Merge pull request #231 from ARGOeu/devel

Version 1.7.0

Author: nikosT

CHANGELOG.md

@@ -26,7 +26,32 @@ According to [Keep a Changelog](https://keepachangelog.com/en/1.0.0/) , the
 
 ---
 
-### Unreleased - Added
+## 1.7.0 - 2025-07-25
+
+---
+
+## 1.7.0 - Added
+
+- [#219](https://github.com/ARGOeu/argo-accounting/pull/219) - ACC-345 Sys Admin 
+  should be able to manage all projects.
+- [#221](https://github.com/ARGOeu/argo-accounting/pull/221) - ACC-355 Implement multitenancy 
+  via supporting different OIDC providers.
+- [#223](https://github.com/ARGOeu/argo-accounting/pull/223) - ACC-360 Installation
+  Report.
+- [#224](https://github.com/ARGOeu/argo-accounting/pull/224) - ACC-361 Provider
+  Report.
+- [#225](https://github.com/ARGOeu/argo-accounting/pull/225) - ACC-362 Project
+  Report.
+- [#226](https://github.com/ARGOeu/argo-accounting/pull/226) - ACC-369 Aggregated 
+  Provider report.
+- [#227](https://github.com/ARGOeu/argo-accounting/pull/227) - ACC-366 Add issuer 
+  in the client's id.
+
+## 1.6.1 - 2025-03-21
+
+---
+
+### 1.6.1 - Added
 
 - [#211](https://github.com/ARGOeu/argo-accounting/pull/211) - ACC-319 Create 
   an admin-only endpoint to update user information.

pom.xml

@@ -4,7 +4,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>org.grnet</groupId>
   <artifactId>accounting-system</artifactId>
-  <version>1.6.0</version>
+  <version>1.7.0</version>
   <properties>
     <apache.common3.version>3.12.0</apache.common3.version>
     <compiler-plugin.version>3.8.1</compiler-plugin.version>
@@ -197,6 +197,11 @@
       <groupId>io.quarkus</groupId>
       <artifactId>quarkus-smallrye-metrics</artifactId>
     </dependency>
+    <dependency>
+      <groupId>commons-codec</groupId>
+      <artifactId>commons-codec</artifactId>
+      <version>1.18.0</version>
+    </dependency>
   </dependencies>
   <build>
     <resources>

src/main/java/org/accounting/system/beans/RequestUserContext.java

@@ -7,42 +7,59 @@
 import lombok.Getter;
 import lombok.Setter;
 import org.accounting.system.enums.AccessType;
+import org.accounting.system.repositories.OidcTenantConfigRepository;
+import org.apache.commons.codec.digest.DigestUtils;
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 
 import java.util.Optional;
 
 @RequestScoped
 public class RequestUserContext {
 
+
     @ConfigProperty(name = "person.key.to.retrieve.id.from.access.token")
+    @Getter
     String personKey;
 
     @ConfigProperty(name = "service.key.to.retrieve.id.from.access.token")
+    @Getter
     String serviceKey;
 
     @Inject
-    private final TokenIntrospection tokenIntrospection;
+    TokenIntrospection tokenIntrospection;
+
+    @Inject
+    OidcTenantConfigRepository oidcTenantConfigRepository;
 
     @Getter
     @Setter
     private AccessType accessType;
 
-    public RequestUserContext(TokenIntrospection tokenIntrospection) {
+    public String getId() {
 
-        this.tokenIntrospection = tokenIntrospection;
-    }
+        var optional = oidcTenantConfigRepository.fetchOidcTenantConfigByIssuer(getIssuer());
+
+        if(optional.isPresent()){
 
-    public String getId(){
+            var config = optional.get();
+
+            personKey = config.getUserIdTokenClaim();
+            serviceKey = config.getServiceIdTokenClaim();
+        }
 
         try {
 
-            return tokenIntrospection.getJsonObject().getString(personKey);
+            var input = tokenIntrospection.getJsonObject().getString(personKey)+ "|" + getIssuer();
+
+            return DigestUtils.sha256Hex(input);
 
         } catch (Exception e) {
 
             try{
 
-                return tokenIntrospection.getJsonObject().getString(serviceKey);
+                var input = tokenIntrospection.getJsonObject().getString(serviceKey)+ "|" + getIssuer();
+
+                return DigestUtils.sha256Hex(input);
 
