forked from Hithomelabs/CFTunnels
Final cahnges to add OIDC, setting groups and authorities
This commit is contained in:
parent
196cf74a72
commit
e960c5cfa5
@ -23,6 +23,7 @@ repositories {
|
||||
|
||||
dependencies {
|
||||
implementation group: 'org.springdoc', name: 'springdoc-openapi-starter-webmvc-ui', version: '2.8.5'
|
||||
implementation group: 'org.springframework.boot', name:'spring-boot-starter-oauth2-client', version: '3.5.5'
|
||||
implementation 'org.springframework.boot:spring-boot-starter-web'
|
||||
testImplementation 'org.springframework.boot:spring-boot-starter-test'
|
||||
testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
|
||||
|
||||
@ -7,6 +7,8 @@ services:
|
||||
- CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY}
|
||||
- CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
|
||||
- ENV=${ENV}
|
||||
- OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID}
|
||||
- OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
|
||||
ports:
|
||||
- 5002:8080
|
||||
restart: unless-stopped
|
||||
@ -0,0 +1,28 @@
|
||||
package com.hithomelabs.CFTunnels.Config;
|
||||
|
||||
import com.hithomelabs.CFTunnels.Models.Authorities;
|
||||
import com.hithomelabs.CFTunnels.Models.Groups;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.HashSet;
|
||||
import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
@Configuration
|
||||
public class AuthoritiesToGroupMapping {
|
||||
|
||||
public Map<String, Set<GrantedAuthority>> getAuthorityForGroup(){
|
||||
HashMap<String, Set<GrantedAuthority>> mappings = new HashMap<>();
|
||||
mappings.put(Groups.GITEA_USER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_USER))));
|
||||
mappings.put(Groups.POWER_USER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_USER))));
|
||||
mappings.put(Groups.HOMELAB_DEVELOPER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_DEVELOPER))));
|
||||
mappings.put(Groups.SYSTEM_ADMIN, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_APPROVER), new SimpleGrantedAuthority(Authorities.ROLE_ADMIN))));
|
||||
return mappings;
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
|
||||
@ -0,0 +1,45 @@
|
||||
package com.hithomelabs.CFTunnels.Config;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
|
||||
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
|
||||
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
|
||||
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
|
||||
@Configuration
|
||||
public class CustomOidcUserConfiguration extends OidcUserService {
|
||||
|
||||
@Autowired
|
||||
AuthoritiesToGroupMapping authoritiesToGroupMapping;
|
||||
|
||||
@Override
|
||||
public OidcUser loadUser(OidcUserRequest userRequest) {
|
||||
// * * Delegate to the default implementation for loading user and claims
|
||||
OidcUser oidcUser = super.loadUser(userRequest);
|
||||
|
||||
// * * Copy existing authorities (e.g. scopes → authorities)
|
||||
Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
|
||||
|
||||
// * * Extract your custom claim (change "roles" to your claim name)
|
||||
List<String> groups = oidcUser.getClaimAsStringList("groups");
|
||||
if (groups != null) {
|
||||
groups.forEach(group ->
|
||||
mappedAuthorities.addAll(authoritiesToGroupMapping.getAuthorityForGroup().get(group))
|
||||
);
|
||||
}
|
||||
|
||||
// * * Return a new DefaultOidcUser with merged authorities
|
||||
return new DefaultOidcUser(
|
||||
mappedAuthorities,
