PR Updates

3754bfd5 · Joze RIHTARSIC · 5e4b2f4a · 3754bfd5 · 3754bfd5 · 3754bfd5
Commit 3754bfd5 authored 1 year ago by Joze RIHTARSIC
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/security/DomainGuard.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/security/DomainGuard.java
@@ -19,7 +19,6 @@ import org.springframework.stereotype.Component;

 @Component
 public class DomainGuard {
-
    private static final SMPLogger LOG = SMPLoggerFactory.getLogger(DomainGuard.class);

    final DomainResolverService domainResolverService;
@@ -97,7 +96,7 @@ public class DomainGuard {
            return true;
        }
        if (user == null || user.getUser() == null || user.getUser().getId() == null) {
-            LOG.info(SMPLogger.SECURITY_MARKER, "Anonymous user: [{}] is not authorized to read domain: [{}]", user, domain);
+            LOG.warn(SMPLogger.SECURITY_MARKER, "Anonymous user: [{}] is not authorized to read domain: [{}]", user, domain);
            return false;
        }
        // to be able to read internal(private) domain resources it must be member of domain, domain group or domain resources
@@ -144,14 +143,18 @@ public class DomainGuard {
        LOG.info(SMPLogger.SECURITY_MARKER, "User: [{}] is trying to create/update resource from domain: [{}]", user, domain);

        if (user == null || user.getUser() == null || user.getUser().getId() == null) {
-            LOG.info(SMPLogger.SECURITY_MARKER, "Anonymous user: [{}] is not authorized to create/update resources on domain: [{}]", user, domain);
+            LOG.warn(SMPLogger.SECURITY_MARKER, "Anonymous user: [{}] is not authorized to create/update resources on domain: [{}]", user, domain);
            return false;
        }
        // to be able to delete domain resources it must be member of any group on domain
        boolean isAuthorized = groupMemberDao.isUserAnyDomainGroupResourceMemberWithRole(user.getUser(), domain, MembershipRoleType.ADMIN)
                || resourceMemberDao.isUserAnyDomainResourceMemberWithRole(user.getUser(), domain, MembershipRoleType.ADMIN);

-        LOG.info(SMPLogger.SECURITY_MARKER, "User: [{}] is authorized:[{}] to create/update resources from Domain: [{}]", user, isAuthorized, domain);
+        if (isAuthorized){
+            LOG.info(SMPLogger.SECURITY_MARKER, "User: [{}] is authorized to create/update resources from Domain: [{}]", user, domain);
+        } else {
+            LOG.warn(SMPLogger.SECURITY_MARKER, "User: [{}] is NOT authorized to create/update resources from Domain: [{}]", user, domain);
+        }
        return isAuthorized;
    }
 }
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/resource/ResourceResolverService.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/resource/ResourceResolverService.java
@@ -89,7 +89,8 @@ public class ResourceResolverService {
        // if domain code matches first parameter skip it!
        if (StringUtils.equals(currentParameter, domain.getDomainCode())) {
            if (pathParameters.size() <= ++iParameterIndex) {
-                throw new SMPRuntimeException(ErrorCode.INVALID_REQUEST, join(pathParameters, ","), "Not enough path parameters to locate resource (The first match the domain)!");
+                throw new SMPRuntimeException(ErrorCode.INVALID_REQUEST, join(pathParameters, ","),
+                        "Not enough path parameters to locate resource (The first match the domain)!");
            }
            currentParameter = pathParameters.get(iParameterIndex);
        }
@@ -98,7 +99,8 @@ public class ResourceResolverService {
        locationVector.setResourceDef(resourceDef);
        if (StringUtils.equals(currentParameter, resourceDef.getUrlSegment())) {
            if (pathParameters.size() <= ++iParameterIndex) {
-                throw new SMPRuntimeException(ErrorCode.INVALID_REQUEST, join(pathParameters, ","), "Not enough path parameters to locate resource (The first two match the domain and resource type)!");
+                throw new SMPRuntimeException(ErrorCode.INVALID_REQUEST, join(pathParameters, ","),
+                        "Not enough path parameters to locate resource (The first two match the domain and resource type)!");
            }
            currentParameter = pathParameters.get(iParameterIndex);
        }
@@ -117,13 +119,14 @@ public class ResourceResolverService {
        }

