Read-only mode and Spring Security example (#129)

driesva · web-flow · commit 1814d11986d7 · 2025-01-28T22:50:39.000+01:00
* Read-only mode and Spring Security example setup
* introduce a read-only mode in which you can only consult tasks but not alter them:
  * controller separation
  * config for frontend
  * ui changes to hide buttons
* provide Spring Security example
  * option to alter frontend config at runtime
  * test with sample config and tests
* bump SB and db-scheduler versions

* Read-only mode and Spring Security example setup
* attempt to fix test failures by creating different tasks for deletion
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        spring-boot: [ '3.3.7', '3.4.1' ]
+        spring-boot: [ '3.3.8', '3.4.2' ]
 
     steps:
       - name: Checkout repo
diff --git a/README.md b/README.md
@@ -41,7 +41,7 @@ dashboard for monitoring and basic administration of tasks.
 <dependency>
     <groupId>no.bekk.db-scheduler-ui</groupId>
     <artifactId>db-scheduler-ui-starter</artifactId>
-    <version>1.0.1</version>
+    <version>4.0.0</version>
 </dependency>
 ```
 
@@ -94,6 +94,59 @@ If you for some reason want to hide the task data you can set this to false. def
 db-scheduler-ui.task-data=false
 ```
 
+Or if you want a _read-only_ mode (in which tasks cannot be manually run, deleted or scheduled) set `read-only` to `true`, defaults to `false`
+
+````
+db-scheduler-ui.read-only=true
+````
+
+## Security
+
+In case you want to secure db-scheduler-ui you can use [Spring Security](https://spring.io/projects/spring-security), you should secure the paths `/db-scheduler` and `/db-scheduler-api`.
+
+In a more advanced scenario, you could assign an _admin role_ and a _read-only user_ role.
+An example _filter chain_ with basic security:
+```java
+@Bean
+SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+  return http
+      .csrf(CsrfConfigurer::disable)
+      .authorizeHttpRequests(
+          authz ->
+              authz
+                  // protect the UI
+                  .requestMatchers("/db-scheduler/**").hasAnyRole("ADMIN", "USER")
+                  // allow read access to the API for both users and admins
+                  .requestMatchers(HttpMethod.GET, "/db-scheduler-api/**").hasAnyRole("ADMIN", "USER")
+                  // only admins can delete tasks, alter scheduling, ...
+                  .requestMatchers(HttpMethod.POST, "/db-scheduler-api/**").hasAnyRole("ADMIN")
+                  // other application specific security
+                  .anyRequest().permitAll())
+      .httpBasic(withDefaults())
+      .build();
+}
+```
+additionally you might want to hide delete, run, ... buttons in the UI. To achieve this, declare the following bean:
+```java
+@Bean
+ConfigController configController(DbSchedulerUiProperties properties) {
+  return new ConfigController(properties.isHistory(), readOnly(properties));
+}
+
+private Supplier<Boolean> readOnly(DbSchedulerUiProperties properties) {
+  // either global readonly mode is active or user has no admin rights  
+  return () -> properties.isReadOnly() || !isAdmin();
+}
+
+private boolean isAdmin() {
+  Authentication auth = SecurityContextHolder.getContext().getAuthentication();
+  if (auth == null) {
+    return false;
+  }
+  return auth.getAuthorities().stream().anyMatch(a -> "ROLE_ADMIN".equals(a.getAuthority()));
+}
+```
+
 ## Contributing
 
 Feel free to create pull requests if there are features or improvements you want to add.
diff --git a/db-scheduler-ui-frontend/src/components/input/DotButton.tsx b/db-scheduler-ui-frontend/src/components/input/DotButton.tsx
@@ -32,6 +32,7 @@ import { CalendarIcon, DeleteIcon, InfoOutlineIcon } from '@chakra-ui/icons';
 import { IoEllipsisVerticalIcon } from '../../assets/icons';
 import { useNavigate } from 'react-router-dom';
 import { ScheduleRunAlert } from './ScheduleRunAlert';
+import { getReadonly } from 'src/utils/config';
 
 interface TaskProps {
   taskName: string;
@@ -65,6 +66,7 @@ export const DotButton: React.FC<TaskProps> = ({
 
