Refactor permission checks, support team_users entity (#23439)

* add more specific doc

* move user permission check to entitiy level

* move role permissions check to entity level

* verify based on role id & fix test

* resolve permission against role name

* Add spacing to section header

* Support team_users entity

* Change teams permission to team

* add endpoint to check username availability

* give self user read permission

* Use new call for user name validation

* Add Icon and Tooltip to indicate restricted access to an entity

* Only link user over item for edit permission

* Adjust shared entity overview and collection owners cell

* Use entity permission for grn

* Remove obsolete import

* Use correct permission

* shared entities: Make sure to use edit permission for team

* Add missing permissions

* check permissions for admin user

* Remove duplicate file and fix license header

* Use list permission in user page navigation tabs

* fix paginated permission check & only return users based on user:read permissioN

* fix unit tests

* add to upgrading md

* Fix tests

* grn check should be against username

* Fix owners cell with global share

* Remove unused import

* Remove permissions around user and teams tabs and user menu item

* format builder

---------

Co-authored-by: Laura Bergenthal-Grotlüschen <[email protected]>
Co-authored-by: Mohamed OULD HOCINE <[email protected]>
Co-authored-by: Ousmane SAMBA <[email protected]>

Author: 4 people

UPGRADING.md

@@ -60,6 +60,7 @@ is now used as the primary color for elements like buttons and badges in the UI.
   - Event procedure
   - Event step
   - Content Pack installation
+  - Teams
 
   <br> For example, the request payload to create a stream might now look like this:
 

graylog2-server/src/main/java/org/graylog/security/authzroles/AuthzRolesResource.java

@@ -37,8 +37,8 @@
 import jakarta.ws.rs.Produces;
 import jakarta.ws.rs.QueryParam;
 import jakarta.ws.rs.core.MediaType;
+import java.util.function.Predicate;
 import org.apache.shiro.authz.annotation.RequiresAuthentication;
-import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.graylog2.audit.AuditEventTypes;
 import org.graylog2.audit.jersey.AuditEvent;
 import org.graylog2.database.PaginatedList;
@@ -106,7 +106,6 @@ public AuthzRolesResource(PaginatedAuthzRolesService authzRolesService, Paginate
     @GET
     @Timed
     @ApiOperation(value = "Get a paginated list of all roles")
-    @RequiresPermissions(RestPermissions.ROLES_READ)
     public PaginatedResponse<AuthzRoleDTO> getList(
             @ApiParam(name = "page") @QueryParam("page") @DefaultValue("1") int page,
             @ApiParam(name = "per_page") @QueryParam("per_page") @DefaultValue("50") int perPage,
@@ -125,9 +124,8 @@ public PaginatedResponse<AuthzRoleDTO> getList(
         } catch (IllegalArgumentException e) {
             throw new BadRequestException("Invalid argument in search query: " + e.getMessage());
         }
-
-        final PaginatedList<AuthzRoleDTO> result = authzRolesService.findPaginated(
-                searchQuery, page, perPage, sort, order);
+        final Predicate<String> roleNamePermissionPredicate = getRoleNamePermissionPredicate();
+        final PaginatedList<AuthzRoleDTO> result = authzRolesService.findPaginated(roleNamePermissionPredicate, searchQuery, page, perPage, sort, order);
         final Map<String, Set<Map<String, String>>> userRoleMap = userRoleContext(result);
 
         return PaginatedResponse.create("roles", result, query, ImmutableMap.of("users", userRoleMap));
@@ -137,7 +135,6 @@ public PaginatedResponse<AuthzRoleDTO> getList(
     @ApiOperation(value = "Get a paginated list of users for a role")
     @Path("/{roleId}/assignees")
     @Produces(MediaType.APPLICATION_JSON)
-    @RequiresPermissions(RestPermissions.USERS_LIST)
     public PaginatedResponse<UserOverviewDTO> getUsersForRole(
             @ApiParam(name = "roleId") @PathParam("roleId") @NotEmpty String roleId,
             @ApiParam(name = "page") @QueryParam("page") @DefaultValue("1") int page,
@@ -158,10 +155,12 @@ public PaginatedResponse<UserOverviewDTO> getUsersForRole(
             throw new BadRequestException("Invalid argument in search query: " + e.getMessage());
         }
 
