Feature/organization UI permissions

.github/workflows/main.yml

@@ -69,11 +69,10 @@ jobs:
         run: |
           cp src/test/resources/config/keystore.p12 src/main/resources/config/keystore.p12
           ./gradlew bootRun &>mp.log </dev/null &
-          BOOTRUN_PROCESS=$!
           yarn run wait-for-managementportal
           ./gradlew generateOpenApiSpec
           yarn e2e
-          kill $BOOTRUN_PROCESS
+          ./gradlew --stop
 
       - name: Has SNAPSHOT version
         id: is-snapshot

config/checkstyle/checkstyle.xml

@@ -52,9 +52,7 @@
       <property name="tokens" value="LITERAL_TRY, LITERAL_FINALLY, LITERAL_IF, LITERAL_ELSE, LITERAL_SWITCH"/>
     </module>
     <module name="NeedBraces"/>
-    <module name="LeftCurly">
-    </module>
-    <module name="RightCurly"/>
+    <module name="LeftCurly"/>
     <module name="RightCurly">
       <property name="option" value="alone"/>
       <property name="tokens" value="CLASS_DEF, METHOD_DEF, CTOR_DEF, LITERAL_FOR, LITERAL_WHILE, LITERAL_DO, STATIC_INIT, INSTANCE_INIT"/>

src/main/java/org/radarbase/management/config/OAuth2ServerConfiguration.java

@@ -1,6 +1,7 @@
 package org.radarbase.management.config;
 
 import org.radarbase.auth.authorization.RoleAuthority;
+import org.radarbase.management.repository.UserRepository;
 import org.radarbase.management.security.ClaimsTokenEnhancer;
 import org.radarbase.management.security.Http401UnauthorizedEntryPoint;
 import org.radarbase.management.security.JwtAuthenticationFilter;
@@ -112,9 +113,12 @@ protected static class ResourceServerConfiguration extends ResourceServerConfigu
         @Autowired
         private AuthenticationManager authenticationManager;
 
+        @Autowired
+        private UserRepository userRepository;
+
         public JwtAuthenticationFilter jwtAuthenticationFilter() {
             return new JwtAuthenticationFilter(
-                    keyStoreHandler.getTokenValidator(), authenticationManager)
+                    keyStoreHandler.getTokenValidator(), authenticationManager, userRepository)
                     .skipUrlPattern(HttpMethod.GET, "/management/health")
                     .skipUrlPattern(HttpMethod.GET, "/api/meta-token/*");
         }

src/main/java/org/radarbase/management/repository/filters/PredicateBuilder.java

@@ -42,6 +42,10 @@ public void add(Predicate predicate) {
         predicates.add(predicate);
     }
 
+    public void isNull(Expression<?> expression) {
+        predicates.add(builder.isNull(expression));
+    }
+
     /**
      * Build the predicates as an AND predicate.
      */

src/main/java/org/radarbase/management/repository/filters/UserFilter.java

@@ -14,6 +14,7 @@
 import javax.persistence.criteria.CriteriaQuery;
 import javax.persistence.criteria.From;
 import javax.persistence.criteria.Join;
+import javax.persistence.criteria.JoinType;
 import javax.persistence.criteria.Predicate;
 import javax.persistence.criteria.Root;
 import javax.persistence.criteria.Subquery;
@@ -40,7 +41,7 @@ public Predicate toPredicate(Root<User> root, @Nonnull CriteriaQuery<?> query,
         predicates.likeLower(root.get("login"), login);
         predicates.likeLower(root.get("email"), email);
 
-        filterRoles(predicates, root.join("roles"), query);
+        filterRoles(predicates, root.join("roles", JoinType.LEFT), query);
 
         query.distinct(true);
         var result = predicates.toAndPredicate();
@@ -52,11 +53,13 @@ private void filterRoles(PredicateBuilder predicates, Join<User, Role> roleJoin,
             CriteriaQuery<?> query) {
         Stream<RoleAuthority> authoritiesFiltered = Stream.of(RoleAuthority.values())
                 .filter(java.util.function.Predicate.not(RoleAuthority::isPersonal));
+        boolean allowNoRole = true;
 
         if (predicates.isValidValue(authority)) {
             String authorityUpper = authority.toUpperCase(Locale.ROOT);
             authoritiesFiltered = authoritiesFiltered
-                    .filter(r -> r.authority().contains(authorityUpper));
+                    .filter(r -> r != null && r.authority().contains(authorityUpper));
+            allowNoRole = false;
         }
         List<RoleAuthority> authoritiesAllowed = authoritiesFiltered.collect(Collectors.toList());
         if (authoritiesAllowed.isEmpty()) {
@@ -66,18 +69,21 @@ private void filterRoles(PredicateBuilder predicates, Join<User, Role> roleJoin,
             return;
         }
 
