Merge "add KeycloakPermissionFilter"

onap · Dec 17, 2024 · 11fa772 · 11fa772
2 parents d4f1e51 + c5fab8a
commit 11fa772
Show file tree

Hide file tree

Showing 14 changed files with 279 additions and 92 deletions.
diff --git a/app/src/main/resources/application-access-control.yml b/app/src/main/resources/application-access-control.yml
diff --git a/app/src/main/resources/application.yml b/app/src/main/resources/application.yml
@@ -52,8 +52,10 @@ bff:
   preferences-url: ${PREFERENCES_URL}
   history-url: ${HISTORY_URL}
   keycloak-url: ${KEYCLOAK_URL}
+  keycloak-client-id: ${KEYCLOAK_CLIENT_ID}
   endpoints:
     unauthenticated: /api-docs.html, /api.yaml, /webjars/**, /actuator/**
+
   rbac:
-    endpoints-excluded: /actuator/**, **/actuator/**, */actuator/**, /**/actuator/**, /*/actuator/**
+    endpoints-excluded: ${RBAC_EXCLUDED_ENDPOINTS}:-/api-docs.html, /api.yaml, /webjars/**, /actuator/**, /users**, /roles**, /preferences**, /actions**}
 
diff --git a/app/src/test/java/org/onap/portalng/bff/BaseIntegrationTest.java b/app/src/test/java/org/onap/portalng/bff/BaseIntegrationTest.java
@@ -115,6 +115,20 @@ public void mockAuth() {
                             .put("session_state", UUID.randomUUID().toString())
                             .put("scope", "email profile")
                             .toString())));
+
+    /*
+     * MockAuth for new RBAC permission via keycloak
+     */
+    WireMock.stubFor(
+        WireMock.post(
+                WireMock.urlMatching(
+                    String.format("/realms/%s/protocol/openid-connect/token", realm)))
+            .withRequestBody(
+                WireMock.containing("grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"))
+            .willReturn(
+                WireMock.aResponse()
+                    .withHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE)
+                    .withBody(objectMapper.createObjectNode().put("result", "true").toString())));
   }
 
