Merge branch 'release/3.0.2'

pom.xml

@@ -5,7 +5,7 @@
 
 	<groupId>eu.openanalytics</groupId>
 	<artifactId>shinyproxy</artifactId>
-	<version>3.0.1</version>
+	<version>3.0.2</version>
 	<packaging>jar</packaging>
 
 	<name>ShinyProxy</name>
@@ -28,7 +28,7 @@
 		<java.version>1.8</java.version>
 		<maven.compiler.source>8</maven.compiler.source>
 		<maven.compiler.target>8</maven.compiler.target>
-		<containerproxy.version>1.0.1</containerproxy.version>
+		<containerproxy.version>1.0.2</containerproxy.version>
 		<resource.delimiter>&amp;</resource.delimiter>
 	</properties>
 

src/main/java/eu/openanalytics/shinyproxy/ShinyProxyConfiguration.java

@@ -25,6 +25,7 @@
 import eu.openanalytics.shinyproxy.runtimevalues.PublicPathKey;
 import eu.openanalytics.shinyproxy.runtimevalues.ShinyForceFullReloadKey;
 import eu.openanalytics.shinyproxy.runtimevalues.TrackAppUrl;
+import eu.openanalytics.shinyproxy.runtimevalues.UserTimeZoneKey;
 import eu.openanalytics.shinyproxy.runtimevalues.WebSocketReconnectionModeKey;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.PropertySource;
@@ -39,5 +40,6 @@ public class ShinyProxyConfiguration {
 		RuntimeValueKeyRegistry.addRuntimeValueKey(ShinyForceFullReloadKey.inst);
 		RuntimeValueKeyRegistry.addRuntimeValueKey(WebSocketReconnectionModeKey.inst);
 		RuntimeValueKeyRegistry.addRuntimeValueKey(TrackAppUrl.inst);
+		RuntimeValueKeyRegistry.addRuntimeValueKey(UserTimeZoneKey.inst);
 	}
 }

src/main/java/eu/openanalytics/shinyproxy/ShinyProxyIframeScriptInjector.java

@@ -21,6 +21,7 @@
 package eu.openanalytics.shinyproxy;
 
 import eu.openanalytics.containerproxy.util.ContextPathHelper;
+import io.netty.buffer.ByteBuf;
 import io.undertow.UndertowMessages;
 import io.undertow.server.HttpServerExchange;
 import io.undertow.server.protocol.http.ServerFixedLengthStreamSinkConduit;
@@ -113,16 +114,16 @@ public long writeFinal(java.nio.ByteBuffer[] srcs, int offs, int len) throws IOE
 
     @Override
     public void terminateWrites() throws IOException {
-        // 1. get HTML page and add script tag
-        String r = outputStream.toString();
+        // 1. check whether it's a html response and success
         if (exchange.getStatusCode() == HttpStatus.OK.value()
                 && exchange.getResponseHeaders().get("Content-Type") != null
                 && exchange.getResponseHeaders().get("Content-Type").stream().anyMatch(headerValue -> headerValue.contains("text/html"))) {
-            // only inject script of response successful and actually a html response
-            r += "<script src='" + ContextPathHelper.withEndingSlash() + "js/shiny.iframe.js'></script>";
+            // 2. inject script
+            String r = "<script src='" + ContextPathHelper.withEndingSlash() + "js/shiny.iframe.js'></script>";
+            outputStream.write(r.getBytes(StandardCharsets.UTF_8));
         }
-        // 2. convert to ByteBuffer
-        ByteBuffer out = ByteBuffer.wrap(r.getBytes(StandardCharsets.UTF_8));
+
+        ByteBuffer out = ByteBuffer.wrap(outputStream.toByteArray());
         // 3. set Content-Length header
         updateContentLength(exchange, out);
         // 4. write new response (to the next stream)

src/main/java/eu/openanalytics/shinyproxy/ShinyProxyTestStrategy.java

@@ -62,7 +62,7 @@ public boolean testProxy(Proxy proxy) {
 					// proxy got stopped while loading -> no need to try to connect it since the container will already be deleted
 					return true;
 				}
-				URL testURL = new URL(targetURI.toString());
+				URL testURL = new URL(targetURI.toString() + "/");
 				HttpURLConnection connection = ((HttpURLConnection) testURL.openConnection());
 				if (currentAttempt <= 5) {
 					// When the container has only just started (or when the k8s service has only just been created),

src/main/java/eu/openanalytics/shinyproxy/UISecurityConfig.java

@@ -23,37 +23,63 @@
 import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
 import eu.openanalytics.containerproxy.security.ICustomSecurityConfig;
 import eu.openanalytics.containerproxy.service.UserService;
+import org.springframework.context.annotation.Lazy;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.DefaultRedirectStrategy;
 import org.springframework.security.web.access.ExceptionTranslationFilter;
+import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
 import org.springframework.stereotype.Component;
+import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
 
 import javax.inject.Inject;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+import static eu.openanalytics.containerproxy.ui.AuthController.AUTH_SUCCESS_URL_SESSION_ATTR;
 
