Fix #33886: allow to use serverName in access-expression

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/auth/impl/OpenIDAuthenticationBackend.java

@@ -277,7 +277,7 @@ public LogoutSuccessHandler getLogoutSuccessHandler() {
         return (httpServletRequest, httpServletResponse, authentication) -> {
             String resolvedLogoutUrl;
             if (authentication != null) {
-                SpecExpressionContext context = SpecExpressionContext.create(authentication.getPrincipal(), authentication.getCredentials());
+                SpecExpressionContext context = SpecExpressionContext.create(authentication.getPrincipal(), authentication.getCredentials()).build();
                 resolvedLogoutUrl = specExpressionResolver.evaluateToString(getLogoutSuccessURL(), context);
             } else {
                 resolvedLogoutUrl = getLogoutSuccessURL();

src/main/java/eu/openanalytics/containerproxy/auth/impl/WebServiceAuthenticationBackend.java

@@ -153,7 +153,7 @@ private User createUser(String username, String body) {
             try {
                 jsonResponse = objectMapper.readTree(body);
                 if (groupsExpression != null) {
-                    SpecExpressionContext context = SpecExpressionContext.create(jsonResponse);
+                    SpecExpressionContext context = SpecExpressionContext.create(jsonResponse).build();
                     List<String> groups = specExpressionResolver.evaluateToList(List.of(groupsExpression), context);
                     for (String role: groups) {
                         String mappedRole = role.toUpperCase().startsWith("ROLE_") ? role : "ROLE_" + role;

src/main/java/eu/openanalytics/containerproxy/backend/dispatcher/proxysharing/ProxySharingScaler.java

@@ -400,7 +400,7 @@ private Runnable createDelegateProxyJob(DelegateProxy originalDelegateProxy) {
                 DelegateProxy delegateProxy = originalDelegateProxy.toBuilder().proxy(proxy).build();
                 delegateProxyStore.updateDelegateProxy(delegateProxy);
 
-                SpecExpressionContext context = SpecExpressionContext.create(proxy, proxySpec);
+                SpecExpressionContext context = SpecExpressionContext.create(proxy, proxySpec).build();
                 ProxySpec resolvedSpec = proxySpec.firstResolve(expressionResolver, context);
                 context = context.copy(resolvedSpec, proxy);
                 resolvedSpec = resolvedSpec.finalResolve(expressionResolver, context);

src/main/java/eu/openanalytics/containerproxy/backend/strategy/IProxyLogoutStrategy.java

@@ -20,12 +20,26 @@
  */
 package eu.openanalytics.containerproxy.backend.strategy;
 
+import org.springframework.security.core.Authentication;
+
 /**
  * Defines a strategy for deciding what to do with a user's proxies when
  * the user logs out.
  */
 public interface IProxyLogoutStrategy {
 
+    /**
+     * Handles the proxies owned by this user and verifies whether the user can still access them.
+     * Only handles proxies for which the spec can be accessed by the current session.
+     * @param authentication authentication object of the user
+     */
+    void onLogout(Authentication authentication);
+
+    /**
+     * Handles the proxies owned by this user and verifies whether the user can still access them.
+     * Handles all proxies of the user, even if the current session cannot access the spec.
+     * @param userId id of the user
+     */
     void onLogout(String userId);
 
 }

src/main/java/eu/openanalytics/containerproxy/backend/strategy/impl/DefaultProxyLogoutStrategy.java

@@ -28,6 +28,7 @@
 import eu.openanalytics.containerproxy.spec.IProxySpecProvider;
 import org.springframework.context.annotation.Lazy;
 import org.springframework.core.env.Environment;
+import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Component;
 
 import javax.annotation.PostConstruct;
@@ -62,6 +63,20 @@ public void init() {
         defaultStopProxyOnLogout = environment.getProperty(PROP_DEFAULT_STOP_PROXIES_ON_LOGOUT, Boolean.class, true);
     }
 