   /**

diff --git a/app/src/test/java/org/onap/portalng/bff/rbac/RoleBaseAccessIntegrationTest.java b/app/src/test/java/org/onap/portalng/bff/rbac/RoleBaseAccessIntegrationTest.java
@@ -0,0 +1,104 @@
+/*
+ *
+ * Copyright (c) 2024. Deutsche Telekom AG
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ *
+ */
+
+package org.onap.portalng.bff.rbac;
+
+import com.github.tomakehurst.wiremock.client.WireMock;
+import io.restassured.http.Header;
+import org.junit.jupiter.api.Test;
+import org.onap.portalng.bff.BaseIntegrationTest;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+
+public class RoleBaseAccessIntegrationTest extends BaseIntegrationTest {
+
+  @Test
+  void thatRoleIsNotSufficient() {
+
+    WireMock.stubFor(
+        WireMock.post(
+                WireMock.urlMatching(
+                    String.format("/realms/%s/protocol/openid-connect/token", realm)))
+            .withRequestBody(
+                WireMock.containing("grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"))
+            .willReturn(
+                WireMock.aResponse()
+                    .withHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE)
+                    .withStatus(HttpStatus.FORBIDDEN.value())));
+
+    requestSpecification()
+        .given()
+        .accept(MediaType.APPLICATION_JSON_VALUE)
+        .header(new Header("X-Request-Id", "addf6005-3075-4c80-b7bc-2c70b7d42b57"))
+        .when()
+        .get("/roles")
+        .then()
+        .statusCode(HttpStatus.FORBIDDEN.value());
+  }
+
+  @Test
+  void thatResourceIsNotAvailable() {
+
+    WireMock.stubFor(
+        WireMock.post(
+                WireMock.urlMatching(
+                    String.format("/realms/%s/protocol/openid-connect/token", realm)))
+            .withRequestBody(
+                WireMock.containing("grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"))
+            .willReturn(
+                WireMock.aResponse()
+                    .withHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE)
+                    .withStatus(HttpStatus.BAD_REQUEST.value())));
+
+    requestSpecification()
+        .given()
+        .accept(MediaType.APPLICATION_JSON_VALUE)
+        .header(new Header("X-Request-Id", "addf6005-3075-4c80-b7bc-2c70b7d42b57"))
+        .when()
+        .get("/roles")
+        .then()
+        .statusCode(HttpStatus.FORBIDDEN.value());
+  }
+
+  @Test
+  void thatRoleBaseCheckIsMalformed() {
+
+    WireMock.stubFor(
+        WireMock.post(
+                WireMock.urlMatching(
+                    String.format("/realms/%s/protocol/openid-connect/token", realm)))
+            .withRequestBody(
+                WireMock.containing("grant_type=urn:ietf:params:oauth:grant-type:uma-ticket"))
+            .willReturn(
+                WireMock.aResponse()
+                    .withHeader("Content-Type", MediaType.APPLICATION_JSON_VALUE)
+                    .withBody(objectMapper.createObjectNode().put("result", "false").toString())));
+
+    requestSpecification()
+        .given()
+        .accept(MediaType.APPLICATION_JSON_VALUE)
+        .header(new Header("X-Request-Id", "addf6005-3075-4c80-b7bc-2c70b7d42b57"))
+        .when()
+        .get("/roles")
+        .then()
+        .statusCode(HttpStatus.FORBIDDEN.value());
+  }
+}
diff --git a/app/src/test/resources/application-development.yml b/app/src/test/resources/application-development.yml
@@ -30,3 +30,8 @@ bff:
   preferences-url: http://localhost:${wiremock.server.port}
   history-url: http://localhost:${wiremock.server.port}
   keycloak-url: http://localhost:${wiremock.server.port}
+  keycloak-client-id: test
+  endpoints:
+    unauthenticated: /api-docs.html, /api.yaml, /webjars/**, /actuator/**
+  rbac:
+    endpoints-excluded: /api-docs.html, /api.yaml, /webjars/**, /actuator/**
diff --git a/app/src/test/resources/application.yml b/app/src/test/resources/application.yml
@@ -27,8 +27,8 @@ bff:
   preferences-url: http://localhost:${wiremock.server.port}
   history-url: http://localhost:${wiremock.server.port}
   keycloak-url: http://localhost:${wiremock.server.port}
+  keycloak-client-id: test
   endpoints:
     unauthenticated: /api-docs.html, /api.yaml, /webjars/**, /actuator/**
   rbac:
-    endpoints-excluded: /actuator/**, **/actuator/**, */actuator/**, /**/actuator/**, /*/actuator/**
-
+    endpoints-excluded: /api-docs.html, /api.yaml, /webjars/**, /actuator/**
diff --git a/lib/src/main/java/org/onap/portalng/bff/config/BffConfig.java b/lib/src/main/java/org/onap/portalng/bff/config/BffConfig.java
@@ -45,6 +45,7 @@ public class BffConfig {
   @NotBlank private final String preferencesUrl;
   @NotBlank private final String historyUrl;
   @NotBlank private final String keycloakUrl;
+  @NotBlank private final String keycloakClientId;
 
   @NotNull private final Map<String, Set<String>> accessControl;
 

