feat: Initial Commit

pom.xml

@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>fr.lucasdupont</groupId>
+    <artifactId>spring-keycloak-starter</artifactId>
+    <version>0.0.1</version>
+
+    <properties>
+        <maven.compiler.source>21</maven.compiler.source>
+        <maven.compiler.target>21</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+
+        <spring.boot.version>3.5.5</spring.boot.version>
+    </properties>
+
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-dependencies</artifactId>
+                <version>${spring.boot.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-configuration-processor</artifactId>
+            <optional>true</optional>
+        </dependency>
+    </dependencies>
+
+</project>

src/main/java/fr/lucasdupont/security/CallerId.java

@@ -0,0 +1,5 @@
+package fr.lucasdupont.security;
+
+public record CallerId(String id, Type type) {
+    public enum Type { USER, CLIENT }
+}

src/main/java/fr/lucasdupont/security/CallerIdArgumentResolver.java

@@ -0,0 +1,47 @@
+package fr.lucasdupont.security;
+
+import org.springframework.core.MethodParameter;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
+import org.springframework.web.bind.support.WebDataBinderFactory;
+import org.springframework.web.context.request.NativeWebRequest;
+import org.springframework.web.method.support.HandlerMethodArgumentResolver;
+import org.springframework.web.method.support.ModelAndViewContainer;
+
+public class CallerIdArgumentResolver implements HandlerMethodArgumentResolver {
+
+    @Override
+    public boolean supportsParameter(MethodParameter parameter) {
+        return CallerId.class.isAssignableFrom(parameter.getParameterType());
+    }
+
+    @Override
+    public Object resolveArgument(MethodParameter parameter,
+                                  ModelAndViewContainer mavContainer,
+                                  NativeWebRequest webRequest,
+                                  WebDataBinderFactory binderFactory) throws IllegalAccessException {
+
+        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+        if (!(auth instanceof JwtAuthenticationToken jwtAuth)) {
+            throw new IllegalAccessException("Authentication is not of type JwtAuthenticationToken");
+        }
+
+        Jwt jwt = jwtAuth.getToken();
+        if (jwt == null) {
+            throw new IllegalAccessException("No JWT token found in authentication");
+        }
+
+        String sub = jwt.getClaimAsString("sub");
+        String clientId = jwt.getClaimAsString("client_id");
+        String preferredUsername = jwt.getClaimAsString("preferred_username");
+
+        boolean looksLikeServiceAccount = preferredUsername != null && preferredUsername.startsWith("service-account-");
+        if (clientId != null && looksLikeServiceAccount) {
+            return new CallerId(clientId, CallerId.Type.CLIENT);
+        } else {
+            return new CallerId(sub, CallerId.Type.USER);
+        }
+    }
+}

src/main/java/fr/lucasdupont/security/KeycloakAuthProperties.java

@@ -0,0 +1,28 @@
+package fr.lucasdupont.security;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+@ConfigurationProperties(prefix = "keycloak.auth")
+public class KeycloakAuthProperties {
+
+    private String role;
+
+    private boolean checkClientRole = false;
+
+    public String getRole() {
+        return role;
+    }
+
+    public void setRole(String role) {
+        this.role = role;
+    }
+
+    public boolean isCheckClientRole() {
+        return checkClientRole;
+    }
+
+    public void setCheckClientRole(boolean checkClientRole) {
+        this.checkClientRole = checkClientRole;
+    }
+
+}

