use of eu.bcvsolutions.idm.core.security.api.service.AuthorizableService in project CzechIdMng by bcvsolutions.
the class AbstractReadDtoService method findEntities.
protected Page<E> findEntities(F filter, Pageable pageable, BasePermission... permission) {
// transform filter to criteria
Specification<E> criteria = new Specification<E>() {
public Predicate toPredicate(Root<E> root, CriteriaQuery<?> query, CriteriaBuilder builder) {
List<Predicate> predicates = new ArrayList<>();
// if filter is null, no filter predicates will be built
if (filter != null) {
predicates.addAll(AbstractReadDtoService.this.toPredicates(root, query, builder, filter));
}
//
// permisions are not evaluated, if no permission was given or authorizable type is null (=> authorization policies are not supported)
BasePermission[] permissions = PermissionUtils.trimNull(permission);
if (!ObjectUtils.isEmpty(permissions) && (AbstractReadDtoService.this instanceof AuthorizableService)) {
AuthorizableType authorizableType = ((AuthorizableService<?>) AbstractReadDtoService.this).getAuthorizableType();
if (authorizableType != null && authorizableType.getType() != null) {
predicates.add(getAuthorizationManager().getPredicate(root, query, builder, permissions));
}
}
//
return query.where(predicates.toArray(new Predicate[predicates.size()])).getRestriction();
}
};
return getRepository().findAll(criteria, pageable);
}
use of eu.bcvsolutions.idm.core.security.api.service.AuthorizableService in project CzechIdMng by bcvsolutions.
the class AbstractReadWriteDtoControllerRestTest method testCheckAvailableBulkActions.
@Test
@SuppressWarnings("unchecked")
public void testCheckAvailableBulkActions() throws Exception {
if (!supportsBulkActions()) {
LOG.info("Controller [{}] doesn't support bulk actions. Method will not be tested.", getController().getClass());
return;
}
//
Authentication authentication;
if (!(getController().getService() instanceof AuthorizableService)) {
authentication = getAdminAuthentication();
} else {
AuthorizableService<DTO> authorizableService = (AuthorizableService<DTO>) getController().getService();
if (authorizableService.getAuthorizableType() == null) {
// Some services can return null - internal transitive security can be implemented.
authentication = getAdminAuthentication();
} else {
// create read policy - all bulk action should be secured under READ permission
IdmRoleDto readRole = getHelper().createRole();
getHelper().createBasePolicy(readRole.getId(), authorizableService.getAuthorizableType().getGroup(), authorizableService.getAuthorizableType().getType(), IdmBasePermission.READ);
// create test identity
IdmIdentityDto identity = getHelper().createIdentity((GuardedString) null);
IdmIdentityContractDto contract = getHelper().createContract(identity);
getHelper().createIdentityRole(contract, readRole);
authentication = getAuthentication(identity.getUsername());
}
}
String response = getMockMvc().perform(get(getBulkActionsUrl()).with(authentication(authentication)).contentType(TestHelper.HAL_CONTENT_TYPE)).andExpect(status().isOk()).andReturn().getResponse().getContentAsString();
List<IdmBulkActionDto> actions = getMapper().readValue(response, new TypeReference<List<IdmBulkActionDto>>() {
});
//
// if bulk actions are supported, then some action has to be returned (or override #supportsBulkActions method)
Assert.assertFalse(actions.isEmpty());
//
// test prevalidate - just action is available under given authentication for each registered action
DTO dto = createDto();
for (IdmBulkActionDto action : actions) {
action.setIdentifiers(Sets.newHashSet(dto.getId()));
//
// prevalidate
getMockMvc().perform(post(getBulkPrevalidateUrl()).with(authentication(authentication)).content(getMapper().writeValueAsString(action)).contentType(TestHelper.HAL_CONTENT_TYPE)).andExpect(status().isOk());
// execute without identifier is set ~ no change, but endpoint can be called
action.setIdentifiers(null);
if (!action.isShowWithoutSelection() && action.isShowWithSelection() && !action.isDisabled()) {
Assert.assertNotNull(getMockMvc().perform(post(getBulkActionUrl()).with(authentication(authentication)).content(getMapper().writeValueAsString(action)).contentType(TestHelper.HAL_CONTENT_TYPE)).andReturn().getResponse().getContentAsString());
}
}
}
use of eu.bcvsolutions.idm.core.security.api.service.AuthorizableService in project CzechIdMng by bcvsolutions.
the class GeneralEntityExport method getAuthoritiesForEntity.
