diff --git a/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UserAccessWithSameOrganisationPrivilege.java b/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UserAccessWithSameOrganisationPrivilege.java
index e83e56709..b6677ffba 100644
--- a/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UserAccessWithSameOrganisationPrivilege.java
+++ b/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UserAccessWithSameOrganisationPrivilege.java
@@ -41,8 +41,6 @@ import li.strolch.utils.dbc.DBC;
 */
 public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege {
 
- public static final String PARAM_ORGANISATION = "organisation";
-
 @Override
 public void validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable)
 throws AccessDeniedException {
@@ -71,44 +69,28 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege throw new PrivilegeException(msg); } - // get user organisation - Set userOrgs = getUserOrganisations(ctx); - Tuple tuple = (Tuple) object; switch (privilegeName) { case PrivilegeHandler.PRIVILEGE_GET_USER: case PrivilegeHandler.PRIVILEGE_ADD_USER: case PrivilegeHandler.PRIVILEGE_MODIFY_USER: + case PrivilegeHandler.PRIVILEGE_SET_USER_PASSWORD: case PrivilegeHandler.PRIVILEGE_REMOVE_USER: { // make sure old user has same organisation User oldUser = tuple.getFirst(); if (oldUser != null) { - Set oldOrgs = getUserOrganisations(oldUser); - if (!isUserInOrganisation(userOrgs, oldOrgs)) { - if (assertHasPrivilege) - throw new AccessDeniedException( - "User " + ctx.getUsername() + " may not access users outside of their organisation: " - + userOrgs + " / " + oldOrgs); - + if (!assertUserInSameOrganisation(ctx, oldUser, assertHasPrivilege)) return false; - } } // make sure new user has same organisation User newUser = tuple.getSecond(); DBC.INTERIM.assertNotNull("For " + privilegeName + " second must not be null!", newUser); - Set newOrgs = getUserOrganisations(newUser); - - if (!isUserInOrganisation(userOrgs, newOrgs)) { - if (assertHasPrivilege) - throw new AccessDeniedException( - "User " + ctx.getUsername() + " may not access users outside of their organisations: " - + userOrgs + " / " + newOrgs); + if (!assertUserInSameOrganisation(ctx, newUser, assertHasPrivilege)) return false; - } break; } 
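Review bot: The new `case PrivilegeHandler.PRIVILEGE_SET_USER_PASSWORD:` label now shares the `DBC.INTERIM.assertNotNull("For " + privilegeName + " second must not be null!", newUser)` check, so a password change whose Tuple carries the user only in the first slot would fail on the DBC assertion rather than on an organisation decision; worth confirming against the handler code that builds the Tuple for that privilege. The removed `Set userOrgs = getUserOrganisations(ctx)` ran before the switch for every privilege name, whereas `assertUserInSameOrganisation` now parses the caller's certificate organisation on each call (twice in this branch) and only in the branches that reach it, so a caller with no organisation configured is no longer rejected on privilege names that never reach the helper. If that relaxation is intended, a one-line comment above `switch (privilegeName)` saying that the organisation check applies only to the listed cases would make it explicit; the same remark applies to the `@@ -117,16 +99,8 @@` hunk. validateAction starts before this hunk and continues past it.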
@@ -117,16 +99,8 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege User user = tuple.getFirst(); DBC.INTERIM.assertNotNull("For " + privilegeName + " first must not be null!", user); - Set orgs = getUserOrganisations(user); - if (!isUserInOrganisation(userOrgs, orgs)) { - - if (assertHasPrivilege) - throw new AccessDeniedException( - "User " + ctx.getUsername() + " may not access users outside of their organisation: " - + userOrgs + " / " + orgs); - + if (!assertUserInSameOrganisation(ctx, user, assertHasPrivilege)) return false; - } break; } 
@@ -142,19 +116,34 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
 return super.validateAction(ctx, privilege, restrictable, assertHasPrivilege);
 }
 
+ protected boolean assertUserInSameOrganisation(PrivilegeContext ctx, User user, boolean assertHasPrivilege) {
+ Set userOrgs = getUserOrganisations(ctx);
+ Set orgs = getUserOrganisations(user);
+
+ if (isUserInOrganisation(userOrgs, orgs))
+ return true;
+
+ if (assertHasPrivilege)
+ throw new AccessDeniedException(
+ "User " + ctx.getUsername() + " may not access users outside of their organisation: " + userOrgs
+ + " / " + orgs);
+
+ return false;
+ }
+
 protected boolean isUserInOrganisation(Set organisations, Set userOrg) {
 return userOrg.stream().anyMatch(organisations::contains);
 }
 
 protected Set getUserOrganisations(User user) {
- String userOrg = user.getProperty(PARAM_ORGANISATION);
+ String userOrg = user.getOrganisation();
 if (isEmpty(userOrg))
 throw new PrivilegeException("No organisation configured for user " + user.getUsername());
 return Stream.of(userOrg.split(",")).map(String::trim).collect(toSet());
 }
 
 protected Set getUserOrganisations(PrivilegeContext ctx) {
- String userOrg = ctx.getCertificate().getProperty(PARAM_ORGANISATION);
+ String userOrg = ctx.getCertificate().getOrganisation();
 if (isEmpty(userOrg))
 throw new PrivilegeException("No organisation configured for user " + ctx.getUsername());
 return Stream.of(userOrg.split(",")).map(String::trim).collect(toSet());
diff --git a/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.java b/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.java
index 874a6dadf..846d990bb 100644
--- a/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.java
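Review bot: `assertUserInSameOrganisation` has no Javadoc although its contract is unusual: it returns true on any overlap, returns false or throws AccessDeniedException depending on `assertHasPrivilege`, and throws PrivilegeException from `getUserOrganisations` regardless of that flag when either side has no organisation configured. Suggest a Javadoc on the method stating exactly that, with `@throws AccessDeniedException if assertHasPrivilege is true and the organisations do not overlap` and `@throws PrivilegeException if the certificate or the user has no organisation configured`. The denial message concatenates both `userOrgs` and `orgs`, so if this exception text is surfaced to the caller it reveals the target user's organisations to a principal who was just refused access; keeping the detail for the server log and building the message without `orgs` avoids that. Note also that the removed `PARAM_ORGANISATION` constant was `public`, so any external code referencing it through this class breaks at compile time; a `@Deprecated` alias would ease migration if such callers exist.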
+++ b/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.java
@@ -15,10 +15,13 @@
 */
 package li.strolch.privilege.policy;
 
+import static java.util.stream.Collectors.toSet;
 import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate;
 import static li.strolch.utils.helper.StringHelper.isEmpty;
 
 import java.text.MessageFormat;
+import java.util.Set;
+import java.util.stream.Stream;
 
 import li.strolch.privilege.base.AccessDeniedException;
 import li.strolch.privilege.base.PrivilegeException;
@@ -43,8 +46,6 @@ import li.strolch.privilege.model.Restrictable;
 */
 public class UsernameFromCertificateWithSameOrganisationPrivilege extends UsernameFromCertificatePrivilege {
 
- public static final String PARAM_ORGANISATION = "organisation";
-
 @Override
 public void validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable)
 throws AccessDeniedException {
@@ -76,24 +77,37 @@ public class UsernameFromCertificateWithSameOrganisationPrivilege extends Userna
 // get object
 Certificate cert = (Certificate) object;
 
- // get user organisation
- String userOrg = ctx.getCertificate().getProperty(PARAM_ORGANISATION);
- if (isEmpty(userOrg))
- throw new PrivilegeException("No organisation configured for user " + ctx.getUsername());
-
- // assert same organisation
- String org = cert.getProperty(PARAM_ORGANISATION);
- if (!userOrg.equals(org)) {
-
- if (assertHasPrivilege)
- throw new AccessDeniedException(
- "User " + ctx.getUsername() + " may not access users outside of their organisation: " + userOrg
- + " / " + org);
-
+ // first validate same organisation
+ if (!assertUserInSameOrganisation(ctx, cert, assertHasPrivilege))
 return false;
- }
 
 // now delegate the rest of the validation to the super class
 return super.validateAction(ctx, privilege, restrictable, assertHasPrivilege);
 }
+
+ protected boolean assertUserInSameOrganisation(PrivilegeContext ctx, Certificate cert, boolean assertHasPrivilege) {
+ Set userOrgs = getUserOrganisations(ctx.getCertificate());
+ Set orgs = getUserOrganisations(cert);
+
+ if (isUserInOrganisation(userOrgs, orgs))
+ return true;
+
+ if (assertHasPrivilege)
+ throw new AccessDeniedException(
+ "User " + ctx.getUsername() + " may not access users outside of their organisation: " + userOrgs
+ + " / " + orgs);
+
+ return false;
+ }
+
+ protected boolean isUserInOrganisation(Set organisations, Set userOrg) {
+ return userOrg.stream().anyMatch(organisations::contains);
+ }
+
+ protected Set getUserOrganisations(Certificate cert) {
+ String userOrg = cert.getOrganisation();
+ if (isEmpty(userOrg))
+ throw new PrivilegeException("No organisation configured for user " + cert.getUsername());
+ return Stream.of(userOrg.split(",")).map(String::trim).collect(toSet());
+ }
 }
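Review bot: `getUserOrganisations(cert)` throws PrivilegeException when the target certificate has no organisation, whereas the removed `if (!userOrg.equals(org))` treated a missing organisation on `cert` as a plain mismatch and returned false when `assertHasPrivilege` was false, so callers probing with `assertHasPrivilege == false` now get an exception instead of a boolean for such certificates. If the old behaviour is wanted, change the second line of the helper to `Set<String> orgs = isEmpty(cert.getOrganisation()) ? Collections.emptySet() : getUserOrganisations(cert);` (importing `java.util.Collections`) so a missing organisation is reported through the normal deny path. The check also widens from exact equality of the two organisation strings to any overlap of the comma-separated lists, which matches UserAccessWithSameOrganisationPrivilege but is a policy change worth a line in the class Javadoc. `isUserInOrganisation` and the split-and-trim parsing are now duplicated verbatim between the two policies; hoisting them into a shared helper (PrivilegePolicyHelper is already statically imported here) would keep the two from drifting.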