[New] Allow StrolchAdmin to ignore organisations

This commit is contained in:
Robert von Burg 2021-09-13 17:04:26 +02:00
parent eb93e2ab5e
commit 6c43e54a93
2 changed files with 25 additions and 7 deletions


@ -16,6 +16,7 @@
package li.strolch.privilege.policy; package li.strolch.privilege.policy;
import static java.util.stream.Collectors.toSet; import static java.util.stream.Collectors.toSet;
import static li.strolch.privilege.base.PrivilegeConstants.ROLE_STROLCH_ADMIN;
import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate; import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate;
import static li.strolch.utils.helper.StringHelper.isEmpty; import static li.strolch.utils.helper.StringHelper.isEmpty;
@ -53,6 +54,11 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
return validateAction(ctx, privilege, restrictable, false); return validateAction(ctx, privilege, restrictable, false);
} }
protected boolean isStrolchAdminAndIgnoreOrganisation(PrivilegeContext ctx) {
return ctx.hasRole(ROLE_STROLCH_ADMIN);
}
@Override
protected boolean validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable, protected boolean validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable,
boolean assertHasPrivilege) throws AccessDeniedException { boolean assertHasPrivilege) throws AccessDeniedException {
@ -63,8 +69,8 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
// RoleAccessPrivilege policy expects the privilege value to be a role // RoleAccessPrivilege policy expects the privilege value to be a role
if (!(object instanceof Tuple)) { if (!(object instanceof Tuple)) {
String msg = Restrictable.class.getName() + PrivilegeMessages String msg = Restrictable.class.getName() + PrivilegeMessages.getString(
.getString("Privilege.illegalArgument.nontuple"); //$NON-NLS-1$ "Privilege.illegalArgument.nontuple"); //$NON-NLS-1$
msg = MessageFormat.format(msg, restrictable.getClass().getSimpleName()); msg = MessageFormat.format(msg, restrictable.getClass().getSimpleName());
throw new PrivilegeException(msg); throw new PrivilegeException(msg);
} }
@ -78,6 +84,9 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
case PrivilegeHandler.PRIVILEGE_SET_USER_PASSWORD: case PrivilegeHandler.PRIVILEGE_SET_USER_PASSWORD:
case PrivilegeHandler.PRIVILEGE_REMOVE_USER: { case PrivilegeHandler.PRIVILEGE_REMOVE_USER: {
if (isStrolchAdminAndIgnoreOrganisation(ctx))
break;
// make sure old user has same organisation // make sure old user has same organisation
User oldUser = tuple.getFirst(); User oldUser = tuple.getFirst();
if (oldUser != null) { if (oldUser != null) {
@ -97,6 +106,9 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
case PrivilegeHandler.PRIVILEGE_ADD_ROLE_TO_USER: case PrivilegeHandler.PRIVILEGE_ADD_ROLE_TO_USER:
case PrivilegeHandler.PRIVILEGE_REMOVE_ROLE_FROM_USER: { case PrivilegeHandler.PRIVILEGE_REMOVE_ROLE_FROM_USER: {
if (isStrolchAdminAndIgnoreOrganisation(ctx))
break;
User user = tuple.getFirst(); User user = tuple.getFirst();
DBC.INTERIM.assertNotNull("For " + privilegeName + " first must not be null!", user); DBC.INTERIM.assertNotNull("For " + privilegeName + " first must not be null!", user);
if (!assertUserInSameOrganisation(ctx, user, assertHasPrivilege)) if (!assertUserInSameOrganisation(ctx, user, assertHasPrivilege))
@ -106,8 +118,8 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
} }
default: default:
String msg = Restrictable.class.getName() + PrivilegeMessages String msg = Restrictable.class.getName() + PrivilegeMessages.getString(
.getString("Privilege.userAccessPrivilege.unknownPrivilege"); //$NON-NLS-1$ "Privilege.userAccessPrivilege.unknownPrivilege"); //$NON-NLS-1$
msg = MessageFormat.format(msg, privilegeName); msg = MessageFormat.format(msg, privilegeName);
throw new PrivilegeException(msg); throw new PrivilegeException(msg);
} }
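Review bot: The bypass introduced here keys on the acting user (`isStrolchAdminAndIgnoreOrganisation(PrivilegeContext ctx)` returns `ctx.hasRole(ROLE_STROLCH_ADMIN)`), but the parallel helper this commit adds in UsernameFromCertificateWithSameOrganisationPrivilege is invoked with the restrictable `cert` (the `Certificate` cast from `object`, i.e. the certificate being acted on), so in that file the same-organisation check is skipped whenever the target holds the admin role rather than the caller; unless that asymmetry is intended, the call there should be `if (!isStrolchAdminAndIgnoreOrganisation(ctx.getCertificate()) && !assertUserInSameOrganisation(ctx, cert, assertHasPrivilege))`. In the two case blocks of this file the early `break` also jumps past `DBC.INTERIM.assertNotNull(...)` on the tuple's first element, so for an admin a malformed tuple is no longer rejected at this point; guarding only the organisation test, e.g. `if (!isStrolchAdminAndIgnoreOrganisation(ctx) && !assertUserInSameOrganisation(ctx, user, assertHasPrivilege))`, keeps the structural checks in place for every caller. The helper's name suggests a configurable "ignore organisation" switch, yet its body is a plain role test, so a Javadoc such as `/** Extension hook: a StrolchAdmin may act on users of any organisation; override to narrow. */` would make the deliberate authorisation exemption explicit for maintainers. validateAction starts before and ends after this hunk.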


@ -16,6 +16,7 @@
package li.strolch.privilege.policy; package li.strolch.privilege.policy;
import static java.util.stream.Collectors.toSet; import static java.util.stream.Collectors.toSet;
import static li.strolch.privilege.base.PrivilegeConstants.ROLE_STROLCH_ADMIN;
import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate; import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate;
import static li.strolch.utils.helper.StringHelper.isEmpty; import static li.strolch.utils.helper.StringHelper.isEmpty;
@ -58,6 +59,7 @@ public class UsernameFromCertificateWithSameOrganisationPrivilege extends Userna
return validateAction(ctx, privilege, restrictable, false); return validateAction(ctx, privilege, restrictable, false);
} }
@Override
protected boolean validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable, protected boolean validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable,
boolean assertHasPrivilege) throws AccessDeniedException { boolean assertHasPrivilege) throws AccessDeniedException {
@ -68,8 +70,8 @@ public class UsernameFromCertificateWithSameOrganisationPrivilege extends Userna
// RoleAccessPrivilege policy expects the privilege value to be a role // RoleAccessPrivilege policy expects the privilege value to be a role
if (!(object instanceof Certificate)) { if (!(object instanceof Certificate)) {
String msg = Restrictable.class.getName() + PrivilegeMessages String msg = Restrictable.class.getName() + PrivilegeMessages.getString(
.getString("Privilege.illegalArgument.noncertificate"); //$NON-NLS-1$ "Privilege.illegalArgument.noncertificate"); //$NON-NLS-1$
msg = MessageFormat.format(msg, restrictable.getClass().getSimpleName()); msg = MessageFormat.format(msg, restrictable.getClass().getSimpleName());
throw new PrivilegeException(msg); throw new PrivilegeException(msg);
} }
@ -78,13 +80,17 @@ public class UsernameFromCertificateWithSameOrganisationPrivilege extends Userna
Certificate cert = (Certificate) object; Certificate cert = (Certificate) object;
// first validate same organisation // first validate same organisation
if (!assertUserInSameOrganisation(ctx, cert, assertHasPrivilege)) if (!isStrolchAdminAndIgnoreOrganisation(cert) && !assertUserInSameOrganisation(ctx, cert, assertHasPrivilege))
return false; return false;
// now delegate the rest of the validation to the super class // now delegate the rest of the validation to the super class
return super.validateAction(ctx, privilege, restrictable, assertHasPrivilege); return super.validateAction(ctx, privilege, restrictable, assertHasPrivilege);
} }
protected boolean isStrolchAdminAndIgnoreOrganisation(Certificate cert) {
return cert.hasRole(ROLE_STROLCH_ADMIN);
}
protected boolean assertUserInSameOrganisation(PrivilegeContext ctx, Certificate cert, boolean assertHasPrivilege) { protected boolean assertUserInSameOrganisation(PrivilegeContext ctx, Certificate cert, boolean assertHasPrivilege) {
Set<String> userOrgs = getUserOrganisations(ctx.getCertificate()); Set<String> userOrgs = getUserOrganisations(ctx.getCertificate());
Set<String> orgs = getUserOrganisations(cert); Set<String> orgs = getUserOrganisations(cert);