Add jwt-client as principal type

italiangrid · Dec 5, 2024 · a81305a · a81305a
1 parent fdddb64
commit a81305a
Show file tree

Hide file tree

Showing 12 changed files with 314 additions and 15 deletions.
diff --git a/src/main/java/org/italiangrid/storm/webdav/config/FineGrainedAuthzPolicyParser.java b/src/main/java/org/italiangrid/storm/webdav/config/FineGrainedAuthzPolicyParser.java
@@ -40,6 +40,7 @@
 import org.italiangrid.storm.webdav.config.FineGrainedAuthzPolicyProperties.Action;
 import org.italiangrid.storm.webdav.config.FineGrainedAuthzPolicyProperties.PrincipalProperties;
 import org.italiangrid.storm.webdav.config.FineGrainedAuthzPolicyProperties.PrincipalProperties.PrincipalType;
+import org.italiangrid.storm.webdav.oauth.authority.JwtClientAuthority;
 import org.italiangrid.storm.webdav.oauth.authority.JwtGroupAuthority;
 import org.italiangrid.storm.webdav.oauth.authority.JwtIssuerAuthority;
 import org.italiangrid.storm.webdav.oauth.authority.JwtScopeAuthority;
@@ -137,6 +138,9 @@ PrincipalMatcher parsePrincipal(PrincipalProperties p) {
     } else if (PrincipalType.JWT_SUBJECT.equals(p.getType())) {
       matcher = AuthorityHolder.fromAuthority(
           new JwtSubjectAuthority(p.getParams().get("iss"), p.getParams().get("sub")));
+    } else if (PrincipalType.JWT_CLIENT.equals(p.getType())) {
+        matcher = AuthorityHolder.fromAuthority(
+          new JwtClientAuthority(p.getParams().get("iss"), p.getParams().get("id")));
     } else if (PrincipalType.VO.equals(p.getType())) {
       matcher = AuthorityHolder.fromAuthority(new VOMSVOAuthority(p.getParams().get("vo")));
     } else if (PrincipalType.VO_MAP.equals(p.getType())) {

diff --git a/src/main/java/org/italiangrid/storm/webdav/config/FineGrainedAuthzPolicyProperties.java b/src/main/java/org/italiangrid/storm/webdav/config/FineGrainedAuthzPolicyProperties.java
@@ -45,6 +45,7 @@ public enum PrincipalType {
       JWT_SCOPE,
       JWT_ISSUER,
       JWT_SUBJECT,
+      JWT_CLIENT,
       VO,
       FQAN,
       VO_MAP,

diff --git a/src/main/java/org/italiangrid/storm/webdav/config/validation/PrincipalValidator.java b/src/main/java/org/italiangrid/storm/webdav/config/validation/PrincipalValidator.java
@@ -18,6 +18,7 @@
 import static com.google.common.base.Strings.isNullOrEmpty;
 import static java.lang.String.format;
 import static org.italiangrid.storm.webdav.config.FineGrainedAuthzPolicyProperties.PrincipalProperties.PrincipalType.FQAN;
+import static org.italiangrid.storm.webdav.config.FineGrainedAuthzPolicyProperties.PrincipalProperties.PrincipalType.JWT_CLIENT;
 import static org.italiangrid.storm.webdav.config.FineGrainedAuthzPolicyProperties.PrincipalProperties.PrincipalType.JWT_GROUP;
 import static org.italiangrid.storm.webdav.config.FineGrainedAuthzPolicyProperties.PrincipalProperties.PrincipalType.JWT_SCOPE;
 import static org.italiangrid.storm.webdav.config.FineGrainedAuthzPolicyProperties.PrincipalProperties.PrincipalType.JWT_ISSUER;
@@ -50,6 +51,8 @@ public class PrincipalValidator implements
         .put(JWT_SUBJECT, "iss")
         .put(JWT_SUBJECT, "sub")
         .put(JWT_ISSUER, "iss")
+        .put(JWT_CLIENT, "iss")
+        .put(JWT_CLIENT, "id")
         .put(VO, "vo")
         .put(VO_MAP, "vo")
         .put(X509_SUBJECT, "subject")

