From f632bdd9b1bebac0460719b7de30b085e8e955ae Mon Sep 17 00:00:00 2001
From: Avgustin Marinov
Date: Wed, 4 Oct 2023 08:47:11 +0300
Subject: [PATCH] Add DDI Authentication & set authentication per group (#1444)
* Add DDI Authentication (using apikey)
* Gateway token by passing as apikey "GatewayToken: <token>"
* Target token by passing as apikey "TargetToken: <token>"
* Removed Bearer auth as not supported
* Authentication schemes are set to the correspondent groups in order to be visible only where needed
* Optional OpenAPI (with property _hawkbit.server.swagger.enabled_, by default _true_)
Signed-off-by: Marinov Avgustin
---
 .../hawkbit/rest/OpenApiConfiguration.java | 68 +++++++++++--------
 1 file changed, 41 insertions(+), 27 deletions(-)
diff --git a/hawkbit-rest/hawkbit-rest-core/src/main/java/org/eclipse/hawkbit/rest/OpenApiConfiguration.java b/hawkbit-rest/hawkbit-rest-core/src/main/java/org/eclipse/hawkbit/rest/OpenApiConfiguration.java
index 764480905..e50f0c230 100644
--- a/hawkbit-rest/hawkbit-rest-core/src/main/java/org/eclipse/hawkbit/rest/OpenApiConfiguration.java
+++ b/hawkbit-rest/hawkbit-rest-core/src/main/java/org/eclipse/hawkbit/rest/OpenApiConfiguration.java
@@ -20,38 +20,24 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 @Configuration
+@ConditionalOnProperty(
+ value="hawkbit.server.swagger.enabled",
+ havingValue = "true",
+ matchIfMissing = true)
 public class OpenApiConfiguration {
+ private static final String API_TITLE = "hawkBit REST APIs";
+ private static final String API_VERSION = "v1";
 private static final String DESCRIPTION = """
 Eclipse hawkBit™ is a domain-independent back-end framework for rolling out software updates to constrained edge devices as well as more powerful controllers and gateways connected to IP based networking infrastructure. """;
+ private static final String BASIC_AUTH_SEC_SCHEME_NAME = "Basic Authentication";
+ private static final String DDI_TOKEN_SEC_SCHEME_NAME = "DDI Target/GatewayToken Authentication";
+
 @Bean
- public OpenAPI customOpenApi() {
- final String apiTitle = "hawkBit REST APIs";
-
- final String basiAuthSecSchemeName = "basicAuth";
- final String bearerAuthenticationSchemeName = "Bearer Authentication";
-
- return new OpenAPI()
- .addSecurityItem(new SecurityRequirement().addList(basiAuthSecSchemeName))
- .addSecurityItem(new SecurityRequirement().addList(bearerAuthenticationSchemeName))
- .components(
- new Components()
- .addSecuritySchemes(basiAuthSecSchemeName,
- new SecurityScheme()
- .name(basiAuthSecSchemeName)
- .type(SecurityScheme.Type.HTTP)
- .in(SecurityScheme.In.HEADER)
- .scheme("basic")
- )
- .addSecuritySchemes(bearerAuthenticationSchemeName,
- new SecurityScheme()
- .name(bearerAuthenticationSchemeName)
- .type(SecurityScheme.Type.HTTP)
- .bearerFormat("JWT")
- .scheme("bearer")))
- .info(new Info().title(apiTitle).description(DESCRIPTION).version("v1"));
+ public OpenAPI openApi() {
+ return new OpenAPI().info(new Info().title(API_TITLE).version(API_VERSION).description(DESCRIPTION));
 }
 @Bean
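Review bot: The class-level `@ConditionalOnProperty` sets `matchIfMissing = true`, so the API description stays published unless an operator explicitly sets `hawkbit.server.swagger.enabled=false`, and nothing on the class records that default. I would add a class Javadoc along the lines of `/** OpenAPI configuration; active unless hawkbit.server.swagger.enabled is set to false. */` and mention the switch in the deployment documentation, since the published description now also names the DDI token scheme. Whether the generated documentation endpoints themselves require authentication is not visible in this hunk and is worth confirming. Minor style: `value="hawkbit.server.swagger.enabled"` lacks the spaces around `=` that `havingValue = "true"` and `matchIfMissing = true` use.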
@@ -60,9 +46,23 @@ public class OpenApiConfiguration {
 havingValue = "true",
 matchIfMissing = true)
 public GroupedOpenApi mgmtApi() {
- return GroupedOpenApi.builder()
+ return GroupedOpenApi
+ .builder()
 .group("Management API")
 .pathsToMatch("/rest/v1/**")
+ .addOpenApiCustomiser(openApi -> {
+ openApi
+ .addSecurityItem(new SecurityRequirement().addList(BASIC_AUTH_SEC_SCHEME_NAME))
+ .components(
+ openApi
+ .getComponents()
+ .addSecuritySchemes(BASIC_AUTH_SEC_SCHEME_NAME,
+ new SecurityScheme()
+ .name(BASIC_AUTH_SEC_SCHEME_NAME)
+ .type(SecurityScheme.Type.HTTP)
+ .in(SecurityScheme.In.HEADER)
+ .scheme("basic")));
+ })
 .build();
 }
@@ -72,9 +72,23 @@ public class OpenApiConfiguration {
 havingValue = "true",
 matchIfMissing = true)
 public GroupedOpenApi ddiApi() {
- return GroupedOpenApi.builder()
+ return GroupedOpenApi
+ .builder()
 .group("Direct Device Integration API")
 .pathsToMatch("/{tenant}/controller/**")
+ .addOpenApiCustomiser(openApi -> {
+ openApi
+ .addSecurityItem(new SecurityRequirement().addList(DDI_TOKEN_SEC_SCHEME_NAME))
+ .components(
+ openApi
+ .getComponents()
+ .addSecuritySchemes(DDI_TOKEN_SEC_SCHEME_NAME,
+ new SecurityScheme()
+ .name("Authorization")
+ .type(SecurityScheme.Type.APIKEY)
+ .in(SecurityScheme.In.HEADER)
+ .description("Format: (Target|Gateway)Token <token>")));
+ })
 .build();
 }
 }
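Review bot: The customiser in `mgmtApi()` dereferences `openApi.getComponents()` without a null check, while the `openApi()` bean in the first hunk no longer sets any `Components`. springdoc may initialise the components before customisers run, but that is not visible here, so a guard would make the lambda safe on its own. The same lambda shape is repeated in `ddiApi()` in the next hunk; a private helper would hold the guard once and keep each group's security scheme declaration to a single call. Both methods begin above their hunks, so their annotations are only partly shown.

```java
// in mgmtApi(); ddiApi() passes DDI_TOKEN_SEC_SCHEME_NAME and its own scheme the same way
// … unchanged: .group(...), .pathsToMatch(...) …
// basicAuthScheme: the unchanged new SecurityScheme()…scheme("basic") chain
.addOpenApiCustomiser(withSecurityScheme(BASIC_AUTH_SEC_SCHEME_NAME, basicAuthScheme))
// … unchanged: .build() …

private static OpenApiCustomiser withSecurityScheme(final String schemeName, final SecurityScheme scheme) {
    return openApi -> {
        // Do not rely on the framework having created the components container.
        if (openApi.getComponents() == null) {
            openApi.setComponents(new Components());
        }
        openApi.getComponents().addSecuritySchemes(schemeName, scheme);
        openApi.addSecurityItem(new SecurityRequirement().addList(schemeName));
    };
}
```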
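Review bot: The scheme description `"Format: (Target|Gateway)Token <token>"` in `ddiApi()` is the only place an integrator learns the header syntax, and it reads like a regular expression rather than a header value; the commit description also writes the format with a colon after the token type, which this string does not have. I would spell the value out once, e.g. `.description("Authorization header value: 'TargetToken <token>' or 'GatewayToken <token>'")`, adjusted to whichever form the DDI authentication filter actually accepts. The header name is a bare `"Authorization"` literal while the scheme names are constants; Spring's `HttpHeaders.AUTHORIZATION` would match that style. `ddiApi()` begins above the hunk.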