Support to get transitive groups for authorization (Azure#17162)

* Fix spring readme broken link; Support to get transitive groups for authorization, https://github.com/MicrosoftDocs/azure-dev-docs/issues/329

Author: M

sdk/spring/azure-spring-boot-starter-active-directory/README.md

@@ -34,6 +34,11 @@ The authorization flow is composed of 3 phrases:
 * Get On-Behalf-Of token and membership info from Azure AD Graph API
 * Evaluate the permission based on membership info to grant or deny access
 
+### Group membership
+The way to obtain group relationship that will determine which graph api will be used. You can change it using the `azure.activedirectory.user-group.group-relationship` configuration.
+* **direct**: the default value, get groups that the user is a direct member of. For details, see [list memberOf][graph-api-list-member-of] api.
+* **transitive**: Get groups that the user is a member of, and will also return all groups the user is a nested member of. For details, see [list transitive memberOf][graph-api-list-transitive-member-of] api.
+
 ### Authenticate in frontend
 Sends bearer authorization code to backend, in backend a Spring Security filter `AADAuthenticationFilter` validates the Jwt token from Azure AD and save authentication. The Jwt token is also used to acquire a On-Behalf-Of token for Azure AD Graph API so that authenticated user's membership information is available for authorization of access of API resources. 
 Below is a diagram that shows the layers and typical flow for Single Page Application with Spring Boot web API backend that uses the filter for Authentication and Authorization.
@@ -278,3 +283,6 @@ Please follow [instructions here](https://github.com/Azure/azure-sdk-for-java/bl
 [logging]: https://github.com/Azure/azure-sdk-for-java/wiki/Logging-with-Azure-SDK#use-logback-logging-framework-in-a-spring-boot-application
 [azure_subscription]: https://azure.microsoft.com/free
 [jdk_link]: https://docs.microsoft.com/java/azure/jdk/?view=azure-java-stable
+
+[graph-api-list-member-of]: https://docs.microsoft.com/graph/api/user-list-memberof?view=graph-rest-1.0
+[graph-api-list-transitive-member-of]: https://docs.microsoft.com/graph/api/user-list-transitivememberof?view=graph-rest-1.0

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAuthenticationProperties.java

@@ -30,6 +30,8 @@ public class AADAuthenticationProperties {
     private static final Logger LOGGER = LoggerFactory.getLogger(AADAuthenticationProperties.class);
     private static final String DEFAULT_SERVICE_ENVIRONMENT = "global";
     private static final long DEFAULT_JWK_SET_CACHE_LIFESPAN = TimeUnit.MINUTES.toMillis(5);
+    private static final String GROUP_RELATIONSHIP_DIRECT = "direct";
+    private static final String GROUP_RELATIONSHIP_TRANSITIVE = "transitive";
 
     /**
      * Default UserGroup configuration.
@@ -112,6 +114,7 @@ public class AADAuthenticationProperties {
     public List<String> getActiveDirectoryGroups() {
         return userGroup.getAllowedGroups();
     }
+
     /**
      * Properties dedicated to changing the behavior of how the groups are mapped from the Azure AD response. Depending
      * on the graph API used the object will not be the same.
@@ -144,6 +147,16 @@ public static class UserGroupProperties {
         @NotEmpty
         private String objectIDKey = "objectId";
 
+
+        /**
+         * The way to obtain group relationship.<br/>
+         * direct: the default value, get groups that the user is a direct member of;<br/>
+         * transitive: Get groups that the user is a member of, and will also return all
+         *  groups the user is a nested member of;
+         */
+        @NotEmpty
+        private String groupRelationship = GROUP_RELATIONSHIP_DIRECT;
+
         public List<String> getAllowedGroups() {
             return allowedGroups;
         }
@@ -176,13 +189,22 @@ public void setObjectIDKey(String objectIDKey) {
             this.objectIDKey = objectIDKey;
         }
 
