From ff8e064b7741560714f98efb6c0b2cf098f57bea Mon Sep 17 00:00:00 2001
From: Jj!
Date: Wed, 20 Feb 2019 14:13:53 -0600
Subject: [PATCH] [NOISSUE] move no role filter update for testing
---
 .../admin/ui/configuration/DevConfig.groovy | 4 +-
 .../ui/configuration/EmailConfiguration.java | 21 +++++---
 .../configuration/auto/WebSecurityConfig.java | 12 ++++-
 .../ui/security/filter/NoneRoleFilter.java | 51 +++++++++++++++++++
 .../src/main/resources/application.properties | 12 ++---
 .../UsersControllerIntegrationTests.groovy | 11 +++-
 6 files changed, 93 insertions(+), 18 deletions(-)
 create mode 100644 backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/filter/NoneRoleFilter.java
diff --git a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/DevConfig.groovy b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/DevConfig.groovy
index 95129b55e..92a7ce6b9 100644
--- a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/DevConfig.groovy
+++ b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/configuration/DevConfig.groovy
@@ -68,8 +68,8 @@ class DevConfig {
 roles.add(roleRepository.findByName('ROLE_ADMIN').get())
 it
 }, new User().with {
- username = 'nonadmin'
- password = '{noop}nonadminpass'
+ username = 'user'
+ password = '{noop}userpass'
 firstName = 'Peter'
 lastName = 'Vandelay'
 emailAddress = 'peter@institution.edu'
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/EmailConfiguration.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/EmailConfiguration.java
index aa11a2076..6198f951a 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/EmailConfiguration.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/EmailConfiguration.java
@@ -17,6 +17,7 @@ import org.thymeleaf.templateresolver.ITemplateResolver;
 import java.util.Collections;
+import java.util.Optional;
 /**
 * @author Bill Smith (wsmith@unicon.net)
@@ -42,7 +43,7 @@ public class EmailConfiguration {
 @Setter
 private String systemEmailAddress = "doNotReply@shibui.org";
- @Autowired
+ @Autowired(required = false)
 private JavaMailSender javaMailSender;
 @Autowired
@@ -96,12 +97,16 @@ private ITemplateResolver htmlTemplateResolver() {
 }
 @Bean
- public EmailService emailService() {
- return new EmailServiceImpl(javaMailSender,
- emailMessageSource(),
- textEmailTemplateEngine(),
- htmlEmailTemplateEngine(),
- systemEmailAddress,
- userRepository);
+ public Optional emailService() {
+ if (this.javaMailSender != null) {
+ return Optional.of(new EmailServiceImpl(javaMailSender,
+ emailMessageSource(),
+ textEmailTemplateEngine(),
+ htmlEmailTemplateEngine(),
+ systemEmailAddress,
+ userRepository));
+ } else {
+ return Optional.empty();
+ }
 }
 }
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java
index 1dcdc6ce7..e330e0c05 100644
--- a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/configuration/auto/WebSecurityConfig.java
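Review bot: In the @@ -96 hunk, `emailService()` now returns `Optional` from a `@Bean` method, which registers a bean of type `Optional` instead of `EmailService`, so any existing `@Autowired EmailService` injection point elsewhere in the project will fail to resolve at startup, and Spring already lets consumers declare `Optional<EmailService>` (or `ObjectProvider<EmailService>`) when no such bean exists. The cleaner form is to keep `public EmailService emailService()` and make the bean conditional, e.g. `@Bean @ConditionalOnProperty("spring.mail.host") public EmailService emailService()` (this patch commenting out `spring.mail.host` is what leaves `javaMailSender` null in the first place). The type argument also appears to have been lost in this rendering (`public Optional emailService()`); if the file really declares a raw `Optional`, it should be `Optional<EmailService>`. Whichever form stays, the `Optional.empty()` branch is silent, so a startup log line stating that email delivery is disabled because no `JavaMailSender` is configured would help operators diagnose missing notifications.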
@@ -12,17 +12,24 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
 import org.springframework.data.domain.AuditorAware;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.access.AccessDeniedHandler;
 import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
 import org.springframework.security.web.firewall.HttpFirewall;
 import org.springframework.security.web.firewall.StrictHttpFirewall;
 import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
 /**
 * Web security configuration.
 *

@@ -60,7 +67,10 @@ protected void configure(HttpSecurity http) throws Exception {
 .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
 .and()
 .authorizeRequests()
- .anyRequest().authenticated()
+ .antMatchers("/unsecured/**/*").permitAll()
+ .anyRequest().hasAnyRole("USER", "ADMIN")
+ .and()
+ .exceptionHandling().accessDeniedHandler((request, response, accessDeniedException) -> response.sendRedirect("/unsecured/error.html"))
 .and()
 .formLogin().and()
 .httpBasic().and()
diff --git a/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/filter/NoneRoleFilter.java b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/filter/NoneRoleFilter.java
new file mode 100644
index 000000000..69b2d1aae
--- /dev/null
+++ b/backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/filter/NoneRoleFilter.java
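Review bot: The `accessDeniedHandler` lambda added in this hunk answers every `AccessDeniedException` with a 302 to `/unsecured/error.html`, and because `.csrf()` is configured on the same chain (first context line) Spring Security's CsrfFilter falls back to this same handler, so both role denials and missing/invalid CSRF tokens on the REST endpoints become an HTML redirect instead of the 403 an API client or the integration tests can assert on. Keep the redirect for browser navigations only, e.g. `.exceptionHandling().defaultAccessDeniedHandlerFor((req, res, e) -> res.sendRedirect("/unsecured/error.html"), new AntPathRequestMatcher("/**/*.html"))` with the default 403 handler for everything else, or at minimum `response.sendError(HttpServletResponse.SC_FORBIDDEN)` for non-HTML requests. The `/unsecured/**/*` permitAll rule is fine for the error page, but it is worth confirming nothing else is served under that prefix since it now bypasses the role check entirely. The `AccessDeniedException`, `AccessDeniedHandler`, `HttpServletRequest`, `HttpServletResponse`, `ServletException` and `IOException` imports added in the @@ -12 hunk are unused by the lambda form and should be dropped or the lambda replaced by a named `AccessDeniedHandler` that uses them. `configure(HttpSecurity)` begins and ends outside the hunk.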
@@ -0,0 +1,51 @@
+package edu.internet2.tier.shibboleth.admin.ui.security.filter;
+
+import edu.internet2.tier.shibboleth.admin.ui.security.model.User;
+import edu.internet2.tier.shibboleth.admin.ui.security.repository.UserRepository;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Optional;
+
+public class NoneRoleFilter implements Filter {
+ private final UserRepository userRepository;
+
+ private static final String ROLE_NONE = "ROLE_HONE";
+
+ public NoneRoleFilter(final UserRepository userRepository) {
+ this.userRepository = userRepository;
+ }
+
+ @Override
+ public void init(FilterConfig filterConfig) throws ServletException {
+
+ }
+
+ @Override
+ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+ final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+ if (authentication != null) {
+ Optional user = userRepository.findByUsername(authentication.getName());
+ if (user.isPresent()) {
+ if (!user.get().getRole().equals(ROLE_NONE)) {
+ chain.doFilter(request, response);
+ return;
+ }
+ }
+ }
+ ((HttpServletResponse)response).sendRedirect("/unsecured/error.html");
+ }
+
+ @Override
+ public void destroy() {
+
+ }
+}
diff --git a/backend/src/main/resources/application.properties b/backend/src/main/resources/application.properties
index 3a18fb01a..69c2ed7fe 100644
--- a/backend/src/main/resources/application.properties
+++ b/backend/src/main/resources/application.properties
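Review bot: `ROLE_NONE` is initialised to `"ROLE_HONE"` (new line 21), which never equals the `"ROLE_NONE"` value the integration-test fixture in this same patch assigns, so the `equals` check in `doFilter` is always false-negative and the filter passes through exactly the role it exists to block; change it to `private static final String ROLE_NONE = "ROLE_NONE";`. The comparison `user.get().getRole().equals(ROLE_NONE)` also throws NullPointerException for a user whose role is unset, which would surface as a 500 rather than the intended redirect; `if (!ROLE_NONE.equals(user.get().getRole())) {` is null-safe and still fails closed. The fall-through `sendRedirect("/unsecured/error.html")` fires for unauthenticated requests and unknown usernames as well, so if this filter is ever mapped to all URLs (it is not registered anywhere in this diff) a request for the error page itself would be redirected back to the error page; the intended filter position and the fact that it fails closed for every case except a known non-NONE user belong in a class Javadoc. The type argument on `Optional user` (new line 36) appears stripped in this rendering; if the file really declares a raw `Optional`, `Optional<User>` is what the `User` import indicates.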
@@ -67,12 +67,12 @@ shibui.nameid-filter-ui-schema-location=classpath:nameid-filter.schema.json
 # shibui.metadataProviders.taskRunRate=30000
 # Email configuration (local mailhog)
-spring.mail.host=mailhog
-spring.mail.port=1025
-spring.mail.username=username
-spring.mail.password=password
-spring.mail.properties.mail.smtp.auth=false
-spring.mail.properties.mail.smtp.starttls.enable=false
+# spring.mail.host=mailhog
+# spring.mail.port=1025
+# spring.mail.username=username
+# spring.mail.password=password
+# spring.mail.properties.mail.smtp.auth=false
+# spring.mail.properties.mail.smtp.starttls.enable=false
 shibui.mail.text-email-template-path-prefix=/mail/text/
 shibui.mail.html.email-template-path-prefix=/mail/html/
diff --git a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersControllerIntegrationTests.groovy b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersControllerIntegrationTests.groovy
index 0e96fc1b7..ec9338d02 100644
--- a/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersControllerIntegrationTests.groovy
+++ b/backend/src/test/groovy/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersControllerIntegrationTests.groovy
@@ -52,10 +52,19 @@ class UsersControllerIntegrationTests extends Specification {
 "firstName" : "Peter",
 "emailAddress" : "peter@institution.edu",
 "role" : "ROLE_USER",
- "username" : "nonadmin",
+ "username" : "user",
 "createdBy" : null,
 "lastName" : "Vandelay"
 },
+ {
+ "modifiedBy" : null,
+ "firstName" : "Bad",
+ "emailAddress" : "badboy@institution.edu",
+ "role" : "ROLE_NONE",
+ "username" : "none",
+ "createdBy" : null,
+ "lastName" : "robot"
+ },
 {
 "modifiedBy" : null,
 "firstName" : "Anon",