Merge branch 'main' into dependabot/gradle/kotlinCoroutines-1.7.1

Author: slisson

authorization/build.gradle.kts

@@ -22,6 +22,12 @@ tasks.getByName<Test>("test") {
     useJUnitPlatform()
 }
 
+java {
+    toolchain {
+        languageVersion.set(JavaLanguageVersion.of(11))
+    }
+}
+
 publishing {
     publications {
         create<MavenPublication>("maven") {

authorization/src/main/kotlin/org/modelix/authorization/KeycloakUtils.kt

@@ -18,6 +18,7 @@ import com.auth0.jwk.JwkProviderBuilder
 import com.auth0.jwt.JWT
 import com.auth0.jwt.interfaces.DecodedJWT
 import com.google.common.cache.CacheBuilder
+import org.keycloak.authorization.client.AuthorizationDeniedException
 import org.keycloak.authorization.client.AuthzClient
 import org.keycloak.authorization.client.Configuration
 import org.keycloak.authorization.client.resource.ProtectedResource
@@ -56,7 +57,7 @@ object KeycloakUtils {
 
     private val permissionCache = CacheBuilder.newBuilder()
         .expireAfterWrite(30, TimeUnit.SECONDS)
-        .build<String, List<Permission>>()
+        .build<Pair<Pair<DecodedJWT, KeycloakResource>, KeycloakScope>, Boolean>()
     private val existingResources = CacheBuilder.newBuilder()
         .expireAfterWrite(3, TimeUnit.MINUTES)
         .build<String, ResourceRepresentation>()
@@ -90,44 +91,61 @@ object KeycloakUtils {
         }
     }
 
-    @Synchronized
-    fun getPermissions(accessToken: DecodedJWT): List<Permission> {
-        return permissionCache.get(accessToken.token) { queryPermissions(accessToken) }
-    }
-
     fun getServiceAccountToken(): DecodedJWT {
         return JWT.decode(authzClient.obtainAccessToken().token)
     }
 
-    private fun queryPermissions(token: DecodedJWT): List<Permission> {
+    private fun isAccessToken(token: DecodedJWT): Boolean {
+        val authClaim = token.getClaim("authorization")
+        return !(authClaim.isNull || authClaim.isMissing)
+    }
+
+    private fun readPermissions(token: DecodedJWT): List<Permission> {
+        require(isAccessToken(token)) { "Not an access token: ${token.token}" }
         try {
-            val rpt = if (token.getClaim("authorization").isNull) {
-                // The token was probably created by the OAuth proxy after login.
-                // The token contains no permission information yet. Query them from keycloak.
-                authzClient.authorization(token.token).authorize(AuthorizationRequest()).token
-            } else {
-                // The token was probably created using KeycloakUtils.createToken
-                token.token
-            }
+            val rpt = token.token
             val introspect = authzClient.protection().introspectRequestingPartyToken(rpt)
-            return introspect.permissions
+            return introspect.permissions ?: emptyList()
         } catch (e: Exception) {
             throw RuntimeException("Can't get permissions for token: ${token.token}", e)
         }
     }
 