+        public String getGroupRelationship() {
+            return groupRelationship;
+        }
+
+        public void setGroupRelationship(String groupRelationship) {
+            this.groupRelationship = groupRelationship;
+        }
+
         @Override
         public String toString() {
             return "UserGroupProperties{"
                 +  "allowedGroups=" + allowedGroups
                 +  ", key='" + key + '\''
                 +  ", value='" + value + '\''
                 +  ", objectIDKey='" + objectIDKey + '\''
+                +  ", groupRelationship='" + groupRelationship + '\''
                 +  '}';
         }
 
@@ -198,7 +220,8 @@ public boolean equals(Object o) {
             return Objects.equals(allowedGroups, that.allowedGroups)
                 && Objects.equals(key, that.key)
                 && Objects.equals(value, that.value)
-                && Objects.equals(objectIDKey, that.objectIDKey);
+                && Objects.equals(objectIDKey, that.objectIDKey)
+                && Objects.equals(groupRelationship, that.groupRelationship);
         }
 
         @Override
@@ -230,6 +253,11 @@ public void validateUserGroupProperties() {
             throw new IllegalArgumentException("One of the User Group Properties must be populated. "
                 + "Please populate azure.activedirectory.user-group.allowed-groups");
         }
+        if (!GROUP_RELATIONSHIP_DIRECT.equalsIgnoreCase(userGroup.groupRelationship)
+            && !GROUP_RELATIONSHIP_TRANSITIVE.equalsIgnoreCase(userGroup.groupRelationship)) {
+            throw new IllegalArgumentException("Configuration 'azure.activedirectory.user-group.group-relationship' "
+                + "should be 'direct' or 'transitive'.");
+        }
     }
 
     public UserGroupProperties getUserGroup() {
@@ -349,6 +377,14 @@ public void setSessionStateless(Boolean sessionStateless) {
         this.sessionStateless = sessionStateless;
     }
 
+    public static String getDirectGroupRelationship() {
+        return GROUP_RELATIONSHIP_DIRECT;
+    }
+
+    public static String getTransitiveGroupRelationship() {
+        return GROUP_RELATIONSHIP_TRANSITIVE;
+    }
+
     public boolean isAllowedGroup(String group) {
         return Optional.ofNullable(getUserGroup())
                        .map(UserGroupProperties::getAllowedGroups)

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AzureADGraphClient.java

@@ -119,7 +119,7 @@ private static String getResponseString(HttpURLConnection connection) throws IOE
     public Set<String> getGroups(String graphApiToken) throws IOException {
         final Set<String> groups = new LinkedHashSet<>();
         final ObjectMapper objectMapper = JacksonObjectMapperFactory.getInstance();
-        String aadMembershipRestUri = serviceEndpoints.getAadMembershipRestUri();
+        String aadMembershipRestUri = getAadMembershipRestUri();
         while (aadMembershipRestUri != null) {
             String membershipsJson = getUserMemberships(graphApiToken, aadMembershipRestUri);
             Memberships memberships = objectMapper.readValue(membershipsJson, Memberships.class);
@@ -136,6 +136,20 @@ public Set<String> getGroups(String graphApiToken) throws IOException {
         return groups;
     }
 
+    /**
+     * Get the rest url to get the groups that the user is a member of.
+     * @return rest url
+     */
+    private String getAadMembershipRestUri() {
+        if (AADAuthenticationProperties.getDirectGroupRelationship()
+                                       .equalsIgnoreCase(aadAuthenticationProperties
+                                           .getUserGroup().getGroupRelationship())) {
+            return serviceEndpoints.getAadMembershipRestUri();
+        } else {
+            return serviceEndpoints.getAadTransitiveMemberRestUri();
+        }
+    }
+
     private boolean isGroupObject(final Membership membership) {
         return membership.getObjectType().equals(aadAuthenticationProperties.getUserGroup().getValue());
     }

sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/ServiceEndpoints.java

@@ -12,6 +12,7 @@ public class ServiceEndpoints {
     private String aadGraphApiUri;
     private String aadKeyDiscoveryUri;
     private String aadMembershipRestUri;
+    private String aadTransitiveMemberRestUri;
 
     public String getAadSigninUri() {
         return aadSigninUri;
@@ -44,4 +45,12 @@ public String getAadMembershipRestUri() {
     public void setAadMembershipRestUri(String aadMembershipRestUri) {
         this.aadMembershipRestUri = aadMembershipRestUri;
     }
+
+    public String getAadTransitiveMemberRestUri() {
+        return aadTransitiveMemberRestUri;
+    }
+
+    public void setAadTransitiveMemberRestUri(String aadTransitiveMemberRestUri) {
+        this.aadTransitiveMemberRestUri = aadTransitiveMemberRestUri;
+    }
 }

sdk/spring/azure-spring-boot/src/main/resources/service-endpoints.properties

@@ -2,15 +2,23 @@ azure.service.endpoints.cn.aadSigninUri=https://login.partner.microsoftonline.cn
 azure.service.endpoints.cn.aadGraphApiUri=https://graph.chinacloudapi.cn/
 azure.service.endpoints.cn.aadKeyDiscoveryUri=https://login.partner.microsoftonline.cn/common/discovery/keys
 azure.service.endpoints.cn.aadMembershipRestUri=https://graph.chinacloudapi.cn/me/memberOf?api-version=1.6
+azure.service.endpoints.cn.aadTransitiveMemberRestUri=https://graph.chinacloudapi.cn\
+  /me/transitiveMemberOf?api-version=1.6
 azure.service.endpoints.cn-v2-graph.aadSigninUri=https://login.partner.microsoftonline.cn/
 azure.service.endpoints.cn-v2-graph.aadGraphApiUri=https://microsoftgraph.chinacloudapi.cn/
 azure.service.endpoints.cn-v2-graph.aadKeyDiscoveryUri=https://login.partner.microsoftonline.cn/common/discovery/keys
 azure.service.endpoints.cn-v2-graph.aadMembershipRestUri=https://microsoftgraph.chinacloudapi.cn/v1.0/me/memberOf
+azure.service.endpoints.cn-v2-graph.aadTransitiveMemberRestUri=https://microsoftgraph.chinacloudapi.cn\
+  /v1.0/me/transitiveMemberOf
 azure.service.endpoints.global.aadSigninUri=https://login.microsoftonline.com/
 azure.service.endpoints.global.aadGraphApiUri=https://graph.windows.net/
 azure.service.endpoints.global.aadKeyDiscoveryUri=https://login.microsoftonline.com/common/discovery/keys/
 azure.service.endpoints.global.aadMembershipRestUri=https://graph.windows.net/me/memberOf?api-version=1.6
+azure.service.endpoints.global.aadTransitiveMemberRestUri=https://graph.windows.net\
+  /me/transitiveMemberOf?api-version=1.6
 azure.service.endpoints.global-v2-graph.aadSigninUri=https://login.microsoftonline.com/
 azure.service.endpoints.global-v2-graph.aadGraphApiUri=https://graph.microsoft.com/
 azure.service.endpoints.global-v2-graph.aadKeyDiscoveryUri=https://login.microsoftonline.com/common/discovery/keys/
 azure.service.endpoints.global-v2-graph.aadMembershipRestUri=https://graph.microsoft.com/v1.0/me/memberOf
+azure.service.endpoints.global-v2-graph.aadTransitiveMemberRestUri=https://graph.microsoft.com\
+  /v1.0/me/transitiveMemberOf

sdk/spring/azure-spring-boot/src/test/java/com/azure/spring/autoconfigure/aad/UserPrincipalMicrosoftGraphTest.java

