fixes #364 Split unified-config for UnifiedSecurityHandle to share wi…

…th Lambda native

openapi-security/pom.xml

@@ -50,6 +50,10 @@
             <groupId>com.networknt</groupId>
             <artifactId>security</artifactId>
         </dependency>
+        <dependency>
+            <groupId>com.networknt</groupId>
+            <artifactId>unified-config</artifactId>
+        </dependency>
         <dependency>
             <groupId>com.networknt</groupId>
             <artifactId>handler</artifactId>

pom.xml

@@ -119,6 +119,7 @@
         <module>openapi-meta</module>
         <module>validator-config</module>
         <module>openapi-validator</module>
+        <module>unified-config</module>
         <module>openapi-security</module>
         <module>access-control</module>
         <module>specification</module>
@@ -147,6 +148,11 @@
                 <artifactId>openapi-validator</artifactId>
                 <version>${project.version}</version>
             </dependency>
+            <dependency>
+                <groupId>com.networknt</groupId>
+                <artifactId>unified-config</artifactId>
+                <version>${project.version}</version>
+            </dependency>
             <dependency>
                 <groupId>com.networknt</groupId>
                 <artifactId>openapi-security</artifactId>
@@ -178,6 +184,11 @@
                 <artifactId>http-string</artifactId>
                 <version>${version.light-4j}</version>
             </dependency>
+            <dependency>
+                <groupId>com.networknt</groupId>
+                <artifactId>security-config</artifactId>
+                <version>${version.light-4j}</version>
+            </dependency>
             <dependency>
                 <groupId>com.networknt</groupId>
                 <artifactId>security</artifactId>

unified-config/pom.xml

@@ -0,0 +1,63 @@
+<!--
+  ~ Copyright (c) 2016 Network New Technologies Inc.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>com.networknt</groupId>
+        <artifactId>light-rest-4j</artifactId>
+        <version>2.1.34-SNAPSHOT</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+
+    <artifactId>unified-config</artifactId>
+    <packaging>jar</packaging>
+    <description>The unified-security config module shared with lambda-native.</description>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.networknt</groupId>
+            <artifactId>config</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.networknt</groupId>
+            <artifactId>security-config</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>ch.qos.logback</groupId>
+            <artifactId>logback-classic</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+    </dependencies>
+
+</project>

