diff --git a/src/main/java/ch/ethz/seb/sebserver/gbl/authorization/Privilege.java b/src/main/java/ch/ethz/seb/sebserver/gbl/authorization/Privilege.java index df4ec948..a39a5a63 100644 --- a/src/main/java/ch/ethz/seb/sebserver/gbl/authorization/Privilege.java +++ b/src/main/java/ch/ethz/seb/sebserver/gbl/authorization/Privilege.java @@ -75,6 +75,22 @@ public final class Privilege { return this.ownershipPrivilege.hasImplicit(privilegeType); } + public final boolean hasGrant( + final String userId, + final Long userInstitutionId, + final PrivilegeType privilegeType, + final Long institutionId, + final String ownerId) { + + return this.hasBasePrivilege(privilegeType) + || ((institutionId != null) && + (this.hasInstitutionalPrivilege(privilegeType) + && userInstitutionId.longValue() == institutionId + .longValue()) + || (this.hasOwnershipPrivilege(privilegeType) + && userId.equals(ownerId))); + } + @Override public String toString() { return "Privilege [privilegeType=" + this.basePrivilege + ", institutionalPrivilege=" diff --git a/src/main/java/ch/ethz/seb/sebserver/gui/service/page/form/FormBuilder.java b/src/main/java/ch/ethz/seb/sebserver/gui/service/page/form/FormBuilder.java index eb78f6de..21d9bf3a 100644 --- a/src/main/java/ch/ethz/seb/sebserver/gui/service/page/form/FormBuilder.java +++ b/src/main/java/ch/ethz/seb/sebserver/gui/service/page/form/FormBuilder.java @@ -207,13 +207,8 @@ public class FormBuilder { this.formParent, value, new LocTextKey("sebserver.overall.upload"), - span, 1); - if (this.readonly) { - imageUpload.setReadonly(); - this.form.putField(name, lab, imageUpload); - } else { - this.form.putField(name, lab, imageUpload); - } + span, 1, this.readonly); + this.form.putField(name, lab, imageUpload); return this; } diff --git a/src/main/java/ch/ethz/seb/sebserver/gui/service/remote/webservice/auth/CurrentUser.java b/src/main/java/ch/ethz/seb/sebserver/gui/service/remote/webservice/auth/CurrentUser.java index 5a77d125..5428c25d 100644 --- a/src/main/java/ch/ethz/seb/sebserver/gui/service/remote/webservice/auth/CurrentUser.java +++ b/src/main/java/ch/ethz/seb/sebserver/gui/service/remote/webservice/auth/CurrentUser.java @@ -12,7 +12,6 @@ import java.util.Collection; import java.util.HashMap; import java.util.Map; import java.util.function.Function; -import java.util.function.Predicate; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -78,12 +77,17 @@ public class CurrentUser { public boolean hasPrivilege(final PrivilegeType privilegeType, final EntityType entityType) { if (loadPrivileges()) { try { - return get().getRoles() + final UserInfo userInfo = get(); + return userInfo.getRoles() .stream() .map(roleName -> UserRole.valueOf(roleName)) .map(role -> new RoleTypeKey(entityType, role)) .map(key -> this.privileges.get(key)) - .filter(checkPrivilege(get(), privilegeType, null)) + .filter(priv -> (priv != null) && priv.hasGrant( + userInfo.uuid, + userInfo.institutionId, + privilegeType, + null, null)) .findFirst() .isPresent(); } catch (final Exception e) { @@ -102,12 +106,18 @@ public class CurrentUser { if (loadPrivileges()) { final EntityType entityType = grantEntity.entityType(); try { - return get().getRoles() + final UserInfo userInfo = get(); + return userInfo.getRoles() .stream() .map(roleName -> UserRole.valueOf(roleName)) .map(role -> new RoleTypeKey(entityType, role)) .map(key -> this.privileges.get(key)) - .filter(checkPrivilege(get(), privilegeType, grantEntity)) + .filter(priv -> (priv != null) && priv.hasGrant( + userInfo.uuid, + userInfo.institutionId, + privilegeType, + grantEntity.getInstitutionId(), + grantEntity.getOwnerId())) .findFirst() .isPresent(); } catch (final Exception e) { @@ -119,20 +129,6 @@ public class CurrentUser { return false; } - private Predicate checkPrivilege( - final UserInfo userInfo, - final PrivilegeType privilegeType, - final GrantEntity grantEntity) { - - return priv -> priv.hasBasePrivilege(privilegeType) - || ((grantEntity != null) && - (priv.hasInstitutionalPrivilege(privilegeType) - && get().institutionId.longValue() == grantEntity.getInstitutionId() - .longValue()) - || (priv.hasOwnershipPrivilege(privilegeType) - && get().uuid.equals(grantEntity.getOwnerId()))); - } - public boolean isAvailable() { updateContext(); return this.authContext != null && this.authContext.isLoggedIn(); diff --git a/src/main/java/ch/ethz/seb/sebserver/gui/service/widget/ImageUpload.java b/src/main/java/ch/ethz/seb/sebserver/gui/service/widget/ImageUpload.java index e686b967..0493ef2d 100644 --- a/src/main/java/ch/ethz/seb/sebserver/gui/service/widget/ImageUpload.java +++ b/src/main/java/ch/ethz/seb/sebserver/gui/service/widget/ImageUpload.java @@ -41,88 +41,71 @@ public class ImageUpload extends Composite { private final ServerPushService serverPushService; - final Composite imageCanvas; - final FileUpload fileUpload; + private final Composite imageCanvas; + private final FileUpload fileUpload; private String imageBase64 = null; private boolean loadNewImage = false; private boolean imageLoaded = false; - ImageUpload(final Composite parent, final ServerPushService serverPushService) { + ImageUpload(final Composite parent, final ServerPushService serverPushService, final boolean readonly) { super(parent, SWT.NONE); super.setLayout(new GridLayout(2, false)); this.serverPushService = serverPushService; - this.fileUpload = new FileUpload(this, SWT.NONE); - this.fileUpload.setText("Select File"); - this.fileUpload.setLayoutData(new GridData(SWT.CENTER, SWT.CENTER, false, false)); + if (!readonly) { + this.fileUpload = new FileUpload(this, SWT.NONE); + this.fileUpload.setText("Select File"); + this.fileUpload.setLayoutData(new GridData(SWT.CENTER, SWT.CENTER, false, false)); + + final FileUploadHandler uploadHandler = new FileUploadHandler(new FileUploadReceiver() { + + @Override + public void receive(final InputStream stream, final FileDetails details) throws IOException { + try { + final String contentType = details.getContentType(); + if (contentType != null && contentType.startsWith("image")) { + ImageUpload.this.imageBase64 = Base64.getEncoder().encodeToString(stream.readAllBytes()); + } + } catch (final Exception e) { + log.error("Error while trying to upload image", e); + } finally { + ImageUpload.this.imageLoaded = true; + stream.close(); + } + } + }); + + this.fileUpload.addSelectionListener(new SelectionAdapter() { + + private static final long serialVersionUID = -6776734104137568801L; + + @Override + public void widgetSelected(final SelectionEvent event) { + ImageUpload.this.loadNewImage = true; + ImageUpload.this.imageLoaded = false; + ImageUpload.this.fileUpload.submit(uploadHandler.getUploadUrl()); + + ImageUpload.this.serverPushService.runServerPush( + new ServerPushContext(ImageUpload.this, ImageUpload::uploadInProgress), + ImageUpload::wait, + ImageUpload::update); + } + }); + } else { + this.fileUpload = null; + } this.imageCanvas = new Composite(this, SWT.NONE); final GridData canvas = new GridData(SWT.FILL, SWT.FILL, true, true); this.imageCanvas.setLayoutData(canvas); - final FileUploadHandler uploadHandler = new FileUploadHandler(new FileUploadReceiver() { - - @Override - public void receive(final InputStream stream, final FileDetails details) throws IOException { - try { - final String contentType = details.getContentType(); - if (contentType != null && contentType.startsWith("image")) { - ImageUpload.this.imageBase64 = Base64.getEncoder().encodeToString(stream.readAllBytes()); - } - } catch (final Exception e) { - log.error("Error while trying to upload image", e); - } finally { - ImageUpload.this.imageLoaded = true; - stream.close(); - } - } - }); - - this.fileUpload.addSelectionListener(new SelectionAdapter() { - - private static final long serialVersionUID = -6776734104137568801L; - - @Override - public void widgetSelected(final SelectionEvent event) { - ImageUpload.this.loadNewImage = true; - ImageUpload.this.imageLoaded = false; - ImageUpload.this.fileUpload.submit(uploadHandler.getUploadUrl()); - - ImageUpload.this.serverPushService.runServerPush( - new ServerPushContext( - ImageUpload.this, - runAgainContext -> { - final ImageUpload imageUpload = (ImageUpload) runAgainContext.getAnchor(); - return imageUpload.loadNewImage && !imageUpload.imageLoaded; - }), - context -> { - try { - Thread.sleep(200); - } catch (final Exception e) { - e.printStackTrace(); - } - }, - context -> { - final ImageUpload imageUpload = (ImageUpload) context.getAnchor(); - if (imageUpload.imageBase64 != null - && imageUpload.loadNewImage - && imageUpload.imageLoaded) { - final Base64InputStream input = new Base64InputStream( - new ByteArrayInputStream( - imageUpload.imageBase64.getBytes(StandardCharsets.UTF_8)), - false); - - imageUpload.imageCanvas.setData(RWT.CUSTOM_VARIANT, "bgLogoNoImage"); - imageUpload.imageCanvas.setBackgroundImage(new Image(context.getDisplay(), input)); - context.layout(); - imageUpload.layout(); - imageUpload.loadNewImage = false; - } - }); - } - }); + } + public void setSelectionText(final String text) { + if (this.fileUpload != null) { + this.fileUpload.setText(text); + } } public String getImageBase64() { @@ -141,9 +124,34 @@ public class ImageUpload extends Composite { this.imageCanvas.setBackgroundImage(new Image(super.getDisplay(), input)); } - public void setReadonly() { - this.fileUpload.setVisible(false); - this.fileUpload.setEnabled(false); + private static final boolean uploadInProgress(final ServerPushContext context) { + final ImageUpload imageUpload = (ImageUpload) context.getAnchor(); + return imageUpload.loadNewImage && !imageUpload.imageLoaded; + } + + private static final void wait(final ServerPushContext context) { + try { + Thread.sleep(200); + } catch (final Exception e) { + } + } + + private static final void update(final ServerPushContext context) { + final ImageUpload imageUpload = (ImageUpload) context.getAnchor(); + if (imageUpload.imageBase64 != null + && imageUpload.loadNewImage + && imageUpload.imageLoaded) { + final Base64InputStream input = new Base64InputStream( + new ByteArrayInputStream( + imageUpload.imageBase64.getBytes(StandardCharsets.UTF_8)), + false); + + imageUpload.imageCanvas.setData(RWT.CUSTOM_VARIANT, "bgLogoNoImage"); + imageUpload.imageCanvas.setBackgroundImage(new Image(context.getDisplay(), input)); + context.layout(); + imageUpload.layout(); + imageUpload.loadNewImage = false; + } } } diff --git a/src/main/java/ch/ethz/seb/sebserver/gui/service/widget/WidgetFactory.java b/src/main/java/ch/ethz/seb/sebserver/gui/service/widget/WidgetFactory.java index e3056745..a13a5dc8 100644 --- a/src/main/java/ch/ethz/seb/sebserver/gui/service/widget/WidgetFactory.java +++ b/src/main/java/ch/ethz/seb/sebserver/gui/service/widget/WidgetFactory.java @@ -343,17 +343,23 @@ public class WidgetFactory { final Composite parent, final String value, final LocTextKey locTextKey, - final int hspan, final int vspan) { + final int hspan, + final int vspan, + final boolean readonly) { - final ImageUpload imageUpload = imageUploadLocalized(parent, locTextKey); + final ImageUpload imageUpload = imageUploadLocalized(parent, locTextKey, readonly); final GridData gridData = new GridData(SWT.FILL, SWT.FILL, true, false, hspan, vspan); imageUpload.setLayoutData(gridData); imageUpload.setImageBase64(value); return imageUpload; } - public ImageUpload imageUploadLocalized(final Composite parent, final LocTextKey locTextKey) { - final ImageUpload imageUpload = new ImageUpload(parent, this.serverPushService); + public ImageUpload imageUploadLocalized( + final Composite parent, + final LocTextKey locTextKey, + final boolean readonly) { + + final ImageUpload imageUpload = new ImageUpload(parent, this.serverPushService, readonly); injectI18n(imageUpload, locTextKey); return imageUpload; } @@ -454,7 +460,7 @@ public class WidgetFactory { return imageUpload -> { if (locTextKey != null) { - imageUpload.fileUpload.setText(i18nSupport.getText(locTextKey)); + imageUpload.setSelectionText(i18nSupport.getText(locTextKey)); } }; } diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantRule.java b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantRule.java deleted file mode 100644 index 9d61d8d8..00000000 --- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantRule.java +++ /dev/null @@ -1,36 +0,0 @@ -/* - * Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET) - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - */ - -package ch.ethz.seb.sebserver.webservice.servicelayer.authorization; - -import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType; -import ch.ethz.seb.sebserver.gbl.model.EntityType; - -/** Defines a authorization grant rule for a specified EntityType. - * - * If there is the need for a specialized authorization grant rule for a specified EntityType, just - * create an implementation of this interface for a specified EntityType as a normal Spring Component - * and the AuthorizationGrantService will automatically collect it on initialization and use it for - * the specified EntityType instead of the default implementation. */ -public interface AuthorizationGrantRule { - - /** The EntityType of the authorization grant rule implementation. - * This is used by the AuthorizationGrantService on initialization. - * - * @return the authorization grant rule implementation */ - EntityType entityType(); - - /** Implements a authorization grant rule check for a given entity, user and grant type. - * - * @param entity the GrantEntity instance to check the grant rule on - * @param user the SEBServerUser instance to check the grant rule on - * @param grantType the GrantType to check - * @return true if a given user has a given grant-type on a given entity, false otherwise */ - boolean hasGrant(GrantEntity entity, SEBServerUser user, PrivilegeType grantType); - -} diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantService.java b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantService.java deleted file mode 100644 index 154fe105..00000000 --- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantService.java +++ /dev/null @@ -1,126 +0,0 @@ -/* - * Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET) - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - */ - -package ch.ethz.seb.sebserver.webservice.servicelayer.authorization; - -import java.security.Principal; -import java.util.Collection; -import java.util.function.Predicate; - -import ch.ethz.seb.sebserver.gbl.authorization.Privilege; -import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType; -import ch.ethz.seb.sebserver.gbl.model.EntityType; -import ch.ethz.seb.sebserver.gbl.util.Result; - -/** A service to check authorization grants for a given user for entity-types and -instances - * - * If there is one or more GrantEntity objects within an authenticated