[Major] Refactoring privilege services, added Organisation checking if required
This commit is contained in:
parent
c1f9ee01b5
commit
ad0a0f1e10
|
@ -89,10 +89,29 @@
|
||||||
</Role>
|
</Role>
|
||||||
|
|
||||||
<Role name="UserPrivileges">
|
<Role name="UserPrivileges">
|
||||||
|
<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeSetUserPasswordService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeSetUserLocaleService</Allow>
|
||||||
|
</Privilege>
|
||||||
<Privilege name="PrivilegeSetUserPassword" policy="UserAccessPrivilege"/>
|
<Privilege name="PrivilegeSetUserPassword" policy="UserAccessPrivilege"/>
|
||||||
<Privilege name="PrivilegeSetUserLocale" policy="UserAccessPrivilege"/>
|
<Privilege name="PrivilegeSetUserLocale" policy="UserAccessPrivilege"/>
|
||||||
</Role>
|
</Role>
|
||||||
<Role name="PrivilegeAdmin">
|
<Role name="PrivilegeAdmin">
|
||||||
|
<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeUpdateUserService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeUpdateUserRolesService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeSetUserPasswordService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeSetUserLocaleService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeRemoveUserService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeRemoveRoleFromUserService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeAddUserService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeAddRoleToUserService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.roles.PrivilegeUpdateRoleService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.roles.PrivilegeRemoveRoleService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.roles.PrivilegeRemovePrivilegeFromRoleService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.roles.PrivilegeAddRoleService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.roles.PrivilegeAddOrReplacePrivilegeOnRoleService</Allow>
|
||||||
|
</Privilege>
|
||||||
<Privilege name="PrivilegeAddUser" policy="UserAccessPrivilege">
|
<Privilege name="PrivilegeAddUser" policy="UserAccessPrivilege">
|
||||||
<AllAllowed>true</AllAllowed>
|
<AllAllowed>true</AllAllowed>
|
||||||
</Privilege>
|
</Privilege>
|
||||||
|
|
|
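Review bot: The new `li.strolch.service.api.Service` privilege on the `UserPrivileges` role lets every holder of that role invoke `PrivilegeSetUserPasswordService` and `PrivilegeSetUserLocaleService`, and the only thing that appears to confine them to their own account is the `UserAccessPrivilege` policy on the unchanged `PrivilegeSetUserPassword`/`PrivilegeSetUserLocale` entries that follow; nothing in the file says so. An XML comment on the new privilege, `<!-- allows invoking the service; which user may be targeted is decided by the UserAccessPrivilege entries below -->`, would keep the two halves of that rule from drifting apart when one is edited. The same hunk is repeated as `@ -101,10 +101,29 @@` immediately after this one.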
@ -101,10 +101,29 @@
|
||||||
</Role>
|
</Role>
|
||||||
|
|
||||||
<Role name="UserPrivileges">
|
<Role name="UserPrivileges">
|
||||||
|
<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeSetUserPasswordService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeSetUserLocaleService</Allow>
|
||||||
|
</Privilege>
|
||||||
<Privilege name="PrivilegeSetUserPassword" policy="UserAccessPrivilege"/>
|
<Privilege name="PrivilegeSetUserPassword" policy="UserAccessPrivilege"/>
|
||||||
<Privilege name="PrivilegeSetUserLocale" policy="UserAccessPrivilege"/>
|
<Privilege name="PrivilegeSetUserLocale" policy="UserAccessPrivilege"/>
|
||||||
</Role>
|
</Role>
|
||||||
<Role name="PrivilegeAdmin">
|
<Role name="PrivilegeAdmin">
|
||||||
|
<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeUpdateUserService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeUpdateUserRolesService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeSetUserPasswordService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeSetUserLocaleService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeRemoveUserService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeRemoveRoleFromUserService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeAddUserService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeAddRoleToUserService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.roles.PrivilegeUpdateRoleService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.roles.PrivilegeRemoveRoleService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.roles.PrivilegeRemovePrivilegeFromRoleService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.roles.PrivilegeAddRoleService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.roles.PrivilegeAddOrReplacePrivilegeOnRoleService</Allow>
|
||||||
|
</Privilege>
|
||||||
<Privilege name="PrivilegeAddUser" policy="UserAccessPrivilege">
|
<Privilege name="PrivilegeAddUser" policy="UserAccessPrivilege">
|
||||||
<AllAllowed>true</AllAllowed>
|
<AllAllowed>true</AllAllowed>
|
||||||
</Privilege>
|
</Privilege>
|
||||||
|
|
|
@ -15,10 +15,13 @@
|
||||||
*/
|
*/
|
||||||
package li.strolch.privilege.policy;
|
package li.strolch.privilege.policy;
|
||||||
|
|
||||||
|
import static java.util.stream.Collectors.toSet;
|
||||||
import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate;
|
import static li.strolch.privilege.policy.PrivilegePolicyHelper.preValidate;
|
||||||
import static li.strolch.utils.helper.StringHelper.isEmpty;
|
import static li.strolch.utils.helper.StringHelper.isEmpty;
|
||||||
|
|
||||||
import java.text.MessageFormat;
|
import java.text.MessageFormat;
|
||||||
|
import java.util.Set;
|
||||||
|
import java.util.stream.Stream;
|
||||||
|
|
||||||
import li.strolch.privilege.base.AccessDeniedException;
|
import li.strolch.privilege.base.AccessDeniedException;
|
||||||
import li.strolch.privilege.base.PrivilegeException;
|
import li.strolch.privilege.base.PrivilegeException;
|
||||||
|
@ -38,7 +41,7 @@ import li.strolch.utils.dbc.DBC;
|
||||||
*/
|
*/
|
||||||
public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege {
|
public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege {
|
||||||
|
|
||||||
private static final String PARAM_ORGANISATION = "organisation";
|
public static final String PARAM_ORGANISATION = "organisation";
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable)
|
public void validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable)
|
||||||
|
@ -69,9 +72,7 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
|
||||||
}
|
}
|
||||||
|
|
||||||
// get user organisation
|
// get user organisation
|
||||||
String userOrg = ctx.getCertificate().getProperty(PARAM_ORGANISATION);
|
Set<String> userOrgs = getUserOrganisations(ctx);
|
||||||
if (isEmpty(userOrg))
|
|
||||||
throw new PrivilegeException("No organisation configured for user " + ctx.getUsername());
|
|
||||||
|
|
||||||
Tuple tuple = (Tuple) object;
|
Tuple tuple = (Tuple) object;
|
||||||
|
|
||||||
|
@ -84,12 +85,12 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
|
||||||
// make sure old user has same organisation
|
// make sure old user has same organisation
|
||||||
User oldUser = tuple.getFirst();
|
User oldUser = tuple.getFirst();
|
||||||
if (oldUser != null) {
|
if (oldUser != null) {
|
||||||
String oldOrg = oldUser.getProperty(PARAM_ORGANISATION);
|
Set<String> oldOrgs = getUserOrganisations(oldUser);
|
||||||
if (!userOrg.equals(oldOrg)) {
|
if (!isUserInOrganisation(userOrgs, oldOrgs)) {
|
||||||
if (assertHasPrivilege)
|
if (assertHasPrivilege)
|
||||||
throw new AccessDeniedException(
|
throw new AccessDeniedException(
|
||||||
"User " + ctx.getUsername() + " may not access users outside of their organisation: "
|
"User " + ctx.getUsername() + " may not access users outside of their organisation: "
|
||||||
+ userOrg + " / " + oldOrg);
|
+ userOrgs + " / " + oldOrgs);
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -98,13 +99,13 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
|
||||||
// make sure new user has same organisation
|
// make sure new user has same organisation
|
||||||
User newUser = tuple.getSecond();
|
User newUser = tuple.getSecond();
|
||||||
DBC.INTERIM.assertNotNull("For " + privilegeName + " second must not be null!", newUser);
|
DBC.INTERIM.assertNotNull("For " + privilegeName + " second must not be null!", newUser);
|
||||||
String newdOrg = newUser.getProperty(PARAM_ORGANISATION);
|
Set<String> newOrgs = getUserOrganisations(newUser);
|
||||||
|
|
||||||
if (!userOrg.equals(newdOrg)) {
|
if (!isUserInOrganisation(userOrgs, newOrgs)) {
|
||||||
if (assertHasPrivilege)
|
if (assertHasPrivilege)
|
||||||
throw new AccessDeniedException(
|
throw new AccessDeniedException(
|
||||||
"User " + ctx.getUsername() + " may not access users outside of their organisations: "
|
"User " + ctx.getUsername() + " may not access users outside of their organisations: "
|
||||||
+ userOrg + " / " + newdOrg);
|
+ userOrgs + " / " + newOrgs);
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -116,13 +117,13 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
|
||||||
|
|
||||||
User user = tuple.getFirst();
|
User user = tuple.getFirst();
|
||||||
DBC.INTERIM.assertNotNull("For " + privilegeName + " first must not be null!", user);
|
DBC.INTERIM.assertNotNull("For " + privilegeName + " first must not be null!", user);
|
||||||
String org = user.getProperty(PARAM_ORGANISATION);
|
Set<String> orgs = getUserOrganisations(user);
|
||||||
if (!userOrg.equals(org)) {
|
if (!isUserInOrganisation(userOrgs, orgs)) {
|
||||||
|
|
||||||
if (assertHasPrivilege)
|
if (assertHasPrivilege)
|
||||||
throw new AccessDeniedException(
|
throw new AccessDeniedException(
|
||||||
"User " + ctx.getUsername() + " may not access users outside of their organisation: "
|
"User " + ctx.getUsername() + " may not access users outside of their organisation: "
|
||||||
+ userOrg + " / " + org);
|
+ userOrgs + " / " + orgs);
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -140,4 +141,22 @@ public class UserAccessWithSameOrganisationPrivilege extends UserAccessPrivilege
|
||||||
// now delegate the rest of the validation to the super class
|
// now delegate the rest of the validation to the super class
|
||||||
return super.validateAction(ctx, privilege, restrictable, assertHasPrivilege);
|
return super.validateAction(ctx, privilege, restrictable, assertHasPrivilege);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected boolean isUserInOrganisation(Set<String> organisations, Set<String> userOrg) {
|
||||||
|
return userOrg.stream().anyMatch(organisations::contains);
|
||||||
|
}
|
||||||
|
|
||||||
|
protected Set<String> getUserOrganisations(User user) {
|
||||||
|
String userOrg = user.getProperty(PARAM_ORGANISATION);
|
||||||
|
if (isEmpty(userOrg))
|
||||||
|
throw new PrivilegeException("No organisation configured for user " + user.getUsername());
|
||||||
|
return Stream.of(userOrg.split(",")).map(String::trim).collect(toSet());
|
||||||
|
}
|
||||||
|
|
||||||
|
protected Set<String> getUserOrganisations(PrivilegeContext ctx) {
|
||||||
|
String userOrg = ctx.getCertificate().getProperty(PARAM_ORGANISATION);
|
||||||
|
if (isEmpty(userOrg))
|
||||||
|
throw new PrivilegeException("No organisation configured for user " + ctx.getUsername());
|
||||||
|
return Stream.of(userOrg.split(",")).map(String::trim).collect(toSet());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
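Review bot: Both `getUserOrganisations` overloads in the last hunk split on `,` and trim but keep blank tokens, so a property value such as `orgA,` yields the element `""`; if two unrelated users both carry a stray comma they share `""` and `isUserInOrganisation` treats them as members of the same organisation, silently widening the check this class exists to enforce. Drop blank tokens after trimming, `return Stream.of(userOrg.split(",")).map(String::trim).filter(s -> !s.isEmpty()).collect(toSet());`, and since the two overloads are otherwise identical, route both through one private helper that takes the raw property value and the username used in the exception message. In `isUserInOrganisation(Set<String> organisations, Set<String> userOrg)` the parameter names suggest acting user first, while every call site passes `userOrgs` first and the target user's set second; the test is symmetric so behaviour is unaffected, but renaming them `actingUserOrgs`/`targetUserOrgs` and adding a Javadoc stating that any shared organisation grants access would make the contract explicit. The enclosing `validateAction` body begins and ends outside the individual hunks.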
@ -43,7 +43,7 @@ import li.strolch.privilege.model.Restrictable;
|
||||||
*/
|
*/
|
||||||
public class UsernameFromCertificateWithSameOrganisationPrivilege extends UsernameFromCertificatePrivilege {
|
public class UsernameFromCertificateWithSameOrganisationPrivilege extends UsernameFromCertificatePrivilege {
|
||||||
|
|
||||||
private static final String PARAM_ORGANISATION = "organisation";
|
public static final String PARAM_ORGANISATION = "organisation";
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable)
|
public void validateAction(PrivilegeContext ctx, IPrivilege privilege, Restrictable restrictable)
|
||||||
|
|
|
@ -2,27 +2,20 @@
|
||||||
<Roles>
|
<Roles>
|
||||||
|
|
||||||
<Role name="PrivilegeAdmin">
|
<Role name="PrivilegeAdmin">
|
||||||
<Privilege name="PrivilegeAction" policy="DefaultPrivilege">
|
<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
|
||||||
<Allow>Persist</Allow>
|
<Allow>li.strolch.service.privilege.users.PrivilegeUpdateUserService</Allow>
|
||||||
<Allow>Reload</Allow>
|
<Allow>li.strolch.service.privilege.users.PrivilegeUpdateUserRolesService</Allow>
|
||||||
<Allow>GetPolicies</Allow>
|
<Allow>li.strolch.service.privilege.users.PrivilegeSetUserPasswordService</Allow>
|
||||||
</Privilege>
|
<Allow>li.strolch.service.privilege.users.PrivilegeSetUserLocaleService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeRemoveUserService</Allow>
|
||||||
<Privilege name="PrivilegeGetRole" policy="RoleAccessPrivilege">
|
<Allow>li.strolch.service.privilege.users.PrivilegeRemoveRoleFromUserService</Allow>
|
||||||
<AllAllowed>true</AllAllowed>
|
<Allow>li.strolch.service.privilege.users.PrivilegeAddUserService</Allow>
|
||||||
</Privilege>
|
<Allow>li.strolch.service.privilege.users.PrivilegeAddRoleToUserService</Allow>
|
||||||
<Privilege name="PrivilegeAddRole" policy="RoleAccessPrivilege">
|
<Allow>li.strolch.service.privilege.roles.PrivilegeUpdateRoleService</Allow>
|
||||||
<AllAllowed>true</AllAllowed>
|
<Allow>li.strolch.service.privilege.roles.PrivilegeRemoveRoleService</Allow>
|
||||||
</Privilege>
|
<Allow>li.strolch.service.privilege.roles.PrivilegeRemovePrivilegeFromRoleService</Allow>
|
||||||
<Privilege name="PrivilegeRemoveRole" policy="RoleAccessPrivilege">
|
<Allow>li.strolch.service.privilege.roles.PrivilegeAddRoleService</Allow>
|
||||||
<AllAllowed>true</AllAllowed>
|
<Allow>li.strolch.service.privilege.roles.PrivilegeAddOrReplacePrivilegeOnRoleService</Allow>
|
||||||
</Privilege>
|
|
||||||
<Privilege name="PrivilegeModifyRole" policy="RoleAccessPrivilege">
|
|
||||||
<AllAllowed>true</AllAllowed>
|
|
||||||
</Privilege>
|
|
||||||
|
|
||||||
<Privilege name="PrivilegeGetUser" policy="UserAccessPrivilege">
|
|
||||||
<AllAllowed>true</AllAllowed>
|
|
||||||
</Privilege>
|
</Privilege>
|
||||||
<Privilege name="PrivilegeAddUser" policy="UserAccessPrivilege">
|
<Privilege name="PrivilegeAddUser" policy="UserAccessPrivilege">
|
||||||
<AllAllowed>true</AllAllowed>
|
<AllAllowed>true</AllAllowed>
|
||||||
|
@ -30,24 +23,52 @@
|
||||||
<Privilege name="PrivilegeRemoveUser" policy="UserAccessPrivilege">
|
<Privilege name="PrivilegeRemoveUser" policy="UserAccessPrivilege">
|
||||||
<AllAllowed>true</AllAllowed>
|
<AllAllowed>true</AllAllowed>
|
||||||
</Privilege>
|
</Privilege>
|
||||||
<Privilege name="PrivilegeModifyUser" policy="UserAccessPrivilege">
|
<Privilege name="InvalidateSession" policy="UserSessionAccessPrivilege">
|
||||||
<AllAllowed>true</AllAllowed>
|
<AllAllowed>true</AllAllowed>
|
||||||
</Privilege>
|
</Privilege>
|
||||||
<Privilege name="PrivilegeAddRoleToUser" policy="UserAccessPrivilege">
|
<Privilege name="PrivilegeSetUserPassword" policy="UserAccessPrivilege">
|
||||||
<AllAllowed>true</AllAllowed>
|
|
||||||
</Privilege>
|
|
||||||
<Privilege name="PrivilegeRemoveRoleFromUser" policy="UserAccessPrivilege">
|
|
||||||
<AllAllowed>true</AllAllowed>
|
<AllAllowed>true</AllAllowed>
|
||||||
</Privilege>
|
</Privilege>
|
||||||
<Privilege name="PrivilegeSetUserLocale" policy="UserAccessPrivilege">
|
<Privilege name="PrivilegeSetUserLocale" policy="UserAccessPrivilege">
|
||||||
<AllAllowed>true</AllAllowed>
|
<AllAllowed>true</AllAllowed>
|
||||||
</Privilege>
|
</Privilege>
|
||||||
<Privilege name="PrivilegeSetUserState" policy="UserAccessPrivilege">
|
<Privilege name="PrivilegeAction" policy="DefaultPrivilege">
|
||||||
<Allow>ENABLED</Allow>
|
<Allow>Reload</Allow>
|
||||||
<Allow>DISABLED</Allow>
|
<Allow>GetPolicies</Allow>
|
||||||
<Deny>SYSTEM</Deny>
|
<Allow>Persist</Allow>
|
||||||
|
<Allow>GetCertificates</Allow>
|
||||||
|
<Allow>PersistSessions</Allow>
|
||||||
</Privilege>
|
</Privilege>
|
||||||
<Privilege name="PrivilegeSetUserPassword" policy="UserAccessPrivilege">
|
<Privilege name="PrivilegeGetUser" policy="UserAccessPrivilege">
|
||||||
|
<AllAllowed>true</AllAllowed>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="PrivilegeSetUserState" policy="UserAccessPrivilege">
|
||||||
|
<Deny>SYSTEM</Deny>
|
||||||
|
<Allow>DISABLED</Allow>
|
||||||
|
<Allow>ENABLED</Allow>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="PrivilegeAddRoleToUser" policy="UserAccessPrivilege">
|
||||||
|
<AllAllowed>true</AllAllowed>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="PrivilegeGetRole" policy="RoleAccessPrivilege">
|
||||||
|
<AllAllowed>true</AllAllowed>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="GetSession" policy="UserSessionAccessPrivilege">
|
||||||
|
<AllAllowed>true</AllAllowed>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="PrivilegeModifyUser" policy="UserAccessPrivilege">
|
||||||
|
<AllAllowed>true</AllAllowed>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="PrivilegeRemoveRole" policy="RoleAccessPrivilege">
|
||||||
|
<AllAllowed>true</AllAllowed>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="PrivilegeRemoveRoleFromUser" policy="UserAccessPrivilege">
|
||||||
|
<AllAllowed>true</AllAllowed>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="PrivilegeModifyRole" policy="RoleAccessPrivilege">
|
||||||
|
<AllAllowed>true</AllAllowed>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="PrivilegeAddRole" policy="RoleAccessPrivilege">
|
||||||
<AllAllowed>true</AllAllowed>
|
<AllAllowed>true</AllAllowed>
|
||||||
</Privilege>
|
</Privilege>
|
||||||
</Role>
|
</Role>
|
||||||
|
|
|
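Review bot: The `PrivilegeAdmin` role appears to gain `AllAllowed` on the new `GetSession` and `InvalidateSession` privileges and `Allow` on the `GetCertificates`/`PersistSessions` actions (the old column is blank on those rows), which extends the role from user/role administration into reading and terminating other users' sessions. If that widening is intended it should be recorded in the file, e.g. an XML comment above the role, `<!-- PrivilegeAdmin may also inspect and invalidate any user's session -->`; otherwise the session privileges belong in a separate role so the two capabilities can be granted independently. The same change appears again on this page in the later `PrivilegeAdmin` hunks (`@ -104,27 +104,20 @@` and `@ -132,24 +125,52 @@`).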
@ -15,12 +15,13 @@
|
||||||
*/
|
*/
|
||||||
package li.strolch.rest.endpoint;
|
package li.strolch.rest.endpoint;
|
||||||
|
|
||||||
|
import static java.util.Comparator.comparing;
|
||||||
|
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
import javax.ws.rs.*;
|
import javax.ws.rs.*;
|
||||||
import javax.ws.rs.core.Context;
|
import javax.ws.rs.core.Context;
|
||||||
import javax.ws.rs.core.MediaType;
|
import javax.ws.rs.core.MediaType;
|
||||||
import javax.ws.rs.core.Response;
|
import javax.ws.rs.core.Response;
|
||||||
import java.util.List;
|
|
||||||
|
|
||||||
import com.google.gson.JsonArray;
|
import com.google.gson.JsonArray;
|
||||||
import li.strolch.agent.api.ComponentContainer;
|
import li.strolch.agent.api.ComponentContainer;
|
||||||
|
@ -53,8 +54,13 @@ public class PrivilegeRolesService {
|
||||||
Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
|
Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
|
||||||
PrivilegeHandler privilegeHandler = getPrivilegeHandler();
|
PrivilegeHandler privilegeHandler = getPrivilegeHandler();
|
||||||
|
|
||||||
List<RoleRep> roles = privilegeHandler.getRoles(cert);
|
PrivilegeElementToJsonVisitor visitor = new PrivilegeElementToJsonVisitor();
|
||||||
JsonArray rolesJ = toJson(roles);
|
JsonArray rolesJ = privilegeHandler.getRoles(cert).stream() //
|
||||||
|
.sorted(comparing(roleRep -> roleRep.getName().toLowerCase())) //
|
||||||
|
.collect(JsonArray::new, //
|
||||||
|
(array, role) -> array.add(role.accept(visitor)), //
|
||||||
|
JsonArray::addAll);
|
||||||
|
|
||||||
return Response.ok(rolesJ.toString(), MediaType.APPLICATION_JSON).build();
|
return Response.ok(rolesJ.toString(), MediaType.APPLICATION_JSON).build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -173,12 +179,4 @@ public class PrivilegeRolesService {
|
||||||
}
|
}
|
||||||
return ResponseUtil.toResponse(svcResult);
|
return ResponseUtil.toResponse(svcResult);
|
||||||
}
|
}
|
||||||
|
|
||||||
private JsonArray toJson(List<RoleRep> roles) {
|
|
||||||
JsonArray rolesArr = new JsonArray();
|
|
||||||
for (RoleRep roleRep : roles) {
|
|
||||||
rolesArr.add(roleRep.accept(new PrivilegeElementToJsonVisitor()));
|
|
||||||
}
|
|
||||||
return rolesArr;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
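Review bot: The sort key in `getRoles`, `comparing(roleRep -> roleRep.getName().toLowerCase())`, folds case with the JVM default locale, so the order of the returned array can differ between deployments (a Turkish default locale maps `I` differently); `.sorted(comparing(RoleRep::getName, String.CASE_INSENSITIVE_ORDER))` is locale-independent and avoids allocating a lowered copy per element. The same pattern appears twice in `PrivilegeUsersService` (`.orderBy(comparing(r -> r.getUsername().toLowerCase()))` and `.sorted(comparing(r -> r.getUsername().toLowerCase()))`), where `comparing(UserRep::getUsername, String.CASE_INSENSITIVE_ORDER)` does the same. The enclosing method's signature lies outside the hunk.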
@ -15,6 +15,7 @@
|
||||||
*/
|
*/
|
||||||
package li.strolch.rest.endpoint;
|
package li.strolch.rest.endpoint;
|
||||||
|
|
||||||
|
import static java.util.Comparator.comparing;
|
||||||
import static li.strolch.rest.helper.RestfulHelper.toJson;
|
import static li.strolch.rest.helper.RestfulHelper.toJson;
|
||||||
import static li.strolch.search.SearchBuilder.buildSimpleValueSearch;
|
import static li.strolch.search.SearchBuilder.buildSimpleValueSearch;
|
||||||
|
|
||||||
|
@ -77,7 +78,9 @@ public class PrivilegeUsersService {
|
||||||
UserRep::getFirstname, //
|
UserRep::getFirstname, //
|
||||||
UserRep::getLastname, //
|
UserRep::getLastname, //
|
||||||
userRep -> userRep.getUserState().name(), //
|
userRep -> userRep.getUserState().name(), //
|
||||||
UserRep::getRoles)).search(users);
|
UserRep::getRoles)) //
|
||||||
|
.search(users) //
|
||||||
|
.orderBy(comparing(r -> r.getUsername().toLowerCase()));
|
||||||
|
|
||||||
PrivilegeElementToJsonVisitor visitor = new PrivilegeElementToJsonVisitor();
|
PrivilegeElementToJsonVisitor visitor = new PrivilegeElementToJsonVisitor();
|
||||||
JsonObject root = toJson(queryData, users.size(), result, t -> t.accept(visitor));
|
JsonObject root = toJson(queryData, users.size(), result, t -> t.accept(visitor));
|
||||||
|
@ -93,13 +96,15 @@ public class PrivilegeUsersService {
|
||||||
Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
|
Certificate cert = (Certificate) request.getAttribute(StrolchRestfulConstants.STROLCH_CERTIFICATE);
|
||||||
PrivilegeHandler privilegeHandler = getPrivilegeHandler();
|
PrivilegeHandler privilegeHandler = getPrivilegeHandler();
|
||||||
|
|
||||||
UserRep queryRep = new PrivilegeElementFromJsonVisitor().userRepFromJson(query);
|
PrivilegeElementToJsonVisitor visitor = new PrivilegeElementToJsonVisitor();
|
||||||
List<UserRep> users = privilegeHandler.queryUsers(cert, queryRep);
|
|
||||||
|
UserRep queryRep = new PrivilegeElementFromJsonVisitor().userRepFromJson(query);
|
||||||
|
JsonArray usersArr = privilegeHandler.queryUsers(cert, queryRep).stream() //
|
||||||
|
.sorted(comparing(r -> r.getUsername().toLowerCase())) //
|
||||||
|
.collect(JsonArray::new, //
|
||||||
|
(array, user) -> array.add(user.accept(visitor)), //
|
||||||
|
JsonArray::addAll);
|
||||||
|
|
||||||
JsonArray usersArr = new JsonArray();
|
|
||||||
for (UserRep userRep : users) {
|
|
||||||
usersArr.add(userRep.accept(new PrivilegeElementToJsonVisitor()));
|
|
||||||
}
|
|
||||||
return Response.ok(usersArr.toString(), MediaType.APPLICATION_JSON).build();
|
return Response.ok(usersArr.toString(), MediaType.APPLICATION_JSON).build();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -59,14 +59,4 @@ public class PrivilegeAddOrReplacePrivilegeOnRoleService
|
||||||
|
|
||||||
return new PrivilegeRoleResult(role);
|
return new PrivilegeRoleResult(role);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeName() {
|
|
||||||
return StrolchPrivilegeConstants.PRIVILEGE_MODIFY_ROLE;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeValue() {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -57,14 +57,4 @@ public class PrivilegeAddRoleService extends AbstractService<PrivilegeRoleArgume
|
||||||
|
|
||||||
return new PrivilegeRoleResult(role);
|
return new PrivilegeRoleResult(role);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeName() {
|
|
||||||
return StrolchPrivilegeConstants.PRIVILEGE_ADD_ROLE;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeValue() {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -59,14 +59,4 @@ public class PrivilegeRemovePrivilegeFromRoleService
|
||||||
|
|
||||||
return new PrivilegeRoleResult(role);
|
return new PrivilegeRoleResult(role);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeName() {
|
|
||||||
return StrolchPrivilegeConstants.PRIVILEGE_MODIFY_ROLE;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeValue() {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -58,14 +58,4 @@ public class PrivilegeRemoveRoleService extends AbstractService<PrivilegeRoleNam
|
||||||
|
|
||||||
return new PrivilegeRoleResult(role);
|
return new PrivilegeRoleResult(role);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeName() {
|
|
||||||
return StrolchPrivilegeConstants.PRIVILEGE_REMOVE_ROLE;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeValue() {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -58,14 +58,4 @@ public class PrivilegeUpdateRoleService extends AbstractService<PrivilegeRoleArg
|
||||||
|
|
||||||
return new PrivilegeRoleResult(role);
|
return new PrivilegeRoleResult(role);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeName() {
|
|
||||||
return StrolchPrivilegeConstants.PRIVILEGE_MODIFY_ROLE;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeValue() {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -59,14 +59,4 @@ public class PrivilegeAddRoleToUserService
|
||||||
|
|
||||||
return new PrivilegeUserResult(user);
|
return new PrivilegeUserResult(user);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeName() {
|
|
||||||
return StrolchPrivilegeConstants.PRIVILEGE_ADD_ROLE_TO_USER;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeValue() {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -17,7 +17,6 @@ package li.strolch.service.privilege.users;
|
||||||
|
|
||||||
import li.strolch.persistence.api.StrolchTransaction;
|
import li.strolch.persistence.api.StrolchTransaction;
|
||||||
import li.strolch.privilege.handler.PrivilegeHandler;
|
import li.strolch.privilege.handler.PrivilegeHandler;
|
||||||
import li.strolch.runtime.StrolchConstants.StrolchPrivilegeConstants;
|
|
||||||
import li.strolch.service.api.AbstractService;
|
import li.strolch.service.api.AbstractService;
|
||||||
import li.strolch.service.api.ServiceResultState;
|
import li.strolch.service.api.ServiceResultState;
|
||||||
|
|
||||||
|
@ -49,14 +48,4 @@ public class PrivilegeAddUserService extends AbstractService<PrivilegeUserArgume
|
||||||
|
|
||||||
return new PrivilegeUserResult(cmd.getUserOut());
|
return new PrivilegeUserResult(cmd.getUserOut());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeName() {
|
|
||||||
return StrolchPrivilegeConstants.PRIVILEGE_ADD_USER;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeValue() {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -58,14 +58,4 @@ public class PrivilegeRemoveRoleFromUserService
|
||||||
|
|
||||||
return new PrivilegeUserResult(user);
|
return new PrivilegeUserResult(user);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeName() {
|
|
||||||
return StrolchPrivilegeConstants.PRIVILEGE_REMOVE_ROLE_FROM_USER;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeValue() {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -58,14 +58,4 @@ public class PrivilegeRemoveUserService extends AbstractService<PrivilegeUserNam
|
||||||
|
|
||||||
return new PrivilegeUserResult(user);
|
return new PrivilegeUserResult(user);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeName() {
|
|
||||||
return StrolchPrivilegeConstants.PRIVILEGE_REMOVE_USER;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeValue() {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -63,14 +63,4 @@ public class PrivilegeSetUserPasswordService extends AbstractService<PrivilegeSe
|
||||||
|
|
||||||
return ServiceResult.success();
|
return ServiceResult.success();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeName() {
|
|
||||||
return StrolchPrivilegeConstants.PRIVILEGE_SET_USER_PASSWORD;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeValue() {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -85,14 +85,4 @@ public class PrivilegeUpdateUserRolesService extends AbstractService<JsonService
|
||||||
|
|
||||||
return new PrivilegeUserResult(user);
|
return new PrivilegeUserResult(user);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeName() {
|
|
||||||
return StrolchPrivilegeConstants.PRIVILEGE_ADD_ROLE_TO_USER;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeValue() {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -58,14 +58,4 @@ public class PrivilegeUpdateUserService extends AbstractService<PrivilegeUserArg
|
||||||
|
|
||||||
return new PrivilegeUserResult(user);
|
return new PrivilegeUserResult(user);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeName() {
|
|
||||||
return StrolchPrivilegeConstants.PRIVILEGE_MODIFY_USER;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public String getPrivilegeValue() {
|
|
||||||
return null;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -104,27 +104,20 @@
|
||||||
</Role>
|
</Role>
|
||||||
|
|
||||||
<Role name="PrivilegeAdmin">
|
<Role name="PrivilegeAdmin">
|
||||||
<Privilege name="PrivilegeAction" policy="DefaultPrivilege">
|
<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
|
||||||
<Allow>Persist</Allow>
|
<Allow>li.strolch.service.privilege.users.PrivilegeUpdateUserService</Allow>
|
||||||
<Allow>Reload</Allow>
|
<Allow>li.strolch.service.privilege.users.PrivilegeUpdateUserRolesService</Allow>
|
||||||
<Allow>GetPolicies</Allow>
|
<Allow>li.strolch.service.privilege.users.PrivilegeSetUserPasswordService</Allow>
|
||||||
</Privilege>
|
<Allow>li.strolch.service.privilege.users.PrivilegeSetUserLocaleService</Allow>
|
||||||
|
<Allow>li.strolch.service.privilege.users.PrivilegeRemoveUserService</Allow>
|
||||||
<Privilege name="PrivilegeGetRole" policy="RoleAccessPrivilege">
|
<Allow>li.strolch.service.privilege.users.PrivilegeRemoveRoleFromUserService</Allow>
|
||||||
<AllAllowed>true</AllAllowed>
|
<Allow>li.strolch.service.privilege.users.PrivilegeAddUserService</Allow>
|
||||||
</Privilege>
|
<Allow>li.strolch.service.privilege.users.PrivilegeAddRoleToUserService</Allow>
|
||||||
<Privilege name="PrivilegeAddRole" policy="RoleAccessPrivilege">
|
<Allow>li.strolch.service.privilege.roles.PrivilegeUpdateRoleService</Allow>
|
||||||
<AllAllowed>true</AllAllowed>
|
<Allow>li.strolch.service.privilege.roles.PrivilegeRemoveRoleService</Allow>
|
||||||
</Privilege>
|
<Allow>li.strolch.service.privilege.roles.PrivilegeRemovePrivilegeFromRoleService</Allow>
|
||||||
<Privilege name="PrivilegeRemoveRole" policy="RoleAccessPrivilege">
|
<Allow>li.strolch.service.privilege.roles.PrivilegeAddRoleService</Allow>
|
||||||
<AllAllowed>true</AllAllowed>
|
<Allow>li.strolch.service.privilege.roles.PrivilegeAddOrReplacePrivilegeOnRoleService</Allow>
|
||||||
</Privilege>
|
|
||||||
<Privilege name="PrivilegeModifyRole" policy="RoleAccessPrivilege">
|
|
||||||
<AllAllowed>true</AllAllowed>
|
|
||||||
</Privilege>
|
|
||||||
|
|
||||||
<Privilege name="PrivilegeGetUser" policy="UserAccessPrivilege">
|
|
||||||
<AllAllowed>true</AllAllowed>
|
|
||||||
</Privilege>
|
</Privilege>
|
||||||
<Privilege name="PrivilegeAddUser" policy="UserAccessPrivilege">
|
<Privilege name="PrivilegeAddUser" policy="UserAccessPrivilege">
|
||||||
<AllAllowed>true</AllAllowed>
|
<AllAllowed>true</AllAllowed>
|
||||||
|
@ -132,24 +125,52 @@
|
||||||
<Privilege name="PrivilegeRemoveUser" policy="UserAccessPrivilege">
|
<Privilege name="PrivilegeRemoveUser" policy="UserAccessPrivilege">
|
||||||
<AllAllowed>true</AllAllowed>
|
<AllAllowed>true</AllAllowed>
|
||||||
</Privilege>
|
</Privilege>
|
||||||
<Privilege name="PrivilegeModifyUser" policy="UserAccessPrivilege">
|
<Privilege name="InvalidateSession" policy="UserSessionAccessPrivilege">
|
||||||
<AllAllowed>true</AllAllowed>
|
<AllAllowed>true</AllAllowed>
|
||||||
</Privilege>
|
</Privilege>
|
||||||
<Privilege name="PrivilegeAddRoleToUser" policy="UserAccessPrivilege">
|
<Privilege name="PrivilegeSetUserPassword" policy="UserAccessPrivilege">
|
||||||
<AllAllowed>true</AllAllowed>
|
|
||||||
</Privilege>
|
|
||||||
<Privilege name="PrivilegeRemoveRoleFromUser" policy="UserAccessPrivilege">
|
|
||||||
<AllAllowed>true</AllAllowed>
|
<AllAllowed>true</AllAllowed>
|
||||||
</Privilege>
|
</Privilege>
|
||||||
<Privilege name="PrivilegeSetUserLocale" policy="UserAccessPrivilege">
|
<Privilege name="PrivilegeSetUserLocale" policy="UserAccessPrivilege">
|
||||||
<AllAllowed>true</AllAllowed>
|
<AllAllowed>true</AllAllowed>
|
||||||
</Privilege>
|
</Privilege>
|
||||||
<Privilege name="PrivilegeSetUserState" policy="UserAccessPrivilege">
|
<Privilege name="PrivilegeAction" policy="DefaultPrivilege">
|
||||||
<Allow>ENABLED</Allow>
|
<Allow>Reload</Allow>
|
||||||
<Allow>DISABLED</Allow>
|
<Allow>GetPolicies</Allow>
|
||||||
<Deny>SYSTEM</Deny>
|
<Allow>Persist</Allow>
|
||||||
|
<Allow>GetCertificates</Allow>
|
||||||
|
<Allow>PersistSessions</Allow>
|
||||||
</Privilege>
|
</Privilege>
|
||||||
<Privilege name="PrivilegeSetUserPassword" policy="UserAccessPrivilege">
|
<Privilege name="PrivilegeGetUser" policy="UserAccessPrivilege">
|
||||||
|
<AllAllowed>true</AllAllowed>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="PrivilegeSetUserState" policy="UserAccessPrivilege">
|
||||||
|
<Deny>SYSTEM</Deny>
|
||||||
|
<Allow>DISABLED</Allow>
|
||||||
|
<Allow>ENABLED</Allow>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="PrivilegeAddRoleToUser" policy="UserAccessPrivilege">
|
||||||
|
<AllAllowed>true</AllAllowed>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="PrivilegeGetRole" policy="RoleAccessPrivilege">
|
||||||
|
<AllAllowed>true</AllAllowed>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="GetSession" policy="UserSessionAccessPrivilege">
|
||||||
|
<AllAllowed>true</AllAllowed>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="PrivilegeModifyUser" policy="UserAccessPrivilege">
|
||||||
|
<AllAllowed>true</AllAllowed>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="PrivilegeRemoveRole" policy="RoleAccessPrivilege">
|
||||||
|
<AllAllowed>true</AllAllowed>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="PrivilegeRemoveRoleFromUser" policy="UserAccessPrivilege">
|
||||||
|
<AllAllowed>true</AllAllowed>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="PrivilegeModifyRole" policy="RoleAccessPrivilege">
|
||||||
|
<AllAllowed>true</AllAllowed>
|
||||||
|
</Privilege>
|
||||||
|
<Privilege name="PrivilegeAddRole" policy="RoleAccessPrivilege">
|
||||||
<AllAllowed>true</AllAllowed>
|
<AllAllowed>true</AllAllowed>
|
||||||
</Privilege>
|
</Privilege>
|
||||||
</Role>
|
</Role>
|
||||||
|
|