diff --git a/src/main/java/org/italiangrid/storm/webdav/oauth/StormJwtAuthoritiesConverter.java b/src/main/java/org/italiangrid/storm/webdav/oauth/StormJwtAuthoritiesConverter.java
@@ -24,11 +24,11 @@
 import org.italiangrid.storm.webdav.authz.SAPermission;
 import org.italiangrid.storm.webdav.config.ServiceConfigurationProperties;
 import org.italiangrid.storm.webdav.config.StorageAreaConfiguration;
+import org.italiangrid.storm.webdav.oauth.authority.JwtClientAuthority;
 import org.italiangrid.storm.webdav.oauth.authority.JwtGroupAuthority;
 import org.italiangrid.storm.webdav.oauth.authority.JwtIssuerAuthority;
 import org.italiangrid.storm.webdav.oauth.authority.JwtScopeAuthority;
 import org.italiangrid.storm.webdav.oauth.authority.JwtSubjectAuthority;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.oauth2.jwt.Jwt;
@@ -41,7 +41,6 @@
 public class StormJwtAuthoritiesConverter extends GrantedAuthoritiesMapperSupport
     implements Converter<Jwt, Collection<GrantedAuthority>> {
 
-  @Autowired
   public StormJwtAuthoritiesConverter(StorageAreaConfiguration conf,
       ServiceConfigurationProperties props) {
     super(conf, props);
@@ -108,8 +107,11 @@ protected Collection<GrantedAuthority> extractAuthorities(Jwt jwt) {
     authorities.addAll(extractOauthGroupAuthorities(jwt));
     authorities.addAll(extractOauthScopeAuthorities(jwt));
 
-    authorities.add(new JwtIssuerAuthority(jwt.getIssuer().toString()));
-    authorities.add(new JwtSubjectAuthority(jwt.getIssuer().toString(), jwt.getSubject()));
+    authorities.add(new JwtIssuerAuthority(issuer));
+    authorities.add(new JwtSubjectAuthority(issuer, jwt.getSubject()));
+    if (jwt.getClaim("client_id") != null) {
+      authorities.add(new JwtClientAuthority(issuer, jwt.getClaim("client_id")));
+    }
 
     return authorities;
   }

diff --git a/src/main/java/org/italiangrid/storm/webdav/oauth/authority/JwtClientAuthority.java b/src/main/java/org/italiangrid/storm/webdav/oauth/authority/JwtClientAuthority.java
@@ -0,0 +1,56 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare, 2014-2023.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.italiangrid.storm.webdav.oauth.authority;
+
+public class JwtClientAuthority extends JwtAuthority {
+
+  private static final long serialVersionUID = 1L;
+
+  public static final String AUTH_TEMPLATE = "O_client(%s,%s)";
+
+  private final String clientId;
+
+  public JwtClientAuthority(String issuer, String clientId) {
+    super(issuer, String.format(AUTH_TEMPLATE, issuer, clientId));
+    this.clientId = clientId;
+  }
+
+  @Override
+  public int hashCode() {
+    final int prime = 31;
+    int result = super.hashCode();
+    result = prime * result + ((clientId == null) ? 0 : clientId.hashCode());
+    return result;
+  }
+
+  @Override
+  public boolean equals(Object obj) {
+    if (this == obj)
+      return true;
+    if (!super.equals(obj))
+      return false;
+    if (getClass() != obj.getClass())
+      return false;
+    JwtClientAuthority other = (JwtClientAuthority) obj;
+    if (clientId == null) {
+      if (other.clientId != null)
+        return false;
+    } else if (!clientId.equals(other.clientId))
+      return false;
+    return true;
+  }
+
+}
diff --git a/src/main/java/org/italiangrid/storm/webdav/oidc/OidcGrantedAuthoritiesMapper.java b/src/main/java/org/italiangrid/storm/webdav/oidc/OidcGrantedAuthoritiesMapper.java
@@ -17,15 +17,16 @@
 
 import java.util.Collection;
 import java.util.List;
+import java.util.Optional;
 import java.util.Set;
 
 import org.italiangrid.storm.webdav.config.ServiceConfigurationProperties;
 import org.italiangrid.storm.webdav.config.StorageAreaConfiguration;
 import org.italiangrid.storm.webdav.oauth.GrantedAuthoritiesMapperSupport;
+import org.italiangrid.storm.webdav.oauth.authority.JwtClientAuthority;
 import org.italiangrid.storm.webdav.oauth.authority.JwtGroupAuthority;
 import org.italiangrid.storm.webdav.oauth.authority.JwtIssuerAuthority;
 import org.italiangrid.storm.webdav.oauth.authority.JwtSubjectAuthority;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
 import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
@@ -37,7 +38,6 @@
 public class OidcGrantedAuthoritiesMapper extends GrantedAuthoritiesMapperSupport
     implements GrantedAuthoritiesMapper {
 
