Pre authenticated user (#2386)

saveourtool · Aug 4, 2023 · 398b864 · 398b864
1 parent 0f95a03
commit 398b864
Show file tree

Hide file tree

Showing 37 changed files with 368 additions and 550 deletions.
diff --git a/...gateway/src/main/kotlin/com/saveourtool/save/gateway/controller/SecurityInfoController.kt b/...gateway/src/main/kotlin/com/saveourtool/save/gateway/controller/SecurityInfoController.kt
@@ -44,7 +44,7 @@ class SecurityInfoController(
         is OAuth2AuthenticationToken -> {
             val source = authentication.authorizedClientRegistrationId
             val nameInSource = authentication.name
-            backendService.findByOriginalLogin(source, nameInSource).map { it.username }
+            backendService.findByOriginalLogin(source, nameInSource).map { it.name }
         }
         else -> Mono.empty()
     }

diff --git a/api-gateway/src/main/kotlin/com/saveourtool/save/gateway/security/WebSecurityConfig.kt b/api-gateway/src/main/kotlin/com/saveourtool/save/gateway/security/WebSecurityConfig.kt
@@ -17,6 +17,7 @@ import org.springframework.security.authorization.AuthenticatedReactiveAuthoriza
 import org.springframework.security.authorization.AuthorizationDecision
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
 import org.springframework.security.config.web.server.ServerHttpSecurity
+import org.springframework.security.core.userdetails.UserDetails
 import org.springframework.security.crypto.factory.PasswordEncoderFactories
 import org.springframework.security.crypto.password.PasswordEncoder
 import org.springframework.security.web.server.SecurityWebFilterChain
@@ -31,6 +32,7 @@ import org.springframework.security.web.server.util.matcher.NegatedServerWebExch
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatcher.MatchResult
 import org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers
+import reactor.kotlin.core.publisher.cast
 
 @EnableWebFluxSecurity
 @Suppress(
@@ -118,7 +120,7 @@ class WebSecurityConfig(
             // Authenticate by comparing received basic credentials with existing one from DB
             httpBasicSpec.authenticationManager(
                 UserDetailsRepositoryReactiveAuthenticationManager { username ->
-                    backendService.findByName(username)
+                    backendService.findByName(username).cast<UserDetails>()
                 }
             )
         }

diff --git a/api-gateway/src/main/kotlin/com/saveourtool/save/gateway/service/BackendService.kt b/api-gateway/src/main/kotlin/com/saveourtool/save/gateway/service/BackendService.kt
@@ -1,19 +1,18 @@
 package com.saveourtool.save.gateway.service
 
+import com.saveourtool.save.authservice.utils.AuthenticationUserDetails
 import com.saveourtool.save.entities.User
 import com.saveourtool.save.gateway.config.ConfigurationProperties
+import com.saveourtool.save.utils.orNotFound
 
-import com.fasterxml.jackson.databind.ObjectMapper
 import org.springframework.http.MediaType
-import org.springframework.security.core.userdetails.User as SpringUser
 import org.springframework.security.core.userdetails.UserDetails
-import org.springframework.security.jackson2.CoreJackson2Module
-import org.springframework.security.jackson2.SecurityJackson2Modules
 import org.springframework.stereotype.Service
 import org.springframework.web.reactive.function.client.WebClient
 import org.springframework.web.reactive.function.client.toEntity
 import org.springframework.web.server.ResponseStatusException
 import reactor.core.publisher.Mono
+import reactor.kotlin.core.publisher.toMono
 
 /**
  * A service to backend to lookup users in DB
@@ -22,42 +21,35 @@ import reactor.core.publisher.Mono
 class BackendService(
     configurationProperties: ConfigurationProperties,
 ) {
-    private val springUserDetailsReader = ObjectMapper()
-        .findAndRegisterModules()
-        .registerModule(CoreJackson2Module())
-        .registerModules(SecurityJackson2Modules.getModules(javaClass.classLoader))
-        .readerFor(SpringUser::class.java)
     private val webClient = WebClient.create(configurationProperties.backend.url)
 
     /**
      * @param username
      * @return [UserDetails] found in DB by received name
      */
-    fun findByName(username: String): Mono<UserDetails> = webClient.get()
-        .uri("/internal/users/find-by-name/$username")
-        .retrieve()
-        .onStatus({ it.is4xxClientError }) {
-            Mono.error(ResponseStatusException(it.statusCode()))
-        }
-        .toEntity<String>()
-        .map {
-            springUserDetailsReader.readValue(it.body)
-        }
+    fun findByName(
+        username: String,
+    ): Mono<AuthenticationUserDetails> = findAuthenticationUserDetails("/internal/users/find-by-name/$username")
 
