EDELIVERY-4054 Existing password is being accepted in change password

Allow normal authenticated users to upload certificates as part of editing their details.

EDELIVERY-4054 Existing password is being accepted in change password
cd877f1e · Sebastian-Ion TINCU · f616a3b8 · cd877f1e · cd877f1e · cd877f1e
Commit cd877f1e authored 6 years ago by Sebastian-Ion TINCU
--- a/smp-angular/src/app/service-group-edit/service-metadata-wizard-dialog/service-metadata-wizard-dialog.component.ts
+++ b/smp-angular/src/app/service-group-edit/service-metadata-wizard-dialog/service-metadata-wizard-dialog.component.ts
@@ -4,7 +4,7 @@ import {FormBuilder, FormControl, FormGroup, Validators} from "@angular/forms";
 import {HttpClient} from "@angular/common/http";
 import {SmpConstants} from "../../smp.constants";
 import {ServiceMetadataEditRo} from "../service-metadata-edit-ro.model";
-
+import {CertificateService} from "../../user/certificate.service";

 @Component({
  selector: 'service-metadata-wizard-dialog',
@@ -17,22 +17,22 @@ export class ServiceMetadataWizardDialogComponent {
  static readonly EDIT_MODE = 'Edit ServiceMetadata XML';

  editMode: boolean;
-  formTitle: string;
  current: ServiceMetadataEditRo & { confirmation?: string };
  dialogForm: FormGroup;
  certificateValidationMessage: string;
  isCertificateValid: string;
  selectedFile: File;

-  dummyXML: string = "<!-- Custom element is mandatory by OASIS SMP schema.\n    Replace following element with your XML structure. -->\n<ext:example xmlns:ext=\"http://my.namespace.eu\">my mandatory content</ext:example>"
-
+  // dummyXML: string = "<!-- Custom element is mandatory by OASIS SMP schema.\n    Replace following element with your XML structure. -->\n<ext:example xmlns:ext=\"http://my.namespace.eu\">my mandatory content</ext:example>"

-  constructor( protected http: HttpClient,
-               public dialogRef: MatDialogRef<ServiceMetadataWizardDialogComponent>,
-              private dialogFormBuilder: FormBuilder) {
+  constructor(
+    private http: HttpClient,
+    private dialogRef: MatDialogRef<ServiceMetadataWizardDialogComponent>,
+    private dialogFormBuilder: FormBuilder,
+    private certificateService: CertificateService,
+  ) {

    this.dialogForm = dialogFormBuilder.group({
-
      'documentIdentifier': new FormControl({value: ''}, [Validators.required]),
      'documentIdentifierScheme': new FormControl({value: ''}, null),
      'processScheme': new FormControl({value: ''}, [Validators.required]),
@@ -49,14 +49,12 @@ export class ServiceMetadataWizardDialogComponent {

  onUpload() {
    // this.http is the injected HttpClient
-    this.http.post(SmpConstants.REST_CERTIFICATE, this.selectedFile)
+    this.certificateService.uploadCertificate$(this.selectedFile)
      .subscribe(event => {
-
        console.log(event); // handle event here
      });
  }

-
  getExtensionXML() {
    /*
    var xmlString = '<Extension xmlns="http://docs.oasis-open.org/bdxr/ns/SMP/2016/05">'
@@ -79,6 +77,4 @@ export class ServiceMetadataWizardDialogComponent {
      .replace(/>/g, "&gt;")
      .replace(/"/g, "&quot;");
  }
-
-
 }
--- a/smp-angular/src/app/smp.constants.ts
+++ b/smp-angular/src/app/smp.constants.ts
@@ -9,8 +9,6 @@ export class SmpConstants {
  public static readonly REST_SECURITY_USER = 'rest/security/user';
  public static readonly REST_APPLICATION = 'rest/application/info';

-
-  public static readonly REST_CERTIFICATE = `${SmpConstants.REST_USER}/certdata`;
  public static readonly REST_USER_VALIDATE_DELETE = `${SmpConstants.REST_USER}/validateDelete`;
  public static readonly REST_DOMAIN_VALIDATE_DELETE = `${SmpConstants.REST_DOMAIN}/validateDelete`;
  public static readonly REST_SERVICE_GROUP_EXTENSION = `${SmpConstants.REST_EDIT}/extension`;

--- a/smp-angular/src/app/user/certificate.service.ts
+++ b/smp-angular/src/app/user/certificate.service.ts
@@ -3,13 +3,22 @@ import {Observable} from 'rxjs';
 import {CertificateRo} from './certificate-ro.model';
 import {HttpClient} from '@angular/common/http';
 import {SmpConstants} from "../smp.constants";
+import {SecurityService} from "../security/security.service";
+import {User} from "../security/user.model";

 @Injectable()
 export class CertificateService {

-  constructor(private http: HttpClient) {}
+  constructor(
+    private http: HttpClient,
+    private securityService: SecurityService,
+  ) { }

  uploadCertificate$(payload): Observable<CertificateRo> {
-    return this.http.post<CertificateRo>(SmpConstants.REST_CERTIFICATE, payload);
+    // The user identifier below belongs to the currently logged in user and it may or may not be the same as the
+    // identifier of the user being modified (e.g. a normal user editing his own details vs. a system administrator
+    // adding or editing another user)
+    const currentUser: User = this.securityService.getCurrentUser();
+    return this.http.post<CertificateRo>(`${SmpConstants.REST_USER}/${currentUser.id}/certdata`, payload);
  }
 }
--- a/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthorizationService.java
+++ b/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/auth/SMPAuthorizationService.java
@@ -5,12 +5,20 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Service;

+import static eu.europa.ec.edelivery.smp.auth.SMPAuthority.S_AUTHORITY_TOKEN_SYSTEM_ADMIN;
+
 /**
 * @author Sebastian-Ion TINCU
 */
 @Service("smpAuthorizationService")
 public class SMPAuthorizationService {

+    public boolean isSystemAdministrator() {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        return authentication instanceof SMPAuthenticationToken
+                && authentication.getAuthorities().stream().anyMatch(grantedAuthority -> S_AUTHORITY_TOKEN_SYSTEM_ADMIN.equals(grantedAuthority.getAuthority()));
+    }
+
    public boolean isCurrentlyLoggedIn(Long userId) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if(authentication instanceof SMPAuthenticationToken) {

--- a/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/ui/UserResource.java
+++ b/smp-webapp/src/main/java/eu/europa/ec/edelivery/smp/ui/UserResource.java
@@ -77,9 +77,9 @@ public class UserResource {
        uiUserService.updateUserList(Arrays.asList(updateEntities));
    }

-    @RequestMapping(path = "certdata", method = RequestMethod.POST)
-    @Secured({SMPAuthority.S_AUTHORITY_TOKEN_SYSTEM_ADMIN})
-    public CertificateRO uploadFile(@RequestBody byte[] data) {
+    @PostMapping("/{id}/certdata")
+    @PreAuthorize("@smpAuthorizationService.systemAdministrator || @smpAuthorizationService.isCurrentlyLoggedIn(#id)")
+    public CertificateRO uploadFile(@PathVariable("id") Long id, @RequestBody byte[] data) {
        LOG.info("Got certificate data: " + data.length);
        try {
            return uiUserService.getCertificateData(data);