Feature/issue1058

.github/workflows/build.yml

@@ -3,7 +3,6 @@ name: ecodata build
 on:
   push:
     branches:
-      - grails5java11
       - dev
       - master
       - feature/**
@@ -20,18 +19,18 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
-      - name: Set up JDK 11
+      - name: Set up JDK 17
         uses: actions/setup-java@v3
         with:
-          java-version: '11'
+          java-version: '17'
           distribution: 'adopt'
 
       - name: Validate Gradle wrapper
         uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b
 
       - name: Install and start elasticsearch
         run: |
-          curl https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.16.3-amd64.deb -o elasticsearch.deb
+          curl https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.17.27-amd64.deb -o elasticsearch.deb
           sudo dpkg -i --force-confnew elasticsearch.deb
           sudo chown -R elasticsearch:elasticsearch /etc/default/elasticsearch
           sudo sh -c 'echo ES_JAVA_OPTS=\"-Xmx1g -Xms1g\" >> /etc/default/elasticsearch'
@@ -40,7 +39,7 @@ jobs:
       - name: Install and start mongodb
         uses: supercharge/[email protected]
         with:
-          mongodb-version: '5.0'
+          mongodb-version: '8.0'
 
       - name: Build and run jacoco coverage report with Gradle
         uses: gradle/[email protected]

build.gradle

@@ -20,7 +20,7 @@ plugins {
     id "com.gorylenko.gradle-git-properties" version "2.4.1"
 }
 
-version "5.2-SNAPSHOT"
+version "$ecodataVersion"
 group "au.org.ala"
 description "Ecodata"
 
@@ -38,7 +38,7 @@ if (Boolean.valueOf(enableJacoco)) {
 }
 
 sourceCompatibility = '11'
-targetCompatibility = '11'
+targetCompatibility = '17'
 
 apply from: "${project.projectDir}/gradle/publish.gradle"
 

gradle.properties

@@ -1,12 +1,13 @@
-grailsVersion=6.2.0
+ecodataVersion=5.2-java17-SNAPSHOT
+grailsVersion=6.2.3
 grailsGradlePluginVersion=6.1.2
 
 gormVersion=8.1.2
 gormMongoVersion=8.2.0
 grailsViewsVersion=2.3.2
 assetPipelineVersion=4.3.0
 elasticsearchVersion=7.17.21
-alaSecurityLibsVersion=6.3.0
+alaSecurityLibsVersion=6.4.0-SNAPSHOT
 #22.x+ causes issues with mongo / GORM javax.validation.spi, might need grails 5
 geoToolsVersion=21.5
 #jtsVersion must match the geotools version

grails-app/conf/application.groovy

@@ -614,12 +614,17 @@ security {
         requiredScopes = []
         connectTimeoutMs = 20000
         readTimeoutMs = 20000
+        callUserInfoEndpoint = false
+        alaUseridClaim = "username"
+        userIdClaim = "username"
     }
 }
 webservice.jwt = false
 webservice['jwt-scopes'] = "ala/internal users/read ala/attrs"
 webservice['client-id']='changeMe'
 webservice['client-secret'] = 'changeMe'
+webservice['callUserInfoEndpoint'] = false
+
 
 grails.gorm.graphql.browser = true
 

grails-app/services/au/org/ala/ecodata/UserService.groovy

@@ -1,19 +1,10 @@
 package au.org.ala.ecodata
 
-import au.org.ala.userdetails.UserDetailsClient
 import au.org.ala.web.AuthService
-import au.org.ala.ws.security.client.AlaOidcClient
 import grails.core.GrailsApplication
 import org.grails.web.servlet.mvc.GrailsWebRequest
-import org.pac4j.core.config.Config
-import org.pac4j.core.context.WebContext
-import org.pac4j.core.credentials.Credentials
-import org.pac4j.core.util.FindBest
-import org.pac4j.jee.context.JEEContextFactory
-import org.springframework.beans.factory.annotation.Autowired
 
 import javax.servlet.http.HttpServletRequest
-import javax.servlet.http.HttpServletResponse
 
 class UserService {
 
@@ -22,11 +13,7 @@ class UserService {
     AuthService authService
     WebService webService
     GrailsApplication grailsApplication
-    UserDetailsClient userDetailsClient
-    @Autowired(required = false)
-    Config config
-    @Autowired(required = false)
-    AlaOidcClient alaOidcClient
+
 
