Commit 370304d6 authored by Matija Obreza's avatar Matija Obreza

Merge branch 'acl-objectidentity-as-parent' into 'master'

Acl objectidentity as parent

See merge request genesys-pgr/application-blocks!36
parents cd95da72 40f0a90b
......@@ -55,7 +55,7 @@ public class AclAssignerAspect {
}
/**
* Create owner permissions on persist.
* Ensure owner permissions on persist or update
*
* @param result the result
* @return the object
......@@ -66,12 +66,12 @@ public class AclAssignerAspect {
if (auth != null) {
if (result instanceof AclAwareModel) {
maybeAddCreatorPermissions(result);
maybeUpdatePermissions(result);
} else if (result instanceof Iterable) {
// Handle collections of AclAwareModel
final Iterable<?> i = (Iterable<?>) result;
for (final Object o : i) {
maybeAddCreatorPermissions(o);
maybeUpdatePermissions(o);
}
} else {
LOG.trace("{} is not instance of AclAwareModel", result);
......@@ -86,9 +86,9 @@ public class AclAssignerAspect {
*
* @param obj the obj
*/
private void maybeAddCreatorPermissions(final Object obj) {
private void maybeUpdatePermissions(final Object obj) {
if (obj instanceof AclAwareModel) {
aclService.addCreatorPermissions((AclAwareModel) obj);
aclService.createOrUpdatePermissions((AclAwareModel) obj);
} else {
LOG.trace("{} is not instance of AclAwareModel", obj);
}
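Review bot: The Javadoc of the renamed `maybeUpdatePermissions` (hunk `@@ -86,9 +86,9 @@`) still only says `@param obj the obj`, while the advice above it is now documented as running on update as well as persist and delegates every result to `createOrUpdatePermissions`, which elsewhere in this merge assigns the current user as owner of an existing, ownerless ACL identity and re-resolves the ACL parent. That side effect is not implied by the name and should be stated on the method: `/** On persist, creates the ACL identity for an AclAwareModel; on update, re-resolves its ACL parent and, if no owner is recorded, assigns the current user as owner. Other argument types are ignored. */`. The advised method whose result is iterated in the second hunk starts outside this view, so the pointcut that decides when this fires cannot be checked here.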
......
......@@ -32,11 +32,24 @@ import org.genesys.blocks.util.JsonClassNameWriter;
public interface AclAwareModel extends Serializable, EntityId {
/**
* Objects belonging to some parent can override this method.
* Objects belonging to a parent entity can override this method.
*
* @return the parent ACL object (null by default)
* @return the parent AclAwareModel (null by default)
*/
default AclAwareModel aclParentObject() {
return null;
}
/**
* A custom, persisted parent AclObjectIdentity reference. Takes precedence over
* {@link #aclParentObject()} when configured.
*
* This addresses the ACL inheritance for generic use cases where no business
* entity relationships exist.
*
* @return a custom parent AclObjectIdentity (null by default)
*/
default AclObjectIdentity aclParentObjectIdentity() {
return null;
}
}
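Review bot: `aclParentObjectIdentity()` lets an entity point its ACL at any persisted AclObjectIdentity, and the service side of this merge sets that reference as the parent and switches `entriesInheriting` on, so whoever controls this value controls which ACL entries the entity inherits. The Javadoc should state the trust boundary rather than only the precedence rule: the reference must never be taken from client input without checking that the caller holds ADMINISTRATION on the referenced identity, and it must not be the entity's own identity, since a self-parent would make ACL resolution loop. Suggest appending: `Implementations must return a persisted identity the current principal is allowed to delegate from; never a value supplied directly by a client, and never the entity's own identity.` Whether any implementation exposes a setter for this value is not visible on this page.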
......@@ -100,16 +100,16 @@ public class CurrentPermissionsWriter extends VirtualBeanPropertyWriter {
if (SecurityContextUtil.hasRole("ADMINISTRATOR")) {
perms.grantAll();
}
try {
perms.create = SecurityContextUtil.hasPermission(bean, BasePermission.CREATE);
perms.read = SecurityContextUtil.hasPermission(bean, BasePermission.READ);
perms.write = SecurityContextUtil.hasPermission(bean, BasePermission.WRITE);
perms.delete = SecurityContextUtil.hasPermission(bean, BasePermission.DELETE);
perms.manage = SecurityContextUtil.hasPermission(bean, BasePermission.ADMINISTRATION);
} catch (Throwable e) {
LOG.warn("Could not read current permissions {}", e.getMessage());
} else {
try {
perms.create = SecurityContextUtil.hasPermission(bean, BasePermission.CREATE);
perms.read = SecurityContextUtil.hasPermission(bean, BasePermission.READ);
perms.write = SecurityContextUtil.hasPermission(bean, BasePermission.WRITE);
perms.delete = SecurityContextUtil.hasPermission(bean, BasePermission.DELETE);
perms.manage = SecurityContextUtil.hasPermission(bean, BasePermission.ADMINISTRATION);
} catch (Throwable e) {
LOG.warn("Could not read current permissions {}", e.getMessage());
}
}
return perms;
}
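Review bot: `catch (Throwable e)` in the new `else` branch also swallows `Error`s such as OutOfMemoryError and logs only `e.getMessage()`, so a real failure inside the permission evaluator surfaces as a one-line warning with no stack trace. Narrow it and keep the cause: `} catch (Exception e) {` and `LOG.warn("Could not read current permissions", e);`. When the lookup fails the flags keep whatever value `perms` was constructed with — presumably false, which is the safe direction, but that constructor and the start of the enclosing method are outside this hunk.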
......
......@@ -63,11 +63,11 @@ public interface CustomAclService {
List<AclSid> listAuthoritySids();
/**
* Adds the creator permissions.
* Adds the creator permissions or updates permission inheritance
*
* @param entity the target
*/
void addCreatorPermissions(AclAwareModel entity);
void createOrUpdatePermissions(AclAwareModel entity);
/**
* Removes the permissions on ACL model.
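Review bot: The new Javadoc for `createOrUpdatePermissions` says it "updates permission inheritance", but the implementation in this merge also assigns the current principal as owner, with all permissions, whenever an existing ACL identity has no owner recorded. That is the part a caller most needs to know, because it means a non-owner saving the entity can be promoted to its owner. Suggest: `Creates the ACL object identity for a new entity (the current user becomes owner), or for an existing one re-resolves the ACL parent and, if no owner is recorded, assigns the current user as owner with full permissions.`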
......
......@@ -70,7 +70,7 @@ public class CustomAclServiceImpl implements CustomAclService {
private AclEntryPersistence aclEntryPersistence;
/** The cache manager. */
@Autowired
@Autowired(required = false)
private CacheManager cacheManager;
/** The acl sid persistence. */
......@@ -102,7 +102,7 @@ public class CustomAclServiceImpl implements CustomAclService {
@Override
@Transactional(propagation = Propagation.REQUIRED)
public void addCreatorPermissions(final AclAwareModel target) {
public void createOrUpdatePermissions(final AclAwareModel target) {
if ((target == null) || (target.getId() <= 0l)) {
LOG.warn("No target specified for ACL permissions, bailing out!");
return;
......@@ -112,6 +112,7 @@ public class CustomAclServiceImpl implements CustomAclService {
// save object identity
AclObjectIdentity objectIdentity = aclObjectIdentityPersistence.findByObjectIdAndClassname(target.getId(), aclClass.getAclClass());
if (objectIdentity == null) {
objectIdentity = new AclObjectIdentity();
......@@ -129,38 +130,50 @@ public class CustomAclServiceImpl implements CustomAclService {
objectIdentity.setObjectIdIdentity(target.getId());
objectIdentity.setAclClass(aclClass);
AclObjectIdentity parentObject = getObjectIdentity(target.aclParentObject());
AclObjectIdentity parentObject = target.aclParentObjectIdentity();
if (parentObject == null && target.aclParentObject() != null) {
// get OID of parent business entity
parentObject = getObjectIdentity(target.aclParentObject());
}
if (parentObject != null) {
objectIdentity.setParentObject(parentObject);
objectIdentity.setEntriesInheriting(true);
} else {
objectIdentity.setEntriesInheriting(true);
}
objectIdentity.setEntriesInheriting(true);
objectIdentity = aclObjectIdentityPersistence.save(objectIdentity);
if (objectIdentity.getOwnerSid() != null) {
// Grant permissions to owner
final Permissions permissions = new Permissions().grantAll();
addPermissions(objectIdentity, objectIdentity.getOwnerSid(), permissions);
}
} else {
// update parent
// update permissions
LOG.debug("Updating ACL parent object for class={} id={}", target.getClass().getName(), target.getId());
if (objectIdentity.getOwnerSid() == null) {
final AclSid ownerSid = SecurityContextUtil.getCurrentUser();
if (ownerSid != null && ownerSid.isPersisted()) {
objectIdentity.setOwnerSid(ownerSid);
// Grant permissions to owner
final Permissions permissions = new Permissions().grantAll();
addPermissions(objectIdentity, objectIdentity.getOwnerSid(), permissions);
} else {
LOG.debug("Owner SID not persisted or is null.");
}
}
AclObjectIdentity parentObject = target.aclParentObjectIdentity();
if (parentObject == null && target.aclParentObject() != null) {
// get OID of parent business entity
parentObject = getObjectIdentity(target.aclParentObject());
}
if (target.aclParentObject() != null) {
LOG.trace("Updating ACL parent to {}", target.aclParentObject());
AclObjectIdentity parentObject = getObjectIdentity(target.aclParentObject());
if (parentObject != null) {
LOG.trace("Updating ACL parent to {}", parentObject);
objectIdentity.setParentObject(parentObject);
// objectIdentity.setEntriesInheriting(true);
objectIdentity.setEntriesInheriting(true);
} else {
LOG.trace("Clearing ACL parent");
objectIdentity.setParentObject(null);
......@@ -259,9 +272,11 @@ public class CustomAclServiceImpl implements CustomAclService {
}
private void clearAclCache() {
final Cache aclCache = cacheManager.getCache("aclCache");
if (aclCache != null)
aclCache.clear();
if (cacheManager!=null) {
final Cache aclCache = cacheManager.getCache("aclCache");
if (aclCache != null)
aclCache.clear();
}
}
/**
......@@ -619,5 +634,4 @@ public class CustomAclServiceImpl implements CustomAclService {
}
LOG.warn("Done cleaning ACL for {} ACL classes", aclClasses.size());
}
}
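Review bot: In the update branch of `createOrUpdatePermissions` (hunk `@@ -129,38 +130,50 @@`), an existing identity with no `ownerSid` gets the current user as owner plus `grantAll()` on every update the aspect covers, so a principal who only holds WRITE through inherited entries and saves the entity becomes its administrator. Ownerless identities may only come from legacy rows, but nothing in the code says so or restricts who triggers the promotion — at minimum gate it on the caller already holding ADMINISTRATION on the identity, and log it at WARN rather than DEBUG so it is auditable. The parent taken from `aclParentObjectIdentity()` is likewise applied without checking that it is persisted, is not the identity itself, and is one the caller may delegate from, while `setEntriesInheriting(true)` makes the object inherit whatever that parent grants. The method's tail (the `else` that clears the parent) runs past the hunk, so whether the update branch persists the identity or clears the ACL cache afterwards cannot be seen here.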