Merge remote-tracking branch 'origin/development' into development

smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthorizationService.java

+package eu.europa.ec.edelivery.smp.auth;
+
+import eu.europa.ec.edelivery.smp.data.ui.UserRO;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Service;
+
+import static eu.europa.ec.edelivery.smp.auth.SMPAuthority.S_AUTHORITY_TOKEN_SYSTEM_ADMIN;
+import static java.util.stream.Collectors.toList;
+
+/**
+ * @author Sebastian-Ion TINCU
+ */
+@Service("smpAuthorizationService")
+public class SMPAuthorizationService {
+
+    public boolean isSystemAdministrator() {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        return authentication instanceof SMPAuthenticationToken
+                && authentication.getAuthorities().stream().anyMatch(grantedAuthority -> S_AUTHORITY_TOKEN_SYSTEM_ADMIN.equals(grantedAuthority.getAuthority()));
+    }
+
+    public boolean isCurrentlyLoggedIn(Long userId) {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        if(authentication instanceof SMPAuthenticationToken) {
+            Long loggedInUserId = ((SMPAuthenticationToken) authentication).getUser().getId();
+            return loggedInUserId.equals(userId);
+        }
+
+        return false;
+    }
+    /**
+     * Returns a user resource with password credentials removed and authorities populated for use in the front-end.
+     *
+     * @param userRO The user resource to sanitize for use in the front-end.
+     * @return the sanitized user resource
+     */
+    public UserRO sanitize(UserRO userRO) {
+        userRO.setPassword("");
+
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        if(authentication instanceof SMPAuthenticationToken) {
+            userRO.setAuthorities(
+                    authentication.getAuthorities()
+                            .stream()
+                            .map(authority -> authority.getAuthority())
+                            .collect(toList()));
+        }
+
+        return userRO;
+    }
+}

smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/config/SmpWebAppConfig.java

@@ -42,6 +42,7 @@ import static org.springframework.core.Ordered.HIGHEST_PRECEDENCE;
 @ComponentScan(basePackages = {
         "eu.europa.ec.edelivery.smp.controllers",
         "eu.europa.ec.edelivery.smp.validation",
+        "eu.europa.ec.edelivery.smp.conversion",
         "eu.europa.ec.edelivery.smp.monitor",
         "eu.europa.ec.edelivery.smp.ui"})
 @Import({GlobalMethodSecurityConfig.class, ErrorMappingControllerAdvice.class})

smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/ui/AuthenticationResource.java

 package eu.europa.ec.edelivery.smp.ui;
 
 
+import eu.europa.ec.edelivery.smp.auth.SMPAuthenticationService;
+import eu.europa.ec.edelivery.smp.auth.SMPAuthenticationToken;
 import eu.europa.ec.edelivery.smp.auth.SMPAuthority;
+import eu.europa.ec.edelivery.smp.auth.SMPAuthorizationService;
 import eu.europa.ec.edelivery.smp.data.ui.ErrorRO;
 import eu.europa.ec.edelivery.smp.data.ui.LoginRO;
 import eu.europa.ec.edelivery.smp.data.ui.UserRO;
 import eu.europa.ec.edelivery.smp.logging.SMPLogger;
 import eu.europa.ec.edelivery.smp.logging.SMPLoggerFactory;
-import eu.europa.ec.edelivery.smp.auth.SMPAuthenticationService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.core.convert.ConversionService;
 import org.springframework.http.HttpStatus;
 import org.springframework.security.access.annotation.Secured;
 import org.springframework.security.authentication.BadCredentialsException;
@@ -23,8 +26,6 @@ import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import static java.util.stream.Collectors.toList;
-
 /**
  * @author Sebastian-Ion TINCU
  * @since 4.0
@@ -38,6 +39,12 @@ public class AuthenticationResource {
     @Autowired
     protected SMPAuthenticationService authenticationService;
 
