add authentication with zitadel

lib/policy_service_web/api_spec.ex

@@ -1,5 +1,5 @@
 defmodule PolicyServiceWeb.ApiSpec do
-  alias OpenApiSpex.{OpenApi, Info, Server}
+  alias OpenApiSpex.{OpenApi, Info, Server, Components, SecurityScheme}
   alias OpenApiSpex.{Info, OpenApi, Paths, Server}
   alias PolicyServiceWeb.{Endpoint, Router}
   @behaviour OpenApi
@@ -16,7 +16,18 @@ defmodule PolicyServiceWeb.ApiSpec do
         version: "1.0"
       },
       # Populate the paths from a phoenix router
-      paths: Paths.from_router(Router)
+      paths: Paths.from_router(Router),
+      components: %Components{
+        securitySchemes: %{
+          "bearerAuth" => %SecurityScheme{
+            type: "http",
+            scheme: "bearer",
+            bearerFormat: "JWT",
+            description: "Zitadel JWT bearer token for authentication"
+          }
+        }
+      },
+      security: [%{"bearerAuth" => []}]
     }
     # Discover request/response schemas from path specs
     |> OpenApiSpex.resolve_schema_modules()

lib/policy_service_web/controllers/policy_controller.ex

@@ -31,7 +31,7 @@ defmodule PolicyServiceWeb.PolicyController do
   )
 
   def index(conn, params) do
-    org_id = conn.assigns[:org_id] || "test"
+    org_id = conn.assigns[:org_id]
 
     case PolicyQueries.list_by_org(org_id, params) do
       {:ok, {policies, meta}} ->
@@ -63,7 +63,7 @@ defmodule PolicyServiceWeb.PolicyController do
   )
 
   def show(conn, %{"application_id" => application_id}) do
-    org_id = conn.assigns[:org_id] || "test"
+    org_id = conn.assigns[:org_id]
 
     case PolicyQueries.get_by_application_id(org_id, application_id) do
       {:ok, policy} ->
@@ -89,8 +89,8 @@ defmodule PolicyServiceWeb.PolicyController do
 
   def create(conn, params) do
     application_id = Ecto.UUID.generate()
-    org_id = conn.assigns[:org_id] || "test"
-    submitted_by = conn.assigns[:user_id] || "test"
+    org_id = conn.assigns[:org_id]
+    submitted_by = conn.assigns[:user_id]
 
     with {:ok, policy_type} <- parse_policy_type(params["policy_type"]),
          {:ok, insured} <- parse_insured(params["insured"]),
@@ -173,7 +173,7 @@ defmodule PolicyServiceWeb.PolicyController do
   )
 
   def accept(conn, %{"application_id" => application_id} = params) do
-    org_id = conn.assigns[:org_id] || "test"
+    org_id = conn.assigns[:org_id]
 
     with {:ok, policy} <- PolicyQueries.get_by_application_id(org_id, application_id) do
       command =

