Merge branch 'permissions' into main

Author: slisson

authorization/src/main/kotlin/org/modelix/authorization/KeycloakUtils.kt

@@ -20,10 +20,12 @@ import com.auth0.jwt.interfaces.DecodedJWT
 import com.google.common.cache.CacheBuilder
 import org.keycloak.authorization.client.AuthzClient
 import org.keycloak.authorization.client.Configuration
+import org.keycloak.authorization.client.resource.ProtectedResource
 import org.keycloak.representations.idm.authorization.AuthorizationRequest
 import org.keycloak.representations.idm.authorization.Permission
 import org.keycloak.representations.idm.authorization.PermissionRequest
 import org.keycloak.representations.idm.authorization.ResourceRepresentation
+import org.keycloak.representations.idm.authorization.ScopeRepresentation
 import java.net.URL
 import java.util.concurrent.TimeUnit
 
@@ -52,9 +54,11 @@ object KeycloakUtils {
     }
 
     private val permissionCache = CacheBuilder.newBuilder()
-        .expireAfterWrite(1, TimeUnit.MINUTES)
+        .expireAfterWrite(30, TimeUnit.SECONDS)
         .build<String, List<Permission>>()
-    private val existingResources = HashSet<String>()
+    private val existingResources = CacheBuilder.newBuilder()
+        .expireAfterWrite(3, TimeUnit.MINUTES)
+        .build<String, ResourceRepresentation>()
 
     private fun patchUrls(c: AuthzClient): AuthzClient {
         patchObject(c.serverConfiguration)
@@ -105,43 +109,115 @@ object KeycloakUtils {
     }
 
     @Synchronized
-    fun hasPermission(accessToken: DecodedJWT, resourceName: String, scope: String): Boolean {
-        ensureResourcesExists(resourceName)
+    fun hasPermission(accessToken: DecodedJWT, resourceSpec: KeycloakResource, scope: KeycloakScope): Boolean {
+        ensureResourcesExists(resourceSpec, accessToken)
         val allPermissions = getPermissions(accessToken)
-        val forResource = allPermissions.filter { it.resourceName == resourceName }
+        val forResource = allPermissions.filter { it.resourceName == resourceSpec.name }
         if (forResource.isEmpty()) return false
         val scopes: Set<String> = forResource.mapNotNull { it.scopes }.flatten().toSet()
         if (scopes.isEmpty()) {
             // If the permissions are not restricted to any scope we assume they are valid for all scopes.
             return true
         }
-        return scopes.contains(scope)
+        return scopes.contains(scope.name)
     }
 
-    private fun hasPermissions(accessToken: DecodedJWT, resourceNames: List<String>): Boolean {
-        try {
-            val ticket = authzClient.protection(accessToken.token).permission().create(resourceNames.map { PermissionRequest(it) }).ticket
-            val rpt = authzClient.authorization(accessToken.token).authorize(AuthorizationRequest(ticket)).token
-            val introspect = authzClient.protection().introspectRequestingPartyToken(rpt)
-            return introspect.active
-        } catch (e: Exception) {
-            throw RuntimeException("Can't get permissions for token: ${accessToken.token}", e)
-        }
-    }
+    @Synchronized
+    fun grantPermission(user: DecodedJWT, resourceSpec: KeycloakResource, scopes: Set<KeycloakScope>): Boolean {
+        val resource = ensureResourcesExists(resourceSpec, user)
+        val ticketResponse = authzClient.protection(user.token).permission()
+            .create(PermissionRequest(resource.id, *scopes.map { it.name }.toTypedArray()))
 
-    private fun createPermission(ownerToken: DecodedJWT?, resourceName: String): String {
-        val protection = if (ownerToken == null) authzClient.protection() else authzClient.protection(ownerToken.token)
-        val newResource = protection.resource().create(ResourceRepresentation(resourceName))
-        return newResource.id
+        val authResponse = authzClient.authorization(/* service account */)
+            .authorize(AuthorizationRequest(ticketResponse.ticket))
+
+        return authResponse.isUpgraded
     }
 
