Merge pull request #5725 from espoon-voltti/sfi-rest-password-rotation

Salasanan rotatointi Suomi.fi viestit REST-toteutukseen + tiukempi integraatio SSM:n kanssa

Author: Gekkio

service/build.gradle.kts

@@ -119,6 +119,7 @@ dependencies {
 
     // AWS SDK
     implementation("software.amazon.awssdk:s3")
+    implementation("software.amazon.awssdk:ssm")
     implementation("software.amazon.awssdk:sts")
     implementation("software.amazon.awssdk:ses")
 

service/src/integrationTest/kotlin/fi/espoo/evaka/sficlient/SoapStackIntegrationTest.kt

@@ -134,7 +134,7 @@ class SoapStackIntegrationTest {
             restEnabled = false,
             restAddress = null,
             restUsername = null,
-            restPassword = null,
+            restPasswordSsmName = null,
         )
 
     @BeforeAll

service/src/integrationTest/kotlin/fi/espoo/evaka/sficlient/rest/MockPasswordStore.kt

@@ -0,0 +1,35 @@
+// SPDX-FileCopyrightText: 2017-2024 City of Espoo
+//
+// SPDX-License-Identifier: LGPL-2.1-or-later
+
+package fi.espoo.evaka.sficlient.rest
+
+import fi.espoo.evaka.Sensitive
+import java.util.concurrent.locks.ReentrantLock
+import kotlin.concurrent.withLock
+
+class MockPasswordStore(initialPassword: String) : PasswordStore {
+    private val lock = ReentrantLock()
+    private val passwords: MutableList<String> = mutableListOf(initialPassword)
+    private var indexByLabel: MutableMap<PasswordStore.Label, Int> =
+        mutableMapOf(PasswordStore.Label.CURRENT to 0)
+
+    override fun getPassword(label: PasswordStore.Label): PasswordStore.VersionedPassword? =
+        lock.withLock {
+            val index = indexByLabel[label] ?: return null
+            PasswordStore.VersionedPassword(
+                Sensitive(passwords[index]),
+                PasswordStore.Version(index.toLong()),
+            )
+        }
+
+    override fun putPassword(password: Sensitive<String>): PasswordStore.Version =
+        lock.withLock {
+            val index = passwords.size
+            passwords += password.value
+            PasswordStore.Version(index.toLong())
+        }
+
+    override fun moveLabel(version: PasswordStore.Version, label: PasswordStore.Label) =
+        lock.withLock { indexByLabel[label] = version.value.toInt() }
+}

service/src/integrationTest/kotlin/fi/espoo/evaka/sficlient/rest/MockSfiMessagesRestEndpoint.kt

@@ -37,13 +37,32 @@ class MockSfiMessagesRestEndpoint {
     )
     fun getAccessToken(@RequestBody body: AccessTokenRequestBody): ResponseEntity<Any> =
         lock.withLock {
-            if (body.username == USERNAME && body.password == PASSWORD) {
+            if (body.username == USERNAME && body.password == password) {
                 val token = UUID.randomUUID().toString()
                 tokens.add(token)
                 ResponseEntity.ok(AccessTokenResponse(access_token = token, token_type = "bearer"))
             } else ResponseEntity.badRequest().body(ApiError("Invalid credentials"))
         }
 
+    @PostMapping("/v1/change-password")
+    fun changePassword(
+        @RequestHeader("Authorization") authorization: String?,
+        @RequestBody body: ChangePasswordRequestBody,
+    ): ResponseEntity<Any> =
+        lock.withLock {
+            val accessToken = authorization?.removePrefix("Bearer ")
+            if (!tokens.contains(accessToken)) {
+                ResponseEntity.status(401).body(ApiError("Invalid token"))
+            } else if (body.accessToken != accessToken) {
+                ResponseEntity.status(400).body(ApiError("Invalid token in body"))
+            } else if (body.currentPassword != password) {
+                ResponseEntity.status(400).body(ApiError("Invalid password"))
+            } else {
+                password = body.newPassword
+                ResponseEntity.ok(null)
+            }
+        }
+
     @PostMapping(
         "/v1/files",
         consumes = [MediaType.MULTIPART_FORM_DATA_VALUE],
@@ -86,7 +105,7 @@ class MockSfiMessagesRestEndpoint {
 
     companion object {
         const val USERNAME = "test-user"
-        const val PASSWORD = "test-password"
+        const val DEFAULT_PASSWORD = "test-password"
 
         private val lock = ReentrantLock()
 
