
Example 1 with NotAuthenticatedException

use of org.sagebionetworks.bridge.exceptions.NotAuthenticatedException in project BridgeServer2 by Sage-Bionetworks.

the class CRCController method httpBasicAuthentication.

/**
 * This is bound to specific "machine" accounts that are enumerated in the controller. Authentication is
 * session-less. The account itself has no administrative roles, so it can only execute those endpoints that
 * specifically allow it, in the app to which it is bound.
 */
App httpBasicAuthentication() {
    String value = request().getHeader(AUTHORIZATION);
    if (value == null || value.length() < 5) {
        throw new NotAuthenticatedException();
    }
    // Remove "Basic ";
    value = value.substring(5).trim();
    // Decode the credentials from base 64
    value = new String(Base64.getDecoder().decode(value), Charset.defaultCharset());
    // Split to username and password
    String[] credentials = value.split(":");
    if (credentials.length != 2) {
        throw new NotAuthenticatedException();
    }
    String appId = ACCOUNTS.get(credentials[0]);
    if (appId == null) {
        throw new NotAuthenticatedException();
    }
    SignIn.Builder signInBuilder = new SignIn.Builder().withAppId(appId).withPassword(credentials[1]);
    if (credentials[0].contains("@sagebase.org")) {
        signInBuilder.withEmail(credentials[0]);
    } else {
        signInBuilder.withExternalId(credentials[0]);
    }
    App app = appService.getApp(appId);
    // Verify the password
    SignIn signIn = signInBuilder.build();
    Account account = accountService.authenticate(app, signIn);
    // This method of verification sidesteps RequestContext initialization
    // through a session. Set up what is needed in the controller.
    Set<String> studies = BridgeUtils.collectStudyIds(account);
    RequestContext.Builder builder = new RequestContext.Builder()
            .withCallerAppId(appId)
            .withCallerRoles(account.getRoles())
            .withCallerUserId(account.getId())
            .withOrgSponsoredStudies(studies)
            .withCallerOrgMembership(account.getOrgMembership());
    RequestContext.set(builder.build());
    return app;
}
Also used : App(org.sagebionetworks.bridge.models.apps.App) Account(org.sagebionetworks.bridge.models.accounts.Account) NotAuthenticatedException(org.sagebionetworks.bridge.exceptions.NotAuthenticatedException) SignIn(org.sagebionetworks.bridge.models.accounts.SignIn) RequestContext(org.sagebionetworks.bridge.RequestContext)
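The listed method hands the raw header to Base64 after dropping five characters, so it never verifies that the scheme is actually "Basic", decodes with the JVM default charset, lets a malformed token surface as an IllegalArgumentException rather than NotAuthenticatedException, and its split(":") with length != 2 rejects any password that itself contains a colon. The following is an added example of a strict RFC 7617 parser, not code from BridgeServer2; the class and record names are invented for illustration and the sample headers in main are constructed, not captured traffic. It needs Java 16 or later for the record.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

/** Added example (not BridgeServer2 code): strict parsing of an HTTP Basic Authorization header. */
public final class BasicAuthParser {

    /** Username/password pair; the password may legitimately contain ':' (RFC 7617 section 2). */
    public record Credentials(String username, String password) {}

    /**
     * Returns the credentials if the header is a well-formed Basic credential, otherwise
     * Optional.empty(). A caller should map empty() to a generic 401 without explaining why.
     */
    public static Optional<Credentials> parse(String header) {
        if (header == null) {
            return Optional.empty();
        }
        String trimmed = header.trim();
        // Scheme names are case-insensitive; require "Basic" followed by a space, not just 5 chars.
        int space = trimmed.indexOf(' ');
        if (space < 0 || !trimmed.substring(0, space).equalsIgnoreCase("Basic")) {
            return Optional.empty();
        }
        String token = trimmed.substring(space + 1).trim();
        if (token.isEmpty()) {
            return Optional.empty();
        }
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(token); // throws IllegalArgumentException on bad input
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        // RFC 7617 defaults to UTF-8; never depend on Charset.defaultCharset() of the host JVM.
        String userPass = new String(raw, StandardCharsets.UTF_8);
        for (int i = 0; i < userPass.length(); i++) {
            if (Character.isISOControl(userPass.charAt(i))) { // control chars are forbidden
                return Optional.empty();
            }
        }
        // Only the FIRST colon separates user-id from password; the user-id cannot contain ':'.
        int colon = userPass.indexOf(':');
        if (colon <= 0) { // missing separator or empty user-id
            return Optional.empty();
        }
        return Optional.of(new Credentials(userPass.substring(0, colon), userPass.substring(colon + 1)));
    }

    private static String encode(String userPass) {
        return "Basic " + Base64.getEncoder().encodeToString(userPass.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String b64BobPw = Base64.getEncoder().encodeToString("bob:pw".getBytes(StandardCharsets.UTF_8));
        // Constructed sample headers for demonstration.
        String[] samples = {
            encode("alice@example.org:s3cret"), // plain case
            encode("worker-01:pa:ss:word"),     // password containing ':' (split(":") would reject it)
            "basic " + b64BobPw,                // lowercase scheme, still valid
            "Bearer " + b64BobPw,               // wrong scheme, must be rejected
            "Basic !!notbase64!!",              // malformed base64, rejected instead of throwing
            encode("nocolon"),                  // no separator
        };
        for (String h : samples) {
            String result = parse(h)
                    .map(c -> c.username() + " / " + c.password())
                    .orElse("REJECT");
            System.out.println(h + "  ->  " + result);
        }
    }
}
```

Once parsed this way, the lookup against the enumerated machine accounts and the password check can proceed exactly as in the listed method; the parser only guarantees that what reaches them is a well-formed Basic credential.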

Example 2 with NotAuthenticatedException

use of org.sagebionetworks.bridge.exceptions.NotAuthenticatedException in project BridgeServer2 by Sage-Bionetworks.

the class StudyParticipantControllerTest method getTimelineForSelf_notAuthenticated.

@Test(expectedExceptions = NotAuthenticatedException.class)
public void getTimelineForSelf_notAuthenticated() {
    doThrow(new NotAuthenticatedException()).when(controller).getAuthenticatedAndConsentedSession();
    controller.getTimelineForSelf(TEST_STUDY_ID);
}
Also used : NotAuthenticatedException(org.sagebionetworks.bridge.exceptions.NotAuthenticatedException) Test(org.testng.annotations.Test)

Example 3 with NotAuthenticatedException

use of org.sagebionetworks.bridge.exceptions.NotAuthenticatedException in project BridgeServer2 by Sage-Bionetworks.

the class EtagComponent method checkEtag.

@Around("@annotation(EtagSupport)")
public Object checkEtag(ProceedingJoinPoint joinPoint) throws Throwable {
    EtagContext context = context(joinPoint);
    HttpServletResponse response = response();
    HttpServletRequest request = request();
    String requestEtag = request.getHeader(IF_NONE_MATCH);
    String sessionToken = request.getHeader(SESSION_TOKEN_HEADER);
    // Because this tag executes before security checks, it requires that the caller be
    // authenticated. We can add a flag if we want to use this code on public endpoints
    // to skip a check of the session.
    UserSession session = cacheProvider.getUserSession(sessionToken);
    if (session == null) {
        throw new NotAuthenticatedException();
    }
    // Etag can be null (until all dependent objects have cached their timestamps,
    // or when a dependent object is deleted).
    String etag = calculateEtag(context, session);
    if (requestEtag != null) {
        if (requestEtag.equals(etag)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("Returning 304 for etag: " + etag);
            }
            response.addHeader(HttpHeaders.ETAG, etag);
            response.setStatus(304);
            return null;
        }
    }
    Object retValue = joinPoint.proceed();
    if (etag != null) {
        response.addHeader(HttpHeaders.ETAG, etag);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Returning etag to response: " + etag);
        }
    }
    return retValue;
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) NotAuthenticatedException(org.sagebionetworks.bridge.exceptions.NotAuthenticatedException) UserSession(org.sagebionetworks.bridge.models.accounts.UserSession) HttpServletResponse(javax.servlet.http.HttpServletResponse) Around(org.aspectj.lang.annotation.Around)

Example 4 with NotAuthenticatedException

use of org.sagebionetworks.bridge.exceptions.NotAuthenticatedException in project BridgeServer2 by Sage-Bionetworks.

the class BaseController method getAuthenticatedSession.

/**
 * This method centralizes session checking. If consent is required, the user must be consented; if roles are supplied,
 * the user must have one of the roles; and if both are provided, the user must be EITHER consented OR in one of the
 * given roles. If neither is supplied (<code>getAuthenticatedSession(false)</code>), then you just need to be
 * authenticated. This method also ensures that the user's app version is up-to-date if consent is required.
 */
UserSession getAuthenticatedSession(boolean consentRequired, Roles... roles) {
    final UserSession session = getSessionIfItExists();
    if (session == null || !session.isAuthenticated()) {
        throw new NotAuthenticatedException();
    }
    getLanguages(session);
    // Sessions are locked to an IP address if (a) it is enabled in the app for unprivileged participant accounts
    // or (b) always for privileged accounts.
    App app = appService.getApp(session.getAppId());
    Set<Roles> userRoles = session.getParticipant().getRoles();
    boolean userHasRoles = !userRoles.isEmpty();
    if (app.isParticipantIpLockingEnabled() || userHasRoles) {
        String sessionIpAddress = session.getIpAddress();
        String requestIpAddress = RequestContext.get().getCallerIpAddress();
        if (!Objects.equals(sessionIpAddress, requestIpAddress)) {
            throw new NotAuthenticatedException();
        }
    }
    // Any method that can throw a 412 can also throw a 410 (min app version not met).
    if (consentRequired) {
        verifySupportedVersionOrThrowException(app);
    }
    // if there are roles, they are required
    boolean rolesRequired = (roles != null && roles.length > 0);
    boolean isInRole = (rolesRequired) ? session.isInRole(ImmutableSet.copyOf(roles)) : false;
    if ((consentRequired && session.doesConsent()) || (rolesRequired && isInRole)) {
        return session;
    }
    // Throw the UnauthorizedException first for users with roles,
    // and the ConsentRequiredException first for users without any roles.
    if (userHasRoles && rolesRequired && !isInRole) {
        throw new UnauthorizedException();
    }
    if (consentRequired && !session.doesConsent()) {
        throw new ConsentRequiredException(session);
    }
    if (rolesRequired && !isInRole) {
        throw new UnauthorizedException();
    }
    // user doesn't need to be consented or to possess any specific role.
    return session;
}
Also used : App(org.sagebionetworks.bridge.models.apps.App) NotAuthenticatedException(org.sagebionetworks.bridge.exceptions.NotAuthenticatedException) ConsentRequiredException(org.sagebionetworks.bridge.exceptions.ConsentRequiredException) UserSession(org.sagebionetworks.bridge.models.accounts.UserSession) UnauthorizedException(org.sagebionetworks.bridge.exceptions.UnauthorizedException) Roles(org.sagebionetworks.bridge.Roles)
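The branch order in the listed method decides which error a caller sees when both consent and roles are in play: an unconsented privileged user gets UnauthorizedException (403) rather than ConsentRequiredException (412), while an unconsented participant gets the 412. The following is an added example, not BridgeServer2 code, that models only that consent/role rule over constructed sessions (the IP-locking and app-version checks of the real method are left out, and the Session record and role names are stand-ins invented for illustration). It needs Java 16 or later.

```java
import java.util.Collections;
import java.util.Set;

/** Added example (not BridgeServer2 code): decision table for the consent/role rule. */
public final class SessionCheckTable {

    enum Outcome { OK, NOT_AUTHENTICATED, CONSENT_REQUIRED, UNAUTHORIZED }

    /** Stand-in for UserSession holding only the fields the rule consults. */
    record Session(boolean authenticated, boolean consented, Set<String> roles) {}

    /** Mirrors the branch order of getAuthenticatedSession for the consent/role decision. */
    static Outcome decide(Session s, boolean consentRequired, Set<String> requiredRoles) {
        if (s == null || !s.authenticated()) {
            return Outcome.NOT_AUTHENTICATED;
        }
        boolean userHasRoles = !s.roles().isEmpty();
        boolean rolesRequired = !requiredRoles.isEmpty();
        boolean isInRole = rolesRequired && !Collections.disjoint(s.roles(), requiredRoles);
        // Satisfied by consent OR by role, whichever of the two is demanded.
        if ((consentRequired && s.consented()) || (rolesRequired && isInRole)) {
            return Outcome.OK;
        }
        // Privileged users get the role error first; participants get the consent error first.
        if (userHasRoles && rolesRequired && !isInRole) {
            return Outcome.UNAUTHORIZED;
        }
        if (consentRequired && !s.consented()) {
            return Outcome.CONSENT_REQUIRED;
        }
        if (rolesRequired && !isInRole) {
            return Outcome.UNAUTHORIZED;
        }
        return Outcome.OK; // nothing beyond authentication was required
    }

    public static void main(String[] args) {
        Set<String> none = Set.of();
        Set<String> dev = Set.of("DEVELOPER");
        Set<String> admin = Set.of("ADMIN");
        // Constructed sessions for the table.
        Session anon = new Session(false, false, none);
        Session participant = new Session(true, true, none);
        Session unconsented = new Session(true, false, none);
        Session developer = new Session(true, false, dev);

        Object[][] cases = {
            {"anonymous, consent required", anon, true, none},
            {"consented participant, consent required", participant, true, none},
            {"unconsented participant, consent required", unconsented, true, none},
            {"unconsented participant, consent OR DEVELOPER", unconsented, true, dev},
            {"unconsented developer, consent OR DEVELOPER", developer, true, dev},
            {"unconsented developer, consent OR ADMIN", developer, true, admin},
            {"developer, ADMIN only", developer, false, admin},
            {"consented participant, ADMIN only", participant, false, admin},
            {"unconsented participant, authentication only", unconsented, false, none},
        };
        for (Object[] c : cases) {
            @SuppressWarnings("unchecked")
            Set<String> required = (Set<String>) c[3];
            Outcome outcome = decide((Session) c[1], (Boolean) c[2], required);
            System.out.printf("%-48s -> %s%n", c[0], outcome);
        }
    }
}
```

The two rows worth comparing are "unconsented participant, consent OR DEVELOPER" (CONSENT_REQUIRED) and "unconsented developer, consent OR ADMIN" (UNAUTHORIZED): the same endpoint, the same missing consent, but the presence of any role on the account changes which exception is thrown first.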

Aggregations

NotAuthenticatedException (org.sagebionetworks.bridge.exceptions.NotAuthenticatedException)4 UserSession (org.sagebionetworks.bridge.models.accounts.UserSession)2 App (org.sagebionetworks.bridge.models.apps.App)2 HttpServletRequest (javax.servlet.http.HttpServletRequest)1 HttpServletResponse (javax.servlet.http.HttpServletResponse)1 Around (org.aspectj.lang.annotation.Around)1 RequestContext (org.sagebionetworks.bridge.RequestContext)1 Roles (org.sagebionetworks.bridge.Roles)1 ConsentRequiredException (org.sagebionetworks.bridge.exceptions.ConsentRequiredException)1 UnauthorizedException (org.sagebionetworks.bridge.exceptions.UnauthorizedException)1 Account (org.sagebionetworks.bridge.models.accounts.Account)1 SignIn (org.sagebionetworks.bridge.models.accounts.SignIn)1 Test (org.testng.annotations.Test)1