gh-1294 Add support for OAUTH authorization

* Add role support to OAuth2-enabled security
  - Uses same rules (matchers) as traditional security
* Add `DefaultDataflowAuthoritiesExtractor`
  - Assigns all roles by default
  - Allows for user-customization, if providing own `AuthoritiesExtractor` bean
* Add tests

resolves #1294

gh-1294 Add documentation

gh-1294 Polishing

gh-1294 Polishing

Author: ghillert

spring-cloud-dataflow-docs/src/main/asciidoc/configuration.adoc

@@ -699,10 +699,6 @@ security:
 
 <1> Providing the Client Id in the OAuth Configuration Section will activate OAuth2 security
 
-NOTE: As of the current version, Spring Cloud Data Flow does not provide
-finer-grained authorization when OAUTH is used as authentication mechanism. Thus,
-once you are logged in, you have full access to all functionality.
-
 You can verify that basic authentication is working properly using _curl_:
 
 [source,bash]
@@ -721,6 +717,28 @@ the REST Api using the **Authorization** Http header:
 $ curl -H "Authorization: Bearer <ACCESS_TOKEN>" http://localhost:9393/
 ```
 
+[[configuration-security-oauth2-authorization]]
+==== OAuth REST Endpoint Authorization
+
+The OAuth2 authentication option uses the same authorization rules as used by the
+<<configuration-security-basic-authentication, Traditional Authentication>> option.
+
+[TIP]
+====
+The authorization rules are defined in `dataflow-server-defaults.yml` (Part of
+the Spring Cloud Data Flow Core Module). Please see the chapter on
+<<customizing-authorization, customizing authorization>> for more details.
+====
+
+Due to fact that the determination of security roles is very environment-specific,
+_Spring Cloud Data Flow_ will by default assign all roles to authenticated OAuth2
+users using the `DefaultDataflowAuthoritiesExtractor` class.
+
+You can customize that behavior by providing your own Spring bean definition that
+extends Spring Security OAuth's `AuthoritiesExtractor` interface. In that case,
+the custom bean definition will take precedence over the default one provided by
+_Spring Cloud Data Flow_
+
 [[configuration-security-oauth2-shell]]
 ==== OAuth Authentication using the Spring Cloud Data Flow Shell
 

spring-cloud-dataflow-server-core/src/main/java/org/springframework/cloud/dataflow/server/config/DataFlowControllerAutoConfiguration.java

@@ -42,7 +42,7 @@
 import org.springframework.cloud.dataflow.registry.RdbmsUriRegistry;
 import org.springframework.cloud.dataflow.server.config.apps.CommonApplicationProperties;
 import org.springframework.cloud.dataflow.server.config.features.FeaturesProperties;
-import org.springframework.cloud.dataflow.server.config.security.BasicAuthSecurityConfiguration.AuthorizationConfig;
+import org.springframework.cloud.dataflow.server.config.security.AuthorizationConfig;
 import org.springframework.cloud.dataflow.server.config.security.support.OnSecurityEnabledAndOAuth2Disabled;
 import org.springframework.cloud.dataflow.server.config.security.support.SecurityStateBean;
 import org.springframework.cloud.dataflow.server.controller.AboutController;

spring-cloud-dataflow-server-core/src/main/java/org/springframework/cloud/dataflow/server/config/security/AuthorizationConfig.java

@@ -0,0 +1,53 @@
+/*
+ * Copyright 2016-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.cloud.dataflow.server.config.security;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.cloud.dataflow.core.DataFlowPropertyKeys;
+
+/**
+ * Holds configuration for the authorization aspects of security.
+ *
+ * @author Eric Bottard
+ * @author Gunnar Hillert
+ */
+@ConfigurationProperties(prefix = DataFlowPropertyKeys.PREFIX + "security.authorization")
+public class AuthorizationConfig {
+
+	private boolean enabled = true;
+
+	private List<String> rules = new ArrayList<>();