     @Synchronized
-    fun ensureResourcesExists(resourceName: String) {
-        if (existingResources.contains(resourceName)) return
-        if (authzClient.protection().resource().findByName(resourceName) == null) {
-            authzClient.protection().resource().create(ResourceRepresentation(resourceName))
+    fun ensureResourcesExists(
+        resourceSpec: KeycloakResource,
+        owner: DecodedJWT? = null
+    ): ResourceRepresentation {
+        return existingResources.get(resourceSpec.name) {
+            var resource = authzClient.protection().resource().findByNameAnyOwner(resourceSpec.name)
+            if (resource != null) return@get resource
+            val protection = (
+                    if (resourceSpec.type.ownerManaged) {
+                        owner?.let { authzClient.protection(owner.token) }
+                    } else {
+                        null
+                    }
+                    ) ?: authzClient.protection()
+            resource = ResourceRepresentation().apply {
+                name = resourceSpec.name
+                scopes = resourceSpec.type.scopes.map { ScopeRepresentation(it.name) }.toSet()
+                type = resourceSpec.type.name
+                if (resourceSpec.type.ownerManaged) ownerManagedAccess = true
+            }
+            resource = protection.resource().create(resource)
             permissionCache.invalidateAll()
+            return@get resource
         }
-        existingResources += resourceName
+
+    }
+}
+
+data class KeycloakScope(val name: String) {
+    operator fun plus(other: KeycloakScope): Set<KeycloakScope> = setOf(this, other)
+    fun toSet() = setOf(this)
+
+    companion object {
+        val ADD = KeycloakScope("add") // the user can add a new item, but not remove other items in a list
+        val LIST = KeycloakScope("list") // the user can see that an item exists, but not read the contents
+        val READ = KeycloakScope("read")
+        val WRITE = KeycloakScope("write")
+        val DELETE = KeycloakScope("delete")
+        val READ_WRITE_DELETE = setOf(READ, WRITE, DELETE)
+        val READ_WRITE_DELETE_LIST = setOf(READ, WRITE, DELETE, LIST)
+        val READ_WRITE = setOf(READ, WRITE)
+        val READ_WRITE_LIST = setOf(READ, WRITE, LIST)
+        val READ_ONLY = setOf(READ)
+        val READ_LIST = setOf(READ, LIST)
+        val ALL_SCOPES = READ_WRITE_DELETE_LIST
+    }
+}
+fun EPermissionType.toKeycloakScope(): KeycloakScope = when (this) {
+    EPermissionType.READ -> KeycloakScope.READ
+    EPermissionType.WRITE -> KeycloakScope.WRITE
+}
+
+data class KeycloakResource(val name: String, val type: KeycloakResourceType) {
+
+}
+
+data class KeycloakResourceType(val name: String, val scopes: Set<KeycloakScope>, val ownerManaged: Boolean = false) {
+    fun createInstance(resourceName: String) = KeycloakResource(this.name + "/" + resourceName, this)
+
+    companion object {
+        val DEFAULT_TYPE = KeycloakResourceType("default", KeycloakScope.READ_WRITE)
+        val MODEL_SERVER_ENTRY = KeycloakResourceType("model-server-entry", KeycloakScope.READ_WRITE_DELETE)
+        val REPOSITORY = KeycloakResourceType("repository", KeycloakScope.READ_WRITE_DELETE_LIST)
+        val WORKSPACE = KeycloakResourceType("workspace", KeycloakScope.READ_WRITE_DELETE_LIST, ownerManaged = true)
     }
+}
+
+fun String.asResource() = KeycloakResourceType.DEFAULT_TYPE.createInstance(this)
+
+private fun ProtectedResource.findByNameAnyOwner(name: String): ResourceRepresentation? {
+    val resources: List<ResourceRepresentation> = org.modelix.authorization.KeycloakUtils.authzClient.protection().resource()
+        .find(
+            null,
+            name,
+            null,
+            null,
+            null,
+            null,
+            false,
+            true,
+            true,
+            null,
+            null
+        )
+    return resources.firstOrNull()
 }

authorization/src/main/kotlin/org/modelix/authorization/KtorAuthUtils.kt

@@ -125,20 +125,42 @@ fun Application.installAuthentication(unitTestMode: Boolean = false) {
 