-        determineScope(predicates, roleJoin, query, authoritiesAllowed);
+        determineScope(predicates, roleJoin, query, authoritiesAllowed, allowNoRole);
     }
 
     private void determineScope(
             PredicateBuilder predicates,
             Join<User, Role> roleJoin,
             CriteriaQuery<?> query,
-            List<RoleAuthority> authoritiesAllowed) {
+            List<RoleAuthority> authoritiesAllowed,
+            boolean allowNoRole) {
         PredicateBuilder authorityPredicates = predicates.newBuilder();
 
+        boolean allowNoRoleInScope = allowNoRole;
         // Is organization admin
         if (predicates.isValidValue(projectName)) {
+            allowNoRoleInScope = false;
             // Is project admin
             entitySubquery(RoleAuthority.Scope.PROJECT, roleJoin,
                     query, authorityPredicates, authoritiesAllowed,
@@ -91,6 +97,7 @@ private void determineScope(
                                 org.join("projects").get("projectName"), projectName));
             }
         } else if (predicates.isValidValue(organization)) {
+            allowNoRoleInScope = false;
             entitySubquery(RoleAuthority.Scope.ORGANIZATION, roleJoin,
                     query, authorityPredicates, authoritiesAllowed,
                     (b, org) -> b.likeLower(org.get("name"), organization));
@@ -104,6 +111,9 @@ private void determineScope(
             addAllowedAuthorities(authorityPredicates, roleJoin, authoritiesAllowed,
                     RoleAuthority.Scope.GLOBAL);
         }
+        if (allowNoRoleInScope) {
+            authorityPredicates.isNull(roleJoin.get("id"));
+        }
 
         predicates.add(authorityPredicates.toOrPredicate());
     }

src/main/java/org/radarbase/management/security/ClaimsTokenEnhancer.java

@@ -18,6 +18,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.actuate.audit.AuditEvent;
 import org.springframework.boot.actuate.audit.AuditEventRepository;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
@@ -44,13 +45,14 @@ public class ClaimsTokenEnhancer implements TokenEnhancer, InitializingBean {
     @Override
     public OAuth2AccessToken enhance(OAuth2AccessToken accessToken,
             OAuth2Authentication authentication) {
-        logger.debug("Enhancing token {} with authentication {}" , accessToken, authentication);
+        logger.debug("Enhancing token of authentication {}" , authentication);
 
         Map<String, Object> additionalInfo = new HashMap<>();
 
         String userName = authentication.getName();
 
-        if (authentication.getPrincipal() instanceof Principal) {
+        if (authentication.getPrincipal() instanceof Principal
+                || authentication.getPrincipal() instanceof UserDetails) {
             // add the 'sub' claim in accordance with JWT spec
             additionalInfo.put("sub", userName);
 

src/main/java/org/radarbase/management/security/JwtAuthenticationFilter.java

@@ -2,7 +2,9 @@
 
 import org.radarbase.auth.authentication.TokenValidator;
 import org.radarbase.auth.exception.TokenValidationException;
+import org.radarbase.auth.token.AuthorityReference;
 import org.radarbase.auth.token.RadarToken;
+import org.radarbase.management.repository.UserRepository;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpHeaders;
@@ -26,6 +28,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
+import java.util.stream.Collectors;
 
 /**
  * Created by dverbeec on 29/09/2017.
@@ -36,16 +39,19 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
     private final AuthenticationManager authenticationManager;
     public static final String TOKEN_ATTRIBUTE = "jwt";
     private final List<AntPathRequestMatcher> ignoreUrls;
+    private final UserRepository userRepository;
 
