Commit 370304d6 authored by Matija Obreza's avatar Matija Obreza

Merge branch 'acl-objectidentity-as-parent' into 'master'

Acl objectidentity as parent

See merge request genesys-pgr/application-blocks!36
parents cd95da72 40f0a90b
...@@ -55,7 +55,7 @@ public class AclAssignerAspect { ...@@ -55,7 +55,7 @@ public class AclAssignerAspect {
} }
/** /**
* Create owner permissions on persist. * Ensure owner permissions on persist or update
* *
* @param result the result * @param result the result
* @return the object * @return the object
...@@ -66,12 +66,12 @@ public class AclAssignerAspect { ...@@ -66,12 +66,12 @@ public class AclAssignerAspect {
if (auth != null) { if (auth != null) {
if (result instanceof AclAwareModel) { if (result instanceof AclAwareModel) {
maybeAddCreatorPermissions(result); maybeUpdatePermissions(result);
} else if (result instanceof Iterable) { } else if (result instanceof Iterable) {
// Handle collections of AclAwareModel // Handle collections of AclAwareModel
final Iterable<?> i = (Iterable<?>) result; final Iterable<?> i = (Iterable<?>) result;
for (final Object o : i) { for (final Object o : i) {
maybeAddCreatorPermissions(o); maybeUpdatePermissions(o);
} }
} else { } else {
LOG.trace("{} is not instance of AclAwareModel", result); LOG.trace("{} is not instance of AclAwareModel", result);
...@@ -86,9 +86,9 @@ public class AclAssignerAspect { ...@@ -86,9 +86,9 @@ public class AclAssignerAspect {
* *
* @param obj the obj * @param obj the obj
*/ */
private void maybeAddCreatorPermissions(final Object obj) { private void maybeUpdatePermissions(final Object obj) {
if (obj instanceof AclAwareModel) { if (obj instanceof AclAwareModel) {
aclService.addCreatorPermissions((AclAwareModel) obj); aclService.createOrUpdatePermissions((AclAwareModel) obj);
} else { } else {
LOG.trace("{} is not instance of AclAwareModel", obj); LOG.trace("{} is not instance of AclAwareModel", obj);
} }
......
...@@ -32,11 +32,24 @@ import org.genesys.blocks.util.JsonClassNameWriter; ...@@ -32,11 +32,24 @@ import org.genesys.blocks.util.JsonClassNameWriter;
public interface AclAwareModel extends Serializable, EntityId { public interface AclAwareModel extends Serializable, EntityId {
/** /**
* Objects belonging to some parent can override this method. * Objects belonging to a parent entity can override this method.
* *
* @return the parent ACL object (null by default) * @return the parent AclAwareModel (null by default)
*/ */
default AclAwareModel aclParentObject() { default AclAwareModel aclParentObject() {
return null; return null;
} }
/**
* A custom, persisted parent AclObjectIdentity reference. Takes precedence over
* {@link #aclParentObject()} when configured.
*
* This addresses the ACL inheritance for generic use cases where no business
* entity relationships exist.
*
* @return a custom parent AclObjectIdentity (null by default)
*/
default AclObjectIdentity aclParentObjectIdentity() {
return null;
}
} }
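Review bot: The Javadoc of the new `aclParentObjectIdentity()` default should say what the ACL service does with the returned value, because it becomes the entity's ACL parent with entries inheriting from it — whoever controls this return value decides which ACL the entity inherits from, which the current wording ("takes precedence") does not convey. Suggest adding a sentence such as `Implementations should return null or an AclObjectIdentity that is already persisted; the ACL service stores the returned identity as the parent of this entity's own object identity and enables entry inheritance from it.` The persistence requirement is inferred from the identity being saved as a parent in CustomAclServiceImpl and should be confirmed against that mapping.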
...@@ -100,16 +100,16 @@ public class CurrentPermissionsWriter extends VirtualBeanPropertyWriter { ...@@ -100,16 +100,16 @@ public class CurrentPermissionsWriter extends VirtualBeanPropertyWriter {
if (SecurityContextUtil.hasRole("ADMINISTRATOR")) { if (SecurityContextUtil.hasRole("ADMINISTRATOR")) {
perms.grantAll(); perms.grantAll();
} } else {
try {
try { perms.create = SecurityContextUtil.hasPermission(bean, BasePermission.CREATE);
perms.create = SecurityContextUtil.hasPermission(bean, BasePermission.CREATE); perms.read = SecurityContextUtil.hasPermission(bean, BasePermission.READ);
perms.read = SecurityContextUtil.hasPermission(bean, BasePermission.READ); perms.write = SecurityContextUtil.hasPermission(bean, BasePermission.WRITE);
perms.write = SecurityContextUtil.hasPermission(bean, BasePermission.WRITE); perms.delete = SecurityContextUtil.hasPermission(bean, BasePermission.DELETE);
perms.delete = SecurityContextUtil.hasPermission(bean, BasePermission.DELETE); perms.manage = SecurityContextUtil.hasPermission(bean, BasePermission.ADMINISTRATION);
perms.manage = SecurityContextUtil.hasPermission(bean, BasePermission.ADMINISTRATION); } catch (Throwable e) {
} catch (Throwable e) { LOG.warn("Could not read current permissions {}", e.getMessage());
LOG.warn("Could not read current permissions {}", e.getMessage()); }
} }
return perms; return perms;
} }
......
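Review bot: The `catch (Throwable e)` in the new `else` branch swallows JVM errors and discards the stack trace by logging only `e.getMessage()`, so a failing permission lookup is hard to diagnose and leaves `perms` with whatever fields were already assigned before the throw. Narrow the catch and hand the exception to the logger: `} catch (RuntimeException e) {` followed by `LOG.warn("Could not read current permissions for {}", bean.getClass().getName(), e);`. Whether the fields that were not yet assigned default to false (fail-closed) is not visible in this hunk and is worth confirming. The enclosing method starts before the hunk.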
...@@ -63,11 +63,11 @@ public interface CustomAclService { ...@@ -63,11 +63,11 @@ public interface CustomAclService {
List<AclSid> listAuthoritySids(); List<AclSid> listAuthoritySids();
/** /**
* Adds the creator permissions. * Adds the creator permissions or updates permission inheritance
* *
* @param entity the target * @param entity the target
*/ */
void addCreatorPermissions(AclAwareModel entity); void createOrUpdatePermissions(AclAwareModel entity);
/** /**
* Removes the permissions on ACL model. * Removes the permissions on ACL model.
......
...@@ -70,7 +70,7 @@ public class CustomAclServiceImpl implements CustomAclService { ...@@ -70,7 +70,7 @@ public class CustomAclServiceImpl implements CustomAclService {
private AclEntryPersistence aclEntryPersistence; private AclEntryPersistence aclEntryPersistence;
/** The cache manager. */ /** The cache manager. */
@Autowired @Autowired(required = false)
private CacheManager cacheManager; private CacheManager cacheManager;
/** The acl sid persistence. */ /** The acl sid persistence. */
...@@ -102,7 +102,7 @@ public class CustomAclServiceImpl implements CustomAclService { ...@@ -102,7 +102,7 @@ public class CustomAclServiceImpl implements CustomAclService {
@Override @Override
@Transactional(propagation = Propagation.REQUIRED) @Transactional(propagation = Propagation.REQUIRED)
public void addCreatorPermissions(final AclAwareModel target) { public void createOrUpdatePermissions(final AclAwareModel target) {
if ((target == null) || (target.getId() <= 0l)) { if ((target == null) || (target.getId() <= 0l)) {
LOG.warn("No target specified for ACL permissions, bailing out!"); LOG.warn("No target specified for ACL permissions, bailing out!");
return; return;
...@@ -112,6 +112,7 @@ public class CustomAclServiceImpl implements CustomAclService { ...@@ -112,6 +112,7 @@ public class CustomAclServiceImpl implements CustomAclService {
// save object identity // save object identity
AclObjectIdentity objectIdentity = aclObjectIdentityPersistence.findByObjectIdAndClassname(target.getId(), aclClass.getAclClass()); AclObjectIdentity objectIdentity = aclObjectIdentityPersistence.findByObjectIdAndClassname(target.getId(), aclClass.getAclClass());
if (objectIdentity == null) { if (objectIdentity == null) {
objectIdentity = new AclObjectIdentity(); objectIdentity = new AclObjectIdentity();
...@@ -129,38 +130,50 @@ public class CustomAclServiceImpl implements CustomAclService { ...@@ -129,38 +130,50 @@ public class CustomAclServiceImpl implements CustomAclService {
objectIdentity.setObjectIdIdentity(target.getId()); objectIdentity.setObjectIdIdentity(target.getId());
objectIdentity.setAclClass(aclClass); objectIdentity.setAclClass(aclClass);
AclObjectIdentity parentObject = getObjectIdentity(target.aclParentObject()); AclObjectIdentity parentObject = target.aclParentObjectIdentity();
if (parentObject == null && target.aclParentObject() != null) {
// get OID of parent business entity
parentObject = getObjectIdentity(target.aclParentObject());
}
if (parentObject != null) { if (parentObject != null) {
objectIdentity.setParentObject(parentObject); objectIdentity.setParentObject(parentObject);
objectIdentity.setEntriesInheriting(true);
} else {
objectIdentity.setEntriesInheriting(true);
} }
objectIdentity.setEntriesInheriting(true);
objectIdentity = aclObjectIdentityPersistence.save(objectIdentity); objectIdentity = aclObjectIdentityPersistence.save(objectIdentity);
if (objectIdentity.getOwnerSid() != null) { if (objectIdentity.getOwnerSid() != null) {
// Grant permissions to owner
final Permissions permissions = new Permissions().grantAll(); final Permissions permissions = new Permissions().grantAll();
addPermissions(objectIdentity, objectIdentity.getOwnerSid(), permissions); addPermissions(objectIdentity, objectIdentity.getOwnerSid(), permissions);
} }
} else { } else {
// update parent // update permissions
LOG.debug("Updating ACL parent object for class={} id={}", target.getClass().getName(), target.getId()); LOG.debug("Updating ACL parent object for class={} id={}", target.getClass().getName(), target.getId());
if (objectIdentity.getOwnerSid() == null) { if (objectIdentity.getOwnerSid() == null) {
final AclSid ownerSid = SecurityContextUtil.getCurrentUser(); final AclSid ownerSid = SecurityContextUtil.getCurrentUser();
if (ownerSid != null && ownerSid.isPersisted()) { if (ownerSid != null && ownerSid.isPersisted()) {
objectIdentity.setOwnerSid(ownerSid); objectIdentity.setOwnerSid(ownerSid);
// Grant permissions to owner
final Permissions permissions = new Permissions().grantAll();
addPermissions(objectIdentity, objectIdentity.getOwnerSid(), permissions);
} else { } else {
LOG.debug("Owner SID not persisted or is null."); LOG.debug("Owner SID not persisted or is null.");
} }
} }
AclObjectIdentity parentObject = target.aclParentObjectIdentity();
if (parentObject == null && target.aclParentObject() != null) {
// get OID of parent business entity
parentObject = getObjectIdentity(target.aclParentObject());
}
if (target.aclParentObject() != null) { if (parentObject != null) {
LOG.trace("Updating ACL parent to {}", target.aclParentObject()); LOG.trace("Updating ACL parent to {}", parentObject);
AclObjectIdentity parentObject = getObjectIdentity(target.aclParentObject());
objectIdentity.setParentObject(parentObject); objectIdentity.setParentObject(parentObject);
// objectIdentity.setEntriesInheriting(true); objectIdentity.setEntriesInheriting(true);
} else { } else {
LOG.trace("Clearing ACL parent"); LOG.trace("Clearing ACL parent");
objectIdentity.setParentObject(null); objectIdentity.setParentObject(null);
...@@ -259,9 +272,11 @@ public class CustomAclServiceImpl implements CustomAclService { ...@@ -259,9 +272,11 @@ public class CustomAclServiceImpl implements CustomAclService {
} }
private void clearAclCache() { private void clearAclCache() {
final Cache aclCache = cacheManager.getCache("aclCache"); if (cacheManager!=null) {
if (aclCache != null) final Cache aclCache = cacheManager.getCache("aclCache");
aclCache.clear(); if (aclCache != null)
aclCache.clear();
}
} }
/** /**
...@@ -619,5 +634,4 @@ public class CustomAclServiceImpl implements CustomAclService { ...@@ -619,5 +634,4 @@ public class CustomAclServiceImpl implements CustomAclService {
} }
LOG.warn("Done cleaning ACL for {} ACL classes", aclClasses.size()); LOG.warn("Done cleaning ACL for {} ACL classes", aclClasses.size());
} }
} }
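Review bot: The parent-resolution block (`aclParentObjectIdentity()` first, then `getObjectIdentity(target.aclParentObject())`) is now duplicated verbatim in both the create branch and the update branch of `createOrUpdatePermissions`, and neither copy checks that the custom identity handed back by the entity is already persisted, unlike the `ownerSid.isPersisted()` guard a few lines below. Because that identity becomes the ACL parent with `setEntriesInheriting(true)`, a transient or mis-configured identity would silently change which ACL the entity inherits from; if `AclObjectIdentity` exposes an `isPersisted()` like `AclSid` does (not visible here), the helper below is the place to reject that case. Extracting one private helper removes the duplication and gives such a check a single home; the rest of `createOrUpdatePermissions` extends beyond the hunk. The `clearAclCache` hunk is fine apart from the `cacheManager!=null` spacing and the unbraced inner `if`.
```java
// … unchanged: null/id guard, aclClass lookup, object identity lookup …
// in BOTH the create and the update branch, replacing the four duplicated lines:
final AclObjectIdentity parentObject = resolveParentObjectIdentity(target);
// … unchanged: rest of createOrUpdatePermissions (continues past the hunk) …

    /**
     * Resolves the ACL parent of {@code target}: an explicitly configured
     * {@link AclAwareModel#aclParentObjectIdentity()} wins, otherwise the object
     * identity of {@link AclAwareModel#aclParentObject()}; null when neither is set.
     *
     * @param target the entity whose ACL parent is being resolved
     * @return the parent object identity, or null
     */
    private AclObjectIdentity resolveParentObjectIdentity(final AclAwareModel target) {
        final AclObjectIdentity custom = target.aclParentObjectIdentity();
        if (custom != null) {
            // TODO(review): reject a transient identity here if AclObjectIdentity offers isPersisted()
            return custom;
        }
        final AclAwareModel parent = target.aclParentObject();
        return parent == null ? null : getObjectIdentity(parent);
    }
```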