Merge pull request #185 from InseeFr/develop

Habilitations and refactor raw data save

Author: loichenninger

pom.xml

@@ -138,6 +138,12 @@
             <version>${cucumber.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.cucumber</groupId>
+            <artifactId>cucumber-spring</artifactId>
+            <version>${cucumber.version}</version>
+            <scope>test</scope>
+        </dependency>
 
 
         <dependency>

qodana.yaml

@@ -0,0 +1,31 @@
+#-------------------------------------------------------------------------------#
+#               Qodana analysis is configured by qodana.yaml file               #
+#             https://www.jetbrains.com/help/qodana/qodana-yaml.html            #
+#-------------------------------------------------------------------------------#
+version: "1.0"
+
+#Specify inspection profile for code analysis
+profile:
+  name: qodana.starter
+
+#Enable inspections
+#include:
+#  - name: <SomeEnabledInspectionId>
+
+#Disable inspections
+#exclude:
+#  - name: <SomeDisabledInspectionId>
+#    paths:
+#      - <path/where/not/run/inspection>
+
+projectJDK: 21 #(Applied in CI/CD pipeline)
+
+#Execute shell command before Qodana execution (Applied in CI/CD pipeline)
+#bootstrap: sh ./prepare-qodana.sh
+
+#Install IDE plugins before Qodana execution (Applied in CI/CD pipeline)
+#plugins:
+#  - id: <plugin.id> #(plugin id can be found at https://plugins.jetbrains.com)
+
+#Specify Qodana linter for analysis (Applied in CI/CD pipeline)
+linter: jetbrains/qodana-jvm-community:latest

src/main/java/fr/insee/genesis/Constants.java

@@ -10,11 +10,13 @@ public class Constants {
             "(^([0-9]|[0-2][0-9]|3[0-1])[\\-\\/]([0-9]|1[0-2]|0[1-9])[\\-\\/]([0-9]{4})$)";
     public static final String FILTER_RESULT_PREFIX = "FILTER_RESULT_";
     public static final String MISSING_SUFFIX = "_MISSING";
+    public static final String MONGODB_LUNATIC_RAWDATA_COLLECTION_NAME = "lunaticjsondata";
     private static final String[] ENO_VARIABLES = {"COMMENT_QE","COMMENT_UE","HEURE_REMPL","MIN_REMPL"};
 
     public static final String MONGODB_SCHEDULE_COLLECTION_NAME = "schedules";
     public static final String LOOP_NAME_PREFIX = "BOUCLE";
     public static final String MONGODB_RESPONSE_COLLECTION_NAME = "responses";
+    public static final String MONGODB_VARIABLETYPE_COLLECTION_NAME = "variabletypes";
     public static final String VOLUMETRY_FOLDER_NAME = "genesis_volumetries";
     public static final String VOLUMETRY_FILE_SUFFIX = "_VOLUMETRY";
     public static final String VOLUMETRY_FILE_DATE_FORMAT = "yyyy_MM_dd";

src/main/java/fr/insee/genesis/configuration/Config.java

@@ -2,12 +2,14 @@
 
 import lombok.Getter;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.cache.annotation.EnableCaching;
 import org.springframework.context.annotation.Configuration;
 
 import java.nio.file.Path;
 
 @Configuration
 @Getter
+@EnableCaching
 public class Config {
 
 	/******************************************************/

src/main/java/fr/insee/genesis/configuration/auth/security/ApplicationRole.java

@@ -0,0 +1,10 @@
+package fr.insee.genesis.configuration.auth.security;
+
+public enum ApplicationRole {
+    ADMIN,
+    USER_KRAFTWERK,
+    USER_PLATINE,
+    COLLECT_PLATFORM,
+    READER
+}
+

src/main/java/fr/insee/genesis/configuration/auth/security/OIDCSecurityConfig.java

@@ -1,48 +1,120 @@
 package fr.insee.genesis.configuration.auth.security;
 
-import fr.insee.genesis.configuration.Config;
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
+import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+
 @Configuration
 @EnableWebSecurity
+@EnableMethodSecurity(prePostEnabled = true)
 @Slf4j
 @ConditionalOnProperty(name = "fr.insee.genesis.authentication", havingValue = "OIDC")
+@ConfigurationProperties(prefix = "fr.insee.genesis.security")
+@RequiredArgsConstructor
 public class OIDCSecurityConfig {
 