user-request, this service - * can be used check the authenticated user access grant within the object. Check if a given user - * has write, modify or even read-only rights on an entity instance or on an entity type. */ -public interface AuthorizationGrantService { - - /** Gets the UserService that is bundled within the AuthorizationGrantService - * - * @return the UserService that is bundled within the AuthorizationGrantService */ - UserService getUserService(); - - /** All Privileges in a collection. - * - * @return all registered Privileges */ - Collection getAllPrivileges(); - - /** Checks if the current user has any privilege (base or institutional or owner) for the given EntityType and - * PrivilegeType. - * - * @param entityType the EntityType - * @param privilegeType the PrivilegeType to check on EntityType */ - void checkHasAnyPrivilege(EntityType entityType, PrivilegeType privilegeType); - - void checkPrivilege(EntityType entityType, PrivilegeType privilegeType, Long institutionId); - - void checkPrivilege(EntityType entityType, PrivilegeType privilegeType, Long institutionId, Long ownerId); - - /** Check if current user has grant on a given GrantEntity instance for specified PrivilegeType - * - * @param entity The GrantEntity to check specified PrivilegeType for - * @param privilegeType The PrivilegeType - * @return a with a Result of the granted entity instance or with a Result of a PermissionDeniedException */ - Result checkGrantOnEntity(E entity, PrivilegeType privilegeType); - - /** Checks if the current user has a implicit base privilege for a given entity-type - * - * @param entityType the entity type - * @param privilegeType the privilege type to check - * @return true if the current user has a implicit base privilege on specified PrivilegeType for a given - * EntityType */ - boolean hasBasePrivilege(EntityType entityType, PrivilegeType privilegeType); - - /** Checks if a given user has a implicit base privilege for a given entity-type - * - * @param entityType the entity type - * @param privilegeType the privilege type to check - * @return true if a given user has a implicit base privilege on specified PrivilegeType for a given EntityType */ - boolean hasBasePrivilege(EntityType entityType, PrivilegeType privilegeType, Principal principal); - - /** Checks if the current user has an implicit institutional privilege on a given EntityType - * - * @param entityType the entity type - * @param privilegeType the privilege type to check - * @return true if the current user has an implicit institutional privilege on the given EntityType */ - boolean hasInstitutionalPrivilege(EntityType entityType, PrivilegeType privilegeType); - - /** Checks if a given user has an implicit institutional privilege on a given EntityType - * - * @param entityType the entity type - * @param privilegeType the privilege type to check - * @return true if a given user has an implicit institutional privilege on the given EntityType */ - boolean hasInstitutionalPrivilege(EntityType entityType, PrivilegeType privilegeType, Principal principal); - - /** Checks if the current user has grant on a given entity for a specified PrivilegeType - * - * @param entity the entity-instance - * @param privilegeType the privilege type to check - * @return true if the current user has a specified grant for a given entity-instance */ - boolean hasGrant(GrantEntity entity, PrivilegeType privilegeType); - - /** Checks if a given user has grant on a given entity for a specified PrivilegeType - * - * @param entity the entity-instance - * @param privilegeType the grant type to check - * @param principal an authorization Principal instance to extract the user from - * @return true if the given user has grant on a given entity for a specified PrivilegeType */ - boolean hasGrant(GrantEntity entity, PrivilegeType privilegeType, Principal principal); - - /** Checks if a given user has specified grant for a given entity-instance - * - * @param entity the entity-instance - * @param privilegeType the grant type to check - * @param user a SEBServerUser instance to check grant for - * @return true if a given user has a specified grant for a given entity-instance. False otherwise */ - boolean hasGrant(GrantEntity entity, PrivilegeType privilegeType, SEBServerUser user); - - /** Closure to get a grant check predicate for the current user - * to filter a several entity-instances within the same grant - * - * @param entityType the EntityType for the grant check filter - * @param privilegeType the PrivilegeType for the grant check filter - * @return A filter predicate working on the given attributes to check user grants */ - Predicate getGrantFilter(EntityType entityType, PrivilegeType privilegeType); - - /** Closure to get a grant check predicate to filter a several entity-instances within the same grant - * - * @param entityType the EntityType for the grant check filter - * @param privilegeType the PrivilegeType for the grant check filter - * @param principal an authorization Principal instance to extract the user from - * @return A filter predicate working on the given attributes to check user grants */ - Predicate getGrantFilter( - EntityType entityType, - PrivilegeType privilegeType, - Principal principal); - -} diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantServiceImpl.java b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantServiceImpl.java deleted file mode 100644 index 8c57a832..00000000 --- a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationGrantServiceImpl.java +++ /dev/null @@ -1,450 +0,0 @@ -/* - * Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET) - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, You can obtain one at http://mozilla.org/MPL/2.0/. - */ - -package ch.ethz.seb.sebserver.webservice.servicelayer.authorization; - -import java.security.Principal; -import java.util.Collection; -import java.util.Collections; -import java.util.EnumMap; -import java.util.HashMap; -import java.util.Map; -import java.util.function.Predicate; - -import javax.annotation.PostConstruct; - -import org.springframework.context.annotation.Lazy; -import org.springframework.stereotype.Service; - -import ch.ethz.seb.sebserver.gbl.authorization.Privilege; -import ch.ethz.seb.sebserver.gbl.authorization.Privilege.RoleTypeKey; -import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType; -import ch.ethz.seb.sebserver.gbl.model.EntityType; -import ch.ethz.seb.sebserver.gbl.model.user.UserRole; -import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile; -import ch.ethz.seb.sebserver.gbl.util.Result; - -@Lazy -@Service -@WebServiceProfile -public class AuthorizationGrantServiceImpl implements AuthorizationGrantService { - - /** Map of role based grants for specified entity types. */ - private final Map privileges = new HashMap<>(); - /** Map of collected AuthorizationGrantRule exceptions */ - private final Map exceptionalRules = - new EnumMap<>(EntityType.class); - - private final UserService userService; - - public AuthorizationGrantServiceImpl( - final Collection exceptionalGrantRules, - final UserService userService) { - - this.userService = userService; - - if (exceptionalGrantRules != null) { - exceptionalGrantRules.stream() - .forEach(r -> this.exceptionalRules.put(r.entityType(), r)); - } - } - - @Override - public UserService getUserService() { - return this.userService; - } - - @Override - public Collection getAllPrivileges() { - return Collections.unmodifiableCollection(this.privileges.values()); - } - - /** Initialize the (hard-coded) grants */ - @PostConstruct - public void init() { - // grants for institution - addPrivilege(EntityType.INSTITUTION) - .forRole(UserRole.SEB_SERVER_ADMIN) - .withBasePrivilege(PrivilegeType.WRITE) - .andForRole(UserRole.INSTITUTIONAL_ADMIN) - .withInstitutionalPrivilege(PrivilegeType.MODIFY) - .andForRole(UserRole.EXAM_ADMIN) - .withInstitutionalPrivilege(PrivilegeType.READ_ONLY) - .andForRole(UserRole.EXAM_SUPPORTER) - .withInstitutionalPrivilege(PrivilegeType.READ_ONLY) - .create(); - - // grants for lms setup - addPrivilege(EntityType.LMS_SETUP) - .forRole(UserRole.SEB_SERVER_ADMIN) - .withBasePrivilege(PrivilegeType.WRITE) - .andForRole(UserRole.INSTITUTIONAL_ADMIN) - .withInstitutionalPrivilege(PrivilegeType.WRITE) - .andForRole(UserRole.EXAM_ADMIN) - .withInstitutionalPrivilege(PrivilegeType.MODIFY) - .andForRole(UserRole.EXAM_SUPPORTER) - .withInstitutionalPrivilege(PrivilegeType.READ_ONLY) - .create(); - - // grants for user account - addPrivilege(EntityType.USER) - .forRole(UserRole.SEB_SERVER_ADMIN) - .withBasePrivilege(PrivilegeType.WRITE) - .andForRole(UserRole.INSTITUTIONAL_ADMIN) - .withInstitutionalPrivilege(PrivilegeType.WRITE) - .andForRole(UserRole.EXAM_ADMIN) - .withOwnerPrivilege(PrivilegeType.MODIFY) - .andForRole(UserRole.EXAM_SUPPORTER) - .withOwnerPrivilege(PrivilegeType.MODIFY) - .create(); - - // grants for user activity logs - addPrivilege(EntityType.USER_ACTIVITY_LOG) - .forRole(UserRole.SEB_SERVER_ADMIN) - .withBasePrivilege(PrivilegeType.READ_ONLY) - .andForRole(UserRole.INSTITUTIONAL_ADMIN) - .withInstitutionalPrivilege(PrivilegeType.READ_ONLY) - .create(); - - // grants for exam - addPrivilege(EntityType.EXAM) - .forRole(UserRole.SEB_SERVER_ADMIN) - .withBasePrivilege(PrivilegeType.READ_ONLY) - .andForRole(UserRole.INSTITUTIONAL_ADMIN) - .withInstitutionalPrivilege(PrivilegeType.READ_ONLY) - .andForRole(UserRole.EXAM_ADMIN) - .withInstitutionalPrivilege(PrivilegeType.READ_ONLY) - .withOwnerPrivilege(PrivilegeType.WRITE) - .andForRole(UserRole.EXAM_SUPPORTER) - .withOwnerPrivilege(PrivilegeType.MODIFY) - .create(); - - // TODO other entities - } - - @Override - public void checkHasAnyPrivilege(final EntityType entityType, final PrivilegeType privilegeType) { - final SEBServerUser currentUser = this.userService.getCurrentUser(); - if (hasBasePrivilege(entityType, privilegeType, currentUser) || - hasInstitutionalPrivilege(entityType, privilegeType, currentUser)) { - return; - } - - throw new PermissionDeniedException(entityType, privilegeType, currentUser.getUserInfo().uuid); - } - - @Override - public void checkPrivilege( - final EntityType entityType, - final PrivilegeType privilegeType, - final Long institutionId) { - - final SEBServerUser currentUser = this.userService.getCurrentUser(); - if (hasBasePrivilege(entityType, privilegeType, currentUser)) { - return; - } - - if (institutionId == null) { - throw new PermissionDeniedException(entityType, privilegeType, currentUser.getUserInfo().uuid); - } - - if (hasInstitutionalPrivilege(entityType, privilegeType, currentUser) && - currentUser.institutionId().longValue() == institutionId.longValue()) { - return; - } - - throw new PermissionDeniedException(entityType, privilegeType, currentUser.getUserInfo().uuid); - } - - @Override - public void checkPrivilege( - final EntityType entityType, - final PrivilegeType privilegeType, - final Long institutionId, - final Long ownerId) { - - final SEBServerUser currentUser = this.userService.getCurrentUser(); - - // TODO Auto-generated method stub - - throw new PermissionDeniedException(entityType, privilegeType, currentUser.getUserInfo().uuid); - } - - @Override - public Result checkGrantOnEntity(final E entity, final PrivilegeType privilegeType) { - - final SEBServerUser currentUser = this.userService.getCurrentUser(); - if (hasGrant(entity, privilegeType, currentUser)) { - return Result.of(entity); - } else { - return Result.ofError(new PermissionDeniedException(entity, privilegeType, currentUser.getUserInfo().uuid)); - } - } - - @Override - public boolean hasBasePrivilege(final EntityType entityType, final PrivilegeType privilegeType) { - return hasBasePrivilege(entityType, privilegeType, this.userService.getCurrentUser()); - } - - @Override - public boolean hasBasePrivilege( - final EntityType entityType, - final PrivilegeType privilegeType, - final Principal principal) { - - return hasBasePrivilege(entityType, privilegeType, this.userService.extractFromPrincipal(principal)); - } - - private boolean hasBasePrivilege( - final EntityType entityType, - final PrivilegeType privilegeType, - final SEBServerUser user) { - - for (final UserRole role : user.getUserRoles()) { - final Privilege roleTypeGrant = this.privileges.get(new RoleTypeKey(entityType, role)); - if (roleTypeGrant != null && roleTypeGrant.hasBasePrivilege(privilegeType)) { - return true; - } - } - - return false; - } - - @Override - public boolean hasInstitutionalPrivilege( - final EntityType entityType, - final PrivilegeType privilegeType) { - - return hasInstitutionalPrivilege( - entityType, - privilegeType, - this.userService.getCurrentUser()); - } - - @Override - public boolean hasInstitutionalPrivilege( - final EntityType entityType, - final PrivilegeType privilegeType, - final Principal principal) { - - return hasInstitutionalPrivilege( - entityType, - privilegeType, - this.userService.extractFromPrincipal(principal)); - } - - private boolean hasInstitutionalPrivilege( - final EntityType entityType, - final PrivilegeType privilegeType, - final SEBServerUser user) { - - for (final UserRole role : user.getUserRoles()) { - final Privilege roleTypeGrant = this.privileges.get(new RoleTypeKey(entityType, role)); - if (roleTypeGrant != null && roleTypeGrant.hasInstitutionalPrivilege(privilegeType)) { - return true; - } - } - - return false; - } - - @Override - public boolean hasGrant(final GrantEntity entity, final PrivilegeType grantType) { - return hasGrant(entity, grantType, this.userService.getCurrentUser()); - } - - @Override - public boolean hasGrant(final GrantEntity entity, final PrivilegeType grantType, final Principal principal) { - return hasGrant(entity, grantType, this.userService.extractFromPrincipal(principal)); - } - - @Override - public boolean hasGrant(final GrantEntity entity, final PrivilegeType grantType, final SEBServerUser user) { - final AuthorizationGrantRule authorizationGrantRule = getGrantRule(entity.entityType()); - if (authorizationGrantRule == null) { - return false; - } - - return authorizationGrantRule.hasGrant(entity, user, grantType); - } - - @Override - public Predicate getGrantFilter( - final EntityType entityType, - final PrivilegeType grantType) { - - return getGrantFilter(entityType, grantType, this.userService.getCurrentUser()); - } - - @Override - public Predicate getGrantFilter( - final EntityType entityType, - final PrivilegeType grantType, - final Principal principal) { - - return getGrantFilter(entityType, grantType, this.userService.extractFromPrincipal(principal)); - } - - private Predicate getGrantFilter( - final EntityType entityType, - final PrivilegeType grantType, - final SEBServerUser user) { - - final AuthorizationGrantRule authorizationGrantRule = getGrantRule(entityType); - if (authorizationGrantRule == null) - return entity -> false; - - return entity -> authorizationGrantRule.hasGrant(entity, user, grantType); - } - - private AuthorizationGrantRule getGrantRule(final EntityType type) { - return this.exceptionalRules.computeIfAbsent( - type, - entityType -> new BaseTypeGrantRule(entityType, this)); - } - - private PrivilegeBuilder addPrivilege(final EntityType entityType) { - return new PrivilegeBuilder(entityType); - } - - /** This is the default (or base) implementation of a AuthorizationGrantRule. - * - * The rule is: go over all user-roles of the given user and for each user-role check - * if there is base-privilege on the given entity-type for the given grant type. - * if true return true - * if false; check if there is a given institutional-privilege on the given - * entity-instance for the given grant type. - * if true return true - * if false; check if there is a given ownership-privilege on the given - * entity-instance for the given grant type. - * if true return true - * if false return false */ - private static class BaseTypeGrantRule implements AuthorizationGrantRule { - - private final EntityType type; - private final Map grants; - - public BaseTypeGrantRule(final EntityType type, final AuthorizationGrantServiceImpl service) { - this.type = type; - this.grants = new EnumMap<>(UserRole.class); - for (final UserRole role : UserRole.values()) { - this.grants.put(role, - service.privileges.get(new RoleTypeKey(type, role))); - } - } - - @Override - public EntityType entityType() { - return this.type; - } - - @Override - public boolean hasGrant(final GrantEntity entity, final SEBServerUser user, final PrivilegeType grantType) { - for (final UserRole role : user.getUserRoles()) { - final Privilege roleTypeGrant = this.grants.get(role); - if (roleTypeGrant != null && hasGrant(roleTypeGrant, user, entity, grantType)) { - return true; - } - } - - return false; - } - - public boolean hasGrant( - final Privilege roleTypeGrant, - final SEBServerUser user, - final GrantEntity entity, - final PrivilegeType grantType) { - - return roleTypeGrant.hasBasePrivilege(grantType) || - hasInstitutionalGrant(roleTypeGrant, user, entity, grantType) || - hasOwnershipGrant(roleTypeGrant, user, entity, grantType); - } - - private boolean hasInstitutionalGrant( - final Privilege roleTypeGrant, - final SEBServerUser user, - final GrantEntity entity, - final PrivilegeType grantType) { - - if (entity.getInstitutionId() == null) { - return false; - } - - return roleTypeGrant.hasInstitutionalPrivilege(grantType) && - user.institutionId().longValue() == entity.getInstitutionId().longValue(); - } - - private boolean hasOwnershipGrant( - final Privilege roleTypeGrant, - final SEBServerUser user, - final GrantEntity entity, - final PrivilegeType grantType) { - - if (entity.getOwnerId() == null) { - return false; - } - - return roleTypeGrant.hasOwnershipPrivilege(grantType) && - user.uuid().equals(entity.getOwnerId()); - } - } - - /** Implements a GrantRuleBuilder for internal use and to make the code more readable. - * See init (PostConstruct) */ - private final class PrivilegeBuilder { - private final EntityType entityType; - private UserRole userRole; - private PrivilegeType basePrivilege = PrivilegeType.NONE; - private PrivilegeType institutionalPrivilege = PrivilegeType.NONE; - private PrivilegeType ownerPrivilege = PrivilegeType.NONE; - - public PrivilegeBuilder(final EntityType entityType) { - super(); - this.entityType = entityType; - } - - public PrivilegeBuilder forRole(final UserRole userRole) { - this.userRole = userRole; - return this; - } - - public PrivilegeBuilder withBasePrivilege(final PrivilegeType basePrivilege) { - this.basePrivilege = basePrivilege; - return this; - } - - public PrivilegeBuilder withInstitutionalPrivilege(final PrivilegeType institutionalPrivilege) { - this.institutionalPrivilege = institutionalPrivilege; - return this; - } - - public PrivilegeBuilder withOwnerPrivilege(final PrivilegeType ownerPrivilege) { - this.ownerPrivilege = ownerPrivilege; - return this; - } - - public PrivilegeBuilder andForRole(final UserRole userRole) { - create(); - return new PrivilegeBuilder(this.entityType) - .forRole(userRole); - } - - public void create() { - final RoleTypeKey roleTypeKey = new RoleTypeKey(this.entityType, this.userRole); - final Privilege roleTypeGrant = new Privilege( - roleTypeKey, - this.basePrivilege, - this.institutionalPrivilege, - this.ownerPrivilege); - - AuthorizationGrantServiceImpl.this.privileges.put(roleTypeKey, roleTypeGrant); - } - } - -} diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationService.java b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationService.java new file mode 100644 index 00000000..2f0abb4a --- /dev/null +++ b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationService.java @@ -0,0 +1,124 @@ +/* + * Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET) + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + */ + +package ch.ethz.seb.sebserver.webservice.servicelayer.authorization; + +import java.util.Collection; +import java.util.Set; + +import ch.ethz.seb.sebserver.gbl.authorization.Privilege; +import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType; +import ch.ethz.seb.sebserver.gbl.model.EntityType; +import ch.ethz.seb.sebserver.gbl.model.user.UserInfo; +import ch.ethz.seb.sebserver.gbl.model.user.UserRole; +import ch.ethz.seb.sebserver.gbl.util.Result; + +/** A service to check authorization grants for a given user for entity-types and -instances + * + * If there is one or more GrantEntity objects within an authenticated user-request, this service + * can be used check the authenticated user access grant within the object. Check if a given user + * has write, modify or even read-only rights on an entity instance or on an entity type. */ +public interface AuthorizationService { + + /** Gets the UserService that is bundled within the AuthorizationGrantService + * + * @return the UserService that is bundled within the AuthorizationGrantService */ + UserService getUserService(); + + /** All Privileges in a collection. + * + * @return all registered Privileges */ + Collection getAllPrivileges(); + + boolean hasPrivilege( + PrivilegeType privilegeType, + EntityType entityType, + Long institutionId, + String userId, + Long userInstitutionId, + Set userRoles); + + boolean hasPrivilege(PrivilegeType privilegeType, GrantEntity grantEntity); + + default boolean hasPrivilege(final PrivilegeType privilegeType, final EntityType entityType) { + final SEBServerUser currentUser = getUserService().getCurrentUser(); + final UserInfo userInfo = currentUser.getUserInfo(); + return hasPrivilege( + privilegeType, + entityType, + null, + userInfo.uuid, + userInfo.institutionId, + currentUser.getUserRoles()); + } + + default boolean hasPrivilege( + final PrivilegeType privilegeType, + final EntityType entityType, + final Long institutionId) { + + final SEBServerUser currentUser = getUserService().getCurrentUser(); + final UserInfo userInfo = currentUser.getUserInfo(); + return hasPrivilege( + privilegeType, + entityType, + institutionId, + userInfo.uuid, + userInfo.institutionId, + currentUser.getUserRoles()); + } + + default boolean hasReadonlyPrivilege(final GrantEntity grantEntity) { + return hasPrivilege(PrivilegeType.READ_ONLY, grantEntity); + } + + default boolean hasModifyPrivilege(final