feat: add authentication for TPA

Signed-off-by: Ruben Romero Montes <[email protected]>

Author: ruromero

src/main/java/com/redhat/exhort/integration/Constants.java

@@ -46,6 +46,8 @@ private Constants() {}
   public static final String SNYK_USER_AGENT_HEADER_FORMAT = "redhat-snyk-%s-%s";
   public static final String OSS_INDEX_USER_HEADER = "ex-oss-index-user";
   public static final String OSS_INDEX_TOKEN_HEADER = "ex-oss-index-token";
+  public static final String TPA_TOKEN_HEADER = "ex-tpa-token";
+
   public static final String VERBOSE_MODE_HEADER = "verbose";
 
   public static final String RHDA_TOKEN_HEADER = "rhda-token";
@@ -96,15 +98,16 @@ private Constants() {}
 
   public static final String SNYK_DEP_GRAPH_API_PATH = "/test/dep-graph";
   public static final String SNYK_TOKEN_API_PATH = "/user/me";
+
   public static final String OSS_INDEX_AUTH_COMPONENT_API_PATH = "/authorized/component-report";
   public static final String OSS_INDEX_VERSION_PATH = "/version";
   public static final String OSV_NVD_PURLS_PATH = "/purls";
-
   public static final String OSV_NVD_HEALTH_PATH = "/q/health";
 
   public static final String TRUSTED_CONTENT_PATH = "/recommend";
   public static final String TPA_ANALYZE_PATH = "/vulnerability/analyze";
   public static final String TPA_HEALTH_PATH = "/health/live";
+  public static final String TPA_TOKEN_PATH = "/vulnerability";
 
   public static final String DEFAULT_ACCEPT_MEDIA_TYPE = MediaType.APPLICATION_JSON;
   public static final boolean DEFAULT_VERBOSE_MODE = false;

src/main/java/com/redhat/exhort/integration/backend/ExhortIntegration.java

@@ -244,8 +244,11 @@ public void configure() {
           .setProperty(PROVIDERS_PARAM, constant(Arrays.asList(Constants.SNYK_PROVIDER)))
           .to(direct("snykValidateToken"))
         .when(header(Constants.OSS_INDEX_TOKEN_HEADER).isNotNull())
-        .setProperty(PROVIDERS_PARAM, constant(Arrays.asList(Constants.OSS_INDEX_PROVIDER)))
+          .setProperty(PROVIDERS_PARAM, constant(Arrays.asList(Constants.OSS_INDEX_PROVIDER)))
           .to(direct("ossValidateCredentials"))
+        .when(header(Constants.TPA_TOKEN_HEADER).isNotNull())
+          .setProperty(PROVIDERS_PARAM, constant(Arrays.asList(Constants.TPA_PROVIDER)))
+          .to(direct("tpaValidateCredentials"))
         .otherwise()
           .setProperty(PROVIDERS_PARAM, constant(Arrays.asList(Constants.UNKNOWN_PROVIDER)))
           .setHeader(Exchange.HTTP_RESPONSE_CODE, constant(Response.Status.BAD_REQUEST.getStatusCode()))

src/main/java/com/redhat/exhort/integration/providers/tpa/TpaIntegration.java

@@ -39,30 +39,39 @@ public class TpaIntegration extends EndpointRouteBuilder {
 
   @Inject VulnerabilityProvider vulnerabilityProvider;
   @Inject TpaResponseHandler responseHandler;
+  @Inject TpaRequestBuilder requestBuilder;
 
   @Override
   public void configure() throws Exception {
     // fmt:off
     from(direct("tpaScan"))
       .routeId("tpaScan")
+      .choice()
+      .when(method(TpaRequestBuilder.class, "isEmpty"))
+        .setBody(method(responseHandler, "emptyResponse"))
+        .transform().method(responseHandler, "buildReport")
+      .endChoice()
+      .otherwise()
+        .to(direct("tpaRequest"))
+        .transform().method(responseHandler, "buildReport")
+      .endChoice();
+
+    from(direct("tpaRequest"))
+      .routeId("tpaRequest")
       .circuitBreaker()
         .faultToleranceConfiguration()
           .timeoutEnabled(true)
           .timeoutDuration(timeout)
         .end()
-        .transform(method(TpaRequestBuilder.class, "buildRequest"))
-        .to(direct("tpaRequest"))
+        .transform(method(requestBuilder, "buildRequest"))
+        .process(this::processRequest)
+        .process(requestBuilder::addAuthentication)
+        .to(http("{{api.tpa.host}}"))
+        .transform().method(responseHandler, "responseToIssues")
+      .endCircuitBreaker()
       .onFallback()
         .process(responseHandler::processResponseError)
-      .end()
-      .transform().method(responseHandler, "buildReport");
-
-    from(direct("tpaRequest"))
-      .routeId("tpaRequest")
-      .process(this::processRequest)
-      .log("Headers: ${headers}")
-      .to(http("{{api.tpa.host}}"))
-      .transform().method(responseHandler, "responseToIssues");
+      .end();
 
