Add How-to: Implement Multitenancy

Closes gh-663
This commit is contained in:
Joe Grandja
2024-04-26 18:30:30 -04:00
parent 2b5808bcef
commit 76322dcfde
8 changed files with 723 additions and 0 deletions

View File

@@ -0,0 +1,55 @@
/*
* Copyright 2020-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample.multitenancy;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabase;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseBuilder;
import org.springframework.jdbc.datasource.embedded.EmbeddedDatabaseType;
@Configuration(proxyBeanMethods = false)
public class DataSourceConfig {
@Bean("issuer1-data-source")
public EmbeddedDatabase issuer1DataSource() {
// @formatter:off
return new EmbeddedDatabaseBuilder()
.setName("issuer1-db") // <1>
.setType(EmbeddedDatabaseType.H2)
.setScriptEncoding("UTF-8")
.addScript("org/springframework/security/oauth2/server/authorization/oauth2-authorization-schema.sql")
.addScript("org/springframework/security/oauth2/server/authorization/oauth2-authorization-consent-schema.sql")
.addScript("org/springframework/security/oauth2/server/authorization/client/oauth2-registered-client-schema.sql")
.build();
// @formatter:on
}
@Bean("issuer2-data-source")
public EmbeddedDatabase issuer2DataSource() {
// @formatter:off
return new EmbeddedDatabaseBuilder()
.setName("issuer2-db") // <2>
.setType(EmbeddedDatabaseType.H2)
.setScriptEncoding("UTF-8")
.addScript("org/springframework/security/oauth2/server/authorization/oauth2-authorization-schema.sql")
.addScript("org/springframework/security/oauth2/server/authorization/oauth2-authorization-consent-schema.sql")
.addScript("org/springframework/security/oauth2/server/authorization/client/oauth2-registered-client-schema.sql")
.build();
// @formatter:on
}
}

View File

@@ -0,0 +1,103 @@
/*
* Copyright 2020-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample.multitenancy;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import com.nimbusds.jose.KeySourceException;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
@Configuration(proxyBeanMethods = false)
public class JWKSourceConfig {
@Bean
public JWKSource<SecurityContext> jwkSource() {
Map<String, JWKSet> jwkSetMap = new HashMap<>();
jwkSetMap.put("issuer1", new JWKSet(generateRSAJwk())); // <1>
jwkSetMap.put("issuer2", new JWKSet(generateRSAJwk())); // <2>
return new DelegatingJWKSource(jwkSetMap);
}
// @fold:on
private static RSAKey generateRSAJwk() {
KeyPair keyPair;
try {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(2048);
keyPair = keyPairGenerator.generateKeyPair();
} catch (Exception ex) {
throw new IllegalStateException(ex);
}
RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
// @formatter:off
return new RSAKey.Builder(publicKey)
.privateKey(privateKey)
.keyID(UUID.randomUUID().toString())
.build();
// @formatter:on
}
// @fold:off
private static class DelegatingJWKSource implements JWKSource<SecurityContext> { // <3>
private final Map<String, JWKSet> jwkSetMap;
private DelegatingJWKSource(Map<String, JWKSet> jwkSetMap) {
this.jwkSetMap = jwkSetMap;
}
@Override
public List<JWK> get(JWKSelector jwkSelector, SecurityContext context) throws KeySourceException {
JWKSet jwkSet = getJwkSet();
return (jwkSet != null) ? jwkSelector.select(jwkSet) : Collections.emptyList();
}
private JWKSet getJwkSet() {
if (AuthorizationServerContextHolder.getContext() == null ||
AuthorizationServerContextHolder.getContext().getIssuer() == null) {
return null;
}
String issuer = AuthorizationServerContextHolder.getContext().getIssuer(); // <4>
for (Map.Entry<String, JWKSet> entry : this.jwkSetMap.entrySet()) {
if (issuer.endsWith(entry.getKey())) {
return entry.getValue();
}
}
return null;
}
}
}

