Merge pull request #5501 from brucehoff/PLFM-9353

PLFM-9353

Author: john-hill

lib/jdomodels/src/test/java/org/sagebionetworks/repo/model/dbo/auth/DBOAuthenticationDAOImplTest.java

@@ -163,7 +163,7 @@ public void testBootstrap() throws Exception {
 		// Most bootstrapped users should have signed the terms
 		List<BootstrapPrincipal> ugs = userGroupDAO.getBootstrapPrincipals();
 		for (BootstrapPrincipal agg: ugs) {
-			if (agg instanceof BootstrapUser && !AuthorizationUtils.isDefaultRealmAnonymousId(agg.getId())) {
+			if (agg instanceof BootstrapUser && !BOOTSTRAP_PRINCIPAL.ANONYMOUS_USER.getPrincipalId().equals(agg.getId())) {
 				MapSqlParameterSource param = new MapSqlParameterSource();
 				param.addValue("principalId", agg.getId());
 				basicDAO.getObjectByPrimaryKey(DBOCredential.class, param).get();

lib/models/src/main/java/org/sagebionetworks/repo/model/AuthorizationConstants.java

@@ -80,6 +80,13 @@ public enum ACL_SCHEME{
 	 */
 	public static final String USER_ID_PARAM = "userId";
 
+	/**
+	 * Request parameter indicating whether the user is anonymous. Note that
+	 * callers of the service do not actually use this parameter. Instead they
+	 * use a token parameter which is then validated to determine if the user is anonymous
+	 */
+	public static final String ANONYMOUS_PARAM = "anonymous";
+	
 	/**
 	 * The name of the client make the REST call. For a few calls, behavior will change depending on domain (at the
 	 * least, email contents change).

lib/models/src/main/java/org/sagebionetworks/repo/model/AuthorizationUtils.java

@@ -1,16 +1,11 @@
 package org.sagebionetworks.repo.model;
 
-import org.sagebionetworks.repo.model.AuthorizationConstants.BOOTSTRAP_PRINCIPAL;
 import org.sagebionetworks.repo.model.auth.AuthorizationStatus;
 
 public class AuthorizationUtils {
 
 	private static final String FILE_HANDLE_UNAUTHORIZED_TEMPLATE = "Only the creator of a FileHandle can access it directly by its ID.  FileHandleId = '%1$s', UserId = '%2$s'";
 
-	public static boolean isDefaultRealmAnonymousId(Long id) {
-		return id == null || BOOTSTRAP_PRINCIPAL.ANONYMOUS_USER.getPrincipalId().equals(id);
-	}
-
 	/**
 	 * returns true iff the user is a certified user
 	 * 

services/repository-managers/src/test/java/org/sagebionetworks/repo/manager/UserManagerImplTest.java

@@ -56,8 +56,8 @@ public void tearDown() throws Exception {
 	public void testGetAnonymous() throws Exception {
 		UserInfo ui = userManager.getUserInfo(BOOTSTRAP_PRINCIPAL.ANONYMOUS_USER.getPrincipalId());
 		assertTrue(ui.isUserAnonymous());
-		assertTrue(AuthorizationUtils.isDefaultRealmAnonymousId(ui.getId()));
-		assertTrue(AuthorizationUtils.isDefaultRealmAnonymousId(Long.parseLong(ui.getId().toString())));
+		assertEquals(BOOTSTRAP_PRINCIPAL.ANONYMOUS_USER.getPrincipalId(), ui.getId());
+		assertEquals(BOOTSTRAP_PRINCIPAL.ANONYMOUS_USER.getPrincipalId(), Long.parseLong(ui.getId().toString()));
 		assertNotNull(ui.getId());
 		assertEquals(2, ui.getGroups().size());
 		assertTrue(ui.getGroups().contains(ui.getId()));

services/repository/src/main/java/org/sagebionetworks/auth/HttpAuthUtil.java

@@ -198,5 +198,10 @@ public static void rejectWithOAuthError(HttpServletResponse resp, OAuthErrorCode
 		}
 		reject(resp, er, status);
 	}
+	
+	public static boolean isAnonymous(HttpServletRequest httpRequest) {
+		String param = httpRequest.getParameter(AuthorizationConstants.ANONYMOUS_PARAM);
+		return Boolean.parseBoolean(param);
+	}
 
 }

services/repository/src/main/java/org/sagebionetworks/auth/filter/AcceptTermsOfUseFilter.java

@@ -32,9 +32,6 @@ public class AcceptTermsOfUseFilter implements Filter {
 
 	@Autowired
 	private AuthenticationService authenticationService;
-	
-	@Autowired
-	private UserManager userManager;
 
