From b67e98976d789d809fa5b9ee38a86b9a0a44aa90 Mon Sep 17 00:00:00 2001 From: Konstantinos Spyrou Date: Fri, 17 Feb 2023 16:17:37 +0200 Subject: [PATCH] Improved role functionality --- .../config/AaiSecurityConfiguration.java | 3 +- .../service/RepositoryServiceImpl.java | 34 +++++-- .../service/aai/registry/RegistryCalls.java | 1 + .../security/AaiRoleMappingService.java | 92 +++++++++---------- .../security/AuthorizationServiceImpl.java | 18 ++-- .../service/security/RoleMappingService.java | 43 ++------- 6 files changed, 85 insertions(+), 106 deletions(-) diff --git a/src/main/java/eu/dnetlib/repo/manager/config/AaiSecurityConfiguration.java b/src/main/java/eu/dnetlib/repo/manager/config/AaiSecurityConfiguration.java index 0a02ce5..0782850 100644 --- a/src/main/java/eu/dnetlib/repo/manager/config/AaiSecurityConfiguration.java +++ b/src/main/java/eu/dnetlib/repo/manager/config/AaiSecurityConfiguration.java @@ -67,8 +67,9 @@ public class AaiSecurityConfiguration extends WebSecurityConfigurerAdapter { .anyRequest().authenticated() .and() .logout().logoutUrl("/openid_logout") + .clearAuthentication(true) .invalidateHttpSession(true) - .deleteCookies("openAIRESession") + .deleteCookies() .logoutSuccessUrl(logoutSuccessUrl) .and() .addFilterBefore(openIdConnectAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class) diff --git a/src/main/java/eu/dnetlib/repo/manager/service/RepositoryServiceImpl.java b/src/main/java/eu/dnetlib/repo/manager/service/RepositoryServiceImpl.java index effafa5..65383f9 100644 --- a/src/main/java/eu/dnetlib/repo/manager/service/RepositoryServiceImpl.java +++ b/src/main/java/eu/dnetlib/repo/manager/service/RepositoryServiceImpl.java @@ -28,6 +28,7 @@ import org.springframework.core.ParameterizedTypeReference; import org.springframework.http.*; import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter; import org.springframework.security.core.Authentication; +import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.stereotype.Service; import org.springframework.web.client.RestTemplate; @@ -38,6 +39,7 @@ import javax.annotation.PostConstruct; import java.sql.Timestamp; import java.util.*; import java.util.concurrent.ConcurrentHashMap; +import java.util.stream.Collectors; @Service("repositoryService") public class RepositoryServiceImpl implements RepositoryService { @@ -284,14 +286,14 @@ public class RepositoryServiceImpl implements RepositoryService { public List getRepositoriesOfUser(String page, String size) { logger.debug("Retrieving repositories of authenticated user : {}", ((OIDCAuthenticationToken) SecurityContextHolder.getContext().getAuthentication()).getUserInfo().getEmail()); - Collection repoIds = roleMappingService.getRepoIdsByRoleIds(authorizationService.getUserRoles()); + Collection repoIds = roleMappingService.getRepositoryIds(authorizationService.getUserRoles()); return getRepositories(new ArrayList<>(repoIds)); } @Override public List getRepositoriesOfUser(String userEmail, String page, String size) { logger.debug("Retrieving repositories of authenticated user : {}", userEmail); - Collection repoIds = roleMappingService.getRepoIdsByRoleIds(authorizationService.getUserRolesByEmail(userEmail)); + Collection repoIds = roleMappingService.getRepositoryIds(authorizationService.getUserRolesByEmail(userEmail)); return getRepositories(new ArrayList<>(repoIds)); } @@ -304,12 +306,7 @@ public class RepositoryServiceImpl implements RepositoryService { public List getRepositoriesSnippetsOfUser(String userEmail, String page, String size) { int from = Integer.parseInt(page) * Integer.parseInt(size); int to = from + Integer.parseInt(size); - List repoIds = new ArrayList<>(); - if (userEmail != null && !"".equals(userEmail)) { - repoIds.addAll(roleMappingService.getRepoIdsByRoleIds(authorizationService.getUserRolesByEmail(userEmail))); - } else { - repoIds.addAll(roleMappingService.getRepoIdsByRoleIds(authorizationService.getUserRoles())); - } + List repoIds = getRepoIdsOfUser(userEmail); if (repoIds.size() < from) { return Collections.emptyList(); @@ -534,8 +531,8 @@ public class RepositoryServiceImpl implements RepositoryService { emailUtils.sendUserRegisterInterfaceEmail(repo, comment, repositoryInterface, desiredCompatibilityLevel, authentication); String prevCompatibilityLevel = repositoryInterface.getCompatibility(); - if ( (desiredCompatibilityLevel != null) - && ((prevCompatibilityLevel == null) || ! prevCompatibilityLevel.equals(desiredCompatibilityLevel))) { + if ((desiredCompatibilityLevel != null) + && ((prevCompatibilityLevel == null) || !prevCompatibilityLevel.equals(desiredCompatibilityLevel))) { InterfaceComplianceRequest request = new InterfaceComplianceRequest(repoId, repositoryInterface.getId(), desiredCompatibilityLevel); interfaceComplianceService.create(request); } @@ -957,10 +954,27 @@ public class RepositoryServiceImpl implements RepositoryService { return repositories; } + private List getRepoIdsOfUser(String userEmail) { + List repoIds; + if (userEmail != null && !"".equals(userEmail)) { + repoIds = new ArrayList<>(roleMappingService.getRepositoryIds(authorizationService.getUserRolesByEmail(userEmail))); + } else { + Collection authorities = SecurityContextHolder.getContext().getAuthentication().getAuthorities(); + repoIds = authorities + .stream() + .map(a -> roleMappingService.authorityToRepositoryId((GrantedAuthority) a)) + .filter(Objects::nonNull) + .collect(Collectors.toList()); + } + return repoIds; + } + + @Deprecated private String getRepositoryType(String typology) { return invertedDataSourceClass.get(typology); } + @Deprecated private List getRoleIdsFromUserRoles(String userEmail) { List coPersonId = registryCalls.getCoPersonIdsByEmail(userEmail); JsonArray roles; diff --git a/src/main/java/eu/dnetlib/repo/manager/service/aai/registry/RegistryCalls.java b/src/main/java/eu/dnetlib/repo/manager/service/aai/registry/RegistryCalls.java index c7d4743..12d2cfc 100644 --- a/src/main/java/eu/dnetlib/repo/manager/service/aai/registry/RegistryCalls.java +++ b/src/main/java/eu/dnetlib/repo/manager/service/aai/registry/RegistryCalls.java @@ -165,6 +165,7 @@ public class RegistryCalls implements AaiRegistryService { @Override public JsonArray getRoles(Integer coPersonId) { Map params = new HashMap<>(); + params.put("coid", coid); params.put("copersonid", coPersonId.toString()); JsonElement response = httpUtils.get("co_person_roles.json", params); return (response != null) ? response.getAsJsonObject().get("CoPersonRoles").getAsJsonArray() : new JsonArray(); diff --git a/src/main/java/eu/dnetlib/repo/manager/service/security/AaiRoleMappingService.java b/src/main/java/eu/dnetlib/repo/manager/service/security/AaiRoleMappingService.java index 96c91d6..b9de706 100644 --- a/src/main/java/eu/dnetlib/repo/manager/service/security/AaiRoleMappingService.java +++ b/src/main/java/eu/dnetlib/repo/manager/service/security/AaiRoleMappingService.java @@ -7,6 +7,8 @@ import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.authority.SimpleGrantedAuthority; import org.springframework.stereotype.Service; +import java.io.UnsupportedEncodingException; +import java.net.URLDecoder; import java.net.URLEncoder; import java.util.Collection; import java.util.Objects; @@ -20,21 +22,8 @@ public class AaiRoleMappingService implements RoleMappingService { @Value("${services.provide.aai.registry.production:true}") private boolean production; - - private String createRepoRoleName(String prefix, String repoId) { - return prefix + "." + repoId.replace(":", "$"); - } - @Override - public String getRepoNameWithoutType(String fullName, String prefix) { - if (fullName != null && prefix != null && fullName.startsWith(prefix)) { - return fullName.substring(prefix.length()); - } - return null; - } - - @Override - public String getRepoIdByRoleId(String roleId) { + public String getRepositoryId(String roleId) { if (!roleActive(roleId)) { return null; } @@ -42,43 +31,46 @@ public class AaiRoleMappingService implements RoleMappingService { } @Override - public Collection getRepoIdsByRoleIds(Collection roleIds) { + public Collection getRepositoryIds(Collection roleIds) { return roleIds .stream() - //.filter(this::roleActive) // implicitly executed in the next statement - .map(this::getRepoIdByRoleId) + .map(this::getRepositoryId) .filter(Objects::nonNull) .collect(Collectors.toList()); } @Override - public String getRoleIdByRepoId(String repoId) { - String roleId = ""; + public String getRole(String repoId) { + String role = null; String prefix = (production ? "" : "beta.") + "datasource"; if (repoId != null) { - roleId = createRepoRoleName(prefix, repoId); - return roleId; - } else { - return null; + role = createRole(prefix, repoId); } - + return role; } @Override - public Collection getRoleIdsByRepoIds(Collection repoIds) { + public Collection getRoles(Collection repoIds) { return repoIds .stream() - .map(this::getRoleIdByRepoId) + .map(this::getRole) .filter(Objects::nonNull) .collect(Collectors.toList()); } @Override - public String convertAuthorityIdToRepoId(String authorityId) { - String repo = ""; - if (authorityId != null && roleActive(authorityId)) { - repo = authorityId - .replaceFirst(".