unified-config/src/main/resources/config/openapi-security.yml

@@ -0,0 +1,123 @@
+# Security configuration for openapi-security in light-rest-4j. It is a specific config
+# for OpenAPI framework security. It is introduced to support multiple frameworks in the
+# same server instance. If this file cannot be found, the generic security.yml will be
+# loaded for backward compatibility.
+---
+# Enable the JWT verification flag. The JwtVerifierHandler will skip the JWT token verification
+# if this flag is false. It should only be set to false on the dev environment for testing
+# purposes. If you have some endpoints that want to skip the JWT verification, you can put the
+# request path prefix in skipPathPrefixes.
+enableVerifyJwt: ${openapi-security.enableVerifyJwt:true}
+
+# Enable the SWT verification flag. The SwtVerifierHandler will skip the SWT token verification
+# if this flag is false. It should only be set to false on the dev environment for testing
+# purposes. If you have some endpoints that want to skip the SWT verification, you can put the
+# request path prefix in skipPathPrefixes.
+enableVerifySwt: ${openapi-security.enableVerifySwt:false}
+
+# swt clientId header name. When light-gateway is used and the consumer app does not want to save
+# the client secret in the configuration file, it can be passed in the header.
+swtClientIdHeader: ${openapi-security.swtClientIdHeader:swt-client}
+# swt clientSecret header name. When light-gateway is used and the consumer app does not want to save
+# the client secret in the configuration file, it can be passed in the header.
+swtClientSecretHeader: ${openapi-security.swtClientSecretHeader:swt-secret}
+
+# Extract JWT scope token from the X-Scope-Token header and validate the JWT token
+enableExtractScopeToken: ${openapi-security.enableExtractScopeToken:true}
+
+# Enable JWT scope verification. This flag is valid when enableVerifyJwt is true. When using the
+# light gateway as a centralized gateway without backend API specifications, you can still enable
+# this flag to allow the admin endpoints to have scopes verified. And all backend APIs without
+# specifications skip the scope verification if the spec does not exist with the skipVerifyScopeWithoutSpec
+# flag to true. Also, you need to have the openapi.yml specification file in the config folder to
+# enable it, as the scope verification compares the scope from the JWT token and the scope in the
+# endpoint specification.
+enableVerifyScope: ${openapi-security.enableVerifyScope:true}
+
+# Users should only use this flag in a shared light gateway if the backend API specifications are
+# unavailable in the gateway config folder. If this flag is true and the enableVerifyScope is true,
+# the security handler will invoke the scope verification for all endpoints. However, if the endpoint
+# doesn't have a specification to retrieve the defined scopes, the handler will skip the scope verification.
+skipVerifyScopeWithoutSpec: ${openapi-security.skipVerifyScopeWithoutSpec:false}
+
+# If set true, the JWT verifier handler will pass if the JWT token is expired already. Unless
+# you have a strong reason, please use it only on the dev environment if your OAuth 2 provider
+# doesn't support long-lived token for dev environment or test automation.
+ignoreJwtExpiry: ${openapi-security.ignoreJwtExpiry:false}
+
+# set true if you want to allow http 1/1 connections to be upgraded to http/2 using the UPGRADE method (h2c).
+# By default, this is set to false for security reasons. If you choose to enable it make sure you can handle http/2 w/o tls.
+enableH2c: ${openapi-security.enableH2c:false}
+
+# User for test only. should be always be false on official environment.
+enableMockJwt: ${openapi-security.enableMockJwt:false}
+
+# Enables relaxed verification for jwt. e.g. Disables key length requirements.
+# Should be used in test environments only.
+enableRelaxedKeyValidation: ${openapi-security.enableRelaxedKeyValidation:false}
+
+# JWT signature public certificates. kid and certificate path mappings.
+jwt:
+  certificate: ${openapi-security.certificate:100=primary.crt&101=secondary.crt}
+#    '100': primary.crt
+#    '101': secondary.crt
+  clockSkewInSeconds: ${openapi-security.clockSkewInSeconds:60}
+  # Key distribution server standard: JsonWebKeySet for other OAuth 2.0 provider| X509Certificate for light-oauth2
+  keyResolver: ${openapi-security.keyResolver:JsonWebKeySet}
+
+# Enable or disable JWT token logging for audit. This is to log the entire token
+# or choose the next option that only logs client_id, user_id and scope.
+logJwtToken: ${openapi-security.logJwtToken:true}
+
+# Enable or disable client_id, user_id and scope logging if you don't want to log
+# the entire token. Choose this option or the option above.
+logClientUserScope: ${openapi-security.logClientUserScope:false}
+
+# Enable JWT token cache to speed up verification. This will only verify expired time
+# and skip the signature verification as it takes more CPU power and a long time. If
+# each request has a different jwt token, like authorization code flow, this indicator
+# should be turned off. Otherwise, the cached jwt will only be removed after 15 minutes
+# and the cache can grow bigger if the number of requests is very high. This will cause
+# memory kill in a Kubernetes pod if the memory setting is limited.
+enableJwtCache: ${openapi-security.enableJwtCache:true}
+
+# If enableJwtCache is true, then an error message will be shown up in the log if the
+# cache size is bigger than the jwtCacheFullSize. This helps the developers to detect
+# cache problem if many distinct tokens flood the cache in a short period of time. If
+# you see JWT cache exceeds the size limit in logs, you need to turn off the enableJwtCache
+# or increase the cache full size to a bigger number from the default 100.
+jwtCacheFullSize: ${openapi-security.jwtCacheFullSize:100}
+
+# If you are using light-oauth2, then you don't need to have oauth subfolder for public
+# key certificate to verify JWT token, the key will be retrieved from key endpoint once
+# the first token is arrived. Default to false for dev environment without oauth2 server
+# or official environment that use other OAuth 2.0 providers.
+bootstrapFromKeyService: ${openapi-security.bootstrapFromKeyService:false}
+
+# Used in light-oauth2 and oauth-kafka key service for federated deployment. Each instance
+# will have a providerId, and it will be part of the kid to allow each instance to get the
+# JWK from other instance based on the providerId in the kid.
+providerId: ${openapi-security.providerId:}
+
+# Define a list of path prefixes to skip the security to ease the configuration for the
+# handler.yml so that users can define some endpoint without security even through it uses
+# the default chain. This is particularly useful in the light-gateway use case as the same
+# instance might be shared with multiple consumers and providers with different security
+# requirement. The format is a list of strings separated with commas or a JSON list in
+# values.yml definition from config server, or you can use yaml format in this file.
+skipPathPrefixes: ${openapi-security.skipPathPrefixes:}
+
+# When light-gateway or http-sidecar is used for security, sometimes, we need to pass some
+# claims from the JWT or SWT to the backend API for further verification or audit. You can
+# select some claims to pass to the backend API with HTTP headers. The format is a map of
+# claim in the token and a header name that the downstream API is expecting. You can use
+# both JSON or YAML format.
+# When SwtVerifyHandler is used, the claim names are in https://github.com/networknt/light-4j/blob/master/client/src/main/java/com/networknt/client/oauth/TokenInfo.java
+# When JwtVerifyHandler is used, the claim names is the JwtClaims claimName.
+# YAML
+# openapi-security.passThroughClaims:
+#   clientId: client_id
+#   tokenType: token_type
+# JSON
+# openapi-security.passThroughClaims: {"clientId":"client_id","tokenType":"token_type"}
+passThroughClaims: ${openapi-security.passThroughClaims:}