+    @Override
+    public void onLogout(Authentication authentication) {
+        for (Proxy proxy : proxyService.getUserProxies(authentication)) {
+            if (shouldBeStopped(proxy)) {
+                asyncProxyService.stopProxy(proxy, true);
+            }
+        }
+    }
+
+    /**
+     * Should only be used if authentication is none.
+     * In this case all proxies can be stopped, since they can't belong to a different domain (#33886).
+     * @param userId id of the user
+     */
     @Override
     public void onLogout(String userId) {
         for (Proxy proxy : proxyService.getUserProxies(userId)) {

src/main/java/eu/openanalytics/containerproxy/service/AccessControlEvaluationService.java

@@ -25,7 +25,6 @@
 import eu.openanalytics.containerproxy.model.spec.ProxySpec;
 import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext;
 import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;
-import org.apache.commons.lang3.ArrayUtils;
 import org.springframework.context.annotation.Lazy;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
@@ -48,10 +47,12 @@ public AccessControlEvaluationService(@Lazy IAuthenticationBackend authBackend,
     public boolean checkAccess(Authentication auth, ProxySpec spec, AccessControl accessControl, Object... objects) {
         if (auth instanceof AnonymousAuthenticationToken) {
             // if anonymous -> only allow access if the backend has no authorization enabled
-            return !authBackend.hasAuthorization();
+            if (authBackend.hasAuthorization()) {
+                return false;
+            }
         }
 
-        if (hasAccessControl(accessControl)) {
+        if (hasNoAccessControl(accessControl)) {
             return true;
         }
 
@@ -66,7 +67,7 @@ public boolean checkAccess(Authentication auth, ProxySpec spec, AccessControl ac
         return allowedByExpression(auth, spec, accessControl, objects);
     }
 
-    public boolean hasAccessControl(AccessControl accessControl) {
+    public boolean hasNoAccessControl(AccessControl accessControl) {
         if (accessControl == null) {
             return true;
         }
@@ -107,14 +108,15 @@ public boolean allowedByExpression(Authentication auth, ProxySpec spec, AccessCo
             // no expression defined -> this user has no access based on the expression
             return false;
         }
-        Object[] args;
-        if (auth == null) {
-             args = ArrayUtils.addAll(new Object[]{spec}, objects);
-        } else {
-            args = ArrayUtils.addAll(new Object[]{auth, auth.getPrincipal(), auth.getCredentials(), spec}, objects);
+        SpecExpressionContext.SpecExpressionContextBuilder contextBuilder = SpecExpressionContext
+            .create(objects)
+            .addServerName()
+            .extend(spec);
+
+        if (auth != null) {
+            contextBuilder.extend(auth, auth.getPrincipal(), auth.getCredentials());
         }
-        SpecExpressionContext context = SpecExpressionContext.create(args);
-        return specExpressionResolver.evaluateToBoolean(accessControl.getExpression(), context);
+        return specExpressionResolver.evaluateToBoolean(accessControl.getExpression(), contextBuilder.build());
     }
 
 }

src/main/java/eu/openanalytics/containerproxy/service/ProxyAccessControlService.java

@@ -71,7 +71,7 @@ public boolean canAccess(Authentication auth, String specId) {
 
     /**
      * @param auth   the current user
-     * @param specId the specId the user is trying to access
+     * @param context the request context, should include the specId the user is trying to access
      * @return whether the user can access the given specId or when this spec does not exist whether the user already
      * has a proxy with this spec id
      */

src/main/java/eu/openanalytics/containerproxy/service/ProxyService.java

@@ -46,6 +46,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.core.env.Environment;
 import org.springframework.data.util.Pair;
 import org.springframework.security.access.AccessDeniedException;
@@ -111,6 +112,9 @@ public class ProxyService {
     private SpecExpressionResolver expressionResolver;
     @Inject
     private LogService logService;
+    @Inject
+    @Lazy
+    private ProxyAccessControlService proxyAccessControlService;
     private boolean stopAppsOnShutdown;
     private Pair<String, Instant> lastStop = null;
     private int requestTimeout;
@@ -199,15 +203,29 @@ public Stream<Proxy> getUserProxiesBySpecId(String specId) {
 
