Feature: enable app registration (#703)

<!-- Please provide brief information about the PR, what it contains &
its purpose, new behaviors after the change. And let us know here if you
need any help: https://github.com/microsoft/HydraLab/issues/new -->

## Description
- Enable app registration auth approach for pipeline requests, according
to SFI requirement.
- Add portal UI for app registration client ID linking:
- <img width="2552" height="1305" alt="image"
src="https://github.com/user-attachments/assets/23f0f815-a5db-438b-88d8-facb4a5c3d7e"
/>

<!-- A few words to explain your changes -->

### Linked GitHub issue ID: #  

## Pull Request Checklist
<!-- Put an x in the boxes that apply. This is simply a reminder of what
we are going to look for before merging your code. -->

- [X] Tests for the changes have been added (for bug fixes / features)
- [X] Code compiles correctly with all tests are passed.
- [X] I've read the [contributing
guide](https://github.com/microsoft/HydraLab/blob/main/CONTRIBUTING.md#making-changes-to-the-code)
and followed the recommended practices.
- [ ] [Wikis](https://github.com/microsoft/HydraLab/wiki) or
[README](https://github.com/microsoft/HydraLab/blob/main/README.md) have
been reviewed and added / updated if needed (for bug fixes / features)

### Does this introduce a breaking change?
*If this introduces a breaking change for Hydra Lab users, please
describe the impact and migration path.*
The pipeline needs to switch to App registration token authentication
approach, basic additional steps:
- Generate ADO Service Connection for App Registration automatically
- Add `API permission` for resource
api://228c4d51-5002-4fcf-8752-552b478fff77 in the App Registration
- Onboard AR client ID on Hydra Lab portal and create relationship to
team ID
- Add precedent AAD token acquiring task in test pipeline

- [X] Yes
- [ ] No

## How you tested it
*Please make sure the change is tested, you can test it by adding UTs,
do local test and share the screenshots, etc.*
Locally tested.

Please check the type of change your PR introduces:
- [ ] Bugfix
- [ ] Feature
- [ ] Technical design
- [ ] Build related changes
- [ ] Refactoring (no functional changes, no api changes)
- [ ] Code style update (formatting, renaming) or Documentation content
changes
- [ ] Other (please describe): 

### Feature UI screenshots or Technical design diagrams
*If this is a relatively large or complex change, kick it off by drawing
the tech design with PlantUML and explaining why you chose the solution
you did and what alternatives you considered, etc...*

---------

Co-authored-by: MaX ES Bot <mmxesbot@microsoft.com>

Author: olivershen-wow

…enter/controller/UserTeamController.java …ab/center/controller/TeamController.javacenter/src/main/java/com/microsoft/hydralab/center/controller/UserTeamController.java renamed to center/src/main/java/com/microsoft/hydralab/center/controller/TeamController.java center/src/main/java/com/microsoft/hydralab/center/controller/UserTeamController.java renamed to center/src/main/java/com/microsoft/hydralab/center/controller/TeamController.java

@@ -6,13 +6,16 @@
 import com.microsoft.hydralab.center.service.SecurityUserService;
 import com.microsoft.hydralab.center.service.SysTeamService;
 import com.microsoft.hydralab.center.service.SysUserService;
+import com.microsoft.hydralab.center.service.TeamAppManagementService;
 import com.microsoft.hydralab.center.service.UserTeamManagementService;
 import com.microsoft.hydralab.common.entity.agent.Result;
 import com.microsoft.hydralab.common.entity.center.SysTeam;
 import com.microsoft.hydralab.common.entity.center.SysUser;
+import com.microsoft.hydralab.common.entity.center.TeamAppRelation;
 import com.microsoft.hydralab.common.entity.center.UserTeamRelation;
 import com.microsoft.hydralab.common.util.Const;
 import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.security.access.prepost.PreAuthorize;
@@ -29,7 +32,7 @@
 
 @RestController
 @RequestMapping
-public class UserTeamController {
+public class TeamController {
     @Resource
     SysTeamService sysTeamService;
     @Resource
@@ -38,6 +41,8 @@ public class UserTeamController {
     UserTeamManagementService userTeamManagementService;
     @Resource
     SecurityUserService securityUserService;
+    @Autowired
+    private TeamAppManagementService teamAppManagementService;
 
     @PreAuthorize("hasAnyAuthority('SUPER_ADMIN','ADMIN')")
     @PostMapping(value = {"/api/team/create"}, produces = MediaType.APPLICATION_JSON_VALUE)
@@ -311,4 +316,70 @@ public Result<SysTeam> queryDefaultTeam(@CurrentSecurityContext SysUser requesto
         return Result.ok(sysTeamService.queryTeamById(user.getDefaultTeamId()));
     }
 
+    /**
+     * Authenticated USER: all
+     */
+    @PostMapping(value = {"/api/teamApp/addRelation"}, produces = MediaType.APPLICATION_JSON_VALUE)
+    public Result<TeamAppRelation> addTeamAppRelation(@CurrentSecurityContext SysUser requestor,
+                                                        @RequestParam("appClientId") String appClientId,
+                                                        @RequestParam("teamId") String teamId) {
+        if (requestor == null) {
+            return Result.error(HttpStatus.UNAUTHORIZED.value(), "Unauthorized");
+        }
+        ///  todo: app client ID format check
+        if (!sysUserService.checkUserAdmin(requestor) && !userTeamManagementService.checkRequestorTeamRelation(requestor, teamId)) {
+            return Result.error(HttpStatus.UNAUTHORIZED.value(), "Unauthorized, user doesn't belong to this Team");
+        }
+        String existingTeamId = teamAppManagementService.queryTeamIdByClientId(appClientId);
+        if (existingTeamId != null) {
+            if (existingTeamId.equals(teamId)) {
+                return Result.error(HttpStatus.FORBIDDEN.value(), "Client ID already linked in current team.");
+            } else {
+                return Result.error(HttpStatus.FORBIDDEN.value(), "Client ID already linked in another team.");
+            }
+        }
+
+        return Result.ok(teamAppManagementService.addTeamAppRelation(teamId, appClientId));
+    }
+
+    /**
+     * Authenticated USER: all
+     */
+    @PostMapping(value = {"/api/teamApp/deleteRelation"}, produces = MediaType.APPLICATION_JSON_VALUE)
+    public Result deleteTeamAppRelation(@CurrentSecurityContext SysUser requestor,
+                                     @RequestParam("appClientId") String appClientId,
+                                     @RequestParam("teamId") String teamId) {
+        if (requestor == null) {
+            return Result.error(HttpStatus.UNAUTHORIZED.value(), "Unauthorized");
+        }
+        ///  todo: app client ID format check
+        if (!sysUserService.checkUserAdmin(requestor) && !userTeamManagementService.checkRequestorTeamRelation(requestor, teamId)) {
+            return Result.error(HttpStatus.UNAUTHORIZED.value(), "Unauthorized, user doesn't belong to this Team");
+        }
+        TeamAppRelation relation = teamAppManagementService.queryRelation(appClientId, teamId);
+        if (relation == null) {
+            return Result.error(HttpStatus.BAD_REQUEST.value(), "Relation doesn't exist.");
+        }
+
+        teamAppManagementService.deleteTeamAppRelation(relation);
+        return Result.ok("delete team-app relation successfully!");
+    }
+
+    /**
+     * Authenticated USER: all
+     */
+    @PostMapping(value = {"/api/team/clientIds"}, produces = MediaType.APPLICATION_JSON_VALUE)
+    public Result<List<String>> queryTeamClientIds(@CurrentSecurityContext SysUser requestor,
+                                                      @RequestParam("teamId") String teamId) {
+        if (requestor == null) {
+            return Result.error(HttpStatus.UNAUTHORIZED.value(), "Unauthorized");
+        }
+        ///  todo: app client ID format check
+        if (!sysUserService.checkUserAdmin(requestor) && !userTeamManagementService.checkRequestorTeamRelation(requestor, teamId)) {
+            return Result.error(HttpStatus.UNAUTHORIZED.value(), "Unauthorized, user doesn't belong to this Team");
+        }
+
+        List<String> clientIds = teamAppManagementService.queryClientIdsByTeam(teamId);
+        return Result.ok(clientIds);
+    }
 }

center/src/main/java/com/microsoft/hydralab/center/interceptor/BaseInterceptor.java