GrantEntity grantEntity) { + return hasPrivilege(PrivilegeType.MODIFY, grantEntity); + } + + default boolean hasWritePrivilege(final GrantEntity grantEntity) { + return hasPrivilege(PrivilegeType.WRITE, grantEntity); + } + + default void check(final PrivilegeType privilegeType, final EntityType entityType) { + check(privilegeType, entityType, null); + } + + default void check(final PrivilegeType privilegeType, final EntityType entityType, final Long institutionId) { + if (!hasPrivilege(privilegeType, entityType, institutionId)) { + throw new PermissionDeniedException( + entityType, + privilegeType, + getUserService().getCurrentUser().getUserInfo().uuid); + } + } + + default Result check(final PrivilegeType privilegeType, final E grantEntity) { + if (!hasPrivilege(privilegeType, grantEntity)) { + throw new PermissionDeniedException( + grantEntity, + privilegeType, + getUserService().getCurrentUser().getUserInfo().uuid); + } + + return Result.of(grantEntity); + } + + default Result checkReadonly(final E grantEntity) { + return check(PrivilegeType.READ_ONLY, grantEntity); + } + + default Result checkModify(final E grantEntity) { + return check(PrivilegeType.MODIFY, grantEntity); + } + + default Result checkWrite(final E grantEntity) { + return check(PrivilegeType.WRITE, grantEntity); + } + +} diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationServiceImpl.java b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationServiceImpl.java new file mode 100644 index 00000000..ebd9e01b --- /dev/null +++ b/src/main/java/ch/ethz/seb/sebserver/webservice/servicelayer/authorization/AuthorizationServiceImpl.java @@ -0,0 +1,214 @@ +/* + * Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET) + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + */ + +package ch.ethz.seb.sebserver.webservice.servicelayer.authorization; + +import java.util.Collection; +import java.util.Collections; +import java.util.HashMap; +import java.util.Map; +import java.util.Set; + +import javax.annotation.PostConstruct; + +import org.springframework.context.annotation.Lazy; +import org.springframework.stereotype.Service; + +import ch.ethz.seb.sebserver.gbl.authorization.Privilege; +import ch.ethz.seb.sebserver.gbl.authorization.Privilege.RoleTypeKey; +import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType; +import ch.ethz.seb.sebserver.gbl.model.EntityType; +import ch.ethz.seb.sebserver.gbl.model.user.UserInfo; +import ch.ethz.seb.sebserver.gbl.model.user.UserRole; +import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile; + +@Lazy +@Service +@WebServiceProfile +public class AuthorizationServiceImpl implements AuthorizationService { + + private final UserService userService; + + /** Map of role based grants for specified entity types. */ + private final Map privileges = new HashMap<>(); + + public AuthorizationServiceImpl(final UserService userService) { + this.userService = userService; + } + + @Override + public UserService getUserService() { + return this.userService; + } + + @Override + public Collection getAllPrivileges() { + return Collections.unmodifiableCollection(this.privileges.values()); + } + + /** Initialize the (hard-coded) grants */ + @PostConstruct + public void init() { + // grants for institution + addPrivilege(EntityType.INSTITUTION) + .forRole(UserRole.SEB_SERVER_ADMIN) + .withBasePrivilege(PrivilegeType.WRITE) + .andForRole(UserRole.INSTITUTIONAL_ADMIN) + .withInstitutionalPrivilege(PrivilegeType.MODIFY) + .andForRole(UserRole.EXAM_ADMIN) + .withInstitutionalPrivilege(PrivilegeType.READ_ONLY) + .andForRole(UserRole.EXAM_SUPPORTER) + .withInstitutionalPrivilege(PrivilegeType.READ_ONLY) + .create(); + + // grants for lms setup + addPrivilege(EntityType.LMS_SETUP) + .forRole(UserRole.SEB_SERVER_ADMIN) + .withBasePrivilege(PrivilegeType.WRITE) + .andForRole(UserRole.INSTITUTIONAL_ADMIN) + .withInstitutionalPrivilege(PrivilegeType.WRITE) + .andForRole(UserRole.EXAM_ADMIN) + .withInstitutionalPrivilege(PrivilegeType.MODIFY) + .andForRole(UserRole.EXAM_SUPPORTER) + .withInstitutionalPrivilege(PrivilegeType.READ_ONLY) + .create(); + + // grants for user account + addPrivilege(EntityType.USER) + .forRole(UserRole.SEB_SERVER_ADMIN) + .withBasePrivilege(PrivilegeType.WRITE) + .andForRole(UserRole.INSTITUTIONAL_ADMIN) + .withInstitutionalPrivilege(PrivilegeType.WRITE) + .andForRole(UserRole.EXAM_ADMIN) + .withOwnerPrivilege(PrivilegeType.MODIFY) + .andForRole(UserRole.EXAM_SUPPORTER) + .withOwnerPrivilege(PrivilegeType.MODIFY) + .create(); + + // grants for user activity logs + addPrivilege(EntityType.USER_ACTIVITY_LOG) + .forRole(UserRole.SEB_SERVER_ADMIN) + .withBasePrivilege(PrivilegeType.READ_ONLY) + .andForRole(UserRole.INSTITUTIONAL_ADMIN) + .withInstitutionalPrivilege(PrivilegeType.READ_ONLY) + .create(); + + // grants for exam + addPrivilege(EntityType.EXAM) + .forRole(UserRole.SEB_SERVER_ADMIN) + .withBasePrivilege(PrivilegeType.READ_ONLY) + .andForRole(UserRole.INSTITUTIONAL_ADMIN) + .withInstitutionalPrivilege(PrivilegeType.READ_ONLY) + .andForRole(UserRole.EXAM_ADMIN) + .withInstitutionalPrivilege(PrivilegeType.READ_ONLY) + .withOwnerPrivilege(PrivilegeType.WRITE) + .andForRole(UserRole.EXAM_SUPPORTER) + .withOwnerPrivilege(PrivilegeType.MODIFY) + .create(); + + // TODO other entities + } + + @Override + public boolean hasPrivilege( + final PrivilegeType privilegeType, + final EntityType entityType, + final Long institutionId, + final String userId, + final Long userInstitutionId, + final Set userRoles) { + + return userRoles + .stream() + .map(role -> new RoleTypeKey(entityType, role)) + .map(key -> this.privileges.get(key)) + .filter(priv -> (priv != null) && priv.hasGrant( + userId, + userInstitutionId, + privilegeType, + institutionId, + null)) + .findFirst() + .isPresent(); + } + + @Override + public boolean hasPrivilege(final PrivilegeType privilegeType, final GrantEntity grantEntity) { + final UserInfo userInfo = this.userService.getCurrentUser().getUserInfo(); + return userInfo.getRoles() + .stream() + .map(roleName -> UserRole.valueOf(roleName)) + .map(role -> new RoleTypeKey(grantEntity.entityType(), role)) + .map(key -> this.privileges.get(key)) + .filter(priv -> (priv != null) && priv.hasGrant( + userInfo.uuid, + userInfo.institutionId, + privilegeType, + grantEntity.getInstitutionId(), + grantEntity.getOwnerId())) + .findFirst() + .isPresent(); + } + + private PrivilegeBuilder addPrivilege(final EntityType entityType) { + return new PrivilegeBuilder(entityType); + } + + /** Implements a GrantRuleBuilder for internal use and to make the code more readable. + * See init (PostConstruct) */ + private final class PrivilegeBuilder { + private final EntityType entityType; + private UserRole userRole; + private PrivilegeType basePrivilege = PrivilegeType.NONE; + private PrivilegeType institutionalPrivilege = PrivilegeType.NONE; + private PrivilegeType ownerPrivilege = PrivilegeType.NONE; + + public PrivilegeBuilder(final EntityType entityType) { + super(); + this.entityType = entityType; + } + + public PrivilegeBuilder forRole(final UserRole userRole) { + this.userRole = userRole; + return this; + } + + public PrivilegeBuilder withBasePrivilege(final PrivilegeType basePrivilege) { + this.basePrivilege = basePrivilege; + return this; + } + + public PrivilegeBuilder withInstitutionalPrivilege(final PrivilegeType institutionalPrivilege) { + this.institutionalPrivilege = institutionalPrivilege; + return this; + } + + public PrivilegeBuilder withOwnerPrivilege(final PrivilegeType ownerPrivilege) { + this.ownerPrivilege = ownerPrivilege; + return this; + } + + public PrivilegeBuilder andForRole(final UserRole userRole) { + create(); + return new PrivilegeBuilder(this.entityType) + .forRole(userRole); + } + + public void create() { + final RoleTypeKey roleTypeKey = new RoleTypeKey(this.entityType, this.userRole); + final Privilege roleTypeGrant = new Privilege( + roleTypeKey, + this.basePrivilege, + this.institutionalPrivilege, + this.ownerPrivilege); + + AuthorizationServiceImpl.this.privileges.put(roleTypeKey, roleTypeGrant); + } + } + +} diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ActivatableEntityController.java b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ActivatableEntityController.java index 58f5143d..ca248612 100644 --- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ActivatableEntityController.java +++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ActivatableEntityController.java @@ -15,7 +15,6 @@ import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RequestParam; import ch.ethz.seb.sebserver.gbl.api.API; -import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType; import ch.ethz.seb.sebserver.gbl.model.Entity; import ch.ethz.seb.sebserver.gbl.model.EntityKey; import ch.ethz.seb.sebserver.gbl.model.EntityProcessingReport; @@ -24,7 +23,7 @@ import ch.ethz.seb.sebserver.gbl.model.Page; import ch.ethz.seb.sebserver.gbl.util.Result; import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.UserRecordDynamicSqlSupport; import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService; -import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService; +import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService; import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.GrantEntity; import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService; import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkAction; @@ -40,7 +39,7 @@ public abstract class ActivatableEntityController activatableEntityDAO; public ActivatableEntityController( - final AuthorizationGrantService authorizationGrantService, + final AuthorizationService authorizationGrantService, final BulkActionService bulkActionService, final ActivatableEntityDAO entityDAO, final UserActivityLogDAO userActivityLogDAO, @@ -130,9 +129,7 @@ public abstract class ActivatableEntityController this.authorizationGrantService.checkGrantOnEntity( - entity, - PrivilegeType.WRITE)) + .flatMap(this.authorization::checkWrite) .flatMap(entity -> this.bulkActionService.createReport(bulkAction)); } diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/EntityController.java b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/EntityController.java index fc6d0232..0cc89823 100644 --- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/EntityController.java +++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/EntityController.java @@ -10,7 +10,6 @@ package ch.ethz.seb.sebserver.webservice.weblayer.api; import java.util.Arrays; import java.util.Collection; -import java.util.function.Predicate; import java.util.stream.Collectors; import javax.validation.Valid; @@ -39,7 +38,7 @@ import ch.ethz.seb.sebserver.gbl.model.EntityType; import ch.ethz.seb.sebserver.gbl.model.Page; import ch.ethz.seb.sebserver.gbl.util.Result; import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService; -import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService; +import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService; import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.GrantEntity; import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService; import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkAction; @@ -53,7 +52,7 @@ import ch.ethz.seb.sebserver.webservice.servicelayer.validation.BeanValidationSe public abstract class EntityController { - protected final AuthorizationGrantService authorizationGrantService; + protected final AuthorizationService authorization; protected final BulkActionService bulkActionService; protected final EntityDAO entityDAO; protected final UserActivityLogDAO userActivityLogDAO; @@ -61,14 +60,14 @@ public abstract class EntityController entityDAO, final UserActivityLogDAO userActivityLogDAO, final PaginationService paginationService, final BeanValidationService beanValidationService) { - this.authorizationGrantService = authorizationGrantService; + this.authorization = authorization; this.bulkActionService = bulkActionService; this.entityDAO = entityDAO; this.userActivityLogDAO = userActivityLogDAO; @@ -78,7 +77,7 @@ public abstract class EntityController this.authorizationGrantService.checkGrantOnEntity( - entity, - PrivilegeType.READ_ONLY)) + .flatMap(this.authorization::checkReadonly) .getOrThrow(); } @@ -181,7 +178,7 @@ public abstract class EntityController this.authorizationGrantService.hasGrant(entity, PrivilegeType.READ_ONLY)) + .filter(this.authorization::hasReadonlyPrivilege) .collect(Collectors.toList()); } @@ -201,9 +198,9 @@ public abstract class EntityController this.authorizationGrantService.checkGrantOnEntity(m, PrivilegeType.MODIFY)) + .flatMap(this.authorization::checkModify) .flatMap(m -> this.entityDAO.save(modelId, m)) .flatMap(e -> this.userActivityLogDAO.log(ActivityType.MODIFY, e)) .flatMap(e -> notifySaved(modifyData, e)) @@ -284,26 +281,22 @@ public abstract class EntityController this.authorizationGrantService.checkGrantOnEntity( - entity, - PrivilegeType.WRITE)) + .flatMap(this.authorization::checkWrite) .flatMap(entity -> this.bulkActionService.createReport(bulkAction)) .getOrThrow(); } protected void checkReadPrivilege(final Long institutionId) { - this.authorizationGrantService.checkPrivilege( - this.entityDAO.entityType(), + this.authorization.check( PrivilegeType.READ_ONLY, + this.entityDAO.entityType(), institutionId); } protected Result> getAll(final FilterMap filterMap) { - final Predicate grantFilter = this.authorizationGrantService.getGrantFilter( - this.entityDAO.entityType(), - PrivilegeType.READ_ONLY); - - return this.entityDAO.allMatching(filterMap, grantFilter); + return this.entityDAO.allMatching( + filterMap, + this.authorization::hasReadonlyPrivilege); } protected Result notifySaved(final M modifyData, final T entity) { diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ExamAdministrationController.java b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ExamAdministrationController.java index 5b2f87a8..2a222984 100644 --- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ExamAdministrationController.java +++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/ExamAdministrationController.java @@ -45,7 +45,7 @@ import ch.ethz.seb.sebserver.gbl.util.Utils; import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.ExamRecordDynamicSqlSupport; import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService; import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService.SortOrder; -import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService; +import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService; import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService; import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkActionService; import ch.ethz.seb.sebserver.webservice.servicelayer.dao.ExamDAO; @@ -66,7 +66,7 @@ public class ExamAdministrationController extends ActivatableEntityController getIndicatorOfExam(@PathVariable final Long examId) { // check read-only grant on Exam this.examDAO.byPK(examId) - .map(exam -> this.authorizationGrantService.checkGrantOnEntity(exam, PrivilegeType.READ_ONLY)) + .map(this.authorization::checkReadonly) .getOrThrow(); return this.indicatorDAO.allForExam(examId) @@ -175,7 +175,7 @@ public class ExamAdministrationController extends ActivatableEntityController this.authorizationGrantService.checkGrantOnEntity(exam, PrivilegeType.WRITE)) + .map(this.authorization::checkWrite) .getOrThrow(); final Set toDelete = (indicatorId != null) @@ -199,7 +199,7 @@ public class ExamAdministrationController extends ActivatableEntityController this.authorizationGrantService.checkGrantOnEntity(exam, PrivilegeType.WRITE)) + .flatMap(this.authorization::checkWrite) .getOrThrow(); if (indicator.id != null) { @@ -219,7 +219,7 @@ public class ExamAdministrationController extends ActivatableEntityController this.authorizationGrantService.checkGrantOnEntity(e, PrivilegeType.MODIFY)) + .flatMap(this.authorization::checkModify) .getOrThrow(); return this.indicatorDAO diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/InfoController.java b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/InfoController.java index c09079a3..21af5168 100644 --- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/InfoController.java +++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/InfoController.java @@ -19,7 +19,7 @@ import org.springframework.web.bind.annotation.RestController; import ch.ethz.seb.sebserver.gbl.api.API; import ch.ethz.seb.sebserver.gbl.authorization.Privilege; import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile; -import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService; +import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService; import ch.ethz.seb.sebserver.webservice.servicelayer.dao.InstitutionDAO; @WebServiceProfile @@ -28,11 +28,11 @@ import ch.ethz.seb.sebserver.webservice.servicelayer.dao.InstitutionDAO; public class InfoController { private final InstitutionDAO institutionDAO; - private final AuthorizationGrantService authorizationGrantService; + private final AuthorizationService authorizationGrantService; protected InfoController( final InstitutionDAO institutionDAO, - final AuthorizationGrantService authorizationGrantService) { + final AuthorizationService authorizationGrantService) { this.institutionDAO = institutionDAO; this.authorizationGrantService = authorizationGrantService; diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/InstitutionController.java b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/InstitutionController.java index 6e8484f6..5e88a804 100644 --- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/InstitutionController.java +++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/InstitutionController.java @@ -19,7 +19,7 @@ import ch.ethz.seb.sebserver.gbl.model.institution.Institution; import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile; import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.InstitutionRecordDynamicSqlSupport; import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService; -import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService; +import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService; import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.SEBServerUser; import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkActionService; import ch.ethz.seb.sebserver.webservice.servicelayer.dao.InstitutionDAO; @@ -35,13 +35,13 @@ public class InstitutionController extends ActivatableEntityController template.testLmsSetup()) diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/QuizImportController.java b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/QuizImportController.java index 38d65dec..6e8dbc7c 100644 --- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/QuizImportController.java +++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/QuizImportController.java @@ -23,7 +23,7 @@ import ch.ethz.seb.sebserver.gbl.model.Page; import ch.ethz.seb.sebserver.gbl.model.exam.QuizData; import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile; import ch.ethz.seb.sebserver.gbl.util.Utils; -import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService; +import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService; import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService; import ch.ethz.seb.sebserver.webservice.servicelayer.lms.LmsAPIService; import ch.ethz.seb.sebserver.webservice.servicelayer.lms.LmsAPITemplate; @@ -37,18 +37,18 @@ public class QuizImportController { private final int maxPageSize; private final LmsAPIService lmsAPIService; - private final AuthorizationGrantService authorizationGrantService; + private final AuthorizationService authorization; public QuizImportController( @Value("${sebserver.webservice.api.pagination.defaultPageSize:10}") final int defaultPageSize, @Value("${sebserver.webservice.api.pagination.maxPageSize:500}") final int maxPageSize, final LmsAPIService lmsAPIService, - final AuthorizationGrantService authorizationGrantService) { + final AuthorizationService authorization) { this.defaultPageSize = defaultPageSize; this.maxPageSize = maxPageSize; this.lmsAPIService = lmsAPIService; - this.authorizationGrantService = authorizationGrantService; + this.authorization = authorization; } @RequestMapping(method = RequestMethod.GET) @@ -68,9 +68,9 @@ public class QuizImportController { .createLmsAPITemplate(lmsSetupId) .getOrThrow(); - this.authorizationGrantService.checkPrivilege( - EntityType.EXAM, + this.authorization.check( PrivilegeType.READ_ONLY, + EntityType.EXAM, institutionId); return lmsAPITemplate.getQuizzes( diff --git a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/UserAccountController.java b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/UserAccountController.java index 056655b1..21ec24b4 100644 --- a/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/UserAccountController.java +++ b/src/main/java/ch/ethz/seb/sebserver/webservice/weblayer/api/UserAccountController.java @@ -14,15 +14,15 @@ import org.springframework.web.bind.annotation.RequestMapping; import org.springframework.web.bind.annotation.RequestMethod; import org.springframework.web.bind.annotation.RestController; -import ch.ethz.seb.sebserver.gbl.api.POSTMapper; import ch.ethz.seb.sebserver.gbl.api.API; +import ch.ethz.seb.sebserver.gbl.api.POSTMapper; import ch.ethz.seb.sebserver.gbl.model.user.UserInfo; import ch.ethz.seb.sebserver.gbl.model.user.UserMod; import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile; import ch.ethz.seb.sebserver.gbl.util.Result; import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.UserRecordDynamicSqlSupport; import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService; -import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService; +import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService; import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkActionService; import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserActivityLogDAO; import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserDAO; @@ -38,14 +38,14 @@ public class UserAccountController extends ActivatableEntityController