security: Prevent non GSuiteID users from access

Signed-off-by: Shashank Verma <[email protected]>
CC-MNNIT · Sep 24, 2023 · 5aa56bd · 5aa56bd
1 parent a1f0fc1
commit 5aa56bd
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 24 deletions.
diff --git a/src/main/kotlin/com/mnnit/moticlubs/MotiClubsServiceApplication.kt b/src/main/kotlin/com/mnnit/moticlubs/MotiClubsServiceApplication.kt
@@ -1,28 +1,19 @@
 package com.mnnit.moticlubs
 
-import io.swagger.v3.oas.annotations.Hidden
 import org.springframework.boot.autoconfigure.SpringBootApplication
 import org.springframework.boot.autoconfigure.security.reactive.ReactiveUserDetailsServiceAutoConfiguration
 import org.springframework.boot.context.properties.ConfigurationPropertiesScan
 import org.springframework.boot.runApplication
 import org.springframework.cache.annotation.EnableCaching
 import org.springframework.data.r2dbc.repository.config.EnableR2dbcRepositories
 import org.springframework.scheduling.annotation.EnableScheduling
-import org.springframework.web.bind.annotation.GetMapping
-import org.springframework.web.server.ServerWebExchange
-import reactor.core.publisher.Mono
 
 @SpringBootApplication(exclude = [ReactiveUserDetailsServiceAutoConfiguration::class])
 @EnableR2dbcRepositories
 @ConfigurationPropertiesScan
 @EnableCaching
 @EnableScheduling
-class MotiClubsServiceApplication {
-
-    @GetMapping("/logout")
-    @Hidden
-    fun logout(exchange: ServerWebExchange): Mono<Void> = exchange.session.flatMap { session -> session.invalidate() }
-}
+class MotiClubsServiceApplication
 
 fun main(args: Array<String>) {
     runApplication<MotiClubsServiceApplication>(*args)

diff --git a/src/main/kotlin/com/mnnit/moticlubs/utils/Constants.kt b/src/main/kotlin/com/mnnit/moticlubs/utils/Constants.kt
@@ -1,6 +1,7 @@
 package com.mnnit.moticlubs.utils
 
 object Constants {
+    val EMAIL_REGEX = "^[a-zA-Z0-9_!#$%&'*+/=?`{|}~^-]+(?:\\.[a-zA-Z0-9_!#$%&'*+/=?`{|}~^-]+)*@mnnit.ac.in$".toRegex()
 
     const val STAMP_HEADER = "X-Stamp-Value"
 

diff --git a/src/main/kotlin/com/mnnit/moticlubs/web/security/PathAuthorization.kt b/src/main/kotlin/com/mnnit/moticlubs/web/security/PathAuthorization.kt
@@ -8,7 +8,6 @@ import com.mnnit.moticlubs.utils.ServiceLogger
 import com.mnnit.moticlubs.utils.UnauthorizedException
 import com.mnnit.moticlubs.utils.getReqId
 import com.mnnit.moticlubs.utils.putReqId
-import com.nimbusds.jwt.JWTParser
 import org.springframework.security.core.context.ReactiveSecurityContextHolder
 import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser
 import org.springframework.stereotype.Component
@@ -46,17 +45,11 @@ class PathAuthorization(
             Mono.just(userId)
         }
 
-    private fun validateOidcUser(user: DefaultOidcUser): Mono<Pair<Long, Boolean>> {
-        val jwtClaims = JWTParser.parse(user.idToken.tokenValue).jwtClaimsSet
-        val isEmailVerified = jwtClaims.claims["email_verified"]?.toString()?.toBoolean() ?: false
-        val email = jwtClaims.claims["email"]?.toString()
-
-        email ?: return Mono.error(UnauthorizedException("Missing email"))
-
-        return userRepository.findByEmail(email)
-            .map { Pair(it.uid, isEmailVerified) }
-            .switchIfEmpty { Mono.error(UnauthorizedException("Invalid user")) }
-    }
+    private fun validateOidcUser(
+        user: DefaultOidcUser,
+    ): Mono<Pair<Long, Boolean>> = userRepository.findByEmail(user.email)
+        .map { Pair(it.uid, user.emailVerified) }
+        .switchIfEmpty { Mono.error(UnauthorizedException("Invalid user")) }
 
     fun clubAuthorization(cid: Long): Mono<Long> = userAuthorization()
         .flatMap { uid ->

diff --git a/src/main/kotlin/com/mnnit/moticlubs/web/security/SecurityConfig.kt b/src/main/kotlin/com/mnnit/moticlubs/web/security/SecurityConfig.kt
@@ -1,6 +1,7 @@
 package com.mnnit.moticlubs.web.security
 
 import com.mnnit.moticlubs.utils.Constants.BASE_PATH
+import com.mnnit.moticlubs.utils.Constants.EMAIL_REGEX
 import com.mnnit.moticlubs.utils.ServiceLogger
 import com.mnnit.moticlubs.utils.UnauthorizedException
 import com.mnnit.moticlubs.utils.putReqId
@@ -9,10 +10,12 @@ import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.http.HttpHeaders
 import org.springframework.security.authentication.ReactiveAuthenticationManager
+import org.springframework.security.authorization.AuthorizationDecision
 import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity
 import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity
 import org.springframework.security.config.web.server.SecurityWebFiltersOrder
 import org.springframework.security.config.web.server.ServerHttpSecurity
+import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser
 import org.springframework.security.web.server.SecurityWebFilterChain
 import org.springframework.security.web.server.authentication.AuthenticationWebFilter
 import reactor.core.publisher.Mono
@@ -75,12 +78,20 @@ class SecurityConfig(
                 "/actuator/**",
                 "/login/**",
             ).permitAll()
-                .anyExchange().authenticated()
+                .anyExchange().access { authentication, _ ->
+                    authentication.map { auth ->
+                        when (val principal = auth.principal) {
+                            is AuthenticationToken -> AuthorizationDecision(true)
+                            is DefaultOidcUser -> AuthorizationDecision(principal.email matches EMAIL_REGEX)
+                            else -> AuthorizationDecision(false)
+                        }
+                    }
+                }
         }
         .oauth2Login { }
         .oauth2Client { }
         .oauth2ResourceServer { it.jwt { } }
-        .logout { }
+        .logout { it.logoutUrl("/logout") }
         .build()
 
     private fun firebaseAuthTokenFilter(keyProvider: KeyProvider): AuthenticationWebFilter = AuthenticationWebFilter(