First major release #68
@ -23,6 +23,7 @@ repositories {
|
|||||||
|
|
||||||
dependencies {
|
dependencies {
|
||||||
implementation group: 'org.springdoc', name: 'springdoc-openapi-starter-webmvc-ui', version: '2.8.5'
|
implementation group: 'org.springdoc', name: 'springdoc-openapi-starter-webmvc-ui', version: '2.8.5'
|
||||||
|
implementation group: 'org.springframework.boot', name:'spring-boot-starter-oauth2-client', version: '3.5.5'
|
||||||
implementation 'org.springframework.boot:spring-boot-starter-web'
|
implementation 'org.springframework.boot:spring-boot-starter-web'
|
||||||
testImplementation 'org.springframework.boot:spring-boot-starter-test'
|
testImplementation 'org.springframework.boot:spring-boot-starter-test'
|
||||||
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
|
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
|
||||||
|
|||||||
@ -7,6 +7,8 @@ services:
|
|||||||
- CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY}
|
- CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY}
|
||||||
- CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
|
- CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
|
||||||
- ENV=${ENV}
|
- ENV=${ENV}
|
||||||
|
- OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID}
|
||||||
|
- OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
|
||||||
ports:
|
ports:
|
||||||
- 5002:8080
|
- 5002:8080
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
@ -0,0 +1,28 @@
|
|||||||
|
package com.hithomelabs.CFTunnels.Config;
|
||||||
|
|
||||||
|
import com.hithomelabs.CFTunnels.Models.Authorities;
|
||||||
|
import com.hithomelabs.CFTunnels.Models.Groups;
|
||||||
|
import org.springframework.context.annotation.Configuration;
|
||||||
|
import org.springframework.security.core.GrantedAuthority;
|
||||||
|
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||||
|
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.HashSet;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.Set;
|
||||||
|
|
||||||
|
@Configuration
|
||||||
|
public class AuthoritiesToGroupMapping {
|
||||||
|
|
||||||
|
public Map<String, Set<GrantedAuthority>> getAuthorityForGroup(){
|
||||||
|
HashMap<String, Set<GrantedAuthority>> mappings = new HashMap<>();
|
||||||
|
mappings.put(Groups.GITEA_USER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_USER))));
|
||||||
|
mappings.put(Groups.POWER_USER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_USER))));
|
||||||
|
mappings.put(Groups.HOMELAB_DEVELOPER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_DEVELOPER))));
|
||||||
|
mappings.put(Groups.SYSTEM_ADMIN, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_APPROVER), new SimpleGrantedAuthority(Authorities.ROLE_ADMIN))));
|
||||||
|
return mappings;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
@ -0,0 +1,45 @@
|
|||||||
|
package com.hithomelabs.CFTunnels.Config;
|
||||||
|
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.context.annotation.Configuration;
|
||||||
|
import org.springframework.security.core.GrantedAuthority;
|
||||||
|
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
|
||||||
|
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
|
||||||
|
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
|
||||||
|
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
|
||||||
|
|
||||||
|
import java.util.HashSet;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Set;
|
||||||
|
|
||||||
|
@Configuration
|
||||||
|
public class CustomOidcUserConfiguration extends OidcUserService {
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
AuthoritiesToGroupMapping authoritiesToGroupMapping;
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public OidcUser loadUser(OidcUserRequest userRequest) {
|
||||||
|
// * * Delegate to the default implementation for loading user and claims
|
||||||
|
OidcUser oidcUser = super.loadUser(userRequest);
|
||||||
|
|
||||||
|
// * * Copy existing authorities (e.g. scopes → authorities)
|
||||||
|
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
|
||||||
|
|
||||||
|
// * * Extract your custom claim (change "roles" to your claim name)
|
||||||
|
List<String> groups = oidcUser.getClaimAsStringList("groups");
|
||||||
|
if (groups != null) {
|
||||||
|
groups.forEach(group ->
|
||||||
|
mappedAuthorities.addAll(authoritiesToGroupMapping.getAuthorityForGroup().get(group))
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
// * * Return a new DefaultOidcUser with merged authorities
|
||||||
|
return new DefaultOidcUser(
|
||||||
|
mappedAuthorities,
|
||||||
|
oidcUser.getIdToken(),
|
||||||
|
oidcUser.getUserInfo()
|
||||||
