Improved token validation

Now, if a user has their privileges demoted, or is set to inactive,
their corresponding token will lose validity as well.

Request: CT_BDEPLOY-871
Change-Id: Ifbf3240bdc659d760cd4883f8a7f0167b3d3e92b

Author: TheTechnolog

jersey/src/main/java/io/bdeploy/jersey/JerseyAuthenticationProvider.java

@@ -50,7 +50,7 @@ public class JerseyAuthenticationProvider implements ContainerRequestFilter, Con
     private static final String WEAK_AUTH = "weak";
 
     private final KeyStore store;
-    private final Predicate<String> userValidator;
+    private final Predicate<ApiAccessToken> tokenValidator;
     private final JerseySessionManager sessionManager;
 
     @Inject
@@ -102,9 +102,10 @@ public void filter(ContainerRequestContext requestContext) {
 
     }
 
-    public JerseyAuthenticationProvider(KeyStore store, Predicate<String> userValidator, JerseySessionManager sessionManager) {
+    public JerseyAuthenticationProvider(KeyStore store, Predicate<ApiAccessToken> tokenValidator,
+            JerseySessionManager sessionManager) {
         this.store = store;
-        this.userValidator = userValidator;
+        this.tokenValidator = tokenValidator;
         this.sessionManager = sessionManager;
     }
 
@@ -163,7 +164,7 @@ public void filter(ContainerRequestContext requestContext) {
                 abortWithUnauthorized(requestContext);
             }
 
-            if (!api.isSystem() && userValidator != null && !userValidator.test(api.getIssuedTo())) {
+            if (tokenValidator != null && !tokenValidator.test(api)) {
                 abortWithUnauthorized(requestContext);
             }
 
@@ -175,7 +176,6 @@ public void filter(ContainerRequestContext requestContext) {
             log.error("Exception while parsing authorization: {}", e.toString());
             abortWithUnauthorized(requestContext);
         }
-
     }
 
     @Override

jersey/src/main/java/io/bdeploy/jersey/JerseyServer.java

@@ -51,6 +51,7 @@
 
 import io.bdeploy.common.audit.Auditor;
 import io.bdeploy.common.audit.Slf4jAuditor;
+import io.bdeploy.common.security.ApiAccessToken;
 import io.bdeploy.common.util.NamedDaemonThreadFactory;
 import io.bdeploy.common.util.Threads;
 import io.bdeploy.common.util.VersionHelper;
@@ -146,7 +147,7 @@ public class JerseyServer implements AutoCloseable, RegistrationTarget {
     private final JerseySessionManager sessionManager;
     private final Map<String, WebSocketApplication> wsApplications = new TreeMap<>();
 
-    private Predicate<String> userValidator;
+    private Predicate<ApiAccessToken> tokenValidator;
 
     /**
      * @param port the port to listen on
@@ -183,10 +184,10 @@ public void setAuditor(Auditor auditor) {
     }
 
     /**
-     * @param validator a validator which can verify a user exists and is allowed to proceed.
+     * @param tokenValidator a {@link Predicate} which can verify the validity of an {@link ApiAccessToken}
      */
-    public void setUserValidator(Predicate<String> validator) {
-        this.userValidator = validator;
+    public void setTokenValidator(Predicate<ApiAccessToken> tokenValidator) {
+        this.tokenValidator = tokenValidator;
     }
 
     @Override
@@ -381,7 +382,7 @@ public void registerDefaultResources(ResourceConfig config) {
         config.register(MultiPartFeature.class);
 
         // unfortunately, priorities annotated on the providers are not always respected.
-        config.register(new JerseyAuthenticationProvider(store, userValidator, sessionManager), Priorities.AUTHENTICATION);
+        config.register(new JerseyAuthenticationProvider(store, tokenValidator, sessionManager), Priorities.AUTHENTICATION);
         config.register(JerseyAuthenticationUnprovider.class, Priorities.AUTHENTICATION - 1);
         config.register(JerseyAuthenticationWeakenerProvider.class, Priorities.AUTHENTICATION - 2);
 
@@ -462,7 +463,6 @@ protected void configure() {
             // need to lazily access the auditor in case it is changed later.
             bindFactory(new JerseyAuditorBridgeFactory()).to(Auditor.class);
         }
-
     }
 
