feature(chore):786 added alternative port for internal access only.

charts/traceability-foss/charts/backend/templates/deployment.yaml

@@ -128,6 +128,8 @@ spec:
               value: {{ .Values.config.allowedCorsOriginSecond | quote }}
             - name: EDC_DATA_ENDPOINT_URL
               value: {{ .Values.edc.dataEndpointUrl | quote }}
+            - name: TRUSTED_PORT
+              value: {{ .Values.edc.dataEndpointUrl | quote }}
             - name: DISCOVERY_FINDER_URL_WITH_PATH
               value: {{ .Values.discoveryfinder.baseUrl | quote }}
             - name: JWT_RESOURCE_CLIENT

charts/traceability-foss/charts/backend/templates/service.yaml

@@ -31,5 +31,9 @@ spec:
       targetPort: {{ .Values.service.port }}
       protocol: TCP
       name: http
+    - port: {{ .Values.service.trustedPort }}
+      targetPort: http-trusted
+      protocol: TCP
+      name: http-trusted
   selector:
     {{- include "traceability-foss-backend.selectorLabels" . | nindent 4 }}

charts/traceability-foss/values.yaml

@@ -212,6 +212,7 @@ backend:
   service:
     type: ClusterIP
     port: 8080
+    trustedPort: 8181
 
   autoscaling:
     enabled: false

tx-backend/src/main/java/org/eclipse/tractusx/traceability/common/config/TrustedEndpointsFilter.java

@@ -0,0 +1,82 @@
+/********************************************************************************
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ********************************************************************************/
+package org.eclipse.tractusx.traceability.common.config;
+
+import jakarta.servlet.Filter;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequestWrapper;
+import jakarta.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpServletResponseWrapper;
+import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.lang3.StringUtils;
+import org.eclipse.tractusx.irs.common.ApiConstants;
+import org.springframework.context.annotation.Profile;
+
+import java.io.IOException;
+
+import static org.eclipse.tractusx.traceability.common.config.ApplicationProfiles.NOT_INTEGRATION_TESTS;
+
+@Profile(NOT_INTEGRATION_TESTS)
+@Slf4j
+public class TrustedEndpointsFilter implements Filter {
+    private final int trustedPortNum;
+
+    /* package */ TrustedEndpointsFilter(final String trustedPort) {
+        if (StringUtils.isNotEmpty(trustedPort)) {
+            trustedPortNum = Integer.parseInt(trustedPort);
+        } else {
+            trustedPortNum = 0;
+        }
+    }
+
+    @Override
+    public void doFilter(final ServletRequest servletRequest, final ServletResponse servletResponse,
+                         final FilterChain filterChain) throws IOException, ServletException {
+        if (trustedPortNum != 0) {
+
+            if (isRequestForTrustedEndpoint(servletRequest) && servletRequest.getLocalPort() != trustedPortNum) {
+                log.warn("denying request for trusted endpoint on untrusted port");
+                if (servletResponse instanceof HttpServletResponseWrapper httpServletResponse) {
+                    httpServletResponse.setStatus(HttpServletResponse.SC_NOT_FOUND);
+                }
+                servletResponse.getOutputStream().close();
+                return;
+            }
+
+            if (!isRequestForTrustedEndpoint(servletRequest) && servletRequest.getLocalPort() == trustedPortNum) {
+                log.warn("denying request for untrusted endpoint on trusted port");
+                if (servletResponse instanceof HttpServletResponseWrapper httpServletResponse) {
+                    httpServletResponse.setStatus(HttpServletResponse.SC_NOT_FOUND);
+                }
+                servletResponse.getOutputStream().close();
+                return;
+            }
+        }
+
+        filterChain.doFilter(servletRequest, servletResponse);
+    }
+
+    private boolean isRequestForTrustedEndpoint(final ServletRequest servletRequest) {
+        return ((HttpServletRequestWrapper) servletRequest).getRequestURI()
+                .startsWith("/" + ApiConstants.API_PREFIX_INTERNAL);
+    }
+}

tx-backend/src/main/java/org/eclipse/tractusx/traceability/common/config/TrustedPortConfiguration.java

@@ -0,0 +1,112 @@
+/********************************************************************************
+ * Copyright (c) 2024 Contributors to the Eclipse Foundation
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Apache License, Version 2.0 which is available at
+ * https://www.apache.org/licenses/LICENSE-2.0.
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ ********************************************************************************/
+package org.eclipse.tractusx.traceability.common.config;
+
+import org.apache.catalina.connector.Connector;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.web.ServerProperties;
+import org.springframework.boot.autoconfigure.web.servlet.TomcatServletWebServerFactoryCustomizer;
+import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
+import org.springframework.boot.web.server.WebServerFactoryCustomizer;
+import org.springframework.boot.web.servlet.FilterRegistrationBean;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import static org.eclipse.tractusx.traceability.common.config.ApplicationProfiles.NOT_INTEGRATION_TESTS;
+
+/**
+ * Configures the trusted port
+ */
+@Profile(NOT_INTEGRATION_TESTS)
+@Configuration
+public class TrustedPortConfiguration {
+    private final String serverPort;
+
+    private final String trustedPort;
+
+    public TrustedPortConfiguration(@Value("${server.port:8080}") final String serverPort,
+                                    @Value("${management.server.port:${server.port:8080}}") final String managementPort,
+                                    @Value("${server.trustedPort}") final String trustedPort) {
+
+        this.serverPort = serverPort;
+        this.trustedPort = trustedPort;
+    }
+
+    @Bean
+    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> servletContainer() {
+
+        final Connector[] additionalConnectors = this.additionalConnector();
+
+        final ServerProperties serverProperties = new ServerProperties();
+        return new TomcatMultiConnectorServletWebServerFactoryCustomizer(serverProperties, additionalConnectors);
+    }
+
+    private Connector[] additionalConnector() {
+
+        if (StringUtils.isEmpty(this.trustedPort)) {
+            return new Connector[0];
+        }
+
+        final Set<String> defaultPorts = new HashSet<>();
+        defaultPorts.add(serverPort);
+
+        if (defaultPorts.contains(trustedPort)) {
+            return new Connector[0];
+        } else {
+            final Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
+            connector.setScheme("http");
+            connector.setPort(Integer.parseInt(trustedPort));
+            return new Connector[] { connector };
+        }
+    }
+
+    /**
+     * Customizer for additional connectors
+     */
+    private static class TomcatMultiConnectorServletWebServerFactoryCustomizer
+            extends TomcatServletWebServerFactoryCustomizer {
+        private final Connector[] additionalConnectors;
+
+        /* package */ TomcatMultiConnectorServletWebServerFactoryCustomizer(final ServerProperties serverProperties,
+                final Connector... additionalConnectors) {
+            super(serverProperties);
+            this.additionalConnectors = Arrays.copyOf(additionalConnectors, additionalConnectors.length);
+        }
+
+        @Override
+        public void customize(final TomcatServletWebServerFactory factory) {
+            super.customize(factory);
+
+            if (additionalConnectors != null && additionalConnectors.length > 0) {
+                factory.addAdditionalTomcatConnectors(additionalConnectors);
+            }
+        }
+    }
+
+    @Bean
+    public FilterRegistrationBean<TrustedEndpointsFilter> trustedEndpointsFilter() {
+        return new FilterRegistrationBean<>(new TrustedEndpointsFilter(trustedPort));
+    }
+}

tx-backend/src/main/resources/application.yml

@@ -81,6 +81,7 @@ irs-edc-client:
 
 
 server:
+  trustedPort: ${TRUSTED_PORT}
   servlet:
     context-path: /api