SimpleUI: add oauth2 support (#2400)

* simple-ui: add oauth2 support

This uses a trick to ensure that the id token is refreshed; it needs to be revisited after Spring Security 6.5 is released

* fixed style and added a way to enable / disable oauth2 client
This commit is contained in:
Mohamed Zenadi
2025-05-20 08:59:41 +02:00
committed by GitHub
parent 5f836c1ed1
commit 424520bb72
6 changed files with 261 additions and 44 deletions

View File

@@ -81,6 +81,10 @@
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-client</artifactId>
</dependency>
</dependencies>
<build>

View File

@@ -9,13 +9,6 @@
*/
package org.eclipse.hawkbit.ui.simple;
import static feign.Util.ISO_8859_1;
import java.util.Base64;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import com.vaadin.flow.component.page.AppShellConfigurator;
import com.vaadin.flow.server.PWA;
import com.vaadin.flow.theme.Theme;
@@ -28,7 +21,9 @@ import feign.codec.ErrorDecoder;
import org.eclipse.hawkbit.sdk.HawkbitClient;
import org.eclipse.hawkbit.sdk.HawkbitServer;
import org.eclipse.hawkbit.sdk.Tenant;
import org.eclipse.hawkbit.ui.simple.security.OAuth2TokenManager;
import org.eclipse.hawkbit.ui.simple.view.util.Utils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.openfeign.FeignClientsConfiguration;
@@ -40,6 +35,21 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import java.util.Base64;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.function.Function;
import static feign.Util.ISO_8859_1;
import static java.util.Collections.emptyList;
@Theme(themeClass = Lumo.class)
@PWA(name = "hawkBit UI", shortName = "hawkBit UI")
@@ -47,11 +57,18 @@ import org.springframework.security.core.context.SecurityContextHolder;
@Import(FeignClientsConfiguration.class)
public class SimpleUIApp implements AppShellConfigurator {
private static final RequestInterceptor AUTHORIZATION = requestTemplate -> {
private static final Function<OAuth2TokenManager, RequestInterceptor> AUTHORIZATION = (oAuth2TokenManager) -> requestTemplate -> {
final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
requestTemplate.header("Authorization", "Basic " + Base64.getEncoder().encodeToString(
(Objects.requireNonNull(authentication.getPrincipal(), "User is null!") + ":" + Objects.requireNonNull(
authentication.getCredentials(), "Password is not available!")).getBytes(ISO_8859_1)));
if (oAuth2TokenManager != null && authentication instanceof OAuth2AuthenticationToken oAuth2AuthenticationToken) {
String bearerToken = oAuth2TokenManager.getToken(oAuth2AuthenticationToken);
requestTemplate.header("Authorization", "Bearer " + bearerToken);
} else {
requestTemplate.header(
"Authorization", "Basic " + Base64.getEncoder().encodeToString(
(Objects.requireNonNull(authentication.getPrincipal(), "User is null!") + ":" + Objects.requireNonNull(
authentication.getCredentials(), "Password is not available!")).getBytes(ISO_8859_1))
);
}
};
private static final ErrorDecoder DEFAULT_ERROR_DECODER = new ErrorDecoder.Default();
@@ -67,13 +84,21 @@ public class SimpleUIApp implements AppShellConfigurator {
@Bean
HawkbitClient hawkbitClient(
final HawkbitServer hawkBitServer, final Encoder encoder, final Decoder decoder, final Contract contract) {
final HawkbitServer hawkBitServer,
final Encoder encoder,
final Decoder decoder,
final Contract contract,
@Autowired(required = false)
final OAuth2TokenManager oAuth2TokenManager
) {
return new HawkbitClient(
hawkBitServer, encoder, decoder, contract,
ERROR_DECODER,
(tenant, controller) ->
controller == null ?
AUTHORIZATION : HawkbitClient.DEFAULT_REQUEST_INTERCEPTOR_FN.apply(tenant, controller));
