[NCL-9522] Enable clients to use LDAP auth to requests to other apps

Author: thescouser89

pom.xml

@@ -242,6 +242,11 @@
       <artifactId>bifrost-upload-client</artifactId>
       <version>3.3.0</version>
     </dependency>
+    <dependency>
+      <groupId>org.jboss.pnc</groupId>
+      <artifactId>quarkus-pnc-client-auth</artifactId>
+      <version>1.0.0-SNAPSHOT</version>
+    </dependency>
     <dependency>
       <groupId>org.jboss.pnc.logging</groupId>
       <artifactId>quarkus-logging-kafka-deployment</artifactId>
@@ -311,6 +316,17 @@
       <id>jboss-snapshots</id>
       <url>https://repository.jboss.org/nexus/content/repositories/snapshots</url>
     </repository>
+    <repository>
+      <releases>
+        <enabled>false</enabled>
+      </releases>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <id>central-portal-snapshots</id>
+      <name>Central Portal Snapshots</name>
+      <url>https://central.sonatype.com/repository/maven-snapshots/</url>
+    </repository>
 
     <repository>
       <snapshots>

src/main/java/org/jboss/pnc/repositorydriver/Driver.java

@@ -80,6 +80,7 @@
 import org.jboss.pnc.bifrost.upload.TagOption;
 import org.jboss.pnc.common.log.MDCUtils;
 import org.jboss.pnc.common.otel.OtelUtils;
+import org.jboss.pnc.quarkus.client.auth.runtime.PNCClientAuth;
 import org.jboss.pnc.repositorydriver.artifactfilter.ArtifactFilterDatabase;
 import org.jboss.pnc.repositorydriver.runtime.ApplicationLifecycle;
 import org.slf4j.Logger;
@@ -97,7 +98,6 @@
 import io.opentelemetry.context.Scope;
 import io.opentelemetry.instrumentation.annotations.SpanAttribute;
 import io.opentelemetry.instrumentation.annotations.WithSpan;
-import io.quarkus.oidc.client.OidcClient;
 import net.jodah.failsafe.Failsafe;
 import net.jodah.failsafe.RetryPolicy;
 import net.jodah.failsafe.event.ExecutionAttemptedEvent;
@@ -141,7 +141,7 @@ public class Driver {
     TrackingReportProcessor trackingReportProcessor;
 
     @Inject
-    OidcClient oidcClient;
+    PNCClientAuth pncClientAuth;
 
     @Inject
     BifrostLogUploader bifrostLogUploader;
@@ -412,7 +412,7 @@ private void uploadLogs(String message, String operation) {
                     .build();
             bifrostLogUploader.uploadString(message, logMetadata);
         } catch (BifrostUploadException ex) {
-            logger.error("Unable to upload logs to bifrost. Log was:\n" + message, ex);
+            logger.error("Unable to upload logs to bifrost. Log was: \n{}", message, ex);
             // We don't want to fail the build when we couldn't upload to bifrost, because the repo driver log is not
             // critical.
         }
@@ -528,7 +528,7 @@ private HttpRequest getArchivalHttpRequest(String body) {
                 .uri(URI.create(configuration.getArchiveServiceEndpoint()))
                 .POST(HttpRequest.BodyPublishers.ofString(body))
                 .timeout(Duration.ofSeconds(configuration.getHttpClientRequestTimeout()))
-                .header(AUTHORIZATION_STRING, "Bearer " + getFreshAccessToken())
+                .header(AUTHORIZATION_STRING, pncClientAuth.getHttpAuthorizationHeaderValue())
                 .header(CONTENT_TYPE_STRING, "application/json");
 
         return builder.build();
@@ -603,7 +603,7 @@ private HttpRequest getNotifyHttpRequest(Request callback, String body) {
         callback.getHeaders().forEach(h -> builder.header(h.getName(), h.getValue()));
         // Add the service account's access token. We use a fresh one instead of serviceTokens since serviceTokens might
         // already be closed to expiry when we hit this method inside the executor
-        builder.header(jakarta.ws.rs.core.HttpHeaders.AUTHORIZATION, "Bearer " + getFreshAccessToken());
+        builder.header(jakarta.ws.rs.core.HttpHeaders.AUTHORIZATION, pncClientAuth.getHttpAuthorizationHeaderValue());
         return builder.build();
     }
 
