Use JWT for authentication (#229)

* Pull out the existing security config

* POC extract user info from JWT token

* Deploy from PR

* Correctly extract JWT from Header

* Allow egress to auth server

* Remove startup probe

* Exclude /ping from user auth paths

* Null check on auth header

* Factor out into private methods

* Unauthorized response when no token supplied

* Implement KlassUserMapperJwt

* Return generic message with error response

* Remove klass-shared from workflow triggers

* Add TODOs

* Remove User Admin tab since functionality is no longer available

* Use only the initials as username

* Handle disabled functionality elegantly

* Remove commented code

* Revert "Deploy from PR"

This reverts commit fd6f766.

* Remove commented code

* Remove more commented and unused code

* Remove more commented code

Author: mmwinther

.github/workflows/klass-forvaltning-build-and-deploy.yaml

@@ -8,7 +8,6 @@ on:
       - nais-migration
     paths:
       - "klass-forvaltning/**"
-      - "klass-shared/**"
       - ".nais/**/klass-forvaltning.yaml"
       - ".github/workflows/klass-forvaltning-build-and-deploy.yaml"
 

.nais/test/klass-forvaltning.yaml

@@ -11,7 +11,10 @@ spec:
 
   ingresses:
     - https://klass-forvaltning.intern.test.ssb.no
-
+  accessPolicy:
+    outbound:
+      external:
+        - host: auth.test.ssb.no
   login:
     provider: openid
     enforce:

klass-forvaltning/pom.xml

@@ -17,7 +17,7 @@
         <github.repository>statisticsnorway/klass</github.repository>
         <!-- Klass dependencies are built with support for Java 8 and Spring Boot 1.4.4.
              Newer versions are not supported -->
-        <klass-shared-version>2.2.1</klass-shared-version>
+        <klass-shared-version>2.2.2-SNAPSHOT</klass-shared-version>
         <klass-solr-version>2.1.7</klass-solr-version>
         <!-- Vaadin 7.7.17 was the last public open-source version of the Vaadin 7 framework.
              See https://vaadin.com/support/vaadin-7-extended-maintenance  -->
@@ -92,15 +92,19 @@
             <version>${postgresql.version}</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-oauth2-resource-server</artifactId>
-            <version>5.1.13.RELEASE</version>
+            <version>5.3.5.RELEASE</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-oauth2-jose</artifactId>
-            <version>5.1.13.RELEASE</version>
+            <version>5.3.5.RELEASE</version>
         </dependency>
 
         <!--TOMCAT-->
@@ -212,6 +216,10 @@
             <version>4.0.4</version>
             <scope>compile</scope>
         </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-autoconfigure</artifactId>
+        </dependency>
     </dependencies>
 
     <dependencyManagement>

klass-forvaltning/src/main/java/no/ssb/klass/KlassForvaltningApplication.java

@@ -7,11 +7,6 @@
 import org.springframework.boot.web.support.SpringBootServletInitializer;
 import org.springframework.context.annotation.Import;
 
-import javax.servlet.ServletContext;
-import javax.servlet.ServletContextEvent;
-import javax.servlet.ServletContextListener;
-import javax.servlet.ServletException;
-
 
 @SpringBootApplication
 @Import(EmbeddedServletContainerAutoConfiguration.EmbeddedTomcat.class)
@@ -22,26 +17,6 @@ protected SpringApplicationBuilder configure(SpringApplicationBuilder applicatio
         return application.sources(KlassForvaltningApplication.class);
     }
 
-    @Override
-    public void onStartup(ServletContext servletContext) throws ServletException {
-        servletContext.addListener(new ServletContextListener() {
-
-            @Override
-            public void contextInitialized(ServletContextEvent servletContextEvent) {
-                // Nothing to do here
-            }
-
-            @Override
-            public void contextDestroyed(ServletContextEvent sce) {
-                // Explicitly deregister the driver to prevent race conditions with Tomcat de-registering the Driver.
-                // This is fixed in Spring Boot versions >=2.3.0
-                // Ref https://github.com/spring-projects/spring-boot/issues/21221
-                org.mariadb.jdbc.Driver.unloadDriver();
-            }
-        });
-        super.onStartup(servletContext);
-    }
-
 
     public static void main(String[] args) {
         SpringApplication.run(KlassForvaltningApplication.class, args);

