From cdc85827792efeb827b0677229dc5603a5734040 Mon Sep 17 00:00:00 2001
From: Sonia Zorba <sonia.zorba@inaf.it>
Date: Mon, 22 Mar 2021 12:01:53 +0100
Subject: [PATCH] Set root always traversable; LoggingDAO fix

---
 .../java/it/inaf/ia2/gms/authn/JWTFilter.java | 5 +-
 .../gms/controller/HomePageController.java | 37 ++----------
 .../inaf/ia2/gms/manager/GroupsManager.java | 4 ++
 .../ia2/gms/manager/PermissionsManager.java | 5 +-
 .../ia2/gms/persistence/model/ActionType.java | 1 +
 .../ia2/gms/manager/GroupsManagerTest.java | 56 +++++++++++++++++++
 .../gms/manager/PermissionsManagerTest.java | 14 +++++
 7 files changed, 86 insertions(+), 36 deletions(-)
 create mode 100644 gms/src/test/java/it/inaf/ia2/gms/manager/GroupsManagerTest.java

diff --git a/gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java b/gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java
index ed7be0d..72d55a1 100644
--- a/gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/authn/JWTFilter.java
@@ -56,13 +56,14 @@ public class JWTFilter implements Filter {
         Map<String, Object> claims = userManager.parseIdTokenClaims(token);
         if (claims.get("sub") == null) {
-            loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Attempt to access API with invalid token", request);
+            loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Attempt to access API with invalid token " + request.getRequestURI(), request);
             response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid access token: missing sub claim");
             return;
         }
         ServletRequestWithJWTPrincipal wrappedRequest = new ServletRequestWithJWTPrincipal(request, token, claims);
-        loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "API access from " + wrappedRequest.getUserPrincipal().getName(), request);
+
+        loggingDAO.logAction(ActionType.API_CALL, request.getRequestURI() + " called by " + wrappedRequest.getUserPrincipal().getName(), request);
         fc.doFilter(wrappedRequest, res);
     }
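Review bot: The URI appended to the UNAUTHORIZED_ACCESS_ATTEMPT message on the first `+` line comes from a request that failed token validation, so the audit entry now carries unvalidated client input; if LoggingDAO writes it to a text sink, cap its length and neutralise line breaks before concatenation, e.g. `String uri = request.getRequestURI().replaceAll("[\\r\\n]", "_");`, which is harmless if the DAO uses parameterized storage (not visible in the hunk). The API_CALL entry on the last `+` line is written for every authenticated request, so log volume now scales with traffic; confirm that is intended for the DAO backend. The empty `+` line before the API_CALL call looks unintentional. The enclosing doFilter body starts before the hunk.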
diff --git a/gms/src/main/java/it/inaf/ia2/gms/controller/HomePageController.java b/gms/src/main/java/it/inaf/ia2/gms/controller/HomePageController.java
index d9f18f6..6fbf33f 100644
--- a/gms/src/main/java/it/inaf/ia2/gms/controller/HomePageController.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/controller/HomePageController.java
@@ -1,18 +1,12 @@
 package it.inaf.ia2.gms.controller;
 import it.inaf.ia2.gms.authn.SessionData;
-import it.inaf.ia2.gms.exception.UnauthorizedException;
 import it.inaf.ia2.gms.manager.InvitedRegistrationManager;
-import it.inaf.ia2.gms.model.GroupBreadcrumb;
-import it.inaf.ia2.gms.model.GroupNode;
-import it.inaf.ia2.gms.model.Permission;
 import it.inaf.ia2.gms.model.request.GroupsRequest;
 import it.inaf.ia2.gms.model.response.GroupsTabResponse;
 import it.inaf.ia2.gms.model.response.HomePageResponse;
-import it.inaf.ia2.gms.model.response.PaginatedData;
 import it.inaf.ia2.gms.persistence.model.InvitedRegistration;
 import java.io.IOException;
-import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
 import javax.servlet.ServletException;
@@ -48,37 +42,14 @@ public class HomePageController {
         response.setUser(session.getUserName());
-        try {
-            GroupsTabResponse groupsTabResponse = groupsTabResponseBuilder.getGroupsTab(request);
-            response.setBreadcrumbs(groupsTabResponse.getBreadcrumbs());
-            response.setGroupsPanel(groupsTabResponse.getGroupsPanel());
-            response.setPermission(groupsTabResponse.getPermission());
-        } catch (UnauthorizedException ex) {
-            if ("ROOT".equals(request.getGroupId())) {
-                response.setBreadcrumbs(getRootBreadcrumbs());
-                response.setGroupsPanel(getEmptyGroupsPanel(request));
-                response.setPermission(Permission.TRAVERSE);
-            } else {
-                throw ex;
-            }
-        }
+        GroupsTabResponse groupsTabResponse = groupsTabResponseBuilder.getGroupsTab(request);
+        response.setBreadcrumbs(groupsTabResponse.getBreadcrumbs());
+        response.setGroupsPanel(groupsTabResponse.getGroupsPanel());
+        response.setPermission(groupsTabResponse.getPermission());
         return ResponseEntity.ok(response);
     }
-    private List<GroupBreadcrumb> getRootBreadcrumbs() {
-        List<GroupBreadcrumb> breadcrumbs = new ArrayList<>();
-        GroupBreadcrumb breadcrumb = new GroupBreadcrumb();
-        breadcrumb.setGroupId("ROOT");
-        breadcrumb.setGroupName("ROOT");
-        breadcrumbs.add(breadcrumb);
-        return breadcrumbs;
-    }
-
-    private PaginatedData<GroupNode> getEmptyGroupsPanel(GroupsRequest request) {
-        return new PaginatedData<>(new ArrayList<>(), 1, request.getPaginatorPageSize());
-    }
-
     @GetMapping(value = "/", produces = MediaType.TEXT_HTML_VALUE)
     public String index(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
diff --git a/gms/src/main/java/it/inaf/ia2/gms/manager/GroupsManager.java b/gms/src/main/java/it/inaf/ia2/gms/manager/GroupsManager.java
index dcbadea..6a76c6b 100644
--- a/gms/src/main/java/it/inaf/ia2/gms/manager/GroupsManager.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/manager/GroupsManager.java
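Review bot: With the UnauthorizedException fallback removed, the new `getGroupsTab(request)` call lets that exception propagate for every group id, root included, so the home page now relies entirely on GroupsManager and PermissionsManager treating `GroupsService.ROOT` as traversable; a one-line comment keeps that dependency visible, e.g. `// Root is always at least TRAVERSE (enforced in GroupsManager/PermissionsManager), so no local fallback is needed`. It is worth confirming that an uncaught UnauthorizedException from this controller is mapped to a 401/403 response rather than a generic 500, since the previous code handled it locally and that mapping is not visible in the hunk. The enclosing handler method starts before the hunk, and the `index` method at the end continues past it.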
@@ -84,6 +84,10 @@ public class GroupsManager extends UserAwareComponent {
     }
     public void verifyUserCanReadGroup(GroupEntity group) {
+        if (GroupsService.ROOT.equals(group.getId())) {
+            // Everybody can read the root
+            return;
+        }
         if (permissionsManager.getCurrentUserPermission(group) == null) {
             loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Unauthorized group management request, group_id=" + group.getId());
             throw new UnauthorizedException("Missing permission to see this group");
diff --git a/gms/src/main/java/it/inaf/ia2/gms/manager/PermissionsManager.java b/gms/src/main/java/it/inaf/ia2/gms/manager/PermissionsManager.java
index f684d6d..eb1271e 100644
--- a/gms/src/main/java/it/inaf/ia2/gms/manager/PermissionsManager.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/manager/PermissionsManager.java
@@ -10,6 +10,7 @@ import it.inaf.ia2.gms.service.PermissionUtils;
 import it.inaf.ia2.gms.service.PermissionsService;
 import it.inaf.ia2.gms.authn.RapClient;
 import it.inaf.ia2.gms.persistence.model.ActionType;
+import it.inaf.ia2.gms.service.GroupsService;
 import it.inaf.ia2.rap.data.RapUser;
 import java.util.ArrayList;
 import java.util.List;
@@ -159,6 +160,8 @@ public class PermissionsManager extends UserAwareComponent {
     public Permission getCurrentUserPermission(GroupEntity group) {
         List<PermissionEntity> permissions = permissionsService.findUserPermissions(group, getCurrentUserId());
-        return PermissionUtils.getGroupPermission(group, permissions).orElse(null);
+        return PermissionUtils.getGroupPermission(group, permissions).orElse(
+                GroupsService.ROOT.equals(group.getId()) ? Permission.TRAVERSE : null
+        );
     }
 }
diff --git a/gms/src/main/java/it/inaf/ia2/gms/persistence/model/ActionType.java b/gms/src/main/java/it/inaf/ia2/gms/persistence/model/ActionType.java
index f867604..9982719 100644
--- a/gms/src/main/java/it/inaf/ia2/gms/persistence/model/ActionType.java
+++ b/gms/src/main/java/it/inaf/ia2/gms/persistence/model/ActionType.java
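Review bot: The early return on the first `+` line of the GroupsManager hunk duplicates the rule introduced in PermissionsManager.getCurrentUserPermission in this same commit, which already yields TRAVERSE for `GroupsService.ROOT`; with both in place the manager-level guard is reachable only when permissionsManager is mocked, and a future change to one rule can silently diverge from the other. Keep one authoritative place — either drop this guard and rely on the non-null permission, or widen the comment to say why both exist, e.g. `// Root is readable without a stored permission; PermissionsManager applies the same rule, this guard only skips the lookup`. The method's closing lines are outside the hunk.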
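Review bot: The `orElse(...)` on the `+` lines of the PermissionsManager hunk folds a policy decision (root is always at least TRAVERSE) into a fallback expression that is easy to miss when reading the method; a Javadoc on getCurrentUserPermission stating that it returns `null` only for non-root groups without a stored permission, and that an explicit permission on root still takes precedence over the TRAVERSE default, would document the contract callers now depend on. A named fallback also reads more plainly than the nested ternary, e.g. `Permission fallback = GroupsService.ROOT.equals(group.getId()) ? Permission.TRAVERSE : null;` followed by `.orElse(fallback)`.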
@@ -15,5 +15,6 @@ public enum ActionType {
     INVITED_REGISTRATION_OPENED,
     INVITED_REGISTRATION_DELETED,
     INVITED_REGISTRATION_COMPLETED,
+    API_CALL,
     UNAUTHORIZED_ACCESS_ATTEMPT
 }
diff --git a/gms/src/test/java/it/inaf/ia2/gms/manager/GroupsManagerTest.java b/gms/src/test/java/it/inaf/ia2/gms/manager/GroupsManagerTest.java
new file mode 100644
index 0000000..9a63a0c
--- /dev/null
+++ b/gms/src/test/java/it/inaf/ia2/gms/manager/GroupsManagerTest.java
@@ -0,0 +1,56 @@
+package it.inaf.ia2.gms.manager;
+
+import it.inaf.ia2.gms.exception.UnauthorizedException;
+import it.inaf.ia2.gms.persistence.LoggingDAO;
+import it.inaf.ia2.gms.persistence.model.GroupEntity;
+import it.inaf.ia2.gms.service.GroupsService;
+import static org.junit.Assert.assertTrue;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.MockitoJUnitRunner;
+
+@RunWith(MockitoJUnitRunner.class)
+public class GroupsManagerTest {
+
+    @Mock
+    private GroupsService groupsService;
+    @Mock
+    private PermissionsManager permissionsManager;
+    @Mock
+    private LoggingDAO loggingDAO;
+
+    @InjectMocks
+    private GroupsManager groupsManager;
+
+    @Test
+    public void testRootAlwaysReadable() {
+
+        GroupEntity root = new GroupEntity();
+        root.setName("ROOT");
+        root.setId(GroupsService.ROOT);
+        root.setPath("");
+
+        groupsManager.verifyUserCanReadGroup(root);
+    }
+
+    @Test
+    public void testVerifyUserCanReadGroupFails() {
+
+        boolean exception = false;
+
+        GroupEntity group = new GroupEntity();
+        group.setName("group_name");
+        group.setId("group_id");
+        group.setPath("group_id");
+
+        try {
+            groupsManager.verifyUserCanReadGroup(group);
+        } catch (UnauthorizedException ex) {
+            exception = true;
+        }
+
+        assertTrue(exception);
+    }
+}
diff --git a/gms/src/test/java/it/inaf/ia2/gms/manager/PermissionsManagerTest.java b/gms/src/test/java/it/inaf/ia2/gms/manager/PermissionsManagerTest.java
index 072a3ee..4032686 100644
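Review bot: `API_CALL` is inserted before `UNAUTHORIZED_ACCESS_ATTEMPT` rather than appended, which shifts that constant's ordinal; if ActionType is persisted by ordinal anywhere (the enum lives in the persistence model package, but the column mapping is not visible here), existing UNAUTHORIZED_ACCESS_ATTEMPT rows would be read back as API_CALL, silently hiding past security events. Appending new constants at the end, or confirming the column stores the enum name, avoids that; a short comment such as `// append new values only — stored rows may reference the ordinal` would document the constraint either way.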
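Review bot: testVerifyUserCanReadGroupFails in the new GroupsManagerTest relies on the Mockito default that `permissionsManager.getCurrentUserPermission(group)` returns null, which is the very precondition under test but is never stated; an explicit `when(permissionsManager.getCurrentUserPermission(group)).thenReturn(null);` makes it visible. The try/catch boolean flag can become `@Test(expected = UnauthorizedException.class)` on the JUnit 4 runner the file already uses. testRootAlwaysReadable should also assert that the permission lookup was skipped, e.g. `verifyNoInteractions(permissionsManager);` (or `verifyZeroInteractions` on older Mockito), so it distinguishes the new early return from the PermissionsManager fallback rather than passing under either.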
--- a/gms/src/test/java/it/inaf/ia2/gms/manager/PermissionsManagerTest.java
+++ b/gms/src/test/java/it/inaf/ia2/gms/manager/PermissionsManagerTest.java
@@ -5,11 +5,13 @@ import it.inaf.ia2.gms.model.Permission;
 import it.inaf.ia2.gms.persistence.LoggingDAO;
 import it.inaf.ia2.gms.persistence.model.GroupEntity;
 import it.inaf.ia2.gms.persistence.model.PermissionEntity;
+import it.inaf.ia2.gms.service.GroupsService;
 import it.inaf.ia2.gms.service.PermissionsService;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import javax.servlet.http.HttpServletRequest;
+import static org.junit.Assert.assertEquals;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
@@ -137,6 +139,18 @@ public class PermissionsManagerTest {
         permissionsManager.removePermission(group, TARGET_USER_ID);
     }
+    @Test
+    public void testGetCurrentUserPermissionAlwaysTraverseRoot() {
+        when(permissionsService.findUserPermissions(any(), any())).thenReturn(new ArrayList<>());
+
+        GroupEntity root = new GroupEntity();
+        root.setName("ROOT");
+        root.setId(GroupsService.ROOT);
+        root.setPath("");
+
+        assertEquals(Permission.TRAVERSE, permissionsManager.getCurrentUserPermission(root));
+    }
+
     private List<PermissionEntity> getUserPermissions(GroupEntity group, Permission permission) {
         PermissionEntity entity = new PermissionEntity();
         entity.setPermission(permission);
-- 
GitLab
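Review bot: The new test covers only the no-permission case for root; because the production change is an `orElse` fallback, a second case where `findUserPermissions` returns an explicit root permission (the file's existing `getUserPermissions(root, ...)` helper builds one) should assert that permission is returned unchanged, otherwise a regression that unconditionally returns TRAVERSE for root would still pass. If not already covered elsewhere in the file, a non-root group with no stored permissions should also be asserted to yield `null`, which pins the boundary of the new rule rather than only its positive side.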