add role header propagation for cross-service requests (#144)

achour94 · web-flow · commit 306c6e97b45a · 2025-05-20T15:16:15.000+02:00
Signed-off-by: achour94 &lt;berrahmaachour@gmail.com&gt;
diff --git a/src/main/java/org/gridsuite/explore/server/RestTemplateConfig.java b/src/main/java/org/gridsuite/explore/server/RestTemplateConfig.java
@@ -8,13 +8,23 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
+import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.boot.jackson.JsonComponentModule;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpRequest;
+import org.springframework.http.client.ClientHttpRequestExecution;
+import org.springframework.http.client.ClientHttpRequestInterceptor;
+import org.springframework.http.client.ClientHttpResponse;
 import org.springframework.http.converter.HttpMessageConverter;
 import org.springframework.http.converter.json.Jackson2ObjectMapperBuilder;
 import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
 import org.springframework.web.client.RestTemplate;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+import java.io.IOException;
+import java.util.Collections;
 
 /**
  * @author Etienne Homer <etienne.homer at rte-france.com>
@@ -32,11 +42,47 @@ public RestTemplate restTemplate() {
             if (httpMessageConverter instanceof MappingJackson2HttpMessageConverter) {
                 restTemplate.getMessageConverters().set(i, mappingJackson2HttpMessageConverter());
             }
+
+            restTemplate.setInterceptors(
+                    Collections.singletonList(new RoleHeaderForwardingInterceptor())
+            );
         }
 
