From 6b71d7fd7e209c39d5e4a11b41512be286a2acc7 Mon Sep 17 00:00:00 2001 From: Johann Sell Date: Wed, 24 Jan 2018 11:07:15 +0100 Subject: [PATCH 1/9] #180: reactivate code removed for #59 --- app/api/ApiAction.scala | 4 ++-- app/api/ApiRequest.scala | 16 ++++++++-------- app/controllers/OAuth2Controller.scala | 4 ++-- conf/routes | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) diff --git a/app/api/ApiAction.scala b/app/api/ApiAction.scala index c57ad05c..f9de603e 100644 --- a/app/api/ApiAction.scala +++ b/app/api/ApiAction.scala @@ -25,10 +25,10 @@ class ApiAction @Inject()( def invokeBlock[A](request: Request[A], block: (ApiRequest[A]) => Future[Result]) = { implicit val messages : Messages = messagesApi.preferred(request) Try(apiRequestProvider.get[A](request)) match { - case Success(apiRequest) => block(apiRequest)/*apiRequest.getClient.flatMap(_ match { + case Success(apiRequest) => apiRequest.getClient.flatMap(_ match { case Some(oauthClient) => block(apiRequest) case _ => Future.successful(BadRequest(Json.obj("error" -> Messages("rest.api.noValidAPIClient")))) - })*/ + }) case Failure(f) => Future.successful(BadRequest(Json.obj("error" -> Messages("rest.api.noValidAPIRequest", f.getMessage)))) } } diff --git a/app/api/ApiRequest.scala b/app/api/ApiRequest.scala index 7351a985..0a1af189 100644 --- a/app/api/ApiRequest.scala +++ b/app/api/ApiRequest.scala @@ -23,12 +23,12 @@ class ApiRequestProvider @Inject() ( * Created by johann on 21.12.16. */ case class ApiRequest[A](request : Request[A], oauthClientDao : OauthClientDao, userDao: UserDao){ -// val cĺientId = request.queryString("client_id").headOption.getOrElse( -// throw new Exception // Todo: Meaningful Exception -// ) -// val clientSecret = request.queryString("client_secret").headOption.getOrElse( -// throw new Exception // Todo: Meaningful Exception -// ) + val cĺientId = request.queryString("client_id").headOption.getOrElse( + throw new Exception // Todo: Meaningful Exception + ) + val clientSecret = request.queryString("client_secret").headOption.getOrElse( + throw new Exception // Todo: Meaningful Exception + ) val version = request.queryString.getOrElse("version", request.queryString.getOrElse("v", Seq("1.1.0") // change this, if a new version of the webservice was implemented (so it uses the new version by default) @@ -57,6 +57,6 @@ case class ApiRequest[A](request : Request[A], oauthClientDao : OauthClientDao, case _ => None // all other possible contents are unknown to me } -// def getClient : Future[Option[OauthClient]] = -// oauthClientDao.find(cĺientId, clientSecret) + def getClient : Future[Option[OauthClient]] = + oauthClientDao.find(cĺientId, clientSecret) } diff --git a/app/controllers/OAuth2Controller.scala b/app/controllers/OAuth2Controller.scala index 1c460b60..8fd8196e 100644 --- a/app/controllers/OAuth2Controller.scala +++ b/app/controllers/OAuth2Controller.scala @@ -38,8 +38,8 @@ class OAuth2Controller @Inject() ( issueAccessToken(oauthDataHandler) } - def getCode(clientId : String) = SecuredAction.async { implicit request => - oauthClientDao.find(clientId, None, "authorization_code").flatMap(_ match { + def getCode(clientId : String, clientSecret : String) = SecuredAction.async { implicit request => + oauthClientDao.find(clientId, Some(clientSecret), "authorization_code").flatMap(_ match { case Some(client) => oauthCodeDao.save(OauthCode(request.identity, client)).map( code => code.client.redirectUri.map( (uri) => Redirect( uri + code.code)).getOrElse( BadRequest(Messages("oauth2server.clientHasNoRedirectURI")) diff --git a/conf/routes b/conf/routes index 131caf9f..264aba59 100644 --- a/conf/routes +++ b/conf/routes @@ -40,7 +40,7 @@ POST /rest/access controllers.RestApi. # OAuth2 Rest API GET /oauth2/rest/profile controllers.Oauth2RestApi.profile -GET /oauth2/code/get/:clientId controllers.OAuth2Controller.getCode(clientId : String) +GET /oauth2/code/get/:clientId/:clientSecret controllers.OAuth2Controller.getCode(clientId : String, clientSecret : String) # Authentication GET /auth/init controllers.Auth.init From 8631c221f74e95149db30358a02d4f35f63b075e Mon Sep 17 00:00:00 2001 From: Johann Sell Date: Wed, 24 Jan 2018 13:03:46 +0100 Subject: [PATCH 2/9] #180 make security function for OAuth communication configurable (none, secret, sluice) --- app/controllers/OAuth2Controller.scala | 33 ++++++++++++++++++++++---- conf/application.conf | 2 ++ conf/messages | 2 ++ conf/messages.de | 2 ++ conf/routes | 1 + 5 files changed, 36 insertions(+), 4 deletions(-) diff --git a/app/controllers/OAuth2Controller.scala b/app/controllers/OAuth2Controller.scala index 8fd8196e..14a24a29 100644 --- a/app/controllers/OAuth2Controller.scala +++ b/app/controllers/OAuth2Controller.scala @@ -30,6 +30,7 @@ class OAuth2Controller @Inject() ( oauthClientDao: OauthClientDao, oauthDataHandler: OAuthDataHandler, val messagesApi: MessagesApi, + configuration: Configuration, val env:Environment[User,CookieAuthenticator] ) extends Silhouette[User,CookieAuthenticator] with OAuth2Provider { override val tokenEndpoint = new DropsTokenEndpoint() @@ -38,14 +39,38 @@ class OAuth2Controller @Inject() ( issueAccessToken(oauthDataHandler) } - def getCode(clientId : String, clientSecret : String) = SecuredAction.async { implicit request => - oauthClientDao.find(clientId, Some(clientSecret), "authorization_code").flatMap(_ match { + /** + * If a valid client was submitted, a new OAuth code will be generated and send to the clients redirect URI. + * + * Different possibilities to secure webservice communication are supported. First, you can use no security ('none'). + * Secondly, you can use a secret ('secret') and last the microservices can be identified using Sluice. Method in use + * will be defined in your application.conf + * + * @author Johann Sell + * @param clientId identifies the client + * @param clientSecret secures the communication, if this method is configured. + * @return + */ + def getCode(clientId : String, clientSecret : String) = SecuredAction.async { implicit request => { + + def bodyWithSecret(secret : Option[String]) = oauthClientDao.find(clientId, secret, "authorization_code").flatMap(_ match { case Some(client) => oauthCodeDao.save(OauthCode(request.identity, client)).map( - code => code.client.redirectUri.map( (uri) => Redirect( uri + code.code)).getOrElse( + code => code.client.redirectUri.map((uri) => Redirect(uri + code.code)).getOrElse( BadRequest(Messages("oauth2server.clientHasNoRedirectURI")) ) ) case _ => Future.successful(BadRequest(Messages("oauth2server.clientId.notFound"))) }) - } + + configuration.getString("drops.ws.security").getOrElse("secret") match { + case "none" => bodyWithSecret(None) + case "secret" if clientSecret != "" => bodyWithSecret(Some(clientSecret)) + case "sluice" => { + // TODO: Implement integration for using sluice in intra-microservice communication + Future.successful(BadRequest(Messages("oauth2server.security.method.notImplemented", "sluice"))) + } + case _ => Future.successful(BadRequest(Messages("oauth2server.clientSecret.missing"))) + } + + }} } diff --git a/conf/application.conf b/conf/application.conf index d1401004..b8d33a45 100644 --- a/conf/application.conf +++ b/conf/application.conf @@ -49,6 +49,8 @@ play.mailer { # connectiontimeout (defaults to 60s in milliseconds) } +drops.ws.security="secret" // other options: "sluice" or "none" + include "silhouette.conf" include "admin.conf" include "crews.conf" diff --git a/conf/messages b/conf/messages index 78cfdb9d..99a4807f 100644 --- a/conf/messages +++ b/conf/messages @@ -141,7 +141,9 @@ crew.update.noProfileForLogin=Internal Server Error: Found no profile for the cu crew.select.one=Please, select a crew oauth2server.clientId.notFound=No client application is registered with the given client ID. +oauth2server.clientSecret.missing=No client secret is given. oauth2server.clientId.missing=No client ID is given. +oauth2server.security.method.notImplemented=Configured security method ''{0}'' is not implemented yet. Please change ''drops.ws.security'' in your application.conf. oauth2.register.title=Register Oauth2 Client oauth2.register.legend=Register Oauth2 Client diff --git a/conf/messages.de b/conf/messages.de index 8e6740f6..35b29a58 100644 --- a/conf/messages.de +++ b/conf/messages.de @@ -141,7 +141,9 @@ crew.update.noProfileForLogin=Ooohh!! Kein Tropfenprofil für den eingeloggten N crew.select.one=Bitte wähle deine Crew aus oauth2server.clientId.notFound=Keinen OAuth 2 Client gefunden, der zu der angegebenen ID passt. +oauth2server.clientSecret.missing=Kein OAuth 2 Client Secret angegeben! oauth2server.clientId.missing=Keine