+
+	public List<String> getRules() {
+		return rules;
+	}
+
+	public void setRules(List<String> rules) {
+		this.rules = rules;
+	}
+
+	public boolean isEnabled() {
+		return enabled;
+	}
+
+	public void setEnabled(boolean enabled) {
+		this.enabled = enabled;
+	}
+
+}

spring-cloud-dataflow-server-core/src/main/java/org/springframework/cloud/dataflow/server/config/security/BasicAuthSecurityConfiguration.java

@@ -15,23 +15,14 @@
  */
 package org.springframework.cloud.dataflow.server.config.security;
 
-import java.util.ArrayList;
-import java.util.List;
-import java.util.regex.Matcher;
-import java.util.regex.Pattern;
-
-import org.slf4j.LoggerFactory;
-
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
-import org.springframework.boot.context.properties.ConfigurationProperties;
-import org.springframework.cloud.dataflow.core.DataFlowPropertyKeys;
 import org.springframework.cloud.dataflow.server.config.security.support.OnSecurityEnabledAndOAuth2Disabled;
+import org.springframework.cloud.dataflow.server.config.security.support.SecurityConfigUtils;
 import org.springframework.cloud.dataflow.server.config.security.support.SecurityStateBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Conditional;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.http.HttpMethod;
 import org.springframework.http.MediaType;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -50,8 +41,6 @@
 import org.springframework.session.SessionRepository;
 import org.springframework.session.web.http.HeaderHttpSessionStrategy;
 import org.springframework.session.web.http.SessionRepositoryFilter;
-import org.springframework.util.Assert;
-import org.springframework.util.StringUtils;
 import org.springframework.web.accept.ContentNegotiationStrategy;
 
 import static org.springframework.cloud.dataflow.server.controller.UiController.dashboard;
@@ -71,15 +60,6 @@
 @EnableWebSecurity
 public class BasicAuthSecurityConfiguration extends WebSecurityConfigurerAdapter {
 
-	public static final Pattern AUTHORIZATION_RULE;
-
-	private static final org.slf4j.Logger logger = LoggerFactory.getLogger(BasicAuthSecurityConfiguration.class);
-
-	static {
-		String methodsRegex = StringUtils.arrayToDelimitedString(HttpMethod.values(), "|");
-		AUTHORIZATION_RULE = Pattern.compile("(" + methodsRegex + ")\\s+(.+)\\s+=>\\s+(.+)");
-	}
-
 	@Autowired
 	private ContentNegotiationStrategy contentNegotiationStrategy;
 
@@ -114,7 +94,7 @@ protected void configure(HttpSecurity http) throws Exception {
 				.permitAll();
 
 		if (authorizationConfig.isEnabled()) {
-			security = configureSimpleSecurity(security);
+			security = SecurityConfigUtils.configureSimpleSecurity(security, authorizationConfig);
 		}
 
 		security.and().formLogin().loginPage(loginPage).loginProcessingUrl(dashboard("/login"))
@@ -143,55 +123,4 @@ protected void configure(HttpSecurity http) throws Exception {
 		securityStateBean.setAuthorizationEnabled(true);
 	}
 
-	/**
-	 * Read the configuration for "simple" (that is, not ACL based) security and apply it.
-	 */
-	private ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry configureSimpleSecurity(
-			ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security) {
-		for (String rule : authorizationConfig.getRules()) {
-			Matcher matcher = AUTHORIZATION_RULE.matcher(rule);
-			Assert.isTrue(matcher.matches(),
-					String.format("Unable to parse security rule [%s], expected format is 'HTTP_METHOD ANT_PATTERN => "
-							+ "SECURITY_ATTRIBUTE(S)'", rule));
-
-			HttpMethod method = HttpMethod.valueOf(matcher.group(1).trim());
-			String urlPattern = matcher.group(2).trim();
-			String attribute = matcher.group(3).trim();
-
-			logger.info("Authorization '{}' | '{}' | '{}'", method, attribute, urlPattern);
-			security = security.antMatchers(method, urlPattern).access(attribute);
-		}
-		return security;
-	}
-
-	/**
-	 * Holds configuration for the authorization aspects of security.
-	 *
-	 * @author Eric Bottard
-	 * @author Gunnar Hillert
-	 */
-	@ConfigurationProperties(prefix = DataFlowPropertyKeys.PREFIX + "security.authorization")
-	public static class AuthorizationConfig {
-
-		private boolean enabled = true;
-
-		private List<String> rules = new ArrayList<>();
-
-		public List<String> getRules() {
-			return rules;
-		}
-
-		public void setRules(List<String> rules) {
-			this.rules = rules;
-		}
-
-		public boolean isEnabled() {
-			return enabled;
-		}
-
-		public void setEnabled(boolean enabled) {
-			this.enabled = enabled;
-		}
-
-	}
 }

spring-cloud-dataflow-server-core/src/main/java/org/springframework/cloud/dataflow/server/config/security/OAuthSecurityConfiguration.java

@@ -28,7 +28,9 @@
 import org.springframework.boot.autoconfigure.security.SecurityProperties;
 import org.springframework.boot.autoconfigure.security.oauth2.resource.ResourceServerProperties;
 import org.springframework.boot.autoconfigure.security.oauth2.resource.UserInfoTokenServices;
+import org.springframework.cloud.dataflow.server.config.security.support.DefaultDataflowAuthoritiesExtractor;
 import org.springframework.cloud.dataflow.server.config.security.support.OnSecurityEnabledAndOAuth2Enabled;
+import org.springframework.cloud.dataflow.server.config.security.support.SecurityConfigUtils;
 import org.springframework.cloud.dataflow.server.config.security.support.SecurityStateBean;
 import org.springframework.cloud.dataflow.server.service.impl.ManualOAuthAuthenticationProvider;
 import org.springframework.context.ApplicationEventPublisher;
@@ -44,6 +46,7 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.configurers.ExpressionUrlAuthorizationConfigurer;
 import org.springframework.security.oauth2.client.OAuth2ClientContext;
 import org.springframework.security.oauth2.client.OAuth2RestTemplate;
 import org.springframework.security.oauth2.client.filter.OAuth2AuthenticationFailureEvent;
@@ -97,6 +100,9 @@ public class OAuthSecurityConfiguration extends WebSecurityConfigurerAdapter {
 	@Autowired
 	private ApplicationEventPublisher applicationEventPublisher;
 
+	@Autowired
+	private AuthorizationConfig authorizationConfig;
+
 	@Override
 	protected void configure(HttpSecurity http) throws Exception {
 
@@ -116,13 +122,28 @@ protected void configure(HttpSecurity http) throws Exception {
 		http.addFilterBefore(basicAuthenticationFilter, oauthFilter.getClass());
 		http.addFilterBefore(oAuth2AuthenticationProcessingFilter(), basicAuthenticationFilter.getClass());
 
-		http.authorizeRequests()
-				.antMatchers(
-						"/security/info**", "/login**", dashboard("/logout-success-oauth.html"),
-						dashboard("/styles/**"), dashboard("/images/**"), dashboard("/fonts/**"), dashboard("/lib/**"))
-				.permitAll().anyRequest()
-				.authenticated().and()
-				.httpBasic().and()
+		ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry security =
+
+				http.authorizeRequests()
+						.antMatchers(
+								"/favicon.ico",
+								"/security/info**", "/login**", dashboard("/logout-success-oauth.html"),
+								dashboard("/styles/**"), dashboard("/images/**"), "/assets/**", dashboard("/fonts/**"),
+								dashboard("/lib/**"))
+						.permitAll()
+						.antMatchers("/", dashboard("/**"), "/dashboard", "/features").authenticated();
+
+		if (authorizationConfig.isEnabled()) {
+			security = SecurityConfigUtils.configureSimpleSecurity(security, authorizationConfig);
+			security.anyRequest().denyAll();
+			securityStateBean.setAuthorizationEnabled(true);
+		}
+		else {
+			security.anyRequest().authenticated();
+			securityStateBean.setAuthorizationEnabled(false);
