uoa-repository-manager-service/src/main/java/eu/dnetlib/repo/manager/service/security/AuthoritiesUpdater.java

package eu.dnetlib.repo.manager.service.security;

import org.slf4j.Logger;
import org.mitre.openid.connect.model.OIDCAuthenticationToken;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.common.exceptions.UnauthorizedClientException;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.session.FindByIndexNameSessionRepository;
import org.springframework.session.Session;
import org.springframework.stereotype.Service;

import java.util.Collection;
import java.util.HashSet;
import java.util.Map;


@Service
public class AuthoritiesUpdater extends HttpSessionSecurityContextRepository {

    private static final Logger logger = LoggerFactory.getLogger(AuthoritiesUpdater.class);

    @Autowired
    FindByIndexNameSessionRepository sessions;

    public void update(String id, Update update) {
        if (sessions != null) {
            Map<String, Session> map = sessions.
                    findByIndexNameAndIndexValue(FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME, id);
            if (map != null) {
                for (Session session : map.values()) {
                    logger.debug(session.getId());
                    if (!session.isExpired()) {
                        SecurityContext securityContext = session.getAttribute(SPRING_SECURITY_CONTEXT_KEY);
                        Authentication authentication = securityContext.getAuthentication();
                        if (authentication instanceof OIDCAuthenticationToken) {
                            OIDCAuthenticationToken authOIDC = (OIDCAuthenticationToken) authentication;
                            securityContext.setAuthentication(new OIDCAuthenticationToken(authOIDC.getSub(), authOIDC.getIssuer(),
                                    authOIDC.getUserInfo(), update.authorities(authOIDC.getAuthorities()), authOIDC.getIdToken(),
                                    authOIDC.getAccessTokenValue(), authOIDC.getRefreshTokenValue()));
                            logger.debug("Update authorities");
                            session.setAttribute(SPRING_SECURITY_CONTEXT_KEY, securityContext);
                            sessions.save(session);
                        }
                    }
                }
            }
        }
    }

    public void addRole(String id, GrantedAuthority role) {
        this.update(id, old -> {
            HashSet<GrantedAuthority> authorities = new HashSet<>(old);
            authorities.add(role);
            return authorities;
        });
    }

    public void addRole(GrantedAuthority role) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth instanceof OIDCAuthenticationToken) {
            OIDCAuthenticationToken oidcAuth = (OIDCAuthenticationToken) auth;
            this.addRole(oidcAuth.getUserInfo().getEmail(), role);
        } else {
            throw new UnauthorizedClientException("User auth is not instance of OIDCAuthenticationToken");
        }
    }

    public void removeRole(String id, GrantedAuthority role) {
        this.update(id, old -> {
            HashSet<GrantedAuthority> authorities = new HashSet<>(old);
            authorities.remove(role);
            return authorities;
        });
    }

    public void removeRole(GrantedAuthority role) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth instanceof OIDCAuthenticationToken) {
            OIDCAuthenticationToken oidcAuth = (OIDCAuthenticationToken) auth;
            this.removeRole(oidcAuth.getUserInfo().getEmail(), role);
        }
    }

    public interface Update {
        Collection<? extends GrantedAuthority> authorities(Collection<? extends GrantedAuthority> old);
    }
}
merged branch aai_roles_new to trunk 2021-07-21 13:51:18 +02:00			`package eu.dnetlib.repo.manager.service.security;`

replaced log4j2 with slf4j 2023-01-11 17:50:31 +01:00			`import org.slf4j.Logger;`
merged branch aai_roles_new to trunk 2021-07-21 13:51:18 +02:00			`import org.mitre.openid.connect.model.OIDCAuthenticationToken;`
replaced log4j2 with slf4j 2023-01-11 17:50:31 +01:00			`import org.slf4j.LoggerFactory;`
merged branch aai_roles_new to trunk 2021-07-21 13:51:18 +02:00			`import org.springframework.beans.factory.annotation.Autowired;`
			`import org.springframework.security.core.Authentication;`
			`import org.springframework.security.core.GrantedAuthority;`
			`import org.springframework.security.core.context.SecurityContext;`
			`import org.springframework.security.core.context.SecurityContextHolder;`
			`import org.springframework.security.oauth2.common.exceptions.UnauthorizedClientException;`
			`import org.springframework.security.web.context.HttpSessionSecurityContextRepository;`
			`import org.springframework.session.FindByIndexNameSessionRepository;`
Optimize imports. 2022-12-01 14:19:29 +01:00			`import org.springframework.session.Session;`
merged branch aai_roles_new to trunk 2021-07-21 13:51:18 +02:00			`import org.springframework.stereotype.Service;`

