Merge pull request #551 from wri/feature/authorize-uploads

Feature/authorize uploads

Author: tsubik

.env.sample

@@ -18,6 +18,7 @@ FRONTEND_URL=
 OBSERVATIONS_TOOL_URL=
 
 SENTRY_DSN=
+SENTRY_LOG_UNAUTHORIZED_DOWNLOADS=true
 
 SENDGRID_DOMAIN=
 SENDGRID_API_KEY=

.rubocop.yml

@@ -65,4 +65,3 @@ Rails/WhereRange:
 
 Rails/Blank:
   Enabled: false
-

app/controllers/uploads_controller.rb

@@ -2,8 +2,8 @@
 
 class UploadsController < ApplicationController
   rescue_from ActionController::MissingFile, with: :raise_not_found_exception
-  rescue_from SecurityError, with: :raise_not_found_exception
-  rescue_from CanCan::AccessDenied, with: :raise_not_found_exception
+  rescue_from SecurityError, with: :log_and_raise_not_found_exception
+  rescue_from CanCan::AccessDenied, with: :log_and_raise_not_found_exception
 
   MODELS_OVERRIDES = {
     "operator_document_file" => "document_file",
@@ -15,6 +15,7 @@ def download
     parse_upload_path
     ensure_valid_db_record
     track_download if trackable_request?
+    check_authorization! if needs_authorization?
     send_file @sanitized_filepath, disposition: :inline
   end
 
@@ -79,6 +80,29 @@ def ensure_valid_filename
     end
   end
 
+  def cookie_download_users
+    cookies
+      .select { |name, _v| name.ends_with?("download_user") }
+      .map do |name, download_token|
+        payload = Rails.application.message_verifier("download_token").verify(download_token)
+        User.find_by(id: payload["user_id"])
+      rescue ActiveSupport::MessageVerifier::InvalidSignature
+        nil
+      end.compact
+  end
+
+  def check_authorization!
+    raise SecurityError unless download_users.any? { it.can?(:download_protected, @record) }
+  end
+
+  def download_users
+    [current_user, *cookie_download_users].compact
+  end
+
+  def needs_authorization?
+    @uploader.protected?
+  end
+
   def allowed_models
     uploads_root = ApplicationUploader.new.root.join("uploads")
     Dir.entries(uploads_root)
@@ -151,7 +175,14 @@ def allowed_directory
     Rails.env.test? ? File.join(Rails.root, "tmp", "uploads") : File.join(Rails.root, "uploads")
   end
 
+  def log_and_raise_not_found_exception
+    msg = "Unauthorized file download attempt: user_id=#{current_user&.id}, path=#{@sanitized_filepath}"
+    Rails.logger.warn(msg)
+    Sentry.capture_message(msg) if ENV["SENTRY_LOG_UNAUTHORIZED_DOWNLOADS"] == "true"
+    raise_not_found_exception
+  end
+
   def raise_not_found_exception
-    raise ActionController::RoutingError, "Not Found"
+    raise ActionController::RoutingError, "Not found or your download session has expired (try clicking on the link again)"
   end
 end

app/controllers/v1/sessions_controller.rb

@@ -4,11 +4,14 @@ module V1
   class SessionsController < APIController
     skip_before_action :authenticate, only: [:create]
 
+    include ActionController::Cookies
+
     def create
       @user = User.find_by(email: auth_params[:email])
       if @user.present? && @user.valid_password?(auth_params[:password]) && @user.is_active
         token = Auth.issue({user: @user.id})
         @user.update_tracked_fields!(request)
+        set_download_session_cookie_for(@user)
         render json: {token: token, role: @user.user_permission.user_role,
                       user_id: @user.id, country: @user.country_id,
                       operator_ids: @user.operator_ids, observer: @user.observer_id}, status: :ok
@@ -17,10 +20,38 @@ def create
       end
     end
 
