For #6668: add support for WildFly OIDC in FormRunnerAuthFilter

obruchez · obruchez · commit 38ec4aa29094 · 2024-12-19T12:31:38.000+01:00
diff --git a/build.sbt b/build.sbt
@@ -713,9 +713,10 @@ lazy val formRunnerJVM = formRunner.jvm
     DebugDatabaseTest / sourceDirectory := (DatabaseTest / sourceDirectory).value,
     DebugDatabaseTest / javaOptions     += "-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005"
   ).settings(
-    libraryDependencies += "javax.servlet"   % "javax.servlet-api"   % JavaxServletApiVersion   % Provided,
-    libraryDependencies += "jakarta.servlet" % "jakarta.servlet-api" % JakartaServletApiVersion % Provided,
-    libraryDependencies += "javax.portlet"   % "portlet-api"         % PortletApiVersion        % Provided,
+    libraryDependencies += "javax.servlet"        % "javax.servlet-api"         % JavaxServletApiVersion   % Provided,
+    libraryDependencies += "jakarta.servlet"      % "jakarta.servlet-api"       % JakartaServletApiVersion % Provided,
+    libraryDependencies += "javax.portlet"        % "portlet-api"               % PortletApiVersion        % Provided,
+    libraryDependencies += "org.wildfly.security" % "wildfly-elytron-http-oidc" % "2.6.0.Final"            % Provided,
 
     libraryDependencies += "org.scala-lang.modules" %% "scala-parallel-collections" % ScalaParallelCollectionsVersion,
 
diff --git a/form-runner/jvm/src/main/scala/org/orbeon/oxf/fr/FormRunnerAuth.scala b/form-runner/jvm/src/main/scala/org/orbeon/oxf/fr/FormRunnerAuth.scala
@@ -39,14 +39,23 @@ object FormRunnerAuth {
     Headers.OrbeonCredentials
   )
 
-  import Private._
+  import Private.*
 
   def getCredentialsAsHeadersUseSession(
-    userRoles  : UserRolesFacade,
-    session    : ExternalContext.Session,
-    getHeader  : String => List[String]
+    userRoles: UserRolesFacade,
+    session  : ExternalContext.Session,
+    getHeader: String => List[String]
   ): List[(String, NonEmptyList[String])] =
-    getCredentialsUseSession(userRoles, session, getHeader) match {
+    getCredentialsAsHeadersUseSession(
+      findCredentialsFromContainerOrHeaders(userRoles, getHeader),
+      session
+    )
+
+  def getCredentialsAsHeadersUseSession(
+    credentialsOpt: => Option[Credentials],
+    session       : ExternalContext.Session
+  ): List[(String, NonEmptyList[String])] =
+    getCredentialsUseSession(credentialsOpt, session) match {
       case Some(credentials) =>
         val result = CredentialsSerializer.toHeaders[List](credentials)
         Logger.debug(s"setting auth headers to: ${headersAsJSONString(result)}")
@@ -109,17 +118,16 @@ object FormRunnerAuth {
     // - https://github.com/orbeon/orbeon-forms/issues/4436
     //
     def getCredentialsUseSession(
-      userRoles : UserRolesFacade,
-      session   : ExternalContext.Session,
-      getHeader : String => List[String]
+      credentialsOpt: => Option[Credentials],
+      session       : ExternalContext.Session
     ): Option[Credentials] = {
 
       val sessionCredentialsOpt = ServletPortletRequest.findCredentialsInSession(session)
 
       lazy val stickyHeadersConfigured =
         Properties.instance.getPropertySet.getBoolean(HeaderStickyPropertyName, default = false)
 
-      lazy val newCredentialsOpt = findCredentialsFromContainerOrHeaders(userRoles, getHeader)
+      lazy val newCredentialsOpt = credentialsOpt
 
       def storeAndReturnNewCredentials(): Option[Credentials] = {
         ServletPortletRequest.storeCredentialsInSession(session, newCredentialsOpt)
diff --git a/form-runner/jvm/src/main/scala/org/orbeon/oxf/servlet/FormRunnerAuthFilter.scala b/form-runner/jvm/src/main/scala/org/orbeon/oxf/servlet/FormRunnerAuthFilter.scala
@@ -13,16 +13,15 @@
  */
 package org.orbeon.oxf.servlet
 
+import cats.data.NonEmptyList
 import org.apache.logging.log4j.ThreadContext
-import org.orbeon.oxf.externalcontext.ServletPortletRequest
+import org.orbeon.oxf.externalcontext.{Credentials, ServletPortletRequest}
 import org.orbeon.oxf.fr.FormRunnerAuth
 import org.orbeon.oxf.http.Headers
 import org.orbeon.oxf.properties.Properties
 import org.orbeon.oxf.util.StringUtils.*
 import org.slf4j.LoggerFactory
 
