feat: switch to a service layer architecture

2025-02-18 22:15:14 +01:00
parent 11ab5e1dc4
commit 04a73073c1
42 changed files with 1295 additions and 1146 deletions
--- a/MyINPulse-back/src/main/java/enseirb/myinpulse/config/KeycloakJwtRolesConverter.java
+++ b/MyINPulse-back/src/main/java/enseirb/myinpulse/config/KeycloakJwtRolesConverter.java
@ -0,0 +1,107 @@
+/*
+ * Source: https://github.com/ChristianHuff-DEV/secure-spring-rest-api-using-keycloak/blob/main/src/main/java/io/betweendata/RestApi/security/oauth2/KeycloakJwtRolesConverter.java
+ * edited by Pierre Tellier
+ */
+package enseirb.myinpulse.config;
+
+import static java.util.stream.Collectors.toSet;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
+import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+public class KeycloakJwtRolesConverter implements Converter<Jwt, AbstractAuthenticationToken> {
+    /** Prefix used for realm level roles. */
+    public static final String PREFIX_REALM_ROLE = "ROLE_REALM_";
+
+    /** Prefix used in combination with the resource (client) name for resource level roles. */
+    public static final String PREFIX_RESOURCE_ROLE = "ROLE_";
+
+    /** Name of the claim containing the realm level roles */
+    private static final String CLAIM_REALM_ACCESS = "realm_access";
+
+    /** Name of the claim containing the resources (clients) the user has access to. */
+    private static final String CLAIM_RESOURCE_ACCESS = "resource_access";
+
+    /** Name of the claim containing roles. (Applicable to realm and resource level.) */
+    private static final String CLAIM_ROLES = "roles";
+
+    @Override
+    public AbstractAuthenticationToken convert(Jwt source) {
+        return new JwtAuthenticationToken(
+                source,
+                Stream.concat(
+                                new JwtGrantedAuthoritiesConverter().convert(source).stream(),
+                                tokenRolesExtractor(source).stream())
+                        .collect(toSet()));
+    }
+
+    /**
+     * Extracts the realm and resource level roles from a JWT token distinguishing between them
+     * using prefixes.
+     */
+    public Collection<GrantedAuthority> tokenRolesExtractor(Jwt jwt) {
+        // Collection that will hold the extracted roles
+        Collection<GrantedAuthority> grantedAuthorities = new ArrayList<>();
+
+        // Realm roles
+        // Get the part of the access token that holds the roles assigned on realm level
+        Map<String, Collection<String>> realmAccess = jwt.getClaim(CLAIM_REALM_ACCESS);
+
+        // Verify that the claim exists and is not empty
+        if (realmAccess != null && !realmAccess.isEmpty()) {
+            // From the realm_access claim get the roles
+            Collection<String> roles = realmAccess.get(CLAIM_ROLES);
+            // Check if any roles are present
+            if (roles != null && !roles.isEmpty()) {
+                // Iterate of the roles and add them to the granted authorities
+                Collection<GrantedAuthority> realmRoles =
+                        roles.stream()
+                                // Prefix all realm roles with "ROLE_realm_"
+                                .map(role -> new SimpleGrantedAuthority(PREFIX_REALM_ROLE + role))
+                                .collect(Collectors.toList());
+                grantedAuthorities.addAll(realmRoles);
+            }
+        }
+
+        // Resource (client) roles
+        // A user might have access to multiple resources all containing their own roles. Therefore,
+        // it is a map of
+        // resource each possibly containing a "roles" property.
+        Map<String, Map<String, Collection<String>>> resourceAccess =
+                jwt.getClaim(CLAIM_RESOURCE_ACCESS);
+
+        // Check if resources are assigned
+        if (resourceAccess != null && !resourceAccess.isEmpty()) {
+            // Iterate of all the resources
+            resourceAccess.forEach(
+                    (resource, resourceClaims) -> {
+                        // Iterate of the "roles" claim inside the resource claims
+                        resourceClaims
+                                .get(CLAIM_ROLES)
+                                .forEach(
+                                        // Add the role to the granted authority prefixed with ROLE_
+                                        // and the name of the resource
+                                        role ->
+                                                grantedAuthorities.add(
+                                                        new SimpleGrantedAuthority(
+                                                                PREFIX_RESOURCE_ROLE
+                                                                        + resource
+                                                                        + "_"
+                                                                        + role)));
+                    });
+        }
+
+        return grantedAuthorities;
+    }
+}