Improved role functionality

This commit is contained in:
Konstantinos Spyrou 2023-02-17 16:17:37 +02:00
parent 0f0163dc2d
commit b67e98976d
6 changed files with 85 additions and 106 deletions

View File

@ -67,8 +67,9 @@ public class AaiSecurityConfiguration extends WebSecurityConfigurerAdapter {
.anyRequest().authenticated()
.and()
.logout().logoutUrl("/openid_logout")
.clearAuthentication(true)
.invalidateHttpSession(true)
.deleteCookies("openAIRESession")
.deleteCookies()
.logoutSuccessUrl(logoutSuccessUrl)
.and()
.addFilterBefore(openIdConnectAuthenticationFilter(), AbstractPreAuthenticatedProcessingFilter.class)

View File

@ -28,6 +28,7 @@ import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.*;
import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import org.springframework.web.client.RestTemplate;
@ -38,6 +39,7 @@ import javax.annotation.PostConstruct;
import java.sql.Timestamp;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
@Service("repositoryService")
public class RepositoryServiceImpl implements RepositoryService {
@ -284,14 +286,14 @@ public class RepositoryServiceImpl implements RepositoryService {
public List<Repository> getRepositoriesOfUser(String page, String size) {
logger.debug("Retrieving repositories of authenticated user : {}",
((OIDCAuthenticationToken) SecurityContextHolder.getContext().getAuthentication()).getUserInfo().getEmail());
Collection<String> repoIds = roleMappingService.getRepoIdsByRoleIds(authorizationService.getUserRoles());
Collection<String> repoIds = roleMappingService.getRepositoryIds(authorizationService.getUserRoles());
return getRepositories(new ArrayList<>(repoIds));
}
@Override
public List<Repository> getRepositoriesOfUser(String userEmail, String page, String size) {
logger.debug("Retrieving repositories of authenticated user : {}", userEmail);
Collection<String> repoIds = roleMappingService.getRepoIdsByRoleIds(authorizationService.getUserRolesByEmail(userEmail));
Collection<String> repoIds = roleMappingService.getRepositoryIds(authorizationService.getUserRolesByEmail(userEmail));
return getRepositories(new ArrayList<>(repoIds));
}
@ -304,12 +306,7 @@ public class RepositoryServiceImpl implements RepositoryService {
public List<RepositorySnippet> getRepositoriesSnippetsOfUser(String userEmail, String page, String size) {
int from = Integer.parseInt(page) * Integer.parseInt(size);
int to = from + Integer.parseInt(size);
List<String> repoIds = new ArrayList<>();
if (userEmail != null && !"".equals(userEmail)) {
repoIds.addAll(roleMappingService.getRepoIdsByRoleIds(authorizationService.getUserRolesByEmail(userEmail)));
} else {
repoIds.addAll(roleMappingService.getRepoIdsByRoleIds(authorizationService.getUserRoles()));
}
List<String> repoIds = getRepoIdsOfUser(userEmail);
if (repoIds.size() < from) {
return Collections.emptyList();
@ -957,10 +954,27 @@ public class RepositoryServiceImpl implements RepositoryService {
return repositories;
}
private List<String> getRepoIdsOfUser(String userEmail) {
List<String> repoIds;
if (userEmail != null && !"".equals(userEmail)) {
repoIds = new ArrayList<>(roleMappingService.getRepositoryIds(authorizationService.getUserRolesByEmail(userEmail)));
} else {
Collection<?> authorities = SecurityContextHolder.getContext().getAuthentication().getAuthorities();
repoIds = authorities
.stream()
.map(a -> roleMappingService.authorityToRepositoryId((GrantedAuthority) a))
.filter(Objects::nonNull)
.collect(Collectors.toList());
}
return repoIds;
}
@Deprecated
private String getRepositoryType(String typology) {
return invertedDataSourceClass.get(typology);
}
@Deprecated
private List<String> getRoleIdsFromUserRoles(String userEmail) {
List<Integer> coPersonId = registryCalls.getCoPersonIdsByEmail(userEmail);
JsonArray roles;

View File

@ -165,6 +165,7 @@ public class RegistryCalls implements AaiRegistryService {
@Override
public JsonArray getRoles(Integer coPersonId) {
Map<String, String> params = new HashMap<>();
params.put("coid", coid);
params.put("copersonid", coPersonId.toString());
JsonElement response = httpUtils.get("co_person_roles.json", params);
return (response != null) ? response.getAsJsonObject().get("CoPersonRoles").getAsJsonArray() : new JsonArray();

