From 45b7b82329fbe80ad1b8e60a30280ad604355f34 Mon Sep 17 00:00:00 2001
From: Pavel Kotelevsky <pavel.kotelevskii@camunda.com>
Date: Mon, 6 Mar 2023 18:12:27 +0100
Subject: [PATCH] feat(bundle-saas): support m2m authentication in SaaS

---
 bundle/mvn/camunda-saas-bundle/pom.xml        |  4 +
 .../runtime/security/AudienceValidator.java   | 39 ++++++++++
 .../security/SecurityConfiguration.java       | 73 +++++++++++++++++++
 .../src/main/resources/application.properties |  5 +-
 4 files changed, 120 insertions(+), 1 deletion(-)
 create mode 100644 bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/AudienceValidator.java
 create mode 100644 bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/SecurityConfiguration.java

diff --git a/bundle/mvn/camunda-saas-bundle/pom.xml b/bundle/mvn/camunda-saas-bundle/pom.xml
index b2696db1f2..3accc637f8 100644
--- a/bundle/mvn/camunda-saas-bundle/pom.xml
+++ b/bundle/mvn/camunda-saas-bundle/pom.xml
@@ -16,6 +16,10 @@
       <artifactId>connector-runtime-bundle</artifactId>
       <version>${project.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+    </dependency>
     <dependency>
       <groupId>io.camunda.connector</groupId>
       <artifactId>connector-gcp-security-manager</artifactId>
diff --git a/bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/AudienceValidator.java b/bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/AudienceValidator.java
new file mode 100644
index 0000000000..7425ba9220
--- /dev/null
+++ b/bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/AudienceValidator.java
@@ -0,0 +1,39 @@
+/*
+ * Copyright Camunda Services GmbH and/or licensed to Camunda Services GmbH
+ * under one or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership. Camunda licenses this file to you under the Apache License,
+ * Version 2.0; you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.camunda.connector.runtime.security;
+
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
+import org.springframework.security.oauth2.jwt.Jwt;
+
+public class AudienceValidator implements OAuth2TokenValidator<Jwt> {
+  private final String audience;
+
+  AudienceValidator(String audience) {
+    this.audience = audience;
+  }
+
+  public OAuth2TokenValidatorResult validate(Jwt jwt) {
+    OAuth2Error error = new OAuth2Error("invalid_token", "The required audience is missing", null);
+
+    if (jwt.getAudience().contains(audience)) {
+      return OAuth2TokenValidatorResult.success();
+    }
+    return OAuth2TokenValidatorResult.failure(error);
+  }
+}
diff --git a/bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/SecurityConfiguration.java b/bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/SecurityConfiguration.java
new file mode 100644
index 0000000000..bf180df338
--- /dev/null
+++ b/bundle/mvn/camunda-saas-bundle/src/main/java/io/camunda/connector/runtime/security/SecurityConfiguration.java
@@ -0,0 +1,73 @@
+/*
+ * Copyright Camunda Services GmbH and/or licensed to Camunda Services GmbH
+ * under one or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership. Camunda licenses this file to you under the Apache License,
+ * Version 2.0; you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.camunda.connector.runtime.security;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.JwtDecoders;
+import org.springframework.security.oauth2.jwt.JwtValidators;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.web.SecurityFilterChain;
+
+@EnableWebSecurity
+@Configuration
+public class SecurityConfiguration {
+
+  @Value("${camunda.connector.auth.audience}")
+  private String audience;
+
+  @Value("${camunda.connector.auth.issuer}")
+  private String issuer;
+
+  @Bean
+  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    http.csrf()
+        .disable()
+        .authorizeRequests()
+        .antMatchers(HttpMethod.POST, "/inbound/**")
+        .permitAll()
+        .antMatchers("/inbound")
+        .hasAuthority("SCOPE_inbound:read")
+        .anyRequest()
+        .authenticated()
+        .and()
+        .oauth2ResourceServer()
+        .jwt();
+    return http.build();
+  }
+
+  @Bean
+  JwtDecoder jwtDecoder() {
+    NimbusJwtDecoder jwtDecoder = JwtDecoders.fromOidcIssuerLocation(issuer);
+
+    OAuth2TokenValidator<Jwt> audienceValidator = new AudienceValidator(audience);
+    OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuer);
+    OAuth2TokenValidator<Jwt> withAudience =
+        new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);
+
+    jwtDecoder.setJwtValidator(withAudience);
+    return jwtDecoder;
+  }
+}
diff --git a/bundle/mvn/camunda-saas-bundle/src/main/resources/application.properties b/bundle/mvn/camunda-saas-bundle/src/main/resources/application.properties
index 7fa68d8202..14d95f1847 100644
--- a/bundle/mvn/camunda-saas-bundle/src/main/resources/application.properties
+++ b/bundle/mvn/camunda-saas-bundle/src/main/resources/application.properties
@@ -10,7 +10,10 @@ camunda.connector.polling.enabled=true
 camunda.connector.polling.interval=5000
 camunda.connector.secrets.cache.millis=5000
 camunda.connector.webhook.enabled=true
-#spring.main.web-application-type=none
+
+# TODO: replace with prod values by default
+camunda.connector.auth.audience=connectors.dev.ultrawombat.con
+camunda.connector.auth.issuer=https://camunda-excitingdev.eu.auth0.com/
 
 # Enforce local connection, even if cluster-id set (for Operate Auth)
 zeebe.client.connection-mode=ADDRESS
\ No newline at end of file