Merge pull request #58 from ing-bank/feature/upgrade-dependencies

Feature/upgrade dependencies

build.sbt

@@ -6,52 +6,53 @@ val rokkuStsVersion = scala.sys.env.getOrElse("ROKKU_STS_VERSION", "SNAPSHOT")
 
 name := "rokku-sts"
 version := rokkuStsVersion
-scalaVersion := "2.13.1"
+scalaVersion := "2.13.8"
 
 scalacOptions := Seq(
   "-unchecked",
   "-deprecation",
   "-encoding", "utf-8",
-  "-target:jvm-1.8",
+  "-target:11",
   "-feature",
   "-Xlint",
-  "-Xfatal-warnings"
+  "-Xfatal-warnings",
 )
 
 // Experimental: improved update resolution.
-updateOptions := updateOptions.value.withCachedResolution(cachedResoluton = true)
+updateOptions := updateOptions.value.withCachedResolution(true)
 
 assemblyJarName in assembly := "rokku-sts.jar"
 
-val akkaVersion = "2.6.3"
-val akkaHttpVersion = "10.1.11"
-val keycloakVersion = "8.0.2"
+val akkaVersion = "2.6.19"
+val akkaHttpVersion = "10.2.9"
+val keycloakVersion = "16.1.1"
 val logbackJson = "0.1.5"
 
 libraryDependencies ++= Seq(
-  "com.typesafe.akka" %% "akka-http" % akkaHttpVersion,
-  "com.typesafe.akka" %% "akka-stream" % akkaVersion,
-  "ch.megard" %% "akka-http-cors" % "0.4.2",
-  "com.typesafe.akka" %% "akka-http-spray-json" % akkaHttpVersion,
-  "com.typesafe.akka" %% "akka-http-xml" % akkaHttpVersion,
-  "com.typesafe.scala-logging" %% "scala-logging" % "3.9.2",
-  "ch.qos.logback" % "logback-classic" % "1.2.3",
-  "com.typesafe.akka" %% "akka-slf4j" % akkaVersion,
-  "org.keycloak" % "keycloak-core" % keycloakVersion,
-  "org.keycloak" % "keycloak-adapter-core" % keycloakVersion,
-  "org.keycloak" % "keycloak-admin-client" % keycloakVersion,
-  "org.jboss.logging" % "jboss-logging" % "3.3.2.Final",
-  "org.apache.httpcomponents" % "httpclient" % "4.5.6",
-  "org.mariadb.jdbc" % "mariadb-java-client" % "2.3.0",
-  "ch.qos.logback.contrib" % "logback-json-classic" % logbackJson,
-  "ch.qos.logback.contrib" % "logback-jackson" % logbackJson,
-  "com.fasterxml.jackson.core" % "jackson-databind" % "2.9.9",
-  "org.scalatest" %% "scalatest" % "3.1.0" % "test, it",
-  "com.auth0" % "java-jwt" % "3.8.0",
-  "com.typesafe.akka" %% "akka-http-testkit" % akkaHttpVersion % Test,
-  "com.typesafe.akka" %% "akka-stream-testkit" % akkaVersion % Test,
-  "com.amazonaws" % "aws-java-sdk-sts" % "1.11.720" % IntegrationTest,
-  "com.bettercloud" % "vault-java-driver" % "5.1.0")
+  "com.typesafe.akka"          %% "akka-http"             % akkaHttpVersion,
+  "com.typesafe.akka"          %% "akka-stream"           % akkaVersion,
+  "ch.megard"                  %% "akka-http-cors"        % "1.1.3",
+  "com.typesafe.akka"          %% "akka-http-spray-json"  % akkaHttpVersion,
+  "com.typesafe.akka"          %% "akka-http-xml"         % akkaHttpVersion,
+  "com.typesafe.scala-logging" %% "scala-logging"         % "3.9.2",
+  "ch.qos.logback"             %  "logback-classic"       % "1.2.11",
+  "com.typesafe.akka"          %% "akka-slf4j"            % akkaVersion,
+  "org.keycloak"               %  "keycloak-core"         % keycloakVersion,
+  "org.keycloak"               %  "keycloak-adapter-core" % keycloakVersion,
+  "org.keycloak"               %  "keycloak-admin-client" % keycloakVersion,
+  "org.jboss.logging"          %  "jboss-logging"         % "3.5.0.Final",
+  "org.apache.httpcomponents"  %  "httpclient"            % "4.5.13",
+  "org.mariadb.jdbc"           %  "mariadb-java-client"   % "2.3.0",
+  "ch.qos.logback.contrib"     %  "logback-json-classic"  % logbackJson,
+  "ch.qos.logback.contrib"     %  "logback-jackson"       % logbackJson,
+  "com.fasterxml.jackson.core" %  "jackson-databind"      % "2.13.3",
+  "com.auth0"                  %  "java-jwt"              % "4.0.0",
+  "com.bettercloud"            %  "vault-java-driver"     % "5.1.0",
+  "org.scalatest"              %% "scalatest"             % "3.2.13"        % "test, it",
+  "com.typesafe.akka"          %% "akka-http-testkit"     % akkaHttpVersion % Test,
+  "com.typesafe.akka"          %% "akka-stream-testkit"   % akkaVersion     % Test,
+  "com.amazonaws"              %  "aws-java-sdk-sts"      % "1.12.278"      % IntegrationTest,
+)
 