@@ -40,12 +40,16 @@ public class BaseInterceptor extends HandlerInterceptorAdapter {
     AuthTokenService authTokenService;
     @Value("${app.storage.type}")
     private String storageType;
+    @Value("${app.api-auth-mode}")
+    private String apiAuthMode;
 
     @Override
     public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws IOException {
         String remoteUser = request.getRemoteUser();
         String requestURI = request.getRequestURI();
-        String oauthToken = null;
+        String sessionAuthToken = null;
+        String authorizationToken;
+        String aadIdToken;
         if (LogUtils.isLegalStr(requestURI, Const.RegexString.URL, true) && LogUtils.isLegalStr(remoteUser, Const.RegexString.MAIL_ADDRESS, true)) {
             LOGGER.info("New access from IP {}, host {}, user {}, for path {}", request.getRemoteAddr(), request.getRemoteHost(), remoteUser,
                     requestURI);// CodeQL [java/log-injection] False Positive: Has verified the string by regular expression
@@ -64,41 +68,43 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
         SecurityContext securityContext = (SecurityContext) request.getSession().getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
         if (securityContext != null) {
             SysUser userAuthentication = (SysUser) securityContext.getAuthentication();
-            oauthToken = userAuthentication.getAccessToken();
+            sessionAuthToken = userAuthentication.getAccessToken();
         }
 
-        String authToken = request.getHeader("Authorization");
-        if (authToken != null) {
-            authToken = authToken.replaceAll("Bearer ", "");
+        authorizationToken = request.getHeader("Authorization");
+        if (authorizationToken != null) {
+            authorizationToken = authorizationToken.replaceAll("Bearer ", "");
         }
 
         // For Azure AD authentication
-        String accessToken = request.getHeader("X-MS-TOKEN-AAD-ID-TOKEN");
+        aadIdToken = request.getHeader("X-MS-TOKEN-AAD-ID-TOKEN");
         LOGGER.info("UserId: " + request.getHeader("X-MS-CLIENT-PRINCIPAL-ID"));
         LOGGER.info("UserName: " + request.getHeader("X-MS-CLIENT-PRINCIPAL-NAME"));
 
-        //check is ignore
+        // check is ignore
         if (!authUtil.isIgnore(requestURI)) {
-            //invoked by API client
-            if (!StringUtils.isEmpty(accessToken)) {
-                if (authTokenService.checkAADToken(accessToken)) {
+            // invoked by API client
+            if (!StringUtils.isEmpty(aadIdToken)) {
+                if (authTokenService.checkAADToken(aadIdToken)) {
                     return true;
                 } else {
                     response.sendError(HttpStatus.UNAUTHORIZED.value(), "unauthorized, error authorization code");
                 }
             }
 
-            //invoke by client
-            if (!StringUtils.isEmpty(authToken)) {
-                if (authTokenService.checkAuthToken(authToken)) {
+            // invoked by agent client
+            if (!StringUtils.isEmpty(authorizationToken)) {
+                if ("SECRET".equals(apiAuthMode) && authTokenService.checkAuthToken(authorizationToken)) {
+                    return true;
+                } else if ("TOKEN".equals(apiAuthMode) && authTokenService.setUserAuthByAppClientToken(authorizationToken)) {
                     return true;
                 } else {
                     response.sendError(HttpStatus.UNAUTHORIZED.value(), "unauthorized, error authorization code");
                 }
-
             }
-            //invoke by browser
-            if (StringUtils.isEmpty(oauthToken) || !authUtil.verifyToken(oauthToken)) {
+
+            // invoke by browser
+            if (StringUtils.isEmpty(sessionAuthToken) || !authUtil.verifyToken(sessionAuthToken)) {
                 if (requestURI.contains(Const.FrontEndPath.PREFIX_PATH)) {
                     String queryString = request.getQueryString();
                     if (StringUtils.isNotEmpty(queryString)

center/src/main/java/com/microsoft/hydralab/center/repository/TeamAppRelationRepository.java

