#4941 - Mapping OIDC groups to INCEpTION's internal roles

.gitattributes

@@ -19,6 +19,9 @@
 *.dump binary
 *.xcas binary
 *.xmi binary
+*.gif binary
+*.pptx binary
+*.zip binary
 #  next is probably the default
 *.pdf binary
 *.ser binary

inception/inception-app-webapp/src/test/java/de/tudarmstadt/ukp/inception/db/InceptionHsqldbIntegrationTest.java

@@ -26,10 +26,13 @@
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.extension.ExtendWith;
 import org.junit.jupiter.api.io.TempDir;
 import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.DynamicPropertyRegistry;
 import org.springframework.test.context.DynamicPropertySource;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
 import org.springframework.util.FileSystemUtils;
 
 class InceptionHsqldbIntegrationTest
@@ -55,6 +58,8 @@ static void tearDownClass()
     }
 
     @Nested
+    @ContextConfiguration
+    @ExtendWith(SpringExtension.class)
     class SpringApplcationContext
         extends InceptionIntegrationTest_ImplBase
     {
@@ -66,9 +71,11 @@ static void configureProperties(DynamicPropertyRegistry registry)
                 // a non-temporary folder on Windows because open files cannot be deleted.
                 STATIC_TEST_FOLDER.mkdirs();
                 registry.add("inception.home", () -> STATIC_TEST_FOLDER);
+
             }
             else {
                 registry.add("inception.home", () -> tempDir.toString());
+
             }
         }
 

inception/inception-security/src/main/java/de/tudarmstadt/ukp/inception/security/oauth/OAuth2AdapterImpl.java

@@ -55,7 +55,6 @@
 import de.tudarmstadt.ukp.clarin.webanno.security.OverridableUserDetailsManager;
 import de.tudarmstadt.ukp.clarin.webanno.security.UserDao;
 import de.tudarmstadt.ukp.clarin.webanno.security.model.User;
-import de.tudarmstadt.ukp.clarin.webanno.security.preauth.PreAuthUtils;
 
 public class OAuth2AdapterImpl
     implements OAuth2Adapter
@@ -148,6 +147,10 @@ private User fetchOrMaterializeUser(OAuth2UserRequest userRequest, OAuth2User us
         if (u != null) {
             denyAccessToDeactivatedUsers(u);
             denyAccessOfRealmsDoNotMatch(realm, u);
+
+            u.setRoles(OAuth2Utils.getOAuth2UserRoles(u, user));
+            userRepository.update(u);
+
             return u;
         }
 
@@ -161,7 +164,8 @@ private User materializeUser(OAuth2User user, String username, String realm)
         u.setPassword(UserDao.EMPTY_PASSWORD);
         u.setEnabled(true);
         u.setRealm(realm);
-        u.setRoles(PreAuthUtils.getPreAuthenticationNewUserRoles(u));
+
+        u.setRoles(OAuth2Utils.getOAuth2UserRoles(u, user));
 
         String email = user.getAttribute("email");
         if (email != null) {

inception/inception-security/src/main/java/de/tudarmstadt/ukp/inception/security/oauth/OAuth2Utils.java

