Merge pull request #48 from gooddata/LX-341

feat: Add support for JIT defined via Organization setting

Author: jeskepetr

gooddata-server-oauth2-autoconfigure/src/main/kotlin/AuthenticationStoreClient.kt

@@ -40,6 +40,16 @@ interface AuthenticationStoreClient {
      */
     fun getOrganizationByHostname(hostname: String): Mono<Organization>
 
+    /**
+     * Retrieves [JitProvisioningSetting] that corresponds to provided `organizationId`.
+     *
+     * Returns `null` in case no [JitProvisioningSetting] can be found.
+     *
+     * @param organizationId ID of the organization
+     * @return found `JitProvisioningSetting` or `null` in case no [JitProvisioningSetting] is found
+     */
+    fun getJitProvisioningSetting(organizationId: String): Mono<JitProvisioningSetting>
+
     /**
      * Retrieves [User] that corresponds to provided `organizationId` and `authenticationId` retrieved from
      * OIDC ID token.
@@ -213,3 +223,21 @@ data class User(
     var email: String? = null,
     var userGroups: List<String>? = null,
 )
+
+/**
+ * Represents JIT provisioning setting stored in the persistent storage.
+ *
+ * @property enabled the switch to enable/disable the JIT provisioning
+ * @property userGroupsScopeEnabled the switch to enable/disable the user groups scope in authentication flow
+ * @property userGroupsScopeName the name of the OIDC scope used for user groups provisioning
+ * @property userGroupsDefaults the list of default user groups to be used if user groups are not to be shared via OIDC
+ * authentication flow
+ *
+ * @see AuthenticationStoreClient
+ */
+data class JitProvisioningSetting(
+    val enabled: Boolean,
+    val userGroupsScopeEnabled: Boolean = false,
+    val userGroupsScopeName: String? = null,
+    val userGroupsDefaults: List<String>? = null
+)

gooddata-server-oauth2-autoconfigure/src/main/kotlin/AuthenticationUtils.kt

@@ -14,6 +14,7 @@
  * limitations under the License.
  */
 @file:Suppress("TooManyFunctions")
+
 package com.gooddata.oauth2.server
 
 import com.gooddata.oauth2.server.OAuthConstants.GD_USER_GROUPS_SCOPE
@@ -34,8 +35,10 @@ import com.nimbusds.oauth2.sdk.ParseException
 import com.nimbusds.oauth2.sdk.Scope
 import com.nimbusds.openid.connect.sdk.OIDCScopeValue
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata
+import java.net.URI
 import java.security.MessageDigest
 import java.time.Instant
+import java.util.Collections
 import net.minidev.json.JSONObject
 import org.springframework.core.ParameterizedTypeReference
 import org.springframework.core.convert.ConversionService
@@ -60,8 +63,6 @@ import org.springframework.web.client.RestTemplate
 import org.springframework.web.server.ResponseStatusException
 import org.springframework.web.util.UriComponentsBuilder
 import reactor.core.publisher.Mono
-import java.net.URI
-import java.util.Collections
 
 /**
  * Constants for OAuth type authentication which are not directly available in the Spring Security.
@@ -111,12 +112,13 @@ private val typeReference: ParameterizedTypeReference<Map<String, Any>> = object
 fun buildClientRegistration(
     registrationId: String,
     organization: Organization,
+    jitProvisioningSetting: JitProvisioningSetting,
     properties: HostBasedClientRegistrationRepositoryProperties,
     clientRegistrationCache: ClientRegistrationCache,
 ): ClientRegistration {
     val issuerLocation = organization.oauthIssuerLocation
         // fallback to DEX client registration if issuer location is not defined
-        ?: return dexClientRegistration(registrationId, properties, organization)
+        ?: return dexClientRegistration(registrationId, properties, organization, jitProvisioningSetting)
 
