fix: Current permissions -> PAK with no-auth mode (#2113)

tolgee · Jan 29, 2024 · 51e2251 · 51e2251
1 parent ae2906e
commit 51e2251
Show file tree

Hide file tree

Showing 6 changed files with 28 additions and 89 deletions.
diff --git a/backend/app/src/main/kotlin/io/tolgee/configuration/WebSecurityConfig.kt b/backend/app/src/main/kotlin/io/tolgee/configuration/WebSecurityConfig.kt
@@ -18,7 +18,6 @@ package io.tolgee.configuration
 
 import io.tolgee.component.ExceptionHandlerFilter
 import io.tolgee.component.TransferEncodingHeaderDebugFilter
-import io.tolgee.security.authentication.AuthenticationDisabledFilter
 import io.tolgee.security.authentication.AuthenticationFilter
 import io.tolgee.security.authentication.AuthenticationInterceptor
 import io.tolgee.security.authorization.OrganizationAuthorizationInterceptor
@@ -48,7 +47,6 @@ import org.springframework.web.servlet.config.annotation.WebMvcConfigurer
 @EnableWebSecurity
 class WebSecurityConfig(
   private val authenticationFilter: AuthenticationFilter,
-  private val authenticationDisabledFilter: AuthenticationDisabledFilter,
   private val globalIpRateLimitFilter: GlobalIpRateLimitFilter,
   private val globalUserRateLimitFilter: GlobalUserRateLimitFilter,
   private val rateLimitInterceptor: RateLimitInterceptor,
@@ -66,7 +64,6 @@ class WebSecurityConfig(
       .sessionManagement { it.sessionCreationPolicy(SessionCreationPolicy.STATELESS) }
       .addFilterBefore(exceptionHandlerFilter, UsernamePasswordAuthenticationFilter::class.java)
       .addFilterBefore(authenticationFilter, UsernamePasswordAuthenticationFilter::class.java)
-      .addFilterBefore(authenticationDisabledFilter, UsernamePasswordAuthenticationFilter::class.java)
       .addFilterBefore(globalUserRateLimitFilter, UsernamePasswordAuthenticationFilter::class.java)
       .addFilterBefore(globalIpRateLimitFilter, UsernamePasswordAuthenticationFilter::class.java)
       .authorizeHttpRequests {

diff --git a/backend/security/src/main/kotlin/io/tolgee/security/SecurityFilterConfiguration.kt b/backend/security/src/main/kotlin/io/tolgee/security/SecurityFilterConfiguration.kt
@@ -16,7 +16,6 @@
 
 package io.tolgee.security
 
-import io.tolgee.security.authentication.AuthenticationDisabledFilter
 import io.tolgee.security.authentication.AuthenticationFilter
 import io.tolgee.security.ratelimit.GlobalIpRateLimitFilter
 import io.tolgee.security.ratelimit.GlobalUserRateLimitFilter
@@ -33,13 +32,6 @@ class SecurityFilterConfiguration {
     return registration
   }
 
-  @Bean("filterRegistrationAuthDisabled")
-  fun authenticationDisabledFilter(filter: AuthenticationDisabledFilter): FilterRegistrationBean<*> {
-    val registration = FilterRegistrationBean(filter)
-    registration.isEnabled = false
-    return registration
-  }
-
   @Bean("filterRegistrationGlobalIpRateLimit")
   fun globalIpRateLimitFilter(filter: GlobalIpRateLimitFilter): FilterRegistrationBean<*> {
     val registration = FilterRegistrationBean(filter)

diff --git a/...ecurity/src/main/kotlin/io/tolgee/security/authentication/AuthenticationDisabledFilter.kt b/...ecurity/src/main/kotlin/io/tolgee/security/authentication/AuthenticationDisabledFilter.kt
diff --git a/backend/security/src/main/kotlin/io/tolgee/security/authentication/AuthenticationFilter.kt b/backend/security/src/main/kotlin/io/tolgee/security/authentication/AuthenticationFilter.kt
@@ -19,6 +19,7 @@ package io.tolgee.security.authentication
 import io.tolgee.component.CurrentDateProvider
 import io.tolgee.configuration.tolgee.AuthenticationProperties
 import io.tolgee.constants.Message
+import io.tolgee.dtos.cacheable.UserAccountDto
 import io.tolgee.exceptions.AuthenticationException
 import io.tolgee.security.PAT_PREFIX
 import io.tolgee.security.ratelimit.RateLimitService
@@ -66,7 +67,7 @@ class AuthenticationFilter(
   }
 
