SHIBUI-2001

Wrapping up endpoint for enabling
TIER · Aug 16, 2021 · 0b12ec9 · 0b12ec9
1 parent b0f5a89
commit 0b12ec9
Show file tree

Hide file tree

Showing 8 changed files with 287 additions and 98 deletions.
diff --git a/...oovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy b/...oovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy
@@ -560,7 +560,6 @@ class JPAMetadataResolverServiceImpl implements MetadataResolverService {
 
     public edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolver updateMetadataResolverEnabledStatus(edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolver updatedResolver) throws ForbiddenException, MetadataFileNotFoundException, InitializationException {
         if (!userService.currentUserCanEnable(updatedResolver)) {
-//        if (!userService.currentUserHasExpectedRole(["ROLE_ADMIN", "ROLE_ENABLE"])) {
             throw new ForbiddenException("You do not have the permissions necessary to change the enable status of this filter.")
         }
 

diff --git a/...d/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/MetadataFilter.java b/...d/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/filters/MetadataFilter.java
@@ -1,9 +1,6 @@
 package edu.internet2.tier.shibboleth.admin.ui.domain.filters;
 
-import com.fasterxml.jackson.annotation.JsonGetter;
-import com.fasterxml.jackson.annotation.JsonProperty;
-import com.fasterxml.jackson.annotation.JsonSubTypes;
-import com.fasterxml.jackson.annotation.JsonTypeInfo;
+import com.fasterxml.jackson.annotation.*;
 import edu.internet2.tier.shibboleth.admin.ui.domain.AbstractAuditable;
 import edu.internet2.tier.shibboleth.admin.ui.domain.ActivatableType;
 import edu.internet2.tier.shibboleth.admin.ui.domain.IActivatable;
@@ -58,6 +55,7 @@ public abstract class MetadataFilter extends AbstractAuditable implements IConcr
     @Transient
     private transient Integer version;
 
+    @JsonIgnore
     public ActivatableType getActivatableType() {
         return FILTER;
     }

diff --git a/...c/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/MetadataResolver.java b/...c/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/resolvers/MetadataResolver.java
@@ -104,7 +104,9 @@ public void entityAttributesFilterIntoTransientRepresentation() {
                         .forEach(EntityAttributesFilter::intoTransientRepresentation);
     }
 
-    @Override public ActivatableType getActivatableType() {
+    @Override
+    @JsonIgnore
+    public ActivatableType getActivatableType() {
         return METADATA_RESOLVER;
     }
 

diff --git a/...nd/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java b/...nd/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/service/UserService.java
@@ -50,18 +50,18 @@ public UserService(IGroupService groupService, OwnershipRepository ownershipRepo
     }
 
     public boolean currentUserCanEnable(IActivatable activatableObject) {
+        if (currentUserIsAdmin()) { return true; }
         switch (activatableObject.getActivatableType()) {
         case ENTITY_DESCRIPTOR: {
-            if (getCurrentUserAccess() == ADMIN) { return true; }
-            if (currentUserHasExpectedRole(Arrays.asList("ROLE_ENABLE" )) && getCurrentUserGroup().getOwnerId().equals(((EntityDescriptor) activatableObject).getIdOfOwner())) {
-                return true;
-            }
+            return currentUserHasExpectedRole(Arrays.asList("ROLE_ENABLE" )) && getCurrentUserGroup().getOwnerId().equals(((EntityDescriptor) activatableObject).getIdOfOwner());
         }
+        // Currently filters and providers dont have ownership, so we just look for the right role
         case FILTER:
         case METADATA_RESOLVER:
-            return currentUserHasExpectedRole(Arrays.asList("ROLE_ADMIN", "ROLE_ENABLE" ));
+            return currentUserHasExpectedRole(Arrays.asList("ROLE_ENABLE" ));
+        default:
+            return false;
         }
-        return false;
     }
 
     /**
@@ -137,6 +137,7 @@ public Set<String> getUserRoles(String username) {
         return result;
     }
 
+     // @TODO - probably delegate this out to something plugable at some point
     public boolean isAuthorizedFor(Ownable ownableObject) {
         switch (getCurrentUserAccess()) {
         case ADMIN: // Pure admin is authorized to do anything

diff --git a/...n/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java b/...n/java/edu/internet2/tier/shibboleth/admin/ui/service/JPAEntityDescriptorServiceImpl.java
@@ -363,7 +363,7 @@ public EntityDescriptorRepresentation update(EntityDescriptorRepresentation edRe
         if (existingEd == null) {
             throw new EntityNotFoundException(String.format("The entity descriptor with entity id [%s] was not found for update.", edRep.getId()));
         }
-        if (edRep.isServiceEnabled() && !userService.currentUserIsAdmin()) {
+        if (edRep.isServiceEnabled() && !userService.currentUserCanEnable(existingEd)) {
             throw new ForbiddenException("You do not have the permissions necessary to enable this service.");
         }
         if (!userService.isAuthorizedFor(existingEd)) {
@@ -392,7 +392,6 @@ public EntityDescriptorRepresentation updateEntityDescriptorEnabledStatus(String
             throw new EntityNotFoundException("Entity with resourceid[" + resourceId + "] was not found for update");
         }
         if (!userService.currentUserCanEnable(ed)) {
-//        if (!userService.currentUserHasExpectedRole(Arrays.asList(new String[] { "ROLE_ADMIN", "ROLE_ENABLE" }))) {
             throw new ForbiddenException("You do not have the permissions necessary to change the enable status of this entity descriptor.");
         }
         ed.setServiceEnabled(status);

diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
@@ -87,7 +87,7 @@ shibui.mail.text-email-template-path-prefix=/mail/text/
 shibui.mail.html.email-template-path-prefix=/mail/html/
 shibui.mail.system-email-address=doNotReply@shibui.org
 
-shibui.roles=ROLE_ADMIN,ROLE_USER,ROLE_NONE
+shibui.roles=ROLE_ADMIN,ROLE_ENABLE,ROLE_USER,ROLE_NONE
 
 #In order to enable authentication via configured pac4j library (with external SAMl Idp, for example)
 #This property must be set to true and pac4j properties configured. For sample pac4j properties, see application.yml
@@ -97,4 +97,4 @@ shibui.roles=ROLE_ADMIN,ROLE_USER,ROLE_NONE
 #This property must be set to true in order to enable posting stats to beacon endpoint. Furthermore, appropriate
 #environment variables must be set for beacon publisher to be used (the ones that are set when running shib-ui in
 #docker container
-shibui.beacon-enabled=true
+shibui.beacon-enabled=true
diff --git a/...t2/tier/shibboleth/admin/ui/controller/MetadataResolversControllerIntegrationTests.groovy b/...t2/tier/shibboleth/admin/ui/controller/MetadataResolversControllerIntegrationTests.groovy
@@ -4,6 +4,7 @@ import com.fasterxml.jackson.databind.ObjectMapper
 import com.fasterxml.jackson.databind.SerializationFeature
 import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule
 import edu.internet2.tier.shibboleth.admin.ui.configuration.CustomPropertiesConfiguration
+import edu.internet2.tier.shibboleth.admin.ui.configuration.StringTrimModule
 import edu.internet2.tier.shibboleth.admin.ui.domain.filters.EntityAttributesFilter
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.DynamicHttpMetadataResolver
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.FileBackedHttpMetadataResolver
@@ -21,6 +22,7 @@ import org.springframework.boot.test.context.SpringBootTest
 import org.springframework.boot.test.context.TestConfiguration
 import org.springframework.boot.test.web.client.TestRestTemplate
 import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Profile
 import org.springframework.http.HttpEntity
 import org.springframework.http.HttpHeaders
 import org.springframework.test.annotation.DirtiesContext
@@ -63,6 +65,7 @@ class MetadataResolversControllerIntegrationTests extends Specification {
         mapper.enable(SerializationFeature.INDENT_OUTPUT)
         mapper.setSerializationInclusion(NON_NULL)
         mapper.registerModule(new JavaTimeModule())
+        mapper.registerModule(new StringTrimModule())
         metadataResolverRepository.deleteAll()
     }
 
@@ -206,7 +209,7 @@ class MetadataResolversControllerIntegrationTests extends Specification {
             'ResourceBacked' | _
             'Filesystem'     | _
     }
-    
+
     @DirtiesContext
     def "SHIBUI-1992 - error creating FileBackedHTTPMetadata"() {
         def resolver = new FileBackedHttpMetadataResolver().with {
@@ -360,10 +363,10 @@ class MetadataResolversControllerIntegrationTests extends Specification {
     }
 
     @TestConfiguration
-    static class Config {
+    static class LocalConfig {
         @Bean
         MetadataResolver metadataResolver() {
             new OpenSamlChainingMetadataResolver()
         }
     }
-}
+}