diff --git a/src/main/java/biz/nynja/account/permissions/PermissionsValidator.java b/src/main/java/biz/nynja/account/permissions/PermissionsValidator.java
index 44edf68cc891dffb4baf1a2ce9ca11d8fd5af8f6..e24cd67af7ebfe79f743ced4565fc9c92a29cc00 100644
--- a/src/main/java/biz/nynja/account/permissions/PermissionsValidator.java
+++ b/src/main/java/biz/nynja/account/permissions/PermissionsValidator.java
@@ -20,10 +20,6 @@ public class PermissionsValidator {
 public boolean isRpcAllowed(String accountId) {
- // WARNING: THe line bellow is to be removed and code following uncommented
- // when Istio starts sending an access token with each and every request
- // return true;
-
 DecodedJWT decodedToken = retrieveDecodedToken();
 String requestingAccountId = new String(Base64.getDecoder().decode(decodedToken.getSubject()));
@@ -33,6 +29,13 @@ public class PermissionsValidator {
 return isAuthorizedRequestingRole(decodedToken);
 }
+ public boolean isRpcAllowedForCurrentRole() {
+
+ DecodedJWT decodedToken = retrieveDecodedToken();
+
+ return isAuthorizedRequestingRole(decodedToken);
+ }
+
 private DecodedJWT retrieveDecodedToken() {
 String accessToken = (String) PermissionsInterceptor.ACCESS_TOKEN_CTX.get();
 // This check is for isAdminToken method
@@ -45,10 +48,6 @@ public class PermissionsValidator {
 public boolean isRpcAllowed(List existingAccountsForProfile) {
- // WARNING: The line bellow is to be removed and code following uncommented
- // when Istio starts sending an access token with each and every request
- // return true;
-
 String accessToken = (String) PermissionsInterceptor.ACCESS_TOKEN_CTX.get();
 DecodedJWT decodedToken = JWT.decode(accessToken);
 String requestingAccountId = new String(Base64.getDecoder().decode(decodedToken.getSubject()));
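Review bot: The new `isRpcAllowedForCurrentRole()` in the second hunk is undocumented and authorizes on the role claim alone, without the subject comparison that `isRpcAllowed(String)` performs, so a later caller could mistake it for a full access check. I would add a Javadoc such as `/** Role-only check: returns true when the caller's token carries an authorized role; it does not tie the caller to any account. */`. The sibling `isRpcAllowed(List)` in the third hunk calls `JWT.decode(accessToken)`, which (assuming this is the auth0 java-jwt API) parses the token without verifying its signature. If `retrieveDecodedToken()`, whose body continues outside the hunk, does the same, the role claim is only as trustworthy as the upstream validation the removed comment attributes to Istio, and the Javadoc should state that assumption. The visible comment `// This check is for isAdminToken method` suggests a special path for a missing token; if that path can return null, the new method would pass null on to `isAuthorizedRequestingRole`, so that is worth confirming.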
diff --git a/src/main/java/biz/nynja/account/services/AccountServiceImpl.java b/src/main/java/biz/nynja/account/services/AccountServiceImpl.java index 4c2f0d213a0953e297239d0b748d3e373ac6566a..4175987985c80a9f1fa974d644302a9d553b75c4 100644 --- a/src/main/java/biz/nynja/account/services/AccountServiceImpl.java +++ b/src/main/java/biz/nynja/account/services/AccountServiceImpl.java @@ -1177,11 +1177,26 @@ public class AccountServiceImpl extends AccountServiceGrpc.AccountServiceImplBas Optional account = accountProvider.getAccountResponseByLoginOption( request.getAuthenticationType(), request.getAuthenticationIdentifier()); if (!account.isPresent()) { + // If account is not found the method isRpcAllowedForCurrentRole() is used to check the current role and + // if it is "USER" to return "ERROR_PERMISSION_DENIED" + if (!permissionsValidator.isRpcAllowedForCurrentRole()) { + logAndBuildGrpcAccountResponse(responseObserver, AccountResponse.newBuilder(), + "Account info can not be obtained for this account.", "", Cause.ERROR_PERMISSION_DENIED, + "Permission denied"); + return; + } logAndBuildGrpcAccountResponse(responseObserver, AccountResponse.newBuilder(), "Account not found for login option: " + request.getAuthenticationIdentifier() + ":" + request.getAuthenticationIdentifier(), "", Cause.ACCOUNT_NOT_FOUND, "Account not found"); } else { + + if (!permissionsValidator.isRpcAllowed(account.get().getAccountDetails().getAccountId())) { + logAndBuildGrpcAccountResponse(responseObserver, AccountResponse.newBuilder(), + "Account info can not be obtained for this account.", "", Cause.ERROR_PERMISSION_DENIED, + "Permission denied"); + return; + } AccountResponse response = account.get(); logger.info("SUCCESS: Found account by login option {}. Account Id={}.", request.getAuthenticationIdentifier(), response.getAccountDetails().getAccountId());
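Review bot: The two added denial blocks (not-found branch and found branch) must stay byte-identical so that a caller without an authorized role cannot tell "no such login option" from "exists but not yours", but nothing in the code states or enforces that. The added comment only says what happens for "USER", not why; I would reword it to `// Answer PERMISSION_DENIED instead of ACCOUNT_NOT_FOUND for non-privileged roles, so the response does not reveal whether a login option is registered.` and move the duplicated `logAndBuildGrpcAccountResponse(...)` call into one private helper used by both branches. The lookup still runs before either check, and each check decodes the token again, so it would be worth confirming that a missing or malformed token surfaces as a denial rather than an unhandled exception in this handler. The enclosing method starts and ends outside the hunk.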