lib/policy_service_web/plugs/authentication_plug.ex

@@ -0,0 +1,200 @@
+defmodule PolicyServiceWeb.Plugs.AuthenticationPlug do
+  @moduledoc """
+  Authentication plug for validating JWT tokens using Zitadel.
+
+  This plug validates JWT tokens using the oidcc library and extracts
+  user claims for use throughout the application.
+  """
+
+  import Plug.Conn
+  require Logger
+
+  @doc """
+  Initializes the authentication plug.
+
+  ## Options
+  - :provider - The OIDCC provider configuration worker name (required)
+  - :client_id - OAuth2 client ID (required) - can be a string or {module, function, args} tuple
+  - :client_secret - OAuth2 client secret (required) - can be a string or {module, function, args} tuple
+  - :required_scopes - List of required scopes (optional)
+  """
+  def init(opts) do
+    provider = Keyword.fetch!(opts, :provider)
+    client_id = Keyword.fetch!(opts, :client_id)
+    client_secret = Keyword.fetch!(opts, :client_secret)
+    required_scopes = Keyword.get(opts, :required_scopes, [])
+
+    %{
+      provider: provider,
+      client_id: resolve_config(client_id),
+      client_secret: resolve_config(client_secret),
+      required_scopes: required_scopes
+    }
+  end
+
+  defp resolve_config({module, function, args})
+       when is_atom(module) and is_atom(function) and is_list(args) do
+    apply(module, function, args)
+  end
+
+  defp resolve_config(value) when is_binary(value), do: value
+  defp resolve_config(value) when is_function(value, 0), do: value.()
+  defp resolve_config(value), do: value
+
+  @doc """
+  Authenticates the request by validating the JWT token.
+
+  Extracts the Authorization header, validates the JWT token using
+  Zitadel's JWKS, and assigns the extracted claims to the connection.
+  """
+  def call(conn, config) do
+    with {:ok, token} <- extract_token(conn),
+         {:ok, validated_token} <- validate_token(token, config),
+         {:ok, claims} <- extract_claims(validated_token) do
+      conn
+      |> assign(:authenticated, true)
+      |> assign(:current_user, claims)
+      |> assign(:user_id, claims.user_id)
+      |> assign(:org_id, claims.org_id)
+      |> assign(:roles, claims.roles)
+      |> assign(:scopes, claims.scopes)
+    else
+      {:error, :missing_token} ->
+        handle_missing_token(conn)
+
+      {:error, :invalid_token} = error ->
+        handle_invalid_token(conn, error)
+
+      {:error, :expired_token} = error ->
+        handle_expired_token(conn, error)
+
+      {:error, :insufficient_scopes} = error ->
+        handle_insufficient_scopes(conn, error)
+
+      {:error, reason} = error ->
+        handle_authentication_error(conn, error, reason)
+    end
+  end
+
+  defp extract_token(conn) do
+    case get_req_header(conn, "authorization") do
+      ["Bearer " <> token] when token != "" ->
+        {:ok, token}
+
+      ["Bearer " <> token] when token == "" ->
+        {:error, :missing_token}
+
+      ["bearer " <> token] when token != "" ->
+        {:ok, token}
+
+      [] ->
+        {:error, :missing_token}
+
+      _ ->
+        {:error, :invalid_token}
+    end
+  end
+
+  defp validate_token(token, config) do
+    try do
+      case Oidcc.Token.validate_jwt(
+             token,
+             config.provider,
+             %{}
+           ) do
+        {:ok, validated_token} ->
+          validate_required_scopes(validated_token, config)
+
+        {:error, :invalid_token} ->
+          Logger.warning("Invalid JWT token provided")
+          {:error, :invalid_token}
+
+        {:error, :expired_token} ->
+          Logger.warning("Expired JWT token provided")
+          {:error, :expired_token}
+
+        {:error, reason} ->
+          Logger.error("Token validation failed: #{inspect(reason)}")
+          {:error, :invalid_token}
+      end
+    rescue
+      error ->
+        Logger.error("Token validation error: #{inspect(error)}")
+        {:error, :invalid_token}
+    end
+  end
+
+  defp validate_required_scopes(validated_token, config) do
+    required_scopes = config.required_scopes || []
+
+    if required_scopes == [] do
+      {:ok, validated_token}
+    else
+      token_scopes = PolicyServiceWeb.Plugs.ClaimsExtractor.get_scopes(validated_token.claims)
+
+      if has_all_required_scopes?(token_scopes, required_scopes) do
+        {:ok, validated_token}
+      else
+        missing_scopes = required_scopes -- token_scopes
+        Logger.warning("Token missing required scopes: #{inspect(missing_scopes)}")
+        {:error, :insufficient_scopes}
+      end
+    end
+  end
+
+  defp has_all_required_scopes?(token_scopes, required_scopes) do
+    Enum.all?(required_scopes, fn scope -> scope in token_scopes end)
+  end
+
+  defp extract_claims(validated_token) do
+    try do
+      claims = PolicyServiceWeb.Plugs.ClaimsExtractor.extract_claims(validated_token)
+      PolicyServiceWeb.Plugs.ClaimsExtractor.validate_claims!(validated_token.claims)
+      {:ok, claims}
+    rescue
+      error ->
+        Logger.error("Failed to extract claims: #{inspect(error)}")
+        {:error, :invalid_claims}
+    end
+  end
+
+  defp handle_missing_token(conn) do
+    conn
+    |> put_resp_content_type("application/json")
+    |> send_resp(401, Jason.encode!(%{error: "Missing authentication token"}))
+    |> halt()
+  end
+
+  defp handle_invalid_token(conn, _error) do
+    conn
+    |> put_resp_content_type("application/json")
+    |> send_resp(401, Jason.encode!(%{error: "Invalid authentication token"}))
+    |> halt()
+  end
+
+  defp handle_expired_token(conn, _error) do
+    conn
+    |> put_resp_content_type("application/json")
+    |> send_resp(401, Jason.encode!(%{error: "Authentication token has expired"}))
+    |> halt()
+  end
+
+  defp handle_insufficient_scopes(conn, _error) do
+    conn
+    |> put_resp_content_type("application/json")
+    |> send_resp(
+      403,
+      Jason.encode!(%{error: "Insufficient permissions - required scopes not granted"})
+    )
+    |> halt()
+  end
+
+  defp handle_authentication_error(conn, _error, reason) do
+    Logger.error("Authentication error: #{inspect(reason)}")
+
+    conn
+    |> put_resp_content_type("application/json")
+    |> send_resp(401, Jason.encode!(%{error: "Authentication failed"}))
+    |> halt()
+  end
+end

