From f89ce19b1f6c217e90face2e1bc689bbb9ef3e4e Mon Sep 17 00:00:00 2001
From: vzikratyi
Date: Thu, 13 Aug 2020 14:14:38 +0300
Subject: [PATCH] Added logic to send 'access token' to custom mapper

---
 .../main/data/upgrade/3.1.0/schema_update.sql | 3 ++-
 .../auth/oauth2/BasicOAuth2ClientMapper.java | 2 +-
 .../auth/oauth2/CustomOAuth2ClientMapper.java | 11 ++++++++---
 .../security/auth/oauth2/OAuth2ClientMapper.java | 2 +-
 .../Oauth2AuthenticationSuccessHandler.java | 16 +++++++++++-----
 .../data/oauth2/OAuth2CustomMapperConfig.java | 1 +
 .../server/dao/model/ModelConstants.java | 1 +
 .../sql/OAuth2ClientRegistrationEntity.java | 4 ++++
 .../server/dao/oauth2/OAuth2ServiceImpl.java | 3 ---
 .../main/resources/sql/schema-entities-hsql.sql | 3 ++-
 dao/src/main/resources/sql/schema-entities.sql | 3 ++-
 11 files changed, 33 insertions(+), 16 deletions(-)

diff --git a/application/src/main/data/upgrade/3.1.0/schema_update.sql b/application/src/main/data/upgrade/3.1.0/schema_update.sql
index 445df2b97e..639fb09432 100644
--- a/application/src/main/data/upgrade/3.1.0/schema_update.sql
+++ b/application/src/main/data/upgrade/3.1.0/schema_update.sql
@@ -47,7 +47,8 @@ CREATE TABLE IF NOT EXISTS oauth2_client_registration (
 basic_always_full_screen boolean,
 custom_url varchar(255),
 custom_username varchar(255),
- custom_password varchar(255)
+ custom_password varchar(255),
+ custom_send_token boolean
 );
 
 DROP TABLE IF EXISTS oauth2_client_registration_template;
diff --git a/application/src/main/java/org/thingsboard/server/service/security/auth/oauth2/BasicOAuth2ClientMapper.java b/application/src/main/java/org/thingsboard/server/service/security/auth/oauth2/BasicOAuth2ClientMapper.java
index 8c7c4d9bb4..5bee8e866e 100644
--- a/application/src/main/java/org/thingsboard/server/service/security/auth/oauth2/BasicOAuth2ClientMapper.java
+++ b/application/src/main/java/org/thingsboard/server/service/security/auth/oauth2/BasicOAuth2ClientMapper.java
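Review bot: `custom_send_token boolean` is added with no default, so any row written before the column existed, or by an INSERT that omits it, holds NULL, while the matching `OAuth2CustomMapperConfig.sendToken` added in this commit is a primitive boolean; if the JPA entity (cut off at the end of this excerpt) maps the column to a primitive as well, loading such a row fails on unboxing. `custom_send_token boolean DEFAULT false` makes the stored value unambiguous. Because this statement is `CREATE TABLE IF NOT EXISTS`, an installation whose table was created by an earlier 3.1.0 build keeps the old shape and never receives the column; if the script targets PostgreSQL, a separate `ALTER TABLE oauth2_client_registration ADD COLUMN IF NOT EXISTS custom_send_token boolean DEFAULT false;` would cover that case. The same column definition appears in the two schema-entities files listed in the diffstat, which are outside this excerpt.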
@@ -35,7 +35,7 @@ public class BasicOAuth2ClientMapper extends AbstractOAuth2ClientMapper implemen
 private static final String END_PLACEHOLDER_PREFIX = "}";
 
 @Override
- public SecurityUser getOrCreateUserByClientPrincipal(OAuth2AuthenticationToken token, TenantId parentTenantId, OAuth2MapperConfig config) {
+ public SecurityUser getOrCreateUserByClientPrincipal(OAuth2AuthenticationToken token, String providerAccessToken, TenantId parentTenantId, OAuth2MapperConfig config) {
 OAuth2User oauth2User = new OAuth2User();
 Map attributes = token.getPrincipal().getAttributes();
 String email = getStringAttributeByKey(attributes, config.getBasic().getEmailAttributeKey());
diff --git a/application/src/main/java/org/thingsboard/server/service/security/auth/oauth2/CustomOAuth2ClientMapper.java b/application/src/main/java/org/thingsboard/server/service/security/auth/oauth2/CustomOAuth2ClientMapper.java
index 0dce6f1e98..21c60b943b 100644
--- a/application/src/main/java/org/thingsboard/server/service/security/auth/oauth2/CustomOAuth2ClientMapper.java
+++ b/application/src/main/java/org/thingsboard/server/service/security/auth/oauth2/CustomOAuth2ClientMapper.java
@@ -32,21 +32,26 @@ import org.thingsboard.server.service.security.model.SecurityUser;
 @Service(value = "customOAuth2ClientMapper")
 @Slf4j
 public class CustomOAuth2ClientMapper extends AbstractOAuth2ClientMapper implements OAuth2ClientMapper {
+ private static final String PROVIDER_ACCESS_TOKEN = "provider-access-token";
 private static final ObjectMapper json = new ObjectMapper();
 
 private RestTemplateBuilder restTemplateBuilder = new RestTemplateBuilder();
 
 @Override
- public SecurityUser getOrCreateUserByClientPrincipal(OAuth2AuthenticationToken token, TenantId parentTenantId, OAuth2MapperConfig config) {
- OAuth2User oauth2User = getOAuth2User(token, config.getCustom());
+ public SecurityUser getOrCreateUserByClientPrincipal(OAuth2AuthenticationToken token, String providerAccessToken, TenantId parentTenantId, OAuth2MapperConfig config) {
+ OAuth2User oauth2User = getOAuth2User(token, providerAccessToken, config.getCustom());
 return getOrCreateSecurityUserFromOAuth2User(parentTenantId, oauth2User, config.isAllowUserCreation(), config.isActivateUser());
 }
 
- private synchronized OAuth2User getOAuth2User(OAuth2AuthenticationToken token, OAuth2CustomMapperConfig custom) {
+ private synchronized OAuth2User getOAuth2User(OAuth2AuthenticationToken token, String providerAccessToken, OAuth2CustomMapperConfig custom) {
 if (!StringUtils.isEmpty(custom.getUsername()) && !StringUtils.isEmpty(custom.getPassword())) {
 restTemplateBuilder = restTemplateBuilder.basicAuthentication(custom.getUsername(), custom.getPassword());
 }
+ if (custom.isSendToken() && !StringUtils.isEmpty(providerAccessToken)) {
+ restTemplateBuilder = restTemplateBuilder.defaultHeader(PROVIDER_ACCESS_TOKEN, providerAccessToken);
+ }
+
 RestTemplate restTemplate = restTemplateBuilder.build();
 String request;
 try {
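Review bot: `restTemplateBuilder = restTemplateBuilder.defaultHeader(PROVIDER_ACCESS_TOKEN, providerAccessToken);` stores the user's provider access token in the bean's shared builder, so it outlives this login: RestTemplateBuilder is immutable and returns a new instance, and writing that instance back to the field means every later `restTemplateBuilder.build()` in this singleton still carries the header, including logins where `custom.isSendToken()` is false or the token is empty, and including other client registrations whose `custom.getUrl()` may belong to a different tenant. The pre-existing `basicAuthentication` assignment has the same shape, but the new line turns it into a credential leak between users, and depending on the Spring Boot version's header merging a second login with sendToken enabled may append rather than replace, sending both tokens. Keep the configured builder in a local and leave the field untouched, after which the `synchronized` on this method, which appears to exist only to serialize those field writes, can likely go. The header is also only as confidential as the transport to `custom.getUrl()`, which nothing in this hunk constrains to https; the rest of getOAuth2User continues outside the hunk.
```java
private synchronized OAuth2User getOAuth2User(OAuth2AuthenticationToken token, String providerAccessToken, OAuth2CustomMapperConfig custom) {
    // Configure a per-call builder; the caller's credentials must never be written back into the shared field.
    RestTemplateBuilder builder = restTemplateBuilder;
    if (!StringUtils.isEmpty(custom.getUsername()) && !StringUtils.isEmpty(custom.getPassword())) {
        builder = builder.basicAuthentication(custom.getUsername(), custom.getPassword());
    }
    if (custom.isSendToken() && !StringUtils.isEmpty(providerAccessToken)) {
        builder = builder.defaultHeader(PROVIDER_ACCESS_TOKEN, providerAccessToken);
    }
    RestTemplate restTemplate = builder.build();
    // … unchanged: request serialization and the call to custom.getUrl() …
```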
diff --git a/application/src/main/java/org/thingsboard/server/service/security/auth/oauth2/OAuth2ClientMapper.java b/application/src/main/java/org/thingsboard/server/service/security/auth/oauth2/OAuth2ClientMapper.java
index 6490322b0b..cdd0313f51 100644
--- a/application/src/main/java/org/thingsboard/server/service/security/auth/oauth2/OAuth2ClientMapper.java
+++ b/application/src/main/java/org/thingsboard/server/service/security/auth/oauth2/OAuth2ClientMapper.java
@@ -21,5 +21,5 @@ import org.thingsboard.server.common.data.oauth2.OAuth2MapperConfig;
 import org.thingsboard.server.service.security.model.SecurityUser;
 
 public interface OAuth2ClientMapper {
- SecurityUser getOrCreateUserByClientPrincipal(OAuth2AuthenticationToken token, TenantId parentTenantId, OAuth2MapperConfig config);
+ SecurityUser getOrCreateUserByClientPrincipal(OAuth2AuthenticationToken token, String providerAccessToken, TenantId parentTenantId, OAuth2MapperConfig config);
 }
diff --git a/application/src/main/java/org/thingsboard/server/service/security/auth/oauth2/Oauth2AuthenticationSuccessHandler.java b/application/src/main/java/org/thingsboard/server/service/security/auth/oauth2/Oauth2AuthenticationSuccessHandler.java
index 9274e08939..7c0097fbfb 100644
--- a/application/src/main/java/org/thingsboard/server/service/security/auth/oauth2/Oauth2AuthenticationSuccessHandler.java
+++ b/application/src/main/java/org/thingsboard/server/service/security/auth/oauth2/Oauth2AuthenticationSuccessHandler.java
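Review bot: The new `providerAccessToken` parameter has no Javadoc on `getOrCreateUserByClientPrincipal`, and the two implementations in this commit treat it differently (BasicOAuth2ClientMapper ignores it, CustomOAuth2ClientMapper forwards it to an external endpoint), so the contract should be written down on the interface rather than left to each implementation. A Javadoc `@param providerAccessToken` should state that it is the raw access token the external provider issued for this login, that callers may pass null or an empty string when none is available, and that implementations must treat it as a secret: use it for the mapping call only, and never log or persist it.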
@@ -15,14 +15,13 @@
 */
 package org.thingsboard.server.service.security.auth.oauth2;
 
-import org.apache.commons.lang3.tuple.Pair;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
 import org.springframework.security.oauth2.client.authentication.OAuth2AuthenticationToken;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
 import org.springframework.stereotype.Component;
-import org.thingsboard.server.common.data.id.TenantId;
 import org.thingsboard.server.common.data.oauth2.OAuth2ClientRegistration;
 import org.thingsboard.server.dao.oauth2.OAuth2Service;
 import org.thingsboard.server.service.security.auth.jwt.RefreshTokenRepository;
@@ -45,16 +44,19 @@ public class Oauth2AuthenticationSuccessHandler extends SimpleUrlAuthenticationS
 private final RefreshTokenRepository refreshTokenRepository;
 private final OAuth2ClientMapperProvider oauth2ClientMapperProvider;
 private final OAuth2Service oAuth2Service;
+ private final OAuth2AuthorizedClientService oAuth2AuthorizedClientService;
 
 @Autowired
 public Oauth2AuthenticationSuccessHandler(final JwtTokenFactory tokenFactory,
 final RefreshTokenRepository refreshTokenRepository,
 final OAuth2ClientMapperProvider oauth2ClientMapperProvider,
- final OAuth2Service oAuth2Service) {
+ final OAuth2Service oAuth2Service,
+ final OAuth2AuthorizedClientService oAuth2AuthorizedClientService) {
 this.tokenFactory = tokenFactory;
 this.refreshTokenRepository = refreshTokenRepository;
 this.oauth2ClientMapperProvider = oauth2ClientMapperProvider;
 this.oAuth2Service = oAuth2Service;
+ this.oAuth2AuthorizedClientService = oAuth2AuthorizedClientService;
 }
 
 @Override
@@ -67,8 +69,12 @@ public class Oauth2AuthenticationSuccessHandler extends SimpleUrlAuthenticationS
 OAuth2AuthenticationToken token = (OAuth2AuthenticationToken) authentication;
 OAuth2ClientRegistration clientRegistration = oAuth2Service.findClientRegistration(UUID.fromString(token.getAuthorizedClientRegistrationId()));
+ OAuth2AuthorizedClient oAuth2AuthorizedClient = oAuth2AuthorizedClientService.loadAuthorizedClient(
+ token.getAuthorizedClientRegistrationId(),
+ token.getPrincipal().getName());
 OAuth2ClientMapper mapper = oauth2ClientMapperProvider.getOAuth2ClientMapperByType(clientRegistration.getMapperConfig().getType());
- SecurityUser securityUser = mapper.getOrCreateUserByClientPrincipal(token, clientRegistration.getTenantId(), clientRegistration.getMapperConfig());
+ SecurityUser securityUser = mapper.getOrCreateUserByClientPrincipal(token, oAuth2AuthorizedClient.getAccessToken().getTokenValue(),
+ clientRegistration.getTenantId(), clientRegistration.getMapperConfig());
 JwtToken accessToken = tokenFactory.createAccessJwtToken(securityUser);
 JwtToken refreshToken = refreshTokenRepository.requestRefreshToken(securityUser);
diff --git a/common/data/src/main/java/org/thingsboard/server/common/data/oauth2/OAuth2CustomMapperConfig.java b/common/data/src/main/java/org/thingsboard/server/common/data/oauth2/OAuth2CustomMapperConfig.java
index 8ac72e9d8a..cead19c39c 100644
--- a/common/data/src/main/java/org/thingsboard/server/common/data/oauth2/OAuth2CustomMapperConfig.java
+++ b/common/data/src/main/java/org/thingsboard/server/common/data/oauth2/OAuth2CustomMapperConfig.java
@@ -25,4 +25,5 @@ public class OAuth2CustomMapperConfig {
 private final String url;
 private final String username;
 private final String password;
+ private final boolean sendToken;
 }
diff --git a/dao/src/main/java/org/thingsboard/server/dao/model/ModelConstants.java b/dao/src/main/java/org/thingsboard/server/dao/model/ModelConstants.java
index 8042d13927..1bd80240bc 100644
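Review bot: `oAuth2AuthorizedClient.getAccessToken().getTokenValue()` dereferences the result of `loadAuthorizedClient` without a null check; the `OAuth2AuthorizedClientService` contract returns null when no client is stored for the registration/principal pair, and although the standard login filter stores it just before this handler runs, a null here would turn a successful provider authentication into an NPE on the callback. The token is also loaded for every login, including the basic mapper and custom mappers with `sendToken` disabled, so the raw provider credential is pulled into this method even when no path uses it. A guard keeps the existing mapper contract, since CustomOAuth2ClientMapper already treats an empty token as "do not send": `String providerAccessToken = oAuth2AuthorizedClient != null ? oAuth2AuthorizedClient.getAccessToken().getTokenValue() : null;` and pass `providerAccessToken` in place of the chained call. The enclosing method starts and ends outside the hunk.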
--- a/dao/src/main/java/org/thingsboard/server/dao/model/ModelConstants.java
+++ b/dao/src/main/java/org/thingsboard/server/dao/model/ModelConstants.java
@@ -388,6 +388,7 @@ public class ModelConstants {
 public static final String OAUTH2_MAPPER_URL_PROPERTY = "custom_url";
 public static final String OAUTH2_MAPPER_USERNAME_PROPERTY = "custom_username";
 public static final String OAUTH2_MAPPER_PASSWORD_PROPERTY = "custom_password";
+ public static final String OAUTH2_MAPPER_SEND_TOKEN_PROPERTY = "custom_send_token";
 public static final String OAUTH2_TEMPLATE_COMMENT_PROPERTY = "comment";
 
 /**
diff --git a/dao/src/main/java/org/thingsboard/server/dao/model/sql/OAuth2ClientRegistrationEntity.java b/dao/src/main/java/org/thingsboard/server/dao/model/sql/OAuth2ClientRegistrationEntity.java
index db05b02a05..4e99dbbb5f 100644
--- a/dao/src/main/java/org/thingsboard/server/dao/model/sql/OAuth2ClientRegistrationEntity.java
+++ b/dao/src/main/java/org/thingsboard/server/dao/model/sql/OAuth2ClientRegistrationEntity.java
@@ -95,6 +95,8 @@ public class OAuth2ClientRegistrationEntity extends BaseSqlEntity