make auth work

2023-11-10 14:05:58 +05:30 · 2023-11-10 14:05:58 +05:30 · 1e3d9aa1f1
commit 1e3d9aa1f1
parent b0042d2e6b
9 changed files with 352 additions and 16 deletions
--- a/api.http
+++ b/api.http
@ -1,17 +1,19 @@
 ### create row
 POST http://localhost:9001/api/vehicle
 Content-Type: application/json
 Authorization: set-auth-token
 {
  "data": {
-    "number": "KA03HD6064"
+    "number": "KA01MU0556"
  },
-  "uniqueIdentifier": "KA03HD6064"
+  "uniqueIdentifier": "KA01MU0556"
 }
 ### create row, with autogenerated identifier
 POST http://localhost:9001/api/log
 Content-Type: application/json
 Authorization: set-auth-token
 {
  "data": {
@ -26,6 +28,7 @@ GET http://localhost:9001/api/vehicle/KA03HD6064
 ### query row
 POST http://localhost:9001/api/vehicle/query
 Content-Type: application/json
 Authorization: set-auth-token
 {
  "sql": "select sys_pk, tenant_id, deleted_on, deleted_by, deleted, version, created_at, modified_at, created_by, modified_by, data, tags, comments, unique_identifier, entity_name from data_model where data ->> 'number' = :number",
@ -37,6 +40,7 @@ Content-Type: application/json
 ### update field
 PATCH http://localhost:9001/api/vehicle/KA03HD6064
 Content-Type: application/json
 Authorization: set-auth-token
 {
  "key": "ownerName",
@ -47,6 +51,7 @@ Content-Type: application/json
 ### upate a row
 PUT http://localhost:9001/api/vehicle/KA03HD6064
 Content-Type: application/json
 Authorization: set-auth-token
 {
  "number": "KA03HD6064",
--- a/app-sample.properties
+++ b/app-sample.properties
@ -4,4 +4,9 @@ app.cors.hosts=www.readymixerp.com,app.readymixerp.com
 app.db.user=postgres
 app.db.pass=postgres
 app.db.url=jdbc:postgresql://192.168.64.6/modules_app
-app.db.run_migration=true
+app.db.run_migration=true
 app.iam.url=https://auth.compegence.com
 app.iam.realm=forewarn-dev
 app.iam.client=forewarn
 app.iam.client_redirect_uri=http://localhost:9001/auth/code
 app.cache.redis_uri=redis://127.0.0.1:6379/0
--- a/build.gradle.kts
+++ b/build.gradle.kts
@ -26,7 +26,9 @@ dependencies {
    implementation("com.fasterxml.jackson.module:jackson-module-kotlin:2.15.+")
    implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.15.+")
    implementation("org.bitbucket.b_c:jose4j:0.9.3")
    implementation("org.slf4j:slf4j-simple:2.0.7")
    implementation("redis.clients:jedis:5.0.2")
    api ("net.cactusthorn.config:config-core:0.81")
    kapt("net.cactusthorn.config:config-compiler:0.81")
    kapt("io.ebean:kotlin-querybean-generator:13.23.2")
--- a/src/main/kotlin/com/restapi/Main.kt
+++ b/src/main/kotlin/com/restapi/Main.kt
@ -1,7 +1,12 @@
 package com.restapi
 import AuthTokenResponse
 import com.fasterxml.jackson.databind.JsonMappingException
 import com.fasterxml.jackson.module.kotlin.readValue
 import com.restapi.config.AppConfig.Companion.appConfig
 import com.restapi.config.Auth
 import com.restapi.config.Auth.getAuthEndpoint
 import com.restapi.config.AuthEndpoint
 import com.restapi.domain.DataModel
 import com.restapi.domain.DataNotFoundException
 import com.restapi.domain.Session
@ -9,6 +14,9 @@ import com.restapi.domain.Session.creatSeq
 import com.restapi.domain.Session.database
 import com.restapi.domain.Session.findByEntityAndId
 import com.restapi.domain.Session.nextUniqId
 import com.restapi.domain.Session.objectMapper
 import com.restapi.domain.Session.redis
 import com.restapi.domain.Session.setAuthorizedUser
 import io.ebean.CallableSql
 import io.ebean.DuplicateKeyException
 import io.ebean.RawSqlBuilder
@ -17,10 +25,18 @@ import io.javalin.apibuilder.ApiBuilder.*
 import io.javalin.http.*
 import io.javalin.json.JavalinJackson
 import org.slf4j.LoggerFactory
 import java.net.URI
 import java.net.URLEncoder
 import java.net.http.HttpClient
 import java.net.http.HttpRequest
 import java.net.http.HttpRequest.BodyPublishers
 import java.net.http.HttpResponse.BodyHandlers
 import java.nio.charset.StandardCharsets
 import java.time.LocalDateTime
 fun main(args: Array<String>) {
    val logger = LoggerFactory.getLogger("api")
    Javalin
        .create { cfg ->
            cfg.http.generateEtags = true
@ -39,7 +55,47 @@ fun main(args: Array<String>) {
            cfg.jsonMapper(JavalinJackson(Session.objectMapper))
