feat: add role based auth

ec01ac4e · Tomas Madeja · 5e8ccd75 · ec01ac4e · ec01ac4e · ec01ac4e
Commit ec01ac4e authored 3 years ago by Tomas Madeja
--- a/rest/src/main/java/cz/muni/fi/pa165/icehockeymanager/rest/controller/LeagueManagerController.java
+++ b/rest/src/main/java/cz/muni/fi/pa165/icehockeymanager/rest/controller/LeagueManagerController.java
@@ -11,6 +11,7 @@ import cz.muni.fi.pa165.icehockeymanager.facades.UserFacade;
 import cz.muni.fi.pa165.icehockeymanager.rest.security.JWTAuthenticationFilter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -64,4 +65,8 @@ public class LeagueManagerController {
    public final void dropGame(@PathVariable Long id) {
        leagueManagerFacade.dropGame(id);
    }
+//
+//    private boolean isAuthorized() {
+//
+//    }
 }
--- a/rest/src/main/java/cz/muni/fi/pa165/icehockeymanager/rest/security/JWTAuthenticationFilter.java
+++ b/rest/src/main/java/cz/muni/fi/pa165/icehockeymanager/rest/security/JWTAuthenticationFilter.java
@@ -31,7 +31,7 @@ public class JWTAuthenticationFilter extends UsernamePasswordAuthenticationFilte

    Logger logger = LoggerFactory.getLogger(JWTAuthenticationFilter.class);

-    private UserAuthFacade userAuthFacade;
+    private final UserAuthFacade userAuthFacade;

    public JWTAuthenticationFilter(UserAuthFacade userAuthFacade) {
        this.userAuthFacade = userAuthFacade;

--- a/rest/src/main/java/cz/muni/fi/pa165/icehockeymanager/rest/security/JWTAuthorizationFilter.java
+++ b/rest/src/main/java/cz/muni/fi/pa165/icehockeymanager/rest/security/JWTAuthorizationFilter.java
@@ -2,10 +2,12 @@ package cz.muni.fi.pa165.icehockeymanager.rest.security;

 import com.auth0.jwt.JWT;
 import com.auth0.jwt.algorithms.Algorithm;
+import cz.muni.fi.pa165.icehockeymanager.facades.UserAuthFacade;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@@ -15,6 +17,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.List;

 import static cz.muni.fi.pa165.icehockeymanager.rest.security.SecurityConstants.HEADER_STRING;
 import static cz.muni.fi.pa165.icehockeymanager.rest.security.SecurityConstants.SECRET;
@@ -24,8 +27,11 @@ public class JWTAuthorizationFilter extends BasicAuthenticationFilter {

    Logger logger = LoggerFactory.getLogger(JWTAuthorizationFilter.class);

-    public JWTAuthorizationFilter(AuthenticationManager authManager) {
+    private final UserAuthFacade userAuthFacade;
+
+    public JWTAuthorizationFilter(AuthenticationManager authManager, UserAuthFacade userAuthFacade) {
        super(authManager);
+        this.userAuthFacade = userAuthFacade;
    }

    @Override
@@ -33,17 +39,17 @@ public class JWTAuthorizationFilter extends BasicAuthenticationFilter {
                                    HttpServletResponse res,
                                    FilterChain chain) throws IOException, ServletException {
        logger.info("Auth request on " + req.getRequestURI());
-        if (req.getRequestURI().startsWith("/pa165/api/public")) {
-            logger.info("Ignoring auth on public route");
-            UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
-                    "",
-                    null,
-                    new ArrayList<>()
-            );
-            SecurityContextHolder.getContext().setAuthentication(authentication);
-            chain.doFilter(req, res);
-            return;
-        }
+//        if (req.getRequestURI().startsWith("/pa165/api/public")) {
+//            logger.info("Ignoring auth on public route");
+//            UsernamePasswordAuthenticationToken authentication = new UsernamePasswordAuthenticationToken(
+//                    "",
+//                    null,
+//                    new ArrayList<>()
+//            );
+//            SecurityContextHolder.getContext().setAuthentication(authentication);
+//            chain.doFilter(req, res);
+//            return;
+//        }

        String header = req.getHeader(HEADER_STRING);

@@ -64,14 +70,22 @@ public class JWTAuthorizationFilter extends BasicAuthenticationFilter {

        if (token != null) {
            // parse the token.
-            String user = JWT.require(Algorithm.HMAC512(SECRET.getBytes()))
+            String username = JWT.require(Algorithm.HMAC512(SECRET.getBytes()))
                    .build()
                    .verify(token.replace(TOKEN_PREFIX, ""))
                    .getSubject();

-            if (user != null) {
+            if (username != null) {
                // new arraylist means authorities
-                return new UsernamePasswordAuthenticationToken(user, null, new ArrayList<>());
+                var user = userAuthFacade.fetchUser(username).orElseThrow();
+                logger.info(username + " with role " + user.getRole().toString());
+                return new UsernamePasswordAuthenticationToken(
+                        username,
+                        null,
+                        List.of(
+                                new SimpleGrantedAuthority("ROLE_" + user.getRole().toString())
+                        )
+                );
            }

            return null;

--- a/rest/src/main/java/cz/muni/fi/pa165/icehockeymanager/rest/security/WebSecurity.java
+++ b/rest/src/main/java/cz/muni/fi/pa165/icehockeymanager/rest/security/WebSecurity.java
 package cz.muni.fi.pa165.icehockeymanager.rest.security;

 import cz.muni.fi.pa165.icehockeymanager.facades.UserAuthFacade;
+import cz.muni.fi.pa165.icehockeymanager.security.Roles;
 import org.springframework.context.annotation.Bean;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpMethod;
@@ -31,10 +32,13 @@ public class WebSecurity extends WebSecurityConfigurerAdapter {
        http.cors().and()
                .authorizeRequests()
                .antMatchers(HttpMethod.POST, SIGN_UP_URL).permitAll()
+                .antMatchers(HttpMethod.GET, "/pa165/api/public/**").permitAll()
+                .antMatchers("/pa165/api/manage/league/**").hasRole(Roles.LEAGUE_MANAGER.toString())
+                .antMatchers( "/pa165/api/manage/team/**").hasRole(Roles.TEAM_MANAGER.toString())
                .anyRequest().authenticated()
                .and()
                .addFilter(new JWTAuthenticationFilter(userAuthFacade))
-                .addFilter(new JWTAuthorizationFilter(authenticationManager()))
+                .addFilter(new JWTAuthorizationFilter(authenticationManager(), userAuthFacade))
                // this disables session creation on Spring Security
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS);
        http.csrf().disable();