Commit dc4ba486 authored by Matija Obreza's avatar Matija Obreza

Merge branch 'acl-json-and-permission-checks' into 'master'

Acl json and permission checks

See merge request genesys-pgr/application-blocks!28
parents b74449ff 3c5d531f
......@@ -24,13 +24,17 @@ import javax.persistence.Id;
import javax.persistence.MappedSuperclass;
import javax.persistence.Transient;
import org.genesys.blocks.util.JsonClassNameWriter;
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.databind.annotation.JsonAppend;
/**
* The Class BasicModel.
*/
@MappedSuperclass
@JsonAppend(props = { @JsonAppend.Prop(name = "_type", value = JsonClassNameWriter.class, type = String.class) })
public class BasicModel implements EntityId, Serializable {
/** The Constant serialVersionUID. */
......@@ -111,7 +115,7 @@ public class BasicModel implements EntityId, Serializable {
}
return true;
}
@Override
public String toString() {
return super.toString() + " id=" + this.id;
......
/*
* Copyright 2018 Global Crop Diversity Trust
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.genesys.blocks.util;
import org.genesys.blocks.model.BasicModel;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.fasterxml.jackson.annotation.JsonTypeId;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.SerializerProvider;
import com.fasterxml.jackson.databind.cfg.MapperConfig;
import com.fasterxml.jackson.databind.introspect.AnnotatedClass;
import com.fasterxml.jackson.databind.introspect.BeanPropertyDefinition;
import com.fasterxml.jackson.databind.ser.VirtualBeanPropertyWriter;
import com.fasterxml.jackson.databind.util.Annotations;
/**
* The ClassNameWriter is applied to {@link BasicModel} and it instructs Jackson
* to to include class simple name as a virtual property.
*
* This is so we don't need to rely on {@link JsonTypeId}, which complicates
* object deserialization.
*
*/
public class JsonClassNameWriter extends VirtualBeanPropertyWriter {
/** The Constant serialVersionUID. */
private static final long serialVersionUID = 1L;
private static final Logger LOG = LoggerFactory.getLogger(JsonClassNameWriter.class);
/**
* Default constructor
*/
public JsonClassNameWriter() {
LOG.trace("JsonClassNameWriter");
}
/**
* Instantiates a new current permissions writer.
*
* @param propDef the prop def
* @param annotations the annotations
* @param type the type
*/
public JsonClassNameWriter(BeanPropertyDefinition propDef, Annotations annotations, JavaType type) {
super(propDef, annotations, type);
LOG.trace("JsonClassNameWriter", propDef.getName(), annotations);
}
/*
* (non-Javadoc)
* @see
* com.fasterxml.jackson.databind.ser.VirtualBeanPropertyWriter#value(java.lang.
* Object, com.fasterxml.jackson.core.JsonGenerator,
* com.fasterxml.jackson.databind.SerializerProvider)
*/
@Override
protected Object value(Object bean, JsonGenerator gen, SerializerProvider prov) throws Exception {
LOG.trace("JsonClassNameWriter.value", bean);
return bean == null ? null : bean.getClass().getSimpleName();
}
/*
* (non-Javadoc)
* @see
* com.fasterxml.jackson.databind.ser.VirtualBeanPropertyWriter#withConfig(com.
* fasterxml.jackson.databind.cfg.MapperConfig,
* com.fasterxml.jackson.databind.introspect.AnnotatedClass,
* com.fasterxml.jackson.databind.introspect.BeanPropertyDefinition,
* com.fasterxml.jackson.databind.JavaType)
*/
@Override
public VirtualBeanPropertyWriter withConfig(MapperConfig<?> config, AnnotatedClass declaringClass, BeanPropertyDefinition propDef, JavaType type) {
LOG.trace("JsonClassNameWriter.withConfig", declaringClass.getName());
return new JsonClassNameWriter(propDef, declaringClass.getAnnotations(), type);
}
}
......@@ -80,12 +80,13 @@ public interface OAuthClientDetailsService extends ClientDetailsService {
*/
OAuthClient removeClient(OAuthClient oauthClient);
/**
* Autocomplete OAuth clients by title.
*
* @param title the title
* @return list of auth clients
*/
List<OAuthClient> autocompleteClients(String title);
/**
* Autocomplete OAuth clients by title.
*
* @param title the title
* @param limit maximum number of results
* @return list of auth clients
*/
List<OAuthClient> autocompleteClients(String title, int limit);
}
......@@ -411,8 +411,8 @@ public class OAuthServiceImpl implements OAuthClientDetailsService, OAuthTokenSt
*/
@Override
public Collection<OAuth2AccessToken> findTokensByClientIdAndUserName(final String clientId, final String username) {
return accessTokenRepository.findByClientIdAndUsername(clientId, username).stream().filter(at -> at != null).map(at -> deserializeAccessToken(at.getToken())).collect(Collectors
.toList());
return accessTokenRepository.findByClientIdAndUsername(clientId, username).stream().filter(at -> at != null).map(at -> deserializeAccessToken(at.getToken())).collect(
Collectors.toList());
}
/*
......@@ -638,9 +638,12 @@ public class OAuthServiceImpl implements OAuthClientDetailsService, OAuthTokenSt
return oauthClientRepository.save(client);
}
/* (non-Javadoc)
* @see org.genesys.blocks.oauth.service.OAuthClientDetailsService#addClient(org.genesys.blocks.oauth.model.OAuthClient)
/*
* (non-Javadoc)
* @see
* org.genesys.blocks.oauth.service.OAuthClientDetailsService#addClient(org.
* genesys.blocks.oauth.model.OAuthClient)
*/
@Override
@Transactional
......@@ -671,12 +674,18 @@ public class OAuthServiceImpl implements OAuthClientDetailsService, OAuthTokenSt
}
@Override
public List<OAuthClient> autocompleteClients(final String title) {
if (StringUtils.isBlank(title) || title.length() < 4)
public List<OAuthClient> autocompleteClients(final String term, int limit) {
if (StringUtils.isBlank(term) || term.length() < 1)
return Collections.emptyList();
LOG.debug("Autocomplete for={}", title);
Predicate predicate = QOAuthClient.oAuthClient.title.startsWithIgnoreCase(title);
return oauthClientRepository.findAll(predicate, new PageRequest(0, 10, new Sort("title"))).getContent();
LOG.debug("Autocomplete for={}", term);
Predicate predicate = QOAuthClient.oAuthClient.title.startsWithIgnoreCase(term)
// clientId
.or(QOAuthClient.oAuthClient.clientId.startsWithIgnoreCase(term))
// description contains
.or(QOAuthClient.oAuthClient.description.contains(term));
return oauthClientRepository.findAll(predicate, new PageRequest(0, Math.min(100, limit), new Sort("title"))).getContent();
}
}
......@@ -20,12 +20,14 @@ import java.io.Serializable;
import com.fasterxml.jackson.databind.annotation.JsonAppend;
import org.genesys.blocks.model.EntityId;
import org.genesys.blocks.security.serialization.CurrentPermissions;
import org.genesys.blocks.security.serialization.Permissions;
import org.genesys.blocks.security.serialization.CurrentPermissionsWriter;
import org.genesys.blocks.util.JsonClassNameWriter;
/**
* Interface label for entities that require ACL security.
*/
@JsonAppend(props = { @JsonAppend.Prop(name="_permissions", value = CurrentPermissionsWriter.class, type=CurrentPermissions.class) })
@JsonAppend(props = { @JsonAppend.Prop(name = "_type", value = JsonClassNameWriter.class, type = String.class),
@JsonAppend.Prop(name = "_permissions", value = CurrentPermissionsWriter.class, type = Permissions.class) })
public interface AclAwareModel extends Serializable, EntityId {
}
......@@ -25,6 +25,9 @@ import javax.persistence.UniqueConstraint;
import org.genesys.blocks.model.BasicModel;
import com.fasterxml.jackson.annotation.JsonIdentityReference;
import com.fasterxml.jackson.annotation.JsonIgnore;
/**
* ACL Entry represents permissions of {@link AclSid} on a particular entity
* (through {@link AclObjectIdentity}).
