From f8d0f5fb21b6ff66ea75a9fd081478cd4605f08c Mon Sep 17 00:00:00 2001 From: Gabriel Barros Date: Fri, 13 Sep 2024 16:04:25 +0100 Subject: [PATCH] Adds roles properties to whitelisted users --- .../common/server/ViewerConfiguration.java | 11 +++++ .../common/utils/ControllerAssistant.java | 44 +++++++++++++++++-- .../resources/config/dbvtk-viewer.properties | 1 + 3 files changed, 53 insertions(+), 3 deletions(-) diff --git a/src/main/java/com/databasepreservation/common/server/ViewerConfiguration.java b/src/main/java/com/databasepreservation/common/server/ViewerConfiguration.java index d2461868..e75db443 100644 --- a/src/main/java/com/databasepreservation/common/server/ViewerConfiguration.java +++ b/src/main/java/com/databasepreservation/common/server/ViewerConfiguration.java @@ -104,6 +104,7 @@ public class ViewerConfiguration extends ViewerAbstractConfiguration { public static final String PROPERTY_FILTER_ONOFF_ALLOW_ALL_IPS = "ui.filter.onOff.protectedResourcesAllowAllIPs"; public static final String PROPERTY_FILTER_ONOFF_WHITELISTED_IPS = "ui.filter.onOff.protectedResourcesWhitelistedIP[].ip"; public static final String PROPERTY_FILTER_ONOFF_WHITELISTED_USERNAME = "ui.filter.onOff.protectedResourcesWhitelistedIP[].username"; + public static final String PROPERTY_FILTER_ONOFF_WHITELISTED_ROLES = "ui.filter.onOff.protectedResourcesWhitelistedIP[].roles"; public static final String PROPERTY_AUTHORIZATION_FULLNAME_ATTRIBUTE = "user.attribute.fullname"; public static final String PROPERTY_AUTHORIZATION_EMAIL_ATTRIBUTE = "user.attribute.email"; @@ -162,6 +163,7 @@ public class ViewerConfiguration extends ViewerAbstractConfiguration { private List cachedWhitelistedIPs = null; private List cachedWhiteListedUsername = null; + private List cachedWhiteListedRoles = null; private Boolean cachedWhitelistAllIPs = null; private static LoadingCache I18N_CACHE = CacheBuilder.newBuilder() .build(new CacheLoader() { 
@@ -336,6 +338,7 @@ public void clearViewerCachableObjectsAfterConfigurationChange() { cachedWhitelistAllIPs = null; cachedWhitelistedIPs = null; cachedWhiteListedUsername = null; + cachedWhiteListedRoles = null; sharedConfigurationPropertiesCache = null; LOGGER.info("Reloaded dbvtk configurations after file change!"); } @@ -454,6 +457,14 @@ public List getWhiteListedUsername() { return cachedWhiteListedUsername; } + public List getWhiteListedRoles() { + if (cachedWhiteListedRoles == null) { + cachedWhiteListedRoles = getViewerConfigurationAsList( + ViewerConfiguration.PROPERTY_FILTER_ONOFF_WHITELISTED_ROLES); + } + return cachedWhiteListedRoles; + } + public List getWhitelistedIPs() { Boolean disableWhitelistCache = ViewerConfiguration.getInstance().getViewerConfigurationAsBoolean(null, ViewerConfiguration.PROPERTY_DISABLE_WHITELIST_CACHE); diff --git a/src/main/java/com/databasepreservation/common/utils/ControllerAssistant.java b/src/main/java/com/databasepreservation/common/utils/ControllerAssistant.java index 2018ad71..7197b4f4 100644 --- a/src/main/java/com/databasepreservation/common/utils/ControllerAssistant.java +++ b/src/main/java/com/databasepreservation/common/utils/ControllerAssistant.java @@ -12,10 +12,12 @@ import java.net.UnknownHostException; import java.util.Arrays; import java.util.Date; +import java.util.HashSet; import java.util.List; import javax.servlet.http.HttpServletRequest; +import org.apache.commons.lang3.StringUtils; import org.roda.core.data.exceptions.AuthorizationDeniedException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -26,6 +28,7 @@ import com.databasepreservation.common.client.models.user.User; import com.databasepreservation.common.server.ViewerConfiguration; import com.databasepreservation.common.server.ViewerFactory; +import com.google.common.collect.Sets; /** * @author Miguel GuimarĂ£es 
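Review bot: getWhiteListedRoles() caches unconditionally, while getWhitelistedIPs() directly below it reads PROPERTY_DISABLE_WHITELIST_CACHE and apparently re-reads the IP list when the cache is disabled; with that flag set, an edited IP list is then paired by index against a roles list that stays stale until clearViewerCachableObjectsAfterConfigurationChange() runs. Because ControllerAssistant looks roles up by the IP's index, the two lists should share one caching policy — either honour the same flag here, or document that roles are only refreshed on a configuration reload. Whether getWhiteListedUsername() has the same gap cannot be seen from the hunk. Suggested Javadoc: `/** Roles configured per whitelisted IP entry, parallel by index to {@link #getWhitelistedIPs()}; cached until a configuration reload regardless of PROPERTY_DISABLE_WHITELIST_CACHE. */`.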
@@ -51,10 +54,14 @@ public User checkWhitelistedIPs(HttpServletRequest request) { if (Arrays.equals(address.getAddress(), whitelistAddress.getAddress())) { final String username = ViewerConfiguration.getInstance().getWhiteListedUsername().get(index); User user = new User(username); - //user.setAdmin(true); - user.setWhiteList(true); user.setIpAddress(address.toString()); - + setWhiteListedUserRoles(index, user); + if (user.getAllRoles().isEmpty()) { + // If no role is configured for the whitelist, the IP will be treated as + // administrator, this was the behavior before the addition of roles in the + // whitelist properties. + user.setWhiteList(true); + } return user; } } catch (UnknownHostException e) { @@ -69,6 +76,25 @@ public User checkWhitelistedIPs(HttpServletRequest request) { return null; } + private void setWhiteListedUserRoles(int index, User user) { + final List whiteListedRoles = ViewerConfiguration.getInstance().getWhiteListedRoles(); + if (!whiteListedRoles.isEmpty()) { + final String roles = whiteListedRoles.get(index); + if (StringUtils.isNotBlank(roles)) { + List whitelistedRoles = Arrays.asList(roles.split(",")); + user.setDirectRoles(new HashSet<>(whitelistedRoles)); + user.setAllRoles(new HashSet<>(whitelistedRoles)); + + final List adminRoles = ViewerConfiguration.getInstance() + .getViewerConfigurationAsList(ViewerConfiguration.PROPERTY_AUTHORIZATION_ADMINISTRATORS); + + if (!Sets.intersection(user.getAllRoles(), new HashSet<>(adminRoles)).isEmpty()) { + user.setAdmin(true); + } + } + } + } + public User checkRoles(HttpServletRequest request) { if (!ViewerFactory.getViewerConfiguration().getIsAuthenticationEnabled()) { final User noAuthenticationUser = UserUtility.getNoAuthenticationUser(); @@ -87,6 +113,7 @@ public User checkRoles(HttpServletRequest request) { registerAction(UserUtility.getGuest(request), LogEntryState.UNAUTHORIZED); throw new AuthorizationException(e); } + checkWhitelistedUserRoles(request, user); return user; } } else { 
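Review bot: The fallback `if (user.getAllRoles().isEmpty()) { user.setWhiteList(true); }` fails open: any whitelist entry whose `roles` value is blank, or whose roles could not be resolved, silently receives the full pre-roles whitelist access instead of a restricted one. The compatibility case the comment describes is "no roles list configured at all", which is better expressed by testing the configuration rather than the resulting user, e.g. `if (ViewerConfiguration.getInstance().getWhiteListedRoles().isEmpty()) { user.setWhiteList(true); }`, so that an entry with an empty or unparsable roles value ends up with no roles and no whitelist flag and is handled like any other role-less user rather than promoted. checkWhitelistedIPs begins before this hunk; the loop over whitelist entries and `index` are defined there.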
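Review bot: `whiteListedRoles.get(index)` throws IndexOutOfBoundsException whenever the roles list is non-empty but shorter than the IP list, which is what happens as soon as one `protectedResourcesWhitelistedIP[]` entry omits its `roles` key; the `[]` lists appear to be paired purely by position, so a missing key would also shift later entries' roles onto the wrong IP (inferred from the property naming — worth confirming against the configuration loader). `roles.split(",")` also keeps surrounding whitespace, so a value written as `administrators, users` yields ` users`, which matches neither a real role nor the administrators list. Suggest bounds-checking the index and trimming/dropping empty tokens; note that an early return here hands the entry to the whitelist fallback in checkWhitelistedIPs, so the two hunks should be changed together.
```java
private void setWhiteListedUserRoles(int index, User user) {
  final List<String> whiteListedRoles = ViewerConfiguration.getInstance().getWhiteListedRoles();
  if (whiteListedRoles.isEmpty() || index >= whiteListedRoles.size()) {
    // No roles configured for this entry; the caller decides what that means for access.
    return;
  }
  final HashSet<String> whitelistedRoles = new HashSet<>();
  for (String role : whiteListedRoles.get(index).split(",")) {
    final String trimmed = StringUtils.trimToNull(role);
    if (trimmed != null) {
      whitelistedRoles.add(trimmed);
    }
  }
  if (whitelistedRoles.isEmpty()) {
    return;
  }
  user.setDirectRoles(new HashSet<>(whitelistedRoles));
  user.setAllRoles(new HashSet<>(whitelistedRoles));
  // … unchanged: administrator detection via Sets.intersection …
}
```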
@@ -94,6 +121,17 @@ public User checkRoles(HttpServletRequest request) { } } + private void checkWhitelistedUserRoles(HttpServletRequest request, User user) { + if (!user.getAllRoles().isEmpty()) { + try { + UserUtility.checkRoles(user, this.getClass()); + } catch (AuthorizationDeniedException e) { + registerAction(UserUtility.getGuest(request), LogEntryState.UNAUTHORIZED); + throw new AuthorizationException(e); + } + } + } + public void registerAction(final User user, final String relatedObjectId, final LogEntryState state, final Object... parameters) { final long duration = new Date().getTime() - startDate.getTime(); diff --git a/src/main/resources/config/dbvtk-viewer.properties b/src/main/resources/config/dbvtk-viewer.properties index 8ce32501..4b1d33f2 100644 --- a/src/main/resources/config/dbvtk-viewer.properties +++ b/src/main/resources/config/dbvtk-viewer.properties @@ -107,6 +107,7 @@ user.attribute.roles.users=users #ui.filter.onOff.protectedResourcesAllowAllIPs=false #ui.filter.onOff.protectedResourcesWhitelistedIP[].ip=127.0.0.1 #ui.filter.onOff.protectedResourcesWhitelistedIP[].username=localhost-whitelist-access +#ui.filter.onOff.protectedResourcesWhitelistedIP[].roles=administrators,users ############################################## # Facets ##############################################
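Review bot: checkWhitelistedUserRoles has no Javadoc, and its try/catch duplicates the one in checkRoles just above it (the same `registerAction(UserUtility.getGuest(request), LogEntryState.UNAUTHORIZED); throw new AuthorizationException(e);` pair), so the access rule it implements — whitelist roles are enforced only when the entry configured some, otherwise the entry relies on the whitelist flag set in checkWhitelistedIPs — is only visible by reading both places. Suggest a Javadoc stating that contract, e.g. `/** Enforces the roles assigned to a whitelisted IP entry; an entry with no configured roles is not checked here and is governed by the whitelist flag set in checkWhitelistedIPs. */`, and folding the shared catch into one helper if checkRoles's structure allows it (its beginning lies outside this hunk).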