Set root always traversable; LoggingDAO fix

cdc85827 · Sonia Zorba · 3b4ded02 · cdc85827 · cdc85827 · cdc85827
Commit cdc85827 authored Mar 22, 2021 by Sonia Zorba
--- a/gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java
@@ -56,13 +56,14 @@ public class JWTFilter implements Filter {
        Map<String, Object> claims = userManager.parseIdTokenClaims(token);

        if (claims.get("sub") == null) {
-            loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Attempt to access API with invalid token", request);
+            loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Attempt to access API with invalid token " + request.getRequestURI(), request);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid access token: missing sub claim");
            return;
        }

        ServletRequestWithJWTPrincipal wrappedRequest = new ServletRequestWithJWTPrincipal(request, token, claims);
-        loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "API access from " + wrappedRequest.getUserPrincipal().getName(), request);
+
+        loggingDAO.logAction(ActionType.API_CALL, request.getRequestURI() + " called by " + wrappedRequest.getUserPrincipal().getName(), request);

        fc.doFilter(wrappedRequest, res);
    }

--- a/gms/src/main/java/it/inaf/ia2/gms/controller/HomePageController.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/controller/HomePageController.java
 package it.inaf.ia2.gms.controller;

 import it.inaf.ia2.gms.authn.SessionData;
-import it.inaf.ia2.gms.exception.UnauthorizedException;
 import it.inaf.ia2.gms.manager.InvitedRegistrationManager;
-import it.inaf.ia2.gms.model.GroupBreadcrumb;
-import it.inaf.ia2.gms.model.GroupNode;
-import it.inaf.ia2.gms.model.Permission;
 import it.inaf.ia2.gms.model.request.GroupsRequest;
 import it.inaf.ia2.gms.model.response.GroupsTabResponse;
 import it.inaf.ia2.gms.model.response.HomePageResponse;
-import it.inaf.ia2.gms.model.response.PaginatedData;
 import it.inaf.ia2.gms.persistence.model.InvitedRegistration;
 import java.io.IOException;
-import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
 import javax.servlet.ServletException;
@@ -48,37 +42,14 @@ public class HomePageController {

        response.setUser(session.getUserName());

-        try {
-            GroupsTabResponse groupsTabResponse = groupsTabResponseBuilder.getGroupsTab(request);
-            response.setBreadcrumbs(groupsTabResponse.getBreadcrumbs());
-            response.setGroupsPanel(groupsTabResponse.getGroupsPanel());
-            response.setPermission(groupsTabResponse.getPermission());
-        } catch (UnauthorizedException ex) {
-            if ("ROOT".equals(request.getGroupId())) {
-                response.setBreadcrumbs(getRootBreadcrumbs());
-                response.setGroupsPanel(getEmptyGroupsPanel(request));
-                response.setPermission(Permission.TRAVERSE);
-            } else {
-                throw ex;
-            }
-        }
+        GroupsTabResponse groupsTabResponse = groupsTabResponseBuilder.getGroupsTab(request);
+        response.setBreadcrumbs(groupsTabResponse.getBreadcrumbs());
+        response.setGroupsPanel(groupsTabResponse.getGroupsPanel());
+        response.setPermission(groupsTabResponse.getPermission());

        return ResponseEntity.ok(response);
    }

-    private List<GroupBreadcrumb> getRootBreadcrumbs() {
-        List<GroupBreadcrumb> breadcrumbs = new ArrayList<>();
-        GroupBreadcrumb breadcrumb = new GroupBreadcrumb();
-        breadcrumb.setGroupId("ROOT");
-        breadcrumb.setGroupName("ROOT");
-        breadcrumbs.add(breadcrumb);
-        return breadcrumbs;
-    }
-
-    private PaginatedData<GroupNode> getEmptyGroupsPanel(GroupsRequest request) {
-        return new PaginatedData<>(new ArrayList<>(), 1, request.getPaginatorPageSize());
-    }
-
    @GetMapping(value = "/", produces = MediaType.TEXT_HTML_VALUE)
    public String index(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {


--- a/gms/src/main/java/it/inaf/ia2/gms/manager/GroupsManager.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/manager/GroupsManager.java
@@ -84,6 +84,10 @@ public class GroupsManager extends UserAwareComponent {
    }

    public void verifyUserCanReadGroup(GroupEntity group) {
+        if (GroupsService.ROOT.equals(group.getId())) {
+            // Everybody can read the root
+            return;
+        }
        if (permissionsManager.getCurrentUserPermission(group) == null) {
            loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Unauthorized group management request, group_id=" + group.getId());
            throw new UnauthorizedException("Missing permission to see this group");

