From 67851195f1f5fea79f2ba25a0d84f10c2154097c Mon Sep 17 00:00:00 2001
From: Bill Smith
Date: Tue, 22 Jan 2019 16:52:57 -0700
Subject: [PATCH] [SHIBUI-1058] Added security checks so only Admins can set serviceEnabled to true. Still need unit tests. Also need JJ's feedback on the XML-related endpoints.
---
 .../EntityDescriptorController.java | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java
index e76749c06..aeac1fca2 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java
@@ -79,6 +79,11 @@ public ResponseEntity create(@RequestBody EntityDescriptorRepresentation edRe
 return existingEntityDescriptorConflictResponse;
 }
+ ResponseEntity entityDescriptorEnablingDeniedResponse = entityDescriptorEnablePermissionsCheck(edRepresentation.isServiceEnabled());
+ if (entityDescriptorEnablingDeniedResponse != null) {
+ return entityDescriptorEnablingDeniedResponse;
+ }
+
 EntityDescriptor ed = (EntityDescriptor) entityDescriptorService.createDescriptorFromRepresentation(edRepresentation);
 EntityDescriptor persistedEd = entityDescriptorRepository.save(ed);
@@ -89,11 +94,13 @@ public ResponseEntity create(@RequestBody EntityDescriptorRepresentation edRe
 @PostMapping(value = "/EntityDescriptor", consumes = "application/xml")
 public ResponseEntity upload(@RequestBody byte[] entityDescriptorXml, @RequestParam String spName) throws Exception {
+ //TODO: Do we want security checks here?
 return handleUploadingEntityDescriptorXml(entityDescriptorXml, spName);
 }
 @PostMapping(value = "/EntityDescriptor", consumes = "application/x-www-form-urlencoded")
 public ResponseEntity upload(@RequestParam String metadataUrl, @RequestParam String spName) throws Exception {
+ //TODO: Do we want security checks here?
 try {
 byte[] xmlContents = this.restTemplate.getForObject(metadataUrl, byte[].class);
 return handleUploadingEntityDescriptorXml(xmlContents, spName);
@@ -119,6 +126,11 @@ public ResponseEntity update(@RequestBody EntityDescriptorRepresentation edRe
 return new ResponseEntity(HttpStatus.CONFLICT);
 }
+ ResponseEntity entityDescriptorEnablingDeniedResponse = entityDescriptorEnablePermissionsCheck(edRepresentation.isServiceEnabled());
+ if (entityDescriptorEnablingDeniedResponse != null) {
+ return entityDescriptorEnablingDeniedResponse;
+ }
+
 EntityDescriptor updatedEd = EntityDescriptor.class.cast(entityDescriptorService.createDescriptorFromRepresentation(edRepresentation));
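Review bot: Both upload() overloads still reach handleUploadingEntityDescriptorXml() with no role check, so the restriction this commit adds to create() and update() can be sidestepped through them if an uploaded descriptor can end up enabled; the two TODOs should be resolved in this change rather than left open. Whether the helper forces serviceEnabled to false is not visible in this hunk; if it does not, either force it to false for non-admin callers or run `entityDescriptorEnablePermissionsCheck(...)` against the unmarshalled descriptor before it is saved. Separately, the form-encoded overload passes the caller-supplied `metadataUrl` straight to `restTemplate.getForObject`, so any caller of that endpoint can make the server fetch an arbitrary URL; validate the scheme and destination (https only, no loopback or internal addresses) before fetching.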
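Review bot: In update() the guard looks only at the incoming `edRepresentation.isServiceEnabled()`, never at the stored value, so the decision does not depend on whether the flag is actually being changed. A non-admin editing a descriptor that is already enabled is refused unless the request carries `false`, and a request carrying `false` passes the guard, which would let a non-admin disable a live service if nothing later in update() prevents it. Comparing against the persisted descriptor and denying only when a non-admin changes the flag would match the stated intent. The existing descriptor appears to be loaded earlier in update(), outside this hunk, so that needs confirming.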
@@ -211,6 +223,17 @@ private ResponseEntity existingEntityDescriptorCheck(String entityId) {
 return null;
 }
+ private ResponseEntity entityDescriptorEnablePermissionsCheck(boolean serviceEnabled) {
+ User user = userService.getCurrentUser();
+ if (user != null) {
+ if (serviceEnabled && !user.getRole().equals("ROLE_ADMIN")) {
+ return ResponseEntity.status(HttpStatus.FORBIDDEN)
+ .body(new ErrorResponse(HttpStatus.FORBIDDEN, "You do not have the permissions necessary to enable this service."));
+ }
+ }
+ return null;
+ }
+
 private ResponseEntity handleUploadingEntityDescriptorXml(byte[] rawXmlBytes, String spName) throws Exception {
 final EntityDescriptor ed = EntityDescriptor.class.cast(openSamlObjects.unmarshalFromXml(rawXmlBytes));
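Review bot: entityDescriptorEnablePermissionsCheck fails open: when `userService.getCurrentUser()` returns null the inner test is skipped and the method returns null, so create() and update() go ahead with serviceEnabled set to true. An authorization gate should deny when it cannot identify the caller; if a null user is a legitimate state (for example a profile with security switched off, which is not visible here), that should be an explicit, commented branch rather than the default. `user.getRole().equals("ROLE_ADMIN")` also throws if the role is null, so I would collapse the two ifs into `if (serviceEnabled && (user == null || !"ROLE_ADMIN".equals(user.getRole()))) {`. Logging the refusal at this point would also make denied enable attempts auditable.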