     from(direct("tpaHealthCheck"))
       .routeId("tpaHealthCheck")
@@ -81,13 +90,28 @@ public void configure() throws Exception {
             .timeoutEnabled(true)
             .timeoutDuration(timeout)
          .end()
+         .process(requestBuilder::addAuthentication)
          .to(http("{{api.tpa.management.host}}"))
          .setHeader(Exchange.HTTP_RESPONSE_TEXT,constant("Service is up and running"))
          .setBody(constant("Service is up and running"))
       .onFallback()
          .setBody(constant(Constants.TPA_PROVIDER + "Service is down"))
          .setHeader(Exchange.HTTP_RESPONSE_CODE,constant(Response.Status.SERVICE_UNAVAILABLE))
       .end();
+
+    from(direct("tpaValidateCredentials"))
+      .routeId("tpaValidateCredentials")
+      .circuitBreaker()
+        .faultToleranceConfiguration()
+          .timeoutEnabled(true)
+          .timeoutDuration(timeout)
+        .end()
+        .process(this::processTokenRequest)
+        .process(requestBuilder::addAuthentication)
+        .to(http("{{api.tpa.host}}"))
+        .setBody(constant("Token validated successfully"))
+      .onFallback()
+        .process(responseHandler::processTokenFallBack);
     // fmt:on
   }
 
@@ -113,4 +137,15 @@ private void processHealthRequest(Exchange exchange) {
     message.setHeader(Exchange.HTTP_PATH, Constants.TPA_HEALTH_PATH);
     message.setHeader(Exchange.HTTP_METHOD, HttpMethod.GET);
   }
+
+  private void processTokenRequest(Exchange exchange) {
+    var message = exchange.getMessage();
+    message.removeHeader(Exchange.HTTP_URI);
+    message.removeHeader(Exchange.HTTP_HOST);
+    message.removeHeader(Constants.ACCEPT_ENCODING_HEADER);
+    message.removeHeader(Exchange.CONTENT_TYPE);
+    message.setHeader(Exchange.HTTP_PATH, Constants.TPA_TOKEN_PATH);
+    message.setHeader(Exchange.HTTP_METHOD, HttpMethod.GET);
+    message.setHeader(Exchange.HTTP_QUERY, "limit=0");
+  }
 }

src/main/java/com/redhat/exhort/integration/providers/tpa/TpaRequestBuilder.java

@@ -18,16 +18,28 @@
 
 package com.redhat.exhort.integration.providers.tpa;
 
+import java.util.Optional;
+
+import org.apache.camel.Exchange;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.redhat.exhort.config.ObjectMapperProducer;
+import com.redhat.exhort.integration.Constants;
 import com.redhat.exhort.model.DependencyTree;
 
 import io.quarkus.runtime.annotations.RegisterForReflection;
 
+import jakarta.enterprise.context.ApplicationScoped;
+
+@ApplicationScoped
 @RegisterForReflection
 public class TpaRequestBuilder {
 
+  @ConfigProperty(name = "api.tpa.token")
+  Optional<String> defaultToken;
+
   private ObjectMapper mapper = ObjectMapperProducer.newInstance();
 
   public String buildRequest(DependencyTree tree) throws JsonProcessingException {
@@ -37,4 +49,22 @@ public String buildRequest(DependencyTree tree) throws JsonProcessingException {
     request.set("purls", purls);
     return mapper.writeValueAsString(request);
   }
+
+  public void addAuthentication(Exchange exchange) {
+    var message = exchange.getMessage();
+    var userToken = message.getHeader(Constants.TPA_TOKEN_HEADER, String.class);
+    String token = null;
+    if (userToken != null) {
+      token = userToken;
+    } else if (defaultToken.isPresent()) {
+      token = defaultToken.get();
+    }
+    if (token != null) {
+      message.setHeader("Authorization", "Bearer " + token);
+    }
+  }
+
+  public boolean isEmpty(DependencyTree tree) {
+    return tree.dependencies().isEmpty();
+  }
 }

src/test/java/com/redhat/exhort/extensions/WiremockExtension.java

@@ -29,6 +29,7 @@
 public class WiremockExtension implements QuarkusTestResourceLifecycleManager {
 
   public static final String SNYK_TOKEN = "snyk-token-xyz";
+  public static final String TPA_TOKEN = "tpa-token-abc";
 
   private final WireMockServer server = new WireMockServer(options().dynamicPort());
 
