From 65a91b9f2c674ea2a8c60c02d92ca694d928cefa Mon Sep 17 00:00:00 2001
From: Sonia Zorba <sonia.zorba@inaf.it>
Date: Thu, 19 Mar 2020 22:48:57 +0100
Subject: [PATCH] Access token management changes and Docker issue fix

---
 README.md                                                | 8 ++++++++
 database/Dockerfile                                      | 1 +
 .../it/inaf/ia2/gms/authn/CustomIdTokenConverter.java    | 9 +++++----
 gms/src/main/resources/application.properties            | 2 +-
 4 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index ca093b5..ca0046b 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,14 @@ To run:
 
     docker run --env-file docker-env -d -p 8081:8081 -i -t gms:latest
 
+## Create the first super-admin
+
+The first super admin user must be added manually, then he/she will be able to add other administrators from the UI:
+
+    INSERT INTO gms_permission (group_id, user_id, permission, group_path) VALUES('ROOT', '1', 'ADMIN', '');
+
+The value `user_id` is the RAP user id.
+
 ## Command line clients
 
 To add a command line client first generate the sha256 of its password:
diff --git a/database/Dockerfile b/database/Dockerfile
index bb94ba2..d73d745 100644
--- a/database/Dockerfile
+++ b/database/Dockerfile
@@ -1,3 +1,4 @@
 FROM library/postgres:11
 COPY gms/src/main/resources/sql/init.sql /docker-entrypoint-initdb.d/
 COPY database/user.sql /docker-entrypoint-initdb.d/
+ENV POSTGRES_HOST_AUTH_METHOD=trust
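Review bot: `POSTGRES_HOST_AUTH_METHOD=trust` on the last line disables password authentication for every client that can reach the container's Postgres port, so any host with network access can connect as any database role, including `postgres`. Nothing in the Dockerfile or the commit message says this is a local-development convenience, and the image as built would carry the setting into any deployment that reuses it. If the goal is only to avoid a password for local runs, the official image's `POSTGRES_PASSWORD` variable is the intended way to keep authentication on while still scripting the setup; otherwise the line needs a comment stating the restriction, e.g. `# dev-only: disables password auth for all hosts; do not deploy this image as-is`.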
diff --git a/gms/src/main/java/it/inaf/ia2/gms/authn/CustomIdTokenConverter.java b/gms/src/main/java/it/inaf/ia2/gms/authn/CustomIdTokenConverter.java
index b4582d4..ee5d1e5 100644
--- a/gms/src/main/java/it/inaf/ia2/gms/authn/CustomIdTokenConverter.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/authn/CustomIdTokenConverter.java
@@ -23,10 +23,11 @@ public class CustomIdTokenConverter extends DefaultUserAuthenticationConverter {
     @Override
     public Authentication extractAuthentication(Map<String, ?> map) {
 
-        String idToken = (String) map.get("id_token");
-
-        OAuth2AccessToken token = jwkTokenStore.readAccessToken(idToken);
+        String idTokenString = (String) map.get("id_token");
+        String accessTokenString = (String) map.get("access_token");
 
+        OAuth2AccessToken token = jwkTokenStore.readAccessToken(idTokenString);
+        OAuth2AccessToken accessToken = jwkTokenStore.readAccessToken(accessTokenString);
         String refreshToken = (String) map.get("refresh_token");
 
         Map<String, Object> claims = token.getAdditionalInformation();
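Review bot: The new `access_token` lookup has no presence check: if the token response carries no `access_token` entry, `accessTokenString` is null and `jwkTokenStore.readAccessToken(accessTokenString)` presumably fails with an unrelated exception instead of a clear message, which is a new failure mode for every login since the old code depended only on `id_token`. A guard before the two `readAccessToken` calls, `if (accessTokenString == null) { throw new IllegalArgumentException("token response contains no access_token"); }`, keeps the error diagnosable. The hunk also leaves the split between the two tokens undocumented: `token` (parsed from the id token) still supplies `claims`, while the separately verified `accessToken` is what now goes into the authentication object; a comment such as `// id_token supplies the identity claims; access_token is verified separately and retained for later use` above the first `readAccessToken` call would record that intent. extractAuthentication continues past the end of this hunk.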
@@ -36,6 +37,6 @@ public class CustomIdTokenConverter extends DefaultUserAuthenticationConverter {
 
         List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
 
-        return new CustomAuthenticationData(principal, claims, authorities, token, refreshToken);
+        return new CustomAuthenticationData(principal, claims, authorities, accessToken, refreshToken);
     }
 }
diff --git a/gms/src/main/resources/application.properties b/gms/src/main/resources/application.properties
index 9b45427..902956e 100644
--- a/gms/src/main/resources/application.properties
+++ b/gms/src/main/resources/application.properties
@@ -8,7 +8,7 @@ security.oauth2.client.client-secret=gms-secret
 security.oauth2.client.access-token-uri=http://localhost/rap-ia2/auth/oauth2/token
 security.oauth2.client.user-authorization-uri=http://localhost/rap-ia2/auth/oauth2/authorize
 security.oauth2.resource.token-info-uri=http://localhost/rap-ia2/auth/oauth2/check_token
-security.oauth2.client.scope=openid,email,profile
+security.oauth2.client.scope=openid,email,profile,read:rap
 security.oauth2.resource.jwk.key-set-uri=http://localhost/rap-ia2/auth/oidc/jwks
 
 logging.level.it.inaf=TRACE
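Review bot: The `read:rap` scope added to `security.oauth2.client.scope` is not explained in the file or the commit message; it is presumably what the access token retained by CustomIdTokenConverter needs, but a reader of this file cannot tell. A comment above the line, `# read:rap: required for the access token GMS keeps after login (see CustomIdTokenConverter)`, would record the dependency. Widening the requested scope also widens what a stolen access token can do, so the list should stay limited to what GMS actually calls.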
-- 
GitLab