         <MenuList padding={0}>
           <MenuItem
+            display={getReadonly() ? 'none' : 'unset'}
             rounded={6}
             minBlockSize={10}
             onClick={(event) => {
@@ -87,6 +89,7 @@ export const DotButton: React.FC<TaskProps> = ({
             See history for task
           </MenuItem>
           <MenuItem
+            display={getReadonly() ? 'none' : 'unset'}
             rounded={6}
             minBlockSize={10}
             onClick={(event) => {
diff --git a/db-scheduler-ui-frontend/src/components/scheduled/TaskAccordionButton.tsx b/db-scheduler-ui-frontend/src/components/scheduled/TaskAccordionButton.tsx
@@ -30,6 +30,7 @@ import { NumberCircleGroup } from 'src/components/common/NumberCircleGroup';
 import { AttachmentIcon } from '@chakra-ui/icons';
 import { determineStatus, isStatus } from 'src/utils/determineStatus';
 import colors from 'src/styles/colors';
+import { getReadonly } from 'src/utils/config';
 
 interface TaskAccordionButtonProps extends Task {
   refetch: () => void;
@@ -128,7 +129,11 @@ export const TaskAccordionButton: React.FC<TaskAccordionButtonProps> = (
               }
               w={150}
             >
-              <TaskRunButton {...props} refetch={refetch} />
+              <TaskRunButton
+                {...props}
+                refetch={refetch}
+                style={{ visibility: getReadonly() ? 'hidden' : 'visible' }}
+              />
               <DotButton
                 taskName={taskName}
                 taskInstance={taskInstance[0]}
diff --git a/db-scheduler-ui-frontend/src/services/deleteTask.ts b/db-scheduler-ui-frontend/src/services/deleteTask.ts
@@ -23,7 +23,9 @@ const deleteTask = async (id: string, name: string) => {
     },
   );
 
-  if (!response.ok) {
+  if (response.status == 401) {
+    document.location.href = '/db-scheduler';
+  } else if (!response.ok) {
     throw new Error(`Error executing task. Status: ${response.statusText}`);
   }
 };
diff --git a/db-scheduler-ui-frontend/src/services/getLogs.ts b/db-scheduler-ui-frontend/src/services/getLogs.ts
@@ -62,7 +62,9 @@ export const getLogs = async (
     },
   });
 
-  if (!response.ok) {
+  if (response.status == 401) {
+    document.location.href = '/db-scheduler';
+  } else if (!response.ok) {
     throw new Error(`Error fetching logs. Status: ${response.statusText}`);
   }
 
diff --git a/db-scheduler-ui-frontend/src/services/getTask.ts b/db-scheduler-ui-frontend/src/services/getTask.ts
@@ -60,7 +60,9 @@ export const getTask = async (
     },
   });
 
-  if (!response.ok) {
+  if (response.status == 401) {
+    document.location.href = '/db-scheduler';
+  } else if (!response.ok) {
     throw new Error(`Error fetching tasks. Status: ${response.statusText}`);
   }
 
diff --git a/db-scheduler-ui-frontend/src/services/getTasks.ts b/db-scheduler-ui-frontend/src/services/getTasks.ts
@@ -58,7 +58,9 @@ export const getTasks = async (
     },
   });
 
-  if (!response.ok) {
+  if (response.status == 401) {
+    document.location.href = '/db-scheduler';
+  } else if (!response.ok) {
     throw new Error(`Error fetching tasks. Status: ${response.statusText}`);
   }
 
diff --git a/db-scheduler-ui-frontend/src/services/pollLogs.ts b/db-scheduler-ui-frontend/src/services/pollLogs.ts
@@ -60,7 +60,9 @@ export const pollLogs = async (
     },
   });
 
-  if (!response.ok) {
+  if (response.status == 401) {
+    document.location.href = '/db-scheduler';
+  } else if (!response.ok) {
     throw new Error(`Error polling tasks. Status: ${response.statusText}`);
   }
 
diff --git a/db-scheduler-ui-frontend/src/services/pollTasks.ts b/db-scheduler-ui-frontend/src/services/pollTasks.ts
@@ -60,8 +60,9 @@ export const pollTasks = async (
       'Content-Type': 'application/json',
     },
   });
-
-  if (!response.ok) {
+  if (response.status == 401) {
+    document.location.href = '/db-scheduler';
+  } else if (!response.ok) {
     throw new Error(`Error polling tasks. Status: ${response.statusText}`);
   }
 
diff --git a/db-scheduler-ui-frontend/src/services/runTask.ts b/db-scheduler-ui-frontend/src/services/runTask.ts
@@ -34,7 +34,9 @@ const runTask = async (id: string, name: string, scheduleTime?:Date) => {
     },
   );
 
