Retrofit Entur authorization service

pom.xml

@@ -40,7 +40,7 @@
         <java.version>21</java.version>
         <entur.google.pubsub.emulator.download.skip>true</entur.google.pubsub.emulator.download.skip>
 
-        <entur.helpers.version>2.24</entur.helpers.version>
+        <entur.helpers.version>2.25</entur.helpers.version>
 
         <entur-google-pubsub-version>${entur.helpers.version}</entur-google-pubsub-version>
         <gcp-storage.version>${entur.helpers.version}</gcp-storage.version>

src/ext-test/java/no/entur/uttu/ext/entur/security/EnturUserContextServiceTest.java

@@ -6,6 +6,7 @@
 import no.entur.uttu.model.Provider;
 import no.entur.uttu.repository.ProviderRepository;
 import org.entur.oauth2.JwtRoleAssignmentExtractor;
+import org.entur.oauth2.user.JwtUserInfoExtractor;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -30,7 +31,8 @@ void setUp() {
     subject =
       new EnturUserContextService(
         mockProviderRepository,
-        new JwtRoleAssignmentExtractor()
+        new JwtRoleAssignmentExtractor(),
+        new JwtUserInfoExtractor()
       );
   }
 

src/ext/java/no/entur/uttu/ext/entur/security/EnturSecurityConfiguration.java

@@ -6,7 +6,9 @@
 import org.entur.oauth2.JwtRoleAssignmentExtractor;
 import org.entur.oauth2.RorAuthenticationConverter;
 import org.entur.oauth2.multiissuer.MultiIssuerAuthenticationManagerResolverBuilder;
+import org.entur.oauth2.user.JwtUserInfoExtractor;
 import org.rutebanken.helper.organisation.RoleAssignmentExtractor;
+import org.rutebanken.helper.organisation.user.UserInfoExtractor;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -24,16 +26,26 @@ public JwtAuthenticationConverter customJwtAuthenticationConverter() {
   }
 
   @Bean
-  public UserContextService userContextService(
-    ProviderRepository providerRepository,
-    RoleAssignmentExtractor roleAssignmentExtractor
-  ) {
-    return new EnturUserContextService(providerRepository, roleAssignmentExtractor);
+  public RoleAssignmentExtractor roleAssignmentExtractor() {
+    return new JwtRoleAssignmentExtractor();
   }
 
   @Bean
-  public RoleAssignmentExtractor roleAssignmentExtractor() {
-    return new JwtRoleAssignmentExtractor();
+  public UserInfoExtractor userInfoExtractor() {
+    return new JwtUserInfoExtractor();
+  }
+
+  @Bean
+  public UserContextService userContextService(
+    ProviderRepository providerRepository,
+    RoleAssignmentExtractor roleAssignmentExtractor,
+    UserInfoExtractor userInfoExtractor
+  ) {
+    return new EnturUserContextService(
+      providerRepository,
+      roleAssignmentExtractor,
+      userInfoExtractor
+    );
   }
 
   @Bean

src/ext/java/no/entur/uttu/ext/entur/security/EnturUserContextService.java

@@ -1,85 +1,50 @@
 package no.entur.uttu.ext.entur.security;
 
-import static org.rutebanken.helper.organisation.AuthorizationConstants.ROLE_ROUTE_DATA_ADMIN;
-import static org.rutebanken.helper.organisation.AuthorizationConstants.ROLE_ROUTE_DATA_EDIT;
-
-import java.util.List;
 import no.entur.uttu.model.Provider;
 import no.entur.uttu.repository.ProviderRepository;
 import no.entur.uttu.security.spi.UserContextService;
-import org.rutebanken.helper.organisation.RoleAssignment;
 import org.rutebanken.helper.organisation.RoleAssignmentExtractor;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.oauth2.jwt.Jwt;
-import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
+import org.rutebanken.helper.organisation.authorization.AuthorizationService;
+import org.rutebanken.helper.organisation.authorization.DefaultAuthorizationService;
+import org.rutebanken.helper.organisation.user.UserInfoExtractor;
 
 public class EnturUserContextService implements UserContextService {
 
   private final ProviderRepository providerRepository;
-
-  private final RoleAssignmentExtractor roleAssignmentExtractor;
+  private final AuthorizationService<String> authorizationService;
+  private final UserInfoExtractor userInfoExtractor;
 
   public EnturUserContextService(
     ProviderRepository providerRepository,
-    RoleAssignmentExtractor roleAssignmentExtractor
+    RoleAssignmentExtractor roleAssignmentExtractor,
+    UserInfoExtractor userInfoExtractor
   ) {
     this.providerRepository = providerRepository;
-    this.roleAssignmentExtractor = roleAssignmentExtractor;
+    this.userInfoExtractor = userInfoExtractor;
+    authorizationService =
+      new DefaultAuthorizationService<>(
+        this::getProviderCodespaceByProviderCode,
+        roleAssignmentExtractor
+      );
   }
 
   @Override
   public String getPreferredName() {
-    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
-    JwtAuthenticationToken jwtAuthenticationToken = (JwtAuthenticationToken) auth;
-    Jwt jwt = (Jwt) jwtAuthenticationToken.getPrincipal();
-    return jwt.getClaimAsString("https://ror.entur.io/preferred_name");
+    return userInfoExtractor.getPreferredName();
   }
 
   @Override
   public boolean isAdmin() {
-    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
-    List<RoleAssignment> roleAssignments =
-      roleAssignmentExtractor.getRoleAssignmentsForUser(auth);
-
-    return roleAssignments
-      .stream()
-      .anyMatch(roleAssignment ->
-        roleAssignment.getRole().equals(ROLE_ROUTE_DATA_ADMIN) &&
-        roleAssignment.getOrganisation().equals("RB")
-      );
+    return authorizationService.isRouteDataAdmin();
   }
 
   @Override
   public boolean hasAccessToProvider(String providerCode) {
-    if (providerCode == null) {
-      return false;
-    }
-    Provider provider = providerRepository.getOne(providerCode);
-    if (provider == null) {
-      return false;
-    }
-
-    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
-
-    List<RoleAssignment> roleAssignments =
-      roleAssignmentExtractor.getRoleAssignmentsForUser(auth);
-
-    return roleAssignments
-      .stream()
-      .anyMatch(roleAssignment ->
-        (
-          roleAssignment.getRole().equals(ROLE_ROUTE_DATA_ADMIN) &&
-          roleAssignment.getOrganisation().equals("RB")
-        ) ||
-        match(roleAssignment, ROLE_ROUTE_DATA_EDIT, provider)
-      );
+    return authorizationService.canEditRouteData(providerCode);
   }
 
-  private boolean match(RoleAssignment roleAssignment, String role, Provider provider) {
-    return (
-      role.equals(roleAssignment.getRole()) &&
-      provider.getCodespace().getXmlns().equals(roleAssignment.getOrganisation())
-    );
+  private String getProviderCodespaceByProviderCode(String providerCode) {
+    Provider provider = providerRepository.getOne(providerCode);
+    return provider == null ? null : provider.getCodespace().getXmlns();
   }
 }