v4.1.2

gematik · May 27, 2024 · b5aed74 · b5aed74
1 parent 0ff5b6d
commit b5aed74
Show file tree

Hide file tree

Showing 20 changed files with 422 additions and 208 deletions.
diff --git a/ReleaseNotes.md b/ReleaseNotes.md
@@ -1,3 +1,12 @@
+# Release 4.1.2
+
+- update dependencies
+- improve logging (line numbers)
+- remove parent pom from testsuite to avoid dependency conflicts
+- add local redirect_uri to entity statement
+- refactor keys
+- implements https://github.com/gematik/app-gemRAS/issues/6
+
 # Release 4.0.1
 
 - switch to docker base image eclipse-temurin:17-jre

diff --git a/gra-coverage-report/pom.xml b/gra-coverage-report/pom.xml
@@ -6,7 +6,7 @@
   <parent>
     <groupId>de.gematik.idp</groupId>
     <artifactId>gras-global</artifactId>
-    <version>4.0.1</version>
+    <version>4.1.2</version>
     <relativePath>../pom.xml</relativePath>
   </parent>
 

diff --git a/gra-server/pom.xml b/gra-server/pom.xml
@@ -2,12 +2,110 @@
 <project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns="http://maven.apache.org/POM/4.0.0"
   xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <artifactId>gras-global</artifactId>
+    <groupId>de.gematik.idp</groupId>
+    <relativePath>../pom.xml</relativePath>
+    <version>4.1.2</version>
+  </parent>
+
   <artifactId>gra-server</artifactId>
+  <version>4.1.2</version>
+  <packaging>jar</packaging>
+
+  <name>gra-server</name>
+  <description>Gematik Reference Authorization Server</description>
+
+  <properties>
+    <commit_hash>undefined</commit_hash>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <artifactId>lombok</artifactId>
+      <groupId>org.projectlombok</groupId>
+      <scope>provided</scope>
+    </dependency>
+
+    <dependency>
+      <artifactId>spring-boot-starter-actuator</artifactId>
+      <groupId>org.springframework.boot</groupId>
+    </dependency>
+    <dependency>
+      <artifactId>spring-boot-starter-jersey</artifactId>
+      <groupId>org.springframework.boot</groupId>
+    </dependency>
+    <dependency>
+      <artifactId>spring-boot-starter-validation</artifactId>
+      <groupId>org.springframework.boot</groupId>
+    </dependency>
+    <dependency>
+      <artifactId>spring-boot-configuration-processor</artifactId>
+      <groupId>org.springframework.boot</groupId>
+      <optional>true</optional>
+    </dependency>
+    <dependency>
+      <artifactId>spring-boot-starter-test</artifactId>
+      <groupId>org.springframework.boot</groupId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <artifactId>mockito-core</artifactId>
+      <groupId>org.mockito</groupId>
+      <version>5.12.0</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <artifactId>mockserver-spring-test-listener</artifactId>
+      <groupId>org.mock-server</groupId>
+      <version>5.15.0</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <artifactId>idp-commons</artifactId>
+      <groupId>de.gematik.idp</groupId>
+    </dependency>
+    <dependency>
+      <artifactId>spring-boot-starter-web</artifactId>
+      <groupId>org.springframework.boot</groupId>
+    </dependency>
+    <dependency>
+      <artifactId>spring-webmvc</artifactId>
+      <groupId>org.springframework</groupId>
+    </dependency>
+    <dependency>
+      <artifactId>unirest-java</artifactId>
+      <groupId>com.konghq</groupId>
+    </dependency>
+    <dependency>
+      <artifactId>jakarta.validation-api</artifactId>
+      <groupId>jakarta.validation</groupId>
+    </dependency>
+    <dependency>
+      <artifactId>jakarta.annotation-api</artifactId>
+      <groupId>jakarta.annotation</groupId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-slf4j2-impl</artifactId>
+    </dependency>
+    <dependency>
+      <artifactId>log4j-api</artifactId>
+      <groupId>org.apache.logging.log4j</groupId>
+    </dependency>
+    <dependency>
+      <artifactId>log4j-core</artifactId>
+      <groupId>org.apache.logging.log4j</groupId>
+    </dependency>
+  </dependencies>
 
