Add zone admin to be able to invoke all /Users and /Groups end points

We converted them to use expressions Remove classes and configurations no longer needed https://www.pivotaltracker.com/story/show/98490322 [#98490322]
cloudfoundry · Jul 13, 2015 · 52990e0 · 52990e0
1 parent 87e942c
commit 52990e0
Show file tree

Hide file tree

Showing 11 changed files with 226 additions and 255 deletions.
diff --git a/common/src/main/java/org/cloudfoundry/identity/uaa/oauth/expression/IsUserSelfCheck.java b/common/src/main/java/org/cloudfoundry/identity/uaa/oauth/expression/IsUserSelfCheck.java
@@ -16,6 +16,7 @@
 
 
 import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
+import org.cloudfoundry.identity.uaa.util.UaaUrlUtils;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
@@ -65,14 +66,7 @@ protected String extractIdFromAuthentication(Authentication authentication) {
     }
 
     protected String extractIdFromUrl(int pathParameterIndex, String pathInfo) {
-        if (pathInfo.startsWith("/")) {
+        return UaaUrlUtils.extractPathVariableFromUrl(pathParameterIndex, pathInfo);
-            pathInfo = pathInfo.substring(1);
-        }
-        String[] paths = StringUtils.delimitedListToStringArray(pathInfo, "/");
-        if (paths.length!=0 && pathParameterIndex<paths.length) {
-            return paths[pathParameterIndex];
-        }
-        return null;
     }
 
 }
diff --git a/common/src/main/java/org/cloudfoundry/identity/uaa/util/UaaUrlUtils.java b/common/src/main/java/org/cloudfoundry/identity/uaa/util/UaaUrlUtils.java
@@ -78,5 +78,16 @@ public static String getSubdomain() {
         return subdomain.trim();
     }
 
+    public static String extractPathVariableFromUrl(int pathParameterIndex, String pathInfo) {
+        if (pathInfo.startsWith("/")) {
+            pathInfo = pathInfo.substring(1);
+        }
+        String[] paths = StringUtils.delimitedListToStringArray(pathInfo, "/");
+        if (paths.length!=0 && pathParameterIndex<paths.length) {
+            return paths[pathParameterIndex];
+        }
+        return null;
+    }
+
 
