Added permission check for objecten api objects (#1875)

* Added permission check for objects

* Set default permission check to true

* Running without authorization for object

* Fixed tests

* Added warning when permission check is disabled

* Fixed logging import

* Added return type

Author: ivo-ritense

app/gzac/.env.properties

@@ -14,7 +14,7 @@ CATALOGI_API_URL=http://localhost:8001/catalogi/api/v1/
 DOCUMENTEN_API_URL=http://localhost:8001/documenten/api/v1/
 NOTIFICATIES_API_URL=http://localhost:8002/api/v1/
 OBJECTEN_API_URL=http://localhost:8010/api/v2/
-OBJECTTYPEN_API_URL=http://localhost:8011/api/v1/
+OBJECTTYPEN_API_URL=http://localhost:8011/api/v2/
 
 OPEN_ZAAK_CLIENT_ID=valtimo_client
 OPEN_ZAAK_CLIENT_SECRET=e09b8bc5-5831-4618-ab28-41411304309d

app/gzac/src/main/resources/config/application.yml

@@ -250,6 +250,8 @@ valtimo:
             polling.rate: "PT1M"
 
     authorization:
+        objectenapi:
+            enabled: true
         dashboard:
             enabled: true
         zgwDocuments:

app/gzac/src/main/resources/config/pbac/object.permission.json

@@ -0,0 +1,30 @@
+{
+    "changesetId": "object-admin-v1",
+    "permissions": [
+        {
+            "resourceType": "com.ritense.objectenapi.security.Object",
+            "action": "create",
+            "roleKey": "ROLE_ADMIN"
+        },
+        {
+            "resourceType": "com.ritense.objectenapi.security.Object",
+            "action": "modify",
+            "roleKey": "ROLE_ADMIN"
+        },
+        {
+            "resourceType": "com.ritense.objectenapi.security.Object",
+            "action": "view",
+            "roleKey": "ROLE_ADMIN"
+        },
+        {
+            "resourceType": "com.ritense.objectenapi.security.Object",
+            "action": "view_list",
+            "roleKey": "ROLE_ADMIN"
+        },
+        {
+            "resourceType": "com.ritense.objectenapi.security.Object",
+            "action": "delete",
+            "roleKey": "ROLE_ADMIN"
+        }
+    ]
+}

zgw/object-management/build.gradle

@@ -30,6 +30,7 @@ dockerCompose {
 }
 
 dependencies {
+    implementation project(':authorization')
     implementation project(':plugin')
     implementation project(':contract')
     implementation project(":web")

zgw/object-management/src/main/kotlin/com/ritense/objectmanagement/service/ObjectManagementFacade.kt

@@ -17,6 +17,7 @@
 package com.ritense.objectmanagement.service
 
 import com.fasterxml.jackson.databind.JsonNode
+import com.ritense.authorization.AuthorizationContext.Companion.runWithoutAuthorization
 import com.ritense.objectenapi.ObjectenApiPlugin
 import com.ritense.objectenapi.client.ObjectRecord
 import com.ritense.objectenapi.client.ObjectRequest
@@ -231,20 +232,20 @@ class ObjectManagementFacade(
         val objectUrl = accessObject.objectenApiPlugin.getObjectUrl(uuid)
 
         logger.trace { "Getting object $objectUrl" }
-        return accessObject.objectenApiPlugin.getObject(objectUrl)
+        return runWithoutAuthorization { accessObject.objectenApiPlugin.getObject(objectUrl) }
     }
 
     private fun findObjectByUuidAndIndex(accessObject: ObjectManagementAccessObject, uuid: UUID, index: Int): ObjectRecord {
         logger.debug { "Find object by uuid and index accessObject=$accessObject uuid=$uuid index=$index" }
         val objectUrl = accessObject.objectenApiPlugin.getObjectUrl(uuid)
 
