OpenId / Use the user profile configured locally if the configuration…

… option OPENIDCONNECT_USERPROFILEUPDATEENABLED is disabled (geonetwork#7445) * OpenId / Use the user profile configured locally if the configuration option OPENIDCONNECT_USERPROFILEUPDATEENABLED is disabled * OpenId / Use the user profile configured locally if the configuration option OPENIDCONNECT_USERPROFILEUPDATEENABLED is disabled - additional change required * OpenId / Use the user local authorities if the configuration option OPENIDCONNECT_USERPROFILEUPDATEENABLED is disabled
GeoCat · Dec 7, 2023 · 13bca4b · 13bca4b
1 parent aa52494
commit 13bca4b
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 5 deletions.
diff --git a/...src/main/java/org/fao/geonet/kernel/security/openidconnect/GeonetworkOidcUserService.java b/...src/main/java/org/fao/geonet/kernel/security/openidconnect/GeonetworkOidcUserService.java
@@ -22,9 +22,11 @@
  */
 package org.fao.geonet.kernel.security.openidconnect;
 
+import org.fao.geonet.kernel.security.GeonetworkAuthenticationProvider;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
 import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
 import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
@@ -55,12 +57,33 @@ public class GeonetworkOidcUserService extends OidcUserService {
     @Autowired
     RoleHierarchy roleHierarchy;
 
+    @Autowired
+    GeonetworkAuthenticationProvider geonetworkAuthenticationProvider;
+
+    @Autowired
+    protected SimpleOidcUserFactory simpleOidcUserFactory;
+
     @Override
     public OidcUser loadUser(OidcUserRequest userRequest) throws OAuth2AuthenticationException {
         OidcUser user = super.loadUser(userRequest);
 
+        Collection<? extends GrantedAuthority> authorities;
+
+        if (!oidcConfiguration.isUpdateProfile()) {
+            // Retrieve the authorities from the local user
+            try {
+                SimpleOidcUser simpleUser = simpleOidcUserFactory.create(user.getAttributes());
+                UserDetails userDetails = geonetworkAuthenticationProvider.loadUserByUsername(simpleUser.getUsername());
+
+                authorities = userDetails.getAuthorities();
+            } catch (Exception ex) {
+                authorities = createAuthorities(user);
+            }
+        } else {
+            authorities = createAuthorities(user);
+        }
+
         OidcUserInfo userInfo = user.getUserInfo();
-        Collection<? extends GrantedAuthority> authorities = createAuthorities(user);
 
         //get the user name from a specific attribute (if specified) or use default.
         String userNameAttributeName = userRequest.getClientRegistration()

diff --git a/core/src/main/java/org/fao/geonet/kernel/security/openidconnect/OidcUser2GeonetworkUser.java b/core/src/main/java/org/fao/geonet/kernel/security/openidconnect/OidcUser2GeonetworkUser.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2022 Food and Agriculture Organization of the
+ * Copyright (C) 2023 Food and Agriculture Organization of the
  * United Nations (FAO-UN), United Nations World Food Programme (WFP)
  * and United Nations Environment Programme (UNEP)
  *
@@ -76,6 +76,12 @@ public UserDetails getUserDetails(Map attributes, boolean withDbUpdate) throws E
         if (!StringUtils.hasText(simpleUser.getUsername()))
             return null;
 
+        if (!oidcConfiguration.isUpdateProfile()) {
+            // SimpleOidcUser.updateUser assigns the user profile to the OpenId user profile, unless
+            // SimpleOidcUser.profile is empty. Force the empty value, to avoid the assignment.
+            simpleUser.setProfile("");
+        }
+
         User user;
         boolean newUserFlag = false;
         try {
@@ -90,8 +96,9 @@ public UserDetails getUserDetails(Map attributes, boolean withDbUpdate) throws E
         simpleUser.updateUser(user); // copy attributes from the IDToken to the GN user
 
         Map<Profile, List<String>> profileGroups = oidcRoleProcessor.getProfileGroups(attributes);
-        user.setProfile(oidcRoleProcessor.getProfile(attributes));
-
+        if (newUserFlag || oidcConfiguration.isUpdateProfile()) {
+            user.setProfile(oidcRoleProcessor.getProfile(attributes));
+        }
 
         //Apply changes to database is required.
         if (withDbUpdate) {
@@ -124,6 +131,12 @@ public UserDetails getUserDetails(OidcIdToken idToken, Map attributes, boolean w
         if (!StringUtils.hasText(simpleUser.getUsername()))
             return null;
 
+        if (!oidcConfiguration.isUpdateProfile()) {
+            // SimpleOidcUser.updateUser assigns the user profile to the OpenId user profile, unless
+            // SimpleOidcUser.profile is empty. Force the empty value, to avoid the assignment.
+            simpleUser.setProfile("");
+        }
+
         User user;
         boolean newUserFlag = false;
         try {
@@ -138,7 +151,9 @@ public UserDetails getUserDetails(OidcIdToken idToken, Map attributes, boolean w
         simpleUser.updateUser(user); // copy attributes from the IDToken to the GN user
 
         Map<Profile, List<String>> profileGroups = oidcRoleProcessor.getProfileGroups(idToken);
-        user.setProfile(oidcRoleProcessor.getProfile(idToken));
+        if (newUserFlag || oidcConfiguration.isUpdateProfile()) {
+            user.setProfile(oidcRoleProcessor.getProfile(idToken));
+        }
 
 
         //Apply changes to database is required.