Update to Tailormap 12.2.1 session serialization format where user/group properties are always saved in the principal (whether username/password or OIDC)

Author: matthijsln

src/main/java/nl/b3p/planmonitorwonen/api/security/PlanmonitorAuthenticationService.java

@@ -9,22 +9,10 @@
 import static org.springframework.http.HttpStatus.FORBIDDEN;
 import static org.springframework.http.HttpStatus.UNAUTHORIZED;
 
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import java.util.Collections;
-import java.util.List;
-import java.util.Map;
 import java.util.Set;
-import java.util.function.Function;
 import java.util.stream.Collectors;
-import java.util.stream.Stream;
-import org.postgresql.util.PGobject;
-import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.context.annotation.Profile;
-import org.springframework.jdbc.core.simple.JdbcClient;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Service;
 import org.springframework.web.server.ResponseStatusException;
@@ -36,70 +24,31 @@ public class PlanmonitorAuthenticationService {
   public record PlanmonitorAuthentication(
       Authentication authentication, boolean isProvincie, Set<String> gemeentes) {}
 
-  private final JdbcClient jdbcClient;
-  private final ObjectMapper objectMapper = new ObjectMapper();
-
-  public PlanmonitorAuthenticationService(@Qualifier("tailormapJdbcClient") JdbcClient jdbcClient) {
-    this.jdbcClient = jdbcClient;
-  }
-
   public PlanmonitorAuthentication getFromSecurityContext() throws ResponseStatusException {
     final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
     if (authentication == null) {
       throw new ResponseStatusException(UNAUTHORIZED);
     }
 
-    Map<String, Set<TailormapUserDetails.UDAdditionalProperty>> groupProperties = getGroupProperties();
+    if (authentication.getPrincipal() instanceof TailormapUserDetails userDetails) {
+      // these keys have been registered in the TM API, see:
+      // https://github.com/Tailormap/tailormap-api/blob/main/src/main/java/org/tailormap/api/persistence/helper/AdminAdditionalPropertyHelper.java#L18-L24
 
-    // these keys have been registered in the TM API, see:
-    // https://github.com/Tailormap/tailormap-api/blob/d4be62bc4d1bf8ed8cdb52f0887590f1fed337f0/src/main/java/org/tailormap/api/persistence/helper/AdminAdditionalPropertyHelper.java#L18-L24
-    boolean isProvincie = groupProperties.getOrDefault("typeGebruiker", Collections.emptySet()).stream()
-        .map(TailormapUserDetails.UDAdditionalProperty::value)
-        .anyMatch("provincie"::equals);
+      boolean isProvincie =
+          userDetails.streamAllPropertiesForKey("typeGebruiker").anyMatch("provincie"::equals);
 
-    Set<String> gemeentes = groupProperties.getOrDefault("gemeente", Collections.emptySet()).stream()
-        .map(TailormapUserDetails.UDAdditionalProperty::value)
-        .map(Object::toString)
-        .collect(Collectors.toSet());
+      Set<String> gemeentes = userDetails
+          .streamAllPropertiesForKey("gemeente")
+          .map(Object::toString)
+          .collect(Collectors.toSet());
+      PlanmonitorAuthentication result = new PlanmonitorAuthentication(authentication, isProvincie, gemeentes);
 
-    PlanmonitorAuthentication result = new PlanmonitorAuthentication(authentication, isProvincie, gemeentes);
-
-    if (!result.isProvincie && result.gemeentes.isEmpty()) {
+      if (!result.isProvincie && result.gemeentes.isEmpty()) {
+        throw new ResponseStatusException(FORBIDDEN);
+      }
+      return result;
+    } else {
       throw new ResponseStatusException(FORBIDDEN);
     }
-
-    return result;
-  }
-
-  public Map<String, Set<TailormapUserDetails.UDAdditionalProperty>> getGroupProperties()
-      throws AuthenticationException {
-    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-
-    Function<Object, TailormapUserDetails.UDAdditionalProperty[]> converter = (Object o) -> {
-      try {
-        return objectMapper.readValue(
-            ((PGobject) o).getValue(), TailormapUserDetails.UDAdditionalProperty[].class);
-      } catch (JsonProcessingException e) {
-        throw new RuntimeException(e);
-      }
-    };
-
-    List<TailormapUserDetails.UDAdditionalProperty> properties = jdbcClient
-        .sql(
-            "select additional_properties from groups where name in (:names) and additional_properties is not null")
-        .params(Collections.singletonMap(
-            "names",
-            authentication.getAuthorities().stream()
-                .map(GrantedAuthority::getAuthority)
-                .toList()))
-        .query()
-        .singleColumn()
-        .stream()
-        .map(converter)
-        .flatMap(Stream::of)
-        .toList();
-
-    return properties.stream()
-        .collect(Collectors.groupingBy(TailormapUserDetails.UDAdditionalProperty::key, Collectors.toSet()));
   }
 }

src/main/java/org/tailormap/api/security/TailormapAdditionalProperty.java

@@ -0,0 +1,11 @@
+/*
+ * Copyright (C) 2025 B3Partners B.V.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+package org.tailormap.api.security;
+
+import java.io.Serializable;
+
+public record TailormapAdditionalProperty(String key, Boolean isPublic, Object value) implements Serializable {}

