use of org.pmiops.workbench.auth.UserAuthentication in project workbench by all-of-us.
the class AuthInterceptor method preHandle.
/**
* Returns true iff the request is auth'd and should proceed. Publishes authenticated user info
* using Spring's SecurityContext.
* @param handler The Swagger-generated ApiController. It contains our handler as a private
* delegate.
*/
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
// OPTIONS methods requests don't need authorization.
if (request.getMethod().equals(HttpMethods.OPTIONS)) {
return true;
}
HandlerMethod method = (HandlerMethod) handler;
boolean isAuthRequired = false;
ApiOperation apiOp = AnnotationUtils.findAnnotation(method.getMethod(), ApiOperation.class);
if (apiOp != null) {
for (Authorization auth : apiOp.authorizations()) {
if (auth.value().equals(authName)) {
isAuthRequired = true;
break;
}
}
}
if (!isAuthRequired) {
return true;
}
String authorizationHeader = request.getHeader(HttpHeaders.AUTHORIZATION);
if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
log.warning("No bearer token found in request");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return false;
}
String token = authorizationHeader.substring("Bearer".length()).trim();
Userinfoplus userInfo;
try {
userInfo = userInfoService.getUserInfo(token);
} catch (HttpResponseException e) {
log.log(Level.WARNING, "{0} response getting user info for bearer token {1}: {2}", new Object[] { e.getStatusCode(), token, e.getStatusMessage() });
response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return false;
}
// TODO: check Google group membership to ensure user is in registered user group
String userEmail = userInfo.getEmail();
WorkbenchConfig workbenchConfig = workbenchConfigProvider.get();
if (workbenchConfig.auth.serviceAccountApiUsers.contains(userEmail)) {
// Whitelisted service accounts are able to make API calls, too.
// TODO: stop treating service accounts as normal users, have a separate table for them,
// administrators.
User user = userDao.findUserByEmail(userEmail);
if (user == null) {
user = userService.createServiceAccountUser(userEmail);
}
SecurityContextHolder.getContext().setAuthentication(new UserAuthentication(user, userInfo, token, UserType.SERVICE_ACCOUNT));
log.log(Level.INFO, "{0} service account in use", userInfo.getEmail());
return true;
}
String gsuiteDomainSuffix = "@" + workbenchConfig.googleDirectoryService.gSuiteDomain;
if (!userEmail.endsWith(gsuiteDomainSuffix)) {
try {
// If the email isn't in our GSuite domain, try FireCloud; we could be dealing with a
// pet service account. In both AofU and FireCloud, the pet SA is treated as if it were
// the user it was created for.
userEmail = fireCloudService.getMe().getUserInfo().getUserEmail();
} catch (ApiException e) {
log.log(Level.INFO, "FireCloud lookup for {0} failed, can't access the workbench: {1}", new Object[] { userInfo.getEmail(), e.getMessage() });
response.sendError(e.getCode());
return false;
}
if (!userEmail.endsWith(gsuiteDomainSuffix)) {
log.log(Level.INFO, "User {0} isn't in domain {1}, can't access the workbench", new Object[] { userEmail, gsuiteDomainSuffix });
response.sendError(HttpServletResponse.SC_NOT_FOUND);
return false;
}
}
User user = userDao.findUserByEmail(userEmail);
if (user == null) {
// TODO(danrodney): start populating contact email in Google account, use it here.
user = userService.createUser(userInfo.getGivenName(), userInfo.getFamilyName(), userInfo.getEmail(), null);
} else {
if (user.getDisabled()) {
throw new ForbiddenException(ExceptionUtils.errorResponse(ErrorCode.USER_DISABLED, "This user account has been disabled."));
}
}
SecurityContextHolder.getContext().setAuthentication(new UserAuthentication(user, userInfo, token, UserType.RESEARCHER));
// TODO: setup this in the context, get rid of log statement
log.log(Level.INFO, "{0} logged in", userInfo.getEmail());
if (!hasRequiredAuthority(method, user)) {
response.sendError(HttpServletResponse.SC_FORBIDDEN);
return false;
}
return true;
}
use of org.pmiops.workbench.auth.UserAuthentication in project workbench by all-of-us.
