diff --git a/build.gradle b/build.gradle index 49a3976..bfc0540 100644 --- a/build.gradle +++ b/build.gradle @@ -23,6 +23,7 @@ repositories { dependencies { implementation group: 'org.springdoc', name: 'springdoc-openapi-starter-webmvc-ui', version: '2.8.5' + implementation group: 'org.springframework.boot', name:'spring-boot-starter-oauth2-client', version: '3.5.5' implementation 'org.springframework.boot:spring-boot-starter-web' testImplementation 'org.springframework.boot:spring-boot-starter-test' testRuntimeOnly 'org.junit.platform:junit-platform-launcher' diff --git a/docker-compose.yaml b/docker-compose.yaml index 1c03e48..7cac007 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -7,6 +7,8 @@ services: - CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY} - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL} - ENV=${ENV} + - OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID} + - OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET} ports: - 5002:8080 restart: unless-stopped \ No newline at end of file diff --git a/src/main/java/com/hithomelabs/CFTunnels/Config/AuthoritiesToGroupMapping.java b/src/main/java/com/hithomelabs/CFTunnels/Config/AuthoritiesToGroupMapping.java new file mode 100644 index 0000000..b323700 --- /dev/null +++ b/src/main/java/com/hithomelabs/CFTunnels/Config/AuthoritiesToGroupMapping.java @@ -0,0 +1,28 @@ +package com.hithomelabs.CFTunnels.Config; + +import com.hithomelabs.CFTunnels.Models.Authorities; +import com.hithomelabs.CFTunnels.Models.Groups; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.authority.SimpleGrantedAuthority; + +import java.util.HashMap; +import java.util.HashSet; +import java.util.Map; +import java.util.Set; + +@Configuration +public class AuthoritiesToGroupMapping { + + public Map> getAuthorityForGroup(){ + HashMap> mappings = new HashMap<>(); + mappings.put(Groups.GITEA_USER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_USER)))); + mappings.put(Groups.POWER_USER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_USER)))); + mappings.put(Groups.HOMELAB_DEVELOPER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_DEVELOPER)))); + mappings.put(Groups.SYSTEM_ADMIN, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_APPROVER), new SimpleGrantedAuthority(Authorities.ROLE_ADMIN)))); + return mappings; + } + + + +} diff --git a/src/main/java/com/hithomelabs/CFTunnels/Config/CustomOidcUserConfiguration.java b/src/main/java/com/hithomelabs/CFTunnels/Config/CustomOidcUserConfiguration.java new file mode 100644 index 0000000..22a4e64 --- /dev/null +++ b/src/main/java/com/hithomelabs/CFTunnels/Config/CustomOidcUserConfiguration.java @@ -0,0 +1,45 @@ +package com.hithomelabs.CFTunnels.Config; + +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Configuration; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest; +import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService; +import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser; +import org.springframework.security.oauth2.core.oidc.user.OidcUser; + +import java.util.HashSet; +import java.util.List; +import java.util.Set; + +@Configuration +public class CustomOidcUserConfiguration extends OidcUserService { + + @Autowired + AuthoritiesToGroupMapping authoritiesToGroupMapping; + + @Override + public OidcUser loadUser(OidcUserRequest userRequest) { + // * * Delegate to the default implementation for loading user and claims + OidcUser oidcUser = super.loadUser(userRequest); + + // * * Copy existing authorities (e.g. scopes → authorities) + Set mappedAuthorities = new HashSet<>(); + + // * * Extract your custom claim (change "roles" to your claim name) + List groups = oidcUser.getClaimAsStringList("groups"); + if (groups != null) { + groups.forEach(group -> + mappedAuthorities.addAll(authoritiesToGroupMapping.getAuthorityForGroup().get(group)) + ); + } + + // * * Return a new DefaultOidcUser with merged authorities + return new DefaultOidcUser( + mappedAuthorities, + oidcUser.getIdToken(), + oidcUser.getUserInfo() + ); + } + } + diff --git a/src/main/java/com/hithomelabs/CFTunnels/Config/Security/SecuirtyConfig.java b/src/main/java/com/hithomelabs/CFTunnels/Config/Security/SecuirtyConfig.java new file mode 100644 index 0000000..7bd9c1e --- /dev/null +++ b/src/main/java/com/hithomelabs/CFTunnels/Config/Security/SecuirtyConfig.java @@ -0,0 +1,39 @@ +package com.hithomelabs.CFTunnels.Config.Security; + +import com.hithomelabs.CFTunnels.Config.CustomOidcUserConfiguration; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; + +import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity; +import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; +import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer; +import org.springframework.security.web.SecurityFilterChain; + + +@Configuration +@EnableWebSecurity +@EnableMethodSecurity( + prePostEnabled = true, + securedEnabled = true, + jsr250Enabled = true +) +public class SecuirtyConfig { + + @Autowired + private CustomOidcUserConfiguration customOidcUserConfiguration; + + @Bean + public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception { + http + .authorizeHttpRequests(auth -> auth + .anyRequest().authenticated() + ) + .with(new OAuth2LoginConfigurer<>(), oauth2 -> oauth2.userInfoEndpoint(u -> u.oidcUserService(customOidcUserConfiguration))); + + + return http.build(); + } + +} diff --git a/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java b/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java index 9e8ad9c..fc8819f 100644 --- a/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java +++ b/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java @@ -1,8 +1,7 @@ package com.hithomelabs.CFTunnels.Controllers; import com.fasterxml.jackson.core.JsonProcessingException; -import com.fasterxml.jackson.databind.ObjectMapper; -import com.fasterxml.jackson.databind.SerializationFeature; +import com.hithomelabs.CFTunnels.Config.AuthoritiesToGroupMapping; import com.hithomelabs.CFTunnels.Config.CloudflareConfig; import com.hithomelabs.CFTunnels.Config.RestTemplateConfig; import com.hithomelabs.CFTunnels.Headers.AuthKeyEmailHeader; @@ -11,7 +10,10 @@ import com.hithomelabs.CFTunnels.Models.Ingress; import com.hithomelabs.CFTunnels.Models.TunnelResponse; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.*; -import org.springframework.http.converter.HttpMessageConverter; +import org.springframework.security.access.prepost.PreAuthorize; +import org.springframework.security.core.GrantedAuthority; +import org.springframework.security.core.annotation.AuthenticationPrincipal; +import org.springframework.security.oauth2.core.oidc.user.OidcUser; import org.springframework.web.bind.annotation.*; import org.springframework.web.client.RestTemplate; @@ -25,6 +27,8 @@ public class TunnelController { private final RestTemplate restTemplate = new RestTemplate(); + @Autowired + private AuthoritiesToGroupMapping authoritiesToGroupMapping; @Autowired private CloudflareConfig cloudflareConfig; @@ -34,6 +38,20 @@ public class TunnelController { @Autowired private RestTemplateConfig restTemplateConfig; + @PreAuthorize("hasAnyRole('USER')") + @GetMapping("/whoami") + public Map whoAmI(@AuthenticationPrincipal OidcUser oidcUser) { + + List authorities = oidcUser.getAuthorities().stream() + .map(GrantedAuthority::getAuthority) + .toList(); + return Map.of( + "username", oidcUser.getPreferredUsername(), + "roles", authorities + ); + } + + @PreAuthorize("hasAnyRole('USER')") @GetMapping("/tunnels") public ResponseEntity> getTunnels(){ @@ -50,6 +68,7 @@ public class TunnelController { return ResponseEntity.ok(jsonResponse); } + @PreAuthorize("hasAnyRole('DEVELOPER')") @GetMapping("/tunnel/{tunnelId}") public ResponseEntity> getTunnelConfigurations(@PathVariable String tunnelId) throws JsonProcessingException { @@ -67,6 +86,7 @@ public class TunnelController { } // 50df9101-f625-4618-b7c5-100338a57124 + @PreAuthorize("hasAnyRole('ADMIN')") @PutMapping("/tunnel/{tunnelId}/add") public ResponseEntity> addTunnelconfiguration(@PathVariable String tunnelId, @RequestBody Ingress ingress) throws JsonProcessingException { @@ -95,6 +115,7 @@ public class TunnelController { return ResponseEntity.ok(jsonResponse); } + @PreAuthorize("hasAnyRole('DEVELOPER')") @PutMapping("/tunnel/{tunnelId}/delete") public ResponseEntity> deleteTunnelConfiguration(@PathVariable String tunnelId, @RequestBody Ingress ingress) throws JsonProcessingException { diff --git a/src/main/java/com/hithomelabs/CFTunnels/Models/Authorities.java b/src/main/java/com/hithomelabs/CFTunnels/Models/Authorities.java new file mode 100644 index 0000000..f26a17b --- /dev/null +++ b/src/main/java/com/hithomelabs/CFTunnels/Models/Authorities.java @@ -0,0 +1,10 @@ +package com.hithomelabs.CFTunnels.Models; + +public class Authorities { + + public static final String ROLE_ADMIN = "ROLE_ADMIN"; + public static final String ROLE_DEVELOPER = "ROLE_DEVELOPER"; + public static final String ROLE_USER = "ROLE_USER"; + public static final String ROLE_APPROVER = "ROLE_APPROVER"; + +} diff --git a/src/main/java/com/hithomelabs/CFTunnels/Models/Groups.java b/src/main/java/com/hithomelabs/CFTunnels/Models/Groups.java new file mode 100644 index 0000000..f7c213d --- /dev/null +++ b/src/main/java/com/hithomelabs/CFTunnels/Models/Groups.java @@ -0,0 +1,10 @@ +package com.hithomelabs.CFTunnels.Models; + +public class Groups { + + public static final String HOMELAB_DEVELOPER = "homelab developer"; + public static final String SYSTEM_ADMIN = "authentik Admins"; + public static final String POWER_USER = "arr premium"; + public static final String GITEA_USER = "gitrestricted"; + +} diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties index 9b04cc9..3ba3827 100644 --- a/src/main/resources/application.properties +++ b/src/main/resources/application.properties @@ -3,3 +3,15 @@ cloudflare.accountId=${CLOUDFLARE_ACCOUNT_ID} cloudflare.apiKey=${CLOUDFLARE_API_KEY} cloudflare.email=${CLOUDFLARE_EMAIL} spring.profiles.active=${ENV} + +spring.security.oauth2.client.registration.cftunnels.client-id=${OAUTH_CLIENT_ID} +spring.security.oauth2.client.registration.cftunnels.client-secret=${OAUTH_CLIENT_SECRET} +spring.security.oauth2.client.registration.cftunnels.authorization-grant-type=authorization_code +spring.security.oauth2.client.registration.cftunnels.redirect-uri={baseUrl}/login/oauth2/code/cftunnels +spring.security.oauth2.client.registration.cftunnels.scope=openid,profile,email,offline_access,cftunnels + +spring.security.oauth2.client.provider.cftunnels.authorization-uri=https://auth.hithomelabs.com/application/o/authorize/ +spring.security.oauth2.client.provider.cftunnels.token-uri=https://auth.hithomelabs.com/application/o/token/ +spring.security.oauth2.client.provider.cftunnels.user-info-uri=https://auth.hithomelabs.com/application/o/userinfo/ +spring.security.oauth2.client.provider.cftunnels.jwk-set-uri=https://auth.hithomelabs.com/application/o/cftunnels/jwks/ +spring.security.oauth2.client.provider.cftunnels.issuer-uri=https://auth.hithomelabs.com/application/o/cftunnels/ \ No newline at end of file