From 5a513e8115114fa11152c992e91cab19c524d646 Mon Sep 17 00:00:00 2001
From: Sergey Yakubov <sergey.yakubov@desy.de>
Date: Wed, 10 Mar 2021 12:07:39 +0100
Subject: [PATCH] update receiver authorization
---
.../src/request_handler/request_factory.cpp | 7 +++--
.../request_handler_authorize.cpp | 26 ++++++++++++++++---
.../request_handler/test_request_factory.cpp | 3 ++-
.../test_request_handler_authorizer.cpp | 21 ++++++++++++---
4 files changed, 46 insertions(+), 11 deletions(-)
diff --git a/receiver/src/request_handler/request_factory.cpp b/receiver/src/request_handler/request_factory.cpp
index fdacdd94a..de3f74cec 100644
--- a/receiver/src/request_handler/request_factory.cpp
+++ b/receiver/src/request_handler/request_factory.cpp
@@ -47,7 +47,9 @@ Error RequestFactory::AddReceiveDirectToFileHandler(std::unique_ptr<Request> &re
Error RequestFactory::AddHandlersToRequest(std::unique_ptr<Request> &request,
const GenericRequestHeader &request_header) const {
- request->AddHandler(&request_handler_authorize_);
+ if (request_header.op_code != Opcode::kOpcodeAuthorize) {
+ request->AddHandler(&request_handler_authorize_);
+ }
switch (request_header.op_code) {
case Opcode::kOpcodeTransferData:
@@ -73,7 +75,8 @@ Error RequestFactory::AddHandlersToRequest(std::unique_ptr<Request> &request,
break;
}
case Opcode::kOpcodeAuthorize: {
- // do nothing
+ request->AddHandler(&request_handler_receive_metadata_);
+ request->AddHandler(&request_handler_authorize_);
break;
}
case Opcode::kOpcodeStreamInfo: {
diff --git a/receiver/src/request_handler/request_handler_authorize.cpp b/receiver/src/request_handler/request_handler_authorize.cpp
index f13fc1ae2..9904d5844 100644
--- a/receiver/src/request_handler/request_handler_authorize.cpp
+++ b/receiver/src/request_handler/request_handler_authorize.cpp
@@ -26,6 +26,14 @@ Error RequestHandlerAuthorize::ErrorFromAuthorizationServerResponse(const Error&
}
}
+Error CheckAccessType(const std::string& access_type) {
+ if (access_type!="write") {
+ return asapo::ReceiverErrorTemplates::kAuthorizationFailure.Generate("wrong access type " + access_type);
+ }
+ return nullptr;
+}
+
+
Error RequestHandlerAuthorize::Authorize(Request* request, const char* source_credentials) const {
HttpCode code;
Error err;
@@ -42,6 +50,7 @@ Error RequestHandlerAuthorize::Authorize(Request* request, const char* source_cr
}
std::string stype;
+ std::string access_type;
JsonStringParser parser{response};
(err = parser.GetString("beamtimeId", &beamtime_id_)) ||
@@ -49,15 +58,24 @@ Error RequestHandlerAuthorize::Authorize(Request* request, const char* source_cr
(err = parser.GetString("core-path", &offline_path_)) ||
(err = parser.GetString("beamline-path", &online_path_)) ||
(err = parser.GetString("source-type", &stype)) ||
+ (err = parser.GetString("access-type", &access_type)) ||
(err = GetSourceTypeFromString(stype, &source_type_)) ||
(err = parser.GetString("beamline", &beamline_));
if (err) {
return ErrorFromAuthorizationServerResponse(err, code);
- } else {
- log__->Debug(std::string("authorized connection from ") + request->GetOriginUri() +"source type: "+stype+ " beamline: " +
- beamline_ + ", beamtime id: " + beamtime_id_ + ", data soucre: " + data_source_);
}
+ err = CheckAccessType(access_type);
+ if (err) {
+ log__->Error("failure authorizing at " + GetReceiverConfig()->authorization_server + " request: " + request_string +
+ " - " +
+ err->Explain());
+ return err;
+ }
+
+ log__->Debug(std::string("authorized connection from ") + request->GetOriginUri() +"source type: "+stype+ " beamline: " +
+ beamline_ + ", beamtime id: " + beamtime_id_ + ", data soucre: " + data_source_);
+
last_updated_ = system_clock::now();
cached_source_credentials_ = source_credentials;
@@ -73,7 +91,7 @@ Error RequestHandlerAuthorize::ProcessAuthorizationRequest(Request* request) con
