15864 Spring Cloud Gate configuration with Swagger (#16292)

auth/build.gradle.kts

@@ -21,11 +21,14 @@ dependencies {
      * Spring WebFlux was chosen for this project to be able to better handle periods of high traffic
      */
     implementation("org.springframework.boot:spring-boot-starter-webflux")
-    implementation("org.springframework.cloud:spring-cloud-gateway-webflux")
+    implementation("org.springframework.cloud:spring-cloud-starter-gateway")
     implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")
 
     runtimeOnly("com.nimbusds:oauth2-oidc-sdk:11.19.1")
 
+    // Swagger
+    implementation("org.springdoc:springdoc-openapi-starter-webflux-ui:2.6.0")
+
     testImplementation("org.springframework.boot:spring-boot-starter-test")
     testImplementation("org.springframework.security:spring-security-test")
     testImplementation("org.jetbrains.kotlin:kotlin-test-junit5")

auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/AuthApplication.kt

@@ -1,9 +1,11 @@
 package gov.cdc.prime.reportstream.auth
 
 import org.springframework.boot.autoconfigure.SpringBootApplication
+import org.springframework.boot.context.properties.ConfigurationPropertiesScan
 import org.springframework.boot.runApplication
 
 @SpringBootApplication
+@ConfigurationPropertiesScan
 class AuthApplication
 
 fun main(args: Array<String>) {

auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/AuthApplicationConstants.kt

@@ -6,9 +6,16 @@ package gov.cdc.prime.reportstream.auth
 object AuthApplicationConstants {
 
     /**
-     * All endpoints defined here
+     * All Auth service endpoints defined here
      */
     object Endpoints {
         const val HEALTHCHECK_ENDPOINT_V1 = "/api/v1/healthcheck"
     }
+
+    /**
+     * All Submissions service endpoints defined here
+     */
+    object SubmissionsEndpoints {
+        const val REPORTS_ENDPOINT_V1 = "/api/v1/reports"
+    }
 }

auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/config/ApplicationConfig.kt

@@ -1,32 +1,21 @@
 package gov.cdc.prime.reportstream.auth.config
 
+import gov.cdc.prime.reportstream.auth.model.Environment
 import org.springframework.boot.context.properties.ConfigurationProperties
-import org.springframework.boot.context.properties.EnableConfigurationProperties
+import org.springframework.boot.context.properties.bind.ConstructorBinding
 import org.springframework.context.annotation.Bean
-import org.springframework.context.annotation.Configuration
 import kotlin.time.TimeSource
 
 /**
  * Simple class to automatically read configuration from application.yml (or environment variable overrides)
  */
-@Configuration
-@EnableConfigurationProperties(ProxyConfigurationProperties::class)
-class ApplicationConfig(
-    val proxyConfig: ProxyConfigurationProperties,
+@ConfigurationProperties(prefix = "app")
+data class ApplicationConfig @ConstructorBinding constructor(
+    val environment: Environment,
 ) {
 
     @Bean
     fun timeSource(): TimeSource {
         return TimeSource.Monotonic
     }
-}
-
-@ConfigurationProperties("proxy")
-data class ProxyConfigurationProperties(
-    val pathMappings: List<ProxyPathMapping>,
-)
-
-data class ProxyPathMapping(
-    val baseUrl: String,
-    val pathPrefix: String,
-)
+}

auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/config/RouteConfig.kt

@@ -0,0 +1,27 @@
+package gov.cdc.prime.reportstream.auth.config
+
+import gov.cdc.prime.reportstream.auth.AuthApplicationConstants
+import org.springframework.cloud.gateway.route.RouteLocator
+import org.springframework.cloud.gateway.route.builder.RouteLocatorBuilder
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+
+/**
+ * Configuration class to set up route forwarding
+ */
+@Configuration
+class RouteConfig(
+    private val submissionsConfig: SubmissionsConfig,
+) {
+
+    @Bean
+    fun routes(builder: RouteLocatorBuilder): RouteLocator {
+        return builder.routes()
+            .route {
+                it
+                    .path(AuthApplicationConstants.SubmissionsEndpoints.REPORTS_ENDPOINT_V1)
+                    .uri(submissionsConfig.baseUrl)
+            }
+            .build()
+    }
+}

auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/config/SecurityConfig.kt

@@ -1,6 +1,8 @@
 package gov.cdc.prime.reportstream.auth.config
 
 import gov.cdc.prime.reportstream.auth.AuthApplicationConstants
+import gov.cdc.prime.reportstream.auth.model.Environment
+import org.apache.logging.log4j.kotlin.Logging
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
@@ -14,17 +16,27 @@ import org.springframework.security.web.server.SecurityWebFilterChain
  */
 @Configuration
 @EnableWebFluxSecurity
-class SecurityConfig {
+class SecurityConfig(
+    private val applicationConfig: ApplicationConfig,
+) : Logging {
 
     @Bean
     fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
         http
+            .csrf { it.disable() } // TODO: re-enable after 16312
             .authorizeExchange { authorize ->
                 authorize
                     // allow health endpoint without authentication
                     .pathMatchers(AuthApplicationConstants.Endpoints.HEALTHCHECK_ENDPOINT_V1).permitAll()
-                    // all other requests must be authenticated
-                    .anyExchange().authenticated()
+
+                // allow unauthenticated access to swagger on local environments
+                if (applicationConfig.environment == Environment.LOCAL) {
+                    logger.info("Allowing unauthenticated Swagger access at http://localhost:9000/swagger/ui.html")
+                    authorize.pathMatchers("/swagger/**").permitAll()
+                }
+
+                // all other requests must be authenticated
+                authorize.anyExchange().authenticated()
             }
             .oauth2ResourceServer {
                 it.opaqueToken { }

auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/config/SubmissionsConfig.kt

@@ -0,0 +1,12 @@
+package gov.cdc.prime.reportstream.auth.config
+
+import org.springframework.boot.context.properties.ConfigurationProperties
+import org.springframework.boot.context.properties.bind.ConstructorBinding
+
+/**
+ * Configuration for Submissions microservice
+ */
+@ConfigurationProperties(prefix = "submissions")
+data class SubmissionsConfig @ConstructorBinding constructor(
+    val baseUrl: String,
+)

auth/src/main/kotlin/gov/cdc/prime/reportstream/auth/model/Environment.kt

@@ -0,0 +1,10 @@
+package gov.cdc.prime.reportstream.auth.model
+
+/**
+ * All possible environments the auth app can be running
+ */
+enum class Environment {
+    LOCAL,
+    STAGING,
+    PRODUCTION,
+}

auth/src/main/resources/application.yml

@@ -1,26 +1,28 @@
 spring:
   application:
     name: "auth"
-  profiles:
-    active: local
   security:
     oauth2:
       resourceserver:
         opaquetoken: # Set client secret in SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_CLIENT_SECRET env variable
           client-id: 0oaek8tip2lhrhHce1d7
           introspection-uri: https://reportstream.oktapreview.com/oauth2/ausekaai7gUuUtHda1d7/v1/introspect
-  cloud:
-    gateway:
-      proxy:
-        sensitive: [] # pass authorization and cookie headers downstream (filtered by default)
 
 server.port: 9000
 
-proxy.pathMappings:
-  - pathPrefix: /reportstream
-    baseUrl: http://localhost:7071
-  - pathPrefix: /submissions
-    baseUrl: http://localhost:8880
+app:
+  environment: local
+
+# submissions microservice configuration
+submissions:
+  baseUrl: http://localhost:8080
+
+# Ensure these are disabled in production
+springdoc:
+  swagger-ui:
+    path: /swagger/ui.html
+  api-docs:
+    path: /swagger/api-docs
 
 #Uncomment for verbose logging
 #logging: