From a42f193d7e5168c4ddb05a15605558a7f1f29578 Mon Sep 17 00:00:00 2001
From: Stoyan Tzenkov
Date: Fri, 4 Jan 2019 10:15:48 +0200
Subject: [PATCH] NY-XXXX: accesspoint keyspace taken out
Signed-off-by: Stoyan Tzenkov
---
 .../CassandraAccessPointConfig.java | 118 ++----
 .../configuration/CassandraAccountConfig.java | 69 ++--
 .../configuration/CassandraBaseConfig.java | 29 +-
 .../configuration/CassandraConfig.java | 77 ++++
 .../permissions/PermissionsInterceptor.java | 336 +++++++++---------
 .../account/services/AccountServiceTests.java | 1 -
 6 files changed, 306 insertions(+), 324 deletions(-)
 create mode 100644 src/main/java/biz/nynja/account/configuration/CassandraConfig.java
diff --git a/src/main/java/biz/nynja/account/configuration/CassandraAccessPointConfig.java b/src/main/java/biz/nynja/account/configuration/CassandraAccessPointConfig.java
index 1b5472a..1c67b4d 100644
--- a/src/main/java/biz/nynja/account/configuration/CassandraAccessPointConfig.java
+++ b/src/main/java/biz/nynja/account/configuration/CassandraAccessPointConfig.java
@@ -1,92 +1,26 @@ -package biz.nynja.account.configuration; - -import java.util.Arrays; -import java.util.List; - -import org.springframework.beans.factory.annotation.Value; -import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass; -import org.springframework.boot.context.properties.ConfigurationProperties; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; -import org.springframework.context.annotation.Primary; -import org.springframework.data.cassandra.config.CassandraClusterFactoryBean; -import org.springframework.data.cassandra.config.CassandraSessionFactoryBean; -import org.springframework.data.cassandra.core.CassandraAdminOperations; -import org.springframework.data.cassandra.core.CassandraAdminTemplate; -import org.springframework.data.cassandra.core.cql.keyspace.CreateKeyspaceSpecification; -import org.springframework.data.cassandra.core.mapping.CassandraMappingContext; -import org.springframework.data.cassandra.repository.config.EnableCassandraRepositories; - -import biz.nynja.account.StartupScriptsListener; - -@Configuration -@ConfigurationProperties("spring.data.cassandra.accesspoint") -@EnableCassandraRepositories( - basePackages = { "biz.nynja.account.accesspoints" }, - cassandraTemplateRef = "CassandraAccessPointTemplate") -@ConditionalOnMissingClass("org.springframework.test.context.junit4.SpringRunner") -public class CassandraAccessPointConfig extends CassandraBaseConfig { - - @Value("${spring.data.cassandra.accesspoint.keyspace-name}") - protected String keyspaceName; - - @Override - protected String getKeyspaceName() { - return keyspaceName; - } - - public void setKeyspaceName(String keyspaceName) { - this.keyspaceName = keyspaceName; - } - - @Bean - public CassandraMappingContext mappingContext() { - return new CassandraMappingContext(); - } - - @Override - public String[] getEntityBasePackages() { - return new String[] { "biz.nynja.account.accesspoints" }; 
- } - - @Override - @Primary - @Bean(name = "CassandraAccessPointTemplate") - public CassandraAdminOperations cassandraTemplate() throws Exception { - return new CassandraAdminTemplate(session().getObject(), cassandraConverter()); - } - - @Override - @Bean(name = "accessPointSession") - public CassandraSessionFactoryBean session() { - - CassandraSessionFactoryBean session = new CassandraSessionFactoryBean(); - - session.setCluster(cluster().getObject()); - session.setConverter(cassandraConverter()); - session.setKeyspaceName(getKeyspaceName()); - session.setSchemaAction(getSchemaAction()); - session.setStartupScripts(getStartupScripts()); - session.setShutdownScripts(getShutdownScripts()); - - return session; - } - - @Override - protected List getKeyspaceCreations() { - CreateKeyspaceSpecification specification = CreateKeyspaceSpecification.createKeyspace(getKeyspaceName()) - .ifNotExists().withSimpleReplication(); - return Arrays.asList(specification); - } - - @Bean - public CassandraClusterFactoryBean cluster() { - CassandraClusterFactoryBean cluster = new CassandraClusterFactoryBean(); - cluster.setContactPoints(getContactPoints()); - cluster.setPort(getPort()); - cluster.setKeyspaceCreations(getKeyspaceCreations()); - - return cluster; - } - -} \ No newline at end of file +//package biz.nynja.account.configuration; +// +//import org.springframework.beans.factory.annotation.Value; +//import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass; +//import org.springframework.context.annotation.Configuration; +//import org.springframework.data.cassandra.repository.config.EnableCassandraRepositories; +// +//@Configuration +//@EnableCassandraRepositories(basePackages = { "biz.nynja.account.accesspoints" }) +//@ConditionalOnMissingClass("org.springframework.test.context.junit4.SpringRunner") +//public class CassandraAccessPointConfig extends CassandraBaseConfig { +// +// @Value("${spring.data.cassandra.accesspoint.keyspace-name}") +// private 
String keyspaceName; +// +// @Override +// protected String getKeyspaceName() { +// return keyspaceName; +// } +// +// @Override +// public String[] getEntityBasePackages() { +// return new String[] { "biz.nynja.account.accesspoints" }; +// } +// +//} diff --git a/src/main/java/biz/nynja/account/configuration/CassandraAccountConfig.java b/src/main/java/biz/nynja/account/configuration/CassandraAccountConfig.java index 311fa8d..547b535 100644 --- a/src/main/java/biz/nynja/account/configuration/CassandraAccountConfig.java +++ b/src/main/java/biz/nynja/account/configuration/CassandraAccountConfig.java 
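Review bot: The commented-out body on the new side is not the old class but a reduced stub — it drops the `accessPointSession` and `CassandraAccessPointTemplate` beans and `getKeyspaceCreations()` — so uncommenting it later would not restore the previous accesspoint keyspace wiring. Git history already holds the full original; delete the file outright rather than leave 26 lines of dead code. If the second keyspace is meant to be switchable, gate the real class with `@ConditionalOnProperty(prefix = "spring.data.cassandra.accesspoint", name = "keyspace-name")` instead of a commented-out file.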
@@ -7,23 +7,21 @@ import java.util.List;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass;
-import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.data.cassandra.config.CassandraClusterFactoryBean;
+import org.springframework.context.annotation.Primary;
 import org.springframework.data.cassandra.config.CassandraSessionFactoryBean;
+import org.springframework.data.cassandra.config.SchemaAction;
 import org.springframework.data.cassandra.core.CassandraAdminOperations;
 import org.springframework.data.cassandra.core.CassandraAdminTemplate;
 import org.springframework.data.cassandra.core.cql.keyspace.CreateKeyspaceSpecification;
-import org.springframework.data.cassandra.core.mapping.CassandraMappingContext;
 import org.springframework.data.cassandra.repository.config.EnableCassandraRepositories;

 import biz.nynja.account.StartupScriptsListener;

 @Configuration
-@ConfigurationProperties("spring.data.cassandra.account")
 @EnableCassandraRepositories(
- basePackages = { "biz.nynja.account.models", "biz.nynja.account.repositories"},
+ basePackages = { "biz.nynja.account.models", "biz.nynja.account.repositories" },
 cassandraTemplateRef = "CassandraAccountTemplate")
 @ConditionalOnMissingClass("org.springframework.test.context.junit4.SpringRunner")
 public class CassandraAccountConfig extends CassandraBaseConfig {
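Review bot: `import org.springframework.context.annotation.Primary;` is added here but the only reference in the new code is the commented-out `// @Primary` on `cassandraTemplate` in the next hunk, so it is an unused import; either drop it or restore the annotation. Removing `@ConfigurationProperties("spring.data.cassandra.account")` is consistent with the `setKeyspaceName` setter going away, but it leaves `keyspaceName` bound only through the `@Value` field outside this hunk — worth confirming `spring.data.cassandra.account.keyspace-name` is still present in every profile, since a missing value now fails at bean creation instead of silently leaving the field null.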
@@ -36,21 +34,38 @@ public class CassandraAccountConfig extends CassandraBaseConfig { return keyspaceName; } - public void setKeyspaceName(String keyspaceName) { - this.keyspaceName = keyspaceName; + @Override + public String[] getEntityBasePackages() { + return new String[] { "biz.nynja.account.models", "biz.nynja.account.repositories" }; } - @Bean - public CassandraMappingContext mappingContext() { - return new CassandraMappingContext(); + @Override + public SchemaAction getSchemaAction() { + return SchemaAction.CREATE_IF_NOT_EXISTS; } + /** + * See {@link StartupScriptsListener} for scripts + * that require JPA annotated tables + */ @Override - public String[] getEntityBasePackages() { - return new String[] { "biz.nynja.account.models", "biz.nynja.account.repositories" }; + protected List getStartupScripts() { + return super.getStartupScripts(); + } + + public String getConfiguredKeyspaceName() { + return getKeyspaceName(); + } + + @Override + protected List getKeyspaceCreations() { + CreateKeyspaceSpecification specification = CreateKeyspaceSpecification.createKeyspace(getKeyspaceName()) + .ifNotExists().withSimpleReplication(); + return Arrays.asList(specification); } @Override +// @Primary @Bean(name = "CassandraAccountTemplate") public CassandraAdminOperations cassandraTemplate( @Qualifier("accountSession") final CassandraSessionFactoryBean session) throws Exception { 
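Review bot: `getKeyspaceCreations()` combined with `SchemaAction.CREATE_IF_NOT_EXISTS` makes the service create its own keyspace and tables at startup, and the argument-less `withSimpleReplication()` uses SimpleStrategy at the library default replication factor (1, as far as I recall), which is a single-copy keyspace if this ever runs against a multi-node cluster and requires the service's Cassandra role to hold CREATE on the cluster — broader than a least-privilege runtime account needs. Drive the factor from configuration, e.g. `.withSimpleReplication(replicationFactor)` with a `@Value("${spring.data.cassandra.account.replication-factor:1}")` field, and consider restricting keyspace creation to a dev profile with schema managed out of band in production. `// @Primary` on `cassandraTemplate` is dead now that only one template bean exists; delete the line rather than leave it commented. `getConfiguredKeyspaceName()` is a public alias of `getKeyspaceName()` with no documentation — a one-line Javadoc naming its caller (`StartupScriptsListener`, presumably) would explain why it exists.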
@@ -72,32 +87,4 @@ public class CassandraAccountConfig extends CassandraBaseConfig { return session; } - - @Override - protected List getKeyspaceCreations() { - CreateKeyspaceSpecification specification = CreateKeyspaceSpecification.createKeyspace(getKeyspaceName()) - .ifNotExists().withSimpleReplication(); - return Arrays.asList(specification); - } - - @Bean - public CassandraClusterFactoryBean cluster() { - CassandraClusterFactoryBean cluster = new CassandraClusterFactoryBean(); - cluster.setContactPoints(getContactPoints()); -// cluster.setContactPoints(InetAddress.getLocalHost().getHostName()); - cluster.setPort(getPort()); - cluster.setKeyspaceCreations(getKeyspaceCreations()); - - return cluster; - } - - /** - * See {@link StartupScriptsListener} for scripts - * that require JPA annotated tables - */ - @Override - protected List getStartupScripts() { - return super.getStartupScripts(); - } - -} \ No newline at end of file +} diff --git a/src/main/java/biz/nynja/account/configuration/CassandraBaseConfig.java b/src/main/java/biz/nynja/account/configuration/CassandraBaseConfig.java index 873dae4..98dcffb 100644 --- a/src/main/java/biz/nynja/account/configuration/CassandraBaseConfig.java +++ b/src/main/java/biz/nynja/account/configuration/CassandraBaseConfig.java @@ -1,7 +1,6 @@ package biz.nynja.account.configuration; - - +import java.util.Arrays; import java.util.List; import org.springframework.beans.factory.annotation.Value; 
@@ -13,24 +12,25 @@ import org.springframework.data.cassandra.config.CassandraClusterFactoryBean; import org.springframework.data.cassandra.config.CassandraSessionFactoryBean; import org.springframework.data.cassandra.config.SchemaAction; import org.springframework.data.cassandra.core.CassandraAdminOperations; +import org.springframework.data.cassandra.core.cql.keyspace.CreateKeyspaceSpecification; import org.springframework.data.cassandra.repository.config.EnableCassandraRepositories; @Configuration -@EnableCassandraRepositories +@EnableCassandraRepositories(basePackages = { "biz.nynja.account.accesspoints" }) // to be moved to CassandraAccessPointConfig @ConditionalOnMissingClass("org.springframework.test.context.junit4.SpringRunner") public abstract class CassandraBaseConfig extends AbstractCassandraConfiguration { - + @Value("${spring.data.cassandra.contact-points}") protected String contactPoints; - + @Value("${spring.data.cassandra.port}") protected int port; - + @Override protected String getContactPoints() { return contactPoints; } - + public void setContactPoints(String contactPoints) { this.contactPoints = contactPoints; } @@ -44,23 +44,8 @@ public abstract class CassandraBaseConfig extends AbstractCassandraConfiguration return port; } - @Override - public SchemaAction getSchemaAction() { - return SchemaAction.CREATE_IF_NOT_EXISTS; - } - - @Override - protected List getStartupScripts() { - return super.getStartupScripts(); - } - - public String getConfiguredKeyspaceName() { - return getKeyspaceName(); - } - public CassandraAdminOperations cassandraTemplate(CassandraSessionFactoryBean session) throws Exception { return null; } - } diff --git a/src/main/java/biz/nynja/account/configuration/CassandraConfig.java b/src/main/java/biz/nynja/account/configuration/CassandraConfig.java new file mode 100644 index 0000000..35906d7 --- /dev/null +++ b/src/main/java/biz/nynja/account/configuration/CassandraConfig.java 
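Review bot: Placing `@EnableCassandraRepositories(basePackages = { "biz.nynja.account.accesspoints" })` on the abstract base means every concrete subclass inherits the accesspoint repository registration, and with no `cassandraTemplateRef` those repositories bind to the bean named `cassandraTemplate` (the annotation default) rather than `CassandraAccountTemplate`; if the access points are meant to live in the account keyspace now, add `cassandraTemplateRef = "CassandraAccountTemplate"` here or fold the package into `CassandraAccountConfig`'s `basePackages` and drop this annotation. The trailing `// to be moved to CassandraAccessPointConfig` contradicts this commit, which comments that class out — make it `// TODO(NY-XXXX): move once the accesspoint keyspace is reinstated` with the real ticket, or remove it. Removing `getSchemaAction()` from the base also means any future subclass silently falls back to the parent default schema action, which is worth a one-line class Javadoc note.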
@@ -0,0 +1,77 @@ +///** +// * Copyright (C) 2018 Nynja Inc. All rights reserved. +// */ +//package biz.nynja.account.configuration; +// +//import java.util.Arrays; +//import java.util.List; +// +//import org.springframework.beans.factory.annotation.Value; +//import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingClass; +//import org.springframework.context.annotation.Configuration; +//import org.springframework.data.cassandra.config.AbstractCassandraConfiguration; +//import org.springframework.data.cassandra.config.SchemaAction; +//import org.springframework.data.cassandra.core.cql.keyspace.CreateKeyspaceSpecification; +//import org.springframework.data.cassandra.repository.config.EnableCassandraRepositories; +// +//import biz.nynja.account.StartupScriptsListener; +// +//@Configuration +//@EnableCassandraRepositories +//@ConditionalOnMissingClass("org.springframework.test.context.junit4.SpringRunner") +//public class CassandraConfig extends AbstractCassandraConfiguration { +// +// @Value("${spring.data.cassandra.account.keyspace-name}") +// private String keyspace; +// +// @Override +// protected String getKeyspaceName() { +// return keyspace; +// } +// +// @Value("${spring.data.cassandra.contact-points}") +// private String contactPoints; +// +// @Override +// protected String getContactPoints() { +// return contactPoints; +// } +// +// @Value("${spring.data.cassandra.port}") +// private int port; +// +// @Override +// protected int getPort() { +// return port; +// } +// +// @Override +// public SchemaAction getSchemaAction() { +// return SchemaAction.CREATE_IF_NOT_EXISTS; +// } +// +// @Override +// protected List getKeyspaceCreations() { +// CreateKeyspaceSpecification specification = CreateKeyspaceSpecification.createKeyspace(getKeyspaceName()) +// .ifNotExists().withSimpleReplication(); +// return Arrays.asList(specification); +// } +// +// @Override +// public String[] getEntityBasePackages() { +// return new String[] { 
"biz.nynja.account.models" }; +// } +// +// /** +// * See {@link StartupScriptsListener} for scripts +// * that require JPA annotated tables +// */ +// @Override +// protected List getStartupScripts() { +// return super.getStartupScripts(); +// } +// +// public String getConfiguredKeyspaceName() { +// return getKeyspaceName(); +// } +//} \ No newline at end of file diff --git a/src/main/java/biz/nynja/account/permissions/PermissionsInterceptor.java b/src/main/java/biz/nynja/account/permissions/PermissionsInterceptor.java index 7a37de8..b67ce52 100644 --- a/src/main/java/biz/nynja/account/permissions/PermissionsInterceptor.java +++ b/src/main/java/biz/nynja/account/permissions/PermissionsInterceptor.java 
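Review bot: This adds a brand-new file under `src/main` that is entirely commented out, which is dead weight that will drift from the live configuration; if it is a scratch consolidation of the two configs, keep it on a branch or attach it to the ticket instead of committing it. Uncommented as-is it would register `@EnableCassandraRepositories` with no `basePackages` alongside `CassandraAccountConfig`, i.e. a second repository scan of the whole package and a second template bean, so it should not land in this form.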
@@ -1,177 +1,177 @@ -/** - * Copyright (C) 2018 Nynja Inc. All rights reserved. - */ -package biz.nynja.account.permissions; - -import static io.grpc.Metadata.ASCII_STRING_MARSHALLER; - -import java.lang.reflect.Method; -import java.util.Base64; -import java.util.Optional; -import java.util.UUID; - -import org.lognet.springboot.grpc.GRpcGlobalInterceptor; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.beans.factory.annotation.Autowired; - -import com.auth0.jwt.JWT; -import com.auth0.jwt.interfaces.Claim; -import com.auth0.jwt.interfaces.DecodedJWT; - -import biz.nynja.account.services.AccountServiceImpl; -import biz.nynja.account.accesspoints.AccessPointService; -import biz.nynja.account.accesspoints.AccessPoint; -import io.grpc.Context; -import io.grpc.Contexts; -import io.grpc.Metadata; -import io.grpc.ServerCall; -import io.grpc.ServerCall.Listener; -import io.grpc.ServerCallHandler; -import io.grpc.ServerInterceptor; -import io.grpc.Status; - -/** - * @author Stoyan.Tzenkov - account-service ServerInterceptor. - * Validates roles for granting permissions to account-service endpoints(rpcs). 
- * General rules: - * - if access token is not present - PERMISSION DENIED; - * - if no accesspoint found for the requesting account ID and access token - PERMISSION DENIED; - * - if no roles found in the access token - PERMISSION DENIED; - * - if rpc not found in the account-service class - PERMISSION DENIED; - * - if no Permitted annotation found for the rpc method - PERMISSION DENIED; - * - if rpc has either @Permitted(role = RoleConstants.ANY) - PERMISSION GRANTED; - * - if rpc has an annotation @PerformPermissionCheck - @Permitted annotations are checked and an additional check is performed in the rpc; - * - if no role from the request matches any Permitted annotation for the rpc - PERMISSION DENIED - */ - -@GRpcGlobalInterceptor -public class PermissionsInterceptor implements ServerInterceptor { - - private static final Logger logger = LoggerFactory.getLogger(PermissionsInterceptor.class); - private static final Class SERVICE_CLASS = AccountServiceImpl.class; - - public static final Metadata.Key ACCESS_TOKEN_METADATA = Metadata.Key.of("Authorization", - ASCII_STRING_MARSHALLER); - public static final Context.Key ACCESS_TOKEN_CTX = Context.key("accessToken"); - - private static final ServerCall.Listener NOOP_LISTENER = new ServerCall.Listener() { - }; - - @Autowired - private AccessPointService accessPointService; - - @Override - public ServerCall.Listener interceptCall(ServerCall call, Metadata headers, - ServerCallHandler next) { - - // WARNING: THe line bellow is to be removed and code following uncommented - // when Istio starts sending an access token with each and every request - return next.startCall(call, headers); - - /* - * Expected metadata is "Authorization" : "Bearer --accessTokenValue--" so we can skip validation as istio won't - * allow this request through - */ -// String accessToken = (headers.get(ACCESS_TOKEN_METADATA).split(" "))[1]; -// String rpc = getRpcName(call); -// -// boolean permitted = false; -// Context ctx = null; +///** +// * 
Copyright (C) 2018 Nynja Inc. All rights reserved. +// */ +//package biz.nynja.account.permissions; +// +//import static io.grpc.Metadata.ASCII_STRING_MARSHALLER; +// +//import java.lang.reflect.Method; +//import java.util.Base64; +//import java.util.Optional; +//import java.util.UUID; +// +//import org.lognet.springboot.grpc.GRpcGlobalInterceptor; +//import org.slf4j.Logger; +//import org.slf4j.LoggerFactory; +//import org.springframework.beans.factory.annotation.Autowired; +// +//import com.auth0.jwt.JWT; +//import com.auth0.jwt.interfaces.Claim; +//import com.auth0.jwt.interfaces.DecodedJWT; +// +//import biz.nynja.account.services.AccountServiceImpl; +////import biz.nynja.account.accesspoints.AccessPointService; +////import biz.nynja.account.accesspoints.AccessPoint; +//import io.grpc.Context; +//import io.grpc.Contexts; +//import io.grpc.Metadata; +//import io.grpc.ServerCall; +//import io.grpc.ServerCall.Listener; +//import io.grpc.ServerCallHandler; +//import io.grpc.ServerInterceptor; +//import io.grpc.Status; +// +///** +// * @author Stoyan.Tzenkov - account-service ServerInterceptor. +// * Validates roles for granting permissions to account-service endpoints(rpcs). 
+// * General rules: +// * - if access token is not present - PERMISSION DENIED; +// * - if no accesspoint found for the requesting account ID and access token - PERMISSION DENIED; +// * - if no roles found in the access token - PERMISSION DENIED; +// * - if rpc not found in the account-service class - PERMISSION DENIED; +// * - if no Permitted annotation found for the rpc method - PERMISSION DENIED; +// * - if rpc has either @Permitted(role = RoleConstants.ANY) - PERMISSION GRANTED; +// * - if rpc has an annotation @PerformPermissionCheck - @Permitted annotations are checked and an additional check is performed in the rpc; +// * - if no role from the request matches any Permitted annotation for the rpc - PERMISSION DENIED +// */ +// +//@GRpcGlobalInterceptor +//public class PermissionsInterceptor implements ServerInterceptor { +// +// private static final Logger logger = LoggerFactory.getLogger(PermissionsInterceptor.class); +// private static final Class SERVICE_CLASS = AccountServiceImpl.class; +// +// public static final Metadata.Key ACCESS_TOKEN_METADATA = Metadata.Key.of("Authorization", +// ASCII_STRING_MARSHALLER); +// public static final Context.Key ACCESS_TOKEN_CTX = Context.key("accessToken"); +// +// private static final ServerCall.Listener NOOP_LISTENER = new ServerCall.Listener() { +// }; +// +// @Autowired +//// private AccessPointService accessPointService; +// +// @Override +// public ServerCall.Listener interceptCall(ServerCall call, Metadata headers, +// ServerCallHandler next) { +// +// // WARNING: THe line bellow is to be removed and code following uncommented +// // when Istio starts sending an access token with each and every request +// return next.startCall(call, headers); +// +// /* +// * Expected metadata is "Authorization" : "Bearer --accessTokenValue--" so we can skip validation as istio won't +// * allow this request through +// */ +//// String accessToken = (headers.get(ACCESS_TOKEN_METADATA).split(" "))[1]; +//// String rpc = 
getRpcName(call); +//// +//// boolean permitted = false; +//// Context ctx = null; +//// String[] requestingRoles = null; +//// +//// if (accessToken == null && accessToken.isEmpty()) { +//// permissionDenied(call, headers, "Permission denied for rpc {}. Access token not in headers", rpc ); +//// } +//// ctx = Context.current().withValue(ACCESS_TOKEN_CTX, accessToken); +//// DecodedJWT decodedToken = JWT.decode(accessToken); +//// +//// if (!accessPointAvailable(accessToken, decodedToken, rpc)) { +//// permissionDenied(call, headers, "Permission denied for rpc {}. No access point available for this account and access token.", rpc ); +//// } +//// +//// requestingRoles = getRolesFromAccessToken(decodedToken); +//// if (requestingRoles == null) { +//// permissionDenied(call, headers, "Permission denied for rpc {}. No roles found for requesting account in access token.", rpc ); +//// } +//// +//// Method method = getMethod(rpc); +//// if (method == null) { +//// permissionDenied(call, headers, "Permission denied for rpc {}. 
Could not identify the method implementing this rpc.", rpc ); +//// } +//// +//// Permitted[] permittedRoles = method.getAnnotationsByType(Permitted.class); +//// permitted = checkPermissions(requestingRoles, permittedRoles); +//// if (permitted) { +//// logger.info("Permission granted to rpc {}.", rpc); +//// return Contexts.interceptCall(ctx, call, headers, next); +//// } else { +//// logger.error("Permission denied for rpc {}, roles {}.", rpc, requestingRoles); +//// call.close(Status.PERMISSION_DENIED.withDescription("An unauthorized call was made to " + rpc + "."), +//// headers); +//// return NOOP_LISTENER; +//// } +// } +// +// private String getRpcName(ServerCall call) { +// // Get name of endpoint/rpc called +// String callName = call.getMethodDescriptor().getFullMethodName(); +// return callName.substring(callName.lastIndexOf('/') + 1); +// } +// +//// private boolean accessPointAvailable(String accessToken, DecodedJWT decodedToken, String rpc) { +//// +//// String accountId = new String(Base64.getDecoder().decode(decodedToken.getSubject())); +//// logger.info("Verifying permissions for rpc {} for user with account id {}.", rpc, accountId); +//// +//// Optional accessPoint = accessPointService.getAccessPoint(UUID.fromString(accountId), accessToken); +//// return accessPoint.isPresent(); +//// } +// +// private String[] getRolesFromAccessToken(DecodedJWT decodedToken) { +// // Get roles from access token // String[] requestingRoles = null; // -// if (accessToken == null && accessToken.isEmpty()) { -// permissionDenied(call, headers, "Permission denied for rpc {}. 
Access token not in headers", rpc ); +// Claim claim = decodedToken.getClaim("roles"); +// if (claim != null) { +// requestingRoles = claim.asArray(String.class); // } -// ctx = Context.current().withValue(ACCESS_TOKEN_CTX, accessToken); -// DecodedJWT decodedToken = JWT.decode(accessToken); +// return requestingRoles; +// } // -// if (!accessPointAvailable(accessToken, decodedToken, rpc)) { -// permissionDenied(call, headers, "Permission denied for rpc {}. No access point available for this account and access token.", rpc ); -// } +// private Method getMethod(String rpc) { +// // Get the rpc method called +// Method[] allMethods = SERVICE_CLASS.getDeclaredMethods(); // -// requestingRoles = getRolesFromAccessToken(decodedToken); -// if (requestingRoles == null) { -// permissionDenied(call, headers, "Permission denied for rpc {}. No roles found for requesting account in access token.", rpc ); +// for (Method method : allMethods) { +// if (method.getName().equals(rpc)) { +// return method; +// } // } +// return null; +// } // -// Method method = getMethod(rpc); -// if (method == null) { -// permissionDenied(call, headers, "Permission denied for rpc {}. 
Could not identify the method implementing this rpc.", rpc ); -// } +// private boolean checkPermissions(String[] requestingRoles, Permitted[] permittedRoles) { // -// Permitted[] permittedRoles = method.getAnnotationsByType(Permitted.class); -// permitted = checkPermissions(requestingRoles, permittedRoles); -// if (permitted) { -// logger.info("Permission granted to rpc {}.", rpc); -// return Contexts.interceptCall(ctx, call, headers, next); -// } else { -// logger.error("Permission denied for rpc {}, roles {}.", rpc, requestingRoles); -// call.close(Status.PERMISSION_DENIED.withDescription("An unauthorized call was made to " + rpc + "."), -// headers); -// return NOOP_LISTENER; +// for (Permitted permitted : permittedRoles) { +// if (permitted.role().equals(RoleConstants.ANY)) { +// return true; +// } +// for (String role : requestingRoles) { +// if (role.equals(permitted.role()) || role.equals(RoleConstants.ACCOUNT_ADMIN) +// || role.equals(RoleConstants.AUTH_SERVICE)) { +// return true; +// } +// } // } - } - - private String getRpcName(ServerCall call) { - // Get name of endpoint/rpc called - String callName = call.getMethodDescriptor().getFullMethodName(); - return callName.substring(callName.lastIndexOf('/') + 1); - } - - private boolean accessPointAvailable(String accessToken, DecodedJWT decodedToken, String rpc) { - - String accountId = new String(Base64.getDecoder().decode(decodedToken.getSubject())); - logger.info("Verifying permissions for rpc {} for user with account id {}.", rpc, accountId); - - Optional accessPoint = accessPointService.getAccessPoint(UUID.fromString(accountId), accessToken); - return accessPoint.isPresent(); - } - - private String[] getRolesFromAccessToken(DecodedJWT decodedToken) { - // Get roles from access token - String[] requestingRoles = null; - - Claim claim = decodedToken.getClaim("roles"); - if (claim != null) { - requestingRoles = claim.asArray(String.class); - } - return requestingRoles; - } - - private Method 
getMethod(String rpc) { - // Get the rpc method called - Method[] allMethods = SERVICE_CLASS.getDeclaredMethods(); - - for (Method method : allMethods) { - if (method.getName().equals(rpc)) { - return method; - } - } - return null; - } - - private boolean checkPermissions(String[] requestingRoles, Permitted[] permittedRoles) { - - for (Permitted permitted : permittedRoles) { - if (permitted.role().equals(RoleConstants.ANY)) { - return true; - } - for (String role : requestingRoles) { - if (role.equals(permitted.role()) || role.equals(RoleConstants.ACCOUNT_ADMIN) - || role.equals(RoleConstants.AUTH_SERVICE)) { - return true; - } - } - } - return false; - } - - private ServerCall.Listener permissionDenied(ServerCall call, Metadata headers, String message, String rpc ) { - logger.error(message, rpc); - call.close(Status.PERMISSION_DENIED.withDescription("An unauthorized call was made to " + rpc + "."), - headers); - return NOOP_LISTENER; - } - -} +// return false; +// } +// +// private ServerCall.Listener permissionDenied(ServerCall call, Metadata headers, String message, String rpc ) { +// logger.error(message, rpc); +// call.close(Status.PERMISSION_DENIED.withDescription("An unauthorized call was made to " + rpc + "."), +// headers); +// return NOOP_LISTENER; +// } +// +//} diff --git a/src/test/java/biz/nynja/account/services/AccountServiceTests.java b/src/test/java/biz/nynja/account/services/AccountServiceTests.java index 2c0415d..116a083 100644 --- a/src/test/java/biz/nynja/account/services/AccountServiceTests.java +++ b/src/test/java/biz/nynja/account/services/AccountServiceTests.java 
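Review bot: Commenting out the whole class removes the `@GRpcGlobalInterceptor` bean, so account-service now has no in-process authorization at all and depends entirely on the mesh; the old code was already bypassed by the early `return next.startCall(call, headers);`, so the runtime difference is small, but the re-enable path is now a file-wide uncomment instead of deleting one line. Keep the class compiled and gate the bypass explicitly, e.g. `@ConditionalOnProperty(name = "permissions.enforce", havingValue = "true", matchIfMissing = true)` on the class, so enforcement cannot be forgotten. Whoever uncomments this should also note that the early denials do not stop the call — `permissionDenied(call, headers, ...)` closes the call but execution falls through to `JWT.decode`, `getMethod` and eventually `next`, so each site needs `return permissionDenied(...)`; the guard `accessToken == null && accessToken.isEmpty()` must be `||`, and `headers.get(ACCESS_TOKEN_METADATA).split(" ")[1]` throws before that guard when the header is absent. `JWT.decode` only parses the token and does not verify its signature, so the `roles` claim is trusted on the assumption that Istio validated the JWT upstream; that assumption belongs in the class Javadoc, e.g. `Token signature is NOT verified here; the sidecar must reject unsigned or forged tokens before the call reaches this interceptor.` The `@Autowired` left above the doubly-commented `accessPointService` field would attach to `interceptCall` on uncomment, so comment it out with the field.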
@@ -81,7 +81,6 @@ import biz.nynja.account.models.PendingAccount;
 import biz.nynja.account.models.PendingAccountByAuthenticationProvider;
 import biz.nynja.account.models.Profile;
 import biz.nynja.account.models.ProfileByAuthenticationProvider;
-import biz.nynja.account.permissions.PermissionsInterceptor;
 import biz.nynja.account.repositories.AccountByAuthenticationProviderRepository;
 import biz.nynja.account.repositories.AccountByProfileIdRepository;
 import biz.nynja.account.repositories.AccountByQrCodeRepository;
-- GitLab