Update ala security and jdk #271

Author: chrisala

build.gradle

@@ -17,7 +17,7 @@ plugins {
     id 'jacoco'
 }
 
-version "7.2-SNAPSHOT"
+version "7.2-java17-SNAPSHOT"
 group "org.grails.plugins"
 
 apply plugin:"eclipse"
@@ -49,6 +49,8 @@ configurations {
         extendsFrom developmentOnly
     }
 }
+sourceCompatibility = '11'
+targetCompatibility = '17'
 
 dependencies {
     developmentOnly("org.springframework.boot:spring-boot-devtools")

gradle.properties

@@ -1,4 +1,4 @@
-grailsVersion=6.2.0
+grailsVersion=6.2.3
 gorm.version=8.1.2
 grailsGradlePluginVersion=6.1.2
 org.gradle.daemon=true
@@ -13,4 +13,4 @@ org.gradle.jvmargs=-Dfile.encoding=UTF-8 -Xss2048k -Xmx1024M
 exploded=true
 enableClover=false
 enableJacoco=true
-alaSecurityLibsVersion=6.2.0
+alaSecurityLibsVersion=6.4.0-SNAPSHOT

grails-app/services/au/org/ala/ecodata/forms/UserInfoService.groovy

@@ -2,12 +2,14 @@ package au.org.ala.ecodata.forms
 
 import au.org.ala.web.UserDetails
 import org.grails.web.servlet.mvc.GrailsWebRequest
+import org.pac4j.core.adapter.FrameworkAdapter
 import org.pac4j.core.config.Config
+import org.pac4j.core.context.CallContext
 import org.pac4j.core.context.WebContext
-import org.pac4j.core.credentials.Credentials
-import org.pac4j.core.util.FindBest
-import org.pac4j.jee.context.JEEContextFactory
-import au.org.ala.ws.security.client.AlaOidcClient
+import org.pac4j.core.context.session.SessionStore
+import org.pac4j.core.credentials.TokenCredentials
+import org.pac4j.http.client.direct.DirectBearerAuthClient
+import org.pac4j.jee.context.JEEFrameworkParameters
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.http.HttpStatus
 
@@ -37,7 +39,8 @@ class UserInfoService {
     @Autowired(required = false)
     Config config
     @Autowired(required = false)
-    AlaOidcClient alaOidcClient
+    DirectBearerAuthClient alaOidcClient
+
 
     static String USER_NAME_HEADER_FIELD = "userName"
     static String AUTH_KEY_HEADER_FIELD = "authKey"
@@ -113,19 +116,25 @@ class UserInfoService {
             if (!authorizationHeader)
                 authorizationHeader = request?.getHeader(AUTHORIZATION_HEADER_FIELD)
             if (authorizationHeader?.startsWith("Bearer")) {
-                final WebContext context = FindBest.webContextFactory(null, config, JEEContextFactory.INSTANCE).newContext(request, response)
-                def optCredentials = alaOidcClient.getCredentials(context, config.sessionStore)
-                if (optCredentials.isPresent()) {
-                    Credentials credentials = optCredentials.get()
-                    def optUserProfile = alaOidcClient.getUserProfile(credentials, context, config.sessionStore)
-                    if (optUserProfile.isPresent()) {
-                        def userProfile = optUserProfile.get()
-                        String userId = userProfile?.userId ?: userProfile?.getAttribute(grailsApplication.config.getProperty('userProfile.userIdAttribute'))
-                        if (userId) {
-                            return authService.getUserForUserId(userId)
-                        }
+                def params = new JEEFrameworkParameters(request, response)
+
+                FrameworkAdapter.INSTANCE.applyDefaultSettingsIfUndefined(config)
+                final WebContext context = config.getWebContextFactory().newContext(params)
+                final SessionStore sessionStore = config.getSessionStoreFactory().newSessionStore(params)
+                final callContext = new CallContext(context, sessionStore, config.profileManagerFactory)
+
+                def credentials = alaOidcClient.getCredentials(callContext).orElse(null)
+                credentials = alaOidcClient.validateCredentials(callContext, credentials).orElse(null)
+                if (credentials && credentials instanceof TokenCredentials) {
+                    def userProfile = credentials.userProfile
+
+                    //String userId = userProfile?.getAttribute(grailsApplication.config.getProperty('userProfile.userIdAttribute'))
+                    String userId = userProfile?.getAttribute("username")
+                    if (userId) {
+                        return authService.getUserForUserId(userId)
                     }
                 }
+
             }
         } catch (Throwable e) {
             log.error("Failed to get user details from JWT", e)

src/test/groovy/au/org/ala/ecodata/forms/UserInfoServiceSpec.groovy

@@ -1,14 +1,16 @@
 package au.org.ala.ecodata.forms
 
 import au.org.ala.web.UserDetails
-import au.org.ala.ws.security.client.AlaOidcClient
-import au.org.ala.ws.security.profile.AlaOidcUserProfile
 import grails.testing.services.ServiceUnitTest
 import grails.testing.web.GrailsWebUnitTest
+import org.pac4j.core.client.DirectClient
 import org.pac4j.core.config.Config
-import org.pac4j.core.credentials.AnonymousCredentials
+import org.pac4j.core.context.WebContextFactory
+import org.pac4j.core.context.session.SessionStoreFactory
 import org.pac4j.core.credentials.Credentials
-import org.pac4j.core.profile.UserProfile
+import org.pac4j.core.credentials.TokenCredentials
+import org.pac4j.http.client.direct.DirectBearerAuthClient
+import org.pac4j.jwt.profile.JwtProfile
 import spock.lang.Specification
 
