Always provide context for UserRestrictionException

Author: oharsta

server/src/main/java/invite/api/APITokenController.java

@@ -18,7 +18,13 @@
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.util.StringUtils;
 import org.springframework.validation.annotation.Validated;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
 
 import java.util.List;
 import java.util.Map;
@@ -73,10 +79,10 @@ public ResponseEntity<APIToken> create(@Validated @RequestBody APIToken apiToken
         UserPermissions.assertAuthority(user, Authority.INVITER);
         String token = (String) request.getSession().getAttribute(TOKEN_KEY);
         if (!StringUtils.hasText(token)) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("Token is NULL");
         }
         if (user.isSuperUser() && !StringUtils.hasText(apiTokenRequest.getOrganizationGUID())) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("Super user must specify API token OrganizationGUID");
         }
         APIToken apiToken;
         if (user.isSuperUser() || user.isInstitutionAdmin()) {
@@ -96,16 +102,17 @@ public ResponseEntity<APIToken> create(@Validated @RequestBody APIToken apiToken
     @DeleteMapping("/{id}")
     public ResponseEntity<Void> deleteToken(@PathVariable("id") Long id, @Parameter(hidden = true) User user) {
         LOG.debug(String.format("DELETE /tokens/deleteToken with id %s for user %s", id.toString(), user.getEduPersonPrincipalName()));
+
         UserPermissions.assertAuthority(user, Authority.INVITER);
         APIToken apiToken = apiTokenRepository.findById(id).orElseThrow(() -> new NotFoundException("API token not found"));
         if (apiToken.isSuperUserToken() && !user.isSuperUser()) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("Non super-user not allowed to delete super-user token: " + user.getEmail());
         }
         if (user.isInstitutionAdmin() && !apiToken.getOrganizationGUID().equals(user.getOrganizationGUID())) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("User not allowed to delete token for different organization: " + user.getEmail());
         }
         if (!user.isSuperUser() && !user.isInstitutionAdmin() && !Objects.equals(user.getId(), apiToken.getOwner().getId())) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("User not allowed to delete token for different owner: " + user.getEmail());
         }
         apiTokenRepository.delete(apiToken);
         return Results.deleteResult();

server/src/main/java/invite/api/RoleController.java

@@ -179,7 +179,7 @@ public ResponseEntity<List<Role>> rolesPerApplicationId(@PathVariable("manageId"
                     .collect(Collectors.toSet());
             applicationManageIdentifiers.addAll(roleManageIdentifiers);
             if (!applicationManageIdentifiers.contains(manageId)) {
-                throw new UserRestrictionException();
+                throw new UserRestrictionException(String.format("User %s has no access to manageID %s", user.getEmail(), manageId));
             }
             roles = roleRepository.findByOrganizationGUIDAndApplicationUsagesApplicationManageId(user.getOrganizationGUID(), manageId);
         }
@@ -194,7 +194,7 @@ public ResponseEntity<Role> newRole(@Validated @RequestBody RoleRequest roleRequ
         UserPermissions.assertAuthority(user, Authority.INSTITUTION_ADMIN);
         //For super_users we require an organization GUID from the input form
         if (user.isSuperUser() && !StringUtils.hasText(roleRequest.getOrganizationGUID())) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("Super users must specify an organizationGUID");
         }
         Role role = new Role(roleRequest);
         role.setOrganizationGUID(user.isSuperUser() ? roleRequest.getOrganizationGUID() : user.getOrganizationGUID());
@@ -244,7 +244,8 @@ public ResponseEntity<Void> deleteRole(@PathVariable("id") Long id,
 
         if (!user.isSuperUser() &&
                 !Objects.equals(user.getOrganizationGUID(), role.getOrganizationGUID())) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException(String.format("Non super user %s not allowd to delete role %s",
+                    user.getEmail(), role.getName()));
         }
 
         provisioningService.deleteGroupRequest(role);

server/src/main/java/invite/api/UserController.java

@@ -131,7 +131,8 @@ public ResponseEntity<User> details(@PathVariable("id") Long id, @Parameter(hidd
             //We need to ensure the institution admin has access to at least one of the roles
             boolean allowedByManage = roles.stream().anyMatch(role -> user.getOrganizationGUID().equals(role.getOrganizationGUID()));
             if (!allowedByManage) {
-                throw new UserRestrictionException();
+                throw new UserRestrictionException(String.format("User %s has no access to role %s",
+                        user.getEmail(), roles.stream().map(Role::getName).collect(Collectors.joining(", "))));
             }
         }
         return ResponseEntity.ok(other);

