release: 1.9.5 (#351)

Author: devxb

.github/workflows/deploy.yml

@@ -74,6 +74,7 @@ jobs:
             "INTERNAL_SECRET=${{ secrets.INTERNAL_SECRET }}"
             "SLACK_TOKEN=${{ secrets.SLACK_TOKEN }}"
             "RELAY_APPROVE_TOKEN=${{ secrets.RELAY_APPROVE_TOKEN }}"
+            "INTERNAL_AUTH_SECRET=${{ secrets.INTERNAL_AUTH_SECRET }}"
 
       - name: build and push filebeat
         uses: docker/build-push-action@v4

deploy/api/Dockerfile

@@ -9,6 +9,7 @@ ARG REDIS_PORT
 ARG INTERNAL_SECRET
 ARG SLACK_TOKEN
 ARG RELAY_APPROVE_TOKEN
+ARG INTERNAL_AUTH_SECRET
 
 ARG JAR_FILE=./*.jar
 COPY ${JAR_FILE} gitanimals-render.jar
@@ -21,7 +22,8 @@ ENV db_url=${DB_URL} \
   redis_port=${REDIS_PORT} \
   internal_secret=${INTERNAL_SECRET} \
   slack_token=${SLACK_TOKEN} \
-  relay_approve_token=${RELAY_APPROVE_TOKEN}
+  relay_approve_token=${RELAY_APPROVE_TOKEN} \
+  internal_auth_secret=${INTERNAL_AUTH_SECRET}
 
 ENTRYPOINT java -jar gitanimals-render.jar \
   --spring.datasource.url=${db_url} \
@@ -32,4 +34,5 @@ ENTRYPOINT java -jar gitanimals-render.jar \
   --github.token=${github_token} \
   --internal.secret=${internal_secret} \
   --slack.token=${slack_token} \
-  --relay.approve.token=${relay_approve_token}
+  --relay.approve.token=${relay_approve_token} \
+  --internal.auth.secret=${internal_auth_secret}

src/main/kotlin/org/gitanimals/core/advice/GlobalExceptionHandler.kt

@@ -1,5 +1,6 @@
 package org.gitanimals.core.advice
 
+import org.gitanimals.core.AuthorizationException
 import org.gitanimals.core.ErrorResponse
 import org.slf4j.LoggerFactory
 import org.springframework.http.HttpStatus
@@ -52,4 +53,9 @@ class GlobalExceptionHandler {
     fun handleNoHandlerFoundException(exception: Exception): ErrorResponse {
         return ErrorResponse("CANNOT FOUND ANY RESOURCE.")
     }
+
+    @ExceptionHandler(AuthorizationException::class)
+    @ResponseStatus(HttpStatus.UNAUTHORIZED)
+    fun handleAuthorizationException(exception: AuthorizationException): ErrorResponse =
+        ErrorResponse.from(exception)
 }