-        final PaginatedList<UserOverviewDTO> result = paginatedUserService.findPaginatedByRole(
-                searchQuery, page, perPage, sort, order, ImmutableSet.of(roleId));
+        final Predicate<String> userNamePermissionPredicate = roleName -> isPermitted(RestPermissions.USERS_READ, roleName);
+        final Predicate<String> roleNamePermissionPredicate = getRoleNamePermissionPredicate();
+
+        final PaginatedList<UserOverviewDTO> result = paginatedUserService.findPaginatedByRole(userNamePermissionPredicate, searchQuery, page, perPage, sort, order, ImmutableSet.of(roleId));
         final Set<String> roleIds = result.stream().flatMap(u -> u.roles().stream()).collect(Collectors.toSet());
-        final Map<String, String> rolesMap = authzRolesService.findPaginatedByIds(
+        final Map<String, String> rolesMap = authzRolesService.findPaginatedByIds(roleNamePermissionPredicate,
                         new SearchQuery(""), 0, 0, AuthzRoleDTO.FIELD_NAME, SortOrder.ASCENDING, roleIds)
                 .stream().collect(Collectors.toMap(AuthzRoleDTO::id, AuthzRoleDTO::name));
         final List<UserOverviewDTO> users = result.stream().map(u -> {
@@ -174,6 +173,10 @@ public PaginatedResponse<UserOverviewDTO> getUsersForRole(
         return PaginatedResponse.create("users", enrichedResult, query);
     }
 
+    private Predicate<String> getRoleNamePermissionPredicate() {
+        return roleName -> isPermitted(RestPermissions.ROLES_READ, roleName);
+    }
+
     @GET
     @ApiOperation(value = "Get a single role")
     @Path("{roleId}")
@@ -187,7 +190,6 @@ public AuthzRoleDTO get(@ApiParam(name = "roleId") @PathParam("roleId") @NotBlan
     @GET
     @ApiOperation(value = "Get a paginated list roles for a user")
     @Path("/user/{username}")
-    @RequiresPermissions(RestPermissions.ROLES_READ)
     public PaginatedResponse<AuthzRoleDTO> getListForUser(
             @ApiParam(name = "username") @PathParam("username") @NotEmpty String username,
             @ApiParam(name = "page") @QueryParam("page") @DefaultValue("1") int page,
@@ -208,10 +210,11 @@ public PaginatedResponse<AuthzRoleDTO> getListForUser(
             throw new BadRequestException("Invalid argument in search query: " + e.getMessage());
         }
 
+        checkPermission(RestPermissions.USERS_READ, username);
         final User user = Optional.ofNullable(userService.load(username))
                 .orElseThrow(() -> new NotFoundException("Couldn't find user: " + username));
-
-        final PaginatedList<AuthzRoleDTO> result = authzRolesService.findPaginatedByIds(
+        final Predicate<String> roleNamePermissionPredicate = getRoleNamePermissionPredicate();
+        final PaginatedList<AuthzRoleDTO> result = authzRolesService.findPaginatedByIds(roleNamePermissionPredicate,
                 searchQuery, page, perPage, sort, order, user.getRoleIds());
         return PaginatedResponse.create("roles", result, query);
     }
@@ -283,7 +286,8 @@ public void delete(@ApiParam(name = "roleId") @PathParam("roleId") @NotBlank Str
 
 
     private Map<String, Set<Map<String, String>>> userRoleContext(PaginatedList<AuthzRoleDTO> roles) {
-        final PaginatedList<UserOverviewDTO> users = paginatedUserService.findPaginatedByRole(new SearchQuery(""),
+        final Predicate<String> userNamePermissionPredicate = roleName -> isPermitted(RestPermissions.USERS_READ, roleName);
+        final PaginatedList<UserOverviewDTO> users = paginatedUserService.findPaginatedByRole(userNamePermissionPredicate, new SearchQuery(""),
                 1, 0, UserOverviewDTO.FIELD_USERNAME, SortOrder.ASCENDING,
                 roles.stream().map(AuthzRoleDTO::id).collect(Collectors.toSet()));
         final Map<String, Set<Map<String, String>>> userRoleMap = new HashMap<>(roles.size());

graylog2-server/src/main/java/org/graylog/security/authzroles/PaginatedAuthzRolesService.java

