AsAdminAspect.java

/**
 * Copyright 2014 Global Crop Diversity Trust
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 **/

package org.genesys.server.component.aspect;

import java.util.Arrays;

import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.genesys.blocks.security.service.BasicUserService;
import org.genesys.server.model.UserRole;
import org.genesys.server.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.stereotype.Component;

import lombok.extern.slf4j.Slf4j;

@Aspect
@Component
@Slf4j
public class AsAdminAspect {

	@Autowired
	private UserService userService;

	// Our copy of the SYS_ADMIN account
	private static Authentication SYS_ADMIN = null;

	@Around("org.genesys.server.component.aspect.SystemArchitecture.allServices()" + " && @annotation(org.genesys.server.component.aspect.AsAdmin)")
	public Object authenticateAsAdmin(ProceedingJoinPoint pjp) throws Throwable {

		Authentication adminAuthorization = getSystemAdminAccount();

		// store previous version of auth (if any exists)
		final Authentication prevAuth = SecurityContextHolder.getContext().getAuthentication();
		boolean swapped = false;

		if (prevAuth == null
				// or is not admin
				|| ! prevAuth.getAuthorities().contains(UserRole.ADMINISTRATOR)
				// or not already SYS_ADMIN
				|| !prevAuth.getName().equals(adminAuthorization.getName())) {

			log.info("Granting ADMIN privileges");
			swapped = true;

			// set new role with admin capabilities
			SecurityContextHolder.getContext().setAuthentication(adminAuthorization);
		}

		try {
			// invoke actual code
			return pjp.proceed();
		} finally {
			if (swapped) {
				log.info("Revoking ADMIN privileges");
				SecurityContextHolder.getContext().setAuthentication(prevAuth);
			}
		}
	}

	public synchronized Authentication getSystemAdminAccount() {
		if (SYS_ADMIN == null) {
			log.warn("SYS_ADMIN not loaded. Loading now.");
			final UserDetails sysUser = userService.loadUserByUsername(BasicUserService.SYSTEM_ADMIN);

			if (sysUser == null) {
				log.warn("Temporary SYS_ADMIN account is being used.");
				return new PreAuthenticatedAuthenticationToken("SYS_ADMIN", null, Arrays.asList(new SimpleGrantedAuthority(UserRole.ADMINISTRATOR.getAuthority())));
			} else {
				log.warn("Got SYS_ADMIN account: {} with roles={}", sysUser, sysUser.getAuthorities());
				SYS_ADMIN = new PreAuthenticatedAuthenticationToken(sysUser, null, sysUser.getAuthorities());
			}
		}

		return SYS_ADMIN;
	}

}