Chore/PRSD-NONE: mock one login endpoint

.run/local-with-auth.run.xml

@@ -0,0 +1,19 @@
+<component name="ProjectRunConfigurationManager">
+  <configuration default="false" name="local-with-auth" type="SpringBootApplicationConfigurationType" factoryName="Spring Boot">
+    <option name="ACTIVE_PROFILES" value="local,local-auth" />
+    <option name="FRAME_DEACTIVATION_UPDATE_POLICY" value="UpdateClassesAndResources" />
+    <module name="prsdb-webapp.main" />
+    <option name="SPRING_BOOT_MAIN_CLASS" value="uk.gov.communities.prsdb.webapp.PrsdbWebappApplication" />
+    <extension name="software.aws.toolkits.jetbrains.core.execution.JavaAwsConnectionExtension">
+      <option name="credential" />
+      <option name="region" />
+      <option name="useCurrentConnection" value="false" />
+    </extension>
+    <method v="2">
+      <option name="RunConfigurationTask" enabled="true" run_configuration_name="npm build" run_configuration_type="js.build_tools.npm" />
+      <option name="Make" enabled="true" />
+      <option name="RunConfigurationTask" enabled="true" run_configuration_name="local_resources_up" run_configuration_type="docker-deploy" />
+      <option name="RunConfigurationTask" enabled="true" run_configuration_name="flywayClean-local" run_configuration_type="GradleRunConfiguration" />
+    </method>
+  </configuration>
+</component>

.run/local.run.xml

@@ -1,9 +1,14 @@
 <component name="ProjectRunConfigurationManager">
   <configuration default="false" name="local" type="SpringBootApplicationConfigurationType" factoryName="Spring Boot">
-    <option name="ACTIVE_PROFILES" value="local" />
+    <option name="ACTIVE_PROFILES" value="local,local-no-auth" />
     <option name="FRAME_DEACTIVATION_UPDATE_POLICY" value="UpdateClassesAndResources" />
     <module name="prsdb-webapp.main" />
     <option name="SPRING_BOOT_MAIN_CLASS" value="uk.gov.communities.prsdb.webapp.PrsdbWebappApplication" />
+    <extension name="software.aws.toolkits.jetbrains.core.execution.JavaAwsConnectionExtension">
+      <option name="credential" />
+      <option name="region" />
+      <option name="useCurrentConnection" value="false" />
+    </extension>
     <method v="2">
       <option name="RunConfigurationTask" enabled="true" run_configuration_name="npm build" run_configuration_type="js.build_tools.npm" />
       <option name="Make" enabled="true" />

ReadMe.md

@@ -80,4 +80,17 @@ Database migrations <will be/ are> run at deployment time for all non-local depl
 the `flywayMigrate` Gradle task. When developing locally using the `local` profile the migrations will run at
 application start up. If you are using the `local` launch profile in IntelliJ, this will also run the `flywayClean` task
 before running the migrations. After the migrations have run Spring Boot will then run the SQL in `data-local.sql` to
-populate the database with seed data. 
+populate the database with seed data. 
+
+### Mock One Login Oauth2
+
+For development, we've mocked elements of the governments one login system (that the web app will be using in deployment).
+When you start the app using the `local` run configuration, this will be available, when you attempt to login. It will automatically log you in as a user that has every role - and therefore can access all pages.
+
+If you are adding new roles please add the user with the `userId` set in `MockOneLoginHelper` to that new role/table.
+
+If you need to be able to login as a user that has specific roles then you can change the `userId` in `MockOneLoginHelper` to the id from the `one_login_user` table of a user that has the permissions you want.
+
+#### Disabling the mock One Login Oauth2
+
+If you need to disable the mock to run the app with One login's integration system, you start the app using the `local-with-auth` run configuration in `.run`.

src/main/kotlin/uk/gov/communities/prsdb/webapp/config/CustomSecurityConfig.kt

@@ -33,9 +33,15 @@ class CustomSecurityConfig {
                     .permitAll()
                     .requestMatchers("/register-as-a-landlord")
                     .permitAll()
+                    .requestMatchers("/one-login-local/**")
+                    .permitAll()
                     .anyRequest()
                     .authenticated()
             }.oauth2Login(Customizer.withDefaults())
+            .csrf { requests ->
+                requests.ignoringRequestMatchers("/one-login-local/**")
+            }
+
         return http.build()
     }
 

src/main/kotlin/uk/gov/communities/prsdb/webapp/local/api/controller/MockOneLoginController.kt

@@ -0,0 +1,162 @@
+package uk.gov.communities.prsdb.webapp.local.api.controller
+
+import com.nimbusds.jose.Algorithm
+import com.nimbusds.jose.JOSEObjectType
+import com.nimbusds.jose.JWSAlgorithm
+import com.nimbusds.jose.JWSHeader
+import com.nimbusds.jose.crypto.ECDSASigner
+import com.nimbusds.jose.jwk.Curve
+import com.nimbusds.jose.jwk.ECKey
+import com.nimbusds.jose.jwk.KeyUse
+import com.nimbusds.jose.jwk.gen.ECKeyGenerator
+import com.nimbusds.jwt.JWTClaimsSet
+import com.nimbusds.jwt.SignedJWT
+import org.springframework.context.annotation.Profile
+import org.springframework.http.MediaType
+import org.springframework.http.ResponseEntity
+import org.springframework.web.bind.annotation.GetMapping
+import org.springframework.web.bind.annotation.PostMapping
+import org.springframework.web.bind.annotation.RequestMapping
+import org.springframework.web.bind.annotation.RequestParam
+import org.springframework.web.bind.annotation.RestController
+import org.springframework.web.util.UriComponentsBuilder
+import java.io.File
+import java.net.URI
+import java.time.Instant
+import java.util.Date
+import java.util.UUID
+
+@Profile("local")
+@RestController
+@RequestMapping("/one-login-local")
+class MockOneLoginController {
+    companion object {
+        val keyId = UUID.randomUUID().toString()
+
+        val ecKey = generateSecretKey()
+
+        private fun generateSecretKey(): ECKey {
+            val ecKey =
+                ECKeyGenerator(Curve.P_256)
+                    .keyUse(KeyUse.SIGNATURE)
+                    .keyID(keyId)
+                    .algorithm(Algorithm("ES256"))
+                    .generate()
+
+            return ecKey
+        }
+    }
+
+    private val userId = "urn:fdc:gov.uk:2022:UVWXY"
+
+    // These values are from One-Login's publicly available docs (https://docs.sign-in.service.gov.uk/integrate-with-integration-environment/authenticate-your-user/)
+    private val userEmail = "[email protected]"
+    private val userNumber = "01406946277"
+
+    var lastReceivedNonce: String? = null
+
+    @GetMapping("/.well-known/openid-configuration")
+    fun openidConfiguration(): String =
+        File("src/main/kotlin/uk/gov/communities/prsdb/webapp/local/api/mockOneLoginResponses/openid-configuration.json")
+            .readText(Charsets.UTF_8)
+
+    @GetMapping("/.well-known/jwks.json")
+    fun jwksJson(): String =
+        File("src/main/kotlin/uk/gov/communities/prsdb/webapp/local/api/mockOneLoginResponses/jwks.json")
+            .readText(Charsets.UTF_8)
+            .replace("keyId", keyId)
+            .replace(
+                "publicJWK_x",
+                ecKey
+                    .toPublicJWK()
+                    .x
+                    .toString(),
+            ).replace(
+                "publicJWK_y",
+                ecKey
+                    .toPublicJWK()
+                    .y
+                    .toString(),
+            )
+
+    @GetMapping("/authorize")
+    fun authorize(
+        @RequestParam response_type: String,
+        @RequestParam client_id: String,
+        @RequestParam scope: String,
+        @RequestParam state: String,
+        @RequestParam redirect_uri: String,
+        @RequestParam nonce: String,
+    ): ResponseEntity<Unit> {
+        lastReceivedNonce = nonce
+        val locationURI: URI =
+            UriComponentsBuilder
+                .newInstance()
+                .uri(URI.create(redirect_uri))
+                .query("code=SplxlOBeZQQYbYS6WxSbIA")
+                .queryParam("state", state)
+                .build()
+                .toUri()
+
+        return ResponseEntity.status(302).location(locationURI).build()
+    }
+
+    @PostMapping("/token")
+    fun token(
+        @RequestParam grant_type: String,
+        @RequestParam redirect_uri: String,
+        @RequestParam client_assertion: String,
+        @RequestParam client_assertion_type: String,
+        @RequestParam code: String,
+    ): ResponseEntity<String> {
+        val responseBody =
+            File("src/main/kotlin/uk/gov/communities/prsdb/webapp/local/api/mockOneLoginResponses/token.json")
+                .readText(Charsets.UTF_8)
+                .replace("idToken", getIdToken())
+
+        val responseBuild = ResponseEntity.ok().contentType(MediaType.APPLICATION_JSON).body(responseBody)
+
+        return responseBuild
+    }
+
+    @GetMapping("/userinfo")
+    fun userInfo(): ResponseEntity<String> {
+        val responseBody =
+            File("src/main/kotlin/uk/gov/communities/prsdb/webapp/local/api/mockOneLoginResponses/userInfo.json")
+                .readText(Charsets.UTF_8)
+                .replace("userId", userId)
+                .replace("userEmail", userEmail)
+                .replace("userNumber", userNumber)
+
+        val responseBuild = ResponseEntity.ok().contentType(MediaType.APPLICATION_JSON).body(responseBody)
+
+        return responseBuild
+    }
+
+    private fun getIdToken(): String {
+        val headerBuilder: JWSHeader.Builder =
+            JWSHeader
+                .Builder(JWSAlgorithm.ES256)
+                .type(JOSEObjectType.JWT)
+                .jwk(ecKey.toPublicJWK())
+
+        val claimSetBBuilder: JWTClaimsSet.Builder =
+            JWTClaimsSet
+                .Builder()
+                .subject(userId)
+                .audience("l0AE7SbEHrEa8QeQCGdml9KQ4bk")
+                .issuer("http://localhost:8080/one-login-local/")
+                .issueTime(Date())
+                .expirationTime(Date.from(Instant.now().plusSeconds(300)))
+                .claim("vot", "Cl.Cm")
+                .claim("nonce", lastReceivedNonce)
+                .claim("vtm", "http://localhost:8080/one-login-local/trustmark")
+                .claim("sid", "dX5xv0XgHh6yfD1xy-ss_1EDK0I")
+
+        val signedJwt = SignedJWT(headerBuilder.build(), claimSetBBuilder.build())
+
+        signedJwt.sign(ECDSASigner(ecKey))
+
+        return signedJwt.serialize()
+    }
+}

