Merge branch 'IM-459-New-Configure-keycloak-in-remote-engine' into IM…

…-457-Merge-develop-in-IM-384
integratedmodelling · Oct 28, 2024 · 6016ad9 · 6016ad9
2 parents 073b38f + acee3cc
commit 6016ad9
Show file tree

Hide file tree

Showing 9 changed files with 189 additions and 110 deletions.
diff --git a/api/org.integratedmodelling.klab.api/src/org/integratedmodelling/klab/api/API.java b/api/org.integratedmodelling.klab.api/src/org/integratedmodelling/klab/api/API.java
@@ -1283,6 +1283,11 @@ public interface VIEW {
             }
 
         }
+
+        /**
+         * URL path for get SPA pages
+         */
+        public static final String UI = "/ui/*";
 
     }
 

diff --git a/klab.engine/pom.xml b/klab.engine/pom.xml
@@ -545,6 +545,21 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-actuator</artifactId>
 			<version>${spring-boot.version}</version>
+		</dependency>
+				<dependency> 
+			<groupId>org.springframework.security</groupId> 
+			<artifactId>spring-security-oauth2-resource-server</artifactId> 
+			<version>${spring-security.version}</version> 
+		</dependency> 
+		<dependency> 
+			<groupId>org.springframework.security</groupId> 
+			<artifactId>spring-security-oauth2-jose</artifactId> 
+			<version>${spring-security.version}</version> 
+		</dependency>
+		<dependency>
+			<groupId>com.fasterxml.jackson.datatype</groupId>
+			<artifactId>jackson-datatype-joda</artifactId>
+			<version>${jackson-version}</version>
 		</dependency>
 		<dependency>
 			<groupId>org.integratedmodelling</groupId>
@@ -563,7 +578,6 @@
 			<artifactId>jopt-simple </artifactId>
 			<version>4.6</version>
 		</dependency>
-
 		<!-- https://mvnrepository.com/artifact/org.eclipse.xtext/org.eclipse.xtext -->
 		<dependency>
 			<groupId>org.eclipse.xtext</groupId>

