Merged 2.0.0-m3 into feature/global_config_v2_endpoint

2025-11-13 17:05:43 +01:00 · 2018-07-31 16:21:40 +02:00
parent 865929b328 54b47ae74b
commit c3b7703f2b
113 changed files with 22087 additions and 60 deletions
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/AuthenticationRequestDto.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/AuthenticationRequestDto.java
@@ -0,0 +1,51 @@
+package sonia.scm.api.v2.resources;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.google.common.base.Strings;
+
+import javax.ws.rs.FormParam;
+import java.util.List;
+
+public class AuthenticationRequestDto {
+
+  @FormParam("grant_type")
+  @JsonProperty("grant_type")
+  private String grantType;
+
+  @FormParam("username")
+  private String username;
+
+  @FormParam("password")
+  private String password;
+
+  @FormParam("cookie")
+  private boolean cookie;
+
+  @FormParam("scope")
+  private List<String> scope;
+
+  public String getGrantType() {
+    return grantType;
+  }
+
+  public String getUsername() {
+    return username;
+  }
+
+  public String getPassword() {
+    return password;
+  }
+
+  public boolean isCookie() {
+    return cookie;
+  }
+
+  public List<String> getScope() {
+    return scope;
+  }
+
+  public boolean isValid() {
+    // password is currently the only valid grant_type
+    return "password".equals(grantType) && !Strings.isNullOrEmpty(username) && !Strings.isNullOrEmpty(password);
+  }
+}
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/AuthenticationResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/AuthenticationResource.java
@@ -0,0 +1,140 @@
+package sonia.scm.api.v2.resources;
+
+import com.google.inject.Inject;
+import com.webcohesion.enunciate.metadata.rs.ResponseCode;
+import com.webcohesion.enunciate.metadata.rs.StatusCodes;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.subject.Subject;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import sonia.scm.security.*;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.ws.rs.*;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.Response;
+
+@Path(AuthenticationResource.PATH)
+public class AuthenticationResource {
+
+  private static final Logger LOG = LoggerFactory.getLogger(AuthenticationResource.class);
+
+  static final String PATH = "v2/auth";
+
+  private final AccessTokenBuilderFactory tokenBuilderFactory;
+  private final AccessTokenCookieIssuer cookieIssuer;
+
+  @Inject
+  public AuthenticationResource(AccessTokenBuilderFactory tokenBuilderFactory, AccessTokenCookieIssuer cookieIssuer)
+  {
+    this.tokenBuilderFactory = tokenBuilderFactory;
+    this.cookieIssuer = cookieIssuer;
+  }
+
+
+  @POST
+  @Path("access_token")
+  @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
+  @StatusCodes({
+    @ResponseCode(code = 200, condition = "success"),
+    @ResponseCode(code = 400, condition = "bad request, required parameter is missing"),
+    @ResponseCode(code = 401, condition = "unauthorized, the specified username or password is wrong"),
+    @ResponseCode(code = 500, condition = "internal server error")
+  })
+  public Response authenticateViaForm(
+    @Context HttpServletRequest request,
+    @Context HttpServletResponse response,
+    @BeanParam AuthenticationRequestDto authentication
+  ) {
+    return authenticate(request, response, authentication);
+  }
+
+  @POST
+  @Path("access_token")
+  @Consumes(MediaType.APPLICATION_JSON)
+  @StatusCodes({
+    @ResponseCode(code = 200, condition = "success"),
+    @ResponseCode(code = 400, condition = "bad request, required parameter is missing"),
+    @ResponseCode(code = 401, condition = "unauthorized, the specified username or password is wrong"),
+    @ResponseCode(code = 500, condition = "internal server error")
+  })
+  public Response authenticateViaJSONBody(
+    @Context HttpServletRequest request,
+    @Context HttpServletResponse response,
+    AuthenticationRequestDto authentication
+    ) {
+    return authenticate(request, response, authentication);
+  }
+
