Added OAuth and few other bug fixes (#11)

* Added OAuth WIP.

* Formatting

* Gradle cleanup

Author: nicholasnet

backend/main/java/com/ideasbucket/tansen/configuration/AuthenticationProperties.java

@@ -0,0 +1,43 @@
+/*
+ * This file is part of the Tansen project.
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+package com.ideasbucket.tansen.configuration;
+
+import static jakarta.validation.constraints.Pattern.Flag.CASE_INSENSITIVE;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.Pattern;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.validation.annotation.Validated;
+
+@ConfigurationProperties(prefix = "auth")
+@Validated
+public class AuthenticationProperties {
+
+    @JsonProperty("type")
+    @Pattern(regexp = "^(?:OAUTH2|oauth2)$", message = "Only OAuth2 is supported currently.", flags = CASE_INSENSITIVE)
+    private final String type;
+
+    @JsonProperty("oauth2")
+    @Valid
+    private final OAuth2 oauth2;
+
+    @JsonCreator
+    public AuthenticationProperties(@JsonProperty("type") String type, @JsonProperty("oauth2") OAuth2 oauth2) {
+        this.type = type == null ? null : type.toLowerCase();
+        this.oauth2 = oauth2;
+    }
+
+    public String getType() {
+        return type;
+    }
+
+    public OAuth2 getOauth2() {
+        return oauth2;
+    }
+}

backend/main/java/com/ideasbucket/tansen/configuration/OAuth2.java

@@ -0,0 +1,60 @@
+/*
+ * This file is part of the Tansen project.
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+package com.ideasbucket.tansen.configuration;
+
+import com.fasterxml.jackson.annotation.*;
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.AssertTrue;
+import java.util.Map;
+import java.util.stream.Collectors;
+import javax.validation.constraints.NotNull;
+
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonPropertyOrder({ "client" })
+public class OAuth2 {
+
+    @JsonProperty("client")
+    @Valid
+    private final Map<String, @Valid @NotNull(
+        message = "OAuth2 properties cannot be null."
+    ) OAuthClientProperties> client;
+
+    @JsonCreator
+    public OAuth2(@JsonProperty("client") Map<String, OAuthClientProperties> client) {
+        this.client =
+            client
+                .entrySet()
+                .stream()
+                .collect(
+                    Collectors.toMap(
+                        it -> it.getKey().toLowerCase(),
+                        it -> {
+                            var result = OAuthClientProperties.getInstanceWithProvider(
+                                it.getValue(),
+                                it.getKey().toLowerCase()
+                            );
+                            OAuthClientProperties.validate(result);
+                            return result;
+                        }
+                    )
+                );
+    }
+
+    public Map<String, OAuthClientProperties> getClient() {
+        return client;
+    }
+
+    @AssertTrue(message = "Invalid OAuth provider currently we only support Okta.")
+    @JsonIgnore
+    private boolean hasValidSupportedOAuthProvider() {
+        if (client.isEmpty()) {
+            return true;
+        }
+
+        return client.containsKey("okta");
+    }
+}

backend/main/java/com/ideasbucket/tansen/configuration/OAuthClientProperties.java

