Commit eb231064 authored by Matija Obreza's avatar Matija Obreza

AclAwareModel exposes #aclParentObject for inheriting permissions

parent 4817a4cd
...@@ -30,4 +30,11 @@ import org.genesys.blocks.util.JsonClassNameWriter; ...@@ -30,4 +30,11 @@ import org.genesys.blocks.util.JsonClassNameWriter;
@JsonAppend(props = { @JsonAppend.Prop(name = "_class", value = JsonClassNameWriter.class, type = String.class), @JsonAppend(props = { @JsonAppend.Prop(name = "_class", value = JsonClassNameWriter.class, type = String.class),
@JsonAppend.Prop(name = "_permissions", value = CurrentPermissionsWriter.class, type = Permissions.class) }) @JsonAppend.Prop(name = "_permissions", value = CurrentPermissionsWriter.class, type = Permissions.class) })
public interface AclAwareModel extends Serializable, EntityId { public interface AclAwareModel extends Serializable, EntityId {
/**
* Objects belonging to some parent can override this method
*/
default AclAwareModel aclParentObject() {
return null;
}
} }
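Review bot: The Javadoc on the new `aclParentObject()` default method does not state what the return value means, and this contract is what CustomAclServiceImpl now builds on (a non-null result makes the object's ACL entries inherit from the returned object, null leaves inheritance off). It should carry a `@return` tag, e.g. `@return the object whose ACL entries this object inherits, or {@code null} when permissions are not inherited (the default)`, and say that implementations are expected to return an already persisted entity since the service looks its identity up by id and class name. A one-line remark that overriding this method widens who can act on the object (everyone with permissions on the parent) would help implementers reason about the security effect.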
...@@ -28,10 +28,12 @@ import javax.persistence.Table; ...@@ -28,10 +28,12 @@ import javax.persistence.Table;
import javax.persistence.UniqueConstraint; import javax.persistence.UniqueConstraint;
import org.genesys.blocks.model.BasicModel; import org.genesys.blocks.model.BasicModel;
import org.genesys.blocks.model.JsonViews;
import org.genesys.blocks.security.serialization.AclEntriesToPermissions; import org.genesys.blocks.security.serialization.AclEntriesToPermissions;
import com.fasterxml.jackson.annotation.JsonIdentityInfo; import com.fasterxml.jackson.annotation.JsonIdentityInfo;
import com.fasterxml.jackson.annotation.JsonIdentityReference; import com.fasterxml.jackson.annotation.JsonIdentityReference;
import com.fasterxml.jackson.annotation.JsonView;
import com.fasterxml.jackson.annotation.ObjectIdGenerators; import com.fasterxml.jackson.annotation.ObjectIdGenerators;
import com.fasterxml.jackson.databind.annotation.JsonSerialize; import com.fasterxml.jackson.databind.annotation.JsonSerialize;
...@@ -64,6 +66,7 @@ public class AclObjectIdentity extends BasicModel { ...@@ -64,6 +66,7 @@ public class AclObjectIdentity extends BasicModel {
@ManyToOne(fetch = FetchType.EAGER, cascade = {}) @ManyToOne(fetch = FetchType.EAGER, cascade = {})
@JoinColumn(name = "owner_sid", nullable = true) @JoinColumn(name = "owner_sid", nullable = true)
@JsonIdentityReference(alwaysAsId = false) @JsonIdentityReference(alwaysAsId = false)
@JsonView(JsonViews.Minimal.class)
private AclSid ownerSid; private AclSid ownerSid;
/** The object id identity. */ /** The object id identity. */
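Review bot: Adding `@JsonView(JsonViews.Minimal.class)` to `ownerSid` means the owning SID is now emitted even in the most restricted JSON view, and since the field is `@JsonIdentityReference(alwaysAsId = false)` the nested AclSid is serialized as a full object rather than an id. Confirm that the AclSid fields included in that view do not expose more than the identifier (or switch to `alwaysAsId = true` for the Minimal view), and note the intent in a comment such as `// owner is part of the Minimal view so clients can show who owns the object`.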
...@@ -18,12 +18,13 @@ package org.genesys.blocks.security.persistence; ...@@ -18,12 +18,13 @@ package org.genesys.blocks.security.persistence;
import org.genesys.blocks.security.model.AclObjectIdentity; import org.genesys.blocks.security.model.AclObjectIdentity;
import org.springframework.data.jpa.repository.JpaRepository; import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query; import org.springframework.data.jpa.repository.Query;
import org.springframework.data.querydsl.QueryDslPredicateExecutor;
import org.springframework.data.repository.query.Param; import org.springframework.data.repository.query.Param;
/** /**
* The Interface AclObjectIdentityPersistence. * The Interface AclObjectIdentityPersistence.
*/ */
public interface AclObjectIdentityPersistence extends JpaRepository<AclObjectIdentity, Long> { public interface AclObjectIdentityPersistence extends JpaRepository<AclObjectIdentity, Long>, QueryDslPredicateExecutor<AclObjectIdentity> {
/** /**
* Find by object id identity and class name. * Find by object id identity and class name.
...@@ -107,34 +107,52 @@ public class CustomAclServiceImpl implements CustomAclService { ...@@ -107,34 +107,52 @@ public class CustomAclServiceImpl implements CustomAclService {
return; return;
} }
final AclSid ownerSid = SecurityContextUtil.getCurrentUser(); final AclClass aclClass = ensureAclClass(target.getClass().getName());
if (ownerSid == null) {
LOG.warn("No SID in security context, not assigning creator permissions"); // save object identity
return; AclObjectIdentity objectIdentity = aclObjectIdentityPersistence.findByObjectIdAndClassname(target.getId(), aclClass.getAclClass());
} else if (!ownerSid.isPersisted()) { if (objectIdentity == null) {
LOG.warn("Owner SID not persisted, not assigning creator permissions"); final AclSid ownerSid = SecurityContextUtil.getCurrentUser();
return; if (ownerSid == null) {
} LOG.warn("No SID in security context, not assigning creator permissions");
return;
} else if (!ownerSid.isPersisted()) {
LOG.warn("Owner SID not persisted, not assigning creator permissions");
return;
}
LOG.debug("Inserting owner ACL entries for owner={} class={} id={}", ownerSid, target.getClass().getName(), target.getId()); LOG.debug("Inserting owner ACL entries for owner={} class={} id={}", ownerSid, target.getClass().getName(), target.getId());
final AclClass aclClass = ensureAclClass(target.getClass().getName()); objectIdentity = new AclObjectIdentity();
objectIdentity.setObjectIdIdentity(target.getId());
objectIdentity.setAclClass(aclClass);
objectIdentity.setOwnerSid(ownerSid);
// create object identity AclObjectIdentity parentObject = getObjectIdentity(target.aclParentObject());
final AclObjectIdentity objectIdentity = new AclObjectIdentity(); if (parentObject != null) {
objectIdentity.setObjectIdIdentity(target.getId()); objectIdentity.setParentObject(parentObject);
objectIdentity.setAclClass(aclClass); objectIdentity.setEntriesInheriting(true);
objectIdentity.setOwnerSid(ownerSid); } else {
objectIdentity.setParentObject(null); objectIdentity.setEntriesInheriting(false);
objectIdentity.setEntriesInheriting(false); }
// save object identity objectIdentity = aclObjectIdentityPersistence.save(objectIdentity);
AclObjectIdentity savedAclObjectIdentity = aclObjectIdentityPersistence.findByObjectIdAndClassname(objectIdentity.getObjectIdIdentity(), objectIdentity.getAclClass()
.getAclClass());
if (savedAclObjectIdentity == null) {
savedAclObjectIdentity = aclObjectIdentityPersistence.save(objectIdentity);
final Permissions permissions = new Permissions().grantAll(); final Permissions permissions = new Permissions().grantAll();
addPermissions(savedAclObjectIdentity, ownerSid, permissions); addPermissions(objectIdentity, ownerSid, permissions);
} else {
// update parent
LOG.debug("Updating ACL parent object for class={} id={}", target.getClass().getName(), target.getId());
AclObjectIdentity parentObject = getObjectIdentity(target.aclParentObject());
if (parentObject != null && ! parentObject.getId().equals(objectIdentity.getParentObject())) {
objectIdentity.setParentObject(parentObject);
objectIdentity.setEntriesInheriting(true);
} else {
objectIdentity.setParentObject(null);
objectIdentity.setEntriesInheriting(false);
}
} }
} }
...@@ -287,7 +305,8 @@ public class CustomAclServiceImpl implements CustomAclService { ...@@ -287,7 +305,8 @@ public class CustomAclServiceImpl implements CustomAclService {
@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#entity, 'ADMINISTRATION')") @PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#entity, 'ADMINISTRATION')")
public AclObjectIdentity getObjectIdentity(final AclAwareModel entity) { public AclObjectIdentity getObjectIdentity(final AclAwareModel entity) {
if (entity == null) { if (entity == null) {
LOG.error("getObjectIdentity: Entity is null"); LOG.trace("getObjectIdentity: Entity is null");
return null;
} }
final AclObjectIdentity oid = aclObjectIdentityPersistence.findByObjectIdAndClassname(entity.getId(), entity.getClass().getName()); final AclObjectIdentity oid = aclObjectIdentityPersistence.findByObjectIdAndClassname(entity.getId(), entity.getClass().getName());
if (oid == null) { if (oid == null) {
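Review bot: The parent-change test in the new `else` branch of the first hunk compares an id with an entity — `parentObject.getId().equals(objectIdentity.getParentObject())` — and since `setParentObject` takes an AclObjectIdentity the getter presumably returns one, so the `equals` is always false, the parent is re-set on every update, and once the comparison is fixed an unchanged parent would fall into the else arm and be cleared together with `entriesInheriting`. The branch should first decide whether a parent exists and only then compare ids, as below; it also never calls `aclObjectIdentityPersistence.save(objectIdentity)`, so it relies on the loaded entity being managed in a transaction — confirm that or save explicitly as the create path does. Separately, `getObjectIdentity(target.aclParentObject())` is a self-invocation from inside CustomAclServiceImpl, so the `@PreAuthorize` on `getObjectIdentity` in the second hunk does not apply to it if method security is proxy-based; the new object then inherits the parent's entries without any check that the current user holds a permission on that parent, which may be intended but deserves a comment at the call site. The enclosing method starts outside the hunk.
```java
} else {
    // update parent
    LOG.debug("Updating ACL parent object for class={} id={}", target.getClass().getName(), target.getId());
    final AclObjectIdentity parentObject = getObjectIdentity(target.aclParentObject());
    final AclObjectIdentity currentParent = objectIdentity.getParentObject();
    if (parentObject == null) {
        // no parent (any more): stop inheriting entries
        objectIdentity.setParentObject(null);
        objectIdentity.setEntriesInheriting(false);
    } else if (currentParent == null || !parentObject.getId().equals(currentParent.getId())) {
        // parent assigned or changed: inherit its entries
        objectIdentity.setParentObject(parentObject);
        objectIdentity.setEntriesInheriting(true);
    }
    // NOTE(review): no save() here — confirm objectIdentity is a managed entity, else persist explicitly
}
```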