#1059 add user-access validator service to validate the user grants

Author: challamani-ms

calm-hub/keycloak-dev/device-code-flow-v2.sh

@@ -60,13 +60,11 @@ if [[ -n $ACCESS_TOKEN ]]; then
   curl -X POST --insecure -v "https://localhost:8443/calm/namespaces/finos/user-access" \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer $ACCESS_TOKEN" \
-    -d '{ "namespace": "finos", "resource": "*", "role": "write", "username": "demo" }'
+    -d '{ "namespace": "finos", "resourceType": "namespaces", "permission": "read", "username": "demo" }'
 
   echo -e "\nPress enter to get list of user-access details"
   read
   curl --insecure -v "https://localhost:8443/calm/namespaces/finos/user-access" \
       -H "Content-Type: application/json" \
       -H "Authorization: Bearer $ACCESS_TOKEN"
 fi
-
-#Reference: https://github.com/keycloak/keycloak-community/blob/main/design/oauth2-device-authorization-grant.md

calm-hub/mongo/init-mongo.js

@@ -2668,4 +2668,28 @@ db.architectures.insertMany([
             }
         }]
     }
+]);
+
+db.userAccess.insertMany([
+    {
+        "id": NumberInt(1),
+        "username": "demo_admin",
+        "permission": "write",
+        "namespace": "finos",
+        "resourceType": "all"
+    },
+    {
+        "id": NumberInt(2),
+        "username": "demo_admin",
+        "permission": "write",
+        "namespace": "workshop",
+        "resourceType": "patterns"
+    },
+    {
+        "id": NumberInt(3),
+        "username": "demo_admin",
+        "permission": "write",
+        "namespace": "traderx",
+        "resourceType": "all"
+    }
 ]);

calm-hub/src/main/java/org/finos/calm/domain/UserAccess.java

@@ -9,14 +9,28 @@
 import java.util.Objects;
 
 /**
- * Represents a CalmHub user role on resources associated to a namespace.
+ * Represents a CalmHub user access on resources associated to a namespace.
  */
 public class UserAccess {
 
+    public enum Permission {
+        read,
+        write
+    }
+
+    public enum ResourceType {
+        patterns,
+        flows,
+        adrs,
+        architectures,
+        namespaces,
+        all
+    }
+
     private String username;
-    private String role;
+    private Permission permission;
     private String namespace;
-    private String resource;
+    private ResourceType resourceType;
     private int id;
 
     @JsonDeserialize(using = LocalDateTimeDeserializer.class)
@@ -27,19 +41,19 @@ public class UserAccess {
     @JsonSerialize(using = LocalDateTimeSerializer.class)
     private LocalDateTime updateDateTime;
 
-    public UserAccess(String username, String role, String namespace, String resource, int id) {
+    public UserAccess(String username, Permission permission, String namespace, ResourceType resourceType, int id) {
         this.username = username;
-        this.role = role;
+        this.permission = permission;
         this.namespace = namespace;
-        this.resource = resource;
+        this.resourceType = resourceType;
         this.id = id;
     }
 
-    public UserAccess(String username, String role, String namespace, String resource) {
+    public UserAccess(String username, Permission permission, String namespace, ResourceType resourceType) {
         this.username = username;
-        this.role = role;
+        this.permission = permission;
         this.namespace = namespace;
-        this.resource = resource;
+        this.resourceType = resourceType;
     }
 
     public UserAccess(){
@@ -49,18 +63,18 @@ public UserAccess(){
     public static class UserAccessBuilder {
 
         private String username;
-        private String role;
+        private Permission permission;
         private String namespace;
-        private String resource;
+        private ResourceType resourceType;
         private int id;
 
         public UserAccessBuilder setUsername(String username) {
             this.username = username;
             return this;
         }
 
-        public UserAccessBuilder setRole(String role) {
-            this.role = role;
+        public UserAccessBuilder setPermission(Permission permission) {
+            this.permission = permission;
             return this;
         }
 
@@ -69,8 +83,8 @@ public UserAccessBuilder setNamespace(String namespace) {
             return this;
         }
 
-        public UserAccessBuilder setResource(String resource) {
-            this.resource = resource;
+        public UserAccessBuilder setResourceType(ResourceType resourceType) {
+            this.resourceType = resourceType;
             return this;
         }
 
@@ -80,24 +94,24 @@ public UserAccessBuilder setId(int id) {
         }
 
         public UserAccess build(){
-            return new UserAccess(username, role, namespace, resource, id);
+            return new UserAccess(username, permission, namespace, resourceType, id);
         }
     }
 
     public String getUsername() {
         return username;
     }
 
-    public String getRole() {
-        return role;
+    public Permission getPermission() {
+        return permission;
     }
 
     public String getNamespace() {
         return namespace;
     }
 
-    public String getResource() {
-        return resource;
+    public ResourceType getResourceType() {
+        return resourceType;
     }
 
     public int getId() {
@@ -129,23 +143,23 @@ public boolean equals(Object o) {
 
         if (id != that.id) return false;
         if (!Objects.equals(username, that.username)) return false;
-        if (!Objects.equals(role, that.role)) return false;
+        if (!Objects.equals(permission, that.permission)) return false;
         if (!Objects.equals(namespace, that.namespace)) return false;
-        return Objects.equals(resource, that.resource);
+        return Objects.equals(resourceType, that.resourceType);
     }
 
