Commit cdc85827 authored by Sonia Zorba's avatar Sonia Zorba
Browse files

Set root always traversable; LoggingDAO fix

parent 3b4ded02
Pipeline #1220 passed with stages
in 34 seconds
......@@ -56,13 +56,14 @@ public class JWTFilter implements Filter {
Map<String, Object> claims = userManager.parseIdTokenClaims(token);
if (claims.get("sub") == null) {
loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Attempt to access API with invalid token", request);
loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Attempt to access API with invalid token " + request.getRequestURI(), request);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid access token: missing sub claim");
return;
}
ServletRequestWithJWTPrincipal wrappedRequest = new ServletRequestWithJWTPrincipal(request, token, claims);
loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "API access from " + wrappedRequest.getUserPrincipal().getName(), request);
loggingDAO.logAction(ActionType.API_CALL, request.getRequestURI() + " called by " + wrappedRequest.getUserPrincipal().getName(), request);
fc.doFilter(wrappedRequest, res);
}
......
package it.inaf.ia2.gms.controller;
import it.inaf.ia2.gms.authn.SessionData;
import it.inaf.ia2.gms.exception.UnauthorizedException;
import it.inaf.ia2.gms.manager.InvitedRegistrationManager;
import it.inaf.ia2.gms.model.GroupBreadcrumb;
import it.inaf.ia2.gms.model.GroupNode;
import it.inaf.ia2.gms.model.Permission;
import it.inaf.ia2.gms.model.request.GroupsRequest;
import it.inaf.ia2.gms.model.response.GroupsTabResponse;
import it.inaf.ia2.gms.model.response.HomePageResponse;
import it.inaf.ia2.gms.model.response.PaginatedData;
import it.inaf.ia2.gms.persistence.model.InvitedRegistration;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import javax.servlet.ServletException;
......@@ -48,37 +42,14 @@ public class HomePageController {
response.setUser(session.getUserName());
try {
GroupsTabResponse groupsTabResponse = groupsTabResponseBuilder.getGroupsTab(request);
response.setBreadcrumbs(groupsTabResponse.getBreadcrumbs());
response.setGroupsPanel(groupsTabResponse.getGroupsPanel());
response.setPermission(groupsTabResponse.getPermission());
} catch (UnauthorizedException ex) {
if ("ROOT".equals(request.getGroupId())) {
response.setBreadcrumbs(getRootBreadcrumbs());
response.setGroupsPanel(getEmptyGroupsPanel(request));
response.setPermission(Permission.TRAVERSE);
} else {
throw ex;
}
}
GroupsTabResponse groupsTabResponse = groupsTabResponseBuilder.getGroupsTab(request);
response.setBreadcrumbs(groupsTabResponse.getBreadcrumbs());
response.setGroupsPanel(groupsTabResponse.getGroupsPanel());
response.setPermission(groupsTabResponse.getPermission());
return ResponseEntity.ok(response);
}
private List<GroupBreadcrumb> getRootBreadcrumbs() {
List<GroupBreadcrumb> breadcrumbs = new ArrayList<>();
GroupBreadcrumb breadcrumb = new GroupBreadcrumb();
breadcrumb.setGroupId("ROOT");
breadcrumb.setGroupName("ROOT");
breadcrumbs.add(breadcrumb);
return breadcrumbs;
}
private PaginatedData<GroupNode> getEmptyGroupsPanel(GroupsRequest request) {
return new PaginatedData<>(new ArrayList<>(), 1, request.getPaginatorPageSize());
}
@GetMapping(value = "/", produces = MediaType.TEXT_HTML_VALUE)
public String index(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
......
......@@ -84,6 +84,10 @@ public class GroupsManager extends UserAwareComponent {
}
public void verifyUserCanReadGroup(GroupEntity group) {
if (GroupsService.ROOT.equals(group.getId())) {
// Everybody can read the root
return;
}
if (permissionsManager.getCurrentUserPermission(group) == null) {
loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Unauthorized group management request, group_id=" + group.getId());
throw new UnauthorizedException("Missing permission to see this group");
......