@@ -95,17 +114,21 @@ class MockSfiMessagesRestEndpoint {
         private val messages =
             mutableMapOf<ExternalId, Pair<MessageId, NewMessageFromClientOrganisation>>()
         private var nextMessageId: MessageId = 1L
+        private var password: String = DEFAULT_PASSWORD
 
         fun reset() =
             lock.withLock {
                 tokens.clear()
                 files.clear()
                 messages.clear()
                 nextMessageId = 1L
+                password = DEFAULT_PASSWORD
             }
 
         fun clearTokens() = lock.withLock { tokens.clear() }
 
+        fun getCurrentPassword() = lock.withLock { password }
+
         fun getCapturedFiles() = lock.withLock { files.toMap() }
 
         fun getCapturedMessages() = lock.withLock { messages.toMap() }

service/src/integrationTest/kotlin/fi/espoo/evaka/sficlient/rest/SfiMessagesRestClientIntegrationTest.kt

@@ -16,6 +16,7 @@ import fi.espoo.evaka.sficlient.SfiMessage
 import java.net.URI
 import kotlin.test.assertContentEquals
 import kotlin.test.assertEquals
+import kotlin.test.assertNotEquals
 import org.junit.jupiter.api.BeforeEach
 import org.junit.jupiter.api.Test
 
@@ -49,7 +50,7 @@ class SfiMessagesRestClientIntegrationTest : FullApplicationTest(resetDbBeforeEa
             restEnabled = true,
             restAddress = URI.create("http://localhost:$httpPort/public/mock-sfi-messages"),
             restUsername = MockSfiMessagesRestEndpoint.USERNAME,
-            restPassword = Sensitive(MockSfiMessagesRestEndpoint.PASSWORD),
+            restPasswordSsmName = null,
             // dummy fields only used by the SOAP implementation
             address = "",
             trustStore = KeystoreEnv(location = URI.create("")),
@@ -95,6 +96,10 @@ class SfiMessagesRestClientIntegrationTest : FullApplicationTest(resetDbBeforeEa
                     assertEquals(message.documentKey, key)
                     Document(key, fileContent, contentType = "content-type")
                 },
+                passwordStore =
+                    MockPasswordStore(
+                        initialPassword = MockSfiMessagesRestEndpoint.DEFAULT_PASSWORD
+                    ),
             )
     }
 
@@ -178,4 +183,16 @@ class SfiMessagesRestClientIntegrationTest : FullApplicationTest(resetDbBeforeEa
         client.send(message.copy(messageId = "message-id-2"))
         assertEquals(2, MockSfiMessagesRestEndpoint.getCapturedMessages().size)
     }
+
+    @Test
+    fun `changing password works`() {
+        val oldPassword = MockSfiMessagesRestEndpoint.getCurrentPassword()
+        client.rotatePassword()
+        val newPassword = MockSfiMessagesRestEndpoint.getCurrentPassword()
+        assertNotEquals(oldPassword, newPassword)
+
+        // sending a message should still work after password change
+        client.send(message)
+        assertEquals(1, MockSfiMessagesRestEndpoint.getCapturedMessages().size)
+    }
 }

service/src/integrationTest/resources/application-integration-test.yaml

@@ -116,6 +116,8 @@ logging:
         evaka.messaging: debug
     org:
       springframework:
+        boot:
+          autoconfigure: ERROR
         ws:
           client:
             MessageTracing:

