Merge pull request #141 from delphi-hub/hotfix/userAccessLevelFix

hotfix/userAccessLevel

Author: janniclas

app/authorization/AuthAction.scala

@@ -25,13 +25,15 @@ import play.api.Configuration
 import scala.concurrent.{ExecutionContext, Future}
 import scala.util.{Failure, Success}
 
+// The following is based on https://auth0.com/blog/build-and-secure-a-scala-play-framework-api/
 // A custom request type to hold our JWT claims, we can pass these on to the
 // handling action
-//case class UserRequest[A](jwt: JwtClaim, token: String, request: Request[A]) extends WrappedRequest[A](request)
+
+case class UserRequest[A](token: String, request: Request[A]) extends WrappedRequest[A](request)
 
 // Our custom action implementation
 class AuthAction @Inject()(bodyParser: BodyParsers.Default)(implicit ec: ExecutionContext, config: Configuration)
-  extends ActionBuilder[Request, AnyContent] {
+  extends ActionBuilder[UserRequest, AnyContent] {
 
   override def parser: BodyParser[AnyContent] = bodyParser
   override protected def executionContext: ExecutionContext = ec
@@ -41,10 +43,10 @@ class AuthAction @Inject()(bodyParser: BodyParsers.Default)(implicit ec: Executi
 
   // Called when a request is invoked. We should validate the bearer token here
   // and allow the request to proceed if it is valid.
-  override def invokeBlock[A](request: Request[A], block: Request[A] => Future[Result]): Future[Result] =
+  override def invokeBlock[A](request: Request[A], block: UserRequest[A] => Future[Result]): Future[Result] =
     extractBearerToken(request) map { token =>
       if(AuthProvider.validateJwt(token)) {
-        block(request)   // token was valid - proceed!
+        block(UserRequest(token,request))  // token was valid - proceed!
       } else {
         Future.successful(Results.Unauthorized("Invalid"))  // token was invalid - return 401
       }

app/authorization/AuthProvider.scala

@@ -40,7 +40,7 @@ import play.api.Configuration
             .expiresIn(validFor * 300)
             .startsNow
             . +("user_id", configuration.get[String]("play.http.instance"))
-            . +("user_type", "Admin")
+            . +("user_type", "Component")
 
           Token = Jwt.encode(claim, jwtSecretKey, JwtAlgorithm.HS256)
         }

app/controllers/InstanceRegistryController.scala

@@ -70,12 +70,13 @@ class InstanceRegistryController @Inject()(implicit system: ActorSystem, mat: Ma
     * @return
     */
   def instances(componentType: String): Action[AnyContent] = authAction.async {
-    ws.url(instanceRegistryUri).addQueryStringParameters("ComponentType" -> componentType)
-      .withHttpHeaders(("Authorization", s"Bearer ${AuthProvider.generateJwt()}"))
-      .get().map { response =>
-      // TODO: possible handling of parsing the data can be done here
+    request =>
+      ws.url(instanceRegistryUri).addQueryStringParameters("ComponentType" -> componentType)
+        .withHttpHeaders(("Authorization", s"Bearer ${request.token}"))
+        .get().map { response =>
+        // TODO: possible handling of parsing the data can be done here
 
-      Ok(response.body)
+        Ok(response.body)
     }(myExecutionContext)
   }
 
@@ -92,14 +93,14 @@ class InstanceRegistryController @Inject()(implicit system: ActorSystem, mat: Ma
     */
 
   def users(): Action[AnyContent] = authAction.async{
-    ws.url(instanceRegistryUri + "/users").withHttpHeaders(("Authorization", s"Bearer ${AuthProvider.generateJwt()}"))
-      .get().map { response =>
-  Logger.debug(response.body)
-      if (response.status == 200) {
-        Ok(response.body)
-      } else {
-        new Status(response.status)
-      }
+    request =>
+      ws.url(instanceRegistryUri + "/users").withHttpHeaders(("Authorization", s"Bearer ${request.token}"))
+        .get().map { response =>
+        if (response.status == 200) {
+          Ok(response.body)
+        } else {
+          new Status(response.status)
+        }
     }(myExecutionContext)
   }
 
@@ -110,15 +111,16 @@ class InstanceRegistryController @Inject()(implicit system: ActorSystem, mat: Ma
     */
 
   def getNetwork(): Action[AnyContent] = authAction.async {
-    ws.url(instanceRegistryUri + "/instances/network").withHttpHeaders(("Authorization", s"Bearer ${AuthProvider.generateJwt()}"))
-      .get().map { response =>
-      // TODO: possible handling of parsing the data can be done here
-      Logger.debug(response.body)
-      if (response.status == 200) {
-        Ok(response.body)
-      } else {
-        new Status(response.status)
-      }
+    request =>
+      ws.url(instanceRegistryUri + "/instances/network").withHttpHeaders(("Authorization", s"Bearer ${request.token}"))
+        .get().map { response =>
+        // TODO: possible handling of parsing the data can be done here
+        Logger.debug(response.body)
+        if (response.status == 200) {
+          Ok(response.body)
+        } else {
+          new Status(response.status)
+        }
     }(myExecutionContext)
   }
 
