Support impersonation via Java client API

SVN r65329 |2020-04-07 04:57:23 +0000

Author: labkey-kevink

.gitattributes

@@ -135,10 +135,14 @@ java/src/org/labkey/remoteapi/security/GetGroupPermsResponse.java -text
 java/src/org/labkey/remoteapi/security/GetUsersCommand.java -text
 java/src/org/labkey/remoteapi/security/GetUsersResponse.java -text
 java/src/org/labkey/remoteapi/security/GroupMembersCommand.java -text
+java/src/org/labkey/remoteapi/security/ImpersonateUserCommand.java -text
 java/src/org/labkey/remoteapi/security/LogoutCommand.java -text
 java/src/org/labkey/remoteapi/security/RemoveGroupMembersCommand.java -text
 java/src/org/labkey/remoteapi/security/RenameGroupCommand.java -text
 java/src/org/labkey/remoteapi/security/RenameGroupResponse.java -text
+java/src/org/labkey/remoteapi/security/StopImpersonatingCommand.java -text
+java/src/org/labkey/remoteapi/security/WhoAmICommand.java -text
+java/src/org/labkey/remoteapi/security/WhoAmIResponse.java -text
 java/src/org/labkey/remoteapi/study/CheckForStudyReloadCommand.java -text
 java/src/org/labkey/remoteapi/study/ParticipantGroup.java -text
 java/src/org/labkey/remoteapi/study/UpdateParticipantGroupCommand.java -text

java/src/org/labkey/remoteapi/Connection.java

@@ -35,7 +35,10 @@
 import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
 import org.apache.http.impl.cookie.BasicClientCookie;
 import org.labkey.remoteapi.security.EnsureLoginCommand;
+import org.labkey.remoteapi.security.ImpersonateUserCommand;
 import org.labkey.remoteapi.security.LogoutCommand;
+import org.labkey.remoteapi.security.StopImpersonatingCommand;
+import org.labkey.remoteapi.security.WhoAmICommand;
 
 import java.io.IOException;
 import java.net.URI;
@@ -44,6 +47,7 @@
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Date;
+import java.util.Objects;
 
 /**
  * Represents connection information for a particular LabKey Server.
@@ -108,6 +112,11 @@ public class Connection
     private int _timeout = DEFAULT_TIMEOUT;
     private String _proxyHost;
     private Integer _proxyPort;
+    private String _csrf;
+
+    // The user email when impersonating a user
+    private String _impersonateUser;
+    private String _impersonatePath;
 
     /**
      * Constructs a new Connection object given a base URL and a credentials provider.
@@ -221,24 +230,21 @@ protected HttpClientBuilder clientBuilder()
 
 
 
-    private String csrf = null;
-
-    protected void beforeExecute(HttpRequest request)
+    protected void beforeExecute(HttpRequest request) throws IOException, CommandException
     {
-        if (null == csrf && request instanceof HttpPost)
+        if (null == _csrf && request instanceof HttpPost)
         {
-            // need to preemptively login
-            // we're not really using the login form, just getting a JSESSIONID
+            // make a request to get a JSESSIONID
             try
             {
-                new Command("login", "login").execute(this, "/");
+                new WhoAmICommand().execute(this, "/");
             }
             catch (Exception ignored)
             {
             }
         }
-        if (null != csrf)
-            request.setHeader("X-LABKEY-CSRF", csrf);
+        if (null != _csrf)
+            request.setHeader("X-LABKEY-CSRF", _csrf);
     }
 
 
@@ -248,7 +254,7 @@ protected void afterExecute()
         for (Cookie c : _httpClientContext.getCookieStore().getCookies())
         {
             if ("JSESSIONID".equals(c.getName()))
-                csrf = c.getValue();
+                _csrf = c.getValue();
         }
     }
 
@@ -278,7 +284,68 @@ public CloseableHttpClient logout() throws IOException, CommandException
         return getHttpClient();
     }
 
