Commit cdc85827 authored by Sonia Zorba

Make root always traversable; fix LoggingDAO action type for API calls

parent 3b4ded02
...@@ -56,13 +56,14 @@ public class JWTFilter implements Filter { ...@@ -56,13 +56,14 @@ public class JWTFilter implements Filter {
Map<String, Object> claims = userManager.parseIdTokenClaims(token); Map<String, Object> claims = userManager.parseIdTokenClaims(token);
if (claims.get("sub") == null) { if (claims.get("sub") == null) {
loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Attempt to access API with invalid token", request); loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Attempt to access API with invalid token " + request.getRequestURI(), request);
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid access token: missing sub claim"); response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid access token: missing sub claim");
return; return;
} }
ServletRequestWithJWTPrincipal wrappedRequest = new ServletRequestWithJWTPrincipal(request, token, claims); ServletRequestWithJWTPrincipal wrappedRequest = new ServletRequestWithJWTPrincipal(request, token, claims);
loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "API access from " + wrappedRequest.getUserPrincipal().getName(), request);
loggingDAO.logAction(ActionType.API_CALL, request.getRequestURI() + " called by " + wrappedRequest.getUserPrincipal().getName(), request);
fc.doFilter(wrappedRequest, res); fc.doFilter(wrappedRequest, res);
} }
......
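Review bot: The request URI appended to the unauthorized-attempt message, and the URI plus principal name in the new API_CALL entry, are request-controlled values concatenated straight into the audit record; if LoggingDAO's sink is line-oriented or the text is later rendered, they should be length-capped and stripped of control characters first, e.g. `String uri = request.getRequestURI().replaceAll("[\\r\\n\\t]", "_");` reused in both messages. Writing an API_CALL row for every authenticated request also makes the action log a per-request write, which is presumably intended but worth stating so it is not "fixed" later: `// one audit row per authenticated API call; rejected tokens are logged above`. The enclosing doFilter starts before the hunk.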
package it.inaf.ia2.gms.controller; package it.inaf.ia2.gms.controller;
import it.inaf.ia2.gms.authn.SessionData; import it.inaf.ia2.gms.authn.SessionData;
import it.inaf.ia2.gms.exception.UnauthorizedException;
import it.inaf.ia2.gms.manager.InvitedRegistrationManager; import it.inaf.ia2.gms.manager.InvitedRegistrationManager;
import it.inaf.ia2.gms.model.GroupBreadcrumb;
import it.inaf.ia2.gms.model.GroupNode;
import it.inaf.ia2.gms.model.Permission;
import it.inaf.ia2.gms.model.request.GroupsRequest; import it.inaf.ia2.gms.model.request.GroupsRequest;
import it.inaf.ia2.gms.model.response.GroupsTabResponse; import it.inaf.ia2.gms.model.response.GroupsTabResponse;
import it.inaf.ia2.gms.model.response.HomePageResponse; import it.inaf.ia2.gms.model.response.HomePageResponse;
import it.inaf.ia2.gms.model.response.PaginatedData;
import it.inaf.ia2.gms.persistence.model.InvitedRegistration; import it.inaf.ia2.gms.persistence.model.InvitedRegistration;
import java.io.IOException; import java.io.IOException;
import java.util.ArrayList;
import java.util.List; import java.util.List;
import java.util.Optional; import java.util.Optional;
import javax.servlet.ServletException; import javax.servlet.ServletException;
...@@ -48,37 +42,14 @@ public class HomePageController { ...@@ -48,37 +42,14 @@ public class HomePageController {
response.setUser(session.getUserName()); response.setUser(session.getUserName());
try { GroupsTabResponse groupsTabResponse = groupsTabResponseBuilder.getGroupsTab(request);
GroupsTabResponse groupsTabResponse = groupsTabResponseBuilder.getGroupsTab(request); response.setBreadcrumbs(groupsTabResponse.getBreadcrumbs());
response.setBreadcrumbs(groupsTabResponse.getBreadcrumbs()); response.setGroupsPanel(groupsTabResponse.getGroupsPanel());
response.setGroupsPanel(groupsTabResponse.getGroupsPanel()); response.setPermission(groupsTabResponse.getPermission());
response.setPermission(groupsTabResponse.getPermission());
} catch (UnauthorizedException ex) {
if ("ROOT".equals(request.getGroupId())) {
response.setBreadcrumbs(getRootBreadcrumbs());
response.setGroupsPanel(getEmptyGroupsPanel(request));
response.setPermission(Permission.TRAVERSE);
} else {
throw ex;
}
}
return ResponseEntity.ok(response); return ResponseEntity.ok(response);
} }
private List<GroupBreadcrumb> getRootBreadcrumbs() {
List<GroupBreadcrumb> breadcrumbs = new ArrayList<>();
GroupBreadcrumb breadcrumb = new GroupBreadcrumb();
breadcrumb.setGroupId("ROOT");
breadcrumb.setGroupName("ROOT");
breadcrumbs.add(breadcrumb);
return breadcrumbs;
}
private PaginatedData<GroupNode> getEmptyGroupsPanel(GroupsRequest request) {
return new PaginatedData<>(new ArrayList<>(), 1, request.getPaginatorPageSize());
}
@GetMapping(value = "/", produces = MediaType.TEXT_HTML_VALUE) @GetMapping(value = "/", produces = MediaType.TEXT_HTML_VALUE)
public String index(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { public String index(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
......
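Review bot: With the UnauthorizedException fallback for "ROOT" removed, this handler's root-page behavior now depends entirely on the permission layer granting TRAVERSE on ROOT, and nothing at the call site records that dependency, so a future change to PermissionsManager could break the home page without any hint here. A one-line comment above the getGroupsTab call would pin it: `// ROOT needs no special case here: the permission layer grants every authenticated user TRAVERSE on it`. The enclosing handler method starts before the hunk.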
...@@ -84,6 +84,10 @@ public class GroupsManager extends UserAwareComponent { ...@@ -84,6 +84,10 @@ public class GroupsManager extends UserAwareComponent {
} }
public void verifyUserCanReadGroup(GroupEntity group) { public void verifyUserCanReadGroup(GroupEntity group) {
if (GroupsService.ROOT.equals(group.getId())) {
// Everybody can read the root
return;
}
if (permissionsManager.getCurrentUserPermission(group) == null) { if (permissionsManager.getCurrentUserPermission(group) == null) {
loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Unauthorized group management request, group_id=" + group.getId()); loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Unauthorized group management request, group_id=" + group.getId());
throw new UnauthorizedException("Missing permission to see this group"); throw new UnauthorizedException("Missing permission to see this group");
......
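Review bot: The new early return duplicates the ROOT rule that PermissionsManager.getCurrentUserPermission also implements in this commit, so there are now two places that must agree; unless the permission lookup is too costly to pay for ROOT, dropping this early return and relying on the null check below keeps a single authority. If it stays, the comment should name the permission actually implied rather than "read", since TRAVERSE is what the permission layer grants: `// ROOT is TRAVERSE for every authenticated user (PermissionsManager.getCurrentUserPermission); skip the lookup`. "Everybody" here still means callers that reached this code with a current user, as far as the other hunk shows. The method's tail is outside the hunk.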
...@@ -10,6 +10,7 @@ import it.inaf.ia2.gms.service.PermissionUtils; ...@@ -10,6 +10,7 @@ import it.inaf.ia2.gms.service.PermissionUtils;
import it.inaf.ia2.gms.service.PermissionsService; import it.inaf.ia2.gms.service.PermissionsService;
import it.inaf.ia2.gms.authn.RapClient; import it.inaf.ia2.gms.authn.RapClient;
import it.inaf.ia2.gms.persistence.model.ActionType; import it.inaf.ia2.gms.persistence.model.ActionType;
import it.inaf.ia2.gms.service.GroupsService;
import it.inaf.ia2.rap.data.RapUser; import it.inaf.ia2.rap.data.RapUser;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
...@@ -159,6 +160,8 @@ public class PermissionsManager extends UserAwareComponent { ...@@ -159,6 +160,8 @@ public class PermissionsManager extends UserAwareComponent {
public Permission getCurrentUserPermission(GroupEntity group) { public Permission getCurrentUserPermission(GroupEntity group) {
List<PermissionEntity> permissions = permissionsService.findUserPermissions(group, getCurrentUserId()); List<PermissionEntity> permissions = permissionsService.findUserPermissions(group, getCurrentUserId());
return PermissionUtils.getGroupPermission(group, permissions).orElse(null); return PermissionUtils.getGroupPermission(group, permissions).orElse(
GroupsService.ROOT.equals(group.getId()) ? Permission.TRAVERSE : null
);
} }
} }
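Review bot: The ROOT fallback applies only when the lookup yields nothing, which is the right precedence, but the method carries no documentation of that contract, so callers such as GroupsManager cannot tell from the signature that ROOT never returns null. A Javadoc would pin it: `/** Effective permission of the current user on {@code group}, or null if none; ROOT always yields at least TRAVERSE. */`. The `group.getId()` dereference inside the orElse is safe only if findUserPermissions already rejects a null group, which is not visible here; otherwise `Objects.requireNonNull(group, "group");` at the top gives a clearer failure.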
...@@ -15,5 +15,6 @@ public enum ActionType { ...@@ -15,5 +15,6 @@ public enum ActionType {
INVITED_REGISTRATION_OPENED, INVITED_REGISTRATION_OPENED,
INVITED_REGISTRATION_DELETED, INVITED_REGISTRATION_DELETED,
INVITED_REGISTRATION_COMPLETED, INVITED_REGISTRATION_COMPLETED,
API_CALL,
UNAUTHORIZED_ACCESS_ATTEMPT UNAUTHORIZED_ACCESS_ATTEMPT
} }
package it.inaf.ia2.gms.manager;
import it.inaf.ia2.gms.exception.UnauthorizedException;
import it.inaf.ia2.gms.persistence.LoggingDAO;
import it.inaf.ia2.gms.persistence.model.GroupEntity;
import it.inaf.ia2.gms.service.GroupsService;
import static org.junit.Assert.assertTrue;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.InjectMocks;
import org.mockito.Mock;
import org.mockito.junit.MockitoJUnitRunner;
@RunWith(MockitoJUnitRunner.class)
public class GroupsManagerTest {
@Mock
private GroupsService groupsService;
@Mock
private PermissionsManager permissionsManager;
@Mock
private LoggingDAO loggingDAO;
@InjectMocks
private GroupsManager groupsManager;
@Test
public void testRootAlwaysReadable() {
GroupEntity root = new GroupEntity();
root.setName("ROOT");
root.setId(GroupsService.ROOT);
root.setPath("");
groupsManager.verifyUserCanReadGroup(root);
}
@Test
public void testVerifyUserCanReadGroupFails() {
boolean exception = false;
GroupEntity group = new GroupEntity();
group.setName("group_name");
group.setId("group_id");
group.setPath("group_id");
try {
groupsManager.verifyUserCanReadGroup(group);
} catch (UnauthorizedException ex) {
exception = true;
}
assertTrue(exception);
}
}
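Review bot: testVerifyUserCanReadGroupFails relies on the Mockito default (null) from permissionsManager.getCurrentUserPermission without saying so, and it never checks the audit side effect that the production code pairs with the exception. Stub it explicitly with `when(permissionsManager.getCurrentUserPermission(group)).thenReturn(null);` before the call and add `verify(loggingDAO).logAction(eq(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT), anyString());` after the assertTrue (both need Mockito static imports). For testRootAlwaysReadable, `verify(permissionsManager, never()).getCurrentUserPermission(any());` would show that the early return, not a lenient stub, is what makes it pass.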
...@@ -5,11 +5,13 @@ import it.inaf.ia2.gms.model.Permission; ...@@ -5,11 +5,13 @@ import it.inaf.ia2.gms.model.Permission;
import it.inaf.ia2.gms.persistence.LoggingDAO; import it.inaf.ia2.gms.persistence.LoggingDAO;
import it.inaf.ia2.gms.persistence.model.GroupEntity; import it.inaf.ia2.gms.persistence.model.GroupEntity;
import it.inaf.ia2.gms.persistence.model.PermissionEntity; import it.inaf.ia2.gms.persistence.model.PermissionEntity;
import it.inaf.ia2.gms.service.GroupsService;
import it.inaf.ia2.gms.service.PermissionsService; import it.inaf.ia2.gms.service.PermissionsService;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collections; import java.util.Collections;
import java.util.List; import java.util.List;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import static org.junit.Assert.assertEquals;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import org.junit.runner.RunWith; import org.junit.runner.RunWith;
...@@ -137,6 +139,18 @@ public class PermissionsManagerTest { ...@@ -137,6 +139,18 @@ public class PermissionsManagerTest {
permissionsManager.removePermission(group, TARGET_USER_ID); permissionsManager.removePermission(group, TARGET_USER_ID);
} }
@Test
public void testGetCurrentUserPermissionAlwaysTraverseRoot() {
when(permissionsService.findUserPermissions(any(), any())).thenReturn(new ArrayList<>());
GroupEntity root = new GroupEntity();
root.setName("ROOT");
root.setId(GroupsService.ROOT);
root.setPath("");
assertEquals(Permission.TRAVERSE, permissionsManager.getCurrentUserPermission(root));
}
private List<PermissionEntity> getUserPermissions(GroupEntity group, Permission permission) { private List<PermissionEntity> getUserPermissions(GroupEntity group, Permission permission) {
PermissionEntity entity = new PermissionEntity(); PermissionEntity entity = new PermissionEntity();
entity.setPermission(permission); entity.setPermission(permission);
......
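Review bot: The new test proves the ROOT fallback grants TRAVERSE, but nothing in this file guards the other half of the new orElse: a non-root group with an empty permission list must still yield null, otherwise the change would silently over-grant. A sibling test with the same stub but a non-root id pins that, and needs an `assertNull` static import alongside the `assertEquals` one added here.

```java
@Test
public void testGetCurrentUserPermissionNullForNonRoot() {
    when(permissionsService.findUserPermissions(any(), any())).thenReturn(new ArrayList<>());
    GroupEntity group = new GroupEntity();
    group.setName("group_name");
    group.setId("group_id");
    group.setPath("group_id");
    assertNull(permissionsManager.getCurrentUserPermission(group));
}
```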