 /*
@@ -31,7 +33,7 @@ import spock.lang.Specification
 class UserInfoServiceSpec extends Specification implements ServiceUnitTest<UserInfoService>, GrailsWebUnitTest {
     WebService webService = Mock(WebService)
     def authService = Mock(AuthService)
-    AlaOidcClient alaOidcClient
+    DirectClient alaOidcClient
     Config pack4jConfig
 
     def user
@@ -79,22 +81,26 @@ class UserInfoServiceSpec extends Specification implements ServiceUnitTest<UserI
     void "getUserFromJWT returns user when Authorization header is passed"() {
         setup:
         def result
-        alaOidcClient = GroovyMock([global: true], AlaOidcClient)
+        alaOidcClient = GroovyMock([global: true], DirectBearerAuthClient)
         pack4jConfig =  GroovyMock([global: true], Config)
         service.alaOidcClient = alaOidcClient
         service.config = pack4jConfig
-        AlaOidcUserProfile person = new AlaOidcUserProfile(user.userId)
-        Optional<Credentials> credentials = new Optional<Credentials>(AnonymousCredentials.INSTANCE)
-        Optional<UserProfile> userProfile = new Optional<UserProfile>(person)
+        pack4jConfig.getWebContextFactory() >> Mock(WebContextFactory)
+        pack4jConfig.getSessionStoreFactory() >> Mock(SessionStoreFactory)
+        Credentials tokenCredentials = Mock(TokenCredentials)
+        JwtProfile profile = Mock(JwtProfile)
+        Optional<Credentials> credentials = Optional.of(tokenCredentials)
 
         when:
         request.addHeader('Authorization', 'Bearer abcdef')
         result = service.getUserFromJWT()
 
         then:
-        alaOidcClient.getCredentials(*_) >> credentials
-        alaOidcClient.getUserProfile(*_) >> userProfile
-        authService.getUserForUserId(user.userId)  >> userDetails
+        1 * alaOidcClient.getCredentials(*_) >> credentials
+        1 * alaOidcClient.validateCredentials(_, _) >> credentials
+        1 * tokenCredentials.userProfile >> profile
+        1 * profile.getAttribute("username") >> user.userId
+        1 * authService.getUserForUserId(user.userId)  >> userDetails
         result.userName == user.userName
         result.displayName == "${user.firstName} ${user.lastName}"
         result.userId == user.userId
@@ -103,13 +109,15 @@ class UserInfoServiceSpec extends Specification implements ServiceUnitTest<UserI
     void "getCurrentUser should get current user from CAS"() {
         setup:
         def result
-        alaOidcClient = GroovyMock([global: true], AlaOidcClient)
+        alaOidcClient = GroovyMock([global: true], DirectBearerAuthClient)
         pack4jConfig =  GroovyMock([global: true], Config)
         service.alaOidcClient = alaOidcClient
         service.config = pack4jConfig
-        AlaOidcUserProfile person = new AlaOidcUserProfile(user.userId)
-        Optional<Credentials> credentials = new Optional<Credentials>(AnonymousCredentials.INSTANCE)
-        Optional<UserProfile> userProfile = new Optional<UserProfile>(person)
+        pack4jConfig.getWebContextFactory() >> Mock(WebContextFactory)
+        pack4jConfig.getSessionStoreFactory() >> Mock(SessionStoreFactory)
+        Credentials tokenCredentials = Mock(TokenCredentials)
+        JwtProfile profile = Mock(JwtProfile)
+        Optional<Credentials> credentials = Optional.of(tokenCredentials)
 
         when:
         result = service.getCurrentUserFromSupportedMethods()
@@ -124,9 +132,11 @@ class UserInfoServiceSpec extends Specification implements ServiceUnitTest<UserI
         result = service.getCurrentUserFromSupportedMethods()
 
         then:
-        alaOidcClient.getCredentials(*_) >> credentials
-        alaOidcClient.getUserProfile(*_) >> userProfile
-        1 * authService.getUserForUserId(user.userId) >> userDetails
+        1 * alaOidcClient.getCredentials(*_) >> credentials
+        1 * alaOidcClient.validateCredentials(_, _) >> credentials
+        1 * tokenCredentials.userProfile >> profile
+        1 * profile.getAttribute("username") >> user.userId
+        1 * authService.getUserForUserId(user.userId)  >> userDetails
         1 * authService.userDetails() >> null
         result.userName == user.userName
         result.displayName == "first last"