service/src/main/kotlin/fi/espoo/evaka/EvakaEnv.kt

@@ -441,8 +441,18 @@ data class SfiEnv(
     val restAddress: URI?,
     /** Username for the messages REST API, also known as "systemId" */
     val restUsername: String?,
-    /** Password for the messages REST API */
-    val restPassword: Sensitive<String>?,
+    /**
+     * SSM parameter name for the messages REST API password.
+     *
+     * The service instance must have the permission to perform the following operations on it:
+     * - GetParameter
+     * - PutParameter
+     * - LabelParameterVersion
+     *
+     * Required first time manual setup: save the password received from Suomi.fi to SSM and add the
+     * label CURRENT to it
+     */
+    val restPasswordSsmName: String?,
 ) {
     companion object {
         fun fromEnvironment(env: Environment) =
@@ -477,8 +487,7 @@ data class SfiEnv(
                 restEnabled = env.lookup("evaka.integration.sfi.rest_enabled") ?: false,
                 restAddress = env.lookup("evaka.integration.sfi.rest_address"),
                 restUsername = env.lookup("evaka.integration.sfi.rest_username"),
-                restPassword =
-                    env.lookup<String?>("evaka.integration.sfi.rest_password")?.let(::Sensitive),
+                restPasswordSsmName = env.lookup("evaka.integration.sfi.rest_password_ssm_name"),
             )
     }
 }

service/src/main/kotlin/fi/espoo/evaka/sficlient/MockSfiMessagesClient.kt

@@ -19,6 +19,8 @@ class MockSfiMessagesClient : SfiMessagesClient {
         lock.write { data[msg.messageId] = msg }
     }
 
+    override fun rotatePassword() {}
+
     companion object {
         private val data = mutableMapOf<MessageId, SfiMessage>()
         private val lock = ReentrantReadWriteLock()

service/src/main/kotlin/fi/espoo/evaka/sficlient/SfiMessagesClient.kt

@@ -8,6 +8,8 @@ import com.fasterxml.jackson.annotation.JsonIgnoreProperties
 
 interface SfiMessagesClient {
     fun send(msg: SfiMessage)
+
+    fun rotatePassword()
 }
 
 @JsonIgnoreProperties(value = ["language"]) // ignore legacy properties

service/src/main/kotlin/fi/espoo/evaka/sficlient/SfiMessagesSoapClient.kt

@@ -267,6 +267,10 @@ class SfiMessagesSoapClient(
         }
     }
 
+    override fun rotatePassword() {
+        // not supported or needed with the SOAP client
+    }
+
     private inline fun <reified T> WebServiceTemplate.marshalSendAndReceiveAsType(request: Any): T =
         marshalSendAndReceive(request).let {
             it as? T

