feat: access control and user management with Keycloak

wipp-backend-application/pom.xml

@@ -63,7 +63,7 @@
 			</activation>
 			<properties>
 				<mongodb.host>localhost</mongodb.host>
-				<mongodb.database>wipp-plugins</mongodb.database>
+				<mongodb.database>wipp-plugins-keycloak</mongodb.database>
 				<workflow.management.system>argo</workflow.management.system>
 				<workflow.binary>argo</workflow.binary>
 				<kube.wippdata.pvc>wippdata-pvc</kube.wippdata.pvc>
@@ -110,7 +110,6 @@
 				<ome.converter.threads>6</ome.converter.threads>
 			</properties>
 		</profile>
-
 	</profiles>
 
 	<dependencies>
@@ -124,6 +123,22 @@
 			<artifactId>wipp-backend-argo-workflows</artifactId>
 			<version>${project.version}</version>
 		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>           
+		</dependency>
+		<dependency>
+		    <groupId>de.flapdoodle.embed</groupId>
+		    <artifactId>de.flapdoodle.embed.mongo</artifactId>
+		    <scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-test</artifactId>
+			<scope>test</scope>
+		</dependency>
 	</dependencies>
 
 </project>

wipp-backend-application/src/main/java/gov/nist/itl/ssd/wipp/backend/app/MyKeycloakSpringBootConfigResolver.java

@@ -0,0 +1,32 @@
+package gov.nist.itl.ssd.wipp.backend.app;
+
+import org.keycloak.adapters.KeycloakDeployment;
+import org.keycloak.adapters.KeycloakDeploymentBuilder;
+import org.keycloak.adapters.spi.HttpFacade;
+import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
+import org.keycloak.adapters.springboot.KeycloakSpringBootProperties;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * This class is needed for Keycloak to work because of a bug in Keycloak : see https://stackoverflow.com/questions/57787768/issues-running-example-keycloak-spring-boot-app
+ */
+
+@Configuration
+public class MyKeycloakSpringBootConfigResolver extends KeycloakSpringBootConfigResolver {
+
+    @Autowired
+    private KeycloakSpringBootProperties properties;
+
+    private KeycloakDeployment keycloakDeployment;
+
+    @Override
+    public KeycloakDeployment resolve(HttpFacade.Request facade) {
+        if (keycloakDeployment != null) {
+            return keycloakDeployment;
+        }
+
+        keycloakDeployment = KeycloakDeploymentBuilder.build(properties);
+        return keycloakDeployment;
+    }
+}

wipp-backend-application/src/main/java/gov/nist/itl/ssd/wipp/backend/app/SecurityConfig.java

@@ -0,0 +1,95 @@
+package gov.nist.itl.ssd.wipp.backend.app;
+
+import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
+import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
+import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.http.HttpMethod;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.core.authority.mapping.SimpleAuthorityMapper;
+import org.springframework.security.core.session.SessionRegistryImpl;
+import org.springframework.security.data.repository.query.SecurityEvaluationContextExtension;
+import org.springframework.security.web.authentication.HttpStatusEntryPoint;
+import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
+import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
+
+import gov.nist.itl.ssd.wipp.backend.core.CoreConfig;
+
+/**
+ * Keycloak/Spring security configuration
+ */
+@KeycloakConfiguration
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true,
+        securedEnabled = true,
+        jsr250Enabled = true)
+public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter
+{
+
+
+    @Bean
+    public SecurityEvaluationContextExtension securityEvaluationContextExtension() {
+        return new SecurityEvaluationContextExtension();
+    }
+
+    /**
+     * Registers the KeycloakAuthenticationProvider with the authentication manager.
+     * SimpleAuthorityMapper is used to make sure roles are not prefixed with ROLE_
+     */
+    @Autowired
+    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
+    	KeycloakAuthenticationProvider keycloakAuthenticationProvider
+        = keycloakAuthenticationProvider();
+       keycloakAuthenticationProvider.setGrantedAuthoritiesMapper(
+         new SimpleAuthorityMapper());
+       auth.authenticationProvider(keycloakAuthenticationProvider);    
+    }
+
+    /**
+     * Defines the session authentication strategy.
+     */
+    @Bean
+    @Override
+    protected SessionAuthenticationStrategy sessionAuthenticationStrategy() {
+        return new RegisterSessionAuthenticationStrategy(new SessionRegistryImpl());
+    }
+
+    /**
+     * Configures HTTP security
+     */
+    @Override
+    protected void configure(HttpSecurity http) throws Exception
+    {
+		super.configure(http);
+
+		http
+			.csrf().disable() 
+			// restrict Create/Update/Delete operations to authenticated users
+			.authorizeRequests()
+				.antMatchers(HttpMethod.POST).authenticated()
+				.antMatchers(HttpMethod.PUT).authenticated()
+				.antMatchers(HttpMethod.PATCH).authenticated()
+				.antMatchers(HttpMethod.DELETE).authenticated()
+				.anyRequest().permitAll()
+			// return 401 Unauthorized instead of 302 redirect to login page 
+			// for unauthorized access by anonymous user
+			.and()			
+				.exceptionHandling()
+				.authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
+    }
+
+    /**
+     * Exclude workflow exit controller from requiring authentication to allow Argo 
+     * to POST workflow exit status
+     */
+    @Override
+    public void configure(WebSecurity web) throws Exception {
+        web.ignoring().antMatchers(HttpMethod.POST, CoreConfig.BASE_URI + "/workflows/{workflowId}/exit");
+    }
+}

wipp-backend-application/src/main/resources/application.properties

@@ -65,3 +65,21 @@ logging.path=logs
 logging.level.org.springframework.web=INFO
 logging.level.loci.formats.in=WARN
 server.tomcat.accessLogEnabled=true
+
+# Keycloak configuration
+# Name of the Keycloak realm
+keycloak.realm=WIPPKeycloak
+# URL of Keycloak's auth server
+keycloak.auth-server-url=http://localhost:8081/auth
+keycloak.cors=true
+# SSL not required in dev
+keycloak.ssl-required=none
+# Name of Keycloak client
+keycloak.resource=wipp-keycloak-client
+keycloak.public-client=true
+# Needed because of https://stackoverflow.com/questions/53318134/unable-to-use-keycloak-in-spring-boot-2-1-due-to-duplicated-bean-registration-ht
+spring.main.allow-bean-definition-overriding=true
+# Uncomment to enable Keycloak's debug logging
+logging.level.org.keycloak=DEBUG
+# This will map principal.name to the connected user's username
+keycloak.principal-attribute=preferred_username