@@ -0,0 +1,16 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package com.microsoft.hydralab.center.repository;
+
+import com.microsoft.hydralab.common.entity.center.TeamAppRelation;
+import com.microsoft.hydralab.common.entity.center.TeamAppRelationId;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+import java.util.Optional;
+
+@Repository
+public interface TeamAppRelationRepository extends JpaRepository<TeamAppRelation, TeamAppRelationId> {
+    Optional<TeamAppRelation> findByAppClientIdAndTeamId(String appClientId, String teamId);
+}

center/src/main/java/com/microsoft/hydralab/center/service/AuthTokenService.java

@@ -6,6 +6,7 @@
 import com.microsoft.hydralab.center.repository.AuthTokenRepository;
 import com.microsoft.hydralab.center.util.AuthUtil;
 import com.microsoft.hydralab.common.entity.center.AuthToken;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Service;
@@ -24,6 +25,10 @@ public class AuthTokenService {
     AuthTokenRepository authTokenRepository;
     @Resource
     SecurityUserService securityUserService;
+    @Autowired
+    private TeamAppManagementService teamAppManagementService;
+    @Autowired
+    private UserTeamManagementService userTeamManagementService;
 
     public AuthToken saveAuthToken(AuthToken authToken) {
         return authTokenRepository.save(authToken);
@@ -76,6 +81,23 @@ public boolean checkAADToken(String aadToken) {
         return true;
     }
 
+    public boolean setUserAuthByAppClientToken(String clientAadToken) {
+        if (!authUtil.isValidToken(clientAadToken)) {
+            return false;
+        }
+        String appClientId = authUtil.getAppClientId(clientAadToken);
+        String teamId = teamAppManagementService.queryTeamIdByClientId(appClientId);
+        Authentication authObj = userTeamManagementService.queryUsersByTeam(teamId).stream()
+                .findFirst()
+                .orElse(null);
+        if (authObj == null) {
+            return false;
+        }
+
+        SecurityContextHolder.getContext().setAuthentication(authObj);
+        return true;
+    }
+
     public void loadDefaultUser(HttpSession session) {
         securityUserService.addDefaultUserSession(session);
     }

center/src/main/java/com/microsoft/hydralab/center/service/TeamAppManagementService.java

