Merge pull request #1495 from utmstack/backlog/add-saml-oidc-corporate-authentication-to-backend

Backlog/add saml OIDC corporate authentication to backend

Author: mjabascal10

backend/pom.xml

@@ -192,6 +192,11 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-mail</artifactId>
         </dependency>
+        <!-- SAML2 Service Provider -->
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-saml2-service-provider</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-security</artifactId>

backend/src/main/java/com/park/utmstack/config/SecurityConfiguration.java

@@ -1,21 +1,17 @@
 package com.park.utmstack.config;
 
-import com.park.utmstack.loggin.api_key.ApiKeyUsageLoggingService;
-import com.park.utmstack.loggin.filter.MdcCleanupFilter;
 import com.park.utmstack.repository.UserRepository;
 import com.park.utmstack.security.AuthoritiesConstants;
 import com.park.utmstack.security.api_key.ApiKeyConfigurer;
 import com.park.utmstack.security.api_key.ApiKeyFilter;
 import com.park.utmstack.security.internalApiKey.InternalApiKeyConfigurer;
 import com.park.utmstack.security.internalApiKey.InternalApiKeyProvider;
 import com.park.utmstack.security.jwt.JWTConfigurer;
-import com.park.utmstack.security.jwt.JWTFilter;
 import com.park.utmstack.security.jwt.TokenProvider;
-import com.park.utmstack.service.api_key.ApiKeyService;
+import com.park.utmstack.security.saml.Saml2LoginFailureHandler;
+import com.park.utmstack.security.saml.Saml2LoginSuccessHandler;
 import lombok.RequiredArgsConstructor;
-import org.apache.commons.net.util.SubnetUtils;
 import org.springframework.beans.factory.BeanInitializationException;
-import org.springframework.boot.web.servlet.FilterRegistrationBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Import;
@@ -35,10 +31,10 @@
 import org.springframework.web.filter.CorsFilter;
 import org.zalando.problem.spring.web.advice.security.SecurityProblemSupport;
 
+
 import javax.annotation.PostConstruct;
 import javax.servlet.http.HttpServletResponse;
-import java.util.concurrent.ConcurrentHashMap;
-import java.util.concurrent.ConcurrentMap;
+
 
 @Configuration
 @RequiredArgsConstructor
@@ -53,6 +49,8 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
     private final CorsFilter corsFilter;
     private final InternalApiKeyProvider internalApiKeyProvider;
     private final ApiKeyFilter apiKeyFilter;
+    private final UserRepository userRepository;
+
 
     @PostConstruct
     public void init() {
@@ -110,7 +108,9 @@ public void configure(HttpSecurity http) throws Exception {
                 .antMatchers("/api/releaseInfo").permitAll()
                 .antMatchers("/api/account/reset-password/init").permitAll()
                 .antMatchers("/api/account/reset-password/finish").permitAll()
+                .antMatchers("/api/utm-providers").permitAll()
                 .antMatchers("/api/images/all").permitAll()
+                .antMatchers("/api/info/version").permitAll()
                 .antMatchers("/api/enrollment/**").hasAnyAuthority(AuthoritiesConstants.PRE_VERIFICATION_USER)
                 .antMatchers("/api/tfa/verify-code").hasAnyAuthority(AuthoritiesConstants.PRE_VERIFICATION_USER, AuthoritiesConstants.USER, AuthoritiesConstants.ADMIN)
                 .antMatchers("/api/tfa/refresh").hasAnyAuthority(AuthoritiesConstants.PRE_VERIFICATION_USER, AuthoritiesConstants.USER, AuthoritiesConstants.ADMIN)
@@ -126,6 +126,12 @@ public void configure(HttpSecurity http) throws Exception {
                 .antMatchers("/management/info").permitAll()
                 .antMatchers("/management/**").hasAnyAuthority(AuthoritiesConstants.ADMIN, AuthoritiesConstants.USER)
                 .and()
+                .saml2Login()
+                .successHandler(new Saml2LoginSuccessHandler(tokenProvider,
+                                                              userRepository,
+                                                              saml2LoginFailureHandler()))
+                .failureHandler(new Saml2LoginFailureHandler())
+                .and()
                 .apply(securityConfigurerAdapterForJwt())
                 .and()
                 .apply(securityConfigurerAdapterForInternalApiKey())
@@ -147,4 +153,10 @@ private ApiKeyConfigurer securityConfigurerAdapterForApiKey() {
         return new ApiKeyConfigurer(apiKeyFilter);
     }
 