-    CloseableHttpResponse executeRequest(HttpUriRequest request, Integer timeout) throws IOException, URISyntaxException, AuthenticationException
+    /**
+     * For site-admins only, start impersonating a user.
+     *
+     * Admins may impersonate other users to perform actions on their behalf.
+     * Site admins may impersonate any user in any project. Project admins must
+     * provide a <code>projectPath</code> and may only impersonate within the
+     * project in which they have admin permission.
+     *
+     * @param email The user to impersonate
+     * @see Connection#stopImpersonate()
+     */
+    public Connection impersonate(/*@NotNull*/ String email) throws IOException, CommandException
+    {
+        return impersonate(email, null);
+    }
+
+    /**
+     * For site-admins or project-admins only, start impersonating a user.
+     *
+     * Admins may impersonate other users to perform actions on their behalf.
+     * Site admins may impersonate any user in any project. Project admins must
+     * provide a <code>projectPath</code> and may only impersonate within the
+     * project in which they have admin permission.
+     *
+     * @param email The user to impersonate
+     * @param projectPath The project path within which the user will be impersonated.
+     * @see Connection#stopImpersonate()
+     */
+    public Connection impersonate(/*@NotNull*/ String email, /*@Nullable*/ String projectPath) throws IOException, CommandException
+    {
+        Objects.requireNonNull(email, "email");
+
+        CommandResponse resp = new ImpersonateUserCommand(email).execute(this, projectPath);
+        if (resp.getStatusCode() != 200)
+            throw new CommandException("Failed to impersonate user");
+
+        _impersonateUser = email;
+        _impersonatePath = projectPath;
+        return this;
+    }
+
+    /**
+     * Stop impersonating a user.
+     */
+    public Connection stopImpersonate() throws IOException, CommandException
+    {
+        if (_impersonateUser != null)
+        {
+            CommandResponse resp = new StopImpersonatingCommand().execute(this, _impersonatePath);
+
+            // on success, a 302 redirect response is returned
+            if (resp.getStatusCode() != 302)
+                throw new CommandException("Failed to stop impersonating");
+
+            _impersonateUser = null;
+            _impersonatePath = null;
+        }
+
+        return this;
+    }
+
+    CloseableHttpResponse executeRequest(HttpUriRequest request, Integer timeout) throws IOException, URISyntaxException, AuthenticationException, CommandException
     {
         // Delegate authentication setup to CredentialsProvider
         _credentialsProvider.configureRequest(getBaseUrl(), request, _httpClientContext);

java/src/org/labkey/remoteapi/security/ImpersonateUserCommand.java

@@ -0,0 +1,37 @@
+package org.labkey.remoteapi.security;
+
+import org.json.simple.JSONObject;
+import org.labkey.remoteapi.Command;
+import org.labkey.remoteapi.CommandException;
+import org.labkey.remoteapi.CommandResponse;
+import org.labkey.remoteapi.Connection;
+import org.labkey.remoteapi.PostCommand;
+
+import java.io.IOException;
+
+/**
+ * For site-admins or project-admins only, start impersonating a user.
+ *
+ * Admins may impersonate other users to perform actions on their behalf.
+ * Site users may impersonate any user in any project. Project admins must
+ * execute this command in a project in which they have admin permission
+ * and may impersonate any user that has access to the project.
+ *
+ * To finish an impersonation session use either {@link LogoutCommand} to
+ * log the original user out or use {@link StopImpersonatingCommand} to stop
+ * impersonating while keeping the original user logged in.
+ */
+public class ImpersonateUserCommand extends PostCommand<CommandResponse>
+{
+    public ImpersonateUserCommand(int userId)
+    {
+        super("user", "impersonateUser.api");
+        getParameters().put("userId", userId);
+    }
+
+    public ImpersonateUserCommand(String email)
+    {
+        super("user", "impersonateUser.api");
+        getParameters().put("email", email);
+    }
+}

java/src/org/labkey/remoteapi/security/StopImpersonatingCommand.java

@@ -0,0 +1,15 @@
+package org.labkey.remoteapi.security;
+
+import org.labkey.remoteapi.CommandResponse;
+import org.labkey.remoteapi.PostCommand;
+
+/**
+ * Stop impersonating a user.
+ */
+public class StopImpersonatingCommand extends PostCommand<CommandResponse>
+{
+    public StopImpersonatingCommand()
+    {
+        super("login", "stopImpersonating.api");
+    }
+}

java/src/org/labkey/remoteapi/security/WhoAmICommand.java

@@ -0,0 +1,18 @@
+package org.labkey.remoteapi.security;
+
+import org.json.simple.JSONObject;
+import org.labkey.remoteapi.Command;
+
+public class WhoAmICommand extends Command<WhoAmIResponse>
+{
+    public WhoAmICommand()
+    {
+        super("login", "whoami.api");
+    }
+
+    @Override
+    protected WhoAmIResponse createResponse(String text, int status, String contentType, JSONObject json)
+    {
+        return new WhoAmIResponse(text, status, contentType, json, this);
+    }
+}

java/src/org/labkey/remoteapi/security/WhoAmIResponse.java

@@ -0,0 +1,38 @@
+package org.labkey.remoteapi.security;
+
+import org.json.simple.JSONObject;
+import org.labkey.remoteapi.Command;
+import org.labkey.remoteapi.CommandResponse;
+
+public class WhoAmIResponse extends CommandResponse
+{
+    public WhoAmIResponse(String text, int statusCode, String contentType, JSONObject json, WhoAmICommand cmd)
+    {
+        super(text, statusCode, contentType, json, cmd);
+    }
+
+    public Number getUserId()
+    {
+        return getProperty("id");
+    }
+
+    public String getEmail()
+    {
+        return getProperty("email");
+    }
+
+    public String getDisplayName()
+    {
+        return getProperty("displayName");
+    }
+
+    public boolean isImpersonated()
+    {
+        return (Boolean)getProperty("impersonated");
+    }
+
+    public String getCSRF()
+    {
+        return getProperty("CSRF");
+    }
+}