     // fetch the cached settings obtained from the well-known endpoint for the particular issuerLocation
     // this saves HTTP requests to well known endpoints everytime the API call is authorized
@@ -136,7 +138,7 @@ fun buildClientRegistration(
     return ClientRegistration.withClientRegistration(cachedRegistration)
         .registrationId(registrationId)
         .withRedirectUri(organization.oauthIssuerId)
-        .buildWithIssuerConfig(organization)
+        .buildWithIssuerConfig(organization, jitProvisioningSetting)
 }
 
 /**
@@ -165,11 +167,12 @@ private fun ClientRegistration.Builder.buildWithDummyValues(): ClientRegistratio
 private fun dexClientRegistration(
     registrationId: String,
     properties: HostBasedClientRegistrationRepositoryProperties,
-    organization: Organization
+    organization: Organization,
+    jitProvisioningSetting: JitProvisioningSetting
 ): ClientRegistration = ClientRegistration
     .withRegistrationId(registrationId)
     .withDexConfig(properties)
-    .buildWithIssuerConfig(organization)
+    .buildWithIssuerConfig(organization, jitProvisioningSetting)
 
 /**
  * Handles client registration for Azure B2C by validating issuer metadata and building the registration.
@@ -318,6 +321,7 @@ private fun handleRuntimeException(ex: RuntimeException, issuerLocation: String)
             HttpStatus.UNAUTHORIZED,
             "Authorization failed for given issuer \"$issuerLocation\". ${ex.message}"
         )
+
         else -> throw ex
     }
 }
@@ -426,6 +430,7 @@ private fun ClientRegistration.Builder.withRedirectUri(oauthIssuerId: String?) =
  */
 internal fun ClientRegistration.Builder.buildWithIssuerConfig(
     organization: Organization,
+    jitProvisioningSetting: JitProvisioningSetting
 ): ClientRegistration {
     if (organization.oauthClientId == null || organization.oauthClientSecret == null) {
         throw ResponseStatusException(
@@ -439,7 +444,7 @@ internal fun ClientRegistration.Builder.buildWithIssuerConfig(
         .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
         .userNameAttributeName("name")
     val supportedScopes = withIssuerConfigBuilder.build().resolveSupportedScopes()
-    return withIssuerConfigBuilder.withScopes(supportedScopes, organization).build()
+    return withIssuerConfigBuilder.withScopes(supportedScopes, organization, jitProvisioningSetting).build()
 }
 
 private fun ClientRegistration.resolveSupportedScopes() =
@@ -449,18 +454,25 @@ private fun ClientRegistration.resolveSupportedScopes() =
 
 private fun ClientRegistration.Builder.withScopes(
     supportedScopes: Scope?,
-    organization: Organization
-
+    organization: Organization,
+    jitProvisioningSetting: JitProvisioningSetting,
 ): ClientRegistration.Builder {
     // in the future, we could check mandatory scopes against the supported ones
     val mandatoryScopes = listOf(OIDCScopeValue.OPENID, OIDCScopeValue.PROFILE).map(Scope.Value::getValue)
     val userGroupsScope = if (organization.jitEnabled == true) {
         listOf(OIDCScopeValue.EMAIL.value, GD_USER_GROUPS_SCOPE)
+    } else if (jitProvisioningSetting.enabled) {
+        if (jitProvisioningSetting.userGroupsScopeEnabled) {
+            listOf(OIDCScopeValue.EMAIL.value, jitProvisioningSetting.userGroupsScopeName ?: GD_USER_GROUPS_SCOPE)
+        } else {
+            listOf(OIDCScopeValue.EMAIL.value)
+        }
     } else {
         listOf()
     }
     val azureB2CScope = if (organization.oauthIssuerLocation != null &&
-        organization.oauthIssuerLocation.toUri().isAzureB2C()) {
+        organization.oauthIssuerLocation.toUri().isAzureB2C()
+    ) {
         listOf(organization.oauthClientId)
     } else {
         listOf()

gooddata-server-oauth2-autoconfigure/src/main/kotlin/HostBasedReactiveClientRegistrationRepository.kt