View File

@ -7,6 +7,8 @@ import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Service;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.Collection;
import java.util.Objects;
@ -20,21 +22,8 @@ public class AaiRoleMappingService implements RoleMappingService {
@Value("${services.provide.aai.registry.production:true}")
private boolean production;
private String createRepoRoleName(String prefix, String repoId) {
return prefix + "." + repoId.replace(":", "$");
}
@Override
public String getRepoNameWithoutType(String fullName, String prefix) {
if (fullName != null && prefix != null && fullName.startsWith(prefix)) {
return fullName.substring(prefix.length());
}
return null;
}
@Override
public String getRepoIdByRoleId(String roleId) {
public String getRepositoryId(String roleId) {
if (!roleActive(roleId)) {
return null;
}
@ -42,43 +31,46 @@ public class AaiRoleMappingService implements RoleMappingService {
}
@Override
public Collection<String> getRepoIdsByRoleIds(Collection<String> roleIds) {
public Collection<String> getRepositoryIds(Collection<String> roleIds) {
return roleIds
.stream()
//.filter(this::roleActive) // implicitly executed in the next statement
.map(this::getRepoIdByRoleId)
.map(this::getRepositoryId)
.filter(Objects::nonNull)
.collect(Collectors.toList());
}
@Override
public String getRoleIdByRepoId(String repoId) {
String roleId = "";
public String getRole(String repoId) {
String role = null;
String prefix = (production ? "" : "beta.") + "datasource";
if (repoId != null) {
roleId = createRepoRoleName(prefix, repoId);
return roleId;
} else {
return null;
role = createRole(prefix, repoId);
}
return role;
}
@Override
public Collection<String> getRoleIdsByRepoIds(Collection<String> repoIds) {
public Collection<String> getRoles(Collection<String> repoIds) {
return repoIds
.stream()
.map(this::getRoleIdByRepoId)
.map(this::getRole)
.filter(Objects::nonNull)
.collect(Collectors.toList());
}
@Override
public String convertAuthorityIdToRepoId(String authorityId) {
String repo = "";
if (authorityId != null && roleActive(authorityId)) {
repo = authorityId
.replaceFirst(".*datasource\\.", "")
public String authorityToRepositoryId(GrantedAuthority authority) {
String repo = null;
String auth = null;
try {
auth = URLDecoder.decode(authority.getAuthority(), "UTF-8").toLowerCase();
} catch (UnsupportedEncodingException e) {
logger.error("", e);
}
if (auth != null && roleActive(auth)) {
repo = auth
.replaceFirst(".*datasource\\_", "")
.replace("$", ":")
.toLowerCase();
}
@ -86,12 +78,26 @@ public class AaiRoleMappingService implements RoleMappingService {
}
@Override
public String convertAuthorityToRepoId(GrantedAuthority authority) {
return convertAuthorityIdToRepoId(authority.toString());
public GrantedAuthority repositoryIdToAuthority(String repoId) {
String role = null;
try {
role = URLEncoder.encode(convertRepoIdToAuthorityId(repoId), "UTF-8");
} catch (UnsupportedEncodingException e) {
logger.error("", e);
}
return new SimpleGrantedAuthority(role);
}
@Override
public String convertRepoIdToAuthorityId(String repoId) {
private String createRole(String prefix, String repoId) {
return prefix + "." + repoId.replace(":", "$");
}
private boolean roleActive(String roleId) {
return (production && !roleId.toLowerCase().startsWith("beta"))
|| (!production && roleId.toLowerCase().startsWith("beta"));
}
private String convertRepoIdToAuthorityId(String repoId) {
StringBuilder roleBuilder = new StringBuilder();
String role = "";
if (repoId != null) {
@ -102,20 +108,4 @@ public class AaiRoleMappingService implements RoleMappingService {
}
return role;
}
@Override
public String convertRepoIdToEncodedAuthorityId(String repoId) {
return URLEncoder.encode(convertRepoIdToAuthorityId(repoId));
}
@Override
public SimpleGrantedAuthority convertRepoIdToAuthority(String repoId) {
String role = convertRepoIdToEncodedAuthorityId(repoId);
return new SimpleGrantedAuthority(role);
}
private boolean roleActive(String roleId) {
return (production && !roleId.toLowerCase().startsWith("beta."))
|| (!production && roleId.toLowerCase().startsWith("beta."));
}
}

