Assume login feature

[KevinVdV]

References

Add references/links to any related tickets or PRs. These may include:

• Link to REST Contract

Description

Rest api implementation for the assume login feature. Included are the actual "login as" implementation by making use of the "X-On-Behalf-Of" header & code to support "loginOnBehalfOf" on the "features" feature.

Instructions for Reviewers

Please add a more detailed description of the changes made by your PR. At a minimum, providing a bulleted list of changes in your PR is helpful to reviewers.

List of changes in this PR:

• StatelessAuthenticationFilter: contains the code for the actual "login as"
• LoginOnBehalfOfFeature: contains the code for the feature

Checklist

This checklist provides a reminder of what we are going to look for when reviewing your PR. You need not complete this checklist prior to creating your PR (draft PRs are always welcome). If you are unsure about an item in the checklist, don't hesitate to ask. We're here to help!

• My PR is small in size (e.g. less than 1,000 lines of code, not including comments & integration tests). Exceptions may be made if previously agreed upon.
• My PR passes Checkstyle validation based on the Code Style Guide
• My PR includes Javadoc for all new (or modified) public methods and classes. It also includes Javadoc for large or complex private methods.
• My PR passes all tests and includes new/updated Unit or Integration Tests for any bug fixes, improvements or new features. A few reminders about what constitutes good tests:
  • Include tests for different user types, including: (1) Anonymous user, (2) Logged in user (non-admin), and (3) Administrator.
  • Include tests for known error scenarios and error codes (e.g. 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, etc)
  • For bug fixes, include a test that reproduces the bug and proves it is fixed. For clarity, it may be useful to provide the test in a separate commit from the bug fix.
• If my PR includes new, third-party dependencies (in any pom.xml), I've made sure their licenses align with the DSpace BSD License based on the Licensing of Contributions documentation.
• If my PR modifies the REST API, I've linked to the REST Contract page (or open PR) related to this change.

[abollini]

I have added just minor suggestions about the IT. The only coding issue is related to the use of an instance attribute in the Spring Security Filter that should be removed (maybe refactoring the code to use a custom exception)

[abollini]

I suggest to support also EPersonRest object as we will need a way to inform the UI that the loginAs can or cannot be used on a specific user (You cannot assume the login of another admin in the current version)

[abollini]

please move this test in a dedicated class. This class should contains only general tests to validate the authorization framework and not specific features. See for instance https://github.com/DSpace/DSpace/blob/0039b309d11e3d55a2a92699b25458fe9bfc4740/dspace-server-webapp/src/test/java/org/dspace/app/rest/authorization/WithdrawFeatureRestIT.java

[abollini]

I would suggest to check for an empty list here instead than exclude the authorization object

[KevinVdV]

@abollini We can't test on an empty list here as some features are always returned by default. For example the "AlwaysTrueFeature". As we can't anticipate which features will be returned it would be best to check for an exclusion.

[abollini]

we should have test to verify that we cannot loginas another admin

[abollini]

this cannot be an instance attribute otherwise there are issue when multiple login request are processed at the same time

[abollini]

it is not really needed, we can simplify the code here

[abollini]

the turnOff is not really needed

[abollini]

I would suggest to don't revert the configuration manually here the change as this is already done in a Before method (just to avoid in future confusion in other developers)

[tdonohue]

@KevinVdV : Besides what @abollini has already noted (which I agree with), I added one other request about simply refactoring the filter to remove the isErrorOnBehalfOf flag altogether (as I agree it's fragile, and it's not really necessary anyways).

[KevinVdV]

@tdonohue @abollini We have processed your test feedback, let us know if there is anything else or if we missed something.

[benbosman]

I've deployed and tested this branch, and I couldn't see any problems.
I was able to verify:

• Without webui.user.assumelogin = true the X-On-Behalf-Of header is denied
• With webui.user.assumelogin = true the pages return the content based on the user's permissions, including e.g. the workflow tasks, or claiming a workflow task
• With webui.user.assumelogin = true the pages return forbidden for pages the user is not authorized to use

[tdonohue]

@KevinVdV : I gave this another review today. While I think it's looking better, the Pair logic seems really odd to me. I'd like to either better understand why you decided on this route (which means better code commenting here), or replace it with normal error handling. See more inline below.

[KevinVdV]

@tdonohue We have processed your feedback, can you review again ?

[abollini]

thanks @Raf-atmire to have addressed my feedback. I have just added a small cleanup comment inline

[abollini]

all my feedback have been processed. Can be merged once @tdonohue is satisfied

[tdonohue]

👍 Looks good to me now. Thanks @KevinVdV and @Raf-atmire