Enhance PolicyAuthorizationManager to extract request body for JSON write requests and update SecurityConfig to include CachedBodyRequestFilter

Author: angelmp01

core-security/src/main/java/org/opendevstack/apiservice/core/security/authorization/PolicyAuthorizationManager.java

@@ -1,6 +1,7 @@
 package org.opendevstack.apiservice.core.security.authorization;
 
 
+import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.servlet.http.HttpServletRequest;
 import org.opendevstack.apiservice.core.contracts.auth.AuthorizationDecision;
@@ -13,7 +14,9 @@
 import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
 import org.springframework.stereotype.Component;
 
+import java.io.IOException;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 import java.util.function.Supplier;
 
@@ -65,6 +68,7 @@ public org.springframework.security.authorization.AuthorizationDecision check(
         }
 
         PolicyContext policyContext = contextFactory.create(apiDef.get(), request);
+        policyContext = policyContext.withRequestBody(extractRequestBody(request));
 
         List<PolicyRule> rules = policyService.findPolicies(apiDef.get().getId(), policyContext.getClientId());
 
@@ -74,4 +78,33 @@ public org.springframework.security.authorization.AuthorizationDecision check(
                 decision != AuthorizationDecision.DENY
         );
     }
+
+    private Map<String, Object> extractRequestBody(HttpServletRequest request) {
+        if (!isJsonWriteRequest(request)) {
+            return Map.of();
+        }
+
+        try {
+            byte[] bytes = request.getInputStream().readAllBytes();
+            if (bytes.length == 0) {
+                return Map.of();
+            }
+            return objectMapper.readValue(bytes, new TypeReference<>() {
+            });
+        } catch (IOException ex) {
+            return Map.of();
+        }
+    }
+
+    private boolean isJsonWriteRequest(HttpServletRequest request) {
+        String method = request.getMethod();
+        if (!"POST".equalsIgnoreCase(method)
+                && !"PUT".equalsIgnoreCase(method)
+                && !"PATCH".equalsIgnoreCase(method)) {
+            return false;
+        }
+
+        String contentType = request.getContentType();
+        return contentType != null && contentType.toLowerCase().startsWith("application/json");
+    }
 }

core-security/src/main/java/org/opendevstack/apiservice/core/security/config/SecurityConfig.java

@@ -1,12 +1,14 @@
 package org.opendevstack.apiservice.core.security.config;
 
 import org.opendevstack.apiservice.core.security.authorization.PolicyAuthorizationManager;
+import org.opendevstack.apiservice.core.security.filter.CachedBodyRequestFilter;
 import org.opendevstack.apiservice.core.security.jwt.AzureJwtAuthenticationConverter;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.web.access.intercept.AuthorizationFilter;
 import org.springframework.security.web.SecurityFilterChain;
 import lombok.extern.slf4j.Slf4j;
 import java.util.Arrays;
@@ -20,12 +22,17 @@ public class SecurityConfig {
     private final SecurityProperties securityProperties;
     private final PolicyAuthorizationManager policyAuthorizationManager;
     private final AzureJwtAuthenticationConverter azureJwtAuthenticationConverter;
+    private final CachedBodyRequestFilter cachedBodyRequestFilter;
 
 
-    public SecurityConfig(SecurityProperties securityProperties, PolicyAuthorizationManager policyAuthorizationManager, AzureJwtAuthenticationConverter azureJwtAuthenticationConverter) {
+    public SecurityConfig(SecurityProperties securityProperties,
+                          PolicyAuthorizationManager policyAuthorizationManager,
+                          AzureJwtAuthenticationConverter azureJwtAuthenticationConverter,
+                          CachedBodyRequestFilter cachedBodyRequestFilter) {
         this.securityProperties = securityProperties;
         this.policyAuthorizationManager = policyAuthorizationManager;
         this.azureJwtAuthenticationConverter = azureJwtAuthenticationConverter;
+        this.cachedBodyRequestFilter = cachedBodyRequestFilter;
     }
 
     @Bean
@@ -48,6 +55,8 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
             .headers(headers -> headers.frameOptions(frame -> frame.disable()))
             .csrf(csrf -> csrf.disable());
 
+        http.addFilterBefore(cachedBodyRequestFilter, AuthorizationFilter.class);
+
         return http.build();
     }
 }

core-security/src/test/java/org/opendevstack/apiservice/core/security/authorization/PolicyAuthorizationManagerTest.java

@@ -12,6 +12,7 @@
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
 
+import java.nio.charset.StandardCharsets;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
@@ -21,6 +22,7 @@
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.mockito.Mockito.any;
+import static org.mockito.Mockito.anyMap;
 import static org.mockito.Mockito.anyString;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verifyNoInteractions;
@@ -75,6 +77,7 @@ void check_securedApi_policyPermits() {
 