 
 configs(IntegrationTest)
@@ -61,7 +62,7 @@ Defaults.itSettings
 parallelExecution in IntegrationTest := false
 
 javaOptions in Universal ++= Seq(
-  "-Dlogback.configurationFile=/rokku/logback.xml"
+  "-Dlogback.configurationFile=/rokku/logback.xml",
 )
 
 enablePlugins(JavaAppPackaging)
@@ -70,7 +71,7 @@ fork := true
 
 dockerExposedPorts := Seq(12345)
 dockerCommands += ExecCmd("ENV", "PROXY_HOST", "0.0.0.0")
-dockerBaseImage := "openjdk:8u171-jre-slim-stretch"
+dockerBaseImage := "openjdk:8u171-jre-slim-buster"
 dockerAlias := docker.DockerAlias(Some("docker.io"), Some("wbaa"), "rokku-sts", Some(rokkuStsVersion))
 
 scalariformPreferences := scalariformPreferences.value

docker-compose.yml

@@ -2,7 +2,7 @@ version: "2"
 services:
 
   keycloak:
-    image: wbaa/rokku-dev-keycloak:0.0.9
+    build: ./keycloak
     environment:
       - KEYCLOAK_USER=admin
       - KEYCLOAK_PASSWORD=admin

keycloak/Dockerfile

@@ -0,0 +1,5 @@
+FROM jboss/keycloak:16.1.1
+
+
+COPY data /opt/jboss/keycloak/standalone/data
+USER root

keycloak/data/kernel/process-uuid

@@ -0,0 +1 @@
+6895c06c-d735-46a1-90d7-c0c2c1ac0f80

keycloak/data/keycloak.lock.db

@@ -0,0 +1,6 @@
+#FileLock
+#Fri Aug 12 09:55:34 GMT 2022
+server=172.26.0.3\:40845
+hostName=d0d26d21a3d6
+method=file
+id=182917b0236589229c0cb40987878a043daa48ed417

keycloak/data/keycloak.trace.db

@@ -0,0 +1,9 @@
+2022-08-10 10:08:21 jdbc[3]: exception
+org.h2.jdbc.JdbcSQLException: Table "DATABASECHANGELOGLOCK" not found; SQL statement:
+select count(*) from PUBLIC.DATABASECHANGELOGLOCK [42102-197]
+2022-08-10 10:08:25 jdbc[4]: exception
+org.h2.jdbc.JdbcSQLException: Table "DATABASECHANGELOG" not found; SQL statement:
+select count(*) from PUBLIC.DATABASECHANGELOG [42102-197]
+2022-08-10 10:08:29 jdbc[4]: exception
+org.h2.jdbc.JdbcSQLException: Table "DATABASECHANGELOG" not found; SQL statement:
+select count(*) from PUBLIC.DATABASECHANGELOG [42102-197]

