Merge pull request #181 from companieshouse/feature/configure-authentication-interceptor

Feature/configure authentication interceptor

Author: clewis1

src/itest/java/uk/gov/companieshouse/pscdataapi/steps/PscDataSteps.java

@@ -766,6 +766,10 @@ private HttpHeaders setupHeaders(final boolean includeEric, final String keyRole
             headers.set("ERIC-Authorised-Key-Roles", keyRoles);
         }
 
+        if (keyRoles.equals("*")) {
+            headers.set("ERIC-Authorised-Key-Privileges", "sensitive-data");
+        }
+
         return headers;
     }
 

src/main/java/uk/gov/companieshouse/pscdataapi/config/WebSecurityConfig.java

@@ -17,23 +17,31 @@
 import uk.gov.companieshouse.api.filter.CustomCorsFilter;
 import uk.gov.companieshouse.api.interceptor.InternalUserInterceptor;
 import uk.gov.companieshouse.api.interceptor.UserAuthenticationInterceptor;
+import uk.gov.companieshouse.pscdataapi.interceptor.AuthenticationHelperImpl;
+import uk.gov.companieshouse.pscdataapi.interceptor.FullRecordAuthenticationInterceptor;
 
 @Configuration
 public class WebSecurityConfig implements WebMvcConfigurer {
     // feature flag marked for future removal
     @Value("${feature.identity_verification:false}")
     private Boolean identityVerificationEnabled;
 
+    public static final String PATTERN_FULL_RECORD =
+        "/company/{company_number}/persons-with-significant-control/individual/{notification_id}/full_record";
+    public static final String PATTERN_VERIFICATION_STATE =
+        "/company/{company_number}/persons-with-significant-control/individual/{notification_id}/verification-state";
+
     List<String> otherAllowedAuthMethods = Arrays.asList("oauth2");
 
     @Override
     public void addInterceptors(final InterceptorRegistry registry) {
         registry.addInterceptor(userAuthenticationInterceptor());
-        if (identityVerificationEnabled)
+        if (Boolean.TRUE.equals(identityVerificationEnabled))
         {
             registry.addInterceptor(internalUserInterceptor())
-                .addPathPatterns("/company/{company_number}/persons-with-significant-control/individual/{notification_id}/full_record")
-                .addPathPatterns("/company/{company_number}/persons-with-significant-control/individual/{notification_id}/verification-state");
+                .addPathPatterns(PATTERN_VERIFICATION_STATE);
+            registry.addInterceptor(fullRecordAuthenticationInterceptor())
+                .addPathPatterns(PATTERN_FULL_RECORD);
         }
     }
 
@@ -47,6 +55,15 @@ public InternalUserInterceptor internalUserInterceptor() {
         return new InternalUserInterceptor();
     }
 
+    @Bean
+    public FullRecordAuthenticationInterceptor fullRecordAuthenticationInterceptor() {
+        return new FullRecordAuthenticationInterceptor(authenticationHelper());
+    }
+
+    public AuthenticationHelperImpl authenticationHelper() {
+        return new AuthenticationHelperImpl();
+    }
+
     /**
      * Create UserAuthenticationInterceptor.
      */

src/main/java/uk/gov/companieshouse/pscdataapi/interceptor/AuthenticationHelper.java

@@ -0,0 +1,75 @@
+package uk.gov.companieshouse.pscdataapi.interceptor;
+
+import java.util.List;
+import java.util.Map;
+import jakarta.servlet.http.HttpServletRequest;
+
+/**
+ * Helper class for authenticating users
+ */
+public interface AuthenticationHelper {
+
+    /**
+     * Returns the authorised identity type
+     *
+     * @param request the {@link HttpServletRequest}
+     * @return the identity type
+     */
+    String getAuthorisedIdentityType(HttpServletRequest request);
+
+    /**
+     * Verifies that the identity type is key
+     *
+     * @param identityType the identify type to be checked
+     * @return true if the identity type is the key
+     */
+    boolean isApiKeyIdentityType(final String identityType);
+
+    /**
+     * Verifies that the identity type is Oauth2
+     *
+     * @param identityType the identity type to be checked
+     * @return true if the identity type is Oauth2
+     */
+    boolean isOauth2IdentityType(final String identityType);
+
+    /**
+     * Returns the authorised user information
+     *
+     * @param request the {@link HttpServletRequest}
+     * @return the authorised user
+     */
+    String getAuthorisedUser(HttpServletRequest request);
+
+    /**
+     * Returns the privileges granted to the API key
+     *
+     * @param request the {@link HttpServletRequest}
+     * @return the privileges of the API key
+     */
+    String[] getApiKeyPrivileges(HttpServletRequest request);
+
+    /**
+     * Checks whether the key has elevated privileges
+     *
+     * @param request the {@link HttpServletRequest}
+     * @return true if the key has elevated privileges
+     */
+    boolean isKeyElevatedPrivilegesAuthorised(HttpServletRequest request);
+
+    /**
+     * Returns the permissions granted to the OAuth2 Token
+     *
+     * @param request the {@link HttpServletRequest}
+     * @return the privileges of the OAuth2 Token
+     */
+    Map<String, List<String>> getTokenPermissions(HttpServletRequest request);
+
+    /**
+     * Checks whether the token has required permissions
+     *
+     * @param request the {@link HttpServletRequest}
+     * @return true if the token has required permissions
+     */
+    boolean isTokenProtected(HttpServletRequest request);
+}

src/main/java/uk/gov/companieshouse/pscdataapi/interceptor/AuthenticationHelperImpl.java