     @Override
     public int hashCode() {
-        return Objects.hash(username, role, namespace, resource, id);
+        return Objects.hash(username, permission, namespace, resourceType, id);
     }
 
     @Override
     public String toString() {
         return "UserAccess{" +
                 "username='" + username + '\'' +
-                ", role='" + role + '\'' +
+                ", permission='" + permission + '\'' +
                 ", namespace='" + namespace + '\'' +
-                ", resource='" + resource + '\'' +
+                ", resourceType='" + resourceType + '\'' +
                 ", id=" + id +
                 '}';
     }
@@ -154,16 +168,16 @@ public void setUsername(String username) {
         this.username = username;
     }
 
-    public void setRole(String role) {
-        this.role = role;
+    public void setPermission(Permission permission) {
+        this.permission = permission;
     }
 
     public void setNamespace(String namespace) {
         this.namespace = namespace;
     }
 
-    public void setResource(String resource) {
-        this.resource = resource;
+    public void setResourceType(ResourceType resourceType) {
+        this.resourceType = resourceType;
     }
 
     public void setId(int id) {

calm-hub/src/main/java/org/finos/calm/security/AccessControlFilter.java

@@ -45,11 +45,14 @@ public class AccessControlFilter implements ContainerRequestFilter {
 
     private final JsonWebToken jwt;
     private final ResourceInfo resourceInfo;
+    private final UserAccessValidator userAccessValidator;
     private final Logger logger = LoggerFactory.getLogger(AccessControlFilter.class);
 
-    public AccessControlFilter(JsonWebToken jwt, ResourceInfo resourceInfo) {
+    public AccessControlFilter(JsonWebToken jwt, ResourceInfo resourceInfo,
+                               UserAccessValidator userAccessValidator) {
         this.jwt = jwt;
         this.resourceInfo = resourceInfo;
+        this.userAccessValidator = userAccessValidator;
     }
 
     @Override
@@ -68,6 +71,16 @@ public void filter(ContainerRequestContext requestContext) {
                     .entity("Forbidden: JWT does not have required scopes.")
                     .build());
         }
+
+        String requestMethod = requestContext.getMethod();
+        String username = jwt.getClaim("preferred_username");
+        String path = requestContext.getUriInfo().getPath();
+        String namespace = requestContext.getUriInfo().getPathParameters().getFirst("namespace");
+
+        UserRequestAttributes userRequestAttributes = new UserRequestAttributes(requestMethod,
+                username, path, namespace);
+        logger.info("User request attributes: {}", userRequestAttributes);
+        userAccessValidator.validate(userRequestAttributes);
     }
 
     /**

calm-hub/src/main/java/org/finos/calm/security/UserAccessValidator.java

@@ -0,0 +1,73 @@
+package org.finos.calm.security;
+
+import io.netty.util.internal.StringUtil;
+import io.quarkus.arc.profile.IfBuildProfile;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.ws.rs.ForbiddenException;
+import org.finos.calm.domain.UserAccess;
+import org.finos.calm.domain.exception.NamespaceNotFoundException;
+import org.finos.calm.domain.exception.UserAccessNotFoundException;
+import org.finos.calm.store.UserAccessStore;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.List;
+
+@ApplicationScoped
+@IfBuildProfile("secure")
+public class UserAccessValidator {
+
+    private static final Logger log = LoggerFactory.getLogger(UserAccessValidator.class);
+    private final UserAccessStore userAccessStore;
+
+    public UserAccessValidator(UserAccessStore userAccessStore) {
+        this.userAccessStore = userAccessStore;
+    }
+
+    public void validate(UserRequestAttributes userRequestAttributes) {
+
+        String action = mapHttpMethodToPermission(userRequestAttributes.requestMethod());
+        String requestPath = userRequestAttributes.path();
+        try {
+            List<UserAccess> userAccesses = userAccessStore.getUserAccessForUsername(userRequestAttributes.username());
+
+            boolean authorized = userAccesses.stream().anyMatch(userAccess -> {
+                boolean resourceMatches = (UserAccess.ResourceType.all == userAccess.getResourceType())
+                        || requestPath.contains(userAccess.getResourceType().name());
+                boolean permissionSufficient = permissionAllows(userAccess.getPermission(), action);
+                boolean namespaceMatches = !StringUtil.isNullOrEmpty(userRequestAttributes.namespace()) && userRequestAttributes.namespace().equals(userAccess.getNamespace());
+                return resourceMatches && permissionSufficient && namespaceMatches;
+            });
+
+            if (!authorized && !isDefaultAccessibleResource(userRequestAttributes)) {
+                log.warn("Access denied for user [{}] to path [{}] with action [{}]", userRequestAttributes.username(),
+                        userRequestAttributes.path(),
+                        action);
+                throw new ForbiddenException("Access denied.");
+            }
+
+        } catch (NamespaceNotFoundException | UserAccessNotFoundException e) {
+            log.error("Access check failed for user [{}]", userRequestAttributes.username(), e.getMessage());
+            throw new ForbiddenException("Access denied.");
+        }
+    }
+
+    private boolean isDefaultAccessibleResource(UserRequestAttributes userRequestAttributes) {
+        return "/calm/namespaces".equals(userRequestAttributes.path()) &&
+                "get".equalsIgnoreCase(userRequestAttributes.requestMethod().toLowerCase());
+    }
+
+    private String mapHttpMethodToPermission(String method) {
+        return switch (method) {
+            case "POST", "PUT", "PATCH", "DELETE" -> "write";
+            default -> "read";
+        };
+    }
+
+    private boolean permissionAllows(UserAccess.Permission userPermission, String requestedAction) {
+        return switch (userPermission) {
+            case write -> requestedAction.equals("write") || requestedAction.equals("read");
+            case read -> requestedAction.equals("read");
+        };
+    }
+}