src/main/kotlin/org/gitanimals/core/auth/InternalAuth.kt

@@ -0,0 +1,107 @@
+package org.gitanimals.core.auth
+
+import jakarta.servlet.http.HttpServletRequest
+import org.gitanimals.core.AUTHORIZATION_EXCEPTION
+import org.slf4j.LoggerFactory
+import org.springframework.beans.factory.annotation.Value
+import org.springframework.http.HttpHeaders
+import org.springframework.stereotype.Component
+import java.security.SecureRandom
+import java.util.*
+import javax.crypto.Cipher
+import javax.crypto.spec.GCMParameterSpec
+import javax.crypto.spec.SecretKeySpec
+
+@Component
+class InternalAuth(
+    private val httpServletRequest: HttpServletRequest,
+    private val internalAuthClient: InternalAuthClient,
+    @Value("\${internal.auth.secret}") private val internalAuthSecret: String,
+) {
+
+    private val logger = LoggerFactory.getLogger(this::class.simpleName)
+
+    private val secretKey by lazy {
+        val decodedKey = Base64.getDecoder().decode(internalAuthSecret)
+        SecretKeySpec(decodedKey, "AES")
+    }
+
+    fun getUserId(throwOnFailure: () -> Unit = throwCannotGetUserId): Long {
+        val userId = findUserId()
+
+        if (userId == null) {
+            throwOnFailure.invoke()
+        }
+
+        return userId ?: throw AUTHORIZATION_EXCEPTION
+    }
+
+    fun findUserId(): Long? {
+        val token: String? = httpServletRequest.getHeader(HttpHeaders.AUTHORIZATION)
+        val iv: String? = httpServletRequest.getHeader(INTERNAL_AUTH_IV_KEY)
+        val internalAuthSecret: String? = httpServletRequest.getHeader(INTERNAL_AUTH_SECRET_KEY)
+
+        var userId: Long? = runCatching {
+            if (internalAuthSecret == null || iv == null) {
+                return@runCatching null
+            }
+            return decrypt(
+                iv = Base64.getDecoder().decode(iv),
+                secret = Base64.getDecoder().decode(internalAuthSecret),
+            )
+        }.getOrElse {
+            logger.warn("[InternalAuth] Fail to get userId by secret and iv", it)
+            null
+        }
+
+        if (token != null) {
+            userId = runCatching {
+                internalAuthClient.getUserByToken(token).id.toLong()
+            }.getOrElse {
+                logger.warn("[InternalAuth] Fail to get userId by token", it)
+                null
+            }
+        }
+
+        return userId
+    }
+
+    private fun decrypt(iv: ByteArray, secret: ByteArray): Long {
+        val cipher = Cipher.getInstance("AES/GCM/NoPadding")
+        val spec = GCMParameterSpec(128, iv)
+        cipher.init(Cipher.DECRYPT_MODE, secretKey, spec)
+
+        val decryptedBytes = cipher.doFinal(secret)
+        return String(decryptedBytes, Charsets.UTF_8).toLong()
+    }
+
+    fun encrypt(userId: Long): Encrypted {
+        val iv = ByteArray(12)
+        SecureRandom().nextBytes(iv)
+
+        val cipher: Cipher = Cipher.getInstance("AES/GCM/NoPadding")
+        val spec = GCMParameterSpec(128, iv)
+        cipher.init(Cipher.ENCRYPT_MODE, secretKey, spec)
+
+        val cipherText = cipher.doFinal(userId.toString().toByteArray(Charsets.UTF_8))
+
+        return Encrypted(
+            iv = iv,
+            secret = cipherText,
+        )
+    }
+
+    companion object {
+        const val INTERNAL_AUTH_IV_KEY = "Internal-Auth-Iv"
+        const val INTERNAL_AUTH_SECRET_KEY = "Internal-Auth-Secret"
+
+        private val throwCannotGetUserId: () -> Unit = {
+            throw AUTHORIZATION_EXCEPTION
+        }
+    }
+}
+
+class Encrypted(
+    val iv: ByteArray,
+    val secret: ByteArray,
+)