OAuth 2 Client ID angegeben! +oauth2server.security.method.notImplemented=Konfigurierte Methode zur Absicherung der Webservices ''{0}'' ist bisher nicht implementiert. Bitte ändere den Wert der Variablen ''drops.ws.security'' in deiner application.conf. oauth2.register.title=Registriere Oauth2 Client oauth2.register.legend=Registriere Oauth2 Client diff --git a/conf/routes b/conf/routes index 264aba59..78853de5 100644 --- a/conf/routes +++ b/conf/routes @@ -40,6 +40,7 @@ POST /rest/access controllers.RestApi. # OAuth2 Rest API GET /oauth2/rest/profile controllers.Oauth2RestApi.profile +GET /oauth2/code/get/:clientId controllers.OAuth2Controller.getCode(clientId : String, clientSecret = "") GET /oauth2/code/get/:clientId/:clientSecret controllers.OAuth2Controller.getCode(clientId : String, clientSecret : String) # Authentication From c89cbcb1ff3f18dae300979d0780259aa0dee44b Mon Sep 17 00:00:00 2001 From: Johann Sell Date: Wed, 24 Jan 2018 13:38:34 +0100 Subject: [PATCH 3/9] #180 make security function for RESTful WS configurable (none, secret, sluice) --- app/api/ApiAction.scala | 4 ++-- app/api/ApiRequest.scala | 31 ++++++++++++++++++++++++------- conf/messages | 3 +++ conf/messages.de | 5 ++++- 4 files changed, 33 insertions(+), 10 deletions(-) diff --git a/app/api/ApiAction.scala b/app/api/ApiAction.scala index f9de603e..f374e7f6 100644 --- a/app/api/ApiAction.scala +++ b/app/api/ApiAction.scala @@ -26,8 +26,8 @@ class ApiAction @Inject()( implicit val messages : Messages = messagesApi.preferred(request) Try(apiRequestProvider.get[A](request)) match { case Success(apiRequest) => apiRequest.getClient.flatMap(_ match { - case Some(oauthClient) => block(apiRequest) - case _ => Future.successful(BadRequest(Json.obj("error" -> Messages("rest.api.noValidAPIClient")))) + case Left(oauthClient) => block(apiRequest) + case Right(e) => Future.successful(BadRequest(Json.obj("error" -> Messages(e.getMessage)))) }) case Failure(f) => Future.successful(BadRequest(Json.obj("error" -> Messages("rest.api.noValidAPIRequest", f.getMessage)))) } diff --git a/app/api/ApiRequest.scala b/app/api/ApiRequest.scala index 0a1af189..bf4540c2 100644 --- a/app/api/ApiRequest.scala +++ b/app/api/ApiRequest.scala @@ -5,30 +5,31 @@ import javax.inject.Inject import api.query._ import daos.{OauthClientDao, UserDao} import models.OauthClient +import play.api.Configuration import play.api.libs.json._ import play.api.mvc.Request import play.api.mvc.AnyContent +import scala.concurrent.ExecutionContext.Implicits.global import scala.concurrent.Future import scala.util.{Failure, Success, Try} class ApiRequestProvider @Inject() ( + configuration: Configuration, oauthClientDao : OauthClientDao, userDao: UserDao ) { - def get[A](request: Request[A]) = ApiRequest[A](request, oauthClientDao, userDao) + def get[A](request: Request[A]) = ApiRequest[A](request, oauthClientDao, userDao, configuration) } /** * Created by johann on 21.12.16. */ -case class ApiRequest[A](request : Request[A], oauthClientDao : OauthClientDao, userDao: UserDao){ +case class ApiRequest[A](request : Request[A], oauthClientDao : OauthClientDao, userDao: UserDao, config: Configuration){ val cĺientId = request.queryString("client_id").headOption.getOrElse( throw new Exception // Todo: Meaningful Exception ) - val clientSecret = request.queryString("client_secret").headOption.getOrElse( - throw new Exception // Todo: Meaningful Exception - ) + val clientSecret = request.queryString("client_secret").headOption val version = request.queryString.getOrElse("version", request.queryString.getOrElse("v", Seq("1.1.0") // change this, if a new version of the webservice was implemented (so it uses the new version by default) @@ -57,6 +58,22 @@ case class ApiRequest[A](request : Request[A], oauthClientDao : OauthClientDao, case _ => None // all other possible contents are unknown to me } - def getClient : Future[Option[OauthClient]] = - oauthClientDao.find(cĺientId, clientSecret) + def getClient : Future[Either[OauthClient, Exception]] = + config.getString("drops.ws.security").getOrElse("none") match { + case "none" => oauthClientDao.find(cĺientId).map(_ match { + case Some(client) => Left(client) + case _ => Right(new Exception("rest.api.givenClientNotFound")) + }) + case "secret" => clientSecret match { + case Some(secret) => oauthClientDao.find(cĺientId, secret).map(_ match { + case Some(client) => Left(client) + case _ => Right(new Exception("rest.api.givenClientNotFound")) + }) + case _ => Future.successful(Right(new Exception("rest.api.noClientSecretGiven"))) + } + case "sluice" => { + // Todo: Implement integration for using sluice in intra-microservice communication + Future.successful(Right(new Exception("rest.api.securityMethodNotImplemented"))) + } + } } diff --git a/conf/messages b/conf/messages index 99a4807f..5687a49c 100644 --- a/conf/messages +++ b/conf/messages @@ -177,6 +177,9 @@ rest.api.syntaxError=The query has an syntax error rest.api.syntaxGrammar=The query has an grammar error rest.api.missingFilterValue=There is no filter value for one or more query parts rest.api.queryFunctionsNotImplementedYet=One or more query functions are not implemented yet +rest.api.givenClientNotFound=Found no valid client for the given ID. +rest.api.noClientSecretGiven=Security method ''secret'' is currently configured, but no client secret was given. +rest.api.securityMethodNotImplemented=The currently configured security method is not implemented yet, please change ''drops.ws.security'' in your application.conf pool1.error.config.noURI=No Pool 1 system configured (missing URL) pool1.debug.not.activated=Export not activated in configuration! Set `pool1.export=true` in your applications conf file. diff --git a/conf/messages.de b/conf/messages.de index 35b29a58..ea8eead8 100644 --- a/conf/messages.de +++ b/conf/messages.de @@ -175,4 +175,7 @@ rest.api.noValidAPIClient=Das ist kein valider API Client rest.api.syntaxError=Die Anfrage hat einen syntaktischen Fehler rest.api.syntaxGrammar=Die Anfrage hat einen grammatikalischen Fehler rest.api.missingFilterValue=Für Teile der Filteranfrage ist kein Wert gesetzt -rest.api.queryFunctionsNotImplementedYet=Mindestens eine Funktion in der Anfrage ist noch nicht implementiert. \ No newline at end of file +rest.api.queryFunctionsNotImplementedYet=Mindestens eine Funktion in der Anfrage ist noch nicht implementiert. +rest.api.givenClientNotFound=Es konnte der angebenen ID kein valider Client zugeordnet werden. +rest.api.noClientSecretGiven=Methode zur Absicherung der Webservices ist momentan ''secret'', aber es wurde kein Client Secret angegeben. +rest.api.securityMethodNotImplemented=Konfigurierte Methode zur Absicherung der Webservices ist derzeit nicht implementiert, bitte ändere ''drops.ws.security'' in deiner application.conf \ No newline at end of file From 71a0116a420cdaac7c53350eeac8fd15e256f5ac Mon Sep 17 00:00:00 2001 From: Johann Sell Date: Wed, 24 Jan 2018 13:45:24 +0100 Subject: [PATCH 4/9] update version number #180 --- build.sbt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.sbt b/build.sbt index f16f186b..f59dc994 100644 --- a/build.sbt +++ b/build.sbt @@ -2,7 +2,7 @@ import com.typesafe.sbt.packager.docker.Cmd name := """Drops""" -version := "0.20.14" +version := "0.21.14" lazy val root = (project in file(".")).enablePlugins(PlayScala).enablePlugins(DockerPlugin) From a629ac6ae90688d5d93c26a16e5c050cb75b0f36 Mon Sep 17 00:00:00 2001 From: Johann Sell Date: Wed, 24 Jan 2018 13:46:29 +0100 Subject: [PATCH 5/9] update version number and changelog #180 --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index bb598916..e134becb 100644 --- a/README.md +++ b/README.md @@ -359,7 +359,8 @@ and your service. ChangeLog ========= -## Version 0.20.14 (2018-01-09) +## Version 0.21.14 (2018-01-24) +* [[F] #180 - Allow webservice secrets](https://github.com/Viva-con-Agua/drops/issues/180) * [[F] #106 - Send new registered user to Pool 1](https://github.com/Viva-con-Agua/drops/issues/106) ## Version 0.19.14 (2017-12-14) From 1e973328908004742e6d1ca1f14395d7521f6ba6 Mon Sep 17 00:00:00 2001 From: Johann Sell Date: Wed, 24 Jan 2018 15:37:08 +0100 Subject: [PATCH 6/9] #183: add new authorization restriction to handle Pool 1 connection --- app/controllers/Application.scala | 4 +-- app/controllers/Roles.scala | 4 +-- .../authorization/CombinableRestriction.scala | 27 +++++++++++++++++++ .../authorization/Pool1Restriction.scala | 25 +++++++++++++++++ app/utils/{ => authorization}/WithRole.scala | 6 ++--- 5 files changed, 59 insertions(+), 7 deletions(-) create mode 100644 app/utils/authorization/CombinableRestriction.scala create mode 100644 app/utils/authorization/Pool1Restriction.scala rename app/utils/{ => authorization}/WithRole.scala (90%) diff --git a/app/controllers/Application.scala b/app/controllers/Application.scala index 7b193470..33e33513 100644 --- a/app/controllers/Application.scala +++ b/app/controllers/Application.scala @@ -19,7 +19,7 @@ import services.UserService import daos.