+  private Response authenticate(
+    HttpServletRequest request,
+    HttpServletResponse response,
+    AuthenticationRequestDto authentication
+  ) {
+    if (!authentication.isValid()) {
+      return Response.status(Response.Status.BAD_REQUEST).build();
+    }
+
+    Response res;
+    Subject subject = SecurityUtils.getSubject();
+
+    try
+    {
+      subject.login(Tokens.createAuthenticationToken(request, authentication.getUsername(), authentication.getPassword()));
+
+      AccessTokenBuilder tokenBuilder = tokenBuilderFactory.create();
+      if ( authentication.getScope() != null ) {
+        tokenBuilder.scope(Scope.valueOf(authentication.getScope()));
+      }
+
+      AccessToken token = tokenBuilder.build();
+
+      if (authentication.isCookie()) {
+        cookieIssuer.authenticate(request, response, token);
+        res = Response.noContent().build();
+      } else {
+        res = Response.ok( token.compact() ).build();
+      }
+    }
+    catch (AuthenticationException ex)
+    {
+      if (LOG.isTraceEnabled())
+      {
+        LOG.trace("authentication failed for user ".concat(authentication.getUsername()), ex);
+      }
+      else
+      {
+        LOG.warn("authentication failed for user {}", authentication.getUsername());
+      }
+
+      // TODO DisabledAccountException, ExcessiveAttemptsException for ui?
+
+      return Response.status(Response.Status.UNAUTHORIZED).build();
+    }
+
+    return res;
+  }
+
+  @DELETE
+  @Path("access_token")
+  @StatusCodes({
+    @ResponseCode(code = 204, condition = "success"),
+    @ResponseCode(code = 500, condition = "internal server error")
+  })
+  public Response logout(@Context HttpServletRequest request, @Context HttpServletResponse response)
+  {
+    Subject subject = SecurityUtils.getSubject();
+
+    subject.logout();
+
+    // remove authentication cookie
+    cookieIssuer.invalidate(request, response);
+
+    // TODO anonymous access ??
+    return Response.noContent().build();
+  }
+
+}
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/MeResource.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/MeResource.java
@@ -0,0 +1,52 @@
+package sonia.scm.api.v2.resources;
+
+import com.webcohesion.enunciate.metadata.rs.ResponseCode;
+import com.webcohesion.enunciate.metadata.rs.StatusCodes;
+import com.webcohesion.enunciate.metadata.rs.TypeHint;
+import org.apache.shiro.SecurityUtils;
+import sonia.scm.user.User;
+import sonia.scm.user.UserException;
+import sonia.scm.user.UserManager;
+import sonia.scm.web.VndMediaType;
+
+import javax.inject.Inject;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.Request;
+import javax.ws.rs.core.Response;
+import javax.ws.rs.core.UriInfo;
+
+
+@Path(MeResource.ME_PATH_V2)
+public class MeResource {
+  static final String ME_PATH_V2 = "v2/me/";
+
+  private final UserToUserDtoMapper userToDtoMapper;
+
+  private final IdResourceManagerAdapter<User, UserDto, UserException> adapter;
+  @Inject
+  public MeResource(UserToUserDtoMapper userToDtoMapper, UserManager manager) {
+    this.userToDtoMapper = userToDtoMapper;
+    this.adapter = new IdResourceManagerAdapter<>(manager, User.class);
+  }
+
+  /**
+   * Returns the currently logged in user or a 401 if user is not logged in
+   */
+  @GET
+  @Path("")
+  @Produces(VndMediaType.USER)
+  @TypeHint(UserDto.class)
+  @StatusCodes({
+    @ResponseCode(code = 200, condition = "success"),
+    @ResponseCode(code = 401, condition = "not authenticated / invalid credentials"),
+    @ResponseCode(code = 500, condition = "internal server error")
+  })
+  public Response get(@Context Request request, @Context UriInfo uriInfo) {
+
+    String id = (String) SecurityUtils.getSubject().getPrincipals().getPrimaryPrincipal();
+    return adapter.get(id, userToDtoMapper::map);
+  }
+}
--- a/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserToUserDtoMapper.java
+++ b/scm-webapp/src/main/java/sonia/scm/api/v2/resources/UserToUserDtoMapper.java
@@ -1,5 +1,6 @@
 package sonia.scm.api.v2.resources;