-  if (!response.ok) {
+  if (response.status == 401) {
+    document.location.href = '/db-scheduler';
+  } else if (!response.ok) {
     throw new Error(`Error executing task. Status: ${response.statusText}`);
   }
 };
diff --git a/db-scheduler-ui-frontend/src/services/runTaskGroup.ts b/db-scheduler-ui-frontend/src/services/runTaskGroup.ts
@@ -23,7 +23,9 @@ const runTaskGroup = async (name: string, onlyFailed: boolean) => {
     },
   );
 
-  if (!response.ok) {
+  if (response.status == 401) {
+    document.location.href = '/db-scheduler';
+  } else if (!response.ok) {
     throw new Error(`Error executing task. Status: ${response.statusText}`);
   }
 };
diff --git a/db-scheduler-ui-frontend/src/utils/config.ts b/db-scheduler-ui-frontend/src/utils/config.ts
@@ -19,4 +19,7 @@ const config = await fetch('/db-scheduler-api/config').then((res) =>
 const showHistory =
   'showHistory' in config ? Boolean(config.showHistory) : false;
 
+const readOnly = 'readOnly' in config ? Boolean(config.readOnly) : false;
+
 export const getShowHistory = (): boolean => showHistory;
+export const getReadonly = (): boolean => readOnly;
diff --git a/db-scheduler-ui-starter/src/main/java/no/bekk/dbscheduler/uistarter/autoconfigure/UiApiAutoConfiguration.java b/db-scheduler-ui-starter/src/main/java/no/bekk/dbscheduler/uistarter/autoconfigure/UiApiAutoConfiguration.java
@@ -20,6 +20,7 @@
 import no.bekk.dbscheduler.ui.controller.ConfigController;
 import no.bekk.dbscheduler.ui.controller.LogController;
 import no.bekk.dbscheduler.ui.controller.SpaFallbackMvc;
+import no.bekk.dbscheduler.ui.controller.TaskAdminController;
 import no.bekk.dbscheduler.ui.controller.TaskController;
 import no.bekk.dbscheduler.ui.service.LogLogic;
 import no.bekk.dbscheduler.ui.service.TaskLogic;
@@ -88,6 +89,17 @@ LogLogic logLogic(
         logLimit);
   }
 
+  @Bean
+  @ConditionalOnMissingBean
+  @ConditionalOnProperty(
+      prefix = "db-scheduler-ui",
+      name = "read-only",
+      havingValue = "false",
+      matchIfMissing = true)
+  TaskAdminController taskAdminController(TaskLogic taskLogic) {
+    return new TaskAdminController(taskLogic);
+  }
+
   @Bean
   @ConditionalOnMissingBean
   TaskController taskController(TaskLogic taskLogic) {
@@ -125,6 +137,6 @@ public RouterFunction<ServerResponse> dbSchedulerRouter(
   @Bean
   @ConditionalOnMissingBean
   ConfigController configController(DbSchedulerUiProperties properties) {
-    return new ConfigController(properties.isHistory());
+    return new ConfigController(properties.isHistory(), properties::isReadOnly);
   }
 }
diff --git a/db-scheduler-ui-starter/src/main/java/no/bekk/dbscheduler/uistarter/config/DbSchedulerUiProperties.java b/db-scheduler-ui-starter/src/main/java/no/bekk/dbscheduler/uistarter/config/DbSchedulerUiProperties.java
@@ -23,6 +23,7 @@
 public class DbSchedulerUiProperties {
 
   private boolean enabled = true;
+  private boolean readOnly = false;
   private boolean taskData = true;
   private boolean history = false;
   private int logLimit = 0;
diff --git a/db-scheduler-ui/src/main/java/no/bekk/dbscheduler/ui/controller/ConfigController.java b/db-scheduler-ui/src/main/java/no/bekk/dbscheduler/ui/controller/ConfigController.java
@@ -13,6 +13,7 @@
  */
 package no.bekk.dbscheduler.ui.controller;
 
