Loading gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java +3 −2 Original line number Diff line number Diff line Loading @@ -3,6 +3,7 @@ package it.inaf.ia2.gms.authn; import it.inaf.ia2.aa.UserManager; import it.inaf.ia2.aa.data.User; import it.inaf.ia2.gms.persistence.LoggingDAO; import it.inaf.ia2.gms.persistence.model.ActionType; import java.io.IOException; import java.security.Principal; import java.util.Map; Loading Loading @@ -55,13 +56,13 @@ public class JWTFilter implements Filter { Map<String, Object> claims = userManager.parseIdTokenClaims(token); if (claims.get("sub") == null) { loggingDAO.logAction("Attempt to access WS with invalid token", request); loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Attempt to access API with invalid token", request); response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid access token: missing sub claim"); return; } ServletRequestWithJWTPrincipal wrappedRequest = new ServletRequestWithJWTPrincipal(request, token, claims); loggingDAO.logAction("WS access from " + wrappedRequest.getUserPrincipal().getName(), request); loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "API access from " + wrappedRequest.getUserPrincipal().getName(), request); fc.doFilter(wrappedRequest, res); } Loading gms/src/main/java/it/inaf/ia2/gms/manager/GroupsManager.java +3 −2 Original line number Diff line number Diff line Loading @@ -4,6 +4,7 @@ import it.inaf.ia2.gms.exception.BadRequestException; import it.inaf.ia2.gms.exception.UnauthorizedException; import it.inaf.ia2.gms.model.Permission; import it.inaf.ia2.gms.persistence.LoggingDAO; import it.inaf.ia2.gms.persistence.model.ActionType; import it.inaf.ia2.gms.persistence.model.GroupEntity; import it.inaf.ia2.gms.persistence.model.PermissionEntity; import it.inaf.ia2.gms.service.GroupsService; Loading Loading 
@@ -84,14 +85,14 @@ public class GroupsManager extends UserAwareComponent { public void verifyUserCanReadGroup(GroupEntity group) { if (permissionsManager.getCurrentUserPermission(group) == null) { loggingDAO.logAction("Unauthorized group management request, group_id=" + group.getId()); loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Unauthorized group management request, group_id=" + group.getId()); throw new UnauthorizedException("Missing permission to see this group"); } } private void verifyUserCanManageGroup(GroupEntity group) { if (permissionsManager.getCurrentUserPermission(group) != Permission.ADMIN) { loggingDAO.logAction("Unauthorized group management request, group_id=" + group.getId()); loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Unauthorized group management request, group_id=" + group.getId()); throw new UnauthorizedException("Missing admin permission"); } } Loading gms/src/main/java/it/inaf/ia2/gms/manager/InvitedRegistrationManager.java +14 −5 Original line number Diff line number Diff line Loading @@ -14,6 +14,7 @@ import it.inaf.ia2.gms.persistence.model.InvitedRegistration; import it.inaf.ia2.gms.persistence.model.MembershipEntity; import it.inaf.ia2.gms.service.PermissionsService; import it.inaf.ia2.gms.authn.RapClient; import static it.inaf.ia2.gms.persistence.model.ActionType.*; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; Loading Loading 
@@ -68,6 +69,7 @@ public class InvitedRegistrationManager extends UserAwareComponent { for (Map.Entry<GroupEntity, Permission> entry : groupsPermissions.entrySet()) { GroupEntity group = entry.getKey(); if (permissionsManager.getCurrentUserPermission(group) != Permission.ADMIN) { loggingDAO.logAction(UNAUTHORIZED_ACCESS_ATTEMPT, "Attempt to add invited registration for group " + group.getId()); throw new UnauthorizedException("You don't have the permission to perform invited registrations"); } groupIdsPermissions.put(group.getId(), entry.getValue()); Loading @@ -80,6 +82,8 @@ public class InvitedRegistrationManager extends UserAwareComponent { .setGroupsPermissions(groupIdsPermissions); invitedRegistrationDAO.addInvitedRegistration(invitedRegistration); loggingDAO.logAction(INVITED_REGISTRATION_ADDED, "Email=" + email); } public InvitedRegistration getInvitedRegistrationFromToken(String token) { Loading @@ -94,7 +98,7 @@ public class InvitedRegistrationManager extends UserAwareComponent { httpSession.setAttribute(INVITED_REGISTRATION, invitedRegistration); loggingDAO.logAction("Started invited registration for email " + invitedRegistration.getEmail()); loggingDAO.logAction(INVITED_REGISTRATION_OPENED, "Started invited registration for email " + invitedRegistration.getEmail()); return invitedRegistration; } catch (NoSuchAlgorithmException ex) { Loading Loading @@ -144,9 +148,11 @@ public class InvitedRegistrationManager extends UserAwareComponent { } private void completeInvitedRegistration(InvitedRegistration invitedRegistration) { String userId = getCurrentUserId(); for (Map.Entry<String, Permission> entry : invitedRegistration.getGroupsPermissions().entrySet()) { String groupId = entry.getKey(); String userId = getCurrentUserId(); GroupEntity groupEntity = groupsDAO.findGroupById(groupId).get(); Loading 
@@ -156,11 +162,14 @@ public class InvitedRegistrationManager extends UserAwareComponent { membershipEntity.setCreatedBy(getCurrentUserId()); membershipsDAO.addMember(membershipEntity); permissionsService.addPermission(groupEntity, userId, entry.getValue(), getCurrentUserId()); permissionsService.addPermission(groupEntity, userId, entry.getValue(), userId); } invitedRegistration.setUserId(getCurrentUserId()); invitedRegistration.setUserId(userId); invitedRegistrationDAO.setRegistrationDone(invitedRegistration); loggingDAO.logAction(INVITED_REGISTRATION_COMPLETED, "user_id=" + userId + " groups=[" + String.join(",", invitedRegistration.getGroupsPermissions().keySet()) + "]"); } public List<InvitedRegistrationItem> getInvitedRegistrationsForGroup(GroupEntity group) { Loading Loading @@ -201,7 +210,7 @@ public class InvitedRegistrationManager extends UserAwareComponent { invitedRegistrationDAO.deleteInvitedRegistrationRequest(registrationId, groupId); loggingDAO.logAction("Deleted invited registration request. " loggingDAO.logAction(INVITED_REGISTRATION_DELETED, "Deleted invited registration request. " + "[request_id=" + registrationId + ", group_id=" + groupId + ", group_name=" + group.getName() + "]"); } Loading gms/src/main/java/it/inaf/ia2/gms/manager/MembershipManager.java +5 −2 Original line number Diff line number Diff line Loading @@ -10,6 +10,7 @@ import it.inaf.ia2.gms.persistence.model.MembershipEntity; import it.inaf.ia2.gms.persistence.model.PermissionEntity; import it.inaf.ia2.gms.service.PermissionUtils; import it.inaf.ia2.gms.authn.RapClient; import static it.inaf.ia2.gms.persistence.model.ActionType.*; import it.inaf.ia2.rap.data.RapUser; import java.util.HashSet; import java.util.List; Loading Loading 
@@ -49,6 +50,7 @@ public class MembershipManager extends UserAwareComponent { Permission groupPermission = permissionsManager.getCurrentUserPermission(group); if (!Permission.includes(groupPermission, Permission.VIEW_MEMBERS)) { loggingDAO.logAction(UNAUTHORIZED_ACCESS_ATTEMPT, "Attempted to view members of group " + group.getId()); throw new UnauthorizedException("You don't have the permission to view members"); } Loading Loading @@ -86,7 +88,7 @@ public class MembershipManager extends UserAwareComponent { membership.setCreatedBy(getCurrentUserId()); membership = membershipsDAO.addMember(membership); loggingDAO.logAction("Added member, group_id=" + group.getId() + ", user_id=" + userId); loggingDAO.logAction(MEMBER_ADDED, "Added member, group_id=" + group.getId() + ", user_id=" + userId); return membership; } Loading @@ -94,12 +96,13 @@ public class MembershipManager extends UserAwareComponent { public void removeMember(GroupEntity group, String userId) { verifyUserCanManageMembers(group); membershipsDAO.removeMembership(group.getId(), userId); loggingDAO.logAction("Member removed, group_id=" + group.getId() + ", user_id=" + userId); loggingDAO.logAction(MEMBER_REMOVED, "Member removed, group_id=" + group.getId() + ", user_id=" + userId); } private Permission verifyUserCanManageMembers(GroupEntity group) { Permission permission = permissionsManager.getCurrentUserPermission(group); if (!Permission.includes(permission, Permission.MANAGE_MEMBERS)) { loggingDAO.logAction(UNAUTHORIZED_ACCESS_ATTEMPT, "Attempted to manage members of group " + group.getId()); throw new UnauthorizedException("Missing manage members permissions"); } return permission; Loading gms/src/main/java/it/inaf/ia2/gms/manager/PermissionsManager.java +2 −1 Original line number Diff line number Diff line Loading 
@@ -9,6 +9,7 @@ import it.inaf.ia2.gms.persistence.model.PermissionEntity; import it.inaf.ia2.gms.service.PermissionUtils; import it.inaf.ia2.gms.service.PermissionsService; import it.inaf.ia2.gms.authn.RapClient; import it.inaf.ia2.gms.persistence.model.ActionType; import it.inaf.ia2.rap.data.RapUser; import java.util.ArrayList; import java.util.List; Loading Loading @@ -144,7 +145,7 @@ public class PermissionsManager extends UserAwareComponent { } private Supplier<UnauthorizedException> unauthorizedExceptionSupplier(GroupEntity group) { loggingDAO.logAction("Unauthorized attempt to manage permissions [group_id=" + group.getId() + "]"); loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Unauthorized attempt to manage permissions [group_id=" + group.getId() + "]"); return () -> new UnauthorizedException("You don't have the privileges for managing the requested permission"); } Loading Loading
gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java +3 −2 Original line number Diff line number Diff line Loading @@ -3,6 +3,7 @@ package it.inaf.ia2.gms.authn; import it.inaf.ia2.aa.UserManager; import it.inaf.ia2.aa.data.User; import it.inaf.ia2.gms.persistence.LoggingDAO; import it.inaf.ia2.gms.persistence.model.ActionType; import java.io.IOException; import java.security.Principal; import java.util.Map; Loading Loading @@ -55,13 +56,13 @@ public class JWTFilter implements Filter { Map<String, Object> claims = userManager.parseIdTokenClaims(token); if (claims.get("sub") == null) { loggingDAO.logAction("Attempt to access WS with invalid token", request); loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Attempt to access API with invalid token", request); response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid access token: missing sub claim"); return; } ServletRequestWithJWTPrincipal wrappedRequest = new ServletRequestWithJWTPrincipal(request, token, claims); loggingDAO.logAction("WS access from " + wrappedRequest.getUserPrincipal().getName(), request); loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "API access from " + wrappedRequest.getUserPrincipal().getName(), request); fc.doFilter(wrappedRequest, res); } Loading
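Review bot: The success path of doFilter now records every authenticated request under `ActionType.UNAUTHORIZED_ACCESS_ATTEMPT` ("API access from " + principal), so the category no longer separates denials from normal traffic and any alert built on it will fire on every valid call. The invalid-token branch a few lines above is categorized correctly; only the post-wrapping line is wrong. None of the ActionType constants visible in this commit describes a successful access, so a dedicated constant should be added and used there, e.g. `loggingDAO.logAction(ActionType.API_ACCESS /* placeholder name, define in ActionType */, "API access from " + wrappedRequest.getUserPrincipal().getName(), request);`. doFilter starts before and ends after this hunk.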
gms/src/main/java/it/inaf/ia2/gms/manager/GroupsManager.java +3 −2 Original line number Diff line number Diff line Loading @@ -4,6 +4,7 @@ import it.inaf.ia2.gms.exception.BadRequestException; import it.inaf.ia2.gms.exception.UnauthorizedException; import it.inaf.ia2.gms.model.Permission; import it.inaf.ia2.gms.persistence.LoggingDAO; import it.inaf.ia2.gms.persistence.model.ActionType; import it.inaf.ia2.gms.persistence.model.GroupEntity; import it.inaf.ia2.gms.persistence.model.PermissionEntity; import it.inaf.ia2.gms.service.GroupsService; Loading Loading @@ -84,14 +85,14 @@ public class GroupsManager extends UserAwareComponent { public void verifyUserCanReadGroup(GroupEntity group) { if (permissionsManager.getCurrentUserPermission(group) == null) { loggingDAO.logAction("Unauthorized group management request, group_id=" + group.getId()); loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Unauthorized group management request, group_id=" + group.getId()); throw new UnauthorizedException("Missing permission to see this group"); } } private void verifyUserCanManageGroup(GroupEntity group) { if (permissionsManager.getCurrentUserPermission(group) != Permission.ADMIN) { loggingDAO.logAction("Unauthorized group management request, group_id=" + group.getId()); loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Unauthorized group management request, group_id=" + group.getId()); throw new UnauthorizedException("Missing admin permission"); } } Loading
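Review bot: verifyUserCanReadGroup and verifyUserCanManageGroup emit the identical audit text "Unauthorized group management request, group_id=…", so a denied read (permission null) and a denied admin action (permission not ADMIN) are indistinguishable when triaging the log. In the read check use `loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Unauthorized group read request, group_id=" + group.getId());` and keep the management wording for the admin check. The class continues outside the hunk.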
gms/src/main/java/it/inaf/ia2/gms/manager/InvitedRegistrationManager.java +14 −5 Original line number Diff line number Diff line Loading @@ -14,6 +14,7 @@ import it.inaf.ia2.gms.persistence.model.InvitedRegistration; import it.inaf.ia2.gms.persistence.model.MembershipEntity; import it.inaf.ia2.gms.service.PermissionsService; import it.inaf.ia2.gms.authn.RapClient; import static it.inaf.ia2.gms.persistence.model.ActionType.*; import java.nio.charset.StandardCharsets; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; Loading Loading @@ -68,6 +69,7 @@ public class InvitedRegistrationManager extends UserAwareComponent { for (Map.Entry<GroupEntity, Permission> entry : groupsPermissions.entrySet()) { GroupEntity group = entry.getKey(); if (permissionsManager.getCurrentUserPermission(group) != Permission.ADMIN) { loggingDAO.logAction(UNAUTHORIZED_ACCESS_ATTEMPT, "Attempt to add invited registration for group " + group.getId()); throw new UnauthorizedException("You don't have the permission to perform invited registrations"); } groupIdsPermissions.put(group.getId(), entry.getValue()); Loading @@ -80,6 +82,8 @@ public class InvitedRegistrationManager extends UserAwareComponent { .setGroupsPermissions(groupIdsPermissions); invitedRegistrationDAO.addInvitedRegistration(invitedRegistration); loggingDAO.logAction(INVITED_REGISTRATION_ADDED, "Email=" + email); } public InvitedRegistration getInvitedRegistrationFromToken(String token) { Loading @@ -94,7 +98,7 @@ public class InvitedRegistrationManager extends UserAwareComponent { httpSession.setAttribute(INVITED_REGISTRATION, invitedRegistration); loggingDAO.logAction("Started invited registration for email " + invitedRegistration.getEmail()); loggingDAO.logAction(INVITED_REGISTRATION_OPENED, "Started invited registration for email " + invitedRegistration.getEmail()); return invitedRegistration; } catch (NoSuchAlgorithmException ex) { Loading Loading 
@@ -144,9 +148,11 @@ public class InvitedRegistrationManager extends UserAwareComponent { } private void completeInvitedRegistration(InvitedRegistration invitedRegistration) { String userId = getCurrentUserId(); for (Map.Entry<String, Permission> entry : invitedRegistration.getGroupsPermissions().entrySet()) { String groupId = entry.getKey(); String userId = getCurrentUserId(); GroupEntity groupEntity = groupsDAO.findGroupById(groupId).get(); Loading @@ -156,11 +162,14 @@ public class InvitedRegistrationManager extends UserAwareComponent { membershipEntity.setCreatedBy(getCurrentUserId()); membershipsDAO.addMember(membershipEntity); permissionsService.addPermission(groupEntity, userId, entry.getValue(), getCurrentUserId()); permissionsService.addPermission(groupEntity, userId, entry.getValue(), userId); } invitedRegistration.setUserId(getCurrentUserId()); invitedRegistration.setUserId(userId); invitedRegistrationDAO.setRegistrationDone(invitedRegistration); loggingDAO.logAction(INVITED_REGISTRATION_COMPLETED, "user_id=" + userId + " groups=[" + String.join(",", invitedRegistration.getGroupsPermissions().keySet()) + "]"); } public List<InvitedRegistrationItem> getInvitedRegistrationsForGroup(GroupEntity group) { Loading Loading @@ -201,7 +210,7 @@ public class InvitedRegistrationManager extends UserAwareComponent { invitedRegistrationDAO.deleteInvitedRegistrationRequest(registrationId, groupId); loggingDAO.logAction("Deleted invited registration request. " loggingDAO.logAction(INVITED_REGISTRATION_DELETED, "Deleted invited registration request. " + "[request_id=" + registrationId + ", group_id=" + groupId + ", group_name=" + group.getName() + "]"); } Loading
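Review bot: In completeInvitedRegistration the hoisted userId is now passed as addPermission's createdBy and to setUserId, but `membershipEntity.setCreatedBy(getCurrentUserId());` at the top of the second hunk still re-reads the principal inside the loop; change it to `membershipEntity.setCreatedBy(userId);` so membership, permission and registration all carry the same identity from one read. The INVITED_REGISTRATION_ADDED entry in the first section logs only `"Email=" + email`, while INVITED_REGISTRATION_COMPLETED logs the group ids; logging `groupIdsPermissions.keySet()` on the ADDED entry too would let the two audit events be correlated per group. Both addInvitedRegistration's method and completeInvitedRegistration extend beyond their hunks.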
gms/src/main/java/it/inaf/ia2/gms/manager/MembershipManager.java +5 −2 Original line number Diff line number Diff line Loading @@ -10,6 +10,7 @@ import it.inaf.ia2.gms.persistence.model.MembershipEntity; import it.inaf.ia2.gms.persistence.model.PermissionEntity; import it.inaf.ia2.gms.service.PermissionUtils; import it.inaf.ia2.gms.authn.RapClient; import static it.inaf.ia2.gms.persistence.model.ActionType.*; import it.inaf.ia2.rap.data.RapUser; import java.util.HashSet; import java.util.List; Loading Loading @@ -49,6 +50,7 @@ public class MembershipManager extends UserAwareComponent { Permission groupPermission = permissionsManager.getCurrentUserPermission(group); if (!Permission.includes(groupPermission, Permission.VIEW_MEMBERS)) { loggingDAO.logAction(UNAUTHORIZED_ACCESS_ATTEMPT, "Attempted to view members of group " + group.getId()); throw new UnauthorizedException("You don't have the permission to view members"); } Loading Loading @@ -86,7 +88,7 @@ public class MembershipManager extends UserAwareComponent { membership.setCreatedBy(getCurrentUserId()); membership = membershipsDAO.addMember(membership); loggingDAO.logAction("Added member, group_id=" + group.getId() + ", user_id=" + userId); loggingDAO.logAction(MEMBER_ADDED, "Added member, group_id=" + group.getId() + ", user_id=" + userId); return membership; } Loading 
@@ -94,12 +96,13 @@ public class MembershipManager extends UserAwareComponent { public void removeMember(GroupEntity group, String userId) { verifyUserCanManageMembers(group); membershipsDAO.removeMembership(group.getId(), userId); loggingDAO.logAction("Member removed, group_id=" + group.getId() + ", user_id=" + userId); loggingDAO.logAction(MEMBER_REMOVED, "Member removed, group_id=" + group.getId() + ", user_id=" + userId); } private Permission verifyUserCanManageMembers(GroupEntity group) { Permission permission = permissionsManager.getCurrentUserPermission(group); if (!Permission.includes(permission, Permission.MANAGE_MEMBERS)) { loggingDAO.logAction(UNAUTHORIZED_ACCESS_ATTEMPT, "Attempted to manage members of group " + group.getId()); throw new UnauthorizedException("Missing manage members permissions"); } return permission; Loading
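Review bot: The new UNAUTHORIZED_ACCESS_ATTEMPT records in the two verify methods go through the message-only logAction overload, whereas JWTFilter passes the HttpServletRequest; LoggingDAO is not on this page, so if that overload does not resolve the current principal these denial records will not say who was denied, which is the essential field of an unauthorized-attempt entry. Either confirm the overload attributes the actor or include it explicitly, e.g. `loggingDAO.logAction(UNAUTHORIZED_ACCESS_ATTEMPT, "Attempted to manage members of group " + group.getId() + " by user " + getCurrentUserId());`. The static wildcard `import static …ActionType.*` here and in InvitedRegistrationManager differs from the explicit `ActionType.X` form used in JWTFilter, GroupsManager and PermissionsManager; one convention should be used across the module. verifyUserCanManageMembers continues outside the hunk.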
gms/src/main/java/it/inaf/ia2/gms/manager/PermissionsManager.java +2 −1 Original line number Diff line number Diff line Loading @@ -9,6 +9,7 @@ import it.inaf.ia2.gms.persistence.model.PermissionEntity; import it.inaf.ia2.gms.service.PermissionUtils; import it.inaf.ia2.gms.service.PermissionsService; import it.inaf.ia2.gms.authn.RapClient; import it.inaf.ia2.gms.persistence.model.ActionType; import it.inaf.ia2.rap.data.RapUser; import java.util.ArrayList; import java.util.List; Loading Loading @@ -144,7 +145,7 @@ public class PermissionsManager extends UserAwareComponent { } private Supplier<UnauthorizedException> unauthorizedExceptionSupplier(GroupEntity group) { loggingDAO.logAction("Unauthorized attempt to manage permissions [group_id=" + group.getId() + "]"); loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Unauthorized attempt to manage permissions [group_id=" + group.getId() + "]"); return () -> new UnauthorizedException("You don't have the privileges for managing the requested permission"); } Loading
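Review bot: unauthorizedExceptionSupplier writes the UNAUTHORIZED_ACCESS_ATTEMPT record when the Supplier is built, not when the exception is actually raised; if callers pass it to something like `orElseThrow(...)` (the call sites are outside the hunk), the audit entry is produced on every invocation including the ones where the permission check succeeds, flooding the log with false denials. Move the logAction into the lambda so the record is tied to the throw; the eager call could otherwise only be kept if every caller is known to invoke the supplier unconditionally.
```java
private Supplier<UnauthorizedException> unauthorizedExceptionSupplier(GroupEntity group) {
    return () -> {
        loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Unauthorized attempt to manage permissions [group_id=" + group.getId() + "]");
        return new UnauthorizedException("You don't have the privileges for managing the requested permission");
    };
}
```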