     /**
      * @param source
      * @param nameInSource
      * @return [UserDetails] found in DB by source and name in this source
      */
-    fun findByOriginalLogin(source: String, nameInSource: String): Mono<UserDetails> = webClient.get()
-        .uri("/internal/users/find-by-original-login/$source/$nameInSource")
+    fun findByOriginalLogin(
+        source: String,
+        nameInSource: String,
+    ): Mono<AuthenticationUserDetails> = findAuthenticationUserDetails("/internal/users/find-by-original-login/$source/$nameInSource")
+
+    private fun findAuthenticationUserDetails(uri: String): Mono<AuthenticationUserDetails> = webClient.get()
+        .uri(uri)
         .retrieve()
         .onStatus({ it.is4xxClientError }) {
             Mono.error(ResponseStatusException(it.statusCode()))
         }
-        .toEntity<String>()
-        .map {
-            springUserDetailsReader.readValue(it.body)
+        .toEntity<AuthenticationUserDetails>()
+        .flatMap { responseEntity ->
+            responseEntity.body.toMono().orNotFound { "Authentication body is empty" }
         }
 
     /**

diff --git a/...ain/kotlin/com/saveourtool/save/gateway/utils/AuthorizationHeadersGatewayFilterFactory.kt b/...ain/kotlin/com/saveourtool/save/gateway/utils/AuthorizationHeadersGatewayFilterFactory.kt
@@ -0,0 +1,55 @@
+package com.saveourtool.save.gateway.utils
+
+import com.saveourtool.save.authservice.utils.AuthenticationUserDetails
+import com.saveourtool.save.gateway.service.BackendService
+import com.saveourtool.save.utils.switchIfEmptyToResponseException
+import org.springframework.cloud.gateway.filter.GatewayFilter
+import org.springframework.cloud.gateway.filter.GatewayFilterChain
+import org.springframework.cloud.gateway.filter.factory.AbstractGatewayFilterFactory
+import org.springframework.http.HttpHeaders
+import org.springframework.http.HttpStatus
+import org.springframework.security.authentication.BadCredentialsException
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken
+import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken
+import org.springframework.stereotype.Component
+import org.springframework.web.server.ServerWebExchange
+import reactor.core.publisher.Mono
+import reactor.kotlin.core.publisher.toMono
+import java.security.Principal
+
+/**
+ * Filter, that mutate existing exchange,
+ * inserts user's info into Authorization headers instead of existing value, not paying attention to the credentials,
+ * since at this moment they are already checked by gateway.
+ */
+@Component
+class AuthorizationHeadersGatewayFilterFactory(
+    private val backendService: BackendService,
+) : AbstractGatewayFilterFactory<Any>() {
+    override fun apply(config: Any?): GatewayFilter = GatewayFilter { exchange: ServerWebExchange, chain: GatewayFilterChain ->
+        exchange.getPrincipal<Principal>()
+            .flatMap { resolveSaveUser(it) }
+            .map { user ->
+                exchange.mutate()
+                    .request { builder ->
+                        builder.headers { headers: HttpHeaders ->
+                            headers.remove(HttpHeaders.AUTHORIZATION)
+                            user.populateHeaders(headers)
+                        }
+                    }
+                    .build()
+            }
+            .defaultIfEmpty(exchange)
+            .flatMap { chain.filter(it) }
+    }
+
+    private fun resolveSaveUser(principal: Principal): Mono<AuthenticationUserDetails> = when (principal) {
+        is OAuth2AuthenticationToken -> backendService.findByOriginalLogin(principal.authorizedClientRegistrationId, principal.name)
+        is UsernamePasswordAuthenticationToken -> (principal.principal as? AuthenticationUserDetails)
+            .toMono()
+            .switchIfEmptyToResponseException(HttpStatus.INTERNAL_SERVER_ERROR) {
+                "Unexpected principal type ${principal.principal.javaClass} in ${UsernamePasswordAuthenticationToken::class}"
+            }
+        else -> Mono.error(BadCredentialsException("Unsupported authentication type: ${principal::class}"))
+    }
+}
diff --git a/...tlin/com/saveourtool/save/gateway/utils/ConvertAuthorizationHeaderGatewayFilterFactory.kt b/...tlin/com/saveourtool/save/gateway/utils/ConvertAuthorizationHeaderGatewayFilterFactory.kt
diff --git a/api-gateway/src/main/resources/application.yml b/api-gateway/src/main/resources/application.yml
@@ -34,15 +34,15 @@ spring:
           filters:
             # If SESSION cookie is passed to downstream, it is then removed, because downstream discards it
             - RemoveRequestHeader=Cookie
-            - ConvertAuthorizationHeader=
+            - AuthorizationHeaders=
         - id: demo-api_route
           uri: ${gateway.demo.url}
           predicates:
             - Path=/api/demo/**
           filters:
             # If SESSION cookie is passed to downstream, it is then removed, because downstream discards it
             - RemoveRequestHeader=Cookie
-            - ConvertAuthorizationHeader=
+            - AuthorizationHeaders=
         - id: demo-cpg-api_route
           uri: ${gateway.demo-cpg.url}
           predicates:
@@ -57,7 +57,7 @@ spring:
           filters:
             # If SESSION cookie is passed to downstream, it is then removed, because downstream discards it
             - RemoveRequestHeader=Cookie
-            - ConvertAuthorizationHeader=
+            - AuthorizationHeaders=
         - id: error_route
           uri: ${gateway.backend.url}/error
           predicates:

