From cd95da7230ce56274220499bff1416a154a0c821 Mon Sep 17 00:00:00 2001
From: Matija Obreza
Date: Sat, 27 Oct 2018 17:08:19 +0200
Subject: [PATCH] Added Permissions#isPublic = EVERYONE can read the object
---
 .../blocks/security/SecurityContextUtil.java | 34 ++++++++++++++++---
 .../CurrentPermissionsWriter.java | 7 ++--
 .../security/serialization/Permissions.java | 5 ++-
 .../blocks/security/model/UserRole.java | 14 ++++----
 4 files changed, 45 insertions(+), 15 deletions(-)
diff --git a/security/src/main/java/org/genesys/blocks/security/SecurityContextUtil.java b/security/src/main/java/org/genesys/blocks/security/SecurityContextUtil.java
index d8d4289..83fbeb8 100644
--- a/security/src/main/java/org/genesys/blocks/security/SecurityContextUtil.java
+++ b/security/src/main/java/org/genesys/blocks/security/SecurityContextUtil.java
@@ -16,6 +16,8 @@ package org.genesys.blocks.security;
+import java.util.Arrays;
+
 import org.genesys.blocks.security.model.AclSid;
 import org.genesys.blocks.security.model.BasicUser;
 import org.genesys.blocks.util.CurrentApplicationContext;
@@ -26,20 +28,24 @@ import org.springframework.context.ApplicationContext;
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 /**
 * The Class SecurityContextUtil.
 */
 public class SecurityContextUtil {
-
+
 /** The Constant LOG. */
 public static final Logger LOG = LoggerFactory.getLogger(SecurityContextUtil.class);
 /** The permission evaluator. */
 private static PermissionEvaluator permissionEvaluator;
+ private final static Authentication ANONYMOUS_AUTH = new PreAuthenticatedAuthenticationToken("Anyone", null, Arrays.asList(new SimpleGrantedAuthority("ROLE_EVERYONE")));
+
 // Context initialization
 static {
 ApplicationContext context = CurrentApplicationContext.getContext();
@@ -86,7 +92,7 @@ public class SecurityContextUtil {
 } else {
 LOG.warn("Principal {} is not BasicUser, but type {}", principal, principal.getClass());
 }
- }
+ }
 return null;
 }
@@ -112,7 +118,7 @@ public class SecurityContextUtil {
 return null;
 }
-
+
 /**
 * Checks for role.
 *
@@ -130,7 +136,7 @@ public class SecurityContextUtil {
 }
 return false;
 }
-
+
 /**
 * Checks for permission.
 *
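Review bot: `ANONYMOUS_AUTH` carries more identity than the ROLE_EVERYONE authority it is meant to represent: if the evaluator is Spring ACL's (not visible here), its default SidRetrievalStrategyImpl also derives a PrincipalSid from the principal string "Anyone", so an ACE granted to a principal literally named Anyone would make an object report as public too. Consider a principal that cannot collide with a real account name and a comment stating the intent, e.g. `/** Synthetic, already-authenticated token holding only ROLE_EVERYONE; used to ask the ACL whether an object is readable by everyone. */`. The literal `"ROLE_EVERYONE"` must match the authority string under which "everyone" entries are stored (the test-side UserRole.EVERYONE is touched in this patch, but its getAuthority() value is not shown), so a shared constant would prevent silent drift. The three-argument PreAuthenticatedAuthenticationToken constructor marks the token authenticated, which is what lets it pass an evaluator's isAuthenticated() check — worth saying in the comment so nobody swaps it for the two-argument form.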
@@ -151,4 +157,24 @@ public class SecurityContextUtil {
 return false;
 }
 }
+
+ /**
+ * Check if ROLE_EVERYONE has permission on target object
+ *
+ * @param targetDomainObject
+ * @param permission
+ * @return
+ */
+ public static boolean anyoneHasPermission(Object targetDomainObject, Object permission) {
+ if (permissionEvaluator == null) {
+ LOG.warn("permissionEvaluator not available. No permissions.");
+ return false;
+ }
+
+ if (ANONYMOUS_AUTH != null) {
+ return permissionEvaluator.hasPermission(ANONYMOUS_AUTH, targetDomainObject, permission);
+ } else {
+ return false;
+ }
+ }
 }
diff --git a/security/src/main/java/org/genesys/blocks/security/serialization/CurrentPermissionsWriter.java b/security/src/main/java/org/genesys/blocks/security/serialization/CurrentPermissionsWriter.java
index 1363fc5..740cc41 100644
--- a/security/src/main/java/org/genesys/blocks/security/serialization/CurrentPermissionsWriter.java
+++ b/security/src/main/java/org/genesys/blocks/security/serialization/CurrentPermissionsWriter.java
@@ -61,7 +61,6 @@ public class CurrentPermissionsWriter extends VirtualBeanPropertyWriter {
 private static final Permissions NO_PERMISSIONS = new Permissions().grantNone();
- private static final Permissions ALL_PERMISSIONS = new Permissions().grantAll();
 /**
 * Instantiates a new current permissions writer.
@@ -96,11 +95,13 @@ public class CurrentPermissionsWriter extends VirtualBeanPropertyWriter {
 return NO_PERMISSIONS;
 }
+ Permissions perms = new Permissions();
+ perms.isPublic = SecurityContextUtil.anyoneHasPermission(bean, "READ");
+
 if (SecurityContextUtil.hasRole("ADMINISTRATOR")) {
- return ALL_PERMISSIONS;
+ perms.grantAll();
 }
- Permissions perms = new Permissions();
 try {
 perms.create = SecurityContextUtil.hasPermission(bean, BasePermission.CREATE);
 perms.read = SecurityContextUtil.hasPermission(bean, BasePermission.READ);
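Review bot: The `if (ANONYMOUS_AUTH != null)` branch in anyoneHasPermission is dead code — the field is a `final static` initialised inline with `new` in the earlier hunk, so it can never be null — and its else branch gives a false sense that failures are handled, while nothing here catches what the evaluator may throw (for example when a bean has no resolvable object identity), so such an error propagates into whoever calls this during serialization. Suggest collapsing the body to `return permissionEvaluator.hasPermission(ANONYMOUS_AUTH, targetDomainObject, permission);` and, if the evaluator in use can throw, wrapping that in a catch that logs and returns false like the null-evaluator path above it does. The Javadoc should also state what is actually decided: `@return true if {@code permission} on {@code targetDomainObject} is granted to ROLE_EVERYONE, i.e. independent of the current SecurityContext; false if no evaluator is configured`.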
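Review bot: In the CurrentPermissionsWriter hunk the ADMINISTRATOR branch now calls `perms.grantAll()` but no longer returns, so the assignments that follow (`perms.create = SecurityContextUtil.hasPermission(bean, BasePermission.CREATE)`, `perms.read = ...`, and the rest of the try block beyond this hunk) overwrite every flag grantAll just set with the ACL evaluation for the administrator's own SIDs; unless SecurityContextUtil.hasPermission short-circuits for administrators (not visible here), this removes the all-permissions result the deleted ALL_PERMISSIONS constant gave them. Keep the early exit while preserving the public flag computed above it: `return perms.grantAll();` (grantAll is already used as a fluent call on the removed constant, so it returns the Permissions). Separately, `anyoneHasPermission(bean, "READ")` passes a String where the neighbouring calls pass `BasePermission.READ`; resolving the name depends on the evaluator's permission factory, so `BasePermission.READ` is the consistent and safer choice. The enclosing method continues past the end of this hunk.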
diff --git a/security/src/main/java/org/genesys/blocks/security/serialization/Permissions.java b/security/src/main/java/org/genesys/blocks/security/serialization/Permissions.java
index eb1e865..a153371 100644
--- a/security/src/main/java/org/genesys/blocks/security/serialization/Permissions.java
+++ b/security/src/main/java/org/genesys/blocks/security/serialization/Permissions.java
@@ -41,6 +41,9 @@ public class Permissions {
 /** Allowed to admin/manage. */
 public boolean manage;
+ /** Anyone is allowed to read the object */
+ public boolean isPublic = false;
+
 /* (non-Javadoc)
 * @see java.lang.Object#toString()
 */
@@ -48,7 +51,7 @@ public class Permissions {
 public String toString() {
 StringBuffer sb = new StringBuffer();
 sb.append(create ? "c" : "-");
- sb.append(read ? "r" : "-");
+ sb.append(isPublic ? "R" : read ? "r" : "-");
 sb.append(write ? "w" : "-");
 sb.append(delete ? "d" : "-");
 sb.append(manage ? "A" : "-"); // Admin
diff --git a/security/src/test/java/org/genesys/blocks/security/model/UserRole.java b/security/src/test/java/org/genesys/blocks/security/model/UserRole.java
index 94ddec6..767af7e 100644
--- a/security/src/test/java/org/genesys/blocks/security/model/UserRole.java
+++ b/security/src/test/java/org/genesys/blocks/security/model/UserRole.java
@@ -24,13 +24,13 @@ import org.springframework.security.core.GrantedAuthority;
 public enum UserRole implements GrantedAuthority {
 /** The user. */
- USER("User"),
- /** The administrator. */
- ADMINISTRATOR("Administrator"),
- /** The extrarole. */
- EXTRAROLE("Extra"),
- /** The everyone. */
- EVERYONE("Everyone");
+ USER("User"),
+ /** The administrator. */
+ ADMINISTRATOR("Administrator"),
+ /** The extrarole. */
+ EXTRAROLE("Extra"),
+ /** The everyone. */
+ EVERYONE("Everyone");
 /** The label. */
 String label;
-- GitLab
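Review bot: The new `isPublic` field is documented only as "Anyone is allowed to read the object", which leaves a consumer of the serialized Permissions guessing how it relates to `read`: it is derived from an ACL check for ROLE_EVERYONE rather than from the caller's own permissions, so it can be true while `read` is false, and the toString change in the second hunk then prints `R` regardless of `read`. Suggest `/** READ is granted to ROLE_EVERYONE (any caller, authenticated or not); independent of the current user's {@link #read}. */`. Because this class is serialized by Jackson (CurrentPermissionsWriter is a VirtualBeanPropertyWriter), note that a public field named `isPublic` is emitted as "isPublic" under default field auto-detection, whereas an `isPublic()` getter added later would be emitted as "public" — pinning the property name, or at least a comment, keeps the wire format from changing silently. The UserRole hunk is indentation-only.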