ignored.
+
+Copy you Upload- and MTLS-Certificate into the directory.
+
+Open the Batch-File with a Text-Editor of your choice and set the following Values
+
+| Variable | Value |
+| --- | --- |
+| DGCG_ENDPOINT | URL of rules upload endpoint (should end with /rules) |
+| SIGNING_KEY | Path to PrivateKeyFile of your Upload Certificate |
+| SIGNING_CERT | Path to PEM-File of your Upload Certificate |
+| TLS_KEY | Path to PrivateKeyFile of your TLS Certificate |
+| TLS_CERT | Path to PEM-File of your TLS Certificate |
+
+## Upload Rules
+
+Just execute the Batch Script and all Rules will be uploaded.
diff --git a/scripts/sign-and-upload.bat b/scripts/sign-and-upload.bat
@@ -0,0 +1,26 @@
+@echo off
+REM Change this values according to your needs
+SET DGCG_ENDPOINT="https://example.org/rules"
+SET SIGNING_KEY="upload_key.pem"
+SET SIGNING_CERT="upload.pem"
+SET TLS_KEY="auth_key.pem"
+SET TLS_CERT="auth.pem"
+
+
+REM DO NOT CHANGE ANYTHING BELOW THIS!
+
+echo Search rule files and sign with Upload Certificate and Upload to DGCG
+
+for /f "usebackq delims=|" %%f in (`dir /s/b rule.json`) do (call :upload %%f)
+
+echo deleting temporary file
+del -f tmp.cms
+
+goto :eof
+
+:upload
+echo Processing JSON file %1
+call dgc signing sign-string -c %SIGNING_CERT% -k %SIGNING_KEY% -i "%1" -o tmp.cms
+call curl --no-progress-bar --request POST "%DGCG_ENDPOINT%" --header "Content-Type: application/cms-text" --header "Accept: application/json" --data-binary @tmp.cms --cert %TLS_CERT% --key %TLS_KEY%
+echo.
+echo.
diff --git a/src/main/java/eu/europa/ec/dgc/businessrule/config/CorsConfig.java b/src/main/java/eu/europa/ec/dgc/businessrule/config/CorsConfig.java
@@ -0,0 +1,24 @@
+package eu.europa.ec.dgc.businessrule.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+@Configuration
+@EnableWebSecurity
+public class CorsConfig implements WebMvcConfigurer {
+
+    @Bean
+    CorsConfigurationSource corsConfigurationSource(DgcConfigProperties dgcConfigProperties) {
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+        CorsConfiguration corsConfiguration = new CorsConfiguration().applyPermitDefaultValues();
+        corsConfiguration.addAllowedOrigin(dgcConfigProperties.getCorsUrl());
+        source.registerCorsConfiguration("/**",corsConfiguration);
+        return source;
+    }
+
+}
diff --git a/src/main/java/eu/europa/ec/dgc/businessrule/config/DgcConfigProperties.java b/src/main/java/eu/europa/ec/dgc/businessrule/config/DgcConfigProperties.java
@@ -35,6 +35,8 @@ public class DgcConfigProperties {
 
     private final GatewayDownload countryListDownload = new GatewayDownload();
 
+    private String corsUrl;
+
     @Getter
     @Setter
     public static class GatewayDownload {

