From 26d944ceaada03dff29a0b0da62e53b2c8f69ee7 Mon Sep 17 00:00:00 2001 From: psevestre Date: Tue, 3 May 2022 02:42:41 -0300 Subject: [PATCH] [BAEL-5584] Article code (#12157) --- spring-security-modules/pom.xml | 1 + .../spring-security-opa/pom.xml | 49 ++++++++ .../baeldung/security/opa/Application.java | 13 +++ .../security/opa/config/OpaConfiguration.java | 25 ++++ .../security/opa/config/OpaProperties.java | 14 +++ .../opa/config/SecurityConfiguration.java | 110 ++++++++++++++++++ .../opa/controller/AccountController.java | 23 ++++ .../baeldung/security/opa/domain/Account.java | 25 ++++ .../security/opa/service/AccountService.java | 37 ++++++ .../src/main/resources/application.yaml | 3 + .../controller/AccountControllerLiveTest.java | 67 +++++++++++ .../src/test/rego/account.rego | 43 +++++++ 12 files changed, 410 insertions(+) create mode 100644 spring-security-modules/spring-security-opa/pom.xml create mode 100644 spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/Application.java create mode 100644 spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/config/OpaConfiguration.java create mode 100644 spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/config/OpaProperties.java create mode 100644 spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/config/SecurityConfiguration.java create mode 100644 spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/controller/AccountController.java create mode 100644 spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/domain/Account.java create mode 100644 spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/service/AccountService.java create mode 100644 spring-security-modules/spring-security-opa/src/main/resources/application.yaml create mode 100644 spring-security-modules/spring-security-opa/src/test/java/com/baeldung/security/opa/controller/AccountControllerLiveTest.java create mode 100644 spring-security-modules/spring-security-opa/src/test/rego/account.rego diff --git a/spring-security-modules/pom.xml b/spring-security-modules/pom.xml index 9fdfde282d..bb36909c79 100644 --- a/spring-security-modules/pom.xml +++ b/spring-security-modules/pom.xml @@ -46,6 +46,7 @@ spring-security-web-x509 spring-session spring-social-login + spring-security-opa \ No newline at end of file diff --git a/spring-security-modules/spring-security-opa/pom.xml b/spring-security-modules/spring-security-opa/pom.xml new file mode 100644 index 0000000000..6665c33db3 --- /dev/null +++ b/spring-security-modules/spring-security-opa/pom.xml @@ -0,0 +1,49 @@ + + 4.0.0 + + com.baeldung + parent-boot-2 + 0.0.1-SNAPSHOT + ../../parent-boot-2 + + spring-security-opa + Spring Security with OPA authorization + + + + org.springframework.boot + spring-boot-starter-webflux + + + + org.springframework.boot + spring-boot-starter-security + + + + org.projectlombok + lombok + + + + com.google.guava + guava + 31.0.1-jre + + + + org.springframework.boot + spring-boot-devtools + + + + org.springframework.security + spring-security-test + + + org.springframework.boot + spring-boot-configuration-processor + true + + + \ No newline at end of file diff --git a/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/Application.java b/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/Application.java new file mode 100644 index 0000000000..789a1f803f --- /dev/null +++ b/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/Application.java @@ -0,0 +1,13 @@ +package com.baeldung.security.opa; + +import org.springframework.boot.SpringApplication; +import org.springframework.boot.autoconfigure.SpringBootApplication; + +@SpringBootApplication +public class Application { + + public static void main(String[] args) { + SpringApplication.run(Application.class, args); + } + +} diff --git a/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/config/OpaConfiguration.java b/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/config/OpaConfiguration.java new file mode 100644 index 0000000000..e24fdbcf35 --- /dev/null +++ b/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/config/OpaConfiguration.java @@ -0,0 +1,25 @@ +package com.baeldung.security.opa.config; + +import org.springframework.boot.context.properties.EnableConfigurationProperties; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.web.reactive.function.client.WebClient; + +import lombok.RequiredArgsConstructor; + +@Configuration +@RequiredArgsConstructor +@EnableConfigurationProperties(OpaProperties.class) +public class OpaConfiguration { + + private final OpaProperties opaProperties; + + @Bean + public WebClient opaWebClient(WebClient.Builder builder) { + + return builder + .baseUrl(opaProperties.getEndpoint()) + .build(); + } + +} diff --git a/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/config/OpaProperties.java b/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/config/OpaProperties.java new file mode 100644 index 0000000000..acc23a2fd2 --- /dev/null +++ b/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/config/OpaProperties.java @@ -0,0 +1,14 @@ +package com.baeldung.security.opa.config; + +import javax.annotation.Nonnull; + +import org.springframework.boot.context.properties.ConfigurationProperties; + +import lombok.Data; + +@ConfigurationProperties(prefix = "opa") +@Data +public class OpaProperties { + @Nonnull + private String endpoint = "http://localhost:8181"; +} diff --git a/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/config/SecurityConfiguration.java