sync permissions from M2M

Author: marcelomonteironosi

.igrpstudio/shared/dto/PermissionDTO.json

@@ -61,7 +61,7 @@
       "name": "departmentCode",
       "objectType": "java",
       "type": "string",
-      "required": true,
+      "required": false,
       "before": false,
       "after": false,
       "positive": false,

src/main/java/cv/igrp/platform/access_management/m2m/domain/service/PermissionSyncService.java

@@ -5,7 +5,10 @@
 import cv.igrp.platform.access_management.shared.application.dto.PermissionDTO;
 import cv.igrp.platform.access_management.shared.domain.exceptions.IgrpResponseStatusException;
 import cv.igrp.platform.access_management.shared.infrastructure.persistence.entity.PermissionEntity;
+import cv.igrp.platform.access_management.shared.infrastructure.persistence.entity.ResourceEntity;
 import cv.igrp.platform.access_management.shared.infrastructure.persistence.repository.PermissionEntityRepository;
+import cv.igrp.platform.access_management.shared.infrastructure.persistence.repository.ResourceEntityRepository;
+import cv.igrp.platform.access_management.shared.security.AuthenticationHelper;
 import org.apache.commons.codec.digest.DigestUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -26,11 +29,15 @@ public class PermissionSyncService {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(PermissionSyncService.class);
 
+    private final AuthenticationHelper authenticationHelper;
     private final PermissionEntityRepository permissionRepository;
+    private final ResourceEntityRepository resourceEntityRepository;
     private final ObjectMapper objectMapper;
 
-    public PermissionSyncService(PermissionEntityRepository permissionRepository, ObjectMapper objectMapper) {
+    public PermissionSyncService(PermissionEntityRepository permissionRepository, ResourceEntityRepository resourceEntityRepository, ObjectMapper objectMapper, AuthenticationHelper authenticationHelper) {
+        this.authenticationHelper = authenticationHelper;
         this.permissionRepository = permissionRepository;
+        this.resourceEntityRepository = resourceEntityRepository;
         this.objectMapper = objectMapper;
     }
 
@@ -68,8 +75,15 @@ public void synchronizePermissions(List<PermissionDTO> permissions) {
             );
         }
 
-        // Get all existing permissions
-        List<PermissionEntity> existingPermissions = permissionRepository.findAll();
+        // Get all existing permissions for the current resource
+        ResourceEntity resource = resourceEntityRepository.findByNameAndStatusNot(authenticationHelper.getPreferredUsername(), Status.DELETED)
+                .orElseThrow(() -> IgrpResponseStatusException.notFound("Resource not found", "Resource with name: " + authenticationHelper.getPreferredUsername() + " not found."));
+
+        Set<ResourceEntity> resourceEntities = new HashSet<>();
+        resourceEntities.add(resource);
+
+        List<PermissionEntity> existingPermissions = permissionRepository.findAllByResourcesAndStatusNot(resourceEntities, Status.DELETED);
+
         Map<String, PermissionEntity> existingByName = existingPermissions.stream()
                 .collect(Collectors.toMap(
                         p -> p.getName().toLowerCase(Locale.ROOT),
@@ -91,7 +105,9 @@ public void synchronizePermissions(List<PermissionDTO> permissions) {
                 newPerm.setName(dto.getName());
                 newPerm.setDescription(dto.getDescription());
                 newPerm.setStatus(dto.getStatus() != null ? dto.getStatus() : Status.ACTIVE);
-                permissionRepository.save(newPerm);
+                PermissionEntity savedPerm = permissionRepository.save(newPerm);
+                resource.getPermissions().add(savedPerm);
+                resourceEntityRepository.save(resource);
                 LOGGER.info("[PermissionSync] Created new permission '{}'", dto.getName());
             } else {
                 // Check for difference using structural hash
@@ -116,7 +132,8 @@ public void synchronizePermissions(List<PermissionDTO> permissions) {
 
         if (!toDelete.isEmpty()) {
             for (PermissionEntity perm : toDelete) {
-                permissionRepository.delete(perm);
+                perm.setStatus(Status.DELETED);
+                permissionRepository.save(perm);
                 LOGGER.info("[PermissionSync] Deleted permission '{}'", perm.getName());
             }
         }

src/main/java/cv/igrp/platform/access_management/permission/application/commands/CreatePermissionCommandHandler.java

