From ee4ade13695aae5fe20d4953770f33626443e7db Mon Sep 17 00:00:00 2001 From: Olai Solheim Date: Fri, 21 Nov 2025 13:29:14 +0100 Subject: [PATCH] =?UTF-8?q?feat!:=20utkast=20til=20f=C3=B8rste=20versjon?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/CODEOWNERS | 2 +- .github/renovate.json | 6 + .github/workflows/build-and-publish.yaml | 16 + .gitignore | 3 + .mvn/wrapper/maven-wrapper.properties | 3 + LICENSE | 18 ++ README.md | 114 ++++++- mvnw | 295 ++++++++++++++++++ mvnw.cmd | 189 +++++++++++ pom.xml | 116 ++++++- .../spk/felles/openapi/OpenAPICustomizer.kt | 161 ++++++++++ .../felles/openapi/OpenAPICustomizerTest.kt | 23 ++ src/test/resources/logback-test.xml | 11 + src/test/resources/openapi.yaml | 62 ++++ 14 files changed, 1014 insertions(+), 5 deletions(-) create mode 100644 .github/renovate.json create mode 100644 .github/workflows/build-and-publish.yaml create mode 100644 .gitignore create mode 100644 .mvn/wrapper/maven-wrapper.properties create mode 100644 LICENSE create mode 100755 mvnw create mode 100644 mvnw.cmd create mode 100644 src/main/kotlin/no/spk/felles/openapi/OpenAPICustomizer.kt create mode 100644 src/test/kotlin/no/spk/felles/openapi/OpenAPICustomizerTest.kt create mode 100644 src/test/resources/logback-test.xml create mode 100644 src/test/resources/openapi.yaml diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 8284e23..efa944e 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1 +1 @@ -* @statens-pensjonskasse/team-rettighet \ No newline at end of file +* @statens-pensjonskasse/team-rettighet diff --git a/.github/renovate.json b/.github/renovate.json new file mode 100644 index 0000000..6646c0b --- /dev/null +++ b/.github/renovate.json @@ -0,0 +1,6 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "local>statens-pensjonskasse/renovate-presets-internal:daily-automerge-non-major" + ] +} diff --git a/.github/workflows/build-and-publish.yaml b/.github/workflows/build-and-publish.yaml new file mode 100644 index 0000000..680193d --- /dev/null +++ b/.github/workflows/build-and-publish.yaml @@ -0,0 +1,16 @@ +name: Build Maven Library + +on: + push: + workflow_dispatch: + +jobs: + build-and-publish: + uses: statens-pensjonskasse/github-actions-library/.github/workflows/build-library-maven.yaml@a2bc06ac35932796354f31ce92d0fc516b27a20b # v1.44.15 + permissions: + contents: write + packages: write + secrets: inherit + with: + java-version: '21' + slack-channel: '#rettighet-ci' diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..5231862 --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +.idea +*.iml +target diff --git a/.mvn/wrapper/maven-wrapper.properties b/.mvn/wrapper/maven-wrapper.properties new file mode 100644 index 0000000..c0bcafe --- /dev/null +++ b/.mvn/wrapper/maven-wrapper.properties @@ -0,0 +1,3 @@ +wrapperVersion=3.3.4 +distributionType=only-script +distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.11/apache-maven-3.9.11-bin.zip diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..1ac4233 --- /dev/null +++ b/LICENSE @@ -0,0 +1,18 @@ +Copyright 2025 Statens pensjonskasse + +Permission is hereby granted, free of charge, to any person obtaining a copy of +this software and associated documentation files (the “Software”), to deal in +the Software without restriction, including without limitation the rights to +use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of +the Software, and to permit persons to whom the Software is furnished to do so, +subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS +FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR +COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER +IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN +CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. diff --git a/README.md b/README.md index 05268a2..8da5cf2 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,114 @@ # felles-openapi-customizer-lib -felles-openapi-customizer-lib eies og forvaltes av team-rettighet + +Takes an OpenAPI specification and customizes all paths with the standard +security scheme and headers typically used in SPK. + +These headers are normally omitted from the OpenAPI specification for +practical purposes and provided to the client and consumed by the server +using implicit infrastructure libraries such as `felles-outbound-lib`. This +class allows adding these headers back in, in order for the server to show a +complete specification using SwaggerUI. + +There are two standard security schemes typically supported in SPK: + +1. Token based authentication using a security token. +2. Basic authentication