authorPaul-Christian Volkmer2024-01-31 15:43:10 +0100
committerPaul-Christian Volkmer2024-01-31 15:57:16 +0100
commit17e04a3f8972fe5eca0bf3b236293e4a6998e56f (patch)
tree5fc1a30c2991827cc610e0d2a83bfb4f32109d12 /src/main
parentf71a775e12bfc6fe50e0b443863ac8fec6f4a4f2 (diff)
feat: add basic support for OIDC login
Diffstat (limited to 'src/main')
-rw-r--r--src/main/kotlin/dev/dnpm/etl/processor/config/AppConfigProperties.kt3
-rw-r--r--src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt30
-rw-r--r--src/main/kotlin/dev/dnpm/etl/processor/web/LoginController.kt19
-rw-r--r--src/main/resources/static/style.css7
-rw-r--r--src/main/resources/templates/fragments.html5
-rw-r--r--src/main/resources/templates/login.html6
6 files changed, 59 insertions, 11 deletions
diff --git a/src/main/kotlin/dev/dnpm/etl/processor/config/AppConfigProperties.kt b/src/main/kotlin/dev/dnpm/etl/processor/config/AppConfigProperties.kt
index aacf97d..b18bc02 100644
--- a/src/main/kotlin/dev/dnpm/etl/processor/config/AppConfigProperties.kt
+++ b/src/main/kotlin/dev/dnpm/etl/processor/config/AppConfigProperties.kt
@@ -86,7 +86,8 @@ data class KafkaTargetProperties(
data class SecurityConfigProperties(
val adminUser: String?,
val adminPassword: String?,
- val enableTokens: Boolean = false
+ val enableTokens: Boolean = false,
+ val enableOidc: Boolean = false
) {
companion object {
const val NAME = "app.security"
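Review bot: `enableOidc` is added with no documentation, and since the same property name (`app.security.enable-oidc`) is what selects between the two `SecurityFilterChain` beans elsewhere in this commit, a reader of the properties class has no way to see that. A KDoc line such as `/** When true, OIDC/OAuth2 login is offered and the OIDC-aware filter chain replaces the default one. */` would make the switch self-explanatory. Defaulting to `false` keeps existing deployments unchanged, which is the right choice here.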
diff --git a/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt b/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
index 22a2e34..750ccbc 100644
--- a/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
+++ b/src/main/kotlin/dev/dnpm/etl/processor/config/AppSecurityConfiguration.kt
@@ -24,21 +24,15 @@ import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
import org.springframework.boot.context.properties.EnableConfigurationProperties
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
-import org.springframework.core.Ordered
-import org.springframework.core.annotation.Order
-import org.springframework.http.HttpMethod
-import org.springframework.security.authentication.AuthenticationProvider
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.invoke
-import org.springframework.security.config.http.SessionCreationPolicy
import org.springframework.security.core.userdetails.User
import org.springframework.security.core.userdetails.UserDetails
import org.springframework.security.crypto.factory.PasswordEncoderFactories
import org.springframework.security.crypto.password.PasswordEncoder
import org.springframework.security.provisioning.InMemoryUserDetailsManager
import org.springframework.security.web.SecurityFilterChain
-import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy
import java.util.*
@@ -82,6 +76,30 @@ class AppSecurityConfiguration(
}
@Bean
+ @ConditionalOnProperty(value = ["app.security.enable-oidc"], havingValue = "true")
+ fun filterChainOidc(http: HttpSecurity, passwordEncoder: PasswordEncoder): SecurityFilterChain {
+ http {
+ authorizeRequests {
+ authorize("/configs/**", hasRole("ADMIN"))
+ authorize("/mtbfile/**", hasAnyRole("MTBFILE"))
+ authorize(anyRequest, permitAll)
+ }
+ httpBasic {
+ realmName = "ETL-Processor"
+ }
+ formLogin {
+ loginPage = "/login"
+ }
+ oauth2Login {
+ loginPage = "/login"
+ }
+ csrf { disable() }
+ }
+ return http.build()
+ }
+
+ @Bean
+ @ConditionalOnProperty(value = ["app.security.enable-oidc"], havingValue = "false", matchIfMissing = true)
fun filterChain(http: HttpSecurity, passwordEncoder: PasswordEncoder): SecurityFilterChain {
http {
authorizeRequests {
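Review bot: `csrf { disable() }` in the new `filterChainOidc` turns CSRF protection off for a chain that authenticates browsers via sessions (`formLogin` and `oauth2Login`), so every state-changing request an already logged-in admin can make—`/configs/**` in particular—becomes reachable from a cross-site page. If the goal is only to let the token-authenticated `/mtbfile/**` client post without a token, exempt that path instead, e.g. `csrf { ignoringRequestMatchers("/mtbfile/**") }` (the ant-matcher variant on older Spring Security), and turn the `/logout` link into a POST form. Separately, nothing in this chain maps OIDC claims to the `ADMIN` or `MTBFILE` roles the rules require, so unless a `GrantedAuthoritiesMapper` or custom `OidcUserService` exists elsewhere, OIDC-authenticated users can never reach `/configs/**`; that is fail-closed, but it deserves either an explicit mapper or a comment saying it is intentional. The `passwordEncoder` parameter is never used in this bean and can be dropped.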
diff --git a/src/main/kotlin/dev/dnpm/etl/processor/web/LoginController.kt b/src/main/kotlin/dev/dnpm/etl/processor/web/LoginController.kt
index 02c98cf..954b23e 100644
--- a/src/main/kotlin/dev/dnpm/etl/processor/web/LoginController.kt
+++ b/src/main/kotlin/dev/dnpm/etl/processor/web/LoginController.kt
@@ -19,14 +19,29 @@
package dev.dnpm.etl.processor.web
+import dev.dnpm.etl.processor.config.SecurityConfigProperties
+import org.springframework.boot.autoconfigure.security.oauth2.client.OAuth2ClientProperties
import org.springframework.stereotype.Controller
+import org.springframework.ui.Model
import org.springframework.web.bind.annotation.GetMapping
+import java.security.Principal
@Controller
-class LoginController {
+class LoginController(
+ private val securityConfigProperties: SecurityConfigProperties,
+ private val oAuth2ClientProperties: OAuth2ClientProperties?
+) {
@GetMapping(path = ["/login"])
- fun login(): String {
+ fun login(principal: Principal?, model: Model): String {
+ if (securityConfigProperties.enableOidc) {
+ model.addAttribute(
+ "oidcLogins",
+ oAuth2ClientProperties?.registration?.map { (key, value) -> Pair(key, value.clientName) }.orEmpty()
+ )
+ } else {
+ model.addAttribute("oidcLogins", emptyList<Pair<String, String>>())
+ }
return "login"
}
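Review bot: `principal` is injected into `login()` but never read; if it was meant to keep already-authenticated users off the login page, add `if (principal != null) return "redirect:/"`, otherwise remove the parameter. `value.clientName` is nullable, so a registration configured without `client-name` renders as the text "null" in the login button—`value.clientName ?: key` keeps the button usable. The two `addAttribute` branches can collapse into one expression: `val oidcLogins = if (securityConfigProperties.enableOidc) oAuth2ClientProperties?.registration?.map { (key, value) -> key to (value.clientName ?: key) }.orEmpty() else emptyList()` followed by a single `model.addAttribute("oidcLogins", oidcLogins)`. The enclosing class continues past the hunk.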
diff --git a/src/main/resources/static/style.css b/src/main/resources/static/style.css
index 3249aad..c7a0b38 100644
--- a/src/main/resources/static/style.css
+++ b/src/main/resources/static/style.css
@@ -209,7 +209,14 @@ form.samplecode-input input:focus-visible {
border-radius: 3px;
}
+.login-form form hr,
+.token-form form hr {
+ padding: 0;
+ width: 100%;
+}
+
.login-form button,
+.login-form a.btn,
.token-form button {
margin: 1em 0;
background: var(--bg-blue);
diff --git a/src/main/resources/templates/fragments.html b/src/main/resources/templates/fragments.html
index 7a9af2f..bfa36a2 100644
--- a/src/main/resources/templates/fragments.html
+++ b/src/main/resources/templates/fragments.html
@@ -21,6 +21,11 @@
<a th:href="@{/login}">Login</a>
</li>
<li class="login" sec:authorize="isAuthenticated()">
+ <span>
+ <span>👤</span>
+ <span sec:authentication="name">?</span>
+ </span>
+ &nbsp;
<a th:href="@{/logout}">Abmelden</a>
</li>
</ul>
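Review bot: `/logout` remains a plain GET link; Spring Security's `LogoutFilter` only honours GET when CSRF protection is off, so this link is what forces the `csrf { disable() }` in the new security configuration—prefer a small POST form, `<form th:action="@{/logout}" method="post"><button>Abmelden</button></form>`, which Thymeleaf will fit with the CSRF token automatically. For OIDC users `sec:authentication="name"` will presumably show the `sub` claim unless `user-name-attribute` is set on the provider, and a local logout does not end the identity-provider session (an `OidcClientInitiatedLogoutSuccessHandler` would); both may be acceptable for a first version, but a short comment stating so would help the next reader.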
diff --git a/src/main/resources/templates/login.html b/src/main/resources/templates/login.html
index 9a63b46..4ef8ec9 100644
--- a/src/main/resources/templates/login.html
+++ b/src/main/resources/templates/login.html
@@ -13,9 +13,11 @@
<div class="centered notification error" th:if="${param.error}">Anmeldung nicht erfolgreich</div>
<div class="centered notification success" th:if="${param.logout}">Sie haben sich abgemeldet</div>
<form method="post" th:action="@{/login}">
- <input type="text" id="username" name="username" class="form-control" placeholder="Username" required="" autofocus="">
- <input type="password" id="password" name="password" class="form-control" placeholder="Password" required="">
+ <input type="text" id="username" name="username" class="form-control" placeholder="Username" required="" autofocus="" />
+ <input type="password" id="password" name="password" class="form-control" placeholder="Password" required="" />
<button type="submit">Anmelden</button>
+ <hr th:if="${not oidcLogins.isEmpty()}" />
+ <a th:each="oidcLogin : ${oidcLogins}" class="btn" th:href="@{/oauth2/authorization/{provider}(provider=${oidcLogin.component1()})}">OIDC Login - [[ ${oidcLogin.component2()} ]]</a>
</form>
</div>
</main>
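Review bot: the OIDC links read the pair through `component1()`/`component2()`, which are Kotlin destructuring helpers; `${oidcLogin.first}` and `${oidcLogin.second}` express the intent directly and resolve through the same getters. The `[[ … ]]` inlining escapes the client name, which is right since it comes from configuration rather than from the user. Placing the anchors after `</form>` rather than inside the username/password form would also keep the local and federated login paths visually and semantically separate.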