diff --git a/lib/src/main/java/org/onap/portalng/bff/config/KeycloakPermissionFilter.java b/lib/src/main/java/org/onap/portalng/bff/config/KeycloakPermissionFilter.java
@@ -0,0 +1,122 @@
+/*
+ *
+ * Copyright (c) 2024. Deutsche Telekom AG
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ *
+ */
+
+package org.onap.portalng.bff.config;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.stereotype.Component;
+import org.springframework.web.reactive.function.client.WebClient;
+import org.springframework.web.server.ServerWebExchange;
+import org.springframework.web.server.WebFilter;
+import org.springframework.web.server.WebFilterChain;
+import reactor.core.publisher.Mono;
+
+@Component
+@Slf4j
+public class KeycloakPermissionFilter implements WebFilter {
+
+  private final WebClient webClient;
+
+  private final ObjectMapper objectMapper;
+  private final BffConfig bffConfig;
+
+  @Value("${bff.rbac.endpoints-excluded}")
+  private String[] EXCLUDED_PATHS;
+
+  public KeycloakPermissionFilter(
+      WebClient.Builder webClientBuilder, ObjectMapper objectMapper, BffConfig bffConfig) {
+    this.webClient = webClientBuilder.build();
+    this.objectMapper = objectMapper;
+    this.bffConfig = bffConfig;
+  }
+
+  @Override
+  public Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {
+    String accessToken = exchange.getRequest().getHeaders().getFirst(HttpHeaders.AUTHORIZATION);
+    String uri = exchange.getRequest().getURI().getPath();
+    String method = exchange.getRequest().getMethod().toString();
+
+    for (String excludedPath : EXCLUDED_PATHS) {
+      if (uri.matches(excludedPath.replace("**", ".*"))) {
+        return chain.filter(exchange);
+      }
+    }
+
+    String body =
+        new StringBuilder()
+            .append("grant_type=urn:ietf:params:oauth:grant-type:uma-ticket")
+            .append("&audience=")
+            .append(bffConfig.getKeycloakClientId())
+            .append("&permission_resource_format=uri")
+            .append("&permission_resource_matching_uri=true")
+            .append("&permission=")
+            .append(uri)
+            .append("#")
+            .append(method)
+            .append("&response_mode=decision")
+            .toString();
+
+    return webClient
+        .post()
+        .uri(
+            bffConfig.getKeycloakUrl()
+                + "/realms/"
+                + bffConfig.getRealm()
+                + "/protocol/openid-connect/token")
+        .header(HttpHeaders.AUTHORIZATION, accessToken)
+        .contentType(MediaType.APPLICATION_FORM_URLENCODED)
+        .bodyValue(body)
+        .retrieve()
+        .bodyToMono(String.class)
+        .flatMap(
+            response -> {
+              if (isPermissionGranted(response)) {
+                return chain.filter(exchange);
+              } else {
+                exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
+                return exchange.getResponse().setComplete();
+              }
+            })
+        .onErrorResume(
+            ex -> {
+              exchange.getResponse().setStatusCode(HttpStatus.FORBIDDEN);
+              return exchange.getResponse().setComplete();
+            });
+  }
+
+  private boolean isPermissionGranted(String response) {
+    try {
+      JsonNode jsonNode = objectMapper.readTree(response);
+      if (jsonNode.has("result") && jsonNode.get("result").asBoolean()) {
+        return true;
+      }
+    } catch (Exception e) {
+      log.error("Error parsing JSON response", e);
+    }
+    return false;
+  }
+}
diff --git a/lib/src/main/java/org/onap/portalng/bff/config/SecurityConfig.java b/lib/src/main/java/org/onap/portalng/bff/config/SecurityConfig.java
@@ -23,10 +23,12 @@
 
 import static org.springframework.security.config.Customizer.withDefaults;
 
+import lombok.RequiredArgsConstructor;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
 import org.springframework.security.config.web.server.ServerHttpSecurity;
 import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientManager;
 import org.springframework.security.oauth2.client.ReactiveOAuth2AuthorizedClientProvider;
@@ -38,8 +40,11 @@
 
 @Configuration
 @EnableWebFluxSecurity
+@RequiredArgsConstructor
 public class SecurityConfig {
 
+  private final KeycloakPermissionFilter keycloakPermissionFilter;
+
   @Value("${bff.endpoints.unauthenticated}")
   private String[] unauthenticatedEndpoints;
 
@@ -59,6 +64,7 @@ public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
                     .authenticated())
         .oauth2ResourceServer(ServerHttpSecurity.OAuth2ResourceServerSpec::jwt)
         .oauth2Client(withDefaults())
+        .addFilterAfter(keycloakPermissionFilter, SecurityWebFiltersOrder.AUTHORIZATION)
         .build();
   }
 

diff --git a/lib/src/main/java/org/onap/portalng/bff/controller/AbstractBffController.java b/lib/src/main/java/org/onap/portalng/bff/controller/AbstractBffController.java
@@ -22,9 +22,6 @@
 package org.onap.portalng.bff.controller;
 
 import org.onap.portalng.bff.config.BffConfig;
-import org.onap.portalng.bff.config.IdTokenExchangeFilterFunction;
-import org.springframework.web.server.ServerWebExchange;
-import reactor.core.publisher.Mono;
 
 public abstract class AbstractBffController {
 
@@ -33,14 +30,4 @@ public abstract class AbstractBffController {
   protected AbstractBffController(BffConfig bffConfig) {
     this.bffConfig = bffConfig;
   }
-
-  public Mono<Void> checkRoleAccess(String method, ServerWebExchange exchange) {
-    return bffConfig
-        .getRoles(method)
-        .flatMap(
-            roles ->
-                roles.contains("*")
-                    ? Mono.empty()
-                    : IdTokenExchangeFilterFunction.validateAccess(exchange, roles));
-  }
 }