Fix #34710: align case-sensitivity of username

LEDfan · LEDfan · commit 018244cbea74 · 2025-05-26T15:04:39.000+02:00
diff --git a/src/main/java/eu/openanalytics/containerproxy/MemoryStoreConfiguration.java b/src/main/java/eu/openanalytics/containerproxy/MemoryStoreConfiguration.java
@@ -24,6 +24,7 @@
 import eu.openanalytics.containerproxy.model.store.IProxyStore;
 import eu.openanalytics.containerproxy.model.store.memory.MemoryHeartbeatStore;
 import eu.openanalytics.containerproxy.model.store.memory.MemoryProxyStore;
+import eu.openanalytics.containerproxy.service.AccessControlEvaluationService;
 import eu.openanalytics.containerproxy.service.leader.memory.MemoryLeaderService;
 import eu.openanalytics.containerproxy.service.portallocator.memory.MemoryPortAllocator;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
@@ -37,8 +38,8 @@
 public class MemoryStoreConfiguration {
 
     @Bean
-    public IProxyStore proxyStore() {
-        return new MemoryProxyStore();
+    public IProxyStore proxyStore(AccessControlEvaluationService accessControlEvaluationService) {
+        return new MemoryProxyStore(accessControlEvaluationService);
     }
 
     @Bean
diff --git a/src/main/java/eu/openanalytics/containerproxy/RedisStoreConfiguration.java b/src/main/java/eu/openanalytics/containerproxy/RedisStoreConfiguration.java
@@ -31,6 +31,7 @@
 import eu.openanalytics.containerproxy.model.store.IProxyStore;
 import eu.openanalytics.containerproxy.model.store.redis.RedisHeartbeatStore;
 import eu.openanalytics.containerproxy.model.store.redis.RedisProxyStore;
+import eu.openanalytics.containerproxy.service.AccessControlEvaluationService;
 import eu.openanalytics.containerproxy.service.IdentifierService;
 import eu.openanalytics.containerproxy.service.RedisEventBridge;
 import eu.openanalytics.containerproxy.service.leader.GlobalEventLoopService;
@@ -79,8 +80,8 @@ public class RedisStoreConfiguration {
     // Store beans
 
     @Bean
-    public IProxyStore proxyStore() {
-        return new RedisProxyStore();
+    public IProxyStore proxyStore(AccessControlEvaluationService accessControlEvaluationService) {
+        return new RedisProxyStore(accessControlEvaluationService);
     }
 
     @Bean
diff --git a/src/main/java/eu/openanalytics/containerproxy/model/store/memory/MemoryProxyStore.java b/src/main/java/eu/openanalytics/containerproxy/model/store/memory/MemoryProxyStore.java
@@ -25,6 +25,7 @@
 import com.google.common.collect.Multimaps;
 import eu.openanalytics.containerproxy.model.runtime.Proxy;
 import eu.openanalytics.containerproxy.model.store.IProxyStore;
+import eu.openanalytics.containerproxy.service.AccessControlEvaluationService;
 
 import java.util.ArrayList;
 import java.util.Collection;
@@ -36,6 +37,11 @@ public class MemoryProxyStore implements IProxyStore {
 
     private final ConcurrentHashMap<String, Proxy> activeProxies = new ConcurrentHashMap<>();
     private final ListMultimap<String, String> userProxies = Multimaps.synchronizedListMultimap(ArrayListMultimap.create());
+    private final AccessControlEvaluationService accessControlEvaluationService;
+
+    public MemoryProxyStore(AccessControlEvaluationService accessControlEvaluationService) {
+        this.accessControlEvaluationService = accessControlEvaluationService;
+    }
 