 	@Override
 	public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain)
@@ -58,8 +55,8 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 		Long userId = Long.parseLong(userIdParam);
 
 		// If the user is not anonymous, check if they have accepted the terms of use
-		UserInfo userInfo = userManager.getUserInfo(userId);
-		if (!userInfo.isUserAnonymous()) {
+		boolean isAnonymous = HttpAuthUtil.isAnonymous(httpRequest);
+		if (!isAnonymous) {
 			if (!authenticationService.hasUserAcceptedTermsOfService(userId)) {
 				HttpAuthUtil.rejectWithErrorResponse(httpResponse, TOU_UNSIGNED_REASON, HttpStatus.FORBIDDEN);
 				return;

services/repository/src/main/java/org/sagebionetworks/auth/filter/AuthenticationFilter.java

@@ -3,6 +3,7 @@
 import java.io.IOException;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Optional;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -22,6 +23,7 @@
 import org.sagebionetworks.repo.model.AuthenticationMethod;
 import org.sagebionetworks.repo.model.AuthorizationConstants;
 import org.sagebionetworks.repo.model.AuthorizationConstants.BOOTSTRAP_PRINCIPAL;
+import org.sagebionetworks.repo.model.RealmDao;
 import org.sagebionetworks.repo.web.ForbiddenException;
 import org.sagebionetworks.repo.web.OAuthException;
 import org.sagebionetworks.util.ThreadLocalProvider;
@@ -46,6 +48,9 @@ public class AuthenticationFilter implements Filter {
 
 	@Autowired
 	private OpenIDConnectManager oidcManager;
+	
+	@Autowired
+	private RealmDao realmDao;
 
 	@Override
 	public void destroy() { }
@@ -68,6 +73,7 @@ public void doFilter(ServletRequest servletRqst, ServletResponse servletResponse
 		}
 
 		Long userId = null;
+		boolean isAnonymous = false;
 
 			if (!isTokenEmptyOrNull(accessToken)) {
 				try {
@@ -76,6 +82,8 @@ public void doFilter(ServletRequest servletRqst, ServletResponse servletResponse
 					if (authenticationMethod == null) { // accessToken came in as sessionToken
 						authenticationMethod = AuthenticationMethod.BEARERTOKEN;
 					}
+					Optional<String> anonymousUserRealm = realmDao.getRealmForAnonymousPrincipal(userId.toString());
+					isAnonymous = anonymousUserRealm.isPresent(); // true if userId is the anonymous user in some realm
 				} catch (IllegalArgumentException | ForbiddenException | OAuthClientNotVerifiedException e) {
 					String failureReason = "Invalid access token";
 					HttpAuthUtil.reject((HttpServletResponse)servletResponse, failureReason);
@@ -88,6 +96,7 @@ public void doFilter(ServletRequest servletRqst, ServletResponse servletResponse
 				}
 			} else { // anonymous
 				userId = BOOTSTRAP_PRINCIPAL.ANONYMOUS_USER.getPrincipalId();
+				isAnonymous = true;
 			}
 
 		if (authenticationMethod == null && HttpAuthUtil.usesBasicAuthentication(req)) {
@@ -104,6 +113,7 @@ public void doFilter(ServletRequest servletRqst, ServletResponse servletResponse
 		try {
 			Map<String, String[]> modParams = new HashMap<String, String[]>(req.getParameterMap());
 			modParams.put(AuthorizationConstants.USER_ID_PARAM, new String[] { userId.toString() });
+			modParams.put(AuthorizationConstants.ANONYMOUS_PARAM, new String[] { ""+isAnonymous });
 			Map<String, String[]> modHeaders = HttpAuthUtil.filterAuthorizationHeaders(req);
 			if (accessToken!=null) {
 				HttpAuthUtil.setBearerTokenHeader(modHeaders, accessToken);

services/repository/src/main/java/org/sagebionetworks/auth/filter/TwoFactorAuthRequiredFilter.java

@@ -8,11 +8,11 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.sagebionetworks.auth.HttpAuthUtil;
 import org.sagebionetworks.repo.manager.feature.FeatureManager;
 import org.sagebionetworks.repo.model.AuthorizationConstants;
 import org.sagebionetworks.repo.model.AuthorizationConstants.BOOTSTRAP_PRINCIPAL;
 import org.sagebionetworks.repo.model.GroupMembersDAO;
-import org.sagebionetworks.repo.model.RealmDao;
 import org.sagebionetworks.repo.model.auth.AuthenticationDAO;
 import org.sagebionetworks.repo.model.feature.Feature;
 import org.sagebionetworks.repo.web.TwoFactorAuthEnabledRequiredException;
@@ -28,14 +28,12 @@ public class TwoFactorAuthRequiredFilter extends OncePerRequestFilter {
 	private GroupMembersDAO groupMemberDao;
 	private AuthenticationDAO authDao;
 	private FeatureManager featureManager;
-	private RealmDao realmDao;
 