         PolicyContext ctx = mock(PolicyContext.class);
         when(ctx.getClientId()).thenReturn("client-a");
+        when(ctx.withRequestBody(anyMap())).thenReturn(ctx);
         when(contextFactory.create(apiDef, request)).thenReturn(ctx);
 
         List<PolicyRule> rules = List.of(new PolicyRule(UUID.randomUUID(), "api-1", "client-a", "ALLOWED_CLIENTS", Map.of()));
@@ -95,6 +98,7 @@ void check_securedApi_policyDenies() {
 
         PolicyContext ctx = mock(PolicyContext.class);
         when(ctx.getClientId()).thenReturn("client-b");
+        when(ctx.withRequestBody(anyMap())).thenReturn(ctx);
         when(contextFactory.create(apiDef, request)).thenReturn(ctx);
 
         List<PolicyRule> rules = List.of(new PolicyRule(UUID.randomUUID(), "api-1", "client-b", "ALLOWED_CLIENTS", Map.of()));
@@ -115,6 +119,7 @@ void check_securedApi_abstainPermits() {
 
         PolicyContext ctx = mock(PolicyContext.class);
         when(ctx.getClientId()).thenReturn("client-a");
+        when(ctx.withRequestBody(anyMap())).thenReturn(ctx);
         when(contextFactory.create(apiDef, request)).thenReturn(ctx);
 
         when(policyService.findPolicies(anyString(), anyString())).thenReturn(List.of());
@@ -124,4 +129,32 @@ void check_securedApi_abstainPermits() {
 
         assertTrue(decision.isGranted());
     }
+
+    @Test
+    void check_securedPostRequest_populatesRequestBodyInContext() {
+        MockHttpServletRequest request = new MockHttpServletRequest("POST", "/api/v0/projects");
+        request.setContentType("application/json");
+        String requestBody = "{" +
+            "\"projectFlavor\":\"DLSS\"," +
+            "\"location\":\"UNKNOWN_REGION\"" +
+            "}";
+        request.setContent(requestBody.getBytes(StandardCharsets.UTF_8));
+
+        ApiDefinition apiDef = new ApiDefinition("api-1", "Projects", "/projects", "v0",
+                Set.of(AuthType.CLIENT_CREDENTIALS), false, null, true);
+        when(resolver.resolve(request)).thenReturn(Optional.of(apiDef));
+
+        PolicyContext ctx = mock(PolicyContext.class);
+        when(ctx.getClientId()).thenReturn("client-a");
+        when(ctx.withRequestBody(anyMap())).thenReturn(ctx);
+        when(contextFactory.create(apiDef, request)).thenReturn(ctx);
+
+        List<PolicyRule> rules = List.of(new PolicyRule(UUID.randomUUID(), "api-1", "client-a", "FLAVOR_RESTRICTION", Map.of()));
+        when(policyService.findPolicies("api-1", "client-a")).thenReturn(rules);
+        when(policyEngine.evaluate(ctx, rules)).thenReturn(AuthorizationDecision.PERMIT);
+
+        var decision = manager.check(() -> null, new RequestAuthorizationContext(request));
+
+        assertTrue(decision.isGranted());
+    }
 }

core-security/src/test/java/org/opendevstack/apiservice/core/security/config/SecurityConfigTest.java

@@ -3,6 +3,7 @@
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.opendevstack.apiservice.core.security.authorization.PolicyAuthorizationManager;
+import org.opendevstack.apiservice.core.security.filter.CachedBodyRequestFilter;
 import org.opendevstack.apiservice.core.security.jwt.AzureJwtAuthenticationConverter;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.web.SecurityFilterChain;
@@ -17,14 +18,21 @@ class SecurityConfigTest {
     private SecurityProperties securityProperties;
     private PolicyAuthorizationManager policyAuthorizationManager;
     private AzureJwtAuthenticationConverter azureJwtAuthenticationConverter;
+    private CachedBodyRequestFilter cachedBodyRequestFilter;
     private SecurityConfig securityConfig;
 
     @BeforeEach
     void setUp() {
         securityProperties = mock(SecurityProperties.class);
         policyAuthorizationManager = mock(PolicyAuthorizationManager.class);
         azureJwtAuthenticationConverter = new AzureJwtAuthenticationConverter();
-        securityConfig = new SecurityConfig(securityProperties, policyAuthorizationManager, azureJwtAuthenticationConverter);
+        cachedBodyRequestFilter = mock(CachedBodyRequestFilter.class);
+        securityConfig = new SecurityConfig(
+            securityProperties,
+            policyAuthorizationManager,
+            azureJwtAuthenticationConverter,
+            cachedBodyRequestFilter
+        );
     }
 
     @Test