Rewrite authorization mechanism: more flexibility

DrTom · DrTom · commit f08d5c18cca3 · 2022-06-20T15:44:03.000+02:00
diff --git a/spec/features/media_stores_spec.rb b/spec/features/media_stores_spec.rb
@@ -16,7 +16,6 @@
     end
 
     it_displays "authentication error"
-    it_displays "authorization error"
   end
 
   context "for an ordinary user" do
@@ -63,13 +62,13 @@
     end
 
     specify "page has links to users" do
-      expect(page).to have_link("0", href: "/media-service/stores/legacy-file-store/users/")      
-      expect(page).to have_link("0", href: "/media-service/stores/database/users/")      
+      expect(page).to have_link("0", href: "/media-service/stores/legacy-file-store/users/")
+      expect(page).to have_link("0", href: "/media-service/stores/database/users/")
     end
 
     specify "page has links to groups" do
-      expect(page).to have_link("0", href: "/media-service/stores/legacy-file-store/groups/")      
-      expect(page).to have_link("0", href: "/media-service/stores/database/groups/")      
+      expect(page).to have_link("0", href: "/media-service/stores/legacy-file-store/groups/")
+      expect(page).to have_link("0", href: "/media-service/stores/database/groups/")
     end
   end
 end
diff --git a/spec/features/settings_spec.rb b/spec/features/settings_spec.rb
@@ -21,7 +21,6 @@
       end
 
       it_displays "authentication error"
-      it_displays "authorization error"
     end
 
     context "for an ordinary user" do
diff --git a/spec/features/shared/authorization_error.rb b/spec/features/shared/authorization_error.rb
@@ -7,7 +7,7 @@
     visit path
     within(".modal") do
       expect(page).to have_css(".modal-header", text: "Request ERROR 403")
-      expect(page).to have_css(".modal-body", text: "System-admin scope required")
+      expect(page.find(".modal-body")).to have_content("system-admin")
     end
   end
 end
diff --git a/spec/features/stores/groups_spec.rb b/spec/features/stores/groups_spec.rb
@@ -15,7 +15,6 @@
     end
 
     it_displays "authentication error"
-    it_displays "authorization error"
   end
 
   context "for an ordinary user" do
diff --git a/spec/features/stores/users_spec.rb b/spec/features/stores/users_spec.rb
@@ -15,7 +15,6 @@
     end
 
     it_displays "authentication error"
-    it_displays "authorization error"
   end
 
   context "for an ordinary user" do
diff --git a/spec/features/uploads_spec.rb b/spec/features/uploads_spec.rb
@@ -14,8 +14,7 @@
     it "displays modal with authentication error" do
       visit path
       within(".modal") do
-        expect(page).to have_css(".modal-header", text: "Request ERROR 403")
-        expect(page).to have_css(".modal-body", text: "Sign-in required")
+        expect(page).to have_css(".modal-header", text: "Request ERROR 401")
       end
     end
 
diff --git a/spec/requests/authorization_spec.rb b/spec/requests/authorization_spec.rb
@@ -1,4 +1,4 @@
-describe "Authorization" do
+describe "Authorization to settings" do
   context "with token" do
     let!(:settings) { create(:media_service_setting) }
     let(:request) { faraday_client_with_token.get("settings/") }
@@ -51,7 +51,7 @@
         end
 
         it "responds with error message" do
-          expect(response.body).to include("System-admin scope required")
+          expect(response.body).to include("")
         end
       end
 
@@ -62,11 +62,8 @@
           expect(response.status).to eq(403)
         end
 
-        it "responds with error message" do
-          expect(response.body).to include("System-admin scope required")
-        end
       end
-        
+
       context "for an user with system admin role" do
         let(:user) { create(:user, :with_system_admin_role) }
 
diff --git a/spec/requests/settings_spec.rb b/spec/requests/settings_spec.rb
@@ -1,3 +1,4 @@
+require 'requests/shared/authentication_error'
 require 'requests/shared/system_admin_error'
 
 describe "Resources" do
@@ -26,7 +27,7 @@
 
       # it_raises "authorization error"
       # include_examples "system admin access only"
-      it_raises "system admin error"
+      it_raises "authentication error"
     end
 
