fix(core): periodic update of roles

sarkapalkovicova · sarkapalkovicova · commit 7f2177883c56 · 2023-06-26T14:33:16.000+02:00
Update roles in periodic configurable intervals in the scope of minutes.
diff --git a/perun-base/src/main/java/cz/metacentrum/perun/core/api/CoreConfig.java b/perun-base/src/main/java/cz/metacentrum/perun/core/api/CoreConfig.java
@@ -100,6 +100,7 @@ public void initBeansUtils() {
 	private boolean enforceMfa;
 	private int idpLoginValidity;
 	private List<String> idpLoginValidityExceptions;
+	private int roleUpdateInterval;
 
 	public int getGroupMaxConcurentGroupsToSynchronize() {
 		return groupMaxConcurentGroupsToSynchronize;
@@ -856,4 +857,12 @@ public Set<String> getBlockedLogins() {
 
 		return blockedLogins;
 	}
+
+	public int getRoleUpdateInterval() {
+		return roleUpdateInterval;
+	}
+
+	public void setRoleUpdateInterval(int roleUpdateInterval) {
+		this.roleUpdateInterval = roleUpdateInterval;
+	}
 }
diff --git a/perun-base/src/main/java/cz/metacentrum/perun/core/api/PerunPrincipal.java b/perun-base/src/main/java/cz/metacentrum/perun/core/api/PerunPrincipal.java
@@ -20,6 +20,8 @@ public class PerunPrincipal {
 	private User user;
 	// Contains principal's roles together with objects which specifies the role, e.g. VOADMIN -> list contains VO names
 	private volatile AuthzRoles authzRoles = new AuthzRoles();
+	// Time of the last update of roles
+	private long rolesUpdatedAt = System.currentTimeMillis();
 	// Map contains additional attributes, e.g. from authentication system
 	private Map<String, String> additionalInformations = new HashMap<String, String>();
 	// Specifies if the principal has initialized authZResolver
@@ -75,6 +77,7 @@ public String toString() {
 				.append("user='").append((user != null ? user : "null")).append("', ")
 				.append("extSourceName='").append(extSourceName).append("', ")
 				.append("authzRoles='").append(authzRoles).append("', ")
+				.append("rolesUpdatedAt='").append(rolesUpdatedAt).append("' ")
 				.append("authzInitialized='").append(authzInitialized).append("']").toString();
 	}
 
@@ -142,6 +145,14 @@ public void setExtSourceLoa(int extSourceLoa) {
 		this.extSourceLoa = extSourceLoa;
 	}
 
+	public long getRolesUpdatedAt() {
+		return rolesUpdatedAt;
+	}
+
+	public void setRolesUpdatedAt(long rolesUpdatedAt) {
+		this.rolesUpdatedAt = rolesUpdatedAt;
+	}
+
 	@Override
 	public int hashCode() {
 		final int prime = 31;
diff --git a/perun-base/src/main/resources/perun-base.xml b/perun-base/src/main/resources/perun-base.xml
@@ -21,6 +21,7 @@
 		<property name="enginePrincipals" value="#{'${perun.engine.principals}'.split('\s*,\s*')}"/>
 		<property name="generatedLoginNamespaces" value="#{'${perun.loginNamespace.generated}'.split('\s*,\s*')}"/>
 		<property name="groupSynchronizationInterval" value="${perun.group.synchronization.interval}"/>
+		<property name="roleUpdateInterval" value="${perun.roleUpdateInterval}"/>
 		<property name="groupSynchronizationTimeout" value="${perun.group.synchronization.timeout}"/>
 		<property name="groupStructureSynchronizationInterval" value="${perun.group.structure.synchronization.interval}"/>
 		<property name="groupStructureSynchronizationTimeout" value="${perun.group.structure.synchronization.timeout}"/>
@@ -148,6 +149,7 @@
 				<prop key="perun.instanceName">LOCAL</prop>
 				<prop key="perun.allowedCorsDomains"></prop>
 				<prop key="perun.queryTimeout">-1</prop>
+				<prop key="perun.roleUpdateInterval">5</prop>
 				<prop key="perun.defaultLoa.idp">2</prop>
 				<prop key="perun.attributesToSearchUsersAndMembersBy">urn:perun:user:attribute-def:def:preferredMail, urn:perun:member:attribute-def:def:mail</prop>
 				<prop key="perun.attributesToAnonymize"></prop>
diff --git a/perun-core/src/main/java/cz/metacentrum/perun/core/blImpl/AuthzResolverBlImpl.java b/perun-core/src/main/java/cz/metacentrum/perun/core/blImpl/AuthzResolverBlImpl.java
@@ -96,6 +96,7 @@
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
+import java.util.concurrent.TimeUnit;
 import java.util.function.BiFunction;
 import java.util.function.Function;
 import java.util.stream.Collectors;
@@ -139,6 +140,8 @@ public static boolean authorized(PerunSession sess, String policyDefinition, Lis
 			refreshAuthz(sess);
 		}
 
