Loading gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java +3 −2 Original line number Diff line number Diff line Loading @@ -56,13 +56,14 @@ public class JWTFilter implements Filter { Map<String, Object> claims = userManager.parseIdTokenClaims(token); if (claims.get("sub") == null) { loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Attempt to access API with invalid token", request); loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Attempt to access API with invalid token " + request.getRequestURI(), request); response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid access token: missing sub claim"); return; } ServletRequestWithJWTPrincipal wrappedRequest = new ServletRequestWithJWTPrincipal(request, token, claims); loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "API access from " + wrappedRequest.getUserPrincipal().getName(), request); loggingDAO.logAction(ActionType.API_CALL, request.getRequestURI() + " called by " + wrappedRequest.getUserPrincipal().getName(), request); fc.doFilter(wrappedRequest, res); } Loading gms/src/main/java/it/inaf/ia2/gms/controller/HomePageController.java +4 −33 Original line number Diff line number Diff line package it.inaf.ia2.gms.controller; import it.inaf.ia2.gms.authn.SessionData; import it.inaf.ia2.gms.exception.UnauthorizedException; import it.inaf.ia2.gms.manager.InvitedRegistrationManager; import it.inaf.ia2.gms.model.GroupBreadcrumb; import it.inaf.ia2.gms.model.GroupNode; import it.inaf.ia2.gms.model.Permission; import it.inaf.ia2.gms.model.request.GroupsRequest; import it.inaf.ia2.gms.model.response.GroupsTabResponse; import it.inaf.ia2.gms.model.response.HomePageResponse; import it.inaf.ia2.gms.model.response.PaginatedData; import it.inaf.ia2.gms.persistence.model.InvitedRegistration; import java.io.IOException; import java.util.ArrayList; import java.util.List; import java.util.Optional; import javax.servlet.ServletException; Loading Loading 
@@ -48,37 +42,14 @@ public class HomePageController { response.setUser(session.getUserName()); try { GroupsTabResponse groupsTabResponse = groupsTabResponseBuilder.getGroupsTab(request); response.setBreadcrumbs(groupsTabResponse.getBreadcrumbs()); response.setGroupsPanel(groupsTabResponse.getGroupsPanel()); response.setPermission(groupsTabResponse.getPermission()); } catch (UnauthorizedException ex) { if ("ROOT".equals(request.getGroupId())) { response.setBreadcrumbs(getRootBreadcrumbs()); response.setGroupsPanel(getEmptyGroupsPanel(request)); response.setPermission(Permission.TRAVERSE); } else { throw ex; } } return ResponseEntity.ok(response); } private List<GroupBreadcrumb> getRootBreadcrumbs() { List<GroupBreadcrumb> breadcrumbs = new ArrayList<>(); GroupBreadcrumb breadcrumb = new GroupBreadcrumb(); breadcrumb.setGroupId("ROOT"); breadcrumb.setGroupName("ROOT"); breadcrumbs.add(breadcrumb); return breadcrumbs; } private PaginatedData<GroupNode> getEmptyGroupsPanel(GroupsRequest request) { return new PaginatedData<>(new ArrayList<>(), 1, request.getPaginatorPageSize()); } @GetMapping(value = "/", produces = MediaType.TEXT_HTML_VALUE) public String index(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { Loading gms/src/main/java/it/inaf/ia2/gms/manager/GroupsManager.java +4 −0 Original line number Diff line number Diff line Loading 
@@ -84,6 +84,10 @@ public class GroupsManager extends UserAwareComponent { } public void verifyUserCanReadGroup(GroupEntity group) { if (GroupsService.ROOT.equals(group.getId())) { // Everybody can read the root return; } if (permissionsManager.getCurrentUserPermission(group) == null) { loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Unauthorized group management request, group_id=" + group.getId()); throw new UnauthorizedException("Missing permission to see this group"); Loading gms/src/main/java/it/inaf/ia2/gms/manager/PermissionsManager.java +4 −1 Original line number Diff line number Diff line Loading @@ -10,6 +10,7 @@ import it.inaf.ia2.gms.service.PermissionUtils; import it.inaf.ia2.gms.service.PermissionsService; import it.inaf.ia2.gms.authn.RapClient; import it.inaf.ia2.gms.persistence.model.ActionType; import it.inaf.ia2.gms.service.GroupsService; import it.inaf.ia2.rap.data.RapUser; import java.util.ArrayList; import java.util.List; Loading Loading @@ -159,6 +160,8 @@ public class PermissionsManager extends UserAwareComponent { public Permission getCurrentUserPermission(GroupEntity group) { List<PermissionEntity> permissions = permissionsService.findUserPermissions(group, getCurrentUserId()); return PermissionUtils.getGroupPermission(group, permissions).orElse(null); return PermissionUtils.getGroupPermission(group, permissions).orElse( GroupsService.ROOT.equals(group.getId()) ? Permission.TRAVERSE : null ); } } gms/src/main/java/it/inaf/ia2/gms/persistence/model/ActionType.java +1 −0 Original line number Diff line number Diff line Loading @@ -15,5 +15,6 @@ public enum ActionType { INVITED_REGISTRATION_OPENED, INVITED_REGISTRATION_DELETED, INVITED_REGISTRATION_COMPLETED, API_CALL, UNAUTHORIZED_ACCESS_ATTEMPT } Loading
gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java +3 −2 Original line number Diff line number Diff line Loading @@ -56,13 +56,14 @@ public class JWTFilter implements Filter { Map<String, Object> claims = userManager.parseIdTokenClaims(token); if (claims.get("sub") == null) { loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Attempt to access API with invalid token", request); loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Attempt to access API with invalid token " + request.getRequestURI(), request); response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid access token: missing sub claim"); return; } ServletRequestWithJWTPrincipal wrappedRequest = new ServletRequestWithJWTPrincipal(request, token, claims); loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "API access from " + wrappedRequest.getUserPrincipal().getName(), request); loggingDAO.logAction(ActionType.API_CALL, request.getRequestURI() + " called by " + wrappedRequest.getUserPrincipal().getName(), request); fc.doFilter(wrappedRequest, res); } Loading
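Review bot: Both rewritten `logAction` calls embed `request.getRequestURI()`, a client-controlled string of unbounded length, straight into the stored audit message; if `loggingDAO` writes it to a bounded column or a line-oriented log, an over-long or control-character-laden URI can truncate or fail the entry, and on the invalid-token branch a failure there would surface before `sendError` runs. Neutralise it once and reuse it in both messages, e.g. `String uri = request.getRequestURI().replaceAll("\\p{Cntrl}", "?");` with a length cap, rather than concatenating the raw value twice. The relabelling of the successful-call entry from UNAUTHORIZED_ACCESS_ATTEMPT to API_CALL looks like a fix for a mislabelled audit event, so anyone querying existing records for UNAUTHORIZED_ACCESS_ATTEMPT should know that rows written before this commit also include successful calls. The enclosing doFilter body starts and ends outside the hunk.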
gms/src/main/java/it/inaf/ia2/gms/controller/HomePageController.java +4 −33 Original line number Diff line number Diff line package it.inaf.ia2.gms.controller; import it.inaf.ia2.gms.authn.SessionData; import it.inaf.ia2.gms.exception.UnauthorizedException; import it.inaf.ia2.gms.manager.InvitedRegistrationManager; import it.inaf.ia2.gms.model.GroupBreadcrumb; import it.inaf.ia2.gms.model.GroupNode; import it.inaf.ia2.gms.model.Permission; import it.inaf.ia2.gms.model.request.GroupsRequest; import it.inaf.ia2.gms.model.response.GroupsTabResponse; import it.inaf.ia2.gms.model.response.HomePageResponse; import it.inaf.ia2.gms.model.response.PaginatedData; import it.inaf.ia2.gms.persistence.model.InvitedRegistration; import java.io.IOException; import java.util.ArrayList; import java.util.List; import java.util.Optional; import javax.servlet.ServletException; Loading Loading 
@@ -48,37 +42,14 @@ public class HomePageController { response.setUser(session.getUserName()); try { GroupsTabResponse groupsTabResponse = groupsTabResponseBuilder.getGroupsTab(request); response.setBreadcrumbs(groupsTabResponse.getBreadcrumbs()); response.setGroupsPanel(groupsTabResponse.getGroupsPanel()); response.setPermission(groupsTabResponse.getPermission()); } catch (UnauthorizedException ex) { if ("ROOT".equals(request.getGroupId())) { response.setBreadcrumbs(getRootBreadcrumbs()); response.setGroupsPanel(getEmptyGroupsPanel(request)); response.setPermission(Permission.TRAVERSE); } else { throw ex; } } return ResponseEntity.ok(response); } private List<GroupBreadcrumb> getRootBreadcrumbs() { List<GroupBreadcrumb> breadcrumbs = new ArrayList<>(); GroupBreadcrumb breadcrumb = new GroupBreadcrumb(); breadcrumb.setGroupId("ROOT"); breadcrumb.setGroupName("ROOT"); breadcrumbs.add(breadcrumb); return breadcrumbs; } private PaginatedData<GroupNode> getEmptyGroupsPanel(GroupsRequest request) { return new PaginatedData<>(new ArrayList<>(), 1, request.getPaginatorPageSize()); } @GetMapping(value = "/", produces = MediaType.TEXT_HTML_VALUE) public String index(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { Loading
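Review bot: With the `catch (UnauthorizedException ex)` fallback and the `getRootBreadcrumbs`/`getEmptyGroupsPanel` helpers removed, the ROOT view now depends entirely on `getCurrentUserPermission` returning `TRAVERSE` for the root (the PermissionsManager change in this commit), and any other `UnauthorizedException` raised inside `getGroupsTab(request)` for ROOT will now propagate instead of being masked. That is the safer behaviour, but it deserves a sentence in the handler's Javadoc, e.g. `Root-group access is granted centrally in PermissionsManager; an UnauthorizedException here is a genuine denial.` The imports of `GroupBreadcrumb`, `GroupNode`, `Permission`, `GroupsRequest`, `PaginatedData`, `ArrayList` and `List` shown at the top of the section become unused if nothing else in the file references them; the -33 count suggests they were dropped, but the section does not show it. The enclosing handler method begins outside the hunk.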
gms/src/main/java/it/inaf/ia2/gms/manager/GroupsManager.java +4 −0 Original line number Diff line number Diff line Loading @@ -84,6 +84,10 @@ public class GroupsManager extends UserAwareComponent { } public void verifyUserCanReadGroup(GroupEntity group) { if (GroupsService.ROOT.equals(group.getId())) { // Everybody can read the root return; } if (permissionsManager.getCurrentUserPermission(group) == null) { loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Unauthorized group management request, group_id=" + group.getId()); throw new UnauthorizedException("Missing permission to see this group"); Loading
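Review bot: The early return for `GroupsService.ROOT` duplicates the policy that `PermissionsManager.getCurrentUserPermission` (next file section) now encodes by returning `TRAVERSE` for the root, so after this commit the null check on the following line would already pass for ROOT and the two sites can drift apart; keep one of them, and if this one stays, say who "everybody" is, e.g. `// Any authenticated principal may read the root group; see PermissionsManager.getCurrentUserPermission`. Note also that the early return skips the `UNAUTHORIZED_ACCESS_ATTEMPT` audit entry for the root, which is consistent with the grant but means a root read is not recorded here at all. verifyUserCanReadGroup continues past the hunk.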
gms/src/main/java/it/inaf/ia2/gms/manager/PermissionsManager.java +4 −1 Original line number Diff line number Diff line Loading @@ -10,6 +10,7 @@ import it.inaf.ia2.gms.service.PermissionUtils; import it.inaf.ia2.gms.service.PermissionsService; import it.inaf.ia2.gms.authn.RapClient; import it.inaf.ia2.gms.persistence.model.ActionType; import it.inaf.ia2.gms.service.GroupsService; import it.inaf.ia2.rap.data.RapUser; import java.util.ArrayList; import java.util.List; Loading Loading @@ -159,6 +160,8 @@ public class PermissionsManager extends UserAwareComponent { public Permission getCurrentUserPermission(GroupEntity group) { List<PermissionEntity> permissions = permissionsService.findUserPermissions(group, getCurrentUserId()); return PermissionUtils.getGroupPermission(group, permissions).orElse(null); return PermissionUtils.getGroupPermission(group, permissions).orElse( GroupsService.ROOT.equals(group.getId()) ? Permission.TRAVERSE : null ); } }
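Review bot: `getCurrentUserPermission` silently widens its contract — it returns `Permission.TRAVERSE` for the root group even when `findUserPermissions` found nothing — and every caller that treats a non-null result as an explicitly granted permission is affected, not only the read check in GroupsManager, yet the method carries no Javadoc saying so. Add one, e.g. `Returns the caller's permission on {@code group}; for {@link GroupsService#ROOT} falls back to {@link Permission#TRAVERSE} when no explicit permission exists, otherwise {@code null}.` The intent also reads more clearly with the default lifted out: `Permission rootDefault = GroupsService.ROOT.equals(group.getId()) ? Permission.TRAVERSE : null;` followed by `.orElse(rootDefault)`. Whether the new `GroupsService` import introduces a manager-to-service cycle cannot be judged from this section.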
gms/src/main/java/it/inaf/ia2/gms/persistence/model/ActionType.java +1 −0 Original line number Diff line number Diff line Loading @@ -15,5 +15,6 @@ public enum ActionType { INVITED_REGISTRATION_OPENED, INVITED_REGISTRATION_DELETED, INVITED_REGISTRATION_COMPLETED, API_CALL, UNAUTHORIZED_ACCESS_ATTEMPT }
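Review bot: `API_CALL` is inserted before `UNAUTHORIZED_ACCESS_ATTEMPT` rather than appended, which changes the ordinal of `UNAUTHORIZED_ACCESS_ATTEMPT`; if the column `loggingDAO` writes is mapped with JPA's default `EnumType.ORDINAL`, or the value is stored or compared via `ordinal()` anywhere, previously recorded unauthorized-access rows would read back as `API_CALL` after this deploy. Nothing in this section shows how the enum is persisted, so either confirm it is stored by name (`@Enumerated(EnumType.STRING)`) or append the new constant last. A comment on the enum such as `// persisted by name; declaration order is not significant` (or the opposite, if it is) would keep this from recurring.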