From 3754bfd5a71b948f50f561e975c63a30c2273b39 Mon Sep 17 00:00:00 2001
From: RIHTARSIC Joze <joze.rihtarsic@ext.ec.europa.eu>
Date: Tue, 12 Dec 2023 15:52:47 +0100
Subject: [PATCH] PR Updates

---
 .../edelivery/smp/security/DomainGuard.java   | 11 ++++++----
 .../resource/ResourceResolverService.java     | 17 +++++++-------
 .../smp/servlet/ResourceRequest.java          | 22 ++++++++++++-------
 3 files changed, 30 insertions(+), 20 deletions(-)

diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/security/DomainGuard.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/security/DomainGuard.java
index b7161e65d..d4325675d 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/security/DomainGuard.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/security/DomainGuard.java
@@ -19,7 +19,6 @@ import org.springframework.stereotype.Component;
 
 @Component
 public class DomainGuard {
-
     private static final SMPLogger LOG = SMPLoggerFactory.getLogger(DomainGuard.class);
 
     final DomainResolverService domainResolverService;
@@ -97,7 +96,7 @@ public class DomainGuard {
             return true;
         }
         if (user == null || user.getUser() == null || user.getUser().getId() == null) {
-            LOG.info(SMPLogger.SECURITY_MARKER, "Anonymous user: [{}] is not authorized to read domain: [{}]", user, domain);
+            LOG.warn(SMPLogger.SECURITY_MARKER, "Anonymous user: [{}] is not authorized to read domain: [{}]", user, domain);
             return false;
         }
         // to be able to read internal(private) domain resources it must be member of domain, domain group or domain resources
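Review bot: The `[{}]` placeholder for `user` on the new WARN line carries almost no information, because this branch is only reached when `user` is null or its inner `getUser()`/`getId()` is null, so the entry will mostly read "Anonymous user: [null]". Since this path is reachable by unauthenticated clients, every denied anonymous read now emits a SECURITY_MARKER WARN line, which is easy to flood; confirm the security log sink tolerates that volume. Consider logging the identifier rather than the object, e.g. `LOG.warn(SMPLogger.SECURITY_MARKER, "Anonymous user is not authorized to read domain: [{}]", domain.getDomainCode());` — I am assuming `DBDomain.getDomainCode()` exists as used in ResourceResolverService and that `domain` is non-null here, which the hunk does not show. The enclosing method starts before this hunk.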
@@ -144,14 +143,18 @@ public class DomainGuard {
         LOG.info(SMPLogger.SECURITY_MARKER, "User: [{}] is trying to create/update resource from domain: [{}]", user, domain);
 
         if (user == null || user.getUser() == null || user.getUser().getId() == null) {
-            LOG.info(SMPLogger.SECURITY_MARKER, "Anonymous user: [{}] is not authorized to create/update resources on domain: [{}]", user, domain);
+            LOG.warn(SMPLogger.SECURITY_MARKER, "Anonymous user: [{}] is not authorized to create/update resources on domain: [{}]", user, domain);
             return false;
         }
         // to be able to delete domain resources it must be member of any group on domain
         boolean isAuthorized = groupMemberDao.isUserAnyDomainGroupResourceMemberWithRole(user.getUser(), domain, MembershipRoleType.ADMIN)
                 || resourceMemberDao.isUserAnyDomainResourceMemberWithRole(user.getUser(), domain, MembershipRoleType.ADMIN);
 
-        LOG.info(SMPLogger.SECURITY_MARKER, "User: [{}] is authorized:[{}] to create/update resources from Domain: [{}]", user, isAuthorized, domain);
+        if (isAuthorized){
+            LOG.info(SMPLogger.SECURITY_MARKER, "User: [{}] is authorized to create/update resources from Domain: [{}]", user, domain);
+        } else {
+            LOG.warn(SMPLogger.SECURITY_MARKER, "User: [{}] is NOT authorized to create/update resources from Domain: [{}]", user, domain);
+        }
         return isAuthorized;
     }
 }
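Review bot: The comment on the authorization line, `// to be able to delete domain resources it must be member of any group on domain`, does not describe the check below it: the method is the create/update guard, and the check requires the ADMIN role on a domain group or on a domain resource, not mere membership of any group. A wrong comment on an authorization decision is a maintenance hazard, so replace it with `// to create/update resources the user must hold the ADMIN role in at least one group or resource of the domain`. The split INFO/WARN logging of the outcome is a good change; the method itself starts before this hunk.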
diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/resource/ResourceResolverService.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/resource/ResourceResolverService.java
index 502259ace..ad492a431 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/resource/ResourceResolverService.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/resource/ResourceResolverService.java
@@ -89,7 +89,8 @@ public class ResourceResolverService {
         // if domain code matches first parameter skip it!
         if (StringUtils.equals(currentParameter, domain.getDomainCode())) {
             if (pathParameters.size() <= ++iParameterIndex) {
-                throw new SMPRuntimeException(ErrorCode.INVALID_REQUEST, join(pathParameters, ","), "Not enough path parameters to locate resource (The first match the domain)!");
+                throw new SMPRuntimeException(ErrorCode.INVALID_REQUEST, join(pathParameters, ","),
+                        "Not enough path parameters to locate resource (The first match the domain)!");
             }
             currentParameter = pathParameters.get(iParameterIndex);
         }
@@ -98,7 +99,8 @@ public class ResourceResolverService {
         locationVector.setResourceDef(resourceDef);
         if (StringUtils.equals(currentParameter, resourceDef.getUrlSegment())) {
             if (pathParameters.size() <= ++iParameterIndex) {
-                throw new SMPRuntimeException(ErrorCode.INVALID_REQUEST, join(pathParameters, ","), "Not enough path parameters to locate resource (The first two match the domain and resource type)!");
+                throw new SMPRuntimeException(ErrorCode.INVALID_REQUEST, join(pathParameters, ","),
+                        "Not enough path parameters to locate resource (The first two match the domain and resource type)!");
             }
             currentParameter = pathParameters.get(iParameterIndex);
         }
@@ -117,13 +119,14 @@ public class ResourceResolverService {
         }
 
         locationVector.setResource(resource);
+        // get ready for next url path parameter.
+        iParameterIndex++;
         // check if resource is resolved - no more parameters to be resolved
-        locationVector.setResolved(pathParameters.size() == ++iParameterIndex);
-
+        locationVector.setResolved(pathParameters.size() == iParameterIndex);
         if (locationVector.isResolved()) {
             // validate if user is authorized for action
             if (resourceGuard.userIsNotAuthorizedForAction(user, resourceRequest.getAction(), resource, domain)) {
-                LOG.info(SECURITY_MARKER, "User [{}] is NOT authorized for action [{}] on the resource [{}]",
+                LOG.warn(SECURITY_MARKER, "User [{}] is NOT authorized for action [{}] on the resource [{}]",
                         getUsername(user), resourceRequest.getAction(), resource);
                 throw new SMPRuntimeException(ErrorCode.UNAUTHORIZED);
             }
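Review bot: The resource-level authorization (`resourceGuard.userIsNotAuthorizedForAction(user, action, resource, domain)`) only runs in the `isResolved()` branch, i.e. when the resource is the last path parameter; when further parameters remain, the resource is stored in `locationVector` without that check and the request falls through to subresource resolution. The subresource guard visible later in this file takes only `(user, action, subresource)`, so whether access to the parent resource and its domain is re-validated on that path is not visible here — please confirm, or add the resource check before the `isResolved()` branch so both paths share it. A one-line comment stating where subresource requests get their resource-level authorization would help the next reader, e.g. `// when more path parameters remain, resource-level authorization is enforced in resolveSubresource`. The enclosing method starts before and continues after this hunk.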
@@ -152,11 +155,10 @@ public class ResourceResolverService {
         }
 
         if (!resourceGuard.userIsAuthorizedForAction(user, resourceRequest.getAction(), subresource)) {
-            LOG.info(SECURITY_MARKER, "User [{}] is NOT authorized for action [{}] on the subresource resource [{}]",
+            LOG.warn(SECURITY_MARKER, "User [{}] is NOT authorized for action [{}] on the subresource resource [{}]",
                     getUsername(user), resourceRequest.getAction(), subresource);
             throw new SMPRuntimeException(ErrorCode.UNAUTHORIZED);
         }
-
         locationVector.setSubresource(subresource);
         locationVector.setSubResourceDef(subresourceDef);
         locationVector.setResolved(true);
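Review bot: The two guard calls in this file use opposite polarity — `resourceGuard.userIsNotAuthorizedForAction(...)` for resources versus `!resourceGuard.userIsAuthorizedForAction(...)` here — which makes inverted conditions easy to introduce when these checks are edited. Prefer one polarity for authorization gates, e.g. `if (resourceGuard.userIsNotAuthorizedForAction(user, resourceRequest.getAction(), subresource)) {` if such an overload exists, or a comment noting the deliberate difference. Note also that the subresource check receives no `domain` argument while the resource check does; whether the domain is derived from the subresource inside the guard is not visible in this hunk. The enclosing method starts before this hunk.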
@@ -208,7 +210,6 @@ public class ResourceResolverService {
     public DBResourceDef resolveResourceType(DBDomain domain, String headerParameter, String pathParameter) {
         LOG.debug("Resolve ResourceType for domain [{}] for HTTP header [{}] and path parameter [{}]", domain.getDomainCode(), headerParameter, pathParameter);
 
-
         // get single domain
         List<DBResourceDef> resourceDefs = resourceDefinitionDao.getAllResourceDefForDomain(domain);
         if (resourceDefs.isEmpty()) {
diff --git a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/servlet/ResourceRequest.java b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/servlet/ResourceRequest.java
index fada3aae2..a5b213dc3 100644
--- a/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/servlet/ResourceRequest.java
+++ b/smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/servlet/ResourceRequest.java
@@ -1,6 +1,8 @@
 package eu.europa.ec.edelivery.smp.servlet;
 
 import eu.europa.ec.edelivery.smp.data.model.DBDomain;
+import eu.europa.ec.edelivery.smp.logging.SMPLogger;
+import eu.europa.ec.edelivery.smp.logging.SMPLoggerFactory;
 import eu.europa.ec.edelivery.smp.services.resource.ResolvedData;
 import org.apache.commons.lang3.StringUtils;
 
@@ -13,7 +15,7 @@ import static org.apache.commons.lang3.StringUtils.lowerCase;
 import static org.apache.commons.lang3.StringUtils.trim;
 
 public class ResourceRequest {
-
+    private static final SMPLogger LOG = SMPLoggerFactory.getLogger(ResourceRequest.class);
     ResourceAction action;
 
     Map<String, String> httpHeaders;
@@ -42,9 +44,13 @@ public class ResourceRequest {
     }
 
     public String getOwnerHttpParameter() {
-        String owner =  getHeader(WebConstants.HTTP_PARAM_OWNER);
+        String owner = getHeader(WebConstants.HTTP_PARAM_OWNER);
         if (StringUtils.isBlank(owner)) {
+            LOG.debug("Try with obsolete owner parameter: 'ServiceGroup-Owner'");
             owner = getHeader(WebConstants.HTTP_PARAM_OWNER_OBSOLETE);
+            if (StringUtils.isNotBlank(owner)) {
+                LOG.debug("Using obsolete owner parameter: 'ServiceGroup-Owner'. Move to new parameter: 'Resource-Owner'");
+            }
         }
         return owner;
     }
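Review bot: The new debug messages hard-code the header names `'ServiceGroup-Owner'` and `'Resource-Owner'` as string literals while the lookups use `WebConstants.HTTP_PARAM_OWNER_OBSOLETE` and `WebConstants.HTTP_PARAM_OWNER`, so the log text will silently drift if the constants change. Log the constants instead: `LOG.debug("Using obsolete owner parameter: '{}'. Move to new parameter: '{}'", WebConstants.HTTP_PARAM_OWNER_OBSOLETE, WebConstants.HTTP_PARAM_OWNER);`. The first `Try with obsolete owner parameter` line fires on every request without the new header, so it is mostly noise next to the second message; consider dropping it. It is good that the header value itself (client-controlled) is not written to the log.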
@@ -117,15 +123,15 @@ public class ResourceRequest {
                 '}';
     }
 
-    private String headersToString(){
-        return  httpHeaders == null? null:
+    private String headersToString() {
+        return httpHeaders == null ? null :
                 httpHeaders.keySet().stream()
-                .map(key -> key + "=" + httpHeaders.get(key))
-                .collect(Collectors.joining(", ", "{", "}"));
+                        .map(key -> key + "=" + httpHeaders.get(key))
+                        .collect(Collectors.joining(", ", "{", "}"));
     }
 
-    private String pathParameterToString(){
-        return  urlPathParameters == null? null:
+    private String pathParameterToString() {
+        return urlPathParameters == null ? null :
                 urlPathParameters.stream()
                         .collect(Collectors.joining(", ", "{", "}"));
     }
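Review bot: `headersToString()` serializes every entry of `httpHeaders` verbatim, so any place that logs this object's `toString()` will write credential-bearing headers (Authorization, Cookie, or API-key headers, if the servlet puts them in this map — not visible here) into the log. Mask such keys when rendering, e.g. `.map(key -> key + "=" + (StringUtils.equalsAnyIgnoreCase(key, "Authorization", "Cookie") ? "***" : httpHeaders.get(key)))`, which uses the already-imported `StringUtils`. Header values are also client-controlled text, so if the logging backend does not neutralise CR/LF they can be used for log-entry forging; confirm the logger's encoder handles that. The `toString()` that calls these helpers ends at the top of this hunk and starts before it.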
-- 
GitLab