+
+    @Bean
+    public Saml2LoginFailureHandler saml2LoginFailureHandler() {
+        return new Saml2LoginFailureHandler();
+    }
+
 }

backend/src/main/java/com/park/utmstack/config/saml/OAuth2ClientConfig.java

@@ -0,0 +1,14 @@
+package com.park.utmstack.config.saml;
+
+import com.park.utmstack.repository.idp_provider.IdentityProviderConfigRepository;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class OAuth2ClientConfig {
+
+    @Bean
+    public SamlRelyingPartyRegistrationRepository clientRegistrationRepository(IdentityProviderConfigRepository repo) {
+        return new SamlRelyingPartyRegistrationRepository(repo);
+    }
+}

backend/src/main/java/com/park/utmstack/config/saml/ProviderChangeListener.java

@@ -0,0 +1,23 @@
+package com.park.utmstack.config.saml;
+
+import com.park.utmstack.repository.idp_provider.IdentityProviderConfigRepository;
+import com.park.utmstack.util.events.ProviderChangedEvent;
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.event.EventListener;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
+import org.springframework.stereotype.Component;
+
+@Component
+@RequiredArgsConstructor
+public class ProviderChangeListener {
+
+    private final RelyingPartyRegistrationRepository repository;
+    private final IdentityProviderConfigRepository identityProviderConfigRepository;
+
+    @EventListener
+    public void handleProviderChanged(ProviderChangedEvent event) {
+        if (repository instanceof SamlRelyingPartyRegistrationRepository customRepo) {
+            customRepo.reloadProviders(identityProviderConfigRepository);
+        }
+    }
+}

backend/src/main/java/com/park/utmstack/config/saml/SamlRelyingPartyRegistrationRepository.java

@@ -0,0 +1,61 @@
+package com.park.utmstack.config.saml;
+
+import com.park.utmstack.config.Constants;
+import com.park.utmstack.domain.idp_provider.IdentityProviderConfig;
+import com.park.utmstack.repository.idp_provider.IdentityProviderConfigRepository;
+import com.park.utmstack.util.CipherUtil;
+import com.park.utmstack.util.saml.PemUtils;
+import org.springframework.security.saml2.core.Saml2X509Credential;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistration;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrationRepository;
+import org.springframework.security.saml2.provider.service.registration.RelyingPartyRegistrations;
+import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+public class SamlRelyingPartyRegistrationRepository implements RelyingPartyRegistrationRepository {
+
+    private final Map<String, RelyingPartyRegistration> registrations = new ConcurrentHashMap<>();
+
+    public SamlRelyingPartyRegistrationRepository(IdentityProviderConfigRepository jpaProviderRepository) {
+        loadProviders(jpaProviderRepository);
+    }
+
+    @Override
+    public RelyingPartyRegistration findByRegistrationId(String registrationId) {
+        return registrations.get(registrationId);
+    }
+
+    public void reloadProviders(IdentityProviderConfigRepository jpaProviderRepository) {
+        registrations.clear();
+        loadProviders(jpaProviderRepository);
+    }
+
+    private void loadProviders(IdentityProviderConfigRepository jpaProviderRepository) {
+        jpaProviderRepository.findAllByActiveTrue().forEach(entity -> {
+            RelyingPartyRegistration registration = buildRelyingPartyRegistration(entity);
+            registrations.put(entity.getProviderType().name().toLowerCase(), registration);
+        });
+    }
+
+    private RelyingPartyRegistration buildRelyingPartyRegistration(IdentityProviderConfig entity) {
+
+        PrivateKey spKey = PemUtils.parsePrivateKey(CipherUtil.decrypt(
+                entity.getSpPrivateKeyPem(),
+                System.getenv(Constants.ENV_ENCRYPTION_KEY)
+        ));
+        X509Certificate spCert = PemUtils.parseCertificate(entity.getSpCertificatePem());
+
+        return RelyingPartyRegistrations
+                .fromMetadataLocation(entity.getMetadataUrl())
+                .registrationId(entity.getName())
+                .entityId(entity.getSpEntityId())
+                .assertionConsumerServiceLocation(entity.getSpAcsUrl())
+                .signingX509Credentials(c -> c.add(Saml2X509Credential.signing(spKey, spCert)))
+                .build();
+    }
+
+}

backend/src/main/java/com/park/utmstack/domain/idp_provider/IdentityProviderConfig.java

