[NOISSUE]

move no role filter
update for testing

backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/DevConfig.groovy

@@ -68,8 +68,8 @@ class DevConfig {
                 roles.add(roleRepository.findByName('ROLE_ADMIN').get())
                 it
             }, new User().with {
-                username = 'nonadmin'
-                password = '{noop}nonadminpass'
+                username = 'user'
+                password = '{noop}userpass'
                 firstName = 'Peter'
                 lastName = 'Vandelay'
                 emailAddress = 'peter@institution.edu'

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/EmailConfiguration.java

@@ -17,6 +17,7 @@
 import org.thymeleaf.templateresolver.ITemplateResolver;
 
 import java.util.Collections;
+import java.util.Optional;
 
 /**
  * @author Bill Smith (wsmith@unicon.net)
@@ -42,7 +43,7 @@ public class EmailConfiguration {
     @Setter
     private String systemEmailAddress = "doNotReply@shibui.org";
 
-    @Autowired
+    @Autowired(required = false)
     private JavaMailSender javaMailSender;
 
     @Autowired
@@ -96,12 +97,16 @@ private ITemplateResolver htmlTemplateResolver() {
     }
 
     @Bean
-    public EmailService emailService() {
-        return new EmailServiceImpl(javaMailSender,
-                emailMessageSource(),
-                textEmailTemplateEngine(),
-                htmlEmailTemplateEngine(),
-                systemEmailAddress,
-                userRepository);
+    public Optional<EmailService> emailService() {
+        if (this.javaMailSender != null) {
+            return Optional.of(new EmailServiceImpl(javaMailSender,
+                    emailMessageSource(),
+                    textEmailTemplateEngine(),
+                    htmlEmailTemplateEngine(),
+                    systemEmailAddress,
+                    userRepository));
+        } else {
+            return Optional.empty();
+        }
     }
 }

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java

@@ -12,17 +12,24 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 import org.springframework.data.domain.AuditorAware;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.firewall.HttpFirewall;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
 
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
 /**
  * Web security configuration.
  * <p>
@@ -60,7 +67,10 @@ protected void configure(HttpSecurity http) throws Exception {
                         .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
                         .and()
                         .authorizeRequests()
-                        .anyRequest().authenticated()
+                        .antMatchers("/unsecured/**/*").permitAll()
+                        .anyRequest().hasAnyRole("USER", "ADMIN")
+                        .and()
+                        .exceptionHandling().accessDeniedHandler((request, response, accessDeniedException) -> response.sendRedirect("/unsecured/error.html"))
                         .and()
                         .formLogin().and()
                         .httpBasic().and()

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/filter/NoneRoleFilter.java

@@ -0,0 +1,51 @@
+package edu.internet2.tier.shibboleth.admin.ui.security.filter;
+
+import edu.internet2.tier.shibboleth.admin.ui.security.model.User;
+import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserRepository;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Optional;
+
+public class NoneRoleFilter implements Filter {
+    private final UserRepository userRepository;
+
+    private static final String ROLE_NONE = "ROLE_HONE";
+
+    public NoneRoleFilter(final UserRepository userRepository) {
+        this.userRepository = userRepository;
+    }
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        if (authentication != null) {
+            Optional<User> user = userRepository.findByUsername(authentication.getName());
+            if (user.isPresent()) {
+                if (!user.get().getRole().equals(ROLE_NONE)) {
+                    chain.doFilter(request, response);
+                    return;
+                }
+            }
+        }
+        ((HttpServletResponse)response).sendRedirect("/unsecured/error.html");
+    }
+
+    @Override
+    public void destroy() {
+
+    }
+}

backend/src/main/resources/application.properties

@@ -67,12 +67,12 @@ shibui.nameid-filter-ui-schema-location=classpath:nameid-filter.schema.json
 # shibui.metadataProviders.taskRunRate=30000
 
 # Email configuration (local mailhog)
-spring.mail.host=mailhog
-spring.mail.port=1025
-spring.mail.username=username
-spring.mail.password=password
-spring.mail.properties.mail.smtp.auth=false
-spring.mail.properties.mail.smtp.starttls.enable=false
+# spring.mail.host=mailhog
+# spring.mail.port=1025
+# spring.mail.username=username
+# spring.mail.password=password
+# spring.mail.properties.mail.smtp.auth=false
+# spring.mail.properties.mail.smtp.starttls.enable=false
 
 shibui.mail.text-email-template-path-prefix=/mail/text/
 shibui.mail.html.email-template-path-prefix=/mail/html/

backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersControllerIntegrationTests.groovy

@@ -52,10 +52,19 @@ class UsersControllerIntegrationTests extends Specification {
     "firstName" : "Peter",
     "emailAddress" : "peter@institution.edu",
     "role" : "ROLE_USER",
-    "username" : "nonadmin",
+    "username" : "user",
     "createdBy" : null,
     "lastName" : "Vandelay"
   },
+  {
+    "modifiedBy" : null,
+    "firstName" : "Bad",
+    "emailAddress" : "badboy@institution.edu",
+    "role" : "ROLE_NONE",
+    "username" : "none",
+    "createdBy" : null,
+    "lastName" : "robot"
+  },
   {
     "modifiedBy" : null,
     "firstName" : "Anon",