@@ -133,15 +135,16 @@ class InstanceRegistryController @Inject()(implicit system: ActorSystem, mat: Ma
   def numberOfInstances(componentType: String): Action[AnyContent] = authAction.async {
     // TODO: handle what should happen if the instance registry is not reachable.
     // TODO: create constants for the urls
-    ws.url(instanceRegistryUri + "/count").addQueryStringParameters("ComponentType" -> componentType)
-      .withHttpHeaders(("Authorization", s"Bearer ${AuthProvider.generateJwt()}"))
-      .get().map { response =>
-      // TODO: possible handling of parsing the data can be done here
-      if (response.status == 200) {
-        Ok(response.body)
-      } else {
-        new Status(response.status)
-      }
+    request =>
+      ws.url(instanceRegistryUri + "/count").addQueryStringParameters("ComponentType" -> componentType)
+        .withHttpHeaders(("Authorization", s"Bearer ${request.token}"))
+        .get().map { response =>
+        // TODO: possible handling of parsing the data can be done here
+        if (response.status == 200) {
+          Ok(response.body)
+        } else {
+          new Status(response.status)
+        }
     }(myExecutionContext)
   }
 
@@ -155,7 +158,7 @@ class InstanceRegistryController @Inject()(implicit system: ActorSystem, mat: Ma
 
   def handleRequest(action: String, instanceID: String): Action[AnyContent] = authAction.async { request =>
     ws.url(instanceRegistryUri + "/instances/" + instanceID + action)
-      .withHttpHeaders(("Authorization", s"Bearer ${AuthProvider.generateJwt()}"))
+      .withHttpHeaders(("Authorization", s"Bearer ${request.token}"))
       .post("")
       .map { response =>
         new Status(response.status)
@@ -173,7 +176,7 @@ class InstanceRegistryController @Inject()(implicit system: ActorSystem, mat: Ma
 
     ws.url(instanceRegistryUri + "/instances/" + from + "/assignInstance"
     )
-      .withHttpHeaders(("Authorization", s"Bearer ${AuthProvider.generateJwt()}"))
+      .withHttpHeaders(("Authorization", s"Bearer ${request.token}"))
       .post(Json.obj("AssignedInstanceId" -> to))
       .map { response =>
         response.status match {
@@ -196,7 +199,7 @@ class InstanceRegistryController @Inject()(implicit system: ActorSystem, mat: Ma
   def postInstance(compType: String, name: String): Action[AnyContent] = authAction.async {
     request =>
       ws.url(instanceRegistryUri + "/instances/deploy")
-        .withHttpHeaders(("Authorization", s"Bearer ${AuthProvider.generateJwt()}"))
+        .withHttpHeaders(("Authorization", s"Bearer ${request.token}"))
         .post(Json.obj("ComponentType" -> compType, "InstanceName" -> name))
         .map { response =>
           response.status match {
@@ -233,7 +236,7 @@ class InstanceRegistryController @Inject()(implicit system: ActorSystem, mat: Ma
           .post("")
           .map { response =>
             if (response.status == 200) {
-              Ok(Json.obj("token" -> response.body, "refreshToken" -> ""))
+              Ok(response.body)
             } else {
               new Status(response.status)
             }
@@ -253,7 +256,7 @@ class InstanceRegistryController @Inject()(implicit system: ActorSystem, mat: Ma
   {
     request =>
     ws.url(instanceRegistryUri + "/instances/" + instanceID + "/label")
-      .withHttpHeaders(("Authorization", s"Bearer ${AuthProvider.generateJwt()}"))
+      .withHttpHeaders(("Authorization", s"Bearer ${request.token}"))
       .post(Json.obj("Label" -> label))
       .map { response =>
         response.status match {
@@ -282,11 +285,11 @@ class InstanceRegistryController @Inject()(implicit system: ActorSystem, mat: Ma
         val secret = (json \ "secret").as[String]
         val userType = (json \ "userType").as[String]
         ws.url(instanceRegistryUri + "/users" + "/add")
-        .withHttpHeaders(("Authorization", s"Bearer ${AuthProvider.generateJwt()}"))
+        .withHttpHeaders(("Authorization", s"Bearer ${request.token}"))
         .post(json)
         .map { response =>
            if (response.status == 200) {
-              Ok(Json.obj("token" -> response.body, "refreshToken" -> ""))
+              Ok(response.body)
             } else {
               Logger.info(s"$ws")
               Logger.debug(s"$ws")
@@ -304,7 +307,7 @@ class InstanceRegistryController @Inject()(implicit system: ActorSystem, mat: Ma
   def deleteUser( userID: String): Action[AnyContent] = authAction.async {
     request =>
     ws.url(instanceRegistryUri + "/users/" + userID + "/remove")
-      .withHttpHeaders(("Authorization", s"Bearer ${AuthProvider.generateJwt()}"))
+      .withHttpHeaders(("Authorization", s"Bearer ${request.token}"))
       .post("")
       .map { response =>
       response.status match {
@@ -322,7 +325,7 @@ class InstanceRegistryController @Inject()(implicit system: ActorSystem, mat: Ma
   {
     request =>
     ws.url(instanceRegistryUri + "/instances/" + instanceID + "/label/" + label + "/delete")
-      .withHttpHeaders(("Authorization", s"Bearer ${AuthProvider.generateJwt()}"))
+      .withHttpHeaders(("Authorization", s"Bearer ${request.token}"))
       .post("")
       .map { response =>
         response.status match {