MID-3690 fix for url pattern matching in security

(cherry picked from commit 3cb2436)

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/application/DescriptorLoader.java

@@ -25,8 +25,10 @@
 import com.evolveum.midpoint.util.logging.Trace;
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.web.security.MidPointApplication;
+import com.evolveum.midpoint.web.util.ExactMatchMountedMapper;
 import com.evolveum.midpoint.xml.ns._public.gui.admin_1.DescriptorType;
 import com.evolveum.midpoint.xml.ns._public.gui.admin_1.ObjectFactory;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.wicket.core.request.mapper.MountedMapper;
 import org.apache.wicket.markup.html.WebPage;
 import org.apache.wicket.request.mapper.parameter.IPageParametersEncoder;
@@ -133,48 +135,80 @@ private void scanPackagesForPages(List<String> packages, MidPointApplication app
     }
 
     private void loadActions(PageDescriptor descriptor) {
-        for (String url : descriptor.url()) {
-            List<AuthorizationActionValue> actions = new ArrayList<>();
+        List<AuthorizationActionValue> actions = new ArrayList<>();
 
-            //avoid of setting guiAll authz for "public" pages (e.g. login page)
-            if (descriptor.action() == null || descriptor.action().length == 0) {
-                return;
-            }
+        //avoid of setting guiAll authz for "public" pages (e.g. login page)
+        if (descriptor.action() == null || descriptor.action().length == 0) {
+            return;
+        }
 
-            boolean canAccess = true;
+        boolean canAccess = true;
 
-            for (AuthorizationAction action : descriptor.action()) {
-                actions.add(new AuthorizationActionValue(action.actionUri(), action.label(), action.description()));
-                if (AuthorizationConstants.AUTZ_NO_ACCESS_URL.equals(action.actionUri())) {
-                    canAccess = false;
-                    break;
-                }
+        for (AuthorizationAction action : descriptor.action()) {
+            actions.add(new AuthorizationActionValue(action.actionUri(), action.label(), action.description()));
+            if (AuthorizationConstants.AUTZ_NO_ACCESS_URL.equals(action.actionUri())) {
+                canAccess = false;
+                break;
             }
+        }
 
-            //add http://.../..#guiAll authorization only for displayable pages, not for pages used for development..
-            if (canAccess) {
+        //add http://.../..#guiAll authorization only for displayable pages, not for pages used for development..
+        if (canAccess) {
 
-                actions.add(new AuthorizationActionValue(AuthorizationConstants.AUTZ_GUI_ALL_DEPRECATED_URL,
-                        AuthorizationConstants.AUTZ_GUI_ALL_LABEL, AuthorizationConstants.AUTZ_GUI_ALL_DESCRIPTION));
-                actions.add(new AuthorizationActionValue(AuthorizationConstants.AUTZ_GUI_ALL_URL,
-                        AuthorizationConstants.AUTZ_GUI_ALL_LABEL, AuthorizationConstants.AUTZ_GUI_ALL_DESCRIPTION));
+            actions.add(new AuthorizationActionValue(AuthorizationConstants.AUTZ_GUI_ALL_DEPRECATED_URL,
+                    AuthorizationConstants.AUTZ_GUI_ALL_LABEL, AuthorizationConstants.AUTZ_GUI_ALL_DESCRIPTION));
+            actions.add(new AuthorizationActionValue(AuthorizationConstants.AUTZ_GUI_ALL_URL,
+                    AuthorizationConstants.AUTZ_GUI_ALL_LABEL, AuthorizationConstants.AUTZ_GUI_ALL_DESCRIPTION));
+        }
+
+        for (String url : descriptor.url()) {
+            this.actions.put(buildPrefixUrl(url), actions.toArray(new DisplayableValue[actions.size()]));
+        }
+
+        for (Url url : descriptor.urls()) {
+            String urlForSecurity = url.matchUrlForSecurity();
+            if (StringUtils.isEmpty(urlForSecurity)) {
+                urlForSecurity = buildPrefixUrl(url.mountUrl());
             }
-            this.actions.put(url, actions.toArray(new DisplayableValue[actions.size()]));
+            this.actions.put(urlForSecurity, actions.toArray(new DisplayableValue[actions.size()]));
+        }
+    }
+
+    public String buildPrefixUrl(String url) {
+        StringBuilder sb = new StringBuilder();
+        sb.append(url);
+
+        if (!url.endsWith("/")) {
+            sb.append("/");
         }
+        sb.append("**");
+
+        return sb.toString();
     }
 
     private void mountPage(PageDescriptor descriptor, Class clazz, MidPointApplication application)
             throws InstantiationException, IllegalAccessException {
 
+        //todo remove for cycle later
         for (String url : descriptor.url()) {
             IPageParametersEncoder encoder = descriptor.encoder().newInstance();
 
