Implement access-expression access control

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/service/AccessControlService.java

@@ -136,7 +136,9 @@ public boolean allowedByExpression(Authentication auth, ProxySpec spec) {
             // no expression defined -> this user has no access based on the expression
             return false;
         }
-        return false;
+        SpecExpressionContext context = SpecExpressionContext.create(auth, auth.getPrincipal(), auth.getCredentials(), spec);
+        return specExpressionResolver.evaluateToBoolean(spec.getAccessControl().getExpression(), context);
     }
 
+
 }

src/main/java/eu/openanalytics/containerproxy/service/UserService.java

@@ -106,7 +106,7 @@ public String[] getGroups() {
 		return getGroups(getCurrentAuth());
 	}
 
-	public String[] getGroups(Authentication auth) {
+	public static String[] getGroups(Authentication auth) {
 		List<String> groups = new ArrayList<>();
 		if (auth != null) {
 			for (GrantedAuthority grantedAuth: auth.getAuthorities()) {

src/main/java/eu/openanalytics/containerproxy/spec/expression/SpecExpressionContext.java

@@ -24,68 +24,82 @@
 import eu.openanalytics.containerproxy.model.runtime.Proxy;
 import eu.openanalytics.containerproxy.model.spec.ContainerSpec;
 import eu.openanalytics.containerproxy.model.spec.ProxySpec;
+import eu.openanalytics.containerproxy.service.UserService;
 import org.keycloak.KeycloakPrincipal;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.ldap.userdetails.LdapUserDetails;
 import org.springframework.security.saml.SAMLCredential;
 
+import java.util.Arrays;
+import java.util.List;
+
 public class SpecExpressionContext {
 
-	private ContainerSpec containerSpec;
-	private ProxySpec proxySpec;
-	private Proxy proxy;
-	private OpenIDAuthenticationBackend.CustomNameOidcUser oicdUser;
-	private KeycloakPrincipal keycloakUser;
-	private SAMLCredential samlCredential;
-	private LdapUserDetails ldapUser;
+    private ContainerSpec containerSpec;
+    private ProxySpec proxySpec;
+    private Proxy proxy;
+    private OpenIDAuthenticationBackend.CustomNameOidcUser oicdUser;
+    private KeycloakPrincipal keycloakUser;
+    private SAMLCredential samlCredential;
+    private LdapUserDetails ldapUser;
+    private List<String> groups;
+
+    public ContainerSpec getContainerSpec() {
+        return containerSpec;
+    }
+
+    public ProxySpec getProxySpec() {
+        return proxySpec;
+    }
 
-	public ContainerSpec getContainerSpec() {
-		return containerSpec;
-	}
+    public Proxy getProxy() {
+        return proxy;
+    }
 
-	public ProxySpec getProxySpec() {
-		return proxySpec;
-	}
+    public OpenIDAuthenticationBackend.CustomNameOidcUser getOidcUser() {
+        return oicdUser;
+    }
 
-	public Proxy getProxy() {
-		return proxy;
-	}
+    public KeycloakPrincipal getKeycloakUser() {
+        return keycloakUser;
+    }
 
-	public OpenIDAuthenticationBackend.CustomNameOidcUser getOidcUser() {
-		return oicdUser;
-	}
+    public SAMLCredential getSamlCredential() {
+        return samlCredential;
+    }
 
-	public KeycloakPrincipal getKeycloakUser() {
-		return keycloakUser;
-	}
+    public LdapUserDetails getLdapUser() {
+        return ldapUser;
+    }
 
-	public SAMLCredential getSamlCredential() {
-		return samlCredential;
-	}
+    public List<String> getGroups() {
+        return groups;
+    }
 
-	public LdapUserDetails getLdapUser() {
-		return ldapUser;
-	}
+    public static SpecExpressionContext create(Object... objects) {
+        SpecExpressionContext ctx = new SpecExpressionContext();
+        for (Object o : objects) {
+            if (o instanceof ContainerSpec) {
+                ctx.containerSpec = (ContainerSpec) o;
+            } else if (o instanceof ProxySpec) {
+                ctx.proxySpec = (ProxySpec) o;
+            } else if (o instanceof Proxy) {
+                ctx.proxy = (Proxy) o;
+            } else if (o instanceof OpenIDAuthenticationBackend.CustomNameOidcUser) {
+                ctx.oicdUser = (OpenIDAuthenticationBackend.CustomNameOidcUser) o;
+            } else if (o instanceof KeycloakPrincipal) {
+                ctx.keycloakUser = (KeycloakPrincipal) o;
+            } else if (o instanceof SAMLCredential) {
+                ctx.samlCredential = (SAMLCredential) o;
+            } else if (o instanceof LdapUserDetails) {
+                ctx.ldapUser = (LdapUserDetails) o;
+            }
+            if (o instanceof Authentication) {
+				ctx.groups = Arrays.asList(UserService.getGroups((Authentication) o));
+            }
+        }
+        return ctx;
+    }
 
