feat: filtering of groups in access control filter

AccessControl filter (PerunAuthorizationFilter) now support specifying a resource attribute, which if set and non-null on Resource object, groups from this resource will not be considered for controlling access.

feat: filtering of groups in access control filter
76ce6903 · Dominik Frantisek Bucik · 7f1cf4c5 · 76ce6903 · 76ce6903 · 76ce6903
Verified Commit 76ce6903 authored 1 year ago by Dominik Frantisek Bucik
--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/PerunAdapterMethods.java
@@ -86,11 +86,12 @@ public interface PerunAdapterMethods {
 	 * Perform check if user can access service based on his/her membership
 	 * in groups assigned to facility resources
 	 *
-	 * @param facility Facility object
+	 * @param facility                  Facility object
-	 * @param userId ID of user
+	 * @param userId                    ID of user
+	 * @param accessControlDisabledAttr
 	 * @return TRUE if user can access, FALSE otherwise
 	 */
-	boolean canUserAccessBasedOnMembership(Facility facility, Long userId);
+	boolean canUserAccessBasedOnMembership(Facility facility, Long userId, String accessControlDisabledAttr);
 	/**
 	 * Fetch facility attribute values

--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterImpl.java
@@ -62,12 +62,12 @@ public class PerunAdapterImpl extends PerunAdapter {
    }
    @Override
-    public boolean canUserAccessBasedOnMembership(Facility facility, Long userId) {
+    public boolean canUserAccessBasedOnMembership(Facility facility, Long userId, String accessControlDisabledAttr) {
        try {
-            return this.getAdapterPrimary().canUserAccessBasedOnMembership(facility, userId);
+            return this.getAdapterPrimary().canUserAccessBasedOnMembership(facility, userId, accessControlDisabledAttr);
        } catch (UnsupportedOperationException e) {
            if (this.isCallFallback()) {
-                return this.getAdapterFallback().canUserAccessBasedOnMembership(facility, userId);
+                return this.getAdapterFallback().canUserAccessBasedOnMembership(facility, userId, accessControlDisabledAttr);
            } else {
                throw e;
            }

--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterLdap.java
@@ -142,14 +142,14 @@ public class PerunAdapterLdap extends PerunAdapterWithMappingServices implements
 	}
 	@Override
-	public boolean canUserAccessBasedOnMembership(Facility facility, Long userId) {
+	public boolean canUserAccessBasedOnMembership(Facility facility, Long userId, String accessControlDisabledAttr) {
-		Set<Long> groupsWithAccessIds = getGroupIdsAssignedToFacility(facility.getId(), null);
+		Set<Long> groupsWithAccessIds = getGroupIdsAssignedToFacility(facility.getId(), accessControlDisabledAttr);
 		if (groupsWithAccessIds == null || groupsWithAccessIds.isEmpty()) {
 			return false;
 		}
 		Set<Long> userGroupIds = getGroupIdsWhereUserIsMember(userId, null);
-		if (userGroupIds == null || userGroupIds.isEmpty()) {
+		if (userGroupIds.isEmpty()) {
 			return false;
 		}

--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/adapters/impl/PerunAdapterRpc.java
@@ -132,12 +132,12 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
 	}
 	@Override
-	public boolean canUserAccessBasedOnMembership(Facility facility, Long userId) {
+	public boolean canUserAccessBasedOnMembership(Facility facility, Long userId, String ignoreAttr) {
 		if (!this.connectorRpc.isEnabled()) {
 			return true;
 		}
-		List<Group> activeGroups = getGroupsWhereUserIsActiveByFacility(facility.getId(), userId);
+		Set<Group> activeGroups = getGroupsWhereUserIsActive(facility.getId(), userId, ignoreAttr);
 		return !activeGroups.isEmpty();
 	}
@@ -1002,6 +1002,19 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
 		return groups;
 	}
+	private Set<Group> getGroupsWhereUserIsActiveByFacility(Long facilityId, Long userId) {
+		if (!this.connectorRpc.isEnabled()) {
+			return new HashSet<>();
+		}
+		Map<String, Object> map = new LinkedHashMap<>();
+		map.put("facility", facilityId);
+		map.put("user", userId);
+		JsonNode jsonNode = connectorRpc.post(USERS_MANAGER, "getGroupsWhereUserIsActive", map);
+		return new HashSet<>(RpcMapper.mapGroups(jsonNode));
+	}
 	private Set<Resource> getResourcesAssignedToFacility(Long facilityId, Long userId, String ignoreAttribute) {
 		if (!this.connectorRpc.isEnabled()) {
 			return new HashSet<>();
@@ -1010,7 +1023,7 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
 		Set<Resource> result = new HashSet<>();
 		for (Resource resource : resources) {
 			PerunAttributeValue attrValue = getResourceAttributeValue(resource.getId(), ignoreAttribute);
-			if (attrValue == null || attrValue.isNullValue()) {
+			if (attrValue == null || attrValue.isNullValue() || !attrValue.valueAsBoolean()) {
 				result.add(resource);
 			} else {
 				log.debug(
@@ -1251,19 +1264,6 @@ public class PerunAdapterRpc extends PerunAdapterWithMappingServices implements
 		return true;
 	}
-	private List<Group> getGroupsWhereUserIsActiveByFacility(Long facilityId, Long userId) {
-		if (!this.connectorRpc.isEnabled()) {
-			return new ArrayList<>();
-		}
-		Map<String, Object> map = new LinkedHashMap<>();
-		map.put("facility", facilityId);
-		map.put("user", userId);
-		JsonNode jsonNode = connectorRpc.post(USERS_MANAGER, "getGroupsWhereUserIsActive", map);
-		return RpcMapper.mapGroups(jsonNode);
-	}
 	private Map<Long, Vo> convertVoListToMap(List<Vo> vos) {
 		if (!this.connectorRpc.isEnabled()) {
 			return new HashMap<>();