......@@ -39,11 +42,13 @@ public class AclEntry extends BasicModel {
/** The acl object identity. */
@ManyToOne(fetch = FetchType.LAZY, cascade = {}, optional = false)
@JoinColumn(name = "acl_object_identity", nullable = false)
@JsonIgnore
private AclObjectIdentity aclObjectIdentity;
/** The acl sid. */
@ManyToOne(fetch = FetchType.LAZY, cascade = {}, optional = false)
@JoinColumn(name = "sid", nullable = false)
@JsonIdentityReference(alwaysAsId = false)
private AclSid aclSid;
/** The ace order. */
......@@ -51,8 +56,8 @@ public class AclEntry extends BasicModel {
private long aceOrder;
/** The mask. */
@Column(name = "mask", nullable = false, length = 11)
private long mask;
@Column(name = "mask", nullable = false)
private int mask;
/** The granting. */
@Column(name = "granting", nullable = false, length = 1)
......@@ -125,7 +130,7 @@ public class AclEntry extends BasicModel {
*
* @return the mask
*/
public long getMask() {
public int getMask() {
return mask;
}
......@@ -134,7 +139,7 @@ public class AclEntry extends BasicModel {
*
* @param mask the new mask
*/
public void setMask(final long mask) {
public void setMask(final int mask) {
this.mask = mask;
}
......
......@@ -27,9 +27,13 @@ import javax.persistence.OneToMany;
import javax.persistence.Table;
import javax.persistence.UniqueConstraint;
import com.fasterxml.jackson.annotation.JsonIgnore;
import org.genesys.blocks.model.BasicModel;
import org.genesys.blocks.security.serialization.AclEntriesToPermissions;
import com.fasterxml.jackson.annotation.JsonIdentityInfo;
import com.fasterxml.jackson.annotation.JsonIdentityReference;
import com.fasterxml.jackson.annotation.ObjectIdGenerators;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;
/**
* ACL Object Identity represents a specific ACL-aware entity (combination of
......@@ -39,6 +43,7 @@ import org.genesys.blocks.model.BasicModel;
*/
@Entity
@Table(name = "acl_object_identity", uniqueConstraints = @UniqueConstraint(columnNames = { "object_id_class", "object_id_identity" }))
@JsonIdentityInfo(generator = ObjectIdGenerators.PropertyGenerator.class, property = "id")
public class AclObjectIdentity extends BasicModel {
/** The Constant serialVersionUID. */
......@@ -52,11 +57,13 @@ public class AclObjectIdentity extends BasicModel {
/** The parent object. */
@ManyToOne(fetch = FetchType.EAGER, cascade = CascadeType.PERSIST)
@JoinColumn(name = "parent_object", nullable = true)
@JsonIdentityReference(alwaysAsId = true)
private AclObjectIdentity parentObject;
/** The owner sid. */
@ManyToOne(fetch = FetchType.EAGER, cascade = {})
@JoinColumn(name = "owner_sid", nullable = true)
@JsonIdentityReference(alwaysAsId = false)
private AclSid ownerSid;
/** The object id identity. */
......@@ -68,7 +75,8 @@ public class AclObjectIdentity extends BasicModel {
private boolean entriesInheriting;
/** The acl entries. */
@JsonIgnore
// @JsonIgnore
@JsonSerialize(converter = AclEntriesToPermissions.class)
@OneToMany(mappedBy = "aclObjectIdentity", fetch = FetchType.LAZY, cascade = CascadeType.REMOVE, orphanRemoval = true)
private List<AclEntry> aclEntries;
......
