Feature/354 openid auth (#1007)

Adds support for initial user creation from a trusted JWT.

NOTES:
- Requires "execute on cwms_upass" for the web_user role.
- Still some work to be done on mapping claims, some will be ignored but
the test keycloak just doesn't have several configured at the moment.

Uses the "principle_name" (note: spelled incorrectly in database) field
to store the combination of JWT issuer and subject claim . The subject
is a UUID and so the combination of issue+subject is always unique. This
was done after discovering that the one of the test infrastructure OIDC
providers doesn't include the CAC EDIPI anywhere and it could not be
used for user lookup.

Using a full identity provider principal is better anyways, so may as
well start here.

Additionally updates the docker-compose to require no external setup.
This should make testing and development far easier for newcomers to the
project.

Author: MikeNeilson

Dockerfile

@@ -1,11 +1,11 @@
-FROM gradle:8.5-jdk8 as builder
+FROM gradle:8.5-jdk8 AS builder
 USER $USER
 RUN --mount=type=cache,target=/home/gradle/.gradle
 WORKDIR /builddir
 COPY . /builddir/
-RUN  gradle clean prepareDockerBuild --info --no-daemon
+RUN  gradle prepareDockerBuild --info --no-daemon
 
-FROM alpine:3.21.0 as tomcat_base
+FROM alpine:3.21.0 AS tomcat_base
 RUN apk --no-cache upgrade && \
     apk --no-cache add \
         openjdk8-jre \
@@ -41,10 +41,10 @@ ENV CDA_POOL_MAX_ACTIVE "30"
 ENV CDA_POOL_MAX_IDLE "10"
 ENV CDA_POOL_MIN_IDLE "5"
 ENV cwms.dataapi.access.providers "KeyAccessManager,OpenID"
-ENV cwms.dataapi.access.openid.wellKnownUrl "https://identity-test.cwbi.us/auth/realms/cwbi/.well-known/openid-configuration"
-ENV cwms.dataapi.access.openid.issuer "https://identity-test.cwbi.us/auth/realms/cwbi"
+ENV cwms.dataapi.access.openid.wellKnownUrl "https://<prefix>/.well-known/openid-configuration"
+ENV cwms.dataapi.access.openid.issuer "<issuer>"
 ENV cwms.dataapi.access.openid.timeout "604800"
-ENV cwms.dataapi.access.openid.altAuthUrl "https://identityc-test.cwbi.us/auth/realms/cwbi"
+#ENV cwms.dataapi.access.openid.altAuthUrl "https://identityc-test.cwbi.us/auth/realms/cwbi"
 
 # used to simplify redeploy in certain contexts. Update to match -<marker> in image label
 ENV IMAGE_MARKER="a"

compose_files/keycloak/realm.json

@@ -26,7 +26,7 @@
   "oauth2DeviceCodeLifespan": 600,
   "oauth2DevicePollingInterval": 5,
   "enabled": true,
-  "sslRequired": "external",
+  "sslRequired": "none",
   "registrationAllowed": false,
   "registrationEmailAsUsername": false,
   "rememberMe": false,
@@ -662,7 +662,8 @@
       "alwaysDisplayInConsole": true,
       "clientAuthenticatorType": "client-secret",
       "redirectUris": [
-        "cwms-data.test"
+        "https://cwms-data.test:8444/*",
+        "https://localhost:5010/*"
       ],
       "webOrigins": [
         "*"
@@ -671,7 +672,7 @@
       "bearerOnly": false,
       "consentRequired": false,
       "standardFlowEnabled": true,
-      "implicitFlowEnabled": false,
+      "implicitFlowEnabled": true,
       "directAccessGrantsEnabled": true,
       "serviceAccountsEnabled": false,
       "publicClient": true,
@@ -2291,6 +2292,8 @@
     {
       "username": "m5hectest",
       "enabled": true,
+      "email": "noreply@data.test",
+      "emailVerified": true,
       "credentials": [
         {
           "type": "password",
@@ -2300,6 +2303,22 @@
       "realmRoles": [
           "cwms_user"
       ]
+    },
+    {
+      "username": "q0hecoidc",
+      "enabled": true,
+      "email": "noreply-oidc@data.test",
+      "emailVerified": true,
+      "credentials": [
+        {
+          "type": "password",
+          "value": "q0hecoidc"
+      }
+      ],
+      "realmRoles": [
+          "cwms_user",
+          "new_user"
+      ]
     }
   ]
 }

