-
Notifications
You must be signed in to change notification settings - Fork 4
Expand file tree
/
Copy pathOIDCSecurityConfig.java
More file actions
151 lines (130 loc) · 7.3 KB
/
Copy pathOIDCSecurityConfig.java
File metadata and controls
151 lines (130 loc) · 7.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
package fr.insee.genesis.configuration.auth.security;
import lombok.Getter;
import lombok.RequiredArgsConstructor;
import lombok.Setter;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpMethod;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
import org.springframework.security.web.SecurityFilterChain;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
@Configuration
@EnableWebSecurity
@EnableMethodSecurity(prePostEnabled = true)
@Slf4j
@ConditionalOnProperty(name = "fr.insee.genesis.authentication", havingValue = "OIDC")
@ConfigurationProperties(prefix = "fr.insee.genesis.security")
@RequiredArgsConstructor
public class OIDCSecurityConfig {
@Getter
@Setter
private String[] whitelistMatchers;
private static final String ROLE_PREFIX = "ROLE_";
private final RoleConfiguration roleConfiguration;
private final SecurityTokenProperties inseeSecurityTokenProperties;
@Value("${fr.insee.genesis.security.resourceserver.jwt.issuer-uri}")
String issuerUri;
@Value("${fr.insee.genesis.security.resourceserver.dmz.jwt.issuer-uri}")
String issuerUriDmz;
@Bean
public SecurityFilterChain filterChain(HttpSecurity http, JwtIssuerAuthenticationManagerResolver authenticationManagerResolver) throws Exception {
http
.csrf(AbstractHttpConfigurer::disable)
.sessionManagement(sess -> sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(authorize -> authorize
// Whitelisted paths sans auth
.requestMatchers(whitelistMatchers).permitAll()
// Secured reader-access paths
.requestMatchers(HttpMethod.GET,"/questionnaires/**").hasRole(String.valueOf(ApplicationRole.READER))
.requestMatchers(HttpMethod.GET,"/modes/**").hasRole(String.valueOf(ApplicationRole.READER))
.requestMatchers(HttpMethod.GET,"/interrogations/**").hasRole(String.valueOf(ApplicationRole.READER))
.requestMatchers(HttpMethod.GET,"/campaigns/**").hasRole(String.valueOf(ApplicationRole.READER))
//All others require authentication
.anyRequest().authenticated()
)
.oauth2ResourceServer(
oauth2 -> oauth2.authenticationManagerResolver(authenticationManagerResolver));
return http.build();
}
@Bean
JwtAuthenticationConverter jwtAuthenticationConverter() {
JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
jwtAuthenticationConverter.setPrincipalClaimName(inseeSecurityTokenProperties.getOidcClaimUsername());
jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter());
return jwtAuthenticationConverter;
}
@Bean
public JwtIssuerAuthenticationManagerResolver authenticationManagerResolver() {
final List<String> issuers = List.of(issuerUri,issuerUriDmz);
Map<String, AuthenticationManager> authenticationManagers = new HashMap<>();
for (String issuer : issuers) {
NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder
.withJwkSetUri(issuer + "/protocol/openid-connect/certs")
.build();
JwtAuthenticationProvider provider = new JwtAuthenticationProvider(jwtDecoder);
provider.setJwtAuthenticationConverter(jwtAuthenticationConverter());
AuthenticationManager manager = new ProviderManager(provider);
authenticationManagers.put(issuer, manager);
}
return new JwtIssuerAuthenticationManagerResolver(authenticationManagers::get);
}
Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter() {
return new Converter<Jwt, Collection<GrantedAuthority>>() {
@Override
@SuppressWarnings({"unchecked"})
public Collection<GrantedAuthority> convert(Jwt source) {
String[] claimPath = inseeSecurityTokenProperties.getOidcClaimRole().split("\\.");
Map<String, Object> claims = source.getClaims();
try {
for (int i = 0; i < claimPath.length - 1; i++) {
claims = (Map<String, Object>) claims.get(claimPath[i]);
}
if (claims != null) {
List<String> tokenClaims = (List<String>) claims.getOrDefault(claimPath[claimPath.length - 1], List.of());
// Collect distinct values from mapping associated with input keys
List<String> claimedRoles = tokenClaims.stream()
.filter(roleConfiguration.getRolesByClaim()::containsKey) // Ensure the key exists in the mapping
.flatMap(key -> roleConfiguration.getRolesByClaim().get(key).stream()) // Get the list of values associated with the key
.distinct() // Remove duplicates
.toList();
return Collections.unmodifiableCollection(claimedRoles.stream().map(s -> new GrantedAuthority() {
@Override
public String getAuthority() {
return ROLE_PREFIX + s;
}
@Override
public String toString() {
return getAuthority();
}
}).toList());
}
} catch (ClassCastException e) {
// role path not correctly found, assume that no role for this user
return List.of();
}
return List.of();
}
};
}
}