From faa1cae4a26b8c231101fe32ca94e845a00d3f5d Mon Sep 17 00:00:00 2001 From: Tom Richards Date: Fri, 26 Apr 2024 11:03:24 +0100 Subject: [PATCH] add a permission check for `preview` and `admin` (using the `preview_access` and `admin_tool_access` permissions added in https://github.com/guardian/permissions/pull/184) --- admin/app/AppLoader.scala | 2 +- build.sbt | 1 + .../app/http/GuardianAuthWithExemptions.scala | 26 ++++++++++++++++--- preview/app/AppLoader.scala | 1 + project/Dependencies.scala | 1 + 5 files changed, 27 insertions(+), 4 deletions(-) diff --git a/admin/app/AppLoader.scala b/admin/app/AppLoader.scala index 3fc6d8d9f0e..d1735663d7c 100644 --- a/admin/app/AppLoader.scala +++ b/admin/app/AppLoader.scala @@ -5,7 +5,6 @@ import dfp._ import common.dfp._ import common._ import conf.switches.SwitchboardLifecycle -import conf.CachedHealthCheckLifeCycle import controllers.{AdminControllers, HealthCheck} import _root_.dfp.DfpDataCacheLifecycle import com.amazonaws.regions.Regions @@ -106,6 +105,7 @@ trait AppComponents extends FrontendComponents with AdminControllers with AdminS // in [admin]. "/interactive-librarian/", ), + requiredEditorialPermissionName = "admin_tool_access", ) lazy val healthCheck = wire[HealthCheck] diff --git a/build.sbt b/build.sbt index de4980efb9e..59ba905a111 100644 --- a/build.sbt +++ b/build.sbt @@ -39,6 +39,7 @@ val common = library("common") jSoup, json4s, panDomainAuth, + editorialPermissions, quartzScheduler, redisClient, rome, diff --git a/common/app/http/GuardianAuthWithExemptions.scala b/common/app/http/GuardianAuthWithExemptions.scala index 99ce750ec88..d4d4909fde3 100644 --- a/common/app/http/GuardianAuthWithExemptions.scala +++ b/common/app/http/GuardianAuthWithExemptions.scala 
@@ -1,15 +1,18 @@ package http +import com.amazonaws.regions.Regions import com.amazonaws.services.s3.AmazonS3 import com.gu.pandomainauth.action.AuthActions import com.gu.pandomainauth.model.AuthenticatedUser import com.gu.pandomainauth.{PanDomain, PanDomainAuthSettingsRefresher} +import com.gu.permissions.{PermissionDefinition, PermissionsConfig, PermissionsProvider} import common.Environment.stage +import conf.Configuration.aws.mandatoryCredentials import model.ApplicationContext import org.apache.pekko.stream.Materializer import play.api.Mode import play.api.libs.ws.WSClient -import play.api.mvc.{BaseController, _} +import play.api.mvc._ import java.net.URL import scala.concurrent.Future @@ -22,6 +25,7 @@ class GuardianAuthWithExemptions( s3Client: AmazonS3, system: String, extraDoNotAuthenticatePathPrefixes: Seq[String], + requiredEditorialPermissionName: String, )(implicit val mat: Materializer, context: ApplicationContext, @@ -30,6 +34,19 @@ class GuardianAuthWithExemptions( private val outer = this + private val permissions: PermissionsProvider = PermissionsProvider( + PermissionsConfig( + stage = if (stage == "PROD") "PROD" else "CODE", + region = Regions.EU_WEST_1.getName, + awsCredentials = mandatoryCredentials, + ), + ) + + private val requiredPermission = PermissionDefinition( + name = requiredEditorialPermissionName, + app = "frontend", + ) + private def toolsDomainSuffix = stage match { case "PROD" => "gutools.co.uk" @@ -81,9 +98,12 @@ class GuardianAuthWithExemptions( if (doNotAuthenticate(request)) { nextFilter(request) } else { - // TODO: in future PR add a permission check here based on user, likely via a function passed in to GuardianAuthWithExemptions AuthAction.authenticateRequest(request) { user => - nextFilter(request) + if (permissions.hasPermission(requiredPermission, user.email)) { + nextFilter(request) + } else { + ??? //FIXME serve 4XX (with explanation) + } } } } 
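Review bot: `PermissionsProvider` is built with `stage = if (stage == "PROD") "PROD" else "CODE"`, so every non-PROD environment (including local DEV) silently reads the CODE permissions store, and the hunk does not show what `hasPermission` does if the S3-backed store has not loaded yet or cannot be fetched. Please confirm from the editorial-permissions-client that an unloaded or stale store yields `false` (deny) rather than throwing, since an exception from inside the filter callback would presumably surface as a server error for every authenticated request rather than a clean denial. Document the stage collapse where it happens, e.g. `// Only PROD has a dedicated permissions store; CODE, DEV and local all read the CODE store.` The region is hard-coded to `Regions.EU_WEST_1`; if the rest of the app derives its region from configuration it would be worth doing the same here so the two cannot drift.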
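Review bot: The denied branch in the last hunk is `??? //FIXME serve 4XX (with explanation)`, so an authenticated user who lacks `requiredEditorialPermissionName` trips `NotImplementedError`; that fails closed, but it likely reaches Play's error handler as a 500 rather than the intended 4XX, and nothing is recorded for audit. Replace it with an explicit result plus a log line, e.g. `log.warn(s"Denied ${user.email}: missing permission '$requiredEditorialPermissionName' for $system")` followed by `Future.successful(Results.Forbidden(s"Your account does not have the '$requiredEditorialPermissionName' permission required for $system; please request it through the permissions tool."))`, and drop the FIXME. Keep the response body free of request-derived data so the denial page cannot be used to reflect input; if no logger is in scope in this class, use the file's existing logging facility. The enclosing method's signature is outside the hunk, so check that the branch type still unifies with `nextFilter(request)` as `Future[Result]`.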
diff --git a/preview/app/AppLoader.scala b/preview/app/AppLoader.scala index 459c2c35480..8fa6148801c 100644 --- a/preview/app/AppLoader.scala +++ b/preview/app/AppLoader.scala @@ -116,6 +116,7 @@ trait AppComponents s3Client, system = "preview", extraDoNotAuthenticatePathPrefixes = healthCheck.healthChecks.map(_.path), + requiredEditorialPermissionName = "preview_access", ) override lazy val capiHttpClient: HttpClient = new CapiHttpClient(wsClient) { diff --git a/project/Dependencies.scala b/project/Dependencies.scala index c6b8231787c..4d287ba7de8 100644 --- a/project/Dependencies.scala +++ b/project/Dependencies.scala @@ -59,6 +59,7 @@ object Dependencies { val mockito = "org.mockito" % "mockito-all" % "1.10.19" % Test val paClient = "com.gu" %% "pa-client" % "7.0.7" val panDomainAuth = "com.gu" %% "pan-domain-auth-play_3-0" % "3.1.0" + val editorialPermissions = "com.gu" %% "editorial-permissions-client" % "2.15" val quartzScheduler = "org.quartz-scheduler" % "quartz" % "2.3.2" val redisClient = "net.debasishg" %% "redisclient" % "3.42" val rome = "rome" % "rome" % romeVersion