restricted access for simrels api

2020-09-29 11:34:31 +02:00 · 2020-09-29 11:34:31 +02:00 · 5c04deadd4
parent 7465134e8b
commit 5c04deadd4
6 changed files with 87 additions and 35 deletions
--- a/apps/dnet-orgs-database-application/src/main/java/META-INF/additional-spring-configuration-metadata.json
+++ b/apps/dnet-orgs-database-application/src/main/java/META-INF/additional-spring-configuration-metadata.json
@ -0,0 +1,5 @@
+{"properties": [{
+  "name": "openaire.api.valid.subnet",
+  "type": "java.lang.String",
+  "description": "A description for 'openaire.api.valid.subnet'"
+}]}
--- a/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/WebSecurityConfig.java
+++ b/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/WebSecurityConfig.java
@ -3,6 +3,7 @@ package eu.dnetlib.organizations;
 import javax.sql.DataSource;

 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
@ -25,43 +26,48 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 	@Autowired
 	private AccessDeniedHandler accessDeniedHandler;

+	@Value("${openaire.api.valid.subnet}")
+	private String openaireApiValidSubnet;
+
 	@Override
 	protected void configure(final HttpSecurity http) throws Exception {

 		http.csrf()
-				.disable()
-				.authorizeRequests()
-				.antMatchers("/", "/api/**")
-				.hasAnyRole(UserRole.ADMIN.name(), UserRole.NATIONAL_ADMIN.name(), UserRole.USER.name())
-				.antMatchers("/registration_api/**")
-				.hasRole(UserRole.NOT_AUTHORIZED.name())
-				.antMatchers("/resources/**", "/webjars/**")
-				.permitAll()
-				.anyRequest()
-				.authenticated()
-				.and()
-				.formLogin()
-				.loginPage("/login")
-				.permitAll()
-				.and()
-				.logout()
-				.permitAll()
-				.and()
-				.exceptionHandling()
-				.accessDeniedHandler(accessDeniedHandler);
+			.disable()
+			.authorizeRequests()
+			.antMatchers("/", "/api/**")
+			.hasAnyRole(UserRole.ADMIN.name(), UserRole.NATIONAL_ADMIN.name(), UserRole.USER.name())
+			.antMatchers("/registration_api/**")
+			.hasRole(UserRole.NOT_AUTHORIZED.name())
+			.antMatchers("/resources/**", "/webjars/**")
+			.permitAll()
+			.antMatchers("/oa_api/**")
+			.hasIpAddress(openaireApiValidSubnet)
+			.anyRequest()
+			.authenticated()
+			.and()
+			.formLogin()
+			.loginPage("/login")
+			.permitAll()
+			.and()
+			.logout()
+			.permitAll()
+			.and()
+			.exceptionHandling()
+			.accessDeniedHandler(accessDeniedHandler);
 	}

 	@Autowired
 	public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception {
 		auth.jdbcAuthentication()
-				.dataSource(dataSource)
-				.usersByUsernameQuery("select ?, '{MD5}60c4a0eb167dd41e915a885f582414df', true")  // TODO: this is a MOCK, the user should
-																								  // be authenticated using the openaire
-																								  // credentials
-				.authoritiesByUsernameQuery("with const as (SELECT ? as email) "
-						+ "select c.email, 'ROLE_'||coalesce(u.role, '"
-						+ UserRole.NOT_AUTHORIZED
-						+ "') from const c left outer join users u on (u.email = c.email)");
+			.dataSource(dataSource)
+			.usersByUsernameQuery("select ?, '{MD5}60c4a0eb167dd41e915a885f582414df', true")  // TODO: this is a MOCK, the user should
+																							  // be authenticated using the openaire
+																							  // credentials
+			.authoritiesByUsernameQuery("with const as (SELECT ? as email) "
+				+ "select c.email, 'ROLE_'||coalesce(u.role, '"
+				+ UserRole.NOT_AUTHORIZED
+				+ "') from const c left outer join users u on (u.email = c.email)");
 	}

 	@Bean
--- a/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/controller/OpenaireInternalApiController.java
+++ b/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/controller/OpenaireInternalApiController.java
@ -0,0 +1,39 @@
+package eu.dnetlib.organizations.controller;
+
+import java.util.Arrays;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import eu.dnetlib.organizations.utils.DatabaseUtils;
+
+@RestController
+@RequestMapping("/oa_api")
+public class OpenaireInternalApiController {
+
+	@Autowired
+	private DatabaseUtils databaseUtils;
+
+	@Value("${openaire.api.https.proxy}")
+	private String httpsProxy;
+
+	private static final Log log = LogFactory.getLog(OpenaireInternalApiController.class);
+
+	@GetMapping("/import/simrels")
+	public List<String> importSimRels(final HttpServletRequest req) {
+		if (req.getRemoteAddr().equals(httpsProxy)) {
+			log.warn("Call received by blaklisted ip (https proxy): " + req.getRemoteAddr());
+			throw new RuntimeException("Call received by blaklisted ip (https proxy): " + req.getRemoteAddr());
+		}
+		new Thread(databaseUtils::importSimRels).run();
+		return Arrays.asList("Importing simrels (request from " + req.getRemoteAddr() + ") ...");
+	}
+}
--- a/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/controller/OrganizationController.java
+++ b/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/controller/OrganizationController.java
@ -273,10 +273,4 @@ public class OrganizationController {

 	}

-	@GetMapping("/import/simrels")
-	public List<String> importSimRels() {
-		new Thread(databaseUtils::importSimRels).run();
-		return Arrays.asList("Importing...");
-	}
-
 }
--- a/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/utils/DatabaseUtils.java
+++ b/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/utils/DatabaseUtils.java
@ -289,9 +289,11 @@ public class DatabaseUtils {

 	public void importSimRels() {
 		try {
+			log.info("Importing conflicts and duplicates...");
 			jdbcTemplate.update(IOUtils.toString(getClass().getResourceAsStream("/sql/importNewRels.sql")));
+			log.info("...done");
 		} catch (final Exception e) {
-			log.error("Error importing simrels", e);
+			log.error("Error importing conflicts and duplicates", e);
 		}
 	}

--- a/apps/dnet-orgs-database-application/src/main/resources/application.properties
+++ b/apps/dnet-orgs-database-application/src/main/resources/application.properties
@ -16,3 +16,9 @@ spring.jpa.open-in-view=true
 spring.jpa.properties.hibernate.show_sql=true
 spring.jpa.properties.hibernate.use_sql_comments=true
 spring.jpa.properties.hibernate.format_sql=true
+
+# the ICM private network 
+openaire.api.valid.subnet = 10.19.65.0/24
+openaire.api.https.proxy = 10.19.65.35
+
+