-import scala.jdk.CollectionConverters.*
-
 // For backward compatibility
 class FormRunnerAuthFilter extends JavaxFormRunnerAuthFilter
 
@@ -31,7 +30,7 @@ class JakartaFormRunnerAuthFilter extends JakartaFilter(new FormRunnerAuthFilter
 
 class FormRunnerAuthFilterImpl extends Filter {
 
-  import FormRunnerAuthFilterImpl._
+  import FormRunnerAuthFilterImpl.*
 
   private case class FilterSettings(contentSecurityPolicy: Option[String])
 
@@ -85,48 +84,90 @@ object FormRunnerAuthFilterImpl {
     // The Form Runner service path is hardcoded but that's ok. When we are filtering a service, we don't retrieve the
     // credentials, which would be provided by the container or by incoming headers. Instead, credentials are provided
     // directly with `Orbeon-*` headers. See https://github.com/orbeon/orbeon-forms/issues/2275
-    val requestWithAmendedHeaders =
-      if (servletRequest.getRequestPathInfo.startsWith("/fr/service/")) {
-
-        // `ServletPortletRequest` gets credentials from the session, which means we need to store the credentials into
-        // the session. This is done by `getCredentialsAsHeadersUseSession()` if we are not a service, but here we
-        // don't use that function so we need to do make sure they are stored.
-
-        ServletPortletRequest.findCredentialsInSession(httpSession) match {
-          case None =>
-            ServletPortletRequest.storeCredentialsInSession(
-              httpSession,
-              FormRunnerAuth.fromHeaderValues(
-                credentialsOpt = servletRequest.headerFirstValueOpt(Headers.OrbeonCredentials),
-                usernameOpt    = servletRequest.headerFirstValueOpt(Headers.OrbeonUsername),
-                rolesList      = getHttpHeaders(Headers.OrbeonRoles),
-                groupOpt       = servletRequest.headerFirstValueOpt(Headers.OrbeonGroup),
-              )
-            )
-          case Some(_) =>
-        }
+    val ServicePath = "/fr/service/"
 
-        servletRequest
-      } else if (servletRequest.getRequestPathInfo.endsWith(".map")) {
+    val requestWithAmendedHeaders =
+      if (WildflyOidcAuth.hasWildflyOidcAuth(servletRequest)) {
+        credentialsFromSessionOrParameter(httpSession, servletRequest, WildflyOidcAuth.credentialsOpt(servletRequest))
+      } else if (servletRequest.getRequestPathInfo.startsWith(ServicePath)) {
+        credentialsFromSessionOrHeaders(httpSession, servletRequest, getHttpHeaders)
+      } else if (servletRequest.isSourceMap) {
         // Don't amend headers for `.map` as this would cause the credentials code to clear the credentials
         // unnecessarily. https://github.com/orbeon/orbeon-forms/issues/6080
         servletRequest
       } else {
-
-        trait CustomHeaders extends RequestRemoveHeaders with RequestPrependHeaders  {
-          override def headersToRemoveAsSet: Set[String] = FormRunnerAuth.AllAuthHeaderNames
-          val headersToPrependAsMap = FormRunnerAuth.getCredentialsAsHeadersUseSession(
-            userRoles = servletRequest,
-            session   = httpSession,
-            getHeader = getHttpHeaders
-          ).toMap
-        }
-
-        new HttpServletRequestWrapper(servletRequest) with CustomHeaders
+        credentialsFromSessionHeadersOrContainer(httpSession, servletRequest, getHttpHeaders)
       }
 
     logger.debug(s"amended headers:\n${requestWithAmendedHeaders.headersAsString}")
 