src/main/java/fr/lucasdupont/security/KeycloakAutoConfiguration.java

@@ -0,0 +1,65 @@
+package fr.lucasdupont.security;
+
+import org.springframework.boot.autoconfigure.AutoConfiguration;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.method.support.HandlerMethodArgumentResolver;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+import java.util.List;
+
+@AutoConfiguration
+@ConditionalOnClass(HttpSecurity.class)
+@EnableConfigurationProperties(KeycloakAuthProperties.class)
+public class KeycloakAutoConfiguration {
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http,
+                                                   KeycloakAuthProperties props,
+                                                   RequiredRoleFilter roleFilter) throws Exception {
+
+        JwtAuthenticationConverter jwtConverter = new JwtAuthenticationConverter();
+        jwtConverter.setJwtGrantedAuthoritiesConverter(new KeycloakRealmAndClientRoleConverter());
+
+        http
+                .csrf(AbstractHttpConfigurer::disable)
+                .authorizeHttpRequests(registry -> registry
+                        .requestMatchers("/actuator/health", "/actuator/info").permitAll()
+                        .anyRequest().authenticated()
+                )
+                .oauth2ResourceServer(oauth2 -> oauth2
+                        .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtConverter))
+                );
+
+        http.addFilterAfter(roleFilter, UsernamePasswordAuthenticationFilter.class);
+
+        return http.build();
+    }
+
+    @Bean
+    public RequiredRoleFilter requiredRoleFilter(KeycloakAuthProperties props) {
+        return new RequiredRoleFilter(props);
+    }
+
+    @Bean
+    public WebMvcConfigurer callerIdArgumentResolverConfigurer(CallerIdArgumentResolver resolver) {
+        return new WebMvcConfigurer() {
+            @Override
+            public void addArgumentResolvers(List<HandlerMethodArgumentResolver> resolvers) {
+                resolvers.add(resolver);
+            }
+        };
+    }
+
+    @Bean
+    public CallerIdArgumentResolver callerIdArgumentResolver() {
+        return new CallerIdArgumentResolver();
+    }
+
+}

src/main/java/fr/lucasdupont/security/KeycloakRealmAndClientRoleConverter.java

@@ -0,0 +1,45 @@
+package fr.lucasdupont.security;
+
+import org.springframework.core.convert.converter.Converter;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.jwt.Jwt;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+
+import java.util.*;
+import java.util.stream.Collectors;
+
+public class KeycloakRealmAndClientRoleConverter implements Converter<Jwt, Collection<GrantedAuthority>> {
+
+    @Override
+    public Collection<GrantedAuthority> convert(Jwt jwt) {
+        Set<String> roles = new HashSet<>();
+
+        Map<String, Object> realmAccess = jwt.getClaim("realm_access");
+        if (realmAccess != null) {
+            Object rolesObj = realmAccess.get("roles");
+            if (rolesObj instanceof Collection<?> coll) {
+                coll.forEach(r -> roles.add(String.valueOf(r)));
+            }
+        }
+
+        Map<String, Object> resourceAccess = jwt.getClaim("resource_access");
+        if (resourceAccess != null) {
+            for (Object clientEntry : resourceAccess.values()) {
+                if (clientEntry instanceof Map<?, ?> map) {
+                    Object rolesObj = map.get("roles");
+                    if (rolesObj instanceof Collection<?> coll) {
+                        coll.forEach(r -> roles.add(String.valueOf(r)));
+                    }
+                }
+            }
+        }
+
+        return roles.stream()
+                .filter(Objects::nonNull)
+                .map(String::trim)
+                .filter(s -> !s.isEmpty())
+                .map(r -> r.startsWith("ROLE_") ? r : "ROLE_" + r)
+                .map(SimpleGrantedAuthority::new)
+                .collect(Collectors.toSet());
+    }
+}

src/main/java/fr/lucasdupont/security/RequiredRoleFilter.java

@@ -0,0 +1,45 @@
+package fr.lucasdupont.security;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.util.StringUtils;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+
+public class RequiredRoleFilter extends OncePerRequestFilter {
+
+    private final KeycloakAuthProperties props;
+
+    public RequiredRoleFilter(KeycloakAuthProperties props) {
+        this.props = props;
+    }
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request,
+                                    HttpServletResponse response,
+                                    FilterChain filterChain)
+            throws ServletException, IOException {
+
+        String required = props.getRole();
+        if (!StringUtils.hasText(required)) {
+            filterChain.doFilter(request, response);
+            return;
+        }
+
+        String authority = required.startsWith("ROLE_") ? required : ("ROLE_" + required);
+
+        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+        if (auth == null || auth.getAuthorities().stream().noneMatch(a -> a.getAuthority().equals(authority))) {
+            response.setStatus(HttpStatus.UNAUTHORIZED.value());
+            return;
+        }
+
+        filterChain.doFilter(request, response);
+    }
+}

src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports

@@ -0,0 +1 @@
+fr.lucasdupont.security.KeycloakAutoConfiguration