Move AuthenticatedRegistrarAccessor to request/auth/

It is starting to be used in more places than just ur/server/registrar. Even now it's used in the RDAP, and we are going to start using it for the registrar-xhr endpoint meaning it will be used in EPP flows as well. Also logically - this is part of the request authentication. While moving - we also refactor it to make it easier to use in tests. Instead of mocking, we will be able to create instances with arbitrary roles. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=221645055
2025-05-29 08:50:09 +02:00 · 2018-11-15 10:19:02 -08:00 · 2018-11-15 10:19:02 -08:00 · 6586460f3e
commit 6586460f3e
parent b317aab22f
15 changed files with 173 additions and 159 deletions
--- a/java/google/registry/rdap/RdapActionBase.java
+++ b/java/google/registry/rdap/RdapActionBase.java
@ -47,8 +47,8 @@ import google.registry.request.RequestMethod;
 import google.registry.request.RequestPath;
 import google.registry.request.Response;
 import google.registry.request.auth.AuthResult;
+import google.registry.request.auth.AuthenticatedRegistrarAccessor;
 import google.registry.request.auth.UserAuthInfo;
-import google.registry.ui.server.registrar.AuthenticatedRegistrarAccessor;
 import google.registry.util.Clock;
 import java.io.IOException;
 import java.net.URI;
--- a/java/google/registry/request/HttpException.java
+++ b/java/google/registry/request/HttpException.java
@ -115,6 +115,10 @@ public abstract class HttpException extends RuntimeException {
      super(HttpServletResponse.SC_FORBIDDEN, message, null);
    }

+    public ForbiddenException(String message, Exception cause) {
+      super(HttpServletResponse.SC_FORBIDDEN, message, cause);
+    }
+
    @Override
    public String getResponseCodeString() {
      return "Forbidden";
--- a/java/google/registry/ui/server/registrar/AuthenticatedRegistrarAccessor.java
+++ b/java/google/registry/ui/server/registrar/AuthenticatedRegistrarAccessor.java
@ -12,8 +12,10 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.

-package google.registry.ui.server.registrar;
+package google.registry.request.auth;

+import static com.google.common.base.MoreObjects.toStringHelper;
+import static com.google.common.base.Preconditions.checkNotNull;
 import static google.registry.model.ofy.ObjectifyService.ofy;

 import com.google.appengine.api.users.User;
@ -27,19 +29,16 @@ import google.registry.config.RegistryConfig.Config;
 import google.registry.groups.GroupsConnection;
 import google.registry.model.registrar.Registrar;
 import google.registry.model.registrar.RegistrarContact;
-import google.registry.request.HttpException.ForbiddenException;
-import google.registry.request.auth.AuthResult;
-import google.registry.request.auth.UserAuthInfo;
 import javax.annotation.concurrent.Immutable;
 import javax.inject.Inject;

 /**
 * Allows access only to {@link Registrar}s the current user has access to.
 *
- * <p>A user has OWNER role on a Registrar if there exists a {@link RegistrarContact} with
- * that user's gaeId and the registrar as a parent.
+ * <p>A user has OWNER role on a Registrar if there exists a {@link RegistrarContact} with that
+ * user's gaeId and the registrar as a parent.
 *
- * <p>An admin has in addition OWNER role on {@link #registryAdminClientId}.
+ * <p>An admin has in addition OWNER role on {@code #registryAdminClientId}.
 *
 * <p>An admin also has ADMIN role on ALL registrars.
 */
@ -54,13 +53,14 @@ public class AuthenticatedRegistrarAccessor {
    ADMIN
  }

-  AuthResult authResult;
-  String registryAdminClientId;
+  private final String userIdForLogging;

  /**
   * Gives all roles a user has for a given clientId.
   *
   * <p>The order is significant, with "more specific to this user" coming first.
+   *
+   * <p>Logged out users have an empty roleMap.
   */
  private final ImmutableSetMultimap<String, Role> roleMap;

@ -89,28 +89,42 @@ public class AuthenticatedRegistrarAccessor {
        overrideGroupsConnection != null ? overrideGroupsConnection : groupsConnection.get());
  }

