Made required code changes to adapt Entra Id for MFA (#325)

* Made required code changes to adapt Entra Id for MFA

* Updated documentation for configuration file

* updated artifact version to 3.0.9

---------

Co-authored-by: Vinay Kumar Gupta Kalpaguri (EXT) <[email protected]>

Author: Vinay-kalpaguri

.github/workflows/main.yml

@@ -20,7 +20,7 @@ jobs:
     if: github.repository == 'eiffel-community/eiffel-intelligence-frontend'
     # The type of runner that the job will run on
 
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     env: 
       EI_BACKEND_PORT: 8099
       M2_HOME: /opt/apache-maven-3.6.3
@@ -54,7 +54,7 @@ jobs:
     if: github.repository == 'eiffel-community/eiffel-intelligence-frontend'
     # The type of runner that the job will run on
 
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     env: 
       EI_BACKEND_PORT: 8099
       M2_HOME: /opt/apache-maven-3.6.3
@@ -113,7 +113,7 @@ jobs:
     if: github.repository == 'eiffel-community/eiffel-intelligence-frontend' && github.event_name == 'push'
     # The type of runner that the job will run on
 
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     env: 
       EI_BACKEND_PORT: 8099
       M2_HOME: /opt/apache-maven-3.6.3

pom.xml

@@ -6,7 +6,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>com.github.ericsson</groupId>
     <artifactId>eiffel-intelligence-frontend</artifactId>
-    <version>3.0.8</version>
+    <version>3.0.9</version>
     <packaging>war</packaging>
 
     <parent>
@@ -108,6 +108,24 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>com.azure.spring</groupId>
+            <artifactId>spring-cloud-azure-starter-active-directory</artifactId>
+            <version>4.5.0</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-oauth2-client</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.github.ulisesbocchio</groupId>
+            <artifactId>jasypt-spring-boot-starter</artifactId>
+            <version>2.1.2</version>
+        </dependency>
 
         <dependency>
             <groupId>org.apache.commons</groupId>

src/main/java/com/ericsson/ei/frontend/EIRequestsController.java

@@ -38,6 +38,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
@@ -50,16 +51,22 @@
 
 import com.ericsson.ei.frontend.exceptions.EiBackendInstancesException;
 import com.ericsson.ei.frontend.utils.EIRequestsControllerUtils;
+import com.ericsson.ei.frontend.utils.EntraIdTokenIssuer;
 
 @RestController
 public class EIRequestsController {
 
     private static final Logger LOG = LoggerFactory.getLogger(EIRequestsController.class);
     private static final String X_AUTH_TOKEN = "x-auth-token";
+    private static final String AZURE_TOKEN = "azure-token";
     List<String> HEADERS_TO_COPY = new ArrayList<>(Arrays.asList(X_AUTH_TOKEN, "authorization"));
 
     @Autowired
     private EIRequestsControllerUtils eiRequestsControllerUtils;
+    @Autowired
+    private EntraIdTokenIssuer entraIdTokenIssuer;
+    @Value("${spring.cloud.azure.active-directory.enabled}")
+    private Boolean azureEnabled;
 
     /**
      * Bridge all Eiffel Intelligence HTTP GET requests.
@@ -280,6 +287,9 @@ private HttpHeaders getHeadersFromResponse(HttpHeaders headers, CloseableHttpRes
             if (headerShouldBeCopied) {
                 headerNameList.add(header.getName());
                 headers.add(header.getName(), header.getValue());
+                if (azureEnabled) {
+                    headers.add(AZURE_TOKEN, entraIdTokenIssuer.getAccessToken());
+                }
             } else {
                 notCopiedHeaderNameList.add(header.getName());
             }

src/main/java/com/ericsson/ei/frontend/config/SecurityConfig.java

@@ -0,0 +1,24 @@
+package com.ericsson.ei.frontend.config;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@SuppressWarnings("deprecation")
+@Configuration
+@EnableWebSecurity
+@ConditionalOnProperty(name = "spring.cloud.azure.active-directory.enabled", havingValue = "false")
+public class SecurityConfig extends WebSecurityConfigurerAdapter {
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            .csrf().disable() // Disable CSRF protection
+            .authorizeRequests()
+            .anyRequest().permitAll()
+            .and()
+            .formLogin().disable();
+    }
+}

