diff --git a/messages/uniworx/de-de-formal.msg b/messages/uniworx/de-de-formal.msg index 8f0a55fa7..6367327a3 100644 --- a/messages/uniworx/de-de-formal.msg +++ b/messages/uniworx/de-de-formal.msg @@ -1157,6 +1157,7 @@ MenuUserPassword: Passwort MenuAdminTest: Admin-Demo MenuMessageList: Systemnachrichten MenuAdminErrMsg: Fehlermeldung entschlüsseln +MenuAdminTokens: Tokens ausstellen MenuProfileData: Persönliche Daten MenuTermCreate: Neues Semester anlegen MenuCourseNew: Neuen Kurs anlegen @@ -2427,3 +2428,21 @@ AllocationUsersCount: Teilnehmer AllocationCoursesCount: Kurse CourseOption tid@TermId ssh@SchoolId coursen@CourseName: #{tid} - #{ssh} - #{coursen} + +BearerTokenUsageWarning: Mit diesem Interface können quesi beliebige Rechte als Tokens kodiert und somit ohne wesentliche weitere Beschränkung frei übertragen werden. Benutzen Sie dieses Interface nur, wenn Sie von einem erfahrenen Entwickler über die Auswirkungen des konkreten Tokens, dass sie ausstellen möchten, beraten wurden! +BearerTokenAuthorityGroups: Token-Authorität (Gruppen) +BearerTokenAuthorityGroupsTip: Die primären Benutzer aller angegebenen Gruppen müssen Zugriff auf eine Route haben, damit das Token den Zugriff auf diese Route erlaubt. +BearerTokenAuthorityUsers: Token-Authorität (Benutzer) +BearerTokenAuthorityUsersTip: Alle angegebenen Benutzer müssen Zugriff auf eine Route haben, damit das Token den Zugriff auf diese Route erlaubt. Der Aussteller muss, bei mit diesem Benutzerinterface erzeugten Tokens, auch Zugriff auf die Route haben (er wird automatisch der Menge von Token-Authoritäten hinzugefügt). +BearerTokenAuthorityUnknownUser email@UserEmail: Ein Nutzer mit E-Mail #{email} ist dem System nicht bekannt +BearerTokenRoutes: Erlaubte Routen +BearerTokenRoutesTip: Wenn die Token-Validität nach Routen eingeschränkt und keine Routen angegeben werden, ist das Token nirgends gültig. +BearerTokenRestrictions: Routen-spezifische Einschränkungen +BearerTokenRestrictRoutes: Token-Validität nach Routen einschränken +BearerTokenAdditionalAuth: Zusätzliche Authorisierung +BearerTokenAdditionalAuthTip: Wird hier nichts angegeben, werden keine Einschränkungen daran gesetzt, wer das Token verwenden kann. Es reicht dann der Besitz. +BearerTokenOverrideExpiration: Ablaufzeitpunkt überschreiben +BearerTokenExpires: Ablaufzeitpunkt +BearerTokenExpiresTip: Wird der Ablaufzeitpunkt überschrieben und kein Ablaufzeitpunkt angegeben, ist das Token für immer gültig. +BearerTokenOverrideStart: Startzeitpunkt +BearerTokenOverrideStartTip: Wird kein Startzeitpunkt angegeben, wird bei Verwendung des Tokens nur der Ablaufzeitpunkt überprüft. \ No newline at end of file diff --git a/messages/uniworx/en-eu.msg b/messages/uniworx/en-eu.msg index 2d107c14b..3123c1649 100644 --- a/messages/uniworx/en-eu.msg +++ b/messages/uniworx/en-eu.msg @@ -1156,6 +1156,7 @@ MenuUserPassword: Password MenuAdminTest: Admin-demo MenuMessageList: System messages MenuAdminErrMsg: Decrypt error message +MenuAdminTokens: Issue tokens MenuProfileData: Personal information MenuTermCreate: Create new semester MenuCourseNew: Create new course @@ -2427,3 +2428,21 @@ AllocationUsersCount: Participants AllocationCoursesCount: Courses CourseOption tid ssh coursen: #{tid} - #{ssh} - #{coursen} + +BearerTokenUsageWarning: Using this interface you are able to encode essentially arbitrary permissions inte bearer tokens. This allows you to freely hand permissions off arbitrarily and without relevant restrictions. Only use this interface if you have discussed the consequences of the specific token, that you want to issue, with an experienced developer! +BearerTokenAuthorityGroups: Authority (groups) +BearerTokenAuthorityGroupsTip: All primary users of the groups listed here need to have the requisite permissions to access a route in order for the created token to grant permission to do so as well. +BearerTokenAuthorityUsers: Authority (users +BearerTokenAuthorityUsersTip: All users listed here need to have the requisite permissions to access a route in order for the created token to grant permission to do so as well. The user issuing the token using this interface also needs to have permission to access that route (they are automatically added to the list of authorities). +BearerTokenAuthorityUnknownUser email: Could not find any user with email #{email} +BearerTokenRoutes: Permitted routes +BearerTokenRoutesTip: If the token is restricted to certain routes and no routes are listed, the token is valid nowhere. +BearerTokenRestrictions: Route-specific restrictions +BearerTokenRestrictRoutes: Restrict token to certain routes +BearerTokenAdditionalAuth: Additional authorisation +BearerTokenAdditionalAuthTip: If nothing is entered, no additional authorisation will be performed when the token is used. Mere posession of the token will be sufficient. +BearerTokenOverrideExpiration: Override expiration time +BearerTokenExpires: Expiration time +BearerTokenExpiresTip: If no expiration time is given, the token will not expire. It will be valid forever. +BearerTokenOverrideStart: Start time +BearerTokenOverrideStartTip: If no start time is given, only the expiration time will be checked when the token is used. diff --git a/routes b/routes index 125b6da56..fcd3c05b0 100644 --- a/routes +++ b/routes @@ -55,6 +55,7 @@ /admin/features AdminFeaturesR GET POST /admin/test AdminTestR GET POST /admin/errMsg AdminErrMsgR GET POST +/admin/tokens AdminTokensR GET POST /health HealthR GET !free /instance InstanceR GET !free diff --git a/src/Foundation.hs b/src/Foundation.hs index 350076572..d5a01d22d 100644 --- a/src/Foundation.hs +++ b/src/Foundation.hs @@ -328,13 +328,13 @@ validateBearer mAuthId' route' isWrite' token' = $runCachedMemoT $ for4 memo val validateBearer' mAuthId route isWrite BearerToken{..} = lift . exceptT return return $ do guardMExceptT (maybe True (HashSet.member route) bearerRoutes) (unauthorizedI MsgUnauthorizedTokenInvalidRoute) - bearerAuthority' <- case bearerAuthority of + bearerAuthority' <- flip foldMapM bearerAuthority $ \case Left tVal | JSON.Success groupName <- JSON.fromJSON tVal -> maybeT (throwError =<< unauthorizedI MsgUnauthorizedTokenInvalidAuthorityGroup) . hoist lift $ do Entity _ UserGroupMember{..} <- MaybeT . getBy $ UniquePrimaryUserGroupMember groupName Active return $ Set.singleton userGroupMemberUser | otherwise -> throwError =<< unauthorizedI MsgUnauthorizedTokenInvalidAuthorityValue - Right uids -> return uids + Right uid -> return $ Set.singleton uid let -- Prevent infinite loops @@ -2013,6 +2013,7 @@ instance YesodBreadcrumbs UniWorX where breadcrumb AdminFeaturesR = i18nCrumb MsgAdminFeaturesHeading $ Just AdminR breadcrumb AdminTestR = i18nCrumb MsgMenuAdminTest $ Just AdminR breadcrumb AdminErrMsgR = i18nCrumb MsgMenuAdminErrMsg $ Just AdminR + breadcrumb AdminTokensR = i18nCrumb MsgMenuAdminTokens $ Just AdminR breadcrumb SchoolListR = i18nCrumb MsgMenuSchoolList $ Just AdminR breadcrumb (SchoolR ssh SchoolEditR) = maybeT (i18nCrumb MsgBreadcrumbSchool $ Just SchoolListR) $ do @@ -2482,6 +2483,14 @@ defaultLinks = fmap catMaybes . mapM runMaybeT $ -- Define the menu items of the , navQuick' = mempty , navForceActive = False } + , NavLink + { navLabel = MsgMenuAdminTokens + , navRoute = AdminTokensR + , navAccess' = return True + , navType = NavTypeLink { navModal = False } + , navQuick' = mempty + , navForceActive = False + } , NavLink { navLabel = MsgMenuAdminTest , navRoute = AdminTestR diff --git a/src/Handler/Admin.hs b/src/Handler/Admin.hs index 0002200e8..0baadf2b8 100644 --- a/src/Handler/Admin.hs +++ b/src/Handler/Admin.hs @@ -9,6 +9,7 @@ import Handler.Utils import Handler.Admin.Test as Handler.Admin import Handler.Admin.ErrorMessage as Handler.Admin import Handler.Admin.StudyFeatures as Handler.Admin +import Handler.Admin.Tokens as Handler.Admin getAdminR :: Handler Html diff --git a/src/Handler/Admin/Tokens.hs b/src/Handler/Admin/Tokens.hs new file mode 100644 index 000000000..9468bfca0 --- /dev/null +++ b/src/Handler/Admin/Tokens.hs @@ -0,0 +1,105 @@ +module Handler.Admin.Tokens + ( getAdminTokensR, postAdminTokensR + ) where + +import Import +import Handler.Utils + +import qualified Data.HashSet as HashSet +import qualified Data.HashMap.Strict as HashMap +import qualified Data.Set as Set + +import Control.Arrow (left) + +import Jose.Jwt (Jwt(..)) + +import qualified Data.Aeson as Aeson +import qualified Data.Aeson.Encode.Pretty as Aeson + +import Data.Map ((!), (!?)) + +import qualified Data.Text as Text + + +data BearerTokenForm = BearerTokenForm + { btfAuthority :: HashSet (Either UserGroupName UserId) + , btfRoutes :: Maybe (HashSet (Route UniWorX)) + , btfRestrict :: HashMap (Route UniWorX) Value + , btfAddAuth :: Maybe AuthDNF + , btfExpiresAt :: Maybe (Maybe UTCTime) + , btfStartsAt :: Maybe UTCTime + } + +bearerTokenForm :: WForm Handler (FormResult BearerTokenForm) +bearerTokenForm = do + muid <- maybeAuthId + + btfAuthorityGroups <- aFormToWForm $ HashSet.fromList . map Left <$> massInputListA pathPieceField (const "") (\p -> Just . SomeRoute $ AdminTokensR :#: p) ("token-groups" :: Text) (fslI MsgBearerTokenAuthorityGroups & setTooltip MsgBearerTokenAuthorityGroupsTip) False Nothing + btfAuthorityUsers <- fmap (fmap . ofoldMap $ HashSet.singleton . Right) <$> wopt (checkMap (foldMapM $ fmap Set.singleton . left MsgBearerTokenAuthorityUnknownUser) (Set.map