Encapsulate auth

.github/workflows/gradle-auth.yml

@@ -0,0 +1,60 @@
+# Copyright 2023 Libre311 Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+#     http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Build And Test Auth With Gradle
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+permissions:
+  contents: read
+
+env:
+  GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: read
+      checks: write
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@v6
+      - name: Set up JDK 25
+        uses: actions/setup-java@v5
+        with:
+          java-version: '25'
+          distribution: 'temurin'
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@v5
+        with:
+          gradle-version: '9.2.1'
+      - name: Ensure Docker Client Version
+        run: echo "api.version=1.44" > "$HOME/.docker-java.properties"
+      - name: Execute Gradle build
+        run: gradle :auth:build
+      - name: Publish Test Report
+        uses: mikepenz/action-junit-report@v6
+        if: always()
+        with:
+          report_paths: 'auth/build/test-results/**/*.xml'
+          detailed_summary: true
+          include_passed: true

app/build.gradle

@@ -100,7 +100,7 @@ micronaut {
         annotations("app.*")
     }
     testResources {
-        enabled = System.getenv("MICRONAUT_TEST_RESOURCES_ENABLED") == "false" ? false : true
+        enabled = !gradle.startParameter.taskNames.any{it.endsWith(":run")}
     }
 }
 

app/docker-compose.deps.yml

@@ -11,6 +11,9 @@ services:
     environment:
       MYSQL_ROOT_PASSWORD: test
       MYSQL_DATABASE: libre311
+    configs:
+      - source: mysql-init
+        target: /docker-entrypoint-initdb.d/01-create-databases.sql
     healthcheck:
       test:
         ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u", "root", "-ptest"]
@@ -85,6 +88,11 @@ services:
         # After writing the file, start Nginx
         nginx -g 'daemon off;'
 
+configs:
+  mysql-init:
+    content: |
+      CREATE DATABASE IF NOT EXISTS unity_auth;
+
 networks:
   default:
     name: unity-network

app/src/main/java/app/ProjectAdminController.java

@@ -43,7 +43,8 @@ public ProjectAdminController(ProjectService projectService) {
 
     @Get(uris = { "{?jurisdiction_id}", ".json{?jurisdiction_id}" })
     @ExecuteOn(TaskExecutors.IO)
-    @RequiresPermissions({LIBRE311_ADMIN_VIEW_SYSTEM, LIBRE311_ADMIN_VIEW_TENANT, LIBRE311_ADMIN_VIEW_SUBTENANT})
+    @RequiresPermissions({LIBRE311_ADMIN_VIEW_SYSTEM, LIBRE311_ADMIN_VIEW_TENANT, LIBRE311_ADMIN_VIEW_SUBTENANT,
+        LIBRE311_REQUEST_VIEW_SYSTEM, LIBRE311_REQUEST_VIEW_TENANT, LIBRE311_REQUEST_VIEW_SUBTENANT})
     public List<ProjectDTO> index(@Nullable @QueryValue("jurisdiction_id") String jurisdictionId) {
         return projectService.getProjects(jurisdictionId);
     }

app/src/main/java/app/TenantAdminController.java

@@ -57,11 +57,11 @@ public JurisdictionDTO createJurisdictionRemoteHostsJson(String jurisdictionId,
         return jurisdictionService.setJurisdictionRemoteHosts(jurisdictionId, remoteHosts);
     }
 
