Commit 6eef3264 authored by Sonia Zorba's avatar Sonia Zorba

SKADC version support

parent bffca64b
+5 −5
package it.inaf.ia2.gms.authn;

import it.inaf.ia2.aa.AuthConfig;
import it.inaf.ia2.rap.client.RapClient;
import it.inaf.ia2.aa.UserManager;
import java.io.IOException;
import java.net.URI;
import javax.servlet.Filter;
@@ -15,11 +15,11 @@ public class ClientDbFilter implements Filter {

    public static final String CLIENT_DB = "client_db";

    private final RapClient rapClient;
    private final UserManager userManager;
    private final String defaultJwksUri;

    public ClientDbFilter(AuthConfig authConfig, RapClient rapClient) {
        this.rapClient = rapClient;
    public ClientDbFilter(AuthConfig authConfig, UserManager userManager) {
        this.userManager = userManager;
        defaultJwksUri = URI.create(authConfig.getRapBaseUri()).resolve(authConfig.getJwksEndpoint()).toString();
    }

@@ -32,7 +32,7 @@ public class ClientDbFilter implements Filter {
        if (clientDb != null) {
            request.getSession().setAttribute(CLIENT_DB, clientDb);
            String newUrl = defaultJwksUri.replaceAll("\\?client_name=(.*)", "?client_name=" + clientDb);
            rapClient.addJwksUri(URI.create(newUrl));
            userManager.addJwksUri(URI.create(newUrl));
        }

        fc.doFilter(req, res);
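Review bot: `userManager.addJwksUri(URI.create(newUrl))` registers a key-set URI built from `clientDb`, which nothing in the hunk validates before it is spliced into `defaultJwksUri` (its origin is outside the hunk; the test file suggests a request parameter). Because that key set is what signed tokens are later verified against, the value should be restricted to an expected shape before use, e.g. `if (!clientDb.matches("[A-Za-z0-9_-]+")) throw new ServletException("invalid client_db");` (pattern constructed for illustration), and the replacement string should go through `Matcher.quoteReplacement(...)` so `$` or `\` in it cannot be read as group references. Note too that `replaceAll` silently leaves the URI unchanged when `defaultJwksUri` has no `?client_name=` part, so the default key set would simply be re-registered. The enclosing doFilter starts outside the hunk.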
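--- /dev/null
+++ b/ClientDbRapClient.java
@@ -0,0 +1,98 @@
+package it.inaf.ia2.gms.authn;
+
+import static it.inaf.ia2.gms.authn.ClientDbFilter.CLIENT_DB;
+import it.inaf.ia2.gms.exception.BadRequestException;
+import it.inaf.ia2.rap.client.call.GetUserCall;
+import it.inaf.ia2.rap.data.RapUser;
+import java.net.URI;
+import java.net.http.HttpRequest;
+import java.util.List;
+import java.util.stream.Collectors;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class ClientDbRapClient extends ServletRapClient {
+
+    private static final Logger LOG = LoggerFactory.getLogger(ClientDbRapClient.class);
+
+    public ClientDbRapClient(String baseUrl) {
+        super(baseUrl);
+    }
+
+    @Override
+    protected HttpRequest.Builder newAuthRequest(HttpRequest.Builder requestBuilder, HttpServletRequest request) {
+        return setClientDb(super.newClientSecretRequest(requestBuilder), request);
+    }
+
+    @Override
+    public HttpRequest.Builder newRequest(String endpoint, HttpServletRequest context) {
+        return setClientDb(super.newRequest(endpoint), context);
+    }
+
+    @Override
+    public HttpRequest.Builder newRequest(URI uri, HttpServletRequest context) {
+        return setClientDb(super.newRequest(uri), context);
+    }
+
+    private HttpRequest.Builder setClientDb(HttpRequest.Builder builder, HttpServletRequest request) {
+        HttpSession session = request.getSession(false);
+        if (session != null) {
+            String clientDb = (String) session.getAttribute("client_db");
+            if (clientDb != null) {
+                builder.setHeader("client_db", clientDb);
+                LOG.debug("client_db=" + clientDb);
+            }
+        }
+        return builder;
+    }
+
+    @Override
+    public URI getAuthorizationUri(HttpServletRequest request) {
+        // for a better security we should check for allowed redirects
+        String redirect = request.getParameter("redirect");
+
+        URI uri;
+        if (redirect != null) {
+            uri = URI.create(redirect);
+        } else {
+            uri = super.getAuthorizationUri(request);
+        }
+
+        String clientDb = request.getParameter(CLIENT_DB);
+        if (clientDb == null) {
+            HttpSession session = request.getSession(false);
+            if (session != null) {
+                clientDb = (String) session.getAttribute(CLIENT_DB);
+            }
+        }
+        if (clientDb == null) {
+            throw new BadRequestException("client_db not set");
+        }
+
+        redirect = uri.toString();
+
+        redirect += redirect.contains("?") ? "&" : "?";
+        redirect += CLIENT_DB + "=" + clientDb;
+
+        return URI.create(redirect);
+    }
+
+    @Override
+    public URI getAccessTokenUri(HttpServletRequest request) {
+        String tokenUri = request.getParameter("token_uri");
+        if (tokenUri != null) {
+            return URI.create(tokenUri);
+        }
+        return super.getAccessTokenUri(request);
+    }
+
+    @Override
+    public List<RapUser> getUsers(String searchText, HttpServletRequest request) {
+        List<RapUser> users = new GetUserCall(this).getUsers(searchText, request);
+        return users.stream()
+                .filter(u -> u.getDisplayName().contains(searchText) || u.getPrimaryEmailAddress().contains(searchText))
+                .collect(Collectors.toList());
+    }
+}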
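Review bot: `getAccessTokenUri` returns whatever `token_uri` the request carries, and `getAuthorizationUri` does the same with `redirect` (the comment there already flags it), so a request can steer where this client sends its token request and where the user is sent afterwards. Presumably the token request carries the client secret and authorization code, so the value should at least be constrained to the configured RAP origin before use; the excerpt below keeps the `baseUrl` from the constructor and compares scheme, host and port against it, and the same guard fits the `redirect` branch. Two smaller points: `setClientDb` uses the literal `"client_db"` where `CLIENT_DB` is already imported, and the `getUsers` filter would throw if `getDisplayName()` or `getPrimaryEmailAddress()` returns null, which `RapUser` may allow — confirm against that class.
```java
    private final URI trustedBase;

    public ClientDbRapClient(String baseUrl) {
        super(baseUrl);
        // kept so request-supplied URIs can be checked against the configured origin
        this.trustedBase = URI.create(baseUrl);
    }

    // … unchanged: newAuthRequest, newRequest overloads, setClientDb, getAuthorizationUri …

    @Override
    public URI getAccessTokenUri(HttpServletRequest request) {
        String tokenUri = request.getParameter("token_uri");
        if (tokenUri != null) {
            return requireTrustedOrigin(URI.create(tokenUri));
        }
        return super.getAccessTokenUri(request);
    }

    /** Rejects a request-supplied URI whose scheme, host or port differ from the configured RAP base. */
    private URI requireTrustedOrigin(URI candidate) {
        boolean sameOrigin = candidate.getHost() != null
                && candidate.getHost().equalsIgnoreCase(trustedBase.getHost())
                && candidate.getPort() == trustedBase.getPort()
                && trustedBase.getScheme().equalsIgnoreCase(candidate.getScheme());
        if (!sameOrigin) {
            throw new BadRequestException("URI not allowed: " + candidate);
        }
        return candidate;
    }

    // … unchanged: getUsers …
```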
+0 −10
@@ -4,14 +4,6 @@ server.servlet.context-path=/gms
spring.main.allow-bean-definition-overriding=true
server.error.whitelabel.enabled=false

security.oauth2.client.client-id=gms
security.oauth2.client.client-secret=gms-secret
security.oauth2.client.access-token-uri=http://localhost/franco/fake-rap/token.php
security.oauth2.client.user-authorization-uri=http://localhost/franco/fake-rap/index.php
security.oauth2.resource.token-info-uri=http://localhost/franco/fake-rap/check-token.php
security.oauth2.client.scope=openid,email,profile
security.oauth2.resource.jwk.key-set-uri=http://localhost/franco/fake-rap/jwks.php

logging.level.it.inaf=TRACE
logging.level.org.springframework.security=DEBUG
logging.level.org.springframework.jdbc=TRACE
@@ -21,8 +13,6 @@ spring.datasource.url=jdbc:postgresql://localhost:5432/postgres
spring.datasource.username=gms
spring.datasource.password=gms

rap.ws-url=http://localhost/franco/fake-rap/get-users.php
rap.ws.basic-auth=true
support.contact.label=IA2 team
support.contact.email=ia2@inaf.it

+14 −9
client_id=gms
client_secret=gms-secret
rap_uri=http://localhost/rap-ia2
jwks_endpoint=/auth/oidc/jwks
access_token_uri=http://localhost/rap-ia2/auth/oauth2/token
user_authorization_uri=http://localhost/rap-ia2/auth/oauth2/authorize
check_token_uri=http://localhost/rap-ia2/auth/oauth2/token
jwks_uri=http://localhost/rap-ia2/auth/oidc/jwks
gms_uri=http://localhost:8082/gms/ws/jwt
client_id=
client_secret=

rap_uri=https://auth.inaf.it/auth/prod/

access_token_endpoint=accessToken/
user_authorization_endpoint=authorization/
check_token_endpoint=userInfo/
jwks_endpoint=jwks?client_name=ia2gms
rap_ws_user_endpoint=portal/SendUsers.php/user

rap_client_class=it.inaf.ia2.gms.authn.ClientDbRapClient

gms_uri=https://sso-devel.ia2.inaf.it/gms
groups_autoload=false
store_state_on_login_endpoint=true
scope=openid email profile read:rap
+4 −4
package it.inaf.ia2.gms.authn;

import it.inaf.ia2.aa.AuthConfig;
import it.inaf.ia2.rap.client.RapClient;
import it.inaf.ia2.aa.UserManager;
import java.net.URI;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
@@ -26,7 +26,7 @@ public class ClientDbFilterTest {
    private AuthConfig authConfig;

    @Mock
    private RapClient rapClient;
    private UserManager userManager;

    private ClientDbFilter filter;

@@ -38,9 +38,9 @@ public class ClientDbFilterTest {
        when(request.getSession()).thenReturn(mock(HttpSession.class));
        when(request.getParameter(eq("client_db"))).thenReturn("other_db");

        filter = new ClientDbFilter(authConfig, rapClient);
        filter = new ClientDbFilter(authConfig, userManager);
        filter.doFilter(request, mock(HttpServletResponse.class), mock(FilterChain.class));

        verify(rapClient).addJwksUri(eq(URI.create("http://ia2.inaf.it/jwks?client_name=other_db")));
        verify(userManager).addJwksUri(eq(URI.create("http://ia2.inaf.it/jwks?client_name=other_db")));
    }
}