+		periodicCheckAuthz(sess);
+
 		// If the user has no roles, deny access
 		if (sess.getPerunPrincipal().getRoles() == null) {
 			return false;
@@ -163,6 +166,20 @@ public static boolean authorized(PerunSession sess, String policyDefinition, Lis
 		return resolveAuthorization(sess, policyRoles, mapOfBeans);
 	}
 
+	/**
+	 * If the last check was earlier than the set interval then updates the roles.
+	 *
+	 * @param sess session
+	 */
+	private static void periodicCheckAuthz(PerunSession sess) {
+		if (System.currentTimeMillis() - sess.getPerunPrincipal().getRolesUpdatedAt() >= TimeUnit.MINUTES.toMillis(BeansUtils.getCoreConfig().getRoleUpdateInterval())) {
+			log.debug("Periodic update authz roles for session {}.", sess);
+
+			refreshAuthz(sess);
+			sess.getPerunPrincipal().setRolesUpdatedAt(System.currentTimeMillis());
+		}
+	}
+
 	/**
 	 * Checks authorization according to MFA rules.
 	 *
@@ -272,6 +289,8 @@ public static boolean authorizedToManageRole(PerunSession sess, PerunBean object
 			refreshAuthz(sess);
 		}
 
+		periodicCheckAuthz(sess);
+
 		// If the user has no roles, deny access
 		if (sess.getPerunPrincipal().getRoles() == null) {
 			return false;
@@ -303,6 +322,8 @@ public static boolean authorizedToReadRole(PerunSession sess, PerunBean object,
 			refreshAuthz(sess);
 		}
 
+		periodicCheckAuthz(sess);
+
 		// If the user has no roles, deny access
 		if (sess.getPerunPrincipal().getRoles() == null) {
 			return false;
@@ -1854,6 +1875,8 @@ private static boolean hasAccessByDefault(PerunSession sess, AttributeAction act
 			refreshAuthz(sess);
 		}
 
+		periodicCheckAuthz(sess);
+
 		if (sess.getPerunPrincipal().getRoles() == null || sess.getPerunPrincipal().getRoles().isEmpty()) {
 			return false;
 		}
diff --git a/perun-core/src/test/java/cz/metacentrum/perun/core/api/AuthzResolverIntegrationTest.java b/perun-core/src/test/java/cz/metacentrum/perun/core/api/AuthzResolverIntegrationTest.java
@@ -1082,6 +1082,7 @@ public void isAuthorizedForAttributeAssociatedReadRole() throws Exception {
 		PerunPrincipal mockedPerunPrincipal = mock(PerunPrincipal.class, RETURNS_DEEP_STUBS);
 		when(mockedPerunPrincipal.isAuthzInitialized()).thenReturn(true);
 		when(mockedPerunPrincipal.getRoles()).thenReturn(new AuthzRoles(Role.GROUPOBSERVER, group));
+		when(mockedPerunPrincipal.getRolesUpdatedAt()).thenReturn(System.currentTimeMillis());
 		when(mockedPerunPrincipal.getUser()).thenReturn(sessionUser);
 		when(mockedPerunPrincipal.getUserId()).thenReturn(sessionUser.getId());
 
@@ -1115,6 +1116,7 @@ public void isNotAuthorizedForAttributeAssociatedReadRoleWriteAction() throws Ex
 		PerunSessionImpl testSession = new PerunSessionImpl(sess.getPerun(), mockedPerunPrincipal, sess.getPerunClient());
 
 		when(mockedPerunPrincipal.getRoles()).thenReturn(new AuthzRoles(Role.GROUPADMIN, group));
+		when(mockedPerunPrincipal.getRolesUpdatedAt()).thenReturn(System.currentTimeMillis());
 		assertTrue(AuthzResolver.isAuthorizedForAttribute(testSession, AttributeAction.WRITE, attrDef, group, false));
 
 		when(mockedPerunPrincipal.getRoles()).thenReturn(new AuthzRoles(Role.GROUPOBSERVER, group));
@@ -1141,6 +1143,7 @@ public void isAuthorizedByDefault() throws Exception {
 		PerunPrincipal mockedPerunPrincipal = mock(PerunPrincipal.class, RETURNS_DEEP_STUBS);
 		when(mockedPerunPrincipal.isAuthzInitialized()).thenReturn(true);
 		when(mockedPerunPrincipal.getRoles()).thenReturn(new AuthzRoles(Role.PERUNOBSERVER));
+		when(mockedPerunPrincipal.getRolesUpdatedAt()).thenReturn(System.currentTimeMillis());
 		when(mockedPerunPrincipal.getUser()).thenReturn(sessionUser);
 		when(mockedPerunPrincipal.getUserId()).thenReturn(sessionUser.getId());
 
@@ -1196,6 +1199,7 @@ public void setRoleGroupAdminSucceedsForVoAdmin() throws Exception {
 		PerunPrincipal mockedPerunPrincipal = mock(PerunPrincipal.class, RETURNS_DEEP_STUBS);
 		when(mockedPerunPrincipal.isAuthzInitialized()).thenReturn(true);
 		when(mockedPerunPrincipal.getRoles()).thenReturn(new AuthzRoles(Role.VOADMIN, testVo));
+		when(mockedPerunPrincipal.getRolesUpdatedAt()).thenReturn(System.currentTimeMillis());
 