     /**
@@ -479,7 +479,5 @@ public Auditor provide() {
         public void dispose(Auditor instance) {
             // nothing to do
         }
-
     }
-
 }

jersey/src/testFixtures/java/io/bdeploy/jersey/TestServer.java

@@ -14,6 +14,7 @@
 import java.util.Set;
 import java.util.TreeMap;
 import java.util.concurrent.CompletionStage;
+import java.util.function.Predicate;
 import java.util.stream.Collectors;
 
 import javax.annotation.Priority;
@@ -77,6 +78,7 @@ public class TestServer
 
     private final Map<HttpHandlerRegistration, HttpHandler> handlers = new HashMap<>();
     private ServiceLocator rootLocator;
+    private Predicate<ApiAccessToken> tokenValidator;
     private Auditor auditor;
 
     private RemoteService service;
@@ -124,6 +126,10 @@ public char[] getStorePass() {
         return storePass;
     }
 
+    public void setTokenValidator(Predicate<ApiAccessToken> tokenValidator) {
+        this.tokenValidator = tokenValidator;
+    }
+
     public void setAuditor(Auditor auditor) {
         this.auditor = auditor;
         this.resources.add(auditor);
@@ -300,6 +306,9 @@ public void start() {
             resources.forEach(this.server::registerResource);
             registrations.forEach(this.server::register);
             wsApplications.forEach(this.server::registerWebsocketApplication);
+            if (tokenValidator != null) {
+                this.server.setTokenValidator(tokenValidator);
+            }
             if (auditor != null) {
                 this.server.setAuditor(auditor);
             }
@@ -317,7 +326,6 @@ public void close() {
             startup = null;
             server.close();
         }
-
     }
 
     @Provider
@@ -345,5 +353,4 @@ public void onReload(Container container) {
         public void onShutdown(Container container) {
         }
     }
-
 }

minion/src/main/java/io/bdeploy/minion/TokenValidator.java

@@ -0,0 +1,58 @@
+package io.bdeploy.minion;
+
+import java.util.Collection;
+import java.util.function.Predicate;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import io.bdeploy.common.security.ApiAccessToken;
+import io.bdeploy.common.security.ScopedPermission;
+import io.bdeploy.interfaces.UserInfo;
+import io.bdeploy.minion.user.UserDatabase;
+
+public class TokenValidator implements Predicate<ApiAccessToken> {
+
+    private static final Logger log = LoggerFactory.getLogger(TokenValidator.class);
+
+    private static Predicate<Collection<ScopedPermission>> isGlobalAdmin = perms -> perms.stream()
+            .anyMatch(p -> p.isGlobal() && p.permission == ScopedPermission.Permission.ADMIN);
+
+    private final UserDatabase userDatabase;
+
+    public TokenValidator(UserDatabase userDatabase) {
+        this.userDatabase = userDatabase;
+    }
+
+    @Override
+    public boolean test(ApiAccessToken api) {
+        if (api.isSystem()) {
+            return true;
+        }
+
+        String user = api.getIssuedTo();
+        UserInfo userInfo = userDatabase.getUser(user);
+
+        /*
+         * TODO This code allows tokens with invalid users as servers that have been initialized LONG ago will have those as
+         * master token. Changing this will invalidate these tokens (which are still around). Nevertheless this poses a
+         * security threat, so we should update the code and provide a migration.
+         */
+        if (userInfo == null) {
+            if (user.startsWith("[") && user.endsWith("]")) {
+                // on behalf of remote user (e.g. from central).
+                return true;
+            }
+            log.error("User not available: {}. Allowing to support legacy tokens.", user);
+            return true;
+        }
+
+        boolean tokenRequiresGlobalAdmin = isGlobalAdmin.test(api.getPermissions());
+        boolean userIsActiveGlobalAdmin = !userInfo.inactive && isGlobalAdmin.test(userInfo.permissions);
+        if (tokenRequiresGlobalAdmin && !userIsActiveGlobalAdmin) {
+            return false;
+        }
+
+        return userDatabase.isAuthenticationValid(userInfo);
+    }
+}