src/main/kotlin/org/gitanimals/core/auth/InternalAuthClient.kt

@@ -0,0 +1,70 @@
+package org.gitanimals.core.auth
+
+import org.gitanimals.core.AuthorizationException
+import org.gitanimals.core.filter.MDCFilter
+import org.slf4j.MDC
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import org.springframework.http.HttpHeaders
+import org.springframework.http.HttpStatus
+import org.springframework.http.client.ClientHttpResponse
+import org.springframework.web.bind.annotation.RequestHeader
+import org.springframework.web.client.ResponseErrorHandler
+import org.springframework.web.client.RestClient
+import org.springframework.web.client.support.RestClientAdapter
+import org.springframework.web.service.annotation.GetExchange
+import org.springframework.web.service.invoker.HttpServiceProxyFactory
+
+fun interface InternalAuthClient {
+
+    @GetExchange("/users")
+    fun getUserByToken(@RequestHeader(HttpHeaders.AUTHORIZATION) token: String): UserResponse
+
+    data class UserResponse(
+        val id: String,
+    )
+}
+
+@Configuration
+class InternalAuthClientConfigurer {
+
+    @Bean
+    fun internalAuthHttpClient(): InternalAuthClient {
+        val restClient = RestClient
+            .builder()
+            .requestInterceptor { request, body, execution ->
+                request.headers.add(MDCFilter.TRACE_ID, MDC.get(MDCFilter.TRACE_ID))
+                execution.execute(request, body)
+            }
+            .defaultStatusHandler(HttpClientErrorHandler())
+            .baseUrl("https://api.gitanimals.org")
+            .build()
+
+        val httpServiceProxyFactory = HttpServiceProxyFactory
+            .builderFor(RestClientAdapter.create(restClient))
+            .build()
+
+        return httpServiceProxyFactory.createClient(InternalAuthClient::class.java)
+    }
+
+    class HttpClientErrorHandler : ResponseErrorHandler {
+
+        override fun hasError(response: ClientHttpResponse): Boolean {
+            return response.statusCode.isError
+        }
+
+        override fun handleError(response: ClientHttpResponse) {
+            val body = response.body.bufferedReader().use { it.readText() }
+            when {
+                response.statusCode.isSameCodeAs(HttpStatus.UNAUTHORIZED) ->
+                    throw AuthorizationException(body)
+
+                response.statusCode.is4xxClientError ->
+                    throw IllegalArgumentException(body)
+
+                response.statusCode.is5xxServerError ->
+                    throw IllegalStateException(body)
+            }
+        }
+    }
+}

src/main/kotlin/org/gitanimals/core/auth/InternalAuthRequestInterceptor.kt

@@ -0,0 +1,41 @@
+package org.gitanimals.core.auth
+
+import org.gitanimals.core.filter.MDCFilter.Companion.USER_ID
+import org.slf4j.MDC
+import org.springframework.http.HttpRequest
+import org.springframework.http.client.ClientHttpRequestExecution
+import org.springframework.http.client.ClientHttpRequestInterceptor
+import org.springframework.http.client.ClientHttpResponse
+import org.springframework.stereotype.Component
+import java.util.*
+
+@Component
+class InternalAuthRequestInterceptor(
+    private val internalAuth: InternalAuth,
+) : ClientHttpRequestInterceptor {
+
+    override fun intercept(
+        request: HttpRequest,
+        body: ByteArray,
+        execution: ClientHttpRequestExecution
+    ): ClientHttpResponse {
+        val userId = runCatching {
+            MDC.get(USER_ID).toLong()
+        }.getOrNull()
+
+        if (userId != null) {
+            val encrypt = internalAuth.encrypt(userId = userId)
+
+            request.headers.add(
+                InternalAuth.INTERNAL_AUTH_SECRET_KEY,
+                Base64.getEncoder().encodeToString(encrypt.secret),
+            )
+            request.headers.add(
+                InternalAuth.INTERNAL_AUTH_IV_KEY,
+                Base64.getEncoder().encodeToString(encrypt.iv),
+            )
+        }
+
+        return execution.execute(request, body)
+    }
+}

src/main/kotlin/org/gitanimals/core/filter/MDCFilter.kt

@@ -4,14 +4,17 @@ import jakarta.servlet.FilterChain
 import jakarta.servlet.http.HttpServletRequest
 import jakarta.servlet.http.HttpServletResponse
 import org.gitanimals.core.IdGenerator
+import org.gitanimals.core.auth.InternalAuth
 import org.slf4j.LoggerFactory
 import org.slf4j.MDC
 import org.springframework.stereotype.Component
 import org.springframework.web.filter.OncePerRequestFilter
 import kotlin.system.measureTimeMillis
 
 @Component
-class MDCFilter : OncePerRequestFilter() {
+class MDCFilter(
+    private val internalAuth: InternalAuth,
+) : OncePerRequestFilter() {
 
     override fun doFilterInternal(
         request: HttpServletRequest,
@@ -25,6 +28,7 @@ class MDCFilter : OncePerRequestFilter() {
 