-  @Autowired
   public OidcGrantedAuthoritiesMapper(StorageAreaConfiguration conf,
       ServiceConfigurationProperties props) {
     super(conf, props);
@@ -66,9 +66,13 @@ protected Collection<GrantedAuthority> mapAuthorities(OidcUserAuthority userAuth
 
     authorities.addAll(authzMap.get(idTokenIssuer));
     authorities.addAll(grantGroupAuthorities(userAuthority));
-    authorities.add(new JwtIssuerAuthority(userAuthority.getIdToken().getIssuer().toString()));
-    authorities.add(new JwtSubjectAuthority(userAuthority.getIdToken().getIssuer().toString(),
-        userAuthority.getIdToken().getSubject()));
+    authorities.add(new JwtIssuerAuthority(idTokenIssuer));
+    authorities.add(new JwtSubjectAuthority(idTokenIssuer, userAuthority.getIdToken().getSubject()));
+    Optional<String> clientIdClaim =
+        Optional.ofNullable(userAuthority.getIdToken().getClaim("client_id"));
+    if (clientIdClaim.isPresent()) {
+      authorities.add(new JwtClientAuthority(idTokenIssuer, clientIdClaim.get()));
+    }
 
     return authorities;
   }

diff --git a/src/main/resources/application-fga.yml b/src/main/resources/application-fga.yml
@@ -0,0 +1,51 @@
+server:
+  jetty:
+    accesslog:
+      enabled: false
+
+management:
+  endpoints:
+    web:
+      exposure:
+        include: env
+
+oauth:
+  enable-oidc: false
+  issuers:
+      - name: iam-dev
+        issuer: https://iam-dev.cloud.cnaf.infn.it/
+
+storm:
+  connector:
+    port: 8086
+    securePort: 9443
+  sa:
+    config-dir: src/test/resources/conf/sa.d
+  tls:
+    trust-anchors-dir: src/test/resources/trust-anchors
+    certificate-path: src/test/resources/hostcert/hostcert.pem
+    private-key-path: src/test/resources/hostcert/hostkey.pem
+  authz-server:
+    enabled: true
+  voms:
+    trust-store:
+      dir: src/test/resources/vomsdir
+  tape:
+    well-known:
+      source: src/test/resources/well-known/wlcg-tape-rest-api.json
+
+  authz:
+    policies:  
+    - sa: fga
+      actions:
+      - all
+      effect: permit
+      description: Grant read/write access to a specific client
+      paths:
+      - /**
+      principals:
+      - type: jwt-client
+        params:
+          iss: https://iam-dev.cloud.cnaf.infn.it/
+          id: 42999a63-7449-43fb-952e-42f2d75b865b
+
diff --git a/...va/org/italiangrid/storm/webdav/test/authz/integration/AuthorizationIntegrationTests.java b/...va/org/italiangrid/storm/webdav/test/authz/integration/AuthorizationIntegrationTests.java
@@ -57,6 +57,9 @@ public class AuthorizationIntegrationTests {
   public static final String UNKNOWN_ISSUER = "https://unknown.example";
   public static final String EXAMPLE_ISSUER = "https://issuer.example";
 
+  public static final String AUTHORIZED_JWT_CLIENT_ID = "1234";
+  public static final String UNAUTHORIZED_JWT_CLIENT_ID = "5678";
+
 
   @Autowired
   private MockMvc mvc;
@@ -127,11 +130,8 @@ void issuerChecksAreEnforcedForWlcgScopeBasedAuthz() throws Exception {
 
   @Test
   void getAccessAsJwtUserWithoutScopeLeadsToAccessDenied() throws Exception {
-    Jwt token = Jwt.withTokenValue("test")
-      .header("kid", "rsa1")
-      .issuer(WLCG_ISSUER)
-      .subject("123")
-      .build();
+    Jwt token =
+        Jwt.withTokenValue("test").header("kid", "rsa1").issuer(WLCG_ISSUER).subject("123").build();
 
     mvc.perform(get(SLASH_WLCG_SLASH_FILE).with(jwt().jwt(token)))
       .andExpect(status().isForbidden());
@@ -180,6 +180,104 @@ void getAccessAsJwtWithWriteCapabilityResultsInAccessDenied() throws Exception {
 
   }
 
+  @Test
+  void readAccessAsJwtWithAllowedClient() throws Exception {
+    Jwt token = Jwt.withTokenValue("test")
+      .header("kid", "rsa1")
+      .issuer(EXAMPLE_ISSUER)
+      .claim("client_id", AUTHORIZED_JWT_CLIENT_ID)
+      .build();
+
+    mvc.perform(get(SLASH_WLCG_SLASH_FILE).with(jwt().jwt(token).authorities(authConverter)))
+      .andExpect(status().isNotFound());
+
+  }
+
+  @Test
+  void readAccessWithoutMatchedJWTIsDenied() throws Exception {
+    Jwt token = Jwt.withTokenValue("test")
+      .header("kid", "rsa1")
+      .issuer(EXAMPLE_ISSUER)
+      .claim("client_id", UNAUTHORIZED_JWT_CLIENT_ID)
+      .build();
+
+    mvc.perform(get(SLASH_WLCG_SLASH_FILE).with(jwt().jwt(token).authorities(authConverter)))
+      .andExpect(status().isForbidden());
+
+    token = Jwt.withTokenValue("test")
+      .header("kid", "rsa1")
+      .issuer(UNKNOWN_ISSUER)
+      .claim("client_id", AUTHORIZED_JWT_CLIENT_ID)
+      .build();
+
+    mvc.perform(get(SLASH_WLCG_SLASH_FILE).with(jwt().jwt(token).authorities(authConverter)))
+      .andExpect(status().isForbidden());
+
+    token = Jwt.withTokenValue("test")
+      .header("kid", "rsa1")
+      .issuer(UNKNOWN_ISSUER)
+      .claim("client_id", UNAUTHORIZED_JWT_CLIENT_ID)
+      .build();
+
+    mvc.perform(get(SLASH_WLCG_SLASH_FILE).with(jwt().jwt(token).authorities(authConverter)))
+      .andExpect(status().isForbidden());
+
+    token = Jwt.withTokenValue("test").header("kid", "rsa1").issuer(UNKNOWN_ISSUER).build();
+
+    mvc.perform(get(SLASH_WLCG_SLASH_FILE).with(jwt().jwt(token).authorities(authConverter)))
+      .andExpect(status().isForbidden());
+
+  }
+
+  @Test
+  void writeAccessAsJwtWithAllowedClient() throws Exception {
+    Jwt token = Jwt.withTokenValue("test")
+      .header("kid", "rsa1")
+      .issuer(EXAMPLE_ISSUER)
+      .claim("client_id", AUTHORIZED_JWT_CLIENT_ID)
+      .build();
+
+    mvc.perform(put(SLASH_WLCG_SLASH_FILE).with(jwt().jwt(token).authorities(authConverter)))
+      .andExpect(status().isOk());
+
+  }
+
+  @Test
+  void writeAccessWithoutMatchedJWTIsDenied() throws Exception {
+    Jwt token = Jwt.withTokenValue("test")
+      .header("kid", "rsa1")
+      .issuer(EXAMPLE_ISSUER)
+      .claim("client_id", UNAUTHORIZED_JWT_CLIENT_ID)
+      .build();
+
+    mvc.perform(put(SLASH_WLCG_SLASH_FILE).with(jwt().jwt(token).authorities(authConverter)))
+      .andExpect(status().isForbidden());
+
+    token = Jwt.withTokenValue("test")
+      .header("kid", "rsa1")
+      .issuer(UNKNOWN_ISSUER)
+      .claim("client_id", AUTHORIZED_JWT_CLIENT_ID)
+      .build();
+
+    mvc.perform(put(SLASH_WLCG_SLASH_FILE).with(jwt().jwt(token).authorities(authConverter)))
+      .andExpect(status().isForbidden());
+
+    token = Jwt.withTokenValue("test")
+      .header("kid", "rsa1")
+      .issuer(UNKNOWN_ISSUER)
+      .claim("client_id", UNAUTHORIZED_JWT_CLIENT_ID)
+      .build();
+
+    mvc.perform(put(SLASH_WLCG_SLASH_FILE).with(jwt().jwt(token).authorities(authConverter)))
+      .andExpect(status().isForbidden());
+
+    token = Jwt.withTokenValue("test").header("kid", "rsa1").issuer(UNKNOWN_ISSUER).build();
+
+    mvc.perform(put(SLASH_WLCG_SLASH_FILE).with(jwt().jwt(token).authorities(authConverter)))
+      .andExpect(status().isForbidden());
+
+  }
+
   @WithMockVOMSUser(vos = "wlcg", saReadPermissions = {"wlcg"})
   @Test
   void localVomsCopyRequiresWithReadPermissionsGetsAccessDenied() throws Exception {