   override fun shouldNotFilter(request: HttpServletRequest): Boolean {
-    return !authenticationProperties.enabled || request.method == "OPTIONS"
+    return request.method == "OPTIONS"
   }
 
   private fun doAuthenticate(request: HttpServletRequest) {
@@ -91,6 +92,18 @@ class AuthenticationFilter(
       // Attempt PAK auth even if it doesn't have the prefix
       // Might be a legacy key
       pakAuth(apiKey)
+      return
+    }
+
+    // even if the authentication is disabled, they still might be using PAK for in-context editing,
+    // so we still need to try tho authenticate using API key, to have API key authentication in the security context
+    if (!authenticationProperties.enabled) {
+      SecurityContextHolder.getContext().authentication =
+        TolgeeAuthentication(
+          null,
+          initialUser,
+          TolgeeAuthenticationDetails(true),
+        )
     }
   }
 
@@ -143,4 +156,11 @@ class AuthenticationFilter(
         TolgeeAuthenticationDetails(false),
       )
   }
+
+  private val initialUser by lazy {
+    val account =
+      userAccountService.findInitialUser()
+        ?: throw IllegalStateException("Initial user does not exists")
+    UserAccountDto.fromEntity(account)
+  }
 }
diff --git a/...ity/src/test/kotlin/io/tolgee/security/authentication/AuthenticationDisabledFilterTest.kt b/...ity/src/test/kotlin/io/tolgee/security/authentication/AuthenticationDisabledFilterTest.kt
@@ -25,6 +25,8 @@ import org.junit.jupiter.api.BeforeEach
 import org.junit.jupiter.api.Test
 import org.junit.jupiter.api.assertDoesNotThrow
 import org.mockito.Mockito
+import org.mockito.Mockito.mock
+import org.mockito.kotlin.mock
 import org.springframework.mock.web.MockFilterChain
 import org.springframework.mock.web.MockHttpServletRequest
 import org.springframework.mock.web.MockHttpServletResponse
@@ -36,13 +38,14 @@ class AuthenticationDisabledFilterTest {
     const val TEST_INITIAL_USER_NAME = "admin"
   }
 
-  private val authProperties = Mockito.mock(AuthenticationProperties::class.java)
+  private val authProperties = mock(AuthenticationProperties::class.java)
 
-  private val userAccountService = Mockito.mock(UserAccountService::class.java)
+  private val userAccountService = mock(UserAccountService::class.java)
 
-  private val userAccount = Mockito.mock(UserAccount::class.java)
+  private val userAccount = mock(UserAccount::class.java)
 
-  private val authenticationDisabledFilter = AuthenticationDisabledFilter(authProperties, userAccountService)
+  private val authenticationDisabledFilter =
+    AuthenticationFilter(authProperties, mock(), mock(), mock(), userAccountService, mock(), mock())
 
   @BeforeEach
   fun setupMocksAndSecurityCtx() {

diff --git a/...nd/security/src/test/kotlin/io/tolgee/security/authentication/AuthenticationFilterTest.kt b/...nd/security/src/test/kotlin/io/tolgee/security/authentication/AuthenticationFilterTest.kt
@@ -173,19 +173,6 @@ class AuthenticationFilterTest {
     )
   }
 
-  @Test
-  fun `it does not filter when auth is disabled`() {
-    Mockito.`when`(authProperties.enabled).thenReturn(false)
-    val req = MockHttpServletRequest()
-    val res = MockHttpServletResponse()
-    val chain = MockFilterChain()
-
-    assertDoesNotThrow { authenticationFilter.doFilter(req, res, chain) }
-
-    val ctx = SecurityContextHolder.getContext()
-    assertThat(ctx.authentication).isNull()
-  }
-
   @Test
   fun `it allows request to go through with valid JWT token`() {
     val req = MockHttpServletRequest()