Return-Path: <commits-return-16096-archive-asf-public=cust-asf.ponee.io@airavata.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 5086F200C39
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Wed,  1 Mar 2017 21:49:10 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix)
	id 4F64A160B70; Wed,  1 Mar 2017 20:49:10 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 4A1A6160B8B
	for <archive-asf-public@cust-asf.ponee.io>; Wed,  1 Mar 2017 21:49:08 +0100 (CET)
Received: (qmail 18209 invoked by uid 500); 1 Mar 2017 20:49:07 -0000
Mailing-List: contact commits-help@airavata.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:commits-help@airavata.apache.org>
List-Unsubscribe: <mailto:commits-unsubscribe@airavata.apache.org>
List-Post: <mailto:commits@airavata.apache.org>
List-Id: <commits.airavata.apache.org>
Reply-To: dev@airavata.apache.org
Delivered-To: mailing list commits@airavata.apache.org
Received: (qmail 16788 invoked by uid 99); 1 Mar 2017 20:49:06 -0000
Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 01 Mar 2017 20:49:06 +0000
Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33)
	id 47A64DF9AF; Wed,  1 Mar 2017 20:49:06 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: machristie@apache.org
To: commits@airavata.apache.org
Date: Wed, 01 Mar 2017 20:49:49 -0000
Message-Id: <2bb0a27a682c46d1bd35238899c1aa35@git.apache.org>
In-Reply-To: <b7690fab574e4c159635a426073570e7@git.apache.org>
References: <b7690fab574e4c159635a426073570e7@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: [46/48] airavata git commit: AIRAVATA-2316 Adding authz checks to
 user profile modification methods
archived-at: Wed, 01 Mar 2017 20:49:10 -0000

AIRAVATA-2316 Adding authz checks to user profile modification methods


Project: http://git-wip-us.apache.org/repos/asf/airavata/repo
Commit: http://git-wip-us.apache.org/repos/asf/airavata/commit/ee8d5eed
Tree: http://git-wip-us.apache.org/repos/asf/airavata/tree/ee8d5eed
Diff: http://git-wip-us.apache.org/repos/asf/airavata/diff/ee8d5eed

Branch: refs/heads/user-profile
Commit: ee8d5eede9fafd9353be8f36635449efa391800f
Parents: 08fd8c4
Author: Marcus Christie <machristie@apache.org>
Authored: Tue Feb 28 11:55:41 2017 -0500
Committer: Anuj Bhandar <bhandar.anuj@gmail.com>
Committed: Tue Feb 28 13:07:18 2017 -0500

----------------------------------------------------------------------
 .../server/handler/AiravataServerHandler.java   | 24 ++++++++++++++------
 .../server/UserProfileServiceHandler.java       |  1 +
 2 files changed, 18 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/airavata/blob/ee8d5eed/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
----------------------------------------------------------------------
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
index 8415c21..588a61a 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
@@ -4773,7 +4773,12 @@ public class AiravataServerHandler implements Airavata.Iface {
     public String addUserProfile(AuthzToken authzToken, UserProfile userProfile)
             throws InvalidRequestException, AiravataClientException, AiravataSystemException, AuthorizationException, TException {
 
-        // TODO: check that username and gatewayId match authzToken
+        // check that username and gatewayId match authzToken
+        String gatewayId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
+        String userId = authzToken.getClaimsMap().get(Constants.USER_NAME);
+        if( !userProfile.getUserId().equals(userId) || !userProfile.getGatewayId().equals(gatewayId) ){
+            throw new AuthorizationException("User isn't authorized to add user profile for this user and/or gateway");
+        }
         try {
             return getUserProfileServiceClient().addUserProfile(userProfile);
         } catch (Exception e) {
@@ -4790,7 +4795,12 @@ public class AiravataServerHandler implements Airavata.Iface {
     public boolean updateUserProfile(AuthzToken authzToken, UserProfile userProfile)
             throws InvalidRequestException, AiravataClientException, AiravataSystemException, AuthorizationException, TException {
 