b/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/config/SecurityConfiguration.java new file mode 100644 index 0000000000..7e10cb2e8a --- /dev/null +++ b/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/config/SecurityConfiguration.java @@ -0,0 +1,110 @@ +package com.baeldung.security.opa.config; + +import java.util.Arrays; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; +import java.util.stream.Collectors; + +import org.reactivestreams.Publisher; +import org.springframework.beans.factory.annotation.Qualifier; +import org.springframework.context.annotation.Bean; +import org.springframework.context.annotation.Configuration; +import org.springframework.http.MediaType; +import org.springframework.http.client.reactive.ClientHttpRequest; +import org.springframework.security.authentication.AnonymousAuthenticationToken; +import org.springframework.security.authorization.AuthorizationDecision; +import org.springframework.security.authorization.ReactiveAuthorizationManager; +import org.springframework.security.config.web.server.ServerHttpSecurity; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.authority.SimpleGrantedAuthority; +import org.springframework.security.web.server.SecurityWebFilterChain; +import org.springframework.security.web.server.authorization.AuthorizationContext; +import org.springframework.web.reactive.function.BodyInserter; +import org.springframework.web.reactive.function.BodyInserters; +import org.springframework.web.reactive.function.client.ClientResponse; +import org.springframework.web.reactive.function.client.WebClient; + +import com.fasterxml.jackson.databind.node.ObjectNode; +import com.google.common.collect.ImmutableMap; + +import reactor.core.publisher.Mono; + +@Configuration +public class SecurityConfiguration { + + + @Bean + public SecurityWebFilterChain accountAuthorization(ServerHttpSecurity http, @Qualifier("opaWebClient")WebClient opaWebClient) { + + // @formatter:on + return http + .httpBasic() + .and() + .authorizeExchange(exchanges -> { + exchanges + .pathMatchers("/account/*") + .access(opaAuthManager(opaWebClient)); + }) + .build(); + // @formatter:on + + } + + @Bean + public ReactiveAuthorizationManager opaAuthManager(WebClient opaWebClient) { + + return (auth, context) -> { + return opaWebClient.post() + .accept(MediaType.APPLICATION_JSON) + .contentType(MediaType.APPLICATION_JSON) + .body(toAuthorizationPayload(auth,context), Map.class) + .exchangeToMono(this::toDecision); + }; + } + + private Mono toDecision(ClientResponse response) { + + if ( !response.statusCode().is2xxSuccessful()) { + return Mono.just(new AuthorizationDecision(false)); + } + + return response + .bodyToMono(ObjectNode.class) + .map(node -> { + boolean authorized = node.path("result").path("authorized").asBoolean(false); + return new AuthorizationDecision(authorized); + }); + + } + + private Publisher> toAuthorizationPayload(Mono auth, AuthorizationContext context) { + // @formatter:off + return auth + .defaultIfEmpty(new AnonymousAuthenticationToken("**ANONYMOUS**", new Object(), Arrays.asList(new SimpleGrantedAuthority("ANONYMOUS")))) + .map( a -> { + + Map headers = context.getExchange().getRequest() + .getHeaders() + .toSingleValueMap(); + + Map attributes = ImmutableMap.builder() + .put("principal",a.getName()) + .put("authorities", + a.getAuthorities() + .stream() + .map(g -> g.getAuthority()) + .collect(Collectors.toList())) + .put("uri", context.getExchange().getRequest().getURI().getPath()) + .put("headers",headers) + .build(); + + Map input = ImmutableMap.builder() + .put("input",attributes) + .build(); + + return input; + }); + // @formatter:on + } +} diff --git a/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/controller/AccountController.java b/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/controller/AccountController.java new file mode 100644 index 0000000000..ba0ff61554 --- /dev/null +++ b/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/controller/AccountController.java @@ -0,0 +1,23 @@ +package com.baeldung.security.opa.controller; + +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.PathVariable; +import org.springframework.web.bind.annotation.RestController; + +import com.baeldung.security.opa.domain.Account; +import com.baeldung.security.opa.service.AccountService; + +import lombok.RequiredArgsConstructor; +import reactor.core.publisher.Mono; + +@RestController +@RequiredArgsConstructor +public class AccountController { + + private final AccountService accountService; + + @GetMapping("/account/{accountId}") + public Mono getAccount(@PathVariable("accountId") String accountId) { + return accountService.findByAccountId(accountId); + } +} diff --git a/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/domain/Account.java b/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/domain/Account.java new file mode 100644 index 0000000000..db494627a8 --- /dev/null +++ b/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/domain/Account.java @@ -0,0 +1,25 @@ +package com.baeldung.security.opa.domain; + +import java.math.BigDecimal; + +import lombok.Data; + +@Data +public class Account { + + private String id; + private BigDecimal balance; + private String currency; + + + public static Account of(String id, BigDecimal balance, String currency) { + Account acc = new Account(); + acc.setId(id); + acc.setBalance(balance); + acc.setCurrency(currency); + + return