Adds roles properties to whitelisted users

keeps · Oct 16, 2024 · f8d0f5f · f8d0f5f
1 parent 32e095d
commit f8d0f5f
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 3 deletions.
diff --git a/src/main/java/com/databasepreservation/common/server/ViewerConfiguration.java b/src/main/java/com/databasepreservation/common/server/ViewerConfiguration.java
@@ -104,6 +104,7 @@ public class ViewerConfiguration extends ViewerAbstractConfiguration {
   public static final String PROPERTY_FILTER_ONOFF_ALLOW_ALL_IPS = "ui.filter.onOff.protectedResourcesAllowAllIPs";
   public static final String PROPERTY_FILTER_ONOFF_WHITELISTED_IPS = "ui.filter.onOff.protectedResourcesWhitelistedIP[].ip";
   public static final String PROPERTY_FILTER_ONOFF_WHITELISTED_USERNAME = "ui.filter.onOff.protectedResourcesWhitelistedIP[].username";
+  public static final String PROPERTY_FILTER_ONOFF_WHITELISTED_ROLES = "ui.filter.onOff.protectedResourcesWhitelistedIP[].roles";
 
   public static final String PROPERTY_AUTHORIZATION_FULLNAME_ATTRIBUTE = "user.attribute.fullname";
   public static final String PROPERTY_AUTHORIZATION_EMAIL_ATTRIBUTE = "user.attribute.email";
@@ -162,6 +163,7 @@ public class ViewerConfiguration extends ViewerAbstractConfiguration {
 
   private List<String> cachedWhitelistedIPs = null;
   private List<String> cachedWhiteListedUsername = null;
+  private List<String> cachedWhiteListedRoles = null;
   private Boolean cachedWhitelistAllIPs = null;
   private static LoadingCache<Locale, Messages> I18N_CACHE = CacheBuilder.newBuilder()
     .build(new CacheLoader<Locale, Messages>() {
@@ -336,6 +338,7 @@ public void clearViewerCachableObjectsAfterConfigurationChange() {
     cachedWhitelistAllIPs = null;
     cachedWhitelistedIPs = null;
     cachedWhiteListedUsername = null;
+    cachedWhiteListedRoles = null;
     sharedConfigurationPropertiesCache = null;
     LOGGER.info("Reloaded dbvtk configurations after file change!");
   }
@@ -454,6 +457,14 @@ public List<String> getWhiteListedUsername() {
     return cachedWhiteListedUsername;
   }
 
+  public List<String> getWhiteListedRoles() {
+    if (cachedWhiteListedRoles == null) {
+      cachedWhiteListedRoles = getViewerConfigurationAsList(
+        ViewerConfiguration.PROPERTY_FILTER_ONOFF_WHITELISTED_ROLES);
+    }
+    return cachedWhiteListedRoles;
+  }
+
   public List<String> getWhitelistedIPs() {
     Boolean disableWhitelistCache = ViewerConfiguration.getInstance().getViewerConfigurationAsBoolean(null,
       ViewerConfiguration.PROPERTY_DISABLE_WHITELIST_CACHE);

diff --git a/src/main/java/com/databasepreservation/common/utils/ControllerAssistant.java b/src/main/java/com/databasepreservation/common/utils/ControllerAssistant.java
@@ -12,10 +12,12 @@
 import java.net.UnknownHostException;
 import java.util.Arrays;
 import java.util.Date;
+import java.util.HashSet;
 import java.util.List;
 
 import javax.servlet.http.HttpServletRequest;
 
+import org.apache.commons.lang3.StringUtils;
 import org.roda.core.data.exceptions.AuthorizationDeniedException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -26,6 +28,7 @@
 import com.databasepreservation.common.client.models.user.User;
 import com.databasepreservation.common.server.ViewerConfiguration;
 import com.databasepreservation.common.server.ViewerFactory;
+import com.google.common.collect.Sets;
 
 /**
  * @author Miguel Guimarães <mguimaraes@keep.pt>
@@ -51,10 +54,14 @@ public User checkWhitelistedIPs(HttpServletRequest request) {
           if (Arrays.equals(address.getAddress(), whitelistAddress.getAddress())) {
             final String username = ViewerConfiguration.getInstance().getWhiteListedUsername().get(index);
             User user = new User(username);
-            //user.setAdmin(true);
-            user.setWhiteList(true);
             user.setIpAddress(address.toString());
-
+            setWhiteListedUserRoles(index, user);
+            if (user.getAllRoles().isEmpty()) {
+              // If no role is configured for the whitelist, the IP will be treated as
+              // administrator, this was the behavior before the addition of roles in the
+              // whitelist properties.
+              user.setWhiteList(true);
+            }
             return user;
           }
         } catch (UnknownHostException e) {
@@ -69,6 +76,25 @@ public User checkWhitelistedIPs(HttpServletRequest request) {
     return null;
   }
 
+  private void setWhiteListedUserRoles(int index, User user) {
+    final List<String> whiteListedRoles = ViewerConfiguration.getInstance().getWhiteListedRoles();
+    if (!whiteListedRoles.isEmpty()) {
+      final String roles = whiteListedRoles.get(index);
+      if (StringUtils.isNotBlank(roles)) {
+        List<String> whitelistedRoles = Arrays.asList(roles.split(","));
+        user.setDirectRoles(new HashSet<>(whitelistedRoles));
+        user.setAllRoles(new HashSet<>(whitelistedRoles));
+
+        final List<String> adminRoles = ViewerConfiguration.getInstance()
+          .getViewerConfigurationAsList(ViewerConfiguration.PROPERTY_AUTHORIZATION_ADMINISTRATORS);
+
+        if (!Sets.intersection(user.getAllRoles(), new HashSet<>(adminRoles)).isEmpty()) {
+          user.setAdmin(true);
+        }
+      }
+    }
+  }
+
   public User checkRoles(HttpServletRequest request) {
     if (!ViewerFactory.getViewerConfiguration().getIsAuthenticationEnabled()) {
       final User noAuthenticationUser = UserUtility.getNoAuthenticationUser();
@@ -87,13 +113,25 @@ public User checkRoles(HttpServletRequest request) {
           registerAction(UserUtility.getGuest(request), LogEntryState.UNAUTHORIZED);
           throw new AuthorizationException(e);
         }
+        checkWhitelistedUserRoles(request, user);
         return user;
       }
     } else {
       return UserUtility.getGuest(request);
     }
   }
 
+  private void checkWhitelistedUserRoles(HttpServletRequest request, User user) {
+    if (!user.getAllRoles().isEmpty()) {
+      try {
+        UserUtility.checkRoles(user, this.getClass());
+      } catch (AuthorizationDeniedException e) {
+        registerAction(UserUtility.getGuest(request), LogEntryState.UNAUTHORIZED);
+        throw new AuthorizationException(e);
+      }
+    }
+  }
+
   public void registerAction(final User user, final String relatedObjectId, final LogEntryState state,
     final Object... parameters) {
     final long duration = new Date().getTime() - startDate.getTime();

diff --git a/src/main/resources/config/dbvtk-viewer.properties b/src/main/resources/config/dbvtk-viewer.properties
@@ -107,6 +107,7 @@ user.attribute.roles.users=users
 #ui.filter.onOff.protectedResourcesAllowAllIPs=false
 #ui.filter.onOff.protectedResourcesWhitelistedIP[].ip=127.0.0.1
 #ui.filter.onOff.protectedResourcesWhitelistedIP[].username=localhost-whitelist-access
+#ui.filter.onOff.protectedResourcesWhitelistedIP[].roles=administrators,users
 ##############################################
 # Facets
 ##############################################