chore: only allow access to the `autograde-users` group at EPFL

NOTE: This is not the most optimal design as it is very much adapted to EPFL's structure. We will try to generalise the design later

chore: only allow access to the `autograde-users` group at EPFL
bc7f8ce9 · Hamza Remmal · c7c32aa8 · bc7f8ce9 · bc7f8ce9 · bc7f8ce9
Unverified Commit bc7f8ce9 authored 6 months ago by Hamza Remmal
--- a/autograde-service/src/main/java/ch/epfl/autograde/auth/AutogradeAuthorities.java
+++ b/autograde-service/src/main/java/ch/epfl/autograde/auth/AutogradeAuthorities.java
+package ch.epfl.autograde.auth;
+import lombok.RequiredArgsConstructor;
+import org.springframework.security.core.GrantedAuthority;
+@RequiredArgsConstructor
+public enum AutogradeAuthorities implements GrantedAuthority {
+    SYSTEM_ACCESS("system:access");
+    // ==============================================================
+    private final String authority;
+    @Override
+    public java.lang.String getAuthority() {
+        return authority;
+    }
+}
--- a/autograde-service/src/main/java/ch/epfl/autograde/auth/ldap/EPFLAuthoritiesPopulator.java
+++ b/autograde-service/src/main/java/ch/epfl/autograde/auth/ldap/EPFLAuthoritiesPopulator.java
+package ch.epfl.autograde.auth.ldap;
+import ch.epfl.autograde.auth.AutogradeAuthorities;
+import ch.epfl.autograde.properties.AutogradeAuthConfig;
+import lombok.RequiredArgsConstructor;
+import org.springframework.ldap.core.DirContextOperations;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.ldap.userdetails.LdapAuthoritiesPopulator;
+import org.springframework.stereotype.Component;
+import java.util.Collection;
+import java.util.List;
+import static java.util.Objects.nonNull;
+@RequiredArgsConstructor
+@Component
+public final class EPFLAuthoritiesPopulator implements LdapAuthoritiesPopulator {
+    private final AutogradeAuthConfig config;
+    @Override
+    public Collection<? extends GrantedAuthority> getGrantedAuthorities(DirContextOperations userData, String username) {
+        final var groups = userData.getAttributes().get("memberof");
+        if (nonNull(groups) && groups.contains(config.ldap().group()))
+            return List.of(AutogradeAuthorities.SYSTEM_ACCESS);
+        else
+            return List.of();
+    }
+}
--- a/autograde-service/src/main/java/ch/epfl/autograde/config/SecurityConfig.java
+++ b/autograde-service/src/main/java/ch/epfl/autograde/config/SecurityConfig.java
 package ch.epfl.autograde.config;
+import ch.epfl.autograde.auth.AutogradeAuthorities;
+import ch.epfl.autograde.auth.ldap.EPFLAuthoritiesPopulator;
 import ch.epfl.autograde.auth.token.ShareSecretAuthenticationProvider;
 import ch.epfl.autograde.auth.token.SharedSecretConfigurer;
 import ch.epfl.autograde.properties.AutogradeAuthConfig;
@@ -102,7 +104,7 @@ public class SecurityConfig {
                .formLogin(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(auth -> {
                    auth.requestMatchers("/error", "/css/error-pages.css").permitAll();
-                    auth.anyRequest().fullyAuthenticated();
+                    auth.anyRequest().hasAuthority(AutogradeAuthorities.SYSTEM_ACCESS.getAuthority());
                })
                .build();
    }
@@ -113,10 +115,11 @@ public class SecurityConfig {
    @Bean
-    protected AuthenticationManager ldapAuthenticationManager(BaseLdapPathContextSource contextSource, AutogradeAuthConfig config) {
+    protected AuthenticationManager ldapAuthenticationManager(BaseLdapPathContextSource contextSource, AutogradeAuthConfig config, EPFLAuthoritiesPopulator populator) {
 	    final var factory = new LdapBindAuthenticationManagerFactory(contextSource);
        factory.setUserSearchBase(config.ldap().userSearchBase());
 	    factory.setUserSearchFilter(config.ldap().userSearchFilter());
+        factory.setLdapAuthoritiesPopulator(populator);
 	    return factory.createAuthenticationManager();
    }

--- a/autograde-service/src/main/java/ch/epfl/autograde/properties/AutogradeAPIConfig.java
+++ b/autograde-service/src/main/java/ch/epfl/autograde/properties/AutogradeAPIConfig.java
-package ch.epfl.autograde.properties;
-import org.springframework.boot.context.properties.ConfigurationProperties;
-/**
- * test
- * @param key tst
- * @param integritySecret
- */
-@ConfigurationProperties(prefix = "autograde.api")
-public record AutogradeAPIConfig (
-        String key,
-        String integritySecret
-){}
--- a/autograde-service/src/main/java/ch/epfl/autograde/properties/AutogradeAuthConfig.java
+++ b/autograde-service/src/main/java/ch/epfl/autograde/properties/AutogradeAuthConfig.java
@@ -14,6 +14,7 @@ public record AutogradeAuthConfig(
    public record AutogradeLDAPConfig(boolean enabled,
                                      String source,
                                      String userSearchBase,
-                                      String userSearchFilter) {}
+                                      String userSearchFilter,
+                                      String group) {}
 }
--- a/autograde-service/src/main/resources/application.yaml
+++ b/autograde-service/src/main/resources/application.yaml
@@ -35,6 +35,7 @@ autograde:
      source: ldaps://ldap.epfl.ch
      user-search-base: o=epfl,c=ch
      user-search-filter: (uid={0})
+      group: autograde-users
  moodle:
    base-url: http://moodle:80
    token: ???