add more fine-grained config for client assertion keystore (#258)

* add more fine-grained config for client assertion keystore

* added docs

* added undeclared deps

Author: jonathanlukas

README.md

@@ -66,8 +66,14 @@ operate:
     client-id:
     client-secret:
     scope: # optional
+    client-assertion-keystore-path: # optional
+    client-assertion-keystore-password: # optional
+    client-assertion-keystore-key-alias: # optional
+    client-assertion-keystore-key-password: # optional
 ```
 
+>The `operate.client.client-assertion-keystore-*` properties are intended to be used for `client_assertion` authentication via oidc. If this is used, no `operate.client.client-secret` needs to be provided.
+
 Configure a Camunda Operate client for Saas:
 
 ```yaml

extension/java-client-operate/src/main/java/io/camunda/operate/auth/JwtAuthentication.java

@@ -27,6 +27,8 @@
 import org.apache.hc.core5.util.Asserts;
 
 public class JwtAuthentication implements Authentication {
+  private static final String JWT_ASSERTION_TYPE =
+      "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
   private final JwtCredential jwtCredential;
   private final TypeReferenceHttpClientResponseHandler<TokenResponse> responseHandler;
   private String token;
@@ -80,21 +82,11 @@ private HttpPost buildRequest() throws Exception {
     formParams.add(new BasicNameValuePair("grant_type", "client_credentials"));
     formParams.add(new BasicNameValuePair("client_id", jwtCredential.clientId()));
 
-    boolean isClientAssertionCertPathProvided =
-        jwtCredential.clientAssertionCertPath() != null
-            && !jwtCredential.clientAssertionCertPath().isEmpty();
-
-    if (!isClientAssertionCertPathProvided) {
+    if (!clientAssertionEnabled()) {
       formParams.add(new BasicNameValuePair("client_secret", jwtCredential.clientSecret()));
     } else {
-      formParams.add(
-          new BasicNameValuePair(
-              "client_assertion",
-              createClientAssertion(
-                  jwtCredential.clientId(),
-                  jwtCredential.authUrl().toString(),
-                  jwtCredential.clientAssertionCertPath(),
-                  jwtCredential.clientAssertionCertStorePassword())));
+      formParams.add(new BasicNameValuePair("client_assertion", createClientAssertion()));
+      formParams.add(new BasicNameValuePair("client_assertion_type", JWT_ASSERTION_TYPE));
     }
 
     formParams.add(new BasicNameValuePair("audience", jwtCredential.audience()));
@@ -105,20 +97,26 @@ private HttpPost buildRequest() throws Exception {
     return httpPost;
   }
 
+  public boolean clientAssertionEnabled() {
+    return jwtCredential.clientAssertionKeystorePassword() != null
+        && !jwtCredential.clientAssertionKeystorePassword().isEmpty()
+        && jwtCredential.clientAssertionKeystorePath() != null
+        && jwtCredential.clientAssertionKeystorePath().toFile().exists();
+  }
+
   /** Create JWT client assertion for OAuth2 authentication */
-  private String createClientAssertion(
-      String clientId, String issuer, String certPath, String password) throws Exception {
+  private String createClientAssertion() throws Exception {
     Instant now = Instant.now();
 
-    var privateKeyData = loadP12Certificate(certPath, password);
+    var privateKeyData = loadP12Certificate();
     PrivateKey privateKey = privateKeyData.getKey();
     String keyId = privateKeyData.getValue();
 
     return Jwts.builder()
-        .issuer(clientId)
-        .subject(clientId)
+        .issuer(jwtCredential.clientId())
+        .subject(jwtCredential.clientId())
         .audience()
-        .add(issuer)
+        .add(jwtCredential.authUrl().toString())
         .and()
         .issuedAt(Date.from(now))
         .notBefore(Date.from(now))
@@ -133,17 +131,28 @@ private String createClientAssertion(
         .compact();
   }
 
-  private Map.Entry<PrivateKey, String> loadP12Certificate(String certPath, String password)
-      throws Exception {
+  private Map.Entry<PrivateKey, String> loadP12Certificate() throws Exception {
     KeyStore keyStore = KeyStore.getInstance("PKCS12");
 
-    try (FileInputStream fis = new FileInputStream(certPath)) {
-      keyStore.load(fis, password != null ? password.toCharArray() : null);
+    char[] keystorePassword =
+        jwtCredential.clientAssertionKeystorePassword() != null
+            ? jwtCredential.clientAssertionKeystorePassword().toCharArray()
+            : null;
+    char[] keystoreKeyPassword =
+        jwtCredential.clientAssertionKeystoreKeyPassword() != null
+            ? jwtCredential.clientAssertionKeystoreKeyPassword().toCharArray()
+            : keystorePassword;
+
+    try (FileInputStream fis =
+        new FileInputStream(jwtCredential.clientAssertionKeystorePath().toFile())) {
+      keyStore.load(fis, keystorePassword);
     }
 
