feat(rbac): init user at OAuth2 login

README.adoc

@@ -88,14 +88,17 @@ A sample `values.yaml` could be like this one:
 api:
   authentication: oauth2-github # Put a friendly value to disable default authentication
   customConfig:
-    # Active providers
-    # provider-type has to be one of custom / github / google
-    # code refers to the provider key ( spring.security.oauth2.client.registration.<code>)
     oauth2providers:
-      conf:
-      - display-name: Github
-        provider-type: github
-        code: github
+      setup:
+        -
+          # Used for front login:
+          provider:
+            # Value displayed on the login front page button.
+            display-value: Github
+            # Value below can only be one of the following: custom, github or google
+            type: github
+            # Refers to the registration code (i.e. spring.security.oauth2.client.registration.<code>)
+            registration: github
 
     # Oauth
     spring:

code/api/api/src/main/java/com/decathlon/ara/security/configuration/SecurityConfiguration.java

@@ -0,0 +1,91 @@
+package com.decathlon.ara.security.configuration;
+
+import com.decathlon.ara.security.service.AuthenticationService;
+import org.apache.logging.log4j.util.Strings;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
+import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
+import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
+import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+import org.springframework.security.web.SecurityFilterChain;
+
+import java.util.Set;
+
+@Configuration
+public class SecurityConfiguration {
+
+    @Value("${ara.clientBaseUrl}")
+    private String clientBaseUrl;
+
+    @Value("${ara.loginStartingUrl}")
+    private String loginStartingUrl;
+
+    @Value("${ara.loginProcessingUrl}")
+    private String loginProcessingUrl;
+
+    @Value("${ara.logoutProcessingUrl}")
+    private String logoutProcessingUrl;
+
+    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri:}")
+    private String resourceIssuerUri;
+
+    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri:}")
+    private String resourceJwkSetUri;
+
+    private final AuthenticationService authenticationService;
+
+    public SecurityConfiguration(AuthenticationService authenticationService) {
+        this.authenticationService = authenticationService;
+    }
+
+    @Bean
+    public SecurityFilterChain configure(HttpSecurity http) throws Exception {
+        // Whatever is the authentication method, we need to authorize /actguatorgw
+        String redirectUrl = String.format("%s?spring_redirect=true", this.clientBaseUrl);
+        http
+                .csrf().disable() //NOSONAR
+                .authorizeRequests() //NOSONAR
+                .antMatchers("/oauth/**", "/actuator/**").permitAll()
+                .anyRequest().authenticated()
+                .and()
+                .logout()
+                .logoutUrl(this.logoutProcessingUrl) // logout entrypoint
+                .invalidateHttpSession(true)
+                .clearAuthentication(true).logoutSuccessUrl(redirectUrl).deleteCookies("JSESSIONID").permitAll()
+                .and()
+                .oauth2Login(oauth2 -> oauth2
+                        .userInfoEndpoint(userInfo -> userInfo.oidcUserService(this.oidcUserService()))
+                        .loginProcessingUrl(this.loginProcessingUrl + "/*") // path to redirect to from auth server
+                        .loginPage(String.format("%s/%s", this.clientBaseUrl, "login")) // standard spring redirection for protected resources
+                        .defaultSuccessUrl(redirectUrl, true) // once logged in, redirect to
+                        .authorizationEndpoint().baseUri(this.loginStartingUrl) // entrypoint to initialize oauth processing
+                );
+
+        if (isResourceServerConfiguration()) {
+            http.oauth2ResourceServer().jwt();
+        }
+        return http.build();
+    }
+
+    private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService() {
+        final OidcUserService delegate = new OidcUserService();
+
+        return userRequest -> {
+            var providerName = userRequest.getClientRegistration().getRegistrationId();
+            OidcUser oidcUser = delegate.loadUser(userRequest);
+            Set<GrantedAuthority> mappedAuthorities = authenticationService.manageUserAtLogin(oidcUser, providerName);
+            oidcUser = new DefaultOidcUser(mappedAuthorities, oidcUser.getIdToken(), oidcUser.getUserInfo());
+            return oidcUser;
+        };
+    }
+
+    private boolean isResourceServerConfiguration() {
+        return Strings.isNotBlank(resourceIssuerUri) || Strings.isNotBlank(resourceJwkSetUri);
+    }
+
+}

code/api/api/src/main/java/com/decathlon/ara/security/configuration/data/providers/OAuth2ProvidersConfiguration.java

@@ -0,0 +1,80 @@
+package com.decathlon.ara.security.configuration.data.providers;
+
+import com.decathlon.ara.domain.security.member.user.entity.UserEntity;
+import com.decathlon.ara.repository.ProjectRepository;
+import com.decathlon.ara.security.configuration.data.providers.setup.ProviderSetupConfiguration;
+import com.decathlon.ara.security.configuration.data.providers.setup.users.UsersConfiguration;
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.util.CollectionUtils;
+
+import java.util.*;
+
+@Configuration
+@ConfigurationProperties("oauth2providers")
+public class OAuth2ProvidersConfiguration {
+
+    private List<ProviderSetupConfiguration> setup;
+
+    public List<ProviderSetupConfiguration> getSetup() {
+        return setup;
+    }
+
+    public void setSetup(List<ProviderSetupConfiguration> setup) {
+        this.setup = setup;
+    }
+
+    /**
+     * Search for a configuration matching an OAuth2 provider name and a user login.
+     * If found, a matching user entity is returned
+     * @param providerName the provider name
+     * @param login the user login
+     * @param projectRepository the project repository
+     * @return the matching user entity, when found
+     */
+    public Optional<UserEntity> getMatchingUserEntityFromProviderNameAndLogin(String providerName, String login, ProjectRepository projectRepository) {
+        if (StringUtils.isBlank(providerName)) {
+            return Optional.empty();
+        }
+
+        if (StringUtils.isBlank(login)) {
+            return Optional.empty();
+        }
+
+        return CollectionUtils.isEmpty(setup) ?
+                Optional.empty() :
+                setup.stream()
+                        .filter(configuration -> Objects.nonNull(configuration.getProvider()))
+                        .filter(configuration -> providerName.equalsIgnoreCase(configuration.getProvider().getRegistration()))
+                        .map(configuration -> configuration.getMatchingUserEntityFromLogin(login, projectRepository))
+                        .filter(Optional::isPresent)
+                        .findFirst()
+                        .orElse(Optional.empty());
+    }
+
+    /**
+     * Get all non-standard attributes for a given provider
+     * @param providerName the provider name
+     * @return the map matching the standard attributes to non-standard ones
+     */
+    public Map<String, String> getUsersCustomAttributesFromProviderName(String providerName) {
+        if (StringUtils.isBlank(providerName)) {
+            return new HashMap<>();
+        }
+
+        if (CollectionUtils.isEmpty(setup)) {
+            return new HashMap<>();
+        }
+
+        return setup.stream()
+                .filter(configuration -> Objects.nonNull(configuration.getProvider()))
+                .filter(configuration -> providerName.equalsIgnoreCase(configuration.getProvider().getRegistration()))
+                .map(ProviderSetupConfiguration::getUsers)
+                .filter(Objects::nonNull)
+                .map(UsersConfiguration::getCustomAttributes)
+                .filter(Objects::nonNull) 
+                .findFirst()
+                .orElse(new HashMap<>());
+    }
+}