|
||||
oidcUser.getIdToken(),
|
||||
oidcUser.getUserInfo()
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
@ -0,0 +1,39 @@
|
||||
package com.hithomelabs.CFTunnels.Config.Security;
|
||||
|
||||
import com.hithomelabs.CFTunnels.Config.CustomOidcUserConfiguration;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.annotation.Bean;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
|
||||
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer;
|
||||
import org.springframework.security.web.SecurityFilterChain;
|
||||
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
@EnableMethodSecurity(
|
||||
prePostEnabled = true,
|
||||
securedEnabled = true,
|
||||
jsr250Enabled = true
|
||||
)
|
||||
public class SecuirtyConfig {
|
||||
|
||||
@Autowired
|
||||
private CustomOidcUserConfiguration customOidcUserConfiguration;
|
||||
|
||||
@Bean
|
||||
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.authorizeHttpRequests(auth -> auth
|
||||
.anyRequest().authenticated()
|
||||
)
|
||||
.with(new OAuth2LoginConfigurer<>(), oauth2 -> oauth2.userInfoEndpoint(u -> u.oidcUserService(customOidcUserConfiguration)));
|
||||
|
||||
|
||||
return http.build();
|
||||
}
|
||||
|
||||
}
|
||||
@ -1,8 +1,7 @@
|
||||
package com.hithomelabs.CFTunnels.Controllers;
|
||||
|
||||
import com.fasterxml.jackson.core.JsonProcessingException;
|
||||
import com.fasterxml.jackson.databind.ObjectMapper;
|
||||
import com.fasterxml.jackson.databind.SerializationFeature;
|
||||
import com.hithomelabs.CFTunnels.Config.AuthoritiesToGroupMapping;
|
||||
import com.hithomelabs.CFTunnels.Config.CloudflareConfig;
|
||||
import com.hithomelabs.CFTunnels.Config.RestTemplateConfig;
|
||||
import com.hithomelabs.CFTunnels.Headers.AuthKeyEmailHeader;
|
||||
@ -11,7 +10,10 @@ import com.hithomelabs.CFTunnels.Models.Ingress;
|
||||
import com.hithomelabs.CFTunnels.Models.TunnelResponse;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.http.*;
|
||||
import org.springframework.http.converter.HttpMessageConverter;
|
||||
import org.springframework.security.access.prepost.PreAuthorize;
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
import org.springframework.security.core.annotation.AuthenticationPrincipal;
|
||||
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
|
||||
import org.springframework.web.bind.annotation.*;
|
||||
import org.springframework.web.client.RestTemplate;
|
||||
|
||||
@ -25,6 +27,8 @@ public class TunnelController {
|
||||
|
||||
private final RestTemplate restTemplate = new RestTemplate();
|
||||
|
||||
@Autowired
|
||||
private AuthoritiesToGroupMapping authoritiesToGroupMapping;
|
||||
@Autowired
|
||||
private CloudflareConfig cloudflareConfig;
|
||||
|
||||
@ -34,6 +38,20 @@ public class TunnelController {
|
||||
@Autowired
|
||||
private RestTemplateConfig restTemplateConfig;
|
||||
|
||||
@PreAuthorize("hasAnyRole('USER')")
|
||||
@GetMapping("/whoami")
|
||||
public Map<String,Object> whoAmI(@AuthenticationPrincipal OidcUser oidcUser) {
|
||||
|
||||
List<String> authorities = oidcUser.getAuthorities().stream()
|
||||
.map(GrantedAuthority::getAuthority)
|
||||
.toList();
|
||||
return Map.of(
|
||||
"username", oidcUser.getPreferredUsername(),
|
||||
"roles", authorities
|
||||
);
|
||||
}
|
||||
|
||||
@PreAuthorize("hasAnyRole('USER')")
|
||||
@GetMapping("/tunnels")
|
||||
public ResponseEntity<Map<String,Object>> getTunnels(){
|
||||
|
||||
