PermissionController.java
/*
* Copyright 2019 Global Crop Diversity Trust
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.gringlobal.api.v1.impl;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import com.fasterxml.jackson.annotation.JsonView;
import io.swagger.v3.oas.annotations.Hidden;
import io.swagger.v3.oas.annotations.tags.Tag;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.genesys.blocks.model.JsonViews;
import org.genesys.blocks.oauth.model.OAuthClient;
import org.genesys.blocks.oauth.service.OAuthClientService;
import org.genesys.blocks.security.model.AclObjectIdentity;
import org.genesys.blocks.security.model.AclSid;
import org.genesys.blocks.security.serialization.CurrentPermissionsWriter;
import org.genesys.blocks.security.serialization.SidPermissions;
import org.genesys.blocks.security.service.CustomAclService;
import org.gringlobal.api.exception.InvalidApiUsageException;
import org.gringlobal.api.exception.NotFoundElement;
import org.gringlobal.api.v1.ApiBaseController;
import org.gringlobal.api.v1.CRUDController;
import org.gringlobal.model.QSysGroup;
import org.gringlobal.model.SysUser;
import org.gringlobal.model.community.SecuredAction;
import org.gringlobal.model.security.UserRole;
import org.gringlobal.persistence.SysGroupRepository;
import org.gringlobal.persistence.community.SecuredActionRepository;
import org.gringlobal.service.SecuredActionService;
import org.gringlobal.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.domain.PageRequest;
import org.springframework.data.domain.Sort;
import org.springframework.http.MediaType;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
@RestController("permissionApi1")
@RequestMapping(value = PermissionController.API_URL)
@PreAuthorize("isAuthenticated()")
@Tag(name = "Permission")
@Slf4j
public class PermissionController extends ApiBaseController {
/** The Constant CONTROLLER_URL. */
public static final String API_URL = ApiBaseController.APIv1_BASE + "/permission";
@Autowired
protected CustomAclService aclService;
@Autowired
private UserService userService;
@Autowired
private OAuthClientService clientDetailsService;
@Autowired
private SysGroupRepository groupRepository;
@Autowired
private SecuredActionRepository securedActionRepository;
@RestController("securedActionApi1")
@RequestMapping(SecuredActionController.API_URL)
@PreAuthorize("hasAuthority('GROUP_ADMINS')")
@Tag(name = "SecuredAction")
public static class SecuredActionController extends CRUDController<SecuredAction, SecuredActionService> {
/** The Constant API_URL. */
public static final String API_URL = PermissionController.API_URL + "/secured-action";
@Hidden
@Override
public SecuredAction get(long id) {
throw new InvalidApiUsageException();
}
@Hidden
@Override
public SecuredAction update(SecuredAction entity) {
throw new InvalidApiUsageException("SecuredActions can only be created, not updated.");
}
}
/**
* Adds the permission.
*
* @param className the class name
* @param id the id
* @param sidPermissions the sid permissions
* @return the acl object identity
*/
@PostMapping(value = "/permissions/{clazz}/{id}", produces = MediaType.APPLICATION_JSON_VALUE)
@JsonView(JsonViews.Minimal.class)
public CustomAclService.AclObjectIdentityExt addPermission(@PathVariable(value = "clazz") final String className,
@PathVariable("id") final long id, @RequestBody final SidPermissions sidPermissions) {
final AclObjectIdentity objectIdentity = aclService.ensureObjectIdentity(id, className);
log.info("Setting permissions {}", sidPermissions);
final AclSid sid = aclService.getSid(sidPermissions.sid.getId());
return lazyLoadForJson(aclService.setPermissions(objectIdentity, sid, sidPermissions));
}
/**
* Adds the permission.
*
* @param className the class name
* @param id the id
* @param sid the sid
* @return the acl object identity
*/
@DeleteMapping(value = "/permissions/{clazz}/{id}/{sid}", produces = MediaType.APPLICATION_JSON_VALUE)
@JsonView(JsonViews.Minimal.class)
public CustomAclService.AclObjectIdentityExt deletePermissionsForSid(@PathVariable(value = "clazz") final String className,
@PathVariable("id") final long id, @PathVariable("sid") final String sid) {
final AclObjectIdentity objectIdentity = aclService.ensureObjectIdentity(id, className);
log.info("Removing permissions for {}", sid);
final AclSid aclSid = aclService.getSid(aclService.getSidId(sid));
return lazyLoadForJson(aclService.removePermissions(objectIdentity, aclSid));
}
/**
* Update inheriting status
*
* @param inheriting is inheriting value
* @param id the id
* @return updated acl object identity
*/
@JsonView(JsonViews.Minimal.class)
@PostMapping(value = "/update-inheriting/{inheriting}/{id}", produces = MediaType.APPLICATION_JSON_VALUE)
public CustomAclService.AclObjectIdentityExt updateInheriting(@PathVariable(value = "inheriting") final boolean inheriting,
@PathVariable(name = "id") final long id) {
final AclObjectIdentity objectIdentity = aclService.updateInheriting(id, inheriting);
if (objectIdentity == null) {
throw new NotFoundElement("No such ACL object");
}
return lazyLoadForJson(objectIdentity);
}
/**
* Update parent object
*
* @param id the id
* @param parentId the parentId
* @return updated acl object identity
*/
@JsonView(JsonViews.Minimal.class)
@PostMapping(value = "/update-parent/{id}/{parentId}", produces = MediaType.APPLICATION_JSON_VALUE)
public CustomAclService.AclObjectIdentityExt updateParentObject(@PathVariable(name = "id") final long id, @PathVariable(name = "parentId") final long parentId) {
final AclObjectIdentity objectIdentity = aclService.updateParentObject(id, parentId);
if (objectIdentity == null) {
throw new NotFoundElement("No such ACL object");
}
return lazyLoadForJson(objectIdentity);
}
/**
* Return all information related to the AclAwareModel.