{CrewDao, OauthClientDao, TaskDao} import play.api.libs.json.{JsPath, JsValue, Json, Reads} import play.api.libs.ws._ -import utils.{WithAlternativeRoles, WithRole} +import utils.authorization.{Pool1Restriction, WithAlternativeRoles, WithRole} import scala.collection.JavaConversions._ import scala.concurrent.ExecutionContext.Implicits.global @@ -40,7 +40,7 @@ class Application @Inject() ( Future.successful(Ok(views.html.index(request.identity, request.authenticator.loginInfo))) } - def profile = SecuredAction.async { implicit request => + def profile = SecuredAction(Pool1Restriction(true)).async { implicit request => crewDao.list.map(l => Ok(views.html.profile(request.identity, request.authenticator.loginInfo, socialProviderRegistry, UserForms.userForm, CrewForms.geoForm, l.toSet, PillarForms.define)) ) diff --git a/app/controllers/Roles.scala b/app/controllers/Roles.scala index 44f981e8..5537ffe1 100644 --- a/app/controllers/Roles.scala +++ b/app/controllers/Roles.scala @@ -13,7 +13,7 @@ import models._ import play.api.data.Form import play.api.data.Forms._ import services.UserService -import utils.WithRole +import utils.authorization.{Pool1Restriction, WithRole} import scala.concurrent.ExecutionContext.Implicits.global /** @@ -24,7 +24,7 @@ class Roles @Inject() ( val messagesApi: MessagesApi, val env:Environment[User,CookieAuthenticator]) extends Silhouette[User,CookieAuthenticator] { - def index = SecuredAction(WithRole(RoleAdmin)).async { request => + def index = SecuredAction(WithRole(RoleAdmin) && Pool1Restriction(true)).async { request => userService.list.map(users => Ok(views.html.roles.index(request.identity, request.authenticator.loginInfo, RolesForms.setUsers(users))(request, messagesApi.preferred(request)))) //RolesForms.setUsers(users) } diff --git a/app/utils/authorization/CombinableRestriction.scala b/app/utils/authorization/CombinableRestriction.scala new file mode 100644 index 00000000..6d0797f6 --- /dev/null +++ b/app/utils/authorization/CombinableRestriction.scala @@ -0,0 +1,27 @@ +package utils.authorization + +import com.mohiva.play.silhouette.api.Authorization +import com.mohiva.play.silhouette.impl.authenticators.CookieAuthenticator +import models.User +import play.api.i18n.Messages +import play.api.mvc.Request +import scala.concurrent.ExecutionContext.Implicits.global + +import scala.concurrent.Future + +case class AuthCombination(one: CombinableRestriction, two: CombinableRestriction) extends Authorization[User,CookieAuthenticator] { + override def isAuthorized[B](identity: User, authenticator: CookieAuthenticator)(implicit request: Request[B], messages: Messages): Future[Boolean] = + one.isAuthorized(identity, authenticator).flatMap( + (first) => two.isAuthorized(identity, authenticator).map( + (second) => first && second + ) + ) +} + +trait CombinableRestriction extends Authorization[User,CookieAuthenticator] { + def isAuthorized[B](identity: User, authenticator: CookieAuthenticator)(implicit request: Request[B], messages: Messages): Future[Boolean] + + def &&(other: CombinableRestriction) : Authorization[User,CookieAuthenticator] = { + AuthCombination(this, other) + } +} diff --git a/app/utils/authorization/Pool1Restriction.scala b/app/utils/authorization/Pool1Restriction.scala new file mode 100644 index 00000000..d8934324 --- /dev/null +++ b/app/utils/authorization/Pool1Restriction.scala @@ -0,0 +1,25 @@ +package utils.authorization + +import com.mohiva.play.silhouette.api.Authorization +import com.mohiva.play.silhouette.impl.authenticators.CookieAuthenticator +import models.