Right) $ multiUserField False Nothing) (fslI MsgBearerTokenAuthorityUsers & setTooltip MsgBearerTokenAuthorityUsersTip) (Just $ Set.singleton <$> muid) + let btfAuthority' :: FormResult (HashSet (Either UserGroupName UserId)) + btfAuthority' + = (<>) <$> btfAuthorityGroups <*> ((hoistMaybe =<< btfAuthorityUsers) <|> pure HashSet.empty) + + let btfRoutesForm = HashSet.fromList <$> massInputListA routeField (const "") (\p -> Just . SomeRoute $ AdminTokensR :#: p) ("token-routes" :: Text) (fslI MsgBearerTokenRoutes & setTooltip MsgBearerTokenRoutesTip) True Nothing + btfRoutes' <- optionalActionW btfRoutesForm (fslI MsgBearerTokenRestrictRoutes) (Just True) + + let btfRestrictForm = massInputAccumEditW miAdd' miCell' (\p -> Just . SomeRoute $ AdminTokensR :#: p) miLayout' ("token-restrictions" :: Text) (fslI MsgBearerTokenRestrictions) False Nothing + where miAdd' nudge = fmap (over (mapped . _1) tweakRes) . miForm nudge . Left + where tweakRes res = res <&> \(newRoute, newRestr) oldRestrs -> pure (bool [(newRoute, newRestr)] [] $ newRoute `HashMap.member` HashMap.fromList oldRestrs) + miCell' nudge = miForm nudge . Right + miForm :: (Text -> Text) + -> Either (FieldView UniWorX) (Route UniWorX, Value) + -> Form (Route UniWorX, Value) + miForm nudge mode csrf = do + (routeRes, routeView) <- mpreq routeField ("" & addName (nudge "route")) (mode ^? _Right . _1) + (restrRes, restrView) <- mpreq (checkMap (left Text.pack . Aeson.eitherDecode . encodeUtf8 . fromStrict . unTextarea) (Textarea . toStrict . decodeUtf8 . Aeson.encodePretty) $ textareaField) ("" & addName (nudge "restr")) (mode ^? _Right . _2) + + return ((,) <$> routeRes <*> restrRes, case mode of + Left btn -> $(widgetFile "widgets/massinput/token-restrictions/add") + Right _ -> $(widgetFile "widgets/massinput/token-restrictions/cell") + ) + + miLayout' :: MassInputLayout ListLength (Route UniWorX, Value) (Route UniWorX, Value) + miLayout' lLength _ cellWdgts delButtons addWdgts = $(widgetFile "widgets/massinput/token-restrictions/layout") + + btfRestrict' <- fmap HashMap.fromList <$> btfRestrictForm + + btfAddAuth' <- fmap (assertM $ not . Set.null . dnfTerms) <$> wopt pathPieceField (fslI MsgBearerTokenAdditionalAuth & setTooltip MsgBearerTokenAdditionalAuthTip) Nothing + + btfExpiresAt' <- optionalActionW (aopt utcTimeField (fslI MsgBearerTokenExpires & setTooltip MsgBearerTokenExpiresTip) Nothing) (fslI MsgBearerTokenOverrideExpiration) (Just False) + btfStartsAt' <- wopt utcTimeField (fslI MsgBearerTokenOverrideStart & setTooltip MsgBearerTokenOverrideStartTip) Nothing + + return $ BearerTokenForm + <$> btfAuthority' + <*> btfRoutes' + <*> btfRestrict' + <*> btfAddAuth' + <*> btfExpiresAt' + <*> btfStartsAt' + + +getAdminTokensR, postAdminTokensR :: Handler Html +getAdminTokensR = postAdminTokensR +postAdminTokensR = do + ((bearerReq, bearerView), bearerEnc) <- runFormPost $ renderWForm FormStandard bearerTokenForm + + mjwt <- formResultMaybe bearerReq $ \BearerTokenForm{..} -> do + uid <- requireAuthId + let btfAuthority' = btfAuthority + & HashSet.insert (Right uid) + & HashSet.map (left toJSON) + + fmap Just . encodeBearer . set _bearerRestrictions btfRestrict =<< bearerToken btfAuthority' btfRoutes btfAddAuth btfExpiresAt btfStartsAt + + siteLayoutMsg' MsgMenuAdminTokens $ do + setTitleI MsgMenuAdminTokens + + let bearerForm = wrapForm bearerView def + { formMethod = POST + , formAction = Just $ SomeRoute AdminTokensR + , formEncoding = bearerEnc + } + + warning <- notification NotificationBroad <$> messageI Warning MsgBearerTokenUsageWarning + + $(widgetFile "admin-tokens") diff --git a/src/Handler/Course/LecturerInvite.hs b/src/Handler/Course/LecturerInvite.hs index ac1ab7480..53d7156ac 100644 --- a/src/Handler/Course/LecturerInvite.hs +++ b/src/Handler/Course/LecturerInvite.hs @@ -17,7 +17,7 @@ import Data.Aeson hiding (Result(..)) import Text.Hamlet (ihamlet) -import qualified Data.Set as Set +import qualified Data.HashSet as HashSet instance IsInvitableJunction Lecturer where @@ -67,7 +67,7 @@ lecturerInvitationConfig = InvitationConfig{..} invitationHeading (Entity _ Course{..