From e8813c7592c1f4d99e3f5acd30610d28ca856d98 Mon Sep 17 00:00:00 2001
From: Sylvain Gaudan
Date: Tue, 17 Dec 2024 16:26:30 +0100
Subject: [PATCH 1/5] admin check deactivate
---
 .../src/main/java/io/arlas/iam/core/AuthService.java | 4 ++--
 .../java/io/arlas/iam/impl/HibernateAuthService.java | 10 ++++++++--
 .../java/io/arlas/iam/rest/service/IAMRestService.java | 8 ++++----
 3 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/arlas-iam-core/src/main/java/io/arlas/iam/core/AuthService.java b/arlas-iam-core/src/main/java/io/arlas/iam/core/AuthService.java
index 5ac7d04..36186cb 100644
--- a/arlas-iam-core/src/main/java/io/arlas/iam/core/AuthService.java
+++ b/arlas-iam-core/src/main/java/io/arlas/iam/core/AuthService.java
@@ -50,8 +50,8 @@ public interface AuthService {
 User updateUser(User user, String oldPassword, String newPassword, String firstName, String lastName, String locale, String timezone) throws NonMatchingPasswordException;
 void deleteUser(UUID actingId, UUID targetId) throws NotAllowedException;
- Optional activateUser(UUID userId);
- Optional deactivateUser(UUID userId) throws NotAllowedException;
+ Optional activateUser(UUID actingId, UUID userId) throws NotAllowedException;
+ Optional deactivateUser(UUID actingId, UUID userId) throws NotAllowedException;
 ApiKey createApiKey(User user, UUID ownerId, UUID oid, String name, int ttlInDays, Set roleIds) throws NotAllowedException, NotFoundException;
 void deleteApiKey(User user, UUID ownerId, UUID oid, UUID apiKeyId) throws NotFoundException, NotAllowedException;
diff --git a/arlas-iam-core/src/main/java/io/arlas/iam/impl/HibernateAuthService.java b/arlas-iam-core/src/main/java/io/arlas/iam/impl/HibernateAuthService.java
index ea48c56..dabbc75 100644
--- a/arlas-iam-core/src/main/java/io/arlas/iam/impl/HibernateAuthService.java
+++ b/arlas-iam-core/src/main/java/io/arlas/iam/impl/HibernateAuthService.java
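Review bot: The interface now takes an `actingId` on `activateUser` and `deactivateUser` but carries no Javadoc saying what that id must satisfy or when `NotAllowedException` is thrown, so a second implementation could skip the check without violating anything written down. A Javadoc on each method stating that `actingId` is the caller's id, that the caller must be an administrator, and `@throws NotAllowedException if the acting user is not an administrator` would make the authorization contract part of the API rather than a detail of HibernateAuthService.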
@@ -450,7 +450,10 @@ public void deleteUser(UUID actingId, UUID targetId) throws NotAllowedException
 }
 @Override
- public Optional activateUser(UUID userId) {
+ public Optional activateUser(UUID actingId, UUID userId) throws NotAllowedException {
+ if (!isAdmin(actingId)) {
+ throw new NotAllowedException("Admin only can deactivate a user.");
+ }
 Optional user = readUser(userId);
 user.ifPresent(u -> {
 u.setActive(true);
@@ -460,7 +463,10 @@ public Optional activateUser(UUID userId) {
 }
 @Override
- public Optional deactivateUser(UUID userId) throws NotAllowedException {
+ public Optional deactivateUser(UUID actingId, UUID userId) throws NotAllowedException {
+ if (!isAdmin(actingId)) {
+ throw new NotAllowedException("Admin only can deactivate a user.");
+ }
 if (isAdmin(userId)) {
 throw new NotAllowedException("Admin cannot be deactivated.");
 }
diff --git a/arlas-iam-rest/src/main/java/io/arlas/iam/rest/service/IAMRestService.java b/arlas-iam-rest/src/main/java/io/arlas/iam/rest/service/IAMRestService.java
index bb611c7..a97363f 100644
--- a/arlas-iam-rest/src/main/java/io/arlas/iam/rest/service/IAMRestService.java
+++ b/arlas-iam-rest/src/main/java/io/arlas/iam/rest/service/IAMRestService.java
@@ -570,8 +570,8 @@ public Response activateUser(
 @Parameter(name = "id", required = true) @PathParam(value = "id") String id
- ) {
- authService.activateUser(UUID.fromString(id));
+ ) throws NotAllowedException, NotFoundException {
+ authService.activateUser(getUser(headers).getId(), UUID.fromString(id));
 logUAM(request, headers, "users", "activate-user-account");
 return Response.accepted(uriInfo.getRequestUriBuilder().build()) .entity(new ArlasMessage("User activated."))
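Review bot: The guard added to `activateUser` throws with the message `"Admin only can deactivate a user."`, copied from `deactivateUser`, which will mislead whoever reads the error body or the logs for a rejected activation; it should read `throw new NotAllowedException("Admin only can activate a user.");`. The same `isAdmin(actingId)` guard is repeated verbatim in the `deactivateUser` hunk that follows, so a private `requireAdmin(UUID actingId)` helper would keep the two checks and their messages from drifting apart. The body of `activateUser` continues past the end of the hunk.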
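Review bot: The `Optional` returned by `authService.activateUser(...)` is discarded, so a request for an id that does not exist is still answered with 202 and `"User activated."`; the same holds for the `deactivateUser` endpoint in the next hunk. Since both endpoints now declare `NotFoundException`, the result can be checked on the spot, e.g. `authService.activateUser(getUser(headers).getId(), UUID.fromString(id)).orElseThrow(() -> new NotFoundException(/* message */));`, using whichever `NotFoundException` the file already resolves (it imports `jakarta.ws.rs.*` alongside the project's own exceptions, so that is worth confirming). The method starts before the hunk and continues past it.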
@@ -603,8 +603,8 @@ public Response deactivateUser(
 @Parameter(name = "id", required = true) @PathParam(value = "id") String id
- ) throws NotAllowedException {
- authService.deactivateUser(UUID.fromString(id));
+ ) throws NotAllowedException, NotFoundException {
+ authService.deactivateUser(getUser(headers).getId(), UUID.fromString(id));
 logUAM(request, headers, "users", "deactivate-user-account");
 return Response.accepted(uriInfo.getRequestUriBuilder().build()) .entity(new ArlasMessage("User deactivated."))
From 08b63d704bcdca991d4a0c7d0ebe8d6ab3e886d9 Mon Sep 17 00:00:00 2001
From: Sylvain Gaudan
Date: Tue, 17 Dec 2024 17:27:15 +0100
Subject: [PATCH 2/5] set admin for test (de)activate
---
 .../src/test/java/io/arlas/iam/test/AuthITUser.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arlas-iam-tests/src/test/java/io/arlas/iam/test/AuthITUser.java b/arlas-iam-tests/src/test/java/io/arlas/iam/test/AuthITUser.java
index 88b7f1a..819941a 100644
--- a/arlas-iam-tests/src/test/java/io/arlas/iam/test/AuthITUser.java
+++ b/arlas-iam-tests/src/test/java/io/arlas/iam/test/AuthITUser.java
@@ -523,12 +523,12 @@ public void test901DeleteUserFromOrganisation() {
 @Test
 public void test902DeactivateUser() {
- deactivateUser(userId1, userId2).then().statusCode(202);
+ deactivateUser("admin", userId2).then().statusCode(202);
 }
 @Test
 public void test903ActivateUser() {
- activateUser(userId1, userId2).then().statusCode(202);
+ activateUser("admin", userId2).then().statusCode(202);
 }
 @Test
From 4002d794c87d049dd1fa78eb8fc59fb6907cdd5d Mon Sep 17 00:00:00 2001
From: Sylvain Gaudan
Date: Wed, 18 Dec 2024 15:23:48 +0100
Subject: [PATCH 3/5] check user not allowed to (de)activate
---
 .../src/test/java/io/arlas/iam/test/AuthITUser.java | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/arlas-iam-tests/src/test/java/io/arlas/iam/test/AuthITUser.java b/arlas-iam-tests/src/test/java/io/arlas/iam/test/AuthITUser.java
index 819941a..fe3374b 100644
--- a/arlas-iam-tests/src/test/java/io/arlas/iam/test/AuthITUser.java
+++ b/arlas-iam-tests/src/test/java/io/arlas/iam/test/AuthITUser.java
@@ -526,6 +526,16 @@ public void test902DeactivateUser() {
 deactivateUser("admin", userId2).then().statusCode(202);
 }
+ @Test
+ public void test908DeactivateUser() {
+ deactivateUser(userId1, userId2).then().statusCode(greaterThan(299));
+ }
+
+ @Test
+ public void test908DeactivateUser() {
+ activateUser(userId1, userId2).then().statusCode(greaterThan(299));
+ }
+
 @Test
 public void test903ActivateUser() {
 activateUser("admin", userId2).then().statusCode(202);
From 86315c810bad94e6eb39db072578b8dfbd3b3f0a Mon Sep 17 00:00:00 2001
From: Sylvain Gaudan
Date: Wed, 18 Dec 2024 15:24:12 +0100
Subject: [PATCH 4/5] check user not allowed to (de)activate
---
 arlas-iam-tests/src/test/java/io/arlas/iam/test/AuthITUser.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arlas-iam-tests/src/test/java/io/arlas/iam/test/AuthITUser.java b/arlas-iam-tests/src/test/java/io/arlas/iam/test/AuthITUser.java
index fe3374b..2c6b7e4 100644
--- a/arlas-iam-tests/src/test/java/io/arlas/iam/test/AuthITUser.java
+++ b/arlas-iam-tests/src/test/java/io/arlas/iam/test/AuthITUser.java
@@ -532,7 +532,7 @@ public void test908DeactivateUser() {
 }
 @Test
- public void test908DeactivateUser() {
+ public void test909ActivateUser() {
 activateUser(userId1, userId2).then().statusCode(greaterThan(299));
 }
From a8e7c445ab3954a4db0e943da01afaa2a6a0b961 Mon Sep 17 00:00:00 2001
From: Sylvain Gaudan
Date: Thu, 19 Dec 2024 09:03:44 +0100
Subject: [PATCH 5/5] exception->401 when no cookie
---
 .../main/java/io/arlas/iam/rest/service/IAMRestService.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arlas-iam-rest/src/main/java/io/arlas/iam/rest/service/IAMRestService.java b/arlas-iam-rest/src/main/java/io/arlas/iam/rest/service/IAMRestService.java
index a97363f..ff2d13e 100644
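Review bot: The two negative tests only assert `statusCode(greaterThan(299))`, which a 500 from an unmapped exception or a 404 for an unknown id satisfies just as well as the authorization rejection, so they do not prove that `NotAllowedException` is what stopped the non-admin caller. Pinning the status the exception mapper produces for `NotAllowedException` (403 if that is how it is mapped — the mapper is not visible here) would make the tests fail for the right reason, e.g. `deactivateUser(userId1, userId2).then().statusCode(403);` and the same for the activate case. A follow-up assertion that userId2 is still active after the rejected call would additionally confirm the guard ran before any state change.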
--- a/arlas-iam-rest/src/main/java/io/arlas/iam/rest/service/IAMRestService.java
+++ b/arlas-iam-rest/src/main/java/io/arlas/iam/rest/service/IAMRestService.java
@@ -56,6 +56,8 @@ import jakarta.validation.constraints.Pattern;
 import jakarta.ws.rs.*;
 import jakarta.ws.rs.core.*;
+import jakarta.ws.rs.core.Response.StatusType;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.slf4j.MDC;
@@ -267,7 +269,7 @@ public Response refresh(
 @CookieParam("refresh_token") Cookie refreshToken
 ) throws ArlasException {
 if (refreshToken == null) {
- throw new InvalidTokenException("Missing refresh token in cookie");
+ return Response.status(401, "Missing refresh token in cookie").build();
 }
 RefreshTokenCookie rt = new RefreshTokenCookie(refreshToken.getValue());
 LoginSession loginSession = authService.refresh(rt.userId, rt.refreshToken, uriInfo.getBaseUri().getHost());
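Review bot: `import jakarta.ws.rs.core.Response.StatusType;` is not used by the change in the hunk at line 267, which calls `Response.status(int, String)` directly, so unless another part of the file references `StatusType` the import is dead and Checkstyle or IDE inspections will flag it; drop it or use it.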
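Review bot: `Response.status(401, "Missing refresh token in cookie")` puts the explanation into the HTTP reason phrase, which HTTP/2 has no field for and most clients never surface, so the caller gets a bare 401 with an empty body. Returning the message as the entity, as the other endpoints in this file do with `ArlasMessage`, keeps it visible: `return Response.status(401).entity(new ArlasMessage("Missing refresh token in cookie")).build();`. Bypassing the exception path also bypasses whatever the `InvalidTokenException` mapper did on rejection; if that included logging the failed refresh, the early return should log it too. `refresh` continues past the end of the hunk.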