diff --git a/src/main/java/biz/nynja/account/permissions/PermissionsInterceptor.java b/src/main/java/biz/nynja/account/permissions/PermissionsInterceptor.java index 7a37de8e11b6aedf94ee692b6c545e67f03f8170..0a6a6f5d1c1f5325493d3e0bb4f8678c32f21d52 100644 --- a/src/main/java/biz/nynja/account/permissions/PermissionsInterceptor.java +++ b/src/main/java/biz/nynja/account/permissions/PermissionsInterceptor.java @@ -15,18 +15,15 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; -import com.auth0.jwt.JWT; import com.auth0.jwt.interfaces.Claim; import com.auth0.jwt.interfaces.DecodedJWT; -import biz.nynja.account.services.AccountServiceImpl; -import biz.nynja.account.accesspoints.AccessPointService; import biz.nynja.account.accesspoints.AccessPoint; +import biz.nynja.account.accesspoints.AccessPointService; +import biz.nynja.account.services.AccountServiceImpl; import io.grpc.Context; -import io.grpc.Contexts; import io.grpc.Metadata; import io.grpc.ServerCall; -import io.grpc.ServerCall.Listener; import io.grpc.ServerCallHandler; import io.grpc.ServerInterceptor; import io.grpc.Status; diff --git a/src/main/java/biz/nynja/account/permissions/PermissionsValidator.java b/src/main/java/biz/nynja/account/permissions/PermissionsValidator.java index c213cab71771f05f1aac833e789a35445d75a1a2..7b451644f43f0a44e261ac4abad3fdb2d39789ec 100644 --- a/src/main/java/biz/nynja/account/permissions/PermissionsValidator.java +++ b/src/main/java/biz/nynja/account/permissions/PermissionsValidator.java @@ -3,10 +3,9 @@ */ package biz.nynja.account.permissions; -import java.util.Arrays; -import java.util.Base64; import java.util.List; +import org.apache.commons.lang3.StringUtils; import org.springframework.stereotype.Component; import com.auth0.jwt.JWT; @@ -24,8 +23,7 @@ public class PermissionsValidator { // when Istio starts sending an access token with each and every request return true; -// String accessToken = (String) PermissionsInterceptor.ACCESS_TOKEN_CTX.get(); -// DecodedJWT decodedToken = JWT.decode(accessToken); +// DecodedJWT decodedToken = retrieveDecodedToken(); // String requestingAccountId = new String(Base64.getDecoder().decode(decodedToken.getSubject())); // // if (requestingAccountId.equals(accountId)) { @@ -34,6 +32,16 @@ public class PermissionsValidator { // return isAuthorizedRequestingRole(decodedToken); } + private DecodedJWT retrieveDecodedToken() { + String accessToken = (String) PermissionsInterceptor.ACCESS_TOKEN_CTX.get(); + // This check is for isAdminToken method + if(StringUtils.isEmpty(accessToken)) { + return null; + } + DecodedJWT decodedToken = JWT.decode(accessToken); + return decodedToken; + } + public boolean isRpcAllowed(List existingAccountsForProfile) { // WARNING: The line bellow is to be removed and code following uncommented @@ -75,5 +83,12 @@ public class PermissionsValidator { } return false; } + + public boolean isAdminToken() { + DecodedJWT decodedToken = retrieveDecodedToken(); + if(decodedToken != null) { + return isAuthorizedRequestingRole(decodedToken); + } else return false; + } } diff --git a/src/main/java/biz/nynja/account/repositories/AccountRepositoryAdditionalImpl.java b/src/main/java/biz/nynja/account/repositories/AccountRepositoryAdditionalImpl.java index 6522ae12ec25c8fac22e49ee202bc0071d62e57a..199cf34146d148703ade1ff9d6ece0aea7d78627 100644 --- a/src/main/java/biz/nynja/account/repositories/AccountRepositoryAdditionalImpl.java +++ b/src/main/java/biz/nynja/account/repositories/AccountRepositoryAdditionalImpl.java @@ -15,10 +15,6 @@ import java.util.Set; import java.util.UUID; import java.util.stream.Collectors; -import biz.nynja.account.repositories.batch.SagaTransaction; -import biz.nynja.account.repositories.batch.Transaction; -import biz.nynja.account.services.erlang.ErlangAccountBridge; -import io.grpc.StatusRuntimeException; import org.apache.commons.lang3.SerializationUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -54,8 +50,11 @@ import biz.nynja.account.models.PendingAccountByAuthenticationProvider; import biz.nynja.account.models.Profile; import biz.nynja.account.models.ProfileByAuthenticationProvider; import biz.nynja.account.permissions.PermissionsValidator; +import biz.nynja.account.repositories.batch.SagaTransaction; +import biz.nynja.account.repositories.batch.Transaction; import