refactor(keycloak): migrate Keycloak plugin to NestJS

Signed-off-by: William Phetsinorath <william.phetsinorath-open@interieur.gouv.fr>

Author: shikanime

apps/server-nestjs/.env-example

@@ -15,6 +15,14 @@ KEYCLOAK_PROTOCOL=http
 KEYCLOAK_CLIENT_ID=dso-console-backend
 # Secret du client Keycloak backend (confidentiel)
 KEYCLOAK_CLIENT_SECRET=client-secret-backend
+# Identifiant de l'administrateur Keycloak
+KEYCLOAK_ADMIN=admin
+# Mot de passe de l'administrateur Keycloak
+KEYCLOAK_ADMIN_PASSWORD=admin
+# Identifiant administrateur Keycloak (utilisé pour l'API admin)
+KEYCLOAK_ADMIN=admin
+# Mot de passe administrateur Keycloak (confidentiel)
+KEYCLOAK_ADMIN_PASSWORD=admin
 # URL de redirection après authentification Keycloak
 KEYCLOAK_REDIRECT_URI=http://localhost:8080
 # Port d'écoute du serveur backend

apps/server-nestjs/.env.docker-example

@@ -16,6 +16,10 @@ KEYCLOAK_PROTOCOL=http
 KEYCLOAK_CLIENT_ID=dso-console-backend
 # Secret du client Keycloak backend (confidentiel)
 KEYCLOAK_CLIENT_SECRET=client-secret-backend
+# Identifiant de l'administrateur Keycloak
+KEYCLOAK_ADMIN=admin
+# Mot de passe de l'administrateur Keycloak
+KEYCLOAK_ADMIN_PASSWORD=admin
 # URL de redirection après authentification Keycloak
 KEYCLOAK_REDIRECT_URI=http://localhost:8080
 # Port d'écoute du serveur dans le réseau Docker

apps/server-nestjs/src/cpin-module/infrastructure/configuration/configuration.service.ts

@@ -24,7 +24,10 @@ export class ConfigurationService {
   keycloakRealm = process.env.KEYCLOAK_REALM
   keycloakClientId = process.env.KEYCLOAK_CLIENT_ID
   keycloakClientSecret = process.env.KEYCLOAK_CLIENT_SECRET
+  keycloakAdmin = process.env.KEYCLOAK_ADMIN
+  keycloakAdminPassword = process.env.KEYCLOAK_ADMIN_PASSWORD
   keycloakRedirectUri = process.env.KEYCLOAK_REDIRECT_URI
+
   adminsUserId = process.env.ADMIN_KC_USER_ID
     ? process.env.ADMIN_KC_USER_ID.split(',')
     : []

apps/server-nestjs/src/cpin-module/infrastructure/database/prisma.service.ts

@@ -0,0 +1,14 @@
+import type { OnModuleInit, OnModuleDestroy } from '@nestjs/common'
+import { Injectable } from '@nestjs/common'
+import { PrismaClient } from '@prisma/client'
+
+@Injectable()
+export class PrismaService extends PrismaClient implements OnModuleInit, OnModuleDestroy {
+  async onModuleInit() {
+    await this.$connect()
+  }
+
+  async onModuleDestroy() {
+    await this.$disconnect()
+  }
+}

apps/server-nestjs/src/cpin-module/infrastructure/infrastructure.module.ts

@@ -2,13 +2,14 @@ import { Module } from '@nestjs/common'
 
 import { ConfigurationModule } from './configuration/configuration.module'
 import { DatabaseService } from './database/database.service'
+import { PrismaService } from './database/prisma.service'
 import { HttpClientService } from './http-client/http-client.service'
 import { LoggerModule } from './logger/logger.module'
 import { ServerService } from './server/server.service'
 
 @Module({
-  providers: [DatabaseService, HttpClientService, ServerService],
+  providers: [DatabaseService, PrismaService, HttpClientService, ServerService],
   imports: [LoggerModule, ConfigurationModule],
-  exports: [DatabaseService, HttpClientService, ServerService],
+  exports: [DatabaseService, PrismaService, HttpClientService, ServerService],
 })
 export class InfrastructureModule {}

apps/server-nestjs/src/main.module.ts

@@ -1,11 +1,19 @@
 import { Module } from '@nestjs/common'
+import { EventEmitterModule } from '@nestjs/event-emitter'
+import { ScheduleModule } from '@nestjs/schedule'
 
 import { CpinModule } from './cpin-module/cpin.module'
+import { KeycloakModule } from './modules/keycloak/keycloak.module'
 