compose_files/sql/users.sql

@@ -1,7 +1,6 @@
 set define on
 define OFFICE_EROC=&1
-begin 
-
+begin
     cwms_sec.add_user_to_group('&&OFFICE_EROC.webtest','All Users', 'HQ');
     cwms_sec.add_user_to_group('&&OFFICE_EROC.webtest','All Users', 'SPK');
     cwms_sec.add_user_to_group('&&OFFICE_EROC.webtest','CWMS Users', 'HQ');
@@ -21,6 +20,7 @@ begin
     cwms_sec.add_cwms_user('m5hectest',NULL,'SWT');
     cwms_sec.add_user_to_group('m5hectest','All Users', 'SWT');
     cwms_sec.add_user_to_group('m5hectest','CWMS Users', 'SWT');
+    execute immediate 'grant excecute on cwms_upass to web_user';
 end;
 /
 quit;

compose_files/tomcat/logging.properties

@@ -42,3 +42,4 @@ org.apache.catalina.util.LifecycleBase.handlers = java.util.logging.ConsoleHandl
 
 org.apache.tomcat.jdbc.level = INFO
 org.apache.tomcat.jdbc.handlers = java.util.logging.ConsoleHandler
+cwms.cda.security.level = FINE

compose_files/traefik/traefik.yml

@@ -149,6 +149,8 @@ dependencies {
     testImplementation(libs.cwms.tomcat.auth)
     testImplementation(libs.apache.freemarker)
 
+    testRuntimeOnly("org.slf4j:slf4j-jdk14:2.0.16")
+
     webjars(libs.swagger.ui) {
         transitive = false
     }

cwms-data-api/build.gradle

@@ -457,6 +457,7 @@ public void init() {
                 })
                 .routes(this::configureRoutes)
                 .javalinServlet();
+        logger.atInfo().log("Javalin initialized.");
     }
 
     private String obtainFullVersion(ServletConfig servletConfig) throws ServletException {
@@ -479,7 +480,6 @@ private CdaAccessManager buildAccessManager(String provider) {
         } catch (ServiceNotFoundException err) {
             throw new RuntimeException("Unable to initialize access manager",err);
         }
-
     }
 
     protected void configureRoutes() {

cwms-data-api/src/main/java/cwms/cda/ApiServlet.java

@@ -17,13 +17,16 @@
 import io.javalin.core.security.RouteRole;
 import io.javalin.http.Context;
 import io.javalin.http.HttpCode;
+import usace.cwms.db.jooq.codegen.packages.cwms_sec.UPDATE_USER_DATA;
+
 import java.security.NoSuchAlgorithmException;
 import java.security.SecureRandom;
 import java.sql.Connection;
 import java.sql.Date;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
+import java.sql.Types;
 import java.time.ZoneId;
 import java.time.ZonedDateTime;
 import java.util.ArrayList;
@@ -66,6 +69,13 @@ public class AuthDao extends Dao<DataApiPrincipal> {
     private static final String USER_FOR_EDIPI =
         "select userid from cwms_20.at_sec_cwms_users where edipi = ?";
 
+    // NOTE: the column name *should* be principal_name. It was spelled incorrectly and never changed for the life of the schema.
+    private static final String USER_EXISTS =
+        "select userid from cwms_20.at_sec_cwms_users where principle_name = ?";
+
+    private static final String ADD_CWMS_USER = "CALL cwms_20.cwms_sec.create_user(?,?,?,?)";
+    private static final String UPDATE_INFO = "CALL cwms_20.cwms_upass.update_user_data(?,?,null,null,null,?,?)";
+
     public static final String CREATE_API_KEY = "insert into cwms_20.at_api_keys"
             + "(userid, key_name, apikey, created, expires) values(UPPER(?),?,?,?,?)";
     public static final String REMOVE_API_KEY = "delete from cwms_20.at_api_keys "
@@ -239,6 +249,27 @@ private String userForEdipi(long edipi) throws CwmsAuthException {
         }
     }
 
