Final cahnges to add OIDC, setting groups and authorities

2025-09-15 00:21:49 +05:30 · 2025-09-15 00:21:49 +05:30 · e960c5cfa5
commit e960c5cfa5
parent 196cf74a72
9 changed files with 171 additions and 3 deletions
--- a/build.gradle
+++ b/build.gradle
@ -23,6 +23,7 @@ repositories {
 dependencies {
 	implementation group: 'org.springdoc', name: 'springdoc-openapi-starter-webmvc-ui', version: '2.8.5'
 	implementation group: 'org.springframework.boot', name:'spring-boot-starter-oauth2-client', version: '3.5.5'
 	implementation 'org.springframework.boot:spring-boot-starter-web'
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 	testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -7,6 +7,8 @@ services:
      - CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY}
      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
      - ENV=${ENV}
      - OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID}
      - OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
    ports:
      - 5002:8080
    restart: unless-stopped
--- a/src/main/java/com/hithomelabs/CFTunnels/Config/AuthoritiesToGroupMapping.java
+++ b/src/main/java/com/hithomelabs/CFTunnels/Config/AuthoritiesToGroupMapping.java
@ -0,0 +1,28 @@
 package com.hithomelabs.CFTunnels.Config;
 import com.hithomelabs.CFTunnels.Models.Authorities;
 import com.hithomelabs.CFTunnels.Models.Groups;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
@Configuration
 public class AuthoritiesToGroupMapping {
    public Map<String, Set<GrantedAuthority>> getAuthorityForGroup(){
        HashMap<String, Set<GrantedAuthority>> mappings = new HashMap<>();
        mappings.put(Groups.GITEA_USER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_USER))));
        mappings.put(Groups.POWER_USER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_USER))));
        mappings.put(Groups.HOMELAB_DEVELOPER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_DEVELOPER))));
        mappings.put(Groups.SYSTEM_ADMIN, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_APPROVER), new SimpleGrantedAuthority(Authorities.ROLE_ADMIN))));
        return mappings;
    }
 }
--- a/src/main/java/com/hithomelabs/CFTunnels/Config/CustomOidcUserConfiguration.java
+++ b/src/main/java/com/hithomelabs/CFTunnels/Config/CustomOidcUserConfiguration.java
@ -0,0 +1,45 @@
 package com.hithomelabs.CFTunnels.Config;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
 import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@Configuration
 public class CustomOidcUserConfiguration extends OidcUserService {
        @Autowired
        AuthoritiesToGroupMapping authoritiesToGroupMapping;
        @Override
        public OidcUser loadUser(OidcUserRequest userRequest) {
            // * * Delegate to the default implementation for loading user and claims
            OidcUser oidcUser = super.loadUser(userRequest);
            // * * Copy existing authorities (e.g. scopes → authorities)
            Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
            // * * Extract your custom claim (change "roles" to your claim name)
            List<String> groups = oidcUser.getClaimAsStringList("groups");
            if (groups != null) {
                groups.forEach(group ->
                        mappedAuthorities.addAll(authoritiesToGroupMapping.getAuthorityForGroup().get(group))
                );
            }
            // * * Return a new DefaultOidcUser with merged authorities
            return new DefaultOidcUser(
                    mappedAuthorities,
                    oidcUser.getIdToken(),
                    oidcUser.getUserInfo()
            );
        }
    }
--- a/src/main/java/com/hithomelabs/CFTunnels/Config/Security/SecuirtyConfig.java
+++ b/src/main/java/com/hithomelabs/CFTunnels/Config/Security/SecuirtyConfig.java
@ -0,0 +1,39 @@
 package com.hithomelabs.CFTunnels.Config.Security;
 import com.hithomelabs.CFTunnels.Config.CustomOidcUserConfiguration;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
@Configuration
@EnableWebSecurity
@EnableMethodSecurity(
        prePostEnabled = true,
        securedEnabled   = true,
        jsr250Enabled    = true
 )
 public class SecuirtyConfig {
    @Autowired
    private CustomOidcUserConfiguration customOidcUserConfiguration;
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(auth -> auth
                        .anyRequest().authenticated()
                )
                .with(new OAuth2LoginConfigurer<>(), oauth2 -> oauth2.userInfoEndpoint(u -> u.oidcUserService(customOidcUserConfiguration)));
        return http.build();
    }
 }
--- a/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java
+++ b/src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java
@ -1,8 +1,7 @@
 package com.hithomelabs.CFTunnels.Controllers;
 import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.hithomelabs.CFTunnels.Config.AuthoritiesToGroupMapping;
 import com.fasterxml.jackson.databind.SerializationFeature;
 import com.hithomelabs.CFTunnels.Config.CloudflareConfig;
 import com.hithomelabs.CFTunnels.Config.RestTemplateConfig;
 import com.hithomelabs.CFTunnels.Headers.AuthKeyEmailHeader;
@ -11,7 +10,10 @@ import com.hithomelabs.CFTunnels.Models.Ingress;
 import com.hithomelabs.CFTunnels.Models.TunnelResponse;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.*;
-import org.springframework.http.converter.HttpMessageConverter;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.client.RestTemplate;
@ -25,6 +27,8 @@ public class TunnelController {
    private final RestTemplate restTemplate = new RestTemplate();
    @Autowired
    private AuthoritiesToGroupMapping authoritiesToGroupMapping;
    @Autowired
    private CloudflareConfig cloudflareConfig;
@ -34,6 +38,20 @@ public class TunnelController {
    @Autowired
    private RestTemplateConfig restTemplateConfig;
    @PreAuthorize("hasAnyRole('USER')")
    @GetMapping("/whoami")
    public Map<String,Object> whoAmI(@AuthenticationPrincipal OidcUser oidcUser) {
        List<String> authorities = oidcUser.getAuthorities().stream()
                .map(GrantedAuthority::getAuthority)
                .toList();
        return Map.of(
                "username", oidcUser.getPreferredUsername(),
                "roles", authorities
        );
    }
    @PreAuthorize("hasAnyRole('USER')")
    @GetMapping("/tunnels")
    public ResponseEntity<Map<String,Object>> getTunnels(){
@ -50,6 +68,7 @@ public class TunnelController {
        return ResponseEntity.ok(jsonResponse);
    }
    @PreAuthorize("hasAnyRole('DEVELOPER')")
    @GetMapping("/tunnel/{tunnelId}")
    public ResponseEntity<Map<String,Object>> getTunnelConfigurations(@PathVariable String tunnelId) throws JsonProcessingException {
@ -67,6 +86,7 @@ public class TunnelController {
    }
 // 50df9101-f625-4618-b7c5-100338a57124
    @PreAuthorize("hasAnyRole('ADMIN')")
    @PutMapping("/tunnel/{tunnelId}/add")
    public ResponseEntity<Map<String, Object>> addTunnelconfiguration(@PathVariable String tunnelId, @RequestBody Ingress ingress) throws JsonProcessingException {
@ -95,6 +115,7 @@ public class TunnelController {
        return ResponseEntity.ok(jsonResponse);
    }
    @PreAuthorize("hasAnyRole('DEVELOPER')")
    @PutMapping("/tunnel/{tunnelId}/delete")
    public ResponseEntity<Map<String, Object>> deleteTunnelConfiguration(@PathVariable String tunnelId, @RequestBody Ingress ingress) throws JsonProcessingException {
--- a/src/main/java/com/hithomelabs/CFTunnels/Models/Authorities.java
+++ b/src/main/java/com/hithomelabs/CFTunnels/Models/Authorities.java
@ -0,0 +1,10 @@
 package com.hithomelabs.CFTunnels.Models;
 public class Authorities {
    public static final String ROLE_ADMIN = "ROLE_ADMIN";
    public static final String ROLE_DEVELOPER = "ROLE_DEVELOPER";
    public static final String ROLE_USER = "ROLE_USER";
    public static final String ROLE_APPROVER = "ROLE_APPROVER";
 }
--- a/src/main/java/com/hithomelabs/CFTunnels/Models/Groups.java
+++ b/src/main/java/com/hithomelabs/CFTunnels/Models/Groups.java
@ -0,0 +1,10 @@
 package com.hithomelabs.CFTunnels.Models;
 public class Groups {
    public static final String HOMELAB_DEVELOPER = "homelab developer";
    public static final String SYSTEM_ADMIN = "authentik Admins";
    public static final String POWER_USER = "arr premium";
    public static final String GITEA_USER = "gitrestricted";
 }
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@ -3,3 +3,15 @@ cloudflare.accountId=${CLOUDFLARE_ACCOUNT_ID}
 cloudflare.apiKey=${CLOUDFLARE_API_KEY}
 cloudflare.email=${CLOUDFLARE_EMAIL}
 spring.profiles.active=${ENV}
 spring.security.oauth2.client.registration.cftunnels.client-id=${OAUTH_CLIENT_ID}
 spring.security.oauth2.client.registration.cftunnels.client-secret=${OAUTH_CLIENT_SECRET}
 spring.security.oauth2.client.registration.cftunnels.authorization-grant-type=authorization_code
 spring.security.oauth2.client.registration.cftunnels.redirect-uri={baseUrl}/login/oauth2/code/cftunnels
 spring.security.oauth2.client.registration.cftunnels.scope=openid,profile,email,offline_access,cftunnels
 spring.security.oauth2.client.provider.cftunnels.authorization-uri=https://auth.hithomelabs.com/application/o/authorize/
 spring.security.oauth2.client.provider.cftunnels.token-uri=https://auth.hithomelabs.com/application/o/token/
 spring.security.oauth2.client.provider.cftunnels.user-info-uri=https://auth.hithomelabs.com/application/o/userinfo/
 spring.security.oauth2.client.provider.cftunnels.jwk-set-uri=https://auth.hithomelabs.com/application/o/cftunnels/jwks/
 spring.security.oauth2.client.provider.cftunnels.issuer-uri=https://auth.hithomelabs.com/application/o/cftunnels/