@@ -0,0 +1,168 @@
+/*
+ * This file is part of the Tansen project.
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+package com.ideasbucket.tansen.configuration;
+
+import com.fasterxml.jackson.annotation.*;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotEmpty;
+import jakarta.validation.constraints.NotNull;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import org.springframework.beans.factory.BeanInitializationException;
+
+@JsonInclude(JsonInclude.Include.NON_NULL)
+@JsonPropertyOrder(
+    {
+        "provider",
+        "clientId",
+        "clientSecret",
+        "authorizationUri",
+        "tokenUri",
+        "userInfoUri",
+        "jwkSetUri",
+        "scope",
+        "customParams",
+    }
+)
+public class OAuthClientProperties {
+
+    private final String provider;
+
+    @JsonProperty("clientId")
+    @NotNull(message = "Client ID cannot be null.")
+    @NotBlank(message = "Client ID cannot be blank.")
+    private final String clientId;
+
+    @JsonProperty("clientSecret")
+    @NotNull(message = "Client Secret cannot be null.")
+    @NotBlank(message = "Client Secret cannot be blank.")
+    private final String clientSecret;
+
+    @JsonProperty("authorizationUri")
+    private final String authorizationUri;
+
+    @JsonProperty("tokenUri")
+    private final String tokenUri;
+
+    @JsonProperty("userInfoUri")
+    private final String userInfoUri;
+
+    @JsonProperty("jwkSetUri")
+    private final String jwkSetUri;
+
+    @JsonProperty("scope")
+    @NotNull(message = "Scope cannot be null.")
+    @NotEmpty(message = "Scope cannot be empty.")
+    private final List<@NotNull(message = "Scope cannot be null.") @NotBlank(
+        message = "Scope cannot be blank."
+    ) String> scope;
+
+    @JsonProperty("customParams")
+    private final Map<String, String> customParameters;
+
+    @JsonCreator
+    public OAuthClientProperties(
+        @JsonProperty("provider") String provider,
+        @JsonProperty("clientId") String clientId,
+        @JsonProperty("clientSecret") String clientSecret,
+        @JsonProperty("authorizationUri") String authorizationUri,
+        @JsonProperty("tokenUri") String tokenUri,
+        @JsonProperty("userInfoUri") String userInfoUri,
+        @JsonProperty("jwkSetUri") String jwkSetUri,
+        @JsonProperty("scope") List<String> scope,
+        @JsonProperty("customParams") Map<String, String> customParameters
+    ) {
+        this.provider = provider;
+        this.clientId = clientId;
+        this.clientSecret = clientSecret;
+        this.authorizationUri = authorizationUri;
+        this.tokenUri = tokenUri;
+        this.userInfoUri = userInfoUri;
+        this.jwkSetUri = jwkSetUri;
+        this.scope = scope;
+        this.customParameters = customParameters == null ? Map.of() : Map.copyOf(customParameters);
+    }
+
+    public static OAuthClientProperties getInstanceWithProvider(OAuthClientProperties original, String provider) {
+        return new OAuthClientProperties(
+            provider,
+            original.clientId,
+            original.clientSecret,
+            original.authorizationUri,
+            original.tokenUri,
+            original.userInfoUri,
+            original.jwkSetUri,
+            original.scope,
+            original.customParameters
+        );
+    }
+
+    public static void validate(OAuthClientProperties target) throws BeanInitializationException {
+        if (target.getProvider() == null) {
+            return;
+        }
+
+        if (target.getProvider().equalsIgnoreCase("okta")) {
+            if (target.getJwkSetUri() == null || target.getJwkSetUri().isBlank()) {
+                throw new BeanInitializationException(
+                    "Okta requires JWK set URI. Properties path 'auth.oauth2.client.okta.jwkSetUri'"
+                );
+            }
+
+            if (target.getAuthorizationUri() == null || target.getAuthorizationUri().isBlank()) {
+                throw new BeanInitializationException(
+                    "Okta requires Authorization URI. Properties path 'auth.oauth2.client.okta.authorizationUri'"
+                );
+            }
+
+            if (target.getTokenUri() == null || target.getTokenUri().isBlank()) {
+                throw new BeanInitializationException(
+                    "Okta requires token URI. Properties path 'auth.oauth2.client.okta.tokenUri'"
+                );
+            }
+
+            if (!new HashSet<>(target.scope).containsAll(List.of("openid", "profile", "email"))) {
+                throw new BeanInitializationException(
+                    "Okta requires following scopes openid, profile and email at minimum. Properties path 'auth.oauth2.client.okta.scope'"
+                );
+            }
+        }
+    }
+
+    public String getProvider() {
+        return provider;
+    }
+
+    public String getClientId() {
+        return clientId;
+    }
+
+    public String getClientSecret() {
+        return clientSecret;
+    }
+
+    public String getAuthorizationUri() {
+        return authorizationUri;
+    }
+
+    public String getTokenUri() {
+        return tokenUri;
+    }
+
+    public String getUserInfoUri() {
+        return userInfoUri;
+    }
+
+    public String getJwkSetUri() {
+        return jwkSetUri;
+    }
+
+    public List<String> getScope() {
+        return scope;
+    }
+}

backend/main/java/com/ideasbucket/tansen/configuration/RbacProperties.java

@@ -9,26 +9,20 @@
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import jakarta.validation.Valid;
-import jakarta.validation.constraints.NotNull;
 import java.util.List;
 import org.springframework.boot.context.properties.ConfigurationProperties;
-import org.springframework.boot.context.properties.EnableConfigurationProperties;
-import org.springframework.context.annotation.PropertySource;
 import org.springframework.validation.annotation.Validated;
 
-@PropertySource(value = "classpath:roles.yml", factory = YamlPropertySourceFactory.class)
 @ConfigurationProperties(prefix = "rbac")
-@EnableConfigurationProperties(RbacProperties.class)
 @Validated
 public class RbacProperties {
 
