Add openid integration (#121)

Author: gjong

domain/src/main/java/com/jongsoft/finance/domain/FinTrack.java

@@ -3,7 +3,9 @@
 import com.jongsoft.finance.core.Encoder;
 import com.jongsoft.finance.domain.user.UserAccount;
 import com.jongsoft.finance.messaging.commands.user.RegisterTokenCommand;
+import com.jongsoft.lang.Collections;
 import java.time.LocalDateTime;
+import java.util.List;
 import lombok.Getter;
 
 public class FinTrack {
@@ -18,6 +20,10 @@ public UserAccount createUser(String username, String password) {
     return new UserAccount(username, password);
   }
 
+  public UserAccount createOathUser(String username, String oathKey, List<String> roles) {
+    return new UserAccount(username, oathKey, Collections.List(roles));
+  }
+
   public void registerToken(String username, String token, Integer expiresIn) {
     RegisterTokenCommand.tokenRegistered(
         username, token, LocalDateTime.now().plusSeconds(expiresIn));

domain/src/main/java/com/jongsoft/finance/domain/user/UserAccount.java

@@ -9,11 +9,9 @@
 import com.jongsoft.finance.domain.transaction.Tag;
 import com.jongsoft.finance.domain.transaction.TransactionRule;
 import com.jongsoft.finance.messaging.commands.tag.CreateTagCommand;
-import com.jongsoft.finance.messaging.commands.user.ChangeMultiFactorCommand;
-import com.jongsoft.finance.messaging.commands.user.ChangePasswordCommand;
-import com.jongsoft.finance.messaging.commands.user.ChangeUserSettingCommand;
-import com.jongsoft.finance.messaging.commands.user.CreateUserCommand;
+import com.jongsoft.finance.messaging.commands.user.*;
 import com.jongsoft.lang.Collections;
+import com.jongsoft.lang.collection.Collectors;
 import com.jongsoft.lang.collection.List;
 import java.io.Serializable;
 import java.time.LocalDate;
@@ -33,6 +31,7 @@ public class UserAccount implements AggregateBase, Serializable {
 
   private Long id;
   private UserIdentifier username;
+  private String externalUserId;
   private String password;
   private List<Role> roles;
 
@@ -49,6 +48,13 @@ public UserAccount(String username, String password) {
     CreateUserCommand.userCreated(username, password);
   }
 
+  public UserAccount(String username, String externalUserId, List<String> roles) {
+    this.username = new UserIdentifier(username);
+    this.externalUserId = externalUserId;
+    this.roles = roles.stream().map(Role::new).collect(Collectors.toList());
+    CreateExternalUserCommand.externalUserCreated(username, externalUserId, roles);
+  }
+
   /**
    * Change the password of the user to the provided new password.
    *

domain/src/main/java/com/jongsoft/finance/messaging/commands/user/CreateExternalUserCommand.java

@@ -0,0 +1,12 @@
+package com.jongsoft.finance.messaging.commands.user;
+
+import com.jongsoft.finance.messaging.ApplicationEvent;
+import com.jongsoft.lang.collection.List;
+
+public record CreateExternalUserCommand(String username, String oauthToken, List<String> roles)
+    implements ApplicationEvent {
+
+  public static void externalUserCreated(String username, String oauthToken, List<String> roles) {
+    new CreateExternalUserCommand(username, oauthToken, roles).publish();
+  }
+}

fintrack-api/build.gradle.kts

@@ -48,6 +48,7 @@ dependencies {
     implementation(mn.micronaut.security.jwt)
     implementation(mn.micronaut.http.server.jetty)
     implementation(mn.micronaut.http.validation)
+    implementation(mn.micronaut.http.client)
     implementation(mn.micronaut.email.template)
     implementation(mn.micronaut.views.velocity)
 

fintrack-api/src/integration/java/com/jongsoft/finance/MultiFactorLoginTest.java

@@ -20,7 +20,7 @@ void registerAndLoginWithMFA(TestContext testContext) {
 
         profileContext
                 .get(response -> response
-                        .body("theme", equalTo("dark"))
+                        .body("theme", equalTo("light"))
                         .body("currency", equalTo("EUR"))
                         .body("mfa", equalTo(false)))
                 .qrCode();
@@ -32,7 +32,7 @@ void registerAndLoginWithMFA(TestContext testContext) {
                 .multiFactor()
                 .profile()
                 .get(response -> response
-                        .body("theme", equalTo("dark"))
+                        .body("theme", equalTo("light"))
                         .body("currency", equalTo("EUR"))
                         .body("mfa", equalTo(true)));
     }

fintrack-api/src/main/java/com/jongsoft/finance/filter/AuthenticationFailureHandler.java

