From 843d6d51532dd12948348da03c48dd579c6e15d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Randi=20=C3=98yri?= Date: Wed, 22 Nov 2023 14:59:36 +0100 Subject: [PATCH] ID-3562: Fjerne basic-auth for login-api (#162) * Bump org.mariadb.jdbc:mariadb-java-client from 3.2.0 to 3.3.0 Bumps [org.mariadb.jdbc:mariadb-java-client](https://github.com/mariadb-corporation/mariadb-connector-j) from 3.2.0 to 3.3.0. - [Release notes](https://github.com/mariadb-corporation/mariadb-connector-j/releases) - [Changelog](https://github.com/mariadb-corporation/mariadb-connector-j/blob/master/CHANGELOG.md) - [Commits](https://github.com/mariadb-corporation/mariadb-connector-j/compare/3.2.0...3.3.0) --- updated-dependencies: - dependency-name: org.mariadb.jdbc:mariadb-java-client dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * ID-3562: Fjerne basic-auth for login-api * ID-3562: api-key must be present --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- docker/settings.xml | 8 ---- pom.xml | 2 +- .../config/TokenAuthenticationFilter.java | 41 +++---------------- src/main/resources/application-docker.yaml | 3 -- src/main/resources/application-local-dev.yaml | 3 -- src/main/resources/application-local-h2.yaml | 3 -- src/main/resources/application-prod.yaml | 3 -- src/main/resources/application-systest.yaml | 3 -- src/main/resources/application-test.yaml | 3 -- 9 files changed, 7 insertions(+), 62 deletions(-) diff --git a/docker/settings.xml b/docker/settings.xml index 860ddbe..75721b5 100644 --- a/docker/settings.xml +++ b/docker/settings.xml @@ -19,14 +19,6 @@ - - - difi-artifactory-http-unblock - difi-artifactory - Dummy mirror to override default blocking mirror that blocks http - http://eid-artifactory.dmz.local:8080/artifactory/libs-release - - github diff --git a/pom.xml b/pom.xml index 177f047..54e5d50 100644 --- a/pom.xml +++ b/pom.xml 
@@ -70,7 +70,7 @@ org.mariadb.jdbc mariadb-java-client - 3.2.0 + 3.3.0 com.h2database diff --git a/src/main/java/no/idporten/userservice/config/TokenAuthenticationFilter.java b/src/main/java/no/idporten/userservice/config/TokenAuthenticationFilter.java index f6fecc5..50a4886 100644 --- a/src/main/java/no/idporten/userservice/config/TokenAuthenticationFilter.java +++ b/src/main/java/no/idporten/userservice/config/TokenAuthenticationFilter.java @@ -6,6 +6,8 @@ import jakarta.servlet.http.HttpFilter; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; +import jakarta.validation.constraints.NotBlank; +import jakarta.validation.constraints.NotEmpty; import org.springframework.beans.factory.annotation.Value; import org.springframework.core.Ordered; import org.springframework.core.annotation.Order; 
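Review bot: `jakarta.validation.constraints.NotEmpty` is added to the imports but nothing in this commit uses it; the field annotated in the next hunk uses `@NotBlank`, so the line `import jakarta.validation.constraints.NotEmpty;` should go. Leftover imports of this kind tend to survive long after the code they were meant for, as the `Base64` and `UnsupportedEncodingException` imports removed elsewhere in this same patch show.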
@@ -15,29 +17,24 @@ import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.stereotype.Component; +import org.springframework.validation.annotation.Validated; import java.io.IOException; -import java.io.UnsupportedEncodingException; import java.util.ArrayList; -import java.util.Base64; import java.util.Collection; @WebFilter(urlPatterns = "/login/*") @Order(Ordered.HIGHEST_PRECEDENCE) @Component +@Validated public class TokenAuthenticationFilter extends HttpFilter { public static final String API_KEY_NAME = "api-key"; @Value("${spring.security.api-key}") + @NotBlank(message = "api-key must not be blank") private String apiKey; - @Value("${spring.security.user.name}") //TODO: remove this when login is updated with api-key - private String basicUsername; - - @Value("${spring.security.user.password}") //TODO: remove this when login is updated with api-key - private String basicPassword; - @Override public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException { // get api-key from request header @@ -45,8 +42,7 @@ public void doFilter(HttpServletRequest request, HttpServletResponse response, F if (request.getRequestURI().contains("login")) { String apiKeyRecived = request.getHeader(API_KEY_NAME); - boolean isBasicAuth = isBasicAuth(request); - if ((apiKey == null || !apiKey.equals(apiKeyRecived)) && !isBasicAuth) { + if (apiKey == null || !apiKey.equals(apiKeyRecived)) { response.setStatus(HttpServletResponse.SC_UNAUTHORIZED); } else { // create default user and add to context 
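Review bot: `@NotBlank` on the `@Value`-injected `apiKey` field is, as far as I know, not enforced by putting `@Validated` on a `@Component`: Spring's method validation checks method parameters and return values, and field constraints are only evaluated for `@Validated @ConfigurationProperties` beans, so a blank `spring.security.api-key` (for example `API_KEY` set to an empty string in the prod profile) still lets the service start. That matters because with `apiKey` equal to `""` the check in the later hunk, `apiKey.equals(apiKeyRecived)`, is true for any request that sends an empty `api-key` header, which is the opposite of the "api-key must be present" intent in the commit title. A `@PostConstruct` guard (import `jakarta.annotation.PostConstruct`) fails fast at startup instead, or the key can move into a `@Validated @ConfigurationProperties` class where `@NotBlank` is actually checked; with either, the `apiKey == null` guard in the request path becomes redundant.
```java
@Value("${spring.security.api-key}")
private String apiKey;

// Fail fast at startup: a blank key would otherwise match an empty api-key header.
@PostConstruct
void requireApiKey() {
    if (apiKey == null || apiKey.isBlank()) {
        throw new IllegalStateException("spring.security.api-key must be set");
    }
}
```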
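Review bot: The rewritten condition still compares the shared secret with `String.equals`, which returns at the first differing character, so the header value supplied by an untrusted client is checked with a timing-dependent compare; a constant-time compare costs nothing here: `if (apiKeyRecived == null || !MessageDigest.isEqual(apiKey.getBytes(StandardCharsets.UTF_8), apiKeyRecived.getBytes(StandardCharsets.UTF_8))) {` (with `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported). The rejection branch also only sets `SC_UNAUTHORIZED`: the `} else {` that follows shows no `return`, and the next hunk's context has `chain.doFilter(request, response);` as the method's final statement, so unless a return sits in the unseen lines between the two hunks a rejected request continues down the chain with the status set but nothing in the security context, and `return;` after `response.setStatus(...)` closes that. `doFilter` begins and ends outside this hunk.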
@@ -61,29 +57,4 @@ public void doFilter(HttpServletRequest request, HttpServletResponse response, F chain.doFilter(request, response); } - /** - * Check if request is using basic auth and verify it - * - * TODO: REMOVE when login has changed to api-key - * - * @param request - * @return - * @throws UnsupportedEncodingException - */ - private boolean isBasicAuth(HttpServletRequest request) throws UnsupportedEncodingException { - String basicauth = request.getHeader("Authorization"); - if (basicauth == null || !basicauth.startsWith("Basic ")) { - return false; - } - byte[] decoded = Base64.getDecoder().decode(basicauth.substring("Basic ".length())); - if (decoded == null) { - return false; - } - String[] credentials = new String(decoded, "UTF-8").split(":"); - if (credentials == null || credentials.length != 2) { - return false; - } - return basicUsername.equals(credentials[0]) && basicPassword.equals(credentials[1]); - - } } diff --git a/src/main/resources/application-docker.yaml b/src/main/resources/application-docker.yaml index 2c5476d..061d07e 100644 --- a/src/main/resources/application-docker.yaml +++ b/src/main/resources/application-docker.yaml @@ -39,9 +39,6 @@ spring: max-lifetime: 500 # maximum lifetime in milliseconds of a connection in the pool after it is closed. security: api-key: mytoken-docker - user: - name: user - password: password oauth2: resource: jwt: diff --git a/src/main/resources/application-local-dev.yaml b/src/main/resources/application-local-dev.yaml index f6789a1..de40913 100644 --- a/src/main/resources/application-local-dev.yaml +++ b/src/main/resources/application-local-dev.yaml @@ -18,9 +18,6 @@ spring: max-lifetime: 500 # maximum lifetime in milliseconds of a connection in the pool after it is closed. security: api-key: mytoken - user: - name: user - password: password oauth2: resource: jwt: diff --git a/src/main/resources/application-local-h2.yaml b/src/main/resources/application-local-h2.yaml index 74bc8c0..85e8b83 100644 
--- a/src/main/resources/application-local-h2.yaml +++ b/src/main/resources/application-local-h2.yaml @@ -14,9 +14,6 @@ spring: database-platform: org.hibernate.dialect.H2Dialect security: api-key: mytoken - user: - name: user - password: password oauth2: resource: jwt: diff --git a/src/main/resources/application-prod.yaml b/src/main/resources/application-prod.yaml index 0a706b9..c7bd168 100644 --- a/src/main/resources/application-prod.yaml +++ b/src/main/resources/application-prod.yaml @@ -13,9 +13,6 @@ spring: max-lifetime: 1000 # maximum lifetime in milliseconds of a connection in the pool after it is closed. security: api-key: ${API_KEY} - user: - name: ${API_USER} - password: ${API_USER_PASSWORD} oauth2: resource: jwt: diff --git a/src/main/resources/application-systest.yaml b/src/main/resources/application-systest.yaml index ee62175..f26466d 100644 --- a/src/main/resources/application-systest.yaml +++ b/src/main/resources/application-systest.yaml @@ -18,9 +18,6 @@ spring: max-lifetime: 1000 # maximum lifetime in milliseconds of a connection in the pool after it is closed. security: api-key: ${API_KEY} - user: - name: ${API_USER} - password: ${API_USER_PASSWORD} oauth2: resource: jwt: diff --git a/src/main/resources/application-test.yaml b/src/main/resources/application-test.yaml index eced39d..a5a65ab 100644 --- a/src/main/resources/application-test.yaml +++ b/src/main/resources/application-test.yaml @@ -13,9 +13,6 @@ spring: max-lifetime: 1000 # maximum lifetime in milliseconds of a connection in the pool after it is closed. security: api-key: ${API_KEY} - user: - name: ${API_USER} - password: ${API_USER_PASSWORD} oauth2: resource: jwt: