refactoring of AuthorisationService
This commit is contained in:
parent
64f10c6455
commit
285290d93d
20 changed files with 539 additions and 812 deletions
|
@ -75,6 +75,22 @@ public final class Privilege {
|
||||||
return this.ownershipPrivilege.hasImplicit(privilegeType);
|
return this.ownershipPrivilege.hasImplicit(privilegeType);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public final boolean hasGrant(
|
||||||
|
final String userId,
|
||||||
|
final Long userInstitutionId,
|
||||||
|
final PrivilegeType privilegeType,
|
||||||
|
final Long institutionId,
|
||||||
|
final String ownerId) {
|
||||||
|
|
||||||
|
return this.hasBasePrivilege(privilegeType)
|
||||||
|
|| ((institutionId != null) &&
|
||||||
|
(this.hasInstitutionalPrivilege(privilegeType)
|
||||||
|
&& userInstitutionId.longValue() == institutionId
|
||||||
|
.longValue())
|
||||||
|
|| (this.hasOwnershipPrivilege(privilegeType)
|
||||||
|
&& userId.equals(ownerId)));
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String toString() {
|
public String toString() {
|
||||||
return "Privilege [privilegeType=" + this.basePrivilege + ", institutionalPrivilege="
|
return "Privilege [privilegeType=" + this.basePrivilege + ", institutionalPrivilege="
|
||||||
|
|
|
@ -207,13 +207,8 @@ public class FormBuilder {
|
||||||
this.formParent,
|
this.formParent,
|
||||||
value,
|
value,
|
||||||
new LocTextKey("sebserver.overall.upload"),
|
new LocTextKey("sebserver.overall.upload"),
|
||||||
span, 1);
|
span, 1, this.readonly);
|
||||||
if (this.readonly) {
|
|
||||||
imageUpload.setReadonly();
|
|
||||||
this.form.putField(name, lab, imageUpload);
|
this.form.putField(name, lab, imageUpload);
|
||||||
} else {
|
|
||||||
this.form.putField(name, lab, imageUpload);
|
|
||||||
}
|
|
||||||
|
|
||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
|
@ -12,7 +12,6 @@ import java.util.Collection;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import java.util.function.Function;
|
import java.util.function.Function;
|
||||||
import java.util.function.Predicate;
|
|
||||||
|
|
||||||
import org.slf4j.Logger;
|
import org.slf4j.Logger;
|
||||||
import org.slf4j.LoggerFactory;
|
import org.slf4j.LoggerFactory;
|
||||||
|
@ -78,12 +77,17 @@ public class CurrentUser {
|
||||||
public boolean hasPrivilege(final PrivilegeType privilegeType, final EntityType entityType) {
|
public boolean hasPrivilege(final PrivilegeType privilegeType, final EntityType entityType) {
|
||||||
if (loadPrivileges()) {
|
if (loadPrivileges()) {
|
||||||
try {
|
try {
|
||||||
return get().getRoles()
|
final UserInfo userInfo = get();
|
||||||
|
return userInfo.getRoles()
|
||||||
.stream()
|
.stream()
|
||||||
.map(roleName -> UserRole.valueOf(roleName))
|
.map(roleName -> UserRole.valueOf(roleName))
|
||||||
.map(role -> new RoleTypeKey(entityType, role))
|
.map(role -> new RoleTypeKey(entityType, role))
|
||||||
.map(key -> this.privileges.get(key))
|
.map(key -> this.privileges.get(key))
|
||||||
.filter(checkPrivilege(get(), privilegeType, null))
|
.filter(priv -> (priv != null) && priv.hasGrant(
|
||||||
|
userInfo.uuid,
|
||||||
|
userInfo.institutionId,
|
||||||
|
privilegeType,
|
||||||
|
null, null))
|
||||||
.findFirst()
|
.findFirst()
|
||||||
.isPresent();
|
.isPresent();
|
||||||
} catch (final Exception e) {
|
} catch (final Exception e) {
|
||||||
|
@ -102,12 +106,18 @@ public class CurrentUser {
|
||||||
if (loadPrivileges()) {
|
if (loadPrivileges()) {
|
||||||
final EntityType entityType = grantEntity.entityType();
|
final EntityType entityType = grantEntity.entityType();
|
||||||
try {
|
try {
|
||||||
return get().getRoles()
|
final UserInfo userInfo = get();
|
||||||
|
return userInfo.getRoles()
|
||||||
.stream()
|
.stream()
|
||||||
.map(roleName -> UserRole.valueOf(roleName))
|
.map(roleName -> UserRole.valueOf(roleName))
|
||||||
.map(role -> new RoleTypeKey(entityType, role))
|
.map(role -> new RoleTypeKey(entityType, role))
|
||||||
.map(key -> this.privileges.get(key))
|
.map(key -> this.privileges.get(key))
|
||||||
.filter(checkPrivilege(get(), privilegeType, grantEntity))
|
.filter(priv -> (priv != null) && priv.hasGrant(
|
||||||
|
userInfo.uuid,
|
||||||
|
userInfo.institutionId,
|
||||||
|
privilegeType,
|
||||||
|
grantEntity.getInstitutionId(),
|
||||||
|
grantEntity.getOwnerId()))
|
||||||
.findFirst()
|
.findFirst()
|
||||||
.isPresent();
|
.isPresent();
|
||||||
} catch (final Exception e) {
|
} catch (final Exception e) {
|
||||||
|
@ -119,20 +129,6 @@ public class CurrentUser {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
private Predicate<Privilege> checkPrivilege(
|
|
||||||
final UserInfo userInfo,
|
|
||||||
final PrivilegeType privilegeType,
|
|
||||||
final GrantEntity grantEntity) {
|
|
||||||
|
|
||||||
return priv -> priv.hasBasePrivilege(privilegeType)
|
|
||||||
|| ((grantEntity != null) &&
|
|
||||||
(priv.hasInstitutionalPrivilege(privilegeType)
|
|
||||||
&& get().institutionId.longValue() == grantEntity.getInstitutionId()
|
|
||||||
.longValue())
|
|
||||||
|| (priv.hasOwnershipPrivilege(privilegeType)
|
|
||||||
&& get().uuid.equals(grantEntity.getOwnerId())));
|
|
||||||
}
|
|
||||||
|
|
||||||
public boolean isAvailable() {
|
public boolean isAvailable() {
|
||||||
updateContext();
|
updateContext();
|
||||||
return this.authContext != null && this.authContext.isLoggedIn();
|
return this.authContext != null && this.authContext.isLoggedIn();
|
||||||
|
|
|
@ -41,26 +41,23 @@ public class ImageUpload extends Composite {
|
||||||
|
|
||||||
private final ServerPushService serverPushService;
|
private final ServerPushService serverPushService;
|
||||||
|
|
||||||
final Composite imageCanvas;
|
private final Composite imageCanvas;
|
||||||
final FileUpload fileUpload;
|
private final FileUpload fileUpload;
|
||||||
private String imageBase64 = null;
|
private String imageBase64 = null;
|
||||||
private boolean loadNewImage = false;
|
private boolean loadNewImage = false;
|
||||||
private boolean imageLoaded = false;
|
private boolean imageLoaded = false;
|
||||||
|
|
||||||
ImageUpload(final Composite parent, final ServerPushService serverPushService) {
|
ImageUpload(final Composite parent, final ServerPushService serverPushService, final boolean readonly) {
|
||||||
super(parent, SWT.NONE);
|
super(parent, SWT.NONE);
|
||||||
super.setLayout(new GridLayout(2, false));
|
super.setLayout(new GridLayout(2, false));
|
||||||
|
|
||||||
this.serverPushService = serverPushService;
|
this.serverPushService = serverPushService;
|
||||||
|
|
||||||
|
if (!readonly) {
|
||||||
this.fileUpload = new FileUpload(this, SWT.NONE);
|
this.fileUpload = new FileUpload(this, SWT.NONE);
|
||||||
this.fileUpload.setText("Select File");
|
this.fileUpload.setText("Select File");
|
||||||
this.fileUpload.setLayoutData(new GridData(SWT.CENTER, SWT.CENTER, false, false));
|
this.fileUpload.setLayoutData(new GridData(SWT.CENTER, SWT.CENTER, false, false));
|
||||||
|
|
||||||
this.imageCanvas = new Composite(this, SWT.NONE);
|
|
||||||
final GridData canvas = new GridData(SWT.FILL, SWT.FILL, true, true);
|
|
||||||
this.imageCanvas.setLayoutData(canvas);
|
|
||||||
|
|
||||||
final FileUploadHandler uploadHandler = new FileUploadHandler(new FileUploadReceiver() {
|
final FileUploadHandler uploadHandler = new FileUploadHandler(new FileUploadReceiver() {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -90,39 +87,25 @@ public class ImageUpload extends Composite {
|
||||||
ImageUpload.this.fileUpload.submit(uploadHandler.getUploadUrl());
|
ImageUpload.this.fileUpload.submit(uploadHandler.getUploadUrl());
|
||||||
|
|
||||||
ImageUpload.this.serverPushService.runServerPush(
|
ImageUpload.this.serverPushService.runServerPush(
|
||||||
new ServerPushContext(
|
new ServerPushContext(ImageUpload.this, ImageUpload::uploadInProgress),
|
||||||
ImageUpload.this,
|
ImageUpload::wait,
|
||||||
runAgainContext -> {
|
ImageUpload::update);
|
||||||
final ImageUpload imageUpload = (ImageUpload) runAgainContext.getAnchor();
|
|
||||||
return imageUpload.loadNewImage && !imageUpload.imageLoaded;
|
|
||||||
}),
|
|
||||||
context -> {
|
|
||||||
try {
|
|
||||||
Thread.sleep(200);
|
|
||||||
} catch (final Exception e) {
|
|
||||||
e.printStackTrace();
|
|
||||||
}
|
|
||||||
},
|
|
||||||
context -> {
|
|
||||||
final ImageUpload imageUpload = (ImageUpload) context.getAnchor();
|
|
||||||
if (imageUpload.imageBase64 != null
|
|
||||||
&& imageUpload.loadNewImage
|
|
||||||
&& imageUpload.imageLoaded) {
|
|
||||||
final Base64InputStream input = new Base64InputStream(
|
|
||||||
new ByteArrayInputStream(
|
|
||||||
imageUpload.imageBase64.getBytes(StandardCharsets.UTF_8)),
|
|
||||||
false);
|
|
||||||
|
|
||||||
imageUpload.imageCanvas.setData(RWT.CUSTOM_VARIANT, "bgLogoNoImage");
|
|
||||||
imageUpload.imageCanvas.setBackgroundImage(new Image(context.getDisplay(), input));
|
|
||||||
context.layout();
|
|
||||||
imageUpload.layout();
|
|
||||||
imageUpload.loadNewImage = false;
|
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
} else {
|
||||||
|
this.fileUpload = null;
|
||||||
}
|
}
|
||||||
});
|
|
||||||
|
|
||||||
|
this.imageCanvas = new Composite(this, SWT.NONE);
|
||||||
|
final GridData canvas = new GridData(SWT.FILL, SWT.FILL, true, true);
|
||||||
|
this.imageCanvas.setLayoutData(canvas);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setSelectionText(final String text) {
|
||||||
|
if (this.fileUpload != null) {
|
||||||
|
this.fileUpload.setText(text);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public String getImageBase64() {
|
public String getImageBase64() {
|
||||||
|
@ -141,9 +124,34 @@ public class ImageUpload extends Composite {
|
||||||
this.imageCanvas.setBackgroundImage(new Image(super.getDisplay(), input));
|
this.imageCanvas.setBackgroundImage(new Image(super.getDisplay(), input));
|
||||||
}
|
}
|
||||||
|
|
||||||
public void setReadonly() {
|
private static final boolean uploadInProgress(final ServerPushContext context) {
|
||||||
this.fileUpload.setVisible(false);
|
final ImageUpload imageUpload = (ImageUpload) context.getAnchor();
|
||||||
this.fileUpload.setEnabled(false);
|
return imageUpload.loadNewImage && !imageUpload.imageLoaded;
|
||||||
|
}
|
||||||
|
|
||||||
|
private static final void wait(final ServerPushContext context) {
|
||||||
|
try {
|
||||||
|
Thread.sleep(200);
|
||||||
|
} catch (final Exception e) {
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private static final void update(final ServerPushContext context) {
|
||||||
|
final ImageUpload imageUpload = (ImageUpload) context.getAnchor();
|
||||||
|
if (imageUpload.imageBase64 != null
|
||||||
|
&& imageUpload.loadNewImage
|
||||||
|
&& imageUpload.imageLoaded) {
|
||||||
|
final Base64InputStream input = new Base64InputStream(
|
||||||
|
new ByteArrayInputStream(
|
||||||
|
imageUpload.imageBase64.getBytes(StandardCharsets.UTF_8)),
|
||||||
|
false);
|
||||||
|
|
||||||
|
imageUpload.imageCanvas.setData(RWT.CUSTOM_VARIANT, "bgLogoNoImage");
|
||||||
|
imageUpload.imageCanvas.setBackgroundImage(new Image(context.getDisplay(), input));
|
||||||
|
context.layout();
|
||||||
|
imageUpload.layout();
|
||||||
|
imageUpload.loadNewImage = false;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -343,17 +343,23 @@ public class WidgetFactory {
|
||||||
final Composite parent,
|
final Composite parent,
|
||||||
final String value,
|
final String value,
|
||||||
final LocTextKey locTextKey,
|
final LocTextKey locTextKey,
|
||||||
final int hspan, final int vspan) {
|
final int hspan,
|
||||||
|
final int vspan,
|
||||||
|
final boolean readonly) {
|
||||||
|
|
||||||
final ImageUpload imageUpload = imageUploadLocalized(parent, locTextKey);
|
final ImageUpload imageUpload = imageUploadLocalized(parent, locTextKey, readonly);
|
||||||
final GridData gridData = new GridData(SWT.FILL, SWT.FILL, true, false, hspan, vspan);
|
final GridData gridData = new GridData(SWT.FILL, SWT.FILL, true, false, hspan, vspan);
|
||||||
imageUpload.setLayoutData(gridData);
|
imageUpload.setLayoutData(gridData);
|
||||||
imageUpload.setImageBase64(value);
|
imageUpload.setImageBase64(value);
|
||||||
return imageUpload;
|
return imageUpload;
|
||||||
}
|
}
|
||||||
|
|
||||||
public ImageUpload imageUploadLocalized(final Composite parent, final LocTextKey locTextKey) {
|
public ImageUpload imageUploadLocalized(
|
||||||
final ImageUpload imageUpload = new ImageUpload(parent, this.serverPushService);
|
final Composite parent,
|
||||||
|
final LocTextKey locTextKey,
|
||||||
|
final boolean readonly) {
|
||||||
|
|
||||||
|
final ImageUpload imageUpload = new ImageUpload(parent, this.serverPushService, readonly);
|
||||||
injectI18n(imageUpload, locTextKey);
|
injectI18n(imageUpload, locTextKey);
|
||||||
return imageUpload;
|
return imageUpload;
|
||||||
}
|
}
|
||||||
|
@ -454,7 +460,7 @@ public class WidgetFactory {
|
||||||
|
|
||||||
return imageUpload -> {
|
return imageUpload -> {
|
||||||
if (locTextKey != null) {
|
if (locTextKey != null) {
|
||||||
imageUpload.fileUpload.setText(i18nSupport.getText(locTextKey));
|
imageUpload.setSelectionText(i18nSupport.getText(locTextKey));
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,36 +0,0 @@
|
||||||
/*
|
|
||||||
* Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET)
|
|
||||||
*
|
|
||||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
||||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
||||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package ch.ethz.seb.sebserver.webservice.servicelayer.authorization;
|
|
||||||
|
|
||||||
import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType;
|
|
||||||
import ch.ethz.seb.sebserver.gbl.model.EntityType;
|
|
||||||
|
|
||||||
/** Defines a authorization grant rule for a specified EntityType.
|
|
||||||
*
|
|
||||||
* If there is the need for a specialized authorization grant rule for a specified EntityType, just
|
|
||||||
* create an implementation of this interface for a specified EntityType as a normal Spring Component
|
|
||||||
* and the AuthorizationGrantService will automatically collect it on initialization and use it for
|
|
||||||
* the specified EntityType instead of the default implementation. */
|
|
||||||
public interface AuthorizationGrantRule {
|
|
||||||
|
|
||||||
/** The EntityType of the authorization grant rule implementation.
|
|
||||||
* This is used by the AuthorizationGrantService on initialization.
|
|
||||||
*
|
|
||||||
* @return the authorization grant rule implementation */
|
|
||||||
EntityType entityType();
|
|
||||||
|
|
||||||
/** Implements a authorization grant rule check for a given entity, user and grant type.
|
|
||||||
*
|
|
||||||
* @param entity the GrantEntity instance to check the grant rule on
|
|
||||||
* @param user the SEBServerUser instance to check the grant rule on
|
|
||||||
* @param grantType the GrantType to check
|
|
||||||
* @return true if a given user has a given grant-type on a given entity, false otherwise */
|
|
||||||
boolean hasGrant(GrantEntity entity, SEBServerUser user, PrivilegeType grantType);
|
|
||||||
|
|
||||||
}
|
|
|
@ -1,126 +0,0 @@
|
||||||
/*
|
|
||||||
* Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET)
|
|
||||||
*
|
|
||||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
||||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
||||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package ch.ethz.seb.sebserver.webservice.servicelayer.authorization;
|
|
||||||
|
|
||||||
import java.security.Principal;
|
|
||||||
import java.util.Collection;
|
|
||||||
import java.util.function.Predicate;
|
|
||||||
|
|
||||||
import ch.ethz.seb.sebserver.gbl.authorization.Privilege;
|
|
||||||
import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType;
|
|
||||||
import ch.ethz.seb.sebserver.gbl.model.EntityType;
|
|
||||||
import ch.ethz.seb.sebserver.gbl.util.Result;
|
|
||||||
|
|
||||||
/** A service to check authorization grants for a given user for entity-types and -instances
|
|
||||||
*
|
|
||||||
* If there is one or more GrantEntity objects within an authenticated user-request, this service
|
|
||||||
* can be used check the authenticated user access grant within the object. Check if a given user
|
|
||||||
* has write, modify or even read-only rights on an entity instance or on an entity type. */
|
|
||||||
public interface AuthorizationGrantService {
|
|
||||||
|
|
||||||
/** Gets the UserService that is bundled within the AuthorizationGrantService
|
|
||||||
*
|
|
||||||
* @return the UserService that is bundled within the AuthorizationGrantService */
|
|
||||||
UserService getUserService();
|
|
||||||
|
|
||||||
/** All Privileges in a collection.
|
|
||||||
*
|
|
||||||
* @return all registered Privileges */
|
|
||||||
Collection<Privilege> getAllPrivileges();
|
|
||||||
|
|
||||||
/** Checks if the current user has any privilege (base or institutional or owner) for the given EntityType and
|
|
||||||
* PrivilegeType.
|
|
||||||
*
|
|
||||||
* @param entityType the EntityType
|
|
||||||
* @param privilegeType the PrivilegeType to check on EntityType */
|
|
||||||
void checkHasAnyPrivilege(EntityType entityType, PrivilegeType privilegeType);
|
|
||||||
|
|
||||||
void checkPrivilege(EntityType entityType, PrivilegeType privilegeType, Long institutionId);
|
|
||||||
|
|
||||||
void checkPrivilege(EntityType entityType, PrivilegeType privilegeType, Long institutionId, Long ownerId);
|
|
||||||
|
|
||||||
/** Check if current user has grant on a given GrantEntity instance for specified PrivilegeType
|
|
||||||
*
|
|
||||||
* @param entity The GrantEntity to check specified PrivilegeType for
|
|
||||||
* @param privilegeType The PrivilegeType
|
|
||||||
* @return a with a Result of the granted entity instance or with a Result of a PermissionDeniedException */
|
|
||||||
<E extends GrantEntity> Result<E> checkGrantOnEntity(E entity, PrivilegeType privilegeType);
|
|
||||||
|
|
||||||
/** Checks if the current user has a implicit base privilege for a given entity-type
|
|
||||||
*
|
|
||||||
* @param entityType the entity type
|
|
||||||
* @param privilegeType the privilege type to check
|
|
||||||
* @return true if the current user has a implicit base privilege on specified PrivilegeType for a given
|
|
||||||
* EntityType */
|
|
||||||
boolean hasBasePrivilege(EntityType entityType, PrivilegeType privilegeType);
|
|
||||||
|
|
||||||
/** Checks if a given user has a implicit base privilege for a given entity-type
|
|
||||||
*
|
|
||||||
* @param entityType the entity type
|
|
||||||
* @param privilegeType the privilege type to check
|
|
||||||
* @return true if a given user has a implicit base privilege on specified PrivilegeType for a given EntityType */
|
|
||||||
boolean hasBasePrivilege(EntityType entityType, PrivilegeType privilegeType, Principal principal);
|
|
||||||
|
|
||||||
/** Checks if the current user has an implicit institutional privilege on a given EntityType
|
|
||||||
*
|
|
||||||
* @param entityType the entity type
|
|
||||||
* @param privilegeType the privilege type to check
|
|
||||||
* @return true if the current user has an implicit institutional privilege on the given EntityType */
|
|
||||||
boolean hasInstitutionalPrivilege(EntityType entityType, PrivilegeType privilegeType);
|
|
||||||
|
|
||||||
/** Checks if a given user has an implicit institutional privilege on a given EntityType
|
|
||||||
*
|
|
||||||
* @param entityType the entity type
|
|
||||||
* @param privilegeType the privilege type to check
|
|
||||||
* @return true if a given user has an implicit institutional privilege on the given EntityType */
|
|
||||||
boolean hasInstitutionalPrivilege(EntityType entityType, PrivilegeType privilegeType, Principal principal);
|
|
||||||
|
|
||||||
/** Checks if the current user has grant on a given entity for a specified PrivilegeType
|
|
||||||
*
|
|
||||||
* @param entity the entity-instance
|
|
||||||
* @param privilegeType the privilege type to check
|
|
||||||
* @return true if the current user has a specified grant for a given entity-instance */
|
|
||||||
boolean hasGrant(GrantEntity entity, PrivilegeType privilegeType);
|
|
||||||
|
|
||||||
/** Checks if a given user has grant on a given entity for a specified PrivilegeType
|
|
||||||
*
|
|
||||||
* @param entity the entity-instance
|
|
||||||
* @param privilegeType the grant type to check
|
|
||||||
* @param principal an authorization Principal instance to extract the user from
|
|
||||||
* @return true if the given user has grant on a given entity for a specified PrivilegeType */
|
|
||||||
boolean hasGrant(GrantEntity entity, PrivilegeType privilegeType, Principal principal);
|
|
||||||
|
|
||||||
/** Checks if a given user has specified grant for a given entity-instance
|
|
||||||
*
|
|
||||||
* @param entity the entity-instance
|
|
||||||
* @param privilegeType the grant type to check
|
|
||||||
* @param user a SEBServerUser instance to check grant for
|
|
||||||
* @return true if a given user has a specified grant for a given entity-instance. False otherwise */
|
|
||||||
boolean hasGrant(GrantEntity entity, PrivilegeType privilegeType, SEBServerUser user);
|
|
||||||
|
|
||||||
/** Closure to get a grant check predicate for the current user
|
|
||||||
* to filter a several entity-instances within the same grant
|
|
||||||
*
|
|
||||||
* @param entityType the EntityType for the grant check filter
|
|
||||||
* @param privilegeType the PrivilegeType for the grant check filter
|
|
||||||
* @return A filter predicate working on the given attributes to check user grants */
|
|
||||||
<T extends GrantEntity> Predicate<T> getGrantFilter(EntityType entityType, PrivilegeType privilegeType);
|
|
||||||
|
|
||||||
/** Closure to get a grant check predicate to filter a several entity-instances within the same grant
|
|
||||||
*
|
|
||||||
* @param entityType the EntityType for the grant check filter
|
|
||||||
* @param privilegeType the PrivilegeType for the grant check filter
|
|
||||||
* @param principal an authorization Principal instance to extract the user from
|
|
||||||
* @return A filter predicate working on the given attributes to check user grants */
|
|
||||||
<T extends GrantEntity> Predicate<T> getGrantFilter(
|
|
||||||
EntityType entityType,
|
|
||||||
PrivilegeType privilegeType,
|
|
||||||
Principal principal);
|
|
||||||
|
|
||||||
}
|
|
|
@ -1,450 +0,0 @@
|
||||||
/*
|
|
||||||
* Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET)
|
|
||||||
*
|
|
||||||
* This Source Code Form is subject to the terms of the Mozilla Public
|
|
||||||
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
||||||
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
|
||||||
*/
|
|
||||||
|
|
||||||
package ch.ethz.seb.sebserver.webservice.servicelayer.authorization;
|
|
||||||
|
|
||||||
import java.security.Principal;
|
|
||||||
import java.util.Collection;
|
|
||||||
import java.util.Collections;
|
|
||||||
import java.util.EnumMap;
|
|
||||||
import java.util.HashMap;
|
|
||||||
import java.util.Map;
|
|
||||||
import java.util.function.Predicate;
|
|
||||||
|
|
||||||
import javax.annotation.PostConstruct;
|
|
||||||
|
|
||||||
import org.springframework.context.annotation.Lazy;
|
|
||||||
import org.springframework.stereotype.Service;
|
|
||||||
|
|
||||||
import ch.ethz.seb.sebserver.gbl.authorization.Privilege;
|
|
||||||
import ch.ethz.seb.sebserver.gbl.authorization.Privilege.RoleTypeKey;
|
|
||||||
import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType;
|
|
||||||
import ch.ethz.seb.sebserver.gbl.model.EntityType;
|
|
||||||
import ch.ethz.seb.sebserver.gbl.model.user.UserRole;
|
|
||||||
import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
|
|
||||||
import ch.ethz.seb.sebserver.gbl.util.Result;
|
|
||||||
|
|
||||||
@Lazy
|
|
||||||
@Service
|
|
||||||
@WebServiceProfile
|
|
||||||
public class AuthorizationGrantServiceImpl implements AuthorizationGrantService {
|
|
||||||
|
|
||||||
/** Map of role based grants for specified entity types. */
|
|
||||||
private final Map<Privilege.RoleTypeKey, Privilege> privileges = new HashMap<>();
|
|
||||||
/** Map of collected AuthorizationGrantRule exceptions */
|
|
||||||
private final Map<EntityType, AuthorizationGrantRule> exceptionalRules =
|
|
||||||
new EnumMap<>(EntityType.class);
|
|
||||||
|
|
||||||
private final UserService userService;
|
|
||||||
|
|
||||||
public AuthorizationGrantServiceImpl(
|
|
||||||
final Collection<AuthorizationGrantRule> exceptionalGrantRules,
|
|
||||||
