Adapt CsmRbac mecanism and CsmPlatformProperties to accept identifier other than mail

jreynard-code · jreynard-code · commit 2ac95764aeb6 · 2023-06-22T16:04:46.000+02:00
diff --git a/src/main/kotlin/com/cosmotech/api/config/CsmPlatformProperties.kt b/src/main/kotlin/com/cosmotech/api/config/CsmPlatformProperties.kt
@@ -98,6 +98,9 @@ data class CsmPlatformProperties(
       /** The JWT Claim where the roles information is stored */
       val rolesJwtClaim: String = "roles",
 
+      /** The JWT Claim used to define application id in ACL */
+      val applicationIdJwtClaim: String = "oid",
+
       /**
        * List of additional tenants allowed to register, besides the configured
        * `csm.platform.azure.credentials.tenantId`
diff --git a/src/main/kotlin/com/cosmotech/api/metrics/MonitorServiceAspect.kt b/src/main/kotlin/com/cosmotech/api/metrics/MonitorServiceAspect.kt
@@ -2,6 +2,7 @@
 // Licensed under the MIT license.
 package com.cosmotech.api.metrics
 
+import com.cosmotech.api.config.CsmPlatformProperties
 import com.cosmotech.api.events.CsmEventPublisher
 import com.cosmotech.api.events.PersistentMetricEvent
 import com.cosmotech.api.utils.getCurrentAuthenticatedIssuer
@@ -25,6 +26,7 @@ private const val SERVICE_NAME = "API"
 class MonitorServiceAspect(
     private var meterRegistry: MeterRegistry,
     private val eventPublisher: CsmEventPublisher,
+    private val csmPlatformProperties: CsmPlatformProperties
 ) {
   private val logger: Logger = LoggerFactory.getLogger(this::class.java)
 
@@ -55,10 +57,10 @@ class MonitorServiceAspect(
           Tag.of(parameterNames[idx], args[idx] as String)
         }
     val name = signature.name
-    val user = getCurrentAuthenticatedUserName()
+    val user = getCurrentAuthenticatedUserName(csmPlatformProperties)
     var issuer = getCurrentAuthenticatedIssuer()
-    Counter.builder("cosmotech.${name}")
-        .description("${name}")
+    Counter.builder("cosmotech.$name")
+        .description(name)
         .tag("method", name)
         .tag("user", user)
         .tag("issuer", issuer)
diff --git a/src/main/kotlin/com/cosmotech/api/rbac/CsmRbac.kt b/src/main/kotlin/com/cosmotech/api/rbac/CsmRbac.kt
@@ -8,7 +8,7 @@ import com.cosmotech.api.exceptions.CsmClientException
 import com.cosmotech.api.exceptions.CsmResourceNotFoundException
 import com.cosmotech.api.rbac.model.RbacAccessControl
 import com.cosmotech.api.rbac.model.RbacSecurity
-import com.cosmotech.api.utils.getCurrentAuthenticatedMail
+import com.cosmotech.api.utils.getCurrentAccountIdentifier
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import org.springframework.stereotype.Component
@@ -44,7 +44,7 @@ open class CsmRbac(
     }
     var userIsAdminOrHasPermission = this.isAdmin(rbacSecurity, rolesDefinition)
     if (!userIsAdminOrHasPermission) {
-      val user = getCurrentAuthenticatedMail(this.csmPlatformProperties)
+      val user = getCurrentAccountIdentifier(this.csmPlatformProperties)
       userIsAdminOrHasPermission = this.verifyRbac(rbacSecurity, permission, rolesDefinition, user)
     }
     return userIsAdminOrHasPermission
@@ -145,7 +145,7 @@ open class CsmRbac(
   fun isAdmin(rbacSecurity: RbacSecurity, rolesDefinition: RolesDefinition): Boolean {
     var isAdmin = this.isAdminToken(rbacSecurity)
     if (!isAdmin) {
-      val user = getCurrentAuthenticatedMail(this.csmPlatformProperties)
+      val user = getCurrentAccountIdentifier(this.csmPlatformProperties)
       isAdmin = this.verifyAdminRole(rbacSecurity, user, rolesDefinition)
     }
     return isAdmin
@@ -214,8 +214,8 @@ open class CsmRbac(
     return rolesDefinition[role] ?: listOf()
   }
 