     /**
      * Authentication filter using given validator.
      * @param validator validates the JWT token.
      * @param authenticationManager authentication manager to pass valid authentication to.
      */
     public JwtAuthenticationFilter(TokenValidator validator,
-            AuthenticationManager authenticationManager) {
+            AuthenticationManager authenticationManager,
+            UserRepository userRepository) {
         this.validator = validator;
         this.authenticationManager = authenticationManager;
+        this.userRepository = userRepository;
         this.ignoreUrls = new ArrayList<>();
     }
 
@@ -73,29 +79,58 @@ protected void doFilterInternal(@Nonnull HttpServletRequest httpRequest,
         }
 
         HttpSession session = httpRequest.getSession(false);
-        RadarToken token = null;
+        SessionRadarToken token = null;
         if (session != null) {
-            token = (RadarToken) session.getAttribute(TOKEN_ATTRIBUTE);
+            token = SessionRadarToken.from((RadarToken) session.getAttribute(TOKEN_ATTRIBUTE));
         }
         if (token == null) {
             try {
-                token = validator.validateAccessToken(getToken(httpRequest,
-                        httpResponse));
+                token = SessionRadarToken.from(validator.validateAccessToken(getToken(httpRequest,
+                        httpResponse)));
             } catch (TokenValidationException ex) {
                 logger.error(ex.getMessage());
                 httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                 httpResponse.setHeader(HttpHeaders.WWW_AUTHENTICATE, OAuth2AccessToken.BEARER_TYPE);
                 httpResponse.getOutputStream().println(
                         "{\"error\": \"" + "Unauthorized" + ",\n"
                                 + "\"status\": \"" + HttpServletResponse.SC_UNAUTHORIZED + ",\n"
-                                + "\"message\": \"" + ex.getMessage() + ",\n"
+                                + "\"message\": \"" + ex.getMessage() + "\",\n"
+                                + "\"path\": \"" + httpRequest.getRequestURI() + "\n"
+                                + "\"}");
+                return;
+            }
+        } else if (!token.isClientCredentials()) {
+            var user = userRepository.findOneByLogin(token.getUsername());
+            if (user.isPresent()) {
+                var roles = user.get().getRoles().stream()
+                        .map(role -> {
+                            var auth = role.getRole();
+                            return switch (role.getRole().scope()) {
+                                case GLOBAL -> new AuthorityReference(auth);
+                                case ORGANIZATION -> new AuthorityReference(auth,
+                                        role.getOrganization().getName());
+                                case PROJECT -> new AuthorityReference(auth,
+                                        role.getProject().getProjectName());
+                            };
+                        })
+                        .collect(Collectors.toSet());
+                token = token.withRoles(roles);
+            } else {
+                session.removeAttribute(TOKEN_ATTRIBUTE);
+                httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+                httpResponse.setHeader(HttpHeaders.WWW_AUTHENTICATE, OAuth2AccessToken.BEARER_TYPE);
+                httpResponse.getOutputStream().println(
+                        "{\"error\": \"" + "Unauthorized" + ",\n"
+                                + "\"status\": \"" + HttpServletResponse.SC_UNAUTHORIZED + ",\n"
+                                + "\"message\": \"User not found\",\n"
                                 + "\"path\": \"" + httpRequest.getRequestURI() + "\n"
                                 + "\"}");
                 return;
             }
         }
+
         httpRequest.setAttribute(TOKEN_ATTRIBUTE, token);
-        RadarAuthentication authentication = new RadarAuthentication(new SessionRadarToken(token));
+        RadarAuthentication authentication = new RadarAuthentication(token);
         authenticationManager.authenticate(authentication);
         SecurityContextHolder.getContext().setAuthentication(authentication);
         chain.doFilter(httpRequest, httpResponse);

src/main/java/org/radarbase/management/security/SessionRadarToken.java

@@ -36,7 +36,12 @@ public class SessionRadarToken extends AbstractRadarToken implements Serializabl
 