-    String alias = keyStore.aliases().nextElement();
-    PrivateKey privateKey =
-        (PrivateKey) keyStore.getKey(alias, password != null ? password.toCharArray() : null);
+    String alias =
+        jwtCredential.clientAssertionKeystoreKeyAlias() != null
+            ? jwtCredential.clientAssertionKeystoreKeyAlias()
+            : keyStore.aliases().nextElement();
+    PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, keystoreKeyPassword);
     X509Certificate cert = (X509Certificate) keyStore.getCertificate(alias);
 
     String x5tThumbprint = generateX5tThumbprint(cert);

extension/java-client-operate/src/main/java/io/camunda/operate/auth/JwtCredential.java

@@ -1,18 +1,21 @@
 package io.camunda.operate.auth;
 
 import java.net.URL;
+import java.nio.file.Path;
 
 public record JwtCredential(
     String clientId,
     String clientSecret,
     String audience,
     URL authUrl,
     String scope,
-    String clientAssertionCertPath,
-    String clientAssertionCertStorePassword) {
+    Path clientAssertionKeystorePath,
+    String clientAssertionKeystorePassword,
+    String clientAssertionKeystoreKeyAlias,
+    String clientAssertionKeystoreKeyPassword) {
 
   public JwtCredential(
       String clientId, String clientSecret, String audience, URL authUrl, String scope) {
-    this(clientId, clientSecret, audience, authUrl, scope, null, null);
+    this(clientId, clientSecret, audience, authUrl, scope, null, null, null, null);
   }
 }

extension/spring-boot-starter-camunda-operate/pom.xml

@@ -12,6 +12,11 @@
   <artifactId>spring-boot-starter-camunda-operate</artifactId>
 
   <dependencies>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+      <scope>provided</scope>
+    </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter</artifactId>
@@ -92,6 +97,9 @@
               </ignoredUnusedDeclaredDependency>
               <ignoredUnusedDeclaredDependency>org.springframework.boot:spring-boot-configuration-processor</ignoredUnusedDeclaredDependency>
             </ignoredUnusedDeclaredDependencies>
+            <ignoredUsedUndeclaredDependencies>
+              <ignoredUsedUndeclaredDependency>org.springframework:spring-jcl</ignoredUsedUndeclaredDependency>
+            </ignoredUsedUndeclaredDependencies>
           </configuration>
         </plugin>
       </plugins>

extension/spring-boot-starter-camunda-operate/src/main/java/io/camunda/operate/spring/OperateClientConfiguration.java

@@ -12,6 +12,8 @@
 import io.camunda.operate.http.TypeReferenceHttpClientResponseHandler;
 import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
 import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
@@ -24,6 +26,7 @@
 @ConditionalOnProperty(value = "operate.client.enabled", matchIfMissing = true)
 @Import(ObjectMapperConfiguration.class)
 public class OperateClientConfiguration {
+  private static final Logger LOG = LoggerFactory.getLogger(OperateClientConfiguration.class);
   private final OperateClientConfigurationProperties properties;
   private final ObjectMapper objectMapper;
 
@@ -79,8 +82,10 @@ public Authentication operateAuthentication() {
                 properties.audience(),
                 properties.authUrl(),
                 properties.scope(),
-                properties.clientAssertionCertPath(),
-                properties.clientAssertionCertStorePassword()),
+                properties.clientAssertionKeystorePath(),
+                properties.clientAssertionKeystorePassword(),
+                properties.clientAssertionKeystoreKeyAlias(),
+                properties.clientAssertionKeystoreKeyPassword()),
             new TypeReferenceHttpClientResponseHandler<>(new TypeReference<>() {}, objectMapper));
       }
       default -> throw new IllegalStateException("Unsupported profile: " + properties.profile());

extension/spring-boot-starter-camunda-operate/src/main/java/io/camunda/operate/spring/OperateClientConfigurationProperties.java

@@ -1,6 +1,7 @@
 package io.camunda.operate.spring;
 
 import java.net.URL;
+import java.nio.file.Path;
 import java.time.Duration;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 
@@ -20,8 +21,10 @@ public record OperateClientConfigurationProperties(
     URL authUrl,
     String audience,
     String scope,
-    String clientAssertionCertPath,
-    String clientAssertionCertStorePassword,
+    Path clientAssertionKeystorePath,
+    String clientAssertionKeystorePassword,
+    String clientAssertionKeystoreKeyAlias,
+    String clientAssertionKeystoreKeyPassword,
     // saas auth properies
     String region,
     String clusterId) {

extension/spring-boot-starter-camunda-operate/src/main/java/io/camunda/operate/spring/OperatePropertiesPostProcessor.java

