MID-9062: revert collecting of authorization during authentication

Evolveum · Oct 2, 2023 · 5966ebf · 5966ebf
1 parent 6da3b6a
commit 5966ebf
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 58 deletions.
diff --git a/...src/main/java/com/evolveum/midpoint/authentication/api/config/MidpointAuthentication.java b/...src/main/java/com/evolveum/midpoint/authentication/api/config/MidpointAuthentication.java
@@ -9,7 +9,6 @@
 import java.util.*;
 import java.util.stream.Stream;
 
-import com.evolveum.midpoint.security.api.Authorization;
 import com.evolveum.midpoint.util.logging.Trace;
 
 import com.evolveum.midpoint.util.logging.TraceManager;
@@ -97,6 +96,13 @@ public class MidpointAuthentication extends AbstractAuthenticationToken implemen
     private String archetypeOid;
     private boolean archetypeSelected;
 
+    /**
+     * Indicates if the profile of midpoint principal was compiled after successful authentication.
+     * It should be recorded only for whole sequence and after the whole sequence
+     * was reliably evaluated. E.g. all modules run and authentication was successful.
+     */
+    private boolean alreadyCompiledGui;
+
     public MidpointAuthentication(AuthenticationSequenceType sequence) {
         super(null);
         this.sequence = sequence;
@@ -667,4 +673,11 @@ public void setToken(Authentication token) {
         moduleAuthentication.setAuthentication(token);
     }
 
+    public boolean isAlreadyCompiledGui() {
+        return alreadyCompiledGui;
+    }
+
+    public void setAlreadyCompiledGui(boolean alreadyCompiledGui) {
+        this.alreadyCompiledGui = alreadyCompiledGui;
+    }
 }
diff --git a/...java/com/evolveum/midpoint/authentication/impl/evaluator/AuthenticationEvaluatorImpl.java b/...java/com/evolveum/midpoint/authentication/impl/evaluator/AuthenticationEvaluatorImpl.java
@@ -96,7 +96,7 @@ protected <C extends AbstractAuthenticationContext> MidPointPrincipal getAndChec
     }
 
     protected ProfileCompilerOptions createOptionForGettingPrincipal() {
-        return ProfileCompilerOptions.createOnlyPrincipalOption();
+        return ProfileCompilerOptions.createOnlyPrincipalOption().collectAuthorization(true);
     }
 
     protected boolean hasNoAuthorizations(MidPointPrincipal principal) {

diff --git a/...olveum/midpoint/authentication/impl/evaluator/CredentialsAuthenticationEvaluatorImpl.java b/...olveum/midpoint/authentication/impl/evaluator/CredentialsAuthenticationEvaluatorImpl.java
@@ -94,33 +94,11 @@ public UsernamePasswordAuthenticationToken authenticate(ConnectionEnvironment co
             throw new BadCredentialsException(AuthUtil.generateBadCredentialsMessageKey(SecurityContextHolder.getContext().getAuthentication()));
         }
 
-//        checkAuthorizations(principal, connEnv, authnCtx);
+        checkAuthorizations(principal, connEnv, authnCtx);
         recordModuleAuthenticationSuccess(principal, connEnv);
         return new UsernamePasswordAuthenticationToken(principal, authnCtx.getEnteredCredential(), principal.getAuthorities());
     }
 
-//    @Override
-//    @NotNull
-//    public FocusType checkCredentials(ConnectionEnvironment connEnv, T authnCtx)
-//            throws BadCredentialsException, AuthenticationCredentialsNotFoundException, DisabledException, LockedException,
-//            CredentialsExpiredException, AuthenticationServiceException, AccessDeniedException, UsernameNotFoundException {
-//
-//        checkEnteredCredentials(connEnv, authnCtx);
-//
-//        MidPointPrincipal principal = getAndCheckPrincipal(connEnv, authnCtx, false);
-//
-//        FocusType focusType = principal.getFocus();
-//        CredentialPolicyType credentialsPolicy = getCredentialsPolicy(principal, authnCtx);
-//
-//        if (!checkCredentials(principal, authnCtx, connEnv)) {
-//            recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, credentialsPolicy, "password mismatch");
-//            throw new BadCredentialsException(AuthUtil.generateBadCredentialsMessageKey(SecurityContextHolder.getContext().getAuthentication()));
-//        }
-//        checkAuthorizations(principal, connEnv, authnCtx);
-//        recordModuleAuthenticationSuccess(principal, connEnv, false);
-//        return focusType;
-//    }
-
     private void checkAuthorizations(MidPointPrincipal principal, @NotNull ConnectionEnvironment connEnv, T authnCtx) {
         if (supportsAuthzCheck()) {
             // Authorizations
@@ -321,34 +299,14 @@ private LoginEventType getLastFailedLogin(AuthenticationAttemptDataType authenti
         return authenticationAttemptData.getLastFailedAuthentication();
     }
 
-//    protected void recordModuleAuthenticationSuccess(@NotNull MidPointPrincipal principal, @NotNull ConnectionEnvironment connEnv,
-//            boolean audit) {
-//        authenticationRecorder.recordModuleAuthenticationAttemptSuccess(principal, connEnv);
-//    }
-//
-//    protected void recordModuleAuthenticationFailure(String username, MidPointPrincipal principal, @NotNull ConnectionEnvironment connEnv,
-//            CredentialPolicyType credentialsPolicy, String reason) {
-//        if (principal != null) {
-//            authenticationRecorder.recordModuleAuthenticationAttemptFailure(principal, credentialsPolicy, connEnv);
-//        }
-//        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-//        if (authentication instanceof MidpointAuthentication) {
-//            MidpointAuthentication mpAuthentication = (MidpointAuthentication) authentication;
-//            ModuleAuthentication moduleAuthentication = mpAuthentication.getProcessingModuleAuthentication();
-//            if (moduleAuthentication != null) {
-//                moduleAuthentication.setFailureData(new AutheticationFailedData(reason, username));
-//            }
-//        }
-//    }
-
     public AuthenticationAttemptDataType getAuthenticationData(MidPointPrincipal principal, ConnectionEnvironment connectionEnvironment) {
         return AuthUtil.findAuthAttemptDataForModule(connectionEnvironment, principal);
     }
 