     requestWithAmendedHeaders
   }
+
+  private def credentialsFromSessionOrHeaders(
+    httpSession   : ServletSessionImpl,
+    servletRequest: HttpServletRequest,
+    getHttpHeaders: String => List[String]
+  ): HttpServletRequest = {
+
+    // `ServletPortletRequest` gets credentials from the session, which means we need to store the credentials into
+    // the session. This is done by `getCredentialsAsHeadersUseSession()` if we are not a service, but here we
+    // don't use that function so we need to do make sure they are stored.
+
+    ServletPortletRequest.findCredentialsInSession(httpSession) match {
+      case None =>
+        ServletPortletRequest.storeCredentialsInSession(
+          httpSession,
+          FormRunnerAuth.fromHeaderValues(
+            credentialsOpt = servletRequest.headerFirstValueOpt(Headers.OrbeonCredentials),
+            usernameOpt    = servletRequest.headerFirstValueOpt(Headers.OrbeonUsername),
+            rolesList      = getHttpHeaders(Headers.OrbeonRoles),
+            groupOpt       = servletRequest.headerFirstValueOpt(Headers.OrbeonGroup),
+          )
+        )
+      case Some(_) =>
+    }
+
+    servletRequest
+  }
+
+  private def credentialsFromSessionOrParameter(
+    httpSession   : ServletSessionImpl,
+    servletRequest: HttpServletRequest,
+    credentialsOpt: => Option[Credentials]
+  ): HttpServletRequest =
+    requestWithCredentialsHeaders(
+      servletRequest    = servletRequest,
+      credentialHeaders = FormRunnerAuth.getCredentialsAsHeadersUseSession(
+        credentialsOpt = credentialsOpt,
+        session        = httpSession
+      ).toMap
+    )
+
+  private def credentialsFromSessionHeadersOrContainer(
+    httpSession   : ServletSessionImpl,
+    servletRequest: HttpServletRequest,
+    getHttpHeaders: String => List[String]
+  ): HttpServletRequest =
+    requestWithCredentialsHeaders(
+      servletRequest    = servletRequest,
+      credentialHeaders = FormRunnerAuth.getCredentialsAsHeadersUseSession(
+        userRoles = servletRequest,
+        session   = httpSession,
+        getHeader = getHttpHeaders
+      ).toMap
+    )
+
+  private def requestWithCredentialsHeaders(
+    servletRequest   : HttpServletRequest,
+    credentialHeaders: Map[String, NonEmptyList[String]]
+  ): HttpServletRequest = {
+
+    trait CustomHeaders extends RequestRemoveHeaders with RequestPrependHeaders  {
+      override def headersToRemoveAsSet: Set[String] = FormRunnerAuth.AllAuthHeaderNames
+      val headersToPrependAsMap: Map[String, NonEmptyList[String]] = credentialHeaders
+    }
+
+    new HttpServletRequestWrapper(servletRequest) with CustomHeaders
+  }
 }
diff --git a/form-runner/jvm/src/main/scala/org/orbeon/oxf/servlet/WildflyOidcAuth.scala b/form-runner/jvm/src/main/scala/org/orbeon/oxf/servlet/WildflyOidcAuth.scala
@@ -0,0 +1,43 @@
+/**
+ * Copyright (C) 2024 Orbeon, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify it under the terms of the
+ * GNU Lesser General Public License as published by the Free Software Foundation; either version
+ * 2.1 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+ * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU Lesser General Public License for more details.
+ *
+ * The full text of the license is available at http://www.gnu.org/copyleft/lesser.html
+ */
+package org.orbeon.oxf.servlet
+
+import org.orbeon.oxf.externalcontext.{Credentials, SimpleRole, UserAndGroup}
+import org.wildfly.security.http.oidc.OidcSecurityContext
+
+import scala.jdk.CollectionConverters.*
+
+object WildflyOidcAuth {
+
+  private val OidcSecurityContextClassName = "org.wildfly.security.http.oidc.OidcSecurityContext"
+  private val ObjectIDClaimName            = "oid"
+
+  def hasWildflyOidcAuth(servletRequest: HttpServletRequest): Boolean =
+    Option(servletRequest.getAttribute(OidcSecurityContextClassName)).isDefined
+
+  def credentialsOpt(servletRequest: HttpServletRequest): Option[Credentials] =
+    Option(servletRequest.getAttribute(OidcSecurityContextClassName)) collect {
+      case oidcSecurityContext: OidcSecurityContext =>
+
+        val objectIdOpt = Option(oidcSecurityContext.getToken.getClaimValue(ObjectIDClaimName)).map(_.toString)
+        val objectId    = objectIdOpt.getOrElse(throw new RuntimeException(s"Claim '$ObjectIDClaimName' not found in OIDC token"))
+        val roleIds     = oidcSecurityContext.getToken.getRolesClaim.asScala.toList
+
+        Credentials(
+          userAndGroup  = UserAndGroup(username = objectId, groupname = None),
+          roles         = roleIds.map(SimpleRole.apply),
+          organizations = Nil
+        )
+    }
+}
diff --git a/servlet-support/src/main/scala/org/orbeon/oxf/servlet/HttpServletRequest.scala b/servlet-support/src/main/scala/org/orbeon/oxf/servlet/HttpServletRequest.scala
@@ -131,11 +131,10 @@ trait HttpServletRequest extends ServletRequest {
   def isFont: Boolean      = hasFileExtension(Set("otf", "ttf", "woff", "woff2"))
   def isSourceMap: Boolean = hasFileExtension(Set("map"))
 
-  private def hasFileExtension(extensions: Set[String]): Boolean =
-    (for {
-      url  <- Option(getRequestURL)
-      path <- Option(URI.create(url.toString).getPath)
-    } yield extensions.exists(ext => path.endsWith(s".$ext"))).getOrElse(false)
+  private def hasFileExtension(extensions: Set[String]): Boolean = {
+    val requestPathInfo = getRequestPathInfo
+    extensions.exists(ext => requestPathInfo.endsWith(s".$ext"))
+  }
 }
 
 class JavaxHttpServletRequest(httpServletRequest: javax.servlet.http.HttpServletRequest) extends JavaxServletRequest(httpServletRequest) with HttpServletRequest {