the class ProfileControllerTest method createUser.
private Profile createUser() throws Exception {
when(cloudStorageService.readInvitationKey()).thenReturn(INVITATION_KEY);
when(directoryService.createUser(GIVEN_NAME, FAMILY_NAME, USERNAME, PASSWORD)).thenReturn(googleUser);
when(fireCloudService.isRequesterEnabledInFirecloud()).thenReturn(false);
Profile result = profileController.createAccount(createAccountRequest).getBody();
user = userDao.findUserByEmail(PRIMARY_EMAIL);
user.setEmailVerificationStatus(EmailVerificationStatus.SUBSCRIBED);
userDao.save(user);
when(userProvider.get()).thenReturn(user);
when(userAuthenticationProvider.get()).thenReturn(new UserAuthentication(user, null, null, UserType.RESEARCHER));
return result;
}
use of org.pmiops.workbench.auth.UserAuthentication in project workbench by all-of-us.
the class ProfileController method initializeUserIfNeeded.
private User initializeUserIfNeeded() {
UserAuthentication userAuthentication = userAuthenticationProvider.get();
User user = userAuthentication.getUser();
if (userAuthentication.getUserType() == UserType.SERVICE_ACCOUNT) {
// Service accounts don't need further initialization.
return user;
}
// On first sign-in, create a FC user, billing project, and set the first sign in time.
if (user.getFirstSignInTime() == null) {
// instead use the freeTierBillingProjectStatus.
if (user.getFreeTierBillingProjectName() == null) {
String billingProjectName = createFirecloudUserAndBillingProject(user);
user.setFreeTierBillingProjectName(billingProjectName);
user.setFreeTierBillingProjectStatus(BillingProjectStatus.PENDING);
}
user.setFirstSignInTime(new Timestamp(clock.instant().toEpochMilli()));
try {
return userDao.save(user);
} catch (ObjectOptimisticLockingFailureException e) {
log.log(Level.WARNING, "version conflict for user update", e);
throw new ConflictException("Failed due to concurrent modification");
}
}
// Free tier billing project setup is complete; nothing to do.
if (BillingProjectStatus.READY.equals(user.getFreeTierBillingProjectStatus())) {
return user;
}
// On subsequent sign-ins to the first, attempt to complete the setup of the FC billing project
// and mark the Workbench's project setup as completed. FC project creation is asynchronous, so
// first confirm whether Firecloud claims the project setup is complete.
BillingProjectStatus status = null;
try {
status = fireCloudService.getBillingProjectMemberships().stream().filter(m -> user.getFreeTierBillingProjectName().equals(m.getProjectName())).map(m -> fcToWorkbenchBillingMap.get(m.getCreationStatus())).findFirst().orElse(BillingProjectStatus.NONE);
} catch (ApiException e) {
log.log(Level.WARNING, "failed to retrieve billing projects, continuing", e);
return user;
}
switch(status) {
case NONE:
case PENDING:
log.log(Level.INFO, "free tier project is still initializing, continuing");
return user;
case ERROR:
log.log(Level.SEVERE, String.format("free tier project %s failed to be created", user.getFreeTierBillingProjectName()));
user.setFreeTierBillingProjectStatus(status);
return userDao.save(user);
case READY:
break;
default:
log.log(Level.SEVERE, String.format("unrecognized status '%s'", status));
return user;
}
// notebooks.
try {
fireCloudService.grantGoogleRoleToUser(user.getFreeTierBillingProjectName(), FireCloudService.BIGQUERY_JOB_USER_GOOGLE_ROLE, user.getEmail());
} catch (ApiException e) {
log.log(Level.WARNING, "granting BigQuery role on created free tier billing project failed", e);
// Allow the user to continue, as most workbench functionality will still be usable.
return user;
}
log.log(Level.INFO, "free tier project initialized and BigQuery role granted");
user.setFreeTierBillingProjectStatus(BillingProjectStatus.READY);
return userDao.save(user);
}
Aggregations