View File

@@ -0,0 +1,98 @@
/*
* Copyright 2020-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample.multitenancy;
import java.util.HashMap;
import java.util.Map;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsent;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationConsentService;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
@Configuration(proxyBeanMethods = false)
public class OAuth2AuthorizationConsentServiceConfig {
@Bean
public OAuth2AuthorizationConsentService authorizationConsentService(
@Qualifier("issuer1-data-source") DataSource issuer1DataSource,
@Qualifier("issuer2-data-source") DataSource issuer2DataSource,
RegisteredClientRepository registeredClientRepository) {
Map<String, OAuth2AuthorizationConsentService> authorizationConsentServiceMap = new HashMap<>();
authorizationConsentServiceMap.put("issuer1", new JdbcOAuth2AuthorizationConsentService( // <1>
new JdbcTemplate(issuer1DataSource), registeredClientRepository));
authorizationConsentServiceMap.put("issuer2", new JdbcOAuth2AuthorizationConsentService( // <2>
new JdbcTemplate(issuer2DataSource), registeredClientRepository));
return new DelegatingOAuth2AuthorizationConsentService(authorizationConsentServiceMap);
}
private static class DelegatingOAuth2AuthorizationConsentService implements OAuth2AuthorizationConsentService { // <3>
private final Map<String, OAuth2AuthorizationConsentService> authorizationConsentServiceMap;
private DelegatingOAuth2AuthorizationConsentService(Map<String, OAuth2AuthorizationConsentService> authorizationConsentServiceMap) {
this.authorizationConsentServiceMap = authorizationConsentServiceMap;
}
@Override
public void save(OAuth2AuthorizationConsent authorizationConsent) {
OAuth2AuthorizationConsentService authorizationConsentService = getAuthorizationConsentService();
if (authorizationConsentService != null) {
authorizationConsentService.save(authorizationConsent);
}
}
@Override
public void remove(OAuth2AuthorizationConsent authorizationConsent) {
OAuth2AuthorizationConsentService authorizationConsentService = getAuthorizationConsentService();
if (authorizationConsentService != null) {
authorizationConsentService.remove(authorizationConsent);
}
}
@Override
public OAuth2AuthorizationConsent findById(String registeredClientId, String principalName) {
OAuth2AuthorizationConsentService authorizationConsentService = getAuthorizationConsentService();
return (authorizationConsentService != null) ?
authorizationConsentService.findById(registeredClientId, principalName) :
null;
}
private OAuth2AuthorizationConsentService getAuthorizationConsentService() {
if (AuthorizationServerContextHolder.getContext() == null ||
AuthorizationServerContextHolder.getContext().getIssuer() == null) {
return null;
}
String issuer = AuthorizationServerContextHolder.getContext().getIssuer(); // <4>
for (Map.Entry<String, OAuth2AuthorizationConsentService> entry : this.authorizationConsentServiceMap.entrySet()) {
if (issuer.endsWith(entry.getKey())) {
return entry.getValue();
}
}
return null;
}
}
}