diff --git a/src/main/java/eu/europa/ec/dgc/businessrule/config/WebSecurityConfig.java b/src/main/java/eu/europa/ec/dgc/businessrule/config/WebSecurityConfig.java
@@ -0,0 +1,15 @@
+package eu.europa.ec.dgc.businessrule.config;
+
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@EnableWebSecurity
+public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.cors();
+    }
+
+}
diff --git a/src/main/resources/application-cloud.yml b/src/main/resources/application-cloud.yml
@@ -1,11 +1,30 @@
 spring:
-  h2:
-    console:
-      enabled: false
   datasource:
     driver-class-name: org.postgresql.Driver
-    url: jdbc:postgresql://localhost:5432/postgres
-    username: postgres
-    password: postgres
+    url: jdbc:postgresql://${POSTGRESQL_SERVICE_HOST}:${POSTGRESQL_SERVICE_PORT}/${POSTGRESQL_DATABASE}
+    username: ${POSTGRESQL_USER}
+    password: ${POSTGRESQL_PASSWORD}
   jpa:
     database-platform: org.hibernate.dialect.PostgreSQLDialect
+springdoc:
+  api-docs:
+    enabled: false
+dgc:
+  corsUrl: ${DGC_CORS_ENABLED_URL}
+  gateway:
+    connector:
+      enabled: true
+      endpoint: ${DGC_GATEWAY_CONNECTOR_ENDPOINT}
+      proxy:
+        enabled: false
+      tls-trust-store:
+        password: ${DGC_GATEWAY_CONNECTOR_TLSTRUSTSTORE_PASSWORD}
+        path: ${DGC_GATEWAY_CONNECTOR_TLSTRUSTSTORE_PATH}
+      tls-key-store:
+        alias: ${DGC_GATEWAY_CONNECTOR_TLSKEYSTORE_ALIAS}
+        password: ${DGC_GATEWAY_CONNECTOR_TLSKEYSTORE_PASSWORD}
+        path: ${DGC_GATEWAY_CONNECTOR_TLSKEYSTORE_PATH}
+      trust-anchor:
+        alias: ${DGC_GATEWAY_CONNECTOR_TRUSTANCHOR_ALIAS}
+        password: ${DGC_GATEWAY_CONNECTOR_TRUSTANCHOR_PASSWORD}
+        path: ${DGC_GATEWAY_CONNECTOR_TRUSTANCHOR_PATH}
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
@@ -25,17 +25,34 @@ spring:
       pool:
         size: 5
 management:
+  server:
+    ssl:
+      enabled: false
+    port: 8081
   endpoint:
     info:
       enabled: true
     health:
       enabled: true
+    metrics:
+      enabled: true
+    prometheus:
+      enabled: true
   endpoints:
     enabled-by-default: false
     web:
-      base-path: /management
       exposure:
-        include: info,health
+        include: info,health,metrics,prometheus
+    jmx:
+      exposure:
+        include: info,health,metrics,prometheus
+  health:
+    probes:
+      enabled: true
+  metrics:
+    export:
+      prometheus:
+        enabled: true
 info:
   name: ${spring.application.name}
   profiles: ${spring.profiles.active}
@@ -46,6 +63,7 @@ springdoc:
   swagger-ui:
     path: /swagger
 dgc:
+  corsUrl: https://dgc-gateway.example.com
   businessRulesDownload:
     timeInterval: 1800000
     lockLimit: 3600000

diff --git a/src/main/resources/bootstrap-cloud.yaml b/src/main/resources/bootstrap-cloud.yaml
@@ -0,0 +1,30 @@
+---
+spring:
+  application:
+    name: cwa-dcc-rules
+  cloud:
+    vault:
+      ssl:
+        trust-store: file:${SSL_VAULT_TRUSTSTORE_PATH}
+        trust-store-password: ${SSL_VAULT_TRUSTSTORE_PASSWORD}
+      enabled: true
+      generic:
+        enabled: false
+      kv:
+        enabled: true
+        backend: ${VAULT_BACKEND}
+        profile-separator: '/'
+        application-name: 'cwa-dcc-rules'
+        default-context: ''
+        profiles: cloud
+      fail-fast: true
+      authentication: KUBERNETES
+      kubernetes:
+        role: ${VAULT_ROLE}
+        kubernetes-path: kubernetes
+        service-account-token-file: /var/run/secrets/kubernetes.io/serviceaccount/token
+      uri: ${VAULT_URI}
+      connection-timeout: 5000
+      read-timeout: 15000
+      config:
+        order: -10
diff --git a/src/main/resources/bootstrap.yaml b/src/main/resources/bootstrap.yaml
@@ -0,0 +1,5 @@
+---
+spring:
+  cloud:
+    vault:
+      enabled: false
diff --git a/src/test/resources/application.yml b/src/test/resources/application.yml
@@ -11,6 +11,7 @@ spring:
   main:
     allow-bean-definition-overriding: true
 dgc:
+  corsUrl: "localhost"
   businessRulesDownload:
     timeInterval: 1800000
     lockLimit: 3600000
-Original file line number
+Diff line change
@@ Expand Up / @@ -35,6 +35,8 @@ public class DgcConfigProperties { @@
         private final GatewayDownload countryListDownload = new GatewayDownload();
+        private String corsUrl;
         @Getter
         @Setter
         public static class GatewayDownload {
@@ Expand Down @@