IGDD-2010 make healthcheck public (#142) (#143)

* IGDD-2010 Adding new endpoint /healthy and allowing new role of 'any' to allow public access.

* Changing role name to be more obvious that the endpoint is publicly accessible.

* Setting pom to 0.7.1

Co-authored-by: pcahillai <[email protected]>

Author: austinmoody

pom.xml

@@ -10,7 +10,7 @@
 	</parent>
 	<groupId>gov.cdc.izgateway</groupId>
 	<artifactId>xform</artifactId>
-        <version>0.8.0</version>
+        <version>0.7.1</version>
 	<name>xform</name>
 	<description>IZ Gateway Xform Service</description>
 	<properties>

src/main/java/gov/cdc/izgateway/xform/XformApplicationController.java

@@ -2,14 +2,15 @@
 
 import gov.cdc.izgateway.common.HealthService;
 import gov.cdc.izgateway.security.AccessControlRegistry;
-import gov.cdc.izgateway.xform.services.*;
+import gov.cdc.izgateway.xform.security.Roles;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.media.Content;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import jakarta.annotation.security.RolesAllowed;
 import lombok.extern.java.Log;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Lazy;
+import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
 
 @Log
@@ -24,7 +25,17 @@ public XformApplicationController(
         registry.register(this);
     }
 
-    @RolesAllowed({"admin"})
+    @RolesAllowed({Roles.PUBLIC_ACCESS})
+    @GetMapping("/healthy")
+    public ResponseEntity<Boolean> isHealthy() {
+        boolean healthy = HealthService.getHealth().isHealthy();
+        if (!healthy) {
+            return ResponseEntity.status(503).body(false);
+        }
+        return ResponseEntity.ok(true);
+    }
+
+    @RolesAllowed({Roles.ADMIN})
     @GetMapping("/health")
     public gov.cdc.izgateway.logging.event.Health getHealth() {
         return HealthService.getHealth();
@@ -35,7 +46,7 @@ public gov.cdc.izgateway.logging.event.Health getHealth() {
     @ApiResponse(responseCode = "200", description = "Success",
             content = @Content(mediaType = "text/plain")
     )
-    @RolesAllowed({"admin"})
+    @RolesAllowed({Roles.ADMIN})
     @GetMapping({"/build", "/build.txt"})
     public String getBuild() {
         return Application.getPage(Application.BUILD);

src/main/java/gov/cdc/izgateway/xform/security/Roles.java

@@ -24,7 +24,10 @@ public class Roles {
     /** Header to indicate that request from localhost should not be treated as an admin */
     public static final String NOT_ADMIN_HEADER = "X-Not-Admin";
 
-    /** 
+    // Special role for public access to an API endpoint.  Health check endpoints use this role.
+    public static final String PUBLIC_ACCESS = "public-access";
+
+    /**
      * A list of all roles to enable validation of role names
      * in model elements.
      */
@@ -33,7 +36,7 @@ public class Roles {
     		ADMIN, XFORM_SENDING_SYSTEM, 
     		PIPELINE_READER, PIPELINE_WRITER, PIPELINE_DELETER,
     		ORGANIZATION_READER, ORGANIZATION_WRITER, ORGANIZATION_DELETER,
-    		SOLUTION_READER, SOLUTION_WRITER, SOLUTION_DELETER
+    		SOLUTION_READER, SOLUTION_WRITER, SOLUTION_DELETER, PUBLIC_ACCESS
     	)
     );
     private Roles() {}

src/main/java/gov/cdc/izgateway/xform/services/AccessControlService.java

@@ -57,6 +57,11 @@ public Boolean checkSwaggerAccess(String method, String path) {
     public Boolean checkXformAccess(String method, String path) {
         List<String> allowedRoles = getAllowedRoles(RequestMethod.valueOf(method), path);
 
+        // Check for public access
+        if (allowedRoles.contains(Roles.PUBLIC_ACCESS)) {
+            return true;
+        }
+
         // If RequestContext.getRoles() has one role that matches the roles list, return true
         return RequestContext.getPrincipal().getRoles().stream().anyMatch(allowedRoles::contains);
     }