klass-forvaltning/src/main/java/no/ssb/klass/designer/LoginDesign.java

@@ -10,13 +10,11 @@
 import com.vaadin.ui.NativeSelect;
 import com.vaadin.ui.UI;
 import no.ssb.klass.core.model.ClassificationType;
-import no.ssb.klass.core.model.User;
 import no.ssb.klass.designer.admin.AdminView;
 import no.ssb.klass.designer.admin.ContentUseStatView;
 import no.ssb.klass.designer.components.BreadcumbPanel.Breadcrumb;
 import no.ssb.klass.designer.components.ClassificationListViewSelection;
 import no.ssb.klass.designer.service.ClassificationFacade;
-import no.ssb.klass.designer.service.KlassLoginService;
 import no.ssb.klass.designer.user.UserContext;
 import no.ssb.klass.designer.util.ConfirmationDialog;
 import no.ssb.klass.designer.util.KlassTheme;
@@ -25,33 +23,30 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.vaadin.spring.security.VaadinSecurity;
 
 import java.util.List;
 
 import static com.google.common.base.Preconditions.checkNotNull;
 
 @SpringUI
-@SuppressWarnings("serial")
 public class MainView extends MainDesign implements ViewChangeListener {
     private static final Logger log = LoggerFactory.getLogger(MainView.class);
     private Navigator navigator;
 
     private final SpringViewProvider springViewProvider;
-    private final KlassLoginService klassLoginService;
-    private final VaadinSecurity vaadinSecurity;
     private final UserContext userContext;
 
+
     private ConfirmationDialog confirmationDialog;
 
     @Autowired
-    public MainView(ClassificationFacade classificationFacade, SpringViewProvider springViewProvider,
-                    VaadinSecurity vaadinSecurity, KlassLoginService vaadinLoginService, UserContext userContext) {
+    public MainView(
+            ClassificationFacade classificationFacade,
+            SpringViewProvider springViewProvider,
+            UserContext userContext
+    ) {
         this.springViewProvider = springViewProvider;
-        this.klassLoginService = vaadinLoginService;
-        this.vaadinSecurity = vaadinSecurity;
         this.userContext = userContext;
-        verifyUser();
         configureNavigator();
         MainFilterLogic.configureFilterPanel(selectKodeverk, selectSection, classificationFacade);
         configureTopPanel();
@@ -72,7 +67,7 @@ private void configureUserMenu() {
     }
 
     private void logout(MenuBar.MenuItem menuItem) {
-        vaadinSecurity.logout();
+//        vaadinSecurity.logout();
     }
 
     private void createAdminView() {
@@ -83,16 +78,6 @@ private void createInnholdBruksstatistikkView() {
         VaadinUtil.navigateTo(ContentUseStatView.NAME);
     }
 
-    private void verifyUser() {
-        if (!userContext.hasUser()) {
-        /* TODO https://statistics-norway.atlassian.net/browse/DPMETA-916
-                Replace hardcoded user with user info extracted from the token
-        */
-            log.debug("Set User {}", userContext);
-            userContext.setUser(new User("kno@ssb.no", "Kari Nordmann", "854"));
-        }
-    }
-
     public void configureNavigator() {
         navigator = new Navigator(UI.getCurrent(), content);
         navigator.addViewChangeListener(this);

klass-forvaltning/src/main/java/no/ssb/klass/designer/LoginView.java

@@ -1,21 +1,21 @@
 package no.ssb.klass.designer.admin;
 
-import org.springframework.security.access.annotation.Secured;
-import org.vaadin.spring.annotation.PrototypeScope;
-
 import com.vaadin.navigator.View;
 import com.vaadin.navigator.ViewChangeListener.ViewChangeEvent;
 import com.vaadin.spring.annotation.SpringView;
+import no.ssb.klass.designer.user.KlassRoles;
+import org.springframework.security.access.annotation.Secured;
+import org.vaadin.spring.annotation.PrototypeScope;
 
-import no.ssb.klass.core.ldap.ActiveDirectoryRoles;
 
 @SuppressWarnings("serial")
 @PrototypeScope
 @SpringView(name = AdminView.NAME)
-@Secured(ActiveDirectoryRoles.KLASS_ADMINISTRATOR)
+@Secured(KlassRoles.KLASS_ADMINISTRATOR)
 public class AdminView extends AdminDesign implements View {
 
     public static final String NAME = "AdminView";
+
     @Override
     public void enter(ViewChangeEvent event) {
         sectionsTab.init();