     @Override
     protected ProfileCompilerOptions createOptionForGettingPrincipal() {
         return ProfileCompilerOptions.createNotCompileGuiAdminConfiguration()
-                .collectAuthorization(false)
+                .collectAuthorization(true)
                 .locateSecurityPolicy(true);
     }
 }
diff --git a/...va/com/evolveum/midpoint/authentication/impl/evaluator/PreAuthenticatedEvaluatorImpl.java b/...va/com/evolveum/midpoint/authentication/impl/evaluator/PreAuthenticatedEvaluatorImpl.java
@@ -49,10 +49,10 @@ public PreAuthenticatedAuthenticationToken authenticate(
         MidPointPrincipal principal = getAndCheckPrincipal(connEnv, authnCtx, authnCtx.isSupportActivationByChannel());
 
         // Authorizations
-//        if (hasNoAuthorizations(principal)) {
-//            recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "no authorizations");
-//            throw new DisabledException("web.security.provider.access.denied");
-//        }
+        if (hasNoAuthorizations(principal)) {
+            recordModuleAuthenticationFailure(principal.getUsername(), principal, connEnv, null, "no authorizations");
+            throw new DisabledException("web.security.provider.access.denied");
+        }
 
         if (AuthenticationEvaluatorUtil.checkRequiredAssignmentTargets(principal.getFocus(), authnCtx.getRequireAssignments())) {
             PreAuthenticatedAuthenticationToken token = new PreAuthenticatedAuthenticationToken(principal, null, principal.getAuthorities());

diff --git a/...ain/java/com/evolveum/midpoint/authentication/impl/filter/FinishAuthenticationFilter.java b/...ain/java/com/evolveum/midpoint/authentication/impl/filter/FinishAuthenticationFilter.java
@@ -61,13 +61,12 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
         LOGGER.trace("Running FinishAuthenticationFilter");
 
         Authentication authentication = SecurityUtil.getAuthentication();
-        if (!(authentication instanceof MidpointAuthentication)) {
+        if (!(authentication instanceof MidpointAuthentication mpAuthentication)) {
             LOGGER.trace("No MidpointAuthentication present, continue with filter chain");
             filterChain.doFilter(request, response);
             return;
         }
 
-        MidpointAuthentication mpAuthentication = (MidpointAuthentication) authentication;
         if (!mpAuthentication.isAuthenticated()) {
             LOGGER.trace("Skipping compile principal profile, failed authentication.");
             filterChain.doFilter(request, response);
@@ -80,14 +79,14 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
             return;
         }
 
-        if (!(mpAuthentication.getPrincipal() instanceof MidPointPrincipal)) {
-            LOGGER.trace("Skipping compile principal profile, because couldn't find MidPointPrincipal.");
+        if (mpAuthentication.isAlreadyCompiledGui()) {
+            LOGGER.trace("Skipping compile principal profile, already was compiled.");
             filterChain.doFilter(request, response);
             return;
         }
 
-        if (!((MidPointPrincipal)mpAuthentication.getPrincipal()).getAuthorities().isEmpty()) {
-            LOGGER.trace("Skipping compile principal profile, already was compiled.");
+        if (!(mpAuthentication.getPrincipal() instanceof MidPointPrincipal)) {
+            LOGGER.trace("Skipping compile principal profile, because couldn't find MidPointPrincipal.");
             filterChain.doFilter(request, response);
             return;
         }
@@ -100,16 +99,23 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
     private void compileGuiProfile(MidpointAuthentication mpAuthentication) {
         AuthenticationChannel channel = mpAuthentication.getAuthenticationChannel();
         boolean supportGuiConfig = channel == null || channel.isSupportGuiConfigByChannel();
+        MidPointPrincipal principal = (MidPointPrincipal) mpAuthentication.getPrincipal();
+
+        if (!supportGuiConfig) {
+            return;
+        }
+
         try {
             mpAuthentication.setPrincipal(
                     focusProfileService.getPrincipal(
-                            ((MidPointPrincipal) mpAuthentication.getPrincipal()).getFocusPrismObject(),
+                            principal.getFocusPrismObject(),
                             ProfileCompilerOptions.create()
                                     .collectAuthorization(true)
                                     .compileGuiAdminConfiguration(supportGuiConfig)
                                     .locateSecurityPolicy(supportGuiConfig)
                                     .tryReusingSecurityPolicy(true),
                             new OperationResult("reload principal")));
+            mpAuthentication.setAlreadyCompiledGui(true);
         } catch (CommonException e) {
             LOGGER.debug("Couldn't reload principal after authentication", e);
         }

diff --git a/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java b/testing/rest/src/test/java/com/evolveum/midpoint/testing/rest/TestAbstractRestService.java
@@ -261,7 +261,7 @@ public void test017GetUnauthorizedUser() {
         Response response = client.get();
 
         then();
-        assertStatus(response, 403);
+        assertStatus(response, 401);
 
         displayDumpable("Audit", getDummyAuditService());
         getDummyAuditService().assertRecords(1);