dnet-applications/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/OAuth2WebSecurityConfig.java

package eu.dnetlib.organizations;

import java.util.HashSet;
import java.util.Set;

import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.access.AccessDeniedHandler;

import eu.dnetlib.organizations.controller.UserInfo;
import eu.dnetlib.organizations.controller.UserRole;
import eu.dnetlib.organizations.model.User;
import eu.dnetlib.organizations.utils.DatabaseUtils;
import eu.dnetlib.organizations.utils.OpenOrgsConstants;

@Profile("!dev")
@Configuration
@EnableWebSecurity
public class OAuth2WebSecurityConfig extends WebSecurityConfigurerAdapter {

	@Autowired
	private DatabaseUtils databaseUtils;

	@Autowired
	private ClientRegistrationRepository clientRegistrationRepository;

	@Value("${openaire.api.valid.subnet}")
	private String openaireApiValidSubnet;

	@Value("${openaire.override.logout.url}")
	private String openaireLogoutUrl;

	private static Logger logger = LoggerFactory.getLogger(OAuth2WebSecurityConfig.class);

	@Override
	protected void configure(final HttpSecurity http) throws Exception {
		http.csrf()
			.disable()
			.authorizeRequests()
			.antMatchers("/main", "/api/**")
			.hasAnyRole(OpenOrgsConstants.VALID_ROLES)
			.antMatchers("/registration_api/**")
			.hasRole(OpenOrgsConstants.NOT_AUTORIZED_ROLE)
			.antMatchers("/", "/resources/**", "/webjars/**")
			.permitAll()
			.antMatchers("/oa_api/**")
			.hasIpAddress(openaireApiValidSubnet)
			.anyRequest()
			.authenticated()
			.and()
			.exceptionHandling()
			.accessDeniedHandler(accessDeniedHandler())
			.and()
			.logout()
			.logoutSuccessHandler(oidcLogoutSuccessHandler())
			.invalidateHttpSession(true)
			.clearAuthentication(true)
			.deleteCookies("JSESSIONID")
			.and()
			.oauth2Login(oauth2 -> oauth2.userInfoEndpoint(userInfo -> userInfo.oidcUserService(this.oidcUserService())));
	}

	private AccessDeniedHandler accessDeniedHandler() {
		return (req, res, e) -> {
			final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
			if (authentication != null) {
				logger.warn(String
					.format("User '%s' (%s) attempted to access the protected URL: %s", UserInfo.getEmail(authentication), req
						.getRemoteAddr(), req.getRequestURI()));
			}

			if (UserInfo.isNotAuthorized(authentication)) {
				res.sendRedirect(req.getContextPath() + "/authorizationRequest");
			} else {
				res.sendRedirect(req.getContextPath() + "/alreadyRegistered");
			}
		};
	}

	private OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler() {
		final OidcClientInitiatedLogoutSuccessHandler handler = new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);
		// NB:
		// The same URL must be configured server side:
		// Manage Clients > Edit Client > Other > Post-Logout Redirect

		handler.setPostLogoutRedirectUri("{baseUrl}");
		handler.setRedirectStrategy((req, res, url) -> {
			if (StringUtils.isNotBlank(openaireLogoutUrl)) {
				logger.info("Performing remote logout: " + openaireLogoutUrl);
				res.sendRedirect(openaireLogoutUrl);
			} else {
				logger.info("Performing remote logout: " + url);
				res.sendRedirect(url);
			}
		});
		return handler;

	}

	private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
		final OidcUserService delegate = new OidcUserService();

		return (userRequest) -> {
			final OidcUser oidcUser = delegate.loadUser(userRequest);

			final String role = "ROLE_" + OpenOrgsConstants.OPENORGS_ROLE_PREFIX + databaseUtils.findUser(oidcUser.getEmail())
				.map(User::getRole)
				.filter(StringUtils::isNotBlank)
				.orElse(UserRole.NOT_AUTHORIZED.toString());

			final Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
			mappedAuthorities.add(new SimpleGrantedAuthority(role));

			return new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo());
		};
	}

	// https://www.baeldung.com/spring-security-openid-connect

	// https://github.com/mitreid-connect/
	// https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/tree/master/openid-connect-client
	// https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Client-configuration

	// https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/uoa-login-core/trunk/
	// https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/uoa-user-management/trunk/
	// https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/dnet-openaire-users/trunk/
	// https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/dnet-login/trunk/

	// Aprire Ticket a GRNET con Argiro e Katerina come watchers

}
added dnet-orgs-database-application 2020-07-03 12:09:22 +02:00			`package eu.dnetlib.organizations;`

role remapping 2020-11-04 12:18:25 +01:00			`import java.util.HashSet;`
			`import java.util.Set;`

urls with authorizations 2020-11-04 14:18:41 +01:00			`import org.apache.commons.lang3.StringUtils;`
logout and homepage 2020-11-04 15:06:34 +01:00			`import org.slf4j.Logger;`
			`import org.slf4j.LoggerFactory;`
role remapping 2020-11-04 12:18:25 +01:00			`import org.springframework.beans.factory.annotation.Autowired;`
restricted access for simrels api 2020-09-29 11:34:31 +02:00			`import org.springframework.beans.factory.annotation.Value;`
added dnet-orgs-database-application 2020-07-03 12:09:22 +02:00			`import org.springframework.context.annotation.Configuration;`
simple authentication in DEV profile 2020-11-23 12:02:33 +01:00			`import org.springframework.context.annotation.Profile;`
added dnet-orgs-database-application 2020-07-03 12:09:22 +02:00			`import org.springframework.security.config.annotation.web.builders.HttpSecurity;`
			`import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;`
			`import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;`
logout and homepage 2020-11-04 15:06:34 +01:00			`import org.springframework.security.core.Authentication;`
role remapping 2020-11-04 12:18:25 +01:00			`import org.springframework.security.core.GrantedAuthority;`
			`import org.springframework.security.core.authority.SimpleGrantedAuthority;`
logout and homepage 2020-11-04 15:06:34 +01:00			`import org.springframework.security.core.context.SecurityContextHolder;`
role remapping 2020-11-04 12:18:25 +01:00			`import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;`
			`import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;`
logout and homepage 2020-11-04 15:06:34 +01:00			`import org.springframework.security.oauth2.client.oidc.web.logout.OidcClientInitiatedLogoutSuccessHandler;`
			`import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;`
role remapping 2020-11-04 12:18:25 +01:00			`import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;`
			`import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;`
			`import org.springframework.security.oauth2.core.oidc.user.OidcUser;`
urls with authorizations 2020-11-04 14:18:41 +01:00			`import org.springframework.security.web.access.AccessDeniedHandler;`
role remapping 2020-11-04 12:18:25 +01:00
logout and homepage 2020-11-04 15:06:34 +01:00			`import eu.dnetlib.organizations.controller.UserInfo;`
role remapping 2020-11-04 12:18:25 +01:00			`import eu.dnetlib.organizations.controller.UserRole;`
			`import eu.dnetlib.organizations.model.User;`
user access dates 2020-11-12 15:47:41 +01:00			`import eu.dnetlib.organizations.utils.DatabaseUtils;`
simple authentication in DEV profile 2020-11-23 12:02:33 +01:00			`import eu.dnetlib.organizations.utils.OpenOrgsConstants;`
added dnet-orgs-database-application 2020-07-03 12:09:22 +02:00
simple authentication in DEV profile 2020-11-23 12:02:33 +01:00			`@Profile("!dev")`
added dnet-orgs-database-application 2020-07-03 12:09:22 +02:00			`@Configuration`
			`@EnableWebSecurity`
simple authentication in DEV profile 2020-11-23 12:02:33 +01:00			`public class OAuth2WebSecurityConfig extends WebSecurityConfigurerAdapter {`
added dnet-orgs-database-application 2020-07-03 12:09:22 +02:00
role remapping 2020-11-04 12:18:25 +01:00			`@Autowired`
user access dates 2020-11-12 15:47:41 +01:00			`private DatabaseUtils databaseUtils;`
added dnet-orgs-database-application 2020-07-03 12:09:22 +02:00
urls with authorizations 2020-11-04 14:18:41 +01:00			`@Autowired`
logout and homepage 2020-11-04 15:06:34 +01:00			`private ClientRegistrationRepository clientRegistrationRepository;`
urls with authorizations 2020-11-04 14:18:41 +01:00
restricted access for simrels api 2020-09-29 11:34:31 +02:00			`@Value("${openaire.api.valid.subnet}")`
			`private String openaireApiValidSubnet;`

override remote logout url 2020-12-02 16:10:23 +01:00			`@Value("${openaire.override.logout.url}")`
			`private String openaireLogoutUrl;`

simple authentication in DEV profile 2020-11-23 12:02:33 +01:00			`private static Logger logger = LoggerFactory.getLogger(OAuth2WebSecurityConfig.class);`
urls with authorizations 2020-11-04 14:18:41 +01:00
added dnet-orgs-database-application 2020-07-03 12:09:22 +02:00			`@Override`
			`protected void configure(final HttpSecurity http) throws Exception {`
urls with authorizations 2020-11-04 14:18:41 +01:00			`http.csrf()`
			`.disable()`
			`.authorizeRequests()`
logout and homepage 2020-11-04 15:06:34 +01:00			`.antMatchers("/main", "/api/**")`
simple authentication in DEV profile 2020-11-23 12:02:33 +01:00			`.hasAnyRole(OpenOrgsConstants.VALID_ROLES)`
urls with authorizations 2020-11-04 14:18:41 +01:00			`.antMatchers("/registration_api/**")`
simple authentication in DEV profile 2020-11-23 12:02:33 +01:00			`.hasRole(OpenOrgsConstants.NOT_AUTORIZED_ROLE)`
logout and homepage 2020-11-04 15:06:34 +01:00			`.antMatchers("/", "/resources/", "/webjars/")`
urls with authorizations 2020-11-04 14:18:41 +01:00			`.permitAll()`
			`.antMatchers("/oa_api/**")`
			`.hasIpAddress(openaireApiValidSubnet)`
			`.anyRequest()`
			`.authenticated()`
			`.and()`
			`.exceptionHandling()`
logout and homepage 2020-11-04 15:06:34 +01:00			`.accessDeniedHandler(accessDeniedHandler())`
			`.and()`
			`.logout()`
			`.logoutSuccessHandler(oidcLogoutSuccessHandler())`
override remote logout url 2020-12-02 16:10:23 +01:00			`.invalidateHttpSession(true)`
			`.clearAuthentication(true)`
			`.deleteCookies("JSESSIONID")`
urls with authorizations 2020-11-04 14:18:41 +01:00			`.and()`
			`.oauth2Login(oauth2 -> oauth2.userInfoEndpoint(userInfo -> userInfo.oidcUserService(this.oidcUserService())));`
logout and homepage 2020-11-04 15:06:34 +01:00			`}`