server/src/main/java/invite/api/UserRoleAuditController.java

@@ -3,21 +3,11 @@
 import invite.config.Config;
 import invite.exception.NotFoundException;
 import invite.exception.UserRestrictionException;
-import invite.logging.AccessLogger;
-import invite.logging.Event;
-import invite.manage.EntityType;
-import invite.model.Application;
-import invite.model.ApplicationUsage;
-import invite.model.Authority;
 import invite.model.Role;
-import invite.model.RoleRequest;
 import invite.model.User;
-import invite.model.UserRole;
 import invite.model.UserRoleAudit;
-import invite.provision.scim.GroupURN;
 import invite.repository.RoleRepository;
 import invite.repository.UserRoleAuditRepository;
-import invite.security.UserPermissions;
 import io.swagger.v3.oas.annotations.Parameter;
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import org.apache.commons.logging.Log;
@@ -29,38 +19,19 @@
 import org.springframework.data.domain.Sort;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
-import org.springframework.retry.annotation.Backoff;
-import org.springframework.retry.annotation.Retryable;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.util.StringUtils;
-import org.springframework.validation.annotation.Validated;
-import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.PostMapping;
-import org.springframework.web.bind.annotation.PutMapping;
-import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.net.URLDecoder;
-import java.nio.charset.Charset;
-import java.sql.SQLTransactionRollbackException;
-import java.util.ArrayList;
-import java.util.Collection;
 import java.util.List;
 import java.util.Map;
-import java.util.Objects;
-import java.util.Optional;
-import java.util.Set;
-import java.util.UUID;
-import java.util.stream.Collectors;
 
 import static invite.SwaggerOpenIdConfig.API_TOKENS_SCHEME_NAME;
 import static invite.SwaggerOpenIdConfig.OPEN_ID_SCHEME_NAME;
 import static invite.security.InstitutionAdmin.isInstitutionAdmin;
-import static invite.security.UserPermissions.assertAuthority;
 import static invite.security.UserPermissions.assertInstitutionAdmin;
 
 @RestController
@@ -107,7 +78,8 @@ public ResponseEntity<Page<UserRoleAudit>> search(
             Role role = roleRepository.findById(roleId)
                     .orElseThrow(() -> new NotFoundException("Role not found: " + roleId));
             if (!user.getOrganizationGUID().equals(role.getOrganizationGUID())) {
-                throw new UserRestrictionException();
+                throw new UserRestrictionException(String.format("User %s has no access to role %s",
+                        user.getEmail(), role.getName()));
             }
         }
 

server/src/main/java/invite/exception/UserRestrictionException.java

@@ -7,10 +7,6 @@
 @ResponseStatus(HttpStatus.FORBIDDEN)
 public class UserRestrictionException extends AuthenticationException {
 
-    public UserRestrictionException() {
-        super("Forbidden");
-    }
-
     public UserRestrictionException(String message) {
         super(message);
     }

server/src/main/java/invite/security/RemoteUserPermissions.java

@@ -5,8 +5,10 @@
 import invite.model.Role;
 import org.apache.commons.lang3.stream.Streams;
 
+import java.util.Arrays;
 import java.util.Collection;
 import java.util.List;
+import java.util.stream.Collectors;
 
 public class RemoteUserPermissions {
 
@@ -15,13 +17,14 @@ private RemoteUserPermissions() {
 
     public static void assertScopeAccess(RemoteUser remoteUser, Scope... scopes) {
         if (remoteUser == null) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("Remote user is NULL");
         }
         if (scopes == null || scopes.length == 0) {
             return;
         }
         if (!Streams.of(scopes).allMatch(scope -> remoteUser.getScopes().contains(scope))) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException(String.format("Scope %s not allowd for remoteUsser %s",
+                    Arrays.toString(scopes), remoteUser.getName()));
         }
     }
 
@@ -31,7 +34,7 @@ public static void assertApplicationAccess(RemoteUser remoteUser, Role role) {
 
     public static void assertApplicationAccess(RemoteUser remoteUser, List<Role> roles) {
         if (remoteUser == null) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("Remote user is NULL");
         }
         if (remoteUser.isLocalDevMode()) {
             return;
@@ -43,7 +46,8 @@ public static void assertApplicationAccess(RemoteUser remoteUser, List<Role> rol
                         .anyMatch(remoteUserApplication -> remoteUserApplication.getManageId().equals(application.getManageId())
                                 && remoteUserApplication.getManageType().equals(application.getManageType())));
         if (!hasApplicationAccess) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException(String.format("RemoteUser %s has no access to roles %s",
+                    remoteUser.getName(), roles.stream().map(role -> role.getName()).collect(Collectors.joining(", "))));
         }
     }
 

