use_user_admin_server (#66)

etiennehomer · web-flow · commit fa61c50a5786 · 2022-09-26T12:53:00.000+02:00
Signed-off-by: Etienne Homer &lt;etiennehomer@gmail.com&gt;
diff --git a/src/main/java/org/gridsuite/gateway/GatewayConfig.java b/src/main/java/org/gridsuite/gateway/GatewayConfig.java
@@ -50,6 +50,7 @@ public RouteLocator myRoutes(RouteLocatorBuilder builder, ApplicationContext con
             .route(p -> context.getBean(NetworkConversionServer.class).getRoute(p))
             .route(p -> context.getBean(OdreServer.class).getRoute(p))
             .route(p -> context.getBean(GeoDataServer.class).getRoute(p))
+            .route(p -> context.getBean(UserAdminServer.class).getRoute(p))
             .route(p -> context.getBean(CgmesGlServer.class).getRoute(p))
             .build();
     }
diff --git a/src/main/java/org/gridsuite/gateway/ServiceURIsConfig.java b/src/main/java/org/gridsuite/gateway/ServiceURIsConfig.java
@@ -78,6 +78,9 @@ public class ServiceURIsConfig {
     @Value("${backing-services.geo-data-server.base-uri:http://geo-data-server/}")
     String geoDataServerBaseUri;
 
+    @Value("${backing-services.user-admin-server.base-uri:http://user-admin-server/}")
+    String userAdminServerBaseUri;
+
     @Value("${backing-services.cgmes-gl-server.base-uri:http://cgmes-gl-server/}")
     String cgmesGlServerBaseUri;
 }
diff --git a/src/main/java/org/gridsuite/gateway/endpoints/UserAdminServer.java b/src/main/java/org/gridsuite/gateway/endpoints/UserAdminServer.java
@@ -0,0 +1,35 @@
+/*
+  Copyright (c) 2022, RTE (http://www.rte-france.com)
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+package org.gridsuite.gateway.endpoints;
+
+import org.gridsuite.gateway.ServiceURIsConfig;
+import org.springframework.stereotype.Component;
+
+/**
+ * @author Etienne Homer <etienne.homer at rte-france.com>
+ */
+@Component(value = UserAdminServer.ENDPOINT_NAME)
+public class UserAdminServer implements EndPointElementServer {
+
+    public static final String ENDPOINT_NAME = "user-admin";
+
+    private final ServiceURIsConfig servicesURIsConfig;
+
+    public UserAdminServer(ServiceURIsConfig servicesURIsConfig) {
+        this.servicesURIsConfig = servicesURIsConfig;
+    }
+
+    @Override
+    public String getEndpointBaseUri() {
+        return servicesURIsConfig.getUserAdminServerBaseUri();
+    }
+
+    @Override
+    public String getEndpointName() {
+        return ENDPOINT_NAME;
+    }
+}
diff --git a/src/main/java/org/gridsuite/gateway/filters/TokenValidatorGlobalPreFilter.java b/src/main/java/org/gridsuite/gateway/filters/TokenValidatorGlobalPreFilter.java
@@ -64,7 +64,7 @@ public TokenValidatorGlobalPreFilter(GatewayService gatewayService) {
     @Override
     public int getOrder() {
         // Before ElementAccessControllerGlobalPreFilter to enforce authentication
-        return Ordered.LOWEST_PRECEDENCE - 3;
+        return Ordered.LOWEST_PRECEDENCE - 4;
     }
 