+    private fun createAccessToken(identityToken: DecodedJWT, permissions: List<Pair<String, List<String>>>): DecodedJWT {
+        return JWT.decode(authzClient.authorization(identityToken.token).authorize(AuthorizationRequest().also {
+            for (permission in permissions) {
+                it.addPermission(permission.first, permission.second)
+            }
+        }).token)
+    }
+
     @Synchronized
-    fun hasPermission(accessToken: DecodedJWT, resourceSpec: KeycloakResource, scope: KeycloakScope): Boolean {
-        ensureResourcesExists(resourceSpec, accessToken)
-        val allPermissions = getPermissions(accessToken)
-        val forResource = allPermissions.filter { it.resourceName == resourceSpec.name }
-        if (forResource.isEmpty()) return false
-        val scopes: Set<String> = forResource.mapNotNull { it.scopes }.flatten().toSet()
-        if (scopes.isEmpty()) {
-            // If the permissions are not restricted to any scope we assume they are valid for all scopes.
-            return true
+    fun hasPermission(identityOrAccessToken: DecodedJWT, resourceSpec: KeycloakResource, scope: KeycloakScope): Boolean {
+        val key = identityOrAccessToken to resourceSpec to scope
+        return permissionCache.get(key) { checkPermission(identityOrAccessToken, resourceSpec, scope) }
+    }
+
+    private fun checkPermission(identityOrAccessToken: DecodedJWT, resourceSpec: KeycloakResource, scope: KeycloakScope): Boolean {
+        ensureResourcesExists(resourceSpec, identityOrAccessToken)
+
+        if (isAccessToken(identityOrAccessToken)) {
+            val grantedPermissions = readPermissions(identityOrAccessToken)
+            val forResource = grantedPermissions.filter { it.resourceName == resourceSpec.name }
+            if (forResource.isEmpty()) return false
+            val scopes: Set<String> = forResource.mapNotNull { it.scopes }.flatten().toSet()
+            if (scopes.isEmpty()) {
+                // If the permissions are not restricted to any scope we assume they are valid for all scopes.
+                return true
+            }
+            return scopes.contains(scope.name)
+        } else {
+            return try {
+                createAccessToken(identityOrAccessToken, listOf(resourceSpec.name to listOf(scope.name)))
+                true
+            } catch (_: AuthorizationDeniedException) {
+                false
+            }
         }
-        return scopes.contains(scope.name)
     }
 
     @Synchronized

authorization/src/main/kotlin/org/modelix/authorization/KtorAuthUtils.kt

@@ -114,9 +114,6 @@ fun Application.installAuthentication(unitTestMode: Boolean = false) {
                                 |Validation result: $validationError
                                 |
                                 |$claims
-                                |
-                                |Permissions:
-                                |${KeycloakUtils.getPermissions(jwt).joinToString("\n") { "    $it" }}
                                 |""".trimMargin())
                 }
             }

build.gradle.kts

@@ -19,7 +19,7 @@ plugins {
     alias(libs.plugins.ktlint) apply false
     alias(libs.plugins.spotless) apply false
     alias(libs.plugins.tasktree)
-    id("org.jetbrains.dokka") version "1.8.10"
+    id("org.jetbrains.dokka") version "1.8.20"
 }
 
 repositories {

docker-build-model.sh

@@ -3,16 +3,14 @@
 set -e
 
 TAG=$( ./modelix-version.sh )
-MODELIX_TARGET_PLATFORM="${MODELIX_TARGET_PLATFORM:=linux/amd64}"
 
 (
   cd model-server
   if [ "${CI}" = "true" ]; then
-    docker buildx build --platform linux/amd64,linux/arm64 --push --no-cache \
+    docker buildx build --platform linux/amd64,linux/arm64 --push \
     -t modelix/modelix-model:latest -t "modelix/modelix-model:${TAG}" .
   else
-    docker build --platform "${MODELIX_TARGET_PLATFORM}" --no-cache \
-    -t modelix/modelix-model:latest -t "modelix/modelix-model:${TAG}" .
+    docker build -t modelix/modelix-model:latest -t "modelix/modelix-model:${TAG}" .
   fi
 )
 

docs/global/modules/core/images/model-api.api.png

@@ -11,7 +11,7 @@ https://github.com/modelix/modelix.core[Repository^] | https://github.com/modeli
 
 In order to export a meta-model (i.e. the structure aspect of a langauge) from MPS, modelix uses the MPS solution `metamodel-export`.
 This solution maps the structure of a language to corresponding serializable data classes of the https://api.modelix.org/2.3.0/model-api/org.modelix.model.data/index.html[`model-api`] (e.g. `LanguageData` and `ConcepData`).
-Further, the `metamodel-expor` provides a command line interface to export these data classes to a JSON file from outside of MPS.
+Further, the `metamodel-export` provides a command line interface to export these data classes to a JSON file from outside of MPS.
 
 
 

docs/global/modules/core/images/model-api.data.metamodel.png

@@ -1,7 +1,6 @@
 = Gradle Plugin for the Model API Generator
 :navtitle: `model-api-gen-gradle`
 
-
 :tip-caption: 🔗 Quick Links
 [TIP]
 --
@@ -176,6 +175,10 @@ Inside the `metamodel` block a `names` block can be declared to configure `prefi
 |"\_C_TypedImpl_"
 |""
 
+|`conceptTypeAlias`
+|"CN_"
+|""
+
 |===
 
 == Example