+    private String userForPrincipal(String principal) throws CwmsAuthException {
+        try {
+            return dsl.connectionResult(c -> {
+                setSessionForAuthCheck(c);
+                try (PreparedStatement userForEdipi = c.prepareStatement(USER_EXISTS)) {
+                    userForEdipi.setString(1, principal);
+                    try (ResultSet rs = userForEdipi.executeQuery()) {
+                        if (rs.next()) {
+                            return rs.getString(1);
+                        } else {
+                            return null;
+                        }
+                    }
+                }
+            });
+        } catch (DataAccessException ex) {
+            logger.atInfo().withCause(ex).log("Unable to lookup user.");
+            throw new CwmsAuthException("Unable to lookup user.", ex);
+        }
+    }
+
     /**
      * Build a DataApiPrincipal from a given EDIPI value.
      * @param edipi the Edipi value to look up.
@@ -489,4 +520,58 @@ public DataApiPrincipal getDataApiPrincipal(Context ctx) {
     public void resetContext(DSLContext dslContext) {
         this.dsl = dslContext;
     }
+
+    /**
+     * Returns a principal from user if that user exists. otherwise empty optional
+     *
+     * Uses the "principle" column directly with the provided value as-is.
+     *
+     * @param principal provider + subject principal to lookup.
+     * @return
+     * @throws CwmsAuthException if anything goes wrong with the database query.
+     */
+    public Optional<DataApiPrincipal> getPrincipalFromPrincipal(String principal) throws CwmsAuthException {
+        String user = userForPrincipal(principal);
+        if (user != null) {
+            Set<RouteRole> roles = this.getRolesForUser(user);
+            // In this case "cac_auth" just means the user is an actually user verify by some sort of
+            // identify management system. E.g. "not an apikey"
+            roles.add(new Role("cac_auth"));
+            return Optional.of(new DataApiPrincipal(user, roles));
+        } else {
+            return Optional.empty();
+        }
+    }
+
+
+    public DataApiPrincipal createUser(String username, String principal, String fullname, String email) throws CwmsAuthException {
+        try {
+            dsl.connection(c -> {
+                setSessionForAuthCheck(c);
+                try (PreparedStatement createUser = c.prepareStatement(ADD_CWMS_USER);
+                     PreparedStatement updateData = c.prepareStatement(UPDATE_INFO)) {
+                    createUser.setString(1, username);
+                    createUser.setNull(2, Types.VARCHAR);
+                    createUser.setNull(3, Types.ARRAY, "CWMS_T_CHAR_32_ARRAY");
+                    createUser.setNull(4, Types.VARCHAR);
+                    createUser.execute();
+
+                    updateData.setString(1, username);
+                    updateData.setString(2,fullname);
+                    updateData.setString(3, email);
+                    updateData.setString(4, principal);
+                    updateData.execute();
+                } 
+            });
+            Optional<DataApiPrincipal> apiPrincipal = getPrincipalFromPrincipal(principal);
+            if (apiPrincipal.isPresent()) {
+                return apiPrincipal.get();
+            } else {
+                throw new CwmsAuthException("User " + username + " was created, however no principal object could be created.");
+            }
+        } catch (DataAccessException ex) {
+            logger.atInfo().withCause(ex).log("Unable to create user " + username);
+            throw new CwmsAuthException("Unable to create user " + username, ex);
+        }
+    }
 }

cwms-data-api/src/main/java/cwms/cda/data/dao/AuthDao.java

@@ -32,6 +32,7 @@
 import java.util.Base64.Decoder;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Optional;
 import java.util.Set;
 import javax.servlet.http.HttpServletResponse;
 import org.jetbrains.annotations.NotNull;
@@ -42,6 +43,14 @@
 public class OpenIDAccessManager extends CdaAccessManager {
     private static final FluentLogger log = FluentLogger.forEnclosingClass();
     public static final String AUTHORIZATION = "Authorization";
+    public static final String CREATE_USERS_KEY = "cwms.dataapi.access.openid.create_users";
+    public static final String EMAIL_CLAIM = "email";
+    public static final String PREFERRED_USERNAME_CLAIM = "preferred_username";
+    public static final String GIVEN_NAME_CLAIM = "given_name";
+
+
+    private static final boolean CREATE_USERS = Boolean.parseBoolean(System.getProperty(CREATE_USERS_KEY,"true"));
+
     private JwtParser jwtParser = null;
     private OpenIDConfig config = null;
 