|
);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
@ -0,0 +1,39 @@
|
|||||||
|
package com.hithomelabs.CFTunnels.Config.Security;
|
||||||
|
|
||||||
|
import com.hithomelabs.CFTunnels.Config.CustomOidcUserConfiguration;
|
||||||
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
|
import org.springframework.context.annotation.Bean;
|
||||||
|
import org.springframework.context.annotation.Configuration;
|
||||||
|
|
||||||
|
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||||
|
import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer;
|
||||||
|
import org.springframework.security.web.SecurityFilterChain;
|
||||||
|
|
||||||
|
|
||||||
|
@Configuration
|
||||||
|
@EnableWebSecurity
|
||||||
|
@EnableMethodSecurity(
|
||||||
|
prePostEnabled = true,
|
||||||
|
securedEnabled = true,
|
||||||
|
jsr250Enabled = true
|
||||||
|
)
|
||||||
|
public class SecuirtyConfig {
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private CustomOidcUserConfiguration customOidcUserConfiguration;
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||||
|
http
|
||||||
|
.authorizeHttpRequests(auth -> auth
|
||||||
|
.anyRequest().authenticated()
|
||||||
|
)
|
||||||
|
.with(new OAuth2LoginConfigurer<>(), oauth2 -> oauth2.userInfoEndpoint(u -> u.oidcUserService(customOidcUserConfiguration)));
|
||||||
|
|
||||||
|
|
||||||
|
return http.build();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
@ -1,8 +1,7 @@
|
|||||||
package com.hithomelabs.CFTunnels.Controllers;
|
package com.hithomelabs.CFTunnels.Controllers;
|
||||||
|
|
||||||
import com.fasterxml.jackson.core.JsonProcessingException;
|
import com.fasterxml.jackson.core.JsonProcessingException;
|
||||||
import com.fasterxml.jackson.databind.ObjectMapper;
|
import com.hithomelabs.CFTunnels.Config.AuthoritiesToGroupMapping;
|
||||||
import com.fasterxml.jackson.databind.SerializationFeature;
|
|
||||||
import com.hithomelabs.CFTunnels.Config.CloudflareConfig;
|
import com.hithomelabs.CFTunnels.Config.CloudflareConfig;
|
||||||
import com.hithomelabs.CFTunnels.Config.RestTemplateConfig;
|
import com.hithomelabs.CFTunnels.Config.RestTemplateConfig;
|
||||||
import com.hithomelabs.CFTunnels.Headers.AuthKeyEmailHeader;
|
import com.hithomelabs.CFTunnels.Headers.AuthKeyEmailHeader;
|
||||||
@ -11,7 +10,10 @@ import com.hithomelabs.CFTunnels.Models.Ingress;
|
|||||||
import com.hithomelabs.CFTunnels.Models.TunnelResponse;
|
import com.hithomelabs.CFTunnels.Models.TunnelResponse;
|
||||||
import org.springframework.beans.factory.annotation.Autowired;
|
import org.springframework.beans.factory.annotation.Autowired;
|
||||||
import org.springframework.http.*;
|
import org.springframework.http.*;
|
||||||
import org.springframework.http.converter.HttpMessageConverter;
|
import org.springframework.security.access.prepost.PreAuthorize;
|
||||||
|
import org.springframework.security.core.GrantedAuthority;
|
||||||
|
import org.springframework.security.core.annotation.AuthenticationPrincipal;
|
||||||
|
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
|
||||||
import org.springframework.web.bind.annotation.*;
|
import org.springframework.web.bind.annotation.*;
|
||||||
import org.springframework.web.client.RestTemplate;
|
import org.springframework.web.client.RestTemplate;
|
||||||
|
|
||||||
@ -25,6 +27,8 @@ public class TunnelController {
|
|||||||
|
|
||||||
private final RestTemplate restTemplate = new RestTemplate();
|
private final RestTemplate restTemplate = new RestTemplate();
|
||||||
|
|
||||||
|
@Autowired
|
||||||
|
private AuthoritiesToGroupMapping authoritiesToGroupMapping;
|
||||||
@Autowired
|
@Autowired
|
||||||
private CloudflareConfig cloudflareConfig;
|
private CloudflareConfig cloudflareConfig;
|
||||||
|
|
||||||
@ -34,6 +38,20 @@ public class TunnelController {
|
|||||||
@Autowired
|
@Autowired
|
||||||
private RestTemplateConfig restTemplateConfig;
|
private RestTemplateConfig restTemplateConfig;
|
||||||
|
|
||||||
|
@PreAuthorize("hasAnyRole('USER')")
|
||||||
|
@GetMapping("/whoami")
|
||||||
|
public Map<String,Object> whoAmI(@AuthenticationPrincipal OidcUser oidcUser) {
|
||||||
|
|
||||||
|
List<String> authorities = oidcUser.getAuthorities().stream()
|
||||||
|
.map(GrantedAuthority::getAuthority)
|
||||||
|
.toList();
|
||||||
|
return Map.of(
|
||||||
|
"username", oidcUser.getPreferredUsername(),
|
||||||
|
"roles", authorities
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
@PreAuthorize("hasAnyRole('USER')")
|
||||||
@GetMapping("/tunnels")
|
@GetMapping("/tunnels")
|
||||||
public ResponseEntity<Map<String,Object>> getTunnels(){
|
public ResponseEntity<Map<String,Object>> getTunnels(){
|
||||||
|
|
||||||
@ -50,6 +68,7 @@ public class TunnelController {
|
|||||||
return ResponseEntity.ok(jsonResponse);
|
return ResponseEntity.ok(jsonResponse);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@PreAuthorize("hasAnyRole('DEVELOPER')")
|
||||||
@GetMapping("/tunnel/{tunnelId}")
|
@GetMapping("/tunnel/{tunnelId}")
|
||||||
public ResponseEntity<Map<String,Object>> getTunnelConfigurations(@PathVariable String tunnelId) throws JsonProcessingException {
|
public ResponseEntity<Map<String,Object>> getTunnelConfigurations(@PathVariable String tunnelId) throws JsonProcessingException {
|
||||||
|
|
||||||
@ -67,6 +86,7 @@ public class TunnelController {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// 50df9101-f625-4618-b7c5-100338a57124
|
// 50df9101-f625-4618-b7c5-100338a57124
|
||||||
|
@PreAuthorize("hasAnyRole('ADMIN')")
|
||||||
@PutMapping("/tunnel/{tunnelId}/add")
|
@PutMapping("/tunnel/{tunnelId}/add")
|
||||||
public ResponseEntity<Map<String, Object>> addTunnelconfiguration(@PathVariable String tunnelId, @RequestBody Ingress ingress) throws JsonProcessingException {
|
public ResponseEntity<Map<String, Object>> addTunnelconfiguration(@PathVariable String tunnelId, @RequestBody Ingress ingress) throws JsonProcessingException {
|
||||||
|
|
||||||
@ -95,6 +115,7 @@ public class TunnelController {
|
|||||||
return ResponseEntity.ok(jsonResponse);
|
return ResponseEntity.ok(jsonResponse);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@PreAuthorize("hasAnyRole('DEVELOPER')")
|
||||||
@PutMapping("/tunnel/{tunnelId}/delete")
|
@PutMapping("/tunnel/{tunnelId}/delete")
|
||||||
public ResponseEntity<Map<String, Object>> deleteTunnelConfiguration(@PathVariable String tunnelId, @RequestBody Ingress ingress) throws JsonProcessingException {
|
public ResponseEntity<Map<String, Object>> deleteTunnelConfiguration(@PathVariable String tunnelId, @RequestBody Ingress ingress) throws JsonProcessingException {
|
||||||
|
|
||||||
|
|||||||
@ -0,0 +1,10 @@
|
|||||||
|
package com.hithomelabs.CFTunnels.Models;
|
||||||
|
|
||||||
|
public class Authorities {
|
||||||
|
|
||||||
|
public static final String ROLE_ADMIN = "ROLE_ADMIN";
|
||||||
|
public static final String ROLE_DEVELOPER = "ROLE_DEVELOPER";
|
||||||
|
public static final String ROLE_USER = "ROLE_USER";
|
||||||
|
public static final String ROLE_APPROVER = "ROLE_APPROVER";
|
||||||
|
|
||||||
|
}
|
||||||
10
src/main/java/com/hithomelabs/CFTunnels/Models/Groups.java
Normal file
10
src/main/java/com/hithomelabs/CFTunnels/Models/Groups.java
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
package com.hithomelabs.CFTunnels.Models;
|
||||||
|
|
||||||
|
public class Groups {
|
||||||
|
|
||||||
|
public static final String HOMELAB_DEVELOPER = "homelab developer";
|
||||||
|
public static final String SYSTEM_ADMIN = "authentik Admins";
|
||||||
|
public static final String POWER_USER = "arr premium";
|
||||||
|
public static final String GITEA_USER = "gitrestricted";
|
||||||
|
|
||||||
|
}
|
||||||
@ -3,3 +3,15 @@ cloudflare.accountId=${CLOUDFLARE_ACCOUNT_ID}
|
|||||||
cloudflare.apiKey=${CLOUDFLARE_API_KEY}
|
cloudflare.apiKey=${CLOUDFLARE_API_KEY}
|
||||||
cloudflare.email=${CLOUDFLARE_EMAIL}
|
cloudflare.email=${CLOUDFLARE_EMAIL}
|
||||||
spring.profiles.active=${ENV}
|
spring.profiles.active=${ENV}
|
||||||
|
|
||||||
|
spring.security.oauth2.client.registration.cftunnels.client-id=${OAUTH_CLIENT_ID}
|
||||||
|
spring.security.oauth2.client.registration.cftunnels.client-secret=${OAUTH_CLIENT_SECRET}
|
||||||
|
spring.security.oauth2.client.registration.cftunnels.authorization-grant-type=authorization_code
|
||||||
|
spring.security.oauth2.client.registration.cftunnels.redirect-uri={baseUrl}/login/oauth2/code/cftunnels
|
||||||
|
spring.security.oauth2.client.registration.cftunnels.scope=openid,profile,email,offline_access,cftunnels
|
||||||
|
|
||||||
|
spring.security.oauth2.client.provider.cftunnels.authorization-uri=https://auth.hithomelabs.com/application/o/authorize/
|
||||||
|
spring.security.oauth2.client.provider.cftunnels.token-uri=https://auth.hithomelabs.com/application/o/token/
|
||||||
|
spring.security.oauth2.client.provider.cftunnels.user-info-uri=https://auth.hithomelabs.com/application/o/userinfo/
|
||||||
|
spring.security.oauth2.client.provider.cftunnels.jwk-set-uri=https://auth.hithomelabs.com/application/o/cftunnels/jwks/
|
||||||
|
spring.security.oauth2.client.provider.cftunnels.issuer-uri=https://auth.hithomelabs.com/application/o/cftunnels/
|
||||||
Loading…
Reference in New Issue
Block a user