@@ -0,0 +1,98 @@
+package uk.gov.companieshouse.pscdataapi.interceptor;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import jakarta.servlet.http.HttpServletRequest;
+import org.apache.commons.lang.ArrayUtils;
+import org.springframework.stereotype.Component;
+
+/**
+ * Helper class for user authentication
+ */
+@Component
+public class AuthenticationHelperImpl implements AuthenticationHelper {
+    public static final String OAUTH2_IDENTITY_TYPE = "oauth2";
+    public static final String API_KEY_IDENTITY_TYPE = "key";
+
+    public static final String INTERNAL_APP_PRIVILEGE = "internal-app";
+    private static final String SENSITIVE_DATA_PRIVILEGE = "sensitive-data";
+    public static final String ERIC_AUTHORISED_KEY_PRIVILEGES_HEADER
+            = "ERIC-Authorised-Key-Privileges";
+    private static final String ERIC_AUTHORISED_TOKEN_PERMISSIONS_HEADER
+            = "ERIC-Authorised-Token-Permissions";
+    private static final String ERIC_IDENTITY_TYPE = "ERIC-Identity-Type";
+    private static final String ERIC_AUTHORISED_USER = "ERIC-Authorised-User";
+    private static final String COMPANY_PSCS_PERMISSION = "company_pscs";
+    private static final String READ_PROTECTED = "readprotected";
+
+    private static final String GET_METHOD = "GET";
+
+    @Override
+    public String getAuthorisedIdentityType(HttpServletRequest request) {
+        return getRequestHeader(request, ERIC_IDENTITY_TYPE);
+    }
+
+    @Override
+    public boolean isApiKeyIdentityType(final String identityType) {
+        return API_KEY_IDENTITY_TYPE.equals(identityType);
+    }
+
+    @Override
+    public boolean isOauth2IdentityType(final String identityType) {
+        return OAUTH2_IDENTITY_TYPE.equals(identityType);
+    }
+
+    @Override
+    public String getAuthorisedUser(HttpServletRequest request) {
+        return getRequestHeader(request, ERIC_AUTHORISED_USER);
+    }
+
+    @Override
+    public String[] getApiKeyPrivileges(HttpServletRequest request) {
+        // Could be null if header is not present
+        final String commaSeparatedPrivilegeString = request
+                .getHeader(ERIC_AUTHORISED_KEY_PRIVILEGES_HEADER);
+
+        return Optional.ofNullable(commaSeparatedPrivilegeString)
+                .map(v -> v.split(","))
+                .orElse(new String[]{});
+    }
+
+    @Override
+    public boolean isKeyElevatedPrivilegesAuthorised(HttpServletRequest request) {
+        String[] privileges = getApiKeyPrivileges(request);
+        return request.getMethod().equals(GET_METHOD) ? ArrayUtils.contains(privileges, SENSITIVE_DATA_PRIVILEGE) :
+                ArrayUtils.contains(privileges, INTERNAL_APP_PRIVILEGE);
+    }
+
+    @Override
+    public Map<String, List<String>> getTokenPermissions(HttpServletRequest request) {
+        String tokenPermissionsHeader = request.getHeader(ERIC_AUTHORISED_TOKEN_PERMISSIONS_HEADER);
+
+        Map<String, List<String>> permissions = new HashMap<>();
+
+        if (tokenPermissionsHeader != null) {
+            for (String pair : tokenPermissionsHeader.split(" ")) {
+                String[] parts = pair.split("=");
+                permissions.put(parts[0], Arrays.asList(parts[1].split(",")));
+            }
+        }
+
+        return permissions;
+    }
+
+    @Override
+    public boolean isTokenProtected(HttpServletRequest request) {
+        Map<String, List<String>> privileges = getTokenPermissions(request);
+
+        return privileges.containsKey(COMPANY_PSCS_PERMISSION) &&
+                privileges.get(COMPANY_PSCS_PERMISSION).contains(READ_PROTECTED);
+    }
+
+    private String getRequestHeader(HttpServletRequest request, String header) {
+        return request == null ? null : request.getHeader(header);
+    }
+}

src/main/java/uk/gov/companieshouse/pscdataapi/interceptor/FullRecordAuthenticationInterceptor.java