@@ -83,13 +83,18 @@ public CreatePermissionCommandHandler(PermissionEntityRepository repository, Dep
    @Transactional
    public ResponseEntity<PermissionDTO> handle(CreatePermissionCommand command) {
       PermissionDTO request = command.getPermissiondto();
-      DepartmentEntity foundDepartment = departmentRepository.findByCodeAndStatusNot(command.getPermissiondto().getDepartmentCode(), DepartmentStatus.DELETED)
-              .orElseThrow(() -> {
-                 log.warn("Department with code {} not found.", command.getPermissiondto().getDepartmentCode());
-                 return IgrpResponseStatusException.of(
-                         HttpStatus.NOT_FOUND, "Create Permission", "Department with code: " + command.getPermissiondto().getDepartmentCode() + " not found."
-                 );
-              });
+      DepartmentEntity foundDepartment = null;
+
+      if(command.getPermissiondto().getDepartmentCode() != null && !command.getPermissiondto().getDepartmentCode().isEmpty()) {
+         log.info("Finding Department with code: {}", command.getPermissiondto().getDepartmentCode());
+         foundDepartment = departmentRepository.findByCodeAndStatusNot(command.getPermissiondto().getDepartmentCode(), DepartmentStatus.DELETED)
+                 .orElseThrow(() -> {
+                    log.warn("Department with code {} not found.", command.getPermissiondto().getDepartmentCode());
+                    return IgrpResponseStatusException.of(
+                            HttpStatus.NOT_FOUND, "Create Permission", "Department with code: " + command.getPermissiondto().getDepartmentCode() + " not found."
+                    );
+                 });
+      }
 
       command.getPermissiondto().setName(command.getPermissiondto().getName());
 

src/main/java/cv/igrp/platform/access_management/shared/application/dto/PermissionDTO.java

@@ -22,8 +22,8 @@ public class PermissionDTO  {
 
 
   private Integer id ;
-  @NotBlank(message = "The field <name> is required")
-	@Size(max = 60, message = "The field length <name> cannot be more than 60 characters")
+  @NotBlank(message = "The field <name> is required")
+	@Size(max = 60, message = "The field length <name> cannot be more than 60 characters")
 	@Pattern(message = "Invalid value format for field <name>.", regexp = "^[A-Za-z0-9_-]+$")
 
   private String name ;
@@ -33,7 +33,7 @@ public class PermissionDTO  {
 
 
   private Status status ;
-  @NotBlank(message = "The field <departmentCode> is required")
+  
 
   private String departmentCode ;
 

src/main/java/cv/igrp/platform/access_management/shared/infrastructure/persistence/repository/PermissionEntityRepository.java

@@ -3,6 +3,7 @@
 import cv.igrp.platform.access_management.shared.application.constants.Status;
 import cv.igrp.platform.access_management.shared.infrastructure.persistence.entity.MenuEntryEntity;
 import cv.igrp.platform.access_management.shared.infrastructure.persistence.entity.PermissionEntity;
+import cv.igrp.platform.access_management.shared.infrastructure.persistence.entity.ResourceEntity;
 import org.springframework.data.jpa.repository.Query;
 import org.springframework.data.repository.query.Param;
 import org.springframework.stereotype.Repository;
@@ -11,6 +12,7 @@
 
 import java.util.List;
 import java.util.Optional;
+import java.util.Set;
 
 import org.springframework.data.repository.history.RevisionRepository;
 
@@ -82,5 +84,6 @@ AND p.id NOT IN (
             """)
     List<PermissionEntity> findAvailablePermissionsForRole(@Param("name") String name);
 
+    List<PermissionEntity> findAllByResourcesAndStatusNot(Set<ResourceEntity> resources, Status status);
 
 }

src/main/java/cv/igrp/platform/access_management/shared/security/AuthenticationHelper.java

@@ -2,6 +2,7 @@
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.stereotype.Component;
 
