Jwt multi admin (geoserver#7610)

* Add JWT Header support for multiple ADMIN/ROLE_ADMINISTRATOR support * better javascript handling for when creating a new jwt headers filter * doc change for role converter * fix bug when json path doesn't exist * delete old src/ dir * afabiani review changes - (c) header, more specific import, UI: Role Source enum --------- Co-authored-by: david blasby <[email protected]>
GeoCat · May 13, 2024 · b692158 · b692158
1 parent c98f9c0
commit b692158
Show file tree

Hide file tree

Showing 43 changed files with 126 additions and 3,179 deletions.
diff --git a/doc/en/user/source/community/jwt-headers/configuration.rst b/doc/en/user/source/community/jwt-headers/configuration.rst
@@ -156,6 +156,12 @@ For example, a conversion map like `GeoserverAdministrator=ROLE_ADMINISTRATOR` w
 
 In our example, the user has two roles "GeoserverAdministrator" and "GeonetworkAdministrator".  If the "Only allow External Roles that are explicitly named above" is checked, then GeoServer will only see the "ROLE_ADMINISTRATOR" role.  If unchecked, it will see "ROLE_ADMINISTRATOR" and "GeonetworkAdministrator".  In neither case will it see the converted "GeoserverAdministrator" roles.
 
+You can also have multiple GeoServer roles from one external (OIDC) role.  For example, this role conversion:
+
+`GeoserverAdministrator=ROLE_ADMINISTRATOR;GeoserverAdministrator=ADMIN`
+
+Will give users with the OIDC role `GeoserverAdministrator` two GeoServer roles - `ROLE_ADMINISTRATOR` and `ADMIN`.
+
 
 JWT Validation
 ^^^^^^^^^^^^^^

diff --git a/...c/main/java/org/geoserver/security/jwtheaders/filter/GeoServerJwtHeadersFilterConfig.java b/...c/main/java/org/geoserver/security/jwtheaders/filter/GeoServerJwtHeadersFilterConfig.java
@@ -116,7 +116,12 @@ public SecurityConfig clone(boolean allowEnvParametrization) {
     /** what formats we support for roles in the header. */
     public enum JWTHeaderRoleSource implements RoleSource {
         JSON,
-        JWT;
+        JWT,
+
+        // From: PreAuthenticatedUserNameFilterConfig
+        Header,
+        UserGroupService,
+        RoleService;
 
         @Override
         public boolean equals(RoleSource other) {

diff --git a/...eaders/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanel.html b/...eaders/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanel.html
@@ -45,16 +45,21 @@
                 visibilityDiv.style.display = "none";
         }
 
-        // When the page is loaded, we hide  the username "json path" input if its not needed.
-        window.addEventListener('load', function () {
+        function reset() {
             usernameFormatChanged();
             showTokenValidationChanged();
             toggleVisible(document.getElementById('validateTokenSignature'),'validateTokenSignatureURLDiv');
             toggleVisible(document.getElementById('validateTokenAgainstURL'),'validateTokenAgainstURLDiv');
             toggleVisible(document.getElementById('validateTokenAudience'),'validateTokenAudienceDiv');
+        }
 
-
+        // When the page is loaded, we hide  the username "json path" input if its not needed.
+        window.addEventListener('load', function () {
+                reset();
         });
+
+        // when creating a new jwt headers filter, we need to "kick" it.
+        setTimeout(reset,100);
     </script>
 </wicket:head>
 <wicket:extend>

diff --git a/...rs/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/JwtConfiguration.java b/...rs/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/JwtConfiguration.java
@@ -1,7 +1,13 @@
+/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
+ * This code is licensed under the GPL 2.0 license, available at the root
+ * application directory.
+ */
 package org.geoserver.security.jwtheaders;
 
 import java.io.Serializable;
+import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 public class JwtConfiguration implements Serializable {
@@ -58,8 +64,8 @@ public class JwtConfiguration implements Serializable {
     // convert string of the form:
     // "externalRoleName1=GeoServerRoleName1;externalRoleName2=GeoServerRoleName2"
     // To a Map<String,String>
-    public Map<String, String> getRoleConverterAsMap() {
-        Map<String, String> result = new HashMap<>();
+    public Map<String, List<String>> getRoleConverterAsMap() {
+        Map<String, List<String>> result = new HashMap<>();
 
         if (roleConverterString == null || roleConverterString.isBlank()) return result; // empty
 
