feat(identity): support identity authentication for Zeebe

chillleader · chillleader · commit ed2b42801e84 · 2024-01-31T09:31:54.000+01:00
diff --git a/camunda-sdk-java/java-common/src/main/java/io/camunda/common/auth/SelfManagedAuthentication.java b/camunda-sdk-java/java-common/src/main/java/io/camunda/common/auth/SelfManagedAuthentication.java
@@ -1,9 +1,9 @@
 package io.camunda.common.auth;
 
 import io.camunda.common.auth.identity.IdentityConfig;
+import io.camunda.common.exception.SdkException;
 import io.camunda.identity.sdk.Identity;
 import io.camunda.identity.sdk.authentication.Tokens;
-import io.camunda.identity.sdk.authentication.exception.TokenExpiredException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -14,10 +14,30 @@
 
 public class SelfManagedAuthentication extends JwtAuthentication {
 
+  private static class Token {
+
+    public static final long EXPIRATION_BUFFER = 60 * 1000; // 1 minute
+    private final String accessToken;
+    private final long expiresAtMillis;
+
+    public Token(String accessToken, long expiresInSeconds) {
+      this.accessToken = accessToken;
+      expiresAtMillis = System.currentTimeMillis() + expiresInSeconds * 1000 - EXPIRATION_BUFFER;
+    }
+
+    public String getAccessToken() {
+      return accessToken;
+    }
+
+    public boolean isExpired() {
+      return expiresAtMillis < System.currentTimeMillis();
+    }
+  }
+
   private static final Logger LOG = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
   private JwtConfig jwtConfig;
   private IdentityConfig identityConfig;
-  private Map<Product, String> tokens;
+  private final Map<Product, Token> tokens;
 
   public SelfManagedAuthentication() {
     tokens = new HashMap<>();
@@ -51,24 +71,27 @@ public void resetToken(Product product) {
 
   @Override
   public Map.Entry<String, String> getTokenHeader(Product product) {
-    String token;
-    if (tokens.containsKey(product)) {
-      token = tokens.get(product);
-    } else {
+    Token token = tokens.computeIfAbsent(product, k -> getIdentityToken(product));
+    if (token.isExpired()) {
+      LOG.debug("Token for product {} is expired. Requesting new token", product);
       token = getIdentityToken(product);
       saveToken(product, token);
     }
-    return new AbstractMap.SimpleEntry<>("Authorization", "Bearer " + token);
+    return new AbstractMap.SimpleEntry<>("Authorization", "Bearer " + token.getAccessToken());
   }
 
-  private String getIdentityToken(Product product) {
+  private Token getIdentityToken(Product product) {
     Identity identity = identityConfig.get(product).getIdentity();
     String audience = jwtConfig.getProduct(product).getAudience();
     Tokens identityTokens = identity.authentication().requestToken(audience);
-    return identityTokens.getAccessToken();
+    if (identityTokens.getAccessToken() == null) {
+      throw new SdkException("Unable to get access token from identity");
+    }
+    LOG.debug("Received new token for product {}", product);
+    return new Token(identityTokens.getAccessToken(), identityTokens.getExpiresIn());
   }
 
-  private void saveToken(Product product, String token) {
+  private void saveToken(Product product, Token token) {
     tokens.put(product, token);
   }
 }
diff --git a/spring-boot-starter-camunda/src/main/java/io/camunda/zeebe/spring/client/configuration/CommonClientConfiguration.java b/spring-boot-starter-camunda/src/main/java/io/camunda/zeebe/spring/client/configuration/CommonClientConfiguration.java
@@ -7,6 +7,7 @@
 import io.camunda.identity.sdk.IdentityConfiguration;
 import io.camunda.identity.sdk.Identity;
 import io.camunda.zeebe.spring.client.properties.*;
+import org.slf4j.Logger;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
 import org.springframework.context.annotation.Bean;
@@ -16,6 +17,8 @@
 @EnableConfigurationProperties({CommonConfigurationProperties.class, ZeebeSelfManagedProperties.class})
 public class CommonClientConfiguration {
 