     @Override
diff --git a/src/main/java/org/gridsuite/gateway/filters/UserAdminControlGlobalPreFilter.java b/src/main/java/org/gridsuite/gateway/filters/UserAdminControlGlobalPreFilter.java
@@ -0,0 +1,52 @@
+/**
+ * Copyright (c) 2022, RTE (http://www.rte-france.com)
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+package org.gridsuite.gateway.filters;
+
+import lombok.NonNull;
+import org.gridsuite.gateway.services.UserAdminService;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.cloud.gateway.filter.GatewayFilterChain;
+import org.springframework.core.Ordered;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Component;
+import org.springframework.web.server.ServerWebExchange;
+import reactor.core.publisher.Mono;
+
+import java.util.Objects;
+
+import static org.gridsuite.gateway.GatewayConfig.HEADER_USER_ID;
+
+/**
+ * @author Etienne Homer <etienne.homer at rte-france.com>
+ */
+@Component
+public class UserAdminControlGlobalPreFilter extends AbstractGlobalPreFilter {
+    private static final Logger LOGGER = LoggerFactory.getLogger(UserAdminControlGlobalPreFilter.class);
+
+    private UserAdminService userAdminService;
+
+    public UserAdminControlGlobalPreFilter(UserAdminService userAdminService) {
+        this.userAdminService = userAdminService;
+    }
+
+    @Override
+    public Mono<Void> filter(@NonNull ServerWebExchange exchange, @NonNull GatewayFilterChain chain) {
+        LOGGER.debug("Filter : {}", getClass().getSimpleName());
+
+        HttpHeaders httpHeaders = exchange.getRequest().getHeaders();
+        String sub = Objects.requireNonNull(httpHeaders.get(HEADER_USER_ID)).get(0);
+
+        return userAdminService.userExists(sub).flatMap(userExist ->  Boolean.TRUE.equals(userExist) ? chain.filter(exchange) : completeWithCode(exchange, HttpStatus.FORBIDDEN));
+    }
+
+    @Override
+    public int getOrder() {
+        return Ordered.LOWEST_PRECEDENCE - 3;
+    }
+}
diff --git a/src/main/java/org/gridsuite/gateway/services/UserAdminService.java b/src/main/java/org/gridsuite/gateway/services/UserAdminService.java
@@ -0,0 +1,46 @@
+/**
+ * Copyright (c) 2022, RTE (http://www.rte-france.com)
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+package org.gridsuite.gateway.services;
+
+import org.gridsuite.gateway.ServiceURIsConfig;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+import org.springframework.web.reactive.function.client.WebClient;
+import reactor.core.publisher.Mono;
+
+/**
+ * @author Etienne Homer <etienne.homer at rte-france.com>
+ */
+@Service
+public class UserAdminService {
+
+    private static final String USER_ADMIN_SERVER_API_VERSION = "v1";
+
+    private static final String DELIMITER = "/";
+
+    private static final String USER_ADMIN_SERVER_ROOT_PATH = DELIMITER + USER_ADMIN_SERVER_API_VERSION + DELIMITER + "users";
+
+    private final WebClient webClient;
+
+    @Autowired
+    public UserAdminService(ServiceURIsConfig servicesURIsConfig, WebClient.Builder webClientBuilder) {
+        this.webClient = webClientBuilder.baseUrl(servicesURIsConfig.getUserAdminServerBaseUri()).build();
+    }
+
+    public Mono<Boolean> userExists(String sub) {
+        return webClient
+            .head()
+            .uri(uriBuilder -> uriBuilder
+                    .path(USER_ADMIN_SERVER_ROOT_PATH + DELIMITER + sub)
+                    .build()
+            )
+            .retrieve()
+            .toBodilessEntity()
+            .single()
+            .map(entity -> entity.getStatusCode().value() == 200);
+    }
+}
diff --git a/src/main/resources/application-local.yml b/src/main/resources/application-local.yml
@@ -40,6 +40,8 @@ backing-services:
     base-uri: http://localhost:8090
   geo-data-server:
     base-uri: http://localhost:8087
+  user-admin-server:
+    base-uri: http://localhost:5033
   cgmes-gl-server:
     base-uri: http://localhost:8095
 
diff --git a/src/test/java/org/gridsuite/gateway/ElementAccessControlTest.java b/src/test/java/org/gridsuite/gateway/ElementAccessControlTest.java
@@ -47,6 +47,7 @@
         "backing-services.study-server.base-uri=http://localhost:${wiremock.server.port}",
         "backing-services.actions-server.base-uri=http://localhost:${wiremock.server.port}",
         "backing-services.filter-server.base-uri=http://localhost:${wiremock.server.port}",
+        "backing-services.user-admin-server.base-uri=http://localhost:${wiremock.server.port}",
     }
 )
 @AutoConfigureWireMock(port = 0)
@@ -509,6 +510,12 @@ public void testAccessControlInfos() {
     }
 
     private void initStubForJwk() {
+        stubFor(head(urlEqualTo(String.format("/v1/users/%s", "user1"))).withPort(port)
+                .willReturn(aResponse().withStatus(200)));
+
+        stubFor(head(urlEqualTo(String.format("/v1/users/%s", "user2"))).withPort(port)
+                .willReturn(aResponse().withStatus(200)));
+
         stubFor(get(urlEqualTo("/.well-known/openid-configuration"))
             .willReturn(aResponse()
                 .withHeader("Content-Type", "application/json")
diff --git a/src/test/java/org/gridsuite/gateway/TokenValidationTest.java b/src/test/java/org/gridsuite/gateway/TokenValidationTest.java
@@ -67,7 +67,8 @@
         "backing-services.dynamic-mapping-server.base-uri=http://localhost:${wiremock.server.port}",
         "backing-services.filter-server.base-uri=http://localhost:${wiremock.server.port}",
         "backing-services.report-server.base-uri=http://localhost:${wiremock.server.port}",
-        "backing-services.network-modification-server.base-uri=http://localhost:${wiremock.server.port}"
+        "backing-services.network-modification-server.base-uri=http://localhost:${wiremock.server.port}",
+        "backing-services.user-admin-server.base-uri=http://localhost:${wiremock.server.port}",
     })
 
 @AutoConfigureWireMock(port = 0)
@@ -380,6 +381,9 @@ public void testWebsockets() {
     }
 
     private void initStubForJwk() {
+        stubFor(head(urlEqualTo(String.format("/v1/users/%s", "chmits"))).withPort(port)
+                .willReturn(aResponse().withStatus(200)));
+
         stubFor(get(urlEqualTo("/.well-known/openid-configuration"))
             .willReturn(aResponse()
                 .withHeader("Content-Type", "application/json")
@@ -393,6 +397,9 @@ private void initStubForJwk() {
 