     /** Limit to the maximum number of Users returned by queries */
     static final int MAX_QUERY_RESULT_SIZE = 1000
@@ -179,55 +166,47 @@ class UserService {
     }
 
 
-    /**
-     * Get user from JWT.
-     * @param authorizationHeader
-     * @return
-     */
-    au.org.ala.web.UserDetails getUserFromJWT(String authorizationHeader = null) {
-        if((config == null) || (alaOidcClient == null))
-            return
-        try {
-            GrailsWebRequest grailsWebRequest = GrailsWebRequest.lookup()
-            HttpServletRequest request = grailsWebRequest.getCurrentRequest()
-            HttpServletResponse response = grailsWebRequest.getCurrentResponse()
-            if (!authorizationHeader)
-                authorizationHeader = request?.getHeader(AUTHORIZATION_HEADER_FIELD)
-            if (authorizationHeader?.startsWith("Bearer")) {
-                final WebContext context = FindBest.webContextFactory(null, config, JEEContextFactory.INSTANCE).newContext(request, response)
-                def optCredentials = alaOidcClient.getCredentials(context, config.sessionStore)
-                if (optCredentials.isPresent()) {
-                    Credentials credentials = optCredentials.get()
-                    def optUserProfile = alaOidcClient.getUserProfile(credentials, context, config.sessionStore)
-                    if (optUserProfile.isPresent()) {
-                        def userProfile = optUserProfile.get()
-                        String userId = userProfile?.userId ?: userProfile?.getAttribute(grailsApplication.config.getProperty('userProfile.userIdAttribute'))
-                        if (userId) {
-                            return authService.getUserForUserId(userId)
-                        }
-                    }
-                }
-            }
-        } catch (Throwable e) {
-            log.error("Failed to get user details from JWT", e)
+    private String checkForDelegatedUserId(HttpServletRequest request) {
+        // When BioCollect or MERIT calls ecodata, they use a M2M access token which contains custom scopes to
+        // enable access to the ecodata API.
+        // We can trust the requests containing bearer tokens with this scope and extract the userId from a header.
+        String scope = grailsApplication.config.getProperty('app.readScope')
+        if (!scope) {
+            log.error("No read scope specified in config.")
             return null
         }
+
+        if (request.isUserInRole(scope)) {
+            return request.getHeader(AuditInterceptor.httpRequestHeaderForUserId)
+        }
+        return null
     }
 
     def setUser() {
-        String userId
         GrailsWebRequest grailsWebRequest = GrailsWebRequest.lookup()
         HttpServletRequest request = grailsWebRequest.getCurrentRequest()
+
+        // First check if we've already saved the profile.
         def userDetails = request.getAttribute(UserDetails.REQUEST_USER_DETAILS_KEY)
 
-        if (userDetails)
+        if (userDetails) {
             return userDetails
+        }
 
-        // userId is set from either the request param userId or failing that it tries to get it from
-        // the UserPrincipal (assumes ecodata is being accessed directly via admin page)
-        userId = getUserFromJWT()?.userId ?: authService.getUserId() ?: request.getHeader(AuditInterceptor.httpRequestHeaderForUserId)
+        // if the token is an ALA M2M token from MERIT or BioCollect, we can obtain the userId
+        // from a separate header.  This is the most common scenario as most calls to ecodata will fall into
+        // this category.
+        String userId = checkForDelegatedUserId(request)
 
+        // Otherwise, if the user has logged in interactively or supplies a bearer token which identifies the user
+        // (e.g. the Monitor app passes the user token) the authService will be able to resolve the user from the token.
+        // If the OIDC provider is CAS, authService.getUser() will return the clientId, if it's Cognito, it will return null.
+        if (!userId) {
+            userId = authService.getUserId()
+        }
         if (userId) {
+            log.debug("Setting current user to ${userId}")
+
             userDetails = setCurrentUser(userId)
             if (userDetails) {
                 // We set the current user details in the request scope because

src/main/groovy/au/org/ala/ecodata/IniReader.java

@@ -156,13 +156,13 @@ public int getIntegerValue(String section, String key) {
      */
     public double getDoubleValue(String section, String key) {
         String str = document.get(section + "\\" + key);
-        Double ret;
+        double ret;
         try {
-            ret = new Double(str);
+            ret = Double.parseDouble(str);
         } catch (Exception e) {
-            ret = new Double(0);
+            ret = 0d;
         }
-        return ret.doubleValue();
+        return ret;
     }
 