--- a/gms/src/main/java/it/inaf/ia2/gms/manager/PermissionsManager.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/manager/PermissionsManager.java
@@ -10,6 +10,7 @@ import it.inaf.ia2.gms.service.PermissionUtils;
 import it.inaf.ia2.gms.service.PermissionsService;
 import it.inaf.ia2.gms.authn.RapClient;
 import it.inaf.ia2.gms.persistence.model.ActionType;
+import it.inaf.ia2.gms.service.GroupsService;
 import it.inaf.ia2.rap.data.RapUser;
 import java.util.ArrayList;
 import java.util.List;
@@ -159,6 +160,8 @@ public class PermissionsManager extends UserAwareComponent {

    public Permission getCurrentUserPermission(GroupEntity group) {
        List<PermissionEntity> permissions = permissionsService.findUserPermissions(group, getCurrentUserId());
-        return PermissionUtils.getGroupPermission(group, permissions).orElse(null);
+        return PermissionUtils.getGroupPermission(group, permissions).orElse(
+                GroupsService.ROOT.equals(group.getId()) ? Permission.TRAVERSE : null
+        );
    }
 }
--- a/gms/src/main/java/it/inaf/ia2/gms/persistence/model/ActionType.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/persistence/model/ActionType.java
@@ -15,5 +15,6 @@ public enum ActionType {
    INVITED_REGISTRATION_OPENED,
    INVITED_REGISTRATION_DELETED,
    INVITED_REGISTRATION_COMPLETED,
+    API_CALL,
    UNAUTHORIZED_ACCESS_ATTEMPT
 }
--- a/gms/src/test/java/it/inaf/ia2/gms/manager/GroupsManagerTest.java
+++ b/gms/src/test/java/it/inaf/ia2/gms/manager/GroupsManagerTest.java
+package it.inaf.ia2.gms.manager;
+
+import it.inaf.ia2.gms.exception.UnauthorizedException;
+import it.inaf.ia2.gms.persistence.LoggingDAO;
+import it.inaf.ia2.gms.persistence.model.GroupEntity;
+import it.inaf.ia2.gms.service.GroupsService;
+import static org.junit.Assert.assertTrue;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+@RunWith(MockitoJUnitRunner.class)
+public class GroupsManagerTest {
+
+    @Mock
+    private GroupsService groupsService;
+    @Mock
+    private PermissionsManager permissionsManager;
+    @Mock
+    private LoggingDAO loggingDAO;
+
+    @InjectMocks
+    private GroupsManager groupsManager;
+
+    @Test
+    public void testRootAlwaysReadable() {
+
+        GroupEntity root = new GroupEntity();
+        root.setName("ROOT");
+        root.setId(GroupsService.ROOT);
+        root.setPath("");
+
+        groupsManager.verifyUserCanReadGroup(root);
+    }
+
+    @Test
+    public void testVerifyUserCanReadGroupFails() {
+
+        boolean exception = false;
+
+        GroupEntity group = new GroupEntity();
+        group.setName("group_name");
+        group.setId("group_id");
+        group.setPath("group_id");
+
+        try {
+            groupsManager.verifyUserCanReadGroup(group);
+        } catch (UnauthorizedException ex) {
+            exception = true;
+        }
+
+        assertTrue(exception);
+    }
+}
--- a/gms/src/test/java/it/inaf/ia2/gms/manager/PermissionsManagerTest.java
+++ b/gms/src/test/java/it/inaf/ia2/gms/manager/PermissionsManagerTest.java
@@ -5,11 +5,13 @@ import it.inaf.ia2.gms.model.Permission;
 import it.inaf.ia2.gms.persistence.LoggingDAO;
 import it.inaf.ia2.gms.persistence.model.GroupEntity;
 import it.inaf.ia2.gms.persistence.model.PermissionEntity;
+import it.inaf.ia2.gms.service.GroupsService;
 import it.inaf.ia2.gms.service.PermissionsService;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import javax.servlet.http.HttpServletRequest;
+import static org.junit.Assert.assertEquals;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -137,6 +139,18 @@ public class PermissionsManagerTest {
        permissionsManager.removePermission(group, TARGET_USER_ID);
    }

+    @Test
+    public void testGetCurrentUserPermissionAlwaysTraverseRoot() {
+        when(permissionsService.findUserPermissions(any(), any())).thenReturn(new ArrayList<>());
+
+        GroupEntity root = new GroupEntity();
+        root.setName("ROOT");
+        root.setId(GroupsService.ROOT);
+        root.setPath("");
+
+        assertEquals(Permission.TRAVERSE, permissionsManager.getCurrentUserPermission(root));
+    }
+
    private List<PermissionEntity> getUserPermissions(GroupEntity group, Permission permission) {
        PermissionEntity entity = new PermissionEntity();
        entity.setPermission(permission);