View File

@ -56,9 +56,9 @@ public class AuthorizationServiceImpl implements AuthorizationService {
@Override
public boolean isMemberOf(String repoId) {
String repoRole = roleMappingService.convertRepoIdToEncodedAuthorityId(repoId);
String repoAuthority = roleMappingService.repositoryIdToAuthority(repoId).getAuthority();
return SecurityContextHolder.getContext().getAuthentication().getAuthorities()
.stream().anyMatch(authority -> authority.toString().equals(repoRole));
.stream().anyMatch(authority -> authority.toString().equals(repoAuthority));
}
@Override
@ -74,7 +74,7 @@ public class AuthorizationServiceImpl implements AuthorizationService {
public List<User> getAdminsOfRepo(String repoId) {
// find couId by role name
String role = roleMappingService.getRoleIdByRepoId(repoId);
String role = roleMappingService.getRole(repoId);
Integer couId = aaiRegistryService.getCouId(role);
return aaiRegistryService.getUsers(couId);
}
@ -82,7 +82,7 @@ public class AuthorizationServiceImpl implements AuthorizationService {
@Override
public void addAdmin(String resourceId, String email) throws ResourceNotFoundException {
String role = roleMappingService.getRoleIdByRepoId(resourceId);
String role = roleMappingService.getRole(resourceId);
Integer couId = aaiRegistryService.getCouId(role);
if (couId == null) {
throw new ResourceNotFoundException("Cannot find CouId for role: " + role);
@ -94,14 +94,14 @@ public class AuthorizationServiceImpl implements AuthorizationService {
// Add role to user current authorities
for (String userId : aaiRegistryService.getUserIdentifiersByEmail(email)) {
authoritiesUpdater.addRole(userId, roleMappingService.convertRepoIdToAuthority(resourceId));
authoritiesUpdater.addRole(userId, roleMappingService.repositoryIdToAuthority(resourceId));
}
}
}
@Override
public void removeAdmin(String resourceId, String email) throws ResourceNotFoundException {
String role = roleMappingService.getRoleIdByRepoId(resourceId);
String role = roleMappingService.getRole(resourceId);
Integer couId = aaiRegistryService.getCouId(role);
if (couId == null) {
throw new ResourceNotFoundException("Cannot find CouId for role: " + role);
@ -115,7 +115,7 @@ public class AuthorizationServiceImpl implements AuthorizationService {
// Remove role from user current authorities
for (String userId : aaiRegistryService.getUserIdentifiersByEmail(email)) {
authoritiesUpdater.removeRole(userId, roleMappingService.convertRepoIdToAuthority(resourceId));
authoritiesUpdater.removeRole(userId, roleMappingService.repositoryIdToAuthority(resourceId));
}
} else {
logger.error("Cannot find RoleId for role: {}", role);
@ -126,7 +126,7 @@ public class AuthorizationServiceImpl implements AuthorizationService {
@Override
public void createAndAssignRoleToAuthenticatedUser(String resourceId, String roleDescription) {
// Create new role
String newRoleName = roleMappingService.getRoleIdByRepoId(resourceId);
String newRoleName = roleMappingService.getRole(resourceId);
Role newRole = new Role(newRoleName, roleDescription);
Integer couId;
@ -148,7 +148,7 @@ public class AuthorizationServiceImpl implements AuthorizationService {
aaiRegistryService.assignMemberRole(coPersonId, couId);
// Add role to current user authorities
authoritiesUpdater.addRole(roleMappingService.convertRepoIdToAuthority(resourceId));
authoritiesUpdater.addRole(roleMappingService.repositoryIdToAuthority(resourceId));
}
}

View File

@ -7,68 +7,41 @@ import java.util.Collection;
public interface RoleMappingService {
/**
* @param fullName
* @param prefix
* @return
*/
String getRepoNameWithoutType(String fullName, String prefix);
/**
* @param roleId Role Id
* @return Converts {@param roleId} to a repo Id.
*/
String getRepoIdByRoleId(String roleId);
String getRepositoryId(String roleId);
/**
*
* @param roleIds Collection of roles
* @return Converts {@param roleIds} to a repo Ids.
*/
Collection<String> getRepoIdsByRoleIds(Collection<String> roleIds);
Collection<String> getRepositoryIds(Collection<String> roleIds);
/**
* @param repoId Repository Id
* @return Converts {@param repoId} to a role Id.
*/
String getRoleIdByRepoId(String repoId);
String getRole(String repoId);
/**
* @param repoIds Collection of Repository Ids
* @return Converts {@param repoIds} to role Ids.
*/
Collection<String> getRoleIdsByRepoIds(Collection<String> repoIds);
Collection<String> getRoles(Collection<String> repoIds);
/**
* @param authorityId Authority Id
* @return Converts {@param authorityId} to repo Id.
* @param authority {@link GrantedAuthority}
* @return Converts {@param authority} to repository Id.
*/
String convertAuthorityIdToRepoId(String authorityId);
/**
* @param authority Granted authority
* @return Converts {@param authority} to repo Id.
*/
String convertAuthorityToRepoId(GrantedAuthority authority);
/**
* @param repoId Repository Id
* @return
*/
String convertRepoIdToAuthorityId(String repoId);
/**
* @param repoId Repository Id
* @return Converts {@param repoId} to {@link String} role id url encoded ($ -> %24)
* // TODO: remove role encoding and perform url decoding when mapping authorities. (Must be performed in all OpenAIRE projects because of Redis)
*/
String convertRepoIdToEncodedAuthorityId(String repoId);
String authorityToRepositoryId(GrantedAuthority authority);
/**
* @param repoId Repository Id
* @return Converts {@param repoId} to {@link SimpleGrantedAuthority} with the role url encoded ($ -> %24)
* // TODO: remove role encoding and perform url decoding when mapping authorities. (Must be performed in all OpenAIRE projects because of Redis)
*/
SimpleGrantedAuthority convertRepoIdToAuthority(String repoId);
GrantedAuthority repositoryIdToAuthority(String repoId);
}