This is an automated email from the ASF dual-hosted git repository. martin_s pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/archiva-redback-core.git
commit d9fe4b0b8cad5b320b2bd39ffdea8a185d5f41e3 Author: Martin Stockhammer <[email protected]> AuthorDate: Sat Aug 22 15:08:38 2020 +0200 Changing user REST interface V2 --- .../redback/rest/api/services/v2/UserService.java | 3 +- .../interceptors/BearerAuthInterceptor.java | 2 + .../services/v2/DefaultAuthenticationService.java | 2 - .../rest/services/v2/DefaultUserService.java | 115 ++++++++++----------- 4 files changed, 61 insertions(+), 61 deletions(-) diff --git a/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/v2/UserService.java b/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/v2/UserService.java index f1a9899..bb81317 100644 --- a/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/v2/UserService.java +++ b/redback-integrations/redback-rest/redback-rest-api/src/main/java/org/apache/archiva/redback/rest/api/services/v2/UserService.java @@ -239,12 +239,13 @@ public interface UserService /** * update only the current logged in user and this fields: fullname, email, password. * The service verifies the current logged user with the one passed in the method + * @return */ @Path( "me" ) @PUT @Produces( { MediaType.APPLICATION_JSON } ) @RedbackAuthorization( noPermission = true ) - ActionStatus updateMe( User user ) + User updateMe( User user ) throws RedbackServiceException; @Path( "___ping___" ) diff --git a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/BearerAuthInterceptor.java b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/BearerAuthInterceptor.java index 94cf2c2..c02580e 100644 
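Review bot: The `@return` tag added to the updateMe Javadoc is empty, so the doc comment now says nothing about the return type that this same hunk changes from `ActionStatus` to `User`. I would write `* @return the user as it is after the update has been applied` and, since the change is not backward compatible for callers of the v2 interface, mention in the description that clients must adapt. The `noPermission = true` annotation stays, so this Javadoc is also the right place to state that the service itself verifies the caller is updating only their own account.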
--- a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/BearerAuthInterceptor.java +++ b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/BearerAuthInterceptor.java @@ -220,6 +220,8 @@ public class BearerAuthInterceptor extends AbstractInterceptor // message.put( AuthenticationResult.class, authenticationResult ); requestContext.setProperty( AUTHENTICATION_RESULT, authenticationResult ); requestContext.setProperty( SECURITY_SESSION, securitySession ); + RedbackSecurityContext securityContext = new RedbackSecurityContext(requestContext.getUriInfo(), user, securitySession ); + requestContext.setSecurityContext( securityContext ); return; } catch ( AuthenticationException e ) diff --git a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/v2/DefaultAuthenticationService.java b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/v2/DefaultAuthenticationService.java index 9be5b98..d2d99c5 100644 --- a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/v2/DefaultAuthenticationService.java +++ b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/v2/DefaultAuthenticationService.java @@ -83,8 +83,6 @@ public class DefaultAuthenticationService @Context private SecurityContext securityContext; - private RedbackPrincipal redbackPrincipal; - @Context private ContainerRequestContext requestContext; 
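Review bot: The two added lines in BearerAuthInterceptor install a RedbackSecurityContext on the success path without a comment explaining why, although DefaultUserService.getPrincipal() in this same commit depends on `securityContext.getUserPrincipal()` yielding a RedbackPrincipal. I would add `// expose the authenticated user as the JAX-RS principal; services resolve it via SecurityContext.getUserPrincipal()` above the constructor call. The enclosing method starts and ends outside the hunk, so whether `user` can be null at this point is not visible here and should be confirmed.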
diff --git a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/v2/DefaultUserService.java b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/v2/DefaultUserService.java index 9f29c04..5462b1b 100644 --- a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/v2/DefaultUserService.java +++ b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/v2/DefaultUserService.java @@ -47,7 +47,6 @@ import org.apache.archiva.redback.rest.api.model.ActionStatus; import org.apache.archiva.redback.rest.api.model.v2.AvailabilityStatus; import org.apache.archiva.redback.rest.api.model.ErrorMessage; import org.apache.archiva.redback.rest.api.model.Operation; -import org.apache.archiva.redback.rest.api.model.v2.PasswordStatus; import org.apache.archiva.redback.rest.api.model.Permission; import org.apache.archiva.redback.rest.api.model.v2.RegistrationKey; import org.apache.archiva.redback.rest.api.model.ResetPasswordRequest; @@ -61,6 +60,7 @@ import org.apache.archiva.redback.rest.api.services.RedbackServiceException; import org.apache.archiva.redback.rest.api.services.v2.UserService; import org.apache.archiva.redback.rest.services.RedbackAuthenticationThreadLocal; import org.apache.archiva.redback.rest.services.RedbackRequestInformation; +import org.apache.archiva.redback.rest.services.interceptors.RedbackPrincipal; import org.apache.archiva.redback.rest.services.utils.PasswordValidator; import org.apache.archiva.redback.role.RoleManager; import org.apache.archiva.redback.role.RoleManagerException; 
@@ -82,7 +82,9 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.ws.rs.core.Context; import javax.ws.rs.core.Response; +import javax.ws.rs.core.SecurityContext; import javax.ws.rs.core.UriInfo; +import java.security.Principal; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; @@ -160,6 +162,9 @@ public class DefaultUserService @Context private UriInfo uriInfo; + @Context + private SecurityContext securityContext; + @Inject public DefaultUserService( @Named( value = "userManager#default" ) UserManager userManager, SecuritySystem securitySystem ) @@ -168,6 +173,15 @@ public class DefaultUserService this.securitySystem = securitySystem; } + RedbackPrincipal getPrincipal() { + if (this.securityContext!=null) { + Principal pri = this.securityContext.getUserPrincipal( ); + if (pri!=null && pri instanceof RedbackPrincipal) { + return (RedbackPrincipal) pri; + } + } + return null; + } @Override public User createUser( User user ) 
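Review bot: In getPrincipal the `pri != null &&` test in front of `pri instanceof RedbackPrincipal` is redundant, since `instanceof` already yields false for null, and the new package-private helper carries no Javadoc. I would reduce the condition to `if ( pri instanceof RedbackPrincipal ) { return (RedbackPrincipal) pri; }` and document it with `/** Returns the RedbackPrincipal from the injected JAX-RS SecurityContext, or null when the context is absent or carries a different principal type. */`. The spacing (`if (this.securityContext!=null)`) also departs from the `( ... )` style used throughout the rest of the file.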
@@ -345,74 +359,57 @@ public class DefaultUserService } @Override - public ActionStatus updateMe( User user ) + public User updateMe( User user ) throws RedbackServiceException { // check username == one in the session - RedbackRequestInformation redbackRequestInformation = RedbackAuthenticationThreadLocal.get(); - if ( redbackRequestInformation == null || redbackRequestInformation.getUser() == null ) - { - log.warn( "RedbackRequestInformation from ThreadLocal is null" ); - throw new RedbackServiceException( new ErrorMessage( "you must be logged to update your profile" ), - Response.Status.FORBIDDEN.getStatusCode() ); - } - if ( user == null ) - { - throw new RedbackServiceException( new ErrorMessage( "user parameter is mandatory" ), - Response.Status.BAD_REQUEST.getStatusCode() ); - } - if ( !StringUtils.equals( redbackRequestInformation.getUser().getUsername(), user.getUserId() ) ) - { - throw new RedbackServiceException( new ErrorMessage( "you can update only your profile" ), - Response.Status.FORBIDDEN.getStatusCode() ); - } - if ( StringUtils.isEmpty( user.getPreviousPassword() ) ) - { - throw new RedbackServiceException( new ErrorMessage( "previous password is empty" ), - Response.Status.BAD_REQUEST.getStatusCode() ); + RedbackPrincipal principal = getPrincipal( ); + if (principal==null) { + throw new RedbackServiceException( ErrorMessage.of( ERR_AUTH_UNAUTHORIZED_REQUEST ), 403 ); } - User realUser = getUser( user.getUserId() ); - try - { - String previousEncodedPassword = - securitySystem.getUserManager().findUser( user.getUserId(), false ).getEncodedPassword(); + // check oldPassword with the current one + // only 3 fields to update + // ui can limit to not update password + org.apache.archiva.redback.users.User foundUser = updateUser( user.getUserId( ), realUser -> { + try + { + String previousEncodedPassword = + securitySystem.getUserManager( ).findUser( user.getUserId( ), false ).getEncodedPassword( ); - // check oldPassword with the current one + // 
check oldPassword with the current one - PasswordEncoder encoder = securitySystem.getPolicy().getPasswordEncoder(); + PasswordEncoder encoder = securitySystem.getPolicy( ).getPasswordEncoder( ); - if ( !encoder.isPasswordValid( previousEncodedPassword, user.getPreviousPassword() ) ) - { + if ( !encoder.isPasswordValid( previousEncodedPassword, user.getPreviousPassword( ) ) ) + { - throw new RedbackServiceException( new ErrorMessage( "password.provided.does.not.match.existing" ), - Response.Status.BAD_REQUEST.getStatusCode() ); + return new RedbackServiceException( new ErrorMessage( "password.provided.does.not.match.existing" ), + Response.Status.BAD_REQUEST.getStatusCode( ) ); + } } - } - catch ( UserNotFoundException e ) - { - throw new RedbackServiceException( new ErrorMessage( "user not found" ), - Response.Status.BAD_REQUEST.getStatusCode() ); - } - catch ( UserManagerException e ) - { - throw new RedbackServiceException( new ErrorMessage( e.getMessage() ) ); - } - // only 3 fields to update - realUser.setFullName( user.getFullName() ); - realUser.setEmail( user.getEmail() ); - // ui can limit to not update password - if ( StringUtils.isNotBlank( user.getPassword() ) ) - { - passwordValidator.validatePassword( user.getPassword(), user.getUserId() ); - - realUser.setPassword( user.getPassword() ); - } - - updateUser( realUser.getUserId(), realUser ); + catch ( UserNotFoundException e ) + { + return new RedbackServiceException( new ErrorMessage( "user not found" ), + Response.Status.BAD_REQUEST.getStatusCode( ) ); + } + catch ( UserManagerException e ) + { + return new RedbackServiceException( ErrorMessage.of( ERR_USERMANAGER_FAIL, e.getMessage( ) ) ); + } + // only 3 fields to update + realUser.setFullName( user.getFullName( ) ); + realUser.setEmail( user.getEmail( ) ); + // ui can limit to not update password + if ( StringUtils.isNotBlank( user.getPassword( ) ) ) + { + realUser.setPassword( user.getPassword( ) ); + } + return null; + } ); - return 
ActionStatus.SUCCESS; + return getRestUser( foundUser ); } @Override @@ -1036,8 +1033,9 @@ public class DefaultUserService } - private void updateUser( String userId, Function<org.apache.archiva.redback.users.User, RedbackServiceException> updateFunction ) throws RedbackServiceException + private org.apache.archiva.redback.users.User updateUser( String userId, Function<org.apache.archiva.redback.users.User, RedbackServiceException> updateFunction ) throws RedbackServiceException { + try { org.apache.archiva.redback.users.User rawUser = userManager.findUser( userId, false ); @@ -1051,6 +1049,7 @@ public class DefaultUserService } else { throw new RedbackServiceException( ErrorMessage.of( ERR_USER_NOT_FOUND, userId ), 404 ); } + return rawUser; } catch ( UserNotFoundException e ) {
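Review bot: The rewritten updateMe no longer checks that `user.getUserId( )` is the logged-in user: the old `StringUtils.equals( redbackRequestInformation.getUser().getUsername(), user.getUserId() )` test is removed, only `principal == null` is tested, and the id handed to `updateUser( user.getUserId( ), ... )` still comes from the request body, so the `/me` endpoint (`noPermission = true` in the interface hunk) is only tied to the caller's own account by the previous-password comparison; the `// check username == one in the session` comment is now misleading. The `user == null` guard and the `previous password is empty` check are also dropped, so a missing body surfaces as a NullPointerException instead of a 400, and `passwordValidator.validatePassword( ... )` is no longer applied before `realUser.setPassword( ... )` unless `updateUser` enforces the policy somewhere not visible here. I would restore the checks against the session principal before calling `updateUser`, as below, assuming RedbackPrincipal exposes the username through `Principal.getName( )` (use its dedicated accessor if it has one), and return the validator's exception from the lambda if it throws RedbackServiceException.
```java
    public User updateMe( User user )
        throws RedbackServiceException
    {
        if ( user == null )
        {
            throw new RedbackServiceException( new ErrorMessage( "user parameter is mandatory" ),
                                               Response.Status.BAD_REQUEST.getStatusCode( ) );
        }
        RedbackPrincipal principal = getPrincipal( );
        if ( principal == null )
        {
            throw new RedbackServiceException( ErrorMessage.of( ERR_AUTH_UNAUTHORIZED_REQUEST ), 403 );
        }
        // /me may only change the caller's own account: compare with the session principal
        // instead of trusting the user id in the request body
        if ( !StringUtils.equals( principal.getName( ), user.getUserId( ) ) )
        {
            throw new RedbackServiceException( ErrorMessage.of( ERR_AUTH_UNAUTHORIZED_REQUEST ), 403 );
        }
        if ( StringUtils.isEmpty( user.getPreviousPassword( ) ) )
        {
            throw new RedbackServiceException( new ErrorMessage( "previous password is empty" ),
                                               Response.Status.BAD_REQUEST.getStatusCode( ) );
        }
        // … unchanged: updateUser( user.getUserId( ), realUser -> { ... } ) and return getRestUser( foundUser ) …
```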
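Review bot: The signature change of updateUser from `void` to `org.apache.archiva.redback.users.User` makes the result part of the helper's contract, but the method still has no Javadoc, and the later hunk that adds `return rawUser;` shows the value is the instance looked up by `userManager.findUser( userId, false )` after `updateFunction` has been applied to it. I would add a Javadoc above the signature naming both parameters, stating that the function's non-null result is thrown, and that the returned value is the updated raw user. The body between the two hunks is not visible here, so I have not checked the remaining paths; the blank line added after the opening brace is whitespace only.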