*datasource\\.", "") + public String authorityToRepositoryId(GrantedAuthority authority) { + String repo = null; + String auth = null; + try { + auth = URLDecoder.decode(authority.getAuthority(), "UTF-8").toLowerCase(); + } catch (UnsupportedEncodingException e) { + logger.error("", e); + } + + if (auth != null && roleActive(auth)) { + repo = auth + .replaceFirst(".*datasource\\_", "") .replace("$", ":") .toLowerCase(); } @@ -86,12 +78,26 @@ public class AaiRoleMappingService implements RoleMappingService { } @Override - public String convertAuthorityToRepoId(GrantedAuthority authority) { - return convertAuthorityIdToRepoId(authority.toString()); + public GrantedAuthority repositoryIdToAuthority(String repoId) { + String role = null; + try { + role = URLEncoder.encode(convertRepoIdToAuthorityId(repoId), "UTF-8"); + } catch (UnsupportedEncodingException e) { + logger.error("", e); + } + return new SimpleGrantedAuthority(role); } - @Override - public String convertRepoIdToAuthorityId(String repoId) { + private String createRole(String prefix, String repoId) { + return prefix + "." + repoId.replace(":", "$"); + } + + private boolean roleActive(String roleId) { + return (production && !roleId.toLowerCase().startsWith("beta")) + || (!production && roleId.toLowerCase().startsWith("beta")); + } + + private String convertRepoIdToAuthorityId(String repoId) { StringBuilder roleBuilder = new StringBuilder(); String role = ""; if (repoId != null) { @@ -102,20 +108,4 @@ public class AaiRoleMappingService implements RoleMappingService { } return role; } - - @Override - public String convertRepoIdToEncodedAuthorityId(String repoId) { - return URLEncoder.encode(convertRepoIdToAuthorityId(repoId)); - } - - @Override - public SimpleGrantedAuthority convertRepoIdToAuthority(String repoId) { - String role = convertRepoIdToEncodedAuthorityId(repoId); - return new SimpleGrantedAuthority(role); - } - - private boolean roleActive(String roleId) { - return (production && !roleId.toLowerCase().startsWith("beta.")) - || (!production && roleId.toLowerCase().startsWith("beta.")); - } } diff --git a/src/main/java/eu/dnetlib/repo/manager/service/security/AuthorizationServiceImpl.java b/src/main/java/eu/dnetlib/repo/manager/service/security/AuthorizationServiceImpl.java index e1f66f9..7c43427 100644 --- a/src/main/java/eu/dnetlib/repo/manager/service/security/AuthorizationServiceImpl.java +++ b/src/main/java/eu/dnetlib/repo/manager/service/security/AuthorizationServiceImpl.java @@ -56,9 +56,9 @@ public class AuthorizationServiceImpl implements AuthorizationService { @Override public boolean isMemberOf(String repoId) { - String repoRole = roleMappingService.convertRepoIdToEncodedAuthorityId(repoId); + String repoAuthority = roleMappingService.repositoryIdToAuthority(repoId).getAuthority(); return SecurityContextHolder.getContext().getAuthentication().getAuthorities() - .stream().anyMatch(authority -> authority.toString().equals(repoRole)); + .stream().anyMatch(authority -> authority.toString().equals(repoAuthority)); } @Override @@ -74,7 +74,7 @@ public class AuthorizationServiceImpl implements AuthorizationService { public List getAdminsOfRepo(String repoId) { // find couId by role name - String role = roleMappingService.getRoleIdByRepoId(repoId); + String role = roleMappingService.getRole(repoId); Integer couId = aaiRegistryService.getCouId(role); return aaiRegistryService.getUsers(couId); } @@ -82,7 +82,7 @@ public class AuthorizationServiceImpl implements AuthorizationService { @Override public void addAdmin(String resourceId, String email) throws ResourceNotFoundException { - String role = roleMappingService.getRoleIdByRepoId(resourceId); + String role = roleMappingService.getRole(resourceId); Integer couId = aaiRegistryService.getCouId(role); if (couId == null) { throw new ResourceNotFoundException("Cannot find CouId for role: " + role); @@ -94,14 +94,14 @@ public class AuthorizationServiceImpl implements AuthorizationService { // Add role to user current authorities for (String userId : aaiRegistryService.getUserIdentifiersByEmail(email)) { - authoritiesUpdater.addRole(userId, roleMappingService.convertRepoIdToAuthority(resourceId)); + authoritiesUpdater.addRole(userId, roleMappingService.repositoryIdToAuthority(resourceId)); } } } @Override public void removeAdmin(String resourceId, String email) throws ResourceNotFoundException { - String role = roleMappingService.getRoleIdByRepoId(resourceId); + String role = roleMappingService.getRole(resourceId); Integer couId = aaiRegistryService.getCouId(role); if (couId == null) { throw new ResourceNotFoundException("Cannot find CouId for role: " + role); @@ -115,7 +115,7 @@ public class AuthorizationServiceImpl implements AuthorizationService { // Remove role from user current authorities for (String userId : aaiRegistryService.getUserIdentifiersByEmail(email)) { - authoritiesUpdater.removeRole(userId, roleMappingService.convertRepoIdToAuthority(resourceId)); + authoritiesUpdater.removeRole(userId, roleMappingService.repositoryIdToAuthority(resourceId)); } } else { logger.error("Cannot find RoleId for role: {}", role); @@ -126,7 +126,7 @@ public class AuthorizationServiceImpl implements AuthorizationService { @Override public void createAndAssignRoleToAuthenticatedUser(String resourceId, String roleDescription) { // Create new role - String newRoleName = roleMappingService.getRoleIdByRepoId(resourceId); + String newRoleName = roleMappingService.getRole(resourceId); Role newRole = new Role(newRoleName, roleDescription); Integer couId; @@ -148,7 +148,7 @@ public class AuthorizationServiceImpl implements AuthorizationService { aaiRegistryService.assignMemberRole(coPersonId, couId); // Add role to current user authorities - authoritiesUpdater.addRole(roleMappingService.convertRepoIdToAuthority(resourceId)); + authoritiesUpdater.addRole(roleMappingService.repositoryIdToAuthority(resourceId)); } } diff --git a/src/main/java/eu/dnetlib/repo/manager/service/security/RoleMappingService.java b/src/main/java/eu/dnetlib/repo/manager/service/security/RoleMappingService.java index 67439bf..c1a77c4 100644 --- a/src/main/java/eu/dnetlib/repo/manager/service/security/RoleMappingService.java +++ b/src/main/java/eu/dnetlib/repo/manager/service/security/RoleMappingService.java @@ -7,68 +7,41 @@ import java.util.Collection; public interface RoleMappingService { - /** - * @param fullName - * @param prefix - * @return - */ - String getRepoNameWithoutType(String fullName, String prefix); - /** * @param roleId Role Id * @return Converts {@param roleId} to a repo Id. */ - String getRepoIdByRoleId(String roleId); + String getRepositoryId(String roleId); /** - * * @param roleIds Collection of roles * @return Converts {@param roleIds} to a repo Ids. */ - Collection getRepoIdsByRoleIds(Collection roleIds); + Collection getRepositoryIds(Collection roleIds); /** * @param repoId Repository Id * @return Converts {@param repoId} to a role Id. */ - String getRoleIdByRepoId(String repoId); + String getRole(String repoId); /** * @param repoIds Collection of Repository Ids * @return Converts {@param repoIds} to role Ids. */ - Collection getRoleIdsByRepoIds(Collection repoIds); + Collection getRoles(Collection repoIds); /** - * @param authorityId Authority Id - * @return Converts {@param authorityId} to repo Id. + * @param authority {@link GrantedAuthority} + * @return Converts {@param authority} to repository Id. */ - String convertAuthorityIdToRepoId(String authorityId); - - /** - * @param authority Granted authority - * @return Converts {@param authority} to repo Id. - */ - String convertAuthorityToRepoId(GrantedAuthority authority); - - /** - * @param repoId Repository Id - * @return - */ - String convertRepoIdToAuthorityId(String repoId); - - /** - * @param repoId Repository Id - * @return Converts {@param repoId} to {@link String} role id url encoded ($ -> %24) - * // TODO: remove role encoding and perform url decoding when mapping authorities. (Must be performed in all OpenAIRE projects because of Redis) - */ - String convertRepoIdToEncodedAuthorityId(String repoId); + String authorityToRepositoryId(GrantedAuthority authority); /** * @param repoId Repository Id * @return Converts {@param repoId} to {@link SimpleGrantedAuthority} with the role url encoded ($ -> %24) * // TODO: remove role encoding and perform url decoding when mapping authorities. (Must be performed in all OpenAIRE projects because of Redis) */ - SimpleGrantedAuthority convertRepoIdToAuthority(String repoId); + GrantedAuthority repositoryIdToAuthority(String repoId); }