@@ -72,7 +78,13 @@ public Map<String, String> getRoleConverterAsMap() {
             String key = goodCharacters(keyValue[0]);
             String val = goodCharacters(keyValue[1]);
             if (key.isBlank() || val.isBlank()) continue;
-            result.put(key, val);
+            if (!result.containsKey(key)) {
+                var list = new ArrayList<String>();
+                list.add(val);
+                result.put(key, list);
+            } else {
+                result.get(key).add(val);
+            }
         }
         return result;
     }

diff --git a/...jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/roles/RoleConverter.java b/...jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/roles/RoleConverter.java
@@ -16,7 +16,7 @@
  */
 public class RoleConverter {
 
-    Map<String, String> conversionMap;
+    Map<String, List<String>> conversionMap;
 
     boolean externalNameMustBeListed;
 
@@ -39,11 +39,11 @@ public List<String> convert(List<String> externalRoles) {
         if (externalRoles == null) return result; // empty
 
         for (String externalRole : externalRoles) {
-            String gsRole = conversionMap.get(externalRole);
+            List<String> gsRole = conversionMap.get(externalRole);
             if (gsRole == null && !externalNameMustBeListed) {
                 result.add(externalRole);
             } else if (gsRole != null) {
-                result.add(gsRole);
+                result.addAll(gsRole);
             }
         }
         return result;

diff --git a/...wt-headers-util/src/main/java/org/geoserver/security/jwtheaders/token/TokenValidator.java b/...wt-headers-util/src/main/java/org/geoserver/security/jwtheaders/token/TokenValidator.java
@@ -31,6 +31,10 @@ public TokenValidator(JwtConfiguration config) {
 
     public void validate(String accessToken) throws Exception {
 
+        accessToken = accessToken.replaceFirst("^Bearer", "");
+        accessToken = accessToken.replaceFirst("^bearer", "");
+        accessToken = accessToken.trim();
+
         if (!jwtHeadersConfig.isValidateToken()) {
             return;
         }

diff --git a/.../src/main/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractor.java b/.../src/main/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractor.java
@@ -34,7 +34,12 @@ public static Object getClaim(Map<String, Object> map, String path) {
     // if this is trivial (single item in pathList), return the value.
     // otherwise, go into the map one level (pathList[0]) and recurse on the result.
     private static Object getClaim(Map<String, Object> map, List<String> pathList) {
-        if (pathList.size() == 1) return map.get(pathList.get(0));
+        if (map == null) {
+            return null;
+        }
+        if (pathList.size() == 1) {
+            return map.get(pathList.get(0));
+        }
 
         String first = pathList.get(0);
         pathList.remove(0);

diff --git a/...l/src/test/java/org/geoserver/security/jwtheaders/roles/JwtHeadersRolesExtractorTest.java b/...l/src/test/java/org/geoserver/security/jwtheaders/roles/JwtHeadersRolesExtractorTest.java
@@ -39,6 +39,24 @@ public void testSimpleJwt() throws ParseException {
         Assert.assertEquals("GeoserverAdministrator", roles.get(0));
     }
 
