feat(admin): Add activate guard

* created routing guard
* added guard for organizations section for some common scenarios
* rest off the section as well as pages need to be added

Author: bodnara

apps/admin-gui/src/app/app-routing.module.ts

@@ -6,6 +6,7 @@ import { NotFoundPageComponent } from './shared/components/not-found-page/not-fo
 import { RedirectPageComponent } from '@perun-web-apps/perun/components';
 import { LoginScreenComponent } from '@perun-web-apps/perun/login';
 import { LoginScreenServiceAccessComponent } from '@perun-web-apps/perun/login';
+import { NotAuthorizedPageComponent } from './shared/components/not-authorized-page/not-authorized-page.component';
 
 const routes: Routes = [
   {
@@ -49,6 +50,10 @@ const routes: Routes = [
     path: 'home',
     component: UserDashboardComponent,
   },
+  {
+    path: 'notAuthorized',
+    component: NotAuthorizedPageComponent,
+  },
   { path: '**', component: NotFoundPageComponent },
 ];
 

apps/admin-gui/src/app/shared/components/not-authorized-page/not-authorized-page.component.html

@@ -0,0 +1,7 @@
+<div class="flex-container pl-xl-5 pr-xl-5">
+  <h1 class="page-title">{{'GENERAL.NOT_AUTHORIZED_PAGE.TITLE' | translate}}</h1>
+  <span>{{'GENERAL.NOT_AUTHORIZED_PAGE.DESC' | translate}}</span>
+  <button mat-stroked-button (click)="redirectToHome()">
+    {{'GENERAL.NOT_AUTHORIZED_PAGE.REDIRECT' | translate}}
+  </button>
+</div>

apps/admin-gui/src/app/shared/components/not-authorized-page/not-authorized-page.component.scss

@@ -0,0 +1,6 @@
+.flex-container {
+  display: flex;
+  flex-direction: column;
+  align-items: flex-start;
+  gap: 1em;
+}

apps/admin-gui/src/app/shared/components/not-authorized-page/not-authorized-page.component.ts

@@ -0,0 +1,15 @@
+import { Component } from '@angular/core';
+import { Router } from '@angular/router';
+
+@Component({
+  selector: 'app-not-authorized-page',
+  templateUrl: './not-authorized-page.component.html',
+  styleUrls: ['./not-authorized-page.component.scss'],
+})
+export class NotAuthorizedPageComponent {
+  constructor(private router: Router) {}
+
+  redirectToHome(): void {
+    void this.router.navigate(['/home'], { queryParamsHandling: 'merge' });
+  }
+}

apps/admin-gui/src/app/shared/route-auth-guard.service.ts

@@ -0,0 +1,87 @@
+import { Injectable } from '@angular/core';
+import {
+  ActivatedRouteSnapshot,
+  CanActivateChild,
+  Router,
+  RouterStateSnapshot,
+  UrlTree,
+} from '@angular/router';
+import { Observable } from 'rxjs';
+import { GuiAuthResolver, NotificatorService } from '@perun-web-apps/perun/services';
+import { PerunBean } from '@perun-web-apps/perun/openapi';
+import { RoutePolicyService } from '../../../../../libs/perun/services/src/lib/route-policy.service';
+
+interface AuthPair {
+  key: string;
+  entity: PerunBean;
+}
+
+@Injectable({
+  providedIn: 'root',
+})
+export class RouteAuthGuardService implements CanActivateChild {
+  constructor(
+    private authResolver: GuiAuthResolver,
+    private routePolicyService: RoutePolicyService,
+    private router: Router,
+    private notificator: NotificatorService
+  ) {}
+
+  private static getBeanName(key: string): string {
+    switch (key) {
+      case 'o':
+        return 'Vo';
+      case 'g':
+        return 'Group';
+      case 'f':
+        return 'Facility';
+      case 'r':
+        return 'Resource';
+      default:
+        return '';
+    }
+  }
+
+  private static parseUrl(url: string): AuthPair {
+    const segments: string[] = url.slice(1).split('/').reverse();
+    const authPair: AuthPair = { key: '', entity: { id: -1, beanName: '' } };
+
+    for (const segment of segments) {
+      if (Number(segment)) {
+        if (authPair.entity.id === -1) {
+          authPair.entity.id = Number(segment);
+          continue;
+        }
+        break;
+      }
+
+      authPair.key = segment.concat('-', authPair.key);
+    }
+
+    authPair.key = authPair.key.slice(0, authPair.key.length - 1);
+    authPair.entity.beanName = RouteAuthGuardService.getBeanName(authPair.key[0]);
+    return authPair;
+  }
+
+  canActivateChild(
+    _childRoute: ActivatedRouteSnapshot,
+    state: RouterStateSnapshot
+  ): Observable<boolean | UrlTree> | Promise<boolean | UrlTree> | boolean | UrlTree {
+    if (this.authResolver.isPerunAdminOrObserver()) {
+      return true;
+    }
+
+    const authPair: AuthPair = RouteAuthGuardService.parseUrl(state.url);
+    const isAuthorized: boolean = this.routePolicyService.canNavigate(
+      authPair.key,
+      authPair.entity
+    );
+
+    if (isAuthorized) {
+      return true;
+    }
+
+    this.notificator.showRouteError();
+    return this.router.parseUrl('/notAuthorized');
+  }
+}