+    @Autowired
+    protected SMPAuthorizationService authorizationService;
+
+    @Autowired
+    private ConversionService conversionService;
+
     @ResponseStatus(value = HttpStatus.FORBIDDEN)
     @ExceptionHandler({AuthenticationException.class})
     public ErrorRO handleException(Exception ex) {
@@ -49,16 +56,9 @@ public class AuthenticationResource {
     @Transactional(noRollbackFor = BadCredentialsException.class)
     public UserRO authenticate(@RequestBody LoginRO loginRO, HttpServletResponse response) {
         LOG.debug("Authenticating user [{}]", loginRO.getUsername());
-        final Authentication principal = authenticationService.authenticate(loginRO.getUsername(), loginRO.getPassword());
-
-        UserRO userRO = new UserRO();
-        userRO.setUsername(loginRO.getUsername());
-        userRO.setAuthorities(
-                principal.getAuthorities()
-                        .stream()
-                        .map(authority -> authority.getAuthority())
-                        .collect(toList()));
-        return userRO;
+        SMPAuthenticationToken authentication = (SMPAuthenticationToken) authenticationService.authenticate(loginRO.getUsername(), loginRO.getPassword());
+        UserRO userRO = conversionService.convert(authentication.getUser(), UserRO.class);
+        return authorizationService.sanitize(userRO);
     }
 
     @RequestMapping(value = "authentication", method = RequestMethod.DELETE)
@@ -76,18 +76,16 @@ public class AuthenticationResource {
         LOG.info("Logged out");
     }
 
-   // @PutMapping(produces = {"text/plain"})
     @RequestMapping(value = "user", method = RequestMethod.GET)
     @Secured({SMPAuthority.S_AUTHORITY_TOKEN_SYSTEM_ADMIN, SMPAuthority.S_AUTHORITY_TOKEN_SMP_ADMIN, SMPAuthority.S_AUTHORITY_TOKEN_SERVICE_GROUP_ADMIN})
     public UserRO getUser() {
-      //  User securityUser = (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
-        //return securityUser.getUsername();
-        String username = (String)SecurityContextHolder.getContext().getAuthentication().getPrincipal();
-        System.out.println("get user: " + username);
-        UserRO ur =new UserRO();
-        ur.setUsername(username);
-        return ur;
+        UserRO user = new UserRO();
+
+        String username = (String) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
+        LOG.debug("get user: {}", username);
 
+        user.setUsername(username);
+        return user;
     }
 
 }
\ No newline at end of file

smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/ui/UserResource.java

 package eu.europa.ec.edelivery.smp.ui;
 
-
 import eu.europa.ec.edelivery.smp.auth.SMPAuthenticationToken;
 import eu.europa.ec.edelivery.smp.auth.SMPAuthority;
-import eu.europa.ec.edelivery.smp.auth.SMPRole;
+import eu.europa.ec.edelivery.smp.auth.SMPAuthorizationService;
 import eu.europa.ec.edelivery.smp.data.model.DBUser;
 import eu.europa.ec.edelivery.smp.data.ui.CertificateRO;
 import eu.europa.ec.edelivery.smp.data.ui.DeleteEntityValidation;
@@ -15,11 +14,12 @@ import eu.europa.ec.edelivery.smp.services.ui.UIUserService;
 import eu.europa.ec.edelivery.smp.services.ui.filters.UserFilter;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.annotation.Secured;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.crypto.bcrypt.BCrypt;
 import org.springframework.web.bind.annotation.*;
 
-import javax.annotation.PostConstruct;
 import java.io.IOException;
 import java.security.cert.CertificateException;
 import java.util.Arrays;
@@ -29,7 +29,6 @@ import java.util.List;
  * @author Joze Rihtarsic
  * @since 4.1
  */
-
 @RestController
 @RequestMapping(value = "/ui/rest/user")
 public class UserResource {
@@ -39,15 +38,11 @@ public class UserResource {
     @Autowired
     private UIUserService uiUserService;
 
-    @PostConstruct
-    protected void init() {
-
-    }
+    @Autowired
+    protected SMPAuthorizationService authorizationService;
 
     @PutMapping(produces = {"application/json"})
-    @ResponseBody
     @RequestMapping(method = RequestMethod.GET)
-    //update gui to call this when somebody is logged in.
     @Secured({SMPAuthority.S_AUTHORITY_TOKEN_SYSTEM_ADMIN, SMPAuthority.S_AUTHORITY_TOKEN_SMP_ADMIN})
     public ServiceResult<UserRO> getUsers(
             @RequestParam(value = "page", defaultValue = "0") int page,
@@ -56,8 +51,8 @@ public class UserResource {
             @RequestParam(value = "orderType", defaultValue = "asc", required = false) String orderType,
             @RequestParam(value = "roles", required = false) String roleList
             ) {
-        UserFilter filter =null;
-        if (roleList!=null){
+        UserFilter filter = null;
+        if (roleList != null) {
             filter = new UserFilter();
             filter.setRoleList(Arrays.asList(roleList.split(",")));
         }
@@ -65,17 +60,37 @@ public class UserResource {
         return  uiUserService.getTableList(page,pageSize, orderBy, orderType, filter);
     }
 