   <build>
     <plugins>
       <plugin>
         <artifactId>spring-boot-maven-plugin</artifactId>
+        <version>${version.spring-boot-maven-plugin}</version>
         <configuration>
           <excludes>
             <exclude>
@@ -85,102 +183,4 @@
     </plugins>
   </build>
 
-  <dependencies>
-    <dependency>
-      <artifactId>lombok</artifactId>
-      <groupId>org.projectlombok</groupId>
-      <scope>provided</scope>
-    </dependency>
-
-    <dependency>
-      <artifactId>spring-boot-starter-actuator</artifactId>
-      <groupId>org.springframework.boot</groupId>
-    </dependency>
-    <dependency>
-      <artifactId>spring-boot-starter-jersey</artifactId>
-      <groupId>org.springframework.boot</groupId>
-    </dependency>
-    <dependency>
-      <artifactId>spring-boot-starter-validation</artifactId>
-      <groupId>org.springframework.boot</groupId>
-    </dependency>
-    <dependency>
-      <artifactId>spring-boot-configuration-processor</artifactId>
-      <groupId>org.springframework.boot</groupId>
-      <optional>true</optional>
-    </dependency>
-    <dependency>
-      <artifactId>spring-boot-starter-test</artifactId>
-      <groupId>org.springframework.boot</groupId>
-      <scope>test</scope>
-    </dependency>
-    <dependency>
-      <artifactId>mockito-core</artifactId>
-      <groupId>org.mockito</groupId>
-      <version>5.11.0</version>
-    </dependency>
-    <dependency>
-      <artifactId>mockserver-spring-test-listener</artifactId>
-      <groupId>org.mock-server</groupId>
-      <version>5.15.0</version>
-    </dependency>
-    <dependency>
-      <artifactId>idp-commons</artifactId>
-      <groupId>de.gematik.idp</groupId>
-    </dependency>
-    <dependency>
-      <artifactId>idp-test</artifactId>
-      <groupId>de.gematik.idp</groupId>
-      <scope>test</scope>
-    </dependency>
-    <dependency>
-      <artifactId>spring-boot-starter-web</artifactId>
-      <groupId>org.springframework.boot</groupId>
-    </dependency>
-    <dependency>
-      <artifactId>spring-webmvc</artifactId>
-      <groupId>org.springframework</groupId>
-    </dependency>
-    <dependency>
-      <artifactId>unirest-java</artifactId>
-      <groupId>com.konghq</groupId>
-    </dependency>
-    <dependency>
-      <artifactId>jakarta.validation-api</artifactId>
-      <groupId>jakarta.validation</groupId>
-    </dependency>
-    <dependency>
-      <artifactId>jakarta.annotation-api</artifactId>
-      <groupId>jakarta.annotation</groupId>
-    </dependency>
-    <dependency>
-      <artifactId>log4j-api</artifactId>
-      <groupId>org.apache.logging.log4j</groupId>
-    </dependency>
-    <dependency>
-      <artifactId>log4j-core</artifactId>
-      <groupId>org.apache.logging.log4j</groupId>
-    </dependency>
-    <dependency>
-      <artifactId>log4j-slf4j2-impl</artifactId>
-      <groupId>org.apache.logging.log4j</groupId>
-    </dependency>
-  </dependencies>
-  <description>Gematik Reference Authorization Server</description>
-  <modelVersion>4.0.0</modelVersion>
-  <name>gra-server</name>
-
-  <parent>
-    <artifactId>gras-global</artifactId>
-    <groupId>de.gematik.idp</groupId>
-    <relativePath>../pom.xml</relativePath>
-    <version>4.0.1</version>
-  </parent>
-
-  <properties>
-    <commit_hash>undefined</commit_hash>
-  </properties>
-
-  <version>4.0.1</version>
-
 </project>
diff --git a/gra-server/src/main/java/de/gematik/idp/graserver/GraServer.java b/gra-server/src/main/java/de/gematik/idp/graserver/GraServer.java
@@ -52,9 +52,9 @@ public void setGrasLogLevel() {
     final String loglevel = fdAuthServerConfiguration.getLoglevel();
     final String loggerServer = "de.gematik.idp.graserver";
     final String loggerRequests = "org.springframework.web.filter.CommonsRequestLoggingFilter";
-    log.info("fdAuthServerConfiguration.getLoglevel(): {}", loglevel);
     Configurator.setLevel(loggerServer, loglevel);
     Configurator.setLevel(loggerRequests, loglevel);
+    log.info("fdAuthServerConfiguration: {}", fdAuthServerConfiguration);
 