final UserService userService) {
|
|
||||||
|
|
||||||
this.userService = userService;
|
|
||||||
|
|
||||||
if (exceptionalGrantRules != null) {
|
|
||||||
exceptionalGrantRules.stream()
|
|
||||||
.forEach(r -> this.exceptionalRules.put(r.entityType(), r));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public UserService getUserService() {
|
|
||||||
return this.userService;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public Collection<Privilege> getAllPrivileges() {
|
|
||||||
return Collections.unmodifiableCollection(this.privileges.values());
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Initialize the (hard-coded) grants */
|
|
||||||
@PostConstruct
|
|
||||||
public void init() {
|
|
||||||
// grants for institution
|
|
||||||
addPrivilege(EntityType.INSTITUTION)
|
|
||||||
.forRole(UserRole.SEB_SERVER_ADMIN)
|
|
||||||
.withBasePrivilege(PrivilegeType.WRITE)
|
|
||||||
.andForRole(UserRole.INSTITUTIONAL_ADMIN)
|
|
||||||
.withInstitutionalPrivilege(PrivilegeType.MODIFY)
|
|
||||||
.andForRole(UserRole.EXAM_ADMIN)
|
|
||||||
.withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
|
|
||||||
.andForRole(UserRole.EXAM_SUPPORTER)
|
|
||||||
.withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
|
|
||||||
.create();
|
|
||||||
|
|
||||||
// grants for lms setup
|
|
||||||
addPrivilege(EntityType.LMS_SETUP)
|
|
||||||
.forRole(UserRole.SEB_SERVER_ADMIN)
|
|
||||||
.withBasePrivilege(PrivilegeType.WRITE)
|
|
||||||
.andForRole(UserRole.INSTITUTIONAL_ADMIN)
|
|
||||||
.withInstitutionalPrivilege(PrivilegeType.WRITE)
|
|
||||||
.andForRole(UserRole.EXAM_ADMIN)
|
|
||||||
.withInstitutionalPrivilege(PrivilegeType.MODIFY)
|
|
||||||
.andForRole(UserRole.EXAM_SUPPORTER)
|
|
||||||
.withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
|
|
||||||
.create();
|
|
||||||
|
|
||||||
// grants for user account
|
|
||||||
addPrivilege(EntityType.USER)
|
|
||||||
.forRole(UserRole.SEB_SERVER_ADMIN)
|
|
||||||
.withBasePrivilege(PrivilegeType.WRITE)
|
|
||||||
.andForRole(UserRole.INSTITUTIONAL_ADMIN)
|
|
||||||
.withInstitutionalPrivilege(PrivilegeType.WRITE)
|
|
||||||
.andForRole(UserRole.EXAM_ADMIN)
|
|
||||||
.withOwnerPrivilege(PrivilegeType.MODIFY)
|
|
||||||
.andForRole(UserRole.EXAM_SUPPORTER)
|
|
||||||
.withOwnerPrivilege(PrivilegeType.MODIFY)
|
|
||||||
.create();
|
|
||||||
|
|
||||||
// grants for user activity logs
|
|
||||||
addPrivilege(EntityType.USER_ACTIVITY_LOG)
|
|
||||||
.forRole(UserRole.SEB_SERVER_ADMIN)
|
|
||||||
.withBasePrivilege(PrivilegeType.READ_ONLY)
|
|
||||||
.andForRole(UserRole.INSTITUTIONAL_ADMIN)
|
|
||||||
.withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
|
|
||||||
.create();
|
|
||||||
|
|
||||||
// grants for exam
|
|
||||||
addPrivilege(EntityType.EXAM)
|
|
||||||
.forRole(UserRole.SEB_SERVER_ADMIN)
|
|
||||||
.withBasePrivilege(PrivilegeType.READ_ONLY)
|
|
||||||
.andForRole(UserRole.INSTITUTIONAL_ADMIN)
|
|
||||||
.withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
|
|
||||||
.andForRole(UserRole.EXAM_ADMIN)
|
|
||||||
.withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
|
|
||||||
.withOwnerPrivilege(PrivilegeType.WRITE)
|
|
||||||
.andForRole(UserRole.EXAM_SUPPORTER)
|
|
||||||
.withOwnerPrivilege(PrivilegeType.MODIFY)
|
|
||||||
.create();
|
|
||||||
|
|
||||||
// TODO other entities
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void checkHasAnyPrivilege(final EntityType entityType, final PrivilegeType privilegeType) {
|
|
||||||
final SEBServerUser currentUser = this.userService.getCurrentUser();
|
|
||||||
if (hasBasePrivilege(entityType, privilegeType, currentUser) ||
|
|
||||||
hasInstitutionalPrivilege(entityType, privilegeType, currentUser)) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
throw new PermissionDeniedException(entityType, privilegeType, currentUser.getUserInfo().uuid);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void checkPrivilege(
|
|
||||||
final EntityType entityType,
|
|
||||||
final PrivilegeType privilegeType,
|
|
||||||
final Long institutionId) {
|
|
||||||
|
|
||||||
final SEBServerUser currentUser = this.userService.getCurrentUser();
|
|
||||||
if (hasBasePrivilege(entityType, privilegeType, currentUser)) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (institutionId == null) {
|
|
||||||
throw new PermissionDeniedException(entityType, privilegeType, currentUser.getUserInfo().uuid);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (hasInstitutionalPrivilege(entityType, privilegeType, currentUser) &&
|
|
||||||
currentUser.institutionId().longValue() == institutionId.longValue()) {
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
throw new PermissionDeniedException(entityType, privilegeType, currentUser.getUserInfo().uuid);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public void checkPrivilege(
|
|
||||||
final EntityType entityType,
|
|
||||||
final PrivilegeType privilegeType,
|
|
||||||
final Long institutionId,
|
|
||||||
final Long ownerId) {
|
|
||||||
|
|
||||||
final SEBServerUser currentUser = this.userService.getCurrentUser();
|
|
||||||
|
|
||||||
// TODO Auto-generated method stub
|
|
||||||
|
|
||||||
throw new PermissionDeniedException(entityType, privilegeType, currentUser.getUserInfo().uuid);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public <E extends GrantEntity> Result<E> checkGrantOnEntity(final E entity, final PrivilegeType privilegeType) {
|
|
||||||
|
|
||||||
final SEBServerUser currentUser = this.userService.getCurrentUser();
|
|
||||||
if (hasGrant(entity, privilegeType, currentUser)) {
|
|
||||||
return Result.of(entity);
|
|
||||||
} else {
|
|
||||||
return Result.ofError(new PermissionDeniedException(entity, privilegeType, currentUser.getUserInfo().uuid));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public boolean hasBasePrivilege(final EntityType entityType, final PrivilegeType privilegeType) {
|
|
||||||
return hasBasePrivilege(entityType, privilegeType, this.userService.getCurrentUser());
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public boolean hasBasePrivilege(
|
|
||||||
final EntityType entityType,
|
|
||||||
final PrivilegeType privilegeType,
|
|
||||||
final Principal principal) {
|
|
||||||
|
|
||||||
return hasBasePrivilege(entityType, privilegeType, this.userService.extractFromPrincipal(principal));
|
|
||||||
}
|
|
||||||
|
|
||||||
private boolean hasBasePrivilege(
|
|
||||||
final EntityType entityType,
|
|
||||||
final PrivilegeType privilegeType,
|
|
||||||
final SEBServerUser user) {
|
|
||||||
|
|
||||||
for (final UserRole role : user.getUserRoles()) {
|
|
||||||
final Privilege roleTypeGrant = this.privileges.get(new RoleTypeKey(entityType, role));
|
|
||||||
if (roleTypeGrant != null && roleTypeGrant.hasBasePrivilege(privilegeType)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public boolean hasInstitutionalPrivilege(
|
|
||||||
final EntityType entityType,
|
|
||||||
final PrivilegeType privilegeType) {
|
|
||||||
|
|
||||||
return hasInstitutionalPrivilege(
|
|
||||||
entityType,
|
|
||||||
privilegeType,
|
|
||||||
this.userService.getCurrentUser());
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public boolean hasInstitutionalPrivilege(
|
|
||||||
final EntityType entityType,
|
|
||||||
final PrivilegeType privilegeType,
|
|
||||||
final Principal principal) {
|
|
||||||
|
|
||||||
return hasInstitutionalPrivilege(
|
|
||||||
entityType,
|
|
||||||
privilegeType,
|
|
||||||
this.userService.extractFromPrincipal(principal));
|
|
||||||
}
|
|
||||||
|
|
||||||
private boolean hasInstitutionalPrivilege(
|
|
||||||
final EntityType entityType,
|
|
||||||
final PrivilegeType privilegeType,
|
|
||||||
final SEBServerUser user) {
|
|
||||||
|
|
||||||
for (final UserRole role : user.getUserRoles()) {
|
|
||||||
final Privilege roleTypeGrant = this.privileges.get(new RoleTypeKey(entityType, role));
|
|
||||||
if (roleTypeGrant != null && roleTypeGrant.hasInstitutionalPrivilege(privilegeType)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public boolean hasGrant(final GrantEntity entity, final PrivilegeType grantType) {
|
|
||||||
return hasGrant(entity, grantType, this.userService.getCurrentUser());
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public boolean hasGrant(final GrantEntity entity, final PrivilegeType grantType, final Principal principal) {
|
|
||||||
return hasGrant(entity, grantType, this.userService.extractFromPrincipal(principal));
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public boolean hasGrant(final GrantEntity entity, final PrivilegeType grantType, final SEBServerUser user) {
|
|
||||||
final AuthorizationGrantRule authorizationGrantRule = getGrantRule(entity.entityType());
|
|
||||||
if (authorizationGrantRule == null) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
return authorizationGrantRule.hasGrant(entity, user, grantType);
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public <T extends GrantEntity> Predicate<T> getGrantFilter(
|
|
||||||
final EntityType entityType,
|
|
||||||
final PrivilegeType grantType) {
|
|
||||||
|
|
||||||
return getGrantFilter(entityType, grantType, this.userService.getCurrentUser());
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public <T extends GrantEntity> Predicate<T> getGrantFilter(
|
|
||||||
final EntityType entityType,
|
|
||||||
final PrivilegeType grantType,
|
|
||||||
final Principal principal) {
|
|
||||||
|
|
||||||
return getGrantFilter(entityType, grantType, this.userService.extractFromPrincipal(principal));
|
|
||||||
}
|
|
||||||
|
|
||||||
private <T extends GrantEntity> Predicate<T> getGrantFilter(
|
|
||||||
final EntityType entityType,
|
|
||||||
final PrivilegeType grantType,
|
|
||||||
final SEBServerUser user) {
|
|
||||||
|
|
||||||
final AuthorizationGrantRule authorizationGrantRule = getGrantRule(entityType);
|
|
||||||
if (authorizationGrantRule == null)
|
|
||||||
return entity -> false;
|
|
||||||
|
|
||||||
return entity -> authorizationGrantRule.hasGrant(entity, user, grantType);
|
|
||||||
}
|
|
||||||
|
|
||||||
private AuthorizationGrantRule getGrantRule(final EntityType type) {
|
|
||||||
return this.exceptionalRules.computeIfAbsent(
|
|
||||||
type,
|
|
||||||
entityType -> new BaseTypeGrantRule(entityType, this));
|
|
||||||
}
|
|
||||||
|
|
||||||
private PrivilegeBuilder addPrivilege(final EntityType entityType) {
|
|
||||||
return new PrivilegeBuilder(entityType);
|
|
||||||
}
|
|
||||||
|
|
||||||
/** This is the default (or base) implementation of a AuthorizationGrantRule.
|
|
||||||
*
|
|
||||||
* The rule is: go over all user-roles of the given user and for each user-role check
|
|
||||||
* if there is base-privilege on the given entity-type for the given grant type.
