Commit 26c64dc0 authored by Matija Obreza's avatar Matija Obreza

Merge branch 'acl-updates' into 'master'

Acl updates

See merge request genesys-pgr/application-blocks!41
parents a3588258 ce45ba76
......@@ -15,6 +15,8 @@
*/
package org.genesys.blocks.security.persistence;
import java.util.List;
import org.genesys.blocks.security.model.AclObjectIdentity;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Modifying;
......@@ -45,4 +47,6 @@ public interface AclObjectIdentityPersistence extends JpaRepository<AclObjectIde
@Modifying
@Query("update AclObjectIdentity aoi set aoi.parentObject = null where aoi.parentObject = ?1")
void resetChildrenOfOID(AclObjectIdentity oID);
List<AclObjectIdentity> findByParentObject(AclObjectIdentity parentObject);
}
......@@ -15,6 +15,7 @@
*/
package org.genesys.blocks.security.service;
import java.util.ArrayList;
import java.util.List;
import org.genesys.blocks.util.JsonSidConverter;
......@@ -23,10 +24,14 @@ import org.genesys.blocks.security.model.AclClass;
import org.genesys.blocks.security.model.AclEntry;
import org.genesys.blocks.security.model.AclObjectIdentity;
import org.genesys.blocks.security.model.AclSid;
import org.genesys.blocks.security.serialization.AclEntriesToPermissions;
import org.genesys.blocks.security.serialization.Permissions;
import org.genesys.blocks.security.serialization.SidPermissions;
import org.springframework.security.acls.model.Permission;
import com.fasterxml.jackson.annotation.JsonUnwrapped;
import com.fasterxml.jackson.databind.annotation.JsonSerialize;
/**
* The Interface CustomAclService.
*/
......@@ -170,6 +175,15 @@ public interface CustomAclService extends JsonSidConverter.SidProvider {
*/
AclObjectIdentity setPermissions(AclObjectIdentity objectIdentity, AclSid sid, final Permissions permissions);
/**
* Removes the permissions for SID on ACL OID
*
* @param objectIdentity the object identity
* @param aclSid the acl sid
* @return the acl object identity
*/
AclObjectIdentity removePermissions(AclObjectIdentity objectIdentity, AclSid aclSid);
/**
* Gets the acl entries.
*
......@@ -245,4 +259,26 @@ public interface CustomAclService extends JsonSidConverter.SidProvider {
* @return the sid name
*/
String getSidName(long id);
/**
* Load object identity extended information
*
* @param objectIdentity the object identity
* @return the acl object identity ext
*/
AclObjectIdentityExt loadObjectIdentityExt(AclObjectIdentity objectIdentity);
/**
* Wraps {@link AclObjectIdentity} and adds list of inherited permissions.
*/
public static class AclObjectIdentityExt {
@JsonUnwrapped
public AclObjectIdentity original;
@JsonSerialize(converter = AclEntriesToPermissions.class)
public List<AclEntry> inherited = new ArrayList<>();
public AclObjectIdentityExt(AclObjectIdentity source) {
this.original = source;
}
}
}
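Review bot: `AclObjectIdentityExt` exposes two public mutable fields, and `inherited` is only ever appended to by the implementation, so it can be declared `public final List<AclEntry> inherited = new ArrayList<>();` (Jackson still serializes public final fields) to stop callers from replacing the list; `original` can likewise be `final` since it is set only in the constructor. The `public static` modifiers on the nested class are redundant inside an interface, where member types are implicitly public and static. The fields carry no Javadoc; a line such as `/** The wrapped OID, serialized inline via @JsonUnwrapped. */` on `original` and `/** ACL entries collected from ancestor OIDs, serialized as permissions. */` on `inherited` would document the contract. The enclosing interface `CustomAclService` begins outside the hunk.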
......@@ -16,7 +16,9 @@
package org.genesys.blocks.security.service.impl;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.persistence.EntityManager;
......@@ -261,7 +263,7 @@ public class CustomAclServiceImpl implements CustomAclService {
* permissions granted to the SID are removed.
*/
@Override
@Transactional(propagation = Propagation.REQUIRED)
@Transactional(propagation = Propagation.REQUIRED, isolation = Isolation.READ_UNCOMMITTED)
public void removeAclAwareModel(final AclAwareModel target) {
LOG.debug("Deleting ACL data for {}", target);
......@@ -272,6 +274,11 @@ public class CustomAclServiceImpl implements CustomAclService {
final AclObjectIdentity aclObjectIdentity = getObjectIdentity(target);
if (aclObjectIdentity != null) {
LOG.debug("OID {}#{} of {}", aclObjectIdentity.getAclClass().getAclClass(), aclObjectIdentity.getObjectIdIdentity(), target);
for (AclObjectIdentity child : aclObjectIdentityPersistence.findByParentObject(aclObjectIdentity)) {
LOG.debug("Has child {}#{}", child.getAclClass().getAclClass(), child.getObjectIdIdentity());
}
LOG.info("Deleting ACL data of {}", target);
final List<AclEntry> aclEntries = aclEntryPersistence.findByObjectIdentity(aclObjectIdentity);
if (aclEntries != null) {
......@@ -381,6 +388,38 @@ public class CustomAclServiceImpl implements CustomAclService {
return aclClass;
}
@Override
@Transactional(readOnly = true)
public AclObjectIdentityExt loadObjectIdentityExt(AclObjectIdentity objectIdentity) {
if (objectIdentity != null) {
objectIdentity = getObjectIdentity(objectIdentity.getId());
AclObjectIdentityExt _aclObjectIdentity = new AclObjectIdentityExt(objectIdentity);
objectIdentity.getAclEntries().forEach(entry -> entry.getAclSid().getId());
List<AclEntry> inheritedEntries = inherited(objectIdentity.getParentObject(), new ArrayList<>(), new HashSet<>());
_aclObjectIdentity.inherited.addAll(inheritedEntries);
// lazy load for JSON
_aclObjectIdentity.inherited.forEach(entry -> entry.getAclSid().getId());
return _aclObjectIdentity;
}
return null;
}
private List<AclEntry> inherited(AclObjectIdentity objectIdentity, List<AclEntry> aclEntries, Set<AclObjectIdentity> handled) {
if (objectIdentity == null || handled.contains(objectIdentity)) {
return aclEntries;
}
aclEntries.addAll(objectIdentity.getAclEntries());
handled.add(objectIdentity);
if (objectIdentity.getParentObject() != null) {
inherited(objectIdentity.getParentObject(), aclEntries, handled);
}
return aclEntries;
}
/*
* (non-Javadoc)
* @see
......@@ -488,7 +527,12 @@ public class CustomAclServiceImpl implements CustomAclService {
throw new NullPointerException("Permissions must be provided, was null.");
}
final AclObjectIdentity objectIdentity = getObjectIdentity(entity);
String className = entity.getClass().getName();
if (entity instanceof ClassAclOid<?>) {
className = ((ClassAclOid<?>) entity).getClassName();
}
final AclObjectIdentity objectIdentity = ensureObjectIdentity(entity.getId(), className);
return setPermissions(objectIdentity, sid, permissions);
}
......@@ -544,6 +588,32 @@ public class CustomAclServiceImpl implements CustomAclService {
}
}
/* (non-Javadoc)
* @see org.genesys.blocks.security.service.CustomAclService#removePermissions(org.genesys.blocks.security.model.AclObjectIdentity, org.genesys.blocks.security.model.AclSid)
*/
@Override
@Transactional(propagation = Propagation.REQUIRED, isolation = Isolation.READ_UNCOMMITTED)
public AclObjectIdentity removePermissions(AclObjectIdentity objectIdentity, AclSid sid) {
if (objectIdentity == null) {
throw new NullPointerException("AclObjectIdentity must be provided, was null.");
}
if (sid == null) {
throw new NullPointerException("AclSid must be provided, was null.");
}
try {
final List<AclEntry> aclEntries = aclEntryPersistence.findBySidAndObjectIdentity(sid, objectIdentity);
// delete ACL entries for sid
LOG.debug("Deleting {} AclEntries for {}", aclEntries.size(), sid);
aclEntryPersistence.delete(aclEntries);
return getObjectIdentity(objectIdentity.getId());
} finally {
clearAclCache();
}
}
/*
* (non-Javadoc)
* @see org.genesys.blocks.security.service.CustomAclService#getAclEntries(org.
......@@ -627,7 +697,7 @@ public class CustomAclServiceImpl implements CustomAclService {
* java.lang.String, long)
*/
@Override
@Transactional(propagation = Propagation.REQUIRED)
@Transactional(propagation = Propagation.REQUIRED, isolation = Isolation.READ_UNCOMMITTED)
public AclObjectIdentity ensureObjectIdentity(final long objectIdIdentity, final String className) {
AclObjectIdentity aoi = aclObjectIdentityPersistence.findByObjectIdAndClassname(objectIdIdentity, className);
if (aoi == null) {
......@@ -661,7 +731,7 @@ public class CustomAclServiceImpl implements CustomAclService {
* .genesys.blocks.security.model.AclAwareModel, boolean)
*/
@Override
@Transactional(propagation = Propagation.REQUIRED)
@Transactional(propagation = Propagation.REQUIRED, isolation = Isolation.READ_UNCOMMITTED)
@PreAuthorize("hasRole('ADMINISTRATOR') or hasPermission(#entity, 'ADMINISTRATION')")
public void makePubliclyReadable(AclAwareModel entity, boolean publiclyReadable) {
AclSid roleEveryone = getAuthoritySid("ROLE_EVERYONE");
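Review bot: `isolation = Isolation.READ_UNCOMMITTED` is now set on four ACL-mutating methods (`removeAclAwareModel`, `removePermissions`, `ensureObjectIdentity`, `makePubliclyReadable`), which permits dirty reads: `ensureObjectIdentity` can observe an uncommitted `AclObjectIdentity` from a concurrent transaction, skip creation and hand back a row that is later rolled back, and `removePermissions` can act on entries whose insert never commits. If the intent is to avoid lock waits under contention, that should be stated in a comment; otherwise keep the annotation as `@Transactional(propagation = Propagation.REQUIRED)` and leave the database's default isolation in place. In `removePermissions` the result of `findBySidAndObjectIdentity` is dereferenced (`aclEntries.size()`) without the null check that `removeAclAwareModel` applies to `findByObjectIdentity` (`if (aclEntries != null)`), and the method carries no `@PreAuthorize` while `makePubliclyReadable` does, so unless callers are guarded at another layer any authenticated principal reaching the service could strip ACL entries from an OID. `loadObjectIdentityExt` reassigns `objectIdentity` from `getObjectIdentity(objectIdentity.getId())` and then dereferences it, so a stale or unknown id yields a NullPointerException instead of the `null` the method otherwise returns; a guard such as `if (objectIdentity == null) { return null; }` after the reload would match the existing contract.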
......