minion/src/main/java/io/bdeploy/minion/cli/StartTool.java

@@ -33,7 +33,6 @@
 import io.bdeploy.common.security.SecurityHelper;
 import io.bdeploy.common.util.PathHelper;
 import io.bdeploy.common.util.VersionHelper;
-import io.bdeploy.interfaces.UserInfo;
 import io.bdeploy.interfaces.descriptor.node.MultiNodeMasterFile;
 import io.bdeploy.interfaces.manifest.MinionManifest;
 import io.bdeploy.interfaces.manifest.managed.MasterProvider;
@@ -53,6 +52,7 @@
 import io.bdeploy.minion.ControllingMasterProvider;
 import io.bdeploy.minion.MinionRoot;
 import io.bdeploy.minion.MinionState;
+import io.bdeploy.minion.TokenValidator;
 import io.bdeploy.minion.api.v1.PublicProductValidationResourceImpl;
 import io.bdeploy.minion.api.v1.PublicRootResourceImpl;
 import io.bdeploy.minion.cli.StartTool.MasterConfig;
@@ -244,24 +244,7 @@ private void setupServerNode(MasterConfig config, MinionRoot r, JerseyServer srv
     }
 
     private void setupServerMaster(MasterConfig config, MinionRoot r, JerseyServer srv, BHiveRegistry reg) {
-        srv.setUserValidator(user -> {
-            UserInfo info = r.getUsers().getUser(user);
-
-            /*
-             * TODO This code allows tokens with invalid users as servers that have been initialized LONG ago will have those as
-             * master token. Changing this will invalidate these tokens (which are still around). Nevertheless this poses a
-             * security threat, so we should update the code and provide a migration.
-             */
-            if (info == null) {
-                if (user.startsWith("[") && user.endsWith("]")) {
-                    // on behalf of remote user (e.g. from central).
-                    return true;
-                }
-                log.error("User not available: {}. Allowing to support legacy tokens.", user);
-                return true;
-            }
-            return r.getUsers().isAuthenticationValid(info);
-        });
+        srv.setTokenValidator(new TokenValidator(r.getUsers()));
         registerMasterResources(srv, reg, config.publishWebapp(), r, r.createPluginManager(srv), getAuditorFactory(),
                 r.isInitialConnectionCheckFailed());
 
@@ -400,5 +383,4 @@ protected void configure() {
             bind(new TaskSynchronizer()).to(TaskSynchronizer.class);
         }
     }
-
 }

minion/src/test/java/io/bdeploy/minion/TestMinion.java

@@ -50,12 +50,14 @@ public class TestMinion extends TestServer {
 
     @FunctionalInterface
     public interface MultiNodeCompletion {
+
         public void complete(MultiNodeMasterFile master);
     }
 
     @Retention(RetentionPolicy.RUNTIME)
     @Target(ElementType.PARAMETER)
     public @interface MultiNodeMaster {
+
         public String value();
     }
 
@@ -119,6 +121,7 @@ public void beforeEach(ExtensionContext context) throws Exception {
         String userName = "Test";
         UserDatabase userDb = cmr.mr.getUsers();
         userDb.createLocalUser(userName, "TheTestPassword", Collections.singletonList(ApiAccessToken.ADMIN_PERMISSION));
+        setTokenValidator(new TokenValidator(userDb));
 
         serverStore = SecurityHelper.getInstance().loadPrivateKeyStore(state.keystorePath, state.keystorePass);
         storePass = state.keystorePass;
@@ -147,7 +150,7 @@ public void beforeTestExecution(ExtensionContext context) {
         CloseableMinionRoot cmr = getExtensionStore(context).get(CloseableMinionRoot.class, CloseableMinionRoot.class);
 
         // in case of MULTI_RUNTIME we need to complete startup later.
-        if(nodeType != MinionNodeType.MULTI_RUNTIME) {
+        if (nodeType != MinionNodeType.MULTI_RUNTIME) {
             super.afterStartup().thenRun(() -> cmr.mr.afterStartup(true, false));
         }
     }
@@ -203,11 +206,11 @@ public boolean supportsParameter(ParameterContext parameterContext, ExtensionCon
             return true;
         }
 
-        if(parameterContext.getParameter().getType().isAssignableFrom(MultiNodeCompletion.class)) {
+        if (parameterContext.getParameter().getType().isAssignableFrom(MultiNodeCompletion.class)) {
             return mode == MinionMode.NODE && nodeType == MinionNodeType.MULTI_RUNTIME;
         }
 