biz.nynja.account.services.decomposition.IncorrectAccountCountException; -import biz.nynja.account.services.erlang.ErlangAccountHttpBridge; +import biz.nynja.account.services.erlang.ErlangAccountBridge; +import io.grpc.StatusRuntimeException; // TODO: 11/19/2018 refactor this class and adding rolback cassandra data if erlang return fail state @Service @@ -200,6 +199,14 @@ public class AccountRepositoryAdditionalImpl implements AccountRepositoryAdditio public Account updateAccount(UpdateAccountRequest request) { Transaction sagaTransaction = new SagaTransaction(cassandraTemplate); Account existingAccount = accountRepository.findByAccountId(UUID.fromString(request.getAccountId())); + + if (!permissionsValidator.isAdminToken()) { + // No permission to update roles, load old ones + Set roles = existingAccount.getRoles().stream().map(Role::valueOf).collect(Collectors.toSet()); + request = UpdateAccountRequest.newBuilder(request).clearRoles().addAllRoles(roles).build(); + } + + if (existingAccount == null) { logger.error("Existing account with the provided id {} was not found.", request.getAccountId()); logger.debug("Existing account with the provided id {} was not found.", request.getAccountId()); diff --git a/src/main/java/biz/nynja/account/services/AccountServiceImpl.java b/src/main/java/biz/nynja/account/services/AccountServiceImpl.java index 72542ac18d938c727e46fa841fa3ff562b2775ba..34f207cafa15bf71b7301acb33e91dc873178656 100644 --- a/src/main/java/biz/nynja/account/services/AccountServiceImpl.java +++ b/src/main/java/biz/nynja/account/services/AccountServiceImpl.java @@ -11,14 +11,12 @@ import static biz.nynja.account.validation.Validators.util; import java.util.List; import java.util.Optional; import java.util.UUID; -import java.util.stream.Collectors; import org.apache.commons.lang3.tuple.ImmutablePair; import org.lognet.springboot.grpc.GRpcService; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import biz.nynja.account.configuration.AccountDataConfiguration; import biz.nynja.account.configuration.ProfileDataConfiguration; import biz.nynja.account.grpc.AccountByAccountIdRequest; import biz.nynja.account.grpc.AccountResponse; @@ -110,8 +108,8 @@ public class AccountServiceImpl extends AccountServiceGrpc.AccountServiceImplBas AccountByQrCodeRepository accountByQrCodeRepository, AccountByUsernameRepository accountByUsernameRepository, AccountProvider accountProvider, AccountByProfileIdRepository accountByProfileIdRepository, PhoneNumberNormalizer phoneNumberNormalizer, - AccountCreator accountCreator, ProfileProvider profileProvider, - PermissionsValidator permissionsValidator, ProfileDataConfiguration profileDataConfiguration) { + AccountCreator accountCreator, ProfileProvider profileProvider, PermissionsValidator permissionsValidator, + ProfileDataConfiguration profileDataConfiguration) { this.accountRepositoryAdditional = accountRepositoryAdditional; this.profileRepository = profileRepository; this.profileByAutheticationProviderRepository = profileByAutheticationProviderRepository; @@ -663,9 +661,11 @@ public class AccountServiceImpl extends AccountServiceGrpc.AccountServiceImplBas } // Make sure there will be no more than providers in this profile - if(profile.getAuthenticationProviders().size() >= profileDataConfiguration.getMaxAuthenticationprovidersPerProfile()) { + if (profile.getAuthenticationProviders().size() >= profileDataConfiguration + .getMaxAuthenticationprovidersPerProfile()) { logAndBuildGrpcStatusResponse(responseObserver, StatusResponse.newBuilder(), - "Max number of authentication providers reached for profile id {}.", request.getProfileId(), Cause.MAX_PROVIDERS_PER_PROFILE_REACHED); + "Max number of authentication providers reached for profile id {}.", request.getProfileId(), + Cause.MAX_PROVIDERS_PER_PROFILE_REACHED); return; } @@ -880,8 +880,8 @@ public class AccountServiceImpl extends AccountServiceGrpc.AccountServiceImplBas boolean removedFromObject = profile.removeAuthenticationProvider(existingAuthProviderToDelete.get()); if (!removedFromObject) { logAndBuildGrpcStatusResponse(responseObserver, StatusResponse.newBuilder(), - "Error removing authentication provider {}.", - existingAuthProviderToDelete.get().toString(), Cause.INTERNAL_SERVER_ERROR); + "Error removing authentication provider {}.", existingAuthProviderToDelete.get().toString(), + Cause.INTERNAL_SERVER_ERROR); return; }