apps/admin-gui/src/app/shared/shared.module.ts

@@ -169,6 +169,7 @@ import { PerunNamespacePasswordFormModule } from '@perun-web-apps/perun/namespac
 import { AuditMessagesListComponent } from './components/audit-messages-list/audit-messages-list.component';
 import { AuditMessageDetailDialogComponent } from './components/dialogs/audit-message-detail-dialog/audit-message-detail-dialog.component';
 import { ParseEventNamePipe } from './pipes/parse-event-name.pipe';
+import { NotAuthorizedPageComponent } from './components/not-authorized-page/not-authorized-page.component';
 
 @NgModule({
   imports: [
@@ -430,6 +431,7 @@ import { ParseEventNamePipe } from './pipes/parse-event-name.pipe';
     AuditMessagesListComponent,
     AuditMessageDetailDialogComponent,
     ParseEventNamePipe,
+    NotAuthorizedPageComponent,
   ],
   providers: [AnyToStringPipe, ExtSourceTypePipe],
 })

apps/admin-gui/src/app/vos/vos-routing.module.ts

@@ -59,6 +59,7 @@ import { GroupStatisticsComponent } from './pages/group-detail-page/group-statis
 import { ApplicationFormManageGroupsComponent } from './components/application-form-manage-groups/application-form-manage-groups.component';
 import { ResourceTagsComponent } from '../facilities/pages/resource-detail-page/resource-tags/resource-tags.component';
 import { VoSettingsServiceMembersComponent } from './pages/vo-detail-page/vo-settings/vo-settings-service-members/vo-settings-service-members.component';
+import { RouteAuthGuardService } from '../shared/route-auth-guard.service';
 
 const routes: Routes = [
   {
@@ -68,6 +69,7 @@ const routes: Routes = [
   {
     path: ':voId',
     component: VoDetailPageComponent,
+    canActivateChild: [RouteAuthGuardService],
     children: [
       {
         path: '',

apps/admin-gui/src/assets/i18n/en.json

@@ -12,6 +12,11 @@
       "TITLE": "Page not found",
       "MESSAGE": "The page you are trying to access is missing. If you wish to continue please click the button below that will redirect you to our home page.",
       "ACTION": "Redirect"
+    },
+    "NOT_AUTHORIZED_PAGE": {
+      "TITLE": "Not authorized",
+      "DESC": "You are not authorized to access the page you were trying to reach.",
+      "REDIRECT": "Redirect Home"
     }
   },
   "NAV": {
@@ -2604,7 +2609,9 @@
             "DIALOG_CLOSE": "Close",
             "DIALOG_BUG_REPORT": "Report a bug",
             "DEFAULT_RPC_ERROR_MESSAGE": "An operation failed.",
-            "PRIVILEGE_EXCEPTION": "You are not authorized to perform this action"
+            "PRIVILEGE_EXCEPTION": "You are not authorized to perform this action",
+            "ROUTE_DENIED_ERROR": "Access denied",
+            "ROUTE_DENIED_DESC": "You are not authorized to access this page"
           }
         },
         "USER_EXT_SOURCES_LIST": {