diff --git a/...tion-service/src/main/kotlin/com/saveourtool/save/authservice/config/WebSecurityConfig.kt b/...tion-service/src/main/kotlin/com/saveourtool/save/authservice/config/WebSecurityConfig.kt
@@ -4,22 +4,26 @@
 
 package com.saveourtool.save.authservice.config
 
-import com.saveourtool.save.authservice.security.ConvertingAuthenticationManager
+import com.saveourtool.save.authservice.utils.AuthenticationUserDetails.Companion.toAuthenticationUserDetails
 import com.saveourtool.save.authservice.utils.roleHierarchy
 import com.saveourtool.save.v1
 
-import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Profile
 import org.springframework.http.HttpStatus
 import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler
+import org.springframework.security.authentication.ReactiveAuthenticationManager
 import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
+import org.springframework.security.config.web.server.SecurityWebFiltersOrder
 import org.springframework.security.config.web.server.ServerHttpSecurity
 import org.springframework.security.crypto.factory.PasswordEncoderFactories
 import org.springframework.security.crypto.password.PasswordEncoder
 import org.springframework.security.web.server.SecurityWebFilterChain
+import org.springframework.security.web.server.authentication.AuthenticationWebFilter
 import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint
+import org.springframework.web.server.WebFilter
+import reactor.kotlin.core.publisher.toMono
 
 import javax.annotation.PostConstruct
 
@@ -28,9 +32,19 @@ import javax.annotation.PostConstruct
 @Profile("secure")
 @Suppress("MISSING_KDOC_TOP_LEVEL", "MISSING_KDOC_CLASS_ELEMENTS", "MISSING_KDOC_ON_FUNCTION")
 class WebSecurityConfig(
-    private val authenticationManager: ConvertingAuthenticationManager,
-    @Autowired private var defaultMethodSecurityExpressionHandler: DefaultMethodSecurityExpressionHandler
+    private val defaultMethodSecurityExpressionHandler: DefaultMethodSecurityExpressionHandler
 ) {
+    @Bean
+    fun saveUserPreAuthenticatedProcessingWebFilter(): WebFilter {
+        val authenticationManager = ReactiveAuthenticationManager { authentication -> authentication.toMono() }
+        return AuthenticationWebFilter(authenticationManager)
+            .also { authenticationWebFilter ->
+                authenticationWebFilter.setServerAuthenticationConverter { exchange ->
+                    exchange.request.headers.toAuthenticationUserDetails()?.toAuthenticationToken().toMono()
+                }
+            }
+    }
+
     @Bean
     fun securityWebFilterChain(
         http: ServerHttpSecurity
@@ -53,9 +67,7 @@ class WebSecurityConfig(
             // FixMe: Properly support CSRF protection https://github.com/saveourtool/save-cloud/issues/34
             csrf().disable()
         }
-        .httpBasic {
-            it.authenticationManager(authenticationManager)
-        }
+        .addFilterAt(saveUserPreAuthenticatedProcessingWebFilter(), SecurityWebFiltersOrder.AUTHENTICATION)
         .exceptionHandling {
             it.authenticationEntryPoint(
                 HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED)

diff --git a/...c/main/kotlin/com/saveourtool/save/authservice/repository/AuthenticationUserRepository.kt b/...c/main/kotlin/com/saveourtool/save/authservice/repository/AuthenticationUserRepository.kt