     @JsonProperty("roles")
-    @NotNull(message = "Roles cannot be null.")
     private final List<@Valid Role> roles;
 
     @JsonCreator
     public RbacProperties(@JsonProperty("roles") List<Role> roles) {
-        this.roles = roles;
+        this.roles = roles == null ? List.of() : List.copyOf(roles);
     }
 
     public List<Role> getRoles() {

backend/main/java/com/ideasbucket/tansen/configuration/SecurityConfiguration.java

@@ -0,0 +1,67 @@
+/*
+ * This file is part of the Tansen project.
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+package com.ideasbucket.tansen.configuration;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.security.web.server.context.NoOpServerSecurityContextRepository;
+import reactor.core.publisher.Mono;
+
+@Configuration
+@EnableWebFluxSecurity
+@EnableReactiveMethodSecurity
+public class SecurityConfiguration {
+
+    private final AuthenticationProperties authenticationProperties;
+
+    @Autowired
+    public SecurityConfiguration(AuthenticationProperties authenticationProperties) {
+        this.authenticationProperties = authenticationProperties;
+    }
+
+    @Bean
+    public SecurityWebFilterChain configure(ServerHttpSecurity http) {
+        if (this.authenticationProperties == null || this.authenticationProperties.getType() == null) {
+            return disabledSecurity(http);
+        }
+        return disabledSecurity(http);
+    }
+
+    private SecurityWebFilterChain disabledSecurity(ServerHttpSecurity http) {
+        return http
+            .exceptionHandling(exceptionHandlingSpec -> {
+                exceptionHandlingSpec.authenticationEntryPoint((swe, e) ->
+                    Mono.fromRunnable(() -> swe.getResponse().setStatusCode(HttpStatus.UNAUTHORIZED))
+                );
+                exceptionHandlingSpec.accessDeniedHandler((swe, e) ->
+                    Mono.fromRunnable(() -> swe.getResponse().setStatusCode(HttpStatus.FORBIDDEN))
+                );
+            })
+            .logout((ServerHttpSecurity.LogoutSpec::disable))
+            .httpBasic((ServerHttpSecurity.HttpBasicSpec::disable))
+            .csrf(ServerHttpSecurity.CsrfSpec::disable)
+            .cors(corsSpec -> {})
+            .securityContextRepository(NoOpServerSecurityContextRepository.getInstance())
+            .authorizeExchange(authorizeExchangeSpec -> {
+                authorizeExchangeSpec.pathMatchers(HttpMethod.OPTIONS).permitAll();
+                authorizeExchangeSpec.pathMatchers(HttpMethod.GET, "/**").permitAll();
+                authorizeExchangeSpec.pathMatchers(HttpMethod.POST, "/**").permitAll();
+                authorizeExchangeSpec.pathMatchers(HttpMethod.PUT, "/**").permitAll();
+                authorizeExchangeSpec.pathMatchers(HttpMethod.PATCH, "/**").permitAll();
+                authorizeExchangeSpec.pathMatchers(HttpMethod.DELETE, "/**").permitAll();
+                authorizeExchangeSpec.anyExchange().permitAll();
+            })
+            .build();
+    }
+}

backend/main/resources/roles.yml

@@ -41,6 +41,8 @@ dependencies {
     implementation("org.springframework.boot:spring-boot-starter-thymeleaf")
     implementation("org.springframework.boot:spring-boot-starter-validation")
     implementation("org.springframework.boot:spring-boot-starter-webflux")
+    implementation("org.springframework.boot:spring-boot-starter-oauth2-client")
+    implementation("org.springframework.boot:spring-boot-starter-security")
     implementation("com.fasterxml.jackson.module:jackson-module-kotlin")
     implementation("io.projectreactor.kotlin:reactor-kotlin-extensions")
     implementation("org.jetbrains.kotlin:kotlin-reflect")
@@ -55,6 +57,7 @@ dependencies {
     implementation("org.springdoc:springdoc-openapi-starter-webflux-ui:2.1.0")
     annotationProcessor("org.springframework.boot:spring-boot-configuration-processor")
     testImplementation("org.springframework.boot:spring-boot-starter-test")
+    testImplementation("org.springframework.security:spring-security-test")
     testImplementation("io.projectreactor:reactor-test")
     testImplementation("org.springframework.kafka:spring-kafka-test")
     testImplementation("org.testcontainers:junit-jupiter")