 }
 
-fun Route.requiresPermission(resourceName: String, scope: String, body: Route.()->Unit) {
+fun Route.requiresPermission(resource: KeycloakResource, permissionType: EPermissionType, body: Route.()->Unit) {
+    requiresPermission(resource, permissionType.toKeycloakScope(), body)
+}
+
+fun Route.requiresRead(resource: KeycloakResource, body: Route.()->Unit) {
+    requiresPermission(resource, KeycloakScope.READ, body)
+}
+
+fun Route.requiresWrite(resource: KeycloakResource, body: Route.()->Unit) {
+    requiresPermission(resource, KeycloakScope.WRITE, body)
+}
+
+fun Route.requiresDelete(resource: KeycloakResource, body: Route.()->Unit) {
+    requiresPermission(resource, KeycloakScope.DELETE, body)
+}
+
+fun Route.requiresPermission(resource: KeycloakResource, scope: KeycloakScope, body: Route.()->Unit) {
     authenticate(jwtAuth) {
         intercept(ApplicationCallPipeline.Call) {
-            call.checkPermission(resourceName, scope)
+            call.checkPermission(resource, scope)
         }
         body()
     }
 }
 
-fun ApplicationCall.checkPermission(resourceName: String, scope: String) {
+fun Route.requiresLogin(body: Route.()->Unit) {
+    authenticate(jwtAuth) {
+        body()
+    }
+}
+
+fun ApplicationCall.checkPermission(resource: KeycloakResource, scope: KeycloakScope) {
     if (attributes.getOrNull(UNIT_TEST_MODE_KEY) == true) return
     val principal = principal<AccessTokenPrincipal>() ?: throw NotLoggedInException()
-    if (!KeycloakUtils.hasPermission(principal.jwt, resourceName, scope)) {
-        throw NoPermissionException(principal, resourceName, scope)
+    if (!KeycloakUtils.hasPermission(principal.jwt, resource, scope)) {
+        throw NoPermissionException(principal, resource.name, scope.name)
     }
 }
 
@@ -161,6 +183,8 @@ fun ApplicationCall.jwtFromHeaders(): DecodedJWT? {
     return (request.header("X-Forwarded-Access-Token") ?: getBearerToken())?.let { JWT.decode(it) }
 }
 
+fun ApplicationCall.jwt() = principal<AccessTokenPrincipal>()?.jwt ?: jwtFromHeaders()
+
 fun PipelineContext<Unit, ApplicationCall>.getUserName(): String? {
     return call.getUserName()
 }

model-server/Dockerfile

@@ -2,5 +2,5 @@ FROM openjdk:11
 WORKDIR /usr/modelix-model
 EXPOSE 28101
 COPY run-model-server.sh /usr/modelix-model/
-COPY build/ /usr/modelix-model/model-server/build/
+COPY build/libs/ /usr/modelix-model/model-server/build/libs/
 CMD ["./run-model-server.sh"]

model-server/src/main/kotlin/org/modelix/model/server/HistoryHandler.kt

@@ -7,6 +7,8 @@ import io.ktor.server.request.*
 import io.ktor.server.response.*
 import io.ktor.server.routing.*
 import org.apache.commons.lang3.StringEscapeUtils
+import org.modelix.authorization.KeycloakScope
+import org.modelix.authorization.asResource
 import org.modelix.authorization.getUserName
 import org.modelix.authorization.requiresPermission
 import org.modelix.model.LinearHistory
@@ -47,7 +49,7 @@ class HistoryHandler(private val client: IModelClient) {
                     buildRepositoryPage(PrintWriter(this), RepositoryAndBranch(repositoryId, branch), params["head"], skip, limit)
                 }
             }
-            requiresPermission("history", "WRITE") {
+            requiresPermission("history".asResource(), KeycloakScope.WRITE) {
                 post("/history/{repoId}/{branch}/revert") {
                     val repositoryId = call.parameters["repoId"]!!
                     val branch = call.parameters["branch"]!!