diff --git a/...ngine/src/main/java/org/integratedmodelling/klab/engine/rest/security/SecurityConfig.java b/...ngine/src/main/java/org/integratedmodelling/klab/engine/rest/security/SecurityConfig.java
diff --git a/.../src/main/java/org/integratedmodelling/klab/engine/rest/security/SecurityInitializer.java b/.../src/main/java/org/integratedmodelling/klab/engine/rest/security/SecurityInitializer.java
@@ -6,6 +6,6 @@
 @Configuration
 public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {
   public SecurityInitializer() {
-    super(SecurityConfig.class);
+    super(WebSecurityConfig.class);
   }
 }
diff --git a/...ne/src/main/java/org/integratedmodelling/klab/engine/rest/security/WebSecurityConfig.java b/...ne/src/main/java/org/integratedmodelling/klab/engine/rest/security/WebSecurityConfig.java
@@ -0,0 +1,156 @@
+package org.integratedmodelling.klab.engine.rest.security; 
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.stream.Stream;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.integratedmodelling.klab.api.auth.Roles;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.core.annotation.Order;
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
+import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter; 
+
+@Configuration
+class WebSecurityConfig {
+
+	interface AuthoritiesConverter extends Converter<Map<String, Object>, Collection<GrantedAuthority>> {} 
+
+	@Profile("engine.remote")
+	@EnableWebSecurity 
+	@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true) 
+	class WebSecurityConfigRemote extends WebSecurityConfigurerAdapter{ 
+
+	  @Bean 
+	  AuthoritiesConverter realmRolesAuthoritiesConverter() { 
+	      return claims -> { 
+	          final var realmAccess = Optional.ofNullable((Map<String, Object>) claims.get("realm_access")); 
+	          final var roles = 
+	                  realmAccess.flatMap(map -> Optional.ofNullable((List<String>) map.get("roles"))); 
+
+	          List<GrantedAuthority> rolesList = roles.map(List::stream).orElse(Stream.empty()).map(SimpleGrantedAuthority::new) 
+	                  .map(GrantedAuthority.class::cast).toList();
+
+	          rolesList.add(new SimpleGrantedAuthority(Roles.PUBLIC));
+
+
+	          return rolesList;
+	      }; 
+	  } 
+
+	  @Override 
+	  protected void configure(HttpSecurity http) throws Exception { 
+
+		  http
+		  .cors().and().csrf().disable()
+	      .authorizeRequests()
+	      .antMatchers("/api/**").authenticated()
+	      .antMatchers("/**").permitAll();
+
+	  }
+
+	}
+
+
+	@Profile("engine.local")
+	@EnableWebSecurity
+	@EnableGlobalMethodSecurity(prePostEnabled = true, securedEnabled = true)
+	class WebSecurityConfigLocal extends WebSecurityConfigurerAdapter {
+
+	  @Autowired
+	  private PreauthenticatedUserDetailsService customUserDetailsService;
+
+	  @Autowired
+	  private EngineDirectoryAuthenticationProvider authProvider;
+
+	  @Override
+	  protected void configure(HttpSecurity http) throws Exception {
+		  http
+		  // disable automatic session creation to avoid use of cookie session
+		  // and the consequent authentication failures in web ui
+		  .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+		  .and()
+		  .addFilterBefore(certFilter(), RequestHeaderAuthenticationFilter.class)
+//		  .authorizeRequests().anyRequest().hasAnyRole("ADMIN")
+//	      .and()
+	      .authorizeRequests().antMatchers("/login**").permitAll()
+	      .and()
+	      .formLogin().permitAll()
+	      .and()
+	      .logout().permitAll() 
+	      .and()
+	      .csrf().disable()
+	      .exceptionHandling().authenticationEntryPoint(new AuthenticationEntryPoint() {
+
+			@Override
+			public void commence(HttpServletRequest request, HttpServletResponse response,
+					AuthenticationException authException) throws IOException, ServletException {
+				// Pre-authenticated entry point called. Rejecting access
+		        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+			}
+
+	      })
+	      .and()
+	      .headers().frameOptions().disable();
+	  }
+
+		@Bean
+		@Override
+		protected AuthenticationManager authenticationManager()  {
+			final List<AuthenticationProvider> providers = new ArrayList<>(2);
+			providers.add(preauthAuthProvider());
+			providers.add(authProvider);
+			return new ProviderManager(providers);
+		}
+
+	  	@Bean(name="certFilter")
+	  	PreauthenticationFilter certFilter() {
+	  		PreauthenticationFilter ret = new PreauthenticationFilter();
+			ret.setAuthenticationManager(authenticationManager());
+	  		return ret;
+	  	}
+
+		@Bean(name = "preAuthProvider")
+		PreAuthenticatedAuthenticationProvider preauthAuthProvider()  {
+			PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
+			provider.setPreAuthenticatedUserDetailsService(userDetailsServiceWrapper());
+			return provider;
+		}
+
+		@Bean
+		UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> userDetailsServiceWrapper()  {
+			UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken> wrapper = new UserDetailsByNameServiceWrapper<>();
+			wrapper.setUserDetailsService(customUserDetailsService);
+			return wrapper;
+		}
+
+	}
+
+}
+
diff --git a/klab.engine/src/main/resources/application.properties b/klab.engine/src/main/resources/application.properties
@@ -1 +1,2 @@
-spring.jackson.serialization.FAIL_ON_EMPTY_BEANS=false
+spring.jackson.serialization.FAIL_ON_EMPTY_BEANS=false
+spring.profiles.default=local
diff --git a/products/cloud/pom.xml b/products/cloud/pom.xml
@@ -105,11 +105,8 @@
 			<groupId>org.springframework.cloud</groupId>
 			<artifactId>spring-cloud-starter-consul-config</artifactId>
 		</dependency>
-		<dependency>
-			<groupId>com.fasterxml.jackson.datatype</groupId>
-			<artifactId>jackson-datatype-joda</artifactId>
-			<version>${jackson-version}</version>
-		</dependency>
+
+
 		<dependency>
 			<groupId>org.integratedmodelling</groupId>
 			<artifactId>klab.authority.gbif</artifactId>

diff --git a/...ucts/cloud/src/main/java/org/integratedmodelling/klab/engine/services/HubUserService.java b/...ucts/cloud/src/main/java/org/integratedmodelling/klab/engine/services/HubUserService.java
@@ -39,6 +39,8 @@
 import org.springframework.stereotype.Service;
 import org.springframework.web.client.HttpClientErrorException;
 import org.springframework.web.client.RestTemplate;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 
 /**
  * This hub service is used to authenticate a user request to login to an engine
@@ -265,6 +267,7 @@ private Session activeSession(HubUserProfile profile, String token) {
 
     private ResponseEntity<HubLoginResponse> hubLogin(UserAuthenticationRequest login) {
         HttpHeaders headers = new HttpHeaders();
+        headers.add("Authorization", ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest().getHeader("Authorization"));
         HttpEntity< ? > request = new HttpEntity<>(login, headers);
         return restTemplate.postForEntity(getLoginUrl(), request, HubLoginResponse.class);
     }

diff --git a/products/cloud/src/main/resources/bootstrap.yml b/products/cloud/src/main/resources/bootstrap.yml
@@ -4,6 +4,11 @@ spring:
   cloud:
     consul:
       enabled: false
+  security:
+    oauth2:
+      resourceserver:
+        jwt:
+          issuer-uri: http://localhost:8078/realms/im
 
 stats:
   server:
-Original file line number
+Diff line change
@@ Expand Up / @@ -1283,6 +1283,11 @@ public interface VIEW { @@
                 }
             }
+            /**
+             * URL path for get SPA pages
+             */
+            public static final String UI = "/ui/*";
         }
@@ Expand Down @@