|
|
||||||
* if true return true
|
|
||||||
* if false; check if there is a given institutional-privilege on the given
|
|
||||||
* entity-instance for the given grant type.
|
|
||||||
* if true return true
|
|
||||||
* if false; check if there is a given ownership-privilege on the given
|
|
||||||
* entity-instance for the given grant type.
|
|
||||||
* if true return true
|
|
||||||
* if false return false */
|
|
||||||
private static class BaseTypeGrantRule implements AuthorizationGrantRule {
|
|
||||||
|
|
||||||
private final EntityType type;
|
|
||||||
private final Map<UserRole, Privilege> grants;
|
|
||||||
|
|
||||||
public BaseTypeGrantRule(final EntityType type, final AuthorizationGrantServiceImpl service) {
|
|
||||||
this.type = type;
|
|
||||||
this.grants = new EnumMap<>(UserRole.class);
|
|
||||||
for (final UserRole role : UserRole.values()) {
|
|
||||||
this.grants.put(role,
|
|
||||||
service.privileges.get(new RoleTypeKey(type, role)));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public EntityType entityType() {
|
|
||||||
return this.type;
|
|
||||||
}
|
|
||||||
|
|
||||||
@Override
|
|
||||||
public boolean hasGrant(final GrantEntity entity, final SEBServerUser user, final PrivilegeType grantType) {
|
|
||||||
for (final UserRole role : user.getUserRoles()) {
|
|
||||||
final Privilege roleTypeGrant = this.grants.get(role);
|
|
||||||
if (roleTypeGrant != null && hasGrant(roleTypeGrant, user, entity, grantType)) {
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
public boolean hasGrant(
|
|
||||||
final Privilege roleTypeGrant,
|
|
||||||
final SEBServerUser user,
|
|
||||||
final GrantEntity entity,
|
|
||||||
final PrivilegeType grantType) {
|
|
||||||
|
|
||||||
return roleTypeGrant.hasBasePrivilege(grantType) ||
|
|
||||||
hasInstitutionalGrant(roleTypeGrant, user, entity, grantType) ||
|
|
||||||
hasOwnershipGrant(roleTypeGrant, user, entity, grantType);
|
|
||||||
}
|
|
||||||
|
|
||||||
private boolean hasInstitutionalGrant(
|
|
||||||
final Privilege roleTypeGrant,
|
|
||||||
final SEBServerUser user,
|
|
||||||
final GrantEntity entity,
|
|
||||||
final PrivilegeType grantType) {
|
|
||||||
|
|
||||||
if (entity.getInstitutionId() == null) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
return roleTypeGrant.hasInstitutionalPrivilege(grantType) &&
|
|
||||||
user.institutionId().longValue() == entity.getInstitutionId().longValue();
|
|
||||||
}
|
|
||||||
|
|
||||||
private boolean hasOwnershipGrant(
|
|
||||||
final Privilege roleTypeGrant,
|
|
||||||
final SEBServerUser user,
|
|
||||||
final GrantEntity entity,
|
|
||||||
final PrivilegeType grantType) {
|
|
||||||
|
|
||||||
if (entity.getOwnerId() == null) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
|
|
||||||
return roleTypeGrant.hasOwnershipPrivilege(grantType) &&
|
|
||||||
user.uuid().equals(entity.getOwnerId());
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
/** Implements a GrantRuleBuilder for internal use and to make the code more readable.
|
|
||||||
* See init (PostConstruct) */
|
|
||||||
private final class PrivilegeBuilder {
|
|
||||||
private final EntityType entityType;
|
|
||||||
private UserRole userRole;
|
|
||||||
private PrivilegeType basePrivilege = PrivilegeType.NONE;
|
|
||||||
private PrivilegeType institutionalPrivilege = PrivilegeType.NONE;
|
|
||||||
private PrivilegeType ownerPrivilege = PrivilegeType.NONE;
|
|
||||||
|
|
||||||
public PrivilegeBuilder(final EntityType entityType) {
|
|
||||||
super();
|
|
||||||
this.entityType = entityType;
|
|
||||||
}
|
|
||||||
|
|
||||||
public PrivilegeBuilder forRole(final UserRole userRole) {
|
|
||||||
this.userRole = userRole;
|
|
||||||
return this;
|
|
||||||
}
|
|
||||||
|
|
||||||
public PrivilegeBuilder withBasePrivilege(final PrivilegeType basePrivilege) {
|
|
||||||
this.basePrivilege = basePrivilege;
|
|
||||||
return this;
|
|
||||||
}
|
|
||||||
|
|
||||||
public PrivilegeBuilder withInstitutionalPrivilege(final PrivilegeType institutionalPrivilege) {
|
|
||||||
this.institutionalPrivilege = institutionalPrivilege;
|
|
||||||
return this;
|
|
||||||
}
|
|
||||||
|
|
||||||
public PrivilegeBuilder withOwnerPrivilege(final PrivilegeType ownerPrivilege) {
|
|
||||||
this.ownerPrivilege = ownerPrivilege;
|
|
||||||
return this;
|
|
||||||
}
|
|
||||||
|
|
||||||
public PrivilegeBuilder andForRole(final UserRole userRole) {
|
|
||||||
create();
|
|
||||||
return new PrivilegeBuilder(this.entityType)
|
|
||||||
.forRole(userRole);
|
|
||||||
}
|
|
||||||
|
|
||||||
public void create() {
|
|
||||||
final RoleTypeKey roleTypeKey = new RoleTypeKey(this.entityType, this.userRole);
|
|
||||||
final Privilege roleTypeGrant = new Privilege(
|
|
||||||
roleTypeKey,
|
|
||||||
this.basePrivilege,
|
|
||||||
this.institutionalPrivilege,
|
|
||||||
this.ownerPrivilege);
|
|
||||||
|
|
||||||
AuthorizationGrantServiceImpl.this.privileges.put(roleTypeKey, roleTypeGrant);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
|
@ -0,0 +1,124 @@
|
||||||
|
/*
|
||||||
|
* Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET)
|
||||||
|
*
|
||||||
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
||||||
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||||
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package ch.ethz.seb.sebserver.webservice.servicelayer.authorization;
|
||||||
|
|
||||||
|
import java.util.Collection;
|
||||||
|
import java.util.Set;
|
||||||
|
|
||||||
|
import ch.ethz.seb.sebserver.gbl.authorization.Privilege;
|
||||||
|
import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType;
|
||||||
|
import ch.ethz.seb.sebserver.gbl.model.EntityType;
|
||||||
|
import ch.ethz.seb.sebserver.gbl.model.user.UserInfo;
|
||||||
|
import ch.ethz.seb.sebserver.gbl.model.user.UserRole;
|
||||||
|
import ch.ethz.seb.sebserver.gbl.util.Result;
|
||||||
|
|
||||||
|
/** A service to check authorization grants for a given user for entity-types and -instances
|
||||||
|
*
|
||||||
|
* If there is one or more GrantEntity objects within an authenticated user-request, this service
|
||||||
|
* can be used check the authenticated user access grant within the object. Check if a given user
|
||||||
|
* has write, modify or even read-only rights on an entity instance or on an entity type. */
|
||||||
|
public interface AuthorizationService {
|
||||||
|
|
||||||
|
/** Gets the UserService that is bundled within the AuthorizationGrantService
|
||||||
|
*
|
||||||
|
* @return the UserService that is bundled within the AuthorizationGrantService */
|
||||||
|
UserService getUserService();
|
||||||
|
|
||||||
|
/** All Privileges in a collection.
|
||||||
|
*
|
||||||
|
* @return all registered Privileges */
|
||||||
|
Collection<Privilege> getAllPrivileges();
|
||||||
|
|
||||||
|
boolean hasPrivilege(
|
||||||
|
PrivilegeType privilegeType,
|
||||||
|
EntityType entityType,
|
||||||
|
Long institutionId,
|
||||||
|
String userId,
|
||||||
|
Long userInstitutionId,
|
||||||
|
Set<UserRole> userRoles);
|
||||||
|
|
||||||
|
boolean hasPrivilege(PrivilegeType privilegeType, GrantEntity grantEntity);
|
||||||
|
|
||||||
|
default boolean hasPrivilege(final PrivilegeType privilegeType, final EntityType entityType) {
|
||||||
|
final SEBServerUser currentUser = getUserService().getCurrentUser();
|
||||||
|
final UserInfo userInfo = currentUser.getUserInfo();
|
||||||
|
return hasPrivilege(
|
||||||
|
privilegeType,
|
||||||
|
entityType,
|
||||||
|
null,
|
||||||
|
userInfo.uuid,
|
||||||
|
userInfo.institutionId,
|
||||||
|
currentUser.getUserRoles());
|
||||||
|
}
|
||||||
|
|
||||||
|
default boolean hasPrivilege(
|
||||||
|
final PrivilegeType privilegeType,
|
||||||
|
final EntityType entityType,
|
||||||
|
final Long institutionId) {
|
||||||
|
|
||||||
|
final SEBServerUser currentUser = getUserService().getCurrentUser();
|
||||||
|
final UserInfo userInfo = currentUser.getUserInfo();
|
||||||
|
return hasPrivilege(
|
||||||
|
privilegeType,
|
||||||
|
entityType,
|
||||||
|
institutionId,
|
||||||
|
userInfo.uuid,
|
||||||
|
userInfo.institutionId,
|
||||||
|
currentUser.getUserRoles());
|
||||||
|
}
|
||||||
|
|
||||||
|
default boolean hasReadonlyPrivilege(final GrantEntity grantEntity) {
|
||||||
|
return hasPrivilege(PrivilegeType.READ_ONLY, grantEntity);
|
||||||
|
}
|
||||||
|
|
||||||
|
default boolean hasModifyPrivilege(final GrantEntity grantEntity) {
|
||||||
|
return hasPrivilege(PrivilegeType.MODIFY, grantEntity);
|
||||||
|
}
|
||||||
|
|
||||||
|
default boolean hasWritePrivilege(final GrantEntity grantEntity) {
|
||||||
|
return hasPrivilege(PrivilegeType.WRITE, grantEntity);
|
||||||
|
}
|
||||||
|
|
||||||
|
default void check(final PrivilegeType privilegeType, final EntityType entityType) {
|
||||||
|
check(privilegeType, entityType, null);
|
||||||
|
}
|
||||||
|
|
||||||
|
default void check(final PrivilegeType privilegeType, final EntityType entityType, final Long institutionId) {
|
||||||
|
if (!hasPrivilege(privilegeType, entityType, institutionId)) {
|
||||||
|
throw new PermissionDeniedException(
|
||||||
|
entityType,
|
||||||
|
privilegeType,
|
||||||
|
getUserService().getCurrentUser().getUserInfo().uuid);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
default <E extends GrantEntity> Result<E> check(final PrivilegeType privilegeType, final E grantEntity) {
|
||||||
|
if (!hasPrivilege(privilegeType, grantEntity)) {
|
||||||
|
throw new PermissionDeniedException(
|
||||||
|
grantEntity,
|
||||||
|
privilegeType,
|
||||||
|
getUserService().getCurrentUser().getUserInfo().uuid);
|
||||||
|
}
|
||||||
|
|
||||||
|
return Result.of(grantEntity);
|
||||||
|
}
|
||||||
|
|
||||||
|
default <E extends GrantEntity> Result<E> checkReadonly(final E grantEntity) {
|
||||||
|
return check(PrivilegeType.READ_ONLY, grantEntity);
|
||||||
|
}
|
||||||
|
|
||||||
|
default <E extends GrantEntity> Result<E> checkModify(final E grantEntity) {
|
||||||
|
return check(PrivilegeType.MODIFY, grantEntity);
|
||||||
|
}
|
||||||
|
|
||||||
|
default <E extends GrantEntity> Result<E> checkWrite(final E grantEntity) {
|
||||||
|
return check(PrivilegeType.WRITE, grantEntity);
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,214 @@
|
||||||
|
/*
|
||||||
|
* Copyright (c) 2018 ETH Zürich, Educational Development and Technology (LET)
|
||||||
|
*
|
||||||
|
* This Source Code Form is subject to the terms of the Mozilla Public
|
||||||
|
* License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||||
|
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||||
|
*/
|
||||||
|
|
||||||
|
package ch.ethz.seb.sebserver.webservice.servicelayer.authorization;
|
||||||
|
|
||||||
|
import java.util.Collection;
|
||||||
|
import java.util.Collections;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.Map;
|
||||||
|
import java.util.Set;
|
||||||
|
|
||||||
|
import javax.annotation.PostConstruct;
|
||||||
|
|
||||||
|
import org.springframework.context.annotation.Lazy;
|
||||||
|
import org.springframework.stereotype.Service;
|
||||||
|
|
||||||
|
import ch.ethz.seb.sebserver.gbl.authorization.Privilege;
|
||||||
|
import ch.ethz.seb.sebserver.gbl.authorization.Privilege.RoleTypeKey;
|
||||||
|
import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType;
|
||||||
|
import ch.ethz.seb.sebserver.gbl.model.EntityType;
|
||||||
|
import ch.ethz.seb.sebserver.gbl.model.user.UserInfo;
|
||||||
|
import ch.ethz.seb.sebserver.gbl.model.user.UserRole;
|
||||||
|
import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
|
||||||
|
|
||||||
|
@Lazy
|
||||||
|
@Service
|
