Implement a simple callout to OPA

iam-login-service/src/main/java/it/infn/mw/iam/config/IamConfig.java

@@ -15,6 +15,8 @@
  */
 package it.infn.mw.iam.config;
 
+import it.infn.mw.iam.core.oauth.scope.pdp.DefaultScopePolicyEngine;
+import it.infn.mw.iam.core.oauth.scope.pdp.OpaScopePolicyEngine;
 import java.security.SecureRandom;
 import java.time.Clock;
 import java.util.Arrays;
@@ -52,6 +54,7 @@
 import it.infn.mw.iam.api.account.AccountUtils;
 import it.infn.mw.iam.api.account.multi_factor_authentication.IamTotpMfaService;
 import it.infn.mw.iam.api.scim.converter.SshKeyConverter;
+import it.infn.mw.iam.authn.oidc.RestTemplateFactory;
 import it.infn.mw.iam.config.mfa.IamTotpMfaProperties;
 import it.infn.mw.iam.core.oauth.attributes.AttributeMapHelper;
 import it.infn.mw.iam.core.oauth.profile.JWTProfile;
@@ -90,6 +93,7 @@
 import it.infn.mw.iam.core.oauth.scope.matchers.ScopeMatchersProperties;
 import it.infn.mw.iam.core.oauth.scope.matchers.ScopeMatchersPropertiesParser;
 import it.infn.mw.iam.core.oauth.scope.pdp.ScopeFilter;
+import it.infn.mw.iam.core.oauth.scope.pdp.ScopePolicyEngine;
 import it.infn.mw.iam.core.oidc.AuthorizationClientResolver;
 import it.infn.mw.iam.core.oidc.AuthorizationRequestFilter;
 import it.infn.mw.iam.core.oidc.LoginHintService;
@@ -109,6 +113,7 @@
 import it.infn.mw.iam.notification.service.resolver.NotifyGmStrategy;
 import it.infn.mw.iam.notification.service.resolver.NotifyGmsAndAdminsStrategy;
 import it.infn.mw.iam.persistence.repository.IamAupRepository;
+import it.infn.mw.iam.persistence.repository.IamScopePolicyRepository;
 import it.infn.mw.iam.persistence.repository.IamTotpMfaRepository;
 import it.infn.mw.iam.registration.validation.UsernameValidator;
 import it.infn.mw.iam.service.aup.AUPSignatureCheckService;
@@ -393,4 +398,13 @@ CommandLineRunner logDs(DataSource ds) {
       }
     };
   }
+
+  @Bean
+  ScopePolicyEngine scopePolicyEngine(IamScopePolicyRepository policyRepo, RestTemplateFactory restTemplateFactory, IamProperties iamProperties) {
+    if (iamProperties.getOpa().isEnabled()) {
+      return new OpaScopePolicyEngine(policyRepo, restTemplateFactory, iamProperties.getOpa());
+    }
+
+    return new DefaultScopePolicyEngine(policyRepo);
+  }
 }

iam-login-service/src/main/java/it/infn/mw/iam/config/IamProperties.java

@@ -707,6 +707,27 @@ public void setUrnSubnamespaces(String urnSubnamespaces) {
     }
   }
 
+  public static class OpaProperties {
+    private boolean enabled;
+    private String url;
+
+    public void setEnabled(boolean enabled) {
+      this.enabled = enabled;
+    }
+
+    public boolean isEnabled() {
+      return this.enabled;
+    }
+
+    public void setUrl(String url) {
+      this.url = url;
+    }
+
+    public String getUrl() {
+      return this.url;
+    }
+  }
+
   private String host;
 
   private String issuer;
@@ -719,6 +740,8 @@ public void setUrnSubnamespaces(String urnSubnamespaces) {
 
   private boolean showSql = false;
 
+  private OpaProperties opa = new OpaProperties();
+
   private LocalResources localResources = new LocalResources();
 
   private Logo logo = new Logo();
@@ -838,6 +861,14 @@ public void setShowSql(boolean showSql) {
     this.showSql = showSql;
   }
 
+  public OpaProperties getOpa() {
+    return opa;
+  }
+
+  public void setOpa(OpaProperties opa) {
+    this.opa = opa;
+  }
+
   public LoginButtonProperties getLoginButton() {
     return loginButton;
   }

iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/scope/pdp/DefaultScopeFilter.java

@@ -16,7 +16,6 @@
 package it.infn.mw.iam.core.oauth.scope.pdp;
 
 import java.util.HashSet;
-import java.util.List;
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
@@ -29,45 +28,29 @@
 import org.springframework.security.oauth2.provider.OAuth2Request;
 import org.springframework.stereotype.Component;
 
-import com.google.common.cache.Cache;
-import com.google.common.cache.CacheBuilder;
-import com.google.common.collect.Sets;
-
 import it.infn.mw.iam.api.account.AccountUtils;
 import it.infn.mw.iam.config.IamProperties;
-import it.infn.mw.iam.core.oauth.scope.matchers.ScopeMatcher;
 import it.infn.mw.iam.persistence.model.IamAccount;
-import it.infn.mw.iam.persistence.model.IamAccountGroupMembership;
-import it.infn.mw.iam.persistence.model.IamScopePolicy;
-import it.infn.mw.iam.persistence.repository.IamScopePolicyRepository;
 