service/src/main/kotlin/fi/espoo/evaka/sficlient/rest/PasswordStore.kt

@@ -0,0 +1,97 @@
+// SPDX-FileCopyrightText: 2017-2024 City of Espoo
+//
+// SPDX-License-Identifier: LGPL-2.1-or-later
+
+package fi.espoo.evaka.sficlient.rest
+
+import fi.espoo.evaka.Sensitive
+import fi.espoo.evaka.SfiEnv
+import mu.KotlinLogging
+import software.amazon.awssdk.services.ssm.SsmClient
+import software.amazon.awssdk.services.ssm.model.GetParameterRequest
+import software.amazon.awssdk.services.ssm.model.LabelParameterVersionRequest
+import software.amazon.awssdk.services.ssm.model.ParameterNotFoundException
+import software.amazon.awssdk.services.ssm.model.ParameterType
+import software.amazon.awssdk.services.ssm.model.ParameterVersionNotFoundException
+import software.amazon.awssdk.services.ssm.model.PutParameterRequest
+import software.amazon.awssdk.services.ssm.model.SsmException
+
+/** Backing store for a single password with support for multiple versions/labels */
+interface PasswordStore {
+    /** Gets the password from the store which has the given label */
+    fun getPassword(label: Label): VersionedPassword?
+
+    /**
+     * Saves a new password to the store, returning its internal version that can be used for
+     * applying labels
+     */
+    fun putPassword(password: Sensitive<String>): Version
+
+    /** Moves the given label to a saved password that has the given version */
+    fun moveLabel(version: Version, label: Label)
+
+    data class VersionedPassword(val password: Sensitive<String>, val version: Version)
+
+    /** An internal version number for a specific password value */
+    @JvmInline value class Version(val value: Long)
+
+    /** Unique, transferable label for a password */
+    enum class Label {
+        PENDING,
+        CURRENT,
+    }
+}
+
+class AwsSsmPasswordStore(private val client: SsmClient, env: SfiEnv) : PasswordStore {
+    private val ssmName =
+        env.restPasswordSsmName ?: error("SFI REST password SSM name is not configured")
+    private val logger = KotlinLogging.logger {}
+
+    override fun getPassword(label: PasswordStore.Label): PasswordStore.VersionedPassword? {
+        logger.info { "Fetching a password with label $label" }
+        return try {
+            client
+                .getParameter(
+                    GetParameterRequest.builder()
+                        .name("$ssmName:$label")
+                        .withDecryption(true)
+                        .build()
+                )
+                .let { response ->
+                    PasswordStore.VersionedPassword(
+                        Sensitive(response.parameter().value()),
+                        PasswordStore.Version(response.parameter().version()),
+                    )
+                }
+        } catch (e: SsmException) {
+            if (e is ParameterNotFoundException || e is ParameterVersionNotFoundException) null
+            else throw e
+        }
+    }
+
+    override fun putPassword(password: Sensitive<String>): PasswordStore.Version =
+        client
+            .putParameter(
+                PutParameterRequest.builder()
+                    .name(ssmName)
+                    .type(ParameterType.SECURE_STRING)
+                    .overwrite(true)
+                    .value(password.value)
+                    .build()
+            )
+            .let { response ->
+                logger.info { "Saved a new password with version ${response.version()}" }
+                PasswordStore.Version(response.version())
+            }
+
+    override fun moveLabel(version: PasswordStore.Version, label: PasswordStore.Label) {
+        logger.info { "Applying label $label to ${version.value}" }
+        client.labelParameterVersion(
+            LabelParameterVersionRequest.builder()
+                .name(ssmName)
+                .labels(label.toString())
+                .parameterVersion(version.value)
+                .build()
+        )
+    }
+}

service/src/main/kotlin/fi/espoo/evaka/sficlient/rest/RestSchema.kt

@@ -14,11 +14,17 @@ import okhttp3.MultipartBody
 import okhttp3.RequestBody.Companion.toRequestBody
 
 // https://api.messages-qa.suomi.fi/api-docs
-data class ApiUrls(val token: HttpUrl, val files: HttpUrl, val messages: HttpUrl) {
+data class ApiUrls(
+    val token: HttpUrl,
+    val files: HttpUrl,
+    val messages: HttpUrl,
+    val changePassword: HttpUrl,
+) {
     constructor(
         base: HttpUrl
     ) : this(
         token = base.newBuilder().addPathSegments("v1/token").build(),
+        changePassword = base.newBuilder().addPathSegments("v1/change-password").build(),
         files = base.newBuilder().addPathSegments("v1/files").build(),
         messages = base.newBuilder().addPathSegments("v1/messages").build(),
     )
@@ -175,3 +181,10 @@ data class Address(
         require(countryCode.isNotBlank()) { "countryCode must not be blank" }
     }
 }
+
+// https://api.messages-qa.suomi.fi/api-docs#model-ChangePasswordRequestBody
+data class ChangePasswordRequestBody(
+    val accessToken: String,
+    val currentPassword: String,
+    val newPassword: String,
+)