Example 1 with AuthorizableService

Use of eu.bcvsolutions.idm.core.security.api.service.AuthorizableService in project CzechIdMng by bcvsolutions.

The class AbstractReadDtoService, method findEntities.

protected Page<E> findEntities(F filter, Pageable pageable, BasePermission... permission) {
    // transform filter to criteria
    Specification<E> criteria = new Specification<E>() {

        public Predicate toPredicate(Root<E> root, CriteriaQuery<?> query, CriteriaBuilder builder) {
            List<Predicate> predicates = new ArrayList<>();
            // if filter is null, no filter predicates will be built
            if (filter != null) {
                predicates.addAll(AbstractReadDtoService.this.toPredicates(root, query, builder, filter));
            }
            // 
            // permissions are not evaluated if no permission was given or the authorizable type is null (=> authorization policies are not supported)
            BasePermission[] permissions = PermissionUtils.trimNull(permission);
            if (!ObjectUtils.isEmpty(permissions) && (AbstractReadDtoService.this instanceof AuthorizableService)) {
                AuthorizableType authorizableType = ((AuthorizableService<?>) AbstractReadDtoService.this).getAuthorizableType();
                if (authorizableType != null && authorizableType.getType() != null) {
                    predicates.add(getAuthorizationManager().getPredicate(root, query, builder, permissions));
                }
            }
            // 
            return query.where(predicates.toArray(new Predicate[predicates.size()])).getRestriction();
        }
    };
    return getRepository().findAll(criteria, pageable);
}
Also used : CriteriaBuilder(javax.persistence.criteria.CriteriaBuilder) Root(javax.persistence.criteria.Root) CriteriaQuery(javax.persistence.criteria.CriteriaQuery) ArrayList(java.util.ArrayList) Specification(org.springframework.data.jpa.domain.Specification) AuthorizableType(eu.bcvsolutions.idm.core.security.api.dto.AuthorizableType) Predicate(javax.persistence.criteria.Predicate) AuthorizableService(eu.bcvsolutions.idm.core.security.api.service.AuthorizableService) BasePermission(eu.bcvsolutions.idm.core.security.api.domain.BasePermission)

Example 2 with AuthorizableService

Use of eu.bcvsolutions.idm.core.security.api.service.AuthorizableService in project CzechIdMng by bcvsolutions.

The class AbstractReadWriteDtoControllerRestTest, method testCheckAvailableBulkActions.

@Test
@SuppressWarnings("unchecked")
public void testCheckAvailableBulkActions() throws Exception {
    if (!supportsBulkActions()) {
        LOG.info("Controller [{}] doesn't support bulk actions. Method will not be tested.", getController().getClass());
        return;
    }
    // 
    Authentication authentication;
    if (!(getController().getService() instanceof AuthorizableService)) {
        authentication = getAdminAuthentication();
    } else {
        AuthorizableService<DTO> authorizableService = (AuthorizableService<DTO>) getController().getService();
        if (authorizableService.getAuthorizableType() == null) {
            // Some services can return null - internal transitive security can be implemented.
            authentication = getAdminAuthentication();
        } else {
            // create read policy - all bulk actions should be secured under the READ permission
            IdmRoleDto readRole = getHelper().createRole();
            getHelper().createBasePolicy(readRole.getId(), authorizableService.getAuthorizableType().getGroup(), authorizableService.getAuthorizableType().getType(), IdmBasePermission.READ);
            // create test identity
            IdmIdentityDto identity = getHelper().createIdentity((GuardedString) null);
            IdmIdentityContractDto contract = getHelper().createContract(identity);
            getHelper().createIdentityRole(contract, readRole);
            authentication = getAuthentication(identity.getUsername());
        }
    }
    String response = getMockMvc().perform(get(getBulkActionsUrl()).with(authentication(authentication)).contentType(TestHelper.HAL_CONTENT_TYPE)).andExpect(status().isOk()).andReturn().getResponse().getContentAsString();
    List<IdmBulkActionDto> actions = getMapper().readValue(response, new TypeReference<List<IdmBulkActionDto>>() {
    });
    // 
    // if bulk actions are supported, then some action has to be returned (or override #supportsBulkActions method)
    Assert.assertFalse(actions.isEmpty());
    // 
    // test prevalidate - just action is available under given authentication for each registered action
    DTO dto = createDto();
    for (IdmBulkActionDto action : actions) {
        action.setIdentifiers(Sets.newHashSet(dto.getId()));
        // 
        // prevalidate
        getMockMvc().perform(post(getBulkPrevalidateUrl()).with(authentication(authentication)).content(getMapper().writeValueAsString(action)).contentType(TestHelper.HAL_CONTENT_TYPE)).andExpect(status().isOk());
        // execute with no identifiers set ~ no change is made, but the endpoint can still be called
        action.setIdentifiers(null);
        if (!action.isShowWithoutSelection() && action.isShowWithSelection() && !action.isDisabled()) {
            Assert.assertNotNull(getMockMvc().perform(post(getBulkActionUrl()).with(authentication(authentication)).content(getMapper().writeValueAsString(action)).contentType(TestHelper.HAL_CONTENT_TYPE)).andReturn().getResponse().getContentAsString());
        }
    }
}
Also used : AuthorizableService(eu.bcvsolutions.idm.core.security.api.service.AuthorizableService) IdmRoleDto(eu.bcvsolutions.idm.core.api.dto.IdmRoleDto) IdmBulkActionDto(eu.bcvsolutions.idm.core.api.bulk.action.dto.IdmBulkActionDto) Authentication(org.springframework.security.core.Authentication) List(java.util.List) ArrayList(java.util.ArrayList) GuardedString(eu.bcvsolutions.idm.core.security.api.domain.GuardedString) IdmIdentityDto(eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto) IdmIdentityContractDto(eu.bcvsolutions.idm.core.api.dto.IdmIdentityContractDto) AbstractRestTest(eu.bcvsolutions.idm.test.api.AbstractRestTest) Test(org.junit.Test)