--- a/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java
+++ b/perun-oidc-server/src/main/java/cz/muni/ics/oidc/server/filters/impl/PerunAuthorizationFilter.java
@@ -31,6 +31,11 @@ import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.STATE;
 *
 * Configuration:
 * - based on the configuration of bean "facilityAttrsConfig"
+ * Configuration of filter (replace [name] part with the name defined for the filter):
+ * <ul>
+ *     <li><b>filter.[name].accessControlDisabledAttr</b> - resource attribute which triggers if resource assigned
+ *     groups should not be used for controlling access. When not specified, all groups will be used.</li>
+ * </ul>
 * @see FacilityAttrsConfig
 * @see cz.muni.ics.oidc.server.filters.AuthProcFilter (basic configuration options)
 *
@@ -39,15 +44,19 @@ import static cz.muni.ics.openid.connect.request.ConnectRequestParameters.STATE;
 @Slf4j
 public class PerunAuthorizationFilter extends AuthProcFilter {
+	protected static final String ACCESS_CONTROL_DISABLED_ATTR = "accessControlDisabledAttr";
 	private final PerunAdapter perunAdapter;
 	private final FacilityAttrsConfig facilityAttrsConfig;
 	private final PerunOidcConfig config;
+	private final String accessControlDisabledAttr;
 	public PerunAuthorizationFilter(AuthProcFilterInitContext ctx) throws ConfigurationException {
 		super(ctx);
 		this.perunAdapter = ctx.getPerunAdapterBean();
 		this.config = ctx.getPerunOidcConfigBean();
 		this.facilityAttrsConfig = ctx.getBeanUtil().getBean(FacilityAttrsConfig.class);
+		this.accessControlDisabledAttr = ctx.getProperty(ACCESS_CONTROL_DISABLED_ATTR, null);
 	}
 	@Override
@@ -65,7 +74,7 @@ public class PerunAuthorizationFilter extends AuthProcFilter {
 		}
 		return this.decideAccess(facility, user, req, res, params.getClientIdentifier(),
-				perunAdapter, facilityAttrsConfig);
+				perunAdapter, facilityAttrsConfig, accessControlDisabledAttr);
 	}
 	@Override
@@ -73,9 +82,14 @@ public class PerunAuthorizationFilter extends AuthProcFilter {
 		return false;
 	}
-	private boolean decideAccess(Facility facility, PerunUser user, HttpServletRequest req,
+	private boolean decideAccess(Facility facility,
-								 HttpServletResponse response, String clientIdentifier, PerunAdapter perunAdapter,
+								 PerunUser user,
-								 FacilityAttrsConfig facilityAttrsConfig)
+								 HttpServletRequest req,
+								 HttpServletResponse response,
+								 String clientIdentifier,
+								 PerunAdapter perunAdapter,
+								 FacilityAttrsConfig facilityAttrsConfig,
+								 String accessControlDisabledAttr)
 	{
 		Map<String, PerunAttributeValue> facilityAttributes = perunAdapter.getFacilityAttributeValues(
 				facility, facilityAttrsConfig.getMembershipAttrNames());
@@ -85,7 +99,7 @@ public class PerunAuthorizationFilter extends AuthProcFilter {
 			return true;
 		}
-		if (perunAdapter.canUserAccessBasedOnMembership(facility, user.getId())) {
+		if (perunAdapter.canUserAccessBasedOnMembership(facility, user.getId(), accessControlDisabledAttr)) {
 			log.info("{} - user allowed to access the service", getFilterName());
 			return true;
 		} else {