-@SuppressWarnings("deprecation")
 @Component
+@SuppressWarnings("deprecation")
 public class DefaultScopeFilter implements ScopeFilter {
-
   public static final Logger LOG = LoggerFactory.getLogger(DefaultScopeFilter.class);
-
   public static final Set<String> ADMIN_SCOPES = Set.of("iam:admin.read", "iam:admin.write", "scim:read", "scim:write");
-
   private static final Set<String> EXCLUDED_SCOPES = Set.of("openid");
 
-  private Cache<String, ScopeMatcher> matchersCache =
-      CacheBuilder.newBuilder().maximumSize(30).build();
-
   private final IamProperties config;
-  private final IamScopePolicyRepository policyRepo;
   private final AccountUtils accountUtils;
+  private final ScopePolicyEngine policyEngine;
 
-  public DefaultScopeFilter(IamProperties config, IamScopePolicyRepository policyRepo,
-      AccountUtils accountUtils) {
+  public DefaultScopeFilter(IamProperties config, AccountUtils accountUtils, ScopePolicyEngine policyEngine) {
     this.config = config;
-    this.policyRepo = policyRepo;
     this.accountUtils = accountUtils;
+    this.policyEngine = policyEngine;
   }
 
   @Override
   public Set<String> filterScopes(Set<String> requestedScopes, Authentication authn) {
-
     Optional<IamAccount> account = accountUtils.getAuthenticatedUserAccount(authn);
     if (account.isEmpty()) {
       return requestedScopes;
@@ -77,108 +60,44 @@ public Set<String> filterScopes(Set<String> requestedScopes, Authentication auth
 
   @Override
   public Set<String> filterScopes(Set<String> requestedScopes, IamAccount account) {
-
     Set<String> filteredScopes = new HashSet<>();
     filteredScopes.addAll(requestedScopes);
 
     filteredScopes.retainAll(adminPolicies(requestedScopes, account));
     if (config.isEnableScopeAuthz()) {
-      filteredScopes.retainAll(scopePolicies(filteredScopes, account));
+      filteredScopes.retainAll(policyEngine.apply(filteredScopes, account));
     }
     filteredScopes.addAll(excludedScopes(requestedScopes));
     return filteredScopes;
   }
 
-  @Override
-  public AuthenticationHolderEntity filterScopes(AuthenticationHolderEntity authHolder) {
-
-    authHolder.setScope(filterScopes(authHolder.getScope(), authHolder.getAuthentication()));
-    return authHolder;
-  }
-
-  @Override
-  public OAuth2Authentication filterScopes(OAuth2Authentication authn) {
-
-    OAuth2Request oldRequest = authn.getOAuth2Request();
-    OAuth2Request updatedRequest = new OAuth2Request(oldRequest.getRequestParameters(), oldRequest.getClientId(),
-        oldRequest.getAuthorities(), oldRequest.isApproved(), filterScopes(oldRequest.getScope(), authn),
-        oldRequest.getResourceIds(), oldRequest.getRedirectUri(), oldRequest.getResponseTypes(),
-        oldRequest.getExtensions());
-    return new OAuth2Authentication(updatedRequest, authn.getUserAuthentication());
-  }
-
   private Set<String> excludedScopes(Set<String> requestedScopes) {
-
     return EXCLUDED_SCOPES.stream()
-      .distinct()
-      .filter(requestedScopes::contains)
-      .collect(Collectors.toSet());
+        .distinct()
+        .filter(requestedScopes::contains)
+        .collect(Collectors.toSet());
   }
 
   private Set<String> adminPolicies(Set<String> requestedScopes, IamAccount account) {
-
     if (!accountUtils.isAdmin(account)) {
       return requestedScopes.stream()
-        .filter(s -> !ADMIN_SCOPES.contains(s))
-        .collect(Collectors.toSet());
+          .filter(s -> !ADMIN_SCOPES.contains(s))
+          .collect(Collectors.toSet());
     }
     return requestedScopes;
   }
 
-  private Set<String> scopePolicies(Set<String> requestedScopes, IamAccount account) {
-
-    DecisionContext dc = new DecisionContext(matchersCache, requestedScopes);
-
-    // Apply user policies
-    for (IamScopePolicy p : account.getScopePolicies()) {
-      dc.applyPolicy(p, account);
-    }
-
-    Set<String> allowedScopes = dc.getAllowedScopes();
-
-    if (!dc.hasUnprocessedScopes()) {
-      return allowedScopes;
-    }
-
-    Set<IamScopePolicy> groupPolicies = resolveGroupScopePolicies(account);
-
-    // Apply group policies only on unprocessed scopes
-    dc.forgetProcessedEntries();
-
-    // Group policies are naturally composed with the deny overrides behavior
-    for (IamScopePolicy p : groupPolicies) {
-      dc.applyPolicy(p, account);
-    }
-
-    allowedScopes.addAll(dc.getAllowedScopes());
-
-    if (!dc.hasUnprocessedScopes()) {
-      return allowedScopes;
-    }
-
-    dc.forgetProcessedEntries();
-
-    List<IamScopePolicy> defaultPolicies = policyRepo.findDefaultPolicies();
-
-    for (IamScopePolicy p : defaultPolicies) {
-      dc.applyPolicy(p, account);
-    }
-
-    allowedScopes.addAll(dc.getAllowedScopes());
-
-    return allowedScopes;
+  public AuthenticationHolderEntity filterScopes(AuthenticationHolderEntity authHolder) {
+    authHolder.setScope(filterScopes(authHolder.getScope(), authHolder.getAuthentication()));
+    return authHolder;
   }
 