unified-config/src/main/resources/config/unified-security.yml

@@ -0,0 +1,31 @@
+# unified-security.yml
+# indicate if this handler is enabled. By default, it will be enabled if it is injected into the
+# request/response chain in the handler.yml configuration.
+enabled: ${unified-security.enabled:true}
+# Anonymous prefixes configuration. A list of request path prefixes. The anonymous prefixes will be checked
+# first, and if any path is matched, all other security checks will be bypassed, and the request goes to
+# the next handler in the chain. You can use json array or string separated by comma or YAML format.
+anonymousPrefixes: ${unified-security.anonymousPrefixes:}
+# String format with comma separator
+# /v1/pets,/v1/cats,/v1/dogs
+# JSON format as a string
+# ["/v1/pets", "/v1/dogs", "/v1/cats"]
+# YAML format
+#   - /v1/pets
+#   - /v1/dogs
+#   - /v1/cats
+pathPrefixAuths: ${unified-security.pathPrefixAuths:}
+# format as a string for config server.
+# [{"prefix":"/salesforce","basic":true,"jwt":true,"apikey":true,"jwkServiceIds":"com.networknt.petstore-1.0.0, com.networknt.market-1.0.0"},{"prefix":"/blackrock","basic":true,"jwt":true,"jwkServiceIds":["com.networknt.petstore-1.0.0","com.networknt.market-1.0.0"]}]
+# format with YAML for readability
+    # path prefix security configuration.
+    # - pathPrefix: /salesforce
+        # indicate if the basic auth is enabled for this path prefix
+      # basic: true
+        # indicate if the jwt token verification is enabled for this path prefix
+      # jwt: true
+        # indicate if the apikey is enabled for this path prefix
+      # apikey: true
+        # if jwt is true and there are two or more jwk servers for the path prefix, then list all the
+        # serviceIds for jwk in client.yml
+      # jwkServiceIds: service1,service2

unified-config/src/test/resources/config/handler.yml

@@ -0,0 +1,68 @@
+# Handler middleware chain configuration
+---
+enabled: true
+
+# Configuration for the LightHttpHandler. The handler is the base class  for all middleware, server and health handlers
+# set the Status Object in the AUDIT_INFO, for auditing purposes
+# default, if not set:false
+auditOnError: ${handler.auditOnError:false}
+
+# set the StackTrace in the AUDIT_INFO, for auditing purposes
+# default, if not set:false
+auditStackTrace: ${handler.auditStackTrace:false}
+
+# Base Path of the API endpoints
+basePath: ${handler.basePath:/}
+
+#------------------------------------------------------------------------------
+# Support individual handler chains for each separate endpoint. It allows framework
+# handlers like health check, server info to bypass majority of the middleware handlers
+# and allows mixing multiple frameworks like OpenAPI and GraphQL in the same instance.
+#
+# handlers  --  list of handlers to be used across chains in this microservice
+#               including the routing handlers for ALL endpoints
+#           --  format: fully qualified handler class name@optional:given name
+# chains    --  allows forming of [1..N] chains, which could be wholly or
+#               used to form handler chains for each endpoint
+#               ex.: default chain below, reused partially across multiple endpoints
+# paths     --  list all the paths to be used for routing within the microservice
+#           ----  path: the URI for the endpoint (ex.: path: '/v1/pets')
+#           ----  method: the operation in use (ex.: 'post')
+#           ----  exec: handlers to be executed -- this element forms the list and
+#                       the order of execution for the handlers
+#
+# IMPORTANT NOTES:
+# - to avoid executing a handler, it has to be removed/commented out in the chain
+#   or change the enabled:boolean to false for a middleware handler configuration.
+# - all handlers, routing handler included, are to be listed in the execution chain
+# - for consistency, give a name to each handler; it is easier to refer to a name
+#   vs a fully qualified class name and is more elegant
+# - you can list in chains the fully qualified handler class names, and avoid using the
+#   handlers element altogether
+#------------------------------------------------------------------------------
+handlers: ${handler.handlers:}
+
+chains:
+  default: ${handler.chains.default:}
+
+paths:
+  - path: '/*'
+    method: 'GET'
+    exec:
+      - default
+  - path: '/*'
+    method: 'POST'
+    exec:
+      - default
+  - path: '/*'
+    method: 'PUT'
+    exec:
+      - default
+  - path: '/*'
+    method: 'DELETE'
+    exec:
+      - default
+  - path: '/*'
+    method: 'PATCH'
+    exec:
+      - default

unified-config/src/test/resources/config/openapi-handler-multiple.yml

@@ -0,0 +1,9 @@
+# openapi-handler.yml
+# This configuration file is used to support multiple OpenAPI specifications in the same light-rest-4j instance.
+# An indicator to allow multiple openapi specifications. Default to false which only allow one spec named openapi.yml or openapi.yaml or openapi.json.
+multipleSpec: ${openapi-handler.multipleSpec:true}
+# Path to spec mapping. One or more base paths can map to the same specifications. The key is the base path and the value is the specification name.
+# If users want to use multiple specification files in the same instance, each specification must have a unique base path and it must be set as key.
+pathSpecMapping:
+  /petstore: openapi-petstore
+  /market: openapi-market