     @Override
     public Collection<Proxy> getAllProxies() {
@@ -70,7 +76,7 @@ public List<Proxy> getUserProxies(String userId) {
         List<String> ids = userProxies.get(userId);
         for (String proxyId : ids) {
             Proxy proxy = activeProxies.get(proxyId);
-            if (proxy != null && proxy.getUserId().equalsIgnoreCase(userId)) {
+            if (proxy != null && accessControlEvaluationService.usernameEquals(proxy.getUserId(), userId)) {
                 result.add(proxy);
             }
         }
diff --git a/src/main/java/eu/openanalytics/containerproxy/model/store/redis/RedisProxyStore.java b/src/main/java/eu/openanalytics/containerproxy/model/store/redis/RedisProxyStore.java
@@ -23,6 +23,7 @@
 import eu.openanalytics.containerproxy.event.ProxyStopEvent;
 import eu.openanalytics.containerproxy.model.runtime.Proxy;
 import eu.openanalytics.containerproxy.model.store.IProxyStore;
+import eu.openanalytics.containerproxy.service.AccessControlEvaluationService;
 import eu.openanalytics.containerproxy.service.IdentifierService;
 import eu.openanalytics.containerproxy.util.ProxyHashMap;
 import eu.openanalytics.containerproxy.util.ProxyMappingManager;
@@ -43,6 +44,7 @@
 public class RedisProxyStore implements IProxyStore {
 
     private final Logger logger = LogManager.getLogger(RedisProxyStore.class);
+    private final AccessControlEvaluationService accessControlEvaluationService;
     @Inject
     private RedisTemplate<String, Proxy> redisTemplate;
     @Inject
@@ -58,6 +60,10 @@ public class RedisProxyStore implements IProxyStore {
     private final ConcurrentHashMap<String, Proxy> cache = ProxyHashMap.create();
     private String userProxyRedisKey;
 
+    public RedisProxyStore(AccessControlEvaluationService accessControlEvaluationService) {
+        this.accessControlEvaluationService = accessControlEvaluationService;
+    }
+
     @PostConstruct
     public void init() {
         redisKey = "shinyproxy_" + identifierService.realmId + "__active_proxies";
@@ -114,7 +120,7 @@ public List<Proxy> getUserProxies(String userId) {
         }
         List<Proxy> proxies = ops.multiGet(redisKey, ids);
         for (Proxy proxy : proxies) {
-            if (proxy != null && proxy.getUserId().equalsIgnoreCase(userId)) {
+            if (proxy != null && accessControlEvaluationService.usernameEquals(proxy.getUserId(), userId)) {
                 result.add(proxy);
             }
         }
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/AccessControlEvaluationService.java b/src/main/java/eu/openanalytics/containerproxy/service/AccessControlEvaluationService.java
@@ -26,22 +26,27 @@
 import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext;
 import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;
 import org.springframework.context.annotation.Lazy;
+import org.springframework.core.env.Environment;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Service;
 
 @Service
 public class AccessControlEvaluationService {
 
+    public static final String PROP_USERNAME_CASE_SENSITIVE = "proxy.username-case-sensitive";
+
     private final IAuthenticationBackend authBackend;
     private final UserService userService;
 
     private final SpecExpressionResolver specExpressionResolver;
+    private final Boolean usernameCaseSensitive;
 
-    public AccessControlEvaluationService(@Lazy IAuthenticationBackend authBackend, UserService userService, SpecExpressionResolver specExpressionResolver) {
+    public AccessControlEvaluationService(@Lazy IAuthenticationBackend authBackend, UserService userService, SpecExpressionResolver specExpressionResolver, Environment environment) {
         this.authBackend = authBackend;
         this.userService = userService;
         this.specExpressionResolver = specExpressionResolver;
+        usernameCaseSensitive = environment.getProperty(PROP_USERNAME_CASE_SENSITIVE, Boolean.class, true);
     }
 
     public boolean checkAccess(Authentication auth, ProxySpec spec, AccessControl accessControl, Object... objects) {
@@ -96,7 +101,7 @@ public boolean allowedByUsers(Authentication auth, AccessControl accessControl)
             return false;
         }
         for (String user : accessControl.getUsers()) {
-            if (auth.getName().equals(user)) {
+            if (usernameEquals(auth.getName(), user)) {
                 return true;
             }
         }
@@ -119,4 +124,11 @@ public boolean allowedByExpression(Authentication auth, ProxySpec spec, AccessCo
         return specExpressionResolver.evaluateToBoolean(accessControl.getExpression(), contextBuilder.build());
     }
 
