Ref #25533: access control for value sets

Author: LEDfan

…proxy/model/spec/ProxyAccessControl.java …ainerproxy/model/spec/AccessControl.javasrc/main/java/eu/openanalytics/containerproxy/model/spec/ProxyAccessControl.java renamed to src/main/java/eu/openanalytics/containerproxy/model/spec/AccessControl.java src/main/java/eu/openanalytics/containerproxy/model/spec/ProxyAccessControl.java renamed to src/main/java/eu/openanalytics/containerproxy/model/spec/AccessControl.java

@@ -20,9 +20,7 @@
  */
 package eu.openanalytics.containerproxy.model.spec;
 
-import java.util.Arrays;
-
-public class ProxyAccessControl {
+public class AccessControl {
 
 	private String[] groups;
 	private String[] users;
@@ -52,18 +50,6 @@ public void setExpression(String expression) {
 		this.expression = expression;
 	}
 
-	public void copy(ProxyAccessControl target) {
-		if (groups != null) {
-			target.setGroups(Arrays.copyOf(groups, groups.length));
-		}
-		if (users != null) {
-			target.setUsers(Arrays.copyOf(users, users.length));
-		}
-		if (expression != null) {
-			target.setExpression(expression);
-		}
-	}
-
 	public boolean hasGroupAccess() {
 		return groups != null && groups.length > 0;
 	}

src/main/java/eu/openanalytics/containerproxy/model/spec/Parameters.java

@@ -22,12 +22,13 @@
 
 import java.util.List;
 import java.util.Map;
+import java.util.Set;
 import java.util.stream.Collectors;
 
 public class Parameters {
 
     private List<ParameterDefinition> definitions;
-    private List<Map<String, List<String>>> values;
+    private List<ValueSet> valueSets;
 
     public List<ParameterDefinition> getDefinitions() {
         return definitions;
@@ -41,11 +42,41 @@ public void setDefinitions(List<ParameterDefinition> definitions) {
         this.definitions = definitions;
     }
 
-    public List<Map<String, List<String>>> getValues() {
-        return values;
+    public List<ValueSet> getValueSets() {
+        return valueSets;
     }
 
-    public void setValues(List<Map<String, List<String>>> values) {
-        this.values = values;
+    public void setValueSets(List<ValueSet> valueSets) {
+        this.valueSets = valueSets;
+    }
+
+    public static class ValueSet {
+
+        private AccessControl accessControl;
+        private Map<String, List<String>> values;
+
+        public void setValues(Map<String, List<String>> values) {
+            this.values = values;
+        }
+
+        public AccessControl getAccessControl() {
+            return accessControl;
+        }
+
+        public void setAccessControl(AccessControl accessControl) {
+            this.accessControl = accessControl;
+        }
+
+        public boolean containsParameter(String parameterId) {
+            return values.containsKey(parameterId) && !values.get(parameterId).isEmpty();
+        }
+
+        public List<String> getParameterValues(String parameterId) {
+            return values.get(parameterId);
+        }
+
+        public Set<String> getParameterIds() {
+            return values.keySet();
+        }
     }
 }

src/main/java/eu/openanalytics/containerproxy/model/spec/ProxySpec.java

@@ -21,10 +21,7 @@
 package eu.openanalytics.containerproxy.model.spec;
 
 import java.util.ArrayList;
-import java.util.HashMap;
 import java.util.List;
-import java.util.Map;
-import java.util.stream.Collectors;
 
 public class ProxySpec {
 
@@ -33,7 +30,7 @@ public class ProxySpec {
 	private String description;
 	private String logoURL;
 
-	private ProxyAccessControl accessControl;
+	private AccessControl accessControl;
 	private List<ContainerSpec> containerSpecs;
 
 	private String kubernetesPodPatches;
@@ -78,11 +75,11 @@ public void setLogoURL(String logoURL) {
 		this.logoURL = logoURL;
 	}
 
-	public ProxyAccessControl getAccessControl() {
+	public AccessControl getAccessControl() {
 		return accessControl;
 	}
 
-	public void setAccessControl(ProxyAccessControl accessControl) {
+	public void setAccessControl(AccessControl accessControl) {
 		this.accessControl = accessControl;
 	}
 

src/main/java/eu/openanalytics/containerproxy/service/AccessControlEvaluationService.java

@@ -0,0 +1,118 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2021 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.service;
+
+import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
+import eu.openanalytics.containerproxy.model.spec.AccessControl;
+import eu.openanalytics.containerproxy.model.spec.ProxySpec;
+import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext;
+import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;
+import org.springframework.context.annotation.Lazy;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Service;
+
+@Service
+public class AccessControlEvaluationService {
+
+    private final IAuthenticationBackend authBackend;
+    private final UserService userService;
+
+    private final SpecExpressionResolver specExpressionResolver;
+
+    public AccessControlEvaluationService(@Lazy IAuthenticationBackend authBackend, UserService userService, SpecExpressionResolver specExpressionResolver) {
+        this.authBackend = authBackend;
+        this.userService = userService;
+        this.specExpressionResolver = specExpressionResolver;
+    }
+
+    public boolean checkAccess(Authentication auth, ProxySpec spec, AccessControl accessControl) {
+        if (auth instanceof AnonymousAuthenticationToken) {
+            // TODO test with parameters
+            // if anonymous -> only allow access if the backend has no authorization enabled
+            return !authBackend.hasAuthorization();
+        }
+
+        if (hasAccessControl(accessControl)) {
+            return true;
+        }
+
+        if (allowedByGroups(auth, accessControl)) {
+            return true;
+        }
+
+        if (allowedByUsers(auth, accessControl)) {
+            return true;
+        }
+
+        if (allowedByExpression(auth, spec, accessControl)) {
+            return true;
+        }
+
+        return false;
+    }
+
+    public boolean hasAccessControl(AccessControl accessControl) {
+        if (accessControl == null) {
+            return true;
+        }
+
+        return !accessControl.hasGroupAccess()
+                && !accessControl.hasUserAccess()
+                && !accessControl.hasExpressionAccess();
+    }
+
+    public boolean allowedByGroups(Authentication auth, AccessControl accessControl) {
+        if (!accessControl.hasGroupAccess()) {
+            // no groups defined -> this user has no access based on the groups
+            return false;
+        }
+        for (String group : accessControl.getGroups()) {
+            if (userService.isMember(auth, group)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    public boolean allowedByUsers(Authentication auth, AccessControl accessControl) {
+        if (!accessControl.hasUserAccess()) {
+            // no users defined -> this user has no access based on the users
+            return false;
+        }
+        for (String user : accessControl.getUsers()) {
+            if (auth.getName().equals(user)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    public boolean allowedByExpression(Authentication auth, ProxySpec spec, AccessControl accessControl) {
+        if (!accessControl.hasExpressionAccess()) {
+            // no expression defined -> this user has no access based on the expression
+            return false;
+        }
+        SpecExpressionContext context = SpecExpressionContext.create(auth, auth.getPrincipal(), auth.getCredentials(), spec);
+        return specExpressionResolver.evaluateToBoolean(accessControl.getExpression(), context);
+    }
+
+}