     final LoggerContext loggerContext =
         LoggerContext.getContext(StackLocatorUtil.getCallerClassLoader(2), false, null);

diff --git a/gra-server/src/main/java/de/gematik/idp/graserver/KeyConfiguration.java b/gra-server/src/main/java/de/gematik/idp/graserver/KeyConfiguration.java
@@ -107,6 +107,13 @@ public Key symmetricEncryptionKey() {
         DigestUtils.sha256(fdAuthServerConfiguration.getSymmetricEncryptionKey()), "AES");
   }
 
+  @Bean
+  public PublicKey fedmasterSigKey() throws IOException {
+    return KeyUtility.readX509PublicKey(
+        ResourceReader.getFileFromResourceAsTmpFile(
+            fdAuthServerConfiguration.getFedmasterSigPubKeyFilePath()));
+  }
+
   private FederationPrivKey getFederationPrivKey(final KeyConfig keyConfiguration) {
     try {
       final PrivateKey privateKey =

diff --git a/...erver/src/main/java/de/gematik/idp/graserver/configuration/FdAuthServerConfiguration.java b/...erver/src/main/java/de/gematik/idp/graserver/configuration/FdAuthServerConfiguration.java
@@ -22,13 +22,15 @@
 import lombok.Getter;
 import lombok.NoArgsConstructor;
 import lombok.Setter;
+import lombok.ToString;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.stereotype.Component;
 
 @Component
 @ConfigurationProperties("fd-auth-server")
 @Getter
 @Setter
+@ToString
 @NoArgsConstructor
 @AllArgsConstructor
 @Builder
@@ -44,6 +46,7 @@ public class FdAuthServerConfiguration {
   private KeyConfig tlsClientPrivKeyConfig;
   private String symmetricEncryptionKey;
   private String fedmasterUrl;
+  private String fedmasterSigPubKeyFilePath;
   private String clientId;
   private String loglevel;
 }
diff --git a/gra-server/src/main/java/de/gematik/idp/graserver/services/EntityStatementBuilder.java b/gra-server/src/main/java/de/gematik/idp/graserver/services/EntityStatementBuilder.java
@@ -86,6 +86,7 @@ private Metadata getMetadata(final String serverUrl) {
             .logoUri(serverUrl + "/noLogoYet")
             .redirectUris(
                 new String[] {
+                  "http://127.0.0.1:8084/auth",
                   "https://Fachdienst007.de/client",
                   "https://redirect.testsuite.gsi",
                   "https://idpfadi.dev.gematik.solutions/auth"

diff --git a/gra-server/src/main/java/de/gematik/idp/graserver/services/EntityStmntIdpsService.java b/gra-server/src/main/java/de/gematik/idp/graserver/services/EntityStmntIdpsService.java
@@ -17,7 +17,6 @@
 package de.gematik.idp.graserver.services;
 
 import de.gematik.idp.IdpConstants;
-import de.gematik.idp.crypto.CryptoLoader;
 import de.gematik.idp.graserver.ServerUrlService;
 import de.gematik.idp.graserver.exceptions.FdAuthServerException;
 import de.gematik.idp.token.JsonWebToken;
@@ -44,6 +43,7 @@ public class EntityStmntIdpsService {
 
   private final ResourceReader resourceReader;
   private final ServerUrlService serverUrlService;
+  private final PublicKey fedmasterSigKey;
 