             MDC.put(TRACE_ID, traceId)
             MDC.put(PATH, request.requestURI)
+            internalAuth.findUserId()?.let { MDC.put(USER_ID, it.toString()) }
 
             val elapsedTime = measureTimeMillis {
                 filterChain.doFilter(request, response)
@@ -38,10 +42,12 @@ class MDCFilter : OncePerRequestFilter() {
             MDC.remove(TRACE_ID)
             MDC.remove(ELAPSED_TIME)
             MDC.remove(PATH)
+            MDC.remove(USER_ID)
         }
     }
 
     companion object {
+        const val USER_ID = "userId"
         const val TRACE_ID = "traceId"
         const val ELAPSED_TIME = "elapsedTime"
         const val PATH = "path"

src/main/kotlin/org/gitanimals/guild/app/AcceptJoinGuildFacade.kt

@@ -1,19 +1,20 @@
 package org.gitanimals.guild.app
 
+import org.gitanimals.core.auth.InternalAuth
 import org.gitanimals.guild.domain.GuildService
 import org.springframework.stereotype.Service
 
 @Service
 class AcceptJoinGuildFacade(
-    private val identityApi: IdentityApi,
+    private val internalAuth: InternalAuth,
     private val guildService: GuildService,
 ) {
 
-    fun acceptJoin(token: String, guildId: Long, acceptUserId: Long) {
-        val user = identityApi.getUserByToken(token)
+    fun acceptJoin(guildId: Long, acceptUserId: Long) {
+        val userId = internalAuth.getUserId()
 
         guildService.acceptJoin(
-            acceptorId = user.id.toLong(),
+            acceptorId = userId,
             guildId = guildId,
             acceptUserId = acceptUserId,
         )

src/main/kotlin/org/gitanimals/guild/app/ChangeGuildFacade.kt

@@ -1,22 +1,23 @@
 package org.gitanimals.guild.app
 
+import org.gitanimals.core.auth.InternalAuth
 import org.gitanimals.guild.domain.GuildService
 import org.gitanimals.guild.domain.request.ChangeGuildRequest
 import org.springframework.stereotype.Service
 
 @Service
 class ChangeGuildFacade(
-    private val identityApi: IdentityApi,
+    private val internalAuth: InternalAuth,
     private val guildService: GuildService,
 ) {
 
-    fun changeGuild(token: String, guildId: Long, changeGuildRequest: ChangeGuildRequest) {
+    fun changeGuild(guildId: Long, changeGuildRequest: ChangeGuildRequest) {
         changeGuildRequest.requireValidTitle()
 
-        val user = identityApi.getUserByToken(token)
+        val userId = internalAuth.getUserId()
 
         guildService.changeGuild(
-            changeRequesterId = user.id.toLong(),
+            changeRequesterId = userId,
             guildId = guildId,
             request = changeGuildRequest,
         )

src/main/kotlin/org/gitanimals/guild/app/DenyJoinGuildFacade.kt

@@ -1,17 +1,18 @@
 package org.gitanimals.guild.app
 
+import org.gitanimals.core.auth.InternalAuth
 import org.gitanimals.guild.domain.GuildService
 import org.springframework.stereotype.Service
 
 @Service
 class DenyJoinGuildFacade(
-    private val identityApi: IdentityApi,
+    private val internalAuth: InternalAuth,
     private val guildService: GuildService,
 ) {
 
-    fun denyJoin(token: String, guildId: Long, denyUserId: Long) {
-        val user = identityApi.getUserByToken(token)
+    fun denyJoin(guildId: Long, denyUserId: Long) {
+        val userId = internalAuth.getUserId()
 
-        guildService.denyJoin(denierId = user.id.toLong(), guildId = guildId, denyUserId = denyUserId)
+        guildService.denyJoin(denierId = userId, guildId = guildId, denyUserId = denyUserId)
     }
 }