Merge pull request #131 from georchestra/allow-external-provider-in-p…

…reauth Adds preauth external provider header
georchestra · Jun 26, 2024 · 9cf7a71 · 9cf7a71
2 parents a1f921c + 0f177ea
commit 9cf7a71
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 2 deletions.
diff --git a/docs/pre-authentication.adoc b/docs/pre-authentication.adoc
@@ -30,6 +30,8 @@ The following headers are expected to be received by the Gateway:
 * `preauth-firstname`: the first name of the user (e.g. "Pierre")
 * `preauth-lastname`: the surname of the user (e.g. "Mauduit")
 * `preauth-org`: the organisation identifier (e.g. "geOrchestra")
+* `preauth-provider`: __(optional)__ the external provider (e.g. "myexternalprovider")
+* `preauth-provider-id`: __(optional)__ the external provider identifier (e.g. "user_123456")
 
 == Charset considerations & encoded headers
 
@@ -152,6 +154,8 @@ The following Apache configuration has been used in a setup to interact with the
  RequestHeader unset preauth-firstname
  RequestHeader unset preauth-lastname
  RequestHeader unset preauth-org
+ RequestHeader unset preauth-provider
+ RequestHeader unset preauth-provider-id
 
  # The following ones are used by geOrchestra
  # You can find a list of headers here:
@@ -177,6 +181,8 @@ The following Apache configuration has been used in a setup to interact with the
  RequestHeader set preauth-firstname %{MELLON_GIVEN_NAME}e "expr=-n env('MELLON_GIVEN_NAME')"
  RequestHeader set preauth-lastname %{MELLON_SN}e "expr=-n env('MELLON_SN')"
  RequestHeader set preauth-org %{MELLON_O}e "expr=-n env('MELLON_O')"
+ RequestHeader set preauth-provider myexternalprovider "expr=-n env('MELLON_O')"
+ RequestHeader set preauth-provider-id %{MELLON_EPPN}e "expr=-n env('MELLON_EPPN')"
  # If needed to base64-encode the headers because of them containing accented characters, you can
  # use the following syntax and adapt the other headers above:
  # RequestHeader set preauth-lastname "expr={base64}%{base64:%{env:MELLON_SN}}" "expr=-n env('MELLON_SN')"

diff --git a/.../src/main/java/org/georchestra/gateway/security/preauth/PreauthAuthenticationManager.java b/.../src/main/java/org/georchestra/gateway/security/preauth/PreauthAuthenticationManager.java
@@ -48,6 +48,8 @@ public class PreauthAuthenticationManager implements ReactiveAuthenticationManag
  public static final String PREAUTH_LASTNAME = "preauth-lastname";
  public static final String PREAUTH_ORG = "preauth-org";
  public static final String PREAUTH_ROLES = "preauth-roles";
+ public static final String PREAUTH_PROVIDER = "preauth-provider";
+ public static final String PREAUTH_PROVIDER_ID = "preauth-provider-id";
 
  /**
  * @return {@code Mono.empty()} if the pre-auth request headers are not
@@ -93,6 +95,9 @@ public static GeorchestraUser map(Map<String, String> requestHeaders) {
  String lastName = SecurityHeaders.decode(requestHeaders.get(PREAUTH_LASTNAME));
  String org = SecurityHeaders.decode(requestHeaders.get(PREAUTH_ORG));
  String rolesValue = SecurityHeaders.decode(requestHeaders.get(PREAUTH_ROLES));
+ String provider = SecurityHeaders.decode(requestHeaders.get(PREAUTH_PROVIDER));
+ String providerId = SecurityHeaders.decode(requestHeaders.get(PREAUTH_PROVIDER_ID));
+
  List<String> roleNames = Optional.ofNullable(rolesValue)
  .map(roles -> Stream
  .concat(Stream.of("ROLE_USER"), Stream.of(roles.split(";")).filter(StringUtils::hasText))
@@ -106,6 +111,9 @@ public static GeorchestraUser map(Map<String, String> requestHeaders) {
  user.setLastName(lastName);
  user.setOrganization(org);
  user.setRoles(roleNames);
+ user.setOAuth2Provider(provider);
+ user.setOAuth2Uid(providerId);
+ //TODO rename oauth2 fields to a more generic name : externalProvider ?
  return user;
  }
 
@@ -117,5 +125,7 @@ public void removePreauthHeaders(HttpHeaders mutableHeaders) {
  mutableHeaders.remove(PREAUTH_LASTNAME);
  mutableHeaders.remove(PREAUTH_ORG);
  mutableHeaders.remove(PREAUTH_ROLES);
+ mutableHeaders.remove(PREAUTH_PROVIDER);
+ mutableHeaders.remove(PREAUTH_PROVIDER_ID);
  }
 }
diff --git a/...y/src/test/java/org/georchestra/gateway/accounts/admin/CreateAccountUserCustomizerIT.java b/...y/src/test/java/org/georchestra/gateway/accounts/admin/CreateAccountUserCustomizerIT.java
@@ -60,7 +60,10 @@ public class CreateAccountUserCustomizerIT {
  "preauth-email", "pierre.martin2@example.org", //
  "preauth-firstname", "Pierre-Jean-Pierre", //
  "preauth-lastname", "Martin", //
- "preauth-org", "NEWORG");
+ "preauth-org", "NEWORG",
+ "preauth-provider", "georchestra",
+ "preauth-provider-id", "georchestra12"
+ );
 
  private static final Map<String, String> ANOTHER_NOT_EXISTING_ACCOUNT_HEADERS_EXISTING_ORG = Map.of( //
  "sec-georchestra-preauthenticated", "true", //
@@ -113,7 +116,9 @@ private WebTestClient.RequestHeadersUriSpec<?> prepareWebTestClientHeaders(
  .is2xxSuccessful()//
  .expectBody()//
  .jsonPath("$.GeorchestraUser").isNotEmpty()//
- .jsonPath("$.GeorchestraUser.organization").isEqualTo("NEWORG");
+ .jsonPath("$.GeorchestraUser.organization").isEqualTo("NEWORG")
+ .jsonPath("$.GeorchestraUser.oauth2Provider").isEqualTo("georchestra")
+ .jsonPath("$.GeorchestraUser.oauth2Uid").isEqualTo("georchestra12");
 
  // Make sure the account has been created
  assertNotNull(accountDao.findByUID("pmartin2"));