Merge branch 'main' into devBackOfficeUserAuth

Author: alexisszmundy

src/main/java/fr/insee/genesis/configuration/auth/security/ApplicationRole.java

@@ -8,5 +8,6 @@ public enum ApplicationRole {
     SCHEDULER,
     READER,
     USER_BACK_OFFICE
+    USER_BATCH_GENERIC
 }
 

src/main/java/fr/insee/genesis/configuration/auth/security/OIDCSecurityConfig.java

@@ -4,26 +4,31 @@
 import lombok.RequiredArgsConstructor;
 import lombok.Setter;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.http.HttpMethod;
-import org.springframework.security.config.Customizer;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider;
+import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerAuthenticationManagerResolver;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
 import java.util.Collection;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 
@@ -43,29 +48,36 @@ public class OIDCSecurityConfig {
     private final RoleConfiguration roleConfiguration;
     private final SecurityTokenProperties inseeSecurityTokenProperties;
 
+    @Value("${fr.insee.genesis.security.resourceserver.jwt.issuer-uri}")
+    String issuerUri;
+
+    @Value("${fr.insee.genesis.security.resourceserver.dmz.jwt.issuer-uri}")
+    String issuerUriDmz;
+
     @Bean
-    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http, JwtIssuerAuthenticationManagerResolver authenticationManagerResolver) throws Exception {
         http
                 .csrf(AbstractHttpConfigurer::disable)
-                .sessionManagement(sess -> sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
-        for (var pattern : whitelistMatchers) {
-            http.authorizeHttpRequests(authorize ->
-                    authorize
-                            .requestMatchers(AntPathRequestMatcher.antMatcher(pattern)).permitAll()
-            );
-        }
-        http
-                .authorizeHttpRequests(configure -> configure
+                .sessionManagement(sess -> sess.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .authorizeHttpRequests(authorize -> authorize
+                        // Whitelisted paths sans auth
+                        .requestMatchers(whitelistMatchers).permitAll()
+
+                        // Secured reader-access paths
                         .requestMatchers(HttpMethod.GET,"/questionnaires/**").hasRole(String.valueOf(ApplicationRole.READER))
                         .requestMatchers(HttpMethod.GET,"/modes/**").hasRole(String.valueOf(ApplicationRole.READER))
                         .requestMatchers(HttpMethod.GET,"/interrogations/**").hasRole(String.valueOf(ApplicationRole.READER))
                         .requestMatchers(HttpMethod.GET,"/campaigns/**").hasRole(String.valueOf(ApplicationRole.READER))
+
+                        //All others require authentication
                         .anyRequest().authenticated()
                 )
-                .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
+                .oauth2ResourceServer(
+                    oauth2 -> oauth2.authenticationManagerResolver(authenticationManagerResolver));
         return http.build();
     }
 
+
     @Bean
     JwtAuthenticationConverter jwtAuthenticationConverter() {
         JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
@@ -75,6 +87,26 @@ JwtAuthenticationConverter jwtAuthenticationConverter() {
     }
 
 
+
+    @Bean
+    public JwtIssuerAuthenticationManagerResolver authenticationManagerResolver() {
+        final List<String> issuers = List.of(issuerUri,issuerUriDmz);
+        Map<String, AuthenticationManager> authenticationManagers = new HashMap<>();
+
+        for (String issuer : issuers) {
+            NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder
+                    .withJwkSetUri(issuer + "/protocol/openid-connect/certs")
+                    .build();
+
+            JwtAuthenticationProvider provider = new JwtAuthenticationProvider(jwtDecoder);
+            provider.setJwtAuthenticationConverter(jwtAuthenticationConverter());
+
+            AuthenticationManager manager = new ProviderManager(provider);
+            authenticationManagers.put(issuer, manager);
+        }
+        return new JwtIssuerAuthenticationManagerResolver(authenticationManagers::get);
+    }
+
     Converter<Jwt, Collection<GrantedAuthority>> jwtGrantedAuthoritiesConverter() {
         return new Converter<Jwt, Collection<GrantedAuthority>>() {
             @Override

src/main/java/fr/insee/genesis/configuration/auth/security/RoleConfiguration.java