@@ -0,0 +1,128 @@
+/*
+ * Licensed to the Technische Universität Darmstadt under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The Technische Universität Darmstadt
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.tudarmstadt.ukp.inception.security.oauth;
+
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import org.apache.commons.lang3.StringUtils;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.oauth2.core.user.OAuth2User;
+
+import de.tudarmstadt.ukp.clarin.webanno.security.model.Role;
+import de.tudarmstadt.ukp.clarin.webanno.security.model.User;
+
+@Configuration
+@ConfigurationProperties(prefix = "security.oauth.roles")
+public class OAuth2Utils {
+
+    private static boolean OAUTH2_ROLES_ENABLED;
+    private static String OAUTH2_ROLES_CLAIM;
+    private static String OAUTH2_ADMIN_ROLE;
+    private static String OAUTH2_USER_ROLE;
+    private static String OAUTH2_PROJECT_CREATOR_ROLE;
+    private static String OAUTH2_REMOTE_ROLE;
+
+    @Value("${security.oauth.roles.enabled:false}")
+    public void setOAuth2RolesEnabled(boolean oAuth2RolesEnabled)
+    {
+        OAUTH2_ROLES_ENABLED = oAuth2RolesEnabled;
+    }
+
+    @Value("${security.oauth.roles.claim:groups}")
+    public void setOAuth2RolesClaim(String oAuth2RolesClaim)
+    {
+        OAUTH2_ROLES_CLAIM = oAuth2RolesClaim;
+    }
+
+    @Value("${security.oauth.roles.admin:}")
+    public void setAdminRole(String adminRole)
+    {
+        OAUTH2_ADMIN_ROLE = adminRole;
+    }
+
+    @Value("${security.oauth.roles.user:}")
+    public void setUserRole(String userRole)
+    {
+        OAUTH2_USER_ROLE = userRole;
+    }
+
+    @Value("${security.oauth.roles.project-creator:}")
+    public void setProjectCreatorRole(String projectCreatorRole)
+    {
+        OAUTH2_PROJECT_CREATOR_ROLE = projectCreatorRole;
+    }
+
+    @Value("${security.oauth.roles.remote:}")
+    public void setRemoteRole(String remoteRole)
+    {
+        OAUTH2_REMOTE_ROLE = remoteRole;
+    }
+
+
+    public static Set<Role> getOAuth2UserRoles(User aUser, OAuth2User user)
+        throws AccessDeniedException
+    {
+        Set<Role> roles = new HashSet<>();
+
+        if (!OAUTH2_ROLES_ENABLED) {
+            roles.add(Role.ROLE_USER);
+            return roles;
+        }
+
+        List<String> oauth2groups = user.getAttribute(OAUTH2_ROLES_CLAIM);
+
+        if (oauth2groups == null || oauth2groups.isEmpty()) {
+            throw new AccessDeniedException("OAuth2 roles mapping is enabled, but user ["
+                + aUser.getUsername() + "] doesn't have any roles, or the corresponding claim is empty");
+        }
+
+        oauth2groups.forEach(group -> matchOauth2groupToRole(group, roles));
+
+        if (roles.isEmpty()) {
+            throw new AccessDeniedException("User ["
+                + aUser.getUsername() + "] doesn't belong to any role");
+        }
+
+        return roles;
+    }
+
+    private static void matchOauth2groupToRole(String oauth2group, Set<Role> userRoles) {
+
+        if (StringUtils.equals(oauth2group, OAUTH2_ADMIN_ROLE)) {
+            userRoles.add(Role.ROLE_ADMIN);
+        }
+
+        if (StringUtils.equals(oauth2group, OAUTH2_USER_ROLE)) {
+            userRoles.add(Role.ROLE_USER);
+        }
+
+        if (StringUtils.equals(oauth2group, OAUTH2_PROJECT_CREATOR_ROLE)) {
+            userRoles.add(Role.ROLE_PROJECT_CREATOR);
+        }
+
+        if (StringUtils.equals(oauth2group, OAUTH2_REMOTE_ROLE)) {
+            userRoles.add(Role.ROLE_REMOTE);
+        }
+    }
+}

inception/inception-security/src/test/java/de/tudarmstadt/ukp/inception/security/oauth/OAuth2UtilsTest.java