 
-	public TwoFactorAuthRequiredFilter(GroupMembersDAO groupMemberDao, AuthenticationDAO authDao, FeatureManager featureManager, RealmDao realmDao) {
+	public TwoFactorAuthRequiredFilter(GroupMembersDAO groupMemberDao, AuthenticationDAO authDao, FeatureManager featureManager) {
 		this.groupMemberDao = groupMemberDao;
 		this.authDao = authDao;
 		this.featureManager = featureManager;
-		this.realmDao = realmDao;
 	}
 
 	@Override
@@ -46,7 +44,7 @@ protected void doFilterInternal(HttpServletRequest httpRequest, HttpServletRespo
 
 		// The anonymous user is not a conventional user and cannot enable 2fa
 		// we check to see if the given user is the anonymous user in any realm
-		if (realmDao.getRealmForAnonymousPrincipal(userId.toString()).isPresent()) {
+		if (HttpAuthUtil.isAnonymous(httpRequest)) {
 			filterChain.doFilter(httpRequest, httpResponse);
 			return;
 		}

services/repository/src/main/java/org/sagebionetworks/repo/web/OAuthScopeInterceptor.java

@@ -16,7 +16,6 @@
 import org.sagebionetworks.repo.manager.oauth.ClaimsJsonUtil;
 import org.sagebionetworks.repo.manager.oauth.OIDCTokenManager;
 import org.sagebionetworks.repo.model.AuthorizationConstants;
-import org.sagebionetworks.repo.model.AuthorizationUtils;
 import org.sagebionetworks.repo.model.oauth.OAuthScope;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.core.MethodParameter;
@@ -59,15 +58,6 @@ public static boolean hasUserIdParameterOrAccessTokenHeader(HandlerMethod handle
 		return false;
 	}
 
-	public static boolean isUnAuthenticated(HttpServletRequest request) {
-		// if a request is unauthenticated then AuthenticationFilter will fill in
-		// user-id with the id of the default anonymous user
-		String userIdRequestParameter = request.getParameter(AuthorizationConstants.USER_ID_PARAM);
-
-		return userIdRequestParameter==null ||
-			AuthorizationUtils.isDefaultRealmAnonymousId(Long.parseLong(userIdRequestParameter));
-	}
-	
 	public static boolean isServiceCall(HttpServletRequest request) {
 		String serviceName = request.getHeader(AuthorizationConstants.SYNAPSE_HEADER_SERVICE_NAME);
 		return serviceName != null;
@@ -83,7 +73,7 @@ public boolean preHandle(HttpServletRequest request, HttpServletResponse respons
 		}
 
 		// unauthenticated requests can't have scope checked, as there is no access token defining scopes
-		if (isUnAuthenticated(request)) {
+		if (HttpAuthUtil.isAnonymous(request)) {
 			return true;
 		}
 

services/repository/src/main/java/org/sagebionetworks/repo/web/filter/throttle/RequestThrottleFilter.java

@@ -11,9 +11,10 @@
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
 
+import org.sagebionetworks.auth.HttpAuthUtil;
 import org.sagebionetworks.cloudwatch.Consumer;
-import org.sagebionetworks.repo.model.AuthorizationUtils;
 import org.sagebionetworks.repo.web.HttpRequestIdentifier;
 import org.sagebionetworks.repo.web.HttpRequestIdentifierUtils;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -34,7 +35,7 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 		HttpRequestIdentifier httpRequestIdentifier = HttpRequestIdentifierUtils.getRequestIdentifier(request);
 
 		//TODO: remove exception for anonymous users once java client has a way to get session id from cookies
-		if (isMigrationAdmin(httpRequestIdentifier.getUserId()) || AuthorizationUtils.isDefaultRealmAnonymousId(httpRequestIdentifier.getUserId())) { //do not throttle the admin responsible for migration.
+		if (isMigrationAdmin(httpRequestIdentifier.getUserId()) || HttpAuthUtil.isAnonymous((HttpServletRequest)request)) { //do not throttle the admin responsible for migration.
 			//proceed to next filter and exit early
 			chain.doFilter(request, response);
 			return;