wip - added UsernameAttribute enum for useAsUsername

2025-02-07 00:17:07 +01:00 · 2025-01-31 13:20:31 +00:00 · 2025-01-31 13:20:31 +00:00 · eeb7498fe1
commit eeb7498fe1
parent bc57977f9e
11 changed files with 157 additions and 73 deletions
--- a/src/main/java/stirling/software/SPDF/config/security/oauth2/CustomOAuth2UserService.java
+++ b/src/main/java/stirling/software/SPDF/config/security/oauth2/CustomOAuth2UserService.java
@ -16,8 +16,8 @@ import stirling.software.SPDF.config.security.LoginAttemptService;
 import stirling.software.SPDF.config.security.UserService;
 import stirling.software.SPDF.model.ApplicationProperties;
 import stirling.software.SPDF.model.ApplicationProperties.Security.OAUTH2;
 import stirling.software.SPDF.model.ApplicationProperties.Security.OAUTH2.Client;
 import stirling.software.SPDF.model.User;
 import stirling.software.SPDF.model.UsernameAttribute;
@Slf4j
 public class CustomOAuth2UserService implements OAuth2UserService<OidcUserRequest, OidcUser> {
@ -41,28 +41,12 @@ public class CustomOAuth2UserService implements OAuth2UserService<OidcUserReques
    @Override
    public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
        OAUTH2 oauth2 = applicationProperties.getSecurity().getOauth2();
        String usernameAttribute = oauth2.getUseAsUsername();
        if (usernameAttribute == null || usernameAttribute.isEmpty()) {
            Client client = oauth2.getClient();
            if (client != null && client.getKeycloak() != null) {
                usernameAttribute = client.getKeycloak().getUseAsUsername();
            } else {
                usernameAttribute = "email";
            }
        }
        try {
            OidcUser user = delegate.loadUser(userRequest);
-            String username = user.getUserInfo().getClaimAsString(usernameAttribute);
+            OAUTH2 oauth2 = applicationProperties.getSecurity().getOauth2();
-
+            UsernameAttribute usernameAttribute =
-            // Check if the username claim is null or empty
+                    UsernameAttribute.valueOf(oauth2.getUseAsUsername().toUpperCase());
-            if (username == null || username.isBlank()) {
+            String username = usernameAttribute.getName();
                throw new IllegalArgumentException(
                        "Claim '" + usernameAttribute + "' cannot be null or empty");
            }
            Optional<User> internalUser = userService.findByUsernameIgnoreCase(username);
@ -78,10 +62,7 @@ public class CustomOAuth2UserService implements OAuth2UserService<OidcUserReques
            // Return a new OidcUser with adjusted attributes
            return new DefaultOidcUser(
-                    user.getAuthorities(),
+                    user.getAuthorities(), userRequest.getIdToken(), user.getUserInfo(), username);
                    userRequest.getIdToken(),
                    user.getUserInfo(),
                    usernameAttribute);
        } catch (IllegalArgumentException e) {
            log.error("Error loading OIDC user: {}", e.getMessage());
            throw new OAuth2AuthenticationException(new OAuth2Error(e.getMessage()), e);
--- a/src/main/java/stirling/software/SPDF/config/security/oauth2/OAuth2Configuration.java
+++ b/src/main/java/stirling/software/SPDF/config/security/oauth2/OAuth2Configuration.java
@ -28,6 +28,7 @@ import stirling.software.SPDF.model.ApplicationProperties;
 import stirling.software.SPDF.model.ApplicationProperties.Security.OAUTH2;
 import stirling.software.SPDF.model.ApplicationProperties.Security.OAUTH2.Client;
 import stirling.software.SPDF.model.User;
 import stirling.software.SPDF.model.UsernameAttribute;
 import stirling.software.SPDF.model.exception.NoProviderFoundException;
 import stirling.software.SPDF.model.provider.GitHubProvider;
 import stirling.software.SPDF.model.provider.GoogleProvider;
@ -92,7 +93,7 @@ public class OAuth2Configuration {
                                .clientId(keycloak.getClientId())
                                .clientSecret(keycloak.getClientSecret())
                                .scope(keycloak.getScopes())
-                                .userNameAttributeName(keycloak.getUseAsUsername())
+                                .userNameAttributeName(keycloak.getUseAsUsername().name())
