From ad0a0f1e10daa7ac8c9c37be8a530005efb2323c Mon Sep 17 00:00:00 2001
From: Robert von Burg
Date: Thu, 22 Oct 2020 15:14:02 +0200
Subject: [PATCH] [Major] Refactoring privilege services, added Organisation checking if required
---
.../runtime/config/PrivilegeRoles.xml | 19 +++++
.../runtime/config/PrivilegeRoles.xml | 19 +++++
...erAccessWithSameOrganisationPrivilege.java | 45 +++++++---
...tificateWithSameOrganisationPrivilege.java | 2 +-
.../test/resources/config/PrivilegeRoles.xml | 83 ++++++++++++-------
.../rest/endpoint/PrivilegeRolesService.java | 20 ++---
.../rest/endpoint/PrivilegeUsersService.java | 19 +++--
...egeAddOrReplacePrivilegeOnRoleService.java | 10 ---
.../roles/PrivilegeAddRoleService.java | 10 ---
...ivilegeRemovePrivilegeFromRoleService.java | 10 ---
.../roles/PrivilegeRemoveRoleService.java | 10 ---
.../roles/PrivilegeUpdateRoleService.java | 10 ---
.../users/PrivilegeAddRoleToUserService.java | 10 ---
.../users/PrivilegeAddUserService.java | 11 ---
.../PrivilegeRemoveRoleFromUserService.java | 10 ---
.../users/PrivilegeRemoveUserService.java | 10 ---
.../PrivilegeSetUserPasswordService.java | 10 ---
.../PrivilegeUpdateUserRolesService.java | 10 ---
.../users/PrivilegeUpdateUserService.java | 10 ---
.../svctest/config/PrivilegeRoles.xml | 83 ++++++++++++-------
20 files changed, 196 insertions(+), 215 deletions(-)
diff --git a/li.strolch.mvn.archetype.main/src/main/resources/archetype-resources/runtime/config/PrivilegeRoles.xml b/li.strolch.mvn.archetype.main/src/main/resources/archetype-resources/runtime/config/PrivilegeRoles.xml
index a79331544..d7a2109e7 100644
--- a/li.strolch.mvn.archetype.main/src/main/resources/archetype-resources/runtime/config/PrivilegeRoles.xml
+++ b/li.strolch.mvn.archetype.main/src/main/resources/archetype-resources/runtime/config/PrivilegeRoles.xml
@@ -89,10 +89,29 @@ + + li.strolch.service.privilege.users.PrivilegeSetUserPasswordService + li.strolch.service.privilege.users.PrivilegeSetUserLocaleService + + + li.strolch.service.privilege.users.PrivilegeUpdateUserService + li.strolch.service.privilege.users.PrivilegeUpdateUserRolesService + li.strolch.service.privilege.users.PrivilegeSetUserPasswordService + li.strolch.service.privilege.users.PrivilegeSetUserLocaleService + li.strolch.service.privilege.users.PrivilegeRemoveUserService + li.strolch.service.privilege.users.PrivilegeRemoveRoleFromUserService + li.strolch.service.privilege.users.PrivilegeAddUserService + li.strolch.service.privilege.users.PrivilegeAddRoleToUserService + li.strolch.service.privilege.roles.PrivilegeUpdateRoleService + li.strolch.service.privilege.roles.PrivilegeRemoveRoleService + li.strolch.service.privilege.roles.PrivilegeRemovePrivilegeFromRoleService + li.strolch.service.privilege.roles.PrivilegeAddRoleService + li.strolch.service.privilege.roles.PrivilegeAddOrReplacePrivilegeOnRoleService + true diff --git a/li.strolch.mvn.archetype.webapp/src/main/resources/archetype-resources/runtime/config/PrivilegeRoles.xml b/li.strolch.mvn.archetype.webapp/src/main/resources/archetype-resources/runtime/config/PrivilegeRoles.xml index 81a974e61..49cf215b3 100644 --- a/li.strolch.mvn.archetype.webapp/src/main/resources/archetype-resources/runtime/config/PrivilegeRoles.xml +++ b/li.strolch.mvn.archetype.webapp/src/main/resources/archetype-resources/runtime/config/PrivilegeRoles.xml 
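Review bot: The first added grant in this hunk gives a role only `PrivilegeSetUserPasswordService` and `PrivilegeSetUserLocaleService`, and whether that role can change only its own password depends on the `policy` attribute of that Privilege element, which is not visible in this rendering of the diff (the element tags are stripped). If it is meant as a self-service grant, the policy should be one of the username-bound ones (presumably `UsernameFromCertificatePrivilege` or its organisation variant) rather than a blanket allow, since the password service acts on a target user supplied by the caller. An XML comment above the grant, e.g. `<!-- self-service only: policy must bind the target user to the caller's certificate -->`, would make that intent reviewable and stop a later edit from loosening it unnoticed.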
@@ -101,10 +101,29 @@ + + li.strolch.service.privilege.users.PrivilegeSetUserPasswordService + li.strolch.service.privilege.users.PrivilegeSetUserLocaleService + + + li.strolch.service.privilege.users.PrivilegeUpdateUserService + li.strolch.service.privilege.users.PrivilegeUpdateUserRolesService + li.strolch.service.privilege.users.PrivilegeSetUserPasswordService + li.strolch.service.privilege.users.PrivilegeSetUserLocaleService + li.strolch.service.privilege.users.PrivilegeRemoveUserService + li.strolch.service.privilege.users.PrivilegeRemoveRoleFromUserService + li.strolch.service.privilege.users.PrivilegeAddUserService + li.strolch.service.privilege.users.PrivilegeAddRoleToUserService + li.strolch.service.privilege.roles.PrivilegeUpdateRoleService + li.strolch.service.privilege.roles.PrivilegeRemoveRoleService + li.strolch.service.privilege.roles.PrivilegeRemovePrivilegeFromRoleService + li.strolch.service.privilege.roles.PrivilegeAddRoleService + li.strolch.service.privilege.roles.PrivilegeAddOrReplacePrivilegeOnRoleService + true diff --git a/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UserAccessWithSameOrganisationPrivilege.java b/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UserAccessWithSameOrganisationPrivilege.java index 15fe39677..e83e56709 100644 --- a/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UserAccessWithSameOrganisationPrivilege.java +++ b/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UserAccessWithSameOrganisationPrivilege.java @@ -15,10 +15,13 @@ */ package li.strolch.privilege.policy; +import static java.util.stream.Collectors.toSet; import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate; import static li.strolch.utils.helper.StringHelper.isEmpty; import java.text.MessageFormat; +import java.util.Set; +import java.util.stream.Stream; import li.strolch.privilege.base.AccessDeniedException; import li.strolch.privilege.base.PrivilegeException; 
@@ -38,7 +41,7 @@ import li.strolch.utils.dbc.DBC;
 */
 public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege {
- private static final String PARAM_ORGANISATION = "organisation";
+ public static final String PARAM_ORGANISATION = "organisation";
 @Override
 public void validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable)
@@ -69,9 +72,7 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
 }
 // get user organisation
- String userOrg = ctx.getCertificate().getProperty(PARAM_ORGANISATION);
- if (isEmpty(userOrg))
- throw new PrivilegeException("No organisation configured for user " + ctx.getUsername());
+ Set userOrgs = getUserOrganisations(ctx);
 Tuple tuple = (Tuple) object;
@@ -84,12 +85,12 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
 // make sure old user has same organisation
 User oldUser = tuple.getFirst();
 if (oldUser != null) {
- String oldOrg = oldUser.getProperty(PARAM_ORGANISATION);
- if (!userOrg.equals(oldOrg)) {
+ Set oldOrgs = getUserOrganisations(oldUser);
+ if (!isUserInOrganisation(userOrgs, oldOrgs)) {
 if (assertHasPrivilege)
 throw new AccessDeniedException( "User " + ctx.getUsername() + " may not access users outside of their organisation: "
- + userOrg + " / " + oldOrg);
+ userOrgs + " / " + oldOrgs);
 return false;
 }
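Review bot: `isUserInOrganisation(userOrgs, oldOrgs)` in the third hunk grants access as soon as the two sets share a single organisation, so a caller in `A,B` may now manage a user in `B,C` in full, not only within `B`, while the AccessDeniedException text still speaks of "their organisation" in the singular. If any-overlap is the intended rule it should be written down, since this is the access decision of the policy: a line in the class Javadoc (which sits above this hunk) such as `Access is granted when the caller and the target share at least one organisation.` and a message like `" may not access users sharing none of their organisations: "`. If the stricter reading is intended, the helper would instead need `organisations.containsAll(userOrg)`. The `validateAction` body these hunks edit starts and ends outside them.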
@@ -98,13 +99,13 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
 // make sure new user has same organisation
 User newUser = tuple.getSecond();
 DBC.INTERIM.assertNotNull("For " + privilegeName + " second must not be null!", newUser);
- String newdOrg = newUser.getProperty(PARAM_ORGANISATION);
+ Set newOrgs = getUserOrganisations(newUser);
- if (!userOrg.equals(newdOrg)) {
+ if (!isUserInOrganisation(userOrgs, newOrgs)) {
 if (assertHasPrivilege)
 throw new AccessDeniedException( "User " + ctx.getUsername() + " may not access users outside of their organisations: "
- + userOrg + " / " + newdOrg);
+ userOrgs + " / " + newOrgs);
 return false;
 }
@@ -116,13 +117,13 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
 User user = tuple.getFirst();
 DBC.INTERIM.assertNotNull("For " + privilegeName + " first must not be null!", user);
- String org = user.getProperty(PARAM_ORGANISATION);
- if (!userOrg.equals(org)) {
+ Set orgs = getUserOrganisations(user);
+ if (!isUserInOrganisation(userOrgs, orgs)) {
 if (assertHasPrivilege)
 throw new AccessDeniedException( "User " + ctx.getUsername() + " may not access users outside of their organisation: "
- + userOrg + " / " + org);
+ userOrgs + " / " + orgs);
 return false;
 }
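Review bot: `getUserOrganisations(newUser)` here, and `getUserOrganisations(user)` in the second hunk, throw a PrivilegeException when the target user has no `organisation` property, and they do so before the `assertHasPrivilege` branch is reached; the replaced code arrived at `userOrg.equals(null)` and simply returned `false` on that path. Callers that use the boolean form to filter a user list would now get an exception for any legacy user lacking the property instead of that user being hidden; those callers are not visible from here, so this may be a deliberate fail-loud choice. If the boolean contract is to be kept, the target's property should be read with `getProperty` and an empty value treated as "no match" inside the helper, reserving the exception for the caller's own certificate. The `validateAction` body these hunks edit starts and ends outside them.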
@@ -140,4 +141,22 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
 // now delegate the rest of the validation to the super class
 return super.validateAction(ctx, privilege, restrictable, assertHasPrivilege);
 }
+
+ protected boolean isUserInOrganisation(Set organisations, Set userOrg) {
+ return userOrg.stream().anyMatch(organisations::contains);
+ }
+
+ protected Set getUserOrganisations(User user) {
+ String userOrg = user.getProperty(PARAM_ORGANISATION);
+ if (isEmpty(userOrg))
+ throw new PrivilegeException("No organisation configured for user " + user.getUsername());
+ return Stream.of(userOrg.split(",")).map(String::trim).collect(toSet());
+ }
+
+ protected Set getUserOrganisations(PrivilegeContext ctx) {
+ String userOrg = ctx.getCertificate().getProperty(PARAM_ORGANISATION);
+ if (isEmpty(userOrg))
+ throw new PrivilegeException("No organisation configured for user " + ctx.getUsername());
+ return Stream.of(userOrg.split(",")).map(String::trim).collect(toSet());
+ }
 }
diff --git a/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.java b/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.java
index 137742b1d..874a6dadf 100644
--- a/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.java
+++ b/li.strolch.privilege/src/main/java/li/strolch/privilege/policy/UsernameFromCertificateWithSameOrganisationPrivilege.java
@@ -43,7 +43,7 @@ import li.strolch.privilege.model.Restrictable;
 */
 public class UsernameFromCertificateWithSameOrganisationPrivilege extends UsernameFromCertificatePrivilege {
- private static final String PARAM_ORGANISATION = "organisation";
+ public static final String PARAM_ORGANISATION = "organisation";
 @Override
 public void validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable)
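Review bot: Both `getUserOrganisations` overloads split on `,` and trim but keep empty entries, so a property value like `,sales` or `sales, ,ops` yields an organisation named `""`, and two users whose values both carry a stray comma will match each other in `isUserInOrganisation` on that empty name; the `isEmpty` guard only catches a value that is empty as a whole. The two overloads are also identical apart from where the property is read from. A single parser that drops blank entries and rejects a list that ends up empty closes that hole and removes the duplication, with both overloads delegating to it as below. The class these methods are added to starts outside the hunk.

```java
	protected Set<String> getUserOrganisations(User user) {
		return parseOrganisations(user.getUsername(), user.getProperty(PARAM_ORGANISATION));
	}

	protected Set<String> getUserOrganisations(PrivilegeContext ctx) {
		return parseOrganisations(ctx.getUsername(), ctx.getCertificate().getProperty(PARAM_ORGANISATION));
	}

	// comma-separated organisation list; blank entries are ignored, an effectively empty list is a configuration error
	private static Set<String> parseOrganisations(String username, String value) {
		if (isEmpty(value))
			throw new PrivilegeException("No organisation configured for user " + username);
		Set<String> orgs = Stream.of(value.split(",")).map(String::trim).filter(s -> !s.isEmpty()).collect(toSet());
		if (orgs.isEmpty())
			throw new PrivilegeException("No organisation configured for user " + username);
		return orgs;
	}
```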
diff --git a/li.strolch.privilege/src/test/resources/config/PrivilegeRoles.xml b/li.strolch.privilege/src/test/resources/config/PrivilegeRoles.xml index e5340d696..d5a9479cb 100644 --- a/li.strolch.privilege/src/test/resources/config/PrivilegeRoles.xml +++ b/li.strolch.privilege/src/test/resources/config/PrivilegeRoles.xml @@ -2,27 +2,20 @@ - - Persist - Reload - GetPolicies - - - - true - - - true - - - true - - - true - - - - true + + li.strolch.service.privilege.users.PrivilegeUpdateUserService + li.strolch.service.privilege.users.PrivilegeUpdateUserRolesService + li.strolch.service.privilege.users.PrivilegeSetUserPasswordService + li.strolch.service.privilege.users.PrivilegeSetUserLocaleService + li.strolch.service.privilege.users.PrivilegeRemoveUserService + li.strolch.service.privilege.users.PrivilegeRemoveRoleFromUserService + li.strolch.service.privilege.users.PrivilegeAddUserService + li.strolch.service.privilege.users.PrivilegeAddRoleToUserService + li.strolch.service.privilege.roles.PrivilegeUpdateRoleService + li.strolch.service.privilege.roles.PrivilegeRemoveRoleService + li.strolch.service.privilege.roles.PrivilegeRemovePrivilegeFromRoleService + li.strolch.service.privilege.roles.PrivilegeAddRoleService + li.strolch.service.privilege.roles.PrivilegeAddOrReplacePrivilegeOnRoleService true @@ -30,24 +23,52 @@ true - + true - - true - - + true true - - ENABLED - DISABLED - SYSTEM + + Reload + GetPolicies + Persist + GetCertificates + PersistSessions - + + true + + + SYSTEM + DISABLED + ENABLED + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + true diff --git a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeRolesService.java b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeRolesService.java index 9d4ff8dd8..affa242b3 100644 --- a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeRolesService.java 
+++ b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeRolesService.java
@@ -15,12 +15,13 @@
 */
 package li.strolch.rest.endpoint;
+import static java.util.Comparator.comparing;
+
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.*;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
-import java.util.List;
 import com.google.gson.JsonArray;
 import li.strolch.agent.api.ComponentContainer;
@@ -53,8 +54,13 @@ public class PrivilegeRolesService {
 Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
 PrivilegeHandler privilegeHandler = getPrivilegeHandler();
- List roles = privilegeHandler.getRoles(cert);
- JsonArray rolesJ = toJson(roles);
+ PrivilegeElementToJsonVisitor visitor = new PrivilegeElementToJsonVisitor();
+ JsonArray rolesJ = privilegeHandler.getRoles(cert).stream() //
+ .sorted(comparing(roleRep -> roleRep.getName().toLowerCase())) //
+ .collect(JsonArray::new, //
+ (array, role) -> array.add(role.accept(visitor)), //
+ JsonArray::addAll);
+
 return Response.ok(rolesJ.toString(), MediaType.APPLICATION_JSON).build();
 }
@@ -173,12 +179,4 @@ public class PrivilegeRolesService {
 }
 return ResponseUtil.toResponse(svcResult);
 }
-
- private JsonArray toJson(List roles) {
- JsonArray rolesArr = new JsonArray();
- for (RoleRep roleRep : roles) {
- rolesArr.add(roleRep.accept(new PrivilegeElementToJsonVisitor()));
- }
- return rolesArr;
- }
 }
diff --git a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeUsersService.java b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeUsersService.java
index 932a3ab64..55fb0127f 100644
--- a/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeUsersService.java
+++ b/li.strolch.rest/src/main/java/li/strolch/rest/endpoint/PrivilegeUsersService.java
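Review bot: `comparing(roleRep -> roleRep.getName().toLowerCase())` in the new `sorted()` call of the second hunk lowercases with the JVM default locale, so the order of the role listing depends on the server's locale (the usual `I`/`ı` case under a Turkish default) and a fresh String is built for every comparison. `comparing(RoleRep::getName, String.CASE_INSENSITIVE_ORDER)` gives a locale-independent order without the allocations; the import hunk only drops `java.util.List`, so `RoleRep` should still be in scope as far as the diff shows. The same lambda appears twice in PrivilegeUsersService in this commit, so the three should be changed together. The method this hunk edits starts above the hunk.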
@@ -15,6 +15,7 @@
 */
 package li.strolch.rest.endpoint;
+import static java.util.Comparator.comparing;
 import static li.strolch.rest.helper.RestfulHelper.toJson;
 import static li.strolch.search.SearchBuilder.buildSimpleValueSearch;
@@ -77,7 +78,9 @@ public class PrivilegeUsersService {
 UserRep::getFirstname, //
 UserRep::getLastname, //
 userRep -> userRep.getUserState().name(), //
- UserRep::getRoles)).search(users);
+ UserRep::getRoles)) //
+ .search(users) //
+ .orderBy(comparing(r -> r.getUsername().toLowerCase()));
 PrivilegeElementToJsonVisitor visitor = new PrivilegeElementToJsonVisitor();
 JsonObject root = toJson(queryData, users.size(), result, t -> t.accept(visitor));
@@ -93,13 +96,15 @@ public class PrivilegeUsersService {
 Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
 PrivilegeHandler privilegeHandler = getPrivilegeHandler();
- UserRep queryRep = new PrivilegeElementFromJsonVisitor().userRepFromJson(query);
- List users = privilegeHandler.queryUsers(cert, queryRep);
+ PrivilegeElementToJsonVisitor visitor = new PrivilegeElementToJsonVisitor();
+
+ UserRep queryRep = new PrivilegeElementFromJsonVisitor().userRepFromJson(query);
+ JsonArray usersArr = privilegeHandler.queryUsers(cert, queryRep).stream() //
+ .sorted(comparing(r -> r.getUsername().toLowerCase())) //
+ .collect(JsonArray::new, //
+ (array, user) -> array.add(user.accept(visitor)), //
+ JsonArray::addAll);
- JsonArray usersArr = new JsonArray();
- for (UserRep userRep : users) {
- usersArr.add(userRep.accept(new PrivilegeElementToJsonVisitor()));
- }
 return Response.ok(usersArr.toString(), MediaType.APPLICATION_JSON).build();
 }
diff --git a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddOrReplacePrivilegeOnRoleService.java b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddOrReplacePrivilegeOnRoleService.java
index a2ba0c1f7..9e51debd2 100644
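Review bot: The comparator `comparing(r -> r.getUsername().toLowerCase())` is now written out twice in this file, in the `orderBy` of the second hunk and the `sorted` of the third, and both lowercase under the default locale, so two deployments can order the same users differently and the two endpoints can drift apart if one is edited later. Hoisting it into one `private static final Comparator<UserRep> BY_USERNAME = comparing(UserRep::getUsername, String.CASE_INSENSITIVE_ORDER);` keeps the two endpoints in step and makes the order locale-independent; `java.util.Comparator` would need an import next to the static `comparing` import added in the first hunk. Both edited methods start above their hunks, so their signatures are not visible here.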
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddOrReplacePrivilegeOnRoleService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddOrReplacePrivilegeOnRoleService.java
@@ -59,14 +59,4 @@ public class PrivilegeAddOrReplacePrivilegeOnRoleService
 return new PrivilegeRoleResult(role);
 }
-
- @Override
- public String getPrivilegeName() {
- return StrolchPrivilegeConstants.PRIVILEGE_MODIFY_ROLE;
- }
-
- @Override
- public String getPrivilegeValue() {
- return null;
- }
 }
diff --git a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddRoleService.java b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddRoleService.java
index 98b140cf9..d27ceac84 100644
--- a/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddRoleService.java
+++ b/li.strolch.service/src/main/java/li/strolch/service/privilege/roles/PrivilegeAddRoleService.java
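Review bot: With `getPrivilegeName()` removed, this service is no longer authorised under `StrolchPrivilegeConstants.PRIVILEGE_MODIFY_ROLE` but under whatever the superclass default resolves to, which the PrivilegeRoles.xml hunks in this commit suggest is the fully qualified class name. A deployment whose PrivilegeRoles.xml still grants only the old constant will have this service denied after the upgrade; that fails closed, which is the right direction, but it is a breaking configuration change that neither the commit message nor a changelog line mentions, so the new privilege names should be listed for operators. The diffstat shows the same removal in thirteen sibling services whose hunks are not visible here, and the `StrolchPrivilegeConstants` import may now be unused in each of them. The class this hunk closes starts above it.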
@@ -57,14 +57,4 @@ public class PrivilegeAddRoleService extends AbstractService - - Persist - Reload - GetPolicies - - - - true - - - true - - - true - - - true - - - - true + + li.strolch.service.privilege.users.PrivilegeUpdateUserService + li.strolch.service.privilege.users.PrivilegeUpdateUserRolesService + li.strolch.service.privilege.users.PrivilegeSetUserPasswordService + li.strolch.service.privilege.users.PrivilegeSetUserLocaleService + li.strolch.service.privilege.users.PrivilegeRemoveUserService + li.strolch.service.privilege.users.PrivilegeRemoveRoleFromUserService + li.strolch.service.privilege.users.PrivilegeAddUserService + li.strolch.service.privilege.users.PrivilegeAddRoleToUserService + li.strolch.service.privilege.roles.PrivilegeUpdateRoleService + li.strolch.service.privilege.roles.PrivilegeRemoveRoleService + li.strolch.service.privilege.roles.PrivilegeRemovePrivilegeFromRoleService + li.strolch.service.privilege.roles.PrivilegeAddRoleService + li.strolch.service.privilege.roles.PrivilegeAddOrReplacePrivilegeOnRoleService true @@ -132,24 +125,52 @@ true - + true - - true - - + true true - - ENABLED - DISABLED - SYSTEM + + Reload + GetPolicies + Persist + GetCertificates + PersistSessions - + + true + + + SYSTEM + DISABLED + ENABLED + + + true + + + true + + + true + + + true + + + true + + + true + + + true + + true