{Role, RoleAdmin, User} +import play.api.i18n.Messages +import play.api.mvc.Request + +import scala.concurrent.Future + +/** + * Gets a parameter indicating if an active connection to Pool 1 exists. If the parameter is true (connection exists): + * Only admins have permissions to access the requested resource; all other users are rejected. If it's false, there is + * no need to consider this restriction. + * + * @author Johann Sell + * @param active indicates if a connection does exists + */ +case class Pool1Restriction(active: Boolean) extends Authorization[User,CookieAuthenticator] with CombinableRestriction { + def isAuthorized[B](user: User, authenticator: CookieAuthenticator)(implicit request : Request[B], messages: Messages) = + user.roles match { + case list: Set[Role] => Future.successful(list.contains(RoleAdmin) || !active) + case _ => Future.successful(!active) + } +} diff --git a/app/utils/WithRole.scala b/app/utils/authorization/WithRole.scala similarity index 90% rename from app/utils/WithRole.scala rename to app/utils/authorization/WithRole.scala index c25162cb..42fe08f1 100644 --- a/app/utils/WithRole.scala +++ b/app/utils/authorization/WithRole.scala @@ -1,17 +1,17 @@ -package utils +package utils.authorization import com.mohiva.play.silhouette.api.Authorization import com.mohiva.play.silhouette.impl.authenticators.CookieAuthenticator import models.{Role, User} import play.api.i18n._ -import play.api.mvc.{Request, RequestHeader} +import play.api.mvc.Request import scala.concurrent.Future /** * Check for authorization */ -case class WithRole(role: Role) extends Authorization[User,CookieAuthenticator] { +case class WithRole(role: Role) extends Authorization[User,CookieAuthenticator] with CombinableRestriction { def isAuthorized[B](user: User, authenticator: CookieAuthenticator)(implicit request : Request[B], messages: Messages) = user.roles match { case list: Set[Role] => Future.successful(list.contains(role)) From b5e2968e0e3f85bc816fb0bf998b4783c58c2df4 Mon Sep 17 00:00:00 2001 From: Johann Sell Date: Wed, 24 Jan 2018 15:52:09 +0100 Subject: [PATCH 7/9] #183 done --- app/controllers/Application.scala | 24 ++++++++++--------- app/controllers/Files.scala | 6 ++++- app/controllers/Roles.scala | 7 ++++-- .../authorization/CombinableRestriction.scala | 18 ++++++++++++-- 4 files changed, 39 insertions(+), 16 deletions(-) diff --git a/app/controllers/Application.scala b/app/controllers/Application.scala index 33e33513..13b50df2 100644 --- a/app/controllers/Application.scala +++ b/app/controllers/Application.scala @@ -36,17 +36,19 @@ class Application @Inject() ( configuration: Configuration, socialProviderRegistry: SocialProviderRegistry) extends Silhouette[User,CookieAuthenticator] { - def index = SecuredAction.async { implicit request => + val pool1Export = configuration.getBoolean("pool1.export").getOrElse(false) + + def index = SecuredAction(Pool1Restriction(pool1Export)).async { implicit request => Future.successful(Ok(views.html.index(request.identity, request.authenticator.loginInfo))) } - def profile = SecuredAction(Pool1Restriction(true)).async { implicit request => + def profile = SecuredAction(Pool1Restriction(pool1Export)).async { implicit request => crewDao.list.map(l => Ok(views.html.profile(request.identity, request.authenticator.loginInfo, socialProviderRegistry, UserForms.userForm, CrewForms.geoForm, l.toSet, PillarForms.define)) ) } - def updateBase = SecuredAction.async { implicit request => + def updateBase = SecuredAction(Pool1Restriction(pool1Export)).async { implicit request => UserForms.userForm.bindFromRequest.fold( bogusForm => crewDao.list.map(l => BadRequest(views.html.profile(request.identity, request.authenticator.loginInfo, socialProviderRegistry, bogusForm, CrewForms.geoForm, l.toSet, PillarForms.define))), userData => request.identity.profileFor(request.authenticator.loginInfo) match { @@ -67,7 +69,7 @@ class Application @Inject() ( ) } - def updateCrew = SecuredAction.async { implicit request => + def updateCrew = SecuredAction(Pool1Restriction(pool1Export)).async { implicit request => CrewForms.geoForm.bindFromRequest.fold( bogusForm => crewDao.list.map(l => BadRequest(views.html.profile(request.identity, request.authenticator.loginInfo, socialProviderRegistry, UserForms.userForm, bogusForm, l.toSet, PillarForms.define))), crewData => { @@ -90,7 +92,7 @@ class Application @Inject() ( ) } - def updatePillar = SecuredAction.async { implicit request => + def updatePillar = SecuredAction(Pool1Restriction(pool1Export)).async { implicit request => PillarForms.define.bindFromRequest.fold( bogusForm => crewDao.list.map(l => BadRequest(views.html.profile(request.identity, request.authenticator.loginInfo, socialProviderRegistry, UserForms.userForm, CrewForms.geoForm, l.toSet, bogusForm))), pillarData => request.identity.profileFor(request.authenticator.loginInfo) match { @@ -108,12 +110,12 @@ class Application @Inject() ( ) } - def task = SecuredAction{ implicit request => + def task = SecuredAction(Pool1Restriction(pool1Export)) { implicit request => val resultingTasks: Future[Seq[Task]] = taskDao.all() Ok(views.html task(request.identity, request.authenticator.loginInfo, resultingTasks)) } - def initCrews = Action.async { request => + def initCrews = SecuredAction(WithRole(RoleAdmin) && Pool1Restriction(pool1Export)).async { request => configuration.getConfigList("crews").map(_.toList.map(c => crewDao.find(c.getString("name").get).map(_ match { case Some(crew) => crew @@ -125,7 +127,7 @@ class Application @Inject() ( Future.successful(Redirect("/")) } - def fixCrewsID = SecuredAction.async { request => + def fixCrewsID = SecuredAction(WithRole(RoleAdmin) && Pool1Restriction(pool1Export)).async { request => val crews = crewDao.listOfStubs.flatMap(l => Future.sequence(l.map(oldCrew => crewDao.update(oldCrew.toCrew)))) val users = crews.flatMap(l => userService.listOfStubs.flatMap(ul => Future.sequence(ul.map(user => { val profiles = user.profiles.map(profile => { @@ -141,7 +143,7 @@ class Application @Inject() ( res.map(pair => Ok(Json.arr(Json.toJson(pair._1), Json.toJson(pair._2)))) } - def initUsers(number: Int, specialRoleUsers : Int = 1) = SecuredAction(WithRole(RoleAdmin)).async { request => { + def initUsers(number: Int, specialRoleUsers : Int = 1) = SecuredAction(WithRole(RoleAdmin) && Pool1Restriction(pool1Export)).async { request => { val wsRequest = ws.url("https://randomuser.me/api/") .withHeaders("Accept" -> "application/json") .withRequestTimeout(10000) @@ -173,11 +175,11 @@ class Application @Inject() ( ) }} - def registration = SecuredAction(WithAlternativeRoles(RoleAdmin, RoleEmployee)) { implicit request => + def registration = SecuredAction((WithRole(RoleAdmin) || WithRole(RoleEmployee)) && Pool1Restriction(pool1Export)) { implicit request => Ok(views.html.oauth2.register(request.identity, request.authenticator.loginInfo, socialProviderRegistry, OAuth2ClientForms.register)) } - def registerOAuth2Client = SecuredAction(WithAlternativeRoles(RoleAdmin, RoleEmployee)).async { implicit request => + def registerOAuth2Client = SecuredAction((WithRole(RoleAdmin) || WithRole(RoleEmployee)) && Pool1Restriction(pool1Export)).async { implicit request => OAuth2ClientForms.register.bindFromRequest.fold( bogusForm => Future.successful(BadRequest(views.html.oauth2.register(request.identity, request.authenticator.loginInfo, socialProviderRegistry, bogusForm))), registerData => { diff --git a/app/controllers/Files.scala b/app/controllers/Files.scala index 0e528ee8..d36f5cbf 100644 --- a/app/controllers/Files.scala +++ b/app/controllers/Files.scala @@ -17,6 +17,7 @@ import models._ import play.modules.reactivemongo.json.collection.JSONCollection import services.UserService import reactivemongo.api.gridfs.{DefaultFileToSave, FileToSave, GridFS, ReadFile} +import utils.authorization.Pool1Restriction import scala.collection.JavaConversions._ import scala.concurrent.ExecutionContext.Implicits.global @@ -31,6 +32,9 @@ class Files @Inject() ( configuration: Configuration, val reactiveMongoApi: ReactiveMongoApi ) extends Silhouette[User,CookieAuthenticator] with MongoController with ReactiveMongoComponents { + + val pool1Export = configuration.getBoolean("pool1.export").getOrElse(false) + // gridFSBodyParser from `MongoController` import MongoController.readFileReads @@ -47,7 +51,7 @@ class Files @Inject() ( val files = reactiveMongoApi.db.collection[JSONCollection]("fs.files") - def uploadProfileImage = SecuredAction.async(fsParser) { implicit request => + def uploadProfileImage = SecuredAction(Pool1Restriction(pool1Export)).async(fsParser) { implicit request => val futureFile: Future[ReadFile[JSONSerializationPack.type, JsValue]] = request.body.files.head.ref diff --git a/app/controllers/Roles.scala b/app/controllers/Roles.scala index 5537ffe1..c0f830ef 100644 --- a/app/controllers/Roles.scala +++ b/app/controllers/Roles.scala @@ -22,13 +22,16 @@ import