public users do not have roles and they are not linked to organizations

cbellone · Apr 23, 2021 · 3c26fd5 · 3c26fd5
1 parent e5a6851
commit 3c26fd5
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 9 deletions.
diff --git a/src/main/java/alfio/config/RoleAndOrganizationsTransactionPreparer.java b/src/main/java/alfio/config/RoleAndOrganizationsTransactionPreparer.java
@@ -16,6 +16,7 @@
  */
 package alfio.config;
 
+import alfio.config.authentication.support.OpenIdAlfioAuthentication;
 import lombok.extern.log4j.Log4j2;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
@@ -26,7 +27,8 @@
 import org.springframework.web.context.request.ServletRequestAttributes;
 
 import javax.servlet.http.HttpServletRequest;
-import java.sql.*;
+import java.sql.Connection;
+import java.sql.SQLException;
 import java.util.Objects;
 import java.util.Set;
 import java.util.TreeSet;
@@ -67,6 +69,14 @@ private static boolean isLoggedUser() {
         return false;
     }
 
+    private static boolean isPublic() {
+        SecurityContext context = SecurityContextHolder.getContext();
+        if (context != null && context.getAuthentication() instanceof OpenIdAlfioAuthentication) {
+            return ((OpenIdAlfioAuthentication) context.getAuthentication()).isPublicUser();
+        }
+        return false;
+    }
+
     private static boolean isAdmin() {
         if(isLoggedUser()) {
             return SecurityContextHolder.getContext().getAuthentication()
@@ -85,7 +95,7 @@ public static void prepareTransactionalConnection(Connection connection) throws
         if (!isInAHttpRequest()) {
             return;
         }
-        boolean mustCheck = !isCurrentlyInAPublicUrlRequest() && isLoggedUser() && !isAdmin();
+        boolean mustCheck = !isCurrentlyInAPublicUrlRequest() && isLoggedUser() && !isPublic() && !isAdmin();
         if (!mustCheck) {
             return;
         }

diff --git a/src/main/java/alfio/config/authentication/support/OpenIdAlfioAuthentication.java b/src/main/java/alfio/config/authentication/support/OpenIdAlfioAuthentication.java
@@ -19,20 +19,28 @@
 import org.springframework.security.authentication.AbstractAuthenticationToken;
 import org.springframework.security.core.GrantedAuthority;
 
+import java.io.Serializable;
 import java.util.Collection;
 
-public class OpenIdAlfioAuthentication extends AbstractAuthenticationToken {
+public class OpenIdAlfioAuthentication extends AbstractAuthenticationToken implements Serializable {
     private final String idToken;
     private final String subject;
     private final String email;
     private final String idpLogoutRedirectionUrl;
+    private final boolean publicUser;
 
-    public OpenIdAlfioAuthentication(Collection<? extends GrantedAuthority> authorities, String idToken, String subject, String email, String idpLogoutRedirectionUrl) {
+    public OpenIdAlfioAuthentication(Collection<? extends GrantedAuthority> authorities,
+                                     String idToken,
+                                     String subject,
+                                     String email,
+                                     String idpLogoutRedirectionUrl,
+                                     boolean publicUser) {
         super(authorities);
         this.idToken = idToken;
         this.subject = subject;
         this.email = email;
         this.idpLogoutRedirectionUrl = idpLogoutRedirectionUrl;
+        this.publicUser = publicUser;
     }
 
     @Override
@@ -53,4 +61,8 @@ public String getName() {
     public String getIdpLogoutRedirectionUrl() {
         return idpLogoutRedirectionUrl;
     }
+
+    public boolean isPublicUser() {
+        return publicUser;
+    }
 }
diff --git a/src/main/java/alfio/config/authentication/support/OpenIdAlfioUser.java b/src/main/java/alfio/config/authentication/support/OpenIdAlfioUser.java
@@ -17,6 +17,7 @@
 package alfio.config.authentication.support;
 
 import alfio.model.user.Role;
+import alfio.model.user.User;
 import lombok.AllArgsConstructor;
 import lombok.Getter;
 
@@ -29,7 +30,15 @@ public class OpenIdAlfioUser {
     private final String idToken;
     private final String subject;
     private final String email;
-    private final boolean isAdmin;
+    private final User.Type userType;
     private final Set<Role> alfioRoles;
     private final Map<String, Set<String>> alfioOrganizationAuthorizations;
+
+    public boolean isAdmin() {
+        return userType == User.Type.INTERNAL && alfioRoles.contains(Role.ADMIN);
+    }
+
+    public boolean isPublicUser() {
+        return userType == User.Type.PUBLIC;
+    }
 }
diff --git a/src/main/java/alfio/manager/openid/AdminOpenIdAuthenticationManager.java b/src/main/java/alfio/manager/openid/AdminOpenIdAuthenticationManager.java
@@ -81,7 +81,7 @@ protected OpenIdAlfioUser fromToken(String idToken, String subject, String email
 
         if (isAdmin) {
             log.trace("User is admin");
-            return new OpenIdAlfioUser(idToken, subject, email, true, Set.of(Role.ADMIN), null);
+            return new OpenIdAlfioUser(idToken, subject, email, getUserType(), Set.of(Role.ADMIN), null);
         }
 
         log.trace("User is NOT admin");
@@ -96,7 +96,7 @@ protected OpenIdAlfioUser fromToken(String idToken, String subject, String email
         log.trace("IdToken contains the following alfioGroups: {}", alfioOrganizationAuthorizationsRaw);
         Map<String, Set<String>> alfioOrganizationAuthorizations = extractOrganizationRoles(alfioOrganizationAuthorizationsRaw);
         Set<Role> alfioRoles = extractAlfioRoles(alfioOrganizationAuthorizations);
-        return new OpenIdAlfioUser(idToken, subject, email, false, alfioRoles, alfioOrganizationAuthorizations);
+        return new OpenIdAlfioUser(idToken, subject, email, getUserType(), alfioRoles, alfioOrganizationAuthorizations);
     }
 
     @SneakyThrows

diff --git a/src/main/java/alfio/manager/openid/BaseOpenIdAuthenticationManager.java b/src/main/java/alfio/manager/openid/BaseOpenIdAuthenticationManager.java
@@ -124,7 +124,7 @@ private OpenIdAlfioAuthentication createOrRetrieveUser(OpenIdAlfioUser user, Map
 
         List<GrantedAuthority> authorities = user.getAlfioRoles().stream().map(Role::getRoleName)
             .map(SimpleGrantedAuthority::new).collect(Collectors.toList());
-        return new OpenIdAlfioAuthentication(authorities, user.getIdToken(), user.getSubject(), user.getEmail(), buildLogoutUrl());
+        return new OpenIdAlfioAuthentication(authorities, user.getIdToken(), user.getSubject(), user.getEmail(), buildLogoutUrl(), user.isPublicUser());
     }
 
     private static String retrieveClaimOrBlank(Map<String, Claim> claims, String name) {

diff --git a/src/main/java/alfio/manager/openid/PublicOpenIdAuthenticationManager.java b/src/main/java/alfio/manager/openid/PublicOpenIdAuthenticationManager.java
@@ -67,7 +67,7 @@ public PublicOpenIdAuthenticationManager(HttpClient httpClient,
 
     @Override
     protected OpenIdAlfioUser fromToken(String idToken, String subject, String email, Map<String, Claim> claims) {
-        return new OpenIdAlfioUser(idToken, subject, email, false, Set.of(), Map.of());
+        return new OpenIdAlfioUser(idToken, subject, email, getUserType(), Set.of(), Map.of());
     }
 
     @Override