@@ -0,0 +1,79 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+
+package com.microsoft.hydralab.center.service;
+
+import com.microsoft.hydralab.center.repository.TeamAppRelationRepository;
+import com.microsoft.hydralab.common.entity.center.TeamAppRelation;
+import org.springframework.stereotype.Service;
+
+import javax.annotation.PostConstruct;
+import javax.annotation.Resource;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.ConcurrentHashMap;
+
+@Service
+public class TeamAppManagementService {
+    // cache teamId -> App Client ID mapping <String, String>
+    private final Map<String, Set<String>> teamAppListMap = new ConcurrentHashMap<>();
+    // cache App Client ID -> teamId mapping <String, String>
+    private final Map<String, String> appTeamListMap = new ConcurrentHashMap<>();
+    @Resource
+    private TeamAppRelationRepository teamAppRelationRepository;
+
+    @PostConstruct
+    public void initList() {
+        List<TeamAppRelation> relationList = teamAppRelationRepository.findAll();
+        relationList.forEach(relation -> {
+            this.insertToCache(relation.getTeamId(), relation.getAppClientId());
+        });
+    }
+
+    private void insertToCache(String teamId, String appClientId) {
+        Set<String> clientIds = teamAppListMap.computeIfAbsent(teamId, k -> new HashSet<>());
+        clientIds.add(appClientId);
+
+        appTeamListMap.put(appClientId, teamId);
+    }
+
+    private void removeFromCache(TeamAppRelation relation) {
+        Set<String> clientIdList = teamAppListMap.get(relation.getTeamId());
+        if (clientIdList != null) {
+            clientIdList.removeIf(clientId -> clientId.equals(relation.getAppClientId()));
+        }
+        appTeamListMap.remove(relation.getAppClientId());
+    }
+
+    public TeamAppRelation addTeamAppRelation(String teamId, String appClientId) {
+        this.insertToCache(teamId, appClientId);
+
+        TeamAppRelation teamAppRelation = new TeamAppRelation(teamId, appClientId);
+        return teamAppRelationRepository.save(teamAppRelation);
+    }
+
+    public void deleteTeamAppRelation(TeamAppRelation relation) {
+        removeFromCache(relation);
+        teamAppRelationRepository.delete(relation);
+    }
+
+    public TeamAppRelation queryRelation(String appClientId, String teamId) {
+        return teamAppRelationRepository.findByAppClientIdAndTeamId(appClientId, teamId).orElse(null);
+    }
+
+    public List<String> queryClientIdsByTeam(String teamId) {
+        Set<String> clientIds = teamAppListMap.get(teamId);
+        if (clientIds == null) {
+            return null;
+        }
+
+        return new ArrayList<>(clientIds);
+    }
+
+    public String queryTeamIdByClientId(String appClientId) {
+        return appTeamListMap.get(appClientId);
+    }
+}

center/src/main/java/com/microsoft/hydralab/center/util/AuthUtil.java

@@ -134,6 +134,15 @@ private PublicKey getPublicKey(JWSObject jwsObject, JWKSet jwkSet) throws JOSEEx
         return publicKey;
     }
 
+    public String getAppClientId(String accessToken) {
+        String clientId = "";
+        JSONObject clientInfo = decodeAccessToken(accessToken);
+        if (clientInfo != null) {
+            clientId = clientInfo.getString("appid");
+        }
+        return clientId;
+    }
+
     /**
      * check the uri is need verify auth
      *

center/src/main/resources/application.yml

@@ -84,6 +84,7 @@ app:
     deployment: ${OPENAI_DEPLOYMENT:}
     endpoint: ${OPENAI_ENDPOINT:}
   agent-auth-mode: ${AGENT_AUTH_MODE:SECRET} # options: TOKEN, SECRET
+  api-auth-mode: ${API_AUTH_MODE:SECRET} # options: TOKEN, SECRET
 management:
   endpoints:
     web:

common/src/main/java/com/microsoft/hydralab/common/entity/center/TeamAppRelation.java

@@ -0,0 +1,33 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+package com.microsoft.hydralab.common.entity.center;
+
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+import javax.persistence.Column;
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import javax.persistence.IdClass;
+import javax.persistence.Table;
+import java.io.Serializable;
+
+@Data
+@Entity
+@NoArgsConstructor
+@Table(name = "team_app_relation")
+@IdClass(TeamAppRelationId.class)
+public class TeamAppRelation implements Serializable {
+    private static final long serialVersionUID = 1L;
+
+    @Id
+    private String teamId;
+    @Id
+    @Column(unique = true)
+    private String appClientId;
+
+    public TeamAppRelation(String teamId, String appClientId){
+        this.teamId = teamId;
+        this.appClientId = appClientId;
+    }
+}

common/src/main/java/com/microsoft/hydralab/common/entity/center/TeamAppRelationId.java

@@ -0,0 +1,16 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT License.
+package com.microsoft.hydralab.common.entity.center;
+
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+import java.io.Serializable;
+
+
+@Data
+@NoArgsConstructor
+public class TeamAppRelationId implements Serializable {
+    private String appClientId;
+    private String teamId;
+}