     /** Instantiate a serializable session token by copying an existing RadarToken. */
     public SessionRadarToken(RadarToken token) {
-        this.roles = Set.copyOf(token.getRoles());
+        this(token, token.getRoles());
+    }
+
+    /** Instantiate a serializable session token by copying an existing RadarToken. */
+    private SessionRadarToken(RadarToken token, Set<AuthorityReference> roles) {
+        this.roles = Set.copyOf(roles);
         this.subject = token.getSubject();
         this.token = token.getToken();
         this.scopes = List.copyOf(token.getScopes());
@@ -131,4 +136,20 @@ public List<String> getClaimList(String name) {
     public String getUsername() {
         return username;
     }
+
+    public SessionRadarToken withRoles(Set<AuthorityReference> roles) {
+        return new SessionRadarToken(this, roles);
+    }
+
+    /**
+     * Create a new token.
+     * @return null if provided null, a session radar token otherwise.
+     */
+    public static SessionRadarToken from(RadarToken token) {
+        if (token == null) {
+            return null;
+        } else {
+            return new SessionRadarToken(token);
+        }
+    }
 }

src/main/java/org/radarbase/management/service/OrganizationService.java

@@ -67,10 +67,10 @@ public OrganizationDTO save(OrganizationDTO organizationDto) {
      */
     @Transactional(readOnly = true)
     public List<OrganizationDTO> findAll() {
-        Stream<Organization> organizationsOfUser;
+        List<Organization> organizationsOfUser;
 
         if (token.hasGlobalAuthorityForPermission(ORGANIZATION_READ)) {
-            organizationsOfUser = organizationRepository.findAll().stream();
+            organizationsOfUser = organizationRepository.findAll();
         } else {
             List<String> projectNames = token.getReferentsWithPermission(
                     RoleAuthority.Scope.PROJECT, ORGANIZATION_READ)
@@ -86,12 +86,11 @@ public List<OrganizationDTO> findAll() {
                     .filter(Objects::nonNull);
 
             organizationsOfUser = Stream.concat(organizationsOfRole, organizationsOfProject)
-                    .distinct();
+                    .distinct()
+                    .collect(Collectors.toList());
         }
 
-        return organizationsOfUser
-            .map(organizationMapper::organizationToOrganizationDTO)
-            .collect(Collectors.toList());
+        return organizationMapper.organizationsToOrganizationDTOs(organizationsOfUser);
     }
 
     /**

src/main/java/org/radarbase/management/service/UserService.java

@@ -282,23 +282,28 @@ public void updateUser(String userName, String firstName, String lastName,
      * Update all information for a specific user, and return the modified user.
      *
      * @param userDto user to update
+     * @param updateProperties should update the user properties
      * @return updated user
      */
     @Transactional
-    public Optional<UserDTO> updateUser(UserDTO userDto) throws NotAuthorizedException {
+    public Optional<UserDTO> updateUser(
+            UserDTO userDto, boolean updateProperties) throws NotAuthorizedException {
         Optional<User> userOpt = userRepository.findById(userDto.getId());
         if (userOpt.isPresent()) {
             User user = userOpt.get();
-            user.setLogin(userDto.getLogin());
-            user.setFirstName(userDto.getFirstName());
-            user.setLastName(userDto.getLastName());
-            user.setEmail(userDto.getEmail());
-            user.setActivated(userDto.isActivated());
-            user.setLangKey(userDto.getLangKey());
+            if (updateProperties) {
+                user.setLogin(userDto.getLogin());
+                user.setFirstName(userDto.getFirstName());
+                user.setLastName(userDto.getLastName());
+                user.setEmail(userDto.getEmail());
+                user.setActivated(userDto.isActivated());
+                user.setLangKey(userDto.getLangKey());
+            }
             Set<Role> managedRoles = user.getRoles();
             Set<Role> oldRoles = Set.copyOf(managedRoles);
             managedRoles.clear();
             managedRoles.addAll(getUserRoles(userDto.getRoles(), oldRoles));
+
             user = userRepository.save(user);
             log.debug("Changed Information for User: {}", user);
             return Optional.of(userMapper.userToUserDTO(user));

src/main/java/org/radarbase/management/service/dto/AuthorityDTO.java

@@ -0,0 +1,33 @@
+package org.radarbase.management.service.dto;
+
+import org.radarbase.auth.authorization.RoleAuthority;
+
+public class AuthorityDTO {
+    private String name;
+    private String scope;
+
+    public AuthorityDTO() {
+        // POJO constructor
+    }
+
+    public AuthorityDTO(RoleAuthority role) {
+        this.name = role.authority();
+        this.scope = role.scope().name();
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public String getScope() {
+        return scope;
+    }
+
+    public void setScope(String scope) {
+        this.scope = scope;
+    }
+}