        }
        .routes {
-            before("/*") { ctx ->
+
            path("/auth") {
                get("/init") {
                    val endpoint = getAuthEndpoint().authorizationEndpoint
                    val redirectUrl =
                        "$endpoint?response_type=code&client_id=${appConfig.iamClient()}&redirect_uri=${appConfig.iamClientRedirectUri()}&scope=profile&state=1234zyx"
                    it.redirect(redirectUrl)
                }
                get("/code") {
                    val code = it.queryParam("code") ?: throw BadRequestResponse("not proper")
                    val ep = getAuthEndpoint().tokenEndpoint
                    val client = HttpClient.newHttpClient()
                    val req = HttpRequest.newBuilder()
                        .uri(URI.create(ep))
                        .POST(
                            BodyPublishers.ofString(
                                getFormDataAsString(
                                    mapOf(
                                        "code" to code,
                                        "redirect_uri" to appConfig.iamClientRedirectUri(),
                                        "client_id" to appConfig.iamClient(),
                                        "grant_type" to "authorization_code",
                                    )
                                )
                            )
                        )
                        .header("Content-Type", "application/x-www-form-urlencoded")
                        .build()
                    val message = client.send(req, BodyHandlers.ofString()).body()
                    val atResponse = objectMapper.readValue<AuthTokenResponse>(message)
                    //lets keep auth token refreshed
                    redis.sadd("AUTH_TOKEN", message)
                    it.result(atResponse.accessToken).contentType(ContentType.TEXT_PLAIN)
                }
            }
            before("/api/*") { ctx ->
                //validate, auth token
                //allow only alpha, numeric, hypen, underscore, dot in paths
@ -51,6 +107,12 @@ fun main(args: Array<String>) {
                            throw IllegalArgumentException()
                        }
                    }
                val at = ctx.header("Authorization")?.replace("Bearer ", "")?.replace("Bearer: ", "")?.trim()
                    ?: throw UnauthorizedResponse()
                val pt = Auth.parseAuthToken(authToken = at)
                setAuthorizedUser(pt)
            }
            path("/api") {
                post("/execute/{name}") {
@ -174,4 +236,17 @@ data class Query(
    val params: Map<String, Any>
 )
 private fun getFormDataAsString(formData: Map<String, String>): String {
    val formBodyBuilder = StringBuilder()
    for ((key, value) in formData) {
        if (formBodyBuilder.length > 0) {
            formBodyBuilder.append("&")
        }
        formBodyBuilder.append(URLEncoder.encode(key, StandardCharsets.UTF_8))
        formBodyBuilder.append("=")
        formBodyBuilder.append(URLEncoder.encode(value, StandardCharsets.UTF_8))
    }
    return formBodyBuilder.toString()
 }
 data class PatchValue(val key: String, val value: Any)
--- a/src/main/kotlin/com/restapi/config/AppConfig.kt
+++ b/src/main/kotlin/com/restapi/config/AppConfig.kt
@ -5,6 +5,7 @@ import net.cactusthorn.config.core.Default
 import net.cactusthorn.config.core.Key
 import net.cactusthorn.config.core.factory.ConfigFactory
 import net.cactusthorn.config.core.loader.LoadStrategy
 import java.util.Optional
 const val INITIAL_ROLES_JSON = """{
  "roles": []
@ -41,6 +42,26 @@ interface AppConfig {
    @Key("app.db.run_migration")
    fun dbRunMigration(): Boolean
    @Key("app.iam.url")
    fun iamUrl(): String
    @Key("app.iam.realm")
    fun iamRealm(): String
    @Key("app.iam.client")
    fun iamClient(): String
    @Key("app.iam.client_redirect_uri")
    fun iamClientRedirectUri(): String
    @Key("app.iam.client_id")
    fun iamClientId(): Optional<String>
    @Key("app.iam.client_secret")
    fun iamClientSecret(): Optional<String>
    @Key("app.cache.redis_uri")
    fun redisUri(): Optional<String>
    companion object {