+		}
+
+		http.httpBasic().and()
 				.logout()
 				.logoutSuccessUrl(dashboard("/logout-success-oauth.html"))
 				.and().csrf().disable()
@@ -131,16 +152,15 @@ protected void configure(HttpSecurity http) throws Exception {
 				.defaultAuthenticationEntryPointFor(basicAuthenticationEntryPoint, AnyRequestMatcher.INSTANCE);
 
 		securityStateBean.setAuthenticationEnabled(true);
-		securityStateBean.setAuthorizationEnabled(false);
 	}
 
 	@Bean
 	public UserInfoTokenServices tokenServices() {
 		final UserInfoTokenServices tokenServices = new UserInfoTokenServices(resourceServerProperties.getUserInfoUri(),
 				authorizationCodeResourceDetails.getClientId());
 		tokenServices.setRestTemplate(oAuth2RestTemplate());
+		tokenServices.setAuthoritiesExtractor(new DefaultDataflowAuthoritiesExtractor());
 		return tokenServices;
-
 	}
 
 	@Bean
@@ -189,12 +209,14 @@ public AuthenticationManager oauthAuthenticationManager() {
 	@EventListener
 	public void handleOAuth2AuthenticationFailureEvent(
 			OAuth2AuthenticationFailureEvent oAuth2AuthenticationFailureEvent) {
-		final int throwableIdex = ExceptionUtils.indexOfThrowable(oAuth2AuthenticationFailureEvent.getException(),
-				ResourceAccessException.class);
-		if (throwableIdex > -1) {
+		final int throwableIdexForResourceAccessException = ExceptionUtils
+				.indexOfThrowable(oAuth2AuthenticationFailureEvent.getException(), ResourceAccessException.class);
+
+		if (throwableIdexForResourceAccessException > -1) {
 			logger.error("An error ocurred while accessing an authentication REST resource.",
 					oAuth2AuthenticationFailureEvent.getException());
 		}
+
 	}
 
 	private static class BrowserDetectingContentNegotiationStrategy extends HeaderContentNegotiationStrategy {

spring-cloud-dataflow-server-core/src/main/java/org/springframework/cloud/dataflow/server/config/security/support/DefaultDataflowAuthoritiesExtractor.java

@@ -0,0 +1,68 @@
+/*
+ * Copyright 2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.cloud.dataflow.server.config.security.support;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
+import org.slf4j.LoggerFactory;
+
+import org.springframework.boot.autoconfigure.security.oauth2.resource.AuthoritiesExtractor;
+import org.springframework.security.config.core.GrantedAuthorityDefaults;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.util.Assert;
+import org.springframework.util.StringUtils;
+
+/**
+ * Default Spring Cloud Data Flow {@link AuthoritiesExtractor}. Will assign ALL
+ * {@link CoreSecurityRoles} to the authenticated OAuth2 user.
+ *
+ * @author Gunnar Hillert
+ *
+ */
+public class DefaultDataflowAuthoritiesExtractor implements AuthoritiesExtractor {
+
+	private static final org.slf4j.Logger logger = LoggerFactory.getLogger(DefaultDataflowAuthoritiesExtractor.class);
+
+	/**
+	 * The returned {@link List} of {@link GrantedAuthority}s contains all roles from
+	 * {@link CoreSecurityRoles}. The roles are prefixed with the value specified in
+	 * {@link GrantedAuthorityDefaults}.
+	 *
+	 *
+	 * @param Must not be null. Is only used for logging
+	 */
+	@Override
+	public List<GrantedAuthority> extractAuthorities(Map<String, Object> map) {
+		Assert.notNull(map, "The map argument must not be null.");
+
+		final List<String> rolesAsStrings = new ArrayList<>();
+		final List<GrantedAuthority> grantedAuthorities =
+			Stream.of(CoreSecurityRoles.values())
+				.map(roleEnum -> {
+					final String roleName = SecurityConfigUtils.ROLE_PREFIX + roleEnum.getKey();
+					rolesAsStrings.add(roleName);
+					return new SimpleGrantedAuthority(roleName);
+				})
+				.collect(Collectors.toList());
+		logger.info("Adding ALL roles {} to user {}", StringUtils.collectionToCommaDelimitedString(rolesAsStrings), map);
+		return grantedAuthorities;
+	}
+}