src/main/kotlin/uk/gov/communities/prsdb/webapp/local/api/mockOneLoginResponses/jwks.json

@@ -0,0 +1,14 @@
+{
+  "keys":
+  [
+    {
+      "kty": "EC",
+      "use": "sig",
+      "crv": "P-256",
+      "kid": "keyId",
+      "x": "publicJWK_x",
+      "y": "publicJWK_y",
+      "alg": "ES256"
+    }
+  ]
+}

src/main/kotlin/uk/gov/communities/prsdb/webapp/local/api/mockOneLoginResponses/openid-configuration.json

@@ -0,0 +1,71 @@
+{
+  "authorization_endpoint": "http://localhost:8080/one-login-local/authorize",
+  "token_endpoint": "http://localhost:8080/one-login-local/token",
+  "registration_endpoint": "http://localhost:8080/one-login-local/connect/register",
+  "issuer": "http://localhost:8080/one-login-local/",
+  "jwks_uri": "http://localhost:8080/one-login-local/.well-known/jwks.json",
+  "scopes_supported": [
+    "openid",
+    "email",
+    "phone",
+    "offline_access"
+  ],
+  "response_types_supported": [
+    "code"
+  ],
+  "grant_types_supported": [
+    "authorization_code"
+  ],
+  "token_endpoint_auth_methods_supported": [
+    "private_key_jwt",
+    "client_secret_post"
+  ],
+  "token_endpoint_auth_signing_alg_values_supported": [
+    "RS256",
+    "RS384",
+    "RS512",
+    "PS256",
+    "PS384",
+    "PS512"
+  ],
+  "ui_locales_supported": [
+    "en",
+    "cy"
+  ],
+  "service_documentation": "https://docs.sign-in.service.gov.uk/",
+  "op_policy_uri": "https://signin.integration.account.gov.uk/privacy-notice",
+  "op_tos_uri": "https://signin.integration.account.gov.uk/terms-and-conditions",
+  "request_parameter_supported": true,
+  "trustmarks": "http://localhost:8080/one-login-local/trustmark",
+  "subject_types_supported": [
+    "public",
+    "pairwise"
+  ],
+  "userinfo_endpoint": "http://localhost:8080/one-login-local/userinfo",
+  "end_session_endpoint": "http://localhost:8080/one-login-local/logout",
+  "id_token_signing_alg_values_supported": [
+    "ES256",
+    "RS256"
+  ],
+  "claim_types_supported": [
+    "normal"
+  ],
+  "claims_supported": [
+    "sub",
+    "email",
+    "email_verified",
+    "phone_number",
+    "phone_number_verified",
+    "wallet_subject_id",
+    "https://vocab.account.gov.uk/v1/passport",
+    "https://vocab.account.gov.uk/v1/socialSecurityRecord",
+    "https://vocab.account.gov.uk/v1/drivingPermit",
+    "https://vocab.account.gov.uk/v1/coreIdentityJWT",
+    "https://vocab.account.gov.uk/v1/address",
+    "https://vocab.account.gov.uk/v1/inheritedIdentityJWT",
+    "https://vocab.account.gov.uk/v1/returnCode"
+  ],
+  "request_uri_parameter_supported": false,
+  "backchannel_logout_supported": true,
+  "backchannel_logout_session_supported": false
+}

src/main/kotlin/uk/gov/communities/prsdb/webapp/local/api/mockOneLoginResponses/token.json

@@ -0,0 +1,6 @@
+{
+  "access_token": "SlAV32hkKG",
+  "token_type": "Bearer",
+  "expires_in": 180,
+  "id_token": "idToken"
+}

src/main/kotlin/uk/gov/communities/prsdb/webapp/local/api/mockOneLoginResponses/userInfo.json

@@ -0,0 +1,7 @@
+{
+  "sub": "userId",
+  "email": "userEmail",
+  "email_verified": true,
+  "phone_number": "userNumber",
+  "phone_number_verified": true
+}