-    @Patch(uris = {"/jurisdictions/{jurisdictionId}{?tenant_id}", "/jurisdictions/{jurisdictionId}.json{?tenant_id}"})
+    @Patch(uris = {"/jurisdictions/{jurisdictionId}{?jurisdiction_id}", "/jurisdictions/{jurisdictionId}.json{?jurisdiction_id}"})
     @ExecuteOn(TaskExecutors.IO)
-    @RequiresPermissions({LIBRE311_ADMIN_EDIT_SYSTEM, LIBRE311_ADMIN_EDIT_TENANT})
+    @RequiresPermissions({LIBRE311_ADMIN_EDIT_SYSTEM, LIBRE311_ADMIN_EDIT_TENANT, LIBRE311_ADMIN_EDIT_SUBTENANT})
     public JurisdictionDTO updateJurisdictionJson(String jurisdictionId, @Valid @Body PatchJurisdictionDTO requestDTO,
-                                             @Nullable @QueryValue("tenant_id") Long tenant_id) {
+                                             @Nullable @QueryValue("jurisdiction_id") String jurisdiction_id) {
         return jurisdictionService.updateJurisdiction(jurisdictionId, requestDTO);
     }
 }

app/src/main/java/app/security/UnityAuthClient.java

@@ -26,24 +26,24 @@
 
 import static io.micronaut.context.env.Environment.TEST;
 
-@Client(id = "auth", path = "api/")
+@Client(id = "auth")
 @Requires(notEnv = TEST)
 public interface UnityAuthClient {
-    @Post( "/hasPermission")
+    @Post("/auth/hasPermission")
     HttpResponse<HasPermissionResponse> hasPermission(@Body HasPermissionRequest requestDTO,
                                                       @Header("Authorization") String authorizationHeader);
 
-    @Post("/principal/permissions")
+    @Post("/auth/principal/permissions")
     HttpResponse<UserPermissionsResponse> getUserPermissions(
         @Body UnityAuthUserPermissionsRequest requestDTO,
         @Header("Authorization") String authorizationHeader);
 
-    @Post("/password-reset/generate")
+    @Post("/auth/password-reset/generate")
     HttpResponse<GenerateTokenResponse> generateToken(
             @Body GenerateTokenRequest request,
             @Header("X-Unity-Auth-Internal") String internalToken);
 
-    @Post("/password-reset/reset")
+    @Post("/auth/password-reset/reset")
     HttpResponse<?> resetPassword(@Body ResetPasswordRequest request,
                                   @Header("X-Unity-Auth-Internal") String internalToken);
 }

app/src/main/java/app/service/jurisdiction/JurisdictionService.java

@@ -59,7 +59,7 @@ public JurisdictionAlreadyExists(String id) {
 
     private static final Logger LOG = LoggerFactory.getLogger(JurisdictionService.class);
 
-    @Property(name = "micronaut.http.services.auth.url")
+    @Property(name = "app.auth-base-url")
     protected String authUrl;
 
     private final JurisdictionRepository jurisdictionRepository;

app/src/main/resources/application-docker.yml

@@ -1,13 +1,4 @@
 ---
-# NOTE: In the Docker environment, micronaut.http.services.auth.url is used by both
-# the libre311-api service to get user permission (see PermissionsController.java) and
-# the browser on host (it is returned to the browser by the frontend).
-# So the setup must be so that this URL is resolved correctly by both of them.
-# For example, if it is set to http://unity-auth-api:9090, the host must be able
-# to access the unity-auth-api service from port 9090 on host, and the libre311-api
-# service also must be able to access unity-auth-api using port 9090 on its container.
-# This means the container for unity-auth-api must bind port 9090 on host to port 9090
-# on the container.
 micronaut:
   http:
     services:
@@ -21,7 +12,7 @@ micronaut:
         signatures:
           jwks:
             unity:
-              url: ${AUTH_JWKS:`http://unity-auth-api:9090/keys`}
+              url: ${AUTH_JWKS:`http://unity-auth-api:9090/auth/keys`}
     redirect:
       login-success: http://localhost:3000
       login-failure: http://localhost:3000/?login-failed=true

app/src/main/resources/application-local.yml

@@ -16,7 +16,7 @@ micronaut:
         signatures:
           jwks:
             unity:
-              url: ${AUTH_JWKS:`http://localhost:9090/keys`}
+              url: ${AUTH_JWKS:`http://localhost:9090/auth/keys`}
     redirect:
       login-success: http://localhost:3000
       login-failure: http://localhost:3000/?login-failed=true