}) _ = return . SomeMessage $ MsgCourseLecInviteHeading $ CI.original courseName invitationExplanation _ _ = return [ihamlet|_{SomeMessage MsgCourseLecInviteExplanation}|] invitationTokenConfig _ _ = do - itAuthority <- Right . Set.singleton <$> liftHandler requireAuthId + itAuthority <- HashSet.singleton . Right <$> liftHandler requireAuthId return $ InvitationTokenConfig itAuthority Nothing Nothing Nothing invitationRestriction _ _ = return Authorized invitationForm _ (InvDBDataLecturer mlType, _) _ = hoistAForm liftHandler $ toJunction <$> case mlType of diff --git a/src/Handler/Course/ParticipantInvite.hs b/src/Handler/Course/ParticipantInvite.hs index d3e7cd5e9..c3d677382 100644 --- a/src/Handler/Course/ParticipantInvite.hs +++ b/src/Handler/Course/ParticipantInvite.hs @@ -29,6 +29,8 @@ import Control.Monad.Except (MonadError(..)) import Generics.Deriving.Monoid (memptydefault, mappenddefault) +import qualified Data.HashSet as HashSet + -- Invitations for ordinary participants of this course instance IsInvitableJunction CourseParticipant where @@ -81,7 +83,7 @@ participantInvitationConfig = InvitationConfig{..} invitationHeading (Entity _ Course{..}) _ = return . SomeMessage $ MsgCourseParticipantInviteHeading $ CI.original courseName invitationExplanation _ _ = return [ihamlet|_{SomeMessage MsgCourseParticipantInviteExplanation}|] invitationTokenConfig _ _ = do - itAuthority <- Right . Set.singleton <$> liftHandler requireAuthId + itAuthority <- HashSet.singleton . Right <$> liftHandler requireAuthId return $ InvitationTokenConfig itAuthority Nothing Nothing Nothing invitationRestriction _ _ = return Authorized invitationForm (Entity _ Course{..}) _ uid = hoistAForm lift . wFormToAForm $ do diff --git a/src/Handler/Exam/CorrectorInvite.hs b/src/Handler/Exam/CorrectorInvite.hs index 205c8bf0f..c55da69f2 100644 --- a/src/Handler/Exam/CorrectorInvite.hs +++ b/src/Handler/Exam/CorrectorInvite.hs @@ -16,7 +16,7 @@ import Text.Hamlet (ihamlet) import Data.Aeson hiding (Result(..)) -import qualified Data.Set as Set +import qualified Data.HashSet as HashSet instance IsInvitableJunction ExamCorrector where @@ -69,7 +69,7 @@ examCorrectorInvitationConfig = InvitationConfig{..} invitationHeading (Entity _ Exam{..}) _ = return . SomeMessage $ MsgExamCorrectorInviteHeading examName invitationExplanation _ _ = return [ihamlet|_{SomeMessage MsgExamCorrectorInviteExplanation}|] invitationTokenConfig _ _ = do - itAuthority <- Right . Set.singleton <$> liftHandler requireAuthId + itAuthority <- HashSet.singleton . Right <$> liftHandler requireAuthId return $ InvitationTokenConfig itAuthority Nothing Nothing Nothing invitationRestriction _ _ = return Authorized invitationForm _ _ _ = pure (JunctionExamCorrector, ()) diff --git a/src/Handler/Exam/RegistrationInvite.hs b/src/Handler/Exam/RegistrationInvite.hs index 1f55b34dd..68ad7cd72 100644 --- a/src/Handler/Exam/RegistrationInvite.hs +++ b/src/Handler/Exam/RegistrationInvite.hs @@ -20,6 +20,8 @@ import Text.Hamlet (ihamlet) import Data.Aeson hiding (Result(..)) import Jobs.Queue + +import qualified Data.HashSet as HashSet instance IsInvitableJunction ExamRegistration where @@ -77,7 +79,7 @@ examRegistrationInvitationConfig = InvitationConfig{..} invitationHeading (Entity _ Exam{..}) _ = return . SomeMessage $ MsgExamRegistrationInviteHeading examName invitationExplanation _ _ = return [ihamlet|_{SomeMessage MsgExamRegistrationInviteExplanation}|] invitationTokenConfig _ (InvDBDataExamRegistration{..}, _) = do - itAuthority <- Right . Set.singleton <$> liftHandler requireAuthId + itAuthority <- HashSet.singleton . Right <$> liftHandler requireAuthId let itExpiresAt = Just $ Just invDBExamRegistrationDeadline itAddAuth | not invDBExamRegistrationCourseRegister diff --git a/src/Handler/ExamOffice/Users.hs b/src/Handler/ExamOffice/Users.hs index ac7b110ba..9071b269f 100644 --- a/src/Handler/ExamOffice/Users.hs +++ b/src/Handler/ExamOffice/Users.hs @@ -19,6 +19,8 @@ import qualified Database.Esqueleto as E import qualified Data.Set as Set import qualified Data.Map as Map import Data.Map ((!), (!?)) + +import qualified Data.HashSet as HashSet instance IsInvitableJunction ExamOfficeUser where @@ -67,7 +69,7 @@ examOfficeUserInvitationConfig = InvitationConfig{..} return . SomeMessage $ MsgExamOfficeUserInviteHeading userDisplayName invitationExplanation _ _ = return [ihamlet|_{SomeMessage MsgExamOfficeUserInviteExplanation}|] invitationTokenConfig _ _ = do - itAuthority <- Right . Set.singleton <$> liftHandler requireAuthId + itAuthority <- HashSet.singleton . Right <$> liftHandler requireAuthId let itExpiresAt = Nothing itStartsAt = Nothing itAddAuth = Nothing diff --git a/src/Handler/ExternalExam/StaffInvite.hs b/src/Handler/ExternalExam/StaffInvite.hs index cdc2a464d..c594b613a 100644 --- a/src/Handler/ExternalExam/StaffInvite.hs +++ b/src/Handler/ExternalExam/StaffInvite.hs @@ -13,7 +13,7 @@ import Handler.Utils.Invitations import Text.Hamlet (ihamlet) import Data.Aeson hiding (Result(..)) -import qualified Data.Set as Set +import qualified Data.HashSet as HashSet instance IsInvitableJunction ExternalExamStaff where @@ -61,7 +61,7 @@ externalExamStaffInvitationConfig = InvitationConfig{..