acc; + } + + +} diff --git a/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/service/AccountService.java b/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/service/AccountService.java new file mode 100644 index 0000000000..18968019f9 --- /dev/null +++ b/spring-security-modules/spring-security-opa/src/main/java/com/baeldung/security/opa/service/AccountService.java @@ -0,0 +1,37 @@ +/** + * + */ +package com.baeldung.security.opa.service; + +import java.math.BigDecimal; +import java.util.Map; + +import org.springframework.stereotype.Service; + +import com.baeldung.security.opa.domain.Account; +import com.google.common.collect.ImmutableMap; + +import reactor.core.publisher.Mono; + +/** + * @author Philippe + * + */ +@Service +public class AccountService { + + private Map accounts = ImmutableMap.builder() + .put("0001", Account.of("0001", BigDecimal.valueOf(100.00), "USD")) + .put("0002", Account.of("0002", BigDecimal.valueOf(101.00), "EUR")) + .put("0003", Account.of("0003", BigDecimal.valueOf(102.00), "BRL")) + .put("0004", Account.of("0004", BigDecimal.valueOf(103.00), "AUD")) + .put("0005", Account.of("0005", BigDecimal.valueOf(10400.00), "JPY")) + .build(); + + + public Mono findByAccountId(String accountId) { + return Mono.just(accounts.get(accountId)) + .switchIfEmpty(Mono.error(new IllegalArgumentException("invalid.account"))); + } + +} diff --git a/spring-security-modules/spring-security-opa/src/main/resources/application.yaml b/spring-security-modules/spring-security-opa/src/main/resources/application.yaml new file mode 100644 index 0000000000..6fb9200277 --- /dev/null +++ b/spring-security-modules/spring-security-opa/src/main/resources/application.yaml @@ -0,0 +1,3 @@ +# OPA configuration properties +opa: + endpoint: http://localhost:8181/v1/data/baeldung/auth/account \ No newline at end of file diff --git a/spring-security-modules/spring-security-opa/src/test/java/com/baeldung/security/opa/controller/AccountControllerLiveTest.java b/spring-security-modules/spring-security-opa/src/test/java/com/baeldung/security/opa/controller/AccountControllerLiveTest.java new file mode 100644 index 0000000000..7469fd327c --- /dev/null +++ b/spring-security-modules/spring-security-opa/src/test/java/com/baeldung/security/opa/controller/AccountControllerLiveTest.java @@ -0,0 +1,67 @@ +package com.baeldung.security.opa.controller; + +import static org.springframework.security.test.web.reactive.server.SecurityMockServerConfigurers.springSecurity; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.boot.test.context.SpringBootTest; +import org.springframework.context.ApplicationContext; +import org.springframework.http.MediaType; +import org.springframework.security.test.context.support.WithMockUser; +import org.springframework.test.context.ActiveProfiles; +import org.springframework.test.web.reactive.server.WebTestClient; + +// !!! NOTICE: Start OPA server before running this test class !!! +@SpringBootTest +@ActiveProfiles("test") +class AccountControllerLiveTest { + + @Autowired + ApplicationContext context; + WebTestClient rest; + + @BeforeEach + public void setup() { + this.rest = WebTestClient.bindToApplicationContext(this.context) + .apply(springSecurity()) + .configureClient() + .build(); + } + + + @Test + @WithMockUser(username = "user1", roles = { "account:read:0001"} ) + void testGivenValidUser_thenSuccess() { + rest.get() + .uri("/account/0001") + .accept(MediaType.APPLICATION_JSON) + .exchange() + .expectStatus() + .is2xxSuccessful(); + } + + @Test + @WithMockUser(username = "user1", roles = { "account:read:0002"} ) + void testGivenValidUser_thenUnauthorized() { + rest.get() + .uri("/account/0001") + .accept(MediaType.APPLICATION_JSON) + .exchange() + .expectStatus() + .isForbidden(); + } + + @Test + @WithMockUser(username = "user1", roles = {} ) + void testGivenNoAuthorities_thenForbidden() { + rest.get() + .uri("/account/0001") + .accept(MediaType.APPLICATION_JSON) + .exchange() + .expectStatus() + .isForbidden(); + } + + +} diff --git a/spring-security-modules/spring-security-opa/src/test/rego/account.rego b/spring-security-modules/spring-security-opa/src/test/rego/account.rego new file mode 100644 index 0000000000..567d531bb4 --- /dev/null +++ b/spring-security-modules/spring-security-opa/src/test/rego/account.rego @@ -0,0 +1,43 @@ +# +# Simple authorization rule for accounts +# +# Assumes an input document with the following properties: +# +# resource: requested resource +# method: request method +# authorities: Granted authorities +# headers: Request headers +# +package baeldung.auth.account + +# Not authorized by default +default authorized = false + +# Authorize when there are no rules that deny access to the resource and +# there's at least one rule allowing +authorized = true { + count(deny) == 0 + count(allow) > 0 +} + +# Allow access to /public +allow["public"] { + regex.match("^/public/.*",input.uri) +} + +# Account API requires authenticated user +deny["account_api_authenticated"] { + regex.match("^/account/.*",input.uri) + regex.match("ANONYMOUS",input.principal) +} + +# Authorize access to account if principal has +# matching authority +allow["account_api_authorized"] { + regex.match("^/account/.+",input.uri) + parts := split(input.uri,"/") + account := parts[2] + role := concat(":",[ "ROLE_account", "read", account] ) + role == input.authorities[i] +} +