controller == null
? AUTHORIZATION.apply(oAuth2TokenManager)
: HawkbitClient.DEFAULT_REQUEST_INTERCEPTOR_FN.apply(tenant, controller)
);
}
@Bean
@@ -81,6 +106,27 @@ public class SimpleUIApp implements AppShellConfigurator {
return new HawkbitMgmtClient(tenant, hawkbitClient);
}
@Bean
OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService(final HawkbitMgmtClient hawkbitClient) {
final OidcUserService delegate = new OidcUserService();
return (userRequest) -> {
OidcUser oidcUser = delegate.loadUser(userRequest);
final OAuth2AuthenticationToken tempToken = new OAuth2AuthenticationToken(
oidcUser,
emptyList(),
userRequest.getClientRegistration().getRegistrationId()
);
final List<SimpleGrantedAuthority> grantedAuthorities =
getGrantedAuthorities(hawkbitClient, tempToken);
return new DefaultOidcUser(
grantedAuthorities,
oidcUser.getIdToken(),
oidcUser.getUserInfo()
);
};
}
// accepts all user / pass, just delegating them to the feign client
@Bean
AuthenticationManager authenticationManager(final HawkbitMgmtClient hawkbitClient) {
@@ -88,35 +134,9 @@ public class SimpleUIApp implements AppShellConfigurator {
final String username = authentication.getName();
final String password = authentication.getCredentials().toString();
final List<String> roles = new LinkedList<>();
roles.add("ANONYMOUS");
final SecurityContext unauthorizedContext = SecurityContextHolder.createEmptyContext();
unauthorizedContext.setAuthentication(
new UsernamePasswordAuthenticationToken(username, password));
final SecurityContext currentContext = SecurityContextHolder.getContext();
try {
SecurityContextHolder.setContext(unauthorizedContext);
if (hawkbitClient.hasSoftwareModulesRead()) {
roles.add("SOFTWARE_MODULE_READ");
}
if (hawkbitClient.hasRolloutRead()) {
roles.add("ROLLOUT_READ");
}
if (hawkbitClient.hasDistributionSetRead()) {
roles.add("DISTRIBUTION_SET_READ");
}
if (hawkbitClient.hasTargetRead()) {
roles.add("TARGET_READ");
}
if (hawkbitClient.hasConfigRead()) {
roles.add("CONFIG_READ");
}
} finally {
SecurityContextHolder.setContext(currentContext);
}
return new UsernamePasswordAuthenticationToken(
username, password,
roles.stream().map(role -> new SimpleGrantedAuthority("ROLE_" + role)).toList()) {
final List<SimpleGrantedAuthority> grantedAuthorities = getGrantedAuthorities(
hawkbitClient, new UsernamePasswordAuthenticationToken(username, password));
return new UsernamePasswordAuthenticationToken(username, password, grantedAuthorities) {
@Override
public void eraseCredentials() {
@@ -126,4 +146,33 @@ public class SimpleUIApp implements AppShellConfigurator {
};
};
}
private List<SimpleGrantedAuthority> getGrantedAuthorities(final HawkbitMgmtClient hawkbitClient, Authentication authentication) {
final List<String> roles = new LinkedList<>();
roles.add("ANONYMOUS");
final SecurityContext unauthorizedContext = SecurityContextHolder.createEmptyContext();
unauthorizedContext.setAuthentication(authentication);
final SecurityContext currentContext = SecurityContextHolder.getContext();
try {
SecurityContextHolder.setContext(unauthorizedContext);
if (hawkbitClient.hasSoftwareModulesRead()) {
roles.add("SOFTWARE_MODULE_READ");
}
if (hawkbitClient.hasRolloutRead()) {
roles.add("ROLLOUT_READ");
}
if (hawkbitClient.hasDistributionSetRead()) {
roles.add("DISTRIBUTION_SET_READ");
}
if (hawkbitClient.hasTargetRead()) {
roles.add("TARGET_READ");
}
if (hawkbitClient.hasConfigRead()) {
roles.add("CONFIG_READ");
}
} finally {
SecurityContextHolder.setContext(currentContext);
}
return roles.stream().map(role -> new SimpleGrantedAuthority("ROLE_" + role)).toList();
}
}