libs/perun/services/src/lib/notificator.service.ts

@@ -60,6 +60,16 @@ export class NotificatorService {
     }
   }
 
+  showRouteError(): void {
+    const title: string = this.translate.instant(
+      'SHARED_LIB.PERUN.COMPONENTS.NOTIFICATOR.NOTIFICATION.ROUTE_DENIED_ERROR'
+    );
+    const desc: string = this.translate.instant(
+      'SHARED_LIB.PERUN.COMPONENTS.NOTIFICATOR.NOTIFICATION.ROUTE_DENIED_DESC'
+    );
+    this.showError(title, null, desc);
+  }
+
   /**
    * Shows error notification
    *

libs/perun/services/src/lib/route-policy.service.ts

@@ -0,0 +1,88 @@
+import { Injectable } from '@angular/core';
+import { Facility, Group, Member, Resource, User, Vo } from '@perun-web-apps/perun/openapi';
+import { GuiAuthResolver } from './gui-auth-resolver.service';
+
+type Entity = Vo | Group | Resource | Facility | Member | User;
+
+@Injectable({
+  providedIn: 'root',
+})
+export class RoutePolicyService {
+  constructor(private authResolver: GuiAuthResolver) {}
+
+  // Map of page key and function determining if user is authorized to access given page
+  private routePolicies: Map<string, (entity: Entity) => boolean> = new Map<
+    string,
+    (entity: Entity) => boolean
+  >([
+    [
+      'organizations-members',
+      (vo) => this.authResolver.isAuthorized('getCompleteRichMembers_Vo_List<String>_policy', [vo]),
+    ],
+    [
+      'organizations-groups',
+      (vo) =>
+        this.authResolver.isAuthorized(
+          'getAllRichGroupsWithAttributesByNames_Vo_List<String>_policy',
+          [vo]
+        ),
+    ],
+    [
+      'organization-resources',
+      (vo) => this.authResolver.isAuthorized('getRichResources_Vo_policy', [vo]),
+    ],
+    [
+      'organizations-applications',
+      (vo) =>
+        this.authResolver.isAuthorized('getApplicationsForVo_Vo_List<String>_Boolean_policy', [vo]),
+    ],
+    [
+      'organizations-sponsoredMembers',
+      (vo) => this.authResolver.isAuthorized('getSponsoredMembersAndTheirSponsors_Vo_policy', [vo]),
+    ],
+    [
+      'organizations-serviceAccounts',
+      (vo) =>
+        this.authResolver.isAuthorized(
+          `createSpecificMember_Vo_Candidate_List<User>_SpecificUserType_List<Group>_policy`,
+          [vo]
+        ),
+    ],
+    ['organizations-attributes', () => true],
+    [
+      'organizations-settings',
+      (vo) =>
+        this.authResolver.isManagerPagePrivileged(vo) ||
+        this.authResolver.isAuthorized('getVoExtSources_Vo_policy', [vo]) ||
+        this.authResolver.isThisVoAdminOrObserver(vo.id),
+    ],
+    ['organizations-settings-expiration', (vo) => this.authResolver.isThisVoAdminOrObserver(vo.id)],
+    ['organizations-settings-managers', (vo) => this.authResolver.isManagerPagePrivileged(vo)],
+    [
+      'organizations-settings-applicationForm',
+      (vo) => this.authResolver.isThisVoAdminOrObserver(vo.id),
+    ],
+    [
+      'organizations-settings-notifications',
+      (vo) => this.authResolver.isThisVoAdminOrObserver(vo.id),
+    ],
+    [
+      'organizations-settings-extsources',
+      (vo) => this.authResolver.isAuthorized('getVoExtSources_Vo_policy', [vo]),
+    ],
+  ]);
+
+  /**
+   * Determines whether user can access given page or not,
+   * default is true
+   *
+   * @param key: page key
+   * @param entity: entity connected to given page
+   *
+   * @returns true if user can access page, false otherwise
+   * */
+  canNavigate(key: string, entity: Entity): boolean {
+    const authorize: (e: Entity) => boolean = this.routePolicies.get(key);
+    return authorize ? authorize(entity) : true;
+  }
+}