@@ -69,11 +78,22 @@ public void manage(Handler handler, @NotNull Context ctx, @NotNull Set<RouteRole
     private DataApiPrincipal getUserFromToken(Context ctx) throws CwmsAuthException {
         try {
             Jws<Claims> token = jwtParser.parseClaimsJws(getToken(ctx));
-            String username = token.getBody().get("preferred_username",String.class);
-            AuthDao dao = AuthDao.getInstance(JooqDao.getDslContext(ctx),ctx.attribute(ApiServlet.OFFICE_ID));
-            String edipiStr = username.substring(username.lastIndexOf(".") + 1);
-            long edipi = Long.parseLong(edipiStr);
-            return dao.getPrincipalFromEdipi(edipi);
+            Claims claims = token.getBody();
+            final String issuer = claims.getIssuer();
+            final String subject = claims.getSubject();
+            final String oidcPrincipal = issuer + "::" + subject;
+            AuthDao dao = AuthDao.getInstance(JooqDao.getDslContext(ctx), ctx.attribute(ApiServlet.OFFICE_ID));
+            Optional<DataApiPrincipal> principal = dao.getPrincipalFromPrincipal(oidcPrincipal);
+            if (principal.isPresent()) {
+                return principal.get();
+            } else if (CREATE_USERS) {
+                final String preferredUserName = claims.get(PREFERRED_USERNAME_CLAIM, String.class);
+                final String givenName = claims.get(GIVEN_NAME_CLAIM, String.class);
+                final String email = claims.get(EMAIL_CLAIM, String.class);
+                return dao.createUser(preferredUserName, oidcPrincipal, givenName, email);
+            } else {
+                throw new CwmsAuthException("Not Authorized",HttpServletResponse.SC_UNAUTHORIZED);
+            }
         } catch (NumberFormatException | JwtException ex) {
             throw new CwmsAuthException("JWT not valid",ex,HttpServletResponse.SC_UNAUTHORIZED);
         }

cwms-data-api/src/main/java/cwms/cda/security/OpenIDAccessManager.java

@@ -18,7 +18,20 @@
 
 public class OpenIDConfig {
     private static final FluentLogger log = FluentLogger.forEnclosingClass();
+    private static final String ALT_WELL_KNOWN = "cwms.dataapi.access.openid.useAltWellKnown";
+    private static final boolean USE_ALT_WELLKNOWN;
+
+    static {
+        String altWellKnownStr = System.getProperty(ALT_WELL_KNOWN,System.getenv(ALT_WELL_KNOWN));
+        if (altWellKnownStr != null) {
+            USE_ALT_WELLKNOWN = Boolean.parseBoolean(altWellKnownStr);
+        } else {
+            USE_ALT_WELLKNOWN = false;
+        }
+    }
+
     private URL wellKnown;
+    private URL altWellKnown = null; // silly, but needed by the docker-compose setup so URLs match and work.
     private String issuer;
     private URL authUrl;
     private URL tokenUrl;
@@ -31,6 +44,10 @@ public class OpenIDConfig {
 
     public OpenIDConfig(URL wellKnown, String altAuthUrl) throws IOException {
         this.wellKnown = wellKnown;
+        if (USE_ALT_WELLKNOWN) {
+            this.altWellKnown = substituteBase(wellKnown, altAuthUrl);
+        }
+
         HttpURLConnection http = null;
         try
         {
@@ -96,8 +113,12 @@ public URL getJwksUrl() {
     }
 
     public SecurityScheme getScheme() {
+        URL theUrl = wellKnown;
+        if (USE_ALT_WELLKNOWN) {
+            theUrl = altWellKnown;
+        }
         return new SecurityScheme().type(Type.OPENIDCONNECT)
-                                   .openIdConnectUrl(wellKnown.toString())
+                                   .openIdConnectUrl(theUrl.toString())
                                    .name("Authorization")
                                    .flows(flows)
                                    .in(In.HEADER);