*
* @param className the class name
* @param id the id
* @return the acl object identity
*/
@GetMapping(value = "/permissions/{clazz}/{id}", produces = MediaType.APPLICATION_JSON_VALUE)
@JsonView(JsonViews.Minimal.class)
public CustomAclService.AclObjectIdentityExt permissions(@PathVariable(value = "clazz") final String className, @PathVariable("id") final long id) {
final AclObjectIdentity objectIdentity = aclService.getObjectIdentity(id, className);
if (objectIdentity == null) {
throw new NotFoundElement("No such ACL object");
}
return lazyLoadForJson(objectIdentity);
}
/**
* Return all information for {@link AclObjectIdentity} by its id.
*
* @param id the internal ID of aclObjectIdentity
* @return the acl object identity
*/
@GetMapping(value = "/permissions/{aclObjectIdentityId}", produces = MediaType.APPLICATION_JSON_VALUE)
@JsonView(JsonViews.Minimal.class)
public CustomAclService.AclObjectIdentityExt permissions(@PathVariable(value = "aclObjectIdentityId") final long id) {
final AclObjectIdentity objectIdentity = aclService.getObjectIdentity(id);
if (objectIdentity == null) {
throw new NotFoundElement("No such ACL object");
}
return lazyLoadForJson(objectIdentity);
}
/**
* Return user's permissions for all {@link SecuredAction}s.
*
* {@link CurrentPermissionsWriter} will take care of attaching current permissions.
*
* @return a list of all SecuredActions with attached permissions.
*/
@GetMapping(value = "/my-permissions", produces = MediaType.APPLICATION_JSON_VALUE)
public List<SecuredAction> myPermissions() {
return securedActionRepository.findAll();
}
/**
* Auto-complete users, roles and clients.
*
* @param term the search term
* @return Map of SID labels and SID IDs
* @since 1.6
*/
@GetMapping(value = "/autocomplete", produces = MediaType.APPLICATION_JSON_VALUE)
public Map<Long, String> acSid(@RequestParam("term") final String term) {
final Map<Long, String> sidIds = new HashMap<>();
sidIds.putAll(acRole(term));
sidIds.putAll(acGroup(term));
sidIds.putAll(acUser(term));
sidIds.putAll(acOauthClient(term)); // Note: Ignores blank search
// Keep max 20, ordered by SID asc
var top20 = sidIds.values().stream().sorted(StringUtils::compareIgnoreCase).limit(20).collect(Collectors.toSet());
sidIds.entrySet().removeIf(entry -> !top20.contains(entry.getValue()));
return sidIds;
}
/**
* Ac role.
*
* @param term the term
* @return the map
*/
private Map<Long, String> acRole(@RequestParam("term") final String term) {
final Map<Long, String> roleSids = new HashMap<>();
final List<UserRole> matchingRoles = Arrays.stream(UserRole.values()).filter(role -> StringUtils.isBlank(term) ? true : role.name().toLowerCase().startsWith(term.toLowerCase())).collect(Collectors.toList());
for (final UserRole role : matchingRoles) {
var roleSid = aclService.getAuthoritySid(role.getAuthority());
if (roleSid == null) {
continue; // Skip roles without SID
}
roleSids.put(roleSid.getId(), role.name());
}
return roleSids;
}
/**
* Ac user.
*
* @param term the term
* @return the map
*/
private Map<Long, String> acUser(@RequestParam("term") final String term) {
final Map<Long, String> userIds = new HashMap<>();
for (final SysUser user : userService.autocompleteSysUsers(term, 10)) {
userIds.put(user.getId(), user.getUsername());
}
return userIds;
}
/**
* Ac role.
*
* @param term the term
* @return the map
*/
private Map<Long, String> acGroup(@RequestParam("term") final String term) {
final Map<Long, String> roleSids = new HashMap<>();
groupRepository.findAll(QSysGroup.sysGroup.groupTag.startsWithIgnoreCase(StringUtils.trimToEmpty(term)), PageRequest.of(0, 10, Sort.by("groupTag"))).getContent().forEach(sysGroup -> {
var sid = aclService.getAuthoritySid(sysGroup.getAuthority());
if (sid != null) {
roleSids.put(sid.getId(), sysGroup.getGroupTag());
}
});
return roleSids;
}
/**
* Ac oauth client.
*
* @param term the term
* @return the map
*/
private Map<Long, String> acOauthClient(@RequestParam("term") final String term) {
final Map<Long, String> oauthMap = new HashMap<>();
for (final OAuthClient client : clientDetailsService.autocompleteClients(term, 10)) {
oauthMap.put(client.getId(), client.getTitle());
}
return oauthMap;
}
/**
* Lazy load for json.
*
* @param objectIdentity the object identity
* @return the acl object identity
*/
protected CustomAclService.AclObjectIdentityExt lazyLoadForJson(final AclObjectIdentity objectIdentity) {
CustomAclService.AclObjectIdentityExt ext = aclService.loadObjectIdentityExt(objectIdentity);
if (ext == null) {
throw new NotFoundElement("No such ACL object");
}
return ext;
}
}