project/build.properties

@@ -1 +1 @@
-sbt.version = 1.3.8
+sbt.version = 1.7.1

scripts/rokku-assume-role.sh

@@ -1,4 +1,4 @@
-token_session=$(curl -s -X POST http://localhost:8080/auth/realms/auth-rokku/protocol/openid-connect/token  -H "Content-Type: application/x-www-form-urlencoded" -d "username=userone" -d "password=password" -d 'grant_type=password' -d 'client_id=sts-rokku' | jq -r '.access_token')
+token_session=$(curl -s -X POST http://localhost:8080/auth/realms/auth-rokku/protocol/openid-connect/token  -H "Content-Type: application/x-www-form-urlencoded" -d "username=userone" -d "password=password" -d 'grant_type=password' -d 'client_id=sts-rokku' -d 'client_secret=q4dHVTDyViys4T0njCSSoS5Xto4GjA12' | jq -r '.access_token')
 echo "Read keycloak token: $token_session"
 if [ ${#token_session} -gt 10 ]
 then

scripts/rokku-get-session-token.sh

@@ -1,4 +1,4 @@
-token_session=$(curl -s -X POST http://localhost:8080/auth/realms/auth-rokku/protocol/openid-connect/token  -H "Content-Type: application/x-www-form-urlencoded" -d "username=testuser" -d "password=password" -d 'grant_type=password' -d 'client_id=sts-rokku' | jq -r '.access_token')
+token_session=$(curl -s -X POST http://localhost:8080/auth/realms/auth-rokku/protocol/openid-connect/token  -H "Content-Type: application/x-www-form-urlencoded" -d "username=testuser" -d "password=password" -d 'grant_type=password' -d 'client_id=sts-rokku' -d 'client_secret=q4dHVTDyViys4T0njCSSoS5Xto4GjA12' | jq -r '.access_token')
 echo "Read keycloak token: $token_session"
 if [ ${#token_session} -gt 10 ]
 then

src/it/scala/com/ing/wbaa/rokku/sts/StsServiceItTest.scala

@@ -28,7 +28,14 @@ class StsServiceItTest extends AsyncWordSpec with Diagrams
   override implicit val testSystem: ActorSystem = ActorSystem.create("test-system")
   override implicit val exContext: ExecutionContextExecutor = testSystem.dispatcher
 
-  private val validCredentials = Map("grant_type" -> "password", "username" -> "userone", "password" -> "password", "client_id" -> "sts-rokku")
+  val keycloakSettings: KeycloakSettings = new KeycloakSettings(testSystem.settings.config)
+  private val validCredentials = Map(
+    "grant_type" -> "password",
+    "username" -> "userone",
+    "password" -> "password",
+    "client_id" -> keycloakSettings.resource,
+    "client_secret" -> keycloakSettings.clientSecret,
+  )
   private val invalidCredentials = validCredentials + ("password" -> "xxx")
   private val validAdminArn = "arn:aws:iam::account-id:role/admin"
   private val forbiddenSuperUserArn = "arn:aws:iam:account-id:role/superuser"
@@ -38,10 +45,6 @@ class StsServiceItTest extends AsyncWordSpec with Diagrams
     override val httpBind: String = "127.0.0.1"
   }
 
-  override val keycloakSettings: KeycloakSettings = new KeycloakSettings(testSystem.settings.config) {
-    override val realmPublicKeyId: String = "FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"
-  }
-
   def withOAuth2TokenRequest(formData: Map[String, String])(testCode: KeycloackToken => Assertion): Future[Assertion] = {
     keycloackToken(formData).map(testCode(_))
   }
@@ -59,10 +62,7 @@ class StsServiceItTest extends AsyncWordSpec with Diagrams
 
       override protected[this] def httpSettings: HttpSettings = rokkuHttpSettings
 
-      override protected[this] def keycloakSettings: KeycloakSettings = new KeycloakSettings(testSystem.settings.config) {
-        override val realmPublicKeyId: String = "FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"
-        override val issuerForList: Set[String] = Set("sts-rokku")
-      }
+      val keycloakSettings: KeycloakSettings = new KeycloakSettings(testSystem.settings.config)
 
       override protected[this] def stsSettings: StsSettings = StsSettings(testSystem)
 