     context "for an ordinary user" do
diff --git a/spec/requests/shared/authentication_error.rb b/spec/requests/shared/authentication_error.rb
@@ -0,0 +1,18 @@
+RSpec.configure do |c|
+  c.alias_it_should_behave_like_to :it_raises
+end
+
+shared_examples "authentication error" do
+  let(:api_token) do
+    create(:api_token, user: user, scope_write: true) if user
+  end
+  let(:user_token) { api_token&.token_hash }
+
+  it "responds with 401 Forbidden status" do
+    expect(response.status).to eq(401)
+  end
+
+  it "responds with error message" do
+    expect(response.body).to include("Unauthorized - Authentication/Sign-in required")
+  end
+end
diff --git a/spec/requests/shared/authorization_error.rb b/spec/requests/shared/authorization_error.rb
@@ -13,6 +13,6 @@
   end
 
   it "responds with error message" do
-    expect(response.body).to include("Sign-in required")
+    expect(response.body).to include("Authorization requirements not satisfied")
   end
 end
diff --git a/spec/requests/shared/system_admin_error.rb b/spec/requests/shared/system_admin_error.rb
@@ -13,6 +13,7 @@
   end
 
   it "responds with error message" do
-    expect(response.body).to include("System-admin scope required")
+    expect(response.body).to include("Authorization requirements not satisfied")
+    expect(response.body).to include("system-admin")
   end
 end
diff --git a/spec/requests/stores/groups_spec.rb b/spec/requests/stores/groups_spec.rb
@@ -1,4 +1,5 @@
 require 'requests/shared/system_admin_error'
+require "requests/shared/authentication_error.rb"
 
 describe "Resources" do
   describe "Groups: /media-service/stores/:store_id/groups/", type: :request do
@@ -12,7 +13,7 @@
     context "with public access" do
       let(:user) { nil }
 
-      it_raises "system admin error"
+      it_raises "authentication error"
     end
 
     context "for an ordinary user" do
diff --git a/spec/requests/stores/users_spec.rb b/spec/requests/stores/users_spec.rb
@@ -1,3 +1,4 @@
+require "requests/shared/authentication_error.rb"
 require 'requests/shared/system_admin_error'
 
 describe "Resources" do
@@ -12,7 +13,7 @@
     context "with public access" do
       let(:user) { nil }
 
-      it_raises "system admin error"
+      it_raises "authentication error"
     end
 
     context "for an ordinary user" do
diff --git a/spec/requests/stores_spec.rb b/spec/requests/stores_spec.rb
@@ -1,3 +1,4 @@
+require "requests/shared/authentication_error.rb"
 require "requests/shared/system_admin_error"
 
 describe "Resources" do
@@ -8,7 +9,7 @@
     context "with public access" do
       let(:user) { nil }
 
-      it_raises "system admin error"
+      it_raises "authentication error"
     end
 
     context "for an ordinary user" do
diff --git a/spec/requests/uploads/upload_complete_spec.rb b/spec/requests/uploads/upload_complete_spec.rb
@@ -1,5 +1,6 @@
-require "requests/uploads/shared/configuration"
+require "requests/shared/authentication_error.rb"
 require "requests/shared/authorization_error"
+require "requests/uploads/shared/configuration"
 
 describe "Uploads", type: :request do
   include_context "configuration"
@@ -56,7 +57,7 @@
       let(:user) { nil }
       let(:upload_id) { :not_relevant }
 
-      it_raises "authorization error"
+      it_raises "authentication error"
     end
 
     context "for an ordinary user" do
diff --git a/spec/requests/uploads/upload_parts_spec.rb b/spec/requests/uploads/upload_parts_spec.rb
@@ -154,8 +154,8 @@ def upload_get_request
       it "raises the wrapped error" do
         expect { part_1_request }.to raise_error do |error|
           expect(error).to be_an_instance_of(Faraday::ParsingError)
-          expect(error.response.status).to eq(403)
-          expect(error.response.body).to include("Sign-in required")
+          expect(error.response.status).to eq(401)
+          expect(error.response.body).to include("Authentication/Sign-in required")
         end
       end
     end
diff --git a/spec/requests/uploads/upload_start_spec.rb b/spec/requests/uploads/upload_start_spec.rb
@@ -1,5 +1,6 @@
-require "requests/uploads/shared/configuration"
+require "requests/shared/authentication_error.rb"
 require "requests/shared/authorization_error"
+require "requests/uploads/shared/configuration"
 
 describe "Uploads", type: :request do
   include_context "configuration"
@@ -38,7 +39,7 @@
       let(:user) { nil }
       let(:upload_id) { :not_relevant }
 
