Merge pull request #266 from jusabatier/preserve_uid_patch

Allow to disable uid transformation for an IDP

Author: f-necas

datadir/gateway/security.yaml

@@ -7,11 +7,14 @@ georchestra:
       # from datadir
       moderatedSignup: ${moderatedSignup:false}
       createNonExistingUsersInLDAP: false
-#      events:
-#        accountcreated:
-#          # Set this url to console's endpoint to be able to receive an email when a new user logs in
-#          #  for the first time with an IDP and is created in LDAP.
-#          url: "http://console:8080/console/internal/events/accountcreated"
+      # You can disable UID transformation for an IDP by its identifier
+      # This lead to not prefixing or sanitize the UID from this IDP
+      #disableUidTransformation: 'icu'
+      #events:
+      #  accountcreated:
+      #    # Set this url to console's endpoint to be able to receive an email when a new user logs in
+      #    #  for the first time with an IDP and is created in LDAP.
+      #    url: "http://console:8080/console/internal/events/accountcreated"
       oauth2:
         # if enabled, make sure to have at least one OAuth2 client
         # set up at spring.security.oauth2.client below 

gateway/src/main/java/org/georchestra/gateway/security/GeorchestraGatewaySecurityConfigProperties.java

@@ -70,6 +70,14 @@ public class GeorchestraGatewaySecurityConfigProperties implements Validator {
      */
     private boolean createNonExistingUsersInLDAP = true;
 
+    /**
+     * Identifier of the Identity Provider for which UID transformation is disabled.
+     * When this value matches an IDP's id, the username from that provider is used
+     * as-is (no prefixing and no sanitization). If empty or not matching, UID
+     * transformation is applied normally.
+     */
+    private String disableUidTransformation = "";
+
     /**
      * Default organization assigned to users when no specific organization is set.
      */

gateway/src/main/java/org/georchestra/gateway/security/oauth2/OAuth2Configuration.java

@@ -198,9 +198,10 @@ OAuth2UserMapper oAuth2GeorchestraUserUserMapper() {
      */
     @Bean
     OpenIdConnectUserMapper openIdConnectGeorchestraUserUserMapper(
-            OpenIdConnectCustomClaimsConfigProperties nonStandardClaimsConfig) {
+            OpenIdConnectCustomClaimsConfigProperties nonStandardClaimsConfig,
+            GeorchestraGatewaySecurityConfigProperties securityConfigProperties) {
 
-        return new OpenIdConnectUserMapper(nonStandardClaimsConfig);
+        return new OpenIdConnectUserMapper(nonStandardClaimsConfig, securityConfigProperties);
     }
 
     /**

gateway/src/main/java/org/georchestra/gateway/security/oauth2/OpenIdConnectUserMapper.java

@@ -130,6 +130,7 @@
 public class OpenIdConnectUserMapper extends OAuth2UserMapper {
 
     private final @NonNull OpenIdConnectCustomClaimsConfigProperties nonStandardClaimsConfig;
+    private final @NonNull GeorchestraGatewaySecurityConfigProperties securityConfigProperties;
 
     /**
      * Filters authentication tokens to process only {@link OidcUser}-based
@@ -180,8 +181,13 @@ public class OpenIdConnectUserMapper extends OAuth2UserMapper {
             if (customProviderClaims.isPresent()) {
                 applyProviderNonStandardClaims(customProviderClaims.get(), oidcUser.getClaims(), user);
             }
-            user.setUsername((token.getAuthorizedClientRegistrationId() + "_" + user.getUsername())
-                    .replaceAll("[^a-zA-Z0-9-_]", "_").toLowerCase());
+
+            boolean disableTransformation = clientId.equals(securityConfigProperties.getDisableUidTransformation());
+
+            if (!disableTransformation) {
+                user.setUsername((clientId + "_" + user.getUsername()).replaceAll("[^a-zA-Z0-9-_]", "_").toLowerCase());
+            }
+
         } catch (Exception e) {
             log.error("Error mapping non-standard OIDC claims for authenticated user", e);
             throw new IllegalStateException(e);

gateway/src/test/java/org/georchestra/gateway/security/oauth2/OpenIdConnectUserMapperTest.java

@@ -28,14 +28,19 @@
 import java.util.Date;
 import java.util.List;
 import java.util.Map;
+import java.util.Optional;
 
 import io.jsonwebtoken.Jwts;
+import org.georchestra.gateway.security.GeorchestraGatewaySecurityConfigProperties;
 import org.georchestra.security.model.GeorchestraUser;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
 import org.springframework.security.oauth2.client.registration.ClientRegistration;
 import org.springframework.security.oauth2.core.AuthorizationGrantType;
 import org.springframework.security.oauth2.core.oidc.AddressStandardClaim;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.security.oauth2.core.oidc.StandardClaimAccessor;
 
 import com.nimbusds.oauth2.sdk.ParseException;
@@ -52,6 +57,7 @@ class OpenIdConnectUserMapperTest {
 
     OpenIdConnectUserMapper mapper;
     OpenIdConnectCustomClaimsConfigProperties nonStandardClaimsConfig;
+    GeorchestraGatewaySecurityConfigProperties securityConfigProperties;
     ExtendedOAuth2ClientProperties properties;
 