     /**
      * Get all proxies that are owned by the current user.
+     * Checks whether the user can still access the spec.
      *
      * @return A List of matching proxies, may be empty.
      */
     public List<Proxy> getUserProxies() {
-        return proxyStore.getUserProxies(userService.getCurrentUserId());
+        return getUserProxies(userService.getCurrentAuth());
+    }
+
+    /**
+     * Get all proxies that are owned by the given user.
+     * Checks whether the user can still access the spec.
+     *
+     * @return A List of matching proxies, may be empty.
+     */
+    public List<Proxy> getUserProxies(Authentication authentication) {
+        return proxyStore.getUserProxies(authentication.getName())
+            .stream()
+            .filter(p -> proxyAccessControlService.canAccess(authentication, p.getSpecId())).toList();
     }
 
     /**
      * Get all proxies that are owned by the given user.
+     * Does **not** check whether the user can still access the spec.
      *
      * @return A List of matching proxies, may be empty.
      */
@@ -470,7 +488,7 @@ private Pair<ProxySpec, Proxy> prepareProxyForStart(Authentication user, Proxy p
                 spec,
                 user,
                 user.getPrincipal(),
-                user.getCredentials());
+                user.getCredentials()).build();
 
             // resolve SpEL expression in spec
             spec = spec.firstResolve(expressionResolver, context);

src/main/java/eu/openanalytics/containerproxy/service/UserService.java

@@ -224,7 +224,9 @@ public void logout(Authentication auth) {
         if (authNull(auth)) return;
         String userId = auth.getName();
 
-        if (logoutStrategy != null) logoutStrategy.onLogout(userId);
+        if (logoutStrategy != null) {
+            logoutStrategy.onLogout(auth);
+        }
         log.info(String.format("User logged out [user: %s]", userId));
 
         HttpSession session = ((ServletRequestAttributes) RequestContextHolder.currentRequestAttributes()).getRequest().getSession();
@@ -267,7 +269,9 @@ public void onHttpSessionDestroyedEvent(HttpSessionDestroyedEvent event) {
 
                 Authentication auth = securityContext.getAuthentication();
                 String userId = securityContext.getAuthentication().getName();
-                if (logoutStrategy != null) logoutStrategy.onLogout(userId);
+                if (logoutStrategy != null) {
+                    logoutStrategy.onLogout(auth);
+                }
 
                 log.info(String.format("User logged out [user: %s]", userId));
                 applicationEventPublisher.publishEvent(new UserLogoutEvent(
@@ -278,8 +282,12 @@ public void onHttpSessionDestroyedEvent(HttpSessionDestroyedEvent event) {
                 ));
             } else if (authBackend.getName().equals("none")) {
                 String userId = NoAuthenticationBackend.extractUserId(event.getSession());
-                if (userId == null) return;
-                if (logoutStrategy != null) logoutStrategy.onLogout(userId);
+                if (userId == null) {
+                    return;
+                }
+                if (logoutStrategy != null) {
+                    logoutStrategy.onLogout(userId);
+                }
 
                 log.info(String.format("Anonymous user logged out [user: %s]", userId));
                 applicationEventPublisher.publishEvent(new UserLogoutEvent(

src/main/java/eu/openanalytics/containerproxy/spec/expression/SpecExpressionContext.java

@@ -35,6 +35,8 @@
 import org.springframework.context.ApplicationEvent;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.ldap.userdetails.LdapUserDetails;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 
 import java.util.Arrays;
 import java.util.Collections;
@@ -57,39 +59,11 @@ public class SpecExpressionContext {
     String userId;
     JsonNode json;
     ApplicationEvent event;
+    String serverName;
 