||||||
|
@WebServiceProfile
|
||||||
|
public class AuthorizationServiceImpl implements AuthorizationService {
|
||||||
|
|
||||||
|
private final UserService userService;
|
||||||
|
|
||||||
|
/** Map of role based grants for specified entity types. */
|
||||||
|
private final Map<Privilege.RoleTypeKey, Privilege> privileges = new HashMap<>();
|
||||||
|
|
||||||
|
public AuthorizationServiceImpl(final UserService userService) {
|
||||||
|
this.userService = userService;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public UserService getUserService() {
|
||||||
|
return this.userService;
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public Collection<Privilege> getAllPrivileges() {
|
||||||
|
return Collections.unmodifiableCollection(this.privileges.values());
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Initialize the (hard-coded) grants */
|
||||||
|
@PostConstruct
|
||||||
|
public void init() {
|
||||||
|
// grants for institution
|
||||||
|
addPrivilege(EntityType.INSTITUTION)
|
||||||
|
.forRole(UserRole.SEB_SERVER_ADMIN)
|
||||||
|
.withBasePrivilege(PrivilegeType.WRITE)
|
||||||
|
.andForRole(UserRole.INSTITUTIONAL_ADMIN)
|
||||||
|
.withInstitutionalPrivilege(PrivilegeType.MODIFY)
|
||||||
|
.andForRole(UserRole.EXAM_ADMIN)
|
||||||
|
.withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
|
||||||
|
.andForRole(UserRole.EXAM_SUPPORTER)
|
||||||
|
.withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
|
||||||
|
.create();
|
||||||
|
|
||||||
|
// grants for lms setup
|
||||||
|
addPrivilege(EntityType.LMS_SETUP)
|
||||||
|
.forRole(UserRole.SEB_SERVER_ADMIN)
|
||||||
|
.withBasePrivilege(PrivilegeType.WRITE)
|
||||||
|
.andForRole(UserRole.INSTITUTIONAL_ADMIN)
|
||||||
|
.withInstitutionalPrivilege(PrivilegeType.WRITE)
|
||||||
|
.andForRole(UserRole.EXAM_ADMIN)
|
||||||
|
.withInstitutionalPrivilege(PrivilegeType.MODIFY)
|
||||||
|
.andForRole(UserRole.EXAM_SUPPORTER)
|
||||||
|
.withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
|
||||||
|
.create();
|
||||||
|
|
||||||
|
// grants for user account
|
||||||
|
addPrivilege(EntityType.USER)
|
||||||
|
.forRole(UserRole.SEB_SERVER_ADMIN)
|
||||||
|
.withBasePrivilege(PrivilegeType.WRITE)
|
||||||
|
.andForRole(UserRole.INSTITUTIONAL_ADMIN)
|
||||||
|
.withInstitutionalPrivilege(PrivilegeType.WRITE)
|
||||||
|
.andForRole(UserRole.EXAM_ADMIN)
|
||||||
|
.withOwnerPrivilege(PrivilegeType.MODIFY)
|
||||||
|
.andForRole(UserRole.EXAM_SUPPORTER)
|
||||||
|
.withOwnerPrivilege(PrivilegeType.MODIFY)
|
||||||
|
.create();
|
||||||
|
|
||||||
|
// grants for user activity logs
|
||||||
|
addPrivilege(EntityType.USER_ACTIVITY_LOG)
|
||||||
|
.forRole(UserRole.SEB_SERVER_ADMIN)
|
||||||
|
.withBasePrivilege(PrivilegeType.READ_ONLY)
|
||||||
|
.andForRole(UserRole.INSTITUTIONAL_ADMIN)
|
||||||
|
.withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
|
||||||
|
.create();
|
||||||
|
|
||||||
|
// grants for exam
|
||||||
|
addPrivilege(EntityType.EXAM)
|
||||||
|
.forRole(UserRole.SEB_SERVER_ADMIN)
|
||||||
|
.withBasePrivilege(PrivilegeType.READ_ONLY)
|
||||||
|
.andForRole(UserRole.INSTITUTIONAL_ADMIN)
|
||||||
|
.withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
|
||||||
|
.andForRole(UserRole.EXAM_ADMIN)
|
||||||
|
.withInstitutionalPrivilege(PrivilegeType.READ_ONLY)
|
||||||
|
.withOwnerPrivilege(PrivilegeType.WRITE)
|
||||||
|
.andForRole(UserRole.EXAM_SUPPORTER)
|
||||||
|
.withOwnerPrivilege(PrivilegeType.MODIFY)
|
||||||
|
.create();
|
||||||
|
|
||||||
|
// TODO other entities
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean hasPrivilege(
|
||||||
|
final PrivilegeType privilegeType,
|
||||||
|
final EntityType entityType,
|
||||||
|
final Long institutionId,
|
||||||
|
final String userId,
|
||||||
|
final Long userInstitutionId,
|
||||||
|
final Set<UserRole> userRoles) {
|
||||||
|
|
||||||
|
return userRoles
|
||||||
|
.stream()
|
||||||
|
.map(role -> new RoleTypeKey(entityType, role))
|
||||||
|
.map(key -> this.privileges.get(key))
|
||||||
|
.filter(priv -> (priv != null) && priv.hasGrant(
|
||||||
|
userId,
|
||||||
|
userInstitutionId,
|
||||||
|
privilegeType,
|
||||||
|
institutionId,
|
||||||
|
null))
|
||||||
|
.findFirst()
|
||||||
|
.isPresent();
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean hasPrivilege(final PrivilegeType privilegeType, final GrantEntity grantEntity) {
|
||||||
|
final UserInfo userInfo = this.userService.getCurrentUser().getUserInfo();
|
||||||
|
return userInfo.getRoles()
|
||||||
|
.stream()
|
||||||
|
.map(roleName -> UserRole.valueOf(roleName))
|
||||||
|
.map(role -> new RoleTypeKey(grantEntity.entityType(), role))
|
||||||
|
.map(key -> this.privileges.get(key))
|
||||||
|
.filter(priv -> (priv != null) && priv.hasGrant(
|
||||||
|
userInfo.uuid,
|
||||||
|
userInfo.institutionId,
|
||||||
|
privilegeType,
|
||||||
|
grantEntity.getInstitutionId(),
|
||||||
|
grantEntity.getOwnerId()))
|
||||||
|
.findFirst()
|
||||||
|
.isPresent();
|
||||||
|
}
|
||||||
|
|
||||||
|
private PrivilegeBuilder addPrivilege(final EntityType entityType) {
|
||||||
|
return new PrivilegeBuilder(entityType);
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Implements a GrantRuleBuilder for internal use and to make the code more readable.
|
||||||
|
* See init (PostConstruct) */
|
||||||
|
private final class PrivilegeBuilder {
|
||||||
|
private final EntityType entityType;
|
||||||
|
private UserRole userRole;
|
||||||
|
private PrivilegeType basePrivilege = PrivilegeType.NONE;
|
||||||
|
private PrivilegeType institutionalPrivilege = PrivilegeType.NONE;
|
||||||
|
private PrivilegeType ownerPrivilege = PrivilegeType.NONE;
|
||||||
|
|
||||||
|
public PrivilegeBuilder(final EntityType entityType) {
|
||||||
|
super();
|
||||||
|
this.entityType = entityType;
|
||||||
|
}
|
||||||
|
|
||||||
|
public PrivilegeBuilder forRole(final UserRole userRole) {
|
||||||
|
this.userRole = userRole;
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
public PrivilegeBuilder withBasePrivilege(final PrivilegeType basePrivilege) {
|
||||||
|
this.basePrivilege = basePrivilege;
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
public PrivilegeBuilder withInstitutionalPrivilege(final PrivilegeType institutionalPrivilege) {
|
||||||
|
this.institutionalPrivilege = institutionalPrivilege;
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
public PrivilegeBuilder withOwnerPrivilege(final PrivilegeType ownerPrivilege) {
|
||||||
|
this.ownerPrivilege = ownerPrivilege;
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
|
public PrivilegeBuilder andForRole(final UserRole userRole) {
|
||||||
|
create();
|
||||||
|
return new PrivilegeBuilder(this.entityType)
|
||||||
|
.forRole(userRole);
|
||||||
|
}
|
||||||
|
|
||||||
|
public void create() {
|
||||||
|
final RoleTypeKey roleTypeKey = new RoleTypeKey(this.entityType, this.userRole);
|
||||||
|
final Privilege roleTypeGrant = new Privilege(
|
||||||
|
roleTypeKey,
|
||||||
|
this.basePrivilege,
|
||||||
|
this.institutionalPrivilege,
|
||||||
|
this.ownerPrivilege);
|
||||||
|
|
||||||
|
AuthorizationServiceImpl.this.privileges.put(roleTypeKey, roleTypeGrant);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
|
@ -15,7 +15,6 @@ import org.springframework.web.bind.annotation.RequestMethod;
|
||||||
import org.springframework.web.bind.annotation.RequestParam;
|
import org.springframework.web.bind.annotation.RequestParam;
|
||||||
|
|
||||||
import ch.ethz.seb.sebserver.gbl.api.API;
|
import ch.ethz.seb.sebserver.gbl.api.API;
|
||||||
import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType;
|
|
||||||
import ch.ethz.seb.sebserver.gbl.model.Entity;
|
import ch.ethz.seb.sebserver.gbl.model.Entity;
|
||||||
import ch.ethz.seb.sebserver.gbl.model.EntityKey;
|
import ch.ethz.seb.sebserver.gbl.model.EntityKey;
|
||||||
import ch.ethz.seb.sebserver.gbl.model.EntityProcessingReport;
|
import ch.ethz.seb.sebserver.gbl.model.EntityProcessingReport;
|
||||||
|
@ -24,7 +23,7 @@ import ch.ethz.seb.sebserver.gbl.model.Page;
|
||||||
import ch.ethz.seb.sebserver.gbl.util.Result;
|
import ch.ethz.seb.sebserver.gbl.util.Result;
|
||||||
import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.UserRecordDynamicSqlSupport;
|
import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.UserRecordDynamicSqlSupport;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.GrantEntity;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.GrantEntity;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkAction;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkAction;
|
||||||
|
@ -40,7 +39,7 @@ public abstract class ActivatableEntityController<T extends GrantEntity, M exten
|
||||||
private final ActivatableEntityDAO<T, M> activatableEntityDAO;
|
private final ActivatableEntityDAO<T, M> activatableEntityDAO;
|
||||||
|
|
||||||
public ActivatableEntityController(
|
public ActivatableEntityController(
|
||||||
final AuthorizationGrantService authorizationGrantService,
|
final AuthorizationService authorizationGrantService,
|
||||||
final BulkActionService bulkActionService,
|
final BulkActionService bulkActionService,
|
||||||
final ActivatableEntityDAO<T, M> entityDAO,
|
final ActivatableEntityDAO<T, M> entityDAO,
|
||||||
final UserActivityLogDAO userActivityLogDAO,
|
final UserActivityLogDAO userActivityLogDAO,
|
||||||
|
@ -130,9 +129,7 @@ public abstract class ActivatableEntityController<T extends GrantEntity, M exten
|
||||||
new EntityKey(id, entityType));
|
new EntityKey(id, entityType));
|
||||||
|
|
||||||
return this.entityDAO.byModelId(id)
|
return this.entityDAO.byModelId(id)
|
||||||
.flatMap(entity -> this.authorizationGrantService.checkGrantOnEntity(
|
.flatMap(this.authorization::checkWrite)
|
||||||
entity,
|
|
||||||
PrivilegeType.WRITE))
|
|
||||||
.flatMap(entity -> this.bulkActionService.createReport(bulkAction));
|
.flatMap(entity -> this.bulkActionService.createReport(bulkAction));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -10,7 +10,6 @@ package ch.ethz.seb.sebserver.webservice.weblayer.api;
|
||||||
|
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Collection;
|
import java.util.Collection;
|
||||||
import java.util.function.Predicate;
|
|
||||||
import java.util.stream.Collectors;
|
import java.util.stream.Collectors;
|
||||||
|
|
||||||
import javax.validation.Valid;
|
import javax.validation.Valid;
|
||||||
|
@ -39,7 +38,7 @@ import ch.ethz.seb.sebserver.gbl.model.EntityType;
|
||||||
import ch.ethz.seb.sebserver.gbl.model.Page;
|
import ch.ethz.seb.sebserver.gbl.model.Page;
|
||||||
import ch.ethz.seb.sebserver.gbl.util.Result;
|
import ch.ethz.seb.sebserver.gbl.util.Result;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.GrantEntity;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.GrantEntity;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkAction;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkAction;
|
||||||
|
@ -53,7 +52,7 @@ import ch.ethz.seb.sebserver.webservice.servicelayer.validation.BeanValidationSe
|
||||||
|
|
||||||
public abstract class EntityController<T extends GrantEntity, M extends GrantEntity> {
|
public abstract class EntityController<T extends GrantEntity, M extends GrantEntity> {
|
||||||
|
|
||||||
protected final AuthorizationGrantService authorizationGrantService;
|
protected final AuthorizationService authorization;
|
||||||
protected final BulkActionService bulkActionService;
|
protected final BulkActionService bulkActionService;
|
||||||
protected final EntityDAO<T, M> entityDAO;
|