			`import java.util.Collection;`
			`import java.util.HashSet;`
			`import java.util.Map;`


			`@Service`
			`public class AuthoritiesUpdater extends HttpSessionSecurityContextRepository {`

replaced log4j2 with slf4j 2023-01-11 17:50:31 +01:00			`private static final Logger logger = LoggerFactory.getLogger(AuthoritiesUpdater.class);`
merged branch aai_roles_new to trunk 2021-07-21 13:51:18 +02:00
			`@Autowired`
			`FindByIndexNameSessionRepository sessions;`

repository terms functionality 2022-03-15 12:33:49 +01:00			`public void update(String id, Update update) {`
merged branch aai_roles_new to trunk 2021-07-21 13:51:18 +02:00			`if (sessions != null) {`
merged branch springboot - 61629:HEAD 2021-10-22 13:32:44 +02:00			`Map<String, Session> map = sessions.`
repository terms functionality 2022-03-15 12:33:49 +01:00			`findByIndexNameAndIndexValue(FindByIndexNameSessionRepository.PRINCIPAL_NAME_INDEX_NAME, id);`
merged branch aai_roles_new to trunk 2021-07-21 13:51:18 +02:00			`if (map != null) {`
merged branch springboot - 61629:HEAD 2021-10-22 13:32:44 +02:00			`for (Session session : map.values()) {`
merged branch aai_roles_new to trunk 2021-07-21 13:51:18 +02:00			`logger.debug(session.getId());`
			`if (!session.isExpired()) {`
			`SecurityContext securityContext = session.getAttribute(SPRING_SECURITY_CONTEXT_KEY);`
			`Authentication authentication = securityContext.getAuthentication();`
			`if (authentication instanceof OIDCAuthenticationToken) {`
			`OIDCAuthenticationToken authOIDC = (OIDCAuthenticationToken) authentication;`
			`securityContext.setAuthentication(new OIDCAuthenticationToken(authOIDC.getSub(), authOIDC.getIssuer(),`
repository terms functionality 2022-03-15 12:33:49 +01:00			`authOIDC.getUserInfo(), update.authorities(authOIDC.getAuthorities()), authOIDC.getIdToken(),`
merged branch aai_roles_new to trunk 2021-07-21 13:51:18 +02:00			`authOIDC.getAccessTokenValue(), authOIDC.getRefreshTokenValue()));`
			`logger.debug("Update authorities");`
			`session.setAttribute(SPRING_SECURITY_CONTEXT_KEY, securityContext);`
			`sessions.save(session);`
			`}`
			`}`
			`}`
			`}`
			`}`
			`}`

repository terms functionality 2022-03-15 12:33:49 +01:00			`public void addRole(String id, GrantedAuthority role) {`
			`this.update(id, old -> {`
merged branch aai_roles_new to trunk 2021-07-21 13:51:18 +02:00			`HashSet<GrantedAuthority> authorities = new HashSet<>(old);`
			`authorities.add(role);`
			`return authorities;`
			`});`
			`}`

			`public void addRole(GrantedAuthority role) {`
			`Authentication auth = SecurityContextHolder.getContext().getAuthentication();`
			`if (auth instanceof OIDCAuthenticationToken) {`
			`OIDCAuthenticationToken oidcAuth = (OIDCAuthenticationToken) auth;`
			`this.addRole(oidcAuth.getUserInfo().getEmail(), role);`
			`} else {`
			`throw new UnauthorizedClientException("User auth is not instance of OIDCAuthenticationToken");`
			`}`
			`}`

repository terms functionality 2022-03-15 12:33:49 +01:00			`public void removeRole(String id, GrantedAuthority role) {`
			`this.update(id, old -> {`
merged branch aai_roles_new to trunk 2021-07-21 13:51:18 +02:00			`HashSet<GrantedAuthority> authorities = new HashSet<>(old);`
			`authorities.remove(role);`
			`return authorities;`
			`});`
			`}`

			`public void removeRole(GrantedAuthority role) {`
			`Authentication auth = SecurityContextHolder.getContext().getAuthentication();`
			`if (auth instanceof OIDCAuthenticationToken) {`
			`OIDCAuthenticationToken oidcAuth = (OIDCAuthenticationToken) auth;`
			`this.removeRole(oidcAuth.getUserInfo().getEmail(), role);`
			`}`
			`}`

			`public interface Update {`
			`Collection<? extends GrantedAuthority> authorities(Collection<? extends GrantedAuthority> old);`
			`}`
			`}`