Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

5511 - Add Org Validation #55

Merged
merged 2 commits into from
Mar 4, 2022
Merged

5511 - Add Org Validation #55

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a25a193
5511 - Add Org Validation
AnumehaSrivastava05 Mar 3, 2022
d1b7af4
Updated logging to make it clearer when there's an error.
weskubo-cgi Mar 4, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions backend/src/main/java/ca/bc/gov/hlth/hnweb/security/AudienceValidator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,8 +52,8 @@ public OAuth2TokenValidatorResult validate(Jwt jwt) {
Transaction transaction = auditService.createTransaction(request.getRemoteAddr(), TransactionType.UNKNOWN);
auditService.createTransactionEvent(transaction, TransactionEventType.UNAUTHORIZED);

logger.debug(error.getDescription());
logger.warn("User {} is missing aud claim {} ", jwt.getClaim(SecurityUtil.CLAIM_USERNAME).toString(), audience);
return OAuth2TokenValidatorResult.failure(error);
}
}
}
}
53 changes: 53 additions & 0 deletions backend/src/main/java/ca/bc/gov/hlth/hnweb/security/OrganizationValidator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
package ca.bc.gov.hlth.hnweb.security;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2ErrorCodes;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.stereotype.Component;
import org.springframework.util.Assert;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

import ca.bc.gov.hlth.hnweb.persistence.entity.Transaction;
import ca.bc.gov.hlth.hnweb.persistence.entity.TransactionEventType;
import ca.bc.gov.hlth.hnweb.service.AuditService;

@Component
public class OrganizationValidator implements OAuth2TokenValidator<Jwt> {

private static final Logger logger = LoggerFactory.getLogger(OrganizationValidator.class);

private static final OAuth2Error error = new OAuth2Error(OAuth2ErrorCodes.INVALID_REQUEST, " User has no org_details",
"https://tools.ietf.org/html/rfc6750#section-3.1");

@Autowired
private AuditService auditService;

@Override
public OAuth2TokenValidatorResult validate(Jwt jwt) {
Assert.notNull(jwt, "Token cannot be null");

String org = jwt.getClaim(SecurityUtil.CLAIM_ORGANIZATION);

if (StringUtils.isNotEmpty(org)) {
return OAuth2TokenValidatorResult.success();
} else {
// Audit the failure. Only users with defined Organization should be considered as authorized and able to access MSP Direct.
HttpServletRequest request = ((ServletRequestAttributes) RequestContextHolder.getRequestAttributes()).getRequest();

Transaction transaction = auditService.createTransaction(request.getRemoteAddr(), TransactionType.UNKNOWN);
auditService.createTransactionEvent(transaction, TransactionEventType.UNAUTHORIZED);

logger.warn("User {} has no org_details (Organization)", jwt.getClaim(SecurityUtil.CLAIM_USERNAME).toString());
return OAuth2TokenValidatorResult.failure(error);
}
}
}
6 changes: 5 additions & 1 deletion backend/src/main/java/ca/bc/gov/hlth/hnweb/security/SecurityConfig.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,9 @@ public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private AudienceValidator audienceValidator;

@Autowired
private OrganizationValidator organizationValidator;

@Autowired
private CustomAccessDeniedHandler accessDeniedHandler;

Expand Down Expand Up @@ -73,8 +76,9 @@ public JwtDecoder jwtDecoder() {

OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuerUri);
OAuth2TokenValidator<Jwt> withAudience = new DelegatingOAuth2TokenValidator<>(withIssuer, audienceValidator);
OAuth2TokenValidator<Jwt> withOrganization = new DelegatingOAuth2TokenValidator<>(withAudience, organizationValidator);

jwtDecoder.setJwtValidator(withAudience);
jwtDecoder.setJwtValidator(withOrganization);

return jwtDecoder;
}
Expand Down
4 changes: 2 additions & 2 deletions backend/src/main/java/ca/bc/gov/hlth/hnweb/security/SecurityUtil.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,8 @@ public class SecurityUtil {

private static final String CLAIM_RESOURCE_ACCESS = "resource_access";
private static final String CLAIM_SESSION_STATE = "session_state";
private static final String CLAIM_USERNAME = "preferred_username";
private static final String CLAIM_ORGANIZATION = "org_details";
public static final String CLAIM_USERNAME = "preferred_username";
public static final String CLAIM_ORGANIZATION = "org_details";

private static final String ORGANIZATION_ID = "id";

Expand Down