Merge pull request #473 from Breeding-Insight/feature/BI-2540

BI-2540 - Update bi_user Table for Alternate OAuth Provider(s)

Author: mlm483

.env.template

@@ -3,6 +3,10 @@
 USER_ID=<user id of system user>
 GROUP_ID=<group id of system user>
 
+# GitHub OAuth variables. Only required if using GitHub as an OAuth provider.
+GITHUB_OAUTH_CLIENT_ID=<Client ID of GitHub OAuth app.>
+GITHUB_OAUTH_CLIENT_SECRET=<Client Secret of GitHub Oauth app.>
+
 ORCID_SANDBOX_AUTHENTICATION=<true or false; true=>use the Sandbox Orcid, false=>use the Production Orcid.  Defaults to false.>
 
 # Authentication variables
@@ -74,4 +78,4 @@ STUDY_START_DELAY=10s
 TRIAL_START_DELAY=15s
 TRAIT_START_DELAY=20s
 OBSERVATION_START_DELAY=25s
-OBSERVATION_UNIT_START_DELAY=30s
+OBSERVATION_UNIT_START_DELAY=30s

.github/workflows/build.yml

@@ -73,5 +73,7 @@ jobs:
           JWT_SECRET: ${{ secrets.JWT_SECRET }}
           OAUTH_CLIENT_ID: 123abc
           OAUTH_CLIENT_SECRET: asdfljkhalkbaldsfjasdfi238497098asdf
+          GITHUB_OAUTH_CLIENT_ID: 12345678901234567890
+          GITHUB_OAUTH_CLIENT_SECRET: 1234567890123456789012345678901234567890
           BRAPI_REFERENCE_SOURCE: breedinginsight.org
-          BRAPI_DOCKER_IMAGE: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.brapi_server_image || 'breedinginsight/brapi-java-server:develop' }}
+          BRAPI_DOCKER_IMAGE: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.brapi_server_image || 'breedinginsight/brapi-java-server:develop' }}

docker-compose.yml

@@ -40,6 +40,8 @@ services:
       - API_INTERNAL_PORT=${API_INTERNAL_PORT}
       - API_INTERNAL_TEST_PORT=${API_INTERNAL_TEST_PORT}
       - OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID}
+      - GITHUB_OAUTH_CLIENT_ID=${GITHUB_OAUTH_CLIENT_ID}
+      - GITHUB_OAUTH_CLIENT_SECRET=${GITHUB_OAUTH_CLIENT_SECRET}
       - JWT_DOMAIN=${JWT_DOMAIN}
       - DB_SERVER=${DB_SERVER}
       - DB_NAME=${DB_NAME}

pom.xml

@@ -192,6 +192,11 @@
             <artifactId>micronaut-inject</artifactId>
             <scope>compile</scope>
         </dependency>
+        <dependency>
+            <groupId>io.micronaut</groupId>
+            <artifactId>micronaut-http-client</artifactId>
+            <scope>compile</scope>
+        </dependency>
         <dependency>
             <groupId>io.micronaut</groupId>
             <artifactId>micronaut-validation</artifactId>
@@ -619,6 +624,10 @@
                     <url>jdbc:postgresql://${DB_SERVER}/${DB_NAME}</url>
                     <user>${DB_USER}</user>
                     <password>${DB_PASSWORD}</password>
+                    <locations>
+                        <location>filesystem:src/main/java/org/breedinginsight/db/migration</location>
+                        <location>filesystem:src/main/resources/db/migration</location>
+                    </locations>
                 </configuration>
                 <dependencies>
                     <dependency>

src/main/java/org/breedinginsight/api/auth/AuthServiceLoginHandler.java

@@ -30,7 +30,6 @@
 import io.micronaut.security.token.jwt.cookie.JwtCookieLoginHandler;
 import io.micronaut.security.token.jwt.generator.AccessRefreshTokenGenerator;
 import io.micronaut.security.token.jwt.generator.AccessTokenConfiguration;
-import io.micronaut.security.token.jwt.generator.JwtGeneratorConfiguration;
 import lombok.extern.slf4j.Slf4j;
 import org.breedinginsight.api.model.v1.auth.SignUpJWT;
 import org.breedinginsight.model.ProgramUser;
@@ -83,7 +82,7 @@ public AuthServiceLoginHandler(JwtCookieConfiguration jwtCookieConfiguration,
 