@Override
@SuppressWarnings("rawtypes")
protected List<String> getAuthoritiesForEntity() {
ReadWriteDtoService<AbstractDto, BaseFilter> service = getService();
if (!(service instanceof AuthorizableService)) {
// Service is not authorizable => only super admin can use report.
return Lists.newArrayList(IdmGroupPermission.APP_ADMIN);
}
AuthorizableService authorizableService = (AuthorizableService) service;
AuthorizableType authorizableType = authorizableService.getAuthorizableType();
if (authorizableType == null) {
// Service is authorizable but group is not specified => only super admin can use report.
return Lists.newArrayList(IdmGroupPermission.APP_ADMIN);
}
boolean readPermissionFound = authorizableType.getGroup().getPermissions().stream().filter(permission -> IdmBasePermission.READ == permission).findFirst().isPresent();
if (!readPermissionFound) {
// By default only super admin can use report.
return Lists.newArrayList(IdmGroupPermission.APP_ADMIN);
}
// If exist, read permission for that type will be returned.
return Lists.newArrayList(MessageFormat.format("{0}{1}{2}", authorizableType.getGroup().getName(), IdmBasePermission.SEPARATOR, IdmBasePermission.READ.name()));
}
use of eu.bcvsolutions.idm.core.security.api.service.AuthorizableService in project CzechIdMng by bcvsolutions.
the class AbstractReadDtoService method toCriteria.
/**
* Constructs find / count jpa criteria from given filter and permissions
*
* @param filter
* @param applyFetchMode fetch related entities in the master select
* @param permission
* @return
*/
protected Specification<E> toCriteria(F filter, boolean applyFetchMode, BasePermission... permission) {
return new Specification<E>() {
private static final long serialVersionUID = 1L;
public Predicate toPredicate(Root<E> root, CriteriaQuery<?> query, CriteriaBuilder builder) {
List<Predicate> predicates = new ArrayList<>();
// if filter is null, no filter predicates will be built
if (filter != null) {
predicates.addAll(AbstractReadDtoService.this.toPredicates(root, query, builder, filter));
}
//
// permissions are not evaluated, if no permission was given
// or authorizable type is null (=> authorization policies are not supported)
BasePermission[] permissions = PermissionUtils.trimNull(permission);
if (!ObjectUtils.isEmpty(permissions) && (AbstractReadDtoService.this instanceof AuthorizableService)) {
AuthorizableType authorizableType = ((AuthorizableService<?>) AbstractReadDtoService.this).getAuthorizableType();
if (authorizableType != null && authorizableType.getType() != null) {
boolean usePermissionOperatorOr = false;
if (filter instanceof PermissionContext) {
PermissionContext permissionContext = (PermissionContext) filter;
usePermissionOperatorOr = permissionContext.usePermissionOperatorOr();
}
if (usePermissionOperatorOr) {
predicates.add(getAuthorizationManager().getPredicateOr(root, query, builder, permissions));
} else {
predicates.add(getAuthorizationManager().getPredicate(root, query, builder, permissions));
}
}
}
//
// check IN predicates limit
predicates.forEach(predicate -> {
checkFilterSizeExceeded(predicate);
});
// include referenced entity in "master" select => reduces number of sub selects
if (applyFetchMode) {
// FIXME: is needed in new hibernate?
// applyFetchMode(root);
}
//
return query.where(predicates.toArray(new Predicate[predicates.size()])).getRestriction();
}
};
}
Aggregations