@@ -888,7 +888,7 @@ private String getValidationError(AbstractPromoteResult<?> result) {
                                         .append("\n\n"));
             }
         }
-        if (sb.length() == 0) {
+        if (sb.isEmpty()) {
             sb.append("(no error message received)");
         }
         return sb.toString();
@@ -926,7 +926,7 @@ private void deleteBuildRepos(
                         other = new StoreKey(genericRepo.getPackageType(), StoreType.group, groupName);
                     }
                 } else {
-                    logger.error("Unexpected store type in " + genericRepo + " which should be cleaned. Skipping.");
+                    logger.error("Unexpected store type in {} which should be cleaned. Skipping.", genericRepo);
                 }
 
                 if (other != null) {
@@ -985,7 +985,9 @@ private Runnable heartBeatSender(Request heartBeat) {
                     .method(heartBeat.getMethod().name(), HttpRequest.BodyPublishers.noBody())
                     .timeout(Duration.ofSeconds(configuration.getHttpClientRequestTimeout()));
             heartBeat.getHeaders().forEach(h -> builder.header(h.getName(), h.getValue()));
-            builder.header(jakarta.ws.rs.core.HttpHeaders.AUTHORIZATION, "Bearer " + getFreshAccessToken());
+            builder.header(
+                    jakarta.ws.rs.core.HttpHeaders.AUTHORIZATION,
+                    pncClientAuth.getHttpAuthorizationHeaderValue());
             HttpRequest request = builder.build();
 
             CompletableFuture<HttpResponse<String>> response = httpClient
@@ -1088,13 +1090,4 @@ private Function<HttpResponse<String>, HttpResponse<String>> validateResponse()
             }
         };
     }
-
-    /**
-     * Get an access token for the service account
-     *
-     * @return fresh access token
-     */
-    private String getFreshAccessToken() {
-        return oidcClient.getTokens().await().indefinitely().getAccessToken();
-    }
 }

src/main/java/org/jboss/pnc/repositorydriver/indy/IndyPNCOAuthBearerAuthenticator.java

@@ -9,31 +9,24 @@
 import org.apache.http.message.BasicHeader;
 import org.commonjava.indy.client.core.auth.IndyClientAuthenticator;
 import org.commonjava.util.jhttpc.JHttpCException;
-
-import io.quarkus.oidc.client.OidcClient;
+import org.jboss.pnc.quarkus.client.auth.runtime.PNCClientAuth;
 
 @ApplicationScoped
 public class IndyPNCOAuthBearerAuthenticator extends IndyClientAuthenticator {
 
     private static final String AUTHORIZATION_HEADER = "Authorization";
 
-    private static final String BEARER_FORMAT = "Bearer %s";
-
     @Inject
-    OidcClient oidcClient;
+    PNCClientAuth pncClientAuth;
 
     @Override
     public HttpClientBuilder decorateClientBuilder(HttpClientBuilder builder) throws JHttpCException {
         builder.addInterceptorFirst((HttpRequestInterceptor) (httpRequest, httpContext) -> {
             final Header header = new BasicHeader(
                     AUTHORIZATION_HEADER,
-                    String.format(BEARER_FORMAT, getFreshAccessToken()));
+                    pncClientAuth.getHttpAuthorizationHeaderValue());
             httpRequest.addHeader(header);
         });
         return builder;
     }
-
-    private String getFreshAccessToken() {
-        return oidcClient.getTokens().await().indefinitely().getAccessToken();
-    }
 }

src/main/java/org/jboss/pnc/repositorydriver/runtime/BifrostLogUploaderProducer.java

@@ -25,31 +25,26 @@
 
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 import org.jboss.pnc.bifrost.upload.BifrostLogUploader;
-
-import io.quarkus.oidc.client.OidcClient;
+import org.jboss.pnc.quarkus.client.auth.runtime.PNCClientAuth;
 
 @ApplicationScoped
 public class BifrostLogUploaderProducer {
 
     @Inject
-    OidcClient oidcClient;
-    private final BifrostLogUploader logUploader;
+    PNCClientAuth pncClientAuth;
 
-    public BifrostLogUploaderProducer(
+    @Produces
+    @ApplicationScoped
+    public BifrostLogUploader createClient(
             @ConfigProperty(name = "repository-driver.bifrost-uploader.api-url") URI bifrostUrl,
             @ConfigProperty(name = "repository-driver.bifrost-uploader.maxRetries", defaultValue = "6") int maxRetries,
             @ConfigProperty(
                     name = "repository-driver.bifrost-uploader.retryDelay",
                     defaultValue = "10") int retryDelay) {
-        logUploader = new BifrostLogUploader(bifrostUrl, this::getFreshAccessToken, maxRetries, retryDelay);
-    }
-
-    private String getFreshAccessToken() {
-        return "Bearer " + oidcClient.getTokens().await().indefinitely().getAccessToken();
-    }
-
-    @Produces
-    public BifrostLogUploader produce() {
-        return logUploader;
+        return new BifrostLogUploader(
+                bifrostUrl,
+                pncClientAuth::getHttpAuthorizationHeaderValue,
+                maxRetries,
+                retryDelay);
     }
 }

src/main/resources/application.yaml

@@ -60,6 +60,12 @@ quarkus:
     client-id: my-app
     credentials:
       secret: secret
+
+pnc_client_auth:
+  type: OIDC # or LDAP
+  # ldap_credentials:
+  #    path: /mnt/secrets/ldap_credentials # file must be in format: <username>:<password>
+
 repository-driver:
   ignored-path-patterns:
     archive:
@@ -101,10 +107,19 @@ repository-driver:
 