         logger.trace { "Getting object $objectUrl" }
-        return accessObject.objectenApiPlugin.getObjectRecord(objectUrl, index)
+        return runWithoutAuthorization { accessObject.objectenApiPlugin.getObjectRecord(objectUrl, index) }
     }
 
     private fun findObjectByUri(accessObject: ObjectManagementAccessObject, objectUrl: URI): ObjectWrapper {
         logger.debug { "Getting object $objectUrl" }
-        return accessObject.objectenApiPlugin.getObject(objectUrl)
+        return runWithoutAuthorization { accessObject.objectenApiPlugin.getObject(objectUrl) }
     }
 
     private fun findObjectsPaged(
@@ -255,26 +256,28 @@ class ObjectManagementFacade(
         pageNumber: Int,
         pageSize: Int
     ): ObjectsList {
-        return if (!searchString.isNullOrBlank()) {
-            logger.debug { "Getting object page for object type $objectName with search string $searchString" }
-
-            accessObject.objectenApiPlugin.getObjectsByObjectTypeIdWithSearchParams(
-                accessObject.objectTypenApiPlugin.url,
-                accessObject.objectManagement.objecttypeId,
-                searchString,
-                ordering,
-                PageRequest.of(pageNumber, pageSize)
-            )
-        } else {
-            logger.debug { "Getting object page for object type $objectName" }
-
-            accessObject.objectenApiPlugin.getObjectsByObjectTypeId(
-                accessObject.objectTypenApiPlugin.url,
-                accessObject.objectenApiPlugin.url,
-                accessObject.objectManagement.objecttypeId,
-                ordering,
-                PageRequest.of(pageNumber, pageSize)
-            )
+        return runWithoutAuthorization {
+            if (!searchString.isNullOrBlank()) {
+                logger.debug { "Getting object page for object type $objectName with search string $searchString" }
+
+                accessObject.objectenApiPlugin.getObjectsByObjectTypeIdWithSearchParams(
+                    accessObject.objectTypenApiPlugin.url,
+                    accessObject.objectManagement.objecttypeId,
+                    searchString,
+                    ordering,
+                    PageRequest.of(pageNumber, pageSize)
+                )
+            } else {
+                logger.debug { "Getting object page for object type $objectName" }
+
+                accessObject.objectenApiPlugin.getObjectsByObjectTypeId(
+                    accessObject.objectTypenApiPlugin.url,
+                    accessObject.objectenApiPlugin.url,
+                    accessObject.objectManagement.objecttypeId,
+                    ordering,
+                    PageRequest.of(pageNumber, pageSize)
+                )
+            }
         }
     }
 

zgw/object-management/src/test/kotlin/com/ritense/objectmanagement/service/ObjectManagementServiceIntTest.kt

@@ -19,6 +19,7 @@ package com.ritense.objectmanagement.service
 import com.fasterxml.jackson.databind.JsonNode
 import com.fasterxml.jackson.databind.ObjectMapper
 import com.fasterxml.jackson.databind.node.ObjectNode
+import com.ritense.authorization.AuthorizationContext.Companion.runWithoutAuthorization
 import com.ritense.objectenapi.client.Comparator.EQUAL_TO
 import com.ritense.objectenapi.client.ObjectSearchParameter
 import com.ritense.objectmanagement.BaseIntegrationTest
@@ -242,9 +243,9 @@ internal class ObjectManagementServiceIntTest : BaseIntegrationTest() {
         val searchWithConfigRequest =
             SearchWithConfigRequest(listOf(otherFilters))
 
-        val objects = objectManagementService.getObjectsWithSearchParams(
+        val objects = runWithoutAuthorization{ objectManagementService.getObjectsWithSearchParams(
             searchWithConfigRequest, objectManagement.id, PageRequest.of(0, 10)
-        )
+        )}
 
         assertThat(objects.content.size).isEqualTo(1)
         assertThat(objects.first().items[0].key).isEqualTo("property1")
@@ -294,11 +295,11 @@ internal class ObjectManagementServiceIntTest : BaseIntegrationTest() {
         val objectManagement = objectManagementService.getByTitle("My Object Management")!!
         val searchParameters = listOf(ObjectSearchParameter("property1", EQUAL_TO, "henk"))
 