 		PerunSession testSession = new PerunSessionImpl(sess.getPerun(), mockedPerunPrincipal, sess.getPerunClient());
 
@@ -1215,6 +1219,7 @@ public void setRoleGroupAdminFailsWithoutSufficientRole() throws Exception {
 		PerunPrincipal mockedPerunPrincipal = mock(PerunPrincipal.class, RETURNS_DEEP_STUBS);
 		when(mockedPerunPrincipal.isAuthzInitialized()).thenReturn(true);
 		when(mockedPerunPrincipal.getRoles()).thenReturn(new AuthzRoles(Role.VOADMIN, otherVo));
+		when(mockedPerunPrincipal.getRolesUpdatedAt()).thenReturn(System.currentTimeMillis());
 
 		PerunSession testSession = new PerunSessionImpl(sess.getPerun(), mockedPerunPrincipal, sess.getPerunClient());
 
@@ -1243,6 +1248,7 @@ public void getVoAdminGroupsWithProperRights() throws Exception {
 		PerunPrincipal mockedPerunPrincipal = mock(PerunPrincipal.class, RETURNS_DEEP_STUBS);
 		when(mockedPerunPrincipal.isAuthzInitialized()).thenReturn(true);
 		when(mockedPerunPrincipal.getRoles()).thenReturn(new AuthzRoles(Role.VOADMIN, testVo));
+		when(mockedPerunPrincipal.getRolesUpdatedAt()).thenReturn(System.currentTimeMillis());
 		PerunSession testSession = new PerunSessionImpl(sess.getPerun(), mockedPerunPrincipal, sess.getPerunClient());
 
 		AuthzResolver.setRole(testSession, testGroup, testVo, Role.VOADMIN);
@@ -1262,6 +1268,7 @@ public void getVoAdminGroupsWithInsufficientRights() throws Exception {
 		PerunPrincipal mockedPerunPrincipal = mock(PerunPrincipal.class, RETURNS_DEEP_STUBS);
 		when(mockedPerunPrincipal.isAuthzInitialized()).thenReturn(true);
 		when(mockedPerunPrincipal.getRoles()).thenReturn(new AuthzRoles());
+		when(mockedPerunPrincipal.getRolesUpdatedAt()).thenReturn(System.currentTimeMillis());
 		PerunSession testSession = new PerunSessionImpl(sess.getPerun(), mockedPerunPrincipal, sess.getPerunClient());
 
 		AuthzResolver.setRole(sess, testGroup, testVo, Role.VOADMIN);
@@ -1279,6 +1286,7 @@ public void getVoDirectRichAdminsWithProperRights() throws Exception {
 		PerunPrincipal mockedPerunPrincipal = mock(PerunPrincipal.class, RETURNS_DEEP_STUBS);
 		when(mockedPerunPrincipal.isAuthzInitialized()).thenReturn(true);
 		when(mockedPerunPrincipal.getRoles()).thenReturn(new AuthzRoles(Role.VOADMIN, testVo));
+		when(mockedPerunPrincipal.getRolesUpdatedAt()).thenReturn(System.currentTimeMillis());
 		PerunSession testSession = new PerunSessionImpl(sess.getPerun(), mockedPerunPrincipal, sess.getPerunClient());
 
 		AuthzResolver.setRole(testSession, testUser, testVo, Role.VOADMIN);
@@ -1299,6 +1307,7 @@ public void getVoDirectRichAdminsWithInsufficientRights() throws Exception {
 		PerunPrincipal mockedPerunPrincipal = mock(PerunPrincipal.class, RETURNS_DEEP_STUBS);
 		when(mockedPerunPrincipal.isAuthzInitialized()).thenReturn(true);
 		when(mockedPerunPrincipal.getRoles()).thenReturn(new AuthzRoles());
+		when(mockedPerunPrincipal.getRolesUpdatedAt()).thenReturn(System.currentTimeMillis());
 		PerunSession testSession = new PerunSessionImpl(sess.getPerun(), mockedPerunPrincipal, sess.getPerunClient());
 
 		AuthzResolver.setRole(sess, testUser, testVo, Role.VOADMIN);
@@ -1321,6 +1330,7 @@ public void getVoRichAdminsWithProperRights() throws Exception {
 		PerunPrincipal mockedPerunPrincipal = mock(PerunPrincipal.class, RETURNS_DEEP_STUBS);
 		when(mockedPerunPrincipal.isAuthzInitialized()).thenReturn(true);
 		when(mockedPerunPrincipal.getRoles()).thenReturn(new AuthzRoles(Role.VOADMIN, testVo));
+		when(mockedPerunPrincipal.getRolesUpdatedAt()).thenReturn(System.currentTimeMillis());
 		PerunSession testSession = new PerunSessionImpl(sess.getPerun(), mockedPerunPrincipal, sess.getPerunClient());
 
 		AuthzResolver.setRole(testSession, testUser, testVo, Role.VOADMIN);