             LOGGER.trace("Mounting page '{}' to url '{}' with encoder '{}'.", new Object[]{
                     clazz.getName(), url, encoder.getClass().getSimpleName()});
 
-            application.mount(new MountedMapper(url, clazz, encoder));
+            application.mount(new ExactMatchMountedMapper(url, clazz, encoder));
             urlClassMap.put(url, clazz);
         }
+
+        for (Url url : descriptor.urls()) {
+            IPageParametersEncoder encoder = descriptor.encoder().newInstance();
+
+            LOGGER.trace("Mounting page '{}' to url '{}' with encoder '{}'.", new Object[]{
+                    clazz.getName(), url, encoder.getClass().getSimpleName()});
+
+            application.mount(new ExactMatchMountedMapper(url.mountUrl(), clazz, encoder));
+            urlClassMap.put(url.mountUrl(), clazz);
+        }
     }
 
 	@Override

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/application/PageDescriptor.java

@@ -16,8 +16,8 @@
 
 package com.evolveum.midpoint.web.application;
 
-import com.evolveum.midpoint.web.util.MidPointPageParametersEncoder;
 import org.apache.wicket.request.mapper.parameter.IPageParametersEncoder;
+import org.apache.wicket.request.mapper.parameter.PageParametersEncoder;
 
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
@@ -28,9 +28,16 @@
 @Retention(RetentionPolicy.RUNTIME)
 public @interface PageDescriptor {
 
-    String[] url();
+    /**
+     * Please use {@link PageDescriptor#urls()}
+     * @return
+     */
+    @Deprecated
+    String[] url() default {};
 
-    Class<? extends IPageParametersEncoder> encoder() default MidPointPageParametersEncoder.class;
+    Url[] urls() default {};
+
+    Class<? extends IPageParametersEncoder> encoder() default PageParametersEncoder.class;
 
     AuthorizationAction[] action() default {};
 }

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/application/Url.java

@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2010-2017 Evolveum
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.evolveum.midpoint.web.application;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+
+/**
+ * @author lazyman
+ */
+@Retention(RetentionPolicy.RUNTIME)
+public @interface Url {
+
+    String mountUrl();
+
+    /**
+     * If empty {@link Url#mountUrl()} + "/**" will be used for URL ant pattern matching in security configuration.
+     * See {@link DescriptorLoader}, {@link com.evolveum.midpoint.web.security.MidPointGuiAuthorizationEvaluator}.
+     */
+    String matchUrlForSecurity() default "";
+}

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/configuration/PageSystemConfiguration.java

@@ -20,6 +20,7 @@
 import java.util.Collection;
 import java.util.List;
 
+import com.evolveum.midpoint.web.application.Url;
 import com.evolveum.midpoint.web.page.admin.configuration.component.*;
 import com.evolveum.midpoint.web.page.admin.configuration.dto.*;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
@@ -58,9 +59,19 @@
 /**
  * @author lazyman
  */
-@PageDescriptor(url = { "/admin/config", "/admin/config/system" }, action = {
-		@AuthorizationAction(actionUri = PageAdminConfiguration.AUTH_CONFIGURATION_ALL, label = PageAdminConfiguration.AUTH_CONFIGURATION_ALL_LABEL, description = PageAdminConfiguration.AUTH_CONFIGURATION_ALL_DESCRIPTION),
-		@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_UI_CONFIGURATION_SYSTEM_CONFIG_URL, label = "PageSystemConfiguration.auth.configSystemConfiguration.label", description = "PageSystemConfiguration.auth.configSystemConfiguration.description") })
+@PageDescriptor(
+		urls = {
+				@Url(mountUrl = "/admin/config", matchUrlForSecurity = "/admin/config"),
+				@Url(mountUrl = "/admin/config/system"),
+		},
+		action = {
+				@AuthorizationAction(actionUri = PageAdminConfiguration.AUTH_CONFIGURATION_ALL,
+						label = PageAdminConfiguration.AUTH_CONFIGURATION_ALL_LABEL,
+						description = PageAdminConfiguration.AUTH_CONFIGURATION_ALL_DESCRIPTION),
+				@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_UI_CONFIGURATION_SYSTEM_CONFIG_URL,
+						label = "PageSystemConfiguration.auth.configSystemConfiguration.label",
+						description = "PageSystemConfiguration.auth.configSystemConfiguration.description")
+		})
 public class PageSystemConfiguration extends PageAdminConfiguration {
 
 	public static final String SELECTED_TAB_INDEX = "tab";

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/home/PageDashboard.java

@@ -15,6 +15,7 @@
  */
 package com.evolveum.midpoint.web.page.admin.home;
 