-  private Set<IamScopePolicy> resolveGroupScopePolicies(IamAccount account) {
-
-    Set<IamScopePolicy> groupPolicies = Sets.newHashSet();
-
-    Set<IamAccountGroupMembership> groups = account.getGroups();
-    for (IamAccountGroupMembership g : groups) {
-      groupPolicies.addAll(g.getGroup().getScopePolicies());
-    }
-
-    return groupPolicies;
+  public OAuth2Authentication filterScopes(OAuth2Authentication authn) {
+    OAuth2Request oldRequest = authn.getOAuth2Request();
+    OAuth2Request updatedRequest = new OAuth2Request(oldRequest.getRequestParameters(), oldRequest.getClientId(),
+        oldRequest.getAuthorities(), oldRequest.isApproved(), filterScopes(oldRequest.getScope(), authn),
+        oldRequest.getResourceIds(), oldRequest.getRedirectUri(), oldRequest.getResponseTypes(),
+        oldRequest.getExtensions());
+    return new OAuth2Authentication(updatedRequest, authn.getUserAuthentication());
   }
-
 }

iam-login-service/src/main/java/it/infn/mw/iam/core/oauth/scope/pdp/DefaultScopePolicyEngine.java

@@ -0,0 +1,97 @@
+/**
+ * Copyright (c) Istituto Nazionale di Fisica Nucleare (INFN). 2016-2021
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package it.infn.mw.iam.core.oauth.scope.pdp;
+
+import java.util.List;
+import java.util.Set;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.common.cache.Cache;
+import com.google.common.cache.CacheBuilder;
+import com.google.common.collect.Sets;
+
+import it.infn.mw.iam.core.oauth.scope.matchers.ScopeMatcher;
+import it.infn.mw.iam.persistence.model.IamAccount;
+import it.infn.mw.iam.persistence.model.IamAccountGroupMembership;
+import it.infn.mw.iam.persistence.model.IamScopePolicy;
+import it.infn.mw.iam.persistence.repository.IamScopePolicyRepository;
+
+public class DefaultScopePolicyEngine implements ScopePolicyEngine {
+  public static final Logger LOG = LoggerFactory.getLogger(DefaultScopePolicyEngine.class);
+  private Cache<String, ScopeMatcher> matchersCache = CacheBuilder.newBuilder().maximumSize(30).build();
+  private final IamScopePolicyRepository policyRepo;
+
+  public DefaultScopePolicyEngine(IamScopePolicyRepository policyRepo) {
+    this.policyRepo = policyRepo;
+  }
+
+  @Override
+  public Set<String> apply(Set<String> requestedScopes, IamAccount account) {
+    DecisionContext dc = new DecisionContext(matchersCache, requestedScopes);
+
+    // Apply user policies
+    for (IamScopePolicy p : account.getScopePolicies()) {
+      dc.applyPolicy(p, account);
+    }
+
+    Set<String> allowedScopes = dc.getAllowedScopes();
+
+    if (!dc.hasUnprocessedScopes()) {
+      return allowedScopes;
+    }
+
+    Set<IamScopePolicy> groupPolicies = resolveGroupScopePolicies(account);
+
+    // Apply group policies only on unprocessed scopes
+    dc.forgetProcessedEntries();
+
+    // Group policies are naturally composed with the deny overrides behavior
+    for (IamScopePolicy p : groupPolicies) {
+      dc.applyPolicy(p, account);
+    }
+
+    allowedScopes.addAll(dc.getAllowedScopes());
+
+    if (!dc.hasUnprocessedScopes()) {
+      return allowedScopes;
+    }
+
+    dc.forgetProcessedEntries();
+
+    List<IamScopePolicy> defaultPolicies = policyRepo.findDefaultPolicies();
+
+    for (IamScopePolicy p : defaultPolicies) {
+      dc.applyPolicy(p, account);
+    }
+
+    allowedScopes.addAll(dc.getAllowedScopes());
+
+    return allowedScopes;
+  }
+
+  private Set<IamScopePolicy> resolveGroupScopePolicies(IamAccount account) {
+    Set<IamScopePolicy> groupPolicies = Sets.newHashSet();
+
+    Set<IamAccountGroupMembership> groups = account.getGroups();
+    for (IamAccountGroupMembership g : groups) {
+      groupPolicies.addAll(g.getGroup().getScopePolicies());
+    }
+
+    return groupPolicies;
+  }
+}