From 028c3966b28ecf04121f5946aa69e493acd1e55e Mon Sep 17 00:00:00 2001
From: slisson
Date: Wed, 11 Dec 2024 10:57:33 +0100
Subject: [PATCH] chore(authorization): deduplicate constant strings
---
 .../modelix/authorization/AuthorizationPlugin.kt | 2 +-
 .../authorization/KeycloakTokenConstants.kt | 8 ++++++++
 .../org/modelix/authorization/KtorAuthUtils.kt | 4 ----
 .../org/modelix/authorization/ModelixJWTUtil.kt | 14 +++++++-------
 .../modelix/authorization/ModelixTokenConstants.kt | 5 +++++
 .../modelix/authorization/AccessControlDataTest.kt | 2 +-
 6 files changed, 22 insertions(+), 13 deletions(-)
 create mode 100644 authorization/src/main/kotlin/org/modelix/authorization/KeycloakTokenConstants.kt
 create mode 100644 authorization/src/main/kotlin/org/modelix/authorization/ModelixTokenConstants.kt
diff --git a/authorization/src/main/kotlin/org/modelix/authorization/AuthorizationPlugin.kt b/authorization/src/main/kotlin/org/modelix/authorization/AuthorizationPlugin.kt
index 8aa8c17dae..4409631eb9 100644
--- a/authorization/src/main/kotlin/org/modelix/authorization/AuthorizationPlugin.kt
+++ b/authorization/src/main/kotlin/org/modelix/authorization/AuthorizationPlugin.kt
@@ -66,7 +66,7 @@ object ModelixAuthorization : BaseRouteScopedPlugin?.readRolesArray(): List {
- return this?.get("roles") as? List ?: emptyList()
-}
-
 fun ApplicationCall.getBearerToken(): String? {
 val authHeader = request.parseAuthorizationHeader()
 if (authHeader == null || authHeader.authScheme != AuthScheme.Bearer) return null
diff --git a/authorization/src/main/kotlin/org/modelix/authorization/ModelixJWTUtil.kt b/authorization/src/main/kotlin/org/modelix/authorization/ModelixJWTUtil.kt
index bd24a65b15..5101f5e732 100644
--- a/authorization/src/main/kotlin/org/modelix/authorization/ModelixJWTUtil.kt
+++ b/authorization/src/main/kotlin/org/modelix/authorization/ModelixJWTUtil.kt
@@ -144,8 +144,8 @@ class ModelixJWTUtil {
 }
 val payload = JWTClaimsSet.Builder()
- .claim("preferred_username", user)
- .claim("permissions", grantedPermissions)
+ .claim(KeycloakTokenConstants.PREFERRED_USERNAME, user)
+ .claim(ModelixTokenConstants.PERMISSIONS, grantedPermissions)
 .expirationTime(Date(Instant.now().plus(12, ChronoUnit.HOURS).toEpochMilli()))
 .also { additionalTokenContent(TokenBuilder(it)) }
 .build()
@@ -171,7 +171,7 @@ class ModelixJWTUtil {
 }
 fun extractPermissions(token: DecodedJWT): List? {
- return token.claims["permissions"]?.asList(String::class.java)
+ return token.claims[ModelixTokenConstants.PERMISSIONS]?.asList(String::class.java)
 }
 fun loadGrantedPermissions(token: DecodedJWT, evaluator: PermissionEvaluator) {
@@ -197,14 +197,14 @@ class ModelixJWTUtil {
 }
 fun extractUserId(jwt: DecodedJWT): String? {
- return jwt.getClaim("email")?.asString()
- ?: jwt.getClaim("preferred_username")?.asString()
+ return jwt.getClaim(KeycloakTokenConstants.EMAIL)?.asString()
+ ?: jwt.getClaim(KeycloakTokenConstants.PREFERRED_USERNAME)?.asString()
 }
 fun extractUserRoles(jwt: DecodedJWT): List {
 val keycloakRoles = jwt
- .getClaim("realm_access")?.asMap()
- ?.get("roles")
+ .getClaim(KeycloakTokenConstants.REALM_ACCESS)?.asMap()
+ ?.get(KeycloakTokenConstants.REALM_ACCESS_ROLES)
 ?.let { it as? List<*> }
 ?.mapNotNull { it as? String }
 ?: emptyList()
diff --git a/authorization/src/main/kotlin/org/modelix/authorization/ModelixTokenConstants.kt b/authorization/src/main/kotlin/org/modelix/authorization/ModelixTokenConstants.kt
new file mode 100644
index 0000000000..ec8d34d47c
--- /dev/null
+++ b/authorization/src/main/kotlin/org/modelix/authorization/ModelixTokenConstants.kt
@@ -0,0 +1,5 @@
+package org.modelix.authorization
+
+object ModelixTokenConstants {
+ val PERMISSIONS = "permissions"
+}
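Review bot: `extractUserId` now reads the `email` claim and falls back to `preferred_username` through the new constants, but neither the rewritten lines nor the function carry a KDoc saying that this value is the key access-control grants are matched against (the test in AccessControlDataTest grants `withGrantToUser(email, …)`); a KDoc such as `Returns the identity that access-control grants are keyed on: the email claim, or preferred_username when no email is present; null if the token has neither.` would make that contract explicit. Both claims are profile attributes maintained by the identity provider rather than a stable subject id, so if the realm lets a user change them before they are verified, a grant keyed on one of them could follow the new value — worth confirming against the Keycloak realm settings, or keying grants on the `sub` claim instead. `extractUserRoles` continues past the end of the hunk, so only the `realm_access`/`roles` extraction is visible here.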
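Review bot: `PERMISSIONS` in the new ModelixTokenConstants object is a plain `val` although it holds a compile-time string literal; `const val PERMISSIONS = "permissions"` is the idiomatic declaration, gets inlined at the call sites in ModelixJWTUtil and is usable in annotations. The object has no KDoc either, and since the commit splits claim names between a Keycloak-owned and a Modelix-owned object, a header such as `Names of the custom claims that Modelix itself writes into the tokens it issues; Keycloak-defined claims live in KeycloakTokenConstants.` plus `Claim holding the list of permission ids granted to the token's subject (written by the JWTClaimsSet builder in ModelixJWTUtil, read by extractPermissions).` on the constant would record which side owns each claim.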
diff --git a/authorization/src/test/kotlin/org/modelix/authorization/AccessControlDataTest.kt b/authorization/src/test/kotlin/org/modelix/authorization/AccessControlDataTest.kt
index 205a915835..0590369805 100644
--- a/authorization/src/test/kotlin/org/modelix/authorization/AccessControlDataTest.kt
+++ b/authorization/src/test/kotlin/org/modelix/authorization/AccessControlDataTest.kt
@@ -26,7 +26,7 @@ class AccessControlDataTest {
 @Test
 fun `can grant permissions to identity tokens`() {
 val token = JWT.create()
- .withClaim("email", email)
+ .withClaim(KeycloakTokenConstants.EMAIL, email)
 .sign(Algorithm.HMAC256("unit-tests"))
 .let { JWT.decode(it) }
 val data = AccessControlData().withGrantToUser(email, PermissionParts("r1", "write").fullId)