     @Override
     public MutableHttpResponse<?> loginSuccess(UserDetails userDetails, HttpRequest<?> request) {
-        // Called when login to orcid is successful.
+        // Called when login to OAuth provider is successful.
         // Check if our login to our system is successful.
         if (request.getCookies().contains(accountTokenCookieName)) {
             Cookie accountTokenCookie = request.getCookies().get(accountTokenCookieName);
@@ -124,7 +123,7 @@ public MutableHttpResponse<?> loginSuccess(UserDetails userDetails, HttpRequest<
 
     private AuthenticatedUser getUserCredentials(UserDetails userDetails) throws AuthenticationException {
 
-        Optional<User> user = userService.getByOrcid(userDetails.getUsername());
+        Optional<User> user = userService.getByOAuthId(userDetails.getUsername());
 
         if (user.isPresent()) {
             if (user.get().getActive()) {
@@ -159,9 +158,20 @@ public MutableHttpResponse<?> loginFailed(AuthenticationResponse authenticationF
         }
     }
 
+    private String parseOAuthProvider(HttpRequest request) {
+        // The request path will be something like "/sso/success/github".
+        if (request.getPath().toLowerCase().contains("github")) {
+            return "github";
+        } else {
+            // Default to ORCID.
+            return "orcid";
+        }
+    }
+
     private MutableHttpResponse newAccountCreationResponse(UserDetails userDetails, String accountToken, HttpRequest request) {
 
-        String orcid = userDetails.getUsername();
+        String oAuthId = userDetails.getUsername();
+        String oAuthProvider = parseOAuthProvider(request);
         SignUpJWT signUpJWT;
         try {
             signUpJWT = signUpJwtService.validateAndParseAccountSignUpJwt(accountToken);
@@ -185,9 +195,9 @@ private MutableHttpResponse newAccountCreationResponse(UserDetails userDetails,
         }
 
         if (newUser.getAccountToken().equals(signUpJWT.getJwtId().toString())) {
-            // Assign orcid to that user
+            // Assign OAuth Id and provider to that user.
             try {
-                userService.updateOrcid(newUser.getId(), orcid);
+                userService.updateOAuthInfo(newUser.getId(), oAuthId, oAuthProvider);
             } catch (DoesNotExistException e) {
                 MutableHttpResponse resp = HttpResponse.seeOther(URI.create(newAccountErrorUrl));
                 return resp;

src/main/java/org/breedinginsight/api/auth/GithubApiClient.java

@@ -0,0 +1,32 @@
+/*
+ * See the NOTICE file distributed with this work for additional information
+ * regarding copyright ownership.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.breedinginsight.api.auth;
+
+import io.micronaut.http.annotation.Get;
+import io.micronaut.http.annotation.Header;
+import io.micronaut.http.client.annotation.Client;
+import io.reactivex.Flowable;
+
+@Header(name = "User-Agent", value = "Micronaut")
+@Client("https://api.github.com")
+public interface GithubApiClient {
+
+    @Get("/user")
+    Flowable<GithubUser> getUser(@Header("Authorization") String authorization);
+}
+