protected final EntityDAO<T, M> entityDAO;
|
||||||
protected final UserActivityLogDAO userActivityLogDAO;
|
protected final UserActivityLogDAO userActivityLogDAO;
|
||||||
|
@ -61,14 +60,14 @@ public abstract class EntityController<T extends GrantEntity, M extends GrantEnt
|
||||||
protected final BeanValidationService beanValidationService;
|
protected final BeanValidationService beanValidationService;
|
||||||
|
|
||||||
protected EntityController(
|
protected EntityController(
|
||||||
final AuthorizationGrantService authorizationGrantService,
|
final AuthorizationService authorization,
|
||||||
final BulkActionService bulkActionService,
|
final BulkActionService bulkActionService,
|
||||||
final EntityDAO<T, M> entityDAO,
|
final EntityDAO<T, M> entityDAO,
|
||||||
final UserActivityLogDAO userActivityLogDAO,
|
final UserActivityLogDAO userActivityLogDAO,
|
||||||
final PaginationService paginationService,
|
final PaginationService paginationService,
|
||||||
final BeanValidationService beanValidationService) {
|
final BeanValidationService beanValidationService) {
|
||||||
|
|
||||||
this.authorizationGrantService = authorizationGrantService;
|
this.authorization = authorization;
|
||||||
this.bulkActionService = bulkActionService;
|
this.bulkActionService = bulkActionService;
|
||||||
this.entityDAO = entityDAO;
|
this.entityDAO = entityDAO;
|
||||||
this.userActivityLogDAO = userActivityLogDAO;
|
this.userActivityLogDAO = userActivityLogDAO;
|
||||||
|
@ -78,7 +77,7 @@ public abstract class EntityController<T extends GrantEntity, M extends GrantEnt
|
||||||
|
|
||||||
@InitBinder
|
@InitBinder
|
||||||
public void initBinder(final WebDataBinder binder) throws Exception {
|
public void initBinder(final WebDataBinder binder) throws Exception {
|
||||||
this.authorizationGrantService
|
this.authorization
|
||||||
.getUserService()
|
.getUserService()
|
||||||
.addUsersInstitutionDefaultPropertySupport(binder);
|
.addUsersInstitutionDefaultPropertySupport(binder);
|
||||||
}
|
}
|
||||||
|
@ -153,9 +152,7 @@ public abstract class EntityController<T extends GrantEntity, M extends GrantEnt
|
||||||
|
|
||||||
return this.entityDAO
|
return this.entityDAO
|
||||||
.byModelId(modelId)
|
.byModelId(modelId)
|
||||||
.flatMap(entity -> this.authorizationGrantService.checkGrantOnEntity(
|
.flatMap(this.authorization::checkReadonly)
|
||||||
entity,
|
|
||||||
PrivilegeType.READ_ONLY))
|
|
||||||
.getOrThrow();
|
.getOrThrow();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -181,7 +178,7 @@ public abstract class EntityController<T extends GrantEntity, M extends GrantEnt
|
||||||
.flatMap(this.entityDAO::loadEntities)
|
.flatMap(this.entityDAO::loadEntities)
|
||||||
.getOrThrow()
|
.getOrThrow()
|
||||||
.stream()
|
.stream()
|
||||||
.filter(entity -> this.authorizationGrantService.hasGrant(entity, PrivilegeType.READ_ONLY))
|
.filter(this.authorization::hasReadonlyPrivilege)
|
||||||
.collect(Collectors.toList());
|
.collect(Collectors.toList());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -201,9 +198,9 @@ public abstract class EntityController<T extends GrantEntity, M extends GrantEnt
|
||||||
defaultValue = UserService.USERS_INSTITUTION_AS_DEFAULT) final Long institutionId) {
|
defaultValue = UserService.USERS_INSTITUTION_AS_DEFAULT) final Long institutionId) {
|
||||||
|
|
||||||
// check write privilege for requested institution and concrete entityType
|
// check write privilege for requested institution and concrete entityType
|
||||||
this.authorizationGrantService.checkPrivilege(
|
this.authorization.check(
|
||||||
this.entityDAO.entityType(),
|
|
||||||
PrivilegeType.WRITE,
|
PrivilegeType.WRITE,
|
||||||
|
this.entityDAO.entityType(),
|
||||||
institutionId);
|
institutionId);
|
||||||
|
|
||||||
final POSTMapper postMap = new POSTMapper(allRequestParams)
|
final POSTMapper postMap = new POSTMapper(allRequestParams)
|
||||||
|
@ -232,7 +229,7 @@ public abstract class EntityController<T extends GrantEntity, M extends GrantEnt
|
||||||
@Valid @RequestBody final M modifyData) {
|
@Valid @RequestBody final M modifyData) {
|
||||||
|
|
||||||
return this.beanValidationService.validateBean(modifyData)
|
return this.beanValidationService.validateBean(modifyData)
|
||||||
.flatMap(m -> this.authorizationGrantService.checkGrantOnEntity(m, PrivilegeType.MODIFY))
|
.flatMap(this.authorization::checkModify)
|
||||||
.flatMap(m -> this.entityDAO.save(modelId, m))
|
.flatMap(m -> this.entityDAO.save(modelId, m))
|
||||||
.flatMap(e -> this.userActivityLogDAO.log(ActivityType.MODIFY, e))
|
.flatMap(e -> this.userActivityLogDAO.log(ActivityType.MODIFY, e))
|
||||||
.flatMap(e -> notifySaved(modifyData, e))
|
.flatMap(e -> notifySaved(modifyData, e))
|
||||||
|
@ -284,26 +281,22 @@ public abstract class EntityController<T extends GrantEntity, M extends GrantEnt
|
||||||
new EntityKey(modelId, entityType));
|
new EntityKey(modelId, entityType));
|
||||||
|
|
||||||
return this.entityDAO.byModelId(modelId)
|
return this.entityDAO.byModelId(modelId)
|
||||||
.flatMap(entity -> this.authorizationGrantService.checkGrantOnEntity(
|
.flatMap(this.authorization::checkWrite)
|
||||||
entity,
|
|
||||||
PrivilegeType.WRITE))
|
|
||||||
.flatMap(entity -> this.bulkActionService.createReport(bulkAction))
|
.flatMap(entity -> this.bulkActionService.createReport(bulkAction))
|
||||||
.getOrThrow();
|
.getOrThrow();
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void checkReadPrivilege(final Long institutionId) {
|
protected void checkReadPrivilege(final Long institutionId) {
|
||||||
this.authorizationGrantService.checkPrivilege(
|
this.authorization.check(
|
||||||
this.entityDAO.entityType(),
|
|
||||||
PrivilegeType.READ_ONLY,
|
PrivilegeType.READ_ONLY,
|
||||||
|
this.entityDAO.entityType(),
|
||||||
institutionId);
|
institutionId);
|
||||||
}
|
}
|
||||||
|
|
||||||
protected Result<Collection<T>> getAll(final FilterMap filterMap) {
|
protected Result<Collection<T>> getAll(final FilterMap filterMap) {
|
||||||
final Predicate<T> grantFilter = this.authorizationGrantService.getGrantFilter(
|
return this.entityDAO.allMatching(
|
||||||
this.entityDAO.entityType(),
|
filterMap,
|
||||||
PrivilegeType.READ_ONLY);
|
this.authorization::hasReadonlyPrivilege);
|
||||||
|
|
||||||
return this.entityDAO.allMatching(filterMap, grantFilter);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
protected Result<T> notifySaved(final M modifyData, final T entity) {
|
protected Result<T> notifySaved(final M modifyData, final T entity) {
|
||||||
|
|
|
@ -45,7 +45,7 @@ import ch.ethz.seb.sebserver.gbl.util.Utils;
|
||||||
import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.ExamRecordDynamicSqlSupport;
|
import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.ExamRecordDynamicSqlSupport;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService.SortOrder;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService.SortOrder;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkActionService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkActionService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.ExamDAO;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.ExamDAO;
|
||||||
|
@ -66,7 +66,7 @@ public class ExamAdministrationController extends ActivatableEntityController<Ex
|
||||||
private final LmsAPIService lmsAPIService;
|
private final LmsAPIService lmsAPIService;
|
||||||
|
|
||||||
public ExamAdministrationController(
|
public ExamAdministrationController(
|
||||||
final AuthorizationGrantService authorizationGrantService,
|
final AuthorizationService authorization,
|
||||||
final UserActivityLogDAO userActivityLogDAO,
|
final UserActivityLogDAO userActivityLogDAO,
|
||||||
final ExamDAO examDAO,
|
final ExamDAO examDAO,
|
||||||
final PaginationService paginationService,
|
final PaginationService paginationService,
|
||||||
|
@ -75,7 +75,7 @@ public class ExamAdministrationController extends ActivatableEntityController<Ex
|
||||||
final IndicatorDAO indicatorDAO,
|
final IndicatorDAO indicatorDAO,
|
||||||
final LmsAPIService lmsAPIService) {
|
final LmsAPIService lmsAPIService) {
|
||||||
|
|
||||||
super(authorizationGrantService,
|
super(authorization,
|
||||||
bulkActionService,
|
bulkActionService,
|
||||||
examDAO,
|
examDAO,
|
||||||
userActivityLogDAO,
|
userActivityLogDAO,
|
||||||
|
@ -124,9 +124,9 @@ public class ExamAdministrationController extends ActivatableEntityController<Ex
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
this.authorizationGrantService.checkPrivilege(
|
this.authorization.check(
|
||||||
EntityType.EXAM,
|
|
||||||
PrivilegeType.READ_ONLY,
|
PrivilegeType.READ_ONLY,
|
||||||
|
EntityType.EXAM,
|
||||||
institutionId);
|
institutionId);
|
||||||
|
|
||||||
final int pageNum = this.paginationService.getPageNumber(pageNumber);
|
final int pageNum = this.paginationService.getPageNumber(pageNumber);
|
||||||
|
@ -161,7 +161,7 @@ public class ExamAdministrationController extends ActivatableEntityController<Ex
|
||||||
public Collection<Indicator> getIndicatorOfExam(@PathVariable final Long examId) {
|
public Collection<Indicator> getIndicatorOfExam(@PathVariable final Long examId) {
|
||||||
// check read-only grant on Exam
|
// check read-only grant on Exam
|
||||||
this.examDAO.byPK(examId)
|
this.examDAO.byPK(examId)
|
||||||
.map(exam -> this.authorizationGrantService.checkGrantOnEntity(exam, PrivilegeType.READ_ONLY))
|
.map(this.authorization::checkReadonly)
|
||||||
.getOrThrow();
|
.getOrThrow();
|
||||||
|
|
||||||
return this.indicatorDAO.allForExam(examId)
|
return this.indicatorDAO.allForExam(examId)
|
||||||
|
@ -175,7 +175,7 @@ public class ExamAdministrationController extends ActivatableEntityController<Ex
|
||||||
|
|
||||||
// check write grant on Exam
|
// check write grant on Exam
|
||||||
this.examDAO.byPK(examId)
|
this.examDAO.byPK(examId)
|
||||||
.map(exam -> this.authorizationGrantService.checkGrantOnEntity(exam, PrivilegeType.WRITE))
|
.map(this.authorization::checkWrite)
|
||||||
.getOrThrow();
|
.getOrThrow();
|
||||||
|
|
||||||
final Set<EntityKey> toDelete = (indicatorId != null)
|
final Set<EntityKey> toDelete = (indicatorId != null)
|
||||||
|
@ -199,7 +199,7 @@ public class ExamAdministrationController extends ActivatableEntityController<Ex
|
||||||
|
|
||||||
// check write grant on Exam
|
// check write grant on Exam
|
||||||
this.examDAO.byPK(examId)
|
this.examDAO.byPK(examId)
|
||||||
.flatMap(exam -> this.authorizationGrantService.checkGrantOnEntity(exam, PrivilegeType.WRITE))
|
.flatMap(this.authorization::checkWrite)
|
||||||
.getOrThrow();
|
.getOrThrow();
|
||||||
|
|
||||||
if (indicator.id != null) {
|
if (indicator.id != null) {
|
||||||
|
@ -219,7 +219,7 @@ public class ExamAdministrationController extends ActivatableEntityController<Ex
|
||||||
|
|
||||||
// check modify grant on Exam
|
// check modify grant on Exam
|
||||||
this.examDAO.byPK(indicator.examId)
|
this.examDAO.byPK(indicator.examId)
|
||||||
.flatMap(e -> this.authorizationGrantService.checkGrantOnEntity(e, PrivilegeType.MODIFY))
|
.flatMap(this.authorization::checkModify)
|
||||||
.getOrThrow();
|
.getOrThrow();
|
||||||
|
|
||||||
return this.indicatorDAO
|
return this.indicatorDAO
|
||||||
|
|
|
@ -19,7 +19,7 @@ import org.springframework.web.bind.annotation.RestController;
|
||||||
import ch.ethz.seb.sebserver.gbl.api.API;
|
import ch.ethz.seb.sebserver.gbl.api.API;
|
||||||
import ch.ethz.seb.sebserver.gbl.authorization.Privilege;
|
import ch.ethz.seb.sebserver.gbl.authorization.Privilege;
|
||||||