+import com.evolveum.midpoint.web.application.Url;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.*;
 import org.apache.wicket.Component;
 import org.apache.wicket.model.Model;
@@ -51,11 +52,19 @@
 /**
  * @author lazyman
  */
-@PageDescriptor(url = {"/admin/dashboard", "/admin"}, action = {
-        @AuthorizationAction(actionUri = PageAdminHome.AUTH_HOME_ALL_URI,
-                label = PageAdminHome.AUTH_HOME_ALL_LABEL, description = PageAdminHome.AUTH_HOME_ALL_DESCRIPTION),
-        @AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_UI_DASHBOARD_URL,
-                label = "PageDashboard.auth.dashboard.label", description = "PageDashboard.auth.dashboard.description")})
+@PageDescriptor(
+		urls = {
+				@Url(mountUrl = "/admin", matchUrlForSecurity = "/admin"),
+				@Url(mountUrl = "/admin/dashboard"),
+		},
+		action = {
+				@AuthorizationAction(actionUri = PageAdminHome.AUTH_HOME_ALL_URI,
+						label = PageAdminHome.AUTH_HOME_ALL_LABEL,
+						description = PageAdminHome.AUTH_HOME_ALL_DESCRIPTION),
+				@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_UI_DASHBOARD_URL,
+						label = "PageDashboard.auth.dashboard.label",
+						description = "PageDashboard.auth.dashboard.description")
+		})
 public class PageDashboard extends PageAdminHome {
 	private static final long serialVersionUID = 1L;
 

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/reports/PageReports.java

@@ -31,6 +31,7 @@
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.web.application.AuthorizationAction;
 import com.evolveum.midpoint.web.application.PageDescriptor;
+import com.evolveum.midpoint.web.application.Url;
 import com.evolveum.midpoint.web.component.BasicSearchPanel;
 import com.evolveum.midpoint.web.component.data.BoxedTablePanel;
 import com.evolveum.midpoint.web.component.data.ObjectDataProvider;
@@ -72,7 +73,11 @@
 /**
  * @author lazyman
  */
-@PageDescriptor(url = "/admin/reports", action = {
+@PageDescriptor(
+        urls = {
+            @Url(mountUrl = "/admin/reports", matchUrlForSecurity = "/admin/reports")
+        },
+        action = {
         @AuthorizationAction(actionUri = PageAdminReports.AUTH_REPORTS_ALL,
                 label = PageAdminConfiguration.AUTH_CONFIGURATION_ALL_LABEL,
                 description = PageAdminConfiguration.AUTH_CONFIGURATION_ALL_DESCRIPTION),

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/PageResource.java

@@ -15,10 +15,8 @@
  */
 package com.evolveum.midpoint.web.page.admin.resources;
 
-import com.evolveum.midpoint.gui.api.component.result.OpResult;
 import com.evolveum.midpoint.gui.api.component.tabs.PanelTab;
 import com.evolveum.midpoint.gui.api.model.LoadableModel;
-import com.evolveum.midpoint.gui.api.page.PageBase;
 import com.evolveum.midpoint.gui.api.util.WebComponentUtil;
 import com.evolveum.midpoint.gui.api.util.WebModelServiceUtils;
 import com.evolveum.midpoint.model.api.util.ResourceUtils;
@@ -34,6 +32,7 @@
 import com.evolveum.midpoint.util.logging.TraceManager;
 import com.evolveum.midpoint.web.application.AuthorizationAction;
 import com.evolveum.midpoint.web.application.PageDescriptor;
+import com.evolveum.midpoint.web.application.Url;
 import com.evolveum.midpoint.web.component.AjaxButton;
 import com.evolveum.midpoint.web.component.AjaxTabbedPanel;
 import com.evolveum.midpoint.web.page.admin.configuration.PageDebugView;
@@ -42,13 +41,10 @@
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ShadowKindType;
 import org.apache.commons.lang.StringUtils;
-import org.apache.wicket.ajax.AjaxEventBehavior;
 import org.apache.wicket.ajax.AjaxRequestTarget;
 import org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow;
 import org.apache.wicket.extensions.markup.html.tabs.ITab;
 import org.apache.wicket.markup.html.WebMarkupContainer;
-import org.apache.wicket.markup.repeater.RepeatingView;
-import org.apache.wicket.model.util.ListModel;
 import org.apache.wicket.request.mapper.parameter.PageParameters;
 
