Commit b8d50c9f authored by Matija Obreza's avatar Matija Obreza

Merge branch 'acl-current-permission-writer' into 'main'

CurrentPermissionsWriter: Allow for disabling Permissions serialization with...

See merge request genesys-pgr/application-blocks!113
parents fc9e4fda 087339ae
......@@ -205,6 +205,18 @@ public class SecurityContextUtil {
* @return true, if successful
*/
public static boolean hasPermission(Object targetDomainObject, Object permission) {
final Authentication auth = SecurityContextHolder.getContext().getAuthentication();
return permissionEvaluator.hasPermission(auth, targetDomainObject, permission);
}
/**
* Checks for permission.
*
* @param targetDomainObject the target domain object
* @param permission the permission
* @return true, if successful
*/
public static boolean hasPermission(final Authentication auth, Object targetDomainObject, Object permission) {
if (permissionEvaluator == null) {
LOG.info("permissionEvaluator not available. Checking context again");
if (!updatePermissionEvaluator()) {
......@@ -213,7 +225,6 @@ public class SecurityContextUtil {
}
}
final Authentication auth = SecurityContextHolder.getContext().getAuthentication();
if (auth != null) {
return permissionEvaluator.hasPermission(auth, targetDomainObject, permission);
} else {
......
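Review bot: The new body of the two-argument hasPermission overload calls `permissionEvaluator.hasPermission(auth, targetDomainObject, permission)` directly, so it skips both the `permissionEvaluator == null` recovery path that the three-argument overload keeps and that overload's `auth != null` branch; a not-yet-resolved evaluator now becomes a NullPointerException and a missing authentication reaches the evaluator with a null principal instead of whatever the else branch (outside this section, presumably a false) returns. Delegating keeps one decision path: `return hasPermission(auth, targetDomainObject, permission);`. The Javadoc copied onto the three-argument overload does not mention the added parameter; add `@param auth the authentication to evaluate against, or null for no authentication`. The three-argument method's body continues past this section.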
......@@ -23,6 +23,7 @@ import org.springframework.security.acls.domain.BasePermission;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import com.fasterxml.jackson.annotation.JsonIgnoreType;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.SerializerProvider;
......@@ -33,7 +34,7 @@ import com.fasterxml.jackson.databind.ser.VirtualBeanPropertyWriter;
import com.fasterxml.jackson.databind.util.Annotations;
/**
* The CurrentPermissionsWriter is applied to {@link AclAwareModel} and it
* The <code>CurrentPermissionsWriter</code> is applied to {@link AclAwareModel} and it
* instructs Jackson to to include {@link Permissions} for current SID for every
* ACL aware entity.
*
......@@ -49,16 +50,43 @@ import com.fasterxml.jackson.databind.util.Annotations;
* relies on an instance of
* <code>org.genesys.blocks.util.CurrentApplicationContext</code> to be
* registered in the Spring application context.
* <p>
* Writer can be disabled with @JsonView(CurrentPermissionsWriter.NoPermissions.class)
* or by mix-in that ignores Permissions.class:
*
* <pre>
* {@code @JsonIgnoreType}
* public class MyMixInForIgnoreType {}
* ...
* mapper.addMixIn(Permissions.class, MyMixInForIgnoreType.class);
* </pre>
*/
public class CurrentPermissionsWriter extends VirtualBeanPropertyWriter {
/** The Constant LOG. */
private static final Logger LOG = LoggerFactory.getLogger(CurrentPermissionsWriter.class);
/**
* Use this JsonView to exclude permission checks!
*/
public static interface NoPermissions {
}
/** The Constant serialVersionUID. */
private static final long serialVersionUID = 1L;
/**
* Writer can be disabled with <code>@JsonView(CurrentPermissionsWriter.NoPermissions.class)</code>
* or by mix-in that ignores <code>{@link Permissions}.class</code>:
*
* <pre>
* {@code @JsonIgnoreType}
* public class MyMixInForIgnoreType {}
* ...
* mapper.addMixIn(Permissions.class, MyMixInForIgnoreType.class);
* </pre>
*/
private boolean enabled = true;
private static final Permissions NO_PERMISSIONS = new Permissions().grantNone();
......@@ -78,7 +106,7 @@ public class CurrentPermissionsWriter extends VirtualBeanPropertyWriter {
*/
public CurrentPermissionsWriter(BeanPropertyDefinition propDef, Annotations annotations, JavaType type) {
super(propDef, annotations, type);
LOG.trace("CurrentPermissionsWriter");
LOG.trace("CurrentPermissionsWriter {} {}", propDef, type);
}
/*
......@@ -90,11 +118,15 @@ public class CurrentPermissionsWriter extends VirtualBeanPropertyWriter {
*/
@Override
protected Object value(Object bean, JsonGenerator gen, SerializerProvider prov) throws Exception {
if (!enabled) {
// We are not enabled
return null;
}
if (bean == null || !(bean instanceof AclAwareModel)) {
// Skip nulls
return null;
}
AclAwareModel aclAwareModel = (AclAwareModel) bean;
if (aclAwareModel.getId() == null) {
......@@ -106,7 +138,6 @@ public class CurrentPermissionsWriter extends VirtualBeanPropertyWriter {
if (authentication == null) {
return NO_PERMISSIONS;
}
Permissions perms = new Permissions();
try {
perms.isPublic = SecurityContextUtil.anyoneHasPermission(aclAwareModel, "READ");
......@@ -119,11 +150,11 @@ public class CurrentPermissionsWriter extends VirtualBeanPropertyWriter {
perms.grantAll();
} else {
try {
perms.create = SecurityContextUtil.hasPermission(aclAwareModel, BasePermission.CREATE);
perms.read = SecurityContextUtil.hasPermission(aclAwareModel, BasePermission.READ);
perms.write = SecurityContextUtil.hasPermission(aclAwareModel, BasePermission.WRITE);
perms.delete = SecurityContextUtil.hasPermission(aclAwareModel, BasePermission.DELETE);
perms.manage = SecurityContextUtil.hasPermission(aclAwareModel, BasePermission.ADMINISTRATION);
perms.create = SecurityContextUtil.hasPermission(authentication, aclAwareModel, BasePermission.CREATE);
perms.read = SecurityContextUtil.hasPermission(authentication, aclAwareModel, BasePermission.READ);
perms.write = SecurityContextUtil.hasPermission(authentication, aclAwareModel, BasePermission.WRITE);
perms.delete = SecurityContextUtil.hasPermission(authentication, aclAwareModel, BasePermission.DELETE);
perms.manage = SecurityContextUtil.hasPermission(authentication, aclAwareModel, BasePermission.ADMINISTRATION);
} catch (Throwable e) {
LOG.warn("Could not read current permissions {}", e.getMessage(), e);
}
......@@ -142,7 +173,26 @@ public class CurrentPermissionsWriter extends VirtualBeanPropertyWriter {
*/
@Override
public VirtualBeanPropertyWriter withConfig(MapperConfig<?> config, AnnotatedClass declaringClass, BeanPropertyDefinition propDef, JavaType type) {
return new CurrentPermissionsWriter(propDef, declaringClass.getAnnotations(), type);
var writer = new CurrentPermissionsWriter(propDef, declaringClass.getAnnotations(), type);
var permissionsMixin = config.findMixInClassFor(Permissions.class);
if (permissionsMixin != null) {
var isIgnoredType = permissionsMixin.getAnnotation(JsonIgnoreType.class);
LOG.warn("Mixin for {} has @JsonIgnoreType={}", Permissions.class, isIgnoredType);
if (isIgnoredType != null) {
LOG.debug("Permissions.class is @JsonIgnoreType({})", isIgnoredType.value());
writer.enabled = ! isIgnoredType.value(); // Enable or disable checks
}
}
var activeView = config.getActiveView();
LOG.trace("Active JsonView {}", activeView);
if (activeView != null && NoPermissions.class.equals(activeView)) {
LOG.debug("Not computing permissions for @JsonView(CurrentPermissionWriter.NoPermissions.class)");
writer.enabled = false;
}
return writer;
}
}
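Review bot: In withConfig the mix-in lookup logs at WARN, `LOG.warn("Mixin for {} has @JsonIgnoreType={}", Permissions.class, isIgnoredType);`, for what the class Javadoc now documents as a supported way to disable the writer, so every mapper configured that way emits a warning each time the writer is built; `LOG.debug(...)` matches the neighbouring messages. The view check `NoPermissions.class.equals(activeView)` only matches the exact class, so a view type derived from NoPermissions would still compute permissions; `NoPermissions.class.isAssignableFrom(activeView)` follows the assignability rule Jackson itself applies to views. The debug message on the next line names `CurrentPermissionWriter` (missing the "s"), and `! isIgnoredType.value()` carries a stray space after the operator.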