                                .clientName(keycloak.getClientName())
                                .build())
                : Optional.empty();
@ -123,7 +124,7 @@ public class OAuth2Configuration {
                                .authorizationUri(google.getAuthorizationUri())
                                .tokenUri(google.getTokenUri())
                                .userInfoUri(google.getUserInfoUri())
-                                .userNameAttributeName(google.getUseAsUsername())
+                                .userNameAttributeName(google.getUseAsUsername().name())
                                .clientName(google.getClientName())
                                .redirectUri(REDIRECT_URI_PATH + google.getName())
                                .authorizationGrantType(AUTHORIZATION_CODE)
@ -156,7 +157,7 @@ public class OAuth2Configuration {
                                .authorizationUri(github.getAuthorizationUri())
                                .tokenUri(github.getTokenUri())
                                .userInfoUri(github.getUserInfoUri())
-                                .userNameAttributeName(github.getUseAsUsername())
+                                .userNameAttributeName(github.getUseAsUsername().name())
                                .clientName(github.getClientName())
                                .redirectUri(REDIRECT_URI_PATH + github.getName())
                                .authorizationGrantType(AUTHORIZATION_CODE)
@ -171,29 +172,36 @@ public class OAuth2Configuration {
            return Optional.empty();
        }
        if (isStringEmpty(oauth.getIssuer())
                || isStringEmpty(oauth.getClientId())
                || isStringEmpty(oauth.getClientSecret())
                || isCollectionEmpty(oauth.getScopes())
                || isStringEmpty(oauth.getUseAsUsername())) {
            return Optional.empty();
        }
        String name = oauth.getProvider();
        String firstChar = String.valueOf(name.charAt(0));
        String clientName = name.replaceFirst(firstChar, firstChar.toUpperCase());
-        return Optional.of(
+        Provider oidcProvider =
-                ClientRegistrations.fromIssuerLocation(oauth.getIssuer())
+                new Provider(
-                        .registrationId(name)
+                        oauth.getIssuer(),
-                        .clientId(oauth.getClientId())
+                        name,
-                        .clientSecret(oauth.getClientSecret())
+                        clientName,
-                        .scope(oauth.getScopes())
+                        oauth.getClientId(),
-                        .userNameAttributeName(oauth.getUseAsUsername())
+                        oauth.getClientSecret(),
-                        .clientName(clientName)
+                        oauth.getScopes(),
-                        .redirectUri(REDIRECT_URI_PATH + name)
+                        UsernameAttribute.valueOf(oauth.getUseAsUsername().toUpperCase()),
-                        .authorizationGrantType(AUTHORIZATION_CODE)
+                        null,
-                        .build());
+                        null,
                        null);
        return !isStringEmpty(oidcProvider.getIssuer()) || validateProvider(oidcProvider)
                ? Optional.of(
                        ClientRegistrations.fromIssuerLocation(oauth.getIssuer())
                                .registrationId(name)
                                .clientId(oidcProvider.getClientId())
                                .clientSecret(oidcProvider.getClientSecret())
                                .scope(oidcProvider.getScopes())
                                .userNameAttributeName(oidcProvider.getUseAsUsername().getName())
                                .clientName(clientName)
                                .redirectUri(REDIRECT_URI_PATH + name)
                                .authorizationGrantType(AUTHORIZATION_CODE)
                                .build())
                : Optional.empty();
    }
    private boolean isOAuth2Enabled(OAUTH2 oAuth2) {
@ -213,8 +221,7 @@ public class OAuth2Configuration {
    @Bean
    @ConditionalOnProperty(
            value = "security.oauth2.enabled",
