Ref #25533: access control tests

Author: LEDfan

src/main/java/eu/openanalytics/containerproxy/service/AccessControlEvaluationService.java

@@ -46,7 +46,6 @@ public AccessControlEvaluationService(@Lazy IAuthenticationBackend authBackend,
 
     public boolean checkAccess(Authentication auth, ProxySpec spec, AccessControl accessControl) {
         if (auth instanceof AnonymousAuthenticationToken) {
-            // TODO test with parameters
             // if anonymous -> only allow access if the backend has no authorization enabled
             return !authBackend.hasAuthorization();
         }

src/main/java/eu/openanalytics/containerproxy/service/ParametersService.java

@@ -29,11 +29,9 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.lang3.tuple.Pair;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Service;
 
 import javax.annotation.PostConstruct;
-import javax.inject.Inject;
 import java.util.ArrayList;
 import java.util.Comparator;
 import java.util.HashMap;
@@ -47,14 +45,17 @@
 @Service
 public class ParametersService {
 
-    @Inject
-    private IProxySpecProvider baseSpecProvider;
+    private final IProxySpecProvider baseSpecProvider;
 
-    @Inject
-    private AccessControlEvaluationService accessControlEvaluationService;
+    private final AccessControlEvaluationService accessControlEvaluationService;
 
     private static final Pattern PARAMETER_ID_PATTERN = Pattern.compile("[a-zA-Z\\d_-]*");
 
+    public ParametersService(IProxySpecProvider baseSpecProvider, AccessControlEvaluationService accessControlEvaluationService) {
+        this.baseSpecProvider = baseSpecProvider;
+        this.accessControlEvaluationService = accessControlEvaluationService;
+    }
+
     @PostConstruct
     public void init() {
         for (ProxySpec spec : baseSpecProvider.getSpecs()) {
@@ -117,7 +118,7 @@ private void validateSpec(ProxySpec spec) {
 
     }
 
-    public boolean validateRequest(ProxySpec resolvedSpec, ProvidedParameters providedParameters) throws InvalidParametersException {
+    public boolean validateRequest(Authentication auth, ProxySpec resolvedSpec, ProvidedParameters providedParameters) throws InvalidParametersException {
         Parameters parameters = resolvedSpec.getParameters();
         if (parameters == null) {
             return false;
@@ -139,8 +140,6 @@ public boolean validateRequest(ProxySpec resolvedSpec, ProvidedParameters provid
             }
         }
 
-        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
-
         // check if the combination of values is allowed
         for (Parameters.ValueSet valueSet : parameters.getValueSets()) {
             if (!accessControlEvaluationService.checkAccess(auth, resolvedSpec, valueSet.getAccessControl())) {
@@ -168,16 +167,15 @@ private boolean areParametersAllowedByValueSet(List<String> parameterIds, Parame
         return true;
     }
 
-    public AllowedParametersForUser calculateAllowedParametersForUser(ProxySpec proxySpec) {
+    public AllowedParametersForUser calculateAllowedParametersForUser(Authentication auth, ProxySpec proxySpec) {
         Parameters parameters = proxySpec.getParameters();
         if (parameters == null) {
             return new AllowedParametersForUser(new HashMap<>(), new HashSet<>());
         }
         List<String> parameterIds = parameters.getIds();
 
         // 1. check which ValueSets are allowed for this
-        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
-        List< Parameters.ValueSet> allowedValueSets = parameters.getValueSets().stream()
+        List<Parameters.ValueSet> allowedValueSets = parameters.getValueSets().stream()
                 .filter(v -> accessControlEvaluationService.checkAccess(auth, proxySpec, v.getAccessControl()))
                 .collect(Collectors.toList());
 

src/main/java/eu/openanalytics/containerproxy/service/ProxyService.java

@@ -259,7 +259,7 @@ public Proxy startProxy(ProxySpec spec, boolean ignoreAccessControl, List<Runtim
 		if (runtimeValues != null) {
 			proxy.addRuntimeValues(runtimeValues);
 		}
-        if (parametersService.validateRequest(spec, parameters)) {
+        if (parametersService.validateRequest(userService.getCurrentAuth(), spec, parameters)) {
             proxy.addRuntimeValue(new RuntimeValue(ParametersKey.inst, parameters));
         }
 

src/test/java/eu/openanalytics/containerproxy/test/auth/AccessControlServiceTest.java

@@ -30,9 +30,13 @@
 import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
-import org.springframework.context.ApplicationContext;
+import org.springframework.context.support.GenericApplicationContext;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+
+import java.util.Collection;
+import java.util.Collections;
 
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -48,7 +52,7 @@ public AccessControlServiceTest() {
         authBackend = mock(IAuthenticationBackend.class);
         userService = mock(UserService.class);
         specProvider = mock(IProxySpecProvider.class);
-        SpecExpressionResolver specExpressionResolver = new SpecExpressionResolver(mock(ApplicationContext.class));
+        SpecExpressionResolver specExpressionResolver = new SpecExpressionResolver(new GenericApplicationContext());
         accessControlService = new ProxyAccessControlService(specProvider, new AccessControlEvaluationService(authBackend, userService, specExpressionResolver));
     }
 
@@ -182,6 +186,23 @@ public void combinationOfGroupAndUserTest() {
         Assertions.assertTrue(accessControlService.canAccess(auth4, createProxySpec(proxyAccessControl)));
     }
 
+    @Test
+    public void expressionTest() {
+        when(authBackend.hasAuthorization()).thenReturn(true);
+        AccessControl proxyAccessControl = new AccessControl();
+        proxyAccessControl.setExpression("#{groups.contains('DEV')}");
+
+        // user is not part of the DEV group-> no access
+        Authentication auth1 = mock(Authentication.class);
+        when(auth1.getAuthorities()).thenReturn((Collection) Collections.singletonList(new SimpleGrantedAuthority("ROLE_PROD")));
+        Assertions.assertFalse(accessControlService.canAccess(auth1, createProxySpec(proxyAccessControl)));
+
+        // user is part of the DEV group -> has access
+        Authentication auth2 = mock(Authentication.class);
+        when(auth2.getAuthorities()).thenReturn((Collection) Collections.singletonList(new SimpleGrantedAuthority("ROLE_DEV")));
+        Assertions.assertTrue(accessControlService.canAccess(auth2, createProxySpec(proxyAccessControl)));
+    }
+
     private ProxySpec createProxySpec(AccessControl proxyAccessControl) {
         ProxySpec proxySpec = new ProxySpec();
         proxySpec.setId("myId");