From 38eb24084fe340a2a1ff473d251c7e67cff2ec1b Mon Sep 17 00:00:00 2001 From: Damian Sobieralski Date: Fri, 7 Feb 2025 17:07:42 -0500 Subject: [PATCH 1/6] LMSA-9652 - added event authorization event publisher and removed the old way of doing authorization event registration --- pom.xml | 2 +- .../LmsAuthorizationEventPublisher.java | 27 +++++++++++++++++++ .../canvasnotifier/config/SecurityConfig.java | 7 ++--- src/main/resources/templates/main.html | 10 +++---- 4 files changed, 35 insertions(+), 11 deletions(-) create mode 100644 src/main/java/edu/iu/uits/lms/canvasnotifier/config/LmsAuthorizationEventPublisher.java diff --git a/pom.xml b/pom.xml index a5b6394..88e1c70 100644 --- a/pom.xml +++ b/pom.xml @@ -63,7 +63,7 @@ 3.7.1 6.2.8.1_1 6.0.9 - 6.5.0 + 6.5.1-SNAPSHOT 5.10 2023.0.5 2.5.0 diff --git a/src/main/java/edu/iu/uits/lms/canvasnotifier/config/LmsAuthorizationEventPublisher.java b/src/main/java/edu/iu/uits/lms/canvasnotifier/config/LmsAuthorizationEventPublisher.java new file mode 100644 index 0000000..b0e3fe1 --- /dev/null +++ b/src/main/java/edu/iu/uits/lms/canvasnotifier/config/LmsAuthorizationEventPublisher.java 
@@ -0,0 +1,27 @@ +package edu.iu.uits.lms.canvasnotifier.config; + +import lombok.extern.slf4j.Slf4j; +import org.springframework.context.ApplicationEventPublisher; +import org.springframework.security.authorization.AuthorizationDecision; +import org.springframework.security.authorization.AuthorizationEventPublisher; +import org.springframework.security.authorization.event.AuthorizationEvent; +import org.springframework.security.core.Authentication; +import org.springframework.stereotype.Component; + +import java.util.function.Supplier; + +@Component +@Slf4j +public class LmsAuthorizationEventPublisher implements AuthorizationEventPublisher { + private ApplicationEventPublisher applicationEventPublisher; + + public LmsAuthorizationEventPublisher(ApplicationEventPublisher applicationEventPublisher) { + this.applicationEventPublisher = applicationEventPublisher; + } + + @Override + public void publishAuthorizationEvent(Supplier authentication, + T object, AuthorizationDecision decision) { + applicationEventPublisher.publishEvent(new AuthorizationEvent(authentication, object, decision)); + } +} \ No newline at end of file diff --git a/src/main/java/edu/iu/uits/lms/canvasnotifier/config/SecurityConfig.java b/src/main/java/edu/iu/uits/lms/canvasnotifier/config/SecurityConfig.java index ce835cb..f9fa0fa 100644 --- a/src/main/java/edu/iu/uits/lms/canvasnotifier/config/SecurityConfig.java +++ b/src/main/java/edu/iu/uits/lms/canvasnotifier/config/SecurityConfig.java @@ -71,9 +71,7 @@ public SecurityFilterChain restFilterChain(HttpSecurity http) throws Exception { ) .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .oauth2ResourceServer(oauth -> oauth - .jwt(jwt -> jwt.jwtAuthenticationConverter(new CustomJwtAuthenticationConverter()))) - .with(new RestSecurityLoggingConfig(), log -> { - }); + .jwt(jwt -> jwt.jwtAuthenticationConverter(new CustomJwtAuthenticationConverter()))); return http.build(); } 
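Review bot: `publishAuthorizationEvent` forwards `decision` without a null check, so a null decision (an authorization manager that abstains) would be wrapped in an `AuthorizationEvent`, and a listener that calls `isGranted()` on it would then fail. Add `if (decision == null) { return; }` as the first statement. The method also publishes the base `AuthorizationEvent` for grants and denials alike, so a listener registered for `AuthorizationDeniedEvent` will not receive these events; the consumer is not in this patch, so confirm it listens for the base type and inspects the decision itself. The injected field can be `private final ApplicationEventPublisher applicationEventPublisher;`, and `@Slf4j` is unused in the class as shown.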
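Review bot: Removing `.with(new RestSecurityLoggingConfig(), log -> { })` from `restFilterChain` leaves this chain's authorization audit trail dependent on Spring Security finding the new `AuthorizationEventPublisher` bean in the context, and nothing in the patch verifies that it does. The same applies to the `withObjectPostProcessor(new LmsFilterSecurityInterceptorObjectPostProcessor())` removals in `catchallFilterChain` (next hunk) and in `appFilterChain` (PATCH 2/6). A test per chain that sends one permitted and one rejected request and asserts that an `AuthorizationEvent` was published would catch a silent loss of audit logging. The bodies of these methods start and end outside the hunks, so the rest of each chain's configuration is not visible here.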
@@ -116,8 +114,7 @@ public SecurityFilterChain catchallFilterChain(HttpSecurity http) throws Excepti .grantedAuthoritiesMapper(new CustomRoleMapper(defaultInstructorRoleRepository, userRepository))); http.securityMatcher("/**") - .authorizeHttpRequests((authz) -> authz.anyRequest().authenticated() - .withObjectPostProcessor(new LmsFilterSecurityInterceptorObjectPostProcessor())) + .authorizeHttpRequests((authz) -> authz.anyRequest().authenticated()) .headers(headers -> headers .contentSecurityPolicy(csp -> csp.policyDirectives("style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self' https://*.instructure.com")) diff --git a/src/main/resources/templates/main.html b/src/main/resources/templates/main.html index 7933a29..29e8c31 100644 --- a/src/main/resources/templates/main.html +++ b/src/main/resources/templates/main.html @@ -66,14 +66,14 @@

Canvas Notifier

- +
- +
@@ -95,7 +95,7 @@

Canvas Notifier

- + @@ -104,7 +104,7 @@

Canvas Notifier

-

Recipients

+

Recipients

Date: Fri, 7 Feb 2025 17:19:47 -0500 Subject: [PATCH 2/6] LMSA-9652 - removed uneeded filter --- pom.xml | 2 +- .../iu/uits/lms/canvasnotifier/config/SecurityConfig.java | 6 +----- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/pom.xml b/pom.xml index 88e1c70..fce0367 100644 --- a/pom.xml +++ b/pom.xml @@ -62,7 +62,7 @@ 21 3.7.1 6.2.8.1_1 - 6.0.9 + 6.1.4-SNAPSHOT 6.5.1-SNAPSHOT 5.10 2023.0.5 diff --git a/src/main/java/edu/iu/uits/lms/canvasnotifier/config/SecurityConfig.java b/src/main/java/edu/iu/uits/lms/canvasnotifier/config/SecurityConfig.java index f9fa0fa..66d31bc 100644 --- a/src/main/java/edu/iu/uits/lms/canvasnotifier/config/SecurityConfig.java +++ b/src/main/java/edu/iu/uits/lms/canvasnotifier/config/SecurityConfig.java @@ -34,8 +34,6 @@ */ import edu.iu.uits.lms.canvasnotifier.repository.UserRepository; -import edu.iu.uits.lms.common.it12logging.LmsFilterSecurityInterceptorObjectPostProcessor; -import edu.iu.uits.lms.common.it12logging.RestSecurityLoggingConfig; import edu.iu.uits.lms.common.oauth.CustomJwtAuthenticationConverter; import edu.iu.uits.lms.lti.repository.DefaultInstructorRoleRepository; import org.springframework.beans.factory.annotation.Autowired; @@ -81,9 +79,7 @@ public SecurityFilterChain appFilterChain(HttpSecurity http) throws Exception { http.securityMatcher(WELL_KNOWN_ALL, "/error", "/app/**") .authorizeHttpRequests(authz -> authz .requestMatchers(WELL_KNOWN_ALL, "/error").permitAll() - .requestMatchers("/**").hasAuthority(BASE_USER_AUTHORITY) - .withObjectPostProcessor(new LmsFilterSecurityInterceptorObjectPostProcessor()) - ) + .requestMatchers("/**").hasAuthority(BASE_USER_AUTHORITY)) .headers(headers -> headers .contentSecurityPolicy(csp -> csp.policyDirectives("style-src 'self' 'unsafe-inline'; form-action 'self'; frame-ancestors 'self' https://*.instructure.com")) .referrerPolicy(referrer -> referrer From aca615bbad6b1d45a87b121283ee2c778090096e Mon Sep 17 00:00:00 2001 
From: Damian Sobieralski Date: Mon, 10 Feb 2025 09:03:11 -0500 Subject: [PATCH 3/6] LMSA-9652 - perhaps use this profile? --- .../canvasnotifier/config/LmsAuthorizationEventPublisher.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/main/java/edu/iu/uits/lms/canvasnotifier/config/LmsAuthorizationEventPublisher.java b/src/main/java/edu/iu/uits/lms/canvasnotifier/config/LmsAuthorizationEventPublisher.java index b0e3fe1..fe2f363 100644 --- a/src/main/java/edu/iu/uits/lms/canvasnotifier/config/LmsAuthorizationEventPublisher.java +++ b/src/main/java/edu/iu/uits/lms/canvasnotifier/config/LmsAuthorizationEventPublisher.java @@ -2,6 +2,7 @@ import lombok.extern.slf4j.Slf4j; import org.springframework.context.ApplicationEventPublisher; +import org.springframework.context.annotation.Profile; import org.springframework.security.authorization.AuthorizationDecision; import org.springframework.security.authorization.AuthorizationEventPublisher; import org.springframework.security.authorization.event.AuthorizationEvent; @@ -10,6 +11,7 @@ import java.util.function.Supplier; +@Profile("it12") @Component @Slf4j public class LmsAuthorizationEventPublisher implements AuthorizationEventPublisher { From 288d1830c1fc2da56b8c7abe3125d92d7f2fe684 Mon Sep 17 00:00:00 2001 From: Damian Sobieralski Date: Mon, 10 Feb 2025 09:28:27 -0500 Subject: [PATCH 4/6] LMSA-9652 - add license --- .../LmsAuthorizationEventPublisher.java | 35 ++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/src/main/java/edu/iu/uits/lms/canvasnotifier/config/LmsAuthorizationEventPublisher.java b/src/main/java/edu/iu/uits/lms/canvasnotifier/config/LmsAuthorizationEventPublisher.java index fe2f363..486dfae 100644 --- a/src/main/java/edu/iu/uits/lms/canvasnotifier/config/LmsAuthorizationEventPublisher.java +++ b/src/main/java/edu/iu/uits/lms/canvasnotifier/config/LmsAuthorizationEventPublisher.java 
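Review bot: `@Profile("it12")` makes the publisher bean conditional, but the class carries no comment saying so, and the commit subject itself ("perhaps use this profile?") leaves the choice open. When the profile is inactive, Spring Security falls back to its own publisher for HTTP authorization, which as far as I know emits only denied events, so granted decisions are no longer published in those environments. Since the explicit logging hooks were removed from `SecurityConfig` in the earlier patches, state the intent on the class, for example `/** Publishes an AuthorizationEvent for every authorization decision. Registered only when the "it12" profile is active. */`, and confirm that every deployment which needs the audit trail activates that profile.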
@@ -1,5 +1,38 @@ package edu.iu.uits.lms.canvasnotifier.config; +/*- + * #%L + * canvasnotifier + * %% + * Copyright (C) 2015 - 2025 Indiana University + * %% + * Redistribution and use in source and binary forms, with or without modification, + * are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, this + * list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * 3. Neither the name of the Indiana University nor the names of its contributors + * may be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE + * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * #L% + */ + import lombok.extern.slf4j.Slf4j; import org.springframework.context.ApplicationEventPublisher; import org.springframework.context.annotation.Profile; 
@@ -26,4 +59,4 @@ public void publishAuthorizationEvent(Supplier authenticatio T object, AuthorizationDecision decision) { applicationEventPublisher.publishEvent(new AuthorizationEvent(authentication, object, decision)); } -} \ No newline at end of file +} From c3e34bc9928b713e025f667f7bf05e760b8c6074 Mon Sep 17 00:00:00 2001 From: Damian Sobieralski Date: Mon, 10 Feb 2025 11:49:26 -0500 Subject: [PATCH 5/6] LMSA-9652 - removed publisher (moved to common-configuration in embedded services) --- .../LmsAuthorizationEventPublisher.java | 62 ------------------- 1 file changed, 62 deletions(-) delete mode 100644 src/main/java/edu/iu/uits/lms/canvasnotifier/config/LmsAuthorizationEventPublisher.java diff --git a/src/main/java/edu/iu/uits/lms/canvasnotifier/config/LmsAuthorizationEventPublisher.java b/src/main/java/edu/iu/uits/lms/canvasnotifier/config/LmsAuthorizationEventPublisher.java deleted file mode 100644 index 486dfae..0000000 --- a/src/main/java/edu/iu/uits/lms/canvasnotifier/config/LmsAuthorizationEventPublisher.java +++ /dev/null 
@@ -1,62 +0,0 @@ -package edu.iu.uits.lms.canvasnotifier.config; - -/*- - * #%L - * canvasnotifier - * %% - * Copyright (C) 2015 - 2025 Indiana University - * %% - * Redistribution and use in source and binary forms, with or without modification, - * are permitted provided that the following conditions are met: - * - * 1. Redistributions of source code must retain the above copyright notice, this - * list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * 3. Neither the name of the Indiana University nor the names of its contributors - * may be used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED - * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. - * IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, - * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, - * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE - * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. 
- * #L% - */ - -import lombok.extern.slf4j.Slf4j; -import org.springframework.context.ApplicationEventPublisher; -import org.springframework.context.annotation.Profile; -import org.springframework.security.authorization.AuthorizationDecision; -import org.springframework.security.authorization.AuthorizationEventPublisher; -import org.springframework.security.authorization.event.AuthorizationEvent; -import org.springframework.security.core.Authentication; -import org.springframework.stereotype.Component; - -import java.util.function.Supplier; - -@Profile("it12") -@Component -@Slf4j -public class LmsAuthorizationEventPublisher implements AuthorizationEventPublisher { - private ApplicationEventPublisher applicationEventPublisher; - - public LmsAuthorizationEventPublisher(ApplicationEventPublisher applicationEventPublisher) { - this.applicationEventPublisher = applicationEventPublisher; - } - - @Override - public void publishAuthorizationEvent(Supplier authentication, - T object, AuthorizationDecision decision) { - applicationEventPublisher.publishEvent(new AuthorizationEvent(authentication, object, decision)); - } -} From 9007458d73d1c389bb886ff1c89fb8504a17fbc5 Mon Sep 17 00:00:00 2001 From: Damian Sobieralski Date: Mon, 10 Feb 2025 14:32:58 -0500 Subject: [PATCH 6/6] LMSA-9652 - updated dep versions --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index fce0367..2211e50 100644 --- a/pom.xml +++ b/pom.xml @@ -62,8 +62,8 @@ 21 3.7.1 6.2.8.1_1 - 6.1.4-SNAPSHOT - 6.5.1-SNAPSHOT + 6.1.4 + 6.5.0_1 5.10 2023.0.5 2.5.0