+  @VisibleForTesting
  AuthenticatedRegistrarAccessor(
      AuthResult authResult,
-      @Config("registryAdminClientId") String registryAdminClientId,
-      @Config("gSuiteSupportGroupEmailAddress") String gSuiteSupportGroupEmailAddress,
+      String registryAdminClientId,
+      String gSuiteSupportGroupEmailAddress,
      GroupsConnection groupsConnection) {
-    this.authResult = authResult;
-    this.registryAdminClientId = registryAdminClientId;
-    this.roleMap =
+    this(
+        authResult.userIdForLogging(),
        createRoleMap(
-            authResult,
-            registryAdminClientId,
-            groupsConnection,
-            gSuiteSupportGroupEmailAddress);
+            authResult, registryAdminClientId, groupsConnection, gSuiteSupportGroupEmailAddress));

    logger.atInfo().log(
        "%s has the following roles: %s", authResult.userIdForLogging(), roleMap);
  }

+  private AuthenticatedRegistrarAccessor(
+      String userIdForLogging, ImmutableSetMultimap<String, Role> roleMap) {
+    this.userIdForLogging = checkNotNull(userIdForLogging);
+    this.roleMap = checkNotNull(roleMap);
+  }
+
+  /**
+   * Creates a "logged-in user" accessor with a given role map, used for tests.
+   *
+   * <p>The user's "name" in logs and exception messages is "TestUserId".
+   */
+  @VisibleForTesting
+  public static AuthenticatedRegistrarAccessor createForTesting(
+      ImmutableSetMultimap<String, Role> roleMap) {
+    return new AuthenticatedRegistrarAccessor("TestUserId", roleMap);
+  }
+
  /**
   * A map that gives all roles a user has for a given clientId.
   *
-   * <p>Throws a {@link ForbiddenException} if the user is not logged in.
+   * <p>Throws a {@link RegistrarAccessDeniedException} if the user is not logged in.
   *
   * <p>The result is ordered starting from "most specific to this user".
   *
@ -129,7 +143,7 @@ public class AuthenticatedRegistrarAccessor {
  /**
   * "Guesses" which client ID the user wants from all those they have access to.
   *
-   * <p>If no such ClientIds exist, throws a ForbiddenException.
+   * <p>If no such ClientIds exist, throws a RegistrarAccessDeniedException.
   *
   * <p>This should be the ClientId "most likely wanted by the user".
   *
@ -141,56 +155,59 @@ public class AuthenticatedRegistrarAccessor {
   * other clue as to the requested {@code clientId}. It is perfectly OK to get a {@code clientId}
   * from any other source, as long as the registrar is then loaded using {@link #getRegistrar}.
   */
-  public String guessClientId() {
-    verifyLoggedIn();
+  public String guessClientId() throws RegistrarAccessDeniedException {
    return getAllClientIdWithRoles().keySet().stream()
        .findFirst()
        .orElseThrow(
            () ->
-                new ForbiddenException(
-                    String.format(
-                        "%s isn't associated with any registrar",
-                        authResult.userIdForLogging())));
+                new RegistrarAccessDeniedException(
+                    String.format("%s isn't associated with any registrar", userIdForLogging)));
  }

  /**
   * Loads a Registrar IFF the user is authorized.
   *
-   * <p>Throws a {@link ForbiddenException} if the user is not logged in, or not authorized to
-   * access the requested registrar.
+   * <p>Throws a {@link RegistrarAccessDeniedException} if the user is not logged in, or not
+   * authorized to access the requested registrar.
   *
   * @param clientId ID of the registrar we request
   */
-  public Registrar getRegistrar(String clientId) {
-    verifyLoggedIn();
-
-    ImmutableSet<Role> roles = getAllClientIdWithRoles().get(clientId);
-
-    if (roles.isEmpty()) {
-      throw new ForbiddenException(
-          String.format(
-              "%s doesn't have access to registrar %s",
-              authResult.userIdForLogging(), clientId));
-    }
+  public Registrar getRegistrar(String clientId) throws RegistrarAccessDeniedException {
+    verifyAccess(clientId);