src/main/java/com/ericsson/ei/frontend/config/SecurityConfigAzureAD.java

@@ -0,0 +1,90 @@
+package com.ericsson.ei.frontend.config;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtDecoder;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
+
+@SuppressWarnings("deprecation")
+@Configuration
+@ConditionalOnProperty(name = "spring.cloud.azure.active-directory.enabled", havingValue = "true")
+public class SecurityConfigAzureAD extends WebSecurityConfigurerAdapter {
+    
+    @Value("${spring.cloud.azure.active-directory.credential.client-id}")
+    private String clientId;
+
+    @Value("${spring.cloud.azure.active-directory.profile.tenant-id}")
+    private String tenantId;
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http
+            .csrf().disable()
+            .authorizeRequests()
+            .antMatchers("/authentication/*","/status","/actuator/**").permitAll()
+            .anyRequest().authenticated()
+            .and()
+            .oauth2Login()  // Enable Azure MFA for H2M
+            .and()
+            .sessionManagement()
+            .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
+            .and()
+            .oauth2ResourceServer()
+            .jwt()
+            .jwtAuthenticationConverter(jwtAuthenticationConverter())  // Configure JWT converter
+            .decoder(jwtDecoder()); // Configure JWT decoder to handle client credentials flow
+    }
+
+    @Bean
+    public JwtAuthenticationConverter jwtAuthenticationConverter() {
+        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
+        // You can add additional configuration for authorities mapping here
+        return converter;
+    }
+
+    @Bean
+    public JwtDecoder jwtDecoder() {
+        // Use Azure AD's JWKS endpoint
+        String jwkSetUri = "https://login.microsoftonline.com/" + tenantId + "/discovery/v2.0/keys";
+        NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
+
+        // token validators (e.g., audience, issuer) to validate the token properly
+        OAuth2TokenValidator<Jwt> audienceValidator = new OAuth2TokenValidator<Jwt>() {
+            @Override
+            public OAuth2TokenValidatorResult validate(Jwt token) {
+                if (!token.getAudience().contains("api://" + clientId)) {
+                    return OAuth2TokenValidatorResult.failure(new OAuth2Error("invalid_audience", "Invalid audience", null));
+                }
+                return OAuth2TokenValidatorResult.success();
+            }
+        };
+
+        OAuth2TokenValidator<Jwt> issuerValidator = new OAuth2TokenValidator<Jwt>() {
+            @Override
+            public OAuth2TokenValidatorResult validate(Jwt token) {
+                String issuer = token.getIssuer().toString();
+                // Validate the issuer for both v1.0 and v2.0 endpoints
+                if (!issuer.equals("https://login.microsoftonline.com/" + tenantId +"/v2.0") && !issuer.equals("https://sts.windows.net/" + tenantId + "/")) {
+                    return OAuth2TokenValidatorResult.failure(new OAuth2Error("invalid_issuer", "Invalid issuer", null));
+                }
+                return OAuth2TokenValidatorResult.success();
+            }
+        };
+
+        // Chain validators together (audience and issuer)
+        OAuth2TokenValidator<Jwt> tokenValidator = new DelegatingOAuth2TokenValidator<>(audienceValidator, issuerValidator);
+        jwtDecoder.setJwtValidator(tokenValidator); // Apply validators to the decoder
+        return jwtDecoder;
+    }
+}

src/main/java/com/ericsson/ei/frontend/utils/EntraIdTokenIssuer.java

@@ -0,0 +1,46 @@
+package com.ericsson.ei.frontend.utils;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Component;
+
+import com.azure.core.credential.TokenCredential;
+import com.azure.core.credential.TokenRequestContext;
+import com.azure.identity.ClientSecretCredentialBuilder;
+
+@Component
+public class EntraIdTokenIssuer {
+
+    @Value("${spring.cloud.azure.active-directory.credential.client-id}")
+    private String clientId;
+
+    @Value("${spring.cloud.azure.active-directory.credential.client-secret}")
+    private String clientSecret;
+
+    @Value("${spring.cloud.azure.active-directory.profile.tenant-id}")
+    private String tenantId;
+
+    @Value("${spring.cloud.azure.active-directory.api-scope}")
+    private String scope;
+
+    /**
+     * Retrieves an access token for the configured Azure AD scope.
+     * @return the access token as a string
+     * @throws RuntimeException if token retrieval fails
+     */
+    public String getAccessToken() {
+            // Build the ClientSecretCredential using Spring's property values
+            TokenCredential clientSecretCredential = new ClientSecretCredentialBuilder()
+                .clientId(clientId)
+                .clientSecret(clientSecret)
+                .tenantId(tenantId)
+                .build();
+            // Get the token using the scope defined (default is ".default")
+            String token = clientSecretCredential
+                .getToken(new TokenRequestContext().addScopes(scope))
+                .block()
+                .getToken();
+
+            // Return the token string
+            return token;
+    }
+}

src/main/resources/application.properties

@@ -24,6 +24,14 @@ ei.eiffel.documentation.urls={ "EI front-end on GitHub": "https://github.com/eif
                                "Eiffel protocol on Github": "https://github.com/eiffel-community/eiffel",\
                                "User guide for test rules page": "https://github.com/eiffel-community/eiffel-intelligence-frontend/blob/master/wiki/test-rules.md" }
 
+# Microsoft Entra Id Config
+spring.cloud.azure.active-directory.credential.client-id=
+spring.cloud.azure.active-directory.credential.client-secret=
+spring.cloud.azure.active-directory.redirect-uri=
+spring.cloud.azure.active-directory.enabled=false
+spring.cloud.azure.active-directory.profile.tenant-id=
+spring.cloud.azure.active-directory.api-scope=
+
 #### LOGGING #########
 logging.level.root: INFO
 logging.level.org.springframework.web: INFO

src/main/resources/templates/index.html

@@ -87,6 +87,12 @@
           </ul>
         </div>
       </li>
+      <li class="nav-item">
+      <!-- Logout button -->
+        <a class="nav-link" href="/eifrontend/logout">
+           <i class="fa fa-sign-out"></i>FrontendLogout
+        </a>
+      </li>
     </ul>
   </header>
 

wiki/authentication.md

@@ -0,0 +1,70 @@
+# EI Frontend Authentication Documentation
+
+## Overview
+
+This documentation explains how to authenticate with the EI Frontend using different authentication mechanisms for human-based (H2M) and machine-to-machine (M2M) scenarios.
+
+Authentication is not a requirement but can be turned on and off in the
+application properties file with the 'spring.cloud.azure.active-directory.enabled' property.
+
+### Authentication Types:
+
+- **H2M Authentication**: For human-based authentication, users will be redirected to the Microsoft login page for Single Sign-On (SSO). Multi-Factor Authentication (MFA) may be prompted if required.
+  
+- **M2M Authentication**: In M2M scenarios, the client application directly makes a `GET` request to the `/authentication/login` API. The client must provide a username and password using basic authentication. The response headers will includes two tokens:
+  - `xauth-token`: Required for making requests to the `/subscriptions` API (POST, PUT, DELETE).
+  - `azure-token`: Required for accessing all APIs when azure authentication is enabled.
+
+**Note**: Include both xauth-token and azure-token in the headers for accessing `/subscriptions` API (POST, PUT, DELETE).
+
+## Step 1: Authenticating to Obtain Tokens
+
+To authenticate and receive the necessary tokens, make a `GET` request to the `/authentication/login` endpoint.
+
+### Request Example:
+
+    curl -X GET -H "Content-Type: application/json" -u <user>:<password> http://localhost:8080/authentication/login
+
+Example of full response
+
+    < HTTP/1.1 200 
+    < Vary: Origin
+    < Vary: Access-Control-Request-Method
+    < Vary: Access-Control-Request-Headers
+    < Set-Cookie: JSESSIONID=4AC3653506A32762E220489C8230E37F; Path=/; HttpOnly
+    < X-Auth-Token: 0c61a3d0-a154-42ac-ad08-aea6fda9de9a
+    < azure-token: eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImltaTBZMnowthlLeEJ0dEFxS19UdDVoWUJUayIsImtpZCI6ImltaTBZMnowZFlLeEJ0dEFxS19UdDVoWUJUayJ9.eyJhdWQiOiJhcGk6Ly83Mzg3N2ViNS1iNjUxLTRjYzAtYjI5Yi05NTYyZGRjMjgyYzciLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC85MmU4NGNlYi1mYmZkLTQ3YWItYmU1Mi0wODBjNmI4Nzk1M2YvIiwiaWF0IjoxNzQwOTc2MzY5LCJuYmYiOjE3NDA5NzYzNjksImV4cCI6MTc0MDk4MDI2OSwiYWlvIjoiazJSZ1lEaktPNWR6cTU3aWh2bDgyMlkybU90cis1KzVFN0h6eTJ2aHU5WXRSVUhpb1Z3QSIsImFwcGlkIjoiNzM4NzdlYjUtYjY1MS00Y2MwLWIyOWItOTU2MmRkYzI4MmM3IiwiYXBwaWRhY3IiOiIxIiwiaWRwIjoiaHR0cHM6Ly9zdHMud2luZG93cy5uZXQvOTJlODRjZWItZmJmZC00N2FiLWJlNTItMDgwYzZiODc5NTNmLyIsIm9pZCI6IjBhMGRhODg0LTZhZmEtNGIwNC05NmIyLTVhYjJjODIxYjI0NCIsInJoIjoiMS5BUkVBNjB6b2t2MzdxMGUtVWdnTWE0ZVZQN1YtaDNOUnRzQk1zcHVWWXQzQ2dzY1JBQUFSQUEuIiwicm9sZXMiOlsiYXBpLnJlYWQiXSwic3ViIjoiMGEwZGE4ODQtNmFmYS00YjA0LTk2YjItNWFiMmM4MjFiMjQ0IiwidGlkIjoiOTJlODRjZWItZmJmZC00N2FiLWJlNTItMDgwYzZiODc5NTNmIiwidXRpIjoidURfa2htWHNJRWVEQUsyakFnd3hBQSIsInZlciI6IjEuMCJ9.IpUvwU7OA1x9B3OaE24QDRH0FXKfmo5dHJ1uygLb2sAsRzxHMOTbnerqKnggAqvDuFAQL4Cp3Cn6OINlA6Az8OoyxQwQVtXCb52fElik5N8HbjNhM6YVmC6lIRem0rm8W2SmGQad0gAhEgO_QdCDYQJP3_9EgFxuqjA2nyWNPzM7hZzniiAIm1eokRIb92Nb05mBirj9V2bs8viVnS--0c7P2nF6L8EfE2KeeHg675WsMuA9Gv8MOyxhMl5-H3Ri86m7Nx2G1rwMNQA3QwP-cOgjIDG5nNGvxjbDpycQSxl_qJS19qjpa3y6QhbcpnNZ3jf7_Se_LNyy-H4O6i2tmg
+    < X-Content-Type-Options: nosniff
+    < X-XSS-Protection: 1; mode=block
+    < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
+    < Pragma: no-cache
+    < Expires: 0
+    < X-Frame-Options: DENY
+    < Content-Type: application/json
+    < Content-Length: 18
+    < Date: Mon, 03 Mar 2025 04:37:49 GMT
+    < 
+    * Connection #0 to host localhost left intact
+    {"user":"myuser"}
+
+## Step 2: Making API Requests with Tokens
+
+Once you have obtained the tokens, include them in your API requests as follows:
+
+### 1. Accessing All APIs (e.g., `/status`, `/backends`, `/templates`, etc.)
+
+For all APIs include the `Authorization` header with the `azure-token`.
+
+#### Request Example for GET
+
+    curl -X GET -H "Authorization: Bearer <azure-token>" http://localhost:8080/status
+    
+### 2. Accessing subscriptions APIs (e.g., `/subscriptions`)
+
+    curl -X POST -d @file_containing_list_of_json_objects -H "Content-Type: application/json" \
+        -H "X-Auth-Token: <xauth-token>" -H "Authorization: Bearer <azure-token> \
+        http://localhost:8080/subscriptions
+
+**More information about how to make API Requests can be found [here](https://github.com/eiffel-community/eiffel-intelligence-frontend/blob/master/wiki/curl-examples.md).**
+
+

