
Commit 3391fd3

committed
[NCL-9522] Enable clients to use LDAP auth to requests to other apps
1 parent b38e6bc commit 3391fd3


9 files changed

+95
-90
lines changed


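--- a/pom.xml
+++ b/pom.xml
@@ -242,6 +242,11 @@
 <artifactId>bifrost-upload-client</artifactId>
 <version>3.3.0</version>
 </dependency>
+<dependency>
+<groupId>org.jboss.pnc</groupId>
+<artifactId>quarkus-pnc-client-auth</artifactId>
+<version>1.0.0-SNAPSHOT</version>
+</dependency>
 <dependency>
 <groupId>org.jboss.pnc.logging</groupId>
 <artifactId>quarkus-logging-kafka-deployment</artifactId>
@@ -311,6 +316,17 @@
 <id>jboss-snapshots</id>
 <url>https://repository.jboss.org/nexus/content/repositories/snapshots</url>
 </repository>
+<repository>
+<releases>
+<enabled>false</enabled>
+</releases>
+<snapshots>
+<enabled>true</enabled>
+</snapshots>
+<id>central-portal-snapshots</id>
+<name>Central Portal Snapshots</name>
+<url>https://central.sonatype.com/repository/maven-snapshots/</url>
+</repository>
 
 <repository>
 <snapshots>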
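Review bot: The new `quarkus-pnc-client-auth` dependency in the first hunk is pinned to `1.0.0-SNAPSHOT`, so the library that now builds every outbound Authorization header is a mutable artifact that can change between builds without any change in this repository. The second hunk adds `central-portal-snapshots` next to the existing `jboss-snapshots` repository, which means a SNAPSHOT coordinate can be resolved from either location. Depending on a released version would make the build reproducible and would likely make the extra snapshot repository unnecessary. If the snapshot has to stay for now, a comment such as `<!-- TODO: switch to a release of quarkus-pnc-client-auth and drop central-portal-snapshots -->` next to the dependency records the intent.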

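--- a/src/main/java/org/jboss/pnc/repositorydriver/Driver.java
+++ b/src/main/java/org/jboss/pnc/repositorydriver/Driver.java
@@ -80,6 +80,7 @@
 import org.jboss.pnc.bifrost.upload.TagOption;
 import org.jboss.pnc.common.log.MDCUtils;
 import org.jboss.pnc.common.otel.OtelUtils;
+import org.jboss.pnc.quarkus.client.auth.runtime.PNCClientAuth;
 import org.jboss.pnc.repositorydriver.artifactfilter.ArtifactFilterDatabase;
 import org.jboss.pnc.repositorydriver.runtime.ApplicationLifecycle;
 import org.slf4j.Logger;
@@ -97,7 +98,6 @@
 import io.opentelemetry.context.Scope;
 import io.opentelemetry.instrumentation.annotations.SpanAttribute;
 import io.opentelemetry.instrumentation.annotations.WithSpan;
-import io.quarkus.oidc.client.OidcClient;
 import net.jodah.failsafe.Failsafe;
 import net.jodah.failsafe.RetryPolicy;
 import net.jodah.failsafe.event.ExecutionAttemptedEvent;
@@ -141,7 +141,7 @@ public class Driver {
 TrackingReportProcessor trackingReportProcessor;
 
 @Inject
-OidcClient oidcClient;
+PNCClientAuth pncClientAuth;
 
 @Inject
 BifrostLogUploader bifrostLogUploader;
@@ -412,7 +412,7 @@ private void uploadLogs(String message, String operation) {
 .build();
 bifrostLogUploader.uploadString(message, logMetadata);
 } catch (BifrostUploadException ex) {
-logger.error("Unable to upload logs to bifrost. Log was:\n" + message, ex);
+logger.error("Unable to upload logs to bifrost. Log was: \n{}", message, ex);
 // We don't want to fail the build when we couldn't upload to bifrost, because the repo driver log is not
 // critical.
 }
@@ -528,7 +528,7 @@ private HttpRequest getArchivalHttpRequest(String body) {
 .uri(URI.create(configuration.getArchiveServiceEndpoint()))
 .POST(HttpRequest.BodyPublishers.ofString(body))
 .timeout(Duration.ofSeconds(configuration.getHttpClientRequestTimeout()))
-.header(AUTHORIZATION_STRING, "Bearer " + getFreshAccessToken())
+.header(AUTHORIZATION_STRING, pncClientAuth.getHttpAuthorizationHeaderValue())
 .header(CONTENT_TYPE_STRING, "application/json");
 
 return builder.build();
@@ -603,7 +603,7 @@ private HttpRequest getNotifyHttpRequest(Request callback, String body) {
 callback.getHeaders().forEach(h -> builder.header(h.getName(), h.getValue()));
 // Add the service account's access token. We use a fresh one instead of serviceTokens since serviceTokens might
 // already be closed to expiry when we hit this method inside the executor
-builder.header(jakarta.ws.rs.core.HttpHeaders.AUTHORIZATION, "Bearer " + getFreshAccessToken());
+builder.header(jakarta.ws.rs.core.HttpHeaders.AUTHORIZATION, pncClientAuth.getHttpAuthorizationHeaderValue());
 return builder.build();
 }
 
@@ -888,7 +888,7 @@ private String getValidationError(AbstractPromoteResult<?> result) {
 .append("\n\n"));
 }
 }
-if (sb.length() == 0) {
+if (sb.isEmpty()) {
 sb.append("(no error message received)");
 }
 return sb.toString();
@@ -926,7 +926,7 @@ private void deleteBuildRepos(
 other = new StoreKey(genericRepo.getPackageType(), StoreType.group, groupName);
 }
 } else {
-logger.error("Unexpected store type in " + genericRepo + " which should be cleaned. Skipping.");
+logger.error("Unexpected store type in {} which should be cleaned. Skipping.", genericRepo);
 }
 
 if (other != null) {
@@ -985,7 +985,9 @@ private Runnable heartBeatSender(Request heartBeat) {
 .method(heartBeat.getMethod().name(), HttpRequest.BodyPublishers.noBody())
 .timeout(Duration.ofSeconds(configuration.getHttpClientRequestTimeout()));
 heartBeat.getHeaders().forEach(h -> builder.header(h.getName(), h.getValue()));
-builder.header(jakarta.ws.rs.core.HttpHeaders.AUTHORIZATION, "Bearer " + getFreshAccessToken());
+builder.header(
+jakarta.ws.rs.core.HttpHeaders.AUTHORIZATION,
+pncClientAuth.getHttpAuthorizationHeaderValue());
 HttpRequest request = builder.build();
 
 CompletableFuture<HttpResponse<String>> response = httpClient
@@ -1088,13 +1090,4 @@ private Function<HttpResponse<String>, HttpResponse<String>> validateResponse()
 }
 };
 }
-
-/**
-* Get an access token for the service account
-*
-* @return fresh access token
-*/
-private String getFreshAccessToken() {
-return oidcClient.getTokens().await().indefinitely().getAccessToken();
-}
 }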
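Review bot: In `getNotifyHttpRequest` and `heartBeatSender` the value from `pncClientAuth.getHttpAuthorizationHeaderValue()` is attached to requests built from the `callback` and `heartBeat` objects, and nothing in these hunks checks the destination before the credential is added. With `type: LDAP` (see application.yaml in this commit) the value is presumably a reusable username/password rather than a short-lived token, so a plain-http or unexpected destination would expose a long-lived secret; a scheme and host check before `builder.header(...)` would limit that. `HttpRequest.Builder.header` appends, so an `Authorization` entry copied from the request's own headers would be sent alongside the service credential, whereas `builder.setHeader(jakarta.ws.rs.core.HttpHeaders.AUTHORIZATION, pncClientAuth.getHttpAuthorizationHeaderValue());` replaces it. The comment above the call in `getNotifyHttpRequest` still speaks of an access token and could read `// Add the service account's Authorization value (bearer token or LDAP credentials, depending on the configured auth type)`. Both methods start outside the hunks shown.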

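--- a/src/main/java/org/jboss/pnc/repositorydriver/indy/IndyPNCOAuthBearerAuthenticator.java
+++ b/src/main/java/org/jboss/pnc/repositorydriver/indy/IndyPNCOAuthBearerAuthenticator.java
@@ -9,31 +9,24 @@
 import org.apache.http.message.BasicHeader;
 import org.commonjava.indy.client.core.auth.IndyClientAuthenticator;
 import org.commonjava.util.jhttpc.JHttpCException;
-
-import io.quarkus.oidc.client.OidcClient;
+import org.jboss.pnc.quarkus.client.auth.runtime.PNCClientAuth;
 
 @ApplicationScoped
 public class IndyPNCOAuthBearerAuthenticator extends IndyClientAuthenticator {
 
 private static final String AUTHORIZATION_HEADER = "Authorization";
 
-private static final String BEARER_FORMAT = "Bearer %s";
-
 @Inject
-OidcClient oidcClient;
+PNCClientAuth pncClientAuth;
 
 @Override
 public HttpClientBuilder decorateClientBuilder(HttpClientBuilder builder) throws JHttpCException {
 builder.addInterceptorFirst((HttpRequestInterceptor) (httpRequest, httpContext) -> {
 final Header header = new BasicHeader(
 AUTHORIZATION_HEADER,
-String.format(BEARER_FORMAT, getFreshAccessToken()));
+pncClientAuth.getHttpAuthorizationHeaderValue());
 httpRequest.addHeader(header);
 });
 return builder;
 }
-
-private String getFreshAccessToken() {
-return oidcClient.getTokens().await().indefinitely().getAccessToken();
-}
 }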
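Review bot: The interceptor registered in `decorateClientBuilder` adds the value from `pncClientAuth.getHttpAuthorizationHeaderValue()` to every request the client sends with no check on the target host, and the class is still named `IndyPNCOAuthBearerAuthenticator` although the value is no longer necessarily a bearer token. If the LDAP mode yields reusable credentials (not visible here), they would also travel to any other host the client is pointed at or redirected to, so it is worth confirming that this client only talks to Indy over TLS. A class-level Javadoc such as `/** Adds the PNC service Authorization header (OIDC bearer or LDAP, per pnc_client_auth.type) to Indy client requests. */` would keep the name from misleading readers. Using `httpRequest.setHeader(header);` instead of `addHeader` avoids a second `Authorization` header when one is already present.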

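--- a/src/main/java/org/jboss/pnc/repositorydriver/runtime/BifrostLogUploaderProducer.java
+++ b/src/main/java/org/jboss/pnc/repositorydriver/runtime/BifrostLogUploaderProducer.java
@@ -25,31 +25,26 @@
 
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 import org.jboss.pnc.bifrost.upload.BifrostLogUploader;
-
-import io.quarkus.oidc.client.OidcClient;
+import org.jboss.pnc.quarkus.client.auth.runtime.PNCClientAuth;
 
 @ApplicationScoped
 public class BifrostLogUploaderProducer {
 
 @Inject
-OidcClient oidcClient;
-private final BifrostLogUploader logUploader;
+PNCClientAuth pncClientAuth;
 
-public BifrostLogUploaderProducer(
+@Produces
+@ApplicationScoped
+public BifrostLogUploader createClient(
 @ConfigProperty(name = "repository-driver.bifrost-uploader.api-url") URI bifrostUrl,
 @ConfigProperty(name = "repository-driver.bifrost-uploader.maxRetries", defaultValue = "6") int maxRetries,
 @ConfigProperty(
 name = "repository-driver.bifrost-uploader.retryDelay",
 defaultValue = "10") int retryDelay) {
-logUploader = new BifrostLogUploader(bifrostUrl, this::getFreshAccessToken, maxRetries, retryDelay);
-}
-
-private String getFreshAccessToken() {
-return "Bearer " + oidcClient.getTokens().await().indefinitely().getAccessToken();
-}
-
-@Produces
-public BifrostLogUploader produce() {
-return logUploader;
+return new BifrostLogUploader(
+bifrostUrl,
+pncClientAuth::getHttpAuthorizationHeaderValue,
+maxRetries,
+retryDelay);
 }
 }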

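--- a/src/main/resources/application.yaml
+++ b/src/main/resources/application.yaml
@@ -60,6 +60,12 @@ quarkus:
 client-id: my-app
 credentials:
 secret: secret
+
+pnc_client_auth:
+type: OIDC # or LDAP
+# ldap_credentials:
+# path: /mnt/secrets/ldap_credentials # file must be in format: <username>:<password>
+
 repository-driver:
 ignored-path-patterns:
 archive:
@@ -101,10 +107,19 @@ repository-driver:
 
 "%test":
 quarkus:
+arc:
+# to use the injected Mock instead
+exclude-types: org.jboss.pnc.quarkus.client.auth.runtime.PNCClientAuthImpl
 oidc:
 enabled: false
 oidc-client:
 enabled: false
+http:
+auth:
+basic: false
+security:
+ldap:
+enabled: false
 log:
 console:
 json: false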
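Review bot: The commented `ldap_credentials` example in the first hunk documents the `<username>:<password>` file format but not how the file should be protected, nor which endpoints receive the credential once `type: LDAP` is selected. The same header value is then sent by Driver, the Indy authenticator and the Bifrost uploader in this commit, so the comment could state the expectations, for example `# path: /mnt/secrets/ldap_credentials # one line <username>:<password>; mount read-only, readable only by the service user; use with HTTPS endpoints only`. How a `:` inside the password is parsed is not visible here and would be worth documenting as well. Indentation is lost in this rendering, so the nesting of `pnc_client_auth` cannot be checked from the page.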

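--- a/src/test/java/org/jboss/pnc/repositorydriver/DriverTest.java
+++ b/src/test/java/org/jboss/pnc/repositorydriver/DriverTest.java
@@ -2,6 +2,8 @@
 
 import static com.github.tomakehurst.wiremock.client.WireMock.*;
 import static io.restassured.RestAssured.given;
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.Mockito.any;
 
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -86,9 +88,9 @@ public static void beforeClass() throws Exception {
 callbackServer.start(8082, BIND_HOST);
 
 BifrostLogUploader bifrostLogUploader = Mockito.mock(BifrostLogUploader.class);
-Mockito.doNothing().when(bifrostLogUploader).uploadString(Mockito.any(), Mockito.any());
+Mockito.doNothing().when(bifrostLogUploader).uploadString(any(), any());
 BifrostLogUploaderProducer bifrostLogUploaderProducer = Mockito.mock(BifrostLogUploaderProducer.class);
-Mockito.when(bifrostLogUploaderProducer.produce()).thenReturn(bifrostLogUploader);
+Mockito.when(bifrostLogUploaderProducer.createClient(any(), anyInt(), anyInt())).thenReturn(bifrostLogUploader);
 QuarkusMock.installMockForType(bifrostLogUploaderProducer, BifrostLogUploaderProducer.class);
 }
 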
src/test/java/org/jboss/pnc/repositorydriver/MockOidcClient.java

Lines changed: 0 additions & 44 deletions
This file was deleted.
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
package org.jboss.pnc.repositorydriver;
2+
3+
import java.io.IOException;
4+
5+
import javax.enterprise.context.ApplicationScoped;
6+
7+
import org.jboss.pnc.quarkus.client.auth.runtime.PNCClientAuth;
8+
9+
import io.quarkus.test.Mock;
10+
11+
@Mock
12+
@ApplicationScoped
13+
public class PNCClientAuthMock implements PNCClientAuth {
14+
@Override
15+
public String getAuthToken() {
16+
return "1234";
17+
}
18+
19+
@Override
20+
public String getHttpAuthorizationHeaderValue() {
21+
return "Bearer 1234";
22+
}
23+
24+
@Override
25+
public String getHttpAuthorizationHeaderValueWithCachedToken() {
26+
return getHttpAuthorizationHeaderValue();
27+
}
28+
29+
@Override
30+
public LDAPCredentials getLDAPCredentials() throws IOException {
31+
return new LDAPCredentials("user", "password");
32+
}
33+
}
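Review bot: The new mock imports `javax.enterprise.context.ApplicationScoped`, while the other files on this page use the `jakarta.*` namespace (`jakarta.inject.Inject`, `jakarta.ws.rs.core.HttpHeaders`), so the scope annotation is probably not recognised by the container and the bean would fall back to whatever scope `@Mock` implies. `import jakarta.enterprise.context.ApplicationScoped;` would match the rest of the project. The fixed values `"1234"` and `"password"` are fine for a test double, but a short class comment such as `/** Test stand-in for PNCClientAuth; returns fixed dummy credentials. */` would make it explicit that they are placeholders.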

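--- a/src/test/java/org/jboss/pnc/repositorydriver/WithSidecarTest.java
+++ b/src/test/java/org/jboss/pnc/repositorydriver/WithSidecarTest.java
@@ -2,6 +2,8 @@
 
 import static io.restassured.RestAssured.given;
 import static org.jboss.pnc.repositorydriver.DriverTest.requestHeaders;
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.Mockito.any;
 
 import jakarta.inject.Inject;
 import jakarta.ws.rs.core.MediaType;
@@ -37,9 +39,9 @@ public class WithSidecarTest {
 @BeforeAll
 public static void beforeClass() throws Exception {
 BifrostLogUploader bifrostLogUploader = Mockito.mock(BifrostLogUploader.class);
-Mockito.doNothing().when(bifrostLogUploader).uploadString(Mockito.any(), Mockito.any());
+Mockito.doNothing().when(bifrostLogUploader).uploadString(any(), any());
 BifrostLogUploaderProducer bifrostLogUploaderProducer = Mockito.mock(BifrostLogUploaderProducer.class);
-Mockito.when(bifrostLogUploaderProducer.produce()).thenReturn(bifrostLogUploader);
+Mockito.when(bifrostLogUploaderProducer.createClient(any(), anyInt(), anyInt())).thenReturn(bifrostLogUploader);
 QuarkusMock.installMockForType(bifrostLogUploaderProducer, BifrostLogUploaderProducer.class);
 }
 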