+    public boolean usernameEquals(String authenticatedUser, String other) {
+        if (usernameCaseSensitive) {
+            return authenticatedUser.equals(other);
+        }
+        return authenticatedUser.equalsIgnoreCase(other);
+    }
+
 }
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/ProxyIdIndex.java b/src/main/java/eu/openanalytics/containerproxy/service/ProxyIdIndex.java
@@ -36,9 +36,11 @@ public abstract class ProxyIdIndex<T> {
     private final LoadingCache<T, String> cache;
     private final IProxyStore proxyStore;
     private final Logger logger = LoggerFactory.getLogger(getClass());
+    private final AccessControlEvaluationService accessControlEvaluationService;
 
-    public ProxyIdIndex(IProxyStore proxyStore, Filter<T> filter) {
+    public ProxyIdIndex(IProxyStore proxyStore, AccessControlEvaluationService accessControlEvaluationService, Filter<T> filter) {
         this.proxyStore = proxyStore;
+        this.accessControlEvaluationService = accessControlEvaluationService;
         cache = Caffeine.newBuilder()
             .scheduler(Scheduler.systemScheduler())
             .expireAfterAccess(10, TimeUnit.MINUTES)
@@ -93,7 +95,7 @@ private boolean isInvalidProxy(Proxy proxy, String proxyId, String userId) {
             logger.warn("Invalid proxy state, proxyId: {}, does not match expected: {}", proxy.getId(), proxyId);
             return true;
         }
-        if (!proxy.getUserId().equals(userId)) {
+        if (!accessControlEvaluationService.usernameEquals(proxy.getUserId(), userId)) {
             logger.warn("Invalid proxy state for proxyId: {}, userId: {} does not match expected: {}", proxyId, proxy.getUserId(), userId);
             return true;
         }
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/UserAndTargetIdProxyIndex.java b/src/main/java/eu/openanalytics/containerproxy/service/UserAndTargetIdProxyIndex.java
@@ -29,8 +29,8 @@
 @Component
 public class UserAndTargetIdProxyIndex extends ProxyIdIndex<UserAndTargetIdProxyIndex.UserAndTargetIdKey> {
 
-    public UserAndTargetIdProxyIndex(IProxyStore proxyStore) {
-        super(proxyStore, (key, proxy) -> Objects.equals(proxy.getTargetId(), key.targetId) && Objects.equals(proxy.getUserId(), key.userId));
+    public UserAndTargetIdProxyIndex(IProxyStore proxyStore, AccessControlEvaluationService accessControlEvaluationService) {
+        super(proxyStore, accessControlEvaluationService, (key, proxy) -> Objects.equals(proxy.getTargetId(), key.targetId) && Objects.equals(proxy.getUserId(), key.userId));
         // use Objects.equals because some proxies might not yet be initialized
     }
 
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/UserService.java b/src/main/java/eu/openanalytics/containerproxy/service/UserService.java
@@ -81,6 +81,9 @@ public class UserService {
     @Inject
     @Lazy
     private ProxyAccessControlService accessControlService;
+    @Inject
+    @Lazy
+    private AccessControlEvaluationService accessControlEvaluationService;
 
     public UserService() {
         // cache isAdmin status results for (at least) 60 minutes, since this never changes during the lifetime of a session
@@ -174,7 +177,7 @@ public boolean isAdmin(Authentication auth) {
             }
 
             for (String adminUser : getAdminUsers()) {
-                if (userName.equalsIgnoreCase(adminUser)) {
+                if (accessControlEvaluationService.usernameEquals(userName, adminUser)) {
                     return true;
                 }
             }
@@ -195,8 +198,10 @@ public boolean isOwner(Proxy proxy) {
     }
 
     public boolean isOwner(Authentication auth, Proxy proxy) {
-        if (auth == null || proxy == null) return false;
-        return proxy.getUserId().equalsIgnoreCase(auth.getName());
+        if (auth == null || proxy == null) {
+            return false;
+        }
+        return accessControlEvaluationService.usernameEquals(proxy.getUserId(), auth.getName());
     }
 
     public boolean isMember(Authentication auth, String groupName) {
diff --git a/src/test/java/eu/openanalytics/containerproxy/test/auth/AccessControlServiceTest.java b/src/test/java/eu/openanalytics/containerproxy/test/auth/AccessControlServiceTest.java
@@ -32,13 +32,15 @@
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
 import org.springframework.context.support.GenericApplicationContext;
+import org.springframework.core.env.Environment;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 
 import java.util.Collection;
 import java.util.Collections;
 