@@ -26,15 +26,21 @@ import reactor.core.publisher.Mono
 class HostBasedReactiveClientRegistrationRepository(
     private val properties: HostBasedClientRegistrationRepositoryProperties,
     private val clientRegistrationCache: ClientRegistrationCache,
+    private val client: AuthenticationStoreClient
 ) : ReactiveClientRegistrationRepository {
 
     override fun findByRegistrationId(registrationId: String): Mono<ClientRegistration> =
-        getOrganizationFromContext().map {
-            buildClientRegistration(
-                registrationId = registrationId,
-                organization = it,
-                properties = properties,
-                clientRegistrationCache = clientRegistrationCache,
-            )
+        getOrganizationFromContext().flatMap { organization ->
+            client.getJitProvisioningSetting(organization.id)
+                .defaultIfEmpty(JitProvisioningSetting(enabled = false))
+                .map { jitProvisioningSetting ->
+                    buildClientRegistration(
+                        registrationId = registrationId,
+                        organization = organization,
+                        jitProvisioningSetting = jitProvisioningSetting,
+                        properties = properties,
+                        clientRegistrationCache = clientRegistrationCache,
+                    )
+                }
         }
 }

gooddata-server-oauth2-autoconfigure/src/main/kotlin/JitProvisioningAuthenticationSuccessHandler.kt

@@ -52,23 +52,30 @@ class JitProvisioningAuthenticationSuccessHandler(
             if (organization.jitEnabled == true) {
                 provisionUser(authenticationToken, organization)
             } else {
-                logMessage("JIT provisioning disabled, skipping", "finished", "")
-                Mono.empty()
+                client.getJitProvisioningSetting(organization.id).flatMap {
+                    if (it.enabled) {
+                        provisionUser(authenticationToken, organization, it.userGroupsDefaults)
+                    } else {
+                        logMessage("JIT provisioning disabled, skipping", "finished", "")
+                        Mono.empty()
+                    }
+                }
             }
         }
     }
 
     private fun provisionUser(
         authenticationToken: OAuth2AuthenticationToken,
-        organization: Organization
+        organization: Organization,
+        userGroups: List<String>? = null
     ): Mono<User> {
         checkMandatoryClaims(authenticationToken, organization.id)
         logMessage("Initiating JIT provisioning", "started", organization.id)
         val subClaim = authenticationToken.getClaim(organization.oauthSubjectIdClaim)
         val firstnameClaim = authenticationToken.getClaim(GIVEN_NAME)
         val lastnameClaim = authenticationToken.getClaim(FAMILY_NAME)
         val emailClaim = authenticationToken.getClaim(EMAIL)
-        val userGroupsClaim = authenticationToken.getClaimList(GD_USER_GROUPS)
+        val userGroupsClaim = authenticationToken.getClaimList(GD_USER_GROUPS) ?: userGroups
 
         return client.getUserByAuthenticationId(organization.id, subClaim)
             .flatMap { user ->

gooddata-server-oauth2-autoconfigure/src/main/kotlin/ServerOAuth2AutoConfiguration.kt

@@ -115,8 +115,13 @@ class ServerOAuth2AutoConfiguration {
         client: ObjectProvider<AuthenticationStoreClient>,
         properties: HostBasedClientRegistrationRepositoryProperties,
         clientRegistrationCache: ClientRegistrationCache,
+        authenticationStoreClient: ObjectProvider<AuthenticationStoreClient>
     ): ReactiveClientRegistrationRepository =
-        HostBasedReactiveClientRegistrationRepository(properties, clientRegistrationCache)
+        HostBasedReactiveClientRegistrationRepository(
+            properties,
+            clientRegistrationCache,
+            authenticationStoreClient.`object`
+        )
 
     @ConditionalOnMissingBean(ClientRegistrationCache::class)
     @Bean