    Registrar registrar =
        Registrar.loadByClientId(clientId)
            .orElseThrow(
-                () -> new ForbiddenException(String.format("Registrar %s not found", clientId)));
+                () ->
+                    new RegistrarAccessDeniedException(
+                        String.format("Registrar %s not found", clientId)));

    if (!clientId.equals(registrar.getClientId())) {
      logger.atSevere().log(
          "registrarLoader.apply(clientId) returned a Registrar with a different clientId. "
              + "Requested: %s, returned: %s.",
          clientId, registrar.getClientId());
-      throw new ForbiddenException("Internal error - please check logs");
+      throw new RegistrarAccessDeniedException("Internal error - please check logs");
    }

-    logger.atInfo().log(
-        "%s has %s access to registrar %s.", authResult.userIdForLogging(), roles, clientId);
    return registrar;
  }

+  public void verifyAccess(String clientId) throws RegistrarAccessDeniedException {
+    ImmutableSet<Role> roles = getAllClientIdWithRoles().get(clientId);
+
+    if (roles.isEmpty()) {
+      throw new RegistrarAccessDeniedException(
+          String.format("%s doesn't have access to registrar %s", userIdForLogging, clientId));
+    }
+    logger.atInfo().log("%s has %s access to registrar %s.", userIdForLogging, roles, clientId);
+  }
+
+  @Override
+  public String toString() {
+    return toStringHelper(getClass()).add("authResult", userIdForLogging).toString();
+  }
+
  private static boolean checkIsSupport(
      GroupsConnection groupsConnection, String userEmail, String supportEmail) {
    if (Strings.isNullOrEmpty(supportEmail)) {
@ -246,9 +263,10 @@ public class AuthenticatedRegistrarAccessor {
    return builder.build();
  }

-  private void verifyLoggedIn() {
-    if (!authResult.userAuthInfo().isPresent()) {
-      throw new ForbiddenException("Not logged in");
+  /** Exception thrown when the current user doesn't have access to the requested Registrar. */
+  public static class RegistrarAccessDeniedException extends Exception {
+    RegistrarAccessDeniedException(String message) {
+      super(message);
    }
  }
 }
--- a/java/google/registry/request/auth/BUILD
+++ b/java/google/registry/request/auth/BUILD
@ -9,6 +9,8 @@ java_library(
    srcs = glob(["*.java"]),
    deps = [
        "//java/google/registry/config",
+        "//java/google/registry/groups",
+        "//java/google/registry/model",
        "//java/google/registry/security",
        "@com_google_appengine_api_1_0_sdk",
        "@com_google_auto_value",
--- a/java/google/registry/ui/server/registrar/BUILD
+++ b/java/google/registry/ui/server/registrar/BUILD
@ -15,7 +15,6 @@ java_library(
        "//java/google/registry/config",
        "//java/google/registry/export/sheet",
        "//java/google/registry/flows",
-        "//java/google/registry/groups",
        "//java/google/registry/model",
        "//java/google/registry/request",
        "//java/google/registry/request/auth",
--- a/java/google/registry/ui/server/registrar/ConsoleUiAction.java
+++ b/java/google/registry/ui/server/registrar/ConsoleUiAction.java
@ -16,7 +16,7 @@ package google.registry.ui.server.registrar;