app/src/main/resources/application.yml

@@ -100,6 +100,7 @@ unity:
 app:
   service-id: ${LIBRE311_SERVICE_ID}
   base-url: ${APP_BASE_URL}
+  auth-base-url: /auth
 
   discovery:
     changeset: ${LIBRE311_DISCOVERY_CHANGESET_DATETIME:`2012-09-14T08:00:00-07:00`}

app/src/test/java/app/RootControllerTest.java

@@ -266,7 +266,7 @@ private void setupBikeLaneServiceDefinition(Jurisdiction city, ServiceGroup infr
 
     private void addValuesToAttribute(ServiceDefinitionAttribute serviceDefinitionAttribute, Set<String> values) {
         values.forEach(s -> serviceDefinitionAttribute.addAttributeValue(
-                attributeValueRepository.save(new AttributeValue(sidewalkMultiValueAttr, s))
+                attributeValueRepository.save(new AttributeValue(serviceDefinitionAttribute, s))
         ));
     }
 
@@ -377,9 +377,12 @@ public void canCreateServiceRequestWithVaryingDatatypes() {
 
         ServiceRequestDTO serviceRequestDTO = serviceRequestDTOS[0];
         assertFalse(serviceRequestDTO.getSelectedValues().isEmpty());
-        ServiceDefinitionAttributeDTO serviceDefinitionAttributeDTO = serviceRequestDTO.getSelectedValues().get(0);
-        assertNotNull(serviceDefinitionAttributeDTO.getValues());
-        assertFalse(serviceDefinitionAttributeDTO.getValues().isEmpty());
+        ServiceDefinitionAttributeDTO multiValueAttrDTO = serviceRequestDTO.getSelectedValues().stream()
+            .filter(a -> a.getId().equals(sidewalkMultiValueAttr.getId()))
+            .findFirst()
+            .orElseThrow(() -> new AssertionError("Multi-value attribute not found in response"));
+        assertNotNull(multiValueAttrDTO.getValues());
+        assertFalse(multiValueAttrDTO.getValues().isEmpty());
     }
 
     @Test
@@ -689,8 +692,8 @@ public void getJurisdictionTest() {
         JurisdictionDTO infoResponse = response.getBody().get();
         assertEquals("1", infoResponse.getJurisdictionId());
         assertEquals("jurisdiction1", infoResponse.getName());
-        // from application-test.yml's property `micronaut.http.services.auth.urls`
-        assertEquals("http://localhost:8080", infoResponse.getUnityAuthUrl());
+        // hardcoded in application.yml as the frontend-facing relative path prefix
+        assertEquals("/auth", infoResponse.getUnityAuthUrl());
         assertNotNull(infoResponse.getBounds());
         assertTrue(infoResponse.getBounds().length > 0);
     }

auth/DockerfileAPI

@@ -0,0 +1,33 @@
+# Stage 1: Build with Gradle
+FROM gradle:9-jdk25 AS builder
+WORKDIR /workspace
+
+ARG CLOUD_DB=false
+ENV UNITYAUTH_CLOUD_DB=${CLOUD_DB}
+
+# Copy Gradle config files
+COPY auth/gradle.properties auth/settings.gradle ./
+
+# Download Gradle
+RUN gradle --version --no-daemon
+
+COPY --chown=gradle:gradle ./auth .
+
+RUN gradle buildLayers --no-daemon
+
+# Stage 2: Create the final image
+FROM eclipse-temurin:25-jre
+
+WORKDIR /home/app
+
+# Micronaut 4.x layer structure
+COPY --from=builder /workspace/build/docker/main/layers/libs /home/app/libs
+COPY --from=builder /workspace/build/docker/main/layers/resources /home/app/resources
+COPY --from=builder /workspace/build/docker/main/layers/app/application.jar /home/app/application.jar
+
+RUN useradd -u 8877 unity
+# Change to non-root privilege
+USER unity
+
+EXPOSE 9090
+ENTRYPOINT ["java", "-jar", "/home/app/application.jar"]