......@@ -10,6 +10,7 @@ import it.inaf.ia2.gms.service.PermissionUtils;
import it.inaf.ia2.gms.service.PermissionsService;
import it.inaf.ia2.gms.authn.RapClient;
import it.inaf.ia2.gms.persistence.model.ActionType;
import it.inaf.ia2.gms.service.GroupsService;
import it.inaf.ia2.rap.data.RapUser;
import java.util.ArrayList;
import java.util.List;
......@@ -159,6 +160,8 @@ public class PermissionsManager extends UserAwareComponent {
public Permission getCurrentUserPermission(GroupEntity group) {
List<PermissionEntity> permissions = permissionsService.findUserPermissions(group, getCurrentUserId());
return PermissionUtils.getGroupPermission(group, permissions).orElse(null);
return PermissionUtils.getGroupPermission(group, permissions).orElse(
GroupsService.ROOT.equals(group.getId()) ? Permission.TRAVERSE : null
);
}
}
......@@ -15,5 +15,6 @@ public enum ActionType {
INVITED_REGISTRATION_OPENED,
INVITED_REGISTRATION_DELETED,
INVITED_REGISTRATION_COMPLETED,
API_CALL,
UNAUTHORIZED_ACCESS_ATTEMPT
}
package it.inaf.ia2.gms.manager;
import it.inaf.ia2.gms.exception.UnauthorizedException;
import it.inaf.ia2.gms.persistence.LoggingDAO;
import it.inaf.ia2.gms.persistence.model.GroupEntity;
import it.inaf.ia2.gms.service.GroupsService;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
@RunWith(MockitoJUnitRunner.class)
public class GroupsManagerTest {
@Mock
private GroupsService groupsService;
@Mock
private PermissionsManager permissionsManager;
@Mock
private LoggingDAO loggingDAO;
@InjectMocks
private GroupsManager groupsManager;
@Test
public void testRootAlwaysReadable() {
GroupEntity root = new GroupEntity();
root.setName("ROOT");
root.setId(GroupsService.ROOT);
root.setPath("");
groupsManager.verifyUserCanReadGroup(root);
}
@Test
public void testVerifyUserCanReadGroupFails() {
boolean exception = false;
GroupEntity group = new GroupEntity();
group.setName("group_name");
group.setId("group_id");
group.setPath("group_id");
try {
groupsManager.verifyUserCanReadGroup(group);
} catch (UnauthorizedException ex) {
exception = true;
}
assertTrue(exception);
}
}
......@@ -5,11 +5,13 @@ import it.inaf.ia2.gms.model.Permission;
import it.inaf.ia2.gms.persistence.LoggingDAO;
import it.inaf.ia2.gms.persistence.model.GroupEntity;
import it.inaf.ia2.gms.persistence.model.PermissionEntity;
import it.inaf.ia2.gms.service.GroupsService;
import it.inaf.ia2.gms.service.PermissionsService;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import static org.junit.Assert.assertEquals;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
......@@ -137,6 +139,18 @@ public class PermissionsManagerTest {
permissionsManager.removePermission(group, TARGET_USER_ID);
}
@Test
public void testGetCurrentUserPermissionAlwaysTraverseRoot() {
when(permissionsService.findUserPermissions(any(), any())).thenReturn(new ArrayList<>());
GroupEntity root = new GroupEntity();
root.setName("ROOT");
root.setId(GroupsService.ROOT);
root.setPath("");
assertEquals(Permission.TRAVERSE, permissionsManager.getCurrentUserPermission(root));
}
private List<PermissionEntity> getUserPermissions(GroupEntity group, Permission permission) {
PermissionEntity entity = new PermissionEntity();
entity.setPermission(permission);
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment