Merged in feature/shibui-2394-perms (pull request #628)

Feature/shibui 2394 perms

Approved-by: Dmitriy Kopylenko

.gitignore

@@ -415,3 +415,8 @@ beacon/spring/out
 /a.xml
 /application.yml
 /backend/src/test/resources/conf/deletem.xml
+/testbed/authentication/shibui/saml-signing-cert.crt
+/testbed/authentication/shibui/saml-signing-cert.key
+/testbed/authentication/shibui/saml-signing-cert.pem
+/testbed/authentication/shibui/samlKeystore.jks
+/testbed/authentication/shibui/sp-metadata.xml

backend/src/enversTest/groovy/edu/internet2/tier/shibboleth/admin/ui/controller/MetadataResolverControllerVersionEndpointsIntegrationTests.groovy

@@ -9,7 +9,6 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.filters.EntityAttributesFil
 import edu.internet2.tier.shibboleth.admin.ui.domain.filters.EntityRoleWhiteListFilter
 import edu.internet2.tier.shibboleth.admin.ui.domain.filters.NameIdFormatFilter
 import edu.internet2.tier.shibboleth.admin.ui.domain.filters.NameIdFormatFilterTarget
-import edu.internet2.tier.shibboleth.admin.ui.domain.filters.SignatureValidationFilter
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.DynamicHttpMetadataResolver
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.FileBackedHttpMetadataResolver
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.FilesystemMetadataResolver
@@ -19,13 +18,9 @@ import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolver
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.RegexScheme
 import edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.TemplateScheme
 import edu.internet2.tier.shibboleth.admin.ui.repository.MetadataResolverRepository
-
 import edu.internet2.tier.shibboleth.admin.ui.service.MetadataResolverVersionService
 import edu.internet2.tier.shibboleth.admin.ui.util.TestObjectGenerator
 import edu.internet2.tier.shibboleth.admin.util.AttributeUtility
-
-import org.apache.commons.lang3.RandomStringUtils
-
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.boot.test.context.SpringBootTest
 import org.springframework.boot.test.web.client.TestRestTemplate

backend/src/enversTest/groovy/edu/internet2/tier/shibboleth/admin/ui/repository/envers/MetadataResolverEnversVersioningTests.groovy

@@ -27,7 +27,10 @@ import javax.persistence.EntityManager
 
 import static edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.HttpMetadataResolverAttributes.HttpCachingType.file
 import static edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.HttpMetadataResolverAttributes.HttpCachingType.none
-import static edu.internet2.tier.shibboleth.admin.ui.repository.envers.EnversTestsSupport.*
+import static edu.internet2.tier.shibboleth.admin.ui.repository.envers.EnversTestsSupport.getModifiedEntityNames
+import static edu.internet2.tier.shibboleth.admin.ui.repository.envers.EnversTestsSupport.getRevisionEntityForRevisionIndex
+import static edu.internet2.tier.shibboleth.admin.ui.repository.envers.EnversTestsSupport.getTargetEntityForRevisionIndex
+import static edu.internet2.tier.shibboleth.admin.ui.repository.envers.EnversTestsSupport.updateAndGetRevisionHistoryOfMetadataResolver
 
 /**
  * Testing metadata resolver envers versioning

backend/src/integration/groovy/com/sebuilder/interpreter/webdriverfactory/Firefox.java

@@ -16,15 +16,16 @@
 
 package com.sebuilder.interpreter.webdriverfactory;
 
-import java.io.File;
-import java.util.HashMap;
 import org.openqa.selenium.firefox.FirefoxBinary;
 import org.openqa.selenium.firefox.FirefoxDriver;
 import org.openqa.selenium.firefox.FirefoxOptions;
 import org.openqa.selenium.firefox.FirefoxProfile;
 import org.openqa.selenium.remote.DesiredCapabilities;
 import org.openqa.selenium.remote.RemoteWebDriver;
 
+import java.io.File;
+import java.util.HashMap;
+
 public class Firefox implements WebDriverFactory {
     /**
      * @param config Key/value pairs treated as required capabilities, with the exception of:
@@ -50,4 +51,4 @@ public RemoteWebDriver make(HashMap<String, String> config) {
         options.setBinary(fb);
         return new FirefoxDriver(options);
     }
-}
+}

backend/src/integration/groovy/jp/vmi/selenium/selenese/Runner.java

@@ -1,38 +1,7 @@
 package jp.vmi.selenium.selenese;
 
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.PrintStream;
-import java.util.ArrayDeque;
-import java.util.ArrayList;
-import java.util.Calendar;
-import java.util.Deque;
-import java.util.EnumSet;
-import java.util.List;
-import java.util.Map;
-import java.util.concurrent.TimeUnit;
-
-import org.apache.commons.io.FileUtils;
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.io.output.NullOutputStream;
-import org.apache.commons.lang3.StringUtils;
-import org.apache.commons.lang3.time.FastDateFormat;
-import org.openqa.selenium.Alert;
-import org.openqa.selenium.HasCapabilities;
-import org.openqa.selenium.JavascriptExecutor;
-import org.openqa.selenium.OutputType;
-import org.openqa.selenium.TakesScreenshot;
-import org.openqa.selenium.WebDriver;
-import org.openqa.selenium.WebDriverException;
-import org.openqa.selenium.remote.Augmenter;
-import org.openqa.selenium.remote.RemoteWebDriver;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
 import com.assertthat.selenium_shutterbug.core.Shutterbug;
 import com.assertthat.selenium_shutterbug.utils.web.ScrollStrategy;
-
 import jp.vmi.html.result.HtmlResult;
 import jp.vmi.html.result.HtmlResultHolder;
 import jp.vmi.junit.result.JUnitResult;
@@ -55,9 +24,38 @@
 import jp.vmi.selenium.selenese.utils.MouseUtils;
 import jp.vmi.selenium.selenese.utils.PathUtils;
 import jp.vmi.selenium.webdriver.WebDriverPreparator;
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.io.output.NullOutputStream;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.commons.lang3.time.FastDateFormat;
+import org.openqa.selenium.Alert;
+import org.openqa.selenium.HasCapabilities;
+import org.openqa.selenium.JavascriptExecutor;
+import org.openqa.selenium.OutputType;
+import org.openqa.selenium.TakesScreenshot;
+import org.openqa.selenium.WebDriver;
+import org.openqa.selenium.WebDriverException;
+import org.openqa.selenium.remote.Augmenter;
+import org.openqa.selenium.remote.RemoteWebDriver;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PrintStream;
+import java.util.ArrayDeque;
+import java.util.ArrayList;
+import java.util.Calendar;
+import java.util.Deque;
+import java.util.EnumSet;
+import java.util.List;
+import java.util.Map;
+import java.util.concurrent.TimeUnit;
 
-import static jp.vmi.selenium.selenese.result.Unexecuted.*;
-import static org.openqa.selenium.remote.CapabilityType.*;
+import static jp.vmi.selenium.selenese.result.Unexecuted.UNEXECUTED;
+import static org.openqa.selenium.remote.CapabilityType.TAKES_SCREENSHOT;
 
 /**
  * Provide Java API to run Selenese script.
@@ -851,4 +849,4 @@ public void unhighlight() {
     void setupMaxTimeTimer(long maxTime) {
         this.maxTimeTimer = new MaxTimeActiveTimer(maxTime);
     }
-}
+}

backend/src/integration/groovy/jp/vmi/selenium/selenese/command/AttachFile.java

@@ -25,25 +25,24 @@
 
 package jp.vmi.selenium.selenese.command;
 
-import java.io.File;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.net.MalformedURLException;
-import java.net.URL;
-
-import org.apache.commons.io.FilenameUtils;
-import org.openqa.selenium.WebElement;
-import org.openqa.selenium.io.TemporaryFilesystem;
-
 import com.google.common.io.Resources;
-
 import jp.vmi.selenium.selenese.Context;
 import jp.vmi.selenium.selenese.result.Error;
 import jp.vmi.selenium.selenese.result.Result;
 import jp.vmi.selenium.selenese.result.Warning;
+import org.apache.commons.io.FilenameUtils;
+import org.openqa.selenium.WebElement;
+import org.openqa.selenium.io.TemporaryFilesystem;
+
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
 
-import static jp.vmi.selenium.selenese.command.ArgumentType.*;
-import static jp.vmi.selenium.selenese.result.Success.*;
+import static jp.vmi.selenium.selenese.command.ArgumentType.LOCATOR;
+import static jp.vmi.selenium.selenese.command.ArgumentType.VALUE;
+import static jp.vmi.selenium.selenese.result.Success.SUCCESS;
 
 /**
  * Re-implementation of AttachFile.
@@ -109,4 +108,4 @@ protected Result executeImpl(Context context, String... curArgs) {
         element.sendKeys(outputTo.getAbsolutePath());
         return SUCCESS;
     }
-}
+}

backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy

@@ -31,6 +31,8 @@ import edu.internet2.tier.shibboleth.admin.ui.exception.InitializationException
 import edu.internet2.tier.shibboleth.admin.ui.exception.PersistentEntityNotFound
 import edu.internet2.tier.shibboleth.admin.ui.opensaml.OpenSamlObjects
 import edu.internet2.tier.shibboleth.admin.ui.repository.MetadataResolverRepository
+import edu.internet2.tier.shibboleth.admin.ui.security.permission.IShibUiPermissionEvaluator
+import edu.internet2.tier.shibboleth.admin.ui.security.permission.PermissionType
 import edu.internet2.tier.shibboleth.admin.ui.security.service.UserService
 import edu.internet2.tier.shibboleth.admin.util.OpenSamlChainingMetadataResolverUtil
 import groovy.util.logging.Slf4j
@@ -79,6 +81,9 @@ class JPAMetadataResolverServiceImpl implements MetadataResolverService {
     @Autowired
     private ShibUIConfiguration shibUIConfiguration
 
+    @Autowired
+    private IShibUiPermissionEvaluator shibUiService;
+
     @Autowired
     private UserService userService
 
@@ -733,11 +738,13 @@ class JPAMetadataResolverServiceImpl implements MetadataResolverService {
         }
     }
 
-    public edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolver updateMetadataResolverEnabledStatus(edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolver updatedResolver) throws ForbiddenException, MetadataFileNotFoundException, InitializationException {
-        if (!userService.currentUserCanEnable(updatedResolver)) {
-            throw new ForbiddenException("You do not have the permissions necessary to change the enable status of this filter.")
+    public edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolver updateMetadataResolverEnabledStatus(String resourceId, boolean status) throws ForbiddenException, MetadataFileNotFoundException, InitializationException {
+        edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolver updatedResolver = findByResourceId(resourceId);
+        if (!shibUiService.hasPermission(userService.getCurrentUserAuthentication(), updatedResolver, PermissionType.enable)) {
+            throw new ForbiddenException("You do not have the permissions necessary to change the enable status of this resolver.")
         }
 
+        updatedResolver.setEnabled(status);
         edu.internet2.tier.shibboleth.admin.ui.domain.resolvers.MetadataResolver persistedResolver = metadataResolverRepository.save(updatedResolver)
 
         if (persistedResolver.getDoInitialization()) {

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/CoreShibUiConfiguration.java

@@ -10,6 +10,8 @@
 import edu.internet2.tier.shibboleth.admin.ui.scheduled.MetadataProvidersScheduledTasks;
 import edu.internet2.tier.shibboleth.admin.ui.security.model.listener.GroupUpdatedEntityListener;
 import edu.internet2.tier.shibboleth.admin.ui.security.model.listener.UserUpdatedEntityListener;
+import edu.internet2.tier.shibboleth.admin.ui.security.permission.IShibUiPermissionEvaluator;
+import edu.internet2.tier.shibboleth.admin.ui.security.permission.ShibUiPermissionDelegate;
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.GroupsRepository;
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.OwnershipRepository;
 import edu.internet2.tier.shibboleth.admin.ui.security.repository.RoleRepository;
@@ -230,4 +232,10 @@ public UserUpdatedEntityListener userUpdatedEntityListener(OwnershipRepository r
         listener.init(repo, groupRepo);
         return listener;
     }
+
+    @Bean
+    public IShibUiPermissionEvaluator shibUiPermissionEvaluator(EntityDescriptorRepository entityDescriptorRepository, UserService userService) {
+        // TODO: @jj define type to return for Grouper integration
+        return new ShibUiPermissionDelegate(entityDescriptorRepository, userService);
+    }
 }

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/ActivateController.java

@@ -56,10 +56,7 @@ public ResponseEntity<?> enableFilter(@PathVariable String metadataResolverId, @
     @Transactional
     public ResponseEntity<?> enableProvider(@PathVariable String resourceId, @PathVariable String mode) throws PersistentEntityNotFound, ForbiddenException, MetadataFileNotFoundException, InitializationException {
         boolean status = "enable".equalsIgnoreCase(mode);
-        MetadataResolver existingResolver = metadataResolverService.findByResourceId(resourceId);
-        existingResolver.setEnabled(status);
-        existingResolver = metadataResolverService.updateMetadataResolverEnabledStatus(existingResolver);
-
-        return ResponseEntity.ok(existingResolver);
+        MetadataResolver metadataResolver = metadataResolverService.updateMetadataResolverEnabledStatus(resourceId, status);
+        return ResponseEntity.ok(metadataResolver);
     }
 }