-	public static SpecExpressionContext create(Object...objects) {
-		SpecExpressionContext ctx = new SpecExpressionContext();
-		for (Object o: objects) {
-			if (o instanceof ContainerSpec) {
-				ctx.containerSpec = (ContainerSpec) o;
-			} else if (o instanceof ProxySpec) {
-				ctx.proxySpec = (ProxySpec) o;
-			} else if (o instanceof Proxy) {
-				ctx.proxy = (Proxy) o;
-			} else if (o instanceof OpenIDAuthenticationBackend.CustomNameOidcUser) {
-			    ctx.oicdUser = (OpenIDAuthenticationBackend.CustomNameOidcUser) o;
-			} else if (o instanceof KeycloakPrincipal) {
-				ctx.keycloakUser = (KeycloakPrincipal) o;
-			} else if (o instanceof SAMLCredential) {
-				ctx.samlCredential = (SAMLCredential) o;
-			} else if (o instanceof LdapUserDetails) {
-				ctx.ldapUser = (LdapUserDetails) o;
-			}
-		}
-		return ctx;
-	}
 }

src/main/java/eu/openanalytics/containerproxy/spec/expression/SpecExpressionResolver.java

@@ -23,8 +23,6 @@
 import java.util.Map;
 import java.util.concurrent.ConcurrentHashMap;
 
-import javax.inject.Inject;
-
 import org.springframework.beans.factory.config.ConfigurableBeanFactory;
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ConfigurableApplicationContext;
@@ -50,13 +48,10 @@
 @Component
 public class SpecExpressionResolver {
 
-	@Inject
-	private ApplicationContext appContext;
-	
-	private ExpressionParser expressionParser;
-	
+	private final ApplicationContext appContext;
+	private final ExpressionParser expressionParser;
 	private final Map<SpecExpressionContext, StandardEvaluationContext> evaluationCache = new ConcurrentHashMap<>(8);
-	
+
 	private final ParserContext beanExpressionParserContext = new ParserContext() {
 		@Override
 		public boolean isTemplate() {
@@ -72,7 +67,8 @@ public String getExpressionSuffix() {
 		}
 	};
 
-	public SpecExpressionResolver() {
+	public SpecExpressionResolver(ApplicationContext appContext) {
+		this.appContext = appContext;
 		this.expressionParser = new SpelExpressionParser();
 	}
 
@@ -105,4 +101,8 @@ public Object evaluate(String expression, SpecExpressionContext context) {
 	public String evaluateToString(String expression, SpecExpressionContext context) {
 		return String.valueOf(evaluate(expression, context));
 	}
+
+	public Boolean evaluateToBoolean(String expression, SpecExpressionContext context) {
+		return Boolean.valueOf(evaluateToString(expression, context));
+	}
 }

src/test/java/eu/openanalytics/containerproxy/test/auth/AccessControlServiceTest.java

@@ -6,8 +6,10 @@
 import eu.openanalytics.containerproxy.service.AccessControlService;
 import eu.openanalytics.containerproxy.service.UserService;
 import eu.openanalytics.containerproxy.spec.IProxySpecProvider;
+import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
+import org.springframework.context.ApplicationContext;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
 
@@ -25,7 +27,8 @@ public AccessControlServiceTest() {
         authBackend = mock(IAuthenticationBackend.class);
         userService = mock(UserService.class);
         specProvider = mock(IProxySpecProvider.class);
-        accessControlService = new AccessControlService(authBackend, userService, specProvider);
+        SpecExpressionResolver specExpressionResolver = new SpecExpressionResolver(mock(ApplicationContext.class));
+        accessControlService = new AccessControlService(authBackend, userService, specProvider, specExpressionResolver);
     }
 
     @Test