import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
|
import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.InstitutionDAO;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.InstitutionDAO;
|
||||||
|
|
||||||
@WebServiceProfile
|
@WebServiceProfile
|
||||||
|
@ -28,11 +28,11 @@ import ch.ethz.seb.sebserver.webservice.servicelayer.dao.InstitutionDAO;
|
||||||
public class InfoController {
|
public class InfoController {
|
||||||
|
|
||||||
private final InstitutionDAO institutionDAO;
|
private final InstitutionDAO institutionDAO;
|
||||||
private final AuthorizationGrantService authorizationGrantService;
|
private final AuthorizationService authorizationGrantService;
|
||||||
|
|
||||||
protected InfoController(
|
protected InfoController(
|
||||||
final InstitutionDAO institutionDAO,
|
final InstitutionDAO institutionDAO,
|
||||||
final AuthorizationGrantService authorizationGrantService) {
|
final AuthorizationService authorizationGrantService) {
|
||||||
|
|
||||||
this.institutionDAO = institutionDAO;
|
this.institutionDAO = institutionDAO;
|
||||||
this.authorizationGrantService = authorizationGrantService;
|
this.authorizationGrantService = authorizationGrantService;
|
||||||
|
|
|
@ -19,7 +19,7 @@ import ch.ethz.seb.sebserver.gbl.model.institution.Institution;
|
||||||
import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
|
import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
|
||||||
import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.InstitutionRecordDynamicSqlSupport;
|
import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.InstitutionRecordDynamicSqlSupport;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.SEBServerUser;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.SEBServerUser;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkActionService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkActionService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.InstitutionDAO;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.InstitutionDAO;
|
||||||
|
@ -35,13 +35,13 @@ public class InstitutionController extends ActivatableEntityController<Instituti
|
||||||
|
|
||||||
public InstitutionController(
|
public InstitutionController(
|
||||||
final InstitutionDAO institutionDAO,
|
final InstitutionDAO institutionDAO,
|
||||||
final AuthorizationGrantService authorizationGrantService,
|
final AuthorizationService authorization,
|
||||||
final UserActivityLogDAO userActivityLogDAO,
|
final UserActivityLogDAO userActivityLogDAO,
|
||||||
final BulkActionService bulkActionService,
|
final BulkActionService bulkActionService,
|
||||||
final PaginationService paginationService,
|
final PaginationService paginationService,
|
||||||
final BeanValidationService beanValidationService) {
|
final BeanValidationService beanValidationService) {
|
||||||
|
|
||||||
super(authorizationGrantService,
|
super(authorization,
|
||||||
bulkActionService,
|
bulkActionService,
|
||||||
institutionDAO,
|
institutionDAO,
|
||||||
userActivityLogDAO,
|
userActivityLogDAO,
|
||||||
|
@ -63,7 +63,7 @@ public class InstitutionController extends ActivatableEntityController<Instituti
|
||||||
|
|
||||||
@RequestMapping(path = API.SELF_PATH_SEGMENT, method = RequestMethod.GET)
|
@RequestMapping(path = API.SELF_PATH_SEGMENT, method = RequestMethod.GET)
|
||||||
public Institution getOwn() {
|
public Institution getOwn() {
|
||||||
final SEBServerUser currentUser = this.authorizationGrantService
|
final SEBServerUser currentUser = this.authorization
|
||||||
.getUserService()
|
.getUserService()
|
||||||
.getCurrentUser();
|
.getCurrentUser();
|
||||||
|
|
||||||
|
|
|
@ -30,7 +30,7 @@ import ch.ethz.seb.sebserver.gbl.model.institution.LmsSetupTestResult;
|
||||||
import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
|
import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
|
||||||
import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.LmsSetupRecordDynamicSqlSupport;
|
import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.LmsSetupRecordDynamicSqlSupport;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkActionService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkActionService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.LmsSetupDAO;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.LmsSetupDAO;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserActivityLogDAO;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserActivityLogDAO;
|
||||||
|
@ -46,14 +46,14 @@ public class LmsSetupController extends ActivatableEntityController<LmsSetup, Lm
|
||||||
|
|
||||||
public LmsSetupController(
|
public LmsSetupController(
|
||||||
final LmsSetupDAO lmsSetupDAO,
|
final LmsSetupDAO lmsSetupDAO,
|
||||||
final AuthorizationGrantService authorizationGrantService,
|
final AuthorizationService authorization,
|
||||||
final UserActivityLogDAO userActivityLogDAO,
|
final UserActivityLogDAO userActivityLogDAO,
|
||||||
final BulkActionService bulkActionService,
|
final BulkActionService bulkActionService,
|
||||||
final LmsAPIService lmsAPIService,
|
final LmsAPIService lmsAPIService,
|
||||||
final PaginationService paginationService,
|
final PaginationService paginationService,
|
||||||
final BeanValidationService beanValidationService) {
|
final BeanValidationService beanValidationService) {
|
||||||
|
|
||||||
super(authorizationGrantService,
|
super(authorization,
|
||||||
bulkActionService,
|
bulkActionService,
|
||||||
lmsSetupDAO,
|
lmsSetupDAO,
|
||||||
userActivityLogDAO,
|
userActivityLogDAO,
|
||||||
|
@ -81,9 +81,7 @@ public class LmsSetupController extends ActivatableEntityController<LmsSetup, Lm
|
||||||
@PathVariable final Long modelId,
|
@PathVariable final Long modelId,
|
||||||
final HttpServletResponse response) {
|
final HttpServletResponse response) {
|
||||||
|
|
||||||
this.authorizationGrantService.checkHasAnyPrivilege(
|
this.authorization.check(PrivilegeType.WRITE, EntityType.LMS_SETUP);
|
||||||
EntityType.LMS_SETUP,
|
|
||||||
PrivilegeType.WRITE);
|
|
||||||
|
|
||||||
response.setContentType(MediaType.APPLICATION_OCTET_STREAM_VALUE);
|
response.setContentType(MediaType.APPLICATION_OCTET_STREAM_VALUE);
|
||||||
response.setStatus(HttpStatus.OK.value());
|
response.setStatus(HttpStatus.OK.value());
|
||||||
|
@ -107,9 +105,7 @@ public class LmsSetupController extends ActivatableEntityController<LmsSetup, Lm
|
||||||
produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
|
produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
|
||||||
public LmsSetupTestResult connectionReport(@PathVariable final Long modelId) {
|
public LmsSetupTestResult connectionReport(@PathVariable final Long modelId) {
|
||||||
|
|
||||||
this.authorizationGrantService.checkHasAnyPrivilege(
|
this.authorization.check(PrivilegeType.MODIFY, EntityType.LMS_SETUP);
|
||||||
EntityType.LMS_SETUP,
|
|
||||||
PrivilegeType.MODIFY);
|
|
||||||
|
|
||||||
return this.lmsAPIService.createLmsAPITemplate(modelId)
|
return this.lmsAPIService.createLmsAPITemplate(modelId)
|
||||||
.map(template -> template.testLmsSetup())
|
.map(template -> template.testLmsSetup())
|
||||||
|
|
|
@ -23,7 +23,7 @@ import ch.ethz.seb.sebserver.gbl.model.Page;
|
||||||
import ch.ethz.seb.sebserver.gbl.model.exam.QuizData;
|
import ch.ethz.seb.sebserver.gbl.model.exam.QuizData;
|
||||||
import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
|
import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
|
||||||
import ch.ethz.seb.sebserver.gbl.util.Utils;
|
import ch.ethz.seb.sebserver.gbl.util.Utils;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.lms.LmsAPIService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.lms.LmsAPIService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.lms.LmsAPITemplate;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.lms.LmsAPITemplate;
|
||||||
|
@ -37,18 +37,18 @@ public class QuizImportController {
|
||||||
private final int maxPageSize;
|
private final int maxPageSize;
|
||||||
|
|
||||||
private final LmsAPIService lmsAPIService;
|
private final LmsAPIService lmsAPIService;
|
||||||
private final AuthorizationGrantService authorizationGrantService;
|
private final AuthorizationService authorization;
|
||||||
|
|
||||||
public QuizImportController(
|
public QuizImportController(
|
||||||
@Value("${sebserver.webservice.api.pagination.defaultPageSize:10}") final int defaultPageSize,
|
@Value("${sebserver.webservice.api.pagination.defaultPageSize:10}") final int defaultPageSize,
|
||||||
@Value("${sebserver.webservice.api.pagination.maxPageSize:500}") final int maxPageSize,
|
@Value("${sebserver.webservice.api.pagination.maxPageSize:500}") final int maxPageSize,
|
||||||
final LmsAPIService lmsAPIService,
|
final LmsAPIService lmsAPIService,
|
||||||
final AuthorizationGrantService authorizationGrantService) {
|
final AuthorizationService authorization) {
|
||||||
|
|
||||||
this.defaultPageSize = defaultPageSize;
|
this.defaultPageSize = defaultPageSize;
|
||||||
this.maxPageSize = maxPageSize;
|
this.maxPageSize = maxPageSize;
|
||||||
this.lmsAPIService = lmsAPIService;
|
this.lmsAPIService = lmsAPIService;
|
||||||
this.authorizationGrantService = authorizationGrantService;
|
this.authorization = authorization;
|
||||||
}
|
}
|
||||||
|
|
||||||
@RequestMapping(method = RequestMethod.GET)
|
@RequestMapping(method = RequestMethod.GET)
|
||||||
|
@ -68,9 +68,9 @@ public class QuizImportController {
|
||||||
.createLmsAPITemplate(lmsSetupId)
|
.createLmsAPITemplate(lmsSetupId)
|
||||||
.getOrThrow();
|
.getOrThrow();
|
||||||
|
|
||||||
this.authorizationGrantService.checkPrivilege(
|
this.authorization.check(
|
||||||
EntityType.EXAM,
|
|
||||||
PrivilegeType.READ_ONLY,
|
PrivilegeType.READ_ONLY,
|
||||||
|
EntityType.EXAM,
|
||||||
institutionId);
|
institutionId);
|
||||||
|
|
||||||
return lmsAPITemplate.getQuizzes(
|
return lmsAPITemplate.getQuizzes(
|
||||||
|
|
|
@ -14,15 +14,15 @@ import org.springframework.web.bind.annotation.RequestMapping;
|
||||||
import org.springframework.web.bind.annotation.RequestMethod;
|
import org.springframework.web.bind.annotation.RequestMethod;
|
||||||
import org.springframework.web.bind.annotation.RestController;
|
import org.springframework.web.bind.annotation.RestController;
|
||||||
|
|
||||||
import ch.ethz.seb.sebserver.gbl.api.POSTMapper;
|
|
||||||
import ch.ethz.seb.sebserver.gbl.api.API;
|
import ch.ethz.seb.sebserver.gbl.api.API;
|
||||||
|
import ch.ethz.seb.sebserver.gbl.api.POSTMapper;
|
||||||
import ch.ethz.seb.sebserver.gbl.model.user.UserInfo;
|
import ch.ethz.seb.sebserver.gbl.model.user.UserInfo;
|
||||||
import ch.ethz.seb.sebserver.gbl.model.user.UserMod;
|
import ch.ethz.seb.sebserver.gbl.model.user.UserMod;
|
||||||
import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
|
import ch.ethz.seb.sebserver.gbl.profile.WebServiceProfile;
|
||||||
import ch.ethz.seb.sebserver.gbl.util.Result;
|
import ch.ethz.seb.sebserver.gbl.util.Result;
|
||||||
import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.UserRecordDynamicSqlSupport;
|
import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.UserRecordDynamicSqlSupport;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkActionService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.bulkaction.BulkActionService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserActivityLogDAO;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserActivityLogDAO;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserDAO;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserDAO;