+import java.util.function.Supplier;
 import no.bekk.dbscheduler.ui.model.ConfigResponse;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -25,13 +26,15 @@
 public class ConfigController {
 
   private final boolean showHistory;
+  private final Supplier<Boolean> readOnly;
 
-  public ConfigController(boolean showHistory) {
+  public ConfigController(boolean showHistory, Supplier<Boolean> readOnly) {
     this.showHistory = showHistory;
+    this.readOnly = readOnly;
   }
 
   @GetMapping
   public ConfigResponse getConfig() {
-    return new ConfigResponse(showHistory);
+    return new ConfigResponse(showHistory, readOnly.get());
   }
 }
diff --git a/db-scheduler-ui/src/main/java/no/bekk/dbscheduler/ui/controller/TaskAdminController.java b/db-scheduler-ui/src/main/java/no/bekk/dbscheduler/ui/controller/TaskAdminController.java
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) Bekk
+ *
+ * <p>Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file
+ * except in compliance with the License. You may obtain a copy of the License at
+ *
+ * <p>http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * <p>Unless required by applicable law or agreed to in writing, software distributed under the
+ * License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package no.bekk.dbscheduler.ui.controller;
+
+import java.time.Instant;
+import no.bekk.dbscheduler.ui.service.TaskLogic;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
+import org.springframework.web.bind.annotation.CrossOrigin;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+@CrossOrigin
+@RequestMapping("/db-scheduler-api/tasks")
+@ConditionalOnProperty(
+    prefix = "db-scheduler-ui",
+    name = "read-only",
+    havingValue = "false",
+    matchIfMissing = true)
+public class TaskAdminController {
+
+  private final TaskLogic taskLogic;
+
+  @Autowired
+  public TaskAdminController(TaskLogic taskLogic) {
+    this.taskLogic = taskLogic;
+  }
+
+  @PostMapping("/rerun")
+  public void runNow(
+      @RequestParam String id, @RequestParam String name, @RequestParam Instant scheduleTime) {
+    taskLogic.runTaskNow(id, name, scheduleTime);
+  }
+
+  @PostMapping("/rerunGroup")
+  public void runAllNow(@RequestParam String name, @RequestParam boolean onlyFailed) {
+    taskLogic.runTaskGroupNow(name, onlyFailed);
+  }
+
+  @PostMapping("/delete")
+  public void deleteTaskNow(@RequestParam String id, @RequestParam String name) {
+    taskLogic.deleteTask(id, name);
+  }
+}
diff --git a/db-scheduler-ui/src/main/java/no/bekk/dbscheduler/ui/controller/TaskController.java b/db-scheduler-ui/src/main/java/no/bekk/dbscheduler/ui/controller/TaskController.java
@@ -13,14 +13,16 @@
  */
 package no.bekk.dbscheduler.ui.controller;
 
-import java.time.Instant;
 import no.bekk.dbscheduler.ui.model.GetTasksResponse;
 import no.bekk.dbscheduler.ui.model.PollResponse;
 import no.bekk.dbscheduler.ui.model.TaskDetailsRequestParams;
 import no.bekk.dbscheduler.ui.model.TaskRequestParams;
 import no.bekk.dbscheduler.ui.service.TaskLogic;
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.CrossOrigin;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
 
