Fix #27809: re-implement OAuth Resource Server

LEDfan · LEDfan · commit a4b037403fdf · 2023-01-02T15:59:33.000+01:00
diff --git a/pom.xml b/pom.xml
@@ -149,6 +149,10 @@
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-oauth2-jose</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-oauth2-resource-server</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-test</artifactId>
diff --git a/src/main/java/eu/openanalytics/containerproxy/security/APISecurityConfig.java b/src/main/java/eu/openanalytics/containerproxy/security/APISecurityConfig.java
diff --git a/src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java b/src/main/java/eu/openanalytics/containerproxy/security/WebSecurityConfig.java
@@ -23,6 +23,7 @@
 import eu.openanalytics.containerproxy.ContainerProxyApplication;
 import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
 import eu.openanalytics.containerproxy.auth.UserLogoutHandler;
+import eu.openanalytics.containerproxy.auth.impl.OpenIDAuthenticationBackend;
 import eu.openanalytics.containerproxy.util.AppRecoveryFilter;
 import eu.openanalytics.containerproxy.util.EnvironmentUtils;
 import eu.openanalytics.containerproxy.util.OverridingHeaderWriter;
@@ -32,15 +33,27 @@
 import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.convert.converter.Converter;
 import org.springframework.core.env.Environment;
 import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2Error;
+import org.springframework.security.oauth2.core.OAuth2TokenValidator;
+import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.access.AccessDeniedHandlerImpl;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
@@ -56,7 +69,10 @@
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 
 import static eu.openanalytics.containerproxy.ui.TemplateResolverConfig.PROP_CORS_ALLOWED_ORIGINS;
 
@@ -85,6 +101,10 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 	public static final String PROP_DISABLE_HSTS_HEADER = "proxy.api-security.disable-hsts-header";
 	public static final String PROP_DISABLE_XSS_PROTECTION_HEADER = "proxy.api-security.disable-xss-protection-header";
 	public static final String PROP_CUSTOM_HEADERS = "proxy.api-security.custom-headers";
+	public static final String PROP_OAUTH2_RESOURCE_ID = "proxy.oauth2.resource-id";
+	public static final String PROP_OAUTH2_JWKS_URL = "proxy.oauth2.jwks-url";
+	public static final String PROP_OAUTH2_ROLES_CLAIM = "proxy.oauth2.roles-claim";
+	public static final String PROP_OAUTH2_USERNAME_ATTRIBUTE = "proxy.oauth2.username-attribute";
 
 	@Override
 	public void configure(WebSecurity web) {
@@ -233,6 +253,63 @@ public void handle(HttpServletRequest request, HttpServletResponse response, Acc
 
 		// create session cookie even if there is no Authentication in order to support the None authentication backend
 		http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
+
+
+		String oauth2JwksUri = environment.getProperty(PROP_OAUTH2_JWKS_URL);
+		String resourceId = environment.getProperty(PROP_OAUTH2_RESOURCE_ID);
+		if (oauth2JwksUri != null && resourceId != null) {
+			http.oauth2ResourceServer()
+					.jwt()
+					.decoder(jwtDecoder(oauth2JwksUri, resourceId))
+					.jwtAuthenticationConverter(jwtAuthenticationConverter());
+		}
+	}
+
+	private NimbusJwtDecoder jwtDecoder(String oauth2JwksUri, String resourceId) {
+		String usernameClaim = environment.getProperty(PROP_OAUTH2_USERNAME_ATTRIBUTE, "sub");
+		OAuth2TokenValidator<Jwt> audienceValidator = token -> {
+			if (token.getAudience().contains(resourceId)) {
+				return OAuth2TokenValidatorResult.success();
+			} else {
+				return OAuth2TokenValidatorResult.failure(new OAuth2Error("custom_code", "Invalid audience", null));
+			}
+		};
+
+		OAuth2TokenValidator<Jwt> usernameValidator = token -> {
+			if (token.hasClaim(usernameClaim)) {
+				return OAuth2TokenValidatorResult.success();
+			} else {
+				return OAuth2TokenValidatorResult.failure(new OAuth2Error("custom_code", "Username claim missing", null));
+			}
+		};
+
+		DelegatingOAuth2TokenValidator<Jwt> validators = new DelegatingOAuth2TokenValidator<>(Arrays.asList(new JwtTimestampValidator(), audienceValidator, usernameValidator));
+
+		NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(oauth2JwksUri).build();
+		decoder.setJwtValidator(validators);
+
+		return decoder;
+	}
+
+	private Converter<Jwt, AbstractAuthenticationToken> jwtAuthenticationConverter() {
+		String rolesClaim = environment.getProperty(PROP_OAUTH2_ROLES_CLAIM);
+		String usernameClaim = environment.getProperty(PROP_OAUTH2_USERNAME_ATTRIBUTE, "sub");
+		return source -> {
+			Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
+			if (rolesClaim != null) {
+				Object claimValue = source.getClaim(rolesClaim);
+				for (String role : OpenIDAuthenticationBackend.parseRolesClaim(logger,  rolesClaim, claimValue)) {
+					String mappedRole = role.toUpperCase().startsWith("ROLE_") ? role : "ROLE_" + role;
+					mappedAuthorities.add(new SimpleGrantedAuthority(mappedRole.toUpperCase()));
+				}
+			}
+
+			String principalClaimValue = source.getClaimAsString(usernameClaim);
+			if (principalClaimValue == null) {
+				throw new IllegalArgumentException(String.format("Cannot extract username from OAuth token, no claim %s found", usernameClaim));
+			}
+			return new JwtAuthenticationToken(source, mappedAuthorities, principalClaimValue);
+		};
 	}
 
 	@Bean(name="authenticationManager")