 import static com.google.common.net.HttpHeaders.LOCATION;
 import static com.google.common.net.HttpHeaders.X_FRAME_OPTIONS;
-import static google.registry.ui.server.registrar.AuthenticatedRegistrarAccessor.Role.ADMIN;
+import static google.registry.request.auth.AuthenticatedRegistrarAccessor.Role.ADMIN;
 import static google.registry.ui.server.registrar.RegistrarConsoleModule.PARAM_CLIENT_ID;
 import static javax.servlet.http.HttpServletResponse.SC_FORBIDDEN;
 import static javax.servlet.http.HttpServletResponse.SC_MOVED_TEMPORARILY;
@ -36,14 +36,15 @@ import com.google.template.soy.tofu.SoyTofu;
 import google.registry.config.RegistryConfig.Config;
 import google.registry.model.registrar.Registrar;
 import google.registry.request.Action;
-import google.registry.request.HttpException.ForbiddenException;
 import google.registry.request.Parameter;
 import google.registry.request.Response;
 import google.registry.request.auth.Auth;
 import google.registry.request.auth.AuthResult;
+import google.registry.request.auth.AuthenticatedRegistrarAccessor;
+import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException;
+import google.registry.request.auth.AuthenticatedRegistrarAccessor.Role;
 import google.registry.security.XsrfTokenManager;
 import google.registry.ui.server.SoyTemplateUtils;
-import google.registry.ui.server.registrar.AuthenticatedRegistrarAccessor.Role;
 import google.registry.ui.soy.registrar.ConsoleSoyInfo;
 import java.util.Optional;
 import javax.inject.Inject;
@ -151,7 +152,7 @@ public final class ConsoleUiAction implements Runnable {
      // because the requests come from the browser, and can easily be faked)
      Registrar registrar = registrarAccessor.getRegistrar(clientId);
      data.put("requireFeeExtension", registrar.getPremiumPriceAckRequired());
-    } catch (ForbiddenException e) {
+    } catch (RegistrarAccessDeniedException e) {
      logger.atWarning().withCause(e).log(
          "User %s doesn't have access to registrar console.", authResult.userIdForLogging());
      response.setStatus(SC_FORBIDDEN);
--- a/java/google/registry/ui/server/registrar/RegistrarConsoleMetrics.java
+++ b/java/google/registry/ui/server/registrar/RegistrarConsoleMetrics.java
@ -18,7 +18,7 @@ import com.google.common.collect.ImmutableSet;
 import com.google.monitoring.metrics.IncrementableMetric;
 import com.google.monitoring.metrics.LabelDescriptor;
 import com.google.monitoring.metrics.MetricRegistryImpl;
-import google.registry.ui.server.registrar.AuthenticatedRegistrarAccessor.Role;
+import google.registry.request.auth.AuthenticatedRegistrarAccessor.Role;
 import javax.inject.Inject;

 final class RegistrarConsoleMetrics {
--- a/java/google/registry/ui/server/registrar/RegistrarSettingsAction.java
+++ b/java/google/registry/ui/server/registrar/RegistrarSettingsAction.java
@ -42,11 +42,13 @@ import google.registry.request.HttpException.ForbiddenException;
 import google.registry.request.JsonActionRunner;
 import google.registry.request.auth.Auth;
 import google.registry.request.auth.AuthResult;
+import google.registry.request.auth.AuthenticatedRegistrarAccessor;
+import google.registry.request.auth.AuthenticatedRegistrarAccessor.RegistrarAccessDeniedException;
+import google.registry.request.auth.AuthenticatedRegistrarAccessor.Role;
 import google.registry.security.JsonResponseHelper;
 import google.registry.ui.forms.FormException;
 import google.registry.ui.forms.FormFieldException;
 import google.registry.ui.server.RegistrarFormFields;
-import google.registry.ui.server.registrar.AuthenticatedRegistrarAccessor.Role;
 import google.registry.util.AppEngineServiceUtils;
 import google.registry.util.CollectionUtils;
 import google.registry.util.DiffUtils;
@ -161,7 +163,11 @@ public class RegistrarSettingsAction implements Runnable, JsonActionRunner.JsonA
  }

  private RegistrarResult read(String clientId) {
-    return RegistrarResult.create("Success", registrarAccessor.getRegistrar(clientId));
+    try {
+      return RegistrarResult.create("Success", registrarAccessor.getRegistrar(clientId));
+    } catch (RegistrarAccessDeniedException e) {
+      throw new ForbiddenException(e.getMessage(), e);
+    }
  }

  private RegistrarResult update(final Map<String, ?> args, String clientId) {
@ -171,7 +177,12 @@ public class RegistrarSettingsAction implements Runnable, JsonActionRunner.JsonA
              // We load the registrar here rather than outside of the transaction - to make
              // sure we have the latest version. This one is loaded inside the transaction, so it's
              // guaranteed to not change before we update it.
-              Registrar registrar = registrarAccessor.getRegistrar(clientId);
+              Registrar registrar;
+              try {
+                registrar = registrarAccessor.getRegistrar(clientId);
+              } catch (RegistrarAccessDeniedException e) {
+                throw new ForbiddenException(e.getMessage(), e);
+              }
              // Verify that the registrar hasn't been changed.
              // To do that - we find the latest update time (or null if the registrar has been
              // deleted) and compare to the update time from the args. The update time in the args