mirror of
https://github.com/google/nomulus.git
synced 2025-05-13 16:07:15 +02:00
Use AuthenticatedRegistrarAccessor in EppConsoleAction
EppConsoleAction still "manually" checks access by going over the RegistrarContacts. We need it to use AuthenticatedRegistrarAccessor just like every other part of the registrar console. We still need to remove the (now unneeded) login EPP sent by the console, but that's left for a followup CL. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=222404208
This commit is contained in:
guyben
jianglai
parent
eca3461dec
commit
5f283ebd09
15 changed files with 102 additions and 176 deletions
|
|
@ -15,98 +15,40 @@
|
|||
package google.registry.flows;
|
||||
|
||||
import static com.google.common.base.MoreObjects.toStringHelper;
|
||||
import static com.google.common.base.Strings.nullToEmpty;
|
||||
import static google.registry.util.PreconditionsUtils.checkArgumentNotNull;
|
||||
|
||||
import com.google.appengine.api.users.User;
|
||||
import com.google.appengine.api.users.UserService;
|
||||
import com.google.common.annotations.VisibleForTesting;
|
||||
import google.registry.flows.EppException.AuthenticationErrorException;
|
||||
import google.registry.model.registrar.Registrar;
|
||||
import google.registry.model.registrar.RegistrarContact;
|
||||
import javax.annotation.Nullable;
|
||||
import google.registry.request.auth.AuthenticatedRegistrarAccessor;
|
||||
import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException;
|
||||
|
||||
/** Credentials provided by {@link com.google.appengine.api.users.UserService}. */
|
||||
public class GaeUserCredentials implements TransportCredentials {
|
||||
|
||||
private final User gaeUser;
|
||||
private final Boolean isAdmin;
|
||||
private final AuthenticatedRegistrarAccessor registrarAccessor;
|
||||
|
||||
/**
|
||||
* Create an instance for the current user, as determined by {@code UserService}.
|
||||
*
|
||||
* <p>Note that the current user may be null (i.e. there is no logged in user).
|
||||
*/
|
||||
public static GaeUserCredentials forCurrentUser(UserService userService) {
|
||||
User user = userService.getCurrentUser();
|
||||
return new GaeUserCredentials(user, user != null ? userService.isUserAdmin() : null);
|
||||
}
|
||||
|
||||
/** Create an instance that represents an explicit user (for testing purposes). */
|
||||
@VisibleForTesting
|
||||
public static GaeUserCredentials forTestingUser(User gaeUser, Boolean isAdmin) {
|
||||
checkArgumentNotNull(gaeUser);
|
||||
checkArgumentNotNull(isAdmin);
|
||||
return new GaeUserCredentials(gaeUser, isAdmin);
|
||||
}
|
||||
|
||||
/** Create an instance that represents a non-logged in user (for testing purposes). */
|
||||
@VisibleForTesting
|
||||
public static GaeUserCredentials forLoggedOutUser() {
|
||||
return new GaeUserCredentials(null, null);
|
||||
}
|
||||
|
||||
private GaeUserCredentials(@Nullable User gaeUser, @Nullable Boolean isAdmin) {
|
||||
this.gaeUser = gaeUser;
|
||||
this.isAdmin = isAdmin;
|
||||
}
|
||||
|
||||
@VisibleForTesting
|
||||
User getUser() {
|
||||
return gaeUser;
|
||||
public GaeUserCredentials(AuthenticatedRegistrarAccessor registrarAccessor) {
|
||||
this.registrarAccessor = registrarAccessor;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void validate(Registrar registrar, String ignoredPassword)
|
||||
throws AuthenticationErrorException {
|
||||
if (gaeUser == null) {
|
||||
throw new UserNotLoggedInException();
|
||||
try {
|
||||
registrarAccessor.verifyAccess(registrar.getClientId());
|
||||
} catch (RegistrarAccessDeniedException e) {
|
||||
throw new UserForbiddenException(e);
|
||||
}
|
||||
// Allow admins to act as any registrar.
|
||||
if (Boolean.TRUE.equals(isAdmin)) {
|
||||
return;
|
||||
}
|
||||
// Check Registrar's contacts to see if any are associated with this gaeUserId.
|
||||
final String gaeUserId = gaeUser.getUserId();
|
||||
for (RegistrarContact rc : registrar.getContacts()) {
|
||||
if (gaeUserId.equals(rc.getGaeUserId())) {
|
||||
return;
|
||||
}
|
||||
}
|
||||
throw new BadGaeUserIdException(gaeUser);
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return toStringHelper(getClass())
|
||||
.add("gaeUser", gaeUser)
|
||||
.add("isAdmin", isAdmin)
|
||||
.toString();
|
||||
return toStringHelper(getClass()).add("user", registrarAccessor.userIdForLogging()).toString();
|
||||
}
|
||||
|
||||
/** User is not logged in as a GAE user. */
|
||||
public static class UserNotLoggedInException extends AuthenticationErrorException {
|
||||
public UserNotLoggedInException() {
|
||||
super("User is not logged in");
|
||||
}
|
||||
}
|
||||
|
||||
/** GAE user id is not allowed to login as requested registrar. */
|
||||
public static class BadGaeUserIdException extends AuthenticationErrorException {
|
||||
public BadGaeUserIdException(User user) {
|
||||
super(
|
||||
"User id is not allowed to login as requested registrar: "
|
||||
+ (nullToEmpty(user.getEmail())));
|
||||
/** GAE User can't access the requested registrar. */
|
||||
public static class UserForbiddenException extends AuthenticationErrorException {
|
||||
public UserForbiddenException(RegistrarAccessDeniedException e) {
|
||||
super(e.getMessage());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue