fix(identity-trust)!: disable spring security for identityMinusTrust …

…endpoint

Signed-off-by: Dominik Pinsel <[email protected]>

miw/src/main/java/org/eclipse/tractusx/managedidentitywallets/config/security/SecurityConfig.java

@@ -42,6 +42,10 @@
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
+import org.springframework.security.web.util.matcher.OrRequestMatcher;
+
+import java.util.List;
 
 import static org.springframework.http.HttpMethod.GET;
 import static org.springframework.http.HttpMethod.POST;
@@ -116,6 +120,10 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                         .requestMatchers(new AntPathRequestMatcher("/error")).permitAll()
                 ).oauth2ResourceServer(resourceServer -> resourceServer.jwt(jwt ->
                         jwt.jwtAuthenticationConverter(new CustomAuthenticationConverter(securityConfigProperties.clientId()))))
+                        .securityMatcher(new NegatedRequestMatcher( new OrRequestMatcher(
+                                List.of(
+                                        new AntPathRequestMatcher(RestURI.API_PRESENTATIONS_IATP),
+                                        new AntPathRequestMatcher(RestURI.API_PRESENTATIONS_IATP_WORKAROUND)))))
                 .addFilterAfter(new PresentationIatpFilter(validationService), BasicAuthenticationFilter.class);
 
         return http.build();

miw/src/main/java/org/eclipse/tractusx/managedidentitywallets/utils/TokenParsingUtils.java

@@ -76,6 +76,14 @@ public static Optional<String> getAccessToken(JWTClaimsSet claims) {
     }
 
     public static SignedJWT getAccessToken(String outerToken) {
+
+        // in the history of tractus-x sometimes the header contains a bearer, sometimes not.
+        // as it is not possible to fix this wrong behavior over all applications
+        // we added this mitigation here (not good, we know..).
+        if (outerToken.startsWith("Bearer ")) {
+            outerToken = outerToken.substring("Bearer ".length());
+        }
+
         SignedJWT jwtOuter = parseToken(outerToken);
         JWTClaimsSet claimsSet = getClaimsSet(jwtOuter);
         Optional<String> accessToken = getAccessToken(claimsSet);

miw/src/test/java/org/eclipse/tractusx/managedidentitywallets/identityminustrust/TokenRequestTest.java

@@ -148,7 +148,7 @@ public void testPresentationQueryWithToken() {
         final Map<String, Object> data2 = MAPPER.readValue(message2, Map.class);
 
         final HttpHeaders headers2 = new HttpHeaders();
-        headers2.set(HttpHeaders.AUTHORIZATION, jwt);
+        headers2.set(HttpHeaders.AUTHORIZATION, "Bearer " + jwt);
         final HttpEntity<Map<String, Object>> entity2 = new HttpEntity<>(data2, headers2);
         var result2 = restTemplate
                 .postForEntity(RestURI.API_PRESENTATIONS_IATP, entity2, String.class);