TRUNK-6203: Global properties access should be privileged

[wikumChamith]

Description of what I changed

Adding @Authorized(PrivilegeConstants.GET_GLOBAL_PROPERTIES) annotation to throw an authentication exception if a user is not authenticated when requesting a global property. Used Context.addProxyPrivilege("Get Global Properties") to extend the privilege to anonymous users in tests and before login.

Issue I worked on

see https://openmrs.atlassian.net/browse/TRUNK-6203

Checklist: I completed these to help reviewers :)

• My IDE is configured to follow the code style of this project.

  No? Unsure? -> configure your IDE, format the code and add the changes with git add . && git commit --amend

• I have added tests to cover my changes. (If you refactored
  existing code that was well tested you do not have to add tests)

  No? -> write tests and add them to this commit git add . && git commit --amend

• I ran mvn clean package right before creating this pull request and
  added all formatting changes to my commit.

  No? -> execute above command

• All new and existing tests passed.

  No? -> figure out why and add the fix to your commit. It is your responsibility to make sure your code works.

• My pull request is based on the latest changes of the master branch.

  No? Unsure? -> execute command git pull --rebase upstream master

[dkayiwa]

@wikumChamith when you run these changes with the reference application modules, were you able to log in and load the main landing dashboard?

[wikumChamith]

@dkayiwa Yes, Everything seems fine on my end.

[dkayiwa]

@wikumChamith did you accidentally leave out the setGlobalProperty() method?

[wikumChamith]

@dkayiwa I updated the PR.

[dkayiwa]

@wikumChamith are you still able to run the reference application even with that change without getting errors?

[wikumChamith]

@dkayiwa Yes, Are you getting any errors?

[dkayiwa]

@wikumChamith have you also tested and confirmed that, with your changes, non logged in users can no longer access global properties as per the ticket requirements? In other words, anonymous users should get some sort of access denied errors when they try to access this: http://localhost:8080/openmrs/ws/rest/v1/systemsetting

[wikumChamith]

@dkayiwa, I've made updates to the PR. Additionally, I've created pull requests for the modules to enable anonymous users to access the login page.

openmrs-module-uiframework : openmrs/openmrs-module-uiframework#77
openmrs-module-referenceapplication : openmrs/openmrs-module-referenceapplication#104
openmrs-module-legacyui : openmrs/openmrs-module-legacyui#190

Regarding the openmrs-module-owa, I encountered an issue. We need to add the 'Get Global Properties' privilege to allow anonymous users to access the login page. However, the method in question (OwaFilter.java#L39) gets called by all requests. Adding Context.addProxyPrivilege(GET_GLOBAL_PROPERTIES) here would grant the privilege to all anonymous requests.

One potential solution I could think of is using request.getHeader("referer") to add the privilege only to requests originating from the login page. Do you have any alternative suggestions for addressing this issue?"

[dkayiwa]

@wikumChamith how about if we intentionally expect this to fail until when accessed by a logged in user?

[wikumChamith]

@dkayiwa main issue here is users won't be able to access the login page because of that.

[dkayiwa]

Do you mind explaining why you changed the contents of String.format()?

[wikumChamith]

The format of the exception message changes after adding the authorization.

[wikumChamith]

@dkayiwa I have created another PR for this using a different approach: #4617

What method do you suggest?

[dkayiwa]

@dkayiwa I have created another PR for this using a different approach: #4617

What method do you suggest?

I think the approach in this pull request is simpler. Don't you think so?

[dkayiwa]

Do we really need this? Who calls it in the startup process?

[dkayiwa]

Do we really need this? Who calls it in the startup process?

[dkayiwa]

We could also just catch the APIAuthenticationException here and log it, before returning false, in order to reduce the need to add proxy privileges. This is based on the fact that it is not a big deal for a not yet logged in user to miss gzip compression. They can have it after login.

[dkayiwa]

@wikumChamith i am changing my mind on this. I think it would be better to add the proxy privilege to avoid these unnecessary errors before login. :)

[dkayiwa]

Do we need to make any changes in this file?

[dkayiwa]

I do not think we should change this file. Can't we do without these changes? The tests that expect these values should still do so.

[wikumChamith]

Not changing this could lead to problems with tests. For an example let's consider the following test.

openmrs-core/api/src/test/java/org/openmrs/api/AdministrationServiceTest.java

Lines 636 to 649 in 7d70503

	public void getGlobalPropertyObject_shouldReturnGlobalPropertyIfUserIsAllowedToView() {
	executeDataSet(ADMIN_INITIAL_DATA_XML);
	GlobalProperty property = getGlobalPropertyWithViewPrivilege();
	// authenticate new user without privileges
	Context.logout();
	Context.authenticate(getTestUserCredentials());
	// add required privilege to user
	Role role = Context.getUserService().getRole("Provider");
	role.addPrivilege(property.getViewPrivilege());
	Context.getAuthenticatedUser().addRole(role);
	assertNotNull(adminService.getGlobalPropertyObject(property.getProperty()));
	}

If we keep the privilege name as "Some Privilege For View Global Properties," this test will fail with an error message stating:

org.openmrs.api.APIAuthenticationException: Privileges required: Get Global Properties

We could mitigate the error by adding Context.addProxyPrivilege(PrivilegeConstants.GET_GLOBAL_PROPERTIES);
However, this goes against the test's purpose: to validate that only users with the appropriate privilege can access global properties.

[dkayiwa]

Do we really need this try finally?

[dkayiwa]

Do we really need this try finally? And the ones below?

[dkayiwa]

I'll look into this.

Awesome! Looking forward to the fix. 😊

[wikumChamith]

@dkayiwa, I am encountering an issue when running the O2 reference application with these changes. Upon launching the server, I face a browser error stating:

localhost redirected you too many times.: ERR_TOO_MANY_REDIRECTS

Apart from this, the only backend error I saw during redirects:

INFO - uncaughtException_jsp._jspService(515) |2024-06-19T19:01:24,921| Exception was thrown by not authenticated user

It looks like the issue is related to the openmrs-module-referenceapplication as the legacy-ui login page is accessible without this module. I also tried giving proxy privileges in a few instances within the reference application module where global properties were accessed but that didn't resolve the issue.

• ReferenceApplicationActivator.java#L170
• LoginPageController.java#L153
• LoginPageController.java#L379

Any insights on how to resolve this are highly appreciated.

[dkayiwa]

@wikumChamith does this problem happen only with your modified version of openmrs-core?

[wikumChamith]

@wikumChamith does this problem happen only with your modified version of openmrs-core?

Yeah. This only occurs on TRUNK-6203

[wikumChamith]

@dkayiwa This fixes the issue: openmrs/openmrs-module-referenceapplication#105

Previously this didn't work for me because of another issue on my side.

[dkayiwa]

@wikumChamith is this supposed to be part of this pull request?

[wikumChamith]

Where is this from 😅 ?

[dkayiwa]

You better find out. 😊

[dkayiwa]

Is this supposed to be part of this pul request?

[wikumChamith]

@dkayiwa I think those two changes are from the rebase. They are similar to the current master:

Concept#hydrate

pom.xml

[dkayiwa]

I do not care where they came from. All i want is not to see them here. 😊

[wikumChamith]

@dkayiwa I removed those changes.

[wikumChamith]

@dkayiwa I updated the PR.