calm-hub/src/main/java/org/finos/calm/security/UserRequestAttributes.java

@@ -0,0 +1,5 @@
+package org.finos.calm.security;
+
+public record UserRequestAttributes(String requestMethod, String username, String path, String namespace) {
+
+}

calm-hub/src/main/java/org/finos/calm/store/mongo/MongoUserAccessStore.java

@@ -36,29 +36,29 @@ public MongoUserAccessStore(MongoClient mongoClient, MongoNamespaceStore namespa
     public UserAccess createUserAccessForNamespace(UserAccess userAccess)
             throws NamespaceNotFoundException, JsonParseException {
 
-        log.info("User-access details: {}",userAccess);
+        log.info("User-access details: {}", userAccess);
         if (!namespaceStore.namespaceExists(userAccess.getNamespace())) {
             throw new NamespaceNotFoundException();
         }
 
         int id = counterStore.getNextUserAccessSequenceValue();
         Document userAccessDoc = new Document("username", userAccess.getUsername())
-                .append("role", userAccess.getRole())
+                .append("permission", userAccess.getPermission().name())
                 .append("namespace", userAccess.getNamespace())
-                .append("resource", userAccess.getResource())
+                .append("resourceType", userAccess.getResourceType().name())
                 .append("createdAt", userAccess.getCreationDateTime())
                 .append("lastUpdated", userAccess.getUpdateDateTime())
                 .append("id", id);
 
         userAccessCollection.insertOne(userAccessDoc);
         log.info("UserAccess has been created for namespace: {}, resource: {}, role: {}, username: {}",
-                userAccess.getNamespace(), userAccess.getResource(), userAccess.getRole(), userAccess.getUsername());
+                userAccess.getNamespace(), userAccess.getResourceType(), userAccess.getPermission(), userAccess.getUsername());
 
         UserAccess persistedUserAccess = new UserAccess.UserAccessBuilder()
                 .setId(id)
-                .setResource(userAccess.getResource())
+                .setResourceType(userAccess.getResourceType())
                 .setNamespace(userAccess.getNamespace())
-                .setRole(userAccess.getRole())
+                .setPermission(userAccess.getPermission())
                 .setUsername(userAccess.getUsername())
                 .build();
         return persistedUserAccess;
@@ -77,12 +77,11 @@ public List<UserAccess> getUserAccessForUsername(String username)
 
             UserAccess userAccess = new UserAccess.UserAccessBuilder()
                     .setUsername(doc.getString("username"))
-                    .setRole(doc.getString("role"))
+                    .setPermission(UserAccess.Permission.valueOf(doc.getString("permission")))
                     .setNamespace(namespace)
-                    .setResource(doc.getString("resource"))
+                    .setResourceType(UserAccess.ResourceType.valueOf(doc.getString("resourceType")))
                     .setId(doc.getInteger("id"))
                     .build();
-
             userAccessList.add(userAccess);
         }
 
@@ -103,9 +102,9 @@ public List<UserAccess> getUserAccessForNamespace(String namespace)
         for (Document doc : userAccessCollection.find(Filters.eq("namespace", namespace))) {
             UserAccess userAccess = new UserAccess.UserAccessBuilder()
                     .setUsername(doc.getString("username"))
-                    .setRole(doc.getString("role"))
+                    .setPermission(UserAccess.Permission.valueOf(doc.getString("permission")))
                     .setNamespace(namespace)
-                    .setResource(doc.getString("resource"))
+                    .setResourceType(UserAccess.ResourceType.valueOf(doc.getString("resourceType")))
                     .setId(doc.getInteger("id"))
                     .build();
             userAccessList.add(userAccess);