+  private final static Logger LOG = org.slf4j.LoggerFactory.getLogger(CommonClientConfiguration.class);
+
 
   @Autowired(required = false)
   CommonConfigurationProperties commonConfigurationProperties;
@@ -120,26 +123,39 @@ private JwtConfig configureJwtConfig() {
     JwtConfig jwtConfig = new JwtConfig();
     // ZEEBE
     if (zeebeClientConfigurationProperties.getCloud().getClientId() != null && zeebeClientConfigurationProperties.getCloud().getClientSecret() != null) {
+      LOG.info("Using Cloud properties to determine credentials for Zeebe");
       jwtConfig.addProduct(Product.ZEEBE, new JwtCredential(
         zeebeClientConfigurationProperties.getCloud().getClientId(),
         zeebeClientConfigurationProperties.getCloud().getClientSecret(),
         zeebeClientConfigurationProperties.getCloud().getAudience(),
         zeebeClientConfigurationProperties.getCloud().getAuthUrl())
       );
     } else if (zeebeSelfManagedProperties.getClientId() != null && zeebeSelfManagedProperties.getClientSecret() != null) {
+      LOG.info("Using Self Managed properties to determine credentials for Zeebe");
       jwtConfig.addProduct(Product.ZEEBE, new JwtCredential(
         zeebeSelfManagedProperties.getClientId(),
         zeebeSelfManagedProperties.getClientSecret(),
         zeebeSelfManagedProperties.getAudience(),
         zeebeSelfManagedProperties.getAuthServer())
       );
     } else if (commonConfigurationProperties.getClientId() != null && commonConfigurationProperties.getClientSecret() != null) {
+      LOG.info("Using Common properties to determine credentials for Zeebe");
       jwtConfig.addProduct(Product.ZEEBE, new JwtCredential(
         commonConfigurationProperties.getClientId(),
         commonConfigurationProperties.getClientSecret(),
         zeebeClientConfigurationProperties.getCloud().getAudience(),
         zeebeClientConfigurationProperties.getCloud().getAuthUrl())
       );
+    } else if (identityConfigurationFromProperties != null
+      && hasText(identityConfigurationFromProperties.getClientId())
+      && hasText(identityConfigurationFromProperties.getClientSecret())) {
+      LOG.info("Using Identity SDK credentials for Zeebe");
+      jwtConfig.addProduct(Product.ZEEBE, new JwtCredential(
+        identityConfigurationFromProperties.getClientId(),
+        identityConfigurationFromProperties.getClientSecret(),
+        identityConfigurationFromProperties.getAudience(),
+        identityConfigurationFromProperties.getIssuerBackendUrl())
+      );
     }
 
     // OPERATE
@@ -160,20 +176,25 @@ private JwtConfig configureJwtConfig() {
       }
 