return auth_error;
}
- return Authorize(request, request->GetMessage());
+ return Authorize(request, request->GetMetaData().c_str());
}
Error RequestHandlerAuthorize::ProcessReAuthorization(Request* request) const {
diff --git a/receiver/unittests/request_handler/test_request_factory.cpp b/receiver/unittests/request_handler/test_request_factory.cpp
index 5f224d3d0..a6c1d02b6 100644
--- a/receiver/unittests/request_handler/test_request_factory.cpp
+++ b/receiver/unittests/request_handler/test_request_factory.cpp
@@ -121,7 +121,8 @@ TEST_F(FactoryTests, ReturnsDataRequestForAuthorizationCode) {
ASSERT_THAT(err, Eq(nullptr));
ASSERT_THAT(dynamic_cast<asapo::Request*>(request.get()), Ne(nullptr));
- ASSERT_THAT(dynamic_cast<const asapo::RequestHandlerAuthorize*>(request->GetListHandlers()[0]), Ne(nullptr));
+ ASSERT_THAT(dynamic_cast<const asapo::RequestHandlerReceiveMetaData*>(request->GetListHandlers()[0]), Ne(nullptr));
+ ASSERT_THAT(dynamic_cast<const asapo::RequestHandlerAuthorize*>(request->GetListHandlers()[1]), Ne(nullptr));
}
TEST_F(FactoryTests, DoNotAddDiskAndDbWriterIfNotWantedInRequest) {
diff --git a/receiver/unittests/request_handler/test_request_handler_authorizer.cpp b/receiver/unittests/request_handler/test_request_handler_authorizer.cpp
index c1e5a9741..e85038de4 100644
--- a/receiver/unittests/request_handler/test_request_handler_authorizer.cpp
+++ b/receiver/unittests/request_handler/test_request_handler_authorizer.cpp
@@ -74,6 +74,7 @@ class AuthorizerHandlerTests : public Test {
std::string expected_source_credentials;
asapo::SourceType expected_source_type = asapo::SourceType::kProcessed;
std::string expected_source_type_str = "processed";
+ std::string expected_access_type_str = "write";
void MockRequestData();
void SetUp() override {
GenericRequestHeader request_header;
@@ -115,7 +116,8 @@ class AuthorizerHandlerTests : public Test {
"\",\"beamline-path\":" + "\"" + expected_beamline_path +
"\",\"core-path\":" + "\"" + expected_core_path +
"\",\"source-type\":" + "\"" + expected_source_type_str +
- "\",\"beamline\":" + "\"" + expected_beamline + "\"}")
+ "\",\"beamline\":" + "\"" + expected_beamline +
+ "\",\"access-type\":" + "\"" + expected_access_type_str + "\"}")
));
if (code != HttpCode::OK) {
EXPECT_CALL(mock_logger, Error(AllOf(HasSubstr("failure authorizing"),
@@ -126,13 +128,16 @@ class AuthorizerHandlerTests : public Test {
HasSubstr(expected_data_source),
HasSubstr(expected_producer_uri),
HasSubstr(expected_authorization_server))));
- } else {
+ } else if (expected_access_type_str=="write") {
EXPECT_CALL(mock_logger, Debug(AllOf(HasSubstr("authorized"),
HasSubstr(expected_beamtime_id),
HasSubstr(expected_beamline),
HasSubstr(expected_source_type_str),
HasSubstr(expected_data_source),
HasSubstr(expected_producer_uri))));
+ } else {
+ EXPECT_CALL(mock_logger, Error(AllOf(HasSubstr(expected_access_type_str),
+ HasSubstr(expected_access_type_str))));
}
}
@@ -142,8 +147,8 @@ class AuthorizerHandlerTests : public Test {
EXPECT_CALL(*mock_request, GetOpCode())
.WillOnce(Return(asapo::kOpcodeAuthorize))
;
- EXPECT_CALL(*mock_request, GetMessage())
- .WillOnce(Return(expected_source_credentials.c_str()))
+ EXPECT_CALL(*mock_request, GetMetaData())
+ .WillOnce(ReturnRef(expected_source_credentials))
;
MockAuthRequest(error, code);
@@ -206,6 +211,14 @@ TEST_F(AuthorizerHandlerTests, AuthorizeOk) {
ASSERT_THAT(err, Eq(nullptr));
}
+
+TEST_F(AuthorizerHandlerTests, AuthorizeFailsOnWrongAccessType) {
+ expected_access_type_str = "read";
+ auto err = MockFirstAuthorization(false);
+
+ ASSERT_THAT(err, Eq(asapo::ReceiverErrorTemplates::kAuthorizationFailure));
+}
+
TEST_F(AuthorizerHandlerTests, ErrorOnSecondAuthorize) {
MockFirstAuthorization(false);
EXPECT_CALL(*mock_request, GetOpCode())
--
GitLab