Fix #32637: add group support to CustomHeaderAuthenticationBackend

LEDfan · LEDfan · commit 12b01041f637 · 2025-05-26T10:30:58.000+02:00
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/CustomHeaderAuthenticationBackend.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/CustomHeaderAuthenticationBackend.java
@@ -37,14 +37,16 @@ public class CustomHeaderAuthenticationBackend implements IAuthenticationBackend
     public final static String NAME = "customHeader";
 
     private final static String PROP_CUSTOM_AUTH_USERNAME_HEADER_NAME = "proxy.custom-header.username-header-name";
+    private final static String PROP_CUSTOM_AUTH_GROUPS_HEADER_NAME = "proxy.custom-header.groups-header-name";
     private final static String DEFAULT_USERNAME_HEADER_NAME = "REMOTE_USER";
 
     private final CustomHeaderAuthenticationFilter filter;
 
     public CustomHeaderAuthenticationBackend(Environment environment, ApplicationEventPublisher applicationEventPublisher) {
         String usernameHeaderName = environment.getProperty(PROP_CUSTOM_AUTH_USERNAME_HEADER_NAME, DEFAULT_USERNAME_HEADER_NAME);
+        String groupsHeaderName = environment.getProperty(PROP_CUSTOM_AUTH_GROUPS_HEADER_NAME); // disabled by default
         ProviderManager providerManager = new ProviderManager(new CustomHeaderAuthenticationProvider());
-        filter = new CustomHeaderAuthenticationFilter(providerManager, applicationEventPublisher, usernameHeaderName);
+        filter = new CustomHeaderAuthenticationFilter(providerManager, applicationEventPublisher, usernameHeaderName, groupsHeaderName);
     }
 
     @Override
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationFilter.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationFilter.java
@@ -24,13 +24,17 @@
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
+import net.minidev.json.parser.JSONParser;
+import net.minidev.json.parser.ParseException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
@@ -40,6 +44,9 @@
 
 import javax.annotation.Nonnull;
 import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
 
 public class CustomHeaderAuthenticationFilter extends OncePerRequestFilter {
 
@@ -55,11 +62,13 @@ public class CustomHeaderAuthenticationFilter extends OncePerRequestFilter {
     );
 
     private final String usernameHeaderName;
+    private final String groupsHeaderName;
 
-    public CustomHeaderAuthenticationFilter(AuthenticationManager authenticationManager, ApplicationEventPublisher eventPublisher, String usernameHeaderName) {
+    public CustomHeaderAuthenticationFilter(AuthenticationManager authenticationManager, ApplicationEventPublisher eventPublisher, String usernameHeaderName, String groupsHeaderName) {
         this.authenticationManager = authenticationManager;
         this.eventPublisher = eventPublisher;
         this.usernameHeaderName = usernameHeaderName;
+        this.groupsHeaderName = groupsHeaderName;
     }
 
     @Override
@@ -84,7 +93,7 @@ protected void doFilterInternal(@Nonnull HttpServletRequest request, @Nonnull Ht
                 }
             }
 
-            Authentication authRequest = new CustomHeaderAuthenticationToken(remoteUser, false);
+            Authentication authRequest = new CustomHeaderAuthenticationToken(remoteUser, parseGroups(request, remoteUser), false);
             Authentication authResult = authenticationManager.authenticate(authRequest);
             if (authResult == null) {
                 throw new CustomHeaderAuthenticationException("No authentication");
@@ -93,10 +102,57 @@ protected void doFilterInternal(@Nonnull HttpServletRequest request, @Nonnull Ht
             SecurityContextHolder.getContext().setAuthentication(authResult);
             eventPublisher.publishEvent(new AuthenticationSuccessEvent(authResult));
         } catch (CustomHeaderAuthenticationException e) {
+            logger.warn("Authentication failed: {}", e.getMessage());
+            SecurityContextHolder.clearContext();
+        } catch (Exception e) {
             logger.warn("Authentication failed", e);
             SecurityContextHolder.clearContext();
         }
         chain.doFilter(request, response);
     }
 
