feat: refresh project authorities for internal tokens

scc-digitalhub · Oct 8, 2024 · e6343df · e6343df
1 parent e904839
commit e6343df
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 14 deletions.
diff --git a/application/src/main/java/it/smartcommunitylabdhub/core/config/SecurityConfig.java b/application/src/main/java/it/smartcommunitylabdhub/core/config/SecurityConfig.java
@@ -12,9 +12,11 @@
 import jakarta.servlet.http.HttpServletRequest;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Objects;
 import java.util.Optional;
+import java.util.Set;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
@@ -122,7 +124,9 @@ public SecurityFilterChain apiSecurityFilterChain(HttpSecurity http) throws Exce
                     keyStoreConfig.getJWKSetKeyStore().getJwk()
                 )
             );
-            coreJwtAuthProvider.setJwtAuthenticationConverter(coreJwtAuthenticationConverter("authorities"));
+            coreJwtAuthProvider.setJwtAuthenticationConverter(
+                coreJwtAuthenticationConverter("authorities", projectAuthHelper)
+            );
 
             // Create authentication Manager
             securityChain.oauth2ResourceServer(oauth2 ->
@@ -340,12 +344,15 @@ public static JwtDecoder coreJwtDecoder(String issuer, String audience, JWK jwk)
         return jwtDecoder;
     }
 
-    public static JwtAuthenticationConverter coreJwtAuthenticationConverter(String claim) {
+    public static JwtAuthenticationConverter coreJwtAuthenticationConverter(
+        String claim,
+        AuthorizableAwareEntityService<Project> projectAuthHelper
+    ) {
         JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
         converter.setJwtGrantedAuthoritiesConverter((Jwt source) -> {
             if (source == null) return null;
 
-            List<GrantedAuthority> authorities = new ArrayList<>();
+            Set<GrantedAuthority> authorities = new HashSet<>();
             authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
 
             if (StringUtils.hasText(claim) && source.hasClaim(claim)) {
@@ -358,7 +365,27 @@ public static JwtAuthenticationConverter coreJwtAuthenticationConverter(String c
                 }
             }
 
-            //TODO evaluate refreshing project authorities via helper
+            //refresh project authorities via helper
+            if (projectAuthHelper != null && StringUtils.hasText(source.getSubject())) {
+                String username = source.getSubject();
+
+                //inject roles from ownership of projects
+                projectAuthHelper
+                    .findIdsByCreatedBy(username)
+                    .forEach(p -> {
+                        //derive a scoped ADMIN role
+                        authorities.add(new SimpleGrantedAuthority(p + ":ROLE_ADMIN"));
+                    });
+
+                //inject roles from sharing of projects
+                projectAuthHelper
+                    .findIdsBySharedTo(username)
+                    .forEach(p -> {
+                        //derive a scoped USER role
+                        //TODO make configurable?
+                        authorities.add(new SimpleGrantedAuthority(p + ":ROLE_USER"));
+                    });
+            }
 
             return authorities;
         });
@@ -392,7 +419,7 @@ public static JwtAuthenticationConverter externalJwtAuthenticationConverter(
         converter.setJwtGrantedAuthoritiesConverter((Jwt source) -> {
             if (source == null) return null;
 
-            List<GrantedAuthority> authorities = new ArrayList<>();
+            Set<GrantedAuthority> authorities = new HashSet<>();
             authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
 
             //read roles from token

diff --git a/...ation/src/main/java/it/smartcommunitylabdhub/authorization/controllers/TokenEndpoint.java b/...ation/src/main/java/it/smartcommunitylabdhub/authorization/controllers/TokenEndpoint.java
@@ -12,9 +12,10 @@
 import it.smartcommunitylabdhub.commons.config.SecurityProperties;
 import it.smartcommunitylabdhub.commons.config.SecurityProperties.JwtAuthenticationProperties;
 import it.smartcommunitylabdhub.commons.models.entities.project.Project;
-import java.util.ArrayList;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -43,7 +44,6 @@
 import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthenticationToken;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
-import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.ExceptionHandler;
@@ -92,13 +92,8 @@ public void afterPropertiesSet() throws Exception {
             Assert.notNull(jwkSetKeyStore, "jwks store is required");
             Assert.notNull(jwkSetKeyStore.getJwk(), "jwk is required");
 
-            JwtAuthenticationConverter jwtConverter = new JwtAuthenticationConverter();
-            JwtGrantedAuthoritiesConverter authoritiesConverter = new JwtGrantedAuthoritiesConverter();
-            authoritiesConverter.setAuthoritiesClaimName("authorities");
-            authoritiesConverter.setAuthorityPrefix("");
-            jwtConverter.setJwtGrantedAuthoritiesConverter(authoritiesConverter);
-
             //build auth provider to validate tokens
+            JwtAuthenticationConverter jwtConverter = coreJwtAuthenticationConverter("authorities", projectAuthHelper);
             accessTokenAuthProvider = new JwtAuthenticationProvider(coreJwtDecoder(jwkSetKeyStore.getJwk(), false));
             accessTokenAuthProvider.setJwtAuthenticationConverter(jwtConverter);
             refreshTokenAuthProvider = new JwtAuthenticationProvider(coreJwtDecoder(jwkSetKeyStore.getJwk(), true));
@@ -346,7 +341,7 @@ public static JwtAuthenticationConverter externalJwtAuthenticationConverter(
         converter.setJwtGrantedAuthoritiesConverter((Jwt source) -> {
             if (source == null) return null;
 
-            List<GrantedAuthority> authorities = new ArrayList<>();
+            Set<GrantedAuthority> authorities = new HashSet<>();
             authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
 
             //read roles from token
@@ -390,4 +385,52 @@ public static JwtAuthenticationConverter externalJwtAuthenticationConverter(
         converter.setPrincipalClaimName(usernameClaim);
         return converter;
     }
+
+    public static JwtAuthenticationConverter coreJwtAuthenticationConverter(
+        String claim,
+        AuthorizableAwareEntityService<Project> projectAuthHelper
+    ) {
+        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
+        converter.setJwtGrantedAuthoritiesConverter((Jwt source) -> {
+            if (source == null) return null;
+
+            Set<GrantedAuthority> authorities = new HashSet<>();
+            authorities.add(new SimpleGrantedAuthority("ROLE_USER"));
+
+            if (StringUtils.hasText(claim) && source.hasClaim(claim)) {
+                List<String> roles = source.getClaimAsStringList(claim);
+                if (roles != null) {
+                    roles.forEach(r -> {
+                        //use as is
+                        authorities.add(new SimpleGrantedAuthority(r));
+                    });
+                }
+            }
+
+            //refresh project authorities via helper
+            if (projectAuthHelper != null && StringUtils.hasText(source.getSubject())) {
+                String username = source.getSubject();
+
+                //inject roles from ownership of projects
+                projectAuthHelper
+                    .findIdsByCreatedBy(username)
+                    .forEach(p -> {
+                        //derive a scoped ADMIN role
+                        authorities.add(new SimpleGrantedAuthority(p + ":ROLE_ADMIN"));
+                    });
+
+                //inject roles from sharing of projects
+                projectAuthHelper
+                    .findIdsBySharedTo(username)
+                    .forEach(p -> {
+                        //derive a scoped USER role
+                        //TODO make configurable?
+                        authorities.add(new SimpleGrantedAuthority(p + ":ROLE_USER"));
+                    });
+            }
+
+            return authorities;
+        });
+        return converter;
+    }
 }