lib/policy_service_web/plugs/authorization_plug.ex

@@ -0,0 +1,184 @@
+defmodule PolicyServiceWeb.Plugs.AuthorizationPlug do
+  @moduledoc """
+  Authorization plug for enforcing role-based access control.
+
+  This plug checks if authenticated users have the required roles
+  and scopes to access protected resources.
+  """
+
+  import Plug.Conn
+  require Logger
+
+  @doc """
+  Initializes the authorization plug.
+
+  ## Options
+  - :required_roles - List of roles that can access the resource (optional)
+  - :required_scopes - List of scopes required to access the resource (optional)
+  - :resource_owner_check - Function to check if user owns the resource (optional)
+  """
+  def init(opts) do
+    %{
+      required_roles: Keyword.get(opts, :required_roles, []),
+      required_scopes: Keyword.get(opts, :required_scopes, []),
+      resource_owner_check: Keyword.get(opts, :resource_owner_check, nil)
+    }
+  end
+
+  @doc """
+  Authorizes the request by checking roles and scopes.
+
+  Verifies that the authenticated user has the required roles and scopes
+  to access the requested resource.
+  """
+  def call(conn, config) do
+    user_roles = conn.assigns[:roles] || []
+    user_scopes = conn.assigns[:scopes] || []
+    user_id = conn.assigns[:user_id]
+    org_id = conn.assigns[:org_id]
+
+    with :ok <- check_roles(user_roles, config.required_roles),
+         :ok <- check_scopes(user_scopes, config.required_scopes),
+         :ok <- check_resource_ownership(conn, config.resource_owner_check, user_id, org_id) do
+      conn
+    else
+      {:error, :insufficient_role} ->
+        handle_insufficient_role(conn, config.required_roles)
+
+      {:error, :insufficient_scope} ->
+        handle_insufficient_scope(conn, config.required_scopes)
+
+      {:error, :not_owner} ->
+        handle_not_owner(conn)
+    end
+  end
+
+  defp check_roles(_user_roles, required_roles) when required_roles == [] do
+    :ok
+  end
+
+  defp check_roles(user_roles, required_roles) do
+    if has_any_role?(user_roles, required_roles) do
+      :ok
+    else
+      Logger.warning(
+        "User with roles #{inspect(user_roles)} lacks required roles: #{inspect(required_roles)}"
+      )
+
+      {:error, :insufficient_role}
+    end
+  end
+
+  defp check_scopes(_user_scopes, required_scopes) when required_scopes == [] do
+    :ok
+  end
+
+  defp check_scopes(user_scopes, required_scopes) do
+    if has_all_scopes?(user_scopes, required_scopes) do
+      :ok
+    else
+      Logger.warning(
+        "User with scopes #{inspect(user_scopes)} lacks required scopes: #{inspect(required_scopes)}"
+      )
+
+      {:error, :insufficient_scope}
+    end
+  end
+
+  defp check_resource_ownership(_conn, nil, _user_id, _org_id) do
+    :ok
+  end
+
+  defp check_resource_ownership(conn, check_function, user_id, org_id) do
+    try do
+      if check_function.(conn, user_id, org_id) do
+        :ok
+      else
+        {:error, :not_owner}
+      end
+    rescue
+      error ->
+        Logger.error("Resource ownership check failed: #{inspect(error)}")
+        {:error, :not_owner}
+    end
+  end
+
+  @doc """
+  Checks if the user has any of the required roles.
+
+  Supports role hierarchy where admin has all permissions.
+  """
+  def has_any_role?(user_roles, required_roles) do
+    cond do
+      "admin" in user_roles ->
+        true
+
+      Enum.any?(required_roles, fn role -> role in user_roles end) ->
+        true
+
+      true ->
+        false
+    end
+  end
+
+  @doc """
+  Checks if the user has all of the required scopes.
+  """
+  def has_all_scopes?(user_scopes, required_scopes) do
+    Enum.all?(required_scopes, fn scope -> scope in user_scopes end)
+  end
+
+  @doc """
+  Checks if the user can access a specific resource based on ownership.
+
+  Admins can access any resource. Other users can only access their own resources.
+  """
+  def can_access_resource?(user_roles, resource_user_id, current_user_id) do
+    cond do
+      "admin" in user_roles ->
+        true
+
+      resource_user_id == current_user_id ->
+        true
+
+      true ->
+        false
+    end
+  end
+
+  defp handle_insufficient_role(conn, required_roles) do
+    conn
+    |> put_resp_content_type("application/json")
+    |> send_resp(
+      403,
+      Jason.encode!(%{
+        error: "Insufficient permissions",
+        required_roles: required_roles
+      })
+    )
+    |> halt()
+  end
+
+  defp handle_insufficient_scope(conn, required_scopes) do
+    conn
+    |> put_resp_content_type("application/json")
+    |> send_resp(
+      403,
+      Jason.encode!(%{
+        error: "Insufficient permissions",
+        required_scopes: required_scopes
+      })
+    )
+    |> halt()
+  end
+
+  defp handle_not_owner(conn) do
+    conn
+    |> put_resp_content_type("application/json")
+    |> send_resp(
+      403,
+      Jason.encode!(%{error: "You do not have permission to access this resource"})
+    )
+    |> halt()
+  end
+end

lib/policy_service_web/plugs/claims_extractor.ex

@@ -0,0 +1,127 @@
+defmodule PolicyServiceWeb.Plugs.ClaimsExtractor do
+  @moduledoc """
+  Extracts and normalizes Zitadel claims from validated JWT tokens.
+
+  This module handles the extraction of organization ID, user ID, roles,
+  and scopes from Zitadel standard claims and normalizes them for use
+  throughout the application.
+  """
+
+  @doc """
+  Extracts and normalizes claims from a validated OIDCC token.
+
+  ## Parameters
+  - token: The validated OIDCC token struct
+
+  ## Returns
+  A map containing normalized claims:
+  - org_id: Organization ID from Zitadel claims
+  - user_id: User ID from Zitadel claims  
+  - roles: List of user roles
+  - scopes: List of granted scopes
+  """
+  def extract_claims(token) do
+    claims = token.claims
+
+    %{
+      org_id: get_org_id(claims),
+      user_id: get_user_id(claims),
+      roles: get_roles(claims),
+      scopes: get_scopes(claims)
+    }
+  end
+
+  @doc """
+  Extracts organization ID from Zitadel claims.
+
+  Uses the Zitadel-specific claim 'urn:zitadel:iam:user:resourceowner:id'
+  or falls back to the standard 'azp' (authorized party) claim.
+  """
+  def get_org_id(claims) do
+    claims["urn:zitadel:iam:user:resourceowner:id"] ||
+      claims["azp"] ||
+      "default"
+  end
+
+  @doc """
+  Extracts user ID from Zitadel claims.
+
+  Uses the standard 'sub' (subject) claim as the primary user identifier.
+  """
+  def get_user_id(claims) do
+    claims["sub"] ||
+      raise "Missing required user_id claim"
+  end
+
+  @doc """
+  Extracts roles from Zitadel claims.
+
+  Zitadel provides roles in the 'urn:zitadel:iam:org:project:roles' claim
+  with a nested structure containing role keys and organization context.
+  """
+  def get_roles(claims) do
+    project_roles = claims["urn:zitadel:iam:org:project:roles"] || []
+    extract_roles_from_project_roles(project_roles)
+  end
+
+  @doc """
+  Extracts roles from Zitadel's nested project roles structure.
+
+  The structure is typically:
+  [
+    %{"role1" => %{"id" => "org1", "primaryDomain" => "domain1"}},
+    %{"role2" => %{"id" => "org2", "primaryDomain" => "domain2"}}
+  ]
+  """
+  def extract_roles_from_project_roles(project_roles) when is_list(project_roles) do
+    project_roles
+    |> Enum.flat_map(fn role_map ->
+      role_map
+      |> Map.keys()
+      |> Enum.reject(&(&1 == "id" || &1 == "primaryDomain"))
+    end)
+    |> Enum.map(&String.downcase/1)
+    |> Enum.uniq()
+  end
+
+  def extract_roles_from_project_roles(_), do: []
+
+  @doc """
+  Extracts scopes from Zitadel claims.
+
+  Uses the standard 'scope' claim and splits it into a list.
+  """
+  def get_scopes(claims) do
+    scope_string = claims["scope"] || ""
+
+    scope_string
+    |> String.split(" ")
+    |> Enum.reject(&(&1 == ""))
+  end
+
+  @doc """
+  Checks if the given claims contain a specific role.
+  """
+  def has_role?(claims, role) when is_binary(role) do
+    roles = get_roles(claims)
+    role_lower = String.downcase(role)
+    role_lower in roles
+  end
+
+  @doc """
+  Checks if the given claims contain a specific scope.
+  """
+  def has_scope?(claims, scope) when is_binary(scope) do
+    scopes = get_scopes(claims)
+    scope in scopes
+  end
+
+  @doc """
+  Validates that all required claims are present.
+  """
+  def validate_claims!(claims) do
+    _user_id = get_user_id(claims)
+    _org_id = get_org_id(claims)
+    :ok
+  end
+end