             } catch (Exception ex){
 
@@ -74,4 +91,9 @@ public Optional<String> getEmail(){
             return Optional.empty();
         }
     }
+
+    public String getIssuer(){
+
+        return tokenIntrospection.getJsonObject().getString("iss");
+    }
 }

src/main/java/org/accounting/system/dtos/client/ClientResponseDto.java

@@ -48,9 +48,18 @@ public class ClientResponseDto {
     @Schema(
             type = SchemaType.BOOLEAN,
             implementation = Boolean.class,
-            description = "Whether a client is system admin or not",
+            description = "Whether a client is system admin or not.",
             example = "false"
     )
     @JsonProperty("system_admin")
     public boolean systemAdmin;
+
+    @Schema(
+            type = SchemaType.STRING,
+            implementation = String.class,
+            description = "The issuer URI that issued the access token the client receives.",
+            example = "http://localhost:58080/realms/quarkus"
+    )
+    @JsonProperty("issuer")
+    public String issuer;
 }

src/main/java/org/accounting/system/dtos/tenant/OidcTenantConfigRequest.java

@@ -0,0 +1,132 @@
+package org.accounting.system.dtos.tenant;
+
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import jakarta.validation.constraints.NotEmpty;
+import org.eclipse.microprofile.openapi.annotations.enums.SchemaType;
+import org.eclipse.microprofile.openapi.annotations.media.Schema;
+
+@Schema(name="OidcTenantConfig", description="An object represents a request for creating an Oidc Tenant Configuration.")
+public class OidcTenantConfigRequest {
+
+    @Schema(
+            type = SchemaType.STRING,
+            implementation = String.class,
+            description = "Issuer URI for the tokens (often the same as `authServerUrl`).",
+            required = true,
+            example = "http://localhost:58080/realms/quarkus"
+    )
+    @JsonProperty("issuer")
+    @NotEmpty(message = "issuer may not be empty.")
+    public String issuer;
+
+    @Schema(
+            type = SchemaType.STRING,
+            implementation = String.class,
+            description = "Unique identifier for the tenant.",
+            required = true,
+            example = "default"
+    )
+    @JsonProperty("tenant_id")
+    @NotEmpty(message = "tenant_id may not be empty.")
+    public String tenantId;
+
+    @Schema(
+            type = SchemaType.STRING,
+            implementation = String.class,
+            description = "Client ID registered with the identity provider.",
+            required = true,
+            example = "backend-service"
+    )
+    @JsonProperty("client_id")
+    @NotEmpty(message = "client_id may not be empty.")
+    public String clientId;
+
+    @Schema(
+            type = SchemaType.STRING,
+            implementation = String.class,
+            description = "Client secret for authenticating the client.",
+            required = true,
+            example = "secret"
+    )
+    @JsonProperty("secret")
+    @NotEmpty(message = "secret may not be empty.")
+    public String secret;
+
+    @Schema(
+            type = SchemaType.STRING,
+            implementation = String.class,
+            description = "Path to the authorization endpoint.",
+            required = true,
+            example = "/protocol/openid-connect/auth"
+    )
+    @JsonProperty("authorization_path")
+    @NotEmpty(message = "authorization_path may not be empty.")
+    public String authorizationPath;
+
+    @Schema(
+            type = SchemaType.STRING,
+            implementation = String.class,
+            description = "Path to the token introspection endpoint.",
+            required = true,
+            example = "/protocol/openid-connect/token/introspect"
+    )
+    @JsonProperty("introspection_path")
+    @NotEmpty(message = "introspection_path may not be empty.")
+    public String introspectionPath;
+
+    @Schema(
+            type = SchemaType.STRING,
+            implementation = String.class,
+            description = "Path to the user info endpoint.",
+            required = true,
+            example = "/protocol/openid-connect/userinfo"
+    )
+    @JsonProperty("user_info_path")
+    @NotEmpty(message = "user_info_path may not be empty.")
+    public String userInfoPath;
+
+    @Schema(
+            type = SchemaType.STRING,
+            implementation = String.class,
+            description = "Path to the token endpoint.",
+            required = true,
+            example = "/protocol/openid-connect/token"
+    )
+    @JsonProperty("token_path")
+    @NotEmpty(message = "token_path may not be empty.")
+    public String tokenPath;
+
+    @Schema(
+            type = SchemaType.STRING,
+            implementation = String.class,
+            description = "URL of the OIDC server (e.g., Keycloak realm URL).",
+            required = true,
+            example = "http://localhost:58080/realms/quarkus"
+    )
+    @JsonProperty("auth_server_url")
+    @NotEmpty(message = "auth_server_url may not be empty.")
+    public String authServerUrl;
+
+    @Schema(
+            type = SchemaType.STRING,
+            implementation = String.class,
+            description = "The name of the claim in the access token that uniquely identifies the user (e.g., 'sub', 'voperson_id').",
+            required = true,
+            example = "voperson_id"
+    )
+    @JsonProperty("user_id_token_claim")
+    @NotEmpty(message = "user_id_token_claim may not be empty.")
+    public String userIdTokenClaim;
+
+    @Schema(
+            type = SchemaType.STRING,
+            implementation = String.class,
+            description = "The name of the claim in the access token that uniquely identifies the service (e.g., 'client_id').",
+            required = true,
+            example = "client_id"
+    )
+    @JsonProperty("service_id_token_claim")
+    @NotEmpty(message = "service_id_token_claim may not be empty.")
+    public String serviceIdTokenClaim;
+}