Closes #793 Allow API access to Elide for services without user authe…

…ntication

src/inttest/java/com/faforever/api/AbstractIntegrationTest.java

@@ -106,7 +106,11 @@ protected RequestPostProcessor getOAuthTokenWithActiveUser(String scope, String
   }
 
   protected RequestPostProcessor getOAuthTokenWithActiveUser(Set<String> scopes, Set<String> authorities) {
-    return oAuthHelper.addBearerToken(5, scopes, authorities);
+    return oAuthHelper.addActiveUserBearerToken(5, scopes, authorities);
+  }
+
+  protected RequestPostProcessor getOAuthTokenWithService(Set<String> scopes) {
+    return oAuthHelper.addServiceBearerToken("faf-service", scopes);
   }
 
   protected RequestPostProcessor getOAuthTokenForUserId(int userId, String... scopes) {

src/inttest/java/com/faforever/api/user/MeControllerTest.java

@@ -36,4 +36,11 @@ public void withActiveUserGetResult() throws Exception {
           ROLE_USER, FafRole.ROLE_PREFIX + ROLE_USER
           )));
   }
+
+  @Test
+  public void withServiceTokenUnauthorized() throws Exception {
+    mockMvc.perform(get("/me")
+        .with(getOAuthTokenWithService(Set.of())))
+      .andExpect(status().isForbidden());
+  }
 }

src/inttest/java/com/faforever/api/utils/OAuthHelper.java

@@ -4,6 +4,7 @@
 import com.faforever.api.player.PlayerRepository;
 import com.faforever.api.security.FafRole;
 import com.faforever.api.security.FafScope;
+import com.faforever.api.security.FafServiceAuthenticationToken;
 import com.faforever.api.security.FafUserAuthenticationToken;
 import org.jetbrains.annotations.NotNull;
 import org.springframework.stereotype.Component;
@@ -35,7 +36,7 @@ public RequestPostProcessor addBearerTokenForUser(int userId, @NotNull Set<Strin
     return authentication(new FafUserAuthenticationToken(userId, user.getLogin(), fafScopes, roles));
   }
 
-  public RequestPostProcessor addBearerToken(
+  public RequestPostProcessor addActiveUserBearerToken(
     Integer userId,
     @NotNull Set<String> scopes,
     @NotNull Set<String> roles
@@ -45,4 +46,13 @@ public RequestPostProcessor addBearerToken(
 
     return authentication(new FafUserAuthenticationToken(userId, "[undefined]", fafScopes, fafRoles));
   }
+
+  public RequestPostProcessor addServiceBearerToken(
+    String serviceName,
+    @NotNull Set<String> scopes
+  ) {
+    var fafScopes = scopes.stream().map(FafScope::new).toList();
+
+    return authentication(new FafServiceAuthenticationToken(serviceName, fafScopes));
+  }
 }

src/test/java/com/faforever/api/security/FafAuthenticationConverterTest.java

@@ -0,0 +1,55 @@
+package com.faforever.api.security;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.security.authentication.AbstractAuthenticationToken;
+import org.springframework.security.oauth2.jwt.Jwt;
+
+import java.util.List;
+import java.util.Map;
+
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+class FafAuthenticationConverterTest {
+  @Test
+  void jwtWithUsernameShouldBeConvertedToUserToken() {
+    Jwt jwt = new Jwt(
+      "abc",
+      null,
+      null,
+      Map.of(
+        "alg", "RS256",
+        "kid", "public:hydra.jwt.access-token",
+        "typ", "JWT"
+      ),
+      Map.of(
+        "sub", "123",
+        "scp", List.of(),
+        "ext", Map.of(
+          "username", "fafuser"
+        )
+      )
+    );
+    AbstractAuthenticationToken converted = new FafAuthenticationConverter().convert(jwt);
+    assertTrue(converted instanceof FafUserAuthenticationToken);
+  }
+  @Test
+  void jwtWithoutUsernameShouldBeConvertedToServiceToken() {
+    Jwt jwt = new Jwt(
+      "abc",
+      null,
+      null,
+      Map.of(
+        "alg", "RS256",
+        "kid", "public:hydra.jwt.access-token",
+        "typ", "JWT"
+      ),
+      Map.of(
+        "sub", "service",
+        "scp", List.of(),
+        "ext", Map.of()
+      )
+    );
+    AbstractAuthenticationToken converted = new FafAuthenticationConverter().convert(jwt);
+    assertTrue(converted instanceof FafServiceAuthenticationToken);
+  }
+}