11package io .openaev .config ;
22
3- import static io .openaev .config .security .SecurityService .OPENAEV_PROVIDER_PATH_PREFIX ;
43import static io .openaev .config .security .SecurityService .REGISTRATION_ID ;
54import static org .apache .commons .lang3 .StringUtils .isBlank ;
65import static org .springframework .security .oauth2 .client .web .OAuth2AuthorizationRequestRedirectFilter .DEFAULT_AUTHORIZATION_REQUEST_BASE_URI ;
76
8- import com .fasterxml .jackson .core .type .TypeReference ;
9- import com .fasterxml .jackson .databind .JsonNode ;
107import com .fasterxml .jackson .databind .ObjectMapper ;
11- import com .fasterxml .jackson .databind .ObjectReader ;
128import io .openaev .config .security .OpenSamlConfig ;
139import io .openaev .config .security .SecurityService ;
1410import io .openaev .database .model .User ;
1511import io .openaev .security .SsoRefererAuthenticationFailureHandler ;
1612import io .openaev .security .SsoRefererAuthenticationSuccessHandler ;
1713import io .openaev .security .TokenAuthenticationFilter ;
14+ import io .openaev .service .UserMappingService ;
1815import io .openaev .service .user_events .UserEventService ;
1916import jakarta .annotation .Resource ;
2017import jakarta .servlet .http .HttpServletRequest ;
21- import java .io .IOException ;
22- import java .util .ArrayList ;
23- import java .util .Base64 ;
2418import java .util .List ;
25- import java .util .stream .Stream ;
2619import lombok .RequiredArgsConstructor ;
2720import lombok .extern .slf4j .Slf4j ;
2821import org .springframework .boot .autoconfigure .condition .ConditionalOnProperty ;
2922import org .springframework .context .annotation .Bean ;
3023import org .springframework .context .annotation .Configuration ;
31- import org .springframework .core .env .Environment ;
3224import org .springframework .http .HttpStatus ;
3325import org .springframework .security .config .Customizer ;
3426import org .springframework .security .config .annotation .web .builders .HttpSecurity ;
4335import org .springframework .security .oauth2 .client .userinfo .OAuth2UserService ;
4436import org .springframework .security .oauth2 .client .web .DefaultOAuth2AuthorizationRequestResolver ;
4537import org .springframework .security .oauth2 .client .web .OAuth2AuthorizationRequestResolver ;
46- import org .springframework .security .oauth2 .core .OAuth2AccessToken ;
4738import org .springframework .security .oauth2 .core .OAuth2AuthenticationException ;
4839import org .springframework .security .oauth2 .core .OAuth2Error ;
4940import org .springframework .security .oauth2 .core .endpoint .OAuth2AuthorizationRequest ;
5950@ Slf4j
6051public class AppSecurityConfig {
6152
62- private final Environment env ;
6353 private final OpenAEVConfig openAEVConfig ;
6454 private final OpenSamlConfig openSamlConfig ;
6555 private final SecurityService securityService ;
6656 private final UserEventService userEventService ;
57+ private final UserMappingService userMappingService ;
6758
6859 @ Resource protected ObjectMapper mapper ;
6960
@@ -140,43 +131,11 @@ public TokenAuthenticationFilter tokenAuthenticationFilter() {
140131 return new TokenAuthenticationFilter ();
141132 }
142133
143- private List <String > extractRolesFromToken (OAuth2AccessToken accessToken , String registrationId ) {
144- ObjectReader listReader = mapper .readerFor (new TypeReference <List <String >>() {});
145- if (accessToken != null ) {
146- String rolesPathConfig = OPENAEV_PROVIDER_PATH_PREFIX + registrationId + ".roles_path" ;
147- //noinspection unchecked
148- List <String > rolesPath =
149- env .getProperty (rolesPathConfig , List .class , new ArrayList <String >());
150- try {
151- String [] chunks = accessToken .getTokenValue ().split ("\\ ." );