model-server/src/main/kotlin/org/modelix/model/server/JsonModelServer.kt

@@ -30,6 +30,8 @@ import kotlinx.html.td
 import kotlinx.html.tr
 import org.json.JSONArray
 import org.json.JSONObject
+import org.modelix.authorization.KeycloakScope
+import org.modelix.authorization.asResource
 import org.modelix.authorization.getUserName
 import org.modelix.authorization.requiresPermission
 import org.modelix.model.IKeyListener
@@ -50,7 +52,7 @@ class JsonModelServer(val client: LocalModelClient) {
     fun init(application: Application) {
         application.apply {
             routing {
-                requiresPermission("model-json-api", "read") {
+                requiresPermission("model-json-api".asResource(), KeycloakScope.READ) {
                     route("/json") {
                         initRouting()
                     }

model-server/src/main/kotlin/org/modelix/model/server/JsonModelServer2.kt

@@ -23,6 +23,8 @@ import kotlinx.coroutines.channels.Channel
 import kotlinx.coroutines.launch
 import kotlinx.coroutines.sync.Mutex
 import kotlinx.coroutines.sync.withLock
+import org.modelix.authorization.KeycloakScope
+import org.modelix.authorization.asResource
 import org.modelix.authorization.getUserName
 import org.modelix.authorization.requiresPermission
 import org.modelix.model.VersionMerger
@@ -77,7 +79,7 @@ class JsonModelServer2(val client: LocalModelClient) {
     fun init(application: Application) {
         application.apply {
             routing {
-                requiresPermission("model-json-api", "read") {
+                requiresPermission("model-json-api".asResource(), KeycloakScope.READ) {
                     route("/json/v2") {
                         initRouting()
                     }

model-server/src/main/kotlin/org/modelix/model/server/KtorModelServer.kt

@@ -34,7 +34,8 @@ import java.net.UnknownHostException
 import java.util.*
 import java.util.regex.Pattern
 
-val PERMISSION_MODEL_SERVER = "model-server"
+val PERMISSION_MODEL_SERVER = "model-server".asResource()
+val MODEL_SERVER_ENTRY = KeycloakResourceType("model-server-entry", KeycloakScope.READ_WRITE_DELETE)
 
 private fun toLong(value: String?): Long {
     return if (value == null || value.isEmpty()) 0 else value.toLong()
@@ -84,7 +85,7 @@ class KtorModelServer(val storeClient: IStoreClient) {
                 val headers = call.request.headers.entries().flatMap { e -> e.value.map { e.key to it } }
                 call.respondText(headers.joinToString("\n") { "${it.first}: ${it.second}" })
             }
-            requiresPermission(PERMISSION_MODEL_SERVER, EPermissionType.READ.name) {
+            requiresPermission(PERMISSION_MODEL_SERVER, EPermissionType.READ) {
                 get("/get/{key}") {
                     val key = call.parameters["key"]!!
                     checkKeyPermission(key, EPermissionType.READ)
@@ -169,7 +170,7 @@ class KtorModelServer(val storeClient: IStoreClient) {
                     call.respondText(respJson.toString(), contentType = ContentType.Application.Json)
                 }
             }
-            requiresPermission(PERMISSION_MODEL_SERVER, "write") {
+            requiresPermission(PERMISSION_MODEL_SERVER, EPermissionType.WRITE) {
 
             }
         }
@@ -295,7 +296,7 @@ class KtorModelServer(val storeClient: IStoreClient) {
             // A permission check has happened somewhere earlier.
             return
         }
-        call.checkPermission("model-server-entry/$key", type.name)
+        call.checkPermission(MODEL_SERVER_ENTRY.createInstance(key), type.toKeycloakScope())
     }