src/main/java/org/breedinginsight/api/auth/GithubUser.java

@@ -0,0 +1,37 @@
+/*
+ * See the NOTICE file distributed with this work for additional information
+ * regarding copyright ownership.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.breedinginsight.api.auth;
+
+import com.fasterxml.jackson.databind.PropertyNamingStrategy;
+import com.fasterxml.jackson.databind.annotation.JsonNaming;
+import io.micronaut.core.annotation.Introspected;
+import lombok.Getter;
+
+@Introspected
+@JsonNaming(PropertyNamingStrategy.SnakeCaseStrategy.class)
+@Getter
+public class GithubUser {
+
+    private String id;
+    // The login will be the unique GitHub username.
+    private String login;
+    private String name;
+    private String email;
+
+}
+

src/main/java/org/breedinginsight/api/auth/GithubUserDetailsMapper.java

@@ -0,0 +1,61 @@
+/*
+ * See the NOTICE file distributed with this work for additional information
+ * regarding copyright ownership.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.breedinginsight.api.auth;
+
+import io.micronaut.core.annotation.Nullable;
+import io.micronaut.core.async.publisher.Publishers;
+import io.micronaut.security.authentication.AuthenticationResponse;
+import io.micronaut.security.authentication.UserDetails;
+import io.micronaut.security.oauth2.endpoint.authorization.state.State;
+import io.micronaut.security.oauth2.endpoint.token.response.OauthUserDetailsMapper;
+import io.micronaut.security.oauth2.endpoint.token.response.TokenResponse;
+import lombok.extern.slf4j.Slf4j;
+import org.reactivestreams.Publisher;
+
+
+import javax.inject.Named;
+import javax.inject.Singleton;
+import java.util.Collections;
+import java.util.List;
+
+@Slf4j
+@Named("github")
+@Singleton
+class GithubUserDetailsMapper implements OauthUserDetailsMapper {
+
+    private final GithubApiClient apiClient;
+
+    GithubUserDetailsMapper(GithubApiClient apiClient) {
+        this.apiClient = apiClient;
+    }
+
+    @Override
+    public Publisher<UserDetails> createUserDetails(TokenResponse tokenResponse) {
+        return Publishers.just(new UnsupportedOperationException());
+    }
+
+    @Override
+    public Publisher<AuthenticationResponse> createAuthenticationResponse(TokenResponse tokenResponse, @Nullable State state) {
+        return apiClient.getUser("token " + tokenResponse.getAccessToken())
+                .map(user -> {
+                    List<String> roles = Collections.singletonList("ROLE_GITHUB");
+                    return new UserDetails(user.getLogin(), roles);
+                });
+    }
+}
+

src/main/java/org/breedinginsight/daos/ProgramUserDAO.java

@@ -120,14 +120,14 @@ public List<ProgramUser> getProgramUsersByUserId(UUID userId) {
         return parseRecords(records, createdByUser, updatedByUser);
     }
 
-    public List<ProgramUser> getProgramUsersByOrcid(String orcid) {
+    public List<ProgramUser> getProgramUsersByOAuthId(String oAuthId) {
 
         BiUserTable createdByUser = BI_USER.as("createdByUser");
         BiUserTable updatedByUser = BI_USER.as("updatedByUser");
 
         // TODO: When we allow for pulling archived users, active condition won't be hardcoded.
         Result<Record> records = getProgramUsersQuery(createdByUser, updatedByUser)
-                .where(BI_USER.ORCID.eq(orcid))
+                .where(BI_USER.OAUTH_ID.eq(oAuthId))
                 .and(PROGRAM.ACTIVE.eq(true))
                 .fetch();
 

src/main/java/org/breedinginsight/daos/UserDAO.java

@@ -32,11 +32,11 @@ public interface UserDAO extends DAO<BiUserRecord, BiUserEntity, UUID> {
 
     Optional<User> getUser(UUID id);
 
-    Optional<User> getUserByOrcId(String orcid);
+    Optional<User> getUserByOAuthId(String oAuthId);
 
     BiUserEntity fetchOneById(UUID value);
 
     List<BiUserEntity> fetchByEmail(String... values);
 
-    List<BiUserEntity> fetchByOrcid(String... values);
+    List<BiUserEntity> fetchByOauthId(String... values);
 }