View File

@@ -0,0 +1,107 @@
/*
* Copyright 2020-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample.multitenancy;
import java.util.HashMap;
import java.util.Map;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.oauth2.server.authorization.JdbcOAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2Authorization;
import org.springframework.security.oauth2.server.authorization.OAuth2AuthorizationService;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
@Configuration(proxyBeanMethods = false)
public class OAuth2AuthorizationServiceConfig {
@Bean
public OAuth2AuthorizationService authorizationService(
@Qualifier("issuer1-data-source") DataSource issuer1DataSource,
@Qualifier("issuer2-data-source") DataSource issuer2DataSource,
RegisteredClientRepository registeredClientRepository) {
Map<String, OAuth2AuthorizationService> authorizationServiceMap = new HashMap<>();
authorizationServiceMap.put("issuer1", new JdbcOAuth2AuthorizationService( // <1>
new JdbcTemplate(issuer1DataSource), registeredClientRepository));
authorizationServiceMap.put("issuer2", new JdbcOAuth2AuthorizationService( // <2>
new JdbcTemplate(issuer2DataSource), registeredClientRepository));
return new DelegatingOAuth2AuthorizationService(authorizationServiceMap);
}
private static class DelegatingOAuth2AuthorizationService implements OAuth2AuthorizationService { // <3>
private final Map<String, OAuth2AuthorizationService> authorizationServiceMap;
private DelegatingOAuth2AuthorizationService(Map<String, OAuth2AuthorizationService> authorizationServiceMap) {
this.authorizationServiceMap = authorizationServiceMap;
}
@Override
public void save(OAuth2Authorization authorization) {
OAuth2AuthorizationService authorizationService = getAuthorizationService();
if (authorizationService != null) {
authorizationService.save(authorization);
}
}
@Override
public void remove(OAuth2Authorization authorization) {
OAuth2AuthorizationService authorizationService = getAuthorizationService();
if (authorizationService != null) {
authorizationService.remove(authorization);
}
}
@Override
public OAuth2Authorization findById(String id) {
OAuth2AuthorizationService authorizationService = getAuthorizationService();
return (authorizationService != null) ?
authorizationService.findById(id) :
null;
}
@Override
public OAuth2Authorization findByToken(String token, OAuth2TokenType tokenType) {
OAuth2AuthorizationService authorizationService = getAuthorizationService();
return (authorizationService != null) ?
authorizationService.findByToken(token, tokenType) :
null;
}
private OAuth2AuthorizationService getAuthorizationService() {
if (AuthorizationServerContextHolder.getContext() == null ||
AuthorizationServerContextHolder.getContext().getIssuer() == null) {
return null;
}
String issuer = AuthorizationServerContextHolder.getContext().getIssuer(); // <4>
for (Map.Entry<String, OAuth2AuthorizationService> entry : this.authorizationServiceMap.entrySet()) {
if (issuer.endsWith(entry.getKey())) {
return entry.getValue();
}
}
return null;
}
}
}

View File

@@ -0,0 +1,131 @@
/*
* Copyright 2020-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample.multitenancy;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import javax.sql.DataSource;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.server.authorization.client.JdbcRegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClientRepository;
import org.springframework.security.oauth2.server.authorization.context.AuthorizationServerContextHolder;
@Configuration(proxyBeanMethods = false)
public class RegisteredClientRepositoryConfig {
@Bean
public RegisteredClientRepository registeredClientRepository(
@Qualifier("issuer1-data-source") DataSource issuer1DataSource,
@Qualifier("issuer2-data-source") DataSource issuer2DataSource) {
JdbcRegisteredClientRepository issuer1RegisteredClientRepository =
new JdbcRegisteredClientRepository(new JdbcTemplate(issuer1DataSource)); // <1>
// @fold:on
// @formatter:off
issuer1RegisteredClientRepository.save(
RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("client-1")
.clientSecret("{noop}secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.scope("scope-1")
.build()
);
// @formatter:on
// @fold:off
JdbcRegisteredClientRepository issuer2RegisteredClientRepository =
new JdbcRegisteredClientRepository(new JdbcTemplate(issuer2DataSource)); // <2>
// @fold:on
// @formatter:off
issuer2RegisteredClientRepository.save(
RegisteredClient.withId(UUID.randomUUID().toString())
.clientId("client-2")
.clientSecret("{noop}secret")
.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC)
.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
.scope("scope-2")
.build()
);
// @formatter:on
// @fold:off
Map<String, RegisteredClientRepository> registeredClientRepositoryMap = new HashMap<>();
registeredClientRepositoryMap.put("issuer1", issuer1RegisteredClientRepository);
registeredClientRepositoryMap.put("issuer2", issuer2RegisteredClientRepository);
return new DelegatingRegisteredClientRepository(registeredClientRepositoryMap);
}
private static class DelegatingRegisteredClientRepository implements RegisteredClientRepository { // <3>
private final Map<String, RegisteredClientRepository> registeredClientRepositoryMap;
private DelegatingRegisteredClientRepository(Map<String, RegisteredClientRepository> registeredClientRepositoryMap) {
this.registeredClientRepositoryMap = registeredClientRepositoryMap;
}
@Override
public void save(RegisteredClient registeredClient) {
RegisteredClientRepository registeredClientRepository = getRegisteredClientRepository();
if (registeredClientRepository != null) {
registeredClientRepository.save(registeredClient);
}
}
@Override
public RegisteredClient findById(String id) {
RegisteredClientRepository registeredClientRepository = getRegisteredClientRepository();
return (registeredClientRepository != null) ?
registeredClientRepository.findById(id) :
null;
}
@Override
public RegisteredClient findByClientId(String clientId) {
RegisteredClientRepository registeredClientRepository = getRegisteredClientRepository();
return (registeredClientRepository != null) ?
registeredClientRepository.findByClientId(clientId) :
null;
}
private RegisteredClientRepository getRegisteredClientRepository() {
if (AuthorizationServerContextHolder.getContext() == null ||
AuthorizationServerContextHolder.getContext().getIssuer() == null) {
return null;
}
String issuer = AuthorizationServerContextHolder.getContext().getIssuer(); // <4>
for (Map.Entry<String, RegisteredClientRepository> entry : this.registeredClientRepositoryMap.entrySet()) {
if (issuer.endsWith(entry.getKey())) {
return entry.getValue();
}
}
return null;
}
}
}