@@ -0,0 +1,79 @@
+package com.park.utmstack.domain.idp_provider;
+
+import com.park.utmstack.domain.idp_provider.enums.ProviderType;
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.NoArgsConstructor;
+import org.hibernate.annotations.Type;
+
+import javax.persistence.*;
+import java.time.LocalDateTime;
+
+@Entity
+@Table(name = "utm_identity_provider_config")
+@Data
+@NoArgsConstructor
+@AllArgsConstructor
+@EqualsAndHashCode(onlyExplicitlyIncluded = true)
+public class IdentityProviderConfig {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    @EqualsAndHashCode.Include
+    private Long id;
+
+    @Column(nullable = false)
+    private String name;
+
+    @Enumerated(EnumType.STRING)
+    @Column(nullable = false)
+    private ProviderType providerType;
+
+    /**
+     * Metadata URL of the IdP (Keycloak, Okta, Azure, etc.)
+     * Example: https://localhost:8443/realms/UTMSTACK/protocol/saml/descriptor
+     */
+    @Column(name = "metadata_url", nullable = false, length = 512)
+    private String metadataUrl;
+
+    /**
+     * Service Provider private key in PEM format
+     * Used to sign AuthnRequests and other outgoing SAML messages
+     */
+    @Type(type = "text")
+    @Column(name = "sp_private_key_pem", nullable = false, columnDefinition = "TEXT")
+    private String spPrivateKeyPem;
+
+    /**
+     * Service Provider public certificate in PEM format
+     * Shared with IdP so it can validate signed requests from the SP
+     */
+    @Type(type = "text")
+    @Column(name = "sp_certificate_pem", nullable = false, columnDefinition = "TEXT")
+    private String spCertificatePem;
+
+    @Column(name = "sp_entity_id", nullable = false, length = 512)
+    private String spEntityId;
+
+    @Column(name = "sp_acs_url", nullable = false, length = 512)
+    private String spAcsUrl;
+
+    /**
+     * Flag to enable or disable this IdP configuration
+     */
+    @Column(nullable = false)
+    private Boolean active;
+
+    /**
+     * Timestamp when the record was created
+     */
+    @Column(nullable = false)
+    private LocalDateTime createdAt;
+
+    /**
+     * Timestamp when the record was last updated
+     */
+    @Column(nullable = false)
+    private LocalDateTime updatedAt;
+}

backend/src/main/java/com/park/utmstack/domain/idp_provider/enums/ProviderType.java

@@ -0,0 +1,12 @@
+package com.park.utmstack.domain.idp_provider.enums;
+
+public enum ProviderType {
+    GOOGLE,
+    KEYCLOAK,
+    OKTA,
+    MICROSOFT;
+
+    public static ProviderType from(String value) {
+        return ProviderType.valueOf(value.toUpperCase());
+    }
+}

backend/src/main/java/com/park/utmstack/repository/idp_provider/IdentityProviderConfigRepository.java

@@ -0,0 +1,18 @@
+package com.park.utmstack.repository.idp_provider;
+
+import com.park.utmstack.domain.idp_provider.IdentityProviderConfig;
+import com.park.utmstack.domain.idp_provider.enums.ProviderType;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.JpaSpecificationExecutor;
+import org.springframework.stereotype.Repository;
+
+import java.util.List;
+import java.util.Optional;
+
+@Repository
+public interface IdentityProviderConfigRepository extends JpaRepository<IdentityProviderConfig, Long>, JpaSpecificationExecutor<IdentityProviderConfig> {
+
+    Optional<IdentityProviderConfig> findByProviderTypeAndActiveTrue(ProviderType providerType);
+
+    List<IdentityProviderConfig> findAllByActiveTrue();
+}

backend/src/main/java/com/park/utmstack/security/jwt/JWTConfigurer.java

@@ -7,7 +7,7 @@
 
 public class JWTConfigurer extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
 
-    private TokenProvider tokenProvider;
+    private final TokenProvider tokenProvider;
 
     public JWTConfigurer(TokenProvider tokenProvider) {
         this.tokenProvider = tokenProvider;

backend/src/main/java/com/park/utmstack/security/saml/Saml2LoginFailureHandler.java

@@ -0,0 +1,37 @@
+package com.park.utmstack.security.saml;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.AuthenticationFailureHandler;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.net.URI;
+import java.util.Objects;
+
+/**
+ * Failure handler for SAML2 login.
+ * Redirects the user to the frontend with an error parameter.
+ */
+@Slf4j
+public class Saml2LoginFailureHandler implements AuthenticationFailureHandler {
+
+    @Override
+    public void onAuthenticationFailure(HttpServletRequest request,
+                                        HttpServletResponse response,
+                                        AuthenticationException exception) throws IOException {
+
+        String scheme = Objects.requireNonNullElse(request.getHeader("X-Forwarded-Proto"), request.getScheme());
+        String host = Objects.requireNonNullElse(request.getHeader("Host"), request.getServerName());
+
+        String frontBaseUrl = scheme + "://" + host;
+
+        URI redirectUri = UriComponentsBuilder.fromHttpUrl(frontBaseUrl)
+                .queryParam("error", "saml2")
+                .build().toUri();
+
+        response.sendRedirect(redirectUri.toString());
+    }
+}