-            havingValue = "true",
+            havingValue = "true")
            matchIfMissing = false)
    GrantedAuthoritiesMapper userAuthoritiesMapper() {
        return (authorities) -> {
            Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
--- a/src/main/java/stirling/software/SPDF/controller/web/AccountWebController.java
+++ b/src/main/java/stirling/software/SPDF/controller/web/AccountWebController.java
@ -140,23 +140,19 @@ public class AccountWebController {
                case "userAlreadyExistsWeb" -> errorOAuth = "userAlreadyExistsWebMessage";
                case "oAuth2AuthenticationErrorWeb" -> errorOAuth = "login.oauth2InvalidUserType";
                case "invalid_token_response" -> errorOAuth = "login.oauth2InvalidTokenResponse";
-                case "authorization_request_not_found" ->
+                case "authorization_request_not_found" -> errorOAuth = "login.oauth2RequestNotFound";
                        errorOAuth = "login.oauth2RequestNotFound";
                case "access_denied" -> errorOAuth = "login.oauth2AccessDenied";
-                case "invalid_user_info_response" ->
+                case "invalid_user_info_response" -> errorOAuth = "login.oauth2InvalidUserInfoResponse";
                        errorOAuth = "login.oauth2InvalidUserInfoResponse";
                case "invalid_request" -> errorOAuth = "login.oauth2invalidRequest";
                case "invalid_id_token" -> errorOAuth = "login.oauth2InvalidIdToken";
                case "oAuth2AdminBlockedUser" -> errorOAuth = "login.oAuth2AdminBlockedUser";
                case "userIsDisabled" -> errorOAuth = "login.userIsDisabled";
                case "invalid_destination" -> errorOAuth = "login.invalid_destination";
-                case "relying_party_registration_not_found" ->
+                case "relying_party_registration_not_found" -> errorOAuth = "login.relyingPartyRegistrationNotFound";
                        errorOAuth = "login.relyingPartyRegistrationNotFound";
                // Valid InResponseTo was not available from the validation context, unable to
                // evaluate
                case "invalid_in_response_to" -> errorOAuth = "login.invalid_in_response_to";
-                case "not_authentication_provider_found" ->
+                case "not_authentication_provider_found" -> errorOAuth = "login.not_authentication_provider_found";
                        errorOAuth = "login.not_authentication_provider_found";
            }
            model.addAttribute("errorOAuth", errorOAuth);
--- a/src/main/java/stirling/software/SPDF/model/UsernameAttribute.java
+++ b/src/main/java/stirling/software/SPDF/model/UsernameAttribute.java
@ -0,0 +1,21 @@
 package stirling.software.SPDF.model;
 import lombok.Getter;
@Getter
 public enum UsernameAttribute {
    NAME("name"),
    EMAIL("email"),
    GIVEN_NAME("given_name"),
    PREFERRED_NAME("preferred_name"),
    PREFERRED_USERNAME("preferred_username"),
    LOGIN("login"),
    FAMILY_NAME("family_name"),
    NICKNAME("nickname");
    private final String name;
    UsernameAttribute(final String name) {
        this.name = name;
    }
 }
--- a/src/main/java/stirling/software/SPDF/model/exception/UnsupportedUsernameAttribute.java
+++ b/src/main/java/stirling/software/SPDF/model/exception/UnsupportedUsernameAttribute.java
@ -0,0 +1,7 @@
 package stirling.software.SPDF.model.exception;
 public class UnsupportedUsernameAttribute extends RuntimeException {
    public UnsupportedUsernameAttribute(String message) {
        super(message);
    }
 }
--- a/src/main/java/stirling/software/SPDF/model/provider/GitHubProvider.java
+++ b/src/main/java/stirling/software/SPDF/model/provider/GitHubProvider.java
@ -4,6 +4,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import lombok.NoArgsConstructor;
 import stirling.software.SPDF.model.UsernameAttribute;
@NoArgsConstructor
 public class GitHubProvider extends Provider {
@ -15,7 +16,10 @@ public class GitHubProvider extends Provider {
    private static final String USER_INFO_URI = "https://api.github.com/user";
    public GitHubProvider(
-            String clientId, String clientSecret, Collection<String> scopes, String useAsUsername) {
+            String clientId,
            String clientSecret,