server/src/main/java/invite/security/UserHandlerMethodArgumentResolver.java

@@ -69,7 +69,7 @@ public User resolveArgument(MethodParameter methodParameter,
             //The user has an API token (from her institution admin) and there is no state
             String hashedToken = HashGenerator.hashToken(apiTokenHeader);
             APIToken apiToken = apiTokenRepository.findByHashedValue(hashedToken)
-                    .orElseThrow(UserRestrictionException::new);
+                    .orElseThrow(() -> new UserRestrictionException("No API token found for: " + hashedToken));
             List<User> apiUsers = new ArrayList<>();
             User owner = apiToken.getOwner();
             String organizationGUID = apiToken.getOrganizationGUID();
@@ -85,7 +85,7 @@ public User resolveArgument(MethodParameter methodParameter,
             }
             if (apiUsers.isEmpty()) {
                 //we don't want to return null as this is not part of the happy-path
-                throw new UserRestrictionException();
+                throw new UserRestrictionException("No API user found for token: " + hashedToken);
             }
             //For old superuser and institution admin tokens it does not make any difference security-wise which user we return
             //For inviters and managers (and all new tokens after 0.0.36 release) the user is linked to the API token
@@ -124,7 +124,7 @@ public User resolveArgument(MethodParameter methodParameter,
                     if (StringUtils.hasText(impersonateId) && user.isSuperUser()) {
                         validImpersonation.set(true);
                         return userRepository.findById(Long.valueOf(impersonateId))
-                                .orElseThrow(UserRestrictionException::new);
+                                .orElseThrow(() -> new UserRestrictionException("No user found in impersonation: " + impersonateId));
                     }
                     return user;
                 });
@@ -144,7 +144,7 @@ public User resolveArgument(MethodParameter methodParameter,
                 }
             }
             return user;
-        }).orElseThrow(UserRestrictionException::new);
+        }).orElseThrow(() -> new UserRestrictionException("No user found sub:" + sub));
 
     }
 

server/src/main/java/invite/security/UserPermissions.java

@@ -11,36 +11,38 @@
 
 import java.util.List;
 import java.util.Set;
+import java.util.stream.Collectors;
 
 public class UserPermissions {
     private static final Log LOG = LogFactory.getLog(UserPermissions.class);
+
     private UserPermissions() {
     }
 
     public static void assertSuperUser(User user) {
         if (user == null) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("User is NULL");
         }
 
         if (!user.isSuperUser()) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("User is no super user: " + user.getEmail());
         }
     }
 
     public static void assertInstitutionAdmin(User user) {
         if (user == null) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("User is NULL");
         }
 
         if (user.isSuperUser() || (user.isInstitutionAdmin() && StringUtils.hasText(user.getOrganizationGUID()))) {
             return;
         }
-        throw new UserRestrictionException();
+        throw new UserRestrictionException("User is no institution admin: " + user.getEmail());
     }
 
     public static void assertAuthority(User user, Authority authority) {
         if (user == null) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("User is NULL");
         }
         LOG.debug(String.format("assertAuthority for user %s", user.getEduPersonPrincipalName()));
 
@@ -54,21 +56,21 @@ public static void assertAuthority(User user, Authority authority) {
             return;
         }
         if (user.getUserRoles().stream()
-                        .noneMatch(userRole -> userRole.getAuthority().hasEqualOrHigherRights(authority)))
-            throw new UserRestrictionException();
+                .noneMatch(userRole -> userRole.getAuthority().hasEqualOrHigherRights(authority)))
+            throw new UserRestrictionException(String.format("User %s is not an Authority %s", user.getEmail(), authority));
     }
 
     public static void assertValidInvitation(User user, Authority intendedAuthority, List<Role> roles) {
         if (user == null) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("User is NULL");
         }
         LOG.debug(String.format("assertValidInvitation for user %s", user.getEduPersonPrincipalName()));
 
         if (user.isSuperUser()) {
             return;
         }
         if (intendedAuthority.equals(Authority.SUPER_USER)) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("Invalid invitation for super-user by " + user.getEmail());
         }
         Set<UserRole> userRoles = user.getUserRoles();
         //Institution admin needs to own all roles or be a member of the role for at least the authority of invitationo
@@ -85,21 +87,22 @@ public static void assertValidInvitation(User user, Authority intendedAuthority,
                     return mayInviteByInstitutionAdmin || mayInviteByApplication || mayInviteByAuthority;
                 });
         if (!allowed) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException(String.format("Invalid invation by %s for roles %s",
+                    user.getEmail(), roles.stream().map(role -> role.getName()).collect(Collectors.joining(", "))));
         }
     }
 
     public static void assertRoleAccess(User user, Role accessRole, Authority authority) {
         if (user == null) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("USer is NULL");
         }
         LOG.debug(String.format("assertRoleAccess for user %s", user.getEduPersonPrincipalName()));
 
         if (user.isSuperUser()) {
             return;
         }
         if (accessRole == null) {
-            throw new UserRestrictionException();
+            throw new UserRestrictionException("Role is NULL");
         }
         if (user.isInstitutionAdmin() && user.getOrganizationGUID().equals(accessRole.getOrganizationGUID())) {
             return;
@@ -110,7 +113,8 @@ public static void assertRoleAccess(User user, Role accessRole, Authority author
                         (userRole.hasAccessToApplication(accessRole) &&
                                 userRole.getAuthority().hasEqualOrHigherRights(Authority.INSTITUTION_ADMIN)))
                 .findFirst()
-                .orElseThrow(UserRestrictionException::new);
+                .orElseThrow(() -> new UserRestrictionException(String.format("User %s has no access to role %s",
+                        user.getEmail(), accessRole.getName())));
     }
 
     //Does one of the userRoles has Authority.MANAGE and has the same application as the role