+import com.google.common.annotations.VisibleForTesting;
 import de.otto.edison.hal.Links;
 import org.mapstruct.AfterMapping;
 import org.mapstruct.Mapper;
@@ -21,6 +22,11 @@ public abstract class UserToUserDtoMapper extends BaseMapper<User, UserDto> {
  @Inject
  private ResourceLinks resourceLinks;

+  @VisibleForTesting
+  void setResourceLinks(ResourceLinks resourceLinks) {
+    this.resourceLinks = resourceLinks;
+  }
+
  @AfterMapping
  void removePassword(@MappingTarget UserDto target) {
    target.setPassword(UserResource.DUMMY_PASSWORT);
--- a/scm-webapp/src/main/java/sonia/scm/filter/SecurityFilter.java
+++ b/scm-webapp/src/main/java/sonia/scm/filter/SecurityFilter.java
@@ -44,6 +44,7 @@ import org.apache.shiro.subject.Subject;
 import sonia.scm.Priority;
 import sonia.scm.SCMContext;
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.SecurityRequests;
 import sonia.scm.web.filter.HttpFilter;
 import sonia.scm.web.filter.SecurityHttpServletRequestWrapper;

@@ -69,45 +70,20 @@ public class SecurityFilter extends HttpFilter
  @VisibleForTesting
  static final String ATTRIBUTE_REMOTE_USER = "principal";

-  /** Field description */
-  public static final String URL_AUTHENTICATION = "/api/rest/auth";
+  private final ScmConfiguration configuration;

-  //~--- constructors ---------------------------------------------------------
-
-  /**
-   * Constructs ...
-   *
-   *
-   * @param configuration
-   */
  @Inject
  public SecurityFilter(ScmConfiguration configuration)
  {
    this.configuration = configuration;
  }

-  //~--- methods --------------------------------------------------------------
-
-  /**
-   * Method description
-   *
-   *
-   * @param request
-   * @param response
-   * @param chain
-   *
-   * @throws IOException
-   * @throws ServletException
-   */
  @Override
  protected void doFilter(HttpServletRequest request,
    HttpServletResponse response, FilterChain chain)
    throws IOException, ServletException
  {
-    String uri =
-      request.getRequestURI().substring(request.getContextPath().length());
-
-    if (!uri.startsWith(URL_AUTHENTICATION))
+    if (!SecurityRequests.isAuthenticationRequest(request))
    {
      Subject subject = SecurityUtils.getSubject();
      if (hasPermission(subject))
@@ -139,16 +115,6 @@ public class SecurityFilter extends HttpFilter
    }
  }

-  //~--- get methods ----------------------------------------------------------
-
-  /**
-   * Method description
-   *
-   *
-   * @param subject
-   *
-   * @return
-   */
  protected boolean hasPermission(Subject subject)
  {
    return ((configuration != null)
@@ -173,8 +139,4 @@ public class SecurityFilter extends HttpFilter
    return username;
  }

-  //~--- fields ---------------------------------------------------------------
-
-  /** scm configuration */
-  private final ScmConfiguration configuration;
 }
--- a/scm-webapp/src/main/java/sonia/scm/security/SecurityRequests.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/SecurityRequests.java
@@ -0,0 +1,24 @@
+package sonia.scm.security;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.regex.Pattern;
+
+/**
+ * Created by masuewer on 04.07.18.
+ */
+public final class SecurityRequests {
+
+  private static final Pattern URI_LOGIN_PATTERN = Pattern.compile("/api/rest(?:/v2)?/auth/access_token");
+
+  private SecurityRequests() {}
+
+  public static boolean isAuthenticationRequest(HttpServletRequest request) {
+    String uri = request.getRequestURI().substring(request.getContextPath().length());
+    return isAuthenticationRequest(uri);
+  }
+
+  public static boolean isAuthenticationRequest(String uri) {
+    return URI_LOGIN_PATTERN.matcher(uri).matches();
+  }
+
+}
--- a/scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java
+++ b/scm-webapp/src/main/java/sonia/scm/web/security/ApiAuthenticationFilter.java
@@ -36,24 +36,22 @@ package sonia.scm.web.security;
 //~--- non-JDK imports --------------------------------------------------------

 import com.google.inject.Inject;
-
 import sonia.scm.Priority;
 import sonia.scm.config.ScmConfiguration;
 import sonia.scm.filter.Filters;
 import sonia.scm.filter.WebElement;
-import sonia.scm.web.filter.AuthenticationFilter;
+import sonia.scm.security.SecurityRequests;
 import sonia.scm.web.WebTokenGenerator;
-
-//~--- JDK imports ------------------------------------------------------------
-
-import java.io.IOException;
-
-import java.util.Set;
+import sonia.scm.web.filter.AuthenticationFilter;

 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Set;
+
+//~--- JDK imports ------------------------------------------------------------

 /**
 * Filter to handle authentication for the rest api of SCM-Manager.
@@ -66,9 +64,6 @@ import javax.servlet.http.HttpServletResponse;
 public class ApiAuthenticationFilter extends AuthenticationFilter
 {

-  /** login uri */
-  public static final String URI_LOGIN = "/api/rest/auth/access_token";
-
  //~--- constructors ---------------------------------------------------------

  /**
@@ -104,7 +99,7 @@ public class ApiAuthenticationFilter extends AuthenticationFilter
    throws IOException, ServletException
  {
    // skip filter on login resource
-    if (request.getRequestURI().contains(URI_LOGIN))
+    if (SecurityRequests.isAuthenticationRequest(request))
    {
      chain.doFilter(request, response);
    }