[New] Allow StrolchAdmin to ignore organisations

This commit is contained in:
Robert von Burg 2021-09-13 17:04:26 +02:00
parent eb93e2ab5e
commit 6c43e54a93
2 changed files with 25 additions and 7 deletions


@ -16,6 +16,7 @@
package li.strolch.privilege.policy;
import static java.util.stream.Collectors.toSet;
import static li.strolch.privilege.base.PrivilegeConstants.ROLE_STROLCH_ADMIN;
import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate;
import static li.strolch.utils.helper.StringHelper.isEmpty;
@ -53,6 +54,11 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
return validateAction(ctx, privilege, restrictable, false);
}
protected boolean isStrolchAdminAndIgnoreOrganisation(PrivilegeContext ctx) {
return ctx.hasRole(ROLE_STROLCH_ADMIN);
}
@Override
protected boolean validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable,
boolean assertHasPrivilege) throws AccessDeniedException {
@ -63,8 +69,8 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
// RoleAccessPrivilege policy expects the privilege value to be a role
if (!(object instanceof Tuple)) {
String msg = Restrictable.class.getName() + PrivilegeMessages
.getString("Privilege.illegalArgument.nontuple"); //$NON-NLS-1$
String msg = Restrictable.class.getName() + PrivilegeMessages.getString(
"Privilege.illegalArgument.nontuple"); //$NON-NLS-1$
msg = MessageFormat.format(msg, restrictable.getClass().getSimpleName());
throw new PrivilegeException(msg);
}
@ -78,6 +84,9 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
case PrivilegeHandler.PRIVILEGE_SET_USER_PASSWORD:
case PrivilegeHandler.PRIVILEGE_REMOVE_USER: {
if (isStrolchAdminAndIgnoreOrganisation(ctx))
break;
// make sure old user has same organisation
User oldUser = tuple.getFirst();
if (oldUser != null) {
@ -97,6 +106,9 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
case PrivilegeHandler.PRIVILEGE_ADD_ROLE_TO_USER:
case PrivilegeHandler.PRIVILEGE_REMOVE_ROLE_FROM_USER: {
if (isStrolchAdminAndIgnoreOrganisation(ctx))
break;
User user = tuple.getFirst();
DBC.INTERIM.assertNotNull("For " + privilegeName + " first must not be null!", user);
if (!assertUserInSameOrganisation(ctx, user, assertHasPrivilege))
@ -106,8 +118,8 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
}
default:
String msg = Restrictable.class.getName() + PrivilegeMessages
.getString("Privilege.userAccessPrivilege.unknownPrivilege"); //$NON-NLS-1$
String msg = Restrictable.class.getName() + PrivilegeMessages.getString(
"Privilege.userAccessPrivilege.unknownPrivilege"); //$NON-NLS-1$
msg = MessageFormat.format(msg, privilegeName);
throw new PrivilegeException(msg);
}
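Review bot: The new protected hook isStrolchAdminAndIgnoreOrganisation(PrivilegeContext) in the second hunk switches off the organisation boundary for the PRIVILEGE_SET_USER_PASSWORD / PRIVILEGE_REMOVE_USER and ADD_ROLE_TO_USER / REMOVE_ROLE_FROM_USER cases via the added `break`s, but carries no Javadoc, so a subclass overriding it has nothing telling it that returning true widens cross-organisation user management. I would add above it: `/** Returns true when the acting user may bypass the same-organisation check; by default only {@code ROLE_STROLCH_ADMIN}. Overriding this widens who may manage users of other organisations. */`. What the `break` falls through to after the switch is outside the hunk, so whether the admin path still reaches the remaining validation in the super class cannot be confirmed here. The sibling change in UsernameFromCertificateWithSameOrganisationPrivilege defines the same-named hook on the target `Certificate` and calls it with the restrictable's cert rather than with `ctx.getCertificate()`, so there the role consulted appears to be that of the acted-upon session, not the acting user; if the intent matches this file, `!isStrolchAdminAndIgnoreOrganisation(ctx.getCertificate())` would make the two policies agree.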


@ -16,6 +16,7 @@
package li.strolch.privilege.policy;
import static java.util.stream.Collectors.toSet;
import static li.strolch.privilege.base.PrivilegeConstants.ROLE_STROLCH_ADMIN;
import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate;
import static li.strolch.utils.helper.StringHelper.isEmpty;
@ -58,6 +59,7 @@ public class UsernameFromCertificateWithSameOrganisationPrivilege extends Userna
return validateAction(ctx, privilege, restrictable, false);
}
@Override
protected boolean validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable,
boolean assertHasPrivilege) throws AccessDeniedException {
@ -68,8 +70,8 @@ public class UsernameFromCertificateWithSameOrganisationPrivilege extends Userna
// RoleAccessPrivilege policy expects the privilege value to be a role
if (!(object instanceof Certificate)) {
String msg = Restrictable.class.getName() + PrivilegeMessages
.getString("Privilege.illegalArgument.noncertificate"); //$NON-NLS-1$
String msg = Restrictable.class.getName() + PrivilegeMessages.getString(
"Privilege.illegalArgument.noncertificate"); //$NON-NLS-1$
msg = MessageFormat.format(msg, restrictable.getClass().getSimpleName());
throw new PrivilegeException(msg);
}
@ -78,13 +80,17 @@ public class UsernameFromCertificateWithSameOrganisationPrivilege extends Userna
Certificate cert = (Certificate) object;
// first validate same organisation
if (!assertUserInSameOrganisation(ctx, cert, assertHasPrivilege))
if (!isStrolchAdminAndIgnoreOrganisation(cert) && !assertUserInSameOrganisation(ctx, cert, assertHasPrivilege))
return false;
// now delegate the rest of the validation to the super class
return super.validateAction(ctx, privilege, restrictable, assertHasPrivilege);
}
protected boolean isStrolchAdminAndIgnoreOrganisation(Certificate cert) {
return cert.hasRole(ROLE_STROLCH_ADMIN);
}
protected boolean assertUserInSameOrganisation(PrivilegeContext ctx, Certificate cert, boolean assertHasPrivilege) {
Set<String> userOrgs = getUserOrganisations(ctx.getCertificate());
Set<String> orgs = getUserOrganisations(cert);