@@ -78,12 +78,16 @@ public void setup() {
         serviceEndpointsProperties = new ServiceEndpointsProperties();
         final ServiceEndpoints serviceEndpoints = new ServiceEndpoints();
         serviceEndpoints.setAadMembershipRestUri("http://localhost:9519/memberOf");
+        serviceEndpoints.setAadTransitiveMemberRestUri("http://localhost:9519/transitiveMemberOf");
         serviceEndpointsProperties.getEndpoints().put("global-v2-graph", serviceEndpoints);
     }
 
     @Test
     public void getAuthoritiesByUserGroups() throws Exception {
+        aadAuthenticationProperties.getUserGroup().setGroupRelationship("direct");
         aadAuthenticationProperties.getUserGroup().setAllowedGroups(Collections.singletonList("group1"));
+        serviceEndpointsProperties.getServiceEndpoints("global-v2-graph")
+                                  .setAadMembershipRestUri("http://localhost:9519/memberOf");
         this.graphClientMock = new AzureADGraphClient(aadAuthenticationProperties, serviceEndpointsProperties);
 
         stubFor(get(urlEqualTo("/memberOf"))
@@ -104,8 +108,11 @@ public void getAuthoritiesByUserGroups() throws Exception {
     }
 
     @Test
-    public void getGroups() throws Exception {
-        aadAuthenticationProperties.setActiveDirectoryGroups(Arrays.asList("group1", "group2", "group3"));
+    public void getDirectGroups() throws Exception {
+        aadAuthenticationProperties.getUserGroup().setGroupRelationship("direct");
+        AADAuthenticationProperties.UserGroupProperties userGroupProperties = aadAuthenticationProperties.getUserGroup();
+        userGroupProperties.setAllowedGroups(Arrays.asList("group1", "group2", "group3"));
+        aadAuthenticationProperties.setUserGroup(userGroupProperties);
         this.graphClientMock = new AzureADGraphClient(aadAuthenticationProperties, serviceEndpointsProperties);
 
         stubFor(get(urlEqualTo("/memberOf"))
@@ -128,6 +135,34 @@ public void getGroups() throws Exception {
             .withHeader(ACCEPT, equalTo(APPLICATION_JSON_VALUE)));
     }
 
+    @Test
+    public void getTransitiveGroups() throws Exception {
+        aadAuthenticationProperties.getUserGroup().setGroupRelationship("transitive");
+        AADAuthenticationProperties.UserGroupProperties userGroupProperties = aadAuthenticationProperties.getUserGroup();
+        userGroupProperties.setAllowedGroups(Arrays.asList("group1", "group2", "group3"));
+        aadAuthenticationProperties.setUserGroup(userGroupProperties);
+        this.graphClientMock = new AzureADGraphClient(aadAuthenticationProperties, serviceEndpointsProperties);
+
+        stubFor(get(urlEqualTo("/transitiveMemberOf"))
+            .withHeader(ACCEPT, equalTo(APPLICATION_JSON_VALUE))
+            .willReturn(aResponse()
+                .withStatus(200)
+                .withHeader(CONTENT_TYPE, APPLICATION_JSON_VALUE)
+                .withBody(userGroupsJson)));
+
+        final Collection<? extends GrantedAuthority> authorities = graphClientMock
+            .getGrantedAuthorities(MicrosoftGraphConstants.BEARER_TOKEN);
+
+        assertThat(authorities)
+            .isNotEmpty()
+            .extracting(GrantedAuthority::getAuthority)
+            .containsExactlyInAnyOrder("ROLE_group1", "ROLE_group2", "ROLE_group3");
+
+        verify(getRequestedFor(urlMatching("/transitiveMemberOf"))
+            .withHeader(AUTHORIZATION, equalTo(String.format("Bearer %s", accessToken)))
+            .withHeader(ACCEPT, equalTo(APPLICATION_JSON_VALUE)));
+    }
+
     @Test
     public void userPrincipalIsSerializable() throws ParseException, IOException, ClassNotFoundException {
         final File tmpOutputFile = File.createTempFile("test-user-principal", "txt");