} invitationHeading (Entity _ ExternalExam{..}) _ = return . SomeMessage $ MsgExternalExamStaffInviteHeading externalExamCourseName externalExamExamName invitationExplanation _ _ = return [ihamlet|_{SomeMessage MsgExternalExamStaffInviteExplanation}|] invitationTokenConfig _ _ = do - itAuthority <- Right . Set.singleton <$> liftHandler requireAuthId + itAuthority <- HashSet.singleton . Right <$> liftHandler requireAuthId return $ InvitationTokenConfig itAuthority Nothing (Just Nothing) Nothing invitationRestriction _ _ = return Authorized invitationForm _ (InvDBDataExternalExamStaff, _) _ = pure (JunctionExternalExamStaff, ()) diff --git a/src/Handler/Metrics.hs b/src/Handler/Metrics.hs index e49a57210..92bed0bc1 100644 --- a/src/Handler/Metrics.hs +++ b/src/Handler/Metrics.hs @@ -27,7 +27,7 @@ getMetricsR = selectRep $ do uid <- MaybeT maybeAuthId guardM . lift . existsBy $ UniqueUserGroupMember UserGroupMetrics uid - encodeBearer =<< bearerToken (Left $ toJSON UserGroupMetrics) (Just $ HashSet.singleton MetricsR) Nothing (Just Nothing) Nothing + encodeBearer =<< bearerToken (HashSet.singleton . Left $ toJSON UserGroupMetrics) (Just $ HashSet.singleton MetricsR) Nothing (Just Nothing) Nothing defaultLayout $ do setTitleI MsgTitleMetrics diff --git a/src/Handler/Sheet.hs b/src/Handler/Sheet.hs index f12c355f8..be86eca93 100644 --- a/src/Handler/Sheet.hs +++ b/src/Handler/Sheet.hs @@ -30,6 +30,7 @@ import qualified Database.Esqueleto as E import qualified Database.Esqueleto.Utils as E -- import qualified Database.Esqueleto.Internal.Sql as E +import qualified Data.HashSet as HashSet import qualified Data.Set as Set import qualified Data.Map as Map @@ -881,7 +882,7 @@ correctorInvitationConfig = InvitationConfig{..} invitationHeading (Entity _ Sheet{..}) _ = return . SomeMessage $ MsgSheetCorrInviteHeading sheetName invitationExplanation _ _ = return [ihamlet|_{SomeMessage MsgSheetCorrInviteExplanation}|] invitationTokenConfig _ _ = do - itAuthority <- Right . Set.singleton <$> liftHandler requireAuthId + itAuthority <- HashSet.singleton . Right <$> liftHandler requireAuthId return $ InvitationTokenConfig itAuthority Nothing Nothing Nothing invitationRestriction _ _ = return Authorized invitationForm _ (InvDBDataSheetCorrector cLoad cState, _) _ = pure $ (JunctionSheetCorrector cLoad cState, ()) diff --git a/src/Handler/Submission.hs b/src/Handler/Submission.hs index d4c0ba631..7878ae211 100644 --- a/src/Handler/Submission.hs +++ b/src/Handler/Submission.hs @@ -37,6 +37,8 @@ import Text.Blaze (Markup) import Data.Aeson hiding (Result(..)) import Text.Hamlet (ihamlet) +import qualified Data.HashSet as HashSet + -- import Colonnade hiding (bool, fromMaybe) -- import qualified Yesod.Colonnade as Yesod -- import qualified Text.Blaze.Html5.Attributes as HA @@ -104,7 +106,7 @@ submissionUserInvitationConfig = InvitationConfig{..} invitationTokenConfig (Entity _ Submission{..}) _ = do Sheet{..} <- getJust submissionSheet Course{..} <- getJust sheetCourse - itAuthority <- Right . Set.singleton <$> liftHandler requireAuthId + itAuthority <- HashSet.singleton . Right <$> liftHandler requireAuthId itAddAuth <- either throwM (return . Just) $ routeAuthTags (CSheetR courseTerm courseSchool courseShorthand sheetName SubmissionNewR) let itExpiresAt = Nothing itStartsAt = Nothing diff --git a/src/Handler/Tutorial/TutorInvite.hs b/src/Handler/Tutorial/TutorInvite.hs index e8688da59..725cc6e83 100644 --- a/src/Handler/Tutorial/TutorInvite.hs +++ b/src/Handler/Tutorial/TutorInvite.hs @@ -13,7 +13,7 @@ import Handler.Utils.Invitations import Data.Aeson hiding (Result(..)) import Text.Hamlet (ihamlet) -import qualified Data.Set as Set +import qualified Data.HashSet as HashSet instance IsInvitableJunction Tutor where @@ -66,7 +66,7 @@ tutorInvitationConfig = InvitationConfig{..} invitationHeading (Entity _ Tutorial{..}) _ = return . SomeMessage $ MsgTutorInviteHeading tutorialName invitationExplanation _ _ = return [ihamlet|_{SomeMessage MsgTutorInviteExplanation}|] invitationTokenConfig _ _ = do - itAuthority <- Right . Set.singleton <$> liftHandler requireAuthId + itAuthority <- HashSet.singleton . Right <$> liftHandler requireAuthId return $ InvitationTokenConfig itAuthority Nothing Nothing Nothing invitationRestriction _ _ = return Authorized invitationForm _ _ _ = pure (JunctionTutor, ()) diff --git a/src/Handler/Users.hs b/src/Handler/Users.hs index a3d860a5e..ee0d67d85 100644 --- a/src/Handler/Users.hs +++ b/src/Handler/Users.hs @@ -36,6 +36,8 @@ import Handler.Users.Add as Handler.Users import qualified Data.Conduit.List as C +import qualified Data.HashSet as HashSet + hijackUserForm :: Form () hijackUserForm csrf = do @@ -571,7 +573,7 @@ functionInvitationConfig = InvitationConfig{..