     /**
@@ -60,7 +66,8 @@ class OpenIdConnectUserMapperTest {
     @BeforeEach
     void setUp() throws Exception {
         nonStandardClaimsConfig = new OpenIdConnectCustomClaimsConfigProperties();
-        mapper = new OpenIdConnectUserMapper(nonStandardClaimsConfig);
+        securityConfigProperties = new GeorchestraGatewaySecurityConfigProperties();
+        mapper = new OpenIdConnectUserMapper(nonStandardClaimsConfig, securityConfigProperties);
     }
 
     @Test
@@ -328,6 +335,90 @@ public void customProviderValuesMapper() {
         assertThat(georchestraUser.getFirstName()).isEqualTo("given_name");
     }
 
+    @Test
+    void map_shouldTransformUsernameWhenDisableUidTransformationIsEmpty() {
+        OpenIdConnectUserMapper mapper = newMapper("");
+
+        OAuth2AuthenticationToken token = mock(OAuth2AuthenticationToken.class);
+        OidcUser oidcUser = mock(OidcUser.class);
+
+        when(token.getPrincipal()).thenReturn(oidcUser);
+        when(token.getAuthorizedClientRegistrationId()).thenReturn("google");
+        when(token.getAuthorities()).thenReturn(AuthorityUtils.NO_AUTHORITIES);
+
+        when(oidcUser.getSubject()).thenReturn("b7f3dd13-f9cc-4573-8482-b4fccf8e1977");
+        when(oidcUser.getPreferredUsername()).thenReturn("John.Doe@test.com");
+        when(oidcUser.getGivenName()).thenReturn("John");
+        when(oidcUser.getFamilyName()).thenReturn("Doe");
+        when(oidcUser.getEmail()).thenReturn("jdoe@test.com");
+        when(oidcUser.getPhoneNumber()).thenReturn("+123");
+        when(oidcUser.getAddress()).thenReturn(null);
+        when(oidcUser.getClaims()).thenReturn(Map.of());
+
+        Optional<GeorchestraUser> result = mapper.map(token);
+
+        assertThat(result).isPresent();
+        assertThat(result.orElseThrow().getUsername()).isEqualTo("google_john_doe_test_com");
+    }
+
+    @Test
+    void map_shouldTransformUsernameWhenDisableUidTransformationDoesNotMatchProvider() {
+        OpenIdConnectUserMapper mapper = newMapper("github");
+
+        OAuth2AuthenticationToken token = mock(OAuth2AuthenticationToken.class);
+        OidcUser oidcUser = mock(OidcUser.class);
+
+        when(token.getPrincipal()).thenReturn(oidcUser);
+        when(token.getAuthorizedClientRegistrationId()).thenReturn("google");
+        when(token.getAuthorities()).thenReturn(AuthorityUtils.NO_AUTHORITIES);
+
+        when(oidcUser.getSubject()).thenReturn("b7f3dd13-f9cc-4573-8482-b4fccf8e1977");
+        when(oidcUser.getPreferredUsername()).thenReturn("John.Doe@test.com");
+        when(oidcUser.getGivenName()).thenReturn("John");
+        when(oidcUser.getFamilyName()).thenReturn("Doe");
+        when(oidcUser.getEmail()).thenReturn("jdoe@test.com");
+        when(oidcUser.getPhoneNumber()).thenReturn("+123");
+        when(oidcUser.getAddress()).thenReturn(null);
+        when(oidcUser.getClaims()).thenReturn(Map.of());
+
+        Optional<GeorchestraUser> result = mapper.map(token);
+
+        assertThat(result).isPresent();
+        assertThat(result.orElseThrow().getUsername()).isEqualTo("google_john_doe_test_com");
+    }
+
+    @Test
+    void map_shouldNotTransformUsernameWhenDisableUidTransformationMatchesProvider() {
+        OpenIdConnectUserMapper mapper = newMapper("google");
+
+        OAuth2AuthenticationToken token = mock(OAuth2AuthenticationToken.class);
+        OidcUser oidcUser = mock(OidcUser.class);
+
+        when(token.getPrincipal()).thenReturn(oidcUser);
+        when(token.getAuthorizedClientRegistrationId()).thenReturn("google");
+        when(token.getAuthorities()).thenReturn(AuthorityUtils.NO_AUTHORITIES);
+
+        when(oidcUser.getSubject()).thenReturn("b7f3dd13-f9cc-4573-8482-b4fccf8e1977");
+        when(oidcUser.getPreferredUsername()).thenReturn("John.Doe@test.com");
+        when(oidcUser.getGivenName()).thenReturn("John");
+        when(oidcUser.getFamilyName()).thenReturn("Doe");
+        when(oidcUser.getEmail()).thenReturn("jdoe@test.com");
+        when(oidcUser.getPhoneNumber()).thenReturn("+123");
+        when(oidcUser.getAddress()).thenReturn(null);
+        when(oidcUser.getClaims()).thenReturn(Map.of());
+
+        Optional<GeorchestraUser> result = mapper.map(token);
+
+        assertThat(result).isPresent();
+        assertThat(result.orElseThrow().getUsername()).isEqualTo("John.Doe@test.com");
+    }
+
+    private OpenIdConnectUserMapper newMapper(String disableUidTransformation) {
+        GeorchestraGatewaySecurityConfigProperties securityConfigProperties = new GeorchestraGatewaySecurityConfigProperties();
+        securityConfigProperties.setDisableUidTransformation(disableUidTransformation);
+        return new OpenIdConnectUserMapper(nonStandardClaimsConfig, securityConfigProperties);
+    }
+
     private Map<String, Object> sampleClaims() throws ParseException {
         String json = SAMPLE_CLAIMS;
         return sampleClaims(json);