         return restTemplate;
     }
 
+    /**
+     * In our microservice architecture, user permissions (roles) must be preserved when
+     * one service calls another. This interceptor automatically forwards the "roles" header
+     * from incoming requests to any outgoing REST calls made with this RestTemplate.
+     *
+     * Without this interceptor, authorization information would be lost in service-to-service
+     * communication.
+     */
+    public static class RoleHeaderForwardingInterceptor implements ClientHttpRequestInterceptor {
+
+        private static final String ROLES_HEADER = "roles";
+
+        @Override
+        public ClientHttpResponse intercept(HttpRequest request, byte[] body,
+                                            ClientHttpRequestExecution execution) throws IOException {
+            ServletRequestAttributes attributes =
+                    (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
+
+            // If we have a current request, copy its roles header to the outgoing request
+            if (attributes != null) {
+                HttpServletRequest currentRequest = attributes.getRequest();
+                String roles = currentRequest.getHeader(ROLES_HEADER);
+
+                if (roles != null && !roles.isEmpty()) {
+                    request.getHeaders().set(ROLES_HEADER, roles);
+                }
+            }
+
+            return execution.execute(request, body);
+        }
+    }
+
     public MappingJackson2HttpMessageConverter mappingJackson2HttpMessageConverter() {
         MappingJackson2HttpMessageConverter converter = new MappingJackson2HttpMessageConverter();
         converter.setObjectMapper(objectMapper());
diff --git a/src/test/java/org/gridsuite/explore/server/RestTemplateConfigTest.java b/src/test/java/org/gridsuite/explore/server/RestTemplateConfigTest.java
@@ -0,0 +1,143 @@
+/**
+ * Copyright (c) 2025, RTE (http://www.rte-france.com)
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+package org.gridsuite.explore.server;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.MediaType;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit.jupiter.SpringExtension;
+import org.springframework.test.web.client.MockRestServiceServer;
+import org.springframework.test.web.client.response.MockRestResponseCreators;
+import org.springframework.web.client.RestTemplate;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+import static org.springframework.test.web.client.match.MockRestRequestMatchers.*;
+
+
+/**
+ * @author Achour Berrahma <achour.berrahma at rte-france.com>
+ */
+@ExtendWith(SpringExtension.class)
+@ContextConfiguration(classes = {RestTemplateConfig.class})
+class RestTemplateConfigTest {
+
+    @Autowired
+    private RestTemplate restTemplate;
+
+    private MockRestServiceServer mockServer;
+    private static final String ROLES_HEADER = "roles";
+    private static final String TEST_ROLES = "ADMIN|USER";
+    private static final String TEST_ENDPOINT = "http://test-service/api/resource";
+
+    @BeforeEach
+    void setUp() {
+        mockServer = MockRestServiceServer.createServer(restTemplate);
+    }
+
+    @AfterEach
+    void tearDown() {
+        // Clean up the RequestContextHolder after each test
+        RequestContextHolder.resetRequestAttributes();
+    }
+
+    @Test
+    void testRoleHeaderIsPropagated() {
+        // Setup mock incoming request with roles header
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.addHeader(ROLES_HEADER, TEST_ROLES);
+        RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request));
+
+        // Setup mock response for the outgoing request
+        mockServer.expect(requestTo(TEST_ENDPOINT))
+                .andExpect(method(HttpMethod.GET))
+                .andExpect(header(ROLES_HEADER, TEST_ROLES)) // This verifies our interceptor works
+                .andRespond(MockRestResponseCreators.withSuccess("{\"result\":\"success\"}", MediaType.APPLICATION_JSON));
+
+        // Execute request through our RestTemplate
+        restTemplate.getForObject(TEST_ENDPOINT, String.class);
+
+        // Verify the request was made correctly
+        mockServer.verify();
+    }
+
+    @Test
+    void testNoRoleHeaderPropagationWhenNotPresent() {
+        // Setup mock incoming request WITHOUT roles header
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request));
+
+        // Setup mock response - here we expect NOT to see the roles header
+        mockServer.expect(requestTo(TEST_ENDPOINT))
+                .andExpect(method(HttpMethod.GET))
+                .andExpect(req -> {
+                    // Verify the header isn't present (would throw if present)
+                    if (req.getHeaders().containsKey(ROLES_HEADER)) {
+                        throw new AssertionError("Roles header should not be present");
+                    }
+                })
+                .andRespond(MockRestResponseCreators.withSuccess("{\"result\":\"success\"}", MediaType.APPLICATION_JSON));
+
+        // Execute request
+        restTemplate.getForObject(TEST_ENDPOINT, String.class);
+
+        // Verify
+        mockServer.verify();
+    }
+
+    @Test
+    void testEmptyRoleHeaderNotPropagated() {
+        // Setup mock incoming request with EMPTY roles header
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        request.addHeader(ROLES_HEADER, ""); // Empty value
+        RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(request));
+
+        // Setup mock - we don't expect the header to be forwarded if empty
+        mockServer.expect(requestTo(TEST_ENDPOINT))
+                .andExpect(method(HttpMethod.GET))
+                .andExpect(req -> {
+                    if (req.getHeaders().containsKey(ROLES_HEADER)) {
+                        throw new AssertionError("Roles header should not be present when empty");
+                    }
+                })
+                .andRespond(MockRestResponseCreators.withSuccess("{\"result\":\"success\"}", MediaType.APPLICATION_JSON));
+
+        // Execute request
+        restTemplate.getForObject(TEST_ENDPOINT, String.class);
+
+        // Verify
+        mockServer.verify();
+    }
+
+    @Test
+    void testContextHolderIsNull() {
+        // Make sure the context holder is null
+        RequestContextHolder.resetRequestAttributes();
+
+        // Setup mock - we don't expect any header forwarding when no request context exists
+        mockServer.expect(requestTo(TEST_ENDPOINT))
+                .andExpect(method(HttpMethod.GET))
+                .andExpect(request -> {
+                    if (request.getHeaders().containsKey(ROLES_HEADER)) {
+                        throw new AssertionError("Roles header should not be present when RequestContextHolder is null");
+                    }
+                })
+                .andRespond(MockRestResponseCreators.withSuccess("{\"result\":\"success\"}", MediaType.APPLICATION_JSON));
+
+        // Execute request
+        restTemplate.getForObject(TEST_ENDPOINT, String.class);
+
+        // Verify
+        mockServer.verify();
+    }
+}
