Refactor api user check auth0

src/main/java/org/opentripplanner/middleware/auth/Auth0Connection.java

@@ -14,6 +14,9 @@
 import org.opentripplanner.middleware.models.AbstractUser;
 import org.opentripplanner.middleware.models.ApiUser;
 import org.opentripplanner.middleware.models.OtpUser;
+import org.opentripplanner.middleware.persistence.Persistence;
+import org.opentripplanner.middleware.utils.ConfigUtils;
+import org.opentripplanner.middleware.utils.JsonUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import spark.HaltException;
@@ -24,10 +27,6 @@
 
 import static org.opentripplanner.middleware.controllers.api.ApiUserController.API_USER_PATH;
 import static org.opentripplanner.middleware.controllers.api.OtpUserController.OTP_USER_PATH;
-import static org.opentripplanner.middleware.utils.ConfigUtils.getConfigPropertyAsText;
-import static org.opentripplanner.middleware.utils.ConfigUtils.hasConfigProperty;
-import static org.opentripplanner.middleware.utils.JsonUtils.getPOJOFromRequestBody;
-import static org.opentripplanner.middleware.utils.JsonUtils.logMessageAndHalt;
 
 /**
  * This handles verifying the Auth0 token passed in the auth header (e.g., Authorization: Bearer MY_TOKEN of Spark HTTP
@@ -54,9 +53,10 @@ public static void checkUser(Request req) {
         if (isAuthDisabled()) {
             // If in a development or testing environment, assign a mock profile of an admin user to the request
             // attribute and skip authentication.
-            addUserToRequest(req, Auth0UserProfile.createTestUser(req));
+            addUserToRequest(req, RequestingUser.createTestUser(req));
             return;
         }
+        // Admin and OTP users authenticated by Bearer token
         String token = getTokenFromRequest(req);
         // Handle getting the verifier outside of the below verification try/catch, which is intended to catch issues
         // with the client request. (getVerifier has its own exception/halt handling).
@@ -65,7 +65,7 @@ public static void checkUser(Request req) {
         // for downstream controllers to check permissions.
         try {
             DecodedJWT jwt = verifier.verify(token);
-            Auth0UserProfile profile = new Auth0UserProfile(jwt);
+            RequestingUser profile = new RequestingUser(jwt);
             if (!isValidUser(profile)) {
                 if (isCreatingSelf(req, profile)) {
                     // If creating self, no user account is required (it does not exist yet!). Note: creating an
@@ -74,27 +74,27 @@ public static void checkUser(Request req) {
                     LOG.info("New user is creating self. OK to proceed without existing user object for auth0UserId");
                 } else {
                     // Otherwise, if no valid user is found, halt the request.
-                    logMessageAndHalt(req, HttpStatus.NOT_FOUND_404, "Unknown user.");
+                    JsonUtils.logMessageAndHalt(req, HttpStatus.NOT_FOUND_404, "Auth0 auth - Unknown user.");
                 }
             }
             // The user attribute is used on the server side to check user permissions and does not have all of the
             // fields that the raw Auth0 profile string does.
             addUserToRequest(req, profile);
         } catch (JWTVerificationException e) {
             // Invalid signature/claims
-            logMessageAndHalt(req, 401, "Login failed to verify with our authorization provider.", e);
+            JsonUtils.logMessageAndHalt(req, 401, "Login failed to verify with our authorization provider.", e);
         } catch (HaltException e) {
             throw e;
         } catch (Exception e) {
             LOG.warn("Login failed to verify with our authorization provider.", e);
-            logMessageAndHalt(req, 401, "Could not verify user's token");
+            JsonUtils.logMessageAndHalt(req, 401, "Could not verify user's token");
         }
     }
 
     /**
      * Check for POST requests that are creating an {@link AbstractUser} (a proxy for OTP/API users).
      */
-    private static boolean isCreatingSelf(Request req, Auth0UserProfile profile) {
+    private static boolean isCreatingSelf(Request req, RequestingUser profile) {
         String uri = req.uri();
         String method = req.requestMethod();
         // Check that this is a POST request.
@@ -109,7 +109,7 @@ private static boolean isCreatingSelf(Request req, Auth0UserProfile profile) {
                 try {
                     // Next, get the user object from the request body, verifying that the Auth0UserId matches between
                     // requester and the new user object.
-                    AbstractUser user = getPOJOFromRequestBody(req, userClass);
+                    AbstractUser user = JsonUtils.getPOJOFromRequestBody(req, userClass);
                     return profile.auth0UserId.equals(user.auth0UserId);
                 } catch (JsonProcessingException e) {
                     LOG.warn("Could not parse user object from request.", e);
@@ -124,17 +124,16 @@ public static boolean isAuthHeaderPresent(Request req) {
         return authHeader != null;
     }
 
-
     /**
      * Assign user to request and check that the user is an admin.
      */
     public static void checkUserIsAdmin(Request req, Response res) {
         // Check auth token in request (and add user object to request).
         checkUser(req);
         // Check that user object is present and is admin.
-        Auth0UserProfile user = Auth0Connection.getUserFromRequest(req);
+        RequestingUser user = Auth0Connection.getUserFromRequest(req);
         if (!isUserAdmin(user)) {
-            logMessageAndHalt(
+            JsonUtils.logMessageAndHalt(
                 req,
                 HttpStatus.UNAUTHORIZED_401,
                 "User is not authorized to perform administrative action"
@@ -143,23 +142,24 @@ public static void checkUserIsAdmin(Request req, Response res) {
     }
 