       if (operateClientConfigurationProperties.getClientId() != null && operateClientConfigurationProperties.getClientSecret() != null) {
+        LOG.info("Using Operate Client properties to determine credentials for Operate");
         jwtConfig.addProduct(Product.OPERATE, new JwtCredential(operateClientConfigurationProperties.getClientId(), operateClientConfigurationProperties.getClientSecret(), operateAudience, operateAuthUrl));
       } else if (identityConfigurationFromProperties != null && hasText(identityConfigurationFromProperties.getClientId()) && hasText(identityConfigurationFromProperties.getClientSecret())) {
+        LOG.info("Using Identity SDK credentials for Operate");
         jwtConfig.addProduct(Product.OPERATE, new JwtCredential(identityConfigurationFromProperties.getClientId(), identityConfigurationFromProperties.getClientSecret(), identityConfigurationFromProperties.getAudience(), identityConfigurationFromProperties.getIssuerBackendUrl()));
       }
       else if (commonConfigurationProperties.getClientId() != null && commonConfigurationProperties.getClientSecret() != null) {
+        LOG.info("Using Common properties to determine credentials for Operate");
         jwtConfig.addProduct(Product.OPERATE, new JwtCredential(
           commonConfigurationProperties.getClientId(),
           commonConfigurationProperties.getClientSecret(),
           operateAudience,
           operateAuthUrl)
         );
       } else if (zeebeClientConfigurationProperties.getCloud().getClientId() != null && zeebeClientConfigurationProperties.getCloud().getClientSecret() != null) {
+        LOG.info("Using Zeebe Cloud properties to determine credentials for Operate");
         jwtConfig.addProduct(Product.OPERATE, new JwtCredential(zeebeClientConfigurationProperties.getCloud().getClientId(), zeebeClientConfigurationProperties.getCloud().getClientSecret(), operateAudience, operateAuthUrl));
       } else if (zeebeSelfManagedProperties.getClientId() != null && zeebeSelfManagedProperties.getClientSecret() != null) {
+        LOG.info("Using Zeebe Self Managed properties to determine credentials for Operate");
         jwtConfig.addProduct(Product.OPERATE, new JwtCredential(zeebeSelfManagedProperties.getClientId(), zeebeSelfManagedProperties.getClientSecret(), operateAudience, operateAuthUrl));
       } else {
         throw new SdkException("Unable to determine OPERATE credentials");
@@ -191,6 +212,11 @@ private IdentityConfig configureIdentities(JwtConfig jwtConfig) {
       IdentityContainer operateIdentityContainer = configureOperateIdentityContainer(jwtConfig);
       identityConfig.addProduct(Product.OPERATE, operateIdentityContainer);
     }
+    // ZEEBE
+    if (zeebeClientConfigurationProperties != null) {
+      IdentityContainer zeebeIdentityContainer = configureZeebeIdentityContainer(jwtConfig);
+      identityConfig.addProduct(Product.ZEEBE, zeebeIdentityContainer);
+    }
     return identityConfig;
   }
 
@@ -227,4 +253,32 @@ private IdentityContainer configureOperateIdentityContainer(JwtConfig jwtConfig)
     Identity operateIdentity = new Identity(operateIdentityConfiguration);
     return new IdentityContainer(operateIdentity, operateIdentityConfiguration);
   }
+
+  private IdentityContainer configureZeebeIdentityContainer(JwtConfig jwtConfig) {
+    String issuer;
+    String issuerBackendUrl;
+    if (hasText(identityConfigurationFromProperties.getIssuer())) {
+      issuer = identityConfigurationFromProperties.getIssuer();
+    } else {
+      issuer = jwtConfig.getProduct(Product.ZEEBE).getAuthUrl();
+    }
+
+    if (hasText(identityConfigurationFromProperties.getIssuerBackendUrl())) {
+      issuerBackendUrl = identityConfigurationFromProperties.getIssuerBackendUrl();
+    } else {
+      issuerBackendUrl = jwtConfig.getProduct(Product.ZEEBE).getAuthUrl();
+    }
+
+    IdentityConfiguration zeebeIdentityConfiguration = new IdentityConfiguration.Builder()
+      .withBaseUrl(identityConfigurationFromProperties.getBaseUrl())
+      .withIssuer(issuer)
+      .withIssuerBackendUrl(issuerBackendUrl)
+      .withClientId(jwtConfig.getProduct(Product.ZEEBE).getClientId())
+      .withClientSecret(jwtConfig.getProduct(Product.ZEEBE).getClientSecret())
+      .withAudience(jwtConfig.getProduct(Product.ZEEBE).getAudience())
+      .withType(identityConfigurationFromProperties.getType().name())
+      .build();
+    Identity zeebeIdentity = new Identity(zeebeIdentityConfiguration);
+    return new IdentityContainer(zeebeIdentity, zeebeIdentityConfiguration);
+  }
 }