-      it_raises "authorization error"
+      it_raises "authentication error"
     end
 
     context "for an ordinary user" do
diff --git a/spec/requests/uploads_spec.rb b/spec/requests/uploads_spec.rb
@@ -1,5 +1,8 @@
-require "requests/uploads/shared/configuration"
+require "requests/shared/authentication_error.rb"
 require "requests/shared/authorization_error"
+require "requests/shared/system_admin_error"
+require "requests/uploads/shared/configuration"
+
 
 describe "Uploads", type: :request do
   include_context "configuration"
@@ -10,7 +13,7 @@
     context "with public access" do
       let(:user) { nil }
 
-      it_raises "authorization error"
+      it_raises "authentication error"
     end
 
     context "for an ordinary user" do
@@ -77,7 +80,7 @@
     context "with public access" do
       let(:user) { nil }
 
-      it_raises "authorization error"
+      it_raises "authentication error"
     end
 
     context "for an ordinary user" do
diff --git a/src/madek/media_service/server/authorization/main.clj b/src/madek/media_service/server/authorization/main.clj
@@ -1,14 +1,15 @@
 (ns madek.media-service.server.authorization.main
   (:refer-clojure :exclude [keyword str])
   (:require
-    [madek.media-service.utils.core :refer [keyword presence str]]
     [clojure.java.jdbc :as jdbc]
     [honey.sql :refer [format] :rename {format sql-format}]
     [honey.sql.helpers :as sql]
+    [madek.media-service.utils.core :refer [keyword presence str]]
+    [madek.media-service.utils.http.shared :refer [HTTP_UNSAFE_METHODS HTTP_SAFE_METHODS]]
     [taoensso.timbre :as logging :refer [debug info warn error spy]]
     ))
 
-(defn authorize-original-inspector-access!
+(defn check-original-inspector-access
   [{{inspector-id :id} :authenticated-entity
     {{media-file-id :original-id} :path-params} :route
     tx :tx :as request}]
@@ -18,44 +19,58 @@
                   (sql/where [:= :media_file_id media-file-id])
                   ;TODO (sql/where [:= :state "dispatched"])
                   )]
-    (when-not (-> query
-                  sql-format
-                  (->> (jdbc/query tx) first))
-      (throw (ex-info (str "No valid inspection found "
-                           (sql-format query {:inline true}))
-                      {:status 403})))))
-
-(defn authorize-original-user-access! [{:as request}]
-  (warn "TODO authorize-original-user-access!"))
-
-(defn authorize-original-access! [request]
-  (let [entity-type (get-in request [:authenticated-entity :type])]
-    (case entity-type
-      :inspector (authorize-original-inspector-access! request)
-      :user  (authorize-original-user-access! request)
-      (throw (ex-info (str  "TODO authorize original access for " entity-type) {:status 599})))))
-
-(defn authorize! [handler request]
-  (debug 'authorize! request)
-  (let [authorizers (get-in request [:route :data :authorizers] #{})]
-    (debug 'authorizers authorizers)
-    (doseq [authorizer authorizers]
-      (debug 'authorizer authorizer)
-      (case authorizer
-        :admin (when-not (get-in request [:authenticated-entity :is_admin])
-                 (throw (ex-info "Admin scope required" {:status 403})))
-        :user (when-not (get-in request [:authenticated-entity :user_id])
-                (throw (ex-info "Sign-in required" {:status 403})))
-        :system-admin (when-not (get-in request [:authenticated-entity :is_system_admin])
-                        (throw (ex-info "System-admin scope required" {:status 403})))
-        :inspector (when-not (= :inspector (get-in request [:authenticated-entity :type]))
-                     (throw (ex-info "Inspector required" {:status 403})))
-        :original (authorize-original-access! request)
-        (throw (ex-info (str "Case " authorizer " not handled yet") {:status 404}))))
-    (handler request)))
+    (if (-> query sql-format (->> (jdbc/query tx) first))
+      true false)))
 
