From b138d588c59857ebb2ad83345e21fca6f52e7e70 Mon Sep 17 00:00:00 2001
From: Amnon Khen
Date: Fri, 10 Nov 2023 17:11:03 +0000
Subject: [PATCH 1/2] dcp-967 managed access - require authentication for all read operations
---
 .../ingest/security/SecurityTest.java | 32 +++++++++++++++----
 .../ingest/security/SecurityConfig.java | 2 ++
 2 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/src/integration/java/org/humancellatlas/ingest/security/SecurityTest.java b/src/integration/java/org/humancellatlas/ingest/security/SecurityTest.java
index 64066a91..5a88881d 100644
--- a/src/integration/java/org/humancellatlas/ingest/security/SecurityTest.java
+++ b/src/integration/java/org/humancellatlas/ingest/security/SecurityTest.java
@@ -1,7 +1,9 @@
 package org.humancellatlas.ingest.security;
+import org.hamcrest.CoreMatchers;
 import org.humancellatlas.ingest.config.MigrationConfiguration;
 import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
@@ -10,13 +12,14 @@
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.http.MediaType;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.web.servlet.MockMvc;
 import java.util.stream.Stream;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
 @SpringBootTest
 @AutoConfigureDataMongo()
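Review bot: The `-`/`+` pair in the `@@ -10,13 +12,14 @@` hunk swaps the explicit `import static ...MockMvcResultMatchers.status;` for the wildcard `MockMvcResultMatchers.*`, while every other import visible in these hunks is named; the new tests use only `status`, `jsonPath` and `content`, so three named lines such as `import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;` (plus the `jsonPath` and `status` equivalents) keep the file's convention and make it visible exactly which result matchers the security tests rely on. The same import change appears again in PATCH 2/2, whose SecurityTest.java diff carries the identical `index 64066a91..5a88881d`.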
@@ -51,14 +54,14 @@ class Authorised {
 @MethodSource("org.humancellatlas.ingest.security.SecurityTest#metadataTypes")
 @WithMockUser
 public void apiAccessWithTrailingSlashIsPermitted(String metadataTypePlural) throws Exception {
- checkGetUrlIsAuthorized("/" + metadataTypePlural + "/");
+ checkGetUrlIsOk("/" + metadataTypePlural + "/");
 }
 @ParameterizedTest
 @MethodSource("org.humancellatlas.ingest.security.SecurityTest#metadataTypes")
 @WithMockUser
 public void apiAccessNoTrailingSlashIsPermitted(String metadataTypePlural) throws Exception {
- checkGetUrlIsAuthorized("/" + metadataTypePlural);
+ checkGetUrlIsOk("/" + metadataTypePlural);
 }
 }
@@ -73,19 +76,36 @@ public void apiAccessWithTrailingSlashIsBlocked(String metadataTypePlural) throw
 @ParameterizedTest
 @MethodSource("org.humancellatlas.ingest.security.SecurityTest#metadataTypes")
- public void apiAccessNoTrailingSlashIsBlocked(String metadataTypePlural) throws Exception { checkGetUrlIsUnauthorized("/" + metadataTypePlural); }
- }
+ }
+
+ @Nested
+ class RootResource {
+ @Test
+ public void checkUnauthenticatedJson_IsAllowed() throws Exception {
+ webApp.perform(get("/")
+ .accept(MediaType.APPLICATION_JSON))
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("_links").hasJsonPath());
+ }
+ @Test
+ public void checkUnauthenticatedHtml_IsAllowed() throws Exception {
+ webApp.perform(get("/browser/index.html")
+ .accept(MediaType.TEXT_HTML))
+ .andExpect(status().isOk())
+ .andExpect(content().string(CoreMatchers.containsString("The HAL Browser (for Spring Data REST)")));
+ }
+ }
 private void checkGetUrlIsUnauthorized(String url) throws Exception { webApp.perform( get(url) ).andExpect(status().isUnauthorized()); }
- private void checkGetUrlIsAuthorized(String url) throws Exception {
+ private void checkGetUrlIsOk(String url) throws Exception {
 webApp.perform( get(url) ).andExpect(status().isOk());
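Review bot: As rendered, the first `-` line of the `@@ -73,19 +76,36 @@` hunk removes the `apiAccessNoTrailingSlashIsBlocked` signature with no `+` counterpart, so unless that is an artifact of the collapsed patch the nested class holding the blocked-access tests loses its no-trailing-slash negative case — the check that an anonymous `GET /<type>` is rejected — in the very commit whose subject promises authentication on all reads; please confirm the method is still present on the new side. The new `RootResource` tests pin only that `/` and `/browser/index.html` answer 200 anonymously, and it is the surviving 401 tests that tie the two `permitAll` exceptions to the intended surface, so both halves need to stay. A short Javadoc on the nested class, `/** Paths that must stay reachable without a token: the API index and the HAL browser assets. */`, would record why these two are the exceptions. The enclosing `SecurityTest` class and the blocked-access nested class begin outside this hunk, and the hunk is repeated verbatim in PATCH 2/2.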
diff --git a/src/main/java/org/humancellatlas/ingest/security/SecurityConfig.java b/src/main/java/org/humancellatlas/ingest/security/SecurityConfig.java
index 98d9c023..9448bf9c 100644
--- a/src/main/java/org/humancellatlas/ingest/security/SecurityConfig.java
+++ b/src/main/java/org/humancellatlas/ingest/security/SecurityConfig.java
@@ -95,6 +95,8 @@ protected void configure(HttpSecurity http) throws Exception {
 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
 .cors().and()
 .authorizeRequests()
+ .antMatchers(GET, "/").permitAll()
+ .antMatchers(GET, "/browser/**").permitAll()
 .antMatchers(POST, "/submissionEnvelopes").authenticated()
 .antMatchers(POST, "/projects").authenticated()
 .antMatchers(POST, "/projects/suggestion").permitAll()
From 7b39acd734b6e004dcf8b05fed6a0987db9e01b4 Mon Sep 17 00:00:00 2001
From: Amnon Khen
Date: Fri, 10 Nov 2023 17:11:03 +0000
Subject: [PATCH 2/2] dcp-967 managed access: root resource,HAL browser to be publically available
---
 .../ingest/security/SecurityTest.java | 32 +++++++++++++++----
 .../ingest/security/SecurityConfig.java | 2 ++
 2 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/src/integration/java/org/humancellatlas/ingest/security/SecurityTest.java b/src/integration/java/org/humancellatlas/ingest/security/SecurityTest.java
index 64066a91..5a88881d 100644
--- a/src/integration/java/org/humancellatlas/ingest/security/SecurityTest.java
+++ b/src/integration/java/org/humancellatlas/ingest/security/SecurityTest.java
@@ -1,7 +1,9 @@
 package org.humancellatlas.ingest.security;
+import org.hamcrest.CoreMatchers;
 import org.humancellatlas.ingest.config.MigrationConfiguration;
 import org.junit.jupiter.api.Nested;
+import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
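Review bot: The two new `permitAll()` matchers are correctly placed as the first entries of the chain, but the rule that actually makes every other read require authentication — the point of the commit subject — is not in this hunk: with `.authorizeRequests()` a request matching none of the registered matchers is by default not intercepted at all, so the GET rules for the metadata collections, or a closing `.anyRequest().authenticated()`, must follow further down `configure` for the blocked-access tests in SecurityTest to mean anything; please confirm that rule exists after the visible lines. `GET "/"` also deliberately publishes the API index (the `_links` map naming every exposed collection), an accepted disclosure here but one worth stating in place, e.g. `// Public without a token: the API index (discovery only) and the HAL browser's static assets; all data reads are gated by the rules below.` above the two added lines, and `/browser/**` presumably covers only the browser's static files, which that comment should say. The rest of `configure` is outside the hunk, and PATCH 2/2 carries a byte-identical diff of this file (same `index 98d9c023..9448bf9c` and the same two added lines), so the second patch looks like a duplicate of the first rather than a follow-up and would not apply on top of it.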
@@ -10,13 +12,14 @@
 import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
 import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.test.mock.mockito.MockBean;
+import org.springframework.http.MediaType;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.web.servlet.MockMvc;
 import java.util.stream.Stream;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
-import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
 @SpringBootTest
 @AutoConfigureDataMongo()
@@ -51,14 +54,14 @@ class Authorised {
 @MethodSource("org.humancellatlas.ingest.security.SecurityTest#metadataTypes")
 @WithMockUser
 public void apiAccessWithTrailingSlashIsPermitted(String metadataTypePlural) throws Exception {
- checkGetUrlIsAuthorized("/" + metadataTypePlural + "/");
+ checkGetUrlIsOk("/" + metadataTypePlural + "/");
 }
 @ParameterizedTest
 @MethodSource("org.humancellatlas.ingest.security.SecurityTest#metadataTypes")
 @WithMockUser
 public void apiAccessNoTrailingSlashIsPermitted(String metadataTypePlural) throws Exception {
- checkGetUrlIsAuthorized("/" + metadataTypePlural);
+ checkGetUrlIsOk("/" + metadataTypePlural);
 }
 }
@@ -73,19 +76,36 @@ public void apiAccessWithTrailingSlashIsBlocked(String metadataTypePlural) throw
 @ParameterizedTest
 @MethodSource("org.humancellatlas.ingest.security.SecurityTest#metadataTypes")
- public void apiAccessNoTrailingSlashIsBlocked(String metadataTypePlural) throws Exception { checkGetUrlIsUnauthorized("/" + metadataTypePlural); }
- }
+ }
+
+ @Nested
+ class RootResource {
+ @Test
+ public void checkUnauthenticatedJson_IsAllowed() throws Exception {
+ webApp.perform(get("/")
+ .accept(MediaType.APPLICATION_JSON))
+ .andExpect(status().isOk())
+ .andExpect(jsonPath("_links").hasJsonPath());
+ }
+ @Test
+ public void checkUnauthenticatedHtml_IsAllowed() throws Exception {
+ webApp.perform(get("/browser/index.html")
+ .accept(MediaType.TEXT_HTML))
+ .andExpect(status().isOk())
+ .andExpect(content().string(CoreMatchers.containsString("The HAL Browser (for Spring Data REST)")));
+ }
+ }
 private void checkGetUrlIsUnauthorized(String url) throws Exception { webApp.perform( get(url) ).andExpect(status().isUnauthorized()); }
- private void checkGetUrlIsAuthorized(String url) throws Exception {
+ private void checkGetUrlIsOk(String url) throws Exception {
 webApp.perform( get(url) ).andExpect(status().isOk());
diff --git a/src/main/java/org/humancellatlas/ingest/security/SecurityConfig.java b/src/main/java/org/humancellatlas/ingest/security/SecurityConfig.java
index 98d9c023..9448bf9c 100644
--- a/src/main/java/org/humancellatlas/ingest/security/SecurityConfig.java
+++ b/src/main/java/org/humancellatlas/ingest/security/SecurityConfig.java
@@ -95,6 +95,8 @@ protected void configure(HttpSecurity http) throws Exception {
 .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
 .cors().and()
 .authorizeRequests()
+ .antMatchers(GET, "/").permitAll()
+ .antMatchers(GET, "/browser/**").permitAll()
 .antMatchers(POST, "/submissionEnvelopes").authenticated()
 .antMatchers(POST, "/projects").authenticated()
 .antMatchers(POST, "/projects/suggestion").permitAll()