-    public static SpecExpressionContext create(Object... objects) {
+    public static SpecExpressionContextBuilder create(Object... objects) {
         SpecExpressionContextBuilder builder = SpecExpressionContext.builder();
-        return create(builder, objects);
-    }
-
-    public static SpecExpressionContext create(SpecExpressionContextBuilder builder, Object... objects) {
-        for (Object o : objects) {
-            if (o instanceof ContainerSpec) {
-                builder.containerSpec = (ContainerSpec) o;
-            } else if (o instanceof ProxySpec) {
-                builder.proxySpec = (ProxySpec) o;
-            } else if (o instanceof Proxy) {
-                builder.proxy = (Proxy) o;
-            } else if (o instanceof OpenIDAuthenticationBackend.CustomNameOidcUser) {
-                builder.oidcUser = (OpenIDAuthenticationBackend.CustomNameOidcUser) o;
-            } else if (o instanceof ResponseAuthenticationConverter.Saml2AuthenticatedPrincipal) {
-                builder.samlCredential = (ResponseAuthenticationConverter.Saml2AuthenticatedPrincipal) o;
-            } else if (o instanceof LdapUserDetails) {
-                builder.ldapUser = (LdapUserDetails) o;
-            } else if (o instanceof WebServiceAuthenticationBackend.WebServiceUser) {
-                builder.webServiceUser = (WebServiceAuthenticationBackend.WebServiceUser) o;
-            } else if (o instanceof JsonNode) {
-                builder.json = (JsonNode) o;
-            } else if (o instanceof ApplicationEvent) {
-                builder.event = (ApplicationEvent) o;
-            }
-            if (o instanceof Authentication) {
-                builder.groups = UserService.getGroups((Authentication) o);
-                builder.userId = ((Authentication) o).getName();
-            }
-        }
-        return builder.build();
+        return builder.extend(objects);
     }
 
     /**
@@ -150,7 +124,49 @@ public boolean isOneOfIgnoreCase(String attribute, String... allowedValues) {
     }
 
     public SpecExpressionContext copy(Object... objects) {
-        return create(toBuilder(), objects);
+        return toBuilder().extend(objects).build();
     }
 
+    public static class SpecExpressionContextBuilder {
+        public SpecExpressionContextBuilder extend(Object... objects) {
+            for (Object o : objects) {
+                if (o instanceof ContainerSpec) {
+                    containerSpec = (ContainerSpec) o;
+                } else if (o instanceof ProxySpec) {
+                    proxySpec = (ProxySpec) o;
+                } else if (o instanceof Proxy) {
+                    proxy = (Proxy) o;
+                } else if (o instanceof OpenIDAuthenticationBackend.CustomNameOidcUser) {
+                    oidcUser = (OpenIDAuthenticationBackend.CustomNameOidcUser) o;
+                } else if (o instanceof ResponseAuthenticationConverter.Saml2AuthenticatedPrincipal) {
+                    samlCredential = (ResponseAuthenticationConverter.Saml2AuthenticatedPrincipal) o;
+                } else if (o instanceof LdapUserDetails) {
+                    ldapUser = (LdapUserDetails) o;
+                } else if (o instanceof WebServiceAuthenticationBackend.WebServiceUser) {
+                    webServiceUser = (WebServiceAuthenticationBackend.WebServiceUser) o;
+                } else if (o instanceof JsonNode) {
+                    json = (JsonNode) o;
+                } else if (o instanceof ApplicationEvent) {
+                    event = (ApplicationEvent) o;
+                }
+                if (o instanceof Authentication) {
+                    groups = UserService.getGroups((Authentication) o);
+                    userId = ((Authentication) o).getName();
+                }
+            }
+            return this;
+        }
+
+        public SpecExpressionContextBuilder addServerName() {
+            try {
+                ServletRequestAttributes servletRequestAttributes = (ServletRequestAttributes) RequestContextHolder.currentRequestAttributes();
+                serverName = servletRequestAttributes.getRequest().getServerName();
+            } catch (IllegalStateException ignored) {
+                // not in a request
+            }
+            return this;
+        }
+    }
+
+
 }