From 40f0a90bf3a0a39885db0d1ee95d61a2e77d3373 Mon Sep 17 00:00:00 2001 From: Matija Obreza Date: Mon, 29 Oct 2018 13:58:38 +0100 Subject: [PATCH] ACL: Added support for #aclParentObjectIdentity() --- .../security/component/AclAssignerAspect.java | 10 ++--- .../blocks/security/model/AclAwareModel.java | 17 ++++++- .../security/service/CustomAclService.java | 4 +- .../service/impl/CustomAclServiceImpl.java | 44 ++++++++++++------- 4 files changed, 51 insertions(+), 24 deletions(-) diff --git a/security/src/main/java/org/genesys/blocks/security/component/AclAssignerAspect.java b/security/src/main/java/org/genesys/blocks/security/component/AclAssignerAspect.java index 23a7b39..de72f4e 100644 --- a/security/src/main/java/org/genesys/blocks/security/component/AclAssignerAspect.java +++ b/security/src/main/java/org/genesys/blocks/security/component/AclAssignerAspect.java @@ -55,7 +55,7 @@ public class AclAssignerAspect { } /** - * Create owner permissions on persist. + * Ensure owner permissions on persist or update * * @param result the result * @return the object @@ -66,12 +66,12 @@ public class AclAssignerAspect { if (auth != null) { if (result instanceof AclAwareModel) { - maybeAddCreatorPermissions(result); + maybeUpdatePermissions(result); } else if (result instanceof Iterable) { // Handle collections of AclAwareModel final Iterable i = (Iterable) result; for (final Object o : i) { - maybeAddCreatorPermissions(o); + maybeUpdatePermissions(o); } } else { LOG.trace("{} is not instance of AclAwareModel", result); @@ -86,9 +86,9 @@ public class AclAssignerAspect { * * @param obj the obj */ - private void maybeAddCreatorPermissions(final Object obj) { + private void maybeUpdatePermissions(final Object obj) { if (obj instanceof AclAwareModel) { - aclService.addCreatorPermissions((AclAwareModel) obj); + aclService.createOrUpdatePermissions((AclAwareModel) obj); } else { LOG.trace("{} is not instance of AclAwareModel", obj); } 
diff --git a/security/src/main/java/org/genesys/blocks/security/model/AclAwareModel.java b/security/src/main/java/org/genesys/blocks/security/model/AclAwareModel.java index ada39b5..f1a7bee 100644 --- a/security/src/main/java/org/genesys/blocks/security/model/AclAwareModel.java +++ b/security/src/main/java/org/genesys/blocks/security/model/AclAwareModel.java @@ -32,11 +32,24 @@ import org.genesys.blocks.util.JsonClassNameWriter; public interface AclAwareModel extends Serializable, EntityId { /** - * Objects belonging to some parent can override this method. + * Objects belonging to a parent entity can override this method. * - * @return the parent ACL object (null by default) + * @return the parent AclAwareModel (null by default) */ default AclAwareModel aclParentObject() { return null; } + + /** + * A custom, persisted parent AclObjectIdentity reference. Takes precedence over + * {@link #aclParentObject()} when configured. + * + * This addresses the ACL inheritance for generic use cases where no business + * entity relationships exist. + * + * @return a custom parent AclObjectIdentity (null by default) + */ + default AclObjectIdentity aclParentObjectIdentity() { + return null; + } } diff --git a/security/src/main/java/org/genesys/blocks/security/service/CustomAclService.java b/security/src/main/java/org/genesys/blocks/security/service/CustomAclService.java index 574d9fa..276918d 100644 --- a/security/src/main/java/org/genesys/blocks/security/service/CustomAclService.java +++ b/security/src/main/java/org/genesys/blocks/security/service/CustomAclService.java @@ -63,11 +63,11 @@ public interface CustomAclService { List listAuthoritySids(); /** - * Adds the creator permissions. + * Adds the creator permissions or updates permission inheritance * * @param entity the target */ - void addCreatorPermissions(AclAwareModel entity); + void createOrUpdatePermissions(AclAwareModel entity); /** * Removes the permissions on ACL model. 
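Review bot: The Javadoc on the new `aclParentObjectIdentity()` default method calls the reference "persisted" but states neither the preconditions nor what the value controls, while `CustomAclServiceImpl` in this same patch writes whatever is returned straight into the object identity's parent with entries inheriting enabled. Because the returned identity decides which ACL entries the object inherits, the contract belongs on the interface, e.g. add `@implSpec Implementations must return an already-saved identity that is not this object's own identity; the value selects the ACL entries this object inherits, so it must never be taken from unvalidated client input.` The first sentence should also be a verb phrase per the file's Javadoc style, e.g. `Returns a custom, persisted parent AclObjectIdentity that takes precedence over {@link #aclParentObject()}.`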
diff --git a/security/src/main/java/org/genesys/blocks/security/service/impl/CustomAclServiceImpl.java b/security/src/main/java/org/genesys/blocks/security/service/impl/CustomAclServiceImpl.java index 267e53e..efcc883 100644 --- a/security/src/main/java/org/genesys/blocks/security/service/impl/CustomAclServiceImpl.java +++ b/security/src/main/java/org/genesys/blocks/security/service/impl/CustomAclServiceImpl.java @@ -70,7 +70,7 @@ public class CustomAclServiceImpl implements CustomAclService { private AclEntryPersistence aclEntryPersistence; /** The cache manager. */ - @Autowired + @Autowired(required = false) private CacheManager cacheManager; /** The acl sid persistence. */ @@ -102,7 +102,7 @@ public class CustomAclServiceImpl implements CustomAclService { @Override @Transactional(propagation = Propagation.REQUIRED) - public void addCreatorPermissions(final AclAwareModel target) { + public void createOrUpdatePermissions(final AclAwareModel target) { if ((target == null) || (target.getId() <= 0l)) { LOG.warn("No target specified for ACL permissions, bailing out!"); return; @@ -112,6 +112,7 @@ public class CustomAclServiceImpl implements CustomAclService { // save object identity AclObjectIdentity objectIdentity = aclObjectIdentityPersistence.findByObjectIdAndClassname(target.getId(), aclClass.getAclClass()); + if (objectIdentity == null) { objectIdentity = new AclObjectIdentity(); 
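Review bot: Changing the `CacheManager` field to `@Autowired(required = false)` makes `clearAclCache()` a silent no-op when no manager is wired (the matching null guard is in a later hunk), and nothing on the field records that. Whether a stale ACL entry can then outlive a permission or parent change depends on how ACL reads are cached, which is not visible here, so the field should carry the contract, e.g. `/** Optional; when absent this service never evicts "aclCache", so any ACL caching must be managed elsewhere. */`. Consider also logging once at startup when it is absent so deployments notice the missing eviction.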
@@ -129,38 +130,50 @@ public class CustomAclServiceImpl implements CustomAclService { objectIdentity.setObjectIdIdentity(target.getId()); objectIdentity.setAclClass(aclClass); - AclObjectIdentity parentObject = getObjectIdentity(target.aclParentObject()); + AclObjectIdentity parentObject = target.aclParentObjectIdentity(); + if (parentObject == null && target.aclParentObject() != null) { + // get OID of parent business entity + parentObject = getObjectIdentity(target.aclParentObject()); + } if (parentObject != null) { objectIdentity.setParentObject(parentObject); - objectIdentity.setEntriesInheriting(true); - } else { - objectIdentity.setEntriesInheriting(true); } + objectIdentity.setEntriesInheriting(true); objectIdentity = aclObjectIdentityPersistence.save(objectIdentity); if (objectIdentity.getOwnerSid() != null) { + // Grant permissions to owner final Permissions permissions = new Permissions().grantAll(); addPermissions(objectIdentity, objectIdentity.getOwnerSid(), permissions); } } else { - // update parent + // update permissions LOG.debug("Updating ACL parent object for class={} id={}", target.getClass().getName(), target.getId()); if (objectIdentity.getOwnerSid() == null) { final AclSid ownerSid = SecurityContextUtil.getCurrentUser(); if (ownerSid != null && ownerSid.isPersisted()) { objectIdentity.setOwnerSid(ownerSid); + + // Grant permissions to owner + final Permissions permissions = new Permissions().grantAll(); + addPermissions(objectIdentity, objectIdentity.getOwnerSid(), permissions); } else { LOG.debug("Owner SID not persisted or is null."); } } + + AclObjectIdentity parentObject = target.aclParentObjectIdentity(); + if (parentObject == null && target.aclParentObject() != null) { + // get OID of parent business entity + parentObject = getObjectIdentity(target.aclParentObject()); + } - if (target.aclParentObject() != null) { - LOG.trace("Updating ACL parent to {}", target.aclParentObject()); - AclObjectIdentity parentObject = 
getObjectIdentity(target.aclParentObject()); + if (parentObject != null) { + LOG.trace("Updating ACL parent to {}", parentObject); objectIdentity.setParentObject(parentObject); - // objectIdentity.setEntriesInheriting(true); + objectIdentity.setEntriesInheriting(true); } else { LOG.trace("Clearing ACL parent"); objectIdentity.setParentObject(null); @@ -259,9 +272,11 @@ public class CustomAclServiceImpl implements CustomAclService { } private void clearAclCache() { - final Cache aclCache = cacheManager.getCache("aclCache"); - if (aclCache != null) - aclCache.clear(); + if (cacheManager!=null) { + final Cache aclCache = cacheManager.getCache("aclCache"); + if (aclCache != null) + aclCache.clear(); + } } /** @@ -619,5 +634,4 @@ public class CustomAclServiceImpl implements CustomAclService { } LOG.warn("Done cleaning ACL for {} ACL classes", aclClasses.size()); } - } -- GitLab
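Review bot: In the update branch, the newly added `addPermissions(objectIdentity, objectIdentity.getOwnerSid(), permissions)` after `setOwnerSid(ownerSid)` grants full permissions to whichever authenticated user happens to update an object identity that has no owner yet, so anyone with write access to an ownerless record becomes its owner; the commit adds the grant but no check that this adoption is intended, and it is only logged at debug. If implicit ownership adoption is wanted it should be logged at a higher level and documented on `createOrUpdatePermissions`; otherwise keep the grant in the create branch only. Separately, both branches now store `target.aclParentObjectIdentity()` via `setParentObject` with `setEntriesInheriting(true)` and no validation, so an unsaved or self-referencing parent (an ACL cycle) is persisted as-is; reject it before `save`, e.g. `if (parentObject != null && parentObject.equals(objectIdentity)) { throw new IllegalArgumentException("ACL parent cannot be the object itself"); }`, plus a persisted-state check if `AclObjectIdentity` exposes one like `AclSid.isPersisted()`. The enclosing method begins before this hunk and its else branch continues past it.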
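Review bot: `clearAclCache()` now returns silently when `cacheManager` is null, which hides skipped evictions when diagnosing stale permissions; an else branch with `LOG.trace("No CacheManager available, skipping ACL cache eviction");` would make it visible. Style: write `cacheManager != null` with spaces and brace the inner `if (aclCache != null)` as the other conditionals in these hunks are.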