@@ -37,6 +37,10 @@ public class RoleConfiguration {
     @Value("#{'${app.role.scheduler.claims}'.split(',')}")
     private List<String> schedulerClaims;
 
+    @Value("#{'${app.role.batch-generic.claims}'.split(',')}")
+    private List<String> batchGenericClaims;
+
+
     public Map<String, List<String>> getRolesByClaim() {
         return rolesByClaim;
     }
@@ -56,6 +60,7 @@ static RoleHierarchy roleHierarchy() {
                 .role(ApplicationRole.ADMIN.toString()).implies(ApplicationRole.USER_BACK_OFFICE.toString())
                 .role(ApplicationRole.ADMIN.toString()).implies(ApplicationRole.COLLECT_PLATFORM.toString())
                 .role(ApplicationRole.ADMIN.toString()).implies(ApplicationRole.SCHEDULER.toString())
+                .role(ApplicationRole.ADMIN.toString()).implies(ApplicationRole.USER_BATCH_GENERIC.toString())
                 .role(ApplicationRole.USER_KRAFTWERK.toString()).implies(ApplicationRole.READER.toString())
                 .role(ApplicationRole.USER_PLATINE.toString()).implies(ApplicationRole.READER.toString())
                 .role(ApplicationRole.USER_BACK_OFFICE.toString()).implies(ApplicationRole.READER.toString())
@@ -110,6 +115,11 @@ public void initialization() {
                 .computeIfAbsent(claim, k -> new ArrayList<>())
                 .add(String.valueOf(ApplicationRole.SCHEDULER)));
 
+        //Add claims for the USER_BATCH_GENERIC role
+        batchGenericClaims.forEach(claim -> rolesByClaim
+                .computeIfAbsent(claim, k -> new ArrayList<>())
+                .add(String.valueOf(ApplicationRole.USER_BATCH_GENERIC)));
+
         log.info("Roles configuration : {}", rolesByClaim);
     }
 }

src/main/java/fr/insee/genesis/controller/rest/responses/RawResponseController.java

@@ -191,17 +191,18 @@ public ResponseEntity<Map<String, List<String>>> getProcessedDataIdsSinceHours(
         Map<String, List<String>> result = lunaticJsonRawDataApiPort.findProcessedIdsgroupedByQuestionnaireSince(LocalDateTime.now().minusHours(hours).minusMinutes(10));
         return ResponseEntity.ok(result);
     }
-    @Operation(summary = "Get lunatic JSON data from one campaign in Genesis Database, filtered by optional start and end dates")
+
+    @Operation(summary = "Get lunatic JSON data from one campaign in Genesis Database, filtered by start and end dates")
     @GetMapping(path = "/lunatic-json/{campaignId}")
-    @PreAuthorize("hasRole('USER_KRAFTWERK')")
+    @PreAuthorize("hasRole('USER_BATCH_GENERIC')")
     public ResponseEntity<PagedModel<LunaticJsonRawDataModel>> getRawResponsesFromJsonBody(
             @PathVariable String campaignId,
             @RequestParam(value = "startDate", required = false) @DateTimeFormat(iso = DateTimeFormat.ISO.DATE_TIME) Instant startDate,
             @RequestParam(value = "endDate", required = false) @DateTimeFormat(iso = DateTimeFormat.ISO.DATE_TIME) Instant endDate,
             @RequestParam(value = "page", defaultValue = "0") int page,
             @RequestParam(value = "size", defaultValue = "1000") int size
     ) {
-        log.info("Try to read raw JSONs for campaign {}, with startDate={} and endDate={}", campaignId, startDate, endDate);
+        log.info("Try to read raw JSONs for campaign {}, with startDate={} and endDate={} - page={} - size={}", campaignId, startDate, endDate,page,size);
         Pageable pageable = PageRequest.of(page, size);
         Page<LunaticJsonRawDataModel> rawResponses = lunaticJsonRawDataApiPort.findRawDataByCampaignIdAndDate(campaignId, startDate, endDate, pageable);
         log.info("rawResponses=" + rawResponses.getContent().size());

src/main/java/fr/insee/genesis/domain/service/surveyunit/SurveyUnitService.java

@@ -1,8 +1,8 @@
 package fr.insee.genesis.domain.service.surveyunit;
 