using the employee's username and password. + +There are three standard headers supported in SPK: + +1. `X-Application-Id` which contains the caller's application identity. +2. `X-Correlation-Id` which correlates the invocation across systems. +3. `X-Request-Origin` which contains the origin's application identity. + +## Usage + +### Maven + +Add the following dependency to your project: + +```xml + + + no.spk.felles + felles-openapi-customizer-lib + 0.0.1-SNAPSHOT + +``` + +### Customize an existing OpenAPI-spec (contract-first) + +Takes the filename of an OpenAPI specification on classpath as input, +reads the file, customizes it with the given security schemes and +headers, and returns it as an `OpenAPI` object. + +The `OpenAPI` object can be provided to Spring as a `@Bean` in order for +documentation providers such as Springdoc to show the specification on +the server using SwaggerUI. + +```kotlin +@Bean +fun createOpenAPI() { + val customizer = OpenAPICustomizer( + customizeWithSecuritySchemes = true, + customizeWithStandardHeaders = true, + ) + return customizer.readAndCustomizeOpenAPI("/openapi/openapi.yaml") +} +``` + +Note that the above requires the OpenAPI specification to be unpacked +into `/openapi/openapi.yaml` on the classpath. + +This is well-suited for OpenAPI specifications written contract-first, +where the specification is available as a file. + +If using Springdoc, it is also advisable to disable scanning of packages +adding `springdoc.packages-to-scan=none` to Spring Boot's configuration, +otherwise annotated resources might show up twice in the specification. + +### Customize a generated OpenAPI-spec (code-first) + +Customizes an existing OpenAPI specification with the given security +schemes and headers. + +The `OpenAPI` object can be provided to Spring as a `@Bean` in order for +documentation providers such as Springdoc to show the specification on +the server using SwaggerUI. + +```kotlin +@Bean +fun createOpenAPI() { + val customizer = OpenAPICustomizer( + customizeWithSecuritySchemes = true, + customizeWithStandardHeaders = true, + ) + val generatedOpenAPI = OpenAPI() + return customizer.customizeOpenAPI(generatedOpenAPI) +} +``` + +This is well-suited for OpenAPI specifications that are generated from +annotated source code, after which these customizations are applied. + +## Development + +### Requirements + +Requirements to build the project on your machine: + +* JDK +* Maven + +### Build + +Run the following command to build the project: + +```shell +mvn clean install +``` + +### Branch and release + +1. Branch from `main`. +2. Create a pull-request and merge to `main`. +3. This will release a new version. diff --git a/mvnw b/mvnw new file mode 100755 index 0000000..bd8896b --- /dev/null +++ b/mvnw @@ -0,0 +1,295 @@ +#!/bin/sh +# ---------------------------------------------------------------------------- +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# ---------------------------------------------------------------------------- + +# ---------------------------------------------------------------------------- +# Apache Maven Wrapper startup batch script, version 3.3.4 +# +# Optional ENV vars +# ----------------- +# JAVA_HOME - location of a JDK home dir, required when download maven via java source +# MVNW_REPOURL - repo url base for downloading maven distribution +# MVNW_USERNAME/MVNW_PASSWORD - user and password for downloading maven +# MVNW_VERBOSE - true: enable verbose log; debug: trace the mvnw script; others: silence the output +# ---------------------------------------------------------------------------- + +set -euf +[ "${MVNW_VERBOSE-}" != debug ] || set -x + +# OS specific support. +native_path() { printf %s\\n "$1"; } +case "$(uname)" in +CYGWIN* | MINGW*) + [ -z "${JAVA_HOME-}" ] || JAVA_HOME="$(cygpath --unix "$JAVA_HOME")" + native_path() { cygpath --path --windows "$1"; } + ;; +esac + +# set JAVACMD and JAVACCMD +set_java_home() { + # For Cygwin and MinGW, ensure paths are in Unix format before anything is touched + if [ -n "${JAVA_HOME-}" ]; then + if [ -x "$JAVA_HOME/jre/sh/java" ]; then + # IBM's JDK on AIX uses strange locations for the executables + JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACCMD="$JAVA_HOME/jre/sh/javac" + else + JAVACMD="$JAVA_HOME/bin/java" + JAVACCMD="$JAVA_HOME/bin/javac" + + if [ ! -x "$JAVACMD" ] || [ ! -x "$JAVACCMD" ]; then + echo "The JAVA_HOME environment variable is not defined correctly, so mvnw cannot run." >&2 + echo "JAVA_HOME is set to \"$JAVA_HOME\", but \"\$JAVA_HOME/bin/java\" or \"\$JAVA_HOME/bin/javac\" does not exist." >&2 + return 1 + fi + fi + else + JAVACMD="$( + 'set' +e + 'unset' -f command 2>/dev/null + 'command' -v java + )" || : + JAVACCMD="$( + 'set' +e + 'unset' -f command 2>/dev/null + 'command' -v javac + )" || : + + if [ ! -x "${JAVACMD-}" ] || [ ! -x "${JAVACCMD-}" ]; then + echo "The java/javac command does not exist in PATH nor is JAVA_HOME set, so mvnw cannot run." >&2 + return 1 + fi + fi +} + +# hash string like Java String::hashCode +hash_string() { + str="${1:-}" h=0 + while [ -n "$str" ]; do + char="${str%"${str#?