   /** Entity statements of Idp-Sektorals. Delivered by respective Idp-Sektoral. */
   private static final Map<String, JsonWebToken> ENTITY_STATEMENTS_IDP = new HashMap<>();
@@ -66,7 +66,7 @@ void putEntityStatementAboutIdp(final String issuer, final JsonWebToken entitySt
   }
 
   public JsonWebToken getEntityStatementIdp(final String issuer) {
-    log.info("Entitystatement for IDP [{}] requested.", issuer);
+    log.info("Entitystatement for IDP {} requested.", issuer);
     updateStatementIdpIfExpiredAndNewIsAvailable(issuer);
     return ENTITY_STATEMENTS_IDP.get(issuer);
   }
@@ -181,7 +181,8 @@ private void fetchEntityStatementAboutIdp(final String sub) {
             .asString();
     if (resp.getStatus() == HttpStatus.OK.value()) {
       final JsonWebToken entityStatementAboutIdp = new JsonWebToken(resp.getBody());
-      entityStatementAboutIdp.verify(getFedmasterSigKey());
+      log.debug("EntityStatementAboutIdp: {}", entityStatementAboutIdp.getRawString());
+      entityStatementAboutIdp.verify(fedmasterSigKey);
       ENTITY_STATEMENTS_FEDMASTER_ABOUT_IDP.put(sub, entityStatementAboutIdp);
     } else {
       log.info(resp.getBody());
@@ -196,11 +197,4 @@ private void fetchEntityStatementAboutIdp(final String sub) {
           HttpStatus.BAD_REQUEST);
     }
   }
-
-  // TODO: read from file with public key only
-  private PublicKey getFedmasterSigKey() {
-    return CryptoLoader.getCertificateFromPem(
-            resourceReader.getFileFromResourceAsBytes("cert/fedmaster-sig-TU.pem"))
-        .getPublicKey();
-  }
 }
diff --git a/gra-server/src/main/resources/application-github.yml b/gra-server/src/main/resources/application-github.yml
@@ -0,0 +1,57 @@
+fd-auth-server:
+  esSigPrivKeyConfig:
+    fileName: keys/ref-privkey.pem
+    keyId: puk_fd_sig
+    use: sig
+    addX5c: false
+  esSigPubKeyConfig:
+    fileName: keys/ref-pubkey.pem
+    keyId: puk_fd_sig
+    use: sig
+  tlsClientPrivKeyConfig:
+    fileName: classpath:cert/ref-key.p12
+    keyId: puk_tls_sig
+    use: sig
+    x5cInJwks: true
+  encPrivKeyConfig:
+    fileName: keys/ref-privkey.pem
+    keyId: puk_fd_enc
+    use: enc
+    x5cInJwks: false
+  encPubKeyConfig:
+    fileName: keys/ref-pubkey.pem
+    keyId: puk_fd_enc
+    use: enc
+  tokenSigPrivKeyConfig:
+    fileName: keys/ref-privkey.pem
+    keyId: puk_token_sig
+    use: sig
+    x5cInJwks: false
+  tokenSigPubKeyConfig:
+    fileName: keys/ref-pubkey.pem
+    keyId: puk_token_sig
+    use: sig
+  symmetricEncryptionKey: "setYourKeyHere"
+  serverUrl: "${FD_AUTH_SERVER_URL:http://127.0.0.1:8084}"
+  fedmasterUrl: "${FEDMASTER_SERVER_URL:http://127.0.0.1:8083}"
+  fedmasterSigPubKeyFilePath: "keys/ref-fedmaster-sig-pubkey.pem"
+  debug:
+    requestLogging: true
+  loglevel: debug
+server:
+  port: ${SERVER_PORT:8084}
+management:
+  server:
+    port: ${MANAGEMENT_PORT:8184}
+  endpoints:
+    web:
+      exposure:
+        include: "health"
+    enabled-by-default: false
+  endpoint:
+    health:
+      enabled: true
+    metrics:
+      enabled: true
+    logfile:
+      enabled: true