@@ -30,7 +30,10 @@ public HttpResponse<JsonError> handle(HttpRequest request, AuthorizationExceptio
           "{}: {} - User {} does not have access based upon the roles {}.",
           request.getMethod(),
           request.getPath(),
-          exception.getAuthentication().getName(),
+          exception
+              .getAuthentication()
+              .getAttributes()
+              .getOrDefault("email", exception.getAuthentication().getName()),
           exception.getAuthentication().getRoles());
 
       return HttpResponse.status(HttpStatus.FORBIDDEN)

fintrack-api/src/main/java/com/jongsoft/finance/filter/AuthenticationFilter.java

@@ -1,5 +1,6 @@
 package com.jongsoft.finance.filter;
 
+import com.jongsoft.finance.domain.FinTrack;
 import com.jongsoft.finance.messaging.InternalAuthenticationEvent;
 import com.jongsoft.lang.Control;
 import io.micronaut.context.event.ApplicationEventPublisher;
@@ -10,10 +11,12 @@
 import io.micronaut.http.filter.HttpServerFilter;
 import io.micronaut.http.filter.ServerFilterChain;
 import io.micronaut.http.filter.ServerFilterPhase;
+import io.micronaut.security.authentication.ServerAuthentication;
 import io.micronaut.serde.ObjectMapper;
 import java.security.Principal;
 import java.time.Duration;
 import java.time.Instant;
+import java.util.List;
 import java.util.UUID;
 import org.reactivestreams.Publisher;
 import org.slf4j.Logger;
@@ -27,12 +30,15 @@ public class AuthenticationFilter implements HttpServerFilter {
 
   private final ApplicationEventPublisher<InternalAuthenticationEvent> eventPublisher;
   private final ObjectMapper objectMapper;
+  private final FinTrack finTrack;
 
   public AuthenticationFilter(
       ApplicationEventPublisher<InternalAuthenticationEvent> eventPublisher,
-      ObjectMapper objectMapper) {
+      ObjectMapper objectMapper,
+      FinTrack finTrack) {
     this.eventPublisher = eventPublisher;
     this.objectMapper = objectMapper;
+    this.finTrack = finTrack;
   }
 
   @Override
@@ -79,7 +85,16 @@ public Publisher<MutableHttpResponse<?>> doFilter(
   }
 
   private void handleAuthentication(Principal principal) {
-    log.trace("Authenticated user {}", principal.getName());
-    eventPublisher.publishEvent(new InternalAuthenticationEvent(this, principal.getName()));
+    var userName = principal.getName();
+    if (principal instanceof ServerAuthentication authentication) {
+      var hasEmail = authentication.getAttributes().containsKey("email");
+      if (hasEmail) {
+        userName = authentication.getAttributes().get("email").toString();
+        finTrack.createOathUser(
+            userName, principal.getName(), List.copyOf(authentication.getRoles()));
+      }
+    }
+    log.trace("Authenticated user {}", userName);
+    eventPublisher.publishEvent(new InternalAuthenticationEvent(this, userName));
   }
 }

fintrack-api/src/main/java/com/jongsoft/finance/rest/security/OpenIdResource.java

@@ -0,0 +1,31 @@
+package com.jongsoft.finance.rest.security;
+
+import com.jongsoft.finance.security.OpenIdConfiguration;
+import io.micronaut.context.annotation.Requires;
+import io.micronaut.http.annotation.Controller;
+import io.micronaut.http.annotation.Get;
+import io.micronaut.security.annotation.Secured;
+import io.micronaut.security.rules.SecurityRule;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
+
+@Controller
+@Requires(env = "openid")
+@Tag(name = "Authentication")
+public class OpenIdResource {
+
+  private final OpenIdConfiguration configuration;
+
+  public OpenIdResource(OpenIdConfiguration openIdConfiguration) {
+    this.configuration = openIdConfiguration;
+  }
+
+  @Secured(SecurityRule.IS_ANONYMOUS)
+  @Get(value = "/.well-known/openid-connect")
+  @Operation(
+      summary = "Get the OpenId Connect",
+      description = "Use this operation to get the OpenId connect details.")
+  public OpenIdConfiguration openIdConfiguration() {
+    return configuration;
+  }
+}

fintrack-api/src/main/java/com/jongsoft/finance/security/OpenIdConfiguration.java