     /**
-     * Check if the incoming user is an admin user
+     * Check if the incoming user is an admin user. To be classed as an admin user, the user must not be any other user
+     * type.
      */
-    public static boolean isUserAdmin(Auth0UserProfile user) {
-        return user != null && user.adminUser != null;
+    public static boolean isUserAdmin(RequestingUser user) {
+        return user != null && user.adminUser != null && user.apiUser == null && user.otpUser == null;
     }
 
     /**
      * Add user profile to Spark Request object
      */
-    public static void addUserToRequest(Request req, Auth0UserProfile user) {
+    public static void addUserToRequest(Request req, RequestingUser user) {
         req.attribute("user", user);
     }
 
     /**
      * Get user profile from Spark Request object
      */
-    public static Auth0UserProfile getUserFromRequest(Request req) {
+    public static RequestingUser getUserFromRequest(Request req) {
         return req.attribute("user");
     }
 
@@ -168,19 +168,19 @@ public static Auth0UserProfile getUserFromRequest(Request req) {
      */
     private static String getTokenFromRequest(Request req) {
         if (!isAuthHeaderPresent(req)) {
-            logMessageAndHalt(req, 401, "Authorization header is missing.");
+            JsonUtils.logMessageAndHalt(req, 401, "Authorization header is missing.");
         }
 
         // Check that auth header is present and formatted correctly (Authorization: Bearer [token]).
         final String authHeader = req.headers("Authorization");
         String[] parts = authHeader.split(" ");
         if (parts.length != 2 || !"bearer".equals(parts[0].toLowerCase())) {
-            logMessageAndHalt(req, 401, String.format("Authorization header is malformed: %s", authHeader));
+            JsonUtils.logMessageAndHalt(req, 401, String.format("Authorization header is malformed: %s", authHeader));
         }
         // Retrieve token from auth header.
         String token = parts[1];
         if (token == null) {
-            logMessageAndHalt(req, 401, "Could not find authorization token");
+            JsonUtils.logMessageAndHalt(req, 401, "Could not find authorization token");
         }
         return token;
     }
@@ -192,7 +192,7 @@ private static String getTokenFromRequest(Request req) {
     private static JWTVerifier getVerifier(Request req, String token) {
         if (verifier == null) {
             try {
-                final String domain = "https://" + getConfigPropertyAsText("AUTH0_DOMAIN") + "/";
+                final String domain = "https://" + ConfigUtils.getConfigPropertyAsText("AUTH0_DOMAIN") + "/";
                 JwkProvider provider = new UrlJwkProvider(domain);
                 // Decode the token.
                 DecodedJWT jwt = JWT.decode(token);
@@ -209,14 +209,15 @@ private static JWTVerifier getVerifier(Request req, String token) {
                     .build();
             } catch (IllegalStateException | NullPointerException | JwkException e) {
                 LOG.error("Auth0 verifier configured incorrectly.");
-                logMessageAndHalt(req, 500, "Server authentication configured incorrectly.", e);
+                JsonUtils.logMessageAndHalt(req, 500, "Server authentication configured incorrectly.", e);
             }
         }
         return verifier;
     }
 
     public static boolean getDefaultAuthDisabled() {
-        return hasConfigProperty("DISABLE_AUTH") && "true".equals(getConfigPropertyAsText("DISABLE_AUTH"));
+        return ConfigUtils.hasConfigProperty("DISABLE_AUTH") &&
+            "true".equals(ConfigUtils.getConfigPropertyAsText("DISABLE_AUTH"));
     }
 
     /**
@@ -236,29 +237,38 @@ public static void setAuthDisabled(boolean authDisabled) {
     /**
      * Confirm that the user exists in at least one of the MongoDB user collections.
      */
-    private static boolean isValidUser(Auth0UserProfile profile) {
+    private static boolean isValidUser(RequestingUser profile) {
         return profile != null && (profile.adminUser != null || profile.otpUser != null || profile.apiUser != null);
     }
 
     /**
-     * Confirm that the user's actions are on their items if not admin.
+     * Confirm that the user's actions are on their items if not admin. In the case of an Api user confirm that the
+     * user's actions, on Otp users, are Otp users they created initially.
      */
     public static void isAuthorized(String userId, Request request) {
-        Auth0UserProfile profile = getUserFromRequest(request);
+        RequestingUser requestingUser = getUserFromRequest(request);
         // let admin do anything
-        if (profile.adminUser != null) {
+        if (requestingUser.adminUser != null) {
             return;
         }
-        // If userId is defined, it must be set to a value associated with the user.
+        // If userId is defined, it must be set to a value associated with a user.
         if (userId != null) {
-            if (profile.otpUser != null && profile.otpUser.id.equals(userId)) {
+            if (requestingUser.otpUser != null && requestingUser.otpUser.id.equals(userId)) {
+                // Otp user requesting their item.
                 return;
             }
-            if (profile.apiUser != null && profile.apiUser.id.equals(userId)) {
+            if (requestingUser.isThirdPartyUser() && requestingUser.apiUser.id.equals(userId)) {
+                // Api user requesting their item.
                 return;
             }
+            if (requestingUser.isThirdPartyUser()) {
+                // Api user potentially requesting an item on behalf of an Otp user they created.
+                OtpUser otpUser = Persistence.otpUsers.getById(userId);
+                if (otpUser != null && requestingUser.apiUser.id.equals(otpUser.applicationId)) {
+                    return;
+                }
+            }
         }
-        logMessageAndHalt(request, HttpStatus.FORBIDDEN_403, "Unauthorized access.");
+        JsonUtils.logMessageAndHalt(request, HttpStatus.FORBIDDEN_403, "Unauthorized access.");
     }
-
 }