@@ -42,7 +43,8 @@ public Map<String, String> start() {
         "api.trustedcontent.host", server.baseUrl(),
         "api.ossindex.host", server.baseUrl(),
         "api.onguard.host", server.baseUrl(),
-        "api.tpa.host", server.baseUrl());
+        "api.tpa.host", server.baseUrl(),
+        "api.tpa.token", TPA_TOKEN);
   }
 
   @Override

src/test/java/com/redhat/exhort/integration/AbstractAnalysisTest.java

@@ -30,6 +30,7 @@
 import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo;
 import static com.github.tomakehurst.wiremock.client.WireMock.urlPathEqualTo;
 import static com.redhat.exhort.extensions.WiremockExtension.SNYK_TOKEN;
+import static com.redhat.exhort.extensions.WiremockExtension.TPA_TOKEN;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -198,6 +199,7 @@ protected void verifyTokenRequest(String provider, Map<String, String> headers)
       case Constants.OSS_INDEX_PROVIDER -> verifyOssRequest(
           headers.get(Constants.OSS_INDEX_USER_HEADER),
           headers.get(Constants.OSS_INDEX_TOKEN_HEADER));
+      case Constants.TPA_PROVIDER -> verifyTpaTokenRequest(headers.get(Constants.TPA_TOKEN_HEADER));
     }
   }
 
@@ -213,6 +215,36 @@ protected void verifySnykTokenRequest(String token) {
     }
   }
 
+  protected void verifyTpaTokenRequest(String token) {
+    if (token == null) {
+      server.verify(
+          1,
+          getRequestedFor(urlPathEqualTo(Constants.TPA_TOKEN_PATH))
+              .withQueryParam("limit", equalTo("0")));
+    } else {
+      server.verify(
+          1,
+          getRequestedFor(urlPathEqualTo(Constants.TPA_TOKEN_PATH))
+              .withQueryParam("limit", equalTo("0"))
+              .withHeader(Constants.AUTHORIZATION_HEADER, equalTo("Bearer " + token)));
+    }
+  }
+
+  protected void verifyTpaRequest(String token) {
+    verifyTpaRequest(token, 1);
+  }
+
+  protected void verifyTpaRequest(String token, int count) {
+    if (token == null) {
+      server.verify(count, postRequestedFor(urlEqualTo(Constants.TPA_ANALYZE_PATH)));
+    } else {
+      server.verify(
+          count,
+          postRequestedFor(urlEqualTo(Constants.TPA_ANALYZE_PATH))
+              .withHeader(Constants.AUTHORIZATION_HEADER, equalTo("Bearer " + token)));
+    }
+  }
+
   protected void stubAllProviders() {
     stubSnykRequests();
     stubOssToken();
@@ -232,7 +264,8 @@ protected void verifyProviders(Collection<String> providers, Map<String, String>
                     credentials.get(Constants.OSS_INDEX_USER_HEADER),
                     credentials.get(Constants.OSS_INDEX_TOKEN_HEADER));
                 case Constants.OSV_PROVIDER -> verifyOsvNvdRequest();
-                case Constants.TPA_PROVIDER -> verifyTpaRequest();
+                case Constants.TPA_PROVIDER -> verifyTpaRequest(
+                    credentials.get(Constants.TPA_TOKEN_HEADER));
               }
             });
     verifyTrustedContentRequest();
@@ -352,8 +385,25 @@ protected void stubOsvRequests() {
   }
 
   protected void stubTpaRequests() {
+    // Missing token
+    server.stubFor(post(Constants.TPA_ANALYZE_PATH).willReturn(aResponse().withStatus(401)));
+
+    // Invalid token
     server.stubFor(
         post(Constants.TPA_ANALYZE_PATH)
+            .withHeader(Constants.AUTHORIZATION_HEADER, equalTo("Bearer " + INVALID_TOKEN))
+            .withHeader(Exchange.CONTENT_TYPE, containing(MediaType.APPLICATION_JSON))
+            .willReturn(
+                aResponse()
+                    .withStatus(401)
+                    .withBody(
+                        "{\"error\": \"Unauthorized\", \"message\": \"Authentication failed\"}")));
+
+    server.stubFor(
+        post(Constants.TPA_ANALYZE_PATH)
+            .withHeader(
+                Constants.AUTHORIZATION_HEADER,
+                equalTo("Bearer " + TPA_TOKEN).or(equalTo("Bearer " + OK_TOKEN)))
             .withHeader(Exchange.CONTENT_TYPE, containing(MediaType.APPLICATION_JSON))
             .willReturn(
                 aResponse()
@@ -363,6 +413,9 @@ protected void stubTpaRequests() {
 