}"}" + h=$(((h * 31 + $(LC_CTYPE=C printf %d "'$char")) % 4294967296)) + str="${str#?}" + done + printf %x\\n $h +} + +verbose() { :; } +[ "${MVNW_VERBOSE-}" != true ] || verbose() { printf %s\\n "${1-}"; } + +die() { + printf %s\\n "$1" >&2 + exit 1 +} + +trim() { + # MWRAPPER-139: + # Trims trailing and leading whitespace, carriage returns, tabs, and linefeeds. + # Needed for removing poorly interpreted newline sequences when running in more + # exotic environments such as mingw bash on Windows. + printf "%s" "${1}" | tr -d '[:space:]' +} + +scriptDir="$(dirname "$0")" +scriptName="$(basename "$0")" + +# parse distributionUrl and optional distributionSha256Sum, requires .mvn/wrapper/maven-wrapper.properties +while IFS="=" read -r key value; do + case "${key-}" in + distributionUrl) distributionUrl=$(trim "${value-}") ;; + distributionSha256Sum) distributionSha256Sum=$(trim "${value-}") ;; + esac +done <"$scriptDir/.mvn/wrapper/maven-wrapper.properties" +[ -n "${distributionUrl-}" ] || die "cannot read distributionUrl property in $scriptDir/.mvn/wrapper/maven-wrapper.properties" + +case "${distributionUrl##*/}" in +maven-mvnd-*bin.*) + MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/ + case "${PROCESSOR_ARCHITECTURE-}${PROCESSOR_ARCHITEW6432-}:$(uname -a)" in + *AMD64:CYGWIN* | *AMD64:MINGW*) distributionPlatform=windows-amd64 ;; + :Darwin*x86_64) distributionPlatform=darwin-amd64 ;; + :Darwin*arm64) distributionPlatform=darwin-aarch64 ;; + :Linux*x86_64*) distributionPlatform=linux-amd64 ;; + *) + echo "Cannot detect native platform for mvnd on $(uname)-$(uname -m), use pure java version" >&2 + distributionPlatform=linux-amd64 + ;; + esac + distributionUrl="${distributionUrl%-bin.*}-$distributionPlatform.zip" + ;; +maven-mvnd-*) MVN_CMD=mvnd.sh _MVNW_REPO_PATTERN=/maven/mvnd/ ;; +*) MVN_CMD="mvn${scriptName#mvnw}" _MVNW_REPO_PATTERN=/org/apache/maven/ ;; +esac + +# apply MVNW_REPOURL and calculate MAVEN_HOME +# maven home pattern: ~/.m2/wrapper/dists/{apache-maven-,maven-mvnd--}/ +[ -z "${MVNW_REPOURL-}" ] || distributionUrl="$MVNW_REPOURL$_MVNW_REPO_PATTERN${distributionUrl#*"$_MVNW_REPO_PATTERN"}" +distributionUrlName="${distributionUrl##*/}" +distributionUrlNameMain="${distributionUrlName%.*}" +distributionUrlNameMain="${distributionUrlNameMain%-bin}" +MAVEN_USER_HOME="${MAVEN_USER_HOME:-${HOME}/.m2}" +MAVEN_HOME="${MAVEN_USER_HOME}/wrapper/dists/${distributionUrlNameMain-}/$(hash_string "$distributionUrl")" + +exec_maven() { + unset MVNW_VERBOSE MVNW_USERNAME MVNW_PASSWORD MVNW_REPOURL || : + exec "$MAVEN_HOME/bin/$MVN_CMD" "$@" || die "cannot exec $MAVEN_HOME/bin/$MVN_CMD" +} + +if [ -d "$MAVEN_HOME" ]; then + verbose "found existing MAVEN_HOME at $MAVEN_HOME" + exec_maven "$@" +fi + +case "${distributionUrl-}" in +*?-bin.zip | *?maven-mvnd-?*-?*.zip) ;; +*) die "distributionUrl is not valid, must match *-bin.zip or maven-mvnd-*.zip, but found '${distributionUrl-}'" ;; +esac + +# prepare tmp dir +if TMP_DOWNLOAD_DIR="$(mktemp -d)" && [ -d "$TMP_DOWNLOAD_DIR" ]; then + clean() { rm -rf -- "$TMP_DOWNLOAD_DIR"; } + trap clean HUP INT TERM EXIT +else + die "cannot create temp dir" +fi + +mkdir -p -- "${MAVEN_HOME%/*}" + +# Download and Install Apache Maven +verbose "Couldn't find MAVEN_HOME, downloading and installing it ..." +verbose "Downloading from: $distributionUrl" +verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName" + +# select .zip or .tar.gz +if ! command -v unzip >/dev/null; then + distributionUrl="${distributionUrl%.zip}.tar.gz" + distributionUrlName="${distributionUrl##*/}" +fi + +# verbose opt +__MVNW_QUIET_WGET=--quiet __MVNW_QUIET_CURL=--silent __MVNW_QUIET_UNZIP=-q __MVNW_QUIET_TAR='' +[ "${MVNW_VERBOSE-}" != true ] || __MVNW_QUIET_WGET='' __MVNW_QUIET_CURL='' __MVNW_QUIET_UNZIP='' __MVNW_QUIET_TAR=v + +# normalize http auth +case "${MVNW_PASSWORD:+has-password}" in +'') MVNW_USERNAME='' MVNW_PASSWORD='' ;; +has-password) [ -n "${MVNW_USERNAME-}" ] || MVNW_USERNAME='' MVNW_PASSWORD='' ;; +esac + +if [ -z "${MVNW_USERNAME-}" ] && command -v wget >/dev/null; then + verbose "Found wget ... using wget" + wget ${__MVNW_QUIET_WGET:+"$__MVNW_QUIET_WGET"} "$distributionUrl" -O "$TMP_DOWNLOAD_DIR/$distributionUrlName" || die "wget: Failed to fetch $distributionUrl" +elif [ -z "${MVNW_USERNAME-}" ] && command -v curl >/dev/null; then + verbose "Found curl ... using curl" + curl ${__MVNW_QUIET_CURL:+"$__MVNW_QUIET_CURL"} -f -L -o "$TMP_DOWNLOAD_DIR/$distributionUrlName" "$distributionUrl" || die "curl: Failed to fetch $distributionUrl" +elif set_java_home; then + verbose "Falling back to use Java to download" + javaSource="$TMP_DOWNLOAD_DIR/Downloader.java" + targetZip="$TMP_DOWNLOAD_DIR/$distributionUrlName" + cat >"$javaSource" <<-END + public class Downloader extends java.net.Authenticator + { + protected java.net.PasswordAuthentication getPasswordAuthentication() + { + return new java.net.PasswordAuthentication( System.getenv( "MVNW_USERNAME" ), System.getenv( "MVNW_PASSWORD" ).toCharArray() ); + } + public static void main( String[] args ) throws Exception + { + setDefault( new Downloader() ); + java.nio.file.Files.copy( java.net.URI.create( args[0] ).toURL().openStream(), java.nio.file.Paths.get( args[1] ).toAbsolutePath().normalize() ); + } + } + END + # For Cygwin/MinGW, switch paths to Windows format before running javac and java + verbose " - Compiling Downloader.java ..." + "$(native_path "$JAVACCMD")" "$(native_path "$javaSource")" || die "Failed to compile Downloader.java" + verbose " - Running Downloader.java ..." + "$(native_path "$JAVACMD")" -cp "$(native_path "$TMP_DOWNLOAD_DIR")" Downloader "$distributionUrl" "$(native_path "$targetZip")" +fi + +# If specified, validate the SHA-256 sum of the Maven distribution zip file +if [ -n "${distributionSha256Sum-}" ]; then + distributionSha256Result=false + if [ "$MVN_CMD" = mvnd.sh ]; then + echo "Checksum validation is not supported for maven-mvnd." >&2 + echo "Please disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2 + exit 1 + elif command -v sha256sum >/dev/null; then + if echo "$distributionSha256Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | sha256sum -c - >/dev/null 2>&1; then + distributionSha256Result=true + fi + elif command -v shasum >/dev/null; then + if echo "$distributionSha256Sum $TMP_DOWNLOAD_DIR/$distributionUrlName" | shasum -a 256 -c >/dev/null 2>&1; then + distributionSha256Result=true + fi + else + echo "Checksum validation was requested but neither 'sha256sum' or 'shasum' are available." >&2 + echo "Please install either command, or disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." >&2 + exit 1 + fi + if [ $distributionSha256Result = false ]; then + echo "Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised." >&2 + echo "If you updated your Maven version, you need to update the specified distributionSha256Sum property." >&2 + exit 1 + fi +fi + +# unzip and move +if command -v unzip >/dev/null; then + unzip ${__MVNW_QUIET_UNZIP:+"$__MVNW_QUIET_UNZIP"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -d "$TMP_DOWNLOAD_DIR" || die "failed to unzip" +else + tar xzf${__MVNW_QUIET_TAR:+"$__MVNW_QUIET_TAR"} "$TMP_DOWNLOAD_DIR/$distributionUrlName" -C "$TMP_DOWNLOAD_DIR" || die "failed to untar" +fi + +# Find the actual extracted directory name (handles snapshots where filename != directory name) +actualDistributionDir="" + +# First try the expected directory name (for regular distributions) +if [ -d "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain" ]; then + if [ -f "$TMP_DOWNLOAD_DIR/$distributionUrlNameMain/bin/$MVN_CMD" ]; then + actualDistributionDir="$distributionUrlNameMain" + fi +fi + +# If not found, search for any directory with the Maven executable (for snapshots) +if [ -z "$actualDistributionDir" ]; then + # enable globbing to iterate over items + set +f + for dir in "$TMP_DOWNLOAD_DIR"/*; do + if [ -d "$dir" ]; then + if [ -f "$dir/bin/$MVN_CMD" ]; then + actualDistributionDir="$(basename "$dir")" + break + fi + fi + done + set -f +fi + +if [ -z "$actualDistributionDir" ]; then + verbose "Contents of $TMP_DOWNLOAD_DIR:" + verbose "$(ls -la "$TMP_DOWNLOAD_DIR")" + die "Could not find Maven distribution directory in extracted archive" +fi + +verbose "Found extracted Maven distribution directory: $actualDistributionDir" +printf %s\\n "$distributionUrl" >"$TMP_DOWNLOAD_DIR/$actualDistributionDir/mvnw.url" +mv -- "$TMP_DOWNLOAD_DIR/$actualDistributionDir" "$MAVEN_HOME" || [ -d "$MAVEN_HOME" ] || die "fail to move MAVEN_HOME" + +clean || : +exec_maven "$@" diff --git a/mvnw.cmd b/mvnw.cmd new file mode 100644 index 0000000..92450f9 --- /dev/null +++ b/mvnw.cmd @@ -0,0 +1,189 @@ +<# : batch portion +@REM ---------------------------------------------------------------------------- +@REM Licensed to the Apache Software Foundation (ASF) under one +@REM or more contributor license agreements. See the NOTICE file +@REM distributed with this work for additional information +@REM regarding copyright ownership. The ASF licenses this file +@REM to you under the Apache License, Version 2.0 (the +@REM "License"); you may not use this file except in compliance +@REM with the License. You may obtain a copy of the License at +@REM +@REM http://www.apache.org/licenses/LICENSE-2.0 +@REM +@REM Unless required by applicable law or agreed to in writing, +@REM software distributed under the License is distributed on an +@REM "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +@REM KIND, either express or implied. See the License for the +@REM specific language governing permissions and limitations +@REM under the License. +@REM ---------------------------------------------------------------------------- + +@REM ---------------------------------------------------------------------------- +@REM Apache Maven Wrapper startup batch script, version 3.3.4 +@REM +@REM Optional ENV vars +@REM MVNW_REPOURL - repo url base for downloading maven distribution +@REM MVNW_USERNAME/MVNW_PASSWORD - user and password for downloading maven +@REM MVNW_VERBOSE - true: enable verbose log; others: silence the output +@REM ---------------------------------------------------------------------------- + +@IF "%__MVNW_ARG0_NAME__%"=="" (SET __MVNW_ARG0_NAME__=%~nx0) +@SET __MVNW_CMD__= +@SET __MVNW_ERROR__= +@SET __MVNW_PSMODULEP_SAVE=%PSModulePath% +@SET PSModulePath= +@FOR /F "usebackq tokens=1* delims==" %%A IN (`powershell -noprofile "& {$scriptDir='%~dp0'; $script='%__MVNW_ARG0_NAME__%'; icm -ScriptBlock ([Scriptblock]::Create((Get-Content -Raw '%~f0'))) -NoNewScope}"`) DO @( + IF "%%A"=="MVN_CMD" (set __MVNW_CMD__=%%B) ELSE IF "%%B"=="" (echo %%A) ELSE (echo %%A=%%B) +) +@SET PSModulePath=%__MVNW_PSMODULEP_SAVE% +@SET __MVNW_PSMODULEP_SAVE= +@SET __MVNW_ARG0_NAME__= +@SET MVNW_USERNAME= +@SET MVNW_PASSWORD= +@IF NOT "%__MVNW_CMD__%"=="" ("%__MVNW_CMD__%" %*) +@echo Cannot start maven from wrapper >&2 && exit /b 1 +@GOTO :EOF +: end batch / begin powershell #> + +$ErrorActionPreference = "Stop" +if ($env:MVNW_VERBOSE -eq "true") { + $VerbosePreference = "Continue" +} + +# calculate distributionUrl, requires .mvn/wrapper/maven-wrapper.properties +$distributionUrl = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionUrl +if (!$distributionUrl) { + Write-Error "cannot read distributionUrl property in $scriptDir/.mvn/wrapper/maven-wrapper.properties" +} + +switch -wildcard -casesensitive ( $($distributionUrl -replace '^.*/','') ) { + "maven-mvnd-*" { + $USE_MVND = $true + $distributionUrl = $distributionUrl -replace '-bin\.[^.]*$',"-windows-amd64.zip" + $MVN_CMD = "mvnd.cmd" + break + } + default { + $USE_MVND = $false + $MVN_CMD = $script -replace '^mvnw','mvn' + break + } +} + +# apply MVNW_REPOURL and calculate MAVEN_HOME +# maven home pattern: ~/.m2/wrapper/dists/{apache-maven-,maven-mvnd--}/ +if ($env:MVNW_REPOURL) { + $MVNW_REPO_PATTERN = if ($USE_MVND -eq $False) { "/org/apache/maven/" } else { "/maven/mvnd/" } + $distributionUrl = "$env:MVNW_REPOURL$MVNW_REPO_PATTERN$($distributionUrl -replace "^.*$MVNW_REPO_PATTERN",'')" +} +$distributionUrlName = $distributionUrl -replace '^.*/','' +$distributionUrlNameMain = $distributionUrlName -replace '\.[^.]*$','' -replace '-bin$','' + +$MAVEN_M2_PATH = "$HOME/.m2" +if ($env:MAVEN_USER_HOME) { + $MAVEN_M2_PATH = "$env:MAVEN_USER_HOME" +} + +if (-not (Test-Path -Path $MAVEN_M2_PATH)) { + New-Item -Path $MAVEN_M2_PATH -ItemType Directory | Out-Null +} + +$MAVEN_WRAPPER_DISTS = $null +if ((Get-Item $MAVEN_M2_PATH).Target[0] -eq $null) { + $MAVEN_WRAPPER_DISTS = "$MAVEN_M2_PATH/wrapper/dists" +} else { + $MAVEN_WRAPPER_DISTS = (Get-Item $MAVEN_M2_PATH).Target[0] + "/wrapper/dists" +} + +$MAVEN_HOME_PARENT = "$MAVEN_WRAPPER_DISTS/$distributionUrlNameMain" +$MAVEN_HOME_NAME = ([System.Security.Cryptography.SHA256]::Create().ComputeHash([byte[]][char[]]$distributionUrl) | ForEach-Object {$_.ToString("x2")}) -join '' +$MAVEN_HOME = "$MAVEN_HOME_PARENT/$MAVEN_HOME_NAME" + +if (Test-Path -Path "$MAVEN_HOME" -PathType Container) { + Write-Verbose "found existing MAVEN_HOME at $MAVEN_HOME" + Write-Output "MVN_CMD=$MAVEN_HOME/bin/$MVN_CMD" + exit $? +} + +if (! $distributionUrlNameMain -or ($distributionUrlName -eq $distributionUrlNameMain)) { + Write-Error "distributionUrl is not valid, must end with *-bin.zip, but found $distributionUrl" +} + +# prepare tmp dir +$TMP_DOWNLOAD_DIR_HOLDER = New-TemporaryFile +$TMP_DOWNLOAD_DIR = New-Item -Itemtype Directory -Path "$TMP_DOWNLOAD_DIR_HOLDER.dir" +$TMP_DOWNLOAD_DIR_HOLDER.Delete() | Out-Null +trap { + if ($TMP_DOWNLOAD_DIR.Exists) { + try { Remove-Item $TMP_DOWNLOAD_DIR -Recurse -Force | Out-Null } + catch { Write-Warning "Cannot remove $TMP_DOWNLOAD_DIR" } + } +} + +New-Item -Itemtype Directory -Path "$MAVEN_HOME_PARENT" -Force | Out-Null + +# Download and Install Apache Maven +Write-Verbose "Couldn't find MAVEN_HOME, downloading and installing it ..." +Write-Verbose "Downloading from: $distributionUrl" +Write-Verbose "Downloading to: $TMP_DOWNLOAD_DIR/$distributionUrlName" + +$webclient = New-Object System.Net.WebClient +if ($env:MVNW_USERNAME -and $env:MVNW_PASSWORD) { + $webclient.Credentials = New-Object System.Net.NetworkCredential($env:MVNW_USERNAME, $env:MVNW_PASSWORD) +} +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +$webclient.DownloadFile($distributionUrl, "$TMP_DOWNLOAD_DIR/$distributionUrlName") | Out-Null + +# If specified, validate the SHA-256 sum of the Maven distribution zip file +$distributionSha256Sum = (Get-Content -Raw "$scriptDir/.mvn/wrapper/maven-wrapper.properties" | ConvertFrom-StringData).distributionSha256Sum +if ($distributionSha256Sum) { + if ($USE_MVND) { + Write-Error "Checksum validation is not supported for maven-mvnd. `nPlease disable validation by removing 'distributionSha256Sum' from your maven-wrapper.properties." + } + Import-Module $PSHOME\Modules\Microsoft.PowerShell.Utility -Function Get-FileHash + if ((Get-FileHash "$TMP_DOWNLOAD_DIR/$distributionUrlName" -Algorithm SHA256).Hash.ToLower() -ne $distributionSha256Sum) { + Write-Error "Error: Failed to validate Maven distribution SHA-256, your Maven distribution might be compromised. If you updated your Maven version, you need to update the specified distributionSha256Sum property." + } +} + +# unzip and move +Expand-Archive "$TMP_DOWNLOAD_DIR/$distributionUrlName" -DestinationPath "$TMP_DOWNLOAD_DIR" | Out-Null + +# Find the actual extracted directory name (handles snapshots where filename != directory name) +$actualDistributionDir = "" + +# First try the expected directory name (for regular distributions) +$expectedPath = Join-Path "$TMP_DOWNLOAD_DIR" "$distributionUrlNameMain" +$expectedMvnPath = Join-Path "$expectedPath" "bin/$MVN_CMD" +if ((Test-Path -Path $expectedPath -PathType Container) -and (Test-Path -Path $expectedMvnPath -PathType Leaf)) { + $actualDistributionDir = $distributionUrlNameMain +} + +# If not found, search for any directory with the Maven executable (for snapshots) +if (!$actualDistributionDir) { + Get-ChildItem -Path "$TMP_DOWNLOAD_DIR" -Directory | ForEach-Object { + $testPath = Join-Path $_.FullName "bin/$MVN_CMD" + if (Test-Path -Path $testPath -PathType Leaf) { + $actualDistributionDir = $_.Name + } + } +} + +if (!$actualDistributionDir) { + Write-Error "Could not find Maven distribution directory in extracted archive" +} + +Write-Verbose "Found extracted Maven distribution directory: $actualDistributionDir" +Rename-Item -Path "$TMP_DOWNLOAD_DIR/$actualDistributionDir" -NewName $MAVEN_HOME_NAME | Out-Null +try { + Move-Item -Path "$TMP_DOWNLOAD_DIR/$MAVEN_HOME_NAME" -Destination $MAVEN_HOME_PARENT | Out-Null +} catch { + if (! (Test-Path -Path "$MAVEN_HOME" -PathType Container)) { + Write-Error "fail to move MAVEN_HOME" + } +} finally { + try { Remove-Item $TMP_DOWNLOAD_DIR -Recurse -Force | Out-Null } + catch { Write-Warning "Cannot remove $TMP_DOWNLOAD_DIR" } +} + +Write-Output "MVN_CMD=$MAVEN_HOME/bin/$MVN_CMD" diff --git a/pom.xml b/pom.xml index 7cde8f2..397073f 100644 --- a/pom.xml +++ b/pom.xml @@ -3,7 +3,13 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 - no.spk + + org.springframework.boot + spring-boot-starter-parent + 3.5.7 + + + no.spk.felles felles-openapi-customizer-lib 0.0.1-SNAPSHOT @@ -21,10 +27,76 @@ - 25 + 21 + + + + + 2.2.40 + 2.1.35 + 5.9.1 + + + + + + org.jetbrains.kotlin + kotlin-stdlib + + + ch.qos.logback + logback-classic + test + + + io.swagger.core.v3 + swagger-core-jakarta + ${swagger-core.version} + runtime + + + io.swagger.core.v3 + swagger-models-jakarta + ${swagger-core.version} + + + + io.swagger.parser.v3 + swagger-parser-v3 + ${swagger-parser-v3.version} + + + io.swagger.core.v3 + swagger-core + + + io.swagger.core.v3 + swagger-models + + + + + org.junit.jupiter + junit-jupiter-api + test + + + io.kotest + kotest-assertions-core-jvm + ${kotest.version} + test + + + io.kotest + kotest-assertions-shared-jvm + ${kotest.version} + test + @@ -33,5 +105,43 @@ https://maven.pkg.github.com/statens-pensjonskasse/* - + + ${project.basedir}/src/main/kotlin + ${project.basedir}/src/test/kotlin + + + org.apache.maven.plugins + maven-dependency-plugin + + + + analyze-only + + + true + true + ch.qos.logback:logback-classic + org.jetbrains:annotations + + + + + + org.jetbrains.kotlin + kotlin-maven-plugin + + + org.apache.maven.plugins + maven-source-plugin + + + + jar-no-fork + + + + + + + diff --git a/src/main/kotlin/no/spk/felles/openapi/OpenAPICustomizer.kt b/src/main/kotlin/no/spk/felles/openapi/OpenAPICustomizer.kt new file mode 100644 index 0000000..dfa8337 --- /dev/null +++ b/src/main/kotlin/no/spk/felles/openapi/OpenAPICustomizer.kt @@ -0,0 +1,161 @@ +package no.spk.felles.openapi + +import io.swagger.v3.oas.models.OpenAPI +import io.swagger.v3.oas.models.media.StringSchema +import io.swagger.v3.oas.models.parameters.HeaderParameter +import io.swagger.v3.oas.models.security.SecurityRequirement +import io.swagger.v3.oas.models.security.SecurityScheme +import io.swagger.v3.parser.OpenAPIV3Parser +import java.io.FileNotFoundException + +/** + * Takes an OpenAPI specification and customizes all paths with the standard + * security scheme and headers typically used in SPK. + * + * These headers are normally omitted from the OpenAPI specification for + * practical purposes and provided to the client and consumed by the server + * using implicit infrastructure libraries such as `felles-outbound-lib`. This + * class allows adding these headers back in, in order for the server to show a + * complete specification using SwaggerUI. + * + * There are two standard security schemes typically supported in SPK: + * 1. Token based authentication using a security token. + * 2. Basic authentication using the employee's username and password. + * + * If [customizeWithSecuritySchemes] is `true`, both are added. + * + * There are three standard headers supported in SPK: + * 1. `X-Application-Id` which contains the caller's application identity. + * 1. `X-Correlation-Id` which correlates the invocation across systems. + * 1. `X-Request-Origin` which contains the origin's application identity. + * + * If [customizeWithStandardHeaders] is `true`, all three are added. + * + * @param customizeWithSecuritySchemes if security schemes should be added + * @param customizeWithStandardHeaders if standard headers should be added + */ +class OpenAPICustomizer( + private val customizeWithSecuritySchemes: Boolean = true, + private val customizeWithStandardHeaders: Boolean = true, +) { + + /** + * Takes the filename of an OpenAPI specification on classpath as input, + * reads the file, customizes it with the given security schemes and + * headers, and returns it as an [OpenAPI] object. + * + * The [OpenAPI] object can be provided to Spring as a `@Bean` in order for + * documentation providers such as Springdoc to show the specification on + * the server using SwaggerUI. + * + * ```kotlin + * @Bean + * fun createOpenAPI() { + * val customizer = OpenAPICustomizer( + * customizeWithSecuritySchemes = true, + * customizeWithStandardHeaders = true, + * ) + * return customizer.readAndCustomizeOpenAPI("/openapi/openapi.yaml") + * } + * ``` + * + * Note that the above requires the OpenAPI specification to be unpacked + * into `/openapi/openapi.yaml` on the classpath. + * + * This is well-suited for OpenAPI specifications written contract-first, + * where the specification is available as a file. + * + * If using Springdoc, it is also advisable to disable scanning of packages + * adding `springdoc.packages-to-scan=none` to Spring Boot's configuration, + * otherwise annotated resources might show up twice in the specification. + * + * @param openApiYamlFilenameOnClasspath filename of YAML file containing OpenAPI specification on classpath + * @return read and customized OpenAPI object + */ + fun readAndCustomizeOpenAPI(openApiYamlFilenameOnClasspath: String): OpenAPI { + val api = OpenAPIV3Parser().read(openApiYamlFilenameOnClasspath) + ?: throw FileNotFoundException("Could not read OpenAPI specification in file $openApiYamlFilenameOnClasspath on classpath") + return customizeOpenAPI(api) + } + + /** + * Customizes an existing OpenAPI specification with the given security + * schemes and headers. + * + * The [io.swagger.v3.oas.models.OpenAPI] object can be provided to Spring as a `@Bean` in order for + * documentation providers such as Springdoc to show the specification on + * the server using