        val appConfig: AppConfig = ConfigFactory.builder().build().create(AppConfig::class.java)
--- a/src/main/kotlin/com/restapi/config/Auth.kt
+++ b/src/main/kotlin/com/restapi/config/Auth.kt
@ -0,0 +1,72 @@
 package com.restapi.config
 import com.fasterxml.jackson.module.kotlin.readValue
 import com.restapi.config.AppConfig.Companion.appConfig
 import com.restapi.domain.Session
 import com.restapi.domain.Session.objectMapper
 import io.javalin.http.Context
 import io.javalin.http.HandlerType
 import io.javalin.http.UnauthorizedResponse
 import org.jose4j.jwk.HttpsJwks
 import org.jose4j.jwt.consumer.ErrorCodes
 import org.jose4j.jwt.consumer.InvalidJwtException
 import org.jose4j.jwt.consumer.JwtConsumerBuilder
 import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver
 import org.slf4j.LoggerFactory
 import java.net.URI
 import java.net.http.HttpClient
 import java.net.http.HttpRequest
 import java.net.http.HttpResponse
 import java.util.concurrent.ConcurrentHashMap
 import java.util.function.Function
 object Auth {
    private val authCache = ConcurrentHashMap<String, AuthEndpoint>()
    fun getAuthEndpoint(): AuthEndpoint {
        return authCache.computeIfAbsent("AUTH") {
            val wellKnown =
                "${appConfig.iamUrl()}/realms/${appConfig.iamRealm()}/.well-known/openid-configuration"
            val client = HttpClient.newHttpClient()
            val req = HttpRequest.newBuilder()
                .uri(URI.create(wellKnown))
                .GET().build()
            objectMapper.readValue<AuthEndpoint>(
                client.send(req, HttpResponse.BodyHandlers.ofString()).body()
            )
        }
    }
    private val jwtConsumer = JwtConsumerBuilder()
        .setRequireExpirationTime()
        .setAllowedClockSkewInSeconds(30)
        .setRequireSubject()
        .setExpectedIssuer(getAuthEndpoint().issuer)
        .setExpectedAudience("account")
        .setVerificationKeyResolver(HttpsJwksVerificationKeyResolver(HttpsJwks(getAuthEndpoint().jwksUri)))
        .build()
    fun parseAuthToken(authToken: String): AuthUser {
        //  Validate the JWT and process it to the Claims
        val jwtClaims = jwtConsumer.process(authToken)
        val userId = jwtClaims.jwtClaims.claimsMap["preferred_username"] as String
        val tenant = jwtClaims.jwtClaims.claimsMap["tenant"] as String
        val roles = ((jwtClaims.jwtClaims.claimsMap["realm_access"] as Map<String, Any>)["roles"]) as List<String>
        return AuthUser(
            userName = userId,
            tenant = tenant,
            roles = roles
        )
    }
 }
 data class AuthUser(val userName: String, val tenant: String, val roles: List<String>)
--- a/src/main/kotlin/com/restapi/config/AuthEndpoint.kt
+++ b/src/main/kotlin/com/restapi/config/AuthEndpoint.kt
@ -0,0 +1,132 @@
 package com.restapi.config
 import com.fasterxml.jackson.annotation.JsonProperty
 data class AuthEndpoint(
    @JsonProperty("acr_values_supported")
    val acrValuesSupported: List<String>,
    @JsonProperty("authorization_encryption_alg_values_supported")
    val authorizationEncryptionAlgValuesSupported: List<String>,
    @JsonProperty("authorization_encryption_enc_values_supported")
    val authorizationEncryptionEncValuesSupported: List<String>,
    @JsonProperty("authorization_endpoint")
    val authorizationEndpoint: String,
    @JsonProperty("authorization_signing_alg_values_supported")
    val authorizationSigningAlgValuesSupported: List<String>,
    @JsonProperty("backchannel_authentication_endpoint")
    val backchannelAuthenticationEndpoint: String,
    @JsonProperty("backchannel_authentication_request_signing_alg_values_supported")
    val backchannelAuthenticationRequestSigningAlgValuesSupported: List<String>,
    @JsonProperty("backchannel_logout_session_supported")
    val backchannelLogoutSessionSupported: Boolean,
    @JsonProperty("backchannel_logout_supported")
    val backchannelLogoutSupported: Boolean,
    @JsonProperty("backchannel_token_delivery_modes_supported")
    val backchannelTokenDeliveryModesSupported: List<String>,
    @JsonProperty("check_session_iframe")
    val checkSessionIframe: String,
    @JsonProperty("claim_types_supported")