View File

@@ -0,0 +1,105 @@
/*
* Copyright 2020-2024 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package sample.multitenancy;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.autoconfigure.data.jpa.JpaRepositoriesAutoConfiguration;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.ComponentScan;
import org.springframework.http.MediaType;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.test.web.servlet.MockMvc;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.httpBasic;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
/**
* Tests for the guide How-to: Implement Multitenancy.
*
* @author Joe Grandja
*/
@SpringBootTest(classes = {MultitenancyTests.AuthorizationServerConfig.class} )
@AutoConfigureMockMvc
public class MultitenancyTests {
@Autowired
private MockMvc mvc;
@Test
public void requestWhenTokenRequestForIssuer1ThenTokenResponse() throws Exception {
// @formatter:off
this.mvc.perform(post("/issuer1/oauth2/token")
.with(httpBasic("client-1", "secret"))
.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
.param(OAuth2ParameterNames.SCOPE, "scope-1")
.contentType(MediaType.APPLICATION_FORM_URLENCODED_VALUE))
.andExpect(status().isOk())
.andExpect(jsonPath("$.access_token").isNotEmpty());
// @formatter:on
}
@Test
public void requestWhenTokenRequestForIssuer1WithInvalidClientThenUnauthorized() throws Exception {
// @formatter:off
this.mvc.perform(post("/issuer1/oauth2/token")
.with(httpBasic("client-2", "secret"))
.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
.param(OAuth2ParameterNames.SCOPE, "scope-2")
.contentType(MediaType.APPLICATION_FORM_URLENCODED_VALUE))
.andExpect(status().isUnauthorized());
// @formatter:on
}
@Test
public void requestWhenTokenRequestForIssuer2ThenTokenResponse() throws Exception {
// @formatter:off
this.mvc.perform(post("/issuer2/oauth2/token")
.with(httpBasic("client-2", "secret"))
.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
.param(OAuth2ParameterNames.SCOPE, "scope-2")
.contentType(MediaType.APPLICATION_FORM_URLENCODED_VALUE))
.andExpect(status().isOk())
.andExpect(jsonPath("$.access_token").isNotEmpty());
// @formatter:on
}
@Test
public void requestWhenTokenRequestForIssuer2WithInvalidClientThenUnauthorized() throws Exception {
// @formatter:off
this.mvc.perform(post("/issuer2/oauth2/token")
.with(httpBasic("client-1", "secret"))
.param(OAuth2ParameterNames.GRANT_TYPE, AuthorizationGrantType.CLIENT_CREDENTIALS.getValue())
.param(OAuth2ParameterNames.SCOPE, "scope-1")
.contentType(MediaType.APPLICATION_FORM_URLENCODED_VALUE))
.andExpect(status().isUnauthorized());
// @formatter:on
}
@EnableAutoConfiguration(exclude = JpaRepositoriesAutoConfiguration.class)
@EnableWebSecurity
@ComponentScan
static class AuthorizationServerConfig {
}
}