......@@ -29,7 +29,9 @@ import javax.persistence.InheritanceType;
import javax.persistence.OneToMany;
import javax.persistence.Table;
import com.fasterxml.jackson.annotation.JsonIdentityInfo;
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.ObjectIdGenerators;
import org.genesys.blocks.model.AuditedVersionedModel;
import org.hibernate.annotations.DiscriminatorOptions;
......@@ -49,6 +51,7 @@ import org.hibernate.annotations.DiscriminatorOptions;
@DiscriminatorColumn(name = "type", discriminatorType = DiscriminatorType.INTEGER)
@DiscriminatorValue(value = "0")
@DiscriminatorOptions(force = false)
@JsonIdentityInfo(generator = ObjectIdGenerators.PropertyGenerator.class, property = "id")
public class AclSid extends AuditedVersionedModel {
/** The Constant serialVersionUID. */
......
......@@ -59,7 +59,7 @@ public interface AclEntryPersistence extends JpaRepository<AclEntry, Long> {
* @return - returns lists of user's permissions on domain class
*/
@Query("select ae.aclObjectIdentity.objectIdIdentity from AclEntry ae where ae.aclSid=?1 and ae.aclObjectIdentity.aclClass.aclClass=?2 and ae.mask=?3 and ae.granting=true")
List<Long> findObjectIdentitiesForSidAndAclClassAndMask(AclSid sid, String aclClass, long mask);
List<Long> findObjectIdentitiesForSidAndAclClassAndMask(AclSid sid, String aclClass, int mask);
/**
* Calculates max. ace_order for acl_object_identity to avoid DuplicateIndex
......
......@@ -28,10 +28,10 @@ public interface AclObjectIdentityPersistence extends JpaRepository<AclObjectIde
/**
* Find by object id identity and class name.
*
* @param objectIdentityId the object identity id
* @param objectIdIdentity the object identity id
* @param aclClass the acl class
* @return the acl object identity
*/
@Query("select aoi from AclObjectIdentity aoi where aoi.objectIdIdentity = :objectIdIdentity and aoi.aclClass.aclClass = :aclClass")
AclObjectIdentity findByIdAndClassname(@Param("objectIdIdentity") long objectIdentityId, @Param("aclClass") String aclClass);
AclObjectIdentity findByObjectIdAndClassname(@Param("objectIdIdentity") long objectIdIdentity, @Param("aclClass") String aclClass);
}
......@@ -45,4 +45,12 @@ public interface AclSidPersistence extends JpaRepository<AclSid, Long> {
@Query("select distinct sid from AclSid sid where sid.id in :ids")
List<AclSid> listById(@Param("ids") Iterable<Long> ids);
/**
* List SIDs of authorities (roles)
*
* @return the list of {@link AclSid} for registered authorities
*/
@Query("select sid from AclSid sid where sid.principal = false")
List<AclSid> listAuthoritySids();
}
......@@ -15,23 +15,51 @@
*/
package org.genesys.blocks.security.serialization;
import java.util.List;
import org.genesys.blocks.security.model.AclEntry;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.type.TypeFactory;
import com.fasterxml.jackson.databind.util.Converter;
/**
* The Class CurrentPermissions.
* Converts a list of {@link AclEntry} to the easily digestible
* {@link SidPermissions} objects/.
*
* @author Matija Obreza
*/
public class CurrentPermissions {
/** The create. */
public boolean create;
/** The read. */
public boolean read;
/** The write. */
public boolean write;
/** The delete. */
public boolean delete;
/** The manage. */
public boolean manage;
public class AclEntriesToPermissions implements Converter<List<AclEntry>, List<SidPermissions>> {
/*
* (non-Javadoc)
* @see com.fasterxml.jackson.databind.util.Converter#convert(java.lang.Object)
*/
@Override
public List<SidPermissions> convert(List<AclEntry> aclEntries) {
return SidPermissions.fromEntries(aclEntries);
}
/*
* (non-Javadoc)
* @see
* com.fasterxml.jackson.databind.util.Converter#getInputType(com.fasterxml.