 @RestController
 @CrossOrigin
@@ -47,20 +49,4 @@ public GetTasksResponse getTaskDetails(TaskDetailsRequestParams params) {
   public PollResponse pollForUpdates(TaskDetailsRequestParams params) {
     return taskLogic.pollTasks(params);
   }
-
-  @PostMapping("/rerun")
-  public void runNow(
-      @RequestParam String id, @RequestParam String name, @RequestParam Instant scheduleTime) {
-    taskLogic.runTaskNow(id, name, scheduleTime);
-  }
-
-  @PostMapping("/rerunGroup")
-  public void runAllNow(@RequestParam String name, @RequestParam boolean onlyFailed) {
-    taskLogic.runTaskGroupNow(name, onlyFailed);
-  }
-
-  @PostMapping("/delete")
-  public void deleteTaskNow(@RequestParam String id, @RequestParam String name) {
-    taskLogic.deleteTask(id, name);
-  }
 }
diff --git a/db-scheduler-ui/src/main/java/no/bekk/dbscheduler/ui/model/ConfigResponse.java b/db-scheduler-ui/src/main/java/no/bekk/dbscheduler/ui/model/ConfigResponse.java
@@ -22,4 +22,5 @@
 @AllArgsConstructor
 public class ConfigResponse {
   private boolean showHistory;
+  private boolean readOnly;
 }
diff --git a/example-app-webflux/src/test/java/com/github/bekk/exampleapp/SmokeTest.java b/example-app-webflux/src/test/java/com/github/bekk/exampleapp/SmokeTest.java
diff --git a/example-app/pom.xml b/example-app/pom.xml
diff --git a/example-app/src/main/java/com/github/bekk/exampleapp/service/TaskService.java b/example-app/src/main/java/com/github/bekk/exampleapp/service/TaskService.java
diff --git a/example-app/src/test/java/com/github/bekk/exampleapp/DynamicRecurringSchedulingTest.java b/example-app/src/test/java/com/github/bekk/exampleapp/DynamicRecurringSchedulingTest.java
diff --git a/example-app/src/test/java/com/github/bekk/exampleapp/SmokeReadOnlyTest.java b/example-app/src/test/java/com/github/bekk/exampleapp/SmokeReadOnlyTest.java
diff --git a/example-app/src/test/java/com/github/bekk/exampleapp/SmokeSpringSecurityTest.java b/example-app/src/test/java/com/github/bekk/exampleapp/SmokeSpringSecurityTest.java
diff --git a/example-app/src/test/java/com/github/bekk/exampleapp/SmokeTest.java b/example-app/src/test/java/com/github/bekk/exampleapp/SmokeTest.java
diff --git a/pom.xml b/pom.xml

Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,9 @@ export const getLogs = async (`
`62`	`62`	`},`
`63`	`63`	`});`
`64`	`64`
`65`		`- if (!response.ok) {`
	`65`	`+ if (response.status == 401) {`
	`66`	`+ document.location.href = '/db-scheduler';`
	`67`	`+ } else if (!response.ok) {`
`66`	`68`	throw new Error(`Error fetching logs. Status: ${response.statusText}`);
`67`	`69`	`}`
`68`	`70`
Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,9 @@ export const getTask = async (`
`60`	`60`	`},`
`61`	`61`	`});`
`62`	`62`
`63`		`- if (!response.ok) {`
	`63`	`+ if (response.status == 401) {`
	`64`	`+ document.location.href = '/db-scheduler';`
	`65`	`+ } else if (!response.ok) {`
`64`	`66`	throw new Error(`Error fetching tasks. Status: ${response.statusText}`);
`65`	`67`	`}`
`66`	`68`
Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,9 @@ export const getTasks = async (`
`58`	`58`	`},`
`59`	`59`	`});`
`60`	`60`
`61`		`- if (!response.ok) {`
	`61`	`+ if (response.status == 401) {`
	`62`	`+ document.location.href = '/db-scheduler';`
	`63`	`+ } else if (!response.ok) {`
`62`	`64`	throw new Error(`Error fetching tasks. Status: ${response.statusText}`);
`63`	`65`	`}`
`64`	`66`
Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,9 @@ export const pollLogs = async (`
`60`	`60`	`},`
`61`	`61`	`});`
`62`	`62`
`63`		`- if (!response.ok) {`
	`63`	`+ if (response.status == 401) {`
	`64`	`+ document.location.href = '/db-scheduler';`
	`65`	`+ } else if (!response.ok) {`
`64`	`66`	throw new Error(`Error polling tasks. Status: ${response.statusText}`);
`65`	`67`	`}`
`66`	`68`
Original file line number	Diff line number	Diff line change
`@@ -22,4 +22,5 @@`
`22`	`22`	`@AllArgsConstructor`
`23`	`23`	`public class ConfigResponse {`
`24`	`24`	`private boolean showHistory;`
	`25`	`+ private boolean readOnly;`
`25`	`26`	`}`