From e8378c3ef8ed328790e6cce8732cd58cf1c8438d Mon Sep 17 00:00:00 2001
From: Olivier Lamy
Date: Wed, 13 Apr 2022 12:04:15 +1000
Subject: [PATCH] ensure user update has correct permissions
Signed-off-by: Olivier Lamy
---
 .../security/role/RedbackRoleConstants.java | 34 +++++++++----------
 .../rest/services/DefaultUserService.java | 26 ++++++++++++--
 .../services/RoleManagementServiceTest.java | 2 --
 3 files changed, 41 insertions(+), 21 deletions(-)
diff --git a/redback-integrations/redback-integrations-security/src/main/java/org/apache/archiva/redback/integration/security/role/RedbackRoleConstants.java b/redback-integrations/redback-integrations-security/src/main/java/org/apache/archiva/redback/integration/security/role/RedbackRoleConstants.java
index b7241b96..3f532305 100644
--- a/redback-integrations/redback-integrations-security/src/main/java/org/apache/archiva/redback/integration/security/role/RedbackRoleConstants.java
+++ b/redback-integrations/redback-integrations-security/src/main/java/org/apache/archiva/redback/integration/security/role/RedbackRoleConstants.java
@@ -27,46 +27,46 @@ */ public interface RedbackRoleConstants {
- public static final String ADMINISTRATOR_ACCOUNT_NAME = "admin";
+ String ADMINISTRATOR_ACCOUNT_NAME = "admin";
 // roles
- public static final String SYSTEM_ADMINISTRATOR_ROLE = "System Administrator";
+ String SYSTEM_ADMINISTRATOR_ROLE = "System Administrator";
- public static final String USER_ADMINISTRATOR_ROLE = "User Administrator";
+ String USER_ADMINISTRATOR_ROLE = "User Administrator";
- public static final String REGISTERED_USER_ROLE = "Registered User";
+ String REGISTERED_USER_ROLE = "Registered User";
 /**
 * @since 1.4
 */
- public static final String REGISTERED_USER_ROLE_ID = "registered-user";
+ String REGISTERED_USER_ROLE_ID = "registered-user";
- public static final String GUEST_ROLE = "Guest";
+ String GUEST_ROLE = "Guest";
 // guest access operation
- public static final String GUEST_ACCESS_OPERATION = "guest-access";
+ String GUEST_ACCESS_OPERATION = "guest-access";
 // operations against configuration
- public static final String CONFIGURATION_EDIT_OPERATION = "configuration-edit";
+ String CONFIGURATION_EDIT_OPERATION = "configuration-edit";
 // operations against user
- public static final String USER_MANAGEMENT_USER_CREATE_OPERATION = "user-management-user-create";
+ String USER_MANAGEMENT_USER_CREATE_OPERATION = "user-management-user-create";
- public static final String USER_MANAGEMENT_USER_EDIT_OPERATION = "user-management-user-edit";
+ String USER_MANAGEMENT_USER_EDIT_OPERATION = "user-management-user-edit";
- public static final String USER_MANAGEMENT_USER_ROLE_OPERATION = "user-management-user-role";
+ String USER_MANAGEMENT_USER_ROLE_OPERATION = "user-management-user-role";
- public static final String USER_MANAGEMENT_USER_DELETE_OPERATION = "user-management-user-delete";
+ String USER_MANAGEMENT_USER_DELETE_OPERATION = "user-management-user-delete";
- public static final String USER_MANAGEMENT_USER_LIST_OPERATION = "user-management-user-list";
+ String 
USER_MANAGEMENT_USER_LIST_OPERATION = "user-management-user-list";
 // operations against user assignment.
- public static final String USER_MANAGEMENT_ROLE_GRANT_OPERATION = "user-management-role-grant";
+ String USER_MANAGEMENT_ROLE_GRANT_OPERATION = "user-management-role-grant";
- public static final String USER_MANAGEMENT_ROLE_DROP_OPERATION = "user-management-role-drop";
+ String USER_MANAGEMENT_ROLE_DROP_OPERATION = "user-management-role-drop";
 // operations against rbac objects.
- public static final String USER_MANAGEMENT_RBAC_ADMIN_OPERATION = "user-management-rbac-admin";
+ String USER_MANAGEMENT_RBAC_ADMIN_OPERATION = "user-management-rbac-admin";
- public static final String USER_MANAGEMENT_MANAGE_DATA = "user-management-manage-data";
+ String USER_MANAGEMENT_MANAGE_DATA = "user-management-manage-data";
 }
diff --git a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultUserService.java b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultUserService.java
index d85ad416..c11d7102 100644
--- a/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultUserService.java
+++ b/redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/DefaultUserService.java
@@ -72,6 +72,7 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.List;
 import java.util.Set;
@@ -372,6 +373,27 @@ public Boolean updateMe( User user )
 public Boolean updateUser( User user )
 throws RedbackServiceException
 {
+
+ // check username == one in the session
+ RedbackRequestInformation redbackRequestInformation = RedbackAuthenticationThreadLocal.get();
+ if ( redbackRequestInformation == null || redbackRequestInformation.getUser() == null )
+ {
+ log.warn( "RedbackRequestInformation from ThreadLocal is null" );
+ throw new RedbackServiceException( new ErrorMessage( "you must be logged to update your profile" ),
+ Response.Status.FORBIDDEN.getStatusCode() );
+ }
+ if ( user == null )
+ {
+ throw new RedbackServiceException( new ErrorMessage( "user parameter is mandatory" ),
+ Response.Status.BAD_REQUEST.getStatusCode() );
+ }
+ if ( !StringUtils.equals( redbackRequestInformation.getUser().getUsername(), user.getUsername() )
+ && !StringUtils.equals( redbackRequestInformation.getUser().getUsername(), RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME) )
+ {
+ throw new RedbackServiceException( new ErrorMessage( "you can update only your profile" ),
+ Response.Status.FORBIDDEN.getStatusCode() );
+ }
+
 try
 {
 org.apache.archiva.redback.users.User rawUser = userManager.findUser( user.getUsername(), false );
@@ -587,7 +609,7 @@ public Boolean resetPassword( ResetPasswordRequest resetPasswordRequest )
 applicationUrl = getBaseUrl();
 }
- mailer.sendPasswordResetEmail( Arrays.asList( user.getEmail() ), authkey, applicationUrl );
+ mailer.sendPasswordResetEmail( Collections.singletonList( user.getEmail() ), authkey, applicationUrl );
 log.info( "password reset request for username {}", username );
 }
 catch ( UserNotFoundException e )
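Review bot: The second `if` in `updateUser` grants cross-user edits by comparing the session username to the literal `RedbackRoleConstants.ADMINISTRATOR_ACCOUNT_NAME`, so the decision rests on an account name rather than on what the session is authorized to do: a holder of the User Administrator role is now refused when editing another user, while any session whose username happens to be `admin` is trusted regardless of its roles. Since this commit touches `USER_MANAGEMENT_USER_EDIT_OPERATION` in RedbackRoleConstants, the more robust shape is: allow the own-profile case as now, otherwise require that the session user holds that edit operation via the existing authorization layer, and drop the `ADMINISTRATOR_ACCOUNT_NAME` comparison. The first error message is copied from `updateMe` and misleads here; `"you must be logged in to update a user"` reads better, and the last one could say the edit permission is missing rather than `"you can update only your profile"`. Even for the own-profile path, which fields of `user` are copied onto `rawUser` (and thus whether a non-admin can still flip flags such as locked or validated on its own account) is decided by the rest of the method outside this hunk, so that cannot be confirmed from here. The body of updateUser continues past the end of the hunk.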
@@ -679,7 +701,7 @@ public RegistrationKey registerUser( UserRegistrationRequest userRegistrationReq
 log.debug( "register user {} with email {} and app url {}", u.getUsername(), u.getEmail(), baseUrl );
- mailer.sendAccountValidationEmail( Arrays.asList( u.getEmail() ), authkey, baseUrl );
+ mailer.sendAccountValidationEmail( Collections.singletonList( u.getEmail() ), authkey, baseUrl );
 securityPolicy.setEnabled( false );
 userManager.addUser( u );
diff --git a/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/RoleManagementServiceTest.java b/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/RoleManagementServiceTest.java
index 0d02005b..bf2ec3cd 100644
--- a/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/RoleManagementServiceTest.java
+++ b/redback-integrations/redback-rest/redback-rest-services/src/test/java/org/apache/archiva/redback/rest/services/RoleManagementServiceTest.java
@@ -94,8 +94,6 @@ public void createUserThenAssignRole()
 catch ( ForbiddenException e )
 {
 assertEquals( 403, e.getResponse().getStatus() );
-
-
 }
 // assign the role and retry