From bcee8dd9c54206d7ec8ba8957bbe5b698d47a386 Mon Sep 17 00:00:00 2001
From: fnecas
Date: Mon, 24 Jun 2024 23:22:44 +0200
Subject: [PATCH 1/2] feat: adds preauth external provider header
---
 .../security/preauth/PreauthAuthenticationManager.java | 7 +++++++
 .../accounts/admin/CreateAccountUserCustomizerIT.java | 9 +++++++--
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/gateway/src/main/java/org/georchestra/gateway/security/preauth/PreauthAuthenticationManager.java b/gateway/src/main/java/org/georchestra/gateway/security/preauth/PreauthAuthenticationManager.java
index d1295f1e..ce760b62 100644
--- a/gateway/src/main/java/org/georchestra/gateway/security/preauth/PreauthAuthenticationManager.java
+++ b/gateway/src/main/java/org/georchestra/gateway/security/preauth/PreauthAuthenticationManager.java
@@ -48,6 +48,8 @@ public class PreauthAuthenticationManager implements ReactiveAuthenticationManag
 public static final String PREAUTH_LASTNAME = "preauth-lastname";
 public static final String PREAUTH_ORG = "preauth-org";
 public static final String PREAUTH_ROLES = "preauth-roles";
+ public static final String PREAUTH_PROVIDER = "preauth-provider";
+ public static final String PREAUTH_PROVIDER_ID = "preauth-provider-id";
 
 /**
 * @return {@code Mono.empty()} if the pre-auth request headers are not
@@ -93,6 +95,9 @@ public static GeorchestraUser map(Map requestHeaders) {
 String lastName = SecurityHeaders.decode(requestHeaders.get(PREAUTH_LASTNAME));
 String org = SecurityHeaders.decode(requestHeaders.get(PREAUTH_ORG));
 String rolesValue = SecurityHeaders.decode(requestHeaders.get(PREAUTH_ROLES));
+ String provider = SecurityHeaders.decode(requestHeaders.get(PREAUTH_PROVIDER));
+ String providerId = SecurityHeaders.decode(requestHeaders.get(PREAUTH_PROVIDER_ID));
+
 List roleNames = Optional.ofNullable(rolesValue)
 .map(roles -> Stream
 .concat(Stream.of("ROLE_USER"), Stream.of(roles.split(";")).filter(StringUtils::hasText))
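Review bot: The two new headers are decoded independently here and, in the -106 hunk below, written unconditionally through `setOAuth2Provider`/`setOAuth2Uid`, so a request carrying only one of `preauth-provider`/`preauth-provider-id` produces a user with a half-populated external identity. Patch 2's Apache example makes that case plausible, since it conditions `preauth-provider` on `MELLON_O` but `preauth-provider-id` on `MELLON_EPPN`. If the pair is meant to identify the user at one external provider (inferred from the setter names, please confirm), set both only when both are present, e.g. `if (StringUtils.hasText(provider) && StringUtils.hasText(providerId)) { user.setOAuth2Provider(provider); user.setOAuth2Uid(providerId); }`, and state in `map`'s Javadoc that the two headers are optional and only meaningful together. Whether `SecurityHeaders.decode` tolerates a missing header is not visible here; `rolesValue` is wrapped in `Optional.ofNullable`, so it presumably returns null, which the guard above also covers. `map` starts and ends outside this hunk.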
@@ -106,6 +111,8 @@ public static GeorchestraUser map(Map requestHeaders) {
 user.setLastName(lastName);
 user.setOrganization(org);
 user.setRoles(roleNames);
+ user.setOAuth2Provider(provider);
+ user.setOAuth2Uid(providerId);
 return user;
 }
 
diff --git a/gateway/src/test/java/org/georchestra/gateway/accounts/admin/CreateAccountUserCustomizerIT.java b/gateway/src/test/java/org/georchestra/gateway/accounts/admin/CreateAccountUserCustomizerIT.java
index cf4583f1..6cc73e59 100644
--- a/gateway/src/test/java/org/georchestra/gateway/accounts/admin/CreateAccountUserCustomizerIT.java
+++ b/gateway/src/test/java/org/georchestra/gateway/accounts/admin/CreateAccountUserCustomizerIT.java
@@ -60,7 +60,10 @@ public class CreateAccountUserCustomizerIT {
 "preauth-email", "pierre.martin2@example.org", //
 "preauth-firstname", "Pierre-Jean-Pierre", //
 "preauth-lastname", "Martin", //
- "preauth-org", "NEWORG");
+ "preauth-org", "NEWORG",
+ "preauth-provider", "georchestra",
+ "preauth-provider-id", "georchestra12"
+ );
 
 private static final Map ANOTHER_NOT_EXISTING_ACCOUNT_HEADERS_EXISTING_ORG = Map.of( //
 "sec-georchestra-preauthenticated", "true", //
@@ -113,7 +116,9 @@ private WebTestClient.RequestHeadersUriSpec prepareWebTestClientHeaders(
 .is2xxSuccessful()//
 .expectBody()//
 .jsonPath("$.GeorchestraUser").isNotEmpty()//
- .jsonPath("$.GeorchestraUser.organization").isEqualTo("NEWORG");
+ .jsonPath("$.GeorchestraUser.organization").isEqualTo("NEWORG")
+ .jsonPath("$.GeorchestraUser.oauth2Provider").isEqualTo("georchestra")
+ .jsonPath("$.GeorchestraUser.oauth2Uid").isEqualTo("georchestra12");
 
 // Make sure the account has been created
 assertNotNull(accountDao.findByUID("pmartin2"));
From 0f177ea93975cf9f1c9fac0c5fb6b7f6ffd5dd52 Mon Sep 17 00:00:00 2001
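Review bot: The new `Map.of` entries in the -60 hunk of `CreateAccountUserCustomizerIT` drop the trailing `//` markers that every neighbouring entry carries (presumably to keep the formatter from re-joining the lines), and the closing `);` moves onto a line of its own, so this map no longer reads like the sibling `ANOTHER_NOT_EXISTING_ACCOUNT_HEADERS_EXISTING_ORG` declaration visible just below it. Keep the class's convention: `"preauth-org", "NEWORG", //`, `"preauth-provider", "georchestra", //` and `"preauth-provider-id", "georchestra12");`. The map's declaration line starts outside the hunk.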
From: Florian Necas
Date: Wed, 26 Jun 2024 09:19:17 +0200
Subject: [PATCH 2/2] fix: add documentation and unsets
---
 docs/pre-authentication.adoc | 6 ++++++
 .../security/preauth/PreauthAuthenticationManager.java | 3 +++
 2 files changed, 9 insertions(+)
diff --git a/docs/pre-authentication.adoc b/docs/pre-authentication.adoc
index 775b4bfa..30162311 100644
--- a/docs/pre-authentication.adoc
+++ b/docs/pre-authentication.adoc
@@ -30,6 +30,8 @@ The following headers are expected to be received by the Gateway:
 * `preauth-firstname`: the first name of the user (e.g. "Pierre")
 * `preauth-lastname`: the surname of the user (e.g. "Mauduit")
 * `preauth-org`: the organisation identifier (e.g. "geOrchestra")
+* `preauth-provider`: __(optional)__ the external provider (e.g. "myexternalprovider")
+* `preauth-provider-id`: __(optional)__ the external provider identifier (e.g. "user_123456")
 
 == Charset considerations & encoded headers
 
@@ -152,6 +154,8 @@ The following Apache configuration has been used in a setup to interact with the
 RequestHeader unset preauth-firstname
 RequestHeader unset preauth-lastname
 RequestHeader unset preauth-org
+ RequestHeader unset preauth-provider
+ RequestHeader unset preauth-provider-id
 
 # The following ones are used by geOrchestra
 # You can find a list of headers here:
@@ -177,6 +181,8 @@ The following Apache configuration has been used in a setup to interact with the
 RequestHeader set preauth-firstname %{MELLON_GIVEN_NAME}e "expr=-n env('MELLON_GIVEN_NAME')"
 RequestHeader set preauth-lastname %{MELLON_SN}e "expr=-n env('MELLON_SN')"
 RequestHeader set preauth-org %{MELLON_O}e "expr=-n env('MELLON_O')"
+ RequestHeader set preauth-provider myexternalprovider "expr=-n env('MELLON_O')"
+ RequestHeader set preauth-provider-id %{MELLON_EPPN}e "expr=-n env('MELLON_EPPN')"
 # If needed to base64-encode the headers because of them containing accented characters, you can
 # use the following syntax and adapt the other headers above:
 # RequestHeader set preauth-lastname "expr={base64}%{base64:%{env:MELLON_SN}}" "expr=-n env('MELLON_SN')"
diff --git a/gateway/src/main/java/org/georchestra/gateway/security/preauth/PreauthAuthenticationManager.java b/gateway/src/main/java/org/georchestra/gateway/security/preauth/PreauthAuthenticationManager.java
index ce760b62..019b26d5 100644
--- a/gateway/src/main/java/org/georchestra/gateway/security/preauth/PreauthAuthenticationManager.java
+++ b/gateway/src/main/java/org/georchestra/gateway/security/preauth/PreauthAuthenticationManager.java
@@ -113,6 +113,7 @@ public static GeorchestraUser map(Map requestHeaders) {
 user.setRoles(roleNames);
 user.setOAuth2Provider(provider);
 user.setOAuth2Uid(providerId);
+ //TODO rename oauth2 fields to a more generic name : externalProvider ?
 return user;
 }
 
@@ -124,5 +125,7 @@ public void removePreauthHeaders(HttpHeaders mutableHeaders) {
 mutableHeaders.remove(PREAUTH_LASTNAME);
 mutableHeaders.remove(PREAUTH_ORG);
 mutableHeaders.remove(PREAUTH_ROLES);
+ mutableHeaders.remove(PREAUTH_PROVIDER);
+ mutableHeaders.remove(PREAUTH_PROVIDER_ID);
 }
 }
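Review bot: `removePreauthHeaders` in the -124 hunk is a second hand-maintained copy of the header list that `map` reads, and patch 1 shows how the two drift: it added `PREAUTH_PROVIDER`/`PREAUTH_PROVIDER_ID` to `map` but not here, so until this patch those two headers were presumably passed on unstripped by the gateway. Consider one `static final List<String>` of every pre-auth header name that both `map` and this method consume, reducing this body to `PREAUTH_HEADERS.forEach(mutableHeaders::remove);`, so that a header cannot be read without also being stripped. Whether anything downstream relies on still receiving these headers is not visible here. The method's signature sits in the hunk header, so its start is outside the hunk.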