From 3ac49f932b80c537e8b444b172d96d6147f0f8d1 Mon Sep 17 00:00:00 2001 From: Mauro Mugnaini Date: Mon, 22 Jun 2020 12:00:20 +0200 Subject: [PATCH] OIDC UMA token in threadlocal changes --- pom.xml | 6 + .../GCubeHookSiteRoleLocalService.java | 219 ++++++++++-------- .../plugins/GCubeHookUserLocalService.java | 12 +- 3 files changed, 133 insertions(+), 104 deletions(-) diff --git a/pom.xml b/pom.xml index 4b474a7..c199b9d 100644 --- a/pom.xml +++ b/pom.xml @@ -64,6 +64,12 @@ common-scope provided + + org.gcube.portal + oidc-library-portal + [0.1.0,) + provided + org.slf4j slf4j-log4j12 diff --git a/src/main/java/org/gcube/portal/plugins/GCubeHookSiteRoleLocalService.java b/src/main/java/org/gcube/portal/plugins/GCubeHookSiteRoleLocalService.java index f2de26d..6972e3d 100644 --- a/src/main/java/org/gcube/portal/plugins/GCubeHookSiteRoleLocalService.java +++ b/src/main/java/org/gcube/portal/plugins/GCubeHookSiteRoleLocalService.java @@ -6,11 +6,13 @@ import java.util.ArrayList; import java.util.List; import org.gcube.common.authorization.library.provider.SecurityTokenProvider; +import org.gcube.common.authorization.library.provider.UmaJWTProvider; import org.gcube.common.portal.PortalContext; import org.gcube.common.scope.api.ScopeProvider; import org.gcube.common.storagehub.client.dsl.StorageHubClient; import org.gcube.common.storagehub.client.dsl.Util; import org.gcube.common.storagehub.client.dsl.VREFolderManager; +import org.gcube.portal.oidc.lr62.OIDCUmaUtil; import org.gcube.vomanagement.usermanagement.GroupManager; import org.gcube.vomanagement.usermanagement.RoleManager; import org.gcube.vomanagement.usermanagement.impl.LiferayGroupManager; 
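Review bot: The new oidc-library-portal dependency in the pom.xml hunk is declared with the open-ended version range `[0.1.0,)`, so every build resolves whatever newest artifact the repository happens to serve and the resulting hook is not reproducible; since this library is what supplies the portal-client UMA token, a silently picked-up newer release also changes security-relevant behaviour without a code review. Pin it to the version actually tested, `<version>PINNED_VERSION</version>` (placeholder, the page does not show which release was used), or at least close the range with an upper bound. Note that the XML element tags of this hunk appear stripped in this rendering, so the exact element nesting could not be checked here.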
@@ -32,114 +34,125 @@ import com.liferay.portal.service.UserGroupRoleLocalServiceWrapper; import com.liferay.portal.service.UserLocalServiceUtil; public class GCubeHookSiteRoleLocalService extends UserGroupRoleLocalServiceWrapper { - /** - * logger - */ - private static final Logger _log = LoggerFactory.getLogger(GCubeHookSiteRoleLocalService.class); - private GroupManager gm; - private LiferayUserManager uMan; - public GCubeHookSiteRoleLocalService(UserGroupRoleLocalService userGroupRoleLocalService) { - super(userGroupRoleLocalService); - gm = new LiferayGroupManager(); - uMan = new LiferayUserManager(); - System.out.println("GCubeHookSiteRoleLocalService hook is UP & Listening ..."); - } + /** + * logger + */ + private static final Logger _log = LoggerFactory.getLogger(GCubeHookSiteRoleLocalService.class); + private GroupManager gm; + private LiferayUserManager uMan; - //TODO: as soon as Feature https://support.d4science.org/issues/17726 is delivered take care of this also - @Override - public java.util.List addUserGroupRoles(long[] userIds, long groupId, long roleId) throws com.liferay.portal.kernel.exception.SystemException { - List toReturn = super.addUserGroupRoles(userIds, groupId, roleId); - return toReturn; - } + public GCubeHookSiteRoleLocalService(UserGroupRoleLocalService userGroupRoleLocalService) { + super(userGroupRoleLocalService); + gm = new LiferayGroupManager(); + uMan = new LiferayUserManager(); + System.out.println("GCubeHookSiteRoleLocalService hook is UP & Listening ..."); + } - @Override - public java.util.List addUserGroupRoles(long userId, long groupId, long[] roleIds) throws com.liferay.portal.kernel.exception.SystemException { - List toReturn = super.addUserGroupRoles(userId, groupId, roleIds); - try { - String context = gm.getInfrastructureScope(groupId); - String username = UserLocalServiceUtil.getUser(userId).getScreenName(); - /* Check this part CAREFULLY as when the user is just created it fails*/ - String userToken = 
authorizationService().resolveTokenByUserAndContext(username, context); - List userRoles = getUserRoles(roleIds); - authorizationService().setTokenRoles(userToken, userRoles); - _log.debug("Check if addUserGroupRoles is done in a VRE"); - if (gm.isVRE(groupId)) { - _log.debug("addUserGroupRoles performed in a VRE, groupId=" + groupId); - boolean vreManagerRolePresent = false; - for (int i = 0; i < roleIds.length; i++) { - Role role = RoleLocalServiceUtil.getRole(roleIds[i]); - if (role.getName().compareTo(GCubeRole.VRE_MANAGER_LABEL) == 0) { - _log.info("User is being promoted (or was) as VREFolder Administrator, userId=" + userId + " on Site groupId="+groupId); - vreManagerRolePresent = true; - break; - } - } - setVREFolderAdministrator(userId, groupId, vreManagerRolePresent); - } else { - _log.debug("addUserGroupRoles NOT done in a VRE, groupId=" + groupId); - } - } - catch (Exception e) { - e.printStackTrace(); - } - return toReturn; - } + //TODO: as soon as Feature https://support.d4science.org/issues/17726 is delivered take care of this also + @Override + public java.util.List addUserGroupRoles(long[] userIds, long groupId, + long roleId) throws com.liferay.portal.kernel.exception.SystemException { + List toReturn = super.addUserGroupRoles(userIds, groupId, roleId); + return toReturn; + } - private List getUserRoles(long[] roleIds) throws PortalException, SystemException { - List toReturn = new ArrayList<>(); - for (int i = 0; i < roleIds.length; i++) { - Role role = RoleLocalServiceUtil.getRole(roleIds[i]); - toReturn.add(role.getName()); - } - return toReturn; - } + @Override + public java.util.List addUserGroupRoles(long userId, long groupId, + long[] roleIds) throws com.liferay.portal.kernel.exception.SystemException { + List toReturn = super.addUserGroupRoles(userId, groupId, roleIds); + try { + String context = gm.getInfrastructureScope(groupId); + String username = UserLocalServiceUtil.getUser(userId).getScreenName(); + /* Check this part CAREFULLY as 
when the user is just created it fails*/ + String userToken = authorizationService().resolveTokenByUserAndContext(username, context); + List userRoles = getUserRoles(roleIds); + authorizationService().setTokenRoles(userToken, userRoles); + _log.debug("Check if addUserGroupRoles is done in a VRE"); + if (gm.isVRE(groupId)) { + _log.debug("addUserGroupRoles performed in a VRE, groupId=" + groupId); + boolean vreManagerRolePresent = false; + for (int i = 0; i < roleIds.length; i++) { + Role role = RoleLocalServiceUtil.getRole(roleIds[i]); + if (role.getName().compareTo(GCubeRole.VRE_MANAGER_LABEL) == 0) { + _log.info("User is being promoted (or was) as VREFolder Administrator, userId=" + userId + + " on Site groupId=" + groupId); + vreManagerRolePresent = true; + break; + } + } + setVREFolderAdministrator(userId, groupId, vreManagerRolePresent); + } else { + _log.debug("addUserGroupRoles NOT done in a VRE, groupId=" + groupId); + } + } catch (Exception e) { + e.printStackTrace(); + } + return toReturn; + } - private boolean setVREFolderAdministrator(long userId, long groupId, boolean enable) throws Exception { - String context = gm.getInfrastructureScope(groupId); - ScopeProvider.instance.set(context); - String vreFolderTitle = Util.getVREGroupFromContext(context); - _log.info("The vreFolderTitle on which the VREFolder role is being {} is {}", enable, vreFolderTitle); - _log.info("Before StorageHubClient shc = new StorageHubClient();"); - StorageHubClient shc = new StorageHubClient(); - _log.info("Before shc.getVreFolderManager(vreFolderTitle);"); - VREFolderManager vreFolderManager = shc.getVreFolderManager(vreFolderTitle); - - String previousToken = SecurityTokenProvider.instance.get(); - //get the super user - _log.info("//get the super user"); + private List getUserRoles(long[] roleIds) throws PortalException, SystemException { + List toReturn = new ArrayList<>(); + for (int i = 0; i < roleIds.length; i++) { + Role role = RoleLocalServiceUtil.getRole(roleIds[i]); 
+ toReturn.add(role.getName()); + } + return toReturn; + } - String infraContext = "/"+PortalContext.getConfiguration().getInfrastructureName(); - long rootgroupId = gm.getGroupIdFromInfrastructureScope(infraContext); - User theAdmin = LiferayUserManager.getRandomUserWithRole(rootgroupId, GatewayRolesNames.INFRASTRUCTURE_MANAGER); - if (theAdmin == null) { - _log.warn("Cannot add the user as VRE Folder admin: there is no user having role " + GatewayRolesNames.INFRASTRUCTURE_MANAGER); - return false; - } - else { - RoleManager rm = new LiferayRoleManager(); - String adminUsername = theAdmin.getScreenName(); - _log.info("Got the super user: " +adminUsername); - String theAdminToken = PortalContext.getConfiguration().getCurrentUserToken(infraContext, adminUsername); - List rolesString = new ArrayList(); - List theAdminRoles = rm.listRolesByUserAndGroup(theAdmin.getUserId(), rootgroupId); - for (GCubeRole gCubeRole : theAdminRoles) { - rolesString.add(gCubeRole.getRoleName()); - } - rolesString.add(GatewayRolesNames.INFRASTRUCTURE_MANAGER.getRoleName()); - _log.info("authorizationService().setTokenRoles(theAdminToken, rolesString);" +theAdminToken); - authorizationService().setTokenRoles(theAdminToken, rolesString); - SecurityTokenProvider.instance.set(theAdminToken); - - String theUserToPromoteOrDeclass = uMan.getUserById(userId).getUsername(); - _log.info("The {} is being promoted? 
{} ", theUserToPromoteOrDeclass, enable); - if (enable) - vreFolderManager.setAdmin(theUserToPromoteOrDeclass); - else - vreFolderManager.removeAdmin(theUserToPromoteOrDeclass); - SecurityTokenProvider.instance.set(previousToken); - return true; - } - } + private boolean setVREFolderAdministrator(long userId, long groupId, boolean enable) throws Exception { + String context = gm.getInfrastructureScope(groupId); + ScopeProvider.instance.set(context); + String vreFolderTitle = Util.getVREGroupFromContext(context); + _log.info("The vreFolderTitle on which the VREFolder role is being {} is {}", enable, vreFolderTitle); + _log.info("Before StorageHubClient shc = new StorageHubClient();"); + StorageHubClient shc = new StorageHubClient(); + _log.info("Before shc.getVreFolderManager(vreFolderTitle);"); + VREFolderManager vreFolderManager = shc.getVreFolderManager(vreFolderTitle); + String previousToken = SecurityTokenProvider.instance.get(); + + //get the super user + _log.info("//get the super user"); + + String infraContext = "/" + PortalContext.getConfiguration().getInfrastructureName(); + long rootgroupId = gm.getGroupIdFromInfrastructureScope(infraContext); + User theAdmin = LiferayUserManager.getRandomUserWithRole(rootgroupId, GatewayRolesNames.INFRASTRUCTURE_MANAGER); + if (theAdmin == null) { + _log.warn("Cannot add the user as VRE Folder admin: there is no user having role " + + GatewayRolesNames.INFRASTRUCTURE_MANAGER); + return false; + } else { + RoleManager rm = new LiferayRoleManager(); + String adminUsername = theAdmin.getScreenName(); + _log.info("Got the super user: " + adminUsername); + String theAdminToken = PortalContext.getConfiguration().getCurrentUserToken(infraContext, adminUsername); + List rolesString = new ArrayList(); + List theAdminRoles = rm.listRolesByUserAndGroup(theAdmin.getUserId(), rootgroupId); + for (GCubeRole gCubeRole : theAdminRoles) { + rolesString.add(gCubeRole.getRoleName()); + } + 
rolesString.add(GatewayRolesNames.INFRASTRUCTURE_MANAGER.getRoleName()); + _log.info("authorizationService().setTokenRoles(theAdminToken, rolesString);" + theAdminToken); + authorizationService().setTokenRoles(theAdminToken, rolesString); + SecurityTokenProvider.instance.set(theAdminToken); + + String previousUmaToken = UmaJWTProvider.instance.get(); + OIDCUmaUtil.provideConfiguredPortalClientUMATokenInThreadLocal(infraContext); + + String theUserToPromoteOrDeclass = uMan.getUserById(userId).getUsername(); + _log.info("The {} is being promoted? {} ", theUserToPromoteOrDeclass, enable); + if (enable) + vreFolderManager.setAdmin(theUserToPromoteOrDeclass); + else + vreFolderManager.removeAdmin(theUserToPromoteOrDeclass); + SecurityTokenProvider.instance.set(previousToken); + + if (previousUmaToken != null) { + UmaJWTProvider.instance.set(previousUmaToken); + } + + return true; + } + } } diff --git a/src/main/java/org/gcube/portal/plugins/GCubeHookUserLocalService.java b/src/main/java/org/gcube/portal/plugins/GCubeHookUserLocalService.java index 6ace958..a65112c 100644 --- a/src/main/java/org/gcube/portal/plugins/GCubeHookUserLocalService.java +++ b/src/main/java/org/gcube/portal/plugins/GCubeHookUserLocalService.java @@ -6,10 +6,12 @@ import java.util.ArrayList; import java.util.List; import org.gcube.common.authorization.library.provider.SecurityTokenProvider; +import org.gcube.common.authorization.library.provider.UmaJWTProvider; import org.gcube.common.portal.PortalContext; import org.gcube.common.scope.api.ScopeProvider; import org.gcube.common.storagehub.client.plugins.AbstractPlugin; import org.gcube.common.storagehub.client.proxies.GroupManagerClient; +import org.gcube.portal.oidc.lr62.OIDCUmaUtil; import org.gcube.portal.plugins.thread.CheckShareLatexUserThread; import org.gcube.portal.plugins.thread.RemoveUserTokenFromVREThread; import org.gcube.portal.plugins.thread.UpdateUserToLDAPGroupThread; 
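Review bot: In setVREFolderAdministrator the new UMA token handling is not exception-safe: `OIDCUmaUtil.provideConfiguredPortalClientUMATokenInThreadLocal(infraContext)` puts the portal-client UMA token into the thread-local, but the restore of `previousUmaToken` (and the pre-existing restore of `previousToken`) only runs if `vreFolderManager.setAdmin`/`removeAdmin` returns normally, so on a StorageHub failure the elevated admin token and UMA token stay bound to the pooled request thread for whoever runs on it next, and the caller's `catch (Exception e)` hides that this happened. The restore is also conditional on `previousUmaToken != null`, which means that when the thread started without a UMA token (the normal case for a newly created user, per the comment above) the elevated one is never cleared at all. Move the StorageHub call into a try/finally that always restores both providers, and clear the UMA token when there was none before; the page shows only `get`/`set` on UmaJWTProvider, so whether `set(null)` is accepted or a dedicated clear/reset method exists must be checked against the library. The same pattern, with the same two gaps, is added to the GCubeHookUserLocalService hunk at the end of this patch (its enclosing method starts outside that hunk).
```java
            String previousUmaToken = UmaJWTProvider.instance.get();
            OIDCUmaUtil.provideConfiguredPortalClientUMATokenInThreadLocal(infraContext);
            try {
                String theUserToPromoteOrDeclass = uMan.getUserById(userId).getUsername();
                _log.info("The {} is being promoted? {} ", theUserToPromoteOrDeclass, enable);
                if (enable)
                    vreFolderManager.setAdmin(theUserToPromoteOrDeclass);
                else
                    vreFolderManager.removeAdmin(theUserToPromoteOrDeclass);
            } finally {
                // Always put the caller's tokens back, even when StorageHub fails, so the
                // admin token and portal-client UMA token do not outlive this call on the thread.
                SecurityTokenProvider.instance.set(previousToken);
                // TODO confirm: if set(null) is not accepted by UmaJWTProvider, use its
                // clear/reset method here instead for the no-previous-token case.
                UmaJWTProvider.instance.set(previousUmaToken);
            }
            return true;
```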
@@ -174,13 +176,21 @@ public class GCubeHookUserLocalService extends UserLocalServiceWrapper { _log.info("authorizationService().setTokenRoles(theAdminToken, rolesString);" +theAdminToken); authorizationService().setTokenRoles(theAdminToken, rolesString); SecurityTokenProvider.instance.set(theAdminToken); + + String previousUmaToken = UmaJWTProvider.instance.get(); + OIDCUmaUtil.provideConfiguredPortalClientUMATokenInThreadLocal(infraContext); GroupManagerClient client = AbstractPlugin.groups().build(); if (add) client.addUserToGroup(username2Add, getVREFolderNameFromContext(context)); else client.removeUserFromGroup(username2Add, getVREFolderNameFromContext(context)); SecurityTokenProvider.instance.set(previousToken); - return true; + + if (previousUmaToken != null) { + UmaJWTProvider.instance.set(previousUmaToken); + } + + return true; } }