SSO: Use client specific user roles (#515)

* SSO: Use client specific user roles

* Reorder arguments to oauth authenticator

* Update oauth authenticator unit tests

* Update php-cs-fixer conf

Do not check for comma after last method/function argument

.php-cs-fixer.dist

@@ -23,7 +23,8 @@ return $config
             ],
         ],
         'single_line_throw' => false,
-        'global_namespace_import' => true
+        'global_namespace_import' => true,
+        'trailing_comma_in_multiline' => false
     ])
     ->setUsingCache(false)
     ->setFinder($finder);

config/services.yaml

@@ -283,6 +283,11 @@ services:
       $logoutUrl: '%app.idp.endpoint.logout%'
       $baseUri: '%app.base_url%'
 
+  mealz.oauthuserprovider: '@App\Mealz\UserBundle\Provider\OAuthUserProvider'
+  App\Mealz\UserBundle\Provider\OAuthUserProvider:
+    arguments:
+      $authClientID: '%app.idp.client_id%'
+
   App\Mealz\UserBundle\Repository\ProfileRepository:
     arguments:
       $entityClass: App\Mealz\UserBundle\Entity\Profile

src/Mealz/UserBundle/Provider/OAuthUserProvider.php

@@ -38,13 +38,11 @@ class OAuthUserProvider implements UserProviderInterface, OAuthAwareUserProvider
         'aoe_employee' => self::ROLE_USER,
     ];
 
-    private EntityManagerInterface $entityManager;
-    private RoleRepositoryInterface $roleRepo;
-
-    public function __construct(EntityManagerInterface $entityManager, RoleRepositoryInterface $roleRepo)
-    {
-        $this->entityManager = $entityManager;
-        $this->roleRepo = $roleRepo;
+    public function __construct(
+        private readonly EntityManagerInterface $entityManager,
+        private readonly RoleRepositoryInterface $roleRepo,
+        private readonly string $authClientID
+    ) {
     }
 
     public function loadUserByIdentifier(string $identifier): UserInterface
@@ -69,8 +67,10 @@ public function loadUserByOAuthUserResponse(UserResponseInterface $response): Us
         $lastName = $response->getLastName() ?? '';
         $email = $response->getEmail();
 
-        $idpUserRoles = $response->getData()['roles'] ?? [];
-        $role = $this->toMealsRole($idpUserRoles);
+        $data = $response->getData();
+        $globalUserRoles = $data['roles'] ?? [];
+        $appUserRoles = $data['resource_access'][$this->authClientID]['roles'] ?? [];
+        $role = $this->toMealsRole(array_merge($globalUserRoles, $appUserRoles));
         $roles = (null === $role) ? [] : [$role];
 
         try {

src/Mealz/UserBundle/Resources/config/services.yml

@@ -1,4 +1,2 @@
 services:
-    mealz.oauthuserprovider:
-        alias: App\Mealz\UserBundle\Provider\OAuthUserProvider
-
+  # Deprecated, do not define any services here. Use services.yaml in root level config directory instead.

src/Mealz/UserBundle/Tests/Service/OAuthProviderTest.php

@@ -20,6 +20,8 @@ class OAuthProviderTest extends AbstractControllerTestCase
 {
     use ProphecyTrait;
 
+    private const string AUTH_CLIENT_ID = 'meals-app';
+
     private OAuthUserProvider $sut;
 
     protected function setUp(): void
@@ -34,7 +36,8 @@ protected function setUp(): void
 
         $this->sut = new OAuthUserProvider(
             $em,
-            self::getContainer()->get(RoleRepositoryInterface::class)
+            self::getContainer()->get(RoleRepositoryInterface::class),
+            self::AUTH_CLIENT_ID
         );
     }
 
@@ -136,7 +139,11 @@ private function getMockedUserResponse(
             'family_name' => $lastName,
             'given_name' => $firstName,
             'email' => $email,
-            'roles' => $roles,
+            'resource_access' => [
+                self::AUTH_CLIENT_ID => [
+                    'roles' => $roles,
+                ],
+            ],
         ];
         $responseProphet = $this->prophesize(UserResponseInterface::class);
         $responseProphet->getData()->shouldBeCalledOnce()->willReturn($userData);