scala.concurrent.ExecutionContext.Implicits.global class Roles @Inject() ( userService: UserService, val messagesApi: MessagesApi, + configuration: Configuration, val env:Environment[User,CookieAuthenticator]) extends Silhouette[User,CookieAuthenticator] { - def index = SecuredAction(WithRole(RoleAdmin) && Pool1Restriction(true)).async { request => + val pool1Export = configuration.getBoolean("pool1.export").getOrElse(false) + + def index = SecuredAction(WithRole(RoleAdmin) && Pool1Restriction(pool1Export)).async { request => userService.list.map(users => Ok(views.html.roles.index(request.identity, request.authenticator.loginInfo, RolesForms.setUsers(users))(request, messagesApi.preferred(request)))) //RolesForms.setUsers(users) } - def update = SecuredAction(WithRole(RoleAdmin)).async { request => + def update = SecuredAction(WithRole(RoleAdmin) && Pool1Restriction(pool1Export)).async { request => RolesForms.set.bindFromRequest()(request).fold( bogusForm => Future.successful(BadRequest( views.html.roles.index(request.identity, request.authenticator.loginInfo, bogusForm)(request, messagesApi.preferred(request)) diff --git a/app/utils/authorization/CombinableRestriction.scala b/app/utils/authorization/CombinableRestriction.scala index 6d0797f6..2b9ebfab 100644 --- a/app/utils/authorization/CombinableRestriction.scala +++ b/app/utils/authorization/CombinableRestriction.scala @@ -9,7 +9,7 @@ import scala.concurrent.ExecutionContext.Implicits.global import scala.concurrent.Future -case class AuthCombination(one: CombinableRestriction, two: CombinableRestriction) extends Authorization[User,CookieAuthenticator] { +case class AuthAndCombination(one: CombinableRestriction, two: CombinableRestriction) extends Authorization[User,CookieAuthenticator] { override def isAuthorized[B](identity: User, authenticator: CookieAuthenticator)(implicit request: Request[B], messages: Messages): Future[Boolean] = one.isAuthorized(identity, authenticator).flatMap( (first) => two.isAuthorized(identity, authenticator).map( @@ -18,10 +18,24 @@ case class AuthCombination(one: CombinableRestriction, two: CombinableRestrictio ) } + +case class AuthOrCombination(one: CombinableRestriction, two: CombinableRestriction) extends Authorization[User,CookieAuthenticator] { + override def isAuthorized[B](identity: User, authenticator: CookieAuthenticator)(implicit request: Request[B], messages: Messages): Future[Boolean] = + one.isAuthorized(identity, authenticator).flatMap( + (first) => two.isAuthorized(identity, authenticator).map( + (second) => first || second + ) + ) +} + trait CombinableRestriction extends Authorization[User,CookieAuthenticator] { def isAuthorized[B](identity: User, authenticator: CookieAuthenticator)(implicit request: Request[B], messages: Messages): Future[Boolean] def &&(other: CombinableRestriction) : Authorization[User,CookieAuthenticator] = { - AuthCombination(this, other) + AuthAndCombination(this, other) + } + + def ||(other: CombinableRestriction) : Authorization[User,CookieAuthenticator] = { + AuthOrCombination(this, other) } } From 373e9e783472d4a8d2cf84b8ef5b9cbae514f328 Mon Sep 17 00:00:00 2001 From: Johann Sell Date: Thu, 25 Jan 2018 08:53:25 +0100 Subject: [PATCH 8/9] Update version number for #183 --- build.sbt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.sbt b/build.sbt index f59dc994..a4754274 100644 --- a/build.sbt +++ b/build.sbt @@ -2,7 +2,7 @@ import com.typesafe.sbt.packager.docker.Cmd name := """Drops""" -version := "0.21.14" +version := "0.21.15" lazy val root = (project in file(".")).enablePlugins(PlayScala).enablePlugins(DockerPlugin) From 041b1c5f884b6ce0f494a7934c00e59e92b81ccb Mon Sep 17 00:00:00 2001 From: Johann Sell Date: Thu, 25 Jan 2018 08:54:26 +0100 Subject: [PATCH 9/9] Update version number #183 --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e134becb..8338967e 100644 --- a/README.md +++ b/README.md @@ -359,7 +359,8 @@ and your service. ChangeLog ========= -## Version 0.21.14 (2018-01-24) +## Version 0.21.15 (2018-01-25) +* [[I] #183 - Accessibility of views bases on Pool 1 connection](https://github.com/Viva-con-Agua/drops/issues/183) * [[F] #180 - Allow webservice secrets](https://github.com/Viva-con-Agua/drops/issues/180) * [[F] #106 - Send new registered user to Pool 1](https://github.com/Viva-con-Agua/drops/issues/106)