 import java.util.ArrayList;
@@ -58,9 +54,18 @@
 /**
  * @author katkav
  */
-@PageDescriptor(url = "/admin/resource", encoder = OnePageParameterEncoder.class, action = {
-		@AuthorizationAction(actionUri = PageAdminResources.AUTH_RESOURCE_ALL, label = PageAdminResources.AUTH_RESOURCE_ALL_LABEL, description = PageAdminResources.AUTH_RESOURCE_ALL_DESCRIPTION),
-		@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_UI_RESOURCE_URL, label = "PageResource.auth.resource.label", description = "PageResource.auth.resource.description") })
+@PageDescriptor(
+		urls = {
+				@Url(mountUrl = "/admin/resource", matchUrlForSecurity = "/admin/resource")
+		},
+		action = {
+				@AuthorizationAction(actionUri = PageAdminResources.AUTH_RESOURCE_ALL,
+						label = PageAdminResources.AUTH_RESOURCE_ALL_LABEL,
+						description = PageAdminResources.AUTH_RESOURCE_ALL_DESCRIPTION),
+				@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_UI_RESOURCE_URL,
+						label = "PageResource.auth.resource.label",
+						description = "PageResource.auth.resource.description")
+		})
 public class PageResource extends PageAdminResources {
 	private static final long serialVersionUID = 1L;
 

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/PageResourceVisualization.java

@@ -34,7 +34,6 @@
 import com.evolveum.midpoint.web.component.util.VisibleEnableBehaviour;
 import com.evolveum.midpoint.web.page.admin.PageAdmin;
 import com.evolveum.midpoint.web.page.admin.resources.dto.ResourceVisualizationDto;
-import com.evolveum.midpoint.web.util.MidPointPageParametersEncoder;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
 import org.apache.commons.configuration.Configuration;
 import org.apache.wicket.ajax.AjaxRequestTarget;
@@ -51,7 +50,7 @@
 /**
  * @author mederly
  */
-@PageDescriptor(url = "/admin/resources/visualization", encoder = MidPointPageParametersEncoder.class, action = {
+@PageDescriptor(url = "/admin/resources/visualization", action = {
 		@AuthorizationAction(actionUri = PageAdminResources.AUTH_RESOURCE_ALL,
 				label = PageAdminResources.AUTH_RESOURCE_ALL_LABEL,
 				description = PageAdminResources.AUTH_RESOURCE_ALL_DESCRIPTION),

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/PageResourceWizard.java

@@ -38,7 +38,6 @@
 import com.evolveum.midpoint.web.component.wizard.WizardStep;
 import com.evolveum.midpoint.web.component.wizard.resource.*;
 import com.evolveum.midpoint.web.page.error.PageError;
-import com.evolveum.midpoint.web.util.MidPointPageParametersEncoder;
 import com.evolveum.midpoint.xml.ns._public.common.common_3.ResourceType;
 import org.apache.wicket.Component;
 import org.apache.wicket.RestartResponseException;
@@ -59,7 +58,7 @@
 /**
  * @author lazyman
  */
-@PageDescriptor(url = "/admin/resources/wizard", encoder = MidPointPageParametersEncoder.class, action = {
+@PageDescriptor(url = "/admin/resources/wizard", action = {
         @AuthorizationAction(actionUri = PageAdminResources.AUTH_RESOURCE_ALL,
             label = PageAdminResources.AUTH_RESOURCE_ALL_LABEL,
             description = PageAdminResources.AUTH_RESOURCE_ALL_DESCRIPTION),

gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/resources/PageResources.java

@@ -20,6 +20,9 @@
 import java.util.Collection;
 import java.util.List;
 
+import com.evolveum.midpoint.web.application.Url;
+import com.evolveum.midpoint.web.component.data.column.DoubleButtonColumn;
+import com.evolveum.midpoint.web.component.data.column.InlineMenuButtonColumn;
 import com.evolveum.midpoint.web.component.dialog.ConfirmationPanel;
 import com.evolveum.midpoint.web.component.search.*;
 import com.evolveum.midpoint.web.session.PageStorage;
@@ -68,9 +71,18 @@
 /**
  * @author lazyman
  */
-@PageDescriptor(url = "/admin/resources", action = {
-		@AuthorizationAction(actionUri = PageAdminResources.AUTH_RESOURCE_ALL, label = PageAdminResources.AUTH_RESOURCE_ALL_LABEL, description = PageAdminResources.AUTH_RESOURCE_ALL_DESCRIPTION),
-		@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_UI_RESOURCES_URL, label = "PageResources.auth.resources.label", description = "PageResources.auth.resources.description") })
+@PageDescriptor(
+		urls = {
+				@Url(mountUrl = "/admin/resources", matchUrlForSecurity = "/admin/resources")
+		},
+		action = {
+				@AuthorizationAction(actionUri = PageAdminResources.AUTH_RESOURCE_ALL,
+						label = PageAdminResources.AUTH_RESOURCE_ALL_LABEL,
+						description = PageAdminResources.AUTH_RESOURCE_ALL_DESCRIPTION),
+				@AuthorizationAction(actionUri = AuthorizationConstants.AUTZ_UI_RESOURCES_URL,
+						label = "PageResources.auth.resources.label",
+						description = "PageResources.auth.resources.description")
+		})
 public class PageResources extends PageAdminResources {
 
 	private static final long serialVersionUID = 1L;