Ref #33886: add access-strict-expression

LEDfan · LEDfan · commit 2a60eb29748b · 2025-06-17T14:53:52.000+02:00
diff --git a/src/main/java/eu/openanalytics/containerproxy/model/spec/AccessControl.java b/src/main/java/eu/openanalytics/containerproxy/model/spec/AccessControl.java
@@ -25,6 +25,7 @@ public class AccessControl {
     private String[] groups;
     private String[] users;
     private String expression;
+    private String strictExpression;
 
     public String[] getGroups() {
         return groups;
@@ -50,6 +51,14 @@ public void setExpression(String expression) {
         this.expression = expression;
     }
 
+    public String getStrictExpression() {
+        return strictExpression;
+    }
+
+    public void setStrictExpression(String strictExpression) {
+        this.strictExpression = strictExpression;
+    }
+
     public boolean hasGroupAccess() {
         return groups != null && groups.length > 0;
     }
@@ -62,4 +71,8 @@ public boolean hasExpressionAccess() {
         return expression != null && expression.length() > 0;
     }
 
+    public boolean hasStrictExpressionAccess() {
+        return strictExpression != null && strictExpression.length() > 0;
+    }
+
 }
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/AccessControlEvaluationService.java b/src/main/java/eu/openanalytics/containerproxy/service/AccessControlEvaluationService.java
@@ -20,6 +20,8 @@
  */
 package eu.openanalytics.containerproxy.service;
 
+import com.google.common.base.Supplier;
+import com.google.common.base.Suppliers;
 import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
 import eu.openanalytics.containerproxy.model.spec.AccessControl;
 import eu.openanalytics.containerproxy.model.spec.ProxySpec;
@@ -57,6 +59,26 @@ public boolean checkAccess(Authentication auth, ProxySpec spec, AccessControl ac
             }
         }
 
+        // create context only when necessary (lazy)
+        Supplier<SpecExpressionContext> context = Suppliers.memoize(() -> {
+            SpecExpressionContext.SpecExpressionContextBuilder contextBuilder = SpecExpressionContext
+                .create(objects)
+                .addServerName()
+                .extend(spec);
+            if (auth != null) {
+                contextBuilder.extend(auth, auth.getPrincipal(), auth.getCredentials());
+            }
+            return contextBuilder.build();
+        });
+
+        if (accessControl.hasStrictExpressionAccess()) {
+            // strict expression is always checked
+            if (!specExpressionResolver.evaluateToBoolean(accessControl.getStrictExpression(), context.get())) {
+                // not allowed by strict expression
+                return false;
+            }
+        }
+
         if (hasNoAccessControl(accessControl)) {
             return true;
         }
@@ -69,7 +91,7 @@ public boolean checkAccess(Authentication auth, ProxySpec spec, AccessControl ac
             return true;
         }
 
-        return allowedByExpression(auth, spec, accessControl, objects);
+        return allowedByExpression(context.get(), accessControl);
     }
 
     public boolean hasNoAccessControl(AccessControl accessControl) {
@@ -108,20 +130,13 @@ public boolean allowedByUsers(Authentication auth, AccessControl accessControl)
         return false;
     }
 
-    public boolean allowedByExpression(Authentication auth, ProxySpec spec, AccessControl accessControl, Object... objects) {
+    public boolean allowedByExpression(SpecExpressionContext context, AccessControl accessControl) {
         if (!accessControl.hasExpressionAccess()) {
             // no expression defined -> this user has no access based on the expression
             return false;
         }
-        SpecExpressionContext.SpecExpressionContextBuilder contextBuilder = SpecExpressionContext
-            .create(objects)
-            .addServerName()
-            .extend(spec);
 
-        if (auth != null) {
-            contextBuilder.extend(auth, auth.getPrincipal(), auth.getCredentials());
-        }
-        return specExpressionResolver.evaluateToBoolean(accessControl.getExpression(), contextBuilder.build());
+        return specExpressionResolver.evaluateToBoolean(accessControl.getExpression(), context);
     }
 
     public boolean usernameEquals(String authenticatedUser, String other) {
diff --git a/src/test/java/eu/openanalytics/containerproxy/test/auth/AccessControlServiceTest.java b/src/test/java/eu/openanalytics/containerproxy/test/auth/AccessControlServiceTest.java
@@ -247,6 +247,44 @@ public void expressionTest() {
         Assertions.assertTrue(accessControlService.canAccess(auth2, createProxySpec(proxyAccessControl)));
     }
 
+    @Test
+    public void accessStrictExpressionTest() {
+        when(authBackend.hasAuthorization()).thenReturn(true);
+        AccessControl proxyAccessControl = new AccessControl();
+//        proxyAccessControl.setGroups(new String[]{"myGroup1", "myGroupAbc", "xxy"});
+//        proxyAccessControl.setUsers(new String[]{"myUser1", "myUser2"});
+        proxyAccessControl.setStrictExpression("#{false}");
+
+        // no access control + expression is false -> never access to app
+        Authentication auth1 = mock(Authentication.class);
+        when(auth1.getName()).thenReturn("myUser1");
+        Assertions.assertFalse(accessControlService.canAccess(auth1, createProxySpec(proxyAccessControl)));
+
+        // access-groups + expression is false -> no access to app
+        proxyAccessControl.setGroups(new String[]{"myGroup1", "myGroupAbc", "xxy"});
+        when(userService.isMember(auth1, "myGroup1")).thenReturn(true);
+        Assertions.assertFalse(accessControlService.canAccess(auth1, createProxySpec(proxyAccessControl)));
+
+        // access-users + expression is false -> no access to app
+        proxyAccessControl.setUsers(new String[]{"myUser1", "myUser2"});
+        Assertions.assertFalse(accessControlService.canAccess(auth1, createProxySpec(proxyAccessControl)));
+
+        // access-expression + expression is false -> no access to app
+        proxyAccessControl.setExpression("#{true}");
+        Assertions.assertFalse(accessControlService.canAccess(auth1, createProxySpec(proxyAccessControl)));
+
+        // change expression to return true
+        proxyAccessControl.setStrictExpression("#{true}");
+
+        // expression is true -> access to app based on group
+        when(userService.isMember(auth1, "myGroup1")).thenReturn(true);
+        Assertions.assertTrue(accessControlService.canAccess(auth1, createProxySpec(proxyAccessControl)));
+
+        // expression is true -> access to app based on user
+        when(userService.isMember(auth1, "myGroup1")).thenReturn(false);
+        Assertions.assertTrue(accessControlService.canAccess(auth1, createProxySpec(proxyAccessControl)));
+    }
+
     private ProxySpec createProxySpec(AccessControl proxyAccessControl) {
         return ProxySpec.builder()
             .id("myId")
