Add new isClientOwner preAuthorize method

Author: SteDev2

iam-login-service/src/main/java/it/infn/mw/iam/api/client/management/ClientManagementAPIController.java

@@ -159,7 +159,7 @@ public void disableClient(@PathVariable String clientId) {
 
   @PostMapping("/{clientId}/secret")
   @ResponseStatus(CREATED)
-  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN')")
+  @PreAuthorize("#iam.hasScope('iam:admin.write') or #iam.hasDashboardRole('ROLE_ADMIN') or #iam.isClientOwner('clientId')")
   public RegisteredClientDTO rotateClientSecret(@PathVariable String clientId) {
     return managementService.generateNewClientSecret(clientId);
   }

iam-login-service/src/main/java/it/infn/mw/iam/core/expression/IamMethodSecurityExpressionHandler.java

@@ -22,6 +22,7 @@
 import org.springframework.stereotype.Component;
 
 import it.infn.mw.iam.api.account.AccountUtils;
+import it.infn.mw.iam.api.client.service.DefaultClientService;
 import it.infn.mw.iam.api.requests.GroupRequestUtils;
 import it.infn.mw.iam.core.userinfo.OAuth2AuthenticationScopeResolver;
 
@@ -30,12 +31,15 @@
 public class IamMethodSecurityExpressionHandler extends OAuth2MethodSecurityExpressionHandler {
 
   private final AccountUtils accountUtils;
+  private final DefaultClientService clientService;
   private final GroupRequestUtils groupRequestUtils;
   private final OAuth2AuthenticationScopeResolver scopeResolver;
 
   public IamMethodSecurityExpressionHandler(AccountUtils accountUtils,
-      GroupRequestUtils groupRequestUtils, OAuth2AuthenticationScopeResolver scopeResolver) {
+      DefaultClientService clientService, GroupRequestUtils groupRequestUtils,
+      OAuth2AuthenticationScopeResolver scopeResolver) {
     this.accountUtils = accountUtils;
+    this.clientService = clientService;
     this.groupRequestUtils = groupRequestUtils;
     this.scopeResolver = scopeResolver;
   }
@@ -46,7 +50,7 @@ public StandardEvaluationContext createEvaluationContextInternal(Authentication
 
     StandardEvaluationContext ec = super.createEvaluationContextInternal(authentication, mi);
     ec.setVariable("iam", new IamSecurityExpressionMethods(authentication, accountUtils,
-        groupRequestUtils, scopeResolver));
+        clientService, groupRequestUtils, scopeResolver));
     return ec;
   }
 

iam-login-service/src/main/java/it/infn/mw/iam/core/expression/IamSecurityExpressionMethods.java

@@ -20,11 +20,13 @@
 import java.util.Collection;
 import java.util.Optional;
 
+import org.mitre.oauth2.model.ClientDetailsEntity;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
 
 import it.infn.mw.iam.api.account.AccountUtils;
+import it.infn.mw.iam.api.client.service.DefaultClientService;
 import it.infn.mw.iam.api.requests.GroupRequestUtils;
 import it.infn.mw.iam.authn.AbstractExternalAuthenticationToken;
 import it.infn.mw.iam.core.IamGroupRequestStatus;
@@ -40,13 +42,16 @@ public class IamSecurityExpressionMethods {
 
   private final Authentication authentication;
   private final AccountUtils accountUtils;
+  private final DefaultClientService clientService;
   private final GroupRequestUtils groupRequestUtils;
   private final OAuth2AuthenticationScopeResolver scopeResolver;
 
   public IamSecurityExpressionMethods(Authentication authentication, AccountUtils accountUtils,
-      GroupRequestUtils groupRequestUtils, OAuth2AuthenticationScopeResolver scopeResolver) {
+      DefaultClientService clientService, GroupRequestUtils groupRequestUtils,
+      OAuth2AuthenticationScopeResolver scopeResolver) {
     this.authentication = authentication;
     this.accountUtils = accountUtils;
+    this.clientService = clientService;
     this.groupRequestUtils = groupRequestUtils;
     this.scopeResolver = scopeResolver;
   }
@@ -153,4 +158,11 @@ public boolean hasDashboardRole(Role role) {
   public boolean hasAdminOrGMDashboardRoleOfGroup(String gid) {
     return (hasDashboardRole(Role.ROLE_ADMIN) || isGroupManager(gid));
   }
+
+  public boolean isClientOwner(String clientId) {
+    Optional<IamAccount> account = accountUtils.getAuthenticatedUserAccount();
+    Optional<ClientDetailsEntity> client =
+        clientService.findClientByClientIdAndAccount(clientId, account.orElse(null));
+    return client.isPresent();
+  }
 }

iam-login-service/src/main/java/it/infn/mw/iam/core/expression/IamWebSecurityExpressionHandler.java