 @Component
 public class UISecurityConfig implements ICustomSecurityConfig {
 
-	@Inject
-	private IAuthenticationBackend auth;
-
-	@Inject
-	private UserService userService;
-
-	@Override
-	public void apply(HttpSecurity http) throws Exception {
-		if (auth.hasAuthorization()) {
-
-			// Limit access to the app pages according to spec permissions
-			http.authorizeRequests().antMatchers("/app/{specId}/**").access("@proxyAccessControlService.canAccessOrHasExistingProxy(authentication, #specId)");
-			http.authorizeRequests().antMatchers("/app_i/{specId}/**").access("@proxyAccessControlService.canAccessOrHasExistingProxy(authentication, #specId)");
-			http.authorizeRequests().antMatchers("/app_direct/{specId}/**").access("@proxyAccessControlService.canAccessOrHasExistingProxy(authentication, #specId)");
-			http.authorizeRequests().antMatchers("/app_direct_i/{specId}/**").access("@proxyAccessControlService.canAccessOrHasExistingProxy(authentication, #specId)");
-
-			// Limit access to the admin pages
-			http.authorizeRequests().antMatchers("/admin").hasAnyRole(userService.getAdminGroups());
-			http.authorizeRequests().antMatchers("/admin/data").hasAnyRole(userService.getAdminGroups());
-
-			http.addFilterAfter(new AuthenticationRequiredFilter(), ExceptionTranslationFilter.class);
-		}
-
-	}
+    @Inject
+    private IAuthenticationBackend auth;
+
+    @Inject
+    private UserService userService;
+
+    @Inject
+    @Lazy
+    private SavedRequestAwareAuthenticationSuccessHandler savedRequestAwareAuthenticationSuccessHandler;
+
+    @Override
+    public void apply(HttpSecurity http) throws Exception {
+        if (auth.hasAuthorization()) {
+
+            // Limit access to the app pages according to spec permissions
+            http.authorizeRequests().antMatchers("/app/{specId}/**").access("@proxyAccessControlService.canAccessOrHasExistingProxy(authentication, #specId)");
+            http.authorizeRequests().antMatchers("/app_i/{specId}/**").access("@proxyAccessControlService.canAccessOrHasExistingProxy(authentication, #specId)");
+            http.authorizeRequests().antMatchers("/app_direct/{specId}/**").access("@proxyAccessControlService.canAccessOrHasExistingProxy(authentication, #specId)");
+            http.authorizeRequests().antMatchers("/app_direct_i/{specId}/**").access("@proxyAccessControlService.canAccessOrHasExistingProxy(authentication, #specId)");
+
+            http.addFilterAfter(new AuthenticationRequiredFilter(), ExceptionTranslationFilter.class);
+
+            savedRequestAwareAuthenticationSuccessHandler.setRedirectStrategy(new DefaultRedirectStrategy() {
+                @Override
+                public void sendRedirect(HttpServletRequest request, HttpServletResponse response, String url) throws IOException {
+                    String redirectUrl = calculateRedirectUrl(request.getContextPath(), url);
+                    AppRequestInfo appRequestInfo = AppRequestInfo.fromURI(redirectUrl);
+                    if (appRequestInfo != null) {
+                        // before auth, the user tried to open the page of an app, redirect back to that app
+                        // (we don't redirect to any other app, see  #30648 and #28624)
+                        request.getSession().setAttribute(AUTH_SUCCESS_URL_SESSION_ATTR, url);
+                    }
+                    response.sendRedirect(ServletUriComponentsBuilder.fromCurrentContextPath().path("/auth-success").build().toUriString());
+                }
+            });
+        }
+        // Limit access to the admin pages
+        http.authorizeRequests().antMatchers("/admin").access("@userService.isAdmin()");
+        http.authorizeRequests().antMatchers("/admin/data").access("@userService.isAdmin()");
+
+    }
 }