Example 3 with AuthorizableService

Use of eu.bcvsolutions.idm.core.security.api.service.AuthorizableService in project CzechIdMng by bcvsolutions.

The class GeneralEntityExport, method getAuthoritiesForEntity.

@Override
@SuppressWarnings("rawtypes")
protected List<String> getAuthoritiesForEntity() {
    ReadWriteDtoService<AbstractDto, BaseFilter> service = getService();
    if (!(service instanceof AuthorizableService)) {
        // Service is not authorizable => only super admin can use report.
        return Lists.newArrayList(IdmGroupPermission.APP_ADMIN);
    }
    AuthorizableService authorizableService = (AuthorizableService) service;
    AuthorizableType authorizableType = authorizableService.getAuthorizableType();
    if (authorizableType == null) {
        // Service is authorizable but group is not specified => only super admin can use report.
        return Lists.newArrayList(IdmGroupPermission.APP_ADMIN);
    }
    boolean readPermissionFound = authorizableType.getGroup().getPermissions().stream().filter(permission -> IdmBasePermission.READ == permission).findFirst().isPresent();
    if (!readPermissionFound) {
        // By default only super admin can use report.
        return Lists.newArrayList(IdmGroupPermission.APP_ADMIN);
    }
    // If it exists, the READ permission for that type (group name + separator + READ) is returned.
    return Lists.newArrayList(MessageFormat.format("{0}{1}{2}", authorizableType.getGroup().getName(), IdmBasePermission.SEPARATOR, IdmBasePermission.READ.name()));
}
Also used : AuthorizableService(eu.bcvsolutions.idm.core.security.api.service.AuthorizableService) AbstractDto(eu.bcvsolutions.idm.core.api.dto.AbstractDto) AuthorizableType(eu.bcvsolutions.idm.core.security.api.dto.AuthorizableType) BaseFilter(eu.bcvsolutions.idm.core.api.dto.filter.BaseFilter)

Example 4 with AuthorizableService

Use of eu.bcvsolutions.idm.core.security.api.service.AuthorizableService in project CzechIdMng by bcvsolutions.

The class AbstractReadDtoService, method toCriteria.

/**
 * Constructs find / count jpa criteria from the given filter and permissions
 *
 * @param filter filter transformed into predicates (null => no filter predicates are built)
 * @param applyFetchMode fetch related entities in the master select
 * @param permission base permissions evaluated by authorization policies (null values are trimmed; none => no permission predicate)
 * @return jpa specification combining filter and permission predicates
 */
protected Specification<E> toCriteria(F filter, boolean applyFetchMode, BasePermission... permission) {
    return new Specification<E>() {

        private static final long serialVersionUID = 1L;