     @Test
     public void testJwksUpdate() {
+        stubFor(head(urlEqualTo(String.format("/v1/users/%s", "chmits"))).withPort(port)
+                .willReturn(aResponse().withStatus(200)));
+
         stubFor(get(urlEqualTo("/v1/cases"))
                 .willReturn(aResponse()
                         .withHeader("Content-Type", "application/json")
@@ -455,6 +462,8 @@ public void testJwksUpdate() {
 
     @Test
     public void invalidToken() {
+        stubFor(head(urlEqualTo(String.format("/v1/users/%s", "chmits"))).withPort(port)
+                .willReturn(aResponse().withStatus(200)));
 
         stubFor(get(urlEqualTo("/v1/cases"))
                 .willReturn(aResponse()
@@ -529,6 +538,19 @@ public void invalidToken() {
             ws -> ws.receive().then()).doOnSuccess(s -> Assert.fail("Should have thrown"));
     }
 
+    @Test
+    public void forbiddenUserTest() {
+        initStubForJwk();
+        stubFor(head(urlEqualTo(String.format("/v1/users/%s", "chmits"))).withPort(port)
+                .willReturn(aResponse().withStatus(204)));
+
+        webClient
+                .get().uri("case/v1/cases")
+                .header("Authorization", "Bearer " + token)
+                .exchange()
+                .expectStatus().isEqualTo(403);
+    }
+
     @TestConfiguration
     static class MyTestConfiguration {
         @Bean

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,7 @@ public RouteLocator myRoutes(RouteLocatorBuilder builder, ApplicationContext con`
`50`	`50`	`.route(p -> context.getBean(NetworkConversionServer.class).getRoute(p))`
`51`	`51`	`.route(p -> context.getBean(OdreServer.class).getRoute(p))`
`52`	`52`	`.route(p -> context.getBean(GeoDataServer.class).getRoute(p))`
	`53`	`+ .route(p -> context.getBean(UserAdminServer.class).getRoute(p))`
`53`	`54`	`.route(p -> context.getBean(CgmesGlServer.class).getRoute(p))`
`54`	`55`	`.build();`
`55`	`56`	`}`
Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,9 @@ public class ServiceURIsConfig {`
`78`	`78`	`@Value("${backing-services.geo-data-server.base-uri:http://geo-data-server/}")`
`79`	`79`	`String geoDataServerBaseUri;`
`80`	`80`
	`81`	`+ @Value("${backing-services.user-admin-server.base-uri:http://user-admin-server/}")`
	`82`	`+ String userAdminServerBaseUri;`
	`83`	`+`
`81`	`84`	`@Value("${backing-services.cgmes-gl-server.base-uri:http://cgmes-gl-server/}")`
`82`	`85`	`String cgmesGlServerBaseUri;`
`83`	`86`	`}`
Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,7 @@ public TokenValidatorGlobalPreFilter(GatewayService gatewayService) {`
`64`	`64`	`@Override`
`65`	`65`	`public int getOrder() {`
`66`	`66`	`// Before ElementAccessControllerGlobalPreFilter to enforce authentication`
`67`		`- return Ordered.LOWEST_PRECEDENCE - 3;`
	`67`	`+ return Ordered.LOWEST_PRECEDENCE - 4;`
`68`	`68`	`}`
`69`	`69`
`70`	`70`	`@Override`
Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,7 @@`
`47`	`47`	`"backing-services.study-server.base-uri=http://localhost:${wiremock.server.port}",`
`48`	`48`	`"backing-services.actions-server.base-uri=http://localhost:${wiremock.server.port}",`
`49`	`49`	`"backing-services.filter-server.base-uri=http://localhost:${wiremock.server.port}",`
	`50`	`+ "backing-services.user-admin-server.base-uri=http://localhost:${wiremock.server.port}",`
`50`	`51`	`}`
`51`	`52`	`)`
`52`	`53`	`@AutoConfigureWireMock(port = 0)`
`@@ -509,6 +510,12 @@ public void testAccessControlInfos() {`
`509`	`510`	`}`
`510`	`511`
`511`	`512`	`private void initStubForJwk() {`
	`513`	`+ stubFor(head(urlEqualTo(String.format("/v1/users/%s", "user1"))).withPort(port)`
	`514`	`+ .willReturn(aResponse().withStatus(200)));`
	`515`	`+`
	`516`	`+ stubFor(head(urlEqualTo(String.format("/v1/users/%s", "user2"))).withPort(port)`
	`517`	`+ .willReturn(aResponse().withStatus(200)));`
	`518`	`+`
`512`	`519`	`stubFor(get(urlEqualTo("/.well-known/openid-configuration"))`
`513`	`520`	`.willReturn(aResponse()`
`514`	`521`	`.withHeader("Content-Type", "application/json")`