@@ -101,8 +101,8 @@ class StsServiceItTest extends AsyncWordSpec with Diagrams
     "return credentials for valid token" in withAwsClient { stsAwsClient =>
       withOAuth2TokenRequest(validCredentials) { keycloakToken =>
         val credentials = stsAwsClient.getSessionToken(new GetSessionTokenRequest()
-          .withTokenCode(keycloakToken.access_token))
-          .getCredentials
+        .withTokenCode(keycloakToken.access_token))
+        .getCredentials
 
         assert(!credentials.getAccessKeyId.isEmpty)
         assert(!credentials.getSecretAccessKey.isEmpty)

src/it/scala/com/ing/wbaa/rokku/sts/keycloak/KeycloakClientItTest.scala

@@ -15,10 +15,7 @@ class KeycloakClientItTest extends AsyncWordSpec with Diagrams with OAuth2TokenR
   override implicit val testSystem: ActorSystem = ActorSystem.create("test-system")
   override implicit val exContext: ExecutionContextExecutor = testSystem.dispatcher
 
-  override val keycloakSettings: KeycloakSettings = new KeycloakSettings(testSystem.settings.config) {
-    override val realmPublicKeyId: String = "FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"
-    override val issuerForList: Set[String] = Set("sts-rokku")
-  }
+  val keycloakSettings: KeycloakSettings = new KeycloakSettings(testSystem.settings.config)
 
   "Keycloak client" should {
     val username = "test"

src/it/scala/com/ing/wbaa/rokku/sts/keycloak/KeycloakTokenVerifierTest.scala

@@ -17,17 +17,26 @@ class KeycloakTokenVerifierTest extends AsyncWordSpec with Diagrams with OAuth2T
   override implicit val testSystem: ActorSystem = ActorSystem.create("test-system")
   override implicit val exContext: ExecutionContextExecutor = testSystem.dispatcher
 
-  override val keycloakSettings: KeycloakSettings = new KeycloakSettings(testSystem.settings.config) {
-    override val realmPublicKeyId: String = "FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"
-    override val issuerForList: Set[String] = Set("sts-rokku")
-  }
+  val keycloakSettings: KeycloakSettings = new KeycloakSettings(testSystem.settings.config)
 
   private def withOAuth2TokenRequest(formData: Map[String, String])(testCode: KeycloackToken => Assertion): Future[Assertion] = {
     keycloackToken(formData).map(testCode)
   }
 
-  private val validCredentialsUser1 = Map("grant_type" -> "password", "username" -> "userone", "password" -> "password", "client_id" -> "sts-rokku")
-  private val validCredentialsUser2 = Map("grant_type" -> "password", "username" -> "testuser", "password" -> "password", "client_id" -> "sts-rokku")
+  private val validCredentialsUser1 = Map(
+    "grant_type" -> "password",
+    "username" -> "userone",
+    "password" -> "password",
+    "client_id" -> keycloakSettings.resource,
+    "client_secret" -> keycloakSettings.clientSecret,
+    )
+    private val validCredentialsUser2 = Map(
+      "grant_type" -> "password",
+      "username" -> "testuser",
+      "password" -> "password",
+      "client_id" -> keycloakSettings.resource,
+      "client_secret" -> keycloakSettings.clientSecret,
+     )
 
   "Keycloak verifier" should {
     "return verified token for user 1" in withOAuth2TokenRequest(validCredentialsUser1) { keycloakToken =>

src/main/resources/reference.conf

@@ -7,16 +7,16 @@ rokku {
         }
         # Default keycloak configuration file and realm public key id
         keycloak {
-            realmPublicKeyId = "FJ86GcF3jTbNLOco4NvZkUCIUmfYCqoqtOQeMfbhNlE"
+            realmPublicKeyId = "71Fo4peRHRc7XjPQMEMWFne3F_Hug3O-NT9bMP9YoQg"
             realm = "auth-rokku"
             resource = "sts-rokku"
             url = "http://127.0.0.1:8080"
-            clientSecret = ""
+            clientSecret = "q4dHVTDyViys4T0njCSSoS5Xto4GjA12"
             adminUsername = "rokkuadmin"
             adminPassword = "password"
             verifyToken {
                 checkRealmUrl = true
-                issuerForList = ""
+                issuerForList = "sts-rokku"
             }
         }
 

src/main/scala/com/ing/wbaa/rokku/sts/RokkuStsService.scala

@@ -27,8 +27,6 @@ trait RokkuStsService
 
   protected[this] def httpSettings: HttpSettings
 
-  import com.ing.wbaa.rokku.sts.handler.StsExceptionHandlers.exceptionHandler
-
   // The routes we serve
   final val allRoutes: Route =
     toStrictEntity(3.seconds) {
@@ -40,15 +38,15 @@ trait RokkuStsService
   // Details about the server binding.
   final val startup: Future[Http.ServerBinding] = {
 