        public Predicate toPredicate(Root<E> root, CriteriaQuery<?> query, CriteriaBuilder builder) {
            List<Predicate> predicates = new ArrayList<>();
            // if filter is null, no filter predicates will be built
            if (filter != null) {
                predicates.addAll(AbstractReadDtoService.this.toPredicates(root, query, builder, filter));
            }
            // 
            // permissions are not evaluated, if no permission was given
            // or authorizable type is null (=> authorization policies are not supported)
            BasePermission[] permissions = PermissionUtils.trimNull(permission);
            if (!ObjectUtils.isEmpty(permissions) && (AbstractReadDtoService.this instanceof AuthorizableService)) {
                AuthorizableType authorizableType = ((AuthorizableService<?>) AbstractReadDtoService.this).getAuthorizableType();
                if (authorizableType != null && authorizableType.getType() != null) {
                    boolean usePermissionOperatorOr = false;
                    if (filter instanceof PermissionContext) {
                        PermissionContext permissionContext = (PermissionContext) filter;
                        usePermissionOperatorOr = permissionContext.usePermissionOperatorOr();
                    }
                    if (usePermissionOperatorOr) {
                        predicates.add(getAuthorizationManager().getPredicateOr(root, query, builder, permissions));
                    } else {
                        predicates.add(getAuthorizationManager().getPredicate(root, query, builder, permissions));
                    }
                }
            }
            // 
            // check IN predicates limit
            predicates.forEach(predicate -> {
                checkFilterSizeExceeded(predicate);
            });
            // include referenced entity in "master" select  => reduces number of sub selects
            if (applyFetchMode) {
                // FIXME: is needed in new hibernate?
                // applyFetchMode(root);
            }
            // 
            return query.where(predicates.toArray(new Predicate[predicates.size()])).getRestriction();
        }
    };
}
Also used : CriteriaBuilder(javax.persistence.criteria.CriteriaBuilder) Root(javax.persistence.criteria.Root) CriteriaQuery(javax.persistence.criteria.CriteriaQuery) ArrayList(java.util.ArrayList) PermissionContext(eu.bcvsolutions.idm.core.api.dto.filter.PermissionContext) Specification(org.springframework.data.jpa.domain.Specification) AuthorizableType(eu.bcvsolutions.idm.core.security.api.dto.AuthorizableType) Predicate(javax.persistence.criteria.Predicate) InPredicate(org.hibernate.query.criteria.internal.predicate.InPredicate) ExistsPredicate(org.hibernate.query.criteria.internal.predicate.ExistsPredicate) AuthorizableService(eu.bcvsolutions.idm.core.security.api.service.AuthorizableService) BasePermission(eu.bcvsolutions.idm.core.security.api.domain.BasePermission) IdmBasePermission(eu.bcvsolutions.idm.core.security.api.domain.IdmBasePermission)

Aggregations

AuthorizableService (eu.bcvsolutions.idm.core.security.api.service.AuthorizableService)4 AuthorizableType (eu.bcvsolutions.idm.core.security.api.dto.AuthorizableType)3 ArrayList (java.util.ArrayList)3 BasePermission (eu.bcvsolutions.idm.core.security.api.domain.BasePermission)2 CriteriaBuilder (javax.persistence.criteria.CriteriaBuilder)2 CriteriaQuery (javax.persistence.criteria.CriteriaQuery)2 Predicate (javax.persistence.criteria.Predicate)2 Root (javax.persistence.criteria.Root)2 Specification (org.springframework.data.jpa.domain.Specification)2 IdmBulkActionDto (eu.bcvsolutions.idm.core.api.bulk.action.dto.IdmBulkActionDto)1 AbstractDto (eu.bcvsolutions.idm.core.api.dto.AbstractDto)1 IdmIdentityContractDto (eu.bcvsolutions.idm.core.api.dto.IdmIdentityContractDto)1 IdmIdentityDto (eu.bcvsolutions.idm.core.api.dto.IdmIdentityDto)1 IdmRoleDto (eu.bcvsolutions.idm.core.api.dto.IdmRoleDto)1 BaseFilter (eu.bcvsolutions.idm.core.api.dto.filter.BaseFilter)1 PermissionContext (eu.bcvsolutions.idm.core.api.dto.filter.PermissionContext)1 GuardedString (eu.bcvsolutions.idm.core.security.api.domain.GuardedString)1 IdmBasePermission (eu.bcvsolutions.idm.core.security.api.domain.IdmBasePermission)1 AbstractRestTest (eu.bcvsolutions.idm.test.api.AbstractRestTest)1 List (java.util.List)1