Implement client credential and on-behalf-of flow validators; update flavor handling in authorization

Author: angelmp01

api-project/src/main/java/org/opendevstack/apiservice/project/util/SecurityUtils.java

@@ -13,15 +13,22 @@ private SecurityUtils() {
     }
 
     public static UUID getClientId() {
-        String appId = null;
         Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
 
         if (principal instanceof Jwt) {
-            appId = ((Jwt) principal).getClaimAsString("appid");
+            Jwt jwt = ((Jwt) principal);
+            String clientId = jwt.getClaimAsString("azp");
+            if (clientId == null || clientId.isBlank()) {
+                clientId = jwt.getClaimAsString("appid");
+            }
+            
+            if (clientId == null || clientId.isBlank()) {
+                throw new InvalidBearerTokenException("Client ID not found in token claims");
+            }
+            
+            return UUID.fromString(clientId);
         } else {
             throw new InvalidBearerTokenException("Invalid authentication token: " + principal.getClass().getName());
         }
-
-        return UUID.fromString(appId);
     }
 }

core-security/src/main/java/org/opendevstack/apiservice/core/security/authorization/PolicyAuthorizationManager.java

@@ -51,6 +51,10 @@ public org.springframework.security.authorization.AuthorizationDecision check(
 
         Optional<ApiDefinition> apiDef = this.resolver.resolve(request);
 
+        if (apiDef.isPresent()) {
+            request.setAttribute("oas.apiDefinition", apiDef.get());   
+        }
+
         // Unknown routes are denied (fail-closed). Public API definitions are allowed.
         if (apiDef.isEmpty()) {
             return new org.springframework.security.authorization.AuthorizationDecision(false);

core-security/src/main/java/org/opendevstack/apiservice/core/security/authorization/evaluator/FlavorRestrictionEvaluator.java

@@ -37,7 +37,7 @@ public AuthorizationDecision evaluate(PolicyContext context) {
             return AuthorizationDecision.ABSTAIN;
         }
 
-        String requestedFlavor = (String) body.get("flavor");
+        String requestedFlavor = (String) body.get("projectFlavor");
         if (requestedFlavor == null) {
             return AuthorizationDecision.ABSTAIN;
         }

core-security/src/main/java/org/opendevstack/apiservice/core/security/flow/validator/ClientCredentialFlowValidator.java

@@ -0,0 +1,47 @@
+package org.opendevstack.apiservice.core.security.flow.validator;
+
+import org.opendevstack.apiservice.core.contracts.auth.AuthType;
+import org.opendevstack.apiservice.core.security.flow.AuthFlowValidator;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.stereotype.Component;
+
+@Component
+public class ClientCredentialFlowValidator implements AuthFlowValidator {
+
+    @Override
+    public AuthType getSupportedFlow() {
+        return AuthType.CLIENT_CREDENTIALS;
+    }
+
+    @Override
+    public boolean validate(Jwt jwt) {
+        String appid = jwt.getClaimAsString("appid");
+        if (appid == null || appid.isBlank()) {
+            return false;
+        }
+
+        Object aud = jwt.getClaim("aud");
+        if (aud == null) {
+            return false;
+        }
+
+        String scp = jwt.getClaimAsString("scp");
+        if (scp != null && !scp.isBlank()) {
+            return false;
+        }
+
+        String upn = jwt.getClaimAsString("upn");
+        String preferredUsername = jwt.getClaimAsString("preferred_username");
+        if ((upn != null && !upn.isBlank()) || (preferredUsername != null && !preferredUsername.isBlank())) {
+            return false;
+        }
+
+        String sub = jwt.getSubject();
+        String oid = jwt.getClaimAsString("oid");
+        if (sub == null || oid == null || !sub.equals(oid)) {
+            return false;
+        }
+
+        return true;
+    }
+}

core-security/src/main/java/org/opendevstack/apiservice/core/security/flow/validator/OboFlowValidator.java

@@ -0,0 +1,40 @@
+package org.opendevstack.apiservice.core.security.flow.validator;
+
+import org.opendevstack.apiservice.core.contracts.auth.AuthType;
+import org.opendevstack.apiservice.core.security.flow.AuthFlowValidator;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.stereotype.Component;
+
+@Component
+public class OboFlowValidator implements AuthFlowValidator {
+
+    @Override
+    public AuthType getSupportedFlow() {
+        return AuthType.OBO;
+    }
+
+    @Override
+    public boolean validate(Jwt jwt) {
+        String scp = jwt.getClaimAsString("scp");
+        if (scp == null || scp.isBlank()) {
+            return false;
+        }
+        
+        String roles = jwt.getClaimAsString("roles");
+        if (roles != null && !roles.isBlank()) {
+            return false;
+        }
+        
+        String user = jwt.getClaimAsString("upn");
+        if (user == null || user.isBlank()) {
+            user = jwt.getClaimAsString("preferred_username");
+        }
+        
+        if (user == null || user.isBlank()) {
+            user = jwt.getSubject();
+        }
+        
+        return user != null && !user.isBlank();
+    }
+    
+}

core/pom.xml

@@ -145,12 +145,7 @@
             <artifactId>api-project-platform</artifactId>
             <version>${project.version}</version>
         </dependency>
-
-        <dependency>
-            <groupId>org.opendevstack.apiservice</groupId>
-            <artifactId>api-project-component-v0</artifactId>
-            <version>${project.version}</version>
-        </dependency>
+        
         <!-- Service Projects module: project creation and key generation -->
         <dependency>
             <groupId>org.opendevstack.apiservice</groupId>