@@ -0,0 +1,39 @@
+package com.jongsoft.finance.security;
+
+import io.micronaut.context.annotation.ConfigurationProperties;
+import io.micronaut.context.annotation.Requires;
+import io.micronaut.serde.annotation.Serdeable;
+
+@Requires(env = "openid")
+@Serdeable.Serializable
+@ConfigurationProperties("application.openid")
+public class OpenIdConfiguration {
+
+  private String authority;
+  private String clientId;
+  private String clientSecret;
+
+  public String getAuthority() {
+    return authority;
+  }
+
+  public void setAuthority(String authority) {
+    this.authority = authority;
+  }
+
+  public String getClientId() {
+    return clientId;
+  }
+
+  public void setClientId(String clientId) {
+    this.clientId = clientId;
+  }
+
+  public String getClientSecret() {
+    return clientSecret;
+  }
+
+  public void setClientSecret(String clientSecret) {
+    this.clientSecret = clientSecret;
+  }
+}

fintrack-api/src/main/resources/application-demo.yml

@@ -10,5 +10,5 @@ datasources:
 flyway:
   datasources:
     default:
-      locations: ["classpath:db/camunda/h2", "classpath:db/migration", "classpath:db/sample"]
+      locations: ["classpath:db/camunda/h2", "classpath:db/migration/mysql", "classpath:db/sample"]
       fail-on-missing-locations: true

fintrack-api/src/main/resources/application-openid.yaml

@@ -0,0 +1,16 @@
+micronaut:
+  security:
+    token:
+      jwt:
+        signatures:
+          jwks:
+            keycloak:
+              url: ${OPENID_URI}
+              key-type: RSA
+
+application:
+  openid:
+    client-id: ${OPENID_CLIENT:pledger-io}
+    client-secret: ${OPENID_SECRET:-}
+    authority: ${OPENID_AUTHORITY:-}
+

fintrack-api/src/main/resources/i18n/messages.properties

@@ -602,3 +602,4 @@ page.transactions.generate.info=Paste a transaction description from your bank s
 page.transactions.generated=Extracted transaction
 page.transactions.generate.confirm=Create transaction
 common.action.back=Back
+page.login.openid_connect=OpenId Connect

jpa-repository/src/main/java/com/jongsoft/finance/jpa/user/CreateExternalUserHandler.java

@@ -0,0 +1,61 @@
+package com.jongsoft.finance.jpa.user;
+
+import com.jongsoft.finance.annotation.BusinessEventListener;
+import com.jongsoft.finance.jpa.query.ReactiveEntityManager;
+import com.jongsoft.finance.jpa.user.entity.RoleJpa;
+import com.jongsoft.finance.jpa.user.entity.UserAccountJpa;
+import com.jongsoft.finance.messaging.CommandHandler;
+import com.jongsoft.finance.messaging.commands.user.CreateExternalUserCommand;
+import dev.samstevens.totp.secret.SecretGenerator;
+import jakarta.inject.Singleton;
+import jakarta.transaction.Transactional;
+import org.slf4j.Logger;
+
+@Singleton
+@Transactional
+class CreateExternalUserHandler implements CommandHandler<CreateExternalUserCommand> {
+  private final Logger log = org.slf4j.LoggerFactory.getLogger(this.getClass());
+
+  private final ReactiveEntityManager entityManager;
+  private final SecretGenerator secretGenerator;
+
+  public CreateExternalUserHandler(ReactiveEntityManager entityManager) {
+    this.entityManager = entityManager;
+    secretGenerator = new dev.samstevens.totp.secret.DefaultSecretGenerator();
+  }
+
+  @Override
+  @BusinessEventListener
+  public void handle(CreateExternalUserCommand command) {
+    if (validateUserExists(command.username())) {
+      log.debug("[{}] - External user already exists, skipping creation.", command.username());
+      return;
+    }
+
+    log.info("[{}] - Creating external user", command.username());
+    var builder =
+        UserAccountJpa.builder()
+            .username(command.username())
+            .password("")
+            .theme("light")
+            .twoFactorSecret(secretGenerator.generate());
+
+    for (var role : command.roles()) {
+      entityManager
+          .from(RoleJpa.class)
+          .fieldEq("name", role)
+          .singleResult()
+          .ifPresent(builder::role);
+    }
+
+    entityManager.persist(builder.build());
+  }
+
+  private synchronized boolean validateUserExists(String username) {
+    return entityManager
+        .from(UserAccountJpa.class)
+        .fieldEq("username", username)
+        .singleResult()
+        .isPresent();
+  }
+}

jpa-repository/src/main/java/com/jongsoft/finance/jpa/user/CreateUserHandler.java

@@ -37,7 +37,7 @@ public void handle(CreateUserCommand command) {
             .username(command.username())
             .password(command.password())
             .twoFactorSecret(secretGenerator.generate())
-            .theme("dark")
+            .theme("light")
             .roles(
                 new HashSet<>(
                     Arrays.asList(

jpa-repository/src/main/java/com/jongsoft/finance/jpa/user/entity/UserAccountJpa.java

@@ -7,6 +7,7 @@
 import java.util.Set;
 import lombok.Builder;
 import lombok.Getter;
+import lombok.Singular;
 
 @Getter
 @Entity
@@ -45,7 +46,7 @@ private UserAccountJpa(
       String theme,
       Currency currency,
       byte[] gravatar,
-      Set<RoleJpa> roles) {
+      @Singular Set<RoleJpa> roles) {
     this.username = username;
     this.password = password;
     this.twoFactorEnabled = twoFactorEnabled;