     /**

src/main/groovy/au/org/ala/ecodata/metadata/SpeciesUrlGetter.groovy

@@ -3,7 +3,7 @@ package au.org.ala.ecodata.metadata
 import pl.touk.excel.export.getters.Getter
 import au.org.ala.ecodata.Record
 
-class SpeciesUrlGetter extends OutputDataGetter implements Getter<String> {
+class SpeciesUrlGetter extends OutputDataGetter {
     String biePrefix
     SpeciesUrlGetter(String propertyName, Map dataNode, Map<String, Object> documentMap, TimeZone timeZone, String biePrefix) {
         super(propertyName, dataNode, documentMap, timeZone)

src/test/groovy/au/org/ala/ecodata/UserServiceSpec.groovy

@@ -1,15 +1,11 @@
 package au.org.ala.ecodata
 
 import au.org.ala.web.AuthService
-import au.org.ala.ws.security.client.AlaOidcClient
-import au.org.ala.ws.security.profile.AlaOidcUserProfile
+import au.org.ala.ws.security.profile.AlaM2MUserProfile
 import grails.test.mongodb.MongoSpec
 import grails.testing.services.ServiceUnitTest
 import grails.testing.web.GrailsWebUnitTest
 import org.pac4j.core.config.Config
-import org.pac4j.core.credentials.AnonymousCredentials
-import org.pac4j.core.credentials.Credentials
-import org.pac4j.core.profile.UserProfile
 import spock.lang.Unroll
 
 /**
@@ -20,7 +16,6 @@ class UserServiceSpec extends MongoSpec implements ServiceUnitTest<UserService>,
 
     WebService webService = Mock(WebService)
     AuthService authService = Mock(AuthService)
-    AlaOidcClient alaOidcClient
     Config pack4jConfig
 
     def user
@@ -43,6 +38,7 @@ class UserServiceSpec extends MongoSpec implements ServiceUnitTest<UserService>,
     def cleanup() {
         User.findAll().each{it.delete(flush:true)}
         Hub.findAll().each{it.delete(flush:true)}
+        service.clearCurrentUser()
     }
 
     def "The recordLoginTime method requires a hubId and userId to be supplied"() {
@@ -160,28 +156,45 @@ class UserServiceSpec extends MongoSpec implements ServiceUnitTest<UserService>,
         "h1"  | "2021-04-15T00:00:00Z" | "2021-05-01T00:00:00Z" | 0
     }
 
-    void "getUserFromJWT returns user when Authorization header is passed"() {
+    void "The user service can identify the user using the authService and make it available on a ThreadLocal"() {
+        when:
+        service.setUser()
+
+        then:
+        1 * authService.getUserId() >> user.userId
+        1 * authService.getUserForUserId(user.userId)  >> userDetails
+
+        UserService.currentUser() == userDetails
+    }
+
+    void "The user service can identify an ALA M2M access token and identify the user from a request header"() {
         setup:
-        def result
-        alaOidcClient = GroovyMock([global: true], AlaOidcClient)
-        pack4jConfig =  GroovyMock([global: true], Config)
-        service.alaOidcClient = alaOidcClient
-        service.config = pack4jConfig
-        AlaOidcUserProfile person = new AlaOidcUserProfile(user.userId)
-        Optional<Credentials> credentials = new Optional<Credentials>(AnonymousCredentials.INSTANCE)
-        Optional<UserProfile> userProfile = new Optional<UserProfile>(person)
+        AuditInterceptor.httpRequestHeaderForUserId = 'userId'
+        request.addUserRole("ecodata/read_test")
 
         when:
-        request.addHeader('Authorization', 'Bearer abcdef')
-        result = service.getUserFromJWT()
+        request.addHeader('userId', user.userId)
+        service.setUser()
 
         then:
-        alaOidcClient.getCredentials(*_) >> credentials
-        alaOidcClient.getUserProfile(*_) >> userProfile
-        authService.getUserForUserId(user.userId)  >> userDetails
-        result.userName == user.userName
-        result.displayName == "${user.firstName} ${user.lastName}"
-        result.userId == user.userId
+        0 * authService.getUserId() >> null
+
+        1 * authService.getUserForUserId(user.userId)  >> userDetails
+
+        UserService.currentUser() == userDetails
+    }
+
+    void "The user service will not read the userId from the header if the caller isn't an ALA system"() {
+        when:
+        request.addHeader('userId', user.userId)
+        service.setUser()
+
+        then:
+        1 * authService.getUserId() >> null
+        0 * authService.getUserDetailsById(_)
+        UserService.currentUser() == null
+
+
     }