lib/policy_service_web/router.ex

@@ -8,6 +8,18 @@ defmodule PolicyServiceWeb.Router do
     plug OpenApiSpex.Plug.PutApiSpec, module: PolicyServiceWeb.ApiSpec
   end
 
+  pipeline :authenticated do
+    plug PolicyServiceWeb.Plugs.AuthenticationPlug,
+      provider: PolicyService.ZitadelProvider,
+      client_id: {__MODULE__, :get_zitadel_config, [:client_id]},
+      client_secret: {__MODULE__, :get_zitadel_config, [:client_secret]},
+      required_scopes: {__MODULE__, :get_zitadel_config, [:required_scopes]}
+  end
+
+  pipeline :authorized do
+    plug PolicyServiceWeb.Plugs.AuthorizationPlug
+  end
+
   get "/health", HealthController, :health
   get "/health/ready", HealthController, :ready
 
@@ -17,6 +29,8 @@ defmodule PolicyServiceWeb.Router do
     get "/openapi", OpenApiSpex.Plug.RenderSpec, []
 
     scope "/v1" do
+      pipe_through [:authenticated, :authorized]
+
       get "/policies", PolicyController, :index
       get "/policies/:application_id", PolicyController, :show
       post "/policies", PolicyController, :create
@@ -27,4 +41,8 @@ defmodule PolicyServiceWeb.Router do
   scope "/swaggerui" do
     get "/", OpenApiSpex.Plug.SwaggerUI, path: "/api/openapi"
   end
+
+  def get_zitadel_config(key) do
+    Application.get_env(:policy_service, :zitadel)[key]
+  end
 end

lib/policy_service_web/schemas/policy.ex

@@ -230,8 +230,16 @@ defmodule PolicyServiceWeb.Schemas.Policy do
         coverage_amount: %Schema{type: :number, example: 100_000},
         coverage_years: %Schema{type: :integer, example: 10},
         smoker: %Schema{type: :boolean, example: false},
-        medications: %Schema{type: :array, items: %Schema{type: :string}, example: ["Aspirin", "Lisinopril"]},
-        surgeries: %Schema{type: :array, items: %Schema{type: :string}, example: ["Appendectomy, 2015"]},
+        medications: %Schema{
+          type: :array,
+          items: %Schema{type: :string},
+          example: ["Aspirin", "Lisinopril"]
+        },
+        surgeries: %Schema{
+          type: :array,
+          items: %Schema{type: :string},
+          example: ["Appendectomy, 2015"]
+        },
         weight: %Schema{type: :number, example: 70},
         height: %Schema{type: :number, example: 175}
       }