[Fix] Added proper privilege validation for StrolchJob

li.strolch.agent/src/main/java/li/strolch/job/StrolchJob.java

@@ -28,6 +28,7 @@ import li.strolch.persistence.api.StrolchTransaction;
 import li.strolch.privilege.base.PrivilegeException;
 import li.strolch.privilege.model.Certificate;
 import li.strolch.privilege.model.PrivilegeContext;
+import li.strolch.privilege.model.Restrictable;
 import li.strolch.runtime.StrolchConstants;
 import li.strolch.runtime.privilege.PrivilegedRunnable;
 import li.strolch.utils.helper.ExceptionHelper;
@@ -38,7 +39,7 @@ import org.slf4j.LoggerFactory;
  * A StrolchJob is a simple job which performs an action. A StrolchJob can be scheduled so that it executes
  * periodically, or trigger externally e.g. from a UI. Sub classes must implement the
  */
-public abstract class StrolchJob implements Runnable {
+public abstract class StrolchJob implements Runnable, Restrictable {
 
 	protected static final Logger logger = LoggerFactory.getLogger(StrolchJob.class);
 
@@ -295,6 +296,16 @@ public abstract class StrolchJob implements Runnable {
 
 	protected abstract void execute(PrivilegeContext ctx) throws Exception;
 
+	@Override
+	public String getPrivilegeName() {
+		return StrolchJob.class.getName();
+	}
+
+	@Override
+	public Object getPrivilegeValue() {
+		return this.getClass().getName();
+	}
+
 	public JsonObject toJson() {
 		JsonObject jsonObject = new JsonObject();
 

li.strolch.rest/src/main/java/li/strolch/rest/endpoint/StrolchJobsResource.java

@@ -16,7 +16,9 @@
 package li.strolch.rest.endpoint;
 
 import static java.util.Comparator.comparing;
+import static java.util.stream.Collectors.toList;
 import static li.strolch.rest.StrolchRestfulConstants.DATA;
+import static li.strolch.runtime.StrolchConstants.ROLE_STROLCH_ADMIN;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.*;
@@ -26,9 +28,12 @@ import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import java.util.List;
 
+import li.strolch.agent.api.ComponentContainer;
 import li.strolch.job.StrolchJob;
 import li.strolch.job.StrolchJobsHandler;
 import li.strolch.privilege.model.Certificate;
+import li.strolch.privilege.model.IPrivilege;
+import li.strolch.privilege.model.PrivilegeContext;
 import li.strolch.rest.RestfulStrolchComponent;
 import li.strolch.rest.StrolchRestfulConstants;
 import li.strolch.rest.helper.ResponseUtil;
@@ -48,12 +53,25 @@ public class StrolchJobsResource {
 	public Response getAll(@Context HttpServletRequest request, @Context HttpHeaders headers) {
 
 		Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
+		ComponentContainer container = RestfulStrolchComponent.getInstance().getContainer();
+		PrivilegeContext ctx = container.getPrivilegeHandler().validate(cert);
 
-		StrolchJobsHandler strolchJobsHandler = RestfulStrolchComponent.getInstance().getContainer()
-				.getComponent(StrolchJobsHandler.class);
+		// assert user can access StrolchJobs
+		if (!ctx.hasRole(ROLE_STROLCH_ADMIN))
+			ctx.assertHasPrivilege(StrolchJob.class.getName());
 
-		List<StrolchJob> jobs = strolchJobsHandler.getJobs(cert);
-		jobs.sort(comparing(StrolchJob::getName));
+		StrolchJobsHandler strolchJobsHandler = container.getComponent(StrolchJobsHandler.class);
+
+		List<StrolchJob> jobs = strolchJobsHandler.getJobs(cert).stream() //
+				.filter(job -> {
+					if (ctx.hasRole(ROLE_STROLCH_ADMIN))
+						return true;
+
+					IPrivilege privilege = ctx.getPrivilege(StrolchJob.class.getName());
+					return privilege.isAllAllowed() || privilege.getAllowList().contains(job.getClass().getName());
+				}) //
+				.sorted(comparing(StrolchJob::getName)) //
+				.collect(toList());
 		return ResponseUtil.listToResponse(DATA, jobs, StrolchJob::toJson);
 	}
 
@@ -67,11 +85,16 @@ public class StrolchJobsResource {
 
 			Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
 
-			StrolchJobsHandler strolchJobsHandler = RestfulStrolchComponent.getInstance().getContainer()
-					.getComponent(StrolchJobsHandler.class);
+			ComponentContainer container = RestfulStrolchComponent.getInstance().getContainer();
+			StrolchJobsHandler strolchJobsHandler = container.getComponent(StrolchJobsHandler.class);
 
 			StrolchJob job = strolchJobsHandler.getJob(cert, name);
 
+			// assert user can access StrolchJobs
+			PrivilegeContext ctx = container.getPrivilegeHandler().validate(cert);
+			if (!ctx.hasRole(ROLE_STROLCH_ADMIN))
+				ctx.validateAction(job);
+
 			switch (action) {
 
 			case "runNow":