+    private List<GrantedAuthority> parseGroups(HttpServletRequest request, String username) {
+        if (groupsHeaderName == null) {
+            return List.of();
+        }
+        String remoteGroups = request.getHeader(groupsHeaderName);
+        if (remoteGroups == null) {
+            logger.warn("Header '{}' does not contain the groups of user '{}', the proxy should always override this header. This is a security risk, users might spoof groups!", groupsHeaderName, username);
+            return List.of();
+        }
+
+        remoteGroups = remoteGroups.strip();
+
+        List<String> roles = new ArrayList<>();
+
+        if (remoteGroups.startsWith("[")) {
+            // this is probably json
+            try {
+                Object value = new JSONParser(JSONParser.MODE_PERMISSIVE).parse(remoteGroups);
+                if (value instanceof List<?> valueList) {
+                    valueList.forEach(o -> roles.add(o.toString()));
+                    logger.debug("Parsed groups header as JSON: {} -> {}", groupsHeaderName, roles);
+                }
+            } catch (ParseException e) {
+                // Unable to parse JSON
+                logger.debug("Unable to parse groups header as JSON: {} -> {}", groupsHeaderName, remoteGroups);
+            }
+        } else {
+            if (remoteGroups.contains(",")) {
+                Arrays.stream(remoteGroups.split(",")).forEach(g -> roles.add(g.strip()));
+            } else {
+                // assuming it's a single role
+                roles.add(remoteGroups);
+            }
+            logger.debug("Parsed groups header as comma-separated string: {} -> {}", groupsHeaderName, roles);
+        }
+
+        List<GrantedAuthority> authorities = new ArrayList<>();
+        for (String role : roles) {
+            String mappedRole = role.toUpperCase().startsWith("ROLE_") ? role : "ROLE_" + role;
+            authorities.add(new SimpleGrantedAuthority(mappedRole.toUpperCase()));
+        }
+        return authorities;
+    }
+
 }
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationProvider.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationProvider.java
@@ -31,7 +31,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
         CustomHeaderAuthenticationToken authRequest = (CustomHeaderAuthenticationToken) authentication;
 
         if (authRequest.isValid()) {
-            return new CustomHeaderAuthenticationToken(authRequest.getPrincipal().toString(), true);
+            return new CustomHeaderAuthenticationToken(authRequest.getPrincipal().toString(), authRequest.getAuthorities(), true);
         }
 
         throw new CustomHeaderAuthenticationException("Invalid username");
diff --git a/src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationToken.java b/src/main/java/eu/openanalytics/containerproxy/auth/impl/customHeader/CustomHeaderAuthenticationToken.java
@@ -21,13 +21,16 @@
 package eu.openanalytics.containerproxy.auth.impl.customHeader;
 
 import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.Collection;
 
 public class CustomHeaderAuthenticationToken extends AbstractAuthenticationToken {
 
     private final String username;
 
-    public CustomHeaderAuthenticationToken(String username, boolean isAuthenticated) {
-        super(null);
+    public CustomHeaderAuthenticationToken(String username, Collection<GrantedAuthority> authorities, boolean isAuthenticated) {
+        super(authorities);
         this.username = username;
         super.setAuthenticated(isAuthenticated);
     }

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ public Authentication authenticate(Authentication authentication) throws Authent`
`31`	`31`	`CustomHeaderAuthenticationToken authRequest = (CustomHeaderAuthenticationToken) authentication;`
`32`	`32`
`33`	`33`	`if (authRequest.isValid()) {`
`34`		`- return new CustomHeaderAuthenticationToken(authRequest.getPrincipal().toString(), true);`
	`34`	`+ return new CustomHeaderAuthenticationToken(authRequest.getPrincipal().toString(), authRequest.getAuthorities(), true);`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`throw new CustomHeaderAuthenticationException("Invalid username");`