+    /**
+     * Test Tokens that start with "Bearer ".
+     *
+     * @throws ParseException
+     */
+    @Test
+    public void testSimpleJwtBearer() throws ParseException {
+        String accessToken =
+                "Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItWEdld190TnFwaWRrYTl2QXNJel82WEQtdnJmZDVyMlNWTWkwcWMyR1lNIn0.eyJleHAiOjE3MDcxNTMxNDYsImlhdCI6MTcwNzE1Mjg0NiwiYXV0aF90aW1lIjoxNzA3MTUyNjQ1LCJqdGkiOiJlMzhjY2ZmYy0zMWNjLTQ0NmEtYmU1Yy04MjliNDE0NTkyZmQiLCJpc3MiOiJodHRwczovL2xvZ2luLWxpdmUtZGV2Lmdlb2NhdC5saXZlL3JlYWxtcy9kYXZlLXRlc3QyIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImVhMzNlM2NjLWYwZTEtNDIxOC04OWNiLThkNDhjMjdlZWUzZCIsInR5cCI6IkJlYXJlciIsImF6cCI6ImxpdmUta2V5MiIsIm5vbmNlIjoiQldzc2M3cTBKZ0tHZC1OdFc1QlFhVlROMkhSa25LQmVIY0ZMTHZ5OXpYSSIsInNlc3Npb25fc3RhdGUiOiIxY2FiZmU1NC1lOWU0LTRjMmMtODQwNy03NTZiMjczZmFmZmIiLCJhY3IiOiIwIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtZGF2ZS10ZXN0MiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJsaXZlLWtleTIiOnsicm9sZXMiOlsiR2Vvc2VydmVyQWRtaW5pc3RyYXRvciJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcGhvbmUgb2ZmbGluZV9hY2Nlc3MgbWljcm9wcm9maWxlLWp3dCBwcm9maWxlIGFkZHJlc3MgZW1haWwiLCJzaWQiOiIxY2FiZmU1NC1lOWU0LTRjMmMtODQwNy03NTZiMjczZmFmZmIiLCJ1cG4iOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiYWRkcmVzcyI6e30sIm5hbWUiOiJkYXZpZCBibGFzYnkiLCJncm91cHMiOlsiZGVmYXVsdC1yb2xlcy1kYXZlLXRlc3QyIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCIsImdpdmVuX25hbWUiOiJkYXZpZCIsImZhbWlseV9uYW1lIjoiYmxhc2J5IiwiZW1haWwiOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCJ9.fHzXd7oISnqWb09ah9wikfP2UOBeiOA3vd_aDg3Bw-xcfv9aD3CWhAK5FUDPYSPyj4whAcknZbUgUzcm0qkaI8V_aS65F3Fug4jt4nC9YPL4zMSJ5an4Dp6jlQ3OQhrKFn4FwaoW61ndMmScsZZWEQyj6gzHnn5cknqySB26tVydT6q57iTO7KQFcXRdbXd6GWIoFGS-ud9XzxQMUdNfYmsDD7e6hoWhe9PJD9Zq4KT6JN13hUU4Dos-Z5SBHjRa6ieHoOe9gqkjKyA1jT1NU42Nqr-mTV-ql22nAoXuplpvOYc5-09-KDDzSDuVKFwLCNMN3ZyRF1wWuydJeU-gOQ";
+
+        List<String> roles =
+                getExtractor(JWT.toString(), "", "resource_access.live-key2.roles")
+                        .getRoles(accessToken).stream()
+                        .collect(Collectors.toList());
+        Assert.assertEquals(1, roles.size());
+        Assert.assertEquals("GeoserverAdministrator", roles.get(0));
+    }
+
     @Test
     public void testSimpleJson() throws ParseException {
         String json =

diff --git a/...headers-util/src/test/java/org/geoserver/security/jwtheaders/roles/RoleConverterTest.java b/...headers-util/src/test/java/org/geoserver/security/jwtheaders/roles/RoleConverterTest.java
@@ -24,7 +24,7 @@ public void testParseNull() {
         JwtConfiguration config = new JwtConfiguration();
 
         config.setRoleConverterString(null);
-        Map<String, String> map = config.getRoleConverterAsMap();
+        Map<String, List<String>> map = config.getRoleConverterAsMap();
         Assert.assertEquals(0, map.size());
 
