Check for unauthorized users inside security filter directly

Fixes RM-63350 Signed-off-by: Pierre Belloy <[email protected]>
anlem12 · Jun 15, 2023 · d5e89b7 · d5e89b7
1 parent 32f4a71
commit d5e89b7
Show file tree

Hide file tree

Showing 8 changed files with 87 additions and 80 deletions.
diff --git a/axelor-core/src/main/java/com/axelor/auth/AuthModule.java b/axelor-core/src/main/java/com/axelor/auth/AuthModule.java
@@ -52,9 +52,6 @@ protected final void configure() {
       return;
     }
 
-    // observe authentication-related events
-    bind(AuthObserver.class);
-
     // pac4j
     bind(AuthPac4jObserver.class);
     install(new AuthPac4jModule(context));

diff --git a/axelor-core/src/main/java/com/axelor/auth/AuthObserver.java b/axelor-core/src/main/java/com/axelor/auth/AuthObserver.java
diff --git a/axelor-core/src/main/java/com/axelor/auth/AuthSessionService.java b/axelor-core/src/main/java/com/axelor/auth/AuthSessionService.java
@@ -23,7 +23,7 @@
 import org.apache.shiro.session.Session;
 
 /** Manages session attributes. */
-class AuthSessionService {
+public class AuthSessionService {
   private static final String LOGIN_DATE = "com.axelor.internal.loginDate";
 
   public void updateLoginDate() {

diff --git a/axelor-core/src/main/java/com/axelor/auth/pac4j/AxelorUserAuthorizer.java b/axelor-core/src/main/java/com/axelor/auth/pac4j/AxelorUserAuthorizer.java
@@ -0,0 +1,76 @@
+/*
+ * Axelor Business Solutions
+ *
+ * Copyright (C) 2005-2023 Axelor (<http://axelor.com>).
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+package com.axelor.auth.pac4j;
+
+import com.axelor.auth.AuthSessionService;
+import com.axelor.auth.AuthUtils;
+import com.axelor.auth.db.User;
+import java.time.LocalDateTime;
+import java.util.List;
+import javax.inject.Inject;
+import javax.inject.Singleton;
+import org.apache.shiro.SecurityUtils;
+import org.pac4j.core.authorization.authorizer.Authorizer;
+import org.pac4j.core.context.WebContext;
+import org.pac4j.core.context.session.SessionStore;
+import org.pac4j.core.profile.UserProfile;
+
+@Singleton
+public class AxelorUserAuthorizer implements Authorizer {
+
+  public static final String USER_AUTHORIZER_NAME = "AxelorUserAuthorizer";
+
+  private AuthSessionService authSessionService;
+
+  @Inject
+  public AxelorUserAuthorizer(AuthSessionService authSessionService) {
+    this.authSessionService = authSessionService;
+  }
+
+  @Override
+  public boolean isAuthorized(
+      WebContext context, SessionStore sessionStore, List<UserProfile> profiles) {
+    User user = AuthUtils.getUser();
+    if (user == null) {
+      return false;
+    }
+    if (!isAllowed(user)) {
+      removeSession();
+      return false;
+    }
+
+    return true;
+  }
+
+  private boolean isAllowed(User user) {
+    final LocalDateTime loginDate =
+        authSessionService.getLoginDate(AuthUtils.getSubject().getSession());
+    return AuthUtils.isActive(user)
+        && (user.getPasswordUpdatedOn() == null
+            || loginDate != null && !loginDate.isBefore(user.getPasswordUpdatedOn()));
+  }
+
+  private void removeSession() {
+    try {
+      SecurityUtils.getSubject().logout();
+    } catch (Exception e) {
+      // ignore
+    }
+  }
+}
diff --git a/axelor-core/src/main/java/com/axelor/auth/pac4j/ConfigProvider.java b/axelor-core/src/main/java/com/axelor/auth/pac4j/ConfigProvider.java
@@ -31,8 +31,12 @@ public class ConfigProvider implements Provider<Config> {
 
   @Inject
   public ConfigProvider(
-      Clients clients, AxelorCsrfAuthorizer csrfAuthorizer, AxelorCsrfMatcher csrfMatcher) {
+      Clients clients,
+      AxelorUserAuthorizer userAuthorizer,
+      AxelorCsrfAuthorizer csrfAuthorizer,
+      AxelorCsrfMatcher csrfMatcher) {
     config = new Config(clients);
+    config.addAuthorizer(AxelorUserAuthorizer.USER_AUTHORIZER_NAME, userAuthorizer);
     config.addAuthorizer(AxelorCsrfAuthorizer.CSRF_AUTHORIZER_NAME, csrfAuthorizer);
     config.addMatcher(AxelorCsrfMatcher.CSRF_MATCHER_NAME, csrfMatcher);
   }

diff --git a/axelor-web/src/main/webapp/js/axelor.app.js b/axelor-web/src/main/webapp/js/axelor.app.js
@@ -721,7 +721,7 @@
         report = data.data || data, stacktrace = null, cause = null, exception;
 
       // unauthorized errors are handled separately
-      if (data.status === 401) {
+      if (data.status === 401 || data.status === 403) {
         return;
       }
 

diff --git a/axelor-web/src/main/webapp/js/axelor.auth.js b/axelor-web/src/main/webapp/js/axelor.auth.js
@@ -82,7 +82,7 @@ angular.module('axelor.auth', []).provider('authService', function() {
               + "&hash_location=" + encodeURIComponent(window.location.hash);
             return $q.reject(response);
         }
-        if ((response.status === 401 || response.status === 502
+        if ((response.status === 401 || response.status === 403 || response.status === 502
             || (response.status === 0 && !response.data)) && response.config.url !== "callback") {
           var deferred = $q.defer();
           authServiceProvider.pushToBuffer(response.config, deferred);

diff --git a/changelogs/unreleased/block-users.yml b/changelogs/unreleased/block-users.yml
@@ -0,0 +1,3 @@
+---
+title: Check for unauthorized users inside security filter directly
+type: security