} MsgRenderer mr <- getMsgRenderer return [ihamlet|_{SomeMessage $ MsgSchoolFunctionInviteExplanation (mr $ SomeMessage invTokenUserFunctionFunction)}|] invitationTokenConfig _ (InvDBDataUserFunction{..}, _) = do - itAuthority <- Right . Set.singleton <$> liftHandler requireAuthId + itAuthority <- HashSet.singleton . Right <$> liftHandler requireAuthId let itExpiresAt = Just $ Just invDBUserFunctionDeadline itAddAuth = Nothing itStartsAt = Nothing diff --git a/src/Handler/Utils/Invitations.hs b/src/Handler/Utils/Invitations.hs index 2537ace7d..47873d036 100644 --- a/src/Handler/Utils/Invitations.hs +++ b/src/Handler/Utils/Invitations.hs @@ -140,7 +140,7 @@ data InvitationConfig junction = forall formCtx. InvitationConfig -- | Additional configuration needed for an invocation of `bearerToken` data InvitationTokenConfig = InvitationTokenConfig - { itAuthority :: Either Value (Set UserId) + { itAuthority :: HashSet (Either Value UserId) , itAddAuth :: Maybe AuthDNF , itExpiresAt :: Maybe (Maybe UTCTime) , itStartsAt :: Maybe UTCTime diff --git a/src/Jobs/Handler/ChangeUserDisplayEmail.hs b/src/Jobs/Handler/ChangeUserDisplayEmail.hs index db9747729..0d256c0ca 100644 --- a/src/Jobs/Handler/ChangeUserDisplayEmail.hs +++ b/src/Jobs/Handler/ChangeUserDisplayEmail.hs @@ -7,13 +7,12 @@ import Import import Handler.Utils.Mail import qualified Data.HashSet as HashSet import qualified Data.CaseInsensitive as CI -import qualified Data.Set as Set import Text.Hamlet dispatchJobChangeUserDisplayEmail :: UserId -> UserEmail -> Handler () dispatchJobChangeUserDisplayEmail jUser jDisplayEmail = do - bearer <- bearerRestrict SetDisplayEmailR jDisplayEmail <$> bearerToken (Right $ Set.singleton jUser) (Just $ HashSet.singleton SetDisplayEmailR) Nothing Nothing Nothing + bearer <- bearerRestrict SetDisplayEmailR jDisplayEmail <$> bearerToken (HashSet.singleton $ Right jUser) (Just $ HashSet.singleton SetDisplayEmailR) Nothing Nothing Nothing jwt <- encodeBearer bearer let setDisplayEmailUrl :: SomeRoute UniWorX diff --git a/src/Jobs/Handler/SendNotification/Utils.hs b/src/Jobs/Handler/SendNotification/Utils.hs index ce234035f..e60d20cfd 100644 --- a/src/Jobs/Handler/SendNotification/Utils.hs +++ b/src/Jobs/Handler/SendNotification/Utils.hs @@ -8,7 +8,6 @@ import Import import Text.Hamlet import qualified Data.HashSet as HashSet -import qualified Data.Set as Set ihamletSomeMessage :: HtmlUrlI18n UniWorXMessage (Route UniWorX) -> HtmlUrlI18n (SomeMessage UniWorX) (Route UniWorX) @@ -17,7 +16,7 @@ ihamletSomeMessage f trans = f $ trans . SomeMessage mkEditNotifications :: (MonadHandler m, HandlerSite m ~ UniWorX) => UserId -> m (HtmlUrlI18n UniWorXMessage (Route UniWorX)) mkEditNotifications uid = liftHandler $ do cID <- encrypt uid - jwt <- encodeBearer =<< bearerToken (Right $ Set.singleton uid) (Just . HashSet.singleton $ UserNotificationR cID) Nothing Nothing Nothing + jwt <- encodeBearer =<< bearerToken (HashSet.singleton $ Right uid) (Just . HashSet.singleton $ UserNotificationR cID) Nothing Nothing Nothing let editNotificationsUrl :: SomeRoute UniWorX editNotificationsUrl = SomeRoute (UserNotificationR cID, [(toPathPiece GetBearer, toPathPiece jwt)]) diff --git a/src/Jobs/Handler/SendPasswordReset.hs b/src/Jobs/Handler/SendPasswordReset.hs index 504d0d2ce..352b37b7f 100644 --- a/src/Jobs/Handler/SendPasswordReset.hs +++ b/src/Jobs/Handler/SendPasswordReset.hs @@ -10,7 +10,6 @@ import Handler.Utils.Users import qualified Data.ByteString.Base64 as Base64 import qualified Data.ByteArray as BA import qualified Data.HashSet as HashSet -import qualified Data.Set as Set import Text.Hamlet @@ -30,7 +29,7 @@ dispatchJobSendPasswordReset jRecipient = userMailT jRecipient $ do LTUUnique utc' _ -> utc' _other -> UTCTime (addDays 2 $ utctDay now) 0 - resetBearer' <- bearerToken (Right $ Set.singleton jRecipient) (Just . HashSet.singleton $ UserPasswordR cID) Nothing (Just $ Just tomorrowEndOfDay) Nothing + resetBearer' <- bearerToken (HashSet.singleton $ Right jRecipient) (Just . HashSet.singleton $ UserPasswordR cID) Nothing (Just $ Just tomorrowEndOfDay) Nothing let resetBearer = resetBearer' & bearerRestrict (UserPasswordR cID) (decodeUtf8 . Base64.encode . BA.convert $ computeUserAuthenticationDigest userAuthentication) encodedBearer <- encodeBearer resetBearer diff --git a/src/Model/Tokens/Bearer.hs b/src/Model/Tokens/Bearer.hs index 3dc7413f8..807dad35b 100644 --- a/src/Model/Tokens/Bearer.hs +++ b/src/Model/Tokens/Bearer.hs @@ -24,6 +24,7 @@ import qualified Jose.Jwt as Jose import Jose.Jwt.Instances () +import qualified Data.HashSet as HashSet import qualified Data.HashMap.Strict as