auth/build.gradle

@@ -0,0 +1,87 @@
+plugins {
+    id("com.gradleup.shadow") version "8.3.9"
+    id("io.micronaut.application") version "4.6.1"
+    id("io.micronaut.test-resources") version "4.6.1"
+    id("io.micronaut.aot") version "4.6.1"
+}
+
+version = "0.1"
+group = "io.unityfoundation"
+
+repositories {
+    mavenCentral()
+}
+
+dependencies {
+    annotationProcessor("io.micronaut.data:micronaut-data-processor")
+    annotationProcessor("io.micronaut:micronaut-http-validation")
+    annotationProcessor("io.micronaut.security:micronaut-security-annotations")
+    annotationProcessor("io.micronaut.serde:micronaut-serde-processor")
+    implementation("io.micronaut.security:micronaut-security-jwt")
+    implementation("io.micronaut.data:micronaut-data-jdbc")
+    implementation("io.micronaut.sql:micronaut-jdbc-hikari")
+    implementation("io.micronaut.flyway:micronaut-flyway")
+    implementation("io.micronaut.serde:micronaut-serde-jackson")
+    implementation("io.micronaut.reactor:micronaut-reactor")
+    implementation("at.favre.lib:bcrypt:0.10.2")
+    compileOnly("io.micronaut:micronaut-http-client")
+    runtimeOnly("ch.qos.logback:logback-classic")
+    runtimeOnly("org.yaml:snakeyaml")
+
+    Boolean cloudDb = Boolean.parseBoolean(System.getenv("UNITYAUTH_CLOUD_DB"))
+    runtimeOnly("mysql:mysql-connector-java")
+    runtimeOnly("org.flywaydb:flyway-mysql")
+    if (cloudDb) {
+        runtimeOnly('com.google.cloud.sql:mysql-socket-factory-connector-j-8:1.7.2')
+    }
+    testImplementation("io.micronaut:micronaut-http-client")
+
+    aotPlugins platform("io.micronaut.platform:micronaut-platform:${micronautVersion}")
+    aotPlugins("io.micronaut.security:micronaut-security-aot")
+}
+
+application {
+    mainClass.set("io.unityfoundation.Application")
+}
+
+java {
+    sourceCompatibility = JavaVersion.VERSION_25
+    targetCompatibility = JavaVersion.VERSION_25
+}
+run {
+    systemProperties([
+            'micronaut.environments': 'local'
+    ])
+}
+graalvmNative.toolchainDetection = false
+
+micronaut {
+    runtime("netty")
+    testRuntime("junit5")
+    processing {
+        incremental(true)
+        annotations("io.unityfoundation.*")
+    }
+    testResources {
+	enabled = !gradle.startParameter.taskNames.any{it.endsWith(":run")}
+        additionalModules.add("jdbc-mysql")
+    }
+    aot {
+        optimizeServiceLoading = false
+        convertYamlToJava = false
+        precomputeOperations = true
+        cacheEnvironment = true
+        optimizeClassLoading = true
+        deduceEnvironment = true
+        optimizeNetty = true
+        configurationProperties.put("micronaut.security.jwks.enabled", "false")
+    }
+}
+
+tasks.withType(io.micronaut.gradle.testresources.StartTestResourcesService).configureEach {
+    useClassDataSharing = false
+}
+
+tasks.named('shadowJar') {
+    zip64 = true
+}

auth/gradle.properties

@@ -0,0 +1 @@
+micronautVersion=4.6.1

auth/settings.gradle

@@ -0,0 +1 @@
+rootProject.name = "auth"

auth/src/main/java/io/unityfoundation/Application.java

@@ -0,0 +1,10 @@
+package io.unityfoundation;
+
+import io.micronaut.runtime.Micronaut;
+
+public class Application {
+
+  public static void main(String[] args) {
+    Micronaut.run(Application.class, args);
+  }
+}