@ -50,6 +68,7 @@ public class TunnelController {
|
||||
return ResponseEntity.ok(jsonResponse);
|
||||
}
|
||||
|
||||
@PreAuthorize("hasAnyRole('DEVELOPER')")
|
||||
@GetMapping("/tunnel/{tunnelId}")
|
||||
public ResponseEntity<Map<String,Object>> getTunnelConfigurations(@PathVariable String tunnelId) throws JsonProcessingException {
|
||||
|
||||
@ -67,6 +86,7 @@ public class TunnelController {
|
||||
}
|
||||
|
||||
// 50df9101-f625-4618-b7c5-100338a57124
|
||||
@PreAuthorize("hasAnyRole('ADMIN')")
|
||||
@PutMapping("/tunnel/{tunnelId}/add")
|
||||
public ResponseEntity<Map<String, Object>> addTunnelconfiguration(@PathVariable String tunnelId, @RequestBody Ingress ingress) throws JsonProcessingException {
|
||||
|
||||
@ -95,6 +115,7 @@ public class TunnelController {
|
||||
return ResponseEntity.ok(jsonResponse);
|
||||
}
|
||||
|
||||
@PreAuthorize("hasAnyRole('DEVELOPER')")
|
||||
@PutMapping("/tunnel/{tunnelId}/delete")
|
||||
public ResponseEntity<Map<String, Object>> deleteTunnelConfiguration(@PathVariable String tunnelId, @RequestBody Ingress ingress) throws JsonProcessingException {
|
||||
|
||||
|
||||
@ -0,0 +1,10 @@
|
||||
package com.hithomelabs.CFTunnels.Models;
|
||||
|
||||
public class Authorities {
|
||||
|
||||
public static final String ROLE_ADMIN = "ROLE_ADMIN";
|
||||
public static final String ROLE_DEVELOPER = "ROLE_DEVELOPER";
|
||||
public static final String ROLE_USER = "ROLE_USER";
|
||||
public static final String ROLE_APPROVER = "ROLE_APPROVER";
|
||||
|
||||
}
|
||||
10
src/main/java/com/hithomelabs/CFTunnels/Models/Groups.java
Normal file
10
src/main/java/com/hithomelabs/CFTunnels/Models/Groups.java
Normal file
@ -0,0 +1,10 @@
|
||||
package com.hithomelabs.CFTunnels.Models;
|
||||
|
||||
public class Groups {
|
||||
|
||||
public static final String HOMELAB_DEVELOPER = "homelab developer";
|
||||
public static final String SYSTEM_ADMIN = "authentik Admins";
|
||||
public static final String POWER_USER = "arr premium";
|
||||
public static final String GITEA_USER = "gitrestricted";
|
||||
|
||||
}
|
||||
@ -3,3 +3,15 @@ cloudflare.accountId=${CLOUDFLARE_ACCOUNT_ID}
|
||||
cloudflare.apiKey=${CLOUDFLARE_API_KEY}
|
||||
cloudflare.email=${CLOUDFLARE_EMAIL}
|
||||
spring.profiles.active=${ENV}
|
||||
|
||||
spring.security.oauth2.client.registration.cftunnels.client-id=${OAUTH_CLIENT_ID}
|
||||
spring.security.oauth2.client.registration.cftunnels.client-secret=${OAUTH_CLIENT_SECRET}
|
||||
spring.security.oauth2.client.registration.cftunnels.authorization-grant-type=authorization_code
|
||||
spring.security.oauth2.client.registration.cftunnels.redirect-uri={baseUrl}/login/oauth2/code/cftunnels
|
||||
spring.security.oauth2.client.registration.cftunnels.scope=openid,profile,email,offline_access,cftunnels
|
||||
|
||||
spring.security.oauth2.client.provider.cftunnels.authorization-uri=https://auth.hithomelabs.com/application/o/authorize/
|
||||
spring.security.oauth2.client.provider.cftunnels.token-uri=https://auth.hithomelabs.com/application/o/token/
|
||||
spring.security.oauth2.client.provider.cftunnels.user-info-uri=https://auth.hithomelabs.com/application/o/userinfo/
|
||||
spring.security.oauth2.client.provider.cftunnels.jwk-set-uri=https://auth.hithomelabs.com/application/o/cftunnels/jwks/
|
||||
spring.security.oauth2.client.provider.cftunnels.issuer-uri=https://auth.hithomelabs.com/application/o/cftunnels/
|
||||
Loading…
Reference in New Issue
Block a user