-    Config config;
-    @Autowired
-    public OIDCSecurityConfig(Config config) {
-        this.config = config;
-    }
+    @Getter
+    @Setter
+    private String[] whitelistMatchers;
+    private static final String ROLE_PREFIX = "ROLE_";
+    private final RoleConfiguration roleConfiguration;
+    private final SecurityTokenProperties inseeSecurityTokenProperties;
 
-        @Bean
-        public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
-            http
-                    .csrf(AbstractHttpConfigurer::disable)
-                    .sessionManagement(sess -> sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
-            for (var pattern : config.getWhiteList()) {
-                http.authorizeHttpRequests(authorize ->
-                        authorize
-                                .requestMatchers(AntPathRequestMatcher.antMatcher(pattern)).permitAll()
-                );
-            }
-            http
-                    .authorizeHttpRequests(configurer -> configurer
-                            .anyRequest().authenticated()
-                    )
-                    .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
-            return http.build();
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        http
+                .csrf(AbstractHttpConfigurer::disable)
+                .sessionManagement(sess -> sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
+        for (var pattern : whitelistMatchers) {
+            http.authorizeHttpRequests(authorize ->
+                    authorize
+                            .requestMatchers(AntPathRequestMatcher.antMatcher(pattern)).permitAll()
+            );
         }
+        http
+                .authorizeHttpRequests(configurer -> configurer
+                        .requestMatchers(HttpMethod.GET,"/questionnaires/**").hasRole(String.valueOf(ApplicationRole.READER))
+                        .requestMatchers(HttpMethod.GET,"/modes/**").hasRole(String.valueOf(ApplicationRole.READER))
+                        .requestMatchers(HttpMethod.GET,"/interrogations/**").hasRole(String.valueOf(ApplicationRole.READER))
+                        .requestMatchers(HttpMethod.GET,"/campaigns/**").hasRole(String.valueOf(ApplicationRole.READER))
+                        .anyRequest().authenticated()
+                )
+                .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
+        return http.build();
+    }
+
+    @Bean
+    JwtAuthenticationConverter jwtAuthenticationConverter() {
+        JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
+        jwtAuthenticationConverter.setPrincipalClaimName(inseeSecurityTokenProperties.getOidcClaimUsername());
+        jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(jwtGrantedAuthoritiesConverter());
+        return jwtAuthenticationConverter;
+    }
 
+
+    Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter() {
+        return new Converter<Jwt, Collection<GrantedAuthority>>() {
+            @Override
+            @SuppressWarnings({"unchecked"})
+            public Collection<GrantedAuthority> convert(Jwt source) {
+
+                String[] claimPath = inseeSecurityTokenProperties.getOidcClaimRole().split("\\.");
+                Map<String, Object> claims = source.getClaims();
+                try {
+                    for (int i = 0; i < claimPath.length - 1; i++) {
+                        claims = (Map<String, Object>) claims.get(claimPath[i]);
+                    }
+                    if (claims != null) {
+                        List<String> tokenClaims = (List<String>) claims.getOrDefault(claimPath[claimPath.length - 1], List.of());
+                        // Collect distinct values from mapping associated with input keys
+                        List<String> claimedRoles = tokenClaims.stream()
+                                .filter(roleConfiguration.getRolesByClaim()::containsKey) // Ensure the key exists in the mapping
+                                .flatMap(key -> roleConfiguration.getRolesByClaim().get(key).stream()) // Get the list of values associated with the key
+                                .distinct() // Remove duplicates
+                                .toList();
+
+                        return Collections.unmodifiableCollection(claimedRoles.stream().map(s -> new GrantedAuthority() {
+                            @Override
+                            public String getAuthority() {
+                                return ROLE_PREFIX + s;
+                            }
+
+                            @Override
+                            public String toString() {
+                                return getAuthority();
+                            }
+                        }).toList());
+                    }
+                } catch (ClassCastException e) {
+                    // role path not correctly found, assume that no role for this user
+                    return List.of();
+                }
+                return List.of();
+            }
+        };
+    }
 }

src/main/java/fr/insee/genesis/configuration/auth/security/RoleConfiguration.java

