Course level authorization

closes #226 (closed)

Description

Add course level security for most important endpoints. This means that only users that have been added to a course will be able to view assignments and submission related to those courses.

Changes

Added a security service to most controllers. Using preauthorize SPeL statements works in production, however this is not testable for some reason (Spring cannot find a matching service name). The security service handles authorization requests, which have to be added to endpoints manually.

Additions

Added testing classes which can be used to test future controllers.

Test and Review

To be filled in by the reviewers

• All of the methods are commented to expectation

• The methods are tested to satisfaction

• There are no unnecessary files present in the MR

• The continuous integration has no problems with the MR

• The MR is filled in as requested (including labels, milestones, and reviewers)

• The documentation is up-to-date

• All nullable parameters are marked as such

core/src/main/java/nl/tudelft/ewi/auta/core/controller/AssignmentController.java

 package nl.tudelft.ewi.auta.core.controller;
 
-import java.net.URI;
-import java.net.URISyntaxException;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.stream.Collectors;
-
-import javax.servlet.http.HttpServletRequest;
-
 import nl.tudelft.ewi.auta.common.model.metric.MetricName;
 import nl.tudelft.ewi.auta.common.model.metric.MetricSettings;
+import nl.tudelft.ewi.auta.core.database.AssignmentRepository;
+import nl.tudelft.ewi.auta.core.model.Assignment;
+import nl.tudelft.ewi.auta.core.response.Response;
 import nl.tudelft.ewi.auta.core.response.exception.AssignmentAlreadyExistsException;
 import nl.tudelft.ewi.auta.core.response.exception.InvalidAssignmentNameException;
 import nl.tudelft.ewi.auta.core.response.exception.InvalidLanguageException;
@@ -20,15 +12,22 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.dao.DuplicateKeyException;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 
-import nl.tudelft.ewi.auta.core.database.AssignmentRepository;
-import nl.tudelft.ewi.auta.core.model.Assignment;
-import nl.tudelft.ewi.auta.core.response.Response;
+import javax.servlet.http.HttpServletRequest;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Collectors;
 
 /**
  * The controller handling requests related to assignmentStore.
@@ -44,13 +43,18 @@ public class AssignmentController extends ControllerBase {
      */
     private final AssignmentRepository assignmentStore;
 
+
+    private final CourseSecuredService securedService;
+
     /**
      * Creates a new assignment controller.
      *
      * @param assignmentStore the assignment repository
      */
-    public AssignmentController(final AssignmentRepository assignmentStore) {
+    public AssignmentController(final AssignmentRepository assignmentStore,
+                                final CourseSecuredService securedService) {
         this.assignmentStore = assignmentStore;
+        this.securedService = securedService;
     }
 
     /**
@@ -60,27 +64,31 @@ public class AssignmentController extends ControllerBase {
     @RequestMapping(value = "/api/v1/assignment", method = RequestMethod.GET)
     public ResponseEntity<Response> getAllAction(final HttpServletRequest req) {
         final var res = new Response();
-
-        final List<?> assignmentsList;
+        final List<Assignment> assignmentsList;
         if (req.getParameterMap().containsKey("include_deleted")) {
             assignmentsList = this.assignmentStore.findAll();
         } else {
             assignmentsList = this.assignmentStore.findAllActive();
         }
+        final var authentication = SecurityContextHolder.getContext().getAuthentication();
+        final var assignmentsWithAccess = assignmentsList.stream()
+                .filter(assignment ->
+                        this.securedService.userHasAssignmentAccess(authentication, assignment))
+                .collect(Collectors.toList());
 
-        res.put("assignments", assignmentsList);
+        res.put("assignments", assignmentsWithAccess);
         return ResponseEntity.ok(res);
     }
 
 
-        /**
-         * Creates a new assignment and adds it to the store.
-         * By default, no checks will be run if no static or dynamic checks are specified.
-         *
-         * @param req the request body
-         *
-         * @return the response
-         */
+    /**
+     * Creates a new assignment and adds it to the store.
+     * By default, no checks will be run if no static or dynamic checks are specified.
+     *
+     * @param req the request body
+     *
+     * @return the response
+     */
     @RequestMapping(value = "/api/v1/assignment", method = RequestMethod.POST)
     public ResponseEntity<Response> createAction(final @RequestBody Map<String, Object> req)
             throws URISyntaxException {
@@ -119,8 +127,8 @@ public class AssignmentController extends ControllerBase {
     @RequestMapping(value = "/api/v1/assignment/{id}", method = RequestMethod.GET)
     public ResponseEntity<Response> getAction(final @PathVariable String id) {
         final var res = new Response();
-
         final var assignment = this.assignmentStore.findExisting(id);
+        this.securedService.checkForAssignmentAccess(assignment);
 
         final var options = new HashMap<String, Object>();
         options.put("static", assignment.getMetricSettings());
@@ -134,6 +142,12 @@ public class AssignmentController extends ControllerBase {
         return ResponseEntity.ok(res);
     }
 
+    /**
+     * Updates an assignment.
+     *
+     * @param id the id of the assignment to update
+     * @return the response
+     */
     @RequestMapping(value = "/api/v1/assignment/{id}", method = RequestMethod.PUT)
     public ResponseEntity<Response> updateAction(
             final @PathVariable String id,
@@ -142,6 +156,7 @@ public class AssignmentController extends ControllerBase {
         final var res = new Response();
 
         var assignment = this.assignmentStore.findExisting(id);
+        this.securedService.checkForAssignmentAccess(assignment);
 
         this.populateFromRequest(req, assignment);
 
@@ -164,6 +179,7 @@ public class AssignmentController extends ControllerBase {
         final var res = new Response();
 
         var assignment = this.assignmentStore.findExisting(id);
+        this.securedService.checkForAssignmentAccess(assignment);
 
         assignment.setDeleted(true);