src/main/java/org/tailormap/api/security/TailormapOidcUser.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2025 B3Partners B.V.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+
+package org.tailormap.api.security;
+
+import java.io.Serial;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.core.oidc.OidcIdToken;
+import org.springframework.security.oauth2.core.oidc.OidcUserInfo;
+import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
+
+public class TailormapOidcUser extends DefaultOidcUser implements TailormapUserDetails {
+  @Serial
+  private static final long serialVersionUID = 1L;
+
+  private final Collection<TailormapAdditionalProperty> additionalGroupProperties;
+
+  public TailormapOidcUser(
+      Collection<? extends GrantedAuthority> authorities,
+      OidcIdToken idToken,
+      OidcUserInfo userInfo,
+      String nameAttributeKey,
+      Collection<TailormapAdditionalProperty> additionalGroupProperties) {
+    super(authorities, idToken, userInfo, nameAttributeKey);
+    this.additionalGroupProperties = Collections.unmodifiableCollection(additionalGroupProperties);
+  }
+
+  @Override
+  public Collection<TailormapAdditionalProperty> getAdditionalProperties() {
+    return List.of();
+  }
+
+  @Override
+  public Collection<TailormapAdditionalProperty> getAdditionalGroupProperties() {
+    return additionalGroupProperties;
+  }
+
+  @Override
+  public String getPassword() {
+    return null;
+  }
+
+  @Override
+  public String getUsername() {
+    return super.getName();
+  }
+}

src/main/java/org/tailormap/api/security/TailormapUserDetails.java

@@ -1,66 +1,36 @@
 /*
- * Copyright (C) 2024 Provincie Zeeland
+ * Copyright (C) 2025 B3Partners B.V.
  *
  * SPDX-License-Identifier: MIT
  */
 
 package org.tailormap.api.security;
 
-import java.io.Serial;
 import java.io.Serializable;
-import java.time.ZoneId;
-import java.time.ZonedDateTime;
-import java.util.ArrayList;
 import java.util.Collection;
-import java.util.List;
-import org.springframework.security.core.GrantedAuthority;
+import java.util.stream.Stream;
 import org.springframework.security.core.userdetails.UserDetails;
 
-public class TailormapUserDetails implements UserDetails {
-  public record UDAdditionalProperty(String key, Boolean isPublic, Object value) implements Serializable {}
+public interface TailormapUserDetails extends Serializable, UserDetails {
 
-  @Serial
-  private static final long serialVersionUID = 2L;
+  Collection<TailormapAdditionalProperty> getAdditionalProperties();
 
-  public Collection<GrantedAuthority> authorities;
-  public String username;
-  public String password;
-  public ZonedDateTime validUntil;
-  public boolean enabled;
+  Collection<TailormapAdditionalProperty> getAdditionalGroupProperties();
 
-  private final List<UDAdditionalProperty> additionalProperties = new ArrayList<>();
-  private final List<UDAdditionalProperty> additionalGroupProperties = new ArrayList<>();
-
-  @Override
-  public Collection<? extends GrantedAuthority> getAuthorities() {
-    return authorities;
-  }
-
-  @Override
-  public String getPassword() {
-    return password;
-  }
-
-  @Override
-  public String getUsername() {
-    return username;
-  }
-
-  @Override
-  public boolean isAccountNonExpired() {
-    return validUntil == null || validUntil.isAfter(ZonedDateTime.now(ZoneId.systemDefault()));
-  }
-
-  @Override
-  public boolean isEnabled() {
-    return enabled;
-  }
-
-  public List<UDAdditionalProperty> getAdditionalProperties() {
-    return additionalProperties;
+  /**
+   * Returns true if any user or group Boolean property with the given key is true. If beside a true value, there are
+   * also properties with the same key but with any other value than true, the true value has precedence.
+   *
+   * @param key the key to look for
+   * @return true if a Boolean property with the key is present with a true value
+   */
+  default boolean hasTruePropertyForKey(String key) {
+    return streamAllPropertiesForKey(key).anyMatch(Boolean.TRUE::equals);
   }
 
-  public List<UDAdditionalProperty> getAdditionalGroupProperties() {
-    return additionalGroupProperties;
+  default Stream<Object> streamAllPropertiesForKey(String key) {
+    return Stream.concat(getAdditionalProperties().stream(), getAdditionalGroupProperties().stream())
+        .filter(p -> p.key().equals(key))
+        .map(TailormapAdditionalProperty::value);
   }
 }

src/main/java/org/tailormap/api/security/TailormapUserDetailsImpl.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2022 B3Partners B.V.
+ *
+ * SPDX-License-Identifier: MIT
+ */
+package org.tailormap.api.security;
+
+import java.io.Serial;
+import java.time.ZoneId;
+import java.time.ZonedDateTime;
+import java.util.ArrayList;
+import java.util.Collection;
+import org.springframework.security.core.GrantedAuthority;
+
+class TailormapUserDetailsImpl implements TailormapUserDetails {
+
+  @Serial
+  private static final long serialVersionUID = 1L;
+
+  private Collection<GrantedAuthority> authorities;
+  private String username;
+  private String password;
+  private ZonedDateTime validUntil;
+  private boolean enabled;
+
+  private final Collection<TailormapAdditionalProperty> additionalProperties = new ArrayList<>();
+  private final Collection<TailormapAdditionalProperty> additionalGroupProperties = new ArrayList<>();
+
+  @Override
+  public Collection<? extends GrantedAuthority> getAuthorities() {
+    return authorities;
+  }
+
+  @Override
+  public String getPassword() {
+    return password;
+  }
+
+  @Override
+  public String getUsername() {
+    return username;
+  }
+
+  @Override
+  public boolean isAccountNonExpired() {
+    return validUntil == null || validUntil.isAfter(ZonedDateTime.now(ZoneId.systemDefault()));
+  }
+
+  @Override
+  public boolean isEnabled() {
+    return enabled;
+  }
+
+  @Override
+  public Collection<TailormapAdditionalProperty> getAdditionalProperties() {
+    return additionalProperties;
+  }
+
+  @Override
+  public Collection<TailormapAdditionalProperty> getAdditionalGroupProperties() {
+    return additionalGroupProperties;
+  }
+}