|
24 | 24 | import eu.openanalytics.containerproxy.model.spec.ProxyAccessControl; |
25 | 25 | import eu.openanalytics.containerproxy.model.spec.ProxySpec; |
26 | 26 | import eu.openanalytics.containerproxy.spec.IProxySpecProvider; |
| 27 | +import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext; |
| 28 | +import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver; |
| 29 | +import org.apache.commons.lang3.tuple.Pair; |
27 | 30 | import org.springframework.context.annotation.Lazy; |
| 31 | +import org.springframework.context.event.EventListener; |
28 | 32 | import org.springframework.security.authentication.AnonymousAuthenticationToken; |
29 | 33 | import org.springframework.security.core.Authentication; |
| 34 | +import org.springframework.security.web.session.HttpSessionDestroyedEvent; |
30 | 35 | import org.springframework.stereotype.Service; |
| 36 | +import org.springframework.web.context.request.RequestAttributes; |
| 37 | +import org.springframework.web.context.request.RequestContextHolder; |
| 38 | + |
| 39 | +import java.util.Map; |
| 40 | +import java.util.Optional; |
| 41 | +import java.util.concurrent.ConcurrentHashMap; |
31 | 42 |
|
32 | 43 | @Service |
33 | 44 | public class AccessControlService { |
34 | 45 |
|
35 | 46 | private final IAuthenticationBackend authBackend; |
36 | 47 | private final UserService userService; |
37 | 48 | private final IProxySpecProvider specProvider; |
| 49 | + private final SpecExpressionResolver specExpressionResolver; |
| 50 | + |
| 51 | + /* This map is used to cache whether a user has access to an app or not. |
| 52 | + * The reason is two-fold: |
| 53 | + * - for every request made (including static files of apps etc) the access control is checked |
| 54 | + * - when using the `access-expression` feature, checking the access control means evaluating a SpEL expression |
| 55 | + * I.e. the check can be complex and is performed a lot. |
| 56 | + * This cache uses the SessionId of the user and not the userId for two reasons: |
| 57 | + * - this ensures that the key is unique |
| 58 | + * - the roles/properties of a user change when they re-login |
| 59 | + */ |
| 60 | + private final Map<Pair<String, String>, Boolean> authorizationCache = new ConcurrentHashMap<>(); |
38 | 61 |
|
39 | | - public AccessControlService(@Lazy IAuthenticationBackend authBackend, UserService userService, IProxySpecProvider specProvider) { |
| 62 | + public AccessControlService(@Lazy IAuthenticationBackend authBackend, UserService userService, IProxySpecProvider specProvider, SpecExpressionResolver specExpressionResolver) { |
40 | 63 | this.authBackend = authBackend; |
41 | 64 | this.userService = userService; |
42 | 65 | this.specProvider = specProvider; |
| 66 | + this.specExpressionResolver = specExpressionResolver; |
43 | 67 | } |
44 | 68 |
|
45 | 69 | public boolean canAccess(Authentication auth, String specId) { |
@@ -140,5 +164,10 @@ public boolean allowedByExpression(Authentication auth, ProxySpec spec) { |
140 | 164 | return specExpressionResolver.evaluateToBoolean(spec.getAccessControl().getExpression(), context); |
141 | 165 | } |
142 | 166 |
|
| 167 | + @EventListener |
| 168 | + public void onSessionDestroyedEvent(HttpSessionDestroyedEvent event) { |
| 169 | + // remove all entries in cache for this sessionId |
| 170 | + authorizationCache.keySet().removeIf(it -> it.getLeft().equals(event.getId())); |
| 171 | + } |
143 | 172 |
|
144 | 173 | } |
0 commit comments