Remaining pieces for save&restore authentication/authorization: filters

ControlSystemStudio · Nov 9, 2023 · db12971 · db12971
1 parent 1a6c789
commit db12971
Show file tree

Hide file tree

Showing 11 changed files with 290 additions and 265 deletions.
diff --git a/.../main/java/org/phoebus/applications/saveandrestore/client/SaveAndRestoreJerseyClient.java b/.../main/java/org/phoebus/applications/saveandrestore/client/SaveAndRestoreJerseyClient.java
@@ -181,7 +181,9 @@ public List<Node> getChildNodes(String uniqueNodeId) throws SaveAndRestoreClient
 
     @Override
     public Node createNewNode(String parentNodeId, Node node) {
-        WebResource webResource = getClient().resource(jmasarServiceUrl + "/node").queryParam("parentNodeId", parentNodeId);
+        WebResource webResource = getClient().resource(jmasarServiceUrl + "/node")
+                .queryParam("parentNodeId", parentNodeId)   // Request parameter username is needed in case authorization/authentication is disabled.
+                .queryParam("username", System.getProperty("user.name"));
         ClientResponse response = webResource.accept(CONTENT_TYPE_JSON)
                 .entity(node, CONTENT_TYPE_JSON)
                 .put(ClientResponse.class);
@@ -205,7 +207,9 @@ public Node updateNode(Node nodeToUpdate) {
     @Override
     public Node updateNode(Node nodeToUpdate, boolean customTimeForMigration) {
         WebResource webResource = getClient().resource(jmasarServiceUrl + "/node")
-                .queryParam("customTimeForMigration", customTimeForMigration ? "true" : "false");
+                .queryParam("customTimeForMigration", customTimeForMigration ? "true" : "false")
+                // Request parameter username is needed in case authorization/authentication is disabled.
+                .queryParam("username", System.getProperty("user.name"));
 
         ClientResponse response = webResource.accept(CONTENT_TYPE_JSON)
                 .entity(nodeToUpdate, CONTENT_TYPE_JSON)
@@ -343,7 +347,9 @@ public ConfigurationData getConfigurationData(String nodeId) {
     public Configuration createConfiguration(String parentNodeId, Configuration configuration) {
         WebResource webResource =
                 getClient().resource(jmasarServiceUrl + "/config")
-                        .queryParam("parentNodeId", parentNodeId);
+                        .queryParam("parentNodeId", parentNodeId)
+                        // Request parameter username is needed in case authorization/authentication is disabled.
+                        .queryParam("username", System.getProperty("user.name"));
         ClientResponse response = webResource.accept(CONTENT_TYPE_JSON)
                 .entity(configuration, CONTENT_TYPE_JSON)
                 .put(ClientResponse.class);
@@ -361,7 +367,9 @@ public Configuration createConfiguration(String parentNodeId, Configuration conf
 
     @Override
     public Configuration updateConfiguration(Configuration configuration) {
-        WebResource webResource = getClient().resource(jmasarServiceUrl + "/config");
+        WebResource webResource = getClient().resource(jmasarServiceUrl + "/config")
+                // Request parameter username is needed in case authorization/authentication is disabled.
+                .queryParam("username", System.getProperty("user.name"));
 
         ClientResponse response = webResource.accept(CONTENT_TYPE_JSON)
                 .entity(configuration, CONTENT_TYPE_JSON)
@@ -388,7 +396,9 @@ public SnapshotData getSnapshotData(String nodeId) {
     public Snapshot saveSnapshot(String parentNodeId, Snapshot snapshot) {
         WebResource webResource =
                 getClient().resource(jmasarServiceUrl + "/snapshot")
-                        .queryParam("parentNodeId", parentNodeId);
+                        .queryParam("parentNodeId", parentNodeId)
+                        // Request parameter username is needed in case authorization/authentication is disabled.
+                        .queryParam("username", System.getProperty("user.name"));
         ClientResponse response;
         try {
             response = webResource.accept(CONTENT_TYPE_JSON)
@@ -413,7 +423,9 @@ public Snapshot saveSnapshot(String parentNodeId, Snapshot snapshot) {
     public CompositeSnapshot createCompositeSnapshot(String parentNodeId, CompositeSnapshot compositeSnapshot) {
         WebResource webResource =
                 getClient().resource(jmasarServiceUrl + "/composite-snapshot")
-                        .queryParam("parentNodeId", parentNodeId);
+                        .queryParam("parentNodeId", parentNodeId)
+                        // Request parameter username is needed in case authorization/authentication is disabled.
+                        .queryParam("username", System.getProperty("user.name"));
         ClientResponse response = webResource.accept(CONTENT_TYPE_JSON)
                 .entity(compositeSnapshot, CONTENT_TYPE_JSON)
                 .put(ClientResponse.class);
@@ -451,7 +463,9 @@ public List<String> checkCompositeSnapshotConsistency(List<String> snapshotNodeI
 
     @Override
     public CompositeSnapshot updateCompositeSnapshot(CompositeSnapshot compositeSnapshot) {
-        WebResource webResource = getClient().resource(jmasarServiceUrl + "/composite-snapshot");
+        WebResource webResource = getClient().resource(jmasarServiceUrl + "/composite-snapshot")
+                // Request parameter username is needed in case authorization/authentication is disabled.
+                .queryParam("username", System.getProperty("user.name"));
 
         ClientResponse response = webResource.accept(CONTENT_TYPE_JSON)
                 .entity(compositeSnapshot, CONTENT_TYPE_JSON)
@@ -488,8 +502,9 @@ public SearchResult search(MultivaluedMap<String, String> searchParams) {
 
     @Override
     public Filter saveFilter(Filter filter) {
-        WebResource webResource = getClient().resource(jmasarServiceUrl + "/filter");
-
+        WebResource webResource = getClient().resource(jmasarServiceUrl + "/filter")
+                // Request parameter username is needed in case authorization/authentication is disabled.
+                .queryParam("username", System.getProperty("user.name"));
         ClientResponse response = webResource.accept(CONTENT_TYPE_JSON)
                 .entity(filter, CONTENT_TYPE_JSON)
                 .put(ClientResponse.class);
@@ -542,15 +557,18 @@ public void deleteFilter(String name) {
     }
 
     /**
-     * Adds a tag to a list of unique node ids, see {@link TagData}
+     * Adds a tag to a list of unique node ids, see {@link TagData}.
      *
      * @param tagData see {@link TagData}
      * @return A list of updated {@link Node}s. This may contain fewer elements than the list of unique node ids
      * passed in the <code>tagData</code> parameter.
      */
     public List<Node> addTag(TagData tagData) {
+
         WebResource webResource =
-                getClient().resource(jmasarServiceUrl + "/tags");
+                getClient().resource(jmasarServiceUrl + "/tags")
+                        // Request parameter username is needed in case authorization/authentication is disabled.
+                        .queryParam("username", System.getProperty("user.name"));
         ClientResponse response;
         try {
             response = webResource.accept(CONTENT_TYPE_JSON)

diff --git a/...c/main/java/org/phoebus/service/saveandrestore/web/config/AnonymousWebSecurityConfig.java b/...c/main/java/org/phoebus/service/saveandrestore/web/config/AnonymousWebSecurityConfig.java
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2023 European Spallation Source ERIC.
+ *
+ *  This program is free software; you can redistribute it and/or
+ *  modify it under the terms of the GNU General Public License
+ *  as published by the Free Software Foundation; either version 2
+ *  of the License, or (at your option) any later version.
+ *
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
+ *
+ */
+
+package org.phoebus.service.saveandrestore.web.config;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.SecurityFilterChain;
+
+/**
+ * Web security configuration instantiated if authorization/authentication is disabled.
+ * Despite its name it still needs to define authorization/authentication related values and beans.
+ */
+@Configuration
+@ConditionalOnProperty(name = "auth.impl", havingValue = "none")
+@SuppressWarnings("unused")
+public class AnonymousWebSecurityConfig {
+
+    @Value("${role.user:sar-user}")
+    public String roleUser;
+
+    @Value("${role.admin:sar-admin}")
+    public String roleAdmin;
+
+    @Value("${demo.user:user}")
+    public String demoUser;
+
+    @Bean
+    public String roleUser() {
+        return roleUser.toUpperCase();
+    }
+
+    @Bean
+    public String roleAdmin() {
+        return roleAdmin.toUpperCase();
+    }
+
+    @Bean
+    public String demoUser(){
+        return demoUser;
+    }
+
+    @Bean
+    public String demoUserPassword(){
+        return demoUserPassword;
+    }
+
+    @Bean
+    public String demoAdmin(){
+        return demoAdmin;
+    }
+
+    @Bean
+    public String demoAdminPassword(){
+        return demoAdminPassword;
+    }
+
+    @Bean
+    public String demoReadOnly(){
+        return demoReadOnly;
+    }
+
+    @Bean
+    public String demoReadOnlyPassword(){
+        return demoReadOnlyPassword;
+    }
+
+    @Value("${demo.user.password:userPass}")
+    public String demoUserPassword;
+
+    @Value("${demo.admin:admin}")
+    public String demoAdmin;
+
+    @Value("${demo.admin.password:adminPass}")
+    public String demoAdminPassword;
+
+    @Value("${demo.readOnly:johndoe}")
+    public String demoReadOnly;
+
+    @Value("${demo.readOnly.password:1234}")
+    public String demoReadOnlyPassword;
+
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        http.csrf().disable();
+        http.anonymous();
+        return http.build();
+    }
+}
diff --git a/...estore/src/main/java/org/phoebus/service/saveandrestore/web/config/WebSecurityConfig.java b/...estore/src/main/java/org/phoebus/service/saveandrestore/web/config/WebSecurityConfig.java
@@ -29,12 +29,16 @@
 
 @Configuration
 @EnableWebSecurity
-@EnableGlobalMethodSecurity(
-        prePostEnabled = true,
-        securedEnabled = true,
-        jsr250Enabled = true)
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+@Conditional(AuthEnabledCondition.class)
 @SuppressWarnings("unused")
-public class WebSecurityConfig {
+public class WebSecurityConfig extends AnonymousWebSecurityConfig {
+
+    /**
+     * Authentication implementation.
+     */
+    @Value("${auth.impl:none}")
+    protected String authenitcationImplementation;
 
     /**
      * External Active Directory configuration properties
@@ -65,45 +69,6 @@ public class WebSecurityConfig {
     @Value("${ldap.user.search.filter:invalid}")
     String ldap_user_search_filter;
 
-    /**
-     * Authentication implementation.
-     */
-    @Value("${auth.impl:none}")
-    String authenitcationImplementation;
-
-    @Value("${role.user:sar-user}")
-    private String roleUser;
-
-    @Value("${role.superuser:sar-superuser}")
-    private String roleSuperuser;
-
-    @Value("${role.admin:sar-admin}")
-    private String roleAdmin;
-
-    @Value("${demo.user:user}")
-    private String demoUser;
-
-    @Value("${demo.user.password:userPass}")
-    private String demoUserPassword;
-
-    @Value("${demo.superuser:superuser}")
-    private String demoSuperuser;
-
-    @Value("${demo.superuser.password:superuserPass}")
-    private String demoSuperuserPassword;
-
-    @Value("${demo.admin:admin}")
-    private String demoAdmin;
-
-    @Value("${demo.admin.password:adminPass}")
-    private String demoAdminPassword;
-
-    @Value("${demo.readOnly:johndoe}")
-    private String demoReadOnly;
-
-    @Value("${demo.readOnly.password:1234}")
-    private String demoReadOnlyPassword;
-
     @Bean
     public WebSecurityCustomizer ignoringCustomizer() {
         return web -> {
@@ -116,12 +81,9 @@ public WebSecurityCustomizer ignoringCustomizer() {
     @Bean
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http.csrf().disable();
-        if ("none".equalsIgnoreCase(authenitcationImplementation.trim())) {
-            http.anonymous();
-        } else {
-            http.authorizeRequests().anyRequest().authenticated();
-            http.httpBasic();
-        }
+        http.authorizeRequests().anyRequest().authenticated();
+        http.httpBasic();
+
         return http.build();
     }
 
@@ -183,7 +145,6 @@ public <O> O postProcess(O object) {
                 .passwordEncoder(encoder())
                 .withUser(demoAdmin).password(encoder().encode(demoAdminPassword)).roles(roleAdmin()).and()
                 .withUser(demoUser).password(encoder().encode(demoUserPassword)).roles(roleUser()).and()
-                .withUser(demoSuperuser).password(encoder().encode(demoSuperuserPassword)).roles(roleSuperuser()).and()
                 .withUser(demoReadOnly).password(encoder().encode(demoReadOnlyPassword)).roles().and().and().build();
     }
 
@@ -202,62 +163,6 @@ public ObjectMapper objectMapper() {
         return objectMapper;
     }
 
-    @Bean
-    public String roleUser() {
-        return roleUser.toUpperCase();
-    }
-
-    @Bean
-    public String roleSuperuser() {
-        return roleSuperuser.toUpperCase();
-    }
-
-    @Bean
-    public String roleAdmin() {
-        return roleAdmin.toUpperCase();
-    }
-
-    @Bean("demoUser")
-    public String demoUser() {
-        return demoUser;
-    }
-
-    @Bean("demoUserPassword")
-    public String demoUserPassword() {
-        return demoUserPassword;
-    }
-
-    @Bean("demoSuperuser")
-    public String demoSuperuser() {
-        return demoSuperuser;
-    }
-
-    @Bean("demoSuperuserPassword")
-    public String demoSuperuserPassword() {
-        return demoSuperuserPassword;
-    }
-
-    @Bean("demoAdmin")
-    public String demoAdmin() {
-        return demoAdmin;
-    }
-
-    @Bean("demoAdminPassword")
-    public String demoAdminPassword() {
-        return demoAdminPassword;
-    }
-
-    @Bean("demoReadOnly")
-    public String demoReadOnly() {
-        return demoReadOnly;
-    }
-
-    @Bean("demoReadOnlyPassword")
-    public String demoReadOnlyPassword() {
-        return demoReadOnlyPassword;
-    }
-
-
     /**
      * Configures role hierarchy, i.e. user - superuser - admin. Do not remove this {@link Bean}!
      * <h2>NOTE!</h2>