From f8142ef3e1aae7b2f7099e175fe1e6a94e73dfbf Mon Sep 17 00:00:00 2001
From: Daniel Kelemen <danielkelemen@users.noreply.github.com>
Date: Thu, 19 Sep 2024 09:49:56 +0200
Subject: [PATCH] feat(oauth2): revalidate access tokens (#4603)

related to https://github.com/camunda/camunda-bpm-platform/issues/4585
---
 ...SpringSecurityOAuth2AutoConfiguration.java |  13 +-
 .../oauth2/impl/AuthorizeTokenFilter.java     | 116 ++++++++++++++++++
 2 files changed, 127 insertions(+), 2 deletions(-)
 create mode 100644 spring-boot-starter/starter-security/src/main/java/org/camunda/bpm/spring/boot/starter/security/oauth2/impl/AuthorizeTokenFilter.java

diff --git a/spring-boot-starter/starter-security/src/main/java/org/camunda/bpm/spring/boot/starter/security/oauth2/CamundaSpringSecurityOAuth2AutoConfiguration.java b/spring-boot-starter/starter-security/src/main/java/org/camunda/bpm/spring/boot/starter/security/oauth2/CamundaSpringSecurityOAuth2AutoConfiguration.java
index 7f8fd40ec77..7668affdb05 100644
--- a/spring-boot-starter/starter-security/src/main/java/org/camunda/bpm/spring/boot/starter/security/oauth2/CamundaSpringSecurityOAuth2AutoConfiguration.java
+++ b/spring-boot-starter/starter-security/src/main/java/org/camunda/bpm/spring/boot/starter/security/oauth2/CamundaSpringSecurityOAuth2AutoConfiguration.java
@@ -23,9 +23,10 @@
 import org.camunda.bpm.spring.boot.starter.CamundaBpmAutoConfiguration;
 import org.camunda.bpm.spring.boot.starter.property.CamundaBpmProperties;
 import org.camunda.bpm.spring.boot.starter.property.WebappProperty;
+import org.camunda.bpm.spring.boot.starter.security.oauth2.impl.AuthorizeTokenFilter;
+import org.camunda.bpm.spring.boot.starter.security.oauth2.impl.OAuth2AuthenticationProvider;
 import org.camunda.bpm.spring.boot.starter.security.oauth2.impl.OAuth2GrantedAuthoritiesMapper;
 import org.camunda.bpm.spring.boot.starter.security.oauth2.impl.OAuth2IdentityProviderPlugin;
-import org.camunda.bpm.spring.boot.starter.security.oauth2.impl.OAuth2AuthenticationProvider;
 import org.camunda.bpm.webapp.impl.security.auth.ContainerBasedAuthenticationFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -44,6 +45,8 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
 import org.springframework.security.web.SecurityFilterChain;
 
 import java.util.Map;
@@ -96,20 +99,26 @@ protected GrantedAuthoritiesMapper grantedAuthoritiesMapper() {
   }
 
   @Bean
-  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+  public SecurityFilterChain filterChain(HttpSecurity http, OAuth2AuthorizedClientManager clientManager)
+      throws Exception {
     logger.info("Enabling Camunda Spring Security oauth2 integration");
 
+    var validateTokenFilter = new AuthorizeTokenFilter(clientManager);
+
+    // @formatter:off
     http.authorizeHttpRequests(c -> c
             .requestMatchers(webappPath + "/app/**").authenticated()
             .requestMatchers(webappPath + "/api/**").authenticated()
             .anyRequest().permitAll()
         )
+        .addFilterAfter(validateTokenFilter, OAuth2AuthorizationRequestRedirectFilter.class)
         .anonymous(AbstractHttpConfigurer::disable)
         .oauth2Login(Customizer.withDefaults())
         .oidcLogout(Customizer.withDefaults())
         .oauth2Client(Customizer.withDefaults())
         .cors(AbstractHttpConfigurer::disable)
         .csrf(AbstractHttpConfigurer::disable);
+    // @formatter:on
 