* jackson.databind.type.TypeFactory)
*/
@Override
public JavaType getInputType(TypeFactory typeFactory) {
return typeFactory.constructCollectionType(List.class, AclEntry.class);
}
/*
* (non-Javadoc)
* @see
* com.fasterxml.jackson.databind.util.Converter#getOutputType(com.fasterxml.
* jackson.databind.type.TypeFactory)
*/
@Override
public JavaType getOutputType(TypeFactory typeFactory) {
return typeFactory.constructCollectionType(List.class, SidPermissions.class);
}
}
......@@ -37,7 +37,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
/**
* The CurrentPermissionsWriter is applied to {@link AclAwareModel} and it
* instructs Jackson to to include {@link CurrentPermissions} for current SID
* instructs Jackson to to include {@link Permissions} for current SID
* for every ACL aware entity.
*
* Serialization is enabled <code>@JsonAppend</code> annotation on
......@@ -110,7 +110,7 @@ public class CurrentPermissionsWriter extends VirtualBeanPropertyWriter {
if (permissionEvaluator != null) {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
if (authentication != null) {
CurrentPermissions perms = new CurrentPermissions();
Permissions perms = new Permissions();
perms.create = permissionEvaluator.hasPermission(authentication, bean, BasePermission.CREATE);
perms.read = permissionEvaluator.hasPermission(authentication, bean, BasePermission.READ);
perms.write = permissionEvaluator.hasPermission(authentication, bean, BasePermission.WRITE);
......
/*
* Copyright 2017 Global Crop Diversity Trust
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.genesys.blocks.security.serialization;
import static org.springframework.security.acls.domain.BasePermission.*;
import org.springframework.security.acls.domain.BasePermission;
/**
* A simple POJO for object permissions.
*/
public class Permissions {
/** Allowed to create */
public boolean create;
/** Allowed to read */
public boolean read;
/** Allowed to write/modify */
public boolean write;
/** Allowed to delete */
public boolean delete;
/** Allowed to admin/manage */
public boolean manage;
@Override
public String toString() {
StringBuffer sb = new StringBuffer();
sb.append(create ? "c" : "-");
sb.append(read ? "r" : "-");
sb.append(write ? "w" : "-");
sb.append(delete ? "d" : "-");
sb.append(manage ? "A" : "-"); // Admin
return sb.toString();
}
/**
* Is Permissions granting the {@link BasePermission} by its mask?
*
* @param mask int value of Permission mask
* @return true if granting, false otherwise
* @throws UnsupportedOperationException if mask is not understood
*/
public boolean isGranting(int mask) {
if (CREATE.getMask() == mask) {
return create;
} else if (READ.getMask() == mask) {
return read;
} else if (WRITE.getMask() == mask) {
return write;
} else if (DELETE.getMask() == mask) {
return delete;
} else if (ADMINISTRATION.getMask() == mask) {
return manage;
} else {
throw new UnsupportedOperationException("No such permission with mask=" + mask);
}
}
public Permissions grantAll() {
this.create = true;
this.read = true;
this.write = true;
this.delete = true;
this.manage = true;
return this;
}
public Permissions grantNone() {
this.create = false;
this.read = false;
this.write = false;
this.delete = false;
this.manage = false;
return this;
}
}
/*
* Copyright 2017 Global Crop Diversity Trust
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.genesys.blocks.security.serialization;
import static org.springframework.security.acls.domain.BasePermission.*;
import java.util.ArrayList;
import java.util.List;
import org.genesys.blocks.security.model.AclEntry;
import org.genesys.blocks.security.model.AclSid;
import com.google.common.collect.Lists;
/**
* Simple POJO for SID's permissions
*/
public class SidPermissions extends Permissions {
/** SID having these permisions */