View File

@@ -0,0 +1,82 @@
/**
* Copyright (c) 2025 Contributors to the Eclipse Foundation
*
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*/
package org.eclipse.hawkbit.ui.simple.security;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager;
import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
import org.springframework.security.oauth2.client.endpoint.OAuth2AccessTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.OAuth2RefreshTokenGrantRequest;
import org.springframework.security.oauth2.client.endpoint.RestClientRefreshTokenTokenResponseClient;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.OAuth2AccessToken;
import org.springframework.security.oauth2.core.OAuth2RefreshToken;
import org.springframework.security.oauth2.core.endpoint.OAuth2AccessTokenResponse;
import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
import org.springframework.stereotype.Component;
import java.util.Optional;
@Component
@ConditionalOnBean(name = "hawkbitOAuth2ClientCustomizer")
public class OAuth2TokenManager {
private final OAuth2AuthorizedClientService clientService;
private final OAuth2AuthorizedClientManager clientManager;
private final OAuth2AccessTokenResponseClient<OAuth2RefreshTokenGrantRequest> tokenResponseClient;
OAuth2TokenManager(
final OAuth2AuthorizedClientService clientService,
final OAuth2AuthorizedClientManager clientManager
) {
this.clientService = clientService;
this.clientManager = clientManager;
this.tokenResponseClient = new RestClientRefreshTokenTokenResponseClient();
}
public String getToken(final OAuth2AuthenticationToken authentication) {
return Optional.ofNullable(authorizedToken(authentication)).orElse(
((DefaultOidcUser) authentication.getPrincipal()).getIdToken().getTokenValue()
);
}
/**
* Tries to refresh the id token if it is expired and adds it to the request.
*/
private String authorizedToken(final OAuth2AuthenticationToken authentication) {
String registrationId = authentication.getAuthorizedClientRegistrationId();
OAuth2AuthorizeRequest request = OAuth2AuthorizeRequest.withClientRegistrationId(registrationId).principal(authentication).build();
// This ensures that there is a client already, otherwise we won't be able to call the manager for authorization
OAuth2AuthorizedClient authorizedClient = clientService.loadAuthorizedClient(registrationId, authentication.getName());
if (authorizedClient == null) return null;
// Will ensure that the token is refreshed if needed; do not rely on it being not null as it won't be available
// during the first calls made to get the rights and generate the authorities
OAuth2AuthorizedClient refreshClient = clientManager.authorize(request);
if (refreshClient == null) return null;
// A small trick to refresh the token if it is expired; the current spring version does not refresh the ID Token when the Access Token is refreshed
// This won't be necessary after Spring Security 6.5; cf. https://github.com/spring-projects/spring-security/pull/16589
OAuth2AccessToken accessToken = refreshClient.getAccessToken();
OAuth2RefreshToken refreshToken = refreshClient.getRefreshToken();
ClientRegistration clientRegistration = refreshClient.getClientRegistration();
// if this is null, please request it via the scopes
if (refreshToken == null) return null;
OAuth2RefreshTokenGrantRequest refreshTokenGrantRequest = new OAuth2RefreshTokenGrantRequest(
clientRegistration, accessToken, refreshToken);
OAuth2AccessTokenResponse response = tokenResponseClient.getTokenResponse(refreshTokenGrantRequest);
return (String) response.getAdditionalParameters().get("id_token");
}
}

View File

@@ -0,0 +1,28 @@
/**
* Copyright (c) 2023 Contributors to the Eclipse Foundation
*
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*/
package org.eclipse.hawkbit.ui.simple.security;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer;
@Configuration
public class Oauth2ClientConfig {
@Bean(name = "hawkbitOAuth2ClientCustomizer")
@ConditionalOnProperty(prefix = "hawkbit.server.security.oauth2.client", name = "enabled")
@ConditionalOnMissingBean(name = "hawkbitOAuth2ClientCustomizer")
Customizer<OAuth2LoginConfigurer<HttpSecurity>> defaultOAuth2ClientCustomizer() {
return Customizer.withDefaults();
}
}

View File

@@ -0,0 +1,34 @@
/**
* Copyright (c) 2025 Contributors to the Eclipse Foundation
*
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*/
package org.eclipse.hawkbit.ui.simple.security;
import lombok.Data;
import lombok.ToString;
import org.springframework.boot.context.properties.ConfigurationProperties;
@Data
@ToString
@ConfigurationProperties("hawkbit.server.security")
public class OidcClientProperties {
private final OidcClientProperties.Oauth2 oauth2 = new OidcClientProperties.Oauth2();
@Data
public static class Oauth2 {
private final OidcClientProperties.Oauth2.Client client = new OidcClientProperties.Oauth2.Client();
@Data
public static class Client {
private boolean enabled = false;
}
}
}

View File

@@ -11,18 +11,33 @@ package org.eclipse.hawkbit.ui.simple.security;
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import org.eclipse.hawkbit.ui.simple.view.LoginView;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@EnableWebSecurity
@Configuration
@EnableConfigurationProperties({ OidcClientProperties.class })
public class SecurityConfiguration extends VaadinWebSecurity {
private Customizer<OAuth2LoginConfigurer<HttpSecurity>> oAuth2LoginConfigurerCustomizer;
@Autowired(required = false)
public void setOAuth2LoginConfigurerCustomizer(
@Qualifier("hawkbitOAuth2ClientCustomizer") final Customizer<OAuth2LoginConfigurer<HttpSecurity>> oauth2LoginConfigurerCustomizer
) {
this.oAuth2LoginConfigurerCustomizer = oauth2LoginConfigurerCustomizer;
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
@@ -34,6 +49,11 @@ public class SecurityConfiguration extends VaadinWebSecurity {
authorize -> authorize.requestMatchers(new AntPathRequestMatcher("/images/*.png")).permitAll());
super.configure(http);
setLoginView(http, LoginView.class);
if (oAuth2LoginConfigurerCustomizer != null) {
http.oauth2Login(oAuth2LoginConfigurerCustomizer);
} else {
setLoginView(http, LoginView.class);
}
}
}