Add AccessControlService to centralise Authorization/ACL

LEDfan · LEDfan · commit ef9ad99e909a · 2021-10-15T10:33:34.000+02:00
diff --git a/src/main/java/eu/openanalytics/containerproxy/model/spec/ProxyAccessControl.java b/src/main/java/eu/openanalytics/containerproxy/model/spec/ProxyAccessControl.java
@@ -25,19 +25,55 @@
 public class ProxyAccessControl {
 
 	private String[] groups;
+	private String[] users;
+	private String expression;
 
 	public String[] getGroups() {
 		return groups;
 	}
 
+	public String[] getUsers() {
+		return users;
+	}
+
+	public String getExpression() {
+		return expression;
+	}
+
 	public void setGroups(String[] groups) {
 		this.groups = groups;
 	}
-	
+
+	public void setUsers(String[] users) {
+		this.users = users;
+	}
+
+	public void setExpression(String expression) {
+		this.expression = expression;
+	}
+
 	public void copy(ProxyAccessControl target) {
 		if (groups != null) {
 			target.setGroups(Arrays.copyOf(groups, groups.length));
 		}
+		if (users != null) {
+			target.setUsers(Arrays.copyOf(users, users.length));
+		}
+		if (expression != null) {
+			target.setExpression(expression);
+		}
 	}
-	
+
+	public boolean hasGroupAccess() {
+		return groups != null && groups.length > 0;
+	}
+
+	public boolean hasUserAccess() {
+		return users != null && users.length > 0;
+	}
+
+	public boolean hasExpressionAccess() {
+		return expression != null && expression.length() > 0;
+	}
+
 }
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/AccessControlService.java b/src/main/java/eu/openanalytics/containerproxy/service/AccessControlService.java
@@ -0,0 +1,123 @@
+/**
+ * ContainerProxy
+ *
+ * Copyright (C) 2016-2021 Open Analytics
+ *
+ * ===========================================================================
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Apache License as published by
+ * The Apache Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * Apache License for more details.
+ *
+ * You should have received a copy of the Apache License
+ * along with this program.  If not, see <http://www.apache.org/licenses/>
+ */
+package eu.openanalytics.containerproxy.service;
+
+import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
+import eu.openanalytics.containerproxy.model.spec.ProxyAccessControl;
+import eu.openanalytics.containerproxy.model.spec.ProxySpec;
+import eu.openanalytics.containerproxy.spec.IProxySpecProvider;
+import org.springframework.context.annotation.Lazy;
+import org.springframework.security.authentication.AnonymousAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Service;
+
+import javax.inject.Inject;
+
+@Service
+public class AccessControlService {
+
+    @Lazy
+    @Inject
+    private IAuthenticationBackend authBackend;
+
+    @Inject
+    private UserService userService;
+
+    @Inject
+    private IProxySpecProvider specProvider;
+
+    public boolean canAccess(Authentication auth, String specId) {
+        return canAccess(auth, specProvider.getSpec(specId));
+    }
+
+    public boolean canAccess(Authentication auth, ProxySpec spec) {
+        if (auth == null || spec == null) {
+            return false;
+        }
+
+        if (auth instanceof AnonymousAuthenticationToken && !authBackend.hasAuthorization()) {
+            return true;
+        }
+
+        if (specHasNoAccessControl(spec.getAccessControl())) {
+            return true;
+        }
+
+        if (allowedByGroups(auth, spec)) {
+            return true;
+        }
+
+        if (allowedByUsers(auth, spec)) {
+            return true;
+        }
+
+        if (allowedByExpression(auth, spec)) {
+            return true;
+        }
+
+        return false;
+    }
+
+    public boolean specHasNoAccessControl(ProxyAccessControl accessControl) {
+        if (accessControl == null) {
+            return true;
+        }
+
+        return !accessControl.hasGroupAccess()
+                && !accessControl.hasUserAccess()
+                && !accessControl.hasExpressionAccess();
+    }
+
+    public boolean allowedByGroups(Authentication auth, ProxySpec spec) {
+        if (!spec.getAccessControl().hasGroupAccess()) {
+            // no groups defined -> this user has no access based on the groups
+            return false;
+        }
+        for (String group : spec.getAccessControl().getGroups()) {
+            if (userService.isMember(auth, group)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    public boolean allowedByUsers(Authentication auth, ProxySpec spec) {
+        if (!spec.getAccessControl().hasUserAccess()) {
+            // no users defined -> this user has no access based on the users
+            return false;
+        }
+        for (String user : spec.getAccessControl().getUsers()) {
+            if (auth.getName().equals(user)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    public boolean allowedByExpression(Authentication auth, ProxySpec spec) {
+        if (!spec.getAccessControl().hasExpressionAccess()) {
+            // no expression defined -> this user has no access based on the expression
+            return false;
+        }
+        return false;
+    }
+
+}
diff --git a/src/main/java/eu/openanalytics/containerproxy/service/UserService.java b/src/main/java/eu/openanalytics/containerproxy/service/UserService.java
@@ -75,6 +75,9 @@ public class UserService {
 	@Inject
 	private ApplicationEventPublisher applicationEventPublisher;
 
+	@Inject
+	private AccessControlService accessControlService;
+
 	public Authentication getCurrentAuth() {
 		return SecurityContextHolder.getContext().getAuthentication();
 	}
@@ -127,23 +130,9 @@ public boolean isAdmin(Authentication auth) {
 	}
 	
 	public boolean canAccess(ProxySpec spec) {
-		return canAccess(getCurrentAuth(), spec);
+		return accessControlService.canAccess(getCurrentAuth(), spec);
 	}
-	
-	public boolean canAccess(Authentication auth, ProxySpec spec) {
-		if (auth == null || spec == null) return false;
-		if (auth instanceof AnonymousAuthenticationToken) return !authBackend.hasAuthorization();
 
-		if (spec.getAccessControl() == null) return true;
-		
-		String[] groups = spec.getAccessControl().getGroups();
-		if (groups == null || groups.length == 0) return true;
-		for (String group: groups) {
-			if (isMember(auth, group)) return true;
-		}
-		return false;
-	}
-	
 	public boolean isOwner(Proxy proxy) {
 		return isOwner(getCurrentAuth(), proxy);
 	}
@@ -153,7 +142,7 @@ public boolean isOwner(Authentication auth, Proxy proxy) {
 		return proxy.getUserId().equals(getUserId(auth));
 	}
 	
-	private boolean isMember(Authentication auth, String groupName) {
+	public boolean isMember(Authentication auth, String groupName) {
 		if (auth == null || auth instanceof AnonymousAuthenticationToken || groupName == null) return false;
 		for (String group: getGroups(auth)) {
 			if (group.equalsIgnoreCase(groupName)) return true;