 "%test":
   quarkus:
+    arc:
+      # to use the injected Mock instead
+      exclude-types: org.jboss.pnc.quarkus.client.auth.runtime.PNCClientAuthImpl
     oidc:
       enabled: false
     oidc-client:
       enabled: false
+    http:
+      auth:
+        basic: false
+    security:
+      ldap:
+        enabled: false
     log:
       console:
         json: false

src/test/java/org/jboss/pnc/repositorydriver/DriverTest.java

@@ -2,6 +2,8 @@
 
 import static com.github.tomakehurst.wiremock.client.WireMock.*;
 import static io.restassured.RestAssured.given;
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.Mockito.any;
 
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -86,9 +88,9 @@ public static void beforeClass() throws Exception {
         callbackServer.start(8082, BIND_HOST);
 
         BifrostLogUploader bifrostLogUploader = Mockito.mock(BifrostLogUploader.class);
-        Mockito.doNothing().when(bifrostLogUploader).uploadString(Mockito.any(), Mockito.any());
+        Mockito.doNothing().when(bifrostLogUploader).uploadString(any(), any());
         BifrostLogUploaderProducer bifrostLogUploaderProducer = Mockito.mock(BifrostLogUploaderProducer.class);
-        Mockito.when(bifrostLogUploaderProducer.produce()).thenReturn(bifrostLogUploader);
+        Mockito.when(bifrostLogUploaderProducer.createClient(any(), anyInt(), anyInt())).thenReturn(bifrostLogUploader);
         QuarkusMock.installMockForType(bifrostLogUploaderProducer, BifrostLogUploaderProducer.class);
     }
 

src/test/java/org/jboss/pnc/repositorydriver/MockOidcClient.java

@@ -0,0 +1,33 @@
+package org.jboss.pnc.repositorydriver;
+
+import java.io.IOException;
+
+import javax.enterprise.context.ApplicationScoped;
+
+import org.jboss.pnc.quarkus.client.auth.runtime.PNCClientAuth;
+
+import io.quarkus.test.Mock;
+
+@Mock
+@ApplicationScoped
+public class PNCClientAuthMock implements PNCClientAuth {
+    @Override
+    public String getAuthToken() {
+        return "1234";
+    }
+
+    @Override
+    public String getHttpAuthorizationHeaderValue() {
+        return "Bearer 1234";
+    }
+
+    @Override
+    public String getHttpAuthorizationHeaderValueWithCachedToken() {
+        return getHttpAuthorizationHeaderValue();
+    }
+
+    @Override
+    public LDAPCredentials getLDAPCredentials() throws IOException {
+        return new LDAPCredentials("user", "password");
+    }
+}

src/test/java/org/jboss/pnc/repositorydriver/PNCClientAuthMock.java

@@ -2,6 +2,8 @@
 
 import static io.restassured.RestAssured.given;
 import static org.jboss.pnc.repositorydriver.DriverTest.requestHeaders;
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.Mockito.any;
 
 import jakarta.inject.Inject;
 import jakarta.ws.rs.core.MediaType;
@@ -37,9 +39,9 @@ public class WithSidecarTest {
     @BeforeAll
     public static void beforeClass() throws Exception {
         BifrostLogUploader bifrostLogUploader = Mockito.mock(BifrostLogUploader.class);
-        Mockito.doNothing().when(bifrostLogUploader).uploadString(Mockito.any(), Mockito.any());
+        Mockito.doNothing().when(bifrostLogUploader).uploadString(any(), any());
         BifrostLogUploaderProducer bifrostLogUploaderProducer = Mockito.mock(BifrostLogUploaderProducer.class);
-        Mockito.when(bifrostLogUploaderProducer.produce()).thenReturn(bifrostLogUploader);
+        Mockito.when(bifrostLogUploaderProducer.createClient(any(), anyInt(), anyInt())).thenReturn(bifrostLogUploader);
         QuarkusMock.installMockForType(bifrostLogUploaderProducer, BifrostLogUploaderProducer.class);
     }