     return http.build();
   }
diff --git a/spring-boot-starter/starter-security/src/main/java/org/camunda/bpm/spring/boot/starter/security/oauth2/impl/AuthorizeTokenFilter.java b/spring-boot-starter/starter-security/src/main/java/org/camunda/bpm/spring/boot/starter/security/oauth2/impl/AuthorizeTokenFilter.java
new file mode 100644
index 00000000000..a3edb8e623d
--- /dev/null
+++ b/spring-boot-starter/starter-security/src/main/java/org/camunda/bpm/spring/boot/starter/security/oauth2/impl/AuthorizeTokenFilter.java
@@ -0,0 +1,116 @@
+/*
+ * Copyright Camunda Services GmbH and/or licensed to Camunda Services GmbH
+ * under one or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information regarding copyright
+ * ownership. Camunda licenses this file to you under the Apache License,
+ * Version 2.0; you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.camunda.bpm.spring.boot.starter.security.oauth2.impl;
+
+import jakarta.annotation.Nonnull;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.camunda.bpm.engine.impl.util.ClockUtil;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.client.OAuth2AuthorizationContext;
+import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
+import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
+import org.springframework.security.oauth2.core.OAuth2AuthorizationException;
+import org.springframework.security.oauth2.core.OAuth2Token;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+import java.util.Date;
+
+/**
+ * Authorize or re-authorize (if required) oauth2 client using {@link OAuth2AuthorizedClientManager}.
+ * <ul>
+ *   <li>If the access token is valid, then does nothing.
+ *   <li>If the access token is expired, then refreshes it.
+ *   <li>If authorize failed, then clears the {@link org.springframework.security.core.context.SecurityContext} and {@link jakarta.servlet.http.HttpSession}.
+ * </ul>
+ * <p>
+ * References:
+ * <ul>
+ *   <li> {@link OAuth2AuthorizedClientManager#authorize(OAuth2AuthorizeRequest)}
+ *   <li> {@link org.springframework.security.oauth2.client.OAuth2AuthorizedClientProvider#authorize(OAuth2AuthorizationContext)}
+ *   <li> {@link org.springframework.security.oauth2.client.DelegatingOAuth2AuthorizedClientProvider#authorize(OAuth2AuthorizationContext)}
+ *   <li> {@link org.springframework.security.oauth2.client.RefreshTokenOAuth2AuthorizedClientProvider#authorize(OAuth2AuthorizationContext)}
+ * </ul>
+ */
+public class AuthorizeTokenFilter extends OncePerRequestFilter {
+
+  private static final Logger logger = LoggerFactory.getLogger(AuthorizeTokenFilter.class);
+  private final OAuth2AuthorizedClientManager clientManager;
+
+  public AuthorizeTokenFilter(OAuth2AuthorizedClientManager clientManager) {
+    this.clientManager = clientManager;
+  }
+
+  @Override
+  protected void doFilterInternal(@Nonnull HttpServletRequest request,
+                                  @Nonnull HttpServletResponse response,
+                                  @Nonnull FilterChain filterChain) throws ServletException, IOException {
+
+    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+    if (authentication instanceof OAuth2AuthenticationToken) {
+      var token = (OAuth2AuthenticationToken) authentication;
+      authorizeToken(token, request, response);
+    }
+    filterChain.doFilter(request, response);
+  }
+
+  protected boolean hasTokenExpired(OAuth2Token token) {
+    return token.getExpiresAt() == null || ClockUtil.now().after(Date.from(token.getExpiresAt()));
+  }
+
+  protected void clearContext(HttpServletRequest request) {
+    SecurityContextHolder.clearContext();
+    try {
+      request.getSession().invalidate();
+    } catch (Exception ignored) {
+    }
+  }
+
+  protected void authorizeToken(OAuth2AuthenticationToken token,
+                                HttpServletRequest request,
+                                HttpServletResponse response) {
+    // @formatter:off
+    var authRequest = OAuth2AuthorizeRequest
+        .withClientRegistrationId(token.getAuthorizedClientRegistrationId())
+        .principal(token)
+        .attributes(attrs -> {
+          attrs.put(HttpServletRequest.class.getName(), request);
+          attrs.put(HttpServletResponse.class.getName(), response);
+        }).build();
+    // @formatter:on
+
+    try {
+      var res = clientManager.authorize(authRequest);
+      if (res == null || hasTokenExpired(res.getAccessToken())) {
+        logger.warn("Authorize failed: could not re-authorize expired access token");
+        clearContext(request);
+      } else {
+        logger.debug("Authorize successful, access token expiry: {}", res.getAccessToken().getExpiresAt());
+      }
+    } catch (OAuth2AuthorizationException e) {
+      logger.warn("Authorize failed: {}", e.getMessage());
+      clearContext(request);
+    }
+  }
+}