+import static eu.openanalytics.containerproxy.service.AccessControlEvaluationService.PROP_USERNAME_CASE_SENSITIVE;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
@@ -48,15 +50,25 @@ public class AccessControlServiceTest {
     private final UserService userService;
     private final IProxySpecProvider specProvider;
     private final ProxyAccessControlService accessControlService;
+    private final ProxyAccessControlService accessControlServiceCaseInsensitive;
     private final ProxyService proxyService;
+    private final Environment environment;
 
     public AccessControlServiceTest() {
         authBackend = mock(IAuthenticationBackend.class);
         userService = mock(UserService.class);
         specProvider = mock(IProxySpecProvider.class);
         proxyService = mock(ProxyService.class);
+        environment = mock(Environment.class);
         SpecExpressionResolver specExpressionResolver = new SpecExpressionResolver(new GenericApplicationContext());
-        accessControlService = new ProxyAccessControlService(proxyService, specProvider, new AccessControlEvaluationService(authBackend, userService, specExpressionResolver));
+
+        // case-sensitive access controller
+        when(environment.getProperty(PROP_USERNAME_CASE_SENSITIVE, Boolean.class, true)).thenReturn(true);
+        accessControlService = new ProxyAccessControlService(proxyService, specProvider, new AccessControlEvaluationService(authBackend, userService, specExpressionResolver, environment));
+
+        // case-insensitive access controller
+        when(environment.getProperty(PROP_USERNAME_CASE_SENSITIVE, Boolean.class, true)).thenReturn(false);
+        accessControlServiceCaseInsensitive = new ProxyAccessControlService(proxyService, specProvider, new AccessControlEvaluationService(authBackend, userService, specExpressionResolver, environment));
     }
 
     @Test
@@ -149,7 +161,7 @@ public void hasGroupAccessTest() {
     }
 
     @Test
-    public void hasUserAccessTest() {
+    public void hasUserAccessTestCaseSensitive() {
         when(authBackend.hasAuthorization()).thenReturn(true);
         AccessControl proxyAccessControl = new AccessControl();
         proxyAccessControl.setUsers(new String[]{"myUser1", "myUser2"});
@@ -164,6 +176,24 @@ public void hasUserAccessTest() {
         when(auth2.getName()).thenReturn("myUser1");
         when(userService.isMember(auth2, "myGroup1")).thenReturn(true);
         Assertions.assertTrue(accessControlService.canAccess(auth2, createProxySpec(proxyAccessControl)));
+
+        // test should be case-sensitive
+        Authentication auth3 = mock(Authentication.class);
+        when(auth3.getName()).thenReturn("myuser1");
+        when(userService.isMember(auth3, "myGroup1")).thenReturn(true);
+        Assertions.assertFalse(accessControlService.canAccess(auth3, createProxySpec(proxyAccessControl)));
+    }
+
+    @Test
+    public void hasUserAccessTestCaseInSensitive() {
+        when(authBackend.hasAuthorization()).thenReturn(true);
+        AccessControl proxyAccessControl = new AccessControl();
+        proxyAccessControl.setUsers(new String[]{"myUser1", "myUser2"});
+
+        // user in lowercase should have access
+        Authentication auth1 = mock(Authentication.class);
+        when(auth1.getName()).thenReturn("myuser1");
+        Assertions.assertFalse(accessControlService.canAccess(auth1, createProxySpec(proxyAccessControl)));
     }
 
