[New] Allow StrolchAdmin to ignore organisations
This commit is contained in:
parent
eb93e2ab5e
commit
6c43e54a93
|
@ -16,6 +16,7 @@
|
||||||
package li.strolch.privilege.policy;
|
package li.strolch.privilege.policy;
|
||||||
|
|
||||||
import static java.util.stream.Collectors.toSet;
|
import static java.util.stream.Collectors.toSet;
|
||||||
|
import static li.strolch.privilege.base.PrivilegeConstants.ROLE_STROLCH_ADMIN;
|
||||||
import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate;
|
import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate;
|
||||||
import static li.strolch.utils.helper.StringHelper.isEmpty;
|
import static li.strolch.utils.helper.StringHelper.isEmpty;
|
||||||
|
|
||||||
|
@ -53,6 +54,11 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
|
||||||
return validateAction(ctx, privilege, restrictable, false);
|
return validateAction(ctx, privilege, restrictable, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected boolean isStrolchAdminAndIgnoreOrganisation(PrivilegeContext ctx) {
|
||||||
|
return ctx.hasRole(ROLE_STROLCH_ADMIN);
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
protected boolean validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable,
|
protected boolean validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable,
|
||||||
boolean assertHasPrivilege) throws AccessDeniedException {
|
boolean assertHasPrivilege) throws AccessDeniedException {
|
||||||
|
|
||||||
|
@ -63,8 +69,8 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
|
||||||
|
|
||||||
// RoleAccessPrivilege policy expects the privilege value to be a role
|
// RoleAccessPrivilege policy expects the privilege value to be a role
|
||||||
if (!(object instanceof Tuple)) {
|
if (!(object instanceof Tuple)) {
|
||||||
String msg = Restrictable.class.getName() + PrivilegeMessages
|
String msg = Restrictable.class.getName() + PrivilegeMessages.getString(
|
||||||
.getString("Privilege.illegalArgument.nontuple"); //$NON-NLS-1$
|
"Privilege.illegalArgument.nontuple"); //$NON-NLS-1$
|
||||||
msg = MessageFormat.format(msg, restrictable.getClass().getSimpleName());
|
msg = MessageFormat.format(msg, restrictable.getClass().getSimpleName());
|
||||||
throw new PrivilegeException(msg);
|
throw new PrivilegeException(msg);
|
||||||
}
|
}
|
||||||
|
@ -78,6 +84,9 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
|
||||||
case PrivilegeHandler.PRIVILEGE_SET_USER_PASSWORD:
|
case PrivilegeHandler.PRIVILEGE_SET_USER_PASSWORD:
|
||||||
case PrivilegeHandler.PRIVILEGE_REMOVE_USER: {
|
case PrivilegeHandler.PRIVILEGE_REMOVE_USER: {
|
||||||
|
|
||||||
|
if (isStrolchAdminAndIgnoreOrganisation(ctx))
|
||||||
|
break;
|
||||||
|
|
||||||
// make sure old user has same organisation
|
// make sure old user has same organisation
|
||||||
User oldUser = tuple.getFirst();
|
User oldUser = tuple.getFirst();
|
||||||
if (oldUser != null) {
|
if (oldUser != null) {
|
||||||
|
@ -97,6 +106,9 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
|
||||||
case PrivilegeHandler.PRIVILEGE_ADD_ROLE_TO_USER:
|
case PrivilegeHandler.PRIVILEGE_ADD_ROLE_TO_USER:
|
||||||
case PrivilegeHandler.PRIVILEGE_REMOVE_ROLE_FROM_USER: {
|
case PrivilegeHandler.PRIVILEGE_REMOVE_ROLE_FROM_USER: {
|
||||||
|
|
||||||
|
if (isStrolchAdminAndIgnoreOrganisation(ctx))
|
||||||
|
break;
|
||||||
|
|
||||||
User user = tuple.getFirst();
|
User user = tuple.getFirst();
|
||||||
DBC.INTERIM.assertNotNull("For " + privilegeName + " first must not be null!", user);
|
DBC.INTERIM.assertNotNull("For " + privilegeName + " first must not be null!", user);
|
||||||
if (!assertUserInSameOrganisation(ctx, user, assertHasPrivilege))
|
if (!assertUserInSameOrganisation(ctx, user, assertHasPrivilege))
|
||||||
|
@ -106,8 +118,8 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
|
||||||
}
|
}
|
||||||
|
|
||||||
default:
|
default:
|
||||||
String msg = Restrictable.class.getName() + PrivilegeMessages
|
String msg = Restrictable.class.getName() + PrivilegeMessages.getString(
|
||||||
.getString("Privilege.userAccessPrivilege.unknownPrivilege"); //$NON-NLS-1$
|
"Privilege.userAccessPrivilege.unknownPrivilege"); //$NON-NLS-1$
|
||||||
msg = MessageFormat.format(msg, privilegeName);
|
msg = MessageFormat.format(msg, privilegeName);
|
||||||
throw new PrivilegeException(msg);
|
throw new PrivilegeException(msg);
|
||||||
}
|
}
|
||||||
|
|
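Review bot: The new protected hook `isStrolchAdminAndIgnoreOrganisation(PrivilegeContext ctx)` in hunk `@ -53,6 +54,11 @@` grants a blanket bypass of the same-organisation check, yet it has no Javadoc and its name promises an "ignore organisation" condition that the body does not contain — it is only `return ctx.hasRole(ROLE_STROLCH_ADMIN);`. Since the `if (isStrolchAdminAndIgnoreOrganisation(ctx)) break;` lines added in the `PRIVILEGE_SET_USER_PASSWORD`/`PRIVILEGE_REMOVE_USER` and `PRIVILEGE_ADD_ROLE_TO_USER`/`PRIVILEGE_REMOVE_ROLE_FROM_USER` cases now skip the organisation comparison entirely, the contract should be stated where overriders will see it: a Javadoc on the hook saying that it returns true when the acting user's context holds ROLE_STROLCH_ADMIN, that a true result skips the organisation check for the privilege being validated, and that subclasses overriding it are expected to narrow rather than widen the bypass. The single-statement `if` bodies would also be clearer braced, matching the braced style of the surrounding cases. Whether the other privilege cases of the switch, which lie outside these hunks, are also meant to bypass is not visible here.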
|
@ -16,6 +16,7 @@
|
||||||
package li.strolch.privilege.policy;
|
package li.strolch.privilege.policy;
|
||||||
|
|
||||||
import static java.util.stream.Collectors.toSet;
|
import static java.util.stream.Collectors.toSet;
|
||||||
|
import static li.strolch.privilege.base.PrivilegeConstants.ROLE_STROLCH_ADMIN;
|
||||||
import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate;
|
import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate;
|
||||||
import static li.strolch.utils.helper.StringHelper.isEmpty;
|
import static li.strolch.utils.helper.StringHelper.isEmpty;
|
||||||
|
|
||||||
|
@ -58,6 +59,7 @@ public class UsernameFromCertificateWithSameOrganisationPrivilege extends Userna
|
||||||
return validateAction(ctx, privilege, restrictable, false);
|
return validateAction(ctx, privilege, restrictable, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
protected boolean validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable,
|
protected boolean validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable,
|
||||||
boolean assertHasPrivilege) throws AccessDeniedException {
|
boolean assertHasPrivilege) throws AccessDeniedException {
|
||||||
|
|
||||||
|
@ -68,8 +70,8 @@ public class UsernameFromCertificateWithSameOrganisationPrivilege extends Userna
|
||||||
|
|
||||||
// RoleAccessPrivilege policy expects the privilege value to be a role
|
// RoleAccessPrivilege policy expects the privilege value to be a role
|
||||||
if (!(object instanceof Certificate)) {
|
if (!(object instanceof Certificate)) {
|
||||||
String msg = Restrictable.class.getName() + PrivilegeMessages
|
String msg = Restrictable.class.getName() + PrivilegeMessages.getString(
|
||||||
.getString("Privilege.illegalArgument.noncertificate"); //$NON-NLS-1$
|
"Privilege.illegalArgument.noncertificate"); //$NON-NLS-1$
|
||||||
msg = MessageFormat.format(msg, restrictable.getClass().getSimpleName());
|
msg = MessageFormat.format(msg, restrictable.getClass().getSimpleName());
|
||||||
throw new PrivilegeException(msg);
|
throw new PrivilegeException(msg);
|
||||||
}
|
}
|
||||||
|
@ -78,13 +80,17 @@ public class UsernameFromCertificateWithSameOrganisationPrivilege extends Userna
|
||||||
Certificate cert = (Certificate) object;
|
Certificate cert = (Certificate) object;
|
||||||
|
|
||||||
// first validate same organisation
|
// first validate same organisation
|
||||||
if (!assertUserInSameOrganisation(ctx, cert, assertHasPrivilege))
|
if (!isStrolchAdminAndIgnoreOrganisation(cert) && !assertUserInSameOrganisation(ctx, cert, assertHasPrivilege))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
// now delegate the rest of the validation to the super class
|
// now delegate the rest of the validation to the super class
|
||||||
return super.validateAction(ctx, privilege, restrictable, assertHasPrivilege);
|
return super.validateAction(ctx, privilege, restrictable, assertHasPrivilege);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected boolean isStrolchAdminAndIgnoreOrganisation(Certificate cert) {
|
||||||
|
return cert.hasRole(ROLE_STROLCH_ADMIN);
|
||||||
|
}
|
||||||
|
|
||||||
protected boolean assertUserInSameOrganisation(PrivilegeContext ctx, Certificate cert, boolean assertHasPrivilege) {
|
protected boolean assertUserInSameOrganisation(PrivilegeContext ctx, Certificate cert, boolean assertHasPrivilege) {
|
||||||
Set<String> userOrgs = getUserOrganisations(ctx.getCertificate());
|
Set<String> userOrgs = getUserOrganisations(ctx.getCertificate());
|
||||||
Set<String> orgs = getUserOrganisations(cert);
|
Set<String> orgs = getUserOrganisations(cert);
|
||||||
|
|
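Review bot: The bypass on the changed line `if (!isStrolchAdminAndIgnoreOrganisation(cert) && !assertUserInSameOrganisation(ctx, cert, assertHasPrivilege))` checks the admin role on `cert`, which is the target certificate cast from `object` a few lines above, not on the acting user's certificate `ctx.getCertificate()` that `assertUserInSameOrganisation` compares against. As written, the organisation check is skipped whenever the target certificate holds ROLE_STROLCH_ADMIN, so a non-admin caller from another organisation would pass this check against an admin's certificate — the inverse of the commit title — whereas the sibling policy in UserAccessWithSameOrganisationPrivilege tests `ctx.hasRole(ROLE_STROLCH_ADMIN)` on the caller. Unless the target-side semantics are intended, the call should be `if (!isStrolchAdminAndIgnoreOrganisation(ctx.getCertificate()) && !assertUserInSameOrganisation(ctx, cert, assertHasPrivilege))`, or the new helper should take a PrivilegeContext as in the sibling class so both policies cannot drift apart. The enclosing validateAction starts before this hunk, and assertUserInSameOrganisation continues past its end.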