@@ -13,17 +14,33 @@
 public class AuthenticationHelper {
 
     /**
-     * Retrieves the preferred username from the JWT token in the security context.
+     * Retrieves the username from the current SecurityContext.
+     * <p>
+     * Supports both JWT-based authentication (standard OAuth2 users)
+     * and machine-to-machine (M2M) authentication
      *
-     * @return preferred username
-     * @throws IllegalStateException if the JWT token is not found in the security context
+     * @return the username or client ID depending on the authentication type
+     * @throws IllegalStateException if no authentication is found
      */
     public String getPreferredUsername() {
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-        if (authentication != null && authentication.getPrincipal() instanceof Jwt jwt) {
+
+        if (authentication == null) {
+            throw new IllegalStateException("No authentication found in security context");
+        }
+
+        // Case 1: JWT (OAuth2 user)
+        if (authentication.getPrincipal() instanceof Jwt jwt) {
             return jwt.getClaimAsString("preferred_username");
         }
-        throw new IllegalStateException("JWT token not found in security context");
+
+        // Case 2: M2M authentication (UsernamePasswordAuthenticationToken)
+        if (authentication.getPrincipal() instanceof User user) {
+            return user.getUsername();
+        }
+
+        // Case 3: Fallback (any other type)
+        return authentication.getName();
     }
 
     /**

src/main/java/cv/igrp/platform/access_management/shared/security/BasicAuthSecurityConfiguration.java

@@ -1,14 +1,32 @@
 package cv.igrp.platform.access_management.shared.security;
 
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.userdetails.User;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
 import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import java.io.IOException;
+import java.util.Collections;
 
 import static org.springframework.security.config.Customizer.withDefaults;
 
@@ -17,14 +35,83 @@
 @Profile("basic-auth") // Only active if 'basic-auth' profile is enabled
 public class BasicAuthSecurityConfiguration {
 
+    private static final Logger log = LoggerFactory.getLogger(BasicAuthSecurityConfiguration.class);
+
+    @Value("${igrp.access.m2m.sync-token:}")
+    private String machineAuthToken;
+
+    /**
+     * Filter that authenticates M2M requests using a static token header.
+     */
+    private class MachineAuthFilter extends OncePerRequestFilter {
+        @Override
+        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+                throws ServletException, IOException {
+
+            if (!request.getRequestURI().startsWith("/api/m2m/")) {
+                filterChain.doFilter(request, response);
+                return;
+            }
+
+            String client = request.getHeader("X-Machine-Service-ID");
+            String header = request.getHeader("X-Machine-Auth-Token");
+
+            if (header == null || !header.equals(machineAuthToken)) {
+                log.warn("[M2M] Unauthorized access: missing or invalid authentication");
+                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+                response.getWriter().write("Unauthorized: Invalid or missing machine-to-machine authentication token.");
+                return;
+            }
+
+            var authority = new SimpleGrantedAuthority("ROLE_M2M");
+            var principal = new User(
+                    (client != null && !client.isBlank()) ? client : "m2m-client",
+                    "N/A",
+                    Collections.singletonList(authority)
+            );
+            var authentication = new UsernamePasswordAuthenticationToken(principal, null, principal.getAuthorities());
+
+            var context = SecurityContextHolder.createEmptyContext();
+            context.setAuthentication(authentication);
+            SecurityContextHolder.setContext(context);
+
+            // Persist the context
+            new RequestAttributeSecurityContextRepository().saveContext(context, request, response);
+
+            log.info("[M2M] Authenticated machine client: {}", principal.getUsername());
+
+            filterChain.doFilter(request, response);
+        }
+    }
+
+    // --- Security chain 1: machine-to-machine endpoints ---
+    @Bean
+    @Order(1)
+    public SecurityFilterChain m2mSecurityFilterChain(HttpSecurity http) throws Exception {
+        var securityContextRepository = new RequestAttributeSecurityContextRepository();
+
+        http.securityMatcher("/api/m2m/**")
+                .csrf(AbstractHttpConfigurer::disable)
+                .securityContext(ctx -> ctx
+                        .securityContextRepository(securityContextRepository)
+                )
+                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
+                .addFilterBefore(new BasicAuthSecurityConfiguration.MachineAuthFilter(), UsernamePasswordAuthenticationFilter.class);
+
+        return http.build();
+    }
+
+    // --- Security chain 2: Basic Auth for other endpoints ---
     @Bean
+    @Order(2)
     public SecurityFilterChain basicAuthFilterChain(HttpSecurity http) throws Exception {
 
         http.csrf(AbstractHttpConfigurer::disable);
 
         http.authorizeHttpRequests(auth -> auth
                         .requestMatchers("/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html",
-                                "/swagger-resources/**", "/webjars/**", "/actuator/**").permitAll()
+                                "/swagger-resources/**", "/webjars/**", "/actuator/**", "/api/m2m/**").permitAll()
                         .anyRequest().authenticated()
                 )
                 .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))