HashMap import Data.Time.Clock.Instances () @@ -39,15 +40,13 @@ import Data.Binary (Binary) import qualified Data.CryptoID.Class.ImplicitNamespace as I -import qualified Data.Set as Set - -- | Presenting a `BearerToken` transfers some authorisation from `tokenAuthority` to /whoever/ presents the token data BearerToken site = BearerToken { bearerIdentifier :: TokenId -- ^ Unique identifier for each token; maybe useful for tracing usage of tokens - , bearerAuthority :: Either Value (Set (AuthId site)) + , bearerAuthority :: HashSet (Either Value (AuthId site)) -- ^ Tokens only grant rights the `bearerAuthority` has (i.e. `AuthTag`s are evaluated with the user set to `bearerAuthority`) , bearerRoutes :: Maybe (HashSet (Route site)) -- ^ Tokens can optionally be restricted to only be usable on a subset of routes @@ -65,10 +64,10 @@ data BearerToken site = BearerToken } deriving (Generic, Typeable) deriving instance (Eq (AuthId site), Eq (Route site)) => Eq (BearerToken site) -deriving instance (Read (AuthId site), Eq (Route site), Hashable (Route site), Read (Route site), Ord (AuthId site)) => Read (BearerToken site) -deriving instance (Show (AuthId site), Show (Route site), Ord (AuthId site)) => Show (BearerToken site) +deriving instance (Read (AuthId site), Eq (Route site), Hashable (Route site), Read (Route site), Hashable (AuthId site), Eq (AuthId site)) => Read (BearerToken site) +deriving instance (Show (AuthId site), Show (Route site), Hashable (AuthId site)) => Show (BearerToken site) -instance (Binary (AuthId site), Binary (Route site), Hashable (Route site), Eq (Route site)) => Binary (BearerToken site) +instance (Binary (AuthId site), Binary (Route site), Hashable (Route site), Eq (Route site), Hashable (AuthId site), Eq (AuthId site)) => Binary (BearerToken site) makeLenses_ ''BearerToken instance HasTokenIdentifier (BearerToken site) TokenId where @@ -111,7 +110,7 @@ bearerToJSON :: forall m. -- -- Monadic context is needed because `AuthId`s are encrypted during encoding bearerToJSON BearerToken{..} = do - cID <- either (return . Left) (fmap Right . foldMapM (fmap Set.singleton . I.encrypt)) bearerAuthority :: m (Either Value (Set (CryptoUUID (AuthId (HandlerSite m))))) + cID <- foldMapM (fmap HashSet.singleton . either (return . Left) (fmap Right . I.encrypt)) bearerAuthority :: m (HashSet (Either Value (CryptoUUID (AuthId (HandlerSite m))))) let stdPayload = Jose.JwtClaims { jwtIss = Just $ toPathPiece bearerIssuedBy , jwtSub = Nothing @@ -122,9 +121,8 @@ bearerToJSON BearerToken{..} = do , jwtJti = Just $ toPathPiece bearerIdentifier } - authorityToJSON (Left v ) = v - authorityToJSON (Right ids) | [uid] <- toList ids = toJSON uid - | otherwise = toJSON ids + authorityToJSON auths | [auth] <- otoList auths = either toJSON toJSON auth + | otherwise = toJSON $ HashSet.map (either toJSON toJSON) auths return . JSON.object $ catMaybes [ Just $ "authority" .= authorityToJSON cID , ("routes" .=) <$> bearerRoutes @@ -134,7 +132,7 @@ bearerToJSON BearerToken{..} = do ++ let JSON.Object hm = toJSON stdPayload in HashMap.toList hm bearerParseJSON :: forall site. - ( Ord (AuthId site) + ( Hashable (AuthId site), Eq (AuthId site) , HasCryptoUUID (AuthId site) (ReaderT CryptoIDKey Parser) , ParseRoute site , Hashable (Route site) @@ -147,8 +145,12 @@ bearerParseJSON :: forall site. -- -- It's usually easier to use `Utils.Tokens.bearerParseJSON'` bearerParseJSON v@(Object o) = do - bearerAuthority' <- lift $ (Right <$> o .: "authority") <|> (Right . Set.singleton <$> o .: "authority") <|> (Left <$> o .: "authority") :: ReaderT CryptoIDKey Parser (Either Value (Set (CryptoUUID (AuthId site)))) - bearerAuthority <- either (return . Left) (fmap Right . foldMapM (fmap Set.singleton . I.decrypt)) bearerAuthority' + bearerAuthority' <- lift $ asum + [ HashSet.singleton . Right <$> o .: "authority" + , (o .: "authority" :: Parser (HashSet Value)) >>= foldMapM (\v' -> fmap HashSet.singleton $ (Right <$> parseJSON v') <|> return (Left v')) + , HashSet.singleton . Left <$> o .: "authority" + ] :: ReaderT CryptoIDKey Parser (HashSet (Either Value (CryptoUUID (AuthId site)))) + bearerAuthority <- foldMapM (fmap HashSet.singleton . either (return . Left) (fmap Right . I.decrypt)) bearerAuthority' bearerRoutes <- lift $ o .:? "routes" bearerAddAuth <- lift $ o .:? "add-auth" diff --git a/src/Model/Types/Security.hs b/src/Model/Types/Security.hs index 71e35fbdf..ad6a4c8dc 100644 --- a/src/Model/Types/Security.hs +++ b/src/Model/Types/Security.hs @@ -12,6 +12,7 @@ module Model.Types.Security import Import.NoModel import qualified Data.Text as Text +import qualified Data.Set as Set import qualified Data.HashMap.Strict as HashMap @@ -24,6 +25,8 @@ import qualified Data.CaseInsensitive as CI import Model.Types.TH.PathPiece import Database.Persist.Sql +import Utils.Lens.TH + data AuthenticationMode = AuthLDAP | AuthPWHash { authPWHash :: Text } @@ -149,6 +152,10 @@ instance (Ord a, Binary a) => Binary (PredDNF a) where get = PredDNF <$> Binary.get put = Binary.put . dnfTerms +instance (Ord a, PathPiece a) => PathPiece (PredDNF a) where + toPathPiece = Text.unwords . map (Text.intercalate "AND") . map (map toPathPiece . otoList) . otoList . dnfTerms + fromPathPiece = fmap (PredDNF . Set.fromList) . mapM (fromNullable <=< foldMapM (fmap Set.singleton . fromPathPiece) . Text.splitOn "AND") . concatMap (Text.splitOn "OR") . Text.words + type AuthLiteral = PredLiteral AuthTag type AuthDNF = PredDNF AuthTag @@ -158,6 +165,7 @@ data UserGroupName = UserGroupMetrics | UserGroupCustom { userGroupCustomName :: CI Text } deriving (Eq, Ord, Read, Show, Generic, Typeable) + deriving anyclass (Hashable) instance PathPiece UserGroupName where toPathPiece UserGroupMetrics = "metrics" @@ -171,3 +179,4 @@ instance PathPiece UserGroupName where pathPieceJSON ''UserGroupName derivePersistFieldPathPiece' (sqlType (Proxy @(CI Text))) ''UserGroupName +makeLenses_ ''UserGroupName diff --git a/src/Utils/Tokens.hs b/src/Utils/Tokens.hs index 0e05629aa..f290261fc 100644 --- a/src/Utils/Tokens.hs +++ b/src/Utils/Tokens.hs @@ -33,7 +33,7 @@ import Text.Blaze (Markup) bearerParseJSON' :: forall m. - ( Ord (AuthId (HandlerSite m)) + ( Hashable (AuthId (HandlerSite m)), Eq (AuthId (HandlerSite m)) , HasCryptoUUID (AuthId (HandlerSite m)) (ReaderT CryptoIDKey Parser) , ParseRoute (HandlerSite m) , Hashable (Route (HandlerSite m)) @@ -54,7 +54,7 @@ bearerToken :: forall m. , HasClusterID (HandlerSite m) ClusterId , HasAppSettings (HandlerSite m) ) - => Either Value (Set (AuthId (HandlerSite m))) + => HashSet (Either Value (AuthId (HandlerSite m))) -> Maybe (HashSet (Route (HandlerSite m))) -> Maybe AuthDNF -> Maybe (Maybe UTCTime) -- ^ @Nothing@ determines default expiry time automatically @@ -109,7 +109,7 @@ instance Exception BearerTokenException decodeBearer :: forall m. ( MonadHandler m , HasJSONWebKeySet (HandlerSite m) JwkSet - , Ord (AuthId (HandlerSite m)) + , Hashable (AuthId (HandlerSite m)), Eq (AuthId (HandlerSite m)) , HasCryptoUUID (AuthId (HandlerSite m)) (ReaderT CryptoIDKey Parser) , MonadCryptoKey m ~ CryptoIDKey , MonadCrypto m diff --git a/templates/admin-tokens.hamlet b/templates/admin-tokens.hamlet new file mode 100644 index 000000000..d0cf294e3 --- /dev/null +++ b/templates/admin-tokens.hamlet @@ -0,0 +1,10 @@ +$newline never +^{warning} + +$maybe (Jwt bs) <- mjwt +
+ 
+      #{decodeUtf8 bs}
+
+

+  ^{bearerForm}
diff --git a/templates/widgets/massinput/token-restrictions/add.hamlet b/templates/widgets/massinput/token-restrictions/add.hamlet
new file mode 100644
index 000000000..1ffbf19f8
--- /dev/null
+++ b/templates/widgets/massinput/token-restrictions/add.hamlet
@@ -0,0 +1,7 @@
+$newline never
+
+  #{csrf}
+  ^{fvInput routeView}

+  ^{fvInput restrView}
+
+  ^{fvInput btn}
diff --git a/templates/widgets/massinput/token-restrictions/cell.hamlet b/templates/widgets/massinput/token-restrictions/cell.hamlet
new file mode 100644
index 000000000..af5b0462b
--- /dev/null
+++ b/templates/widgets/massinput/token-restrictions/cell.hamlet
@@ -0,0 +1,6 @@
+$newline never
+
+  #{csrf}
+  ^{fvInput routeView}

+  ^{fvInput restrView}
+
diff --git a/templates/widgets/massinput/token-restrictions/layout.hamlet b/templates/widgets/massinput/token-restrictions/layout.hamlet
new file mode 100644
index 000000000..f1842a72f
--- /dev/null
+++ b/templates/widgets/massinput/token-restrictions/layout.hamlet
@@ -0,0 +1,13 @@
+$newline never
+
+  
+    $forall coord <- review liveCoords lLength
+      
+        ^{cellWdgts ! coord}
+        
+      
+        ^{addWdgt}
diff --git a/translate.hs b/translate.hs
index eadb44621..cc81b6fa4 100755
--- a/translate.hs
+++ b/translate.hs
@@ -254,7 +254,9 @@ combine f1 f2 = insertMissing f1 f2 >> insertMissing f2 f1
       unless (null missing) $ do
         response <- runUserEditor (mkTemplate "msg") query
         let responseMsgs = readMsgText "" response
-        insertIntoFile f2' f1' responseMsgs
+            responseMsgs' = responseMsgs { msgDefinitions = map stripTypes $ msgDefinitions responseMsgs }
+            stripTypes defn = defn { msgArgs = map (\(n, _) -> (n, Nothing)) $ msgArgs defn }
+        insertIntoFile f2' f1' responseMsgs'
 
 
 normalizeLang :: Bool -> String -> String


+          $maybe delButton <- delButtons !? coord
+            ^{fvInput delButton}
+  $maybe addWdgt <- addWdgts !? (0, 0)
+