-        // TODO: check that username and gatewayId match authzToken
+        // check that username and gatewayId match authzToken
+        String gatewayId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
+        String userId = authzToken.getClaimsMap().get(Constants.USER_NAME);
+        if( !userProfile.getUserId().equals(userId) || !userProfile.getGatewayId().equals(gatewayId) ){
+            throw new AuthorizationException("User isn't authorized to update user profile for this user and/or gateway");
+        }
         try {
             return getUserProfileServiceClient().updateUserProfile(userProfile);
         } catch (Exception e) {
@@ -4807,7 +4817,6 @@ public class AiravataServerHandler implements Airavata.Iface {
     public UserProfile getUserProfileById(AuthzToken authzToken, String userId, String gatewayId)
             throws InvalidRequestException, AiravataClientException, AiravataSystemException, AuthorizationException, TException {
 
-        // TODO: check that username and gatewayId match authzToken
         try {
             return getUserProfileServiceClient().getUserProfileById(userId, gatewayId);
         } catch (Exception e) {
@@ -4821,10 +4830,14 @@ public class AiravataServerHandler implements Airavata.Iface {
 
     @Override
     @SecurityCheck
+    // FIXME: deleting user profile should require the gatewayId as well!
     public boolean deleteUserProfile(AuthzToken authzToken, String userId)
             throws InvalidRequestException, AiravataClientException, AiravataSystemException, AuthorizationException, TException {
 
-        // TODO: check that username match authzToken
+        // check that userId match authzToken
+        if( !authzToken.getClaimsMap().get(Constants.USER_NAME).equals(userId) ){
+            throw new AuthorizationException("User isn't authorized to delete user profile for this user");
+        }
         try {
             return getUserProfileServiceClient().deleteUserProfile(userId);
         } catch (Exception e) {
@@ -4841,7 +4854,6 @@ public class AiravataServerHandler implements Airavata.Iface {
     public List<UserProfile> getAllUserProfilesInGateway(AuthzToken authzToken, String gatewayId, int offset, int limit)
             throws InvalidRequestException, AiravataClientException, AiravataSystemException, AuthorizationException, TException {
 
-        // TODO: check that gatewayId match authzToken
         try {
             return getUserProfileServiceClient().getAllUserProfilesInGateway(gatewayId, offset, limit);
         } catch (Exception e) {
@@ -4858,7 +4870,6 @@ public class AiravataServerHandler implements Airavata.Iface {
     public UserProfile getUserProfileByName(AuthzToken authzToken, String userName, String gatewayId)
             throws InvalidRequestException, AiravataClientException, AiravataSystemException, AuthorizationException, TException {
 
-        // TODO: check that username and gatewayId match authzToken
         try {
             return getUserProfileServiceClient().getUserProfileByName(userName, gatewayId);
         } catch (Exception e) {
@@ -4875,7 +4886,6 @@ public class AiravataServerHandler implements Airavata.Iface {
     public boolean doesUserProfileExist(AuthzToken authzToken, String userName, String gatewayId)
             throws InvalidRequestException, AiravataClientException, AiravataSystemException, AuthorizationException, TException {
 
-        // TODO: verify that authzToken gatewayId matches
         try {
             return getUserProfileServiceClient().doesUserExist(userName, gatewayId);
         } catch (Exception e) {

http://git-wip-us.apache.org/repos/asf/airavata/blob/ee8d5eed/modules/user-profile/user-profile-service/src/main/java/org/apache/airavata/user/profile/server/UserProfileServiceHandler.java
----------------------------------------------------------------------
diff --git a/modules/user-profile/user-profile-service/src/main/java/org/apache/airavata/user/profile/server/UserProfileServiceHandler.java b/modules/user-profile/user-profile-service/src/main/java/org/apache/airavata/user/profile/server/UserProfileServiceHandler.java
index ddefbc7..598adc0 100644
--- a/modules/user-profile/user-profile-service/src/main/java/org/apache/airavata/user/profile/server/UserProfileServiceHandler.java
+++ b/modules/user-profile/user-profile-service/src/main/java/org/apache/airavata/user/profile/server/UserProfileServiceHandler.java
@@ -82,6 +82,7 @@ public class UserProfileServiceHandler implements UserProfileService.Iface {
         }
     }
 
+    // FIXME: shouldn't deleteUserProfile require the gatewayId as well?
     public boolean deleteUserProfile(String userId) throws UserProfileServiceException {
         try{
             boolean deleteResult = userProfileRepository.delete(userId);