|
||||||
|
@ -38,14 +38,14 @@ public class UserAccountController extends ActivatableEntityController<UserInfo,
|
||||||
|
|
||||||
public UserAccountController(
|
public UserAccountController(
|
||||||
final UserDAO userDao,
|
final UserDAO userDao,
|
||||||
final AuthorizationGrantService authorizationGrantService,
|
final AuthorizationService authorization,
|
||||||
final UserActivityLogDAO userActivityLogDAO,
|
final UserActivityLogDAO userActivityLogDAO,
|
||||||
final PaginationService paginationService,
|
final PaginationService paginationService,
|
||||||
final BulkActionService bulkActionService,
|
final BulkActionService bulkActionService,
|
||||||
final ApplicationEventPublisher applicationEventPublisher,
|
final ApplicationEventPublisher applicationEventPublisher,
|
||||||
final BeanValidationService beanValidationService) {
|
final BeanValidationService beanValidationService) {
|
||||||
|
|
||||||
super(authorizationGrantService,
|
super(authorization,
|
||||||
bulkActionService,
|
bulkActionService,
|
||||||
userDao,
|
userDao,
|
||||||
userActivityLogDAO,
|
userActivityLogDAO,
|
||||||
|
@ -56,7 +56,7 @@ public class UserAccountController extends ActivatableEntityController<UserInfo,
|
||||||
|
|
||||||
@RequestMapping(path = "/me", method = RequestMethod.GET)
|
@RequestMapping(path = "/me", method = RequestMethod.GET)
|
||||||
public UserInfo loggedInUser() {
|
public UserInfo loggedInUser() {
|
||||||
return this.authorizationGrantService
|
return this.authorization
|
||||||
.getUserService()
|
.getUserService()
|
||||||
.getCurrentUser()
|
.getCurrentUser()
|
||||||
.getUserInfo();
|
.getUserInfo();
|
||||||
|
|
|
@ -27,7 +27,7 @@ import ch.ethz.seb.sebserver.gbl.util.Result;
|
||||||
import ch.ethz.seb.sebserver.gbl.util.Utils;
|
import ch.ethz.seb.sebserver.gbl.util.Utils;
|
||||||
import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.UserRecordDynamicSqlSupport;
|
import ch.ethz.seb.sebserver.webservice.datalayer.batis.mapper.UserRecordDynamicSqlSupport;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.PaginationService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationGrantService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.AuthorizationService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.authorization.UserService;
|
||||||
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserActivityLogDAO;
|
import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserActivityLogDAO;
|
||||||
|
|
||||||
|
@ -37,22 +37,22 @@ import ch.ethz.seb.sebserver.webservice.servicelayer.dao.UserActivityLogDAO;
|
||||||
public class UserActivityLogController {
|
public class UserActivityLogController {
|
||||||
|
|
||||||
private final UserActivityLogDAO userActivityLogDAO;
|
private final UserActivityLogDAO userActivityLogDAO;
|
||||||
private final AuthorizationGrantService authorizationGrantService;
|
private final AuthorizationService authorization;
|
||||||
private final PaginationService paginationService;
|
private final PaginationService paginationService;
|
||||||
|
|
||||||
public UserActivityLogController(
|
public UserActivityLogController(
|
||||||
final UserActivityLogDAO userActivityLogDAO,
|
final UserActivityLogDAO userActivityLogDAO,
|
||||||
final AuthorizationGrantService authorizationGrantService,
|
final AuthorizationService authorization,
|
||||||
final PaginationService paginationService) {
|
final PaginationService paginationService) {
|
||||||
|
|
||||||
this.userActivityLogDAO = userActivityLogDAO;
|
this.userActivityLogDAO = userActivityLogDAO;
|
||||||
this.authorizationGrantService = authorizationGrantService;
|
this.authorization = authorization;
|
||||||
this.paginationService = paginationService;
|
this.paginationService = paginationService;
|
||||||
}
|
}
|
||||||
|
|
||||||
@InitBinder
|
@InitBinder
|
||||||
public void initBinder(final WebDataBinder binder) throws Exception {
|
public void initBinder(final WebDataBinder binder) throws Exception {
|
||||||
this.authorizationGrantService
|
this.authorization
|
||||||
.getUserService()
|
.getUserService()
|
||||||
.addUsersInstitutionDefaultPropertySupport(binder);
|
.addUsersInstitutionDefaultPropertySupport(binder);
|
||||||
}
|
}
|
||||||
|
@ -133,9 +133,9 @@ public class UserActivityLogController {
|
||||||
}
|
}
|
||||||
|
|
||||||
private void checkBaseReadPrivilege(final Long institutionId) {
|
private void checkBaseReadPrivilege(final Long institutionId) {
|
||||||
this.authorizationGrantService.checkPrivilege(
|
this.authorization.check(
|
||||||
EntityType.USER_ACTIVITY_LOG,
|
|
||||||
PrivilegeType.READ_ONLY,
|
PrivilegeType.READ_ONLY,
|
||||||
|
EntityType.USER_ACTIVITY_LOG,
|
||||||
institutionId);
|
institutionId);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -11,7 +11,6 @@ package ch.ethz.seb.sebserver.webservice.servicelayer.authorization;
|
||||||
import static org.junit.Assert.assertFalse;
|
import static org.junit.Assert.assertFalse;
|
||||||
import static org.junit.Assert.assertTrue;
|
import static org.junit.Assert.assertTrue;
|
||||||
|
|
||||||
import java.security.Principal;
|
|
||||||
import java.util.Arrays;
|
import java.util.Arrays;
|
||||||
import java.util.Collections;
|
import java.util.Collections;
|
||||||
import java.util.HashSet;
|
import java.util.HashSet;
|
||||||
|
@ -20,7 +19,6 @@ import java.util.stream.Collectors;
|
||||||
|
|
||||||
import org.joda.time.DateTimeZone;
|
import org.joda.time.DateTimeZone;
|
||||||
import org.junit.Test;
|
import org.junit.Test;
|
||||||
import org.mockito.Mock;
|
|
||||||
import org.mockito.Mockito;
|
import org.mockito.Mockito;
|
||||||
|
|
||||||
import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType;
|
import ch.ethz.seb.sebserver.gbl.authorization.PrivilegeType;
|
||||||
|
@ -28,45 +26,42 @@ import ch.ethz.seb.sebserver.gbl.model.EntityType;
|
||||||
import ch.ethz.seb.sebserver.gbl.model.user.UserInfo;
|
import ch.ethz.seb.sebserver.gbl.model.user.UserInfo;
|
||||||
import ch.ethz.seb.sebserver.gbl.model.user.UserRole;
|
import ch.ethz.seb.sebserver.gbl.model.user.UserRole;
|
||||||
|
|
||||||
public class AuthorizationGrantServiceTest {
|
public class AuthorizationServiceTest {
|
||||||
|
|
||||||
@Mock
|
|
||||||
private Principal principal;
|
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testInstitutionGrantForSEB_SERVER_ADMIN() {
|
public void testInstitutionGrantForSEB_SERVER_ADMIN() {
|
||||||
final AuthorizationGrantServiceImpl service = getTestServiceWithUserWithRoles(UserRole.SEB_SERVER_ADMIN);
|
final AuthorizationServiceImpl service = getTestServiceWithUserWithRoles(UserRole.SEB_SERVER_ADMIN);
|
||||||
|
|
||||||
assertTrue(service.hasBasePrivilege(EntityType.INSTITUTION, PrivilegeType.READ_ONLY, this.principal));
|
assertTrue(service.hasPrivilege(PrivilegeType.READ_ONLY, EntityType.INSTITUTION));
|
||||||
assertTrue(service.hasBasePrivilege(EntityType.INSTITUTION, PrivilegeType.MODIFY, this.principal));
|
assertTrue(service.hasPrivilege(PrivilegeType.MODIFY, EntityType.INSTITUTION));
|
||||||
assertTrue(service.hasBasePrivilege(EntityType.INSTITUTION, PrivilegeType.WRITE, this.principal));
|
assertTrue(service.hasPrivilege(PrivilegeType.WRITE, EntityType.INSTITUTION));
|
||||||
|
|
||||||
final GrantEntity institution = entityOf(EntityType.INSTITUTION, 2L, "");
|
final GrantEntity institution = entityOf(EntityType.INSTITUTION, 2L, "");
|
||||||
|
|
||||||
assertTrue(service.hasGrant(institution, PrivilegeType.READ_ONLY, this.principal));
|
assertTrue(service.hasReadonlyPrivilege(institution));
|
||||||
assertTrue(service.hasGrant(institution, PrivilegeType.MODIFY, this.principal));
|
assertTrue(service.hasModifyPrivilege(institution));
|
||||||
assertTrue(service.hasGrant(institution, PrivilegeType.WRITE, this.principal));
|
assertTrue(service.hasWritePrivilege(institution));
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testInstitutionGrantsForINSTITUTIONAL_ADMIN() {
|
public void testInstitutionGrantsForINSTITUTIONAL_ADMIN() {
|
||||||
final AuthorizationGrantServiceImpl service = getTestServiceWithUserWithRoles(UserRole.INSTITUTIONAL_ADMIN);
|
final AuthorizationServiceImpl service = getTestServiceWithUserWithRoles(UserRole.INSTITUTIONAL_ADMIN);
|
||||||
|
|
||||||
assertFalse(service.hasBasePrivilege(EntityType.INSTITUTION, PrivilegeType.READ_ONLY, this.principal));
|
assertFalse(service.hasPrivilege(PrivilegeType.READ_ONLY, EntityType.INSTITUTION));
|
||||||
assertFalse(service.hasBasePrivilege(EntityType.INSTITUTION, PrivilegeType.MODIFY, this.principal));
|
assertFalse(service.hasPrivilege(PrivilegeType.MODIFY, EntityType.INSTITUTION));
|
||||||
assertFalse(service.hasBasePrivilege(EntityType.INSTITUTION, PrivilegeType.WRITE, this.principal));
|
assertFalse(service.hasPrivilege(PrivilegeType.WRITE, EntityType.INSTITUTION));
|
||||||
|
|
||||||
final GrantEntity ownInstitution = entityOf(EntityType.INSTITUTION, 1L, "");
|
final GrantEntity ownInstitution = entityOf(EntityType.INSTITUTION, 1L, "");
|
||||||
|
|
||||||
assertTrue(service.hasGrant(ownInstitution, PrivilegeType.READ_ONLY, this.principal));
|
assertTrue(service.hasReadonlyPrivilege(ownInstitution));
|
||||||
assertTrue(service.hasGrant(ownInstitution, PrivilegeType.MODIFY, this.principal));
|
assertTrue(service.hasModifyPrivilege(ownInstitution));
|
||||||
assertFalse(service.hasGrant(ownInstitution, PrivilegeType.WRITE, this.principal));
|
assertFalse(service.hasWritePrivilege(ownInstitution));
|
||||||
|
|
||||||
final GrantEntity otherInstitution = entityOf(EntityType.INSTITUTION, 2L, "");
|
final GrantEntity otherInstitution = entityOf(EntityType.INSTITUTION, 2L, "");
|
||||||
|
|
||||||
assertFalse(service.hasGrant(otherInstitution, PrivilegeType.READ_ONLY, this.principal));
|
assertFalse(service.hasReadonlyPrivilege(otherInstitution));
|
||||||
assertFalse(service.hasGrant(otherInstitution, PrivilegeType.MODIFY, this.principal));
|
assertFalse(service.hasModifyPrivilege(otherInstitution));
|
||||||
assertFalse(service.hasGrant(otherInstitution, PrivilegeType.WRITE, this.principal));
|
assertFalse(service.hasWritePrivilege(otherInstitution));
|
||||||
}
|
}
|
||||||
|
|
||||||
private SEBServerUser getUser(final UserRole... roles) {
|
private SEBServerUser getUser(final UserRole... roles) {
|
||||||
|
@ -109,13 +104,12 @@ public class AuthorizationGrantServiceTest {
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
private AuthorizationGrantServiceImpl getTestServiceWithUserWithRoles(final UserRole... roles) {
|
private AuthorizationServiceImpl getTestServiceWithUserWithRoles(final UserRole... roles) {
|
||||||
final SEBServerUser user = getUser(roles);
|
final SEBServerUser user = getUser(roles);
|
||||||
final UserServiceImpl currentUserServiceMock = Mockito.mock(UserServiceImpl.class);
|
final UserServiceImpl currentUserServiceMock = Mockito.mock(UserServiceImpl.class);
|
||||||
Mockito.when(currentUserServiceMock.extractFromPrincipal(this.principal)).thenReturn(user);
|
Mockito.when(currentUserServiceMock.getCurrentUser()).thenReturn(user);
|
||||||
|
|
||||||
final AuthorizationGrantServiceImpl authorizationGrantService = new AuthorizationGrantServiceImpl(
|
final AuthorizationServiceImpl authorizationGrantService = new AuthorizationServiceImpl(
|
||||||
Collections.emptyList(),
|
|
||||||
currentUserServiceMock);
|
currentUserServiceMock);
|
||||||
authorizationGrantService.init();
|
authorizationGrantService.init();
|
||||||
return authorizationGrantService;
|
return authorizationGrantService;
|
Loading…
Add table
Reference in a new issue