     @Test
diff --git a/src/test/java/eu/openanalytics/containerproxy/test/unit/TestParameterServiceAccessControl.java b/src/test/java/eu/openanalytics/containerproxy/test/unit/TestParameterServiceAccessControl.java
@@ -37,6 +37,7 @@
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.context.support.GenericApplicationContext;
+import org.springframework.core.env.Environment;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.test.context.ActiveProfiles;
@@ -68,14 +69,17 @@ public class TestParameterServiceAccessControl {
     @Inject
     private ObjectMapper objectMapper;
 
+    @Inject
+    private Environment environment;
+
     private UserService userService;
 
     @PostConstruct
     public void init() {
         authBackend = mock(IAuthenticationBackend.class);
         userService = mock(UserService.class);
         SpecExpressionResolver specExpressionResolver = new SpecExpressionResolver(new GenericApplicationContext());
-        AccessControlEvaluationService accessControlEvaluationService = new AccessControlEvaluationService(authBackend, userService, specExpressionResolver);
+        AccessControlEvaluationService accessControlEvaluationService = new AccessControlEvaluationService(authBackend, userService, specExpressionResolver, environment);
 
         parametersService = new ParametersService(proxySpecProvider, accessControlEvaluationService, objectMapper);
     }

Original file line number	Diff line number	Diff line change
`@@ -29,8 +29,8 @@`
`29`	`29`	`@Component`
`30`	`30`	`public class UserAndTargetIdProxyIndex extends ProxyIdIndex<UserAndTargetIdProxyIndex.UserAndTargetIdKey> {`
`31`	`31`
`32`		`- public UserAndTargetIdProxyIndex(IProxyStore proxyStore) {`
`33`		`- super(proxyStore, (key, proxy) -> Objects.equals(proxy.getTargetId(), key.targetId) && Objects.equals(proxy.getUserId(), key.userId));`
	`32`	`+ public UserAndTargetIdProxyIndex(IProxyStore proxyStore, AccessControlEvaluationService accessControlEvaluationService) {`
	`33`	`+ super(proxyStore, accessControlEvaluationService, (key, proxy) -> Objects.equals(proxy.getTargetId(), key.targetId) && Objects.equals(proxy.getUserId(), key.userId));`
`34`	`34`	`// use Objects.equals because some proxies might not yet be initialized`
`35`	`35`	`}`
`36`	`36`
Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,9 @@ public class UserService {`
`81`	`81`	`@Inject`
`82`	`82`	`@Lazy`
`83`	`83`	`private ProxyAccessControlService accessControlService;`
	`84`	`+ @Inject`
	`85`	`+ @Lazy`
	`86`	`+ private AccessControlEvaluationService accessControlEvaluationService;`
`84`	`87`
`85`	`88`	`public UserService() {`
`86`	`89`	`// cache isAdmin status results for (at least) 60 minutes, since this never changes during the lifetime of a session`
`@@ -174,7 +177,7 @@ public boolean isAdmin(Authentication auth) {`
`174`	`177`	`}`
`175`	`178`
`176`	`179`	`for (String adminUser : getAdminUsers()) {`
`177`		`- if (userName.equalsIgnoreCase(adminUser)) {`
	`180`	`+ if (accessControlEvaluationService.usernameEquals(userName, adminUser)) {`
`178`	`181`	`return true;`
`179`	`182`	`}`
`180`	`183`	`}`
`@@ -195,8 +198,10 @@ public boolean isOwner(Proxy proxy) {`
`195`	`198`	`}`
`196`	`199`
`197`	`200`	`public boolean isOwner(Authentication auth, Proxy proxy) {`
`198`		`- if (auth == null \|\| proxy == null) return false;`
`199`		`- return proxy.getUserId().equalsIgnoreCase(auth.getName());`
	`201`	`+ if (auth == null \|\| proxy == null) {`
	`202`	`+ return false;`
	`203`	`+ }`
	`204`	`+ return accessControlEvaluationService.usernameEquals(proxy.getUserId(), auth.getName());`
`200`	`205`	`}`
`201`	`206`
`202`	`207`	`public boolean isMember(Authentication auth, String groupName) {`