-    Http(system).bindAndHandle(allRoutes, httpSettings.httpBind, httpSettings.httpPort)
+    Http().newServerAt(httpSettings.httpBind, httpSettings.httpPort).bind(allRoutes)
       .andThen {
         case Success(binding) => logger.info(s"Sts service started listening: ${binding.localAddress}")
         case Failure(reason)  => logger.error("Sts service failed to start.", reason)
       }
   }
 
   def shutdown(): Future[Done] = {
-    startup.flatMap(_.unbind)
+    startup.flatMap(_.unbind())
       .andThen {
         case Success(_)      => logger.info("Sts service stopped.")
         case Failure(reason) => logger.error("Sts service failed to stop.", reason)

src/main/scala/com/ing/wbaa/rokku/sts/api/AdminApi.scala

@@ -53,7 +53,7 @@ trait AdminApi extends LazyLogging with Encryption with JwtToken {
   def addNPA: Route = logRequestResult("debug") {
     post {
       path("npa") {
-        formFields((Symbol("npaAccount"), Symbol("safeName"), Symbol("awsAccessKey"), Symbol("awsSecretKey"))) { (npaAccount, safeName, awsAccessKey, awsSecretKey) =>
+        formFields("npaAccount", "safeName", "awsAccessKey", "awsSecretKey") { (npaAccount, safeName, awsAccessKey, awsSecretKey) =>
           authorizeToken(verifyAuthenticationToken) { keycloakUserInfo =>
             if (userInAdminGroups(keycloakUserInfo.userGroups)) {
               val awsCredentials = AwsCredential(AwsAccessKey(awsAccessKey), AwsSecretKey(awsSecretKey))
@@ -81,7 +81,7 @@ trait AdminApi extends LazyLogging with Encryption with JwtToken {
   def addServiceNPA: Route = logRequestResult("debug") {
     post {
       path("service" / "npa") {
-        formFields((Symbol("npaAccount"), Symbol("safeName"), Symbol("awsAccessKey"), Symbol("awsSecretKey"))) { (npaAccount, safeName, awsAccessKey, awsSecretKey) =>
+        formFields("npaAccount", "safeName", "awsAccessKey", "awsSecretKey") { (npaAccount, safeName, awsAccessKey, awsSecretKey) =>
           headerValueByName("Authorization") { bearerToken =>
             if (verifyInternalToken(bearerToken)) {
               val awsCredentials = AwsCredential(AwsAccessKey(awsAccessKey), AwsSecretKey(awsSecretKey))
@@ -149,7 +149,7 @@ trait AdminApi extends LazyLogging with Encryption with JwtToken {
       path("keycloak" / "user") {
         formFields((Symbol("username"))) { username =>
           authorizeToken(verifyAuthenticationToken) { keycloakUserInfo =>
-            extractUri { uri =>
+            extractUri { _ =>
               if (userInAdminGroups(keycloakUserInfo.userGroups)) {
                 onComplete(insertUserToKeycloak(UserName(username))) {
                   case Success(_)  => complete(ResponseMessage(s"Add user ok", s"$username added", "keycloak"))

src/main/scala/com/ing/wbaa/rokku/sts/api/STSApi.scala

@@ -33,8 +33,7 @@ trait STSApi extends LazyLogging with TokenXML {
   }
 
   private val assumeRoleInputs = {
-    val inputList = (Symbol("RoleArn"), Symbol("RoleSessionName"), "DurationSeconds".as[Int].?)
-    (parameters(inputList) | formFields(inputList)).tmap(t =>
+    (parameters("RoleArn", "RoleSessionName", "DurationSeconds".as[Int].?) | formFields("RoleArn", "RoleSessionName", "DurationSeconds".as[Int].?)).tmap(t =>
       t.copy(_1 = AwsRoleArn(t._1), _3 = parseDurationSeconds(t._3))
     )
   }