 // This module only exists to import other module.
 // « One module to rule them all, and in NestJs bind them »
 @Module({
-  imports: [CpinModule],
+  imports: [
+    CpinModule,
+    KeycloakModule,
+    EventEmitterModule.forRoot(),
+    ScheduleModule.forRoot(),
+  ],
   controllers: [],
   providers: [],
 })

apps/server-nestjs/src/modules/iam/decorators/check-policies.decorator.ts

@@ -0,0 +1,15 @@
+import { SetMetadata } from '@nestjs/common'
+import type { AppAbility } from '../factories/casl-ability.factory'
+
+export interface IPolicyHandler {
+  handle: (ability: AppAbility) => boolean
+}
+
+type PolicyHandlerCallback = (ability: AppAbility) => boolean
+
+export type PolicyHandler = IPolicyHandler | PolicyHandlerCallback
+
+export const CHECK_POLICIES_KEY = 'check_policy'
+export function CheckPolicies(...handlers: PolicyHandler[]) {
+  return SetMetadata(CHECK_POLICIES_KEY, handlers)
+}

apps/server-nestjs/src/modules/iam/factories/casl-ability.factory.ts

@@ -0,0 +1,58 @@
+import type { PureAbility } from '@casl/ability'
+import { AbilityBuilder } from '@casl/ability'
+import type { PrismaQuery, Subjects } from '@casl/prisma'
+import { createPrismaAbility } from '@casl/prisma'
+import { Injectable } from '@nestjs/common'
+import type { Project, Environment, User, ProjectMembers } from '@prisma/client'
+
+export type AppAbility = PureAbility<
+  [string, Subjects<{ Project: Project, Environment: Environment, User: User, ProjectMembers: ProjectMembers }>],
+  PrismaQuery
+>
+
+@Injectable()
+export class CaslAbilityFactory {
+  createForUser(user: any) {
+    const { can, build } = new AbilityBuilder<AppAbility>(
+      createPrismaAbility,
+    )
+
+    // If user is not authenticated or doesn't have an ID
+    if (!user || !user.sub) {
+      return build()
+    }
+
+    const userId = user.sub
+
+    // A user can read projects they are a member of (via ProjectMembers)
+    can('read', 'Project', {
+      members: {
+        some: {
+          userId,
+        },
+      },
+    })
+
+    // A project owner can manage everything
+    can('manage', 'Project', {
+      ownerId: userId,
+    })
+
+    // A user can update an environment if the project is not locked
+    // and they are a member of the project
+    can('update', 'Environment', {
+      project: {
+        is: {
+          locked: false,
+          members: {
+            some: {
+              userId,
+            },
+          },
+        },
+      },
+    })
+
+    return build()
+  }
+}

apps/server-nestjs/src/modules/iam/guards/policies.guard.ts

@@ -0,0 +1,37 @@
+import type { CanActivate, ExecutionContext } from '@nestjs/common'
+import { Inject, Injectable } from '@nestjs/common'
+import { Reflector } from '@nestjs/core'
+import { CaslAbilityFactory } from '../factories/casl-ability.factory'
+import type { AppAbility } from '../factories/casl-ability.factory'
+import type { PolicyHandler } from '../decorators/check-policies.decorator'
+import { CHECK_POLICIES_KEY } from '../decorators/check-policies.decorator'
+
+@Injectable()
+export class PoliciesGuard implements CanActivate {
+  constructor(
+    @Inject(Reflector) private reflector: Reflector,
+    @Inject(CaslAbilityFactory) private caslAbilityFactory: CaslAbilityFactory,
+  ) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const policyHandlers
+      = this.reflector.get<PolicyHandler[]>(
+        CHECK_POLICIES_KEY,
+        context.getHandler(),
+      ) || []
+
+    const { user } = context.switchToHttp().getRequest()
+    const ability = this.caslAbilityFactory.createForUser(user)
+
+    return policyHandlers.every(handler =>
+      this.execPolicyHandler(handler, ability),
+    )
+  }
+
+  private execPolicyHandler(handler: PolicyHandler, ability: AppAbility) {
+    if (typeof handler === 'function') {
+      return handler(ability)
+    }
+    return handler.handle(ability)
+  }
+}

apps/server-nestjs/src/modules/iam/iam.module.ts

@@ -0,0 +1,48 @@
+import { Module } from '@nestjs/common'
+import { APP_GUARD } from '@nestjs/core'
+import {
+  AuthGuard,
+  ResourceGuard,
+  KeycloakConnectModule,
+  PolicyEnforcementMode,
+  TokenValidation,
+} from 'nest-keycloak-connect'
+import { ConfigurationModule } from '../../cpin-module/infrastructure/configuration/configuration.module'
+import { ConfigurationService } from '../../cpin-module/infrastructure/configuration/configuration.service'
+import { PoliciesGuard } from './guards/policies.guard'
+import { CaslAbilityFactory } from './factories/casl-ability.factory'
+
+@Module({
+  imports: [
+    ConfigurationModule,
+    KeycloakConnectModule.registerAsync({
+      imports: [ConfigurationModule],
+      useFactory: (config: ConfigurationService) => ({
+        authServerUrl: `${config.keycloakProtocol}://${config.keycloakDomain}`,
+        realm: config.keycloakRealm!,
+        clientId: config.keycloakClientId!,
+        secret: config.keycloakClientSecret!,
+        policyEnforcement: PolicyEnforcementMode.PERMISSIVE,
+        tokenValidation: TokenValidation.ONLINE,
+      }),
+      inject: [ConfigurationService],
+    }),
+  ],
+  providers: [
+    CaslAbilityFactory,
+    {
+      provide: APP_GUARD,
+      useClass: AuthGuard,
+    },
+    {
+      provide: APP_GUARD,
+      useClass: ResourceGuard,
+    },
+    {
+      provide: APP_GUARD,
+      useClass: PoliciesGuard,
+    },
+  ],
+  exports: [CaslAbilityFactory],
+})
+export class IamModule {}