wiki/configuration.md

@@ -53,6 +53,26 @@ then these properties need to be set:
 
 Read more in Spring documentation about how to enable HTTPS security in Spring applications.
 
+## Microsoft Entra Id Config
+
+Set the below properties to enable Microsoft EntraId SSO and Multi-factor authentication.By default it is set to false. Make it true and provide all the necessary data to enable this functionality.
+
+    spring.cloud.azure.active-directory.enabled=false
+    spring.cloud.azure.active-directory.credential.client-id=<Your Client ID>    # The client ID of your application registered in Microsoft Entra ID.
+    spring.cloud.azure.active-directory.credential.client-secret=<Your Azure App Secret>    # The client secret for your Azure application.
+    spring.cloud.azure.active-directory.redirect-uri=<Redirect URI>    # The redirect URI configured in your Azure application.
+    spring.cloud.azure.active-directory.profile.tenant-id=<Your Tenant ID>    # The tenant ID of your Microsoft Entra ID instance.
+    spring.cloud.azure.active-directory.api-scope=<Application ID URI>    # The Application ID URI of your Microsoft Entra ID instance.
+
+### Example values for Entra Id
+
+    spring.cloud.azure.active-directory.enabled=true
+    spring.cloud.azure.active-directory.credential.client-id=12345678-90ab-cdef-1234-567890abcdef
+    spring.cloud.azure.active-directory.credential.client-secret=abcdef1234567890abcdef1234567890
+    spring.cloud.azure.active-directory.redirect-uri=http://localhost:8080/login/oauth2/code/
+    spring.cloud.azure.active-directory.profile.tenant-id=12345678-90ab-cdef-1234-567890abcdef
+    spring.cloud.azure.active-directory.api-scope=api://12345678-90ab-cdef-1234-567890abcdef/.default
+
 ## Customize Documentation Links
 It is possible to add and change Documentation url links that is seen in the Eiffel 
 Intelligence front-end Web-UI. Documentation url links is configured by