        locationVector.setResource(resource);
+        // get ready for next url path parameter.
+        iParameterIndex++;
        // check if resource is resolved - no more parameters to be resolved
-        locationVector.setResolved(pathParameters.size() == ++iParameterIndex);
-
+        locationVector.setResolved(pathParameters.size() == iParameterIndex);
        if (locationVector.isResolved()) {
            // validate if user is authorized for action
            if (resourceGuard.userIsNotAuthorizedForAction(user, resourceRequest.getAction(), resource, domain)) {
-                LOG.info(SECURITY_MARKER, "User [{}] is NOT authorized for action [{}] on the resource [{}]",
+                LOG.warn(SECURITY_MARKER, "User [{}] is NOT authorized for action [{}] on the resource [{}]",
                        getUsername(user), resourceRequest.getAction(), resource);
                throw new SMPRuntimeException(ErrorCode.UNAUTHORIZED);
            }
@@ -152,11 +155,10 @@ public class ResourceResolverService {
        }

        if (!resourceGuard.userIsAuthorizedForAction(user, resourceRequest.getAction(), subresource)) {
-            LOG.info(SECURITY_MARKER, "User [{}] is NOT authorized for action [{}] on the subresource resource [{}]",
+            LOG.warn(SECURITY_MARKER, "User [{}] is NOT authorized for action [{}] on the subresource resource [{}]",
                    getUsername(user), resourceRequest.getAction(), subresource);
            throw new SMPRuntimeException(ErrorCode.UNAUTHORIZED);
        }
-
        locationVector.setSubresource(subresource);
        locationVector.setSubResourceDef(subresourceDef);
        locationVector.setResolved(true);
@@ -208,7 +210,6 @@ public class ResourceResolverService {
    public DBResourceDef resolveResourceType(DBDomain domain, String headerParameter, String pathParameter) {
        LOG.debug("Resolve ResourceType for domain [{}] for HTTP header [{}] and path parameter [{}]", domain.getDomainCode(), headerParameter, pathParameter);

-
        // get single domain
        List<DBResourceDef> resourceDefs = resourceDefinitionDao.getAllResourceDefForDomain(domain);
        if (resourceDefs.isEmpty()) {

--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/servlet/ResourceRequest.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/servlet/ResourceRequest.java
 package eu.europa.ec.edelivery.smp.servlet;

 import eu.europa.ec.edelivery.smp.data.model.DBDomain;
+import eu.europa.ec.edelivery.smp.logging.SMPLogger;
+import eu.europa.ec.edelivery.smp.logging.SMPLoggerFactory;
 import eu.europa.ec.edelivery.smp.services.resource.ResolvedData;
 import org.apache.commons.lang3.StringUtils;

@@ -13,7 +15,7 @@ import static org.apache.commons.lang3.StringUtils.lowerCase;
 import static org.apache.commons.lang3.StringUtils.trim;

 public class ResourceRequest {
-
+    private static final SMPLogger LOG = SMPLoggerFactory.getLogger(ResourceRequest.class);
    ResourceAction action;

    Map<String, String> httpHeaders;
@@ -42,9 +44,13 @@ public class ResourceRequest {
    }

    public String getOwnerHttpParameter() {
-        String owner =  getHeader(WebConstants.HTTP_PARAM_OWNER);
+        String owner = getHeader(WebConstants.HTTP_PARAM_OWNER);
        if (StringUtils.isBlank(owner)) {
+            LOG.debug("Try with obsolete owner parameter: 'ServiceGroup-Owner'");
            owner = getHeader(WebConstants.HTTP_PARAM_OWNER_OBSOLETE);
+            if (StringUtils.isNotBlank(owner)) {
+                LOG.debug("Using obsolete owner parameter: 'ServiceGroup-Owner'. Move to new parameter: 'Resource-Owner'");
+            }
        }
        return owner;
    }
@@ -117,15 +123,15 @@ public class ResourceRequest {
                '}';
    }

-    private String headersToString(){
-        return  httpHeaders == null? null:
+    private String headersToString() {
+        return httpHeaders == null ? null :
                httpHeaders.keySet().stream()
-                .map(key -> key + "=" + httpHeaders.get(key))
-                .collect(Collectors.joining(", ", "{", "}"));
+                        .map(key -> key + "=" + httpHeaders.get(key))
+                        .collect(Collectors.joining(", ", "{", "}"));
    }

-    private String pathParameterToString(){
-        return  urlPathParameters == null? null:
+    private String pathParameterToString() {
+        return urlPathParameters == null ? null :
                urlPathParameters.stream()
                        .collect(Collectors.joining(", ", "{", "}"));
    }