@@ -0,0 +1,65 @@
+package uk.gov.companieshouse.pscdataapi.interceptor;
+
+import static uk.gov.companieshouse.pscdataapi.PscDataApiApplication.APPLICATION_NAME_SPACE;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.util.Arrays;
+import java.util.Map;
+import org.apache.http.HttpStatus;
+import org.springframework.lang.NonNull;
+import org.springframework.stereotype.Component;
+import org.springframework.web.servlet.HandlerInterceptor;
+import uk.gov.companieshouse.logging.Logger;
+import uk.gov.companieshouse.logging.LoggerFactory;
+import uk.gov.companieshouse.pscdataapi.logging.DataMapHolder;
+
+@Component
+public class FullRecordAuthenticationInterceptor implements HandlerInterceptor {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(APPLICATION_NAME_SPACE);
+
+    private final AuthenticationHelper authHelper;
+
+    public FullRecordAuthenticationInterceptor(AuthenticationHelper authHelper) {
+        this.authHelper = authHelper;
+    }
+
+    @Override
+    public boolean preHandle(@NonNull HttpServletRequest request, @NonNull HttpServletResponse response,
+            @NonNull Object handler) {
+        final String identityType = authHelper.getAuthorisedIdentityType(request);
+        Map<String, Object> logMap = DataMapHolder.getLogMap();
+
+        if (authHelper.isOauth2IdentityType(identityType)) {
+
+            if (authHelper.isTokenProtected(request)) {
+                return true;
+            } else {
+                LOGGER.errorRequest(request, "User not authorised. Token has insufficient permissions.", logMap);
+                response.setStatus(HttpStatus.SC_UNAUTHORIZED);
+                return false;
+            }
+        }
+
+        if (!authHelper.isApiKeyIdentityType(identityType)) {
+            logMap.put("identityType", identityType);
+            LOGGER.errorRequest(request, "User not authorised. Identity type not correct", logMap);
+
+            response.setStatus(HttpStatus.SC_UNAUTHORIZED);
+            return false;
+        }
+
+        if (!authHelper.isKeyElevatedPrivilegesAuthorised(request)) {
+            logMap.put("privileges", Arrays.asList(authHelper.getApiKeyPrivileges(request)));
+            LOGGER.errorRequest(request,
+                    "User not authorised. API key does not have sufficient privileges.",
+                    logMap);
+
+            response.setStatus(HttpStatus.SC_FORBIDDEN);
+            return false;
+        }
+
+        return true;
+    }
+}

src/test/java/uk/gov/companieshouse/pscdataapi/config/WebSecurityConfigTest.java

@@ -3,6 +3,7 @@
 import static org.springframework.http.MediaType.APPLICATION_JSON;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static uk.gov.companieshouse.pscdataapi.interceptor.AuthenticationHelperImpl.ERIC_AUTHORISED_KEY_PRIVILEGES_HEADER;
 
 import org.junit.jupiter.api.DisplayName;
 import org.junit.jupiter.api.Test;
@@ -83,6 +84,8 @@ private HttpHeaders createHttpHeaders(final boolean hasInternalPrivilege) {
         headers.add(EricConstants.ERIC_IDENTITY_TYPE, SecurityConstants.API_KEY_IDENTITY_TYPE);
         headers.add(EricConstants.ERIC_AUTHORISED_KEY_ROLES,
             hasInternalPrivilege ? SecurityConstants.INTERNAL_USER_ROLE : "any_other_role");
+        headers.add(ERIC_AUTHORISED_KEY_PRIVILEGES_HEADER,
+            hasInternalPrivilege ? "sensitive-data" : "internal-app");
 
         return headers;
     }

src/test/java/uk/gov/companieshouse/pscdataapi/controller/CompanyPscFullRecordGetControllerTest.java

@@ -39,7 +39,7 @@ class CompanyPscFullRecordGetControllerTest {
     private static final String ERIC_IDENTITY = "Test-Identity";
     private static final String ERIC_IDENTITY_TYPE = "key";
     private static final String ERIC_PRIVILEGES = "*";
-    private static final String ERIC_AUTH_INTERNAL = "internal-app";
+    private static final String ERIC_AUTH_SENSITIVE = "sensitive-data";
 
     private static final String GET_INDIVIDUAL_FULL_RECORD_URL = String.format(
         "/company/%s/persons-with-significant-control/individual/%s/full_record", MOCK_COMPANY_NUMBER,
@@ -109,7 +109,7 @@ void getIndividualPSC() throws Exception {
             .contentType(APPLICATION_JSON)
             .header("x-request-id", X_REQUEST_ID)
             .header("ERIC-Authorised-Key-Roles", ERIC_PRIVILEGES)
-            .header("ERIC-Authorised-Key-Privileges", ERIC_AUTH_INTERNAL)).andExpect(status().isOk())
+            .header("ERIC-Authorised-Key-Privileges", ERIC_AUTH_SENSITIVE)).andExpect(status().isOk())
             .andDo(print())
             .andExpect(content().json(expectedData, true));
     }
@@ -126,7 +126,7 @@ void shouldReturn404WhenIndividualPscNotFound() throws Exception {
                 .contentType(APPLICATION_JSON)
                 .header("x-request-id", X_REQUEST_ID)
                 .header("ERIC-Authorised-Key-Roles", ERIC_PRIVILEGES)
-                .header("ERIC-Authorised-Key-Privileges", ERIC_AUTH_INTERNAL))
+                .header("ERIC-Authorised-Key-Privileges", ERIC_AUTH_SENSITIVE))
             .andDo(print())
             .andExpect(status().isNotFound());
     }