Merge pull request #131 from georchestra/allow-external-provider-in-p…
…reauth

Adds preauth external provider header
pmauduit authored Jun 26, 2024
2 parents a1f921c + 0f177ea commit 9cf7a71
Showing 3 changed files with 23 additions and 2 deletions.
6 changes: 6 additions & 0 deletions docs/pre-authentication.adoc
Expand Up @@ -30,6 +30,8 @@ The following headers are expected to be received by the Gateway:
* `preauth-firstname`: the first name of the user (e.g. "Pierre")
* `preauth-lastname`: the surname of the user (e.g. "Mauduit")
* `preauth-org`: the organisation identifier (e.g. "geOrchestra")
* `preauth-provider`: __(optional)__ the external provider (e.g. "myexternalprovider")
* `preauth-provider-id`: __(optional)__ the external provider identifier (e.g. "user_123456")

== Charset considerations & encoded headers

Expand Down Expand Up @@ -152,6 +154,8 @@ The following Apache configuration has been used in a setup to interact with the
RequestHeader unset preauth-firstname
RequestHeader unset preauth-lastname
RequestHeader unset preauth-org
RequestHeader unset preauth-provider
RequestHeader unset preauth-provider-id

# The following ones are used by geOrchestra
# You can find a list of headers here:
Expand All @@ -177,6 +181,8 @@ The following Apache configuration has been used in a setup to interact with the
RequestHeader set preauth-firstname %{MELLON_GIVEN_NAME}e "expr=-n env('MELLON_GIVEN_NAME')"
RequestHeader set preauth-lastname %{MELLON_SN}e "expr=-n env('MELLON_SN')"
RequestHeader set preauth-org %{MELLON_O}e "expr=-n env('MELLON_O')"
RequestHeader set preauth-provider myexternalprovider "expr=-n env('MELLON_O')"
RequestHeader set preauth-provider-id %{MELLON_EPPN}e "expr=-n env('MELLON_EPPN')"
# If needed to base64-encode the headers because of them containing accented characters, you can
# use the following syntax and adapt the other headers above:
# RequestHeader set preauth-lastname "expr={base64}%{base64:%{env:MELLON_SN}}" "expr=-n env('MELLON_SN')"
Expand Up @@ -48,6 +48,8 @@ public class PreauthAuthenticationManager implements ReactiveAuthenticationManag
public static final String PREAUTH_LASTNAME = "preauth-lastname";
public static final String PREAUTH_ORG = "preauth-org";
public static final String PREAUTH_ROLES = "preauth-roles";
public static final String PREAUTH_PROVIDER = "preauth-provider";
public static final String PREAUTH_PROVIDER_ID = "preauth-provider-id";

/**
* @return {@code Mono.empty()} if the pre-auth request headers are not
Expand Down Expand Up @@ -93,6 +95,9 @@ public static GeorchestraUser map(Map<String, String> requestHeaders) {
String lastName = SecurityHeaders.decode(requestHeaders.get(PREAUTH_LASTNAME));
String org = SecurityHeaders.decode(requestHeaders.get(PREAUTH_ORG));
String rolesValue = SecurityHeaders.decode(requestHeaders.get(PREAUTH_ROLES));
String provider = SecurityHeaders.decode(requestHeaders.get(PREAUTH_PROVIDER));
String providerId = SecurityHeaders.decode(requestHeaders.get(PREAUTH_PROVIDER_ID));

List<String> roleNames = Optional.ofNullable(rolesValue)
.map(roles -> Stream
.concat(Stream.of("ROLE_USER"), Stream.of(roles.split(";")).filter(StringUtils::hasText))
Expand All @@ -106,6 +111,9 @@ public static GeorchestraUser map(Map<String, String> requestHeaders) {
user.setLastName(lastName);
user.setOrganization(org);
user.setRoles(roleNames);
user.setOAuth2Provider(provider);
user.setOAuth2Uid(providerId);
//TODO rename oauth2 fields to a more generic name : externalProvider ?
return user;
}

Expand All @@ -117,5 +125,7 @@ public void removePreauthHeaders(HttpHeaders mutableHeaders) {
mutableHeaders.remove(PREAUTH_LASTNAME);
mutableHeaders.remove(PREAUTH_ORG);
mutableHeaders.remove(PREAUTH_ROLES);
mutableHeaders.remove(PREAUTH_PROVIDER);
mutableHeaders.remove(PREAUTH_PROVIDER_ID);
}
}
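Review bot: The two new optional headers are copied independently into `oauth2Provider`/`oauth2Uid` (the `user.setOAuth2Provider(provider); user.setOAuth2Uid(providerId);` lines), so a request carrying `preauth-provider-id` without `preauth-provider` yields a user with an external uid but no provider, and vice versa. Since these fields appear to name the identity an external IdP asserted, I'd only set them as a pair and otherwise leave both unset: `if (StringUtils.hasText(provider) && StringUtils.hasText(providerId)) { user.setOAuth2Provider(provider); user.setOAuth2Uid(providerId); }`. If any account lookup downstream matches on that provider/uid pair (not visible here), the pre-auth proxy effectively decides which externally created account a request lands on — worth confirming against the account-creation path, and worth a comment on the constants: `// Trusted only because the upstream proxy strips client-supplied preauth-* headers; see docs/pre-authentication.adoc`. `map()` begins before this hunk.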
Expand Up @@ -60,7 +60,10 @@ public class CreateAccountUserCustomizerIT {
"preauth-email", "[email protected]", //
"preauth-firstname", "Pierre-Jean-Pierre", //
"preauth-lastname", "Martin", //
"preauth-org", "NEWORG");
"preauth-org", "NEWORG",
"preauth-provider", "georchestra",
"preauth-provider-id", "georchestra12"
);

private static final Map<String, String> ANOTHER_NOT_EXISTING_ACCOUNT_HEADERS_EXISTING_ORG = Map.of( //
"sec-georchestra-preauthenticated", "true", //
Expand Down Expand Up @@ -113,7 +116,9 @@ private WebTestClient.RequestHeadersUriSpec<?> prepareWebTestClientHeaders(
.is2xxSuccessful()//
.expectBody()//
.jsonPath("$.GeorchestraUser").isNotEmpty()//
.jsonPath("$.GeorchestraUser.organization").isEqualTo("NEWORG");
.jsonPath("$.GeorchestraUser.organization").isEqualTo("NEWORG")
.jsonPath("$.GeorchestraUser.oauth2Provider").isEqualTo("georchestra")
.jsonPath("$.GeorchestraUser.oauth2Uid").isEqualTo("georchestra12");

// Make sure the account has been created
assertNotNull(accountDao.findByUID("pmartin2"));
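Review bot: The IT only pins the case where both provider headers are present; nothing asserts what the created user looks like when the optional `preauth-provider`/`preauth-provider-id` headers are absent, which is the common pre-auth setup. I'd add the negative assertion on the other fixture (`ANOTHER_NOT_EXISTING_ACCOUNT_HEADERS_EXISTING_ORG`, which does not carry them), e.g. `.jsonPath("$.GeorchestraUser.oauth2Provider").doesNotExist()` and the same for `oauth2Uid`, so a future change that defaults them to an empty string rather than null is caught. Whether the serializer omits null fields or emits `null` is not visible here, so `isEmpty()` may be the right matcher instead. The enclosing test method starts before this hunk.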