@@ -22,6 +22,7 @@
 import org.springframework.stereotype.Component;
 
 import it.infn.mw.iam.api.account.AccountUtils;
+import it.infn.mw.iam.api.client.service.DefaultClientService;
 import it.infn.mw.iam.api.requests.GroupRequestUtils;
 import it.infn.mw.iam.core.userinfo.OAuth2AuthenticationScopeResolver;
 
@@ -30,12 +31,15 @@
 public class IamWebSecurityExpressionHandler extends OAuth2WebSecurityExpressionHandler {
 
   private final AccountUtils accountUtils;
+  private final DefaultClientService clientService;
   private final GroupRequestUtils groupRequestUtils;
   private final OAuth2AuthenticationScopeResolver scopeResolver;
 
   public IamWebSecurityExpressionHandler(AccountUtils accountUtils,
-      GroupRequestUtils groupRequestUtils, OAuth2AuthenticationScopeResolver scopeResolver) {
+      DefaultClientService clientService, GroupRequestUtils groupRequestUtils,
+      OAuth2AuthenticationScopeResolver scopeResolver) {
     this.accountUtils = accountUtils;
+    this.clientService = clientService;
     this.groupRequestUtils = groupRequestUtils;
     this.scopeResolver = scopeResolver;
   }
@@ -47,7 +51,7 @@ public StandardEvaluationContext createEvaluationContextInternal(Authentication
     StandardEvaluationContext ec =
         super.createEvaluationContextInternal(authentication, invocation);
     ec.setVariable("iam", new IamSecurityExpressionMethods(authentication, accountUtils,
-        groupRequestUtils, scopeResolver));
+        clientService, groupRequestUtils, scopeResolver));
     return ec;
   }
 

iam-login-service/src/test/java/it/infn/mw/iam/test/util/IamSecurityExpressionsTests.java

@@ -31,6 +31,7 @@
 
 import it.infn.mw.iam.IamLoginService;
 import it.infn.mw.iam.api.account.AccountUtils;
+import it.infn.mw.iam.api.client.service.DefaultClientService;
 import it.infn.mw.iam.api.requests.GroupRequestUtils;
 import it.infn.mw.iam.api.requests.model.GroupRequestDto;
 import it.infn.mw.iam.core.expression.IamSecurityExpressionMethods;
@@ -45,6 +46,9 @@ public class IamSecurityExpressionsTests extends GroupRequestsTestUtils {
   @Autowired
   private AccountUtils accountUtils;
 
+  @Autowired
+  private DefaultClientService clientService;
+
   @Autowired
   private GroupRequestUtils groupRequestUtils;
 
@@ -58,14 +62,15 @@ public class IamSecurityExpressionsTests extends GroupRequestsTestUtils {
   public void destroy() {
     repo.deleteAll();
   }
-  
+
   private IamSecurityExpressionMethods getMethods() {
     Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-    return new IamSecurityExpressionMethods(authentication, accountUtils, groupRequestUtils, scopeResolver);
+    return new IamSecurityExpressionMethods(authentication, accountUtils, clientService,
+        groupRequestUtils, scopeResolver);
   }
 
   @Test
-  @WithMockUser(roles = { "ADMIN", "USER" }, username = TEST_ADMIN)
+  @WithMockUser(roles = {"ADMIN", "USER"}, username = TEST_ADMIN)
   public void testIsAdmin() {
     assertTrue(getMethods().isAdmin());
     assertTrue(getMethods().isUser(TEST_ADMIN_UUID));
@@ -77,7 +82,7 @@ public void testIsAdmin() {
   }
 
   @Test
-  @WithMockUser(roles = { "USER" }, username = TEST_USERNAME)
+  @WithMockUser(roles = {"USER"}, username = TEST_USERNAME)
   public void testIsNotAdmin() {
     assertFalse(getMethods().isAdmin());
     assertTrue(getMethods().isUser(TEST_USERUUID));