 
-(defn wrap-authorize! [handler]
-  (fn [request] (authorize! handler request)))
+(defn check-admin [request]
+  (get-in request [:authenticated-entity :is_admin]))
+
+(defn check-system-admin [request]
+  (get-in request [:authenticated-entity :is_system_admin]))
+
+(defn check-inspector [request]
+  (= :inspector (get-in request [:authenticated-entity :type])))
+
+(defn check-user [request]
+  (boolean (get-in request [:authenticated-entity :user_id])))
 
+(defn check-permitted-user-original [request]
+  (debug 'check-permitted-user-original request)
+  false)
+
+
+(defn check [{route-name :route-name :as request} auth]
+  (debug 'check auth request)
+  (case auth
+    :public true
+    :nobody false
+    :user (check-user request)
+    :inspector (check-inspector request)
+    :permitted-user (case route-name
+                      :original-content (check-permitted-user-original request))
+    :performing-inspector (case route-name
+                            :original-content (check-original-inspector-access request))
+    :admin (check-admin request)
+    :system-admin (check-system-admin request)))
+
+(defn check! [auths request]
+  (debug 'check! auths request)
+  (or (some (partial check request) auths)
+      (if (contains? request :authenticated-entity)
+        (throw (ex-info "Forbidden - Authorization requirements not satisfied"
+                        {:auths auths :status 403}))
+        (throw (ex-info "Unauthorized - Authentication/Sign-in required"
+                        {:status 401})))))
+
+(defn wrap-authorize! [handler]
+  (fn [{request-method :request-method
+        {{auths-http-safe :auths-http-safe
+          auths-http-unsafe :auths-http-unsafe} :data} :route
+        :as request}]
+    (debug request)
+    (condp contains? request-method
+      HTTP_SAFE_METHODS (check! auths-http-safe request)
+      HTTP_UNSAFE_METHODS (check! auths-http-unsafe request))
+    (handler request)))
 
diff --git a/src/madek/media_service/server/common/http_client/core.cljs b/src/madek/media_service/server/common/http_client/core.cljs
@@ -16,7 +16,7 @@
     [madek.media-service.server.state :as state :refer [state* routing-state*]]
     [madek.media-service.utils.core :refer [str keyword deep-merge presence]]
     [madek.media-service.utils.http.anti-csrf-front :as anti-csrf]
-    [madek.media-service.utils.http.shared :refer [ANTI_CRSF_TOKEN_COOKIE_NAME HTTP_SAVE_METHODS]]
+    [madek.media-service.utils.http.shared :refer [ANTI_CRSF_TOKEN_COOKIE_NAME HTTP_SAFE_METHODS]]
     [reagent.core :as reagent]
     [taoensso.timbre :as logging]
     ))
@@ -44,7 +44,7 @@
       (as-> data
         (update data :modal-on-request
                 #(if-not (nil? %) %
-                   (if (HTTP_SAVE_METHODS (:method data))
+                   (if (HTTP_SAFE_METHODS (:method data))
                      false true)))
         (update data :modal-on-response-success
                 #(if-not (nil? %) %
diff --git a/src/madek/media_service/server/common/http_client/modals.cljs b/src/madek/media_service/server/common/http_client/modals.cljs
diff --git a/src/madek/media_service/server/resources/inspections/inspection/main.clj b/src/madek/media_service/server/resources/inspections/inspection/main.clj
diff --git a/src/madek/media_service/server/routes.cljc b/src/madek/media_service/server/routes.cljc
diff --git a/src/madek/media_service/server/routing.clj b/src/madek/media_service/server/routing.clj
diff --git a/src/madek/media_service/utils/http/anti_csrf_back.clj b/src/madek/media_service/utils/http/anti_csrf_back.clj
diff --git a/src/madek/media_service/utils/http/client.clj b/src/madek/media_service/utils/http/client.clj
diff --git a/src/madek/media_service/utils/http/shared.cljc b/src/madek/media_service/utils/http/shared.cljc
diff --git a/src/madek/media_service/utils/logging/core.cljc b/src/madek/media_service/utils/logging/core.cljc