     server.stubFor(
         post(Constants.TPA_ANALYZE_PATH)
+            .withHeader(
+                Constants.AUTHORIZATION_HEADER,
+                equalTo("Bearer " + TPA_TOKEN).or(equalTo("Bearer " + OK_TOKEN)))
             .withHeader(Exchange.CONTENT_TYPE, containing(MediaType.APPLICATION_JSON))
             .withRequestBody(
                 equalToJson(loadFileAsString("__files/tpa/maven_request.json"), true, false))
@@ -373,6 +426,9 @@ protected void stubTpaRequests() {
                     .withBodyFile("tpa/maven_report.json")));
     server.stubFor(
         post(Constants.TPA_ANALYZE_PATH)
+            .withHeader(
+                Constants.AUTHORIZATION_HEADER,
+                equalTo("Bearer " + TPA_TOKEN).or(equalTo("Bearer " + OK_TOKEN)))
             .withHeader(Exchange.CONTENT_TYPE, containing(MediaType.APPLICATION_JSON))
             .withRequestBody(
                 equalToJson(loadFileAsString("__files/tpa/batch_request.json"), true, false))
@@ -383,6 +439,42 @@ protected void stubTpaRequests() {
                     .withBodyFile("tpa/maven_report.json")));
   }
 
+  protected void stubTpaTokenRequests() {
+    // Missing token
+    server.stubFor(
+        get(urlPathEqualTo(Constants.TPA_TOKEN_PATH))
+            .withQueryParam("limit", equalTo("0"))
+            .willReturn(aResponse().withStatus(401)));
+    // Default request
+    server.stubFor(
+        get(urlPathEqualTo(Constants.TPA_TOKEN_PATH))
+            .withHeader(
+                Constants.AUTHORIZATION_HEADER,
+                equalTo("Bearer " + TPA_TOKEN).or(equalTo("Bearer " + OK_TOKEN)))
+            .withQueryParam("limit", equalTo("0"))
+            .willReturn(
+                aResponse()
+                    .withStatus(200)
+                    .withHeader(Exchange.CONTENT_TYPE, MediaType.APPLICATION_JSON)
+                    .withBodyFile("tpa/empty_report.json")));
+    // Internal Error
+    server.stubFor(
+        get(urlPathEqualTo(Constants.TPA_TOKEN_PATH))
+            .withHeader(Constants.AUTHORIZATION_HEADER, equalTo("Bearer " + ERROR_TOKEN))
+            .withQueryParam("limit", equalTo("0"))
+            .willReturn(aResponse().withStatus(500).withBody("This is an example error")));
+    // Invalid token
+    server.stubFor(
+        get(urlPathEqualTo(Constants.TPA_TOKEN_PATH))
+            .withHeader(Constants.AUTHORIZATION_HEADER, equalTo("Bearer " + INVALID_TOKEN))
+            .withQueryParam("limit", equalTo("0"))
+            .willReturn(
+                aResponse()
+                    .withStatus(401)
+                    .withBody(
+                        "{\"error\": \"Unauthorized\", \"message\": \"Authentication failed\"}")));
+  }
+
   protected void verifyTrustedContentRequest() {
     server.verify(1, postRequestedFor(urlEqualTo(Constants.TRUSTED_CONTENT_PATH)));
   }
@@ -612,14 +704,6 @@ protected void verifyOsvNvdRequest(int count) {
     server.verify(count, postRequestedFor(urlEqualTo(Constants.OSV_NVD_PURLS_PATH)));
   }
 
-  protected void verifyTpaRequest() {
-    verifyTpadRequest(1);
-  }
-
-  protected void verifyTpadRequest(int count) {
-    server.verify(count, postRequestedFor(urlEqualTo(Constants.TPA_ANALYZE_PATH)));
-  }
-
   protected void verifyNoInteractions() {
     verifyNoInteractionsWithSnyk();
     verifyNoInteractionsWithOSS();