         config.setRoleConverterString("");
@@ -50,18 +50,18 @@ public void testParseSimple() {
         JwtConfiguration config = new JwtConfiguration();
 
         config.setRoleConverterString("a=b");
-        Map<String, String> map = config.getRoleConverterAsMap();
+        Map<String, List<String>> map = config.getRoleConverterAsMap();
         Assert.assertEquals(1, map.size());
         Assert.assertTrue(map.containsKey("a"));
-        Assert.assertEquals("b", map.get("a"));
+        Assert.assertEquals(Arrays.asList("b"), map.get("a"));
 
         config.setRoleConverterString("a=b;c=d");
         map = config.getRoleConverterAsMap();
         Assert.assertEquals(2, map.size());
         Assert.assertTrue(map.containsKey("a"));
-        Assert.assertEquals("b", map.get("a"));
+        Assert.assertEquals(Arrays.asList("b"), map.get("a"));
         Assert.assertTrue(map.containsKey("c"));
-        Assert.assertEquals("d", map.get("c"));
+        Assert.assertEquals(Arrays.asList("d"), map.get("c"));
     }
 
     /**
@@ -75,24 +75,24 @@ public void testParseBad() {
 
         // bad format
         config.setRoleConverterString("a=b;c=;d");
-        Map<String, String> map = config.getRoleConverterAsMap();
+        Map<String, List<String>> map = config.getRoleConverterAsMap();
         Assert.assertEquals(1, map.size());
         Assert.assertTrue(map.containsKey("a"));
-        Assert.assertEquals("b", map.get("a"));
+        Assert.assertEquals(Arrays.asList("b"), map.get("a"));
 
         // bad chars
         config.setRoleConverterString("a= b** ;c=**;d");
         map = config.getRoleConverterAsMap();
         Assert.assertEquals(1, map.size());
         Assert.assertTrue(map.containsKey("a"));
-        Assert.assertEquals("b", map.get("a"));
+        Assert.assertEquals(Arrays.asList("b"), map.get("a"));
 
         // removes html tags
         config.setRoleConverterString("a= <script> ;c=**;d");
         map = config.getRoleConverterAsMap();
         Assert.assertEquals(1, map.size());
         Assert.assertTrue(map.containsKey("a"));
-        Assert.assertEquals("script", map.get("a"));
+        Assert.assertEquals(Arrays.asList("script"), map.get("a"));
     }
 
     /** Tests simple conversion, with setOnlyExternalListedRoles(false); */
@@ -133,4 +133,23 @@ public void testConversionOnlyMapped() {
 
         Assert.assertEquals("d", internalRoles.get(0));
     }
+
+    /**
+     * Test for creating multiple roles. purpose - make sure that a user can get multiple GS roles
+     * from a single OIDC role.
+     */
+    @Test
+    public void testMultipleRoles() {
+        JwtConfiguration config = new JwtConfiguration();
+        config.setRoleConverterString("a=ROLE_ADMINISTRATOR;a=ADMIN");
+        config.setOnlyExternalListedRoles(true);
+
+        RoleConverter roleConverter = new RoleConverter(config);
+        List<String> externalRoles = Arrays.asList("a");
+        List<String> internalRoles = roleConverter.convert(externalRoles);
+        Assert.assertEquals(2, internalRoles.size());
+
+        Assert.assertEquals("ROLE_ADMINISTRATOR", internalRoles.get(0));
+        Assert.assertEquals("ADMIN", internalRoles.get(1));
+    }
 }
diff --git a/.../test/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractorTest.java b/.../test/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractorTest.java
@@ -31,10 +31,11 @@ public void testSimpleJwt() throws ParseException {
         Assert.assertEquals("[email protected]", username);
     }
 
