Adapt CsmRbac mecanism and CsmPlatformProperties to accept identifier other than mail

src/main/kotlin/com/cosmotech/api/config/CsmPlatformProperties.kt

@@ -98,6 +98,9 @@ data class CsmPlatformProperties(
       /** The JWT Claim where the roles information is stored */
       val rolesJwtClaim: String = "roles",
 
+      /** The JWT Claim used to define application id in ACL */
+      val applicationIdJwtClaim: String = "oid",
+
       /**
        * List of additional tenants allowed to register, besides the configured
        * `csm.platform.azure.credentials.tenantId`

src/main/kotlin/com/cosmotech/api/metrics/MonitorServiceAspect.kt

@@ -2,6 +2,7 @@
 // Licensed under the MIT license.
 package com.cosmotech.api.metrics
 
+import com.cosmotech.api.config.CsmPlatformProperties
 import com.cosmotech.api.events.CsmEventPublisher
 import com.cosmotech.api.events.PersistentMetricEvent
 import com.cosmotech.api.utils.getCurrentAuthenticatedIssuer
@@ -25,6 +26,7 @@ private const val SERVICE_NAME = "API"
 class MonitorServiceAspect(
     private var meterRegistry: MeterRegistry,
     private val eventPublisher: CsmEventPublisher,
+    private val csmPlatformProperties: CsmPlatformProperties
 ) {
   private val logger: Logger = LoggerFactory.getLogger(this::class.java)
 
@@ -55,10 +57,10 @@ class MonitorServiceAspect(
           Tag.of(parameterNames[idx], args[idx] as String)
         }
     val name = signature.name
-    val user = getCurrentAuthenticatedUserName()
+    val user = getCurrentAuthenticatedUserName(csmPlatformProperties)
     var issuer = getCurrentAuthenticatedIssuer()
     Counter.builder("cosmotech.$name")
-        .description("$name")
+        .description(name)
         .tag("method", name)
         .tag("user", user)
         .tag("issuer", issuer)

src/main/kotlin/com/cosmotech/api/rbac/CsmRbac.kt

@@ -8,7 +8,7 @@ import com.cosmotech.api.exceptions.CsmClientException
 import com.cosmotech.api.exceptions.CsmResourceNotFoundException
 import com.cosmotech.api.rbac.model.RbacAccessControl
 import com.cosmotech.api.rbac.model.RbacSecurity
-import com.cosmotech.api.utils.getCurrentAuthenticatedMail
+import com.cosmotech.api.utils.getCurrentAccountIdentifier
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import org.springframework.stereotype.Component
@@ -44,7 +44,7 @@ open class CsmRbac(
     }
     var userIsAdminOrHasPermission = this.isAdmin(rbacSecurity, rolesDefinition)
     if (!userIsAdminOrHasPermission) {
-      val user = getCurrentAuthenticatedMail(this.csmPlatformProperties)
+      val user = getCurrentAccountIdentifier(this.csmPlatformProperties)
       userIsAdminOrHasPermission = this.verifyRbac(rbacSecurity, permission, rolesDefinition, user)
     }
     return userIsAdminOrHasPermission
@@ -145,7 +145,7 @@ open class CsmRbac(
   fun isAdmin(rbacSecurity: RbacSecurity, rolesDefinition: RolesDefinition): Boolean {
     var isAdmin = this.isAdminToken(rbacSecurity)
     if (!isAdmin) {
-      val user = getCurrentAuthenticatedMail(this.csmPlatformProperties)
+      val user = getCurrentAccountIdentifier(this.csmPlatformProperties)
       isAdmin = this.verifyAdminRole(rbacSecurity, user, rolesDefinition)
     }
     return isAdmin
@@ -214,8 +214,9 @@ open class CsmRbac(
     return rolesDefinition[role] ?: listOf()
   }
 
-  internal fun getUserRole(rbacSecurity: RbacSecurity, user: String): String? {
+  internal fun getUserRole(rbacSecurity: RbacSecurity, user: String): String {
     return rbacSecurity.accessControlList.firstOrNull { it.id == user }?.role
+        ?: rbacSecurity.default
   }
 
   internal fun getAdminCount(rbacSecurity: RbacSecurity, rolesDefinition: RolesDefinition): Int {

src/main/kotlin/com/cosmotech/api/utils/SecurityUtils.kt

@@ -13,24 +13,29 @@ import org.springframework.security.oauth2.server.resource.authentication.JwtAut
 
 fun getCurrentAuthentication(): Authentication? = SecurityContextHolder.getContext().authentication
 
-fun getCurrentUserName(): String? = getCurrentAuthentication()?.name
-
-fun getCurrentAuthenticatedUserName() =
-    getCurrentUserName()
-        ?: throw IllegalStateException("User Authentication not found in Security Context")
+fun getCurrentAuthenticatedUserName(configuration: CsmPlatformProperties): String {
+  return getValueFromAuthenticatedToken {
+    val jwtClaimsSet = JWTParser.parse(it).jwtClaimsSet
+    jwtClaimsSet.getStringClaim("name")
+        ?: jwtClaimsSet.getStringClaim(configuration.authorization.applicationIdJwtClaim)
+            ?: throw IllegalStateException("User Authentication not found in Security Context")
+  }
+}
 
 fun getCurrentAuthenticatedIssuer(): String {
-  return getValueFromAuthenticatedToken() { JWTParser.parse(it).jwtClaimsSet.issuer }
+  return getValueFromAuthenticatedToken { JWTParser.parse(it).jwtClaimsSet.issuer }
 }
 
-fun getCurrentAuthenticatedMail(configuration: CsmPlatformProperties): String {
-  return getValueFromAuthenticatedToken() {
-    JWTParser.parse(it).jwtClaimsSet.getStringClaim(configuration.authorization.mailJwtClaim)
+fun getCurrentAccountIdentifier(configuration: CsmPlatformProperties): String {
+  return getValueFromAuthenticatedToken {
+    val jwtClaimsSet = JWTParser.parse(it).jwtClaimsSet
+    jwtClaimsSet.getStringClaim(configuration.authorization.mailJwtClaim)
+        ?: jwtClaimsSet.getStringClaim(configuration.authorization.applicationIdJwtClaim)
   }
 }
 
 fun getCurrentAuthenticatedRoles(configuration: CsmPlatformProperties): List<String> {
-  return getValueFromAuthenticatedToken() {
+  return getValueFromAuthenticatedToken {
     JWTParser.parse(it).jwtClaimsSet.getStringListClaim(configuration.authorization.rolesJwtClaim)
   }
 }