AIRAVATA-2316 Adding authz checks to user profile modification methods

Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/ee8d5eed
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/ee8d5eed
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/ee8d5eed

Branch: refs/heads/develop
Commit: ee8d5eede9fafd9353be8f36635449efa391800f
Parents: 08fd8c4
Author: Marcus Christie <[email protected]>
Authored: Tue Feb 28 11:55:41 2017 -0500
Committer: Anuj Bhandar <[email protected]>
Committed: Tue Feb 28 13:07:18 2017 -0500

----------------------------------------------------------------------
 .../server/handler/AiravataServerHandler.java   | 24 ++++++++++++++------
 .../server/UserProfileServiceHandler.java       |  1 +
 2 files changed, 18 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/airavata/blob/ee8d5eed/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
----------------------------------------------------------------------
diff --git 
a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
 
b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
index 8415c21..588a61a 100644
--- 
a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
+++ 
b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
@@ -4773,7 +4773,12 @@ public class AiravataServerHandler implements 
Airavata.Iface {
     public String addUserProfile(AuthzToken authzToken, UserProfile 
userProfile)
             throws InvalidRequestException, AiravataClientException, 
AiravataSystemException, AuthorizationException, TException {
 
-        // TODO: check that username and gatewayId match authzToken
+        // check that username and gatewayId match authzToken
+        String gatewayId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
+        String userId = authzToken.getClaimsMap().get(Constants.USER_NAME);
+        if( !userProfile.getUserId().equals(userId) || 
!userProfile.getGatewayId().equals(gatewayId) ){
+            throw new AuthorizationException("User isn't authorized to add 
user profile for this user and/or gateway");
+        }
         try {
             return getUserProfileServiceClient().addUserProfile(userProfile);
         } catch (Exception e) {
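Review bot: The new comparison in addUserProfile dereferences client-supplied fields, so a profile with no userId or gatewayId set raises a NullPointerException instead of an AuthorizationException. Because the check sits before the `try`, that exception also bypasses the catch below. The same pattern is repeated in updateUserProfile, and deleteUserProfile has the mirror-image problem: it calls `.equals` on the USER_NAME claim, which throws when the claim is absent. I would make the denial explicit and null-safe: `if (userId == null || gatewayId == null || !userId.equals(userProfile.getUserId()) || !gatewayId.equals(userProfile.getGatewayId())) {`. `Objects.equals` on its own is not a safe substitute here, since a missing claim and a missing field would compare equal and pass the check. The three copies would be easier to keep consistent in one private helper; the method body continues outside this hunk.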
@@ -4790,7 +4795,12 @@ public class AiravataServerHandler implements 
Airavata.Iface {
     public boolean updateUserProfile(AuthzToken authzToken, UserProfile 
userProfile)
             throws InvalidRequestException, AiravataClientException, 
AiravataSystemException, AuthorizationException, TException {
 
-        // TODO: check that username and gatewayId match authzToken
+        // check that username and gatewayId match authzToken
+        String gatewayId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
+        String userId = authzToken.getClaimsMap().get(Constants.USER_NAME);
+        if( !userProfile.getUserId().equals(userId) || 
!userProfile.getGatewayId().equals(gatewayId) ){
+            throw new AuthorizationException("User isn't authorized to update 
user profile for this user and/or gateway");
+        }
         try {
             return 
getUserProfileServiceClient().updateUserProfile(userProfile);
         } catch (Exception e) {
@@ -4807,7 +4817,6 @@ public class AiravataServerHandler implements 
Airavata.Iface {
     public UserProfile getUserProfileById(AuthzToken authzToken, String 
userId, String gatewayId)
             throws InvalidRequestException, AiravataClientException, 
AiravataSystemException, AuthorizationException, TException {
 
-        // TODO: check that username and gatewayId match authzToken
         try {
             return getUserProfileServiceClient().getUserProfileById(userId, 
gatewayId);
         } catch (Exception e) {
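Review bot: Removing the TODO from getUserProfileById leaves this read path with no comparison between the token's claims and the requested gatewayId, and nothing in the code now records that the check is still outstanding. The same applies to getAllUserProfilesInGateway, getUserProfileByName and doesUserProfileExist in the later hunks. Whether `@SecurityCheck` already scopes callers to their own gateway is not visible here. If it does not, a token issued for one gateway could presumably read or enumerate profiles of another. If cross-gateway reads are not intended, add a guard such as `if (gatewayId == null || !gatewayId.equals(authzToken.getClaimsMap().get(Constants.GATEWAY_ID)))` that throws AuthorizationException. If they are intended, replace the TODO with a comment saying so, for example `// gateway of the caller is deliberately not checked for reads`.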
@@ -4821,10 +4830,14 @@ public class AiravataServerHandler implements 
Airavata.Iface {
 
     @Override
     @SecurityCheck
+    // FIXME: deleting user profile should require the gatewayId as well!
     public boolean deleteUserProfile(AuthzToken authzToken, String userId)
             throws InvalidRequestException, AiravataClientException, 
AiravataSystemException, AuthorizationException, TException {
 
-        // TODO: check that username match authzToken
+        // check that userId match authzToken
+        if( !authzToken.getClaimsMap().get(Constants.USER_NAME).equals(userId) 
){
+            throw new AuthorizationException("User isn't authorized to delete 
user profile for this user");
+        }
         try {
             return getUserProfileServiceClient().deleteUserProfile(userId);
         } catch (Exception e) {
@@ -4841,7 +4854,6 @@ public class AiravataServerHandler implements 
Airavata.Iface {
     public List<UserProfile> getAllUserProfilesInGateway(AuthzToken 
authzToken, String gatewayId, int offset, int limit)
             throws InvalidRequestException, AiravataClientException, 
AiravataSystemException, AuthorizationException, TException {
 
-        // TODO: check that gatewayId match authzToken
         try {
             return 
getUserProfileServiceClient().getAllUserProfilesInGateway(gatewayId, offset, 
limit);
         } catch (Exception e) {
@@ -4858,7 +4870,6 @@ public class AiravataServerHandler implements 
Airavata.Iface {
     public UserProfile getUserProfileByName(AuthzToken authzToken, String 
userName, String gatewayId)
             throws InvalidRequestException, AiravataClientException, 
AiravataSystemException, AuthorizationException, TException {
 
-        // TODO: check that username and gatewayId match authzToken
         try {
             return 
getUserProfileServiceClient().getUserProfileByName(userName, gatewayId);
         } catch (Exception e) {
@@ -4875,7 +4886,6 @@ public class AiravataServerHandler implements 
Airavata.Iface {
     public boolean doesUserProfileExist(AuthzToken authzToken, String 
userName, String gatewayId)
             throws InvalidRequestException, AiravataClientException, 
AiravataSystemException, AuthorizationException, TException {
 
-        // TODO: verify that authzToken gatewayId matches
         try {
             return getUserProfileServiceClient().doesUserExist(userName, 
gatewayId);
         } catch (Exception e) {

http://git-wip-us.apache.org/repos/asf/airavata/blob/ee8d5eed/modules/user-profile/user-profile-service/src/main/java/org/apache/airavata/user/profile/server/UserProfileServiceHandler.java
----------------------------------------------------------------------
diff --git 
a/modules/user-profile/user-profile-service/src/main/java/org/apache/airavata/user/profile/server/UserProfileServiceHandler.java
 
b/modules/user-profile/user-profile-service/src/main/java/org/apache/airavata/user/profile/server/UserProfileServiceHandler.java
index ddefbc7..598adc0 100644
--- 
a/modules/user-profile/user-profile-service/src/main/java/org/apache/airavata/user/profile/server/UserProfileServiceHandler.java
+++ 
b/modules/user-profile/user-profile-service/src/main/java/org/apache/airavata/user/profile/server/UserProfileServiceHandler.java
@@ -82,6 +82,7 @@ public class UserProfileServiceHandler implements 
UserProfileService.Iface {
         }
     }
 
+    // FIXME: shouldn't deleteUserProfile require the gatewayId as well?
     public boolean deleteUserProfile(String userId) throws 
UserProfileServiceException {
         try{
             boolean deleteResult = userProfileRepository.delete(userId);