152- Base64 .Decoder decoder = Base64 .getUrlDecoder ();
153- String payload = new String (decoder .decode (chunks [1 ]));
154- JsonNode jsonNode = mapper .readTree (payload );
155- return rolesPath .stream ()
156- .map (path -> "/" + path .replaceAll ("\\ ." , "/" ))
157- .flatMap (
158- path -> {
159- JsonNode arrayRoles = jsonNode .at (path );
160- try {
161- List <String > roles = listReader .readValue (arrayRoles );
162- return roles .stream ();
163- } catch (IOException e ) {
164- return Stream .empty ();
165- }
166- })
167- .toList ();
168- } catch (Exception e ) {
169- log .error (e .getMessage (), e );
170- }
171- }
172- return new ArrayList <>();
173- }
174-
175- public User userOauth2Management (
176- OAuth2AccessToken accessToken , ClientRegistration clientRegistration , OAuth2User user ) {
134+ public User userOauth2Management (ClientRegistration clientRegistration , OAuth2User user ) {
177135 String emailAttribute = user .getAttribute ("email" );
178136 String registrationId = clientRegistration .getRegistrationId ();
179- List <String > rolesFromToken = extractRolesFromToken (accessToken , registrationId );
137+ List <String > rolesFromUser = userMappingService .extractRolesFromUser (user , registrationId );
138+ List <String > groupsFromUser = userMappingService .extractGroupsFromUser (user , registrationId );
180139 if (isBlank (emailAttribute )) {
181140 OAuth2Error authError =
182141 new OAuth2Error (
@@ -189,7 +148,8 @@ public User userOauth2Management(
189148 this .securityService .userManagement (
190149 emailAttribute ,
191150 registrationId ,
192- rolesFromToken ,
151+ rolesFromUser ,
152+ groupsFromUser ,
193153 user .getAttribute ("given_name" ),
194154 user .getAttribute ("family_name" ));
195155
@@ -201,32 +161,28 @@ public User userOauth2Management(
201161 throw new OAuth2AuthenticationException (authError );
202162 }
203163
204- public OidcUser oidcUserManagement (
205- OAuth2AccessToken accessToken , ClientRegistration clientRegistration , OAuth2User user ) {
206- User loginUser = userOauth2Management (accessToken , clientRegistration , user );
164+ public OidcUser oidcUserManagement (ClientRegistration clientRegistration , OAuth2User user ) {
165+ User loginUser = userOauth2Management (clientRegistration , user );
207166 return new OpenAEVOidcUser (loginUser );
208167 }
209168
210- public OAuth2User oAuth2UserManagement (
211- OAuth2AccessToken accessToken , ClientRegistration clientRegistration , OAuth2User user ) {
212- User loginUser = userOauth2Management (accessToken , clientRegistration , user );
169+ public OAuth2User oAuth2UserManagement (ClientRegistration clientRegistration , OAuth2User user ) {
170+ User loginUser = userOauth2Management (clientRegistration , user );
213171 return new OpenAEVOAuth2User (loginUser );
214172 }
215173
216174 @ Bean
217175 public OAuth2UserService <OidcUserRequest , OidcUser > oidcUserService () {
218176 OidcUserService delegate = new OidcUserService ();
219177 return request ->
220- oidcUserManagement (
221- request .getAccessToken (), request .getClientRegistration (), delegate .loadUser (request ));
178+ oidcUserManagement (request .getClientRegistration (), delegate .loadUser (request ));
222179 }
223180
224181 @ Bean
225182 public OAuth2UserService <OAuth2UserRequest , OAuth2User > oauth2UserService () {
226183 DefaultOAuth2UserService delegate = new DefaultOAuth2UserService ();
227184 return request ->
228- oAuth2UserManagement (
229- request .getAccessToken (), request .getClientRegistration (), delegate .loadUser (request ));
185+ oAuth2UserManagement (request .getClientRegistration (), delegate .loadUser (request ));
230186 }
231187
232188 @ Bean
0 commit comments