    val claimTypesSupported: List<String>,
    @JsonProperty("claims_parameter_supported")
    val claimsParameterSupported: Boolean,
    @JsonProperty("claims_supported")
    val claimsSupported: List<String>,
    @JsonProperty("code_challenge_methods_supported")
    val codeChallengeMethodsSupported: List<String>,
    @JsonProperty("device_authorization_endpoint")
    val deviceAuthorizationEndpoint: String,
    @JsonProperty("end_session_endpoint")
    val endSessionEndpoint: String,
    @JsonProperty("frontchannel_logout_session_supported")
    val frontchannelLogoutSessionSupported: Boolean,
    @JsonProperty("frontchannel_logout_supported")
    val frontchannelLogoutSupported: Boolean,
    @JsonProperty("grant_types_supported")
    val grantTypesSupported: List<String>,
    @JsonProperty("id_token_encryption_alg_values_supported")
    val idTokenEncryptionAlgValuesSupported: List<String>,
    @JsonProperty("id_token_encryption_enc_values_supported")
    val idTokenEncryptionEncValuesSupported: List<String>,
    @JsonProperty("id_token_signing_alg_values_supported")
    val idTokenSigningAlgValuesSupported: List<String>,
    @JsonProperty("introspection_endpoint")
    val introspectionEndpoint: String,
    @JsonProperty("introspection_endpoint_auth_methods_supported")
    val introspectionEndpointAuthMethodsSupported: List<String>,
    @JsonProperty("introspection_endpoint_auth_signing_alg_values_supported")
    val introspectionEndpointAuthSigningAlgValuesSupported: List<String>,
    @JsonProperty("issuer")
    val issuer: String,
    @JsonProperty("jwks_uri")
    val jwksUri: String,
    @JsonProperty("mtls_endpoint_aliases")
    val mtlsEndpointAliases: MtlsEndpointAliases,
    @JsonProperty("pushed_authorization_request_endpoint")
    val pushedAuthorizationRequestEndpoint: String,
    @JsonProperty("registration_endpoint")
    val registrationEndpoint: String,
    @JsonProperty("request_object_encryption_alg_values_supported")
    val requestObjectEncryptionAlgValuesSupported: List<String>,
    @JsonProperty("request_object_encryption_enc_values_supported")
    val requestObjectEncryptionEncValuesSupported: List<String>,
    @JsonProperty("request_object_signing_alg_values_supported")
    val requestObjectSigningAlgValuesSupported: List<String>,
    @JsonProperty("request_parameter_supported")
    val requestParameterSupported: Boolean,
    @JsonProperty("request_uri_parameter_supported")
    val requestUriParameterSupported: Boolean,
    @JsonProperty("require_pushed_authorization_requests")
    val requirePushedAuthorizationRequests: Boolean,
    @JsonProperty("require_request_uri_registration")
    val requireRequestUriRegistration: Boolean,
    @JsonProperty("response_modes_supported")
    val responseModesSupported: List<String>,
    @JsonProperty("response_types_supported")
    val responseTypesSupported: List<String>,
    @JsonProperty("revocation_endpoint")
    val revocationEndpoint: String,
    @JsonProperty("revocation_endpoint_auth_methods_supported")
    val revocationEndpointAuthMethodsSupported: List<String>,
    @JsonProperty("revocation_endpoint_auth_signing_alg_values_supported")
    val revocationEndpointAuthSigningAlgValuesSupported: List<String>,
    @JsonProperty("scopes_supported")
    val scopesSupported: List<String>,
    @JsonProperty("subject_types_supported")
    val subjectTypesSupported: List<String>,
    @JsonProperty("tls_client_certificate_bound_access_tokens")
    val tlsClientCertificateBoundAccessTokens: Boolean,
    @JsonProperty("token_endpoint")
    val tokenEndpoint: String,
    @JsonProperty("token_endpoint_auth_methods_supported")
    val tokenEndpointAuthMethodsSupported: List<String>,
    @JsonProperty("token_endpoint_auth_signing_alg_values_supported")
    val tokenEndpointAuthSigningAlgValuesSupported: List<String>,
    @JsonProperty("userinfo_encryption_alg_values_supported")
    val userinfoEncryptionAlgValuesSupported: List<String>,
    @JsonProperty("userinfo_encryption_enc_values_supported")
    val userinfoEncryptionEncValuesSupported: List<String>,
    @JsonProperty("userinfo_endpoint")
    val userinfoEndpoint: String,
    @JsonProperty("userinfo_signing_alg_values_supported")