+import fr.insee.bpm.metadata.model.VariableType;
 import fr.insee.bpm.metadata.model.VariablesMap;
 import fr.insee.genesis.controller.dto.CampaignWithQuestionnaire;
-import fr.insee.genesis.domain.model.surveyunit.InterrogationId;
 import fr.insee.genesis.controller.dto.QuestionnaireWithCampaign;
 import fr.insee.genesis.controller.dto.SurveyUnitDto;
 import fr.insee.genesis.controller.dto.SurveyUnitInputDto;
@@ -11,6 +11,7 @@
 import fr.insee.genesis.controller.dto.VariableStateDto;
 import fr.insee.genesis.controller.services.MetadataService;
 import fr.insee.genesis.domain.model.surveyunit.DataState;
+import fr.insee.genesis.domain.model.surveyunit.InterrogationId;
 import fr.insee.genesis.domain.model.surveyunit.Mode;
 import fr.insee.genesis.domain.model.surveyunit.SurveyUnitModel;
 import fr.insee.genesis.domain.model.surveyunit.VarIdScopeTuple;
@@ -600,19 +601,25 @@ private Object getValueWithType(String variableName, String value, VariablesMap
         }
         if(value == null) return null;
         if(value.isEmpty()) return value;
-        switch (variablesMap.getVariable(variableName).getType()){
-            case INTEGER -> {
-                return Integer.parseInt(value);
-            }
-            case BOOLEAN -> {
-                return Boolean.parseBoolean(value);
-            }
-            case NUMBER -> {
-                return Double.parseDouble(value);
-            }
-            default -> {
-                return value;
+        VariableType variableType = variablesMap.getVariable(variableName).getType();
+        try {
+            switch (variableType) {
+                case INTEGER -> {
+                    return Integer.parseInt(value);
+                }
+                case BOOLEAN -> {
+                    return Boolean.parseBoolean(value);
+                }
+                case NUMBER -> {
+                    return Double.parseDouble(value);
+                }
+                default -> {
+                    return value;
+                }
             }
+        }catch (NumberFormatException e){
+            log.warn("Invalid value {} for variable {}, expected type {}", value, variableName, variableType);
+            return value;
         }
     }
 

src/main/java/fr/insee/genesis/infrastructure/adapter/LunaticJsonRawDataMongoAdapter.java

@@ -2,7 +2,6 @@
 
 import fr.insee.genesis.Constants;
 import fr.insee.genesis.domain.model.surveyunit.GroupedInterrogation;
-import fr.insee.genesis.domain.model.surveyunit.InterrogationId;
 import fr.insee.genesis.domain.model.surveyunit.Mode;
 import fr.insee.genesis.domain.model.surveyunit.rawdata.LunaticJsonRawDataModel;
 import fr.insee.genesis.domain.ports.spi.LunaticJsonRawDataPersistencePort;

src/main/resources/application-dev.properties

@@ -23,6 +23,7 @@ app.role.user-platine.claims=***
 app.role.reader.claims=***
 app.role.collect-platform.claims=***
 app.role.scheduler.claims=***
+app.role.batch-generic.claims=***
 
 #--------------------------------------------------------------------------
 # Survey quality tool

src/main/resources/application-preprod.properties

@@ -23,7 +23,7 @@ app.role.user-platine.claims=***
 app.role.reader.claims=***
 app.role.collect-platform.claims=***
 app.role.scheduler.claims=***
-
+app.role.batch-generic.claims=***
 #--------------------------------------------------------------------------
 # Survey quality tool
 #--------------------------------------------------------------------------

src/main/resources/application-prod.properties

@@ -23,6 +23,7 @@ app.role.user-platine.claims=***
 app.role.reader.claims=***
 app.role.collect-platform.claims=***
 app.role.scheduler.claims=***
+app.role.batch-generic.claims=***
 
 #--------------------------------------------------------------------------
 # Survey quality tool

src/main/resources/application-test-cucumber.properties

@@ -9,6 +9,7 @@ app.role.user-back-office.claims=utilisateur_Back_Office
 app.role.reader.claims=lecteur_traiter
 app.role.collect-platform.claims=protools
 app.role.scheduler.claims=scheduler_traiter
+app.role.batch-generic.claims=utilisateur_batch_generic
 
 logging.file.name = /logs/genesis-api.log