fix(claims): add identityType and CompanyId claim (#364)

* fix regression leading to 403 forbidden
Refs: CPLP-3102

src/framework/Framework.ProcessIdentity/DependencyInjection/ProcessIdentityServiceCollectionExtensions.cs

@@ -28,6 +28,16 @@ namespace Org.Eclipse.TractusX.Portal.Backend.Framework.ProcessIdentity.Dependen
 public static class ProcessIdentityServiceCollectionExtensions
 {
     public static IServiceCollection AddConfigurationIdentityIdDetermination(this IServiceCollection services, IConfigurationSection section)
+    {
+        services.AddOptions<ProcessIdentitySettings>()
+            .Bind(section)
+            .ValidateOnStart();
+
+        return services
+            .AddTransient<IIdentityIdDetermination, ConfigurationIdentityIdDetermination>();
+    }
+
+    public static IServiceCollection AddConfigurationIdentityService(this IServiceCollection services, IConfigurationSection section)
     {
         services.AddOptions<ProcessIdentitySettings>()
             .Bind(section)

src/keycloak/Keycloak.Authentication/KeycloakClaimsTransformation.cs

@@ -89,23 +89,27 @@ private async ValueTask<bool> AddIdentity(ClaimsPrincipal principal, ClaimsIdent
         {
             var preferredUserName = principal.Claims.SingleOrDefault(x => x.Type == PortalClaimTypes.PreferredUserName)?.Value;
 
-            if (!string.IsNullOrWhiteSpace(preferredUserName) && Guid.TryParse(preferredUserName, out var identityId))
+            IdentityData? identityData;
+            if (!string.IsNullOrWhiteSpace(preferredUserName) && Guid.TryParse(preferredUserName, out var identityId) && (identityData = await _userRepository.GetActiveUserDataByIdentityId(identityId).ConfigureAwait(false)) != null)
             {
-                claimsIdentity.AddClaim(new Claim(PortalClaimTypes.IdentityId, identityId.ToString()));
+                claimsIdentity.AddClaim(new Claim(PortalClaimTypes.IdentityId, identityData.UserId.ToString()));
+                claimsIdentity.AddClaim(new Claim(PortalClaimTypes.IdentityType, identityData.IdentityType.ToString()));
+                claimsIdentity.AddClaim(new Claim(PortalClaimTypes.CompanyId, identityData.CompanyId.ToString()));
                 return true;
             }
 
             var sub = principal.Claims.SingleOrDefault(x => x.Type == PortalClaimTypes.Sub)?.Value;
             _logger.LogInformation("Preferred user name {PreferredUserName} couldn't be parsed to uuid for userEntityId {Sub}", preferredUserName, sub);
 
-            IdentityData? identityData;
             if (string.IsNullOrWhiteSpace(sub) || (identityData = await _userRepository.GetActiveUserDataByUserEntityId(sub).ConfigureAwait(false)) == null)
             {
                 _logger.LogWarning("No identity found for userEntityId {Sub}", sub);
                 return false;
             }
 
             claimsIdentity.AddClaim(new Claim(PortalClaimTypes.IdentityId, identityData.UserId.ToString()));
+            claimsIdentity.AddClaim(new Claim(PortalClaimTypes.IdentityType, identityData.IdentityType.ToString()));
+            claimsIdentity.AddClaim(new Claim(PortalClaimTypes.CompanyId, identityData.CompanyId.ToString()));
             return true;
         }
     }

src/portalbackend/PortalBackend.DBAccess/Repositories/IUserRepository.cs

@@ -122,6 +122,7 @@ public interface IUserRepository
     Task<string?> GetCompanyBpnForIamUserAsync(Guid companyUserId);
 
     Task<IdentityData?> GetActiveUserDataByUserEntityId(string userEntityId);
+    Task<IdentityData?> GetActiveUserDataByIdentityId(Guid identityId);
     Identity AttachAndModifyIdentity(Guid identityId, Action<Identity>? initialize, Action<Identity> modify);
     CompanyUserAssignedIdentityProvider AddCompanyUserAssignedIdentityProvider(Guid companyUserId, Guid identityProviderId, string providerId, string userName);
     IAsyncEnumerable<CompanyUserIdentityProviderProcessData> GetUserAssignedIdentityProviderForNetworkRegistration(Guid networkRegistrationId);

src/portalbackend/PortalBackend.DBAccess/Repositories/UserRepository.cs

@@ -436,6 +436,13 @@ public IAsyncEnumerable<CompanyUserAccountData> GetCompanyUserAccountDataUntrack
             .Select(x => new IdentityData(x.UserEntityId!, x.Id, x.IdentityTypeId, x.CompanyId))
             .SingleOrDefaultAsync();
 
+    /// <inheritdoc />
+    public Task<IdentityData?> GetActiveUserDataByIdentityId(Guid identityId) =>
+        _dbContext.Identities
+            .Where(x => x.Id == identityId && x.UserStatusId == UserStatusId.ACTIVE)
+            .Select(x => new IdentityData(x.UserEntityId!, x.Id, x.IdentityTypeId, x.CompanyId))
+            .SingleOrDefaultAsync();
+
     /// <inheritdoc />
     public Identity AttachAndModifyIdentity(Guid identityId, Action<Identity>? initialize, Action<Identity> modify)
     {

src/processes/Processes.Worker/Program.cs

@@ -28,6 +28,8 @@
 using Org.Eclipse.TractusX.Portal.Backend.Keycloak.Factory;
 using Org.Eclipse.TractusX.Portal.Backend.Offers.Library.DependencyInjection;
 using Org.Eclipse.TractusX.Portal.Backend.PortalBackend.DBAccess;
+using Org.Eclipse.TractusX.Portal.Backend.PortalBackend.DBAccess.Identities;
+using Org.Eclipse.TractusX.Portal.Backend.PortalBackend.PortalEntities.Identities;
 using Org.Eclipse.TractusX.Portal.Backend.Processes.ApplicationChecklist.Config.DependencyInjection;
 using Org.Eclipse.TractusX.Portal.Backend.Processes.ApplicationChecklist.Executor;
 using Org.Eclipse.TractusX.Portal.Backend.Processes.NetworkRegistration.Executor.DependencyInjection;
@@ -54,7 +56,7 @@
                 .AddApplicationChecklist(hostContext.Configuration.GetSection("ApplicationChecklist"))
                 .AddApplicationChecklistCreation()
                 .AddApplicationActivation(hostContext.Configuration)
-                .AddConfigurationIdentityIdDetermination(hostContext.Configuration.GetSection("ProcessIdentity"))
+                .AddConfigurationIdentityService(hostContext.Configuration.GetSection("ProcessIdentity"))
                 .AddNetworkRegistrationProcessExecutor(hostContext.Configuration)
                 .AddServiceAccountSyncProcessExecutor(hostContext.Configuration);