Use of org.sagebionetworks.bridge.exceptions.NotAuthenticatedException in project BridgeServer2 by Sage-Bionetworks.
Class CRCController, method httpBasicAuthentication.
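/**
 * Authenticates a request carrying HTTP Basic credentials for one of the "machine" accounts
 * enumerated in {@code ACCOUNTS}. Authentication is session-less: the password is verified through
 * {@code accountService} on every call and a {@link RequestContext} is populated directly, because
 * there is no session to initialize it from. The account itself has no administrative roles, so it
 * can only execute the endpoints that explicitly allow it, in the app to which it is bound.
 *
 * @return the app the machine account is bound to (the same app used to verify the password)
 * @throws NotAuthenticatedException if the Authorization header is missing, is not a well-formed
 *         Basic credential, names an account that is not in {@code ACCOUNTS}, or
 *         (via {@code accountService.authenticate}) the password does not match
 */
App httpBasicAuthentication() {
    String header = request().getHeader(AUTHORIZATION);
    // Only the Basic scheme is accepted; the scheme token is case-insensitive (RFC 7617).
    // regionMatches is false for anything shorter than the scheme, so the length check is implied.
    if (header == null || !header.regionMatches(true, 0, "Basic", 0, 5)) {
        throw new NotAuthenticatedException();
    }
    // Drop the scheme and the whitespace separating it from the encoded credentials.
    String encoded = header.substring(5).trim();
    byte[] decodedBytes;
    try {
        decodedBytes = Base64.getDecoder().decode(encoded);
    } catch (IllegalArgumentException ignored) {
        // Malformed base64 is a client error: answer 401 rather than letting it surface as a 500.
        // Only the no-arg constructor of NotAuthenticatedException is known here, so the cause is not chained.
        throw new NotAuthenticatedException();
    }
    // Decode with an explicit charset so the result does not depend on the JVM's platform default.
    String decoded = new String(decodedBytes, java.nio.charset.StandardCharsets.UTF_8);
    // Split on the first colon only: the user-id cannot contain a colon, but the password may.
    String[] credentials = decoded.split(":", 2);
    if (credentials.length != 2 || credentials[0].isEmpty() || credentials[1].isEmpty()) {
        throw new NotAuthenticatedException();
    }
    String username = credentials[0];
    String password = credentials[1];
    // Unknown machine accounts are rejected before the account service is consulted.
    String appId = ACCOUNTS.get(username);
    if (appId == null) {
        throw new NotAuthenticatedException();
    }
    SignIn.Builder signInBuilder = new SignIn.Builder().withAppId(appId).withPassword(password);
    // Sage staff accounts are identified by email; every other machine account by external ID.
    if (username.contains("@sagebase.org")) {
        signInBuilder.withEmail(username);
    } else {
        signInBuilder.withExternalId(username);
    }
    App app = appService.getApp(appId);
    // Verify the password; authenticate is expected to throw on a mismatch.
    SignIn signIn = signInBuilder.build();
    Account account = accountService.authenticate(app, signIn);
    // This method of verification sidesteps RequestContext initialization
    // through a session. Set up what is needed in the controller.
    Set<String> studies = BridgeUtils.collectStudyIds(account);
    RequestContext.Builder builder = new RequestContext.Builder()
            .withCallerAppId(appId)
            .withCallerRoles(account.getRoles())
            .withCallerUserId(account.getId())
            .withOrgSponsoredStudies(studies)
            .withCallerOrgMembership(account.getOrgMembership());
    RequestContext.set(builder.build());
    return app;
}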
Use of org.sagebionetworks.bridge.exceptions.NotAuthenticatedException in project BridgeServer2 by Sage-Bionetworks.
Class StudyParticipantControllerTest, method getTimelineForSelf_notAuthenticated.
/**
 * When resolving the caller's session fails with NotAuthenticatedException, the timeline endpoint
 * must let that exception propagate unchanged rather than returning a response.
 */
@Test(expectedExceptions = NotAuthenticatedException.class)
public void getTimelineForSelf_notAuthenticated() {
    NotAuthenticatedException notAuthenticated = new NotAuthenticatedException();
    doThrow(notAuthenticated).when(controller).getAuthenticatedAndConsentedSession();

    controller.getTimelineForSelf(TEST_STUDY_ID);
}
Use of org.sagebionetworks.bridge.exceptions.NotAuthenticatedException in project BridgeServer2 by Sage-Bionetworks.
Class EtagComponent, method checkEtag.
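/**
 * Around advice for methods annotated with {@code @EtagSupport}. Requires that the session token
 * header resolve to a cached session, computes the current ETag for the request, and then either
 * short-circuits with 304 Not Modified when the client's If-None-Match header equals that ETag, or
 * invokes the advised method and attaches the ETag to the response.
 *
 * <p>The 304 path returns before {@code joinPoint.proceed()}, so whatever checks the advised method
 * performs do not run when the ETag matches; only the existence of a session is verified here.
 * If-None-Match is compared as a single opaque string, so a list of tags or a weak validator in that
 * header would not match.
 *
 * @param joinPoint the advised controller method
 * @return the advised method's return value, or {@code null} when a 304 was written
 * @throws NotAuthenticatedException if the session token does not resolve to a session
 * @throws Throwable anything thrown by the advised method
 */
@Around("@annotation(EtagSupport)")
public Object checkEtag(ProceedingJoinPoint joinPoint) throws Throwable {
    EtagContext context = context(joinPoint);
    HttpServletResponse response = response();
    HttpServletRequest request = request();
    String requestEtag = request.getHeader(IF_NONE_MATCH);
    String sessionToken = request.getHeader(SESSION_TOKEN_HEADER);
    // Because this advice executes before security checks, it requires that the caller be
    // authenticated. A flag could be added if this code is ever used on public endpoints
    // to skip the session check.
    UserSession session = cacheProvider.getUserSession(sessionToken);
    if (session == null) {
        throw new NotAuthenticatedException();
    }
    // The etag can be null (until all dependent objects have cached their timestamps,
    // or when a dependent object is deleted). A null etag never matches a request etag.
    String etag = calculateEtag(context, session);
    if (requestEtag != null && requestEtag.equals(etag)) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Returning 304 for etag: " + etag);
        }
        response.addHeader(HttpHeaders.ETAG, etag);
        response.setStatus(HttpServletResponse.SC_NOT_MODIFIED);
        return null;
    }
    Object retValue = joinPoint.proceed();
    // Only advertise an etag when one could be computed; callers cannot revalidate against null.
    if (etag != null) {
        response.addHeader(HttpHeaders.ETAG, etag);
        if (LOG.isDebugEnabled()) {
            LOG.debug("Returning etag to response: " + etag);
        }
    }
    return retValue;
}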
Use of org.sagebionetworks.bridge.exceptions.NotAuthenticatedException in project BridgeServer2 by Sage-Bionetworks.
Class BaseController, method getAuthenticatedSession.
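/**
 * Centralizes session checking. If consent is required, the user must be consented; if roles are
 * supplied, the user must have one of the roles; and if both are provided, the user must be EITHER
 * consented OR in one of the given roles. If neither is supplied
 * ({@code getAuthenticatedSession(false)}), the caller only needs to be authenticated. When consent is
 * required this method also verifies that the caller's app version is supported.
 *
 * <p>Sessions are additionally locked to the IP address they were created from, either because the
 * app enables IP locking for participants or unconditionally for accounts that hold any role.
 *
 * @param consentRequired whether the caller must have consented (unless satisfied by a role instead)
 * @param roles roles of which the caller must hold at least one (unless satisfied by consent instead);
 *        {@code null} or empty means no role requirement
 * @return the authenticated session that satisfied the requirements
 * @throws NotAuthenticatedException if there is no authenticated session, or IP locking applies and
 *         the request's IP address differs from the session's
 * @throws UnauthorizedException if roles are required and the caller is in none of them and was not
 *         admitted by consent; callers who already hold some role get this before any consent check
 * @throws ConsentRequiredException if consent is required and absent, the caller was not admitted by
 *         a role, and the caller holds no roles at all
 */
UserSession getAuthenticatedSession(boolean consentRequired, Roles... roles) {
    final UserSession session = getSessionIfItExists();
    if (session == null || !session.isAuthenticated()) {
        throw new NotAuthenticatedException();
    }
    getLanguages(session);
    // Sessions are locked to an IP address if (a) it is enabled in the app for unprivileged participant
    // accounts or (b) always for privileged accounts.
    App app = appService.getApp(session.getAppId());
    Set<Roles> userRoles = session.getParticipant().getRoles();
    boolean userHasRoles = !userRoles.isEmpty();
    if (app.isParticipantIpLockingEnabled() || userHasRoles) {
        String sessionIpAddress = session.getIpAddress();
        String requestIpAddress = RequestContext.get().getCallerIpAddress();
        // NOTE(review): Objects.equals treats two nulls as equal, so a session with no recorded IP
        // passes this lock whenever the request IP is also absent — confirm both are always populated.
        if (!Objects.equals(sessionIpAddress, requestIpAddress)) {
            throw new NotAuthenticatedException();
        }
    }
    // Any method that can throw a 412 can also throw a 410 (min app version not met).
    if (consentRequired) {
        verifySupportedVersionOrThrowException(app);
    }
    // If roles are supplied, they are required. The role set is only built when there is something
    // to check, which also keeps ImmutableSet.copyOf away from a null varargs array.
    boolean rolesRequired = roles != null && roles.length > 0;
    boolean isInRole = rolesRequired && session.isInRole(ImmutableSet.copyOf(roles));
    // Consent and role are alternatives: satisfying either requirement admits the caller.
    if ((consentRequired && session.doesConsent()) || (rolesRequired && isInRole)) {
        return session;
    }
    // From here on, any required consent is missing and any required role is absent. Callers who
    // already hold some role are told they are unauthorized first; callers without roles are asked
    // to consent first.
    if (userHasRoles && rolesRequired && !isInRole) {
        throw new UnauthorizedException();
    }
    if (consentRequired && !session.doesConsent()) {
        throw new ConsentRequiredException(session);
    }
    if (rolesRequired && !isInRole) {
        throw new UnauthorizedException();
    }
    // Neither consent nor a role was required: authentication alone suffices.
    return session;
}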