PermissionApiServiceImpl.java
/*
* Copyright 2024 Global Crop Diversity Trust
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.gringlobal.api.v2.facade.impl;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang3.StringUtils;
import org.genesys.blocks.oauth.model.OAuthClient;
import org.genesys.blocks.oauth.service.OAuthClientService;
import org.genesys.blocks.security.NoUserFoundException;
import org.genesys.blocks.security.SecurityContextUtil;
import org.genesys.blocks.security.model.AclObjectIdentity;
import org.genesys.blocks.security.model.AclSid;
import org.genesys.blocks.security.serialization.Permissions;
import org.genesys.blocks.security.service.CustomAclService;
import org.gringlobal.api.exception.NotFoundElement;
import org.gringlobal.api.model.AclObjectIdentityExtDTO;
import org.gringlobal.api.model.SecuredActionDTO;
import org.gringlobal.api.model.SidPermissionsDTO;
import org.gringlobal.api.v2.facade.PermissionApiService;
import org.gringlobal.api.v2.mapper.MapstructMapper;
import org.gringlobal.model.SysGroup;
import org.gringlobal.model.SysUser;
import org.gringlobal.model.community.SecurityAction;
import org.gringlobal.model.security.UserRole;
import org.gringlobal.persistence.community.SecuredActionRepository;
import org.gringlobal.service.SysGroupService;
import org.gringlobal.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import javax.persistence.EntityManager;
import java.util.List;
import java.util.stream.Collectors;
@Service
@Transactional(readOnly = true)
@Slf4j
public class PermissionApiServiceImpl implements PermissionApiService {
@Autowired
protected CustomAclService aclService;
@Autowired
private SecuredActionRepository securedActionRepository;
@Autowired
private MapstructMapper mapper;
@Autowired
protected EntityManager entityManager;
@Autowired
private UserService userService;
@Autowired
private SysGroupService sysGroupService;
@Autowired
private OAuthClientService oAuthClientService;
@Override
@Transactional
public AclObjectIdentityExtDTO addPermission(String className, long id, SidPermissionsDTO sidPermissionsDTO) {
var sidPermissions = mapper.map(sidPermissionsDTO);
final AclObjectIdentity objectIdentity = aclService.ensureObjectIdentity(id, className);
log.info("Setting permissions {}", sidPermissions);
AclSid sid = null;
if (sidPermissions.sid.getId() != null) {
sid = aclService.getSid(sidPermissions.sid.getId());
} else {
sid = aclService.getSid(sidPermissions.getSid().getSid());
}
return mapper.map(lazyLoadForJson(aclService.setPermissions(objectIdentity, sid, sidPermissions)));
}
@Override
@Transactional
public AclObjectIdentityExtDTO deletePermissionsForSid(String className, long id, String sid) {
final AclObjectIdentity objectIdentity = aclService.ensureObjectIdentity(id, className);
log.info("Removing permissions for {}", sid);
final AclSid aclSid = aclService.getSid(aclService.getSidId(sid));
return mapper.map(lazyLoadForJson(aclService.removePermissions(objectIdentity, aclSid)));
}
@Override
@Transactional
public AclObjectIdentityExtDTO updateInheriting(boolean inheriting, long id) {
final AclObjectIdentity objectIdentity = aclService.updateInheriting(id, inheriting);
if (objectIdentity == null) {
throw new NotFoundElement("No such ACL object");
}
return mapper.map(lazyLoadForJson(objectIdentity));
}
@Override
@Transactional
public AclObjectIdentityExtDTO updateParentObject(long id, long parentId) {
final AclObjectIdentity objectIdentity = aclService.updateParentObject(id, parentId);
if (objectIdentity == null) {
throw new NotFoundElement("No such ACL object");
}
return mapper.map(lazyLoadForJson(objectIdentity));
}
@Override
public AclObjectIdentityExtDTO permissions(String className, long id) {
final AclObjectIdentity objectIdentity = aclService.getObjectIdentity(id, className);