+    def destroy
+      cookies.delete(download_user_cookie_name)
+    end
+
+    # each app, like portal and observation tool can have it's own download user cookie to prevent some edgecases
+    def download_session
+      set_download_session_cookie_for(current_user)
+      head :ok
+    end
+
     private
 
     def auth_params
       params.require(:auth).permit(:email, :password, :current_sign_in_ip)
     end
+
+    def set_download_session_cookie_for(user)
+      download_token = Rails.application.message_verifier("download_token").generate(
+        {user_id: user.id},
+        expires_in: 10.minutes
+      )
+      cookies[download_user_cookie_name] = {
+        value: download_token,
+        expires: 10.minutes.from_now,
+        same_site: :strict,
+        secure: Rails.env.production? || Rails.env.staging?,
+        httponly: true
+      }
+    end
+
+    def download_user_cookie_name
+      [context[:app], "download_user"].compact.join("_")
+    end
   end
 end

app/models/ability.rb

@@ -29,6 +29,16 @@ def initialize(user = nil)
         end
         can :ru, Notification, user_id: user.id
         can :dismiss, Notification, user_id: user.id
+        can :download_protected, OperatorDocumentAnnex do |annex|
+          can? :update, annex.operator_document
+        end
+        can :download_protected, DocumentFile do |document_file|
+          if document_file.owner.is_a?(OperatorDocumentHistory)
+            can? :manage, document_file.owner.operator_document
+          else
+            can? :manage, document_file.owner
+          end
+        end
       else
         can [:read], User, id: user.id
       end

app/models/operator.rb

@@ -121,6 +121,10 @@ def translated_types
     end
   end
 
+  def publication_authorization_signed?
+    approved?
+  end
+
   def holding_users
     holding&.users || User.none
   end

app/models/operator_document.rb

@@ -139,6 +139,14 @@ def publication_authorization?
     required_operator_document.contract_signature?
   end
 
+  # # TODO: I would name it public? but we have public attribute that should be refactored at some point
+  def needs_authorization_before_downloading?
+    return true if publication_authorization?
+    return false if (doc_valid? || doc_expired?) && (operator.publication_authorization_signed? || public?)
+
+    true
+  end
+
   def name_with_fmu
     return required_operator_document.name if fmu.nil?
 

app/models/operator_document_annex.rb

@@ -45,6 +45,12 @@ class OperatorDocumentAnnex < ApplicationRecord
   scope :from_operator, ->(operator_id) { joins(:operator_document).where(operator_documents: {operator_id: operator_id}) }
   scope :orphaned, -> { where.not(id: AnnexDocument.select(:operator_document_annex_id)) }
 
+  def needs_authorization_before_downloading?
+    return false if (doc_valid? || doc_expired?) && any_operator_document_without_authorization?
+
+    true
+  end
+
   def self.expire_document_annexes
     today = Time.zone.today
     documents_to_expire =
@@ -61,4 +67,10 @@ def operator_document_name
   def expire_document_annex
     update(status: OperatorDocumentAnnex.statuses[:doc_expired])
   end
+
+  private
+
+  def any_operator_document_without_authorization?
+    [operator_document, *operator_document_histories].compact.any? { !it.needs_authorization_before_downloading? }
+  end
 end

app/models/operator_document_history.rb

@@ -56,6 +56,13 @@ def publication_authorization?
     required_operator_document.contract_signature?
   end
 
+  def needs_authorization_before_downloading?
+    return true if publication_authorization?
+    return false if (doc_valid? || doc_expired?) && (operator.publication_authorization_signed? || public?)
+
+    true
+  end
+
   # Returns the collection of OperatorDocumentHistory for a given operator at a point in time
   #
   # @param String operator_id The operator id

app/models/user.rb

@@ -90,6 +90,11 @@ class User < ApplicationRecord
   scope :inactive, -> { where(is_active: false) }
   scope :with_roles, ->(role) { joins(:user_permission).where(user_permission: {user_role: role}) }
 
+  delegate :can?, :cannot, to: :ability
+  def ability
+    @ability ||= Ability.new(self)
+  end
+
   def self.ransackable_attributes(auth_object = nil)
     %w[name first_name last_name email id created_at]
   end