@@ -0,0 +1,97 @@
+package fr.insee.genesis.configuration.auth.security;
+
+import jakarta.annotation.PostConstruct;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler;
+import org.springframework.security.access.expression.method.MethodSecurityExpressionHandler;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
+import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+@Configuration
+@Slf4j
+public class RoleConfiguration {
+
+    //Mapping des claims du jeton sur les roles applicatifs
+    @Value("#{'${app.role.admin.claims}'.split(',')}")
+    private List<String> adminClaims;
+    @Value("#{'${app.role.user-kraftwerk.claims}'.split(',')}")
+    private List<String> userKraftwerkClaims;
+    @Value("#{'${app.role.user-platine.claims}'.split(',')}")
+    private List<String> userPlatineClaims;
+    @Value("#{'${app.role.reader.claims}'.split(',')}")
+    private List<String> readerClaims;
+    @Value("#{'${app.role.collect-platform.claims}'.split(',')}")
+    private List<String> collectPlatformClaims;
+
+    public Map<String, List<String>> getRolesByClaim() {
+        return rolesByClaim;
+    }
+
+    private Map<String, List<String>> rolesByClaim;
+
+    //Defines a role hierarchy
+    //ADMIN implies USER   role too
+    //USER  implies READER role too
+    //so an admin has 2 roles: ADMIN/USER
+    @Bean
+    static RoleHierarchy roleHierarchy() {
+        return RoleHierarchyImpl.withDefaultRolePrefix()
+                .role(ApplicationRole.ADMIN.toString()).implies(ApplicationRole.USER_KRAFTWERK.toString())
+                .role(ApplicationRole.ADMIN.toString()).implies(ApplicationRole.USER_PLATINE.toString())
+                .role(ApplicationRole.ADMIN.toString()).implies(ApplicationRole.COLLECT_PLATFORM.toString())
+                .role(ApplicationRole.USER_KRAFTWERK.toString()).implies(ApplicationRole.READER.toString())
+                .role(ApplicationRole.USER_PLATINE.toString()).implies(ApplicationRole.READER.toString())
+                .build();
+    }
+
+    // and, if using pre-post method security also add
+    @Bean
+    static MethodSecurityExpressionHandler methodSecurityExpressionHandler(RoleHierarchy roleHierarchy) {
+        DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
+        expressionHandler.setRoleHierarchy(roleHierarchy);
+        return expressionHandler;
+    }
+
+    @PostConstruct
+    public void initialization() {
+
+        rolesByClaim = new HashMap<>();
+
+        // Ajout des claims pour le rôle ADMIN
+        adminClaims.forEach(claim -> rolesByClaim
+                .computeIfAbsent(claim, k -> new ArrayList<>())
+                .add(String.valueOf(ApplicationRole.ADMIN)));
+
+        // Ajout des claims pour le rôle USER_KRAFTWERK
+        userKraftwerkClaims.forEach(claim -> rolesByClaim
+                .computeIfAbsent(claim, k -> new ArrayList<>())
+                .add(String.valueOf(ApplicationRole.USER_KRAFTWERK)));
+
+        // Ajout des claims pour le rôle USER_PLATINE
+        userPlatineClaims.forEach(claim -> rolesByClaim
+                .computeIfAbsent(claim, k -> new ArrayList<>())
+                .add(String.valueOf(ApplicationRole.USER_PLATINE)));
+
+        // Ajout des claims pour le rôle COLLECT_PLATFORM
+        collectPlatformClaims.forEach(claim -> rolesByClaim
+                .computeIfAbsent(claim, k -> new ArrayList<>())
+                .add(String.valueOf(ApplicationRole.COLLECT_PLATFORM)));
+
+        // Ajout des claims pour le rôle READER
+        readerClaims.forEach(claim -> rolesByClaim
+                .computeIfAbsent(claim, k -> new ArrayList<>())
+                .add(String.valueOf(ApplicationRole.READER)));
+
+
+        log.info("Roles configuration : {}", rolesByClaim);
+    }
+
+}

src/main/java/fr/insee/genesis/configuration/auth/security/SecurityTokenProperties.java

@@ -0,0 +1,19 @@
+package fr.insee.genesis.configuration.auth.security;
+
+import lombok.Data;
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+@ConfigurationProperties(
+        prefix = "fr.insee.genesis.security.token"
+)
+@Data
+public class SecurityTokenProperties {
+
+    //Chemin pour récupérer la liste des rôles dans le jwt (token)
+    private String oidcClaimRole;
+    //Chemin pour récupérer le username dans le jwt (token)
+    private String oidcClaimUsername;
+
+}

src/main/java/fr/insee/genesis/controller/dto/rawdata/LunaticJsonRawDataUnprocessedDto.java

@@ -0,0 +1,6 @@
+package fr.insee.genesis.controller.dto.rawdata;
+
+import lombok.Builder;
+
+@Builder
+public record LunaticJsonRawDataUnprocessedDto(String campaignId, String interrogationId){}