From 5c04deadd4a4fc69da1ddd4b3d290859244770da Mon Sep 17 00:00:00 2001
From: "michele.artini"
Date: Tue, 29 Sep 2020 11:34:31 +0200
Subject: [PATCH] restricted access for simrels api
---
 ...itional-spring-configuration-metadata.json | 5 ++
 .../organizations/WebSecurityConfig.java | 62 ++++++++++---------
 .../OpenaireInternalApiController.java | 39 ++++++++++++
 .../controller/OrganizationController.java | 6 --
 .../organizations/utils/DatabaseUtils.java | 4 +-
 .../src/main/resources/application.properties | 6 ++
 6 files changed, 87 insertions(+), 35 deletions(-)
 create mode 100644 apps/dnet-orgs-database-application/src/main/java/META-INF/additional-spring-configuration-metadata.json
 create mode 100644 apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/controller/OpenaireInternalApiController.java
diff --git a/apps/dnet-orgs-database-application/src/main/java/META-INF/additional-spring-configuration-metadata.json b/apps/dnet-orgs-database-application/src/main/java/META-INF/additional-spring-configuration-metadata.json
new file mode 100644
index 00000000..81d99e13
--- /dev/null
+++ b/apps/dnet-orgs-database-application/src/main/java/META-INF/additional-spring-configuration-metadata.json
@@ -0,0 +1,5 @@
+{"properties": [{
+ "name": "openaire.api.valid.subnet",
+ "type": "java.lang.String",
+ "description": "A description for 'openaire.api.valid.subnet'"
+}]}
\ No newline at end of file
diff --git a/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/WebSecurityConfig.java b/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/WebSecurityConfig.java
index 3c1e63e6..283f0427 100644
--- a/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/WebSecurityConfig.java
+++ b/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/WebSecurityConfig.java
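Review bot: The `description` for `openaire.api.valid.subnet` is the generator's placeholder text, and the second property this commit reads, `openaire.api.https.proxy` (injected in OpenaireInternalApiController), has no metadata entry at all. Since both values decide who may call `/oa_api/**`, the metadata should say so, e.g. `"description": "CIDR range of clients allowed to call the internal /oa_api endpoints (checked with hasIpAddress in WebSecurityConfig)"`, plus a parallel entry describing the proxy address that is refused.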
@@ -3,6 +3,7 @@ package eu.dnetlib.organizations;
 import javax.sql.DataSource;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
@@ -25,43 +26,48 @@ public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
 @Autowired
 private AccessDeniedHandler accessDeniedHandler;
+ @Value("${openaire.api.valid.subnet}")
+ private String openaireApiValidSubnet;
+
 @Override
 protected void configure(final HttpSecurity http) throws Exception {
 http.csrf()
- .disable()
- .authorizeRequests()
- .antMatchers("/", "/api/**")
- .hasAnyRole(UserRole.ADMIN.name(), UserRole.NATIONAL_ADMIN.name(), UserRole.USER.name())
- .antMatchers("/registration_api/**")
- .hasRole(UserRole.NOT_AUTHORIZED.name())
- .antMatchers("/resources/**", "/webjars/**")
- .permitAll()
- .anyRequest()
- .authenticated()
- .and()
- .formLogin()
- .loginPage("/login")
- .permitAll()
- .and()
- .logout()
- .permitAll()
- .and()
- .exceptionHandling()
- .accessDeniedHandler(accessDeniedHandler);
+ .disable()
+ .authorizeRequests()
+ .antMatchers("/", "/api/**")
+ .hasAnyRole(UserRole.ADMIN.name(), UserRole.NATIONAL_ADMIN.name(), UserRole.USER.name())
+ .antMatchers("/registration_api/**")
+ .hasRole(UserRole.NOT_AUTHORIZED.name())
+ .antMatchers("/resources/**", "/webjars/**")
+ .permitAll()
+ .antMatchers("/oa_api/**")
+ .hasIpAddress(openaireApiValidSubnet)
+ .anyRequest()
+ .authenticated()
+ .and()
+ .formLogin()
+ .loginPage("/login")
+ .permitAll()
+ .and()
+ .logout()
+ .permitAll()
+ .and()
+ .exceptionHandling()
+ .accessDeniedHandler(accessDeniedHandler);
 }
 @Autowired
 public void configureGlobal(final AuthenticationManagerBuilder auth) throws Exception {
 auth.jdbcAuthentication()
- .dataSource(dataSource)
- .usersByUsernameQuery("select ?, '{MD5}60c4a0eb167dd41e915a885f582414df', true") // TODO: this is a MOCK, the user should
- // be authenticated using the openaire
- // credentials
- .authoritiesByUsernameQuery("with const as (SELECT ? as email) "
- + "select c.email, 'ROLE_'||coalesce(u.role, '"
- + UserRole.NOT_AUTHORIZED
- + "') from const c left outer join users u on (u.email = c.email)");
+ .dataSource(dataSource)
+ .usersByUsernameQuery("select ?, '{MD5}60c4a0eb167dd41e915a885f582414df', true") // TODO: this is a MOCK, the user should
+ // be authenticated using the openaire
+ // credentials
+ .authoritiesByUsernameQuery("with const as (SELECT ? as email) "
+ + "select c.email, 'ROLE_'||coalesce(u.role, '"
+ + UserRole.NOT_AUTHORIZED
+ + "') from const c left outer join users u on (u.email = c.email)");
 }
 @Bean
diff --git a/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/controller/OpenaireInternalApiController.java b/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/controller/OpenaireInternalApiController.java
new file mode 100644
index 00000000..992a9d6d
--- /dev/null
+++ b/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/controller/OpenaireInternalApiController.java
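Review bot: `.hasIpAddress(openaireApiValidSubnet)` on the new `/oa_api/**` matcher tests the servlet remote address, and the proxy this commit itself configures (`openaire.api.https.proxy = 10.19.65.35`) lies inside the allowed `10.19.65.0/24`, so every request that arrives through that proxy satisfies the rule; the commit compensates only inside OpenaireInternalApiController, by comparing `req.getRemoteAddr()` and throwing a RuntimeException. That exclusion belongs in the security rule, where it covers any future `/oa_api/**` endpoint and is refused through the normal access-denied path (403) instead of a 500: add `@Value("${openaire.api.https.proxy}") private String httpsProxy;` next to the subnet field and replace the `.hasIpAddress(...)` line with `.access("hasIpAddress('" + openaireApiValidSubnet + "') and !hasIpAddress('" + httpsProxy + "')")`. The new field should also carry a comment stating that it is a CIDR range consulted by `hasIpAddress`, since the property metadata added in this commit only has placeholder text. Note that the matcher order is fine as written, because `/api/**` does not match `/oa_api/**`.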
@@ -0,0 +1,39 @@
+package eu.dnetlib.organizations.controller;
+
+import java.util.Arrays;
+import java.util.List;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import eu.dnetlib.organizations.utils.DatabaseUtils;
+
+@RestController
+@RequestMapping("/oa_api")
+public class OpenaireInternalApiController {
+
+ @Autowired
+ private DatabaseUtils databaseUtils;
+
+ @Value("${openaire.api.https.proxy}")
+ private String httpsProxy;
+
+ private static final Log log = LogFactory.getLog(OpenaireInternalApiController.class);
+
+ @GetMapping("/import/simrels")
+ public List importSimRels(final HttpServletRequest req) {
+ if (req.getRemoteAddr().equals(httpsProxy)) {
+ log.warn("Call received by blaklisted ip (https proxy): " + req.getRemoteAddr());
+ throw new RuntimeException("Call received by blaklisted ip (https proxy): " + req.getRemoteAddr());
+ }
+ new Thread(databaseUtils::importSimRels).run();
+ return Arrays.asList("Importing simrels (request from " + req.getRemoteAddr() + ") ...");
+ }
+}
diff --git a/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/controller/OrganizationController.java b/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/controller/OrganizationController.java
index 1ce58198..ce387a60 100644
--- a/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/controller/OrganizationController.java
+++ b/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/controller/OrganizationController.java
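Review bot: `new Thread(databaseUtils::importSimRels).run()` in `importSimRels` calls `run()` instead of `start()`, so the import executes synchronously on the request thread and the "Importing simrels ..." reply is only sent after the whole SQL script has finished (the call is carried over unchanged from OrganizationController). If a background job is intended, use `start()` — or better, an injected `TaskExecutor` or an `@Async` method, so the work is bounded and observable — and if synchronous execution is intended, the response text should say so. The proxy rejection throws a bare `RuntimeException`, which surfaces as a 500 rather than a 403; throwing `ResponseStatusException` with `HttpStatus.FORBIDDEN`, or a dedicated exception annotated with `@ResponseStatus`, expresses the denial correctly. The method also returns a raw `List`; declare it `List<String>`. The typo `blaklisted` is present in both the log line and the exception message.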
@@ -273,10 +273,4 @@ public class OrganizationController { } - @GetMapping("/import/simrels") - public List importSimRels() { - new Thread(databaseUtils::importSimRels).run(); - return Arrays.asList("Importing..."); - } - }
diff --git a/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/utils/DatabaseUtils.java b/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/utils/DatabaseUtils.java
index e6197f30..f3e92fac 100644
--- a/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/utils/DatabaseUtils.java
+++ b/apps/dnet-orgs-database-application/src/main/java/eu/dnetlib/organizations/utils/DatabaseUtils.java
@@ -289,9 +289,11 @@ public class DatabaseUtils {
 public void importSimRels() {
 try {
+ log.info("Importing conflicts and duplicates...");
 jdbcTemplate.update(IOUtils.toString(getClass().getResourceAsStream("/sql/importNewRels.sql")));
+ log.info("...done");
 } catch (final Exception e) {
- log.error("Error importing simrels", e);
+ log.error("Error importing conflicts and duplicates", e);
 }
 }
diff --git a/apps/dnet-orgs-database-application/src/main/resources/application.properties b/apps/dnet-orgs-database-application/src/main/resources/application.properties
index 50afc9bb..3e970a79 100644
--- a/apps/dnet-orgs-database-application/src/main/resources/application.properties
+++ b/apps/dnet-orgs-database-application/src/main/resources/application.properties
@@ -16,3 +16,9 @@ spring.jpa.open-in-view=true
 spring.jpa.properties.hibernate.show_sql=true
 spring.jpa.properties.hibernate.use_sql_comments=true
 spring.jpa.properties.hibernate.format_sql=true
+
+# the ICM private network
+openaire.api.valid.subnet = 10.19.65.0/24
+openaire.api.https.proxy = 10.19.65.35
+
+