    val userinfoSigningAlgValuesSupported: List<String>
 ) {
    data class MtlsEndpointAliases(
        @JsonProperty("backchannel_authentication_endpoint")
        val backchannelAuthenticationEndpoint: String,
        @JsonProperty("device_authorization_endpoint")
        val deviceAuthorizationEndpoint: String,
        @JsonProperty("introspection_endpoint")
        val introspectionEndpoint: String,
        @JsonProperty("pushed_authorization_request_endpoint")
        val pushedAuthorizationRequestEndpoint: String,
        @JsonProperty("registration_endpoint")
        val registrationEndpoint: String,
        @JsonProperty("revocation_endpoint")
        val revocationEndpoint: String,
        @JsonProperty("token_endpoint")
        val tokenEndpoint: String,
        @JsonProperty("userinfo_endpoint")
        val userinfoEndpoint: String
    )
 }
--- a/src/main/kotlin/com/restapi/config/AuthTokenResponse.kt
+++ b/src/main/kotlin/com/restapi/config/AuthTokenResponse.kt
@ -0,0 +1,23 @@
 import com.fasterxml.jackson.annotation.JsonProperty
 import java.time.LocalDateTime
 data class AuthTokenResponse(
    @JsonProperty("access_token")
    val accessToken: String,
    @JsonProperty("expires_in")
    val expiresIn: Int,
    @JsonProperty("not-before-policy")
    val notBeforePolicy: Int,
    @JsonProperty("refresh_expires_in")
    val refreshExpiresIn: Int,
    @JsonProperty("refresh_token")
    val refreshToken: String,
    @JsonProperty("scope")
    val scope: String,
    @JsonProperty("session_state")
    val sessionState: String,
    @JsonProperty("token_type")
    val tokenType: String,
    val createdAt: LocalDateTime = LocalDateTime.now()
 )
--- a/src/main/kotlin/com/restapi/domain/db.kt
+++ b/src/main/kotlin/com/restapi/domain/db.kt
@ -6,27 +6,26 @@ import com.fasterxml.jackson.databind.SerializationFeature
 import com.fasterxml.jackson.databind.module.SimpleModule
 import com.fasterxml.jackson.module.kotlin.jacksonObjectMapper
 import com.restapi.config.AppConfig.Companion.appConfig
 import com.restapi.config.AuthUser
 import io.ebean.Database
 import io.ebean.DatabaseFactory
 import io.ebean.config.CurrentTenantProvider
 import io.ebean.config.CurrentUserProvider
 import io.ebean.config.DatabaseConfig
 import io.ebean.config.TenantMode
 import redis.clients.jedis.JedisPooled
 import java.util.*
-
+import kotlin.jvm.optionals.getOrDefault
 data class CurrentUser(
    val anon: Boolean = true,
    val userId: String = "",
    val tenantId: String = ""
 )
 object Session {
-    private val currentUser = object : ThreadLocal<CurrentUser>() {
+    private val currentUser = object : ThreadLocal<AuthUser>() {
-        override fun initialValue(): CurrentUser {
+        override fun initialValue(): AuthUser {
-            return CurrentUser()
+            return AuthUser("", "", emptyList<String>())
        }
    }
    fun setAuthorizedUser(a: AuthUser) = currentUser.set(a)
    private val sc = DatabaseConfig().apply {
        loadFromProperties(Properties().apply {
            setProperty("datasource.db.username", appConfig.dbUser())
@ -35,8 +34,8 @@ object Session {
            setProperty("ebean.migration.run", appConfig.dbRunMigration().toString())
        })
        tenantMode = TenantMode.PARTITION
-        currentTenantProvider = CurrentTenantProvider { currentUser.get().tenantId }
+        currentTenantProvider = CurrentTenantProvider { currentUser.get().tenant }
-        currentUserProvider = CurrentUserProvider { currentUser.get().userId }
+        currentUserProvider = CurrentUserProvider { currentUser.get().userName }
    }
    val database: Database = DatabaseFactory.create(sc)
@ -46,7 +45,7 @@ object Session {
        findAndRegisterModules()
    }
-    fun currentUser() = currentUser.get().userId
+    fun currentUser() = currentUser.get().userName
    fun Database.findByEntityAndId(entity: String, id: String): DataModel {
        return find(DataModel::class.java)
@ -68,6 +67,8 @@ object Session {
        return String.format("%s-%s", entity, "$s".padStart(10, '0'))
    }
    val redis = JedisPooled(appConfig.redisUri().getOrDefault("redis://localhost:6739/0"))
 }
 object DataNotFoundException : Exception() {