/**
 * Resolves a collection of authority constants (e.g. {@code IDENTITY_READ}) to the base
 * permissions they carry. Each authority is reduced to its permission part by
 * {@link #toPermission(String)}, so {@code IDENTITY_READ} contributes {@code READ}.
 *
 * BEWARE: the group part is discarded, so authorities from different groups are united.
 * For {@code IDENTITY_READ, ROLE_UPDATE, ROLE_READ} the result is {@code READ, UPDATE}.
 * The result only says which permission kinds occur somewhere in the input; it does not
 * say that any of them is held for a particular group, so it must not be used for
 * per-group authorization decisions.
 *
 * Permissions are de-duplicated by {@link BasePermission#getName()} rather than by
 * {@code equals}: permissions that {@code toPermission} creates on the fly are lambdas and
 * only have identity equality. The first permission of a given name wins. Authorities that
 * resolve to {@code null} (blank values) are dropped.
 *
 * @param authorities group (authorities) or base permissions; may be {@code null} or empty.
 * @return distinct base permissions, in no particular order; never {@code null}.
 */
public static Collection<BasePermission> toPermissions(Collection<String> authorities) {
    if (CollectionUtils.isEmpty(authorities)) {
        return Collections.<BasePermission>emptySet();
    }
    Set<String> seenNames = new HashSet<>(authorities.size());
    Set<BasePermission> permissions = new HashSet<>(authorities.size());
    for (String authority : authorities) {
        BasePermission resolved = toPermission(authority);
        // Set#add reports whether the name is new, so the first permission per name is kept.
        if (resolved != null && seenNames.add(resolved.getName())) {
            permissions.add(resolved);
        }
    }
    return permissions;
}
/**
 * Merges the concepts of the given request into the request-identity-roles built from the
 * identity-roles. Concepts are looked up for the identity-role ids, restricted to
 * {@code filter.getRoleRequestId()} and to the given permissions. Every concept whose
 * operation is not {@code ADD} rewrites the first matching request-identity-role in place:
 * id, operation, validity and role request are taken from the concept, and for
 * {@code UPDATE} concepts the concept's role attribute values (EAVs) are attached as well.
 *
 * A request-identity-role is matched only while its id still equals its identity-role id
 * (presumably the state it is built in); once rewritten its id is the concept id, so the
 * same row is not altered twice.
 *
 * NOTE(review): {@code filter} must not be {@code null}, and {@code concept.getState()} is
 * dereferenced for UPDATE concepts without a null check - confirm both are guaranteed by callers.
 *
 * @param requestIdentityRoles result rows to alter in place (built from {@code identityRoles}).
 * @param identityRoles identity-roles whose concepts are looked up.
 * @param filter request filter; only {@code getRoleRequestId()} is used here.
 * @param permission permissions passed to the concept lookup, so concepts the caller may not
 *        see are never merged into the result.
 */
private void compileIdentityRolesWithConcepts(List<IdmRequestIdentityRoleDto> requestIdentityRoles, List<IdmIdentityRoleDto> identityRoles, IdmRequestIdentityRoleFilter filter, BasePermission... permission) {
    Set<UUID> identityRoleIds = identityRoles.stream().map(IdmIdentityRoleDto::getId).collect(Collectors.toSet());
    // Concepts of this request that belong to the identity-roles on this page.
    IdmConceptRoleRequestFilter conceptFilter = new IdmConceptRoleRequestFilter();
    conceptFilter.setIdentityRoleIds(identityRoleIds);
    conceptFilter.setRoleRequestId(filter.getRoleRequestId());
    List<IdmConceptRoleRequestDto> concepts = conceptRoleService.find(conceptFilter, null, permission).getContent();
    //
    for (IdmConceptRoleRequestDto concept : concepts) {
        // ADD concepts have no existing identity-role to alter.
        if (ConceptRoleRequestOperation.ADD == concept.getOperation()) {
            continue;
        }
        // First row for this identity-role that has not been rewritten by a concept yet.
        IdmRequestIdentityRoleDto target = null;
        for (IdmRequestIdentityRoleDto row : requestIdentityRoles) {
            if (row.getIdentityRole() != null
                    && row.getIdentityRole().equals(concept.getIdentityRole())
                    && row.getId().equals(row.getIdentityRole())) {
                target = row;
                break;
            }
        }
        if (target == null) {
            continue;
        }
        target.setOperation(concept.getOperation());
        target.setId(concept.getId());
        target.setValidFrom(concept.getValidFrom());
        target.setValidTill(concept.getValidTill());
        target.setRoleRequest(concept.getRoleRequest());
        if (ConceptRoleRequestOperation.UPDATE == concept.getOperation()) {
            // Changed-value check only on terminated requests: the 'original' value is the
            // current one, which was confusing in audit (only the 'new' value is shown now).
            IdmFormInstanceDto formInstance = conceptRoleService.getRoleAttributeValues(concept, !concept.getState().isTerminatedState());
            this.addEav(target, formInstance);
        }
    }
}
/**
 * Checks whether the current user holds the given permissions on a concept.
 *
 * Access to a concept is derived from two sources, tried in this order:
 * <ol>
 * <li>the owning role request - {@code DELETE} on the concept is translated to {@code UPDATE}
 *     on the request (whoever may update the request may remove its concepts); every other
 *     permission is evaluated on the request unchanged;</li>
 * <li>the workflow process referenced by the concept ({@code getWfProcessId()}) - a concept can
 *     run a different process than its request, so the concept's own process is checked,
 *     first as a running instance and then as a historic one.</li>
 * </ol>
 *
 * NOTE(review): the workflow branch grants every requested permission (including UPDATE and
 * DELETE) as soon as the running or historic process is returned at all. It therefore relies on
 * {@code workflowProcessInstanceService.get(processId, true)} and
 * {@code historicProcessService.get(processId)} returning only processes the current (involved)
 * user may see - confirm that before trusting this path for anything beyond READ.
 *
 * @param entity concept to check; {@code null} is returned untouched.
 * @param permission permissions to check; empty means no check is made and the entity is returned.
 * @return the entity when access is granted.
 * @throws ForbiddenEntityException when neither the request nor the workflow process grants access.
 */
@Override
public IdmConceptRoleRequest checkAccess(IdmConceptRoleRequest entity, BasePermission... permission) {
    if (entity == null) {
        return null;
    }
    if (ObjectUtils.isEmpty(permission)) {
        return entity;
    }
    // Concept permissions mapped onto the request: DELETE on a concept == UPDATE on its request.
    Set<BasePermission> requestPermissions = Sets.newHashSet();
    for (BasePermission requested : permission) {
        requestPermissions.add(requested.equals(IdmBasePermission.DELETE) ? IdmBasePermission.UPDATE : requested);
    }
    if (getAuthorizationManager().evaluate(entity.getRoleRequest(), requestPermissions.toArray(new BasePermission[0]))) {
        return entity;
    }
    // Fallback: rights on the concept's own workflow process, running or historic.
    String processId = entity.getWfProcessId();
    if (!Strings.isNullOrEmpty(processId)) {
        if (workflowProcessInstanceService.get(processId, true) != null) {
            return entity;
        }
        if (historicProcessService.get(processId) != null) {
            return entity;
        }
    }
    throw new ForbiddenEntityException((BaseEntity) entity, permission);
}
/**
 * Loads the page of entities matching the filter, narrowed by authorization policies when
 * permissions are given.
 *
 * The filter is translated to predicates by {@code toPredicates}; a {@code null} filter adds no
 * filter predicates. When at least one non-null permission is given and this service is an
 * {@link AuthorizableService} whose authorizable type and type class are non-null, the
 * authorization manager's predicate for those permissions is added so the page only holds
 * entities the current user has the permissions for.
 *
 * NOTE(review): in every other case (service is not an {@code AuthorizableService}, or the
 * authorizable type or its class is {@code null}) the permissions are silently ignored and the
 * unfiltered page is returned. Passing a permission is not by itself a guarantee that the
 * result is filtered.
 *
 * @param filter filter to apply; may be {@code null}.
 * @param pageable paging and sorting, passed to the repository unchanged.
 * @param permission permissions the current user must hold on each returned entity;
 *        {@code null} entries are dropped, an empty set means no authorization filtering.
 * @return page of matching entities.
 */
protected Page<E> findEntities(F filter, Pageable pageable, BasePermission... permission) {
    Specification<E> criteria = new Specification<E>() {
        @Override
        public Predicate toPredicate(Root<E> root, CriteriaQuery<?> query, CriteriaBuilder builder) {
            List<Predicate> restrictions = new ArrayList<>();
            if (filter != null) {
                restrictions.addAll(AbstractReadDtoService.this.toPredicates(root, query, builder, filter));
            }
            //
            // Authorization predicate only when permissions were given and the service
            // supports authorization policies (authorizable type with a type class).
            BasePermission[] effectivePermissions = PermissionUtils.trimNull(permission);
            boolean authorizable = !ObjectUtils.isEmpty(effectivePermissions)
                    && AbstractReadDtoService.this instanceof AuthorizableService;
            if (authorizable) {
                AuthorizableType authorizableType = ((AuthorizableService<?>) AbstractReadDtoService.this).getAuthorizableType();
                if (authorizableType != null && authorizableType.getType() != null) {
                    restrictions.add(getAuthorizationManager().getPredicate(root, query, builder, effectivePermissions));
                }
            }
            //
            return query.where(restrictions.toArray(new Predicate[0])).getRestriction();
        }
    };
    return getRepository().findAll(criteria, pageable);
}
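/**
 * Resolves a single authority constant (e.g. {@code IDENTITY_READ}) to its base permission.
 * Everything up to and including the last {@link BasePermission#SEPARATOR} is the group and
 * is discarded; the remainder is the permission, so {@code IDENTITY_READ} resolves to
 * {@code READ} and a bare {@code READ} resolves to itself.
 *
 * Known constants resolve to the matching {@link IdmBasePermission} enum value. Anything else
 * is wrapped in a new {@link BasePermission} whose name is the raw permission string
 * (permissions registered dynamically by custom modules). Such wrappers are lambdas and only
 * have identity equality - compare them by {@link BasePermission#getName()}.
 *
 * The separator is matched literally, not as a regular expression. An authority that ends
 * with the separator (e.g. {@code IDENTITY_}) or consists of the separator alone has no
 * permission part and resolves to {@code null}; it does not silently resolve to the group
 * name, and it does not throw.
 *
 * @param authority group (authority) or base permission; blank values resolve to {@code null}.
 * @return base permission, or {@code null} when no permission part can be extracted.
 * @since 10.3.0
 */
public static BasePermission toPermission(String authority) {
    if (StringUtils.isEmpty(authority)) {
        return null;
    }
    //
    // The permission is the part after the last separator. lastIndexOf treats the separator
    // literally; String#split would interpret it as a regex and drop trailing empty tokens,
    // so "IDENTITY_" would have resolved to "IDENTITY" and "_" alone would have thrown.
    int separatorIndex = authority.lastIndexOf(BasePermission.SEPARATOR);
    final String rawPermission = separatorIndex < 0
            ? authority
            : authority.substring(separatorIndex + BasePermission.SEPARATOR.length());
    if (rawPermission.isEmpty()) {
        // Group without a permission part - nothing to resolve.
        return null;
    }
    // Base permission may be child from IdmBasePermission
    BasePermission permission = EnumUtils.getEnum(IdmBasePermission.class, rawPermission);
    // but can be registered dynamically in custom module => new BasePermission is created
    if (permission == null) {
        permission = (BasePermission) () -> rawPermission;
    }
    //
    return permission;
}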