Denied tar/zip generation to anonymous users

b09f782a · Sonia Zorba · 993b2a92 · b09f782a · b09f782a · b09f782a
Commit b09f782a authored 3 years ago by Sonia Zorba
--- a/src/main/java/it/inaf/ia2/transfer/controller/ArchiveFileController.java
+++ b/src/main/java/it/inaf/ia2/transfer/controller/ArchiveFileController.java
@@ -6,12 +6,12 @@
 package it.inaf.ia2.transfer.controller;

 import it.inaf.ia2.transfer.auth.TokenPrincipal;
+import it.inaf.ia2.transfer.exception.PermissionDeniedException;
 import it.inaf.ia2.transfer.service.ArchiveJob;
 import it.inaf.ia2.transfer.service.ArchiveJob.Type;
 import it.inaf.ia2.transfer.service.ArchiveService;
 import java.io.File;
 import java.util.concurrent.CompletableFuture;
-import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpHeaders;
@@ -30,9 +30,6 @@ public class ArchiveFileController extends FileController {
    @Autowired
    private ArchiveService archiveService;

-    @Autowired
-    private HttpServletRequest request;
-
    @Autowired
    private HttpServletResponse response;

@@ -42,7 +39,7 @@ public class ArchiveFileController extends FileController {
        Type type = Type.valueOf(archiveRequest.getType());

        ArchiveJob job = new ArchiveJob();
-        job.setPrincipal((TokenPrincipal) request.getUserPrincipal());
+        job.setPrincipal(getPrincipal());
        job.setJobId(archiveRequest.getJobId());
        job.setType(type);
        job.setVosPaths(archiveRequest.getPaths());
@@ -59,10 +56,20 @@ public class ArchiveFileController extends FileController {
    @GetMapping(value = "/archive/{fileName}")
    public void getArchiveFile(@PathVariable("fileName") String fileName) {

-        TokenPrincipal principal = (TokenPrincipal) request.getUserPrincipal();
+        TokenPrincipal principal = getPrincipal();

        File file = archiveService.getArchiveParentDir(principal).toPath().resolve(fileName).toFile();

        FileResponseUtil.getFileResponse(response, file);
    }
+
+    private TokenPrincipal getPrincipal() {
+        TokenPrincipal principal = (TokenPrincipal) request.getUserPrincipal();
+
+        if ("anonymous".equals(principal.getName())) {
+            throw new PermissionDeniedException("Tar/Zip archive generation not allowed to anonymous users");
+        }
+        
+        return principal;
+    }
 }
--- a/src/main/java/it/inaf/ia2/transfer/controller/GetFileController.java
+++ b/src/main/java/it/inaf/ia2/transfer/controller/GetFileController.java
@@ -65,7 +65,7 @@ public class GetFileController extends FileController {
                FileInfo fileInfo = optFileInfo.get();

                if (!authorizationService.isDownloadable(fileInfo, (TokenPrincipal) request.getUserPrincipal())) {
-                    throw new PermissionDeniedException(path);
+                    throw new PermissionDeniedException("PermissionDenied Path: " + path);
                }

                File file = new File(fileInfo.getOsPath());

--- a/src/main/java/it/inaf/ia2/transfer/exception/PermissionDeniedException.java
+++ b/src/main/java/it/inaf/ia2/transfer/exception/PermissionDeniedException.java
@@ -11,8 +11,8 @@ import org.springframework.web.bind.annotation.ResponseStatus;
 @ResponseStatus(value = HttpStatus.FORBIDDEN)
 public class PermissionDeniedException extends JobException {

-    public PermissionDeniedException(String path) {
+    public PermissionDeniedException(String errorDetail) {
        super(Type.FATAL, "Permission Denied");
-        setErrorDetail("PermissionDenied Path: " + path);
+        setErrorDetail(errorDetail);
    }
 }
--- a/src/test/java/it/inaf/ia2/transfer/controller/ArchiveFileControllerTest.java
+++ b/src/test/java/it/inaf/ia2/transfer/controller/ArchiveFileControllerTest.java
@@ -6,26 +6,34 @@
 package it.inaf.ia2.transfer.controller;

 import com.fasterxml.jackson.databind.ObjectMapper;
+import it.inaf.ia2.transfer.auth.TokenPrincipal;
 import it.inaf.ia2.transfer.service.ArchiveJob;
 import it.inaf.ia2.transfer.service.ArchiveService;
+import java.io.File;
+import java.nio.file.Files;
 import java.util.Arrays;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import org.junit.jupiter.api.Test;
+import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.argThat;
+import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.http.MediaType;
 import org.springframework.test.web.servlet.MockMvc;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import org.springframework.util.FileSystemUtils;

 @SpringBootTest
-@AutoConfigureMockMvc
+@AutoConfigureMockMvc(addFilters = false)
 public class ArchiveFileControllerTest {

    private static final ObjectMapper MAPPER = new ObjectMapper();
@@ -45,6 +53,7 @@ public class ArchiveFileControllerTest {
        request.setPaths(Arrays.asList("/path/to/file1", "/path/to/file2"));

        mockMvc.perform(post("/archive")
+                .principal(fakePrincipal("user1"))
                .contentType(MediaType.APPLICATION_JSON)
                .content(MAPPER.writeValueAsString(request)))
                .andDo(print())
@@ -53,9 +62,60 @@ public class ArchiveFileControllerTest {
        verify(archiveService, times(1)).createArchive(argThat(job -> {
            assertEquals("123", job.getJobId());
            assertEquals(ArchiveJob.Type.TAR, job.getType());
-            assertEquals("anonymous", job.getPrincipal().getName());
+            assertEquals("user1", job.getPrincipal().getName());
            assertEquals(2, job.getVosPaths().size());
            return true;
        }));
    }
+
+    @Test
+    public void testGetArchive() throws Exception {
+
+        File tmpDir = Files.createTempDirectory("tmp").toFile();
+
+        try {
+            tmpDir.toPath().resolve("123.zip").toFile().createNewFile();
+
+            when(archiveService.getArchiveParentDir(any())).thenReturn(tmpDir);
+
+            mockMvc.perform(get("/archive/123.zip")
+                    .principal(fakePrincipal("user1")))
+                    .andDo(print())
+                    .andExpect(status().isOk());
+
+        } finally {
+            FileSystemUtils.deleteRecursively(tmpDir);
+        }
+    }
+
+    @Test
+    public void testAnonymousCantCreateArchive() throws Exception {
+
+        ArchiveRequest request = new ArchiveRequest();
+        request.setJobId("123");
+        request.setType("ZIP");
+        request.setPaths(Arrays.asList("/ignore"));
+
+        mockMvc.perform(post("/archive")
+                .principal(fakePrincipal("anonymous"))
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(MAPPER.writeValueAsString(request)))
+                .andDo(print())
+                .andExpect(status().isForbidden());
+    }
+
+    @Test
+    public void testAnonymousCantGetArchive() throws Exception {
+
+        mockMvc.perform(get("/archive/123.zip")
+                .principal(fakePrincipal("anonymous")))
+                .andDo(print())
+                .andExpect(status().isForbidden());
+    }
+
+    private TokenPrincipal fakePrincipal(String name) {
+        TokenPrincipal principal = mock(TokenPrincipal.class);
+        when(principal.getName()).thenReturn(name);
+        return principal;
+    }
 }