+    String json =
+            "{\"exp\":1707155912,\"iat\":1707155612,\"jti\":\"888715ae-a79d-4633-83e5-9b97dee02bbc\",\"iss\":\"https://login-live-dev.geocat.live/realms/dave-test2\",\"aud\":\"account\",\"sub\":\"ea33e3cc-f0e1-4218-89cb-8d48c27eee3d\",\"typ\":\"Bearer\",\"azp\":\"live-key2\",\"session_state\":\"ae7796fa-b374-4754-a294-e0eb834b23b5\",\"acr\":\"1\",\"realm_access\":{\"roles\":[\"default-roles-dave-test2\",\"offline_access\",\"uma_authorization\"]},\"resource_access\":{\"live-key2\":{\"roles\":[\"GeoserverAdministrator\"]},\"account\":{\"roles\":[\"manage-account\",\"manage-account-links\",\"view-profile\"]}},\"scope\":\"openidprofileemail\",\"sid\":\"ae7796fa-b374-4754-a294-e0eb834b23b5\",\"email_verified\":false,\"name\":\"davidblasby\",\"preferred_username\":\"[email protected]\",\"given_name\":\"david\",\"family_name\":\"blasby\",\"email\":\"[email protected]\"}";
+
     @Test
     public void testSimpleJson() throws ParseException {
-        String json =
-                "{\"exp\":1707155912,\"iat\":1707155612,\"jti\":\"888715ae-a79d-4633-83e5-9b97dee02bbc\",\"iss\":\"https://login-live-dev.geocat.live/realms/dave-test2\",\"aud\":\"account\",\"sub\":\"ea33e3cc-f0e1-4218-89cb-8d48c27eee3d\",\"typ\":\"Bearer\",\"azp\":\"live-key2\",\"session_state\":\"ae7796fa-b374-4754-a294-e0eb834b23b5\",\"acr\":\"1\",\"realm_access\":{\"roles\":[\"default-roles-dave-test2\",\"offline_access\",\"uma_authorization\"]},\"resource_access\":{\"live-key2\":{\"roles\":[\"GeoserverAdministrator\"]},\"account\":{\"roles\":[\"manage-account\",\"manage-account-links\",\"view-profile\"]}},\"scope\":\"openidprofileemail\",\"sid\":\"ae7796fa-b374-4754-a294-e0eb834b23b5\",\"email_verified\":false,\"name\":\"davidblasby\",\"preferred_username\":\"[email protected]\",\"given_name\":\"david\",\"family_name\":\"blasby\",\"email\":\"[email protected]\"}";
         String username =
                 getExtractor(JwtConfiguration.UserNameHeaderFormat.JSON, "preferred_username")
                         .extractUserName(json);
@@ -49,4 +50,33 @@ public void testSimpleString() throws ParseException {
                         .extractUserName(json);
         Assert.assertEquals("[email protected]", username);
     }
+
+    @Test
+    public void testNonExistentClaim() {
+        String claimValue =
+                getExtractor(JwtConfiguration.UserNameHeaderFormat.JSON, "notThere")
+                        .extractUserName(json);
+        Assert.assertNull(claimValue);
+
+        claimValue =
+                getExtractor(
+                                JwtConfiguration.UserNameHeaderFormat.JSON,
+                                "resource_access.notThere.abc")
+                        .extractUserName(json);
+        Assert.assertNull(claimValue);
+
+        claimValue =
+                getExtractor(
+                                JwtConfiguration.UserNameHeaderFormat.JSON,
+                                "resource_access.live-key2.notThere")
+                        .extractUserName(json);
+        Assert.assertNull(claimValue);
+
+        claimValue =
+                getExtractor(
+                                JwtConfiguration.UserNameHeaderFormat.JSON,
+                                "resource_access.live-key2.roles.notThere")
+                        .extractUserName(json);
+        Assert.assertNull(claimValue);
+    }
 }
diff --git a/src/community/jwt-headers/src/main/java/applicationSecurityContext.xml b/src/community/jwt-headers/src/main/java/applicationSecurityContext.xml