From 55c4a48b314e90bfe18be885f33f5f8c407aeb69 Mon Sep 17 00:00:00 2001
From: Martin Ledvinka
Date: Fri, 20 Oct 2023 12:55:01 +0200
Subject: [PATCH] Disable user management API when OIDC security is used.
---
 .gitignore | 1 +
 .../kbss/study/config/SecurityConfig.java | 5 +++
 .../kbss/study/rest/OidcUserController.java | 34 +++++++++++++++++++
 .../cvut/kbss/study/rest/UserController.java | 16 +++++----
 .../cvut/kbss/study/service/UserService.java | 2 ++
 .../repository/RepositoryUserService.java | 5 +++
 6 files changed, 57 insertions(+), 6 deletions(-)
 create mode 100644 src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java
diff --git a/.gitignore b/.gitignore
index 5dafe25e..4c8a78fa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@
 target
 node_modules
 build
+logs
 **/generated-sources
 **/npm-debug.log
 .DS_store
diff --git a/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java b/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java
index fa86c4a8..30653a4d 100644
--- a/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java
+++ b/src/main/java/cz/cvut/kbss/study/config/SecurityConfig.java
@@ -4,6 +4,8 @@
 import cz.cvut.kbss.study.security.SecurityConstants;
 import cz.cvut.kbss.study.service.ConfigReader;
 import cz.cvut.kbss.study.util.ConfigParam;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
@@ -35,6 +37,8 @@
 @EnableMethodSecurity
 public class SecurityConfig {
+ private static final Logger LOG = LoggerFactory.getLogger(SecurityConfig.class);
+
 private static final String[] COOKIES_TO_DESTROY = {
 SecurityConstants.SESSION_COOKIE_NAME,
 SecurityConstants.REMEMBER_ME_COOKIE_NAME,
@@ -61,6 +65,7 @@ public SecurityConfig(AuthenticationFailureHandler authenticationFailureHandler,
 @Bean
 public SecurityFilterChain filterChain(HttpSecurity http, ConfigReader config) throws Exception {
+ LOG.debug("Using internal security mechanisms.");
 final AuthenticationManager authManager = buildAuthenticationManager(http);
 http.authorizeHttpRequests((auth) -> auth.anyRequest().permitAll())
 .cors((auth) -> auth.configurationSource(corsConfigurationSource(config)))
diff --git a/src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java b/src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java
new file mode 100644
index 00000000..3504e5b8
--- /dev/null
+++ b/src/main/java/cz/cvut/kbss/study/rest/OidcUserController.java
@@ -0,0 +1,34 @@
+package cz.cvut.kbss.study.rest;
+
+import cz.cvut.kbss.study.model.User;
+import cz.cvut.kbss.study.security.SecurityConstants;
+import cz.cvut.kbss.study.service.UserService;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.http.MediaType;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * API for getting basic user info.
+ *
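Review bot: The new `LOG.debug("Using internal security mechanisms.")` at the top of filterChain is only visible when debug logging is switched on, yet which authentication provider a deployment is actually running with is the first thing an operator checks when a login or authorization problem is reported. The bean is built once at startup, so raising it costs nothing: `LOG.info("Using internal security mechanisms.");`. The enclosing SecurityConfig class and the remainder of filterChain lie outside the hunk.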

+ * Enabled when OIDC security is used.
+ */
+@ConditionalOnProperty(prefix = "security", name = "provider", havingValue = "oidc")
+@RestController
+@RequestMapping("/users")
+public class OidcUserController extends BaseController {
+
+ private final UserService userService;
+
+ public OidcUserController(UserService userService) {
+ this.userService = userService;
+ }
+
+ @PreAuthorize("hasRole('" + SecurityConstants.ROLE_USER + "')")
+ @GetMapping(value = "/current", produces = MediaType.APPLICATION_JSON_VALUE)
+ public User getCurrent() {
+ return userService.getCurrentUser();
+ }
+}
diff --git a/src/main/java/cz/cvut/kbss/study/rest/UserController.java b/src/main/java/cz/cvut/kbss/study/rest/UserController.java
index d01209d7..42fac83e 100644
--- a/src/main/java/cz/cvut/kbss/study/rest/UserController.java
+++ b/src/main/java/cz/cvut/kbss/study/rest/UserController.java
@@ -11,6 +11,7 @@
 import cz.cvut.kbss.study.service.InstitutionService;
 import cz.cvut.kbss.study.service.UserService;
 import cz.cvut.kbss.study.service.security.SecurityUtils;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
@@ -27,10 +28,15 @@
 import org.springframework.web.bind.annotation.ResponseStatus;
 import org.springframework.web.bind.annotation.RestController;
-import java.security.Principal;
 import java.util.List;
 import java.util.Map;
+/**
+ * User management API.
+ *
+ * Enabled when internal security is used.
+ */
+@ConditionalOnProperty(prefix = "security", name = "provider", havingValue = "internal", matchIfMissing = true)
 @RestController
 @RequestMapping("/users")
 public class UserController extends BaseController {
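Review bot: OidcUserController's class Javadoc says when it is enabled but not why it exposes a single read-only endpoint, so a later contributor could reasonably add create/delete mappings here and reopen the user-management surface this commit closes for OIDC deployments. Suggest extending the class comment with ` * Deliberately exposes only read access to the current user: account lifecycle is handled by the OIDC provider, so the management endpoints of UserController must not be mirrored here.` The mutual exclusion with UserController also rests on the literal `"oidc"` and `"internal"` values of the two `@ConditionalOnProperty` annotations staying distinct; hoisting the property name and both values into compile-time String constants on SecurityConstants, which already holds the role and cookie names, would keep them from drifting apart.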
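Review bot: The new `@ConditionalOnProperty` on UserController sets `matchIfMissing = true`, so the full management API (create, listing, and whatever else the class holds) is registered whenever `security.provider` is simply absent, while the Javadoc two lines above says only `Enabled when internal security is used.` That is a reasonable default for internal deployments, but it is a fail-open one and deserves to be spelled out where the next reader looks: ` * Enabled when internal security is used, which is also the default when {@code security.provider} is not set.` The body of UserController continues outside the hunk.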
@@ -57,9 +63,8 @@ public User getByUsername(@PathVariable("username") String username) {
 @PreAuthorize("hasRole('" + SecurityConstants.ROLE_USER + "')")
 @GetMapping(value = "/current", produces = MediaType.APPLICATION_JSON_VALUE)
- public User getCurrent(Principal principal) {
- final String username = principal.getName();
- return getByUsername(username);
+ public User getCurrent() {
+ return userService.getCurrentUser();
 }
 @PreAuthorize("hasRole('" + SecurityConstants.ROLE_ADMIN + "')")
@@ -79,8 +84,7 @@ public ResponseEntity create(@RequestBody User user) {
 "or hasRole('" + SecurityConstants.ROLE_USER + "') and @securityUtils.isMemberOfInstitution(#institutionKey)")
 @GetMapping(produces = MediaType.APPLICATION_JSON_VALUE)
 public List getUsers(@RequestParam(value = "institution", required = false) String institutionKey) {
- final List users = institutionKey != null ? getByInstitution(institutionKey) : userService.findAll();
- return users;
+ return institutionKey != null ? getByInstitution(institutionKey) : userService.findAll();
 }
 private List getByInstitution(String institutionKey) {
diff --git a/src/main/java/cz/cvut/kbss/study/service/UserService.java b/src/main/java/cz/cvut/kbss/study/service/UserService.java
index 19d4c75b..af744aad 100644
--- a/src/main/java/cz/cvut/kbss/study/service/UserService.java
+++ b/src/main/java/cz/cvut/kbss/study/service/UserService.java
@@ -9,6 +9,8 @@ public interface UserService extends BaseService {
 User findByUsername(String username);
+ User getCurrentUser();
+
 User findByEmail(String email);
 User findByToken(String token);
diff --git a/src/main/java/cz/cvut/kbss/study/service/repository/RepositoryUserService.java b/src/main/java/cz/cvut/kbss/study/service/repository/RepositoryUserService.java
index 3de075b0..1ed305a0 100644
--- a/src/main/java/cz/cvut/kbss/study/service/repository/RepositoryUserService.java
+++ b/src/main/java/cz/cvut/kbss/study/service/repository/RepositoryUserService.java
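Review bot: The rewritten return in getUsers still reaches `userService.findAll()` whenever the `institution` parameter is omitted, and for a non-admin caller the only thing standing between that and a listing of every user is `@securityUtils.isMemberOfInstitution(#institutionKey)` being evaluated with a null key. The behaviour predates this commit, but since the line is being touched it is worth confirming that SecurityUtils (not visible here) rejects a null key rather than treating it as "no institution, allow", and recording that assumption next to the branch: `// findAll() without an institution is meant for ROLE_ADMIN only; the USER branch of the @PreAuthorize expression must reject a null key`. The start of getUsers' annotation and the rest of getByInstitution lie outside the hunk.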
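Review bot: `User getCurrentUser();` is added to the UserService interface without Javadoc, and its contract when no user is authenticated (null, or an exception) is exactly what the controllers' new getCurrent() methods depend on. The visible implementation delegates to securityUtils.getCurrentUser(), whose behaviour is not shown, so at minimum state that: `/** Returns the user bound to the current security context; behaviour without an authenticated caller follows SecurityUtils.getCurrentUser(). */`, and pin it down once that helper's null/throw semantics are confirmed.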
@@ -71,6 +71,11 @@ public User findByUsername(String username) {
 return userDao.findByUsername(username);
 }
+ @Override
+ public User getCurrentUser() {
+ return securityUtils.getCurrentUser();
+ }
+
 @Transactional(readOnly = true)
 @Override
 public List findByInstitution(Institution institution) {
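Review bot: Unlike the neighbouring findByInstitution, the new getCurrentUser() carries no `@Transactional(readOnly = true)`. That is fine if `securityUtils.getCurrentUser()` only reads the already-authenticated principal from the security context, but if it resolves the user through the DAO (not visible here) the call runs outside any transaction; either add the annotation for consistency with the siblings or state the reason on the method: `// no transaction: returns the principal held in the security context, no repository access`. RepositoryUserService's class header and its securityUtils field are outside the hunk.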