Enhance authorization and authentication in save-cloud

[kgevorkyan]

TODO:

• test API after changing
  • Removed authorizationSource from header + prefix in username save-backend-tests#71
• Pre authenticated user #2386
  • refactor BackendService and receive save's entity\class instead of spring's one to allow to provide ID
  • refactor api-gateway and authentication-service to pass user's ID from api-gateway instead of second fetch to database in authentication-service's logic
  • removed using Authentication: Basic ***:*** in authentication-service -- we can create save's token with required info without checking ReactiveUserDetailsService. We can try to use org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken. It can be easy to migrate to X.509 authentication in future
• Update swagger\open-api annotations:
  • remove com.saveourtool.save.configs.RequiresAuthorizationSourceHeader or maybe leave because it's useful for local testing
  • update com.saveourtool.save.configs.ApiSwaggerSupport, we support oauth2 and basic auth
• cover by tests
• update readme #2407
• User should updates UserInfo for User found by Authentication #2631
• Endpoints /sec/user and /api/v1/users/global-role are not required #2629
• Gateway should invalidate cached SaveUserDetails when User is updated #2633
• Fetching user's role #2540

Separator for user and auth provider should be revised

For now we are using @ for separate the user name and auth provider at least in WebSecurityConfig and in UserUtils.kt

But this symbol is not the variable and just the hardcoded symbol, so its hard to maintain this functionality

First of all, it should be extracted into the variable in save-cloud-common

And after this, we probably will need to change @ to something else, since @ is too dangerous to be a spec symbol

This work should be done under separate issue and very carefully, since it influence on core functionality - API application, auth. integration tests, db

[orchestr7]

CRITICAL thing we have just found:

1. User VLAD comes from Github
2. Initially spring register him as VLAD@GITHUB
3. Then he is redirected to a registration view, where he CAN change VLAD name to ANDREY
4. ANDREY comes from GITHUB
5. Now ANDREY is not even able to press OAuth registration button

[orchestr7]

That's why we need to GENERATE a our own SAVE ID for user when he first time register!

[kgevorkyan]

seems, that @ should not influent on problems with email at all, since its only used in basic auth, but should be extracted anyway

[Cheshiriks]

        .httpBasic { httpBasicSpec ->
            // Authenticate by comparing received basic credentials with existing one from DB
            httpBasicSpec.authenticationManager(
                UserDetailsRepositoryReactiveAuthenticationManager { username ->
                    // Looking for user in DB by received source and name
                    require(username.contains("@")) {
                        "Provided user information should keep the following form: oauth2Source@username"
                    }

Also be careful with Basic oauth

[Cheshiriks]

That's why we need to GENERATE a our own SAVE ID for user when he first time register!

    fun findByName(name: String): User? {
        val record = namedParameterJdbcTemplate.queryForList(
            "SELECT * FROM save_cloud.user WHERE name = :name",
            mapOf("name" to name)
        ).singleOrNull() ?:
        namedParameterJdbcTemplate.queryForList(
            "SELECT * FROM save_cloud.user WHERE id = (select user_id from save_cloud.original_login where name = :name)",
            mapOf("name" to name)
        ).singleOrNull()
            .orNotFound {
                "There is no user with name $name"
            }
        return record.toUserEntity()
    }

[nulls]

For history

A&A in save-cloud:

Basic auth:

1. Request comes to api-gateway with header Authorization: Basic ***:***
2. api-gateway has UserDetailsRepositoryReactiveAuthenticationManager (com.saveourtool.save.gateway.security.WebSecurityConfig) which uses internal endpoint in backend to get all entities from user with user.name, user.password (token) and user.role.
3. Authenticated request comes then to com.saveourtool.save.gateway.utils.ConvertAuthorizationHeaderGatewayFilterFactory which adds a new header Authorization to request to backend. It passes only user name without password.
4. Backend uses com.saveourtool.save.authservice.security.ConvertingAuthenticationManager to authenticate: it checks only username

OAUTH2

1. Request comes to api-gateway after successful authentication on oauth2 server (github, google and etc).
2. Authenticated request comes then to com.saveourtool.save.gateway.utils.ConvertAuthorizationHeaderGatewayFilterFactory which searches user.name via internal endpoint in backend and adds a new header Authorization to request to backend. It passes only user name without password.
3. Backend uses com.saveourtool.save.authservice.security.ConvertingAuthenticationManager to authenticate: it checks only username

[kgevorkyan]

For history

A&A in save-cloud:

Basic auth:

1. Request comes to api-gateway with header Authorization: Basic ***:***
2. api-gateway has UserDetailsRepositoryReactiveAuthenticationManager (com.saveourtool.save.gateway.security.WebSecurityConfig) which uses internal endpoint in backend to get all entities from user with user.name, user.password (token) and user.role.
3. Authenticated request comes then to com.saveourtool.save.gateway.utils.ConvertAuthorizationHeaderGatewayFilterFactory which adds a new header Authorization to request to backend. It passes only user name without password.
4. Backend uses com.saveourtool.save.authservice.security.ConvertingAuthenticationManager to authenticate: it checks only username

OAUTH2

1. Request comes to api-gateway after successful authentication on oauth2 server (github, google and etc).
2. Authenticated request comes then to com.saveourtool.save.gateway.utils.ConvertAuthorizationHeaderGatewayFilterFactory which searches user.name via internal endpoint in backend and adds a new header Authorization to request to backend. It passes only user name without password.
3. Backend uses com.saveourtool.save.authservice.security.ConvertingAuthenticationManager to authenticate: it checks only username

may be add in readme, into some dev guide?

[nulls]

For history

A&A in save-cloud:

Basic auth:

1. Request comes to api-gateway with header Authorization: Basic ***:***
2. api-gateway has UserDetailsRepositoryReactiveAuthenticationManager (com.saveourtool.save.gateway.security.WebSecurityConfig) which uses internal endpoint in backend to get all entities from user with user.name, user.password (token) and user.role.
3. Authenticated request comes then to com.saveourtool.save.gateway.utils.ConvertAuthorizationHeaderGatewayFilterFactory which adds a new header Authorization to request to backend. It passes only user name without password.
4. Backend uses com.saveourtool.save.authservice.security.ConvertingAuthenticationManager to authenticate: it checks only username

OAUTH2

1. Request comes to api-gateway after successful authentication on oauth2 server (github, google and etc).
2. Authenticated request comes then to com.saveourtool.save.gateway.utils.ConvertAuthorizationHeaderGatewayFilterFactory which searches user.name via internal endpoint in backend and adds a new header Authorization to request to backend. It passes only user name without password.
3. Backend uses com.saveourtool.save.authservice.security.ConvertingAuthenticationManager to authenticate: it checks only username

may be add in readme, into some dev guide?

will do, when finish with this issue