			`private AccessDeniedHandler accessDeniedHandler() {`
			`return (req, res, e) -> {`
			`final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();`
			`if (authentication != null) {`
			`logger.warn(String`
simple authentication in DEV profile 2020-11-23 12:02:33 +01:00			`.format("User '%s' (%s) attempted to access the protected URL: %s", UserInfo.getEmail(authentication), req`
logout and homepage 2020-11-04 15:06:34 +01:00			`.getRemoteAddr(), req.getRequestURI()));`
			`}`

			`if (UserInfo.isNotAuthorized(authentication)) {`
			`res.sendRedirect(req.getContextPath() + "/authorizationRequest");`
			`} else {`
			`res.sendRedirect(req.getContextPath() + "/alreadyRegistered");`
			`}`
			`};`
			`}`
urls with authorizations 2020-11-04 14:18:41 +01:00
logout and homepage 2020-11-04 15:06:34 +01:00			`private OidcClientInitiatedLogoutSuccessHandler oidcLogoutSuccessHandler() {`
redirect logout 2020-11-05 09:55:02 +01:00			`final OidcClientInitiatedLogoutSuccessHandler handler = new OidcClientInitiatedLogoutSuccessHandler(clientRegistrationRepository);`
			`// NB:`
			`// The same URL must be configured server side:`
			`// Manage Clients > Edit Client > Other > Post-Logout Redirect`
override remote logout url 2020-12-02 16:10:23 +01:00
redirect logout 2020-11-05 09:55:02 +01:00			`handler.setPostLogoutRedirectUri("{baseUrl}");`
override remote logout url 2020-12-02 16:10:23 +01:00			`handler.setRedirectStrategy((req, res, url) -> {`
			`if (StringUtils.isNotBlank(openaireLogoutUrl)) {`
			`logger.info("Performing remote logout: " + openaireLogoutUrl);`
			`res.sendRedirect(openaireLogoutUrl);`
			`} else {`
			`logger.info("Performing remote logout: " + url);`
			`res.sendRedirect(url);`
			`}`
			`});`
redirect logout 2020-11-05 09:55:02 +01:00			`return handler;`

added dnet-orgs-database-application 2020-07-03 12:09:22 +02:00			`}`

role remapping 2020-11-04 12:18:25 +01:00			`private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {`
			`final OidcUserService delegate = new OidcUserService();`

			`return (userRequest) -> {`
			`final OidcUser oidcUser = delegate.loadUser(userRequest);`

simple authentication in DEV profile 2020-11-23 12:02:33 +01:00			`final String role = "ROLE_" + OpenOrgsConstants.OPENORGS_ROLE_PREFIX + databaseUtils.findUser(oidcUser.getEmail())`
urls with authorizations 2020-11-04 14:18:41 +01:00			`.map(User::getRole)`
			`.filter(StringUtils::isNotBlank)`
			`.orElse(UserRole.NOT_AUTHORIZED.toString());`
role remapping 2020-11-04 12:18:25 +01:00
			`final Set<GrantedAuthority> mappedAuthorities = new HashSet<>();`
urls with authorizations 2020-11-04 14:18:41 +01:00			`mappedAuthorities.add(new SimpleGrantedAuthority(role));`
role remapping 2020-11-04 12:18:25 +01:00
			`return new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo());`
			`};`
			`}`
oauth2 first steps 2020-11-04 10:30:29 +01:00
			`// https://www.baeldung.com/spring-security-openid-connect`

			`// https://github.com/mitreid-connect/`
			`// https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/tree/master/openid-connect-client`
			`// https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/Client-configuration`

			`// https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/uoa-login-core/trunk/`
			`// https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/uoa-user-management/trunk/`
			`// https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/dnet-openaire-users/trunk/`
			`// https://svn.driver.research-infrastructures.eu/driver/dnet45/modules/dnet-login/trunk/`

			`// Aprire Ticket a GRNET con Argiro e Katerina come watchers`
added dnet-orgs-database-application 2020-07-03 12:09:22 +02:00
			`}`