Feature migrate web server to sechub server #3648 (#3775)

* migrate web server to sechub server #3648

* migrate web server to sechub server #3648

* remove web-server gradle module

* add local properties for sechub server security config

* only validate security login properties if login is actually enabled

* conditionally include AES256Encryption only if oauth2 mode is enabled

* return null instead of default string in DynamicBearerTokenResolver on missing access token

* @ConditionalOnProperty(name = "sechub.security.encryption.secret-key") to conditionally enable AES256Encryption

* remove sechub-commons-security-login-spring module

* pr fixes

* pr fixes

sechub-commons-security-spring/build.gradle

@@ -9,8 +9,11 @@ dependencies {
 
     implementation project(':sechub-commons-core')
     implementation project(':sechub-testframework-spring')
+    implementation library.springboot_starter_web
     implementation library.springboot_starter_security
+    implementation library.springboot_starter_oauth2_client
     implementation library.springboot_starter_oauth2_resource_server
+    implementation library.jakarta_servlet_api
 
     testImplementation library.springframework_web
     testImplementation library.springframework_webmvc

sechub-commons-security-spring/src/main/java/com/mercedesbenz/sechub/spring/security/AES256Encryption.java

@@ -0,0 +1,100 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.spring.security;
+
+import static java.util.Objects.requireNonNull;
+
+import java.nio.charset.StandardCharsets;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+
+import javax.crypto.Cipher;
+import javax.crypto.SealedObject;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.stereotype.Component;
+
+import com.mercedesbenz.sechub.commons.core.security.CryptoAccess;
+
+@Component
+@ConditionalOnProperty(name = "sechub.security.encryption.secret-key")
+public class AES256Encryption {
+
+    private static final String TRANSFORMATION = "AES";
+    private static final CryptoAccess<SecretKey> secretKeyCryptoAccess = new CryptoAccess<>();
+
+    private final Cipher encrypt;
+    private final Cipher decrypt;
+    private final SealedObject sealedSecretKey;
+
+    AES256Encryption(SecHubSecurityProperties secHubSecurityProperties) throws GeneralSecurityException {
+        requireNonNull(secHubSecurityProperties, "SecHubSecurityProperties must not be null");
+        SecretKey secretKey = getSecretKey(secHubSecurityProperties);
+        this.sealedSecretKey = secretKeyCryptoAccess.seal(secretKey);
+
+        this.encrypt = Cipher.getInstance(TRANSFORMATION);
+        try {
+            initEncrypt();
+        } catch (Exception e) {
+            throw new GeneralSecurityException(e);
+        }
+
+        this.decrypt = Cipher.getInstance(TRANSFORMATION);
+        try {
+            initDecrypt();
+        } catch (Exception e) {
+            throw new GeneralSecurityException(e);
+        }
+    }
+
+    private static SecretKey getSecretKey(SecHubSecurityProperties secHubSecurityProperties) {
+        SecHubSecurityProperties.EncryptionProperties encryption = requireNonNull(secHubSecurityProperties.getEncryptionProperties(),
+                "Property %s must not be null".formatted(SecHubSecurityProperties.EncryptionProperties.PREFIX));
+        String secretKeyString = requireNonNull(encryption.getSecretKey(),
+                "Property %s.%s must not be null".formatted(SecHubSecurityProperties.EncryptionProperties.PREFIX, "secret-key"));
+        return new SecretKeySpec(secretKeyString.getBytes(StandardCharsets.UTF_8), TRANSFORMATION);
+    }
+
+    public byte[] encrypt(String plainText) {
+        byte[] encryptedBytes;
+
+        try {
+            encryptedBytes = encrypt.doFinal(plainText.getBytes(StandardCharsets.UTF_8));
+        } catch (Exception e) {
+            initEncrypt();
+            throw new AES256EncryptionException("Failed to encrypt text", e);
+        }
+
+        return encryptedBytes;
+    }
+
+    public String decrypt(byte[] encryptedBytes) {
+        byte[] decryptedBytes;
+
+        try {
+            decryptedBytes = decrypt.doFinal(encryptedBytes);
+        } catch (Exception e) {
+            initDecrypt();
+            throw new AES256EncryptionException("Failed to decrypt text", e);
+        }
+
+        return new String(decryptedBytes, StandardCharsets.UTF_8);
+    }
+
+    private void initEncrypt() {
+        try {
+            this.encrypt.init(Cipher.ENCRYPT_MODE, secretKeyCryptoAccess.unseal(sealedSecretKey));
+        } catch (InvalidKeyException e) {
+            throw new AES256EncryptionException("Failed to init encryption cipher", e);
+        }
+    }
+
+    private void initDecrypt() {
+        try {
+            this.decrypt.init(Cipher.DECRYPT_MODE, secretKeyCryptoAccess.unseal(sealedSecretKey));
+        } catch (InvalidKeyException e) {
+            throw new AES256EncryptionException("Failed to init decryption cipher", e);
+        }
+    }
+}

sechub-commons-security-spring/src/main/java/com/mercedesbenz/sechub/spring/security/AES256EncryptionException.java

@@ -0,0 +1,9 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.spring.security;
+
+public class AES256EncryptionException extends RuntimeException {
+
+    public AES256EncryptionException(String errMsg, Exception e) {
+        super(errMsg, e);
+    }
+}