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/controller/EntityDescriptorController.java

@@ -99,11 +99,14 @@ public ResponseEntity<?> getAllVersions(@PathVariable String resourceId) throws
         return ResponseEntity.ok(versionService.findVersionsForEntityDescriptor(ed.getResourceId()));
     }
 
+    /**
+     * @throws ForbiddenException This call is used for the admin needs action list, therefore the user must be an admin
+     */
     @Secured("ROLE_ADMIN")
     @Transactional
-    @GetMapping(value = "/EntityDescriptor/disabledNonAdmin")
-    public ResponseEntity<?> getDisabledAndNotOwnedByAdmin() throws ForbiddenException {
-        return ResponseEntity.ok(entityDescriptorService.getAllDisabledAndNotOwnedByAdmin());
+    @GetMapping(value = "/EntityDescriptor/disabledSources")
+    public ResponseEntity<?> getDisabledMetadataSources() throws ForbiddenException {
+        return ResponseEntity.ok(entityDescriptorService.getDisabledMetadataSources());
     }
 
     @GetMapping("/EntityDescriptor/{resourceId}")
@@ -121,8 +124,7 @@ public ResponseEntity<?> getOneXml(@PathVariable String resourceId) throws Marsh
     }
 
     @GetMapping("/EntityDescriptor/{resourceId}/Versions/{versionId}")
-    public ResponseEntity<?> getSpecificVersion(@PathVariable String resourceId, @PathVariable String versionId) throws
-                    PersistentEntityNotFound, ForbiddenException {
+    public ResponseEntity<?> getSpecificVersion(@PathVariable String resourceId, @PathVariable String versionId) throws PersistentEntityNotFound, ForbiddenException {
         // this "get by resource id" verifies that both the ED exists and the user has proper access, so needs to remain
         EntityDescriptor ed = entityDescriptorService.getEntityDescriptorByResourceId(resourceId);
         EntityDescriptorRepresentation result = versionService.findSpecificVersionOfEntityDescriptor(ed.getResourceId(), versionId);

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/EntityDescriptor.java

@@ -37,7 +37,7 @@
 @Entity
 @EqualsAndHashCode(callSuper = true)
 @Audited
-public class EntityDescriptor extends AbstractDescriptor implements org.opensaml.saml.saml2.metadata.EntityDescriptor, Ownable, IActivatable {
+public class EntityDescriptor extends AbstractDescriptor implements org.opensaml.saml.saml2.metadata.EntityDescriptor, Ownable, IActivatable, IApprovable {
     @OneToMany(cascade = CascadeType.ALL)
     @JoinColumn(name = "entitydesc_addlmetdatlocations_id")
     @OrderColumn

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/domain/IApprovable.java

@@ -0,0 +1,5 @@
+package edu.internet2.tier.shibboleth.admin.ui.domain;
+
+public interface IApprovable {
+    String getIdOfOwner();
+}

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorProjection.java

@@ -2,6 +2,7 @@
 
 import edu.internet2.tier.shibboleth.admin.ui.domain.EntityDescriptorProtocol;
 import lombok.Getter;
+import org.hibernate.criterion.Projection;
 
 import java.time.LocalDateTime;
 
@@ -53,4 +54,4 @@ public String getEntityId() {
     public EntityDescriptorProtocol getProtocol() {
         return protocol == null ? EntityDescriptorProtocol.SAML : protocol;
     }
-}
+}

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/repository/EntityDescriptorRepository.java

@@ -1,7 +1,6 @@
 package edu.internet2.tier.shibboleth.admin.ui.repository;
 
 import edu.internet2.tier.shibboleth.admin.ui.domain.EntityDescriptor;
-import edu.internet2.tier.shibboleth.admin.ui.security.model.Group;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.Query;
 import org.springframework.data.repository.query.Param;

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/Approvers.java

@@ -8,12 +8,9 @@
 import javax.persistence.Entity;
 import javax.persistence.Id;
 import javax.persistence.ManyToMany;
-import javax.persistence.OneToMany;
 import javax.persistence.Transient;
 import java.util.ArrayList;
-import java.util.HashSet;
 import java.util.List;
-import java.util.Set;
 import java.util.UUID;
 
 @Data

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/model/Group.java

@@ -57,7 +57,7 @@ public class Group implements Owner {
     @Column(name = "validation_regex")
     private String validationRegex;
 
-    @OneToMany(fetch = FetchType.LAZY)
+    @OneToMany(fetch = FetchType.EAGER)
     private List<Approvers> approversList = new ArrayList<>();
 
     /**