+    /**
+     * Update the details of the currently logged in user (e.g. update the role, the credentials or add certificate details).
+     *
+     * @param id the identifier of the user being updated; it must match the currently logged in user's identifier
+     * @param user the updated details
+     *
+     * @throws org.springframework.security.access.AccessDeniedException when trying to update the details of another user, different than the one being currently logged in
+     */
+    @PutMapping(path = "/{id}")
+    @PreAuthorize("@smpAuthorizationService.isCurrentlyLoggedIn(#id)")
+    public UserRO updateCurrentUser(@PathVariable("id") Long id, @RequestBody UserRO user) {
+        LOG.info("Update current user: {}", user);
+
+        uiUserService.updateUserList(Arrays.asList(user));
+
+        DBUser updatedUser = uiUserService.findUser(id);
+        UserRO userRO = uiUserService.convertToRo(updatedUser);
+
+        return authorizationService.sanitize(userRO);
+    }
+
     @PutMapping(produces = {"application/json"})
-    @RequestMapping(method = RequestMethod.PUT)
     @Secured({SMPAuthority.S_AUTHORITY_TOKEN_SYSTEM_ADMIN})
-    public void updateUserList(@RequestBody(required = true) UserRO[] updateEntities ){
-        LOG.info("Update user list, count: {}" + updateEntities.length);
+    public void updateUserList(@RequestBody UserRO[] updateEntities ){
+        LOG.info("Update user list, count: {}", updateEntities.length);
         uiUserService.updateUserList(Arrays.asList(updateEntities));
     }
 
-    @RequestMapping(path = "certdata", method = RequestMethod.POST)
-    @Secured({SMPAuthority.S_AUTHORITY_TOKEN_SYSTEM_ADMIN})
-    public CertificateRO uploadFile(@RequestBody byte[] data) {
+    @PostMapping("/{id}/certdata")
+    @PreAuthorize("@smpAuthorizationService.systemAdministrator || @smpAuthorizationService.isCurrentlyLoggedIn(#id)")
+    public CertificateRO uploadFile(@PathVariable("id") Long id, @RequestBody byte[] data) {
         LOG.info("Got certificate data: " + data.length);
         try {
             return uiUserService.getCertificateData(data);
@@ -83,17 +98,21 @@ public class UserResource {
             LOG.error("Error occurred while parsing certificate.", e);
         }
         return null;
+    }
 
+    @PostMapping(path = "/{id}/samePreviousPasswordUsed", produces = {"application/json"})
+    @PreAuthorize("@smpAuthorizationService.isCurrentlyLoggedIn(#id)")
+    public boolean samePreviousPasswordUsed(@PathVariable("id") Long id, @RequestBody String password) {
+        LOG.info("Validating the password of the currently logged in user: {} ", id);
+        DBUser user = uiUserService.findUser(getCurrentUser().getId());
+        return BCrypt.checkpw(password, user.getPassword());
     }
 
     @PutMapping(produces = {"application/json"})
     @RequestMapping(path = "validateDelete", method = RequestMethod.POST)
     @Secured({SMPAuthority.S_AUTHORITY_TOKEN_SYSTEM_ADMIN})
     public DeleteEntityValidation validateDeleteUsers(@RequestBody List<Long> query) {
-        // test if looged user
-        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-        SMPAuthenticationToken authToken = (SMPAuthenticationToken) authentication;
-        DBUser user = authToken.getUser();
+        DBUser user = getCurrentUser();
         DeleteEntityValidation dres = new DeleteEntityValidation();
         if (query.contains(user.getId())){
             dres.setValidOperation(false);
@@ -103,4 +122,10 @@ public class UserResource {
         dres.getListIds().addAll(query);
         return uiUserService.validateDeleteRequest(dres);
     }
+
+    private DBUser getCurrentUser() {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        SMPAuthenticationToken authToken = (SMPAuthenticationToken) authentication;
+        return authToken.getUser();
+    }
 }