-        val objects = objectManagementService.getObjectsWithSearchParams(
+        val objects = runWithoutAuthorization { objectManagementService.getObjectsWithSearchParams(
             objectManagement,
             searchParameters,
             PageRequest.of(0, 10)
-        )
+        )}
 
         assertThat(objects.content.size).isEqualTo(1)
         assertThat(objects.first().url).isEqualTo(URI("https://example.com/123"))

zgw/objecten-api/build.gradle

@@ -30,6 +30,7 @@ dockerCompose {
 }
 
 dependencies {
+    implementation project(':authorization')
     implementation project(':plugin')
     implementation project(':contract')
     implementation project(':document')

zgw/objecten-api/src/main/kotlin/com/ritense/objectenapi/ObjectenApiAutoConfiguration.kt

@@ -17,11 +17,13 @@
 package com.ritense.objectenapi
 
 import com.fasterxml.jackson.databind.ObjectMapper
+import com.ritense.authorization.AuthorizationService
 import com.ritense.form.service.FormDefinitionService
 import com.ritense.objectenapi.client.ObjectenApiClient
 import com.ritense.objectenapi.listener.ZaakObjectListener
 import com.ritense.objectenapi.management.ErrorObjectManagementInfoProvider
 import com.ritense.objectenapi.management.ObjectManagementInfoProvider
+import com.ritense.objectenapi.security.ObjectSpecificationFactory
 import com.ritense.objectenapi.security.ObjectenApiHttpSecurityConfigurer
 import com.ritense.objectenapi.service.ZaakObjectDataResolver
 import com.ritense.objectenapi.service.ZaakObjectService
@@ -32,6 +34,8 @@ import com.ritense.outbox.OutboxService
 import com.ritense.plugin.service.PluginService
 import com.ritense.processdocument.service.ProcessDocumentService
 import com.ritense.zakenapi.ZaakUrlProvider
+import mu.KotlinLogging
+import org.springframework.beans.factory.annotation.Value
 import org.springframework.boot.autoconfigure.AutoConfiguration
 import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean
 import org.springframework.context.annotation.Bean
@@ -57,12 +61,21 @@ class ObjectenApiAutoConfiguration {
     fun objectenApiClient(
         restClientBuilder: RestClient.Builder,
         outboxService: OutboxService,
-        objectMapper: ObjectMapper
-    ) = ObjectenApiClient(
-        restClientBuilder,
-        outboxService,
-        objectMapper
-    )
+        objectMapper: ObjectMapper,
+        authorizationService: AuthorizationService,
+        @Value("\${valtimo.authorization.objectenapi.enabled:true}") authorizationEnabled: Boolean
+    ): ObjectenApiClient {
+        if (!authorizationEnabled) {
+            logger.warn { "Objecten API authorization is disabled. This is a potential security issue. The option to disable this will be removed with Valtimo 13." }
+        }
+        return ObjectenApiClient(
+            restClientBuilder,
+            outboxService,
+            objectMapper,
+            authorizationService,
+            authorizationEnabled
+        )
+    }
 
     @Bean
     fun objectenApiPluginFactory(
@@ -131,4 +144,14 @@ class ObjectenApiAutoConfiguration {
     fun errorObjectManagementInfoProvider(): ObjectManagementInfoProvider {
         return ErrorObjectManagementInfoProvider()
     }
+
+    @Bean
+    @ConditionalOnMissingBean(ObjectSpecificationFactory::class)
+    fun objectSpecificationFactory(): ObjectSpecificationFactory {
+        return ObjectSpecificationFactory()
+    }
+
+    companion object {
+        val logger = KotlinLogging.logger {}
+    }
 }