-        if(parameterContext.isAnnotated(MultiNodeMaster.class)) {
+        if (parameterContext.isAnnotated(MultiNodeMaster.class)) {
             return mode == MinionMode.MANAGED || mode == MinionMode.STANDALONE;
         }
 
@@ -229,18 +232,21 @@ public Object resolveParameter(ParameterContext parameterContext, ExtensionConte
             return authPack;
         }
 
-        if(parameterContext.getParameter().getType().isAssignableFrom(MultiNodeCompletion.class)) {
-            CloseableMinionRoot cmr = getExtensionStore(extensionContext).get(CloseableMinionRoot.class, CloseableMinionRoot.class);
+        if (parameterContext.getParameter().getType().isAssignableFrom(MultiNodeCompletion.class)) {
+            CloseableMinionRoot cmr = getExtensionStore(extensionContext).get(CloseableMinionRoot.class,
+                    CloseableMinionRoot.class);
             MinionDto self = new MinionManifest(cmr.mr.getHive()).read().getMinion(cmr.mr.getState().self);
 
             return (MultiNodeCompletion) (master) -> {
                 MultiNodeRegistration.register(cmr.mr, mode.name() + "-multi-" + disambiguation, self, master);
             };
         }
 
-        if(parameterContext.isAnnotated(MultiNodeMaster.class)) {
+        if (parameterContext.isAnnotated(MultiNodeMaster.class)) {
             var x = parameterContext.getParameter().getAnnotationsByType(MultiNodeMaster.class);
-            return createMasterFile(getExtensionStore(extensionContext).get(CloseableMinionRoot.class, CloseableMinionRoot.class).mr, x[0].value());
+            return createMasterFile(
+                    getExtensionStore(extensionContext).get(CloseableMinionRoot.class, CloseableMinionRoot.class).mr,
+                    x[0].value());
         }
 
         return super.resolveParameter(parameterContext, extensionContext);
@@ -271,5 +277,4 @@ public void close() {
         }
 
     }
-
 }

minion/src/test/java/io/bdeploy/minion/cli/UserManagementCliTest.java

@@ -67,12 +67,28 @@ void testUserCreationAndPermissionManagement(RemoteService remote) {
         admin2data = getUserRowByName(remote, admin2Username);
         assertEquals("[]", admin2data.get("Permissions"));
 
+        // Check if the token actually lost administrative power
+        assertThrows(NotAuthorizedException.class, () -> remote(admin2Remote, RemoteUserTool.class, "--list"));
+
         // Promote the permission of the user
         remote(remote, RemoteUserTool.class, "--update=" + userUsername, "--permission=ADMIN");
 
         // Check if the permission actually got added
         userData = getUserRowByName(remote, userUsername);
         assertEquals("[ADMIN (<<GLOBAL>>)]", userData.get("Permissions"));
+
+        // Check if the token actually gained administrative power
+        assertDoesNotThrow(() -> remote(userRemote, RemoteUserTool.class, "--list"));
+
+        // Set the user to inactive
+        remote(remote, RemoteUserTool.class, "--update=" + userUsername, "--inactive=true");
+
+        // Check if the user actually got set to inactive
+        userData = getUserRowByName(remote, userUsername);
+        assertEquals("*", userData.get("Inact"));
+
+        // Check if the token actually lost administrative power
+        assertThrows(NotAuthorizedException.class, () -> remote(userRemote, RemoteUserTool.class, "--list"));
     }
 
     private StructuredOutputRow getUserRowByName(RemoteService remote, String username) {

minion/src/test/java/io/bdeploy/minion/ui/AuthResourceTest.java

@@ -44,6 +44,7 @@ void testAuth(AuthResource auth, TestMinion backend) throws GeneralSecurityExcep
     void testCurrentUserDataUpdateLogic(AuthResource auth) {
         UserInfo userInfo = auth.getCurrentUser();
         UserInfo newUserInfo = new UserInfo(userInfo.name);
+        newUserInfo.permissions.addAll(userInfo.permissions);
 
         newUserInfo.fullName = "Ash Ketchum";
         newUserInfo.email = "pikachu@thundershock.pkm";