@@ -78,39 +78,18 @@ public List<AuthzRoleDTO> findByIds(Collection<String> ids) {
         return collection.find(MongoUtils.stringIdsIn(ids)).into(new ArrayList<>());
     }
 
-    /**
-     * @deprecated Use {@link #findPaginated(SearchQuery, int, int, String, SortOrder)}
-     */
-    @Deprecated
-    public PaginatedList<AuthzRoleDTO> findPaginated(SearchQuery searchQuery, int page,
-                                                     int perPage, String sortField, String order) {
-        return findPaginated(searchQuery, page, perPage, sortField, SortOrder.fromString(order));
-    }
-
-    public PaginatedList<AuthzRoleDTO> findPaginated(SearchQuery searchQuery, int page,
+    public PaginatedList<AuthzRoleDTO> findPaginated(Predicate<String> roleNamePermissionPredicate, SearchQuery searchQuery, int page,
                                                      int perPage, String sortField, SortOrder order) {
         return paginationHelper
                 .filter(searchQuery.toBson())
                 .sort(order.toBsonSort(sortField))
                 .perPage(perPage)
                 .includeGrandTotal(true)
-                .page(page);
-    }
-
-    /**
-     * @deprecated use {@link #findPaginatedByIds(SearchQuery, int, int, String, SortOrder, Set)}
-     */
-    @Deprecated
-    public PaginatedList<AuthzRoleDTO> findPaginatedByIds(SearchQuery searchQuery,
-                                                          int page,
-                                                          int perPage,
-                                                          String sortField,
-                                                          String order,
-                                                          Set<String> roleIds) {
-        return findPaginatedByIds(searchQuery, page, perPage, sortField, SortOrder.fromString(order), roleIds);
+                .page(page, role -> roleNamePermissionPredicate.test(role.name()));
     }
 
-    public PaginatedList<AuthzRoleDTO> findPaginatedByIds(SearchQuery searchQuery,
+    public PaginatedList<AuthzRoleDTO> findPaginatedByIds(Predicate<String> roleNamePermissionPredicate,
+                                                          SearchQuery searchQuery,
                                                           int page,
                                                           int perPage,
                                                           String sortField,
@@ -121,7 +100,7 @@ public PaginatedList<AuthzRoleDTO> findPaginatedByIds(SearchQuery searchQuery,
                 .sort(order.toBsonSort(sortField))
                 .perPage(perPage)
                 .includeGrandTotal(true)
-                .page(page);
+                .page(page, role -> roleNamePermissionPredicate.test(role.name()));
     }
 
     /**

graylog2-server/src/main/java/org/graylog/security/shares/PluggableEntityHandler.java

@@ -28,6 +28,12 @@ public interface PluggableEntityHandler {
      */
     void onCreate(GRN entity, Set<GRN> collections);
 
+    /**
+     * Returns a predicate that tests whether a given GRN should be excluded from handling by this Entity Handler.
+     *
+     * @return a predicate that returns {@code true} if the GRN should not be handled,
+     * or {@code false} if it can be handled
+     */
     Predicate<GRN> entityFilter();
 
     Stream<GRN> expand(GRN grn);

graylog2-server/src/main/java/org/graylog2/rest/models/users/responses/UsernameAvailabilityResponse.java

@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) 2020 Graylog, Inc.
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the Server Side Public License, version 1,
+ * as published by MongoDB, Inc.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * Server Side Public License for more details.
+ *
+ * You should have received a copy of the Server Side Public License
+ * along with this program. If not, see
+ * <http://www.mongodb.com/licensing/server-side-public-license>.
+ */
+package org.graylog2.rest.models.users.responses;
+
+public record UsernameAvailabilityResponse(String username, boolean available) { }