 }
diff --git a/scim/src/main/java/org/cloudfoundry/identity/uaa/scim/security/GroupRoleCheck.java b/scim/src/main/java/org/cloudfoundry/identity/uaa/scim/security/GroupRoleCheck.java
@@ -0,0 +1,59 @@
+/*
+ * *****************************************************************************
+ *      Cloud Foundry
+ *      Copyright (c) [2009-2015] Pivotal Software, Inc. All Rights Reserved.
+ *      This product is licensed to you under the Apache License, Version 2.0 (the "License").
+ *      You may not use this product except in compliance with the License.
+ *
+ *      This product includes a number of subcomponents with
+ *      separate copyright notices and license terms. Your use of these
+ *      subcomponents is subject to the terms and conditions of the
+ *      subcomponent's license, as noted in the LICENSE file.
+ * *****************************************************************************
+ */
+
+package org.cloudfoundry.identity.uaa.scim.security;
+
+
+import org.cloudfoundry.identity.uaa.authentication.UaaPrincipal;
+import org.cloudfoundry.identity.uaa.scim.ScimGroupMember;
+import org.cloudfoundry.identity.uaa.scim.ScimGroupMembershipManager;
+import org.cloudfoundry.identity.uaa.util.UaaUrlUtils;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import javax.servlet.http.HttpServletRequest;
+
+public class GroupRoleCheck {
+
+    private final ScimGroupMembershipManager manager;
+
+    public GroupRoleCheck(ScimGroupMembershipManager manager) {
+        this.manager = manager;
+    }
+
+    public boolean isGroupWriter(HttpServletRequest request, int pathVariableIndex) {
+        return isGroupRole(request, pathVariableIndex, ScimGroupMember.Role.WRITER);
+    }
+
+    public boolean isGroupReader(HttpServletRequest request, int pathVariableIndex) {
+        return isGroupRole(request, pathVariableIndex, ScimGroupMember.Role.READER);
+    }
+
+    public boolean isGroupMember(HttpServletRequest request, int pathVariableIndex) {
+        return isGroupRole(request, pathVariableIndex, ScimGroupMember.Role.MEMBER);
+    }
+
+    public boolean isGroupRole(HttpServletRequest request, int pathVariableIndex, ScimGroupMember.Role role) {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        if ( authentication!=null && authentication.getPrincipal() instanceof UaaPrincipal) {
+            String userId = ((UaaPrincipal) authentication.getPrincipal()).getId();
+            String groupId = UaaUrlUtils.extractPathVariableFromUrl(pathVariableIndex, request.getPathInfo());
+            if (manager.getMembers(groupId, role).contains(new ScimGroupMember(userId))) {
+                return true;
+            }
+        }
+            return false;
+    }
+
+}
diff --git a/scim/src/main/java/org/cloudfoundry/identity/uaa/scim/security/GroupVoter.java b/scim/src/main/java/org/cloudfoundry/identity/uaa/scim/security/GroupVoter.java
diff --git a/scim/src/main/java/org/cloudfoundry/identity/uaa/scim/security/UserVoter.java b/scim/src/main/java/org/cloudfoundry/identity/uaa/scim/security/UserVoter.java
diff --git a/uaa/src/main/webapp/WEB-INF/spring-servlet.xml b/uaa/src/main/webapp/WEB-INF/spring-servlet.xml
@@ -227,13 +227,12 @@
         <property name="enabled" value="${oauth.client.encoder_cache:true}"/>
     </bean>
 
-    <!--<oauth:web-expression-handler id="oauthWebExpressionHandler" />-->
     <bean id="uaaIdentityZone" class="org.cloudfoundry.identity.uaa.zone.IdentityZone" factory-method="getUaa"/>
+
     <bean id="oauthWebExpressionHandler"
       class="org.cloudfoundry.identity.uaa.oauth.expression.ContextSensitiveOAuth2WebSecurityExpressionHandler">
         <property name="identityZone" ref="uaaIdentityZone"/>
     </bean>
-    <!--<mvc:resources location="/" mapping="/**" />-->
 
     <mvc:default-servlet-handler />
 

diff --git a/uaa/src/main/webapp/WEB-INF/spring/codestore-endpoints.xml b/uaa/src/main/webapp/WEB-INF/spring/codestore-endpoints.xml
@@ -23,11 +23,13 @@
         </property>
     </bean>
 
-    <http create-session="stateless" entry-point-ref="oauthAuthenticationEntryPoint" authentication-manager-ref="emptyAuthenticationManager"
+    <http  name="codeStoreSecurity" pattern="/Codes/**" create-session="stateless" authentication-manager-ref="emptyAuthenticationManager"
-          access-decision-manager-ref="userAccessDecisionManager" pattern="/Codes/**" xmlns="http://www.springframework.org/schema/security" use-expressions="false">
+           entry-point-ref="oauthAuthenticationEntryPoint"
-        <intercept-url pattern="/**" access="scope=scim.create,scope=scim.write,scope=password.write" />
+           xmlns="http://www.springframework.org/schema/security" use-expressions="true">
+        <intercept-url pattern="/**" access="#oauth2.hasAnyScope('scim.create','scim.write','password.write')"/>
         <custom-filter ref="resourceAgnosticAuthenticationFilter" position="PRE_AUTH_FILTER" />
         <anonymous enabled="false" />
+        <expression-handler ref="oauthWebExpressionHandler" />
         <access-denied-handler ref="oauthAccessDeniedHandler" />
         <csrf disabled="true"/>
     </http>