Add remote authentication to security filters

Author: culka

development.sh

@@ -29,7 +29,7 @@ download_docker_bundle() {
 
 start_all() {
   download_docker_bundle
-  $DOCKER_COMPOSE_CMD up -d jore4-hasura jore4-testdb
+  $DOCKER_COMPOSE_CMD up -d jore4-hasura jore4-testdb jore4-auth
   $DOCKER_COMPOSE_CMD up --build -d jore4-timetables-api
   prepare_timetables_data_inserter
 }

src/main/kotlin/fi/hsl/jore4/timetables/config/WebSecurityConfig.kt

@@ -1,21 +1,60 @@
 package fi.hsl.jore4.timetables.config
 
+import jakarta.servlet.FilterChain
+import jakarta.servlet.http.HttpServletRequest
+import jakarta.servlet.http.HttpServletResponse
+import mu.KotlinLogging
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.http.HttpMethod
+import org.springframework.security.authentication.AuthenticationProvider
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.http.SessionCreationPolicy
+import org.springframework.security.core.context.SecurityContextHolder
 import org.springframework.security.web.SecurityFilterChain
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken
+import org.springframework.web.filter.OncePerRequestFilter
 
 @Configuration
 @EnableWebSecurity
 class WebSecurityConfig {
 
+    val logger = KotlinLogging.logger {}
+
+    inner class HasuraFilter(private val authenticationProvider: AuthenticationProvider) : OncePerRequestFilter() {
+        override fun doFilterInternal(
+            request: HttpServletRequest,
+            response: HttpServletResponse,
+            filterChain: FilterChain
+        ) {
+            val sessionCookie = request.cookies?.find { it.name.lowercase() == "session" }
+            val roleHeader = request.getHeader("X-Hasura-Role")
+
+            if ("OPTIONS" == request.method) {
+                response.status = HttpServletResponse.SC_OK
+            } else {
+                if (sessionCookie == null || sessionCookie.value.isBlank()) {
+                    logger.info("No session cookie in request http request")
+                } else if (roleHeader == null) {
+                    logger.info("No role header in http request")
+                } else {
+                    logger.info("cookie value ${sessionCookie.value}")
+
+                    val preauth = PreAuthenticatedAuthenticationToken(sessionCookie.value, roleHeader)
+                    SecurityContextHolder.getContext().authentication = authenticationProvider.authenticate(preauth)
+                }
+            }
+            filterChain.doFilter(request, response)
+        }
+    }
+
     @Bean
     @Throws(Exception::class)
-    fun configure(httpSecurity: HttpSecurity): SecurityFilterChain {
+    fun configure(httpSecurity: HttpSecurity, authentication: RemoteAuthenticationProvider): SecurityFilterChain {
         return httpSecurity
+            .addFilterBefore(HasuraFilter(authentication), UsernamePasswordAuthenticationFilter::class.java)
             .sessionManagement { it.sessionCreationPolicy(SessionCreationPolicy.NEVER) }
             .csrf { it.disable() }
             .cors {}
@@ -24,16 +63,19 @@ class WebSecurityConfig {
                     .requestMatchers(
                         HttpMethod.GET,
                         "/actuator/health",
-                        "/error",
-                        "/hello",
-                        "/hello/test",
-                        "/timetables/to-replace"
+                        "/error"
                     )
                     .permitAll()
+                    .requestMatchers(
+                        HttpMethod.GET,
+                        "/timetables/to-replace"
+                    )
+                    .hasAuthority("admin")
                     .requestMatchers(
                         HttpMethod.POST,
                         "/timetables/*"
-                    ).permitAll()
+                    )
+                    .hasAuthority("admin")
                     .anyRequest().denyAll()
             }
             .build()