            Collection<String> scopes,
            UsernameAttribute useAsUsername) {
        super(
                null,
                NAME,
@ -23,7 +27,7 @@ public class GitHubProvider extends Provider {
                clientId,
                clientSecret,
                scopes,
-                useAsUsername != null ? useAsUsername : "login",
+                useAsUsername != null ? useAsUsername : UsernameAttribute.LOGIN,
                AUTHORIZATION_URI,
                TOKEN_URI,
                USER_INFO_URI);
--- a/src/main/java/stirling/software/SPDF/model/provider/GoogleProvider.java
+++ b/src/main/java/stirling/software/SPDF/model/provider/GoogleProvider.java
@ -4,6 +4,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import lombok.NoArgsConstructor;
 import stirling.software.SPDF.model.UsernameAttribute;
@NoArgsConstructor
 public class GoogleProvider extends Provider {
@ -16,7 +17,10 @@ public class GoogleProvider extends Provider {
            "https://www.googleapis.com/oauth2/v3/userinfo?alt=json";
    public GoogleProvider(
-            String clientId, String clientSecret, Collection<String> scopes, String useAsUsername) {
+            String clientId,
            String clientSecret,
            Collection<String> scopes,
            UsernameAttribute useAsUsername) {
        super(
                null,
                NAME,
--- a/src/main/java/stirling/software/SPDF/model/provider/KeycloakProvider.java
+++ b/src/main/java/stirling/software/SPDF/model/provider/KeycloakProvider.java
@ -4,6 +4,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import lombok.NoArgsConstructor;
 import stirling.software.SPDF.model.UsernameAttribute;
@NoArgsConstructor
 public class KeycloakProvider extends Provider {
@ -16,7 +17,7 @@ public class KeycloakProvider extends Provider {
            String clientId,
            String clientSecret,
            Collection<String> scopes,
-            String useAsUsername) {
+            UsernameAttribute useAsUsername) {
        super(
                issuer,
                NAME,
--- a/src/main/java/stirling/software/SPDF/model/provider/Provider.java
+++ b/src/main/java/stirling/software/SPDF/model/provider/Provider.java
@ -1,6 +1,6 @@
 package stirling.software.SPDF.model.provider;
-import static stirling.software.SPDF.utils.validation.Validator.isStringEmpty;
+import static stirling.software.SPDF.model.UsernameAttribute.EMAIL;
 import java.util.ArrayList;
 import java.util.Arrays;
@ -9,6 +9,8 @@ import java.util.stream.Collectors;
 import lombok.Data;
 import lombok.NoArgsConstructor;
 import stirling.software.SPDF.model.UsernameAttribute;
 import stirling.software.SPDF.model.exception.UnsupportedUsernameAttribute;
@Data
@NoArgsConstructor
@ -20,7 +22,7 @@ public class Provider {
    private String clientId;
    private String clientSecret;
    private Collection<String> scopes;
-    private String useAsUsername;
+    private UsernameAttribute useAsUsername;
    private String authorizationUri;
    private String tokenUri;
    private String userInfoUri;
@ -32,7 +34,7 @@ public class Provider {
            String clientId,
            String clientSecret,
            Collection<String> scopes,
-            String useAsUsername,
+            UsernameAttribute useAsUsername,
            String authorizationUri,
            String tokenUri,
            String userInfoUri) {
@ -42,7 +44,8 @@ public class Provider {
        this.clientId = clientId;
        this.clientSecret = clientSecret;
        this.scopes = scopes == null ? new ArrayList<>() : scopes;
-        this.useAsUsername = isStringEmpty(useAsUsername) ? "email" : useAsUsername;
+        this.useAsUsername =
                useAsUsername != null ? validateUsernameAttribute(useAsUsername) : EMAIL;
        this.authorizationUri = authorizationUri;
        this.tokenUri = tokenUri;
        this.userInfoUri = userInfoUri;
@ -55,6 +58,69 @@ public class Provider {
        }
    }
    private UsernameAttribute validateUsernameAttribute(UsernameAttribute usernameAttribute) {
        switch (name) {
            case "google" -> {
                return validateGoogleUsernameAttribute(usernameAttribute);
            }
            case "github" -> {
