diff --git a/li.strolch.agent/src/main/java/li/strolch/job/StrolchJob.java b/li.strolch.agent/src/main/java/li/strolch/job/StrolchJob.java
index 3a0d9b6b8..1011ec81e 100644
--- a/li.strolch.agent/src/main/java/li/strolch/job/StrolchJob.java
+++ b/li.strolch.agent/src/main/java/li/strolch/job/StrolchJob.java
@@ -28,6 +28,7 @@ import li.strolch.persistence.api.StrolchTransaction;
 import li.strolch.privilege.base.PrivilegeException;
 import li.strolch.privilege.model.Certificate;
 import li.strolch.privilege.model.PrivilegeContext;
+import li.strolch.privilege.model.Restrictable;
 import li.strolch.runtime.StrolchConstants;
 import li.strolch.runtime.privilege.PrivilegedRunnable;
 import li.strolch.utils.helper.ExceptionHelper;
@@ -38,7 +39,7 @@ import org.slf4j.LoggerFactory;
 * A StrolchJob is a simple job which performs an action. A StrolchJob can be scheduled so that it executes
 * periodically, or trigger externally e.g. from a UI. Sub classes must implement the
 */
-public abstract class StrolchJob implements Runnable {
+public abstract class StrolchJob implements Runnable, Restrictable {
 protected static final Logger logger = LoggerFactory.getLogger(StrolchJob.class);
@@ -295,6 +296,16 @@ public abstract class StrolchJob implements Runnable {
 protected abstract void execute(PrivilegeContext ctx) throws Exception;
+ @Override
+ public String getPrivilegeName() {
+ return StrolchJob.class.getName();
+ }
+
+ @Override
+ public Object getPrivilegeValue() {
+ return this.getClass().getName();
+ }
+
 public JsonObject toJson() {
 JsonObject jsonObject = new JsonObject();
diff --git a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/StrolchJobsResource.java b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/StrolchJobsResource.java
index afacee1cd..d845fbd14 100644
--- a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/StrolchJobsResource.java
+++ b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/StrolchJobsResource.java
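Review bot: The two new `Restrictable` methods at the end of the `@@ -295` hunk carry no Javadoc, and their contract is security-relevant: `getPrivilegeName()` returns the fixed `StrolchJob.class.getName()` under which the privilege is configured, while `getPrivilegeValue()` returns the concrete subclass's fully-qualified name, so allow-list entries are keyed by class name and moving or renaming a job class silently changes which privilege entry authorizes it. A Javadoc on `getPrivilegeValue()` along the lines of `Returns the fully-qualified class name of the concrete job. Privilege allow lists match on this value, so renaming or moving a job class changes its authorization identity.` plus a one-liner on `getPrivilegeName()` naming it as the privilege under which all jobs are configured would make that visible to anyone adding a job. The class Javadoc shown as context in the `@@ -38` hunk also ends mid-sentence (`Sub classes must implement the`), presumably meaning `execute(PrivilegeContext)`, and could be completed while the declaration is being touched.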
@@ -16,7 +16,9 @@ package li.strolch.rest.endpoint;
 import static java.util.Comparator.comparing;
+import static java.util.stream.Collectors.toList;
 import static li.strolch.rest.StrolchRestfulConstants.DATA;
+import static li.strolch.runtime.StrolchConstants.ROLE_STROLCH_ADMIN;
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.*;
@@ -26,9 +28,12 @@ import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
 import java.util.List;
+import li.strolch.agent.api.ComponentContainer;
 import li.strolch.job.StrolchJob;
 import li.strolch.job.StrolchJobsHandler;
 import li.strolch.privilege.model.Certificate;
+import li.strolch.privilege.model.IPrivilege;
+import li.strolch.privilege.model.PrivilegeContext;
 import li.strolch.rest.RestfulStrolchComponent;
 import li.strolch.rest.StrolchRestfulConstants;
 import li.strolch.rest.helper.ResponseUtil;
@@ -48,12 +53,25 @@ public class StrolchJobsResource {
 public Response getAll(@Context HttpServletRequest request, @Context HttpHeaders headers) {
 Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
+ ComponentContainer container = RestfulStrolchComponent.getInstance().getContainer();
+ PrivilegeContext ctx = container.getPrivilegeHandler().validate(cert);
- StrolchJobsHandler strolchJobsHandler = RestfulStrolchComponent.getInstance().getContainer()
- .getComponent(StrolchJobsHandler.class);
+ // assert user can access StrolchJobs
+ if (!ctx.hasRole(ROLE_STROLCH_ADMIN))
+ ctx.assertHasPrivilege(StrolchJob.class.getName());
- List jobs = strolchJobsHandler.getJobs(cert);
- jobs.sort(comparing(StrolchJob::getName));
+ StrolchJobsHandler strolchJobsHandler = container.getComponent(StrolchJobsHandler.class);
+
+ List jobs = strolchJobsHandler.getJobs(cert).stream() //
+ .filter(job -> {
+ if (ctx.hasRole(ROLE_STROLCH_ADMIN))
+ return true;
+
+ IPrivilege privilege = ctx.getPrivilege(StrolchJob.class.getName());
+ return privilege.isAllAllowed() || privilege.getAllowList().contains(job.getClass().getName());
+ }) //
+ .sorted(comparing(StrolchJob::getName)) //
+ .collect(toList());
 return ResponseUtil.listToResponse(DATA, jobs, StrolchJob::toJson);
 }
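Review bot: The filter lambda re-evaluates `ctx.hasRole(ROLE_STROLCH_ADMIN)` and re-fetches the `IPrivilege` via `ctx.getPrivilege(StrolchJob.class.getName())` for every job although both are invariant across the stream, and it hand-rolls the allow-list rule against `job.getClass().getName()` instead of the `Restrictable` contract (`getPrivilegeValue()`) this same commit gives `StrolchJob`, so the listing rule and the `validateAction(job)` check used when running a job can drift apart. If `IPrivilege` also carries a deny list, the hand-rolled check ignores it, which cannot be confirmed from this hunk. I would hoist the admin flag and the privilege lookup out of the lambda and match on `job.getPrivilegeValue()`; the `assertHasPrivilege` guard above already fails closed for a non-admin with no configured privilege, which is what makes the later `privilege` dereference safe and deserves a comment saying so.
```java
boolean isAdmin = ctx.hasRole(ROLE_STROLCH_ADMIN);
// non-admins must hold the StrolchJob privilege at all; fails closed when it is not configured
if (!isAdmin)
    ctx.assertHasPrivilege(StrolchJob.class.getName());
IPrivilege privilege = isAdmin ? null : ctx.getPrivilege(StrolchJob.class.getName());

StrolchJobsHandler strolchJobsHandler = container.getComponent(StrolchJobsHandler.class);

List<StrolchJob> jobs = strolchJobsHandler.getJobs(cert).stream() //
        .filter(job -> isAdmin || privilege.isAllAllowed()
                || privilege.getAllowList().contains(job.getPrivilegeValue())) //
        .sorted(comparing(StrolchJob::getName)) //
        .collect(toList());
// … unchanged: listToResponse …
```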
@@ -67,11 +85,16 @@ public class StrolchJobsResource {
 Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
- StrolchJobsHandler strolchJobsHandler = RestfulStrolchComponent.getInstance().getContainer()
- .getComponent(StrolchJobsHandler.class);
+ ComponentContainer container = RestfulStrolchComponent.getInstance().getContainer();
+ StrolchJobsHandler strolchJobsHandler = container.getComponent(StrolchJobsHandler.class);
 StrolchJob job = strolchJobsHandler.getJob(cert, name);
+ // assert user can access StrolchJobs
+ PrivilegeContext ctx = container.getPrivilegeHandler().validate(cert);
+ if (!ctx.hasRole(ROLE_STROLCH_ADMIN))
+ ctx.validateAction(job);
+
 switch (action) {
 case "runNow":