@@ -0,0 +1,139 @@
+/*
+ * Licensed to the Technische Universität Darmstadt under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The Technische Universität Darmstadt
+ * licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.tudarmstadt.ukp.inception.security.oauth;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import java.util.ArrayList;
+import java.util.Set;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.oauth2.core.user.OAuth2User;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.annotation.DirtiesContext.ClassMode;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.TestPropertySource;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+
+import de.tudarmstadt.ukp.clarin.webanno.security.model.Role;
+import de.tudarmstadt.ukp.clarin.webanno.security.model.User;
+
+
+@ExtendWith(SpringExtension.class)
+@ContextConfiguration(classes = OAuth2Utils.class)
+@DirtiesContext(classMode = ClassMode.AFTER_CLASS)
+@TestPropertySource(
+        properties = """
+            security.oauth.roles.enabled=true
+            security.oauth.roles.claim=groups
+            security.oauth.roles.admin=/INCEPTION_ADMIN
+            security.oauth.roles.user=/INCEPTION_USER
+            security.oauth.roles.project-creator=/INCEPTION_PROJECT_CREATOR
+            security.oauth.roles.remote=/INCEPTION_REMOTE
+        """)
+public class OAuth2UtilsTest
+{
+
+    String USERNAME = "ThatGuy";
+    String OAUTH2_GROUP_USER = "/INCEPTION_USER";
+    String OAUTH2_GROUP_PROJECT_CREATOR = "/INCEPTION_PROJECT_CREATOR";
+    String OAUTH2_GROUP_ADMIN = "/INCEPTION_ADMIN";
+    String OAUTH2_GROUP_REMOTE = "/INCEPTION_REMOTE";
+
+    User testUser;
+    OAuth2User testRetievedOAuth2User;
+
+    @BeforeEach
+    void setup() {
+      testUser = new User();
+      testUser.setUsername(USERNAME);
+
+      testRetievedOAuth2User = mock(OAuth2User.class);
+    }
+
+    @Test
+    void thatAdminRoleIsGivenIfMatchingGroupFound()
+    {
+        ArrayList<String> userOAuth2Groups = new ArrayList<>();
+        userOAuth2Groups.add(OAUTH2_GROUP_ADMIN);
+        when(testRetievedOAuth2User.getAttribute(anyString())).thenReturn(userOAuth2Groups);
+
+        Set<Role> userRoles = OAuth2Utils.getOAuth2UserRoles(testUser, testRetievedOAuth2User);
+
+        assertTrue(userRoles.contains(Role.ROLE_ADMIN));
+    }
+
+    @Test
+    void thatUserRoleIsGivenIfMatchingGroupFound()
+    {
+        ArrayList<String> userOAuth2Groups = new ArrayList<>();
+        userOAuth2Groups.add(OAUTH2_GROUP_USER);
+        when(testRetievedOAuth2User.getAttribute(anyString())).thenReturn(userOAuth2Groups);
+
+        Set<Role> userRoles = OAuth2Utils.getOAuth2UserRoles(testUser, testRetievedOAuth2User);
+
+        assertTrue(userRoles.contains(Role.ROLE_USER));
+    }
+
+    @Test
+    void thatProjectCreatorRoleIsGivenIfMatchingGroupFound()
+    {
+        ArrayList<String> userOAuth2Groups = new ArrayList<>();
+        userOAuth2Groups.add(OAUTH2_GROUP_PROJECT_CREATOR);
+        when(testRetievedOAuth2User.getAttribute(anyString())).thenReturn(userOAuth2Groups);
+
+        Set<Role> userRoles = OAuth2Utils.getOAuth2UserRoles(testUser, testRetievedOAuth2User);        
+        assertTrue(userRoles.contains(Role.ROLE_PROJECT_CREATOR));
+    }
+
+    @Test
+    void thatRemoteRoleIsGivenIfMatchingGroupFound()
+    {
+        ArrayList<String> userOAuth2Groups = new ArrayList<>();
+        userOAuth2Groups.add(OAUTH2_GROUP_REMOTE);
+        when(testRetievedOAuth2User.getAttribute(anyString())).thenReturn(userOAuth2Groups);
+
+        Set<Role> userRoles = OAuth2Utils.getOAuth2UserRoles(testUser, testRetievedOAuth2User);
+
+        assertTrue(userRoles.contains(Role.ROLE_REMOTE));
+    }
+
+    @Test
+    void thatUnauthorizedExceptionIsThrownIfNoRoleIsMapped() {
+
+        ArrayList<String> userOAuth2Groups = new ArrayList<>();
+        when(testRetievedOAuth2User.getAttribute(anyString())).thenReturn(userOAuth2Groups);
+
+        try {
+            OAuth2Utils.getOAuth2UserRoles(testUser, testRetievedOAuth2User);
+        } catch (AccessDeniedException ade) {
+            System.out.println(ade.getClass().getSimpleName() + " was thrown");
+            return;
+        }
+
+        fail("Expected Exception wasn't catched");
+    }
+}