-  internal fun getUserRole(rbacSecurity: RbacSecurity, user: String): String? {
-    return rbacSecurity.accessControlList.firstOrNull { it.id == user }?.role
+  internal fun getUserRole(rbacSecurity: RbacSecurity, user: String): String {
+    return rbacSecurity.accessControlList.firstOrNull { it.id == user }?.role ?: rbacSecurity.default
   }
 
   internal fun getAdminCount(rbacSecurity: RbacSecurity, rolesDefinition: RolesDefinition): Int {
diff --git a/src/main/kotlin/com/cosmotech/api/utils/SecurityUtils.kt b/src/main/kotlin/com/cosmotech/api/utils/SecurityUtils.kt
@@ -13,60 +13,40 @@ import org.springframework.security.oauth2.server.resource.authentication.JwtAut
 
 fun getCurrentAuthentication(): Authentication? = SecurityContextHolder.getContext().authentication
 
-fun getCurrentUserName(): String? = getCurrentAuthentication()?.name
-
-fun getCurrentAuthenticatedUserName() =
-    getCurrentUserName()
+fun getCurrentAuthenticatedUserName(configuration: CsmPlatformProperties): String {
+  return getValueFromAuthenticatedToken {
+    val jwtClaimsSet = JWTParser.parse(it).jwtClaimsSet
+    jwtClaimsSet.getStringClaim("name")
+        ?: jwtClaimsSet.getStringClaim(configuration.authorization.applicationIdJwtClaim)
         ?: throw IllegalStateException("User Authentication not found in Security Context")
-
-fun getCurrentAuthenticatedIssuer(): String {
-  if (getCurrentAuthentication() == null) {
-    throw IllegalStateException("User Authentication not found in Security Context")
-  }
-
-  val authentication = getCurrentAuthentication()
-
-  if (authentication is JwtAuthenticationToken) {
-    return authentication.token.tokenValue.let { JWTParser.parse(it).jwtClaimsSet.issuer }
-  }
-
-  return (authentication as BearerTokenAuthentication).token.tokenValue.let {
-    JWTParser.parse(it).jwtClaimsSet.issuer
   }
 }
 
-fun getCurrentAuthenticatedMail(configuration: CsmPlatformProperties): String {
-  if (getCurrentAuthentication() == null) {
-    throw IllegalStateException("User Authentication not found in Security Context")
-  }
-
-  val authentication = getCurrentAuthentication()
+fun getCurrentAuthenticatedIssuer(): String {
+  return getValueFromAuthenticatedToken { JWTParser.parse(it).jwtClaimsSet.issuer }
+}
 
-  if (authentication is JwtAuthenticationToken) {
-    return authentication.token.tokenValue.let {
-      JWTParser.parse(it).jwtClaimsSet.getStringClaim(configuration.authorization.mailJwtClaim)
-    }
+fun getCurrentAccountIdentifier(configuration: CsmPlatformProperties): String {
+  return getValueFromAuthenticatedToken {
+    val jwtClaimsSet = JWTParser.parse(it).jwtClaimsSet
+    jwtClaimsSet.getStringClaim(configuration.authorization.mailJwtClaim)
+        ?: jwtClaimsSet.getStringClaim(configuration.authorization.applicationIdJwtClaim)
   }
+}
 
-  return (authentication as BearerTokenAuthentication).token.tokenValue.let {
-    JWTParser.parse(it).jwtClaimsSet.getStringClaim(configuration.authorization.mailJwtClaim)
+fun getCurrentAuthenticatedRoles(configuration: CsmPlatformProperties): List<String> {
+  return getValueFromAuthenticatedToken {
+    JWTParser.parse(it).jwtClaimsSet.getStringListClaim(configuration.authorization.rolesJwtClaim)
   }
 }
 
-fun getCurrentAuthenticatedRoles(configuration: CsmPlatformProperties): List<String> {
+fun <T> getValueFromAuthenticatedToken(actionLambda: (String) -> T): T {
   if (getCurrentAuthentication() == null) {
     throw IllegalStateException("User Authentication not found in Security Context")
   }
-
   val authentication = getCurrentAuthentication()
-
   if (authentication is JwtAuthenticationToken) {
-    return authentication.token.tokenValue.let {
-      JWTParser.parse(it).jwtClaimsSet.getStringListClaim(configuration.authorization.rolesJwtClaim)
-    }
-  }
-
-  return (authentication as BearerTokenAuthentication).token.tokenValue.let {
-    JWTParser.parse(it).jwtClaimsSet.getStringListClaim(configuration.authorization.rolesJwtClaim)
+    return authentication.token.tokenValue.let { actionLambda(it) }
   }
+  return (authentication as BearerTokenAuthentication).token.tokenValue.let { actionLambda(it) }
 }
diff --git a/src/test/kotlin/com/cosmotech/api/rbac/CsmRbacTests.kt b/src/test/kotlin/com/cosmotech/api/rbac/CsmRbacTests.kt