@@ -1,23 +1,35 @@
 package io.camunda.operate.spring;
 
 import io.camunda.operate.spring.OperateClientConfigurationProperties.Profile;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
+import org.apache.commons.logging.Log;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.env.EnvironmentPostProcessor;
 import org.springframework.boot.env.YamlPropertySourceLoader;
+import org.springframework.boot.logging.DeferredLogFactory;
 import org.springframework.core.env.ConfigurableEnvironment;
 import org.springframework.core.env.PropertySource;
 import org.springframework.core.io.ClassPathResource;
 
 public class OperatePropertiesPostProcessor implements EnvironmentPostProcessor {
+  private final Log log;
+
+  public OperatePropertiesPostProcessor(DeferredLogFactory deferredLogFactory) {
+    log = deferredLogFactory.getLog(OperatePropertiesPostProcessor.class);
+  }
 
   @Override
   public void postProcessEnvironment(
       ConfigurableEnvironment environment, SpringApplication application) {
     try {
       Profile profile = environment.getProperty("operate.client.profile", Profile.class);
       if (profile == null) {
-        return;
+        profile = detectProfile(environment);
+        if (profile == null) {
+          return;
+        }
       }
       YamlPropertySourceLoader loader = new YamlPropertySourceLoader();
       String propertiesFile = "operate-profiles/" + determinePropertiesFile(profile);
@@ -45,4 +57,39 @@ private String determinePropertiesFile(Profile clientMode) {
     }
     throw new IllegalStateException("Unknown client mode " + clientMode);
   }
+
+  private Profile detectProfile(ConfigurableEnvironment environment) {
+    // cluster id is set -> always saas
+    if (environment.getProperty("operate.client.cluster-id") != null) {
+      log.debug("Detected 'operate.client.profile'='saas' based on 'operate.client.cluster-id'");
+      return Profile.saas;
+    }
+    // here, we can try to distinguish between simple and oidc
+    Set<Profile> potentialProfiles = new HashSet<>();
+    if (environment.getProperty("operate.client.username") != null) {
+      log.debug("Detected 'operate.client.profile'='simple' based on 'operate.client.username'");
+      potentialProfiles.add(Profile.simple);
+    }
+    if (environment.getProperty("operate.client.password") != null) {
+      log.debug("Detected 'operate.client.profile'='simple' based on 'operate.client.password'");
+      potentialProfiles.add(Profile.simple);
+    }
+    if (environment.getProperty("operate.client.client-id") != null) {
+      log.debug("Detected 'operate.client.profile'='oidc' based on 'operate.client.client-id'");
+      potentialProfiles.add(Profile.oidc);
+    }
+    if (environment.getProperty("operate.client.client-secret") != null) {
+      log.debug("Detected 'operate.client.profile'='oidc' based on 'operate.client.client-secret'");
+      potentialProfiles.add(Profile.oidc);
+    }
+    if (potentialProfiles.isEmpty()) {
+      log.debug("No 'operate.client.profile' could be detected");
+      return null;
+    }
+    if (potentialProfiles.size() > 1) {
+      log.warn(
+          "Multiple implicit values for 'operate.client.profile' detected: " + potentialProfiles);
+    }
+    return potentialProfiles.iterator().next();
+  }
 }

extension/spring-boot-starter-camunda-operate/src/test/java/io/camunda/operate/spring/OperateClientProfileDetectionTest.java

@@ -0,0 +1,66 @@
+package io.camunda.operate.spring;
+
+import static io.camunda.operate.spring.OperateClientConfigurationProperties.Profile.*;
+import static org.assertj.core.api.Assertions.*;
+
+import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+
+public class OperateClientProfileDetectionTest {
+  @Nested
+  @SpringBootTest(properties = "operate.client.username=demo")
+  class DetectSimpleByUsername {
+    @Autowired OperateClientConfigurationProperties properties;
+
+    @Test
+    void shouldDetectProfile() {
+      assertThat(properties.profile()).isEqualTo(simple);
+    }
+  }
+
+  @Nested
+  @SpringBootTest(properties = "operate.client.password=demo")
+  class DetectSimpleByPassword {
+    @Autowired OperateClientConfigurationProperties properties;
+
+    @Test
+    void shouldDetectProfile() {
+      assertThat(properties.profile()).isEqualTo(simple);
+    }
+  }
+
+  @Nested
+  @SpringBootTest(properties = "operate.client.client-id=demo")
+  class DetectOidcByClientId {
+    @Autowired OperateClientConfigurationProperties properties;
+
+    @Test
+    void shouldDetectProfile() {
+      assertThat(properties.profile()).isEqualTo(oidc);
+    }
+  }
+
+  @Nested
+  @SpringBootTest(properties = "operate.client.client-secret=demo")
+  class DetectOidcByClientSecret {
+    @Autowired OperateClientConfigurationProperties properties;
+
+    @Test
+    void shouldDetectProfile() {
+      assertThat(properties.profile()).isEqualTo(oidc);
+    }
+  }
+
+  @Nested
+  @SpringBootTest(properties = {"operate.client.cluster-id=demo", "operate.client.region=bru-2"})
+  class DetectSaasByClusterId {
+    @Autowired OperateClientConfigurationProperties properties;
+
+    @Test
+    void shouldDetectProfile() {
+      assertThat(properties.profile()).isEqualTo(saas);
+    }
+  }
+}