
Commit 02459190 authored by Flavio Ferraioli's avatar Flavio Ferraioli

Merge branch 'release' into 'main'

release v0.6.0

See merge request simpl/simpl-open/development/iaa/simpl-cloud-gateway!36
parents eb6136b4 eabc896b
Tags v0.6.0
2 merge requests!52Feature/align,!36release v0.6.0
Pipeline #220866 passed with warnings
with 659 additions and 41 deletions
...@@ -57,7 +57,8 @@ global: ...@@ -57,7 +57,8 @@ global:
hostBe: authority.be.aruba-simpl.cloud hostBe: authority.be.aruba-simpl.cloud
hostTls: tls.authority.aruba-simpl.cloud hostTls: tls.authority.aruba-simpl.cloud
authorityUrl: "https://authority-service.example.com" authorityUrl: "https://authority-service.example.com"
ingress:
issuer: yourIngressIssuer
cors: cors:
allowOrigin: "https://example.com" allowOrigin: "https://example.com"
``` ```
...@@ -80,3 +81,128 @@ microservices: ...@@ -80,3 +81,128 @@ microservices:
usersRolesUrl: http://users-roles.{{ .Release.Namespace }}.svc.cluster.local:8080 usersRolesUrl: http://users-roles.{{ .Release.Namespace }}.svc.cluster.local:8080
keycloakUrl: http://keycloak.{{ .Release.Namespace }}.svc.cluster.local keycloakUrl: http://keycloak.{{ .Release.Namespace }}.svc.cluster.local
``` ```
## Gateway Routes Configuration
To configure the internal routes of the gateway, you need to modify the `routes`
variable in the `values.yaml` file. This variable allows you to define routing
rules that the gateway will follow to connect to various internal services.
### Routes Configuration
Here is an example of how to configure the routes for the gateway:
```yaml
# Spring Cloud Gateway Routes Authority
springRoutes:
- id: keycloak
uri: ${keycloak.url}
predicates:
- Path=/auth/**
filters:
- StripPrefix=1
- id: users-roles
uri: ${users-roles.url}
predicates:
- Path=/*/user-api/**
filters:
- StripPrefix=2
- id: onboarding
uri: ${onboarding.url}
predicates:
- Path=/*/onboarding-api/**
filters:
- StripPrefix=2
- id: sap
uri: ${sap.url}
predicates:
- Path=/*/sap-api/**
filters:
- StripPrefix=2
- id: identity-provider
uri: ${identity-provider.url}
predicates:
- Path=/*/identity-api/**
filters:
- StripPrefix=2
- id: ocsp
uri: ${ejbca.url}
predicates:
- Path=/ocsp
filters:
- RewritePath=/ocsp/*, /ejbca/publicweb/status/ocsp
- id: ca-certificates
uri: ${ejbca.url}
predicates:
- Path=/ca/*
filters:
- RewritePath=/ca/?(?<segment>.*), /ejbca/publicweb/webdist/certdist?cmd=cacert&issuer=CN%3D$\{segment}
- id: crl
uri: ${ejbca.url}
predicates:
- Path=/crl/*
filters:
- RewritePath=/crl/?(?<segment>.*), /ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN%3D$\{segment}
```
```yaml
# Spring Cloud Gateway Routes Participant
springRoutes:
- id: keycloak
uri: ${keycloak.url}
predicates:
- Path=/auth/**
filters:
- StripPrefix=1
- id: users-roles
uri: ${users-roles.url}
predicates:
- Path=/*/user-api/**
filters:
- StripPrefix=2
```
### Swagger configuration
Additionally, the `swaggerUrls` variable enables you to configure API documentation
using OpenAPI/Swagger.
## Authority
```yaml
swaggerUrls:
- url: /public/sap-api/v3/api-docs
name: Security Attributes Provider Service
- url: /public/onboarding-api/v3/api-docs
name: Onboarding Service
- url: /public/user-api/v3/api-docs
name: Users & Roles Service
- url: /public/identity-api/v3/api-docs
name: Identity Provider Service
```
## Participant
```yaml
swaggerUrls:
- url: /public/user-api/v3/api-docs
name: Users & Roles Service
```
### Custom Role Based Access Control
```yaml
routes:
publicUrls:
- method: GET
path: "public"
deniedUrls:
- method: GET
path: "todeny"
rbac:
- path: "rbacPath"
roles:
- NOTARY
- T1UAR_M
```
\ No newline at end of file
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: {{ .Chart.Name }}-configmap name: {{ .Chart.Name }}-env-configmap
data: data:
{{- if eq .Values.global.profile "authority" }} {{- if eq .Values.global.profile "authority" }}
ONBOARDING_URL: "{{ .Values.microservices.onboardingUrl }}" ONBOARDING_URL: "{{ .Values.microservices.onboardingUrl }}"
......
apiVersion: v1
kind: ConfigMap
metadata:
name: simpl-cloud-gateway-spring-configmap
data:
application.yaml: |
{{- with .Values.springRoutes }}
spring:
cloud:
gateway:
routes:
{{ toYaml . | indent 12 }}
{{- end }}
{{- with .Values.swaggerUrls }}
springdoc:
swagger-ui:
urls:
{{ toYaml . | indent 10 }}
{{ end }}
{{- if .Values.routes }}
{{- if or .Values.routes.publicUrls .Values.routes.deniedUrls .Values.routes.rbac }}
routes:
{{- if .Values.routes.publicUrls }}
public-urls:
{{- range .Values.routes.publicUrls }}
- path: {{ .path }}
{{- if .method }}
method: {{ .method }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.routes.deniedUrls }}
denied-urls:
{{- range .Values.routes.deniedUrls }}
- path: {{ .path }}
{{- if .method }}
method: {{ .method }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.routes.rbac }}
rbac:
{{- range .Values.routes.rbac }}
- path: {{ .path }}
{{- if .method }}
method: {{ .method }}
{{- end }}
roles:
{{- range .roles }}
- {{ . }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
\ No newline at end of file
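Review bot: The templated scalars at L177, L179, L186, L188, L195 and L197 are emitted unquoted (`- path: {{ .path }}`, `method: {{ .method }}`), so a path that contains `: ` or ` #`, or that starts with `*`, `&` or `[`, is re-parsed by YAML into something other than the string the operator wrote — for an authorization allow/deny list that is a silent change of meaning rather than a visible error. Quote them at render time: `- path: {{ .path | quote }}` and `method: {{ .method | quote }}`. The list items rendered by `{{ toYaml . | indent 12 }}` at L163 are already produced by Helm's YAML encoder and are fine as they are. A header comment on the ConfigMap stating that these three lists replace, rather than merge with, the profile defaults on the classpath would also save operators a surprise.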
...@@ -73,7 +73,10 @@ autoscaling: ...@@ -73,7 +73,10 @@ autoscaling:
# targetMemoryUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80
# Additional volumes on the output Deployment definition. # Additional volumes on the output Deployment definition.
volumes: {} volumes:
- name: spring-config
configMap:
name: simpl-cloud-gateway-spring-configmap
# - name: foo # - name: foo
# secret: # secret:
...@@ -81,11 +84,13 @@ volumes: {} ...@@ -81,11 +84,13 @@ volumes: {}
# optional: false # optional: false
# Additional volumeMounts on the output Deployment definition. # Additional volumeMounts on the output Deployment definition.
volumeMounts: {} volumeMounts:
- name: spring-config
mountPath: /config/
envFrom: envFrom:
- configMapRef: - configMapRef:
name: simpl-cloud-gateway-configmap name: simpl-cloud-gateway-env-configmap
microservices: microservices:
usersRolesUrl: http://users-roles.{{ .Release.Namespace }}.svc.cluster.local:8080 usersRolesUrl: http://users-roles.{{ .Release.Namespace }}.svc.cluster.local:8080
...@@ -100,3 +105,27 @@ nodeSelector: {} ...@@ -100,3 +105,27 @@ nodeSelector: {}
tolerations: [] tolerations: []
affinity: {} affinity: {}
# Spring Cloud Gateway Routes
springRoutes: []
# Custom Role Based Access Control
# This is a complete example, if you omit method, all are matched.
#routes:
# publicUrls:
# - method: GET
# path: "/swagger-ui.html"
# deniedUrls:
# - method: GET
# path: "todeny"
# rbac:
# - path: "rbacPath"
# roles:
# - NOTARY
# - T1UAR_M
routes: {}
# Springdoc Swagger-UI
swaggerUrls: []
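Review bot: The new `spring-config` volume at L221–L222 mounts the rendered `application.yaml` at the absolute path `/config/`, but Spring Boot's default search location is `file:./config/`, relative to the process working directory; unless the image's WORKDIR is `/` or `SPRING_CONFIG_ADDITIONAL_LOCATION=file:/config/` is set (neither is visible in this commit), the file is silently ignored and the gateway keeps the classpath defaults — TODO confirm against the Dockerfile. A comment on the mount such as `# picked up by Spring Boot only if WORKDIR is / or spring.config.additional-location points here` would make the dependency explicit. Also note for the commented example at L235–L246: each of `publicUrls`, `deniedUrls` and `rbac` is a list, and a list supplied here replaces the corresponding list from the classpath profile wholesale, so setting only `publicUrls` keeps the profile's rbac rules but drops its public URLs.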
PROJECT_VERSION_NUMBER="0.5.0" PROJECT_VERSION_NUMBER="0.6.0"
\ No newline at end of file \ No newline at end of file
...@@ -5,7 +5,7 @@ ...@@ -5,7 +5,7 @@
<parent> <parent>
<groupId>com.aruba.simpl</groupId> <groupId>com.aruba.simpl</groupId>
<artifactId>simpl-parent</artifactId> <artifactId>simpl-parent</artifactId>
<version>0.5.0</version> <version>0.6.0</version>
<relativePath/> <!-- lookup parent from repository --> <relativePath/> <!-- lookup parent from repository -->
</parent> </parent>
...@@ -40,6 +40,10 @@ ...@@ -40,6 +40,10 @@
<artifactId>springdoc-openapi-starter-webflux-ui</artifactId> <artifactId>springdoc-openapi-starter-webflux-ui</artifactId>
<version>2.6.0</version> <version>2.6.0</version>
</dependency> </dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
</dependency>
</dependencies> </dependencies>
......
package com.aruba.simpl.gatewayserver.configurations;
import java.util.List;
import org.springframework.boot.context.properties.ConfigurationProperties;
@ConfigurationProperties(prefix = "routes")
public record RouteConfig(List<Rule> publicUrls, List<Rule> deniedUrls, List<Rule> rbac) {}
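Review bot: The three list components are left nullable, and SecurityConfig dereferences `routeConfig.rbac().forEach(...)` without a guard (while `publicUrls()`/`deniedUrls()` are guarded with `CollectionUtils.isEmpty`), so any deployment where no property source supplies `routes.rbac` fails at startup with a NullPointerException — the chart's own default `routes: {}` renders no `routes:` block at all, so this depends on the classpath profile being present. Normalising absent sections to empty lists in a compact constructor removes the null case for every caller and also makes the lists immutable.

```java
@ConfigurationProperties(prefix = "routes")
public record RouteConfig(List<Rule> publicUrls, List<Rule> deniedUrls, List<Rule> rbac) {
    /** Treat an absent section as an empty list so callers can iterate without null checks. */
    public RouteConfig {
        publicUrls = publicUrls == null ? List.of() : List.copyOf(publicUrls);
        deniedUrls = deniedUrls == null ? List.of() : List.copyOf(deniedUrls);
        rbac = rbac == null ? List.of() : List.copyOf(rbac);
    }
}
```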
package com.aruba.simpl.gatewayserver.configurations;
import java.util.List;
import lombok.extern.log4j.Log4j2;
import org.springframework.http.HttpMethod;
@Log4j2
public record Rule(HttpMethod method, String path, List<String> roles) {}
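Review bot: `@Log4j2` at L278 generates a static `log` field on a record that never logs; drop the annotation and the `lombok.extern.log4j.Log4j2` import. The record is the schema of the authorization rules and deserves a Javadoc stating the contract the rest of the commit relies on: `method` null means every HTTP method (as the values.yaml example says), `roles` is consulted only for `rbac` entries and is matched via `hasAnyRole`, i.e. without the `ROLE_` prefix, and `path` is a Spring PathPattern where `*` matches a single segment and `**` the rest of the path.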
package com.aruba.simpl.gatewayserver.configurations; package com.aruba.simpl.gatewayserver.configurations;
import com.aruba.simpl.common.annotations.Authority; import com.aruba.simpl.gatewayserver.matchers.KeycloakMatcher;
import com.aruba.simpl.common.autoconfigurations.ReactiveDefaultSecurityAutoConfiguration; import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Objects;
import lombok.extern.log4j.Log4j2;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary; import org.springframework.context.annotation.Primary;
import org.springframework.core.annotation.Order; import org.springframework.core.annotation.Order;
import org.springframework.http.HttpMethod; import org.springframework.http.HttpMethod;
import org.springframework.security.config.Customizer; import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity; import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.server.SecurityWebFilterChain; import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher; import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers; import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.util.CollectionUtils;
import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsConfigurationSource; import org.springframework.web.cors.reactive.CorsConfigurationSource;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource; import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;
@Log4j2
@Configuration @Configuration
@EnableWebFluxSecurity
public class SecurityConfig { public class SecurityConfig {
private final RouteConfig routeConfig;
private final List<ServerWebExchangeMatcher> publicMatchers;
private final List<ServerWebExchangeMatcher> deniedMatchers;
private final String agentType;
public SecurityConfig(RouteConfig routeConfig, @Value("${keycloak.app.realm}") String agentType) {
this.routeConfig = routeConfig;
this.agentType = agentType;
this.publicMatchers = buildPublicUrls();
this.deniedMatchers = buildMatchers(routeConfig.deniedUrls());
}
@Bean @Bean
@Primary @Primary
public SecurityWebFilterChain keycloakProxy(ServerHttpSecurity security) { public SecurityWebFilterChain keycloakProxy(ServerHttpSecurity security) {
return security.securityMatcher(ServerWebExchangeMatchers.pathMatchers("/auth/**")) return security.securityMatcher(new KeycloakMatcher())
.headers(headerSpec -> headerSpec.frameOptions(ServerHttpSecurity.HeaderSpec.FrameOptionsSpec::disable)) .headers(headerSpec -> headerSpec.frameOptions(ServerHttpSecurity.HeaderSpec.FrameOptionsSpec::disable))
.csrf(ServerHttpSecurity.CsrfSpec::disable) .csrf(ServerHttpSecurity.CsrfSpec::disable)
.cors(ServerHttpSecurity.CorsSpec::disable) .cors(ServerHttpSecurity.CorsSpec::disable)
.build(); .build();
} }
@Authority
@Bean @Bean
public ReactiveDefaultSecurityAutoConfiguration.ReactivePublicUrlCustomizer publicUrlCustomizer() { @Order
return publicUrl -> { public SecurityWebFilterChain jwtAuth(ServerHttpSecurity security) {
publicUrl.add(ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, "/public/identity-api/participant")); return security.authorizeExchange(request -> {
publicUrl.add(ServerWebExchangeMatchers.pathMatchers(HttpMethod.POST, "/ocsp")); if (!CollectionUtils.isEmpty(routeConfig.publicUrls())) {
publicUrl.add(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/ca/**")); log.info("configuring public urls {}", routeConfig.publicUrls());
publicUrl.add(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/crl/**")); request.matchers(publicMatchers.toArray(ServerWebExchangeMatcher[]::new))
publicUrl.add(ServerWebExchangeMatchers.pathMatchers(HttpMethod.GET, "/public/identity-api/participant")); .permitAll();
addSwaggerPublicUrl(publicUrl, "sap-api");
addSwaggerPublicUrl(publicUrl, "onboarding-api");
addSwaggerPublicUrl(publicUrl, "user-api");
addSwaggerPublicUrl(publicUrl, "identity-api");
};
} }
private void addSwaggerPublicUrl(List<ServerWebExchangeMatcher> publicUrl, String servicePrefix) { if (!CollectionUtils.isEmpty(routeConfig.deniedUrls())) {
publicUrl.add(ServerWebExchangeMatchers.pathMatchers( log.info("configuring urls to deny {}", routeConfig.publicUrls());
HttpMethod.GET, request.matchers(deniedMatchers.toArray(ServerWebExchangeMatcher[]::new))
"public/%s/swagger-ui.html".formatted(servicePrefix), .denyAll();
"public/%s/swagger-ui/**".formatted(servicePrefix),
"public/%s/v3/api-docs/**".formatted(servicePrefix)));
} }
routeConfig.rbac().forEach(rule -> configureRbacRule(request, rule));
@Bean request.pathMatchers("/private/**")
@Order
public SecurityWebFilterChain jwtAuth(ServerHttpSecurity security) {
return security.authorizeExchange(request -> request.pathMatchers("/private/**")
.authenticated() .authenticated()
.anyExchange() .anyExchange()
.denyAll()) .denyAll();
})
.oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults())) .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
.csrf(ServerHttpSecurity.CsrfSpec::disable) .csrf(ServerHttpSecurity.CsrfSpec::disable)
.build(); .build();
...@@ -76,4 +86,41 @@ public class SecurityConfig { ...@@ -76,4 +86,41 @@ public class SecurityConfig {
source.registerCorsConfiguration("/**", configuration); source.registerCorsConfiguration("/**", configuration);
return source; return source;
} }
private void configureRbacRule(ServerHttpSecurity.AuthorizeExchangeSpec request, Rule rule) {
request.pathMatchers(rule.method(), rule.path()).hasAnyRole(rule.roles().toArray(String[]::new));
}
private List<ServerWebExchangeMatcher> buildPublicUrls() {
var out = new ArrayList<ServerWebExchangeMatcher>();
addSwaggersPublicUrls(out);
out.addAll(buildMatchers(routeConfig.publicUrls()));
return out;
}
private void addSwaggersPublicUrls(List<ServerWebExchangeMatcher> publicUrl) {
if (Objects.equals("authority", agentType)) {
addSwaggerPublicUrl(publicUrl, "sap-api");
addSwaggerPublicUrl(publicUrl, "identity-api");
addSwaggerPublicUrl(publicUrl, "onboarding-api");
}
addSwaggerPublicUrl(publicUrl, "user-api");
}
private void addSwaggerPublicUrl(List<ServerWebExchangeMatcher> publicUrl, String servicePrefix) {
publicUrl.add(ServerWebExchangeMatchers.pathMatchers(
HttpMethod.GET,
"public/%s/swagger-ui.html".formatted(servicePrefix),
"public/%s/swagger-ui/**".formatted(servicePrefix),
"public/%s/v3/api-docs/**".formatted(servicePrefix)));
}
private List<ServerWebExchangeMatcher> buildMatchers(List<Rule> rules) {
if (rules == null) {
return new ArrayList<>();
}
return rules.stream()
.map(rule -> ServerWebExchangeMatchers.pathMatchers(rule.method(), rule.path()))
.toList();
}
} }
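Review bot: The log line at L341 prints the wrong list: under "configuring urls to deny" it passes `routeConfig.publicUrls()`; it should be `log.info("configuring urls to deny {}", routeConfig.deniedUrls());`. More important for readers of the authorization model: the rbac rules built at L347/L364 are an allowlist of extra restrictions, not a deny-by-default — any request under `/private/**` that no rbac pattern matches (and single-segment `*` patterns leave room for that) falls through to `authenticated()` at L352 with no role check, so whether downstream services re-verify the forwarded roles header decides the actual exposure; a comment stating this intent on the `/private/**` rule would help. Also `configureRbacRule` will NPE on a rule with no `roles`, which the chart does not validate. The class body between the two hunks is not shown here.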
package com.aruba.simpl.gatewayserver.filters;
import com.aruba.simpl.common.exceptions.InvalidTierOneSessionException;
import com.aruba.simpl.common.exceptions.TierOneTokenNotFound;
import com.aruba.simpl.common.model.constants.SimplHeaders;
import com.aruba.simpl.common.utils.JwtUtil;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import lombok.SneakyThrows;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpHeaders;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilter;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;
@Component
public class HeadersFilter implements WebFilter {
private static final Logger log = LoggerFactory.getLogger(HeadersFilter.class);
private final String rolesClaimName;
public HeadersFilter(
@Value("${spring.security.oauth2.resourceserver.jwt.authorities-claim-name}") String rolesClaimName) {
this.rolesClaimName = rolesClaimName;
}
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
if (shouldSkip(exchange)) {
return chain.filter(exchange);
}
return parseToken(exchange)
.flatMap(jwt -> addHeadersToRequest(exchange, jwt))
.then(chain.filter(exchange)); // Continue the filter chain after adding auth info
}
private boolean shouldSkip(ServerWebExchange exchange) {
return exchange.getRequest().getPath().value().startsWith("/auth")
|| !exchange.getRequest().getHeaders().containsKey(HttpHeaders.AUTHORIZATION);
}
@SneakyThrows
private Mono<Void> addHeadersToRequest(ServerWebExchange exchange, SignedJWT jwt) {
log.debug("Adding JWT claims to request");
var claimSet = JwtUtil.getClaimSet(jwt);
List<String> roles =
Objects.requireNonNullElse(JwtUtil.getListClaim(jwt, rolesClaimName, String.class), new ArrayList<>());
exchange.getRequest()
.mutate()
.header(SimplHeaders.USERNAME, claimSet.getStringClaim("preferred_username"))
.header(SimplHeaders.USER_EMAIL, claimSet.getStringClaim("email"))
.header(SimplHeaders.USER_ID, claimSet.getSubject())
.header(SimplHeaders.USER_ROLES, String.join(",", roles));
return Mono.empty();
}
private Mono<SignedJWT> parseToken(ServerWebExchange exchange) {
var token = JwtUtil.getBearerToken(exchange.getRequest().getHeaders()).orElseThrow(TierOneTokenNotFound::new);
return Mono.fromCallable(() -> {
try {
return SignedJWT.parse(token);
} catch (ParseException e) {
throw new InvalidTierOneSessionException();
}
});
}
}
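Review bot: The identity headers built at L443–L448 never reach the downstream service: `ServerHttpRequest.mutate()` returns a builder whose result is discarded (no `.build()`), and the exchange handed to `chain.filter` at L431 is still the original, so USERNAME, USER_EMAIL, USER_ID and USER_ROLES are silently absent. The filter should build the mutated request, wrap it in `exchange.mutate().request(...).build()` and continue the chain with that exchange, as below. Note also that `SignedJWT.parse` performs no signature check, so these header values are only trustworthy if the resource-server filter has already validated the bearer token on every path this filter handles — that ordering is not pinned here (no `@Order`), TODO confirm. Requests without an Authorization header pass through `shouldSkip()` untouched, so consider clearing these four headers from every incoming request before populating them.

```java
@Override
public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
    if (shouldSkip(exchange)) {
        return chain.filter(exchange);
    }
    // Continue the chain with the MUTATED exchange, otherwise the headers are lost.
    return parseToken(exchange)
            .map(jwt -> withIdentityHeaders(exchange, jwt))
            .flatMap(chain::filter);
}

@SneakyThrows
private ServerWebExchange withIdentityHeaders(ServerWebExchange exchange, SignedJWT jwt) {
    log.debug("Adding JWT claims to request");
    var claimSet = JwtUtil.getClaimSet(jwt);
    List<String> roles =
            Objects.requireNonNullElse(JwtUtil.getListClaim(jwt, rolesClaimName, String.class), new ArrayList<>());
    var request = exchange.getRequest()
            .mutate()
            .header(SimplHeaders.USERNAME, claimSet.getStringClaim("preferred_username"))
            .header(SimplHeaders.USER_EMAIL, claimSet.getStringClaim("email"))
            .header(SimplHeaders.USER_ID, claimSet.getSubject())
            .header(SimplHeaders.USER_ROLES, String.join(",", roles))
            .build();
    return exchange.mutate().request(request).build();
}
// … unchanged: shouldSkip, parseToken …
```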
package com.aruba.simpl.gatewayserver.matchers;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class KeycloakMatcher implements ServerWebExchangeMatcher {
@Override
public Mono<MatchResult> matches(ServerWebExchange exchange) {
return ServerWebExchangeMatchers.pathMatchers("/auth/**").matches(exchange);
}
}
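Review bot: `matches` at L470 builds a fresh `pathMatchers("/auth/**")` on every request, which re-parses the pattern each time for no benefit. Hold it once: `private static final ServerWebExchangeMatcher DELEGATE = ServerWebExchangeMatchers.pathMatchers("/auth/**");` and `return DELEGATE.matches(exchange);`. A one-line Javadoc saying this selects the Keycloak pass-through chain (no resource-server validation, CSRF and CORS disabled) would tell a reader why `/auth/**` is special.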
package com.aruba.simpl.gatewayserver.matchers;
import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;
public class MtlsMatcher implements ServerWebExchangeMatcher {
@Override
public Mono<MatchResult> matches(ServerWebExchange exchange) {
var path = exchange.getRequest().getURI().getPath();
return path.contains("mtls") ? MatchResult.match() : MatchResult.notMatch();
}
}
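Review bot: The substring test `path.contains("mtls")` at L481 matches any request whose path contains those four letters anywhere — a user id or attribute name such as `/private/user-api/user/mtls-demo` would select this matcher — which is too loose for something that decides which security chain applies. Match the intended prefix with a path pattern instead, e.g. `return ServerWebExchangeMatchers.pathMatchers("/mtls/**").matches(exchange);` (the real prefix is not visible in this commit, so adjust it). The class is not referenced anywhere in the visible diff; if it is wired up elsewhere, a Javadoc stating which chain it selects would help.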
...@@ -66,3 +66,167 @@ springdoc: ...@@ -66,3 +66,167 @@ springdoc:
keycloak: keycloak:
app: app:
realm: authority realm: authority
routes:
public-urls:
- method: GET
path: "/swagger-ui.html"
- method: GET
path: "/swagger-ui/**"
- method: GET
path: "/v3/api-docs/**"
- method: GET
path: "/actuator/**"
# TODO Protect with NOTARY role
- method: GET
path: "/public/onboarding-api/onboarding-template/*"
- method: PUT
path: "/public/onboarding-api/onboarding-template/*"
- method: POST
path: "/public/onboarding-api/credential-request"
# TODO Protect with APPLICANT and NOTARY roles
- method: GET
path: "/public/onboarding-api/onboarding-request"
- method: POST
path: "/ocsp"
- method: GET
path: "/ca/**"
- method: GET
path: "/crl/**"
rbac:
### CLI
- path: "private/identity-api/cli/*"
roles:
- NOTARY
- T1UAR_M
- path: "private/sap-api/cli*"
roles:
- NOTARY
- T1UAR_M
- path: "private/user-api/cli*"
roles:
- NOTARY
- T1UAR_M
### ONBOARDING
- path: "private/onboarding-api/onboarding-request/*/status"
roles:
- NOTARY
- path: "private/onboarding-api/onboarding-request/*/document"
method: POST
roles:
- NOTARY
- path: "private/onboarding-api/participant-type/*"
roles:
- T2IAA_M
- path: "private/onboarding-api/onboarding-status/*"
roles:
- T2IAA_M
- path: "private/onboarding-api/onboarding-template/*"
roles:
- T2IAA_M
- path: "private/onboarding-api/mime-type/*"
roles:
- T2IAA_M
###
- path: "private/identity-api/participant/*"
method: PUT
roles:
- NOTARY
- path: "private/user-api/agent/identity-attributes"
method: GET
roles:
- T1UAR_M
- path: "private/user-api/agent/identity-attributes/*"
method: GET
roles:
- T1UAR_M
- path: "private/user-api/identity-attribute/search"
method: GET
roles:
- T1UAR_M
- path: "private/user-api/role/*"
method: GET
roles:
- T1UAR_M
- path: "private/user-api/role"
method: PUT
roles:
- T1UAR_M
- path: "private/user-api/role/*/identity-attributes"
method: POST
roles:
- T1UAR_M
- path: "private/user-api/role/delete-attribute"
method: DELETE
roles:
- T1UAR_M
- path: "private/user-api/role/*"
method: DELETE
roles:
- T1UAR_M
- path: "private/user-api/role/search"
method: GET
roles:
- T1UAR_M
- path: "private/user-api/role/*/duplicate-identity-attribute"
method: POST
roles:
- T1UAR_M
- path: "private/user-api/user/*"
method: POST
roles:
- T1UAR_M
- path: "private/user-api/user/*"
method: GET
roles:
- T1UAR_M
- path: "private/user-api/user/*"
method: PUT
roles:
- T1UAR_M
- path: "private/user-api/user/*"
method: DELETE
roles:
- T1UAR_M
- path: "private/sap-api/identity-attribute"
method: POST
roles:
- IATTR_M
- path: "private/sap-api/identity-attribute/*"
method: GET
roles:
- IATTR_M
- path: "private/sap-api/identity-attribute/*"
method: PUT
roles:
- IATTR_M
- path: "private/sap-api/identity-attribute/*"
method: DELETE
roles:
- IATTR_M
- path: "private/sap-api/identity-attribute/assignable/*"
method: PUT
roles:
- IATTR_M
- path: "private/sap-api/identity-attribute/add-participant-type/*"
method: PUT
roles:
- IATTR_M
- path: "private/sap-api/identity-attribute/unassign-participant/*"
method: DELETE
roles:
- NOTARY
- path: "private/sap-api/identity-attribute/assign-participant/*"
method: PUT
roles:
- NOTARY
- path: "private/sap-api/identity-attribute/assign/*/*"
method: PUT
roles:
- NOTARY
\ No newline at end of file
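Review bot: The public-urls list at L499–L504 permits anonymous `PUT /public/onboarding-api/onboarding-template/*` and `POST /public/onboarding-api/credential-request`; the commit's own TODO at L498 acknowledges these should require NOTARY, but shipping unauthenticated writes behind a TODO is a real exposure, so at least the write methods should move to `rbac` now (e.g. `- path: "/public/onboarding-api/onboarding-template/*"` with `method: PUT` and `roles: [NOTARY]`), leaving only the read-only GET public if that is needed for the onboarding flow. `GET /actuator/**` at L496–L497 is also public; whether that is safe depends on `management.endpoints.web.exposure`, which is cut off at the end of this page — TODO confirm it is limited to health. Separately, the CLI patterns are inconsistent: L516 uses `private/identity-api/cli/*` while L520 and L524 use `cli*`, which matches a single segment beginning with "cli" and not `/cli/<something>`; pick one form, or the sap/user CLI sub-paths fall through to plain `authenticated()`.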
users-roles: users-roles:
url: http://localhost:8080
onboarding:
url: http://localhost:8081 url: http://localhost:8081
onboarding:
url: http://localhost:8084
sap: sap:
url: http://localhost:8082 url: http://localhost:8082
identity-provider: identity-provider:
...@@ -21,6 +21,7 @@ logging: ...@@ -21,6 +21,7 @@ logging:
org.springframework: org.springframework:
web.client: DEBUG web.client: DEBUG
security: DEBUG security: DEBUG
config: classpath:log4j2-local.xml
cors: cors:
allowed-origins: "*" allowed-origins: "*"
......
...@@ -24,3 +24,72 @@ springdoc: ...@@ -24,3 +24,72 @@ springdoc:
keycloak: keycloak:
app: app:
realm: participant realm: participant
routes:
public-urls:
- method: GET
path: "/swagger-ui.html"
- method: GET
path: "/swagger-ui/**"
- method: GET
path: "/v3/api-docs/**"
- method: GET
path: "/actuator/**"
rbac:
- path: "private/user-api/agent/identity-attributes"
method: GET
roles:
- T1UAR_M
- path: "private/user-api/agent/identity-attributes/*"
method: GET
roles:
- T1UAR_M
- path: "private/user-api/identity-attribute/search"
method: GET
roles:
- T1UAR_M
- path: "private/user-api/role/*"
method: GET
roles:
- T1UAR_M
- path: "private/user-api/role"
method: PUT
roles:
- T1UAR_M
- path: "private/user-api/role/*/identity-attributes"
method: POST
roles:
- T1UAR_M
- path: "private/user-api/role/delete-attribute"
method: DELETE
roles:
- T1UAR_M
- path: "private/user-api/role/*"
method: DELETE
roles:
- T1UAR_M
- path: "private/user-api/role/search"
method: GET
roles:
- T1UAR_M
- path: "private/user-api/role/*/duplicate-identity-attribute"
method: POST
roles:
- T1UAR_M
- path: "private/user-api/user/as-t1user"
method: POST
roles:
- T1UAR_M
- path: "private/user-api/user/*"
method: GET
roles:
- T1UAR_M
- path: "private/user-api/user/*"
method: PUT
roles:
- T1UAR_M
- path: "private/user-api/user/*"
method: DELETE
roles:
- T1UAR_M
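Review bot: `GET /actuator/**` at L675–L676 is public in the participant profile too, so the same question applies: confirm the exposed management endpoints are limited to health before an unauthenticated edge serves them. The rbac list differs from the authority profile in one notable way: there is a `POST private/user-api/user/as-t1user` rule at L718 but no general `POST private/user-api/user/*` rule (authority has one at L593), so in this profile a POST to any other `/private/user-api/user/<x>` path requires only authentication, not T1UAR_M — if that is intentional a comment saying so would help, otherwise add the rule.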
...@@ -8,6 +8,8 @@ spring: ...@@ -8,6 +8,8 @@ spring:
resourceserver: resourceserver:
jwt: jwt:
issuer-uri: "${gateway.url}/auth/realms/${keycloak.app.realm}" issuer-uri: "${gateway.url}/auth/realms/${keycloak.app.realm}"
authorities-claim-name: client-roles
authority-prefix: ROLE_
management: management:
endpoints: endpoints:
......
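Review bot: `authorities-claim-name: client-roles` at L738 names a claim that Keycloak does not emit by default (its tokens carry roles under `realm_access.roles` and `resource_access.<client>.roles`), so it depends on a protocol mapper configured in the realm; without it every `hasAnyRole` rule denies and `HeadersFilter`, which reads the same property, forwards an empty roles header — fail-closed, but silent. Document the dependency next to the key: `# flat role list produced by a custom Keycloak protocol mapper; realm_access/resource_access are NOT read`. `authority-prefix: ROLE_` at L739 is consistent with `hasAnyRole`, which prepends the same prefix. The `management:` block that follows is cut off here.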