Merge pull request #1700 from UNC-Libraries/BXC-4503-access-restrictions

Bxc 4503 access restrictions

web-common/src/main/java/edu/unc/lib/boxc/web/common/auth/filters/StoreUserAccessControlFilter.java

@@ -1,26 +1,28 @@
 package edu.unc.lib.boxc.web.common.auth.filters;
 
-import static edu.unc.lib.boxc.web.common.auth.HttpAuthHeaders.FORWARDED_MAIL_HEADER;
-import static edu.unc.lib.boxc.web.common.auth.RemoteUserUtil.getRemoteUser;
-
-import java.io.IOException;
-
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.web.context.ServletContextAware;
-import org.springframework.web.filter.OncePerRequestFilter;
-
 import edu.unc.lib.boxc.auth.api.models.AccessGroupSet;
 import edu.unc.lib.boxc.auth.api.models.AgentPrincipals;
 import edu.unc.lib.boxc.auth.fcrepo.models.AccessGroupSetImpl;
 import edu.unc.lib.boxc.auth.fcrepo.services.GroupsThreadStore;
 import edu.unc.lib.boxc.web.common.auth.HttpAuthHeaders;
 import edu.unc.lib.boxc.web.common.auth.PatronPrincipalProvider;
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.web.context.ServletContextAware;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+import static edu.unc.lib.boxc.auth.api.AccessPrincipalConstants.PUBLIC_PRINC;
+import static edu.unc.lib.boxc.web.common.auth.HttpAuthHeaders.FORWARDED_MAIL_HEADER;
+import static edu.unc.lib.boxc.web.common.auth.RemoteUserUtil.getRemoteUser;
 
 /**
  * Filter which retrieves the users shibboleth and grouper session information in order to construct their profile as
@@ -89,18 +91,37 @@ protected AccessGroupSet getUserGroups(HttpServletRequest request) {
 
     protected AccessGroupSet getForwardedGroups(HttpServletRequest request) {
         String forwardedGroups = request.getHeader(HttpAuthHeaders.FORWARDED_GROUPS_HEADER);
+        var publicAccessGroup = new AccessGroupSetImpl(List.of(PUBLIC_PRINC));
         if (log.isDebugEnabled()) {
             log.debug("Forwarding user {} logged in with forwarded groups {}",
-                    GroupsThreadStore.getUsername(), forwardedGroups);
+                    request.getRemoteUser(), forwardedGroups);
         }
         if (forwardedGroups == null) {
-            return new AccessGroupSetImpl();
+            logHeadersForEmptyForwarded(request);
+            // if no group is specified, set to public
+            return publicAccessGroup;
         }
 
-        if (forwardedGroups.trim().length() > 0) {
+        if (!forwardedGroups.trim().isEmpty()) {
             return new AccessGroupSetImpl(forwardedGroups);
         }
-        return new AccessGroupSetImpl();
+        logHeadersForEmptyForwarded(request);
+        return publicAccessGroup;
+    }
+
+    private void logHeadersForEmptyForwarded(HttpServletRequest request) {
+        log.info("Forwarded with no groups using user {}, logging headers:", request.getRemoteUser());
+        // read all header names and values from the request and log them
+        List<String> emptyHeaders = new ArrayList<>();
+        request.getHeaderNames().asIterator().forEachRemaining(headerName -> {
+            String headerValue = request.getHeader(headerName);
+            if (StringUtils.isBlank(headerValue)) {
+                emptyHeaders.add(headerName);
+            } else {
+                log.info("   name: {}, value: {}", headerName, headerValue);
+            }
+        });
+        log.info("   Empty headers: {}", emptyHeaders);
     }
 
     protected AccessGroupSet getGrouperGroups(HttpServletRequest request) {
@@ -111,7 +132,7 @@ protected AccessGroupSet getGrouperGroups(HttpServletRequest request) {
             log.debug("Normal user " + userName + " logged in with groups " + shibGroups);
         }
 
-        if (shibGroups == null || shibGroups.trim().length() == 0) {
+        if (shibGroups == null || shibGroups.trim().isEmpty()) {
             accessGroups = new AccessGroupSetImpl();
         } else {
             accessGroups = new AccessGroupSetImpl(shibGroups);

web-common/src/test/java/edu/unc/lib/boxc/web/common/auth/filters/StoreUserAccessControlFilterTest.java

@@ -1,5 +1,25 @@
 package edu.unc.lib.boxc.web.common.auth.filters;
 
+import edu.unc.lib.boxc.auth.api.models.AccessGroupSet;
+import edu.unc.lib.boxc.auth.fcrepo.services.GroupsThreadStore;
+import edu.unc.lib.boxc.web.common.auth.HttpAuthHeaders;
+import edu.unc.lib.boxc.web.common.auth.PatronPrincipalProvider;
+import edu.unc.lib.boxc.web.common.auth.RemoteUserUtil;
+import org.apache.commons.io.FileUtils;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
+import org.mockito.Mock;
+
+import javax.servlet.FilterChain;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.File;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Path;
+import java.util.Collections;
+
 import static edu.unc.lib.boxc.auth.api.AccessPrincipalConstants.AUTHENTICATED_PRINC;
 import static edu.unc.lib.boxc.auth.api.AccessPrincipalConstants.IP_PRINC_NAMESPACE;
 import static edu.unc.lib.boxc.auth.api.AccessPrincipalConstants.PUBLIC_PRINC;
@@ -15,26 +35,6 @@
 import static org.mockito.Mockito.when;
 import static org.mockito.MockitoAnnotations.openMocks;
 
-import java.io.File;
-import java.nio.charset.StandardCharsets;
-import java.nio.file.Path;
-
-import javax.servlet.FilterChain;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-
-import org.apache.commons.io.FileUtils;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.Test;
-import org.junit.jupiter.api.io.TempDir;
-import org.mockito.Mock;
-
-import edu.unc.lib.boxc.auth.api.models.AccessGroupSet;
-import edu.unc.lib.boxc.auth.fcrepo.services.GroupsThreadStore;
-import edu.unc.lib.boxc.web.common.auth.PatronPrincipalProvider;
-import edu.unc.lib.boxc.web.common.auth.RemoteUserUtil;
-
 /**
  *
  * @author bbpennel
@@ -189,12 +189,25 @@ public void testForwardedGroups() throws Exception {
     public void testForwardedNoGroups() throws Exception {
         when(request.getRemoteUser()).thenReturn("forwarder");
         when(request.isUserInRole(FORWARDING_ROLE)).thenReturn(true);
+        when(request.getHeaderNames()).thenReturn(Collections.emptyEnumeration());
         when(request.getHeader(FORWARDED_GROUPS_HEADER)).thenReturn("");
 
         filter.doFilter(request, response, filterChain);
 
         AccessGroupSet accessGroups = GroupsThreadStore.getGroups();
-        assertEquals(0, accessGroups.size());
+        assertEquals(1, accessGroups.size());
+        assertEquals(PUBLIC_PRINC, accessGroups.toString());
+    }
+
+    @Test
+    public void testGrouperNoGroups() throws Exception {
+        when(request.getHeader(HttpAuthHeaders.SHIBBOLETH_GROUPS_HEADER)).thenReturn("");
+
+        filter.doFilter(request, response, filterChain);
+
+        AccessGroupSet accessGroups = GroupsThreadStore.getGroups();
+        assertEquals(1, accessGroups.size());
+        assertEquals(PUBLIC_PRINC, accessGroups.toString());
     }
 
     @Test