SwaggerUI. + * + * ```kotlin + * @Bean + * fun createOpenAPI() { + * val customizer = OpenAPICustomizer( + * customizeWithSecuritySchemes = true, + * customizeWithStandardHeaders = true, + * ) + * val generatedOpenAPI = OpenAPI() + * return customizer.customizeOpenAPI(generatedOpenAPI) + * } + * ``` + * + * This is well-suited for OpenAPI specifications that are generated from + * annotated source code, after which these customizations are applied. + * + * @return customized OpenAPI object + */ + fun customizeOpenAPI(api: OpenAPI): OpenAPI { + if (customizeWithSecuritySchemes) { + api.addSecurityItem( + SecurityRequirement() + .addList("SpkToken") + .addList("BasicAuth") + ) + api.components + .addSecuritySchemes( + "SpkToken", SecurityScheme() + .type(SecurityScheme.Type.APIKEY) + .`in`(SecurityScheme.In.HEADER) + .name("Authorization") + .description("De fleste kall mellom tjenester i SPK bruker et autentiseringstoken for å autentisere kallet i test og produksjon.") + ) + .addSecuritySchemes( + "BasicAuth", SecurityScheme() + .type(SecurityScheme.Type.HTTP) + .scheme("basic") + .description("Du kan også bruke ditt eget brukernavn og passord for å autentisere kallet i test. Dette funker ikke i produksjon, der kun tokenbasert autentisering er tillatt.") + ) + } + if (customizeWithStandardHeaders) { + api.components + .addParameters( + "xApplicationId", HeaderParameter() + .name("X-Application-Id") + .required(true) + .schema(StringSchema()) + .example("SwaggerUI") + ) + .addParameters( + "xCorrelationId", HeaderParameter() + .name("X-Correlation-Id") + .required(true) + .schema(StringSchema()) + .example("f8c0d93c-8761-4d35-9b4a-51ac9d12c319") + ) + .addParameters( + "xRequestOrigin", HeaderParameter() + .name("X-Request-Origin") + .required(true) + .schema(StringSchema()) + .example("SwaggerUI") + ) + api.paths.forEach { (_, path) -> + path.readOperations().forEach { operation -> + operation.addParametersItem(HeaderParameter().`$ref`("#/components/parameters/xApplicationId")) + operation.addParametersItem(HeaderParameter().`$ref`("#/components/parameters/xCorrelationId")) + operation.addParametersItem(HeaderParameter().`$ref`("#/components/parameters/xRequestOrigin")) + } + } + } + return api + } +} diff --git a/src/test/kotlin/no/spk/felles/openapi/OpenAPICustomizerTest.kt b/src/test/kotlin/no/spk/felles/openapi/OpenAPICustomizerTest.kt new file mode 100644 index 0000000..310e16f --- /dev/null +++ b/src/test/kotlin/no/spk/felles/openapi/OpenAPICustomizerTest.kt @@ -0,0 +1,23 @@ +package no.spk.felles.openapi + +import io.kotest.matchers.maps.shouldContainKey +import io.kotest.matchers.shouldNotBe +import org.junit.jupiter.api.Test + +internal class OpenAPICustomizerTest { + + @Test + fun `Gets a customized OpenAPI spec`() { + + val customizer = OpenAPICustomizer( + customizeWithSecuritySchemes = true, + customizeWithStandardHeaders = true, + ) + val api = customizer.readAndCustomizeOpenAPI("/openapi.yaml") + api shouldNotBe null + + val (first) = api.security + first.shouldContainKey("SpkToken") + first.shouldContainKey("BasicAuth") + } +} \ No newline at end of file diff --git a/src/test/resources/logback-test.xml b/src/test/resources/logback-test.xml new file mode 100644 index 0000000..3a1f749 --- /dev/null +++ b/src/test/resources/logback-test.xml @@ -0,0 +1,11 @@ + + + + + %d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %mdc - %msg%n%ex + + + + + + diff --git a/src/test/resources/openapi.yaml b/src/test/resources/openapi.yaml new file mode 100644 index 0000000..08f30a5 --- /dev/null +++ b/src/test/resources/openapi.yaml @@ -0,0 +1,62 @@ +openapi: 3.0.2 +info: + title: petshop-ws-api + description: OpenAPI specification for petshop-ws. + version: 1.0.0 +servers: + - url: /api +tags: + - name: pet + description: A cozy little companion. +paths: + /pets: + post: + tags: + - pet + operationId: createPet + requestBody: + content: + application/json: + schema: + $ref: '#/components/schemas/Pet' + required: true + responses: + '200': + description: Pet created. + content: + application/json: + schema: + $ref: '#/components/schemas/Pet' + /pets/{name}: + get: + tags: + - pet + operationId: getPet + parameters: + - name: name + in: path + required: true + schema: + type: string + example: 'Mouse' + responses: + '200': + description: Pet fetched. + content: + application/json: + schema: + $ref: '#/components/schemas/Pet' +components: + schemas: + Pet: + type: object + properties: + name: + type: string + example: 'Mouse' + color: + type: string + example: 'Pink' + favoriteFood: + type: string + example: 'Cheese'