                return validateGitHubUsernameAttribute(usernameAttribute);
            }
            case "keycloak" -> {
                return validateKeycloakUsernameAttribute(usernameAttribute);
            }
            default -> {
                return usernameAttribute;
            }
        }
    }
    private UsernameAttribute validateKeycloakUsernameAttribute(
            UsernameAttribute usernameAttribute) {
        switch (usernameAttribute) {
            case EMAIL, PREFERRED_NAME -> {
                return usernameAttribute;
            }
            default ->
                    throw new UnsupportedUsernameAttribute(
                            "The attribute "
                                    + usernameAttribute
                                    + "is not supported for "
                                    + clientName
                                    + ".");
        }
    }
    private UsernameAttribute validateGoogleUsernameAttribute(UsernameAttribute usernameAttribute) {
        switch (usernameAttribute) {
            case EMAIL, NAME, GIVEN_NAME, PREFERRED_NAME -> {
                return usernameAttribute;
            }
            default ->
                    throw new UnsupportedUsernameAttribute(
                            "The attribute "
                                    + usernameAttribute
                                    + "is not supported for "
                                    + clientName
                                    + ".");
        }
    }
    private UsernameAttribute validateGitHubUsernameAttribute(UsernameAttribute usernameAttribute) {
        switch (usernameAttribute) {
            case EMAIL, NAME, LOGIN -> {
                return usernameAttribute;
            }
            default ->
                    throw new UnsupportedUsernameAttribute(
                            "The attribute "
                                    + usernameAttribute
                                    + "is not supported for "
                                    + clientName
                                    + ".");
        }
    }
    @Override
    public String toString() {
        return "Provider [name="
--- a/src/main/java/stirling/software/SPDF/utils/validation/Validator.java
+++ b/src/main/java/stirling/software/SPDF/utils/validation/Validator.java
@ -23,10 +23,6 @@ public class Validator {
            return false;
        }
        if (isStringEmpty(provider.getUseAsUsername())) {
            return false;
        }
        return true;
    }
--- a/src/test/java/stirling/software/SPDF/utils/validation/ValidatorTest.java
+++ b/src/test/java/stirling/software/SPDF/utils/validation/ValidatorTest.java
@ -6,6 +6,7 @@ import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 import org.mockito.junit.jupiter.MockitoExtension;
 import stirling.software.SPDF.model.UsernameAttribute;
 import stirling.software.SPDF.model.provider.GitHubProvider;
 import stirling.software.SPDF.model.provider.GoogleProvider;
 import stirling.software.SPDF.model.provider.KeycloakProvider;
@ -28,7 +29,7 @@ class ValidatorTest {
        when(provider.getClientId()).thenReturn("clientId");
        when(provider.getClientSecret()).thenReturn("clientSecret");
        when(provider.getScopes()).thenReturn(List.of("read:user"));
-        when(provider.getUseAsUsername()).thenReturn("email");
+        when(provider.getUseAsUsername()).thenReturn(UsernameAttribute.EMAIL);
        assertTrue(Validator.validateProvider(provider));
    }
@ -41,9 +42,9 @@ class ValidatorTest {
    public static Stream<Arguments> providerParams() {
        Provider generic = null;
-        var google = new GoogleProvider(null, "clientSecret", List.of("scope"), "email");
+        var google = new GoogleProvider(null, "clientSecret", List.of("scope"), UsernameAttribute.EMAIL);
-        var github = new GitHubProvider("clientId", "", List.of("scope"), "login");
+        var github = new GitHubProvider("clientId", "", List.of("scope"), UsernameAttribute.LOGIN);
-        var keycloak = new KeycloakProvider("issuer", "clientId", "clientSecret", List.of("scope"), "email");
+        var keycloak = new KeycloakProvider("issuer", "clientId", "clientSecret", List.of("scope"), UsernameAttribute.EMAIL);
        keycloak.setUseAsUsername(null);