if (objectIdentity == null) {
throw new NotFoundElement("No such ACL object");
}
return mapper.map(lazyLoadForJson(objectIdentity));
}
@Override
public AclObjectIdentityExtDTO permissions(long id) {
final AclObjectIdentity objectIdentity = aclService.getObjectIdentity(id);
if (objectIdentity == null) {
throw new NotFoundElement("No such ACL object");
}
return mapper.map(lazyLoadForJson(objectIdentity));
}
@Override
public List<SecuredActionDTO> myPermissions() {
return mapper.map(securedActionRepository.findAll(), mapper::map);
}
@PreAuthorize("hasAuthority('GROUP_ADMINS')")
@Override
public List<SecuredActionDTO> sidPermissions(String sid) throws NoUserFoundException {
var aclSid = aclService.getSid(sid);
Authentication auth = null;
if (aclSid != null) {
log.debug("Got ACL SID {}: {}", aclSid.getClass().getName(), aclSid);
if (aclSid instanceof SysUser) {
var sysUser = userService.loadSysUser(aclSid.getId());
log.debug("Permissions for {}", sysUser);
log.debug("Authorities of {}: {}", sysUser, sysUser.getAuthorities());
auth = new UsernamePasswordAuthenticationToken(sysUser, null, sysUser.getAuthorities());
} else if (aclSid instanceof SysGroup) {
var sysGroup = sysGroupService.load(aclSid.getId());
log.debug("Permissions for {}", sysGroup);
var authorities = List.of(new SimpleGrantedAuthority(sysGroup.getAuthority()), UserRole.EVERYONE);
log.debug("Authorities of {}: {}", sysGroup.getGroupTag(), authorities);
auth = new UsernamePasswordAuthenticationToken(sysGroup, null, authorities);
} else if (aclSid instanceof OAuthClient) {
var oauthClient = oAuthClientService.loadClientByClientId(((OAuthClient) aclSid).getClientId());
log.debug("Permissions for {}", oauthClient);
log.debug("Authorities of {}: {}", oauthClient.getClientId(), oauthClient.getAuthorities());
auth = new UsernamePasswordAuthenticationToken(oauthClient, null, oauthClient.getAuthorities());
}
}
var authentication = auth;
boolean isAdmin = authentication == null ? false : authentication.getAuthorities().stream().anyMatch(authority -> StringUtils.equals(UserRole.ADMINISTRATOR.getAuthority(), authority.getAuthority()));
log.debug("User is admin? {}", isAdmin);
return securedActionRepository.findAll().stream().map(securedAction -> {
var action = mapper.mapWithoutPermissions(securedAction);
Permissions perms;
if (authentication == null) {
log.debug("No authentication for {}", securedAction);
perms = new Permissions().grantNone();
try {
perms.isPublic = SecurityContextUtil.anyoneHasPermission(securedAction, "READ");
} catch (Throwable e) {
perms.isPublic = false;
}
} else if (isAdmin) {
perms = new Permissions().grantAll();
try {
perms.isPublic = SecurityContextUtil.anyoneHasPermission(securedAction, "READ");
} catch (Throwable e) {
perms.isPublic = false;
}
} else {
try {
perms = SecurityContextUtil.getPermissions(authentication, securedAction);
log.debug("Actual permissions on {}: {}", securedAction.getAction(), perms);
} catch (Throwable e) {
throw new IllegalArgumentException("Could not read current permissions " + e.getMessage(), e);
}
}
action.set_permissions(perms);
return action;
}).collect(Collectors.toList());
}
@Override
public List<SecurityAction> securityActions() {
return List.of(SecurityAction.values());
}
/**
* Lazy load for json.
*
* @param objectIdentity the object identity
* @return the acl object identity
*/
protected CustomAclService.AclObjectIdentityExt lazyLoadForJson(final AclObjectIdentity objectIdentity) {
CustomAclService.AclObjectIdentityExt ext = aclService.loadObjectIdentityExt(objectIdentity);
if (ext == null) {
throw new NotFoundElement("No such ACL object");
}
entityManager.flush();
entityManager.detach(ext.original);
ext.original.setAclEntries(aclService.getAclEntries(objectIdentity));
return ext;
}
}