Add endpoints for effective permissions #88
 Defaults for each permission type have been removed; wildcard permissions are returned instead.
gorbunkov committed Feb 10, 2020
1 parent 0efbd70 commit d8ef730
Showing 8 changed files with 89 additions and 248 deletions.
Expand Up @@ -116,40 +116,21 @@ public EffectiveRoleInfo getEffectiveRole(EffectiveRoleRequestParams params) {

public EffectiveRoleInfo createEffectiveRoleInfo(RoleDefinition role, EffectiveRoleRequestParams params) {
EffectiveRoleInfo roleInfo = new EffectiveRoleInfo();
DefaultValuesInfo defaultValues = roleInfo.getDefaultValues();
ExplicitPermissionsInfo explicitPermissionsInfo = roleInfo.getExplicitPermissions();
if (params.isEntities()) {
explicitPermissionsInfo.setEntities(new ArrayList<>());
role.entityPermissions().getExplicitPermissions().forEach((key, value) ->
explicitPermissionsInfo.getEntities().add(new ShortPermissionInfo(key, value)));
defaultValues.setEntityCreate(role.entityPermissions().getDefaultEntityCreateAccess() != null ?
role.entityPermissions().getDefaultEntityCreateAccess().getId() :
null);
defaultValues.setEntityRead(role.entityPermissions().getDefaultEntityReadAccess() != null ?
role.entityPermissions().getDefaultEntityReadAccess().getId() :
null);
defaultValues.setEntityUpdate(role.entityPermissions().getDefaultEntityUpdateAccess() != null ?
role.entityPermissions().getDefaultEntityUpdateAccess().getId() :
null);
defaultValues.setEntityDelete(role.entityPermissions().getDefaultEntityDeleteAccess() != null ?
role.entityPermissions().getDefaultEntityDeleteAccess().getId() :
null);
}
if (params.isEntityAttributes()) {
explicitPermissionsInfo.setEntityAttributes(new ArrayList<>());
role.entityAttributePermissions().getExplicitPermissions().forEach((key, value) ->
explicitPermissionsInfo.getEntityAttributes().add(new ShortPermissionInfo(key, value)));
defaultValues.setEntityAttribute(role.entityAttributePermissions().getDefaultEntityAttributeAccess() != null ?
role.entityAttributePermissions().getDefaultEntityAttributeAccess().getId() :
null);
}
if (params.isSpecific()) {
explicitPermissionsInfo.setSpecific(new ArrayList<>());
role.specificPermissions().getExplicitPermissions().forEach((key, value) ->
explicitPermissionsInfo.getSpecific().add(new ShortPermissionInfo(key, value)));
defaultValues.setSpecific(role.specificPermissions().getDefaultSpecificAccess() != null ?
role.specificPermissions().getDefaultSpecificAccess().getId() :
null);
}

roleInfo.setUndefinedPermissionPolicy(rolesService.getPermissionUndefinedAccessPolicy().name());
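Review bot: `createEffectiveRoleInfo` has no Javadoc, and with the default-access values gone the `params` flags alone now decide what the response carries: a category whose flag is false is never assigned (`setEntities(new ArrayList<>())` runs only inside `if (params.isEntities())`), so a client cannot tell "not requested" from "no explicit permissions" unless `ExplicitPermissionsInfo` starts with empty lists — worth confirming, since this is the endpoint clients will read to decide what to show or deny. Suggest a Javadoc such as `/** Builds the effective-permission view of {@code role}; only the categories enabled in {@code params} are populated, and wildcard targets (e.g. {@code *:read}) appear as ordinary explicit permissions now that per-type defaults are gone. */`. The three identical `forEach` + `add` loops could also become one private helper that converts an explicit-permissions map into a list of `ShortPermissionInfo`, removing the triplication. The method body continues past the hunk after the undefined-permission-policy line.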

This file was deleted.

Expand Up @@ -21,8 +21,6 @@ public class EffectiveRoleInfo {

private ExplicitPermissionsInfo explicitPermissions = new ExplicitPermissionsInfo();

private DefaultValuesInfo defaultValues = new DefaultValuesInfo();

private String undefinedPermissionPolicy = "DENY";

public EffectiveRoleInfo() {
Expand All @@ -36,14 +34,6 @@ public void setExplicitPermissions(ExplicitPermissionsInfo explicitPermissions)
this.explicitPermissions = explicitPermissions;
}

public DefaultValuesInfo getDefaultValues() {
return defaultValues;
}

public void setDefaultValues(DefaultValuesInfo defaultValues) {
this.defaultValues = defaultValues;
}

public String getUndefinedPermissionPolicy() {
return undefinedPermissionPolicy;
}
Expand Up @@ -10,31 +10,27 @@
/**
* Role grants full access for REST API
*/
@Role(name = RestFullAccessRole.NAME, securityScope = "REST")
@Role(name = RestFullAccessRole.NAME, securityScope = "REST", isSuper = true)
public class RestFullAccessRole extends AnnotatedRoleDefinition {

public static final String NAME = "rest-full-access";

@Override
@DefaultEntityAccess(allow = {EntityOp.CREATE, EntityOp.READ, EntityOp.UPDATE, EntityOp.DELETE})
public EntityPermissionsContainer entityPermissions() {
return super.entityPermissions();
}

@Override
@DefaultEntityAttributeAccess(EntityAttrAccess.MODIFY)
public EntityAttributePermissionsContainer entityAttributePermissions() {
return super.entityAttributePermissions();
}

@Override
@DefaultSpecificAccess(Access.ALLOW)
public SpecificPermissionsContainer specificPermissions() {
return super.specificPermissions();
}

@Override
@DefaultScreenAccess(Access.ALLOW)
public ScreenPermissionsContainer screenPermissions() {
return super.screenPermissions();
}
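Review bot: Once the four `@Default*Access` annotations are dropped, `entityPermissions()`, `entityAttributePermissions()`, `specificPermissions()` and `screenPermissions()` carry no annotation and only `return super.…()`, so they are dead overrides and can be deleted together with the annotation and container imports that nothing else in the class uses (the import block is outside the hunk, so check there). `isSuper = true` is a broader grant than the ALLOW/MODIFY defaults it replaces if, as the attribute name suggests, it bypasses permission evaluation entirely; the class Javadoc should state that, e.g. `* Super role: full access to the REST API without per-permission evaluation.` — confirm against how the framework treats the attribute before wording it that strongly. The class body continues past the hunk.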
Expand Up @@ -18,8 +18,8 @@
package com.haulmont.rest.demo.core.roles;

import com.haulmont.cuba.security.app.role.AnnotatedRoleDefinition;
import com.haulmont.cuba.security.app.role.annotation.DefaultEntityAttributeAccess;
import com.haulmont.cuba.security.app.role.annotation.EntityAccess;
import com.haulmont.cuba.security.app.role.annotation.EntityAttributeAccess;
import com.haulmont.cuba.security.app.role.annotation.Role;
import com.haulmont.cuba.security.entity.EntityAttrAccess;
import com.haulmont.cuba.security.entity.EntityOp;
Expand All @@ -36,13 +36,13 @@ public class RestTestAnonymousRole extends AnnotatedRoleDefinition {


@Override
@EntityAccess(target = User.class, allow = {EntityOp.READ})
@EntityAccess(entityClass = User.class, operations = {EntityOp.READ})
public EntityPermissionsContainer entityPermissions() {
return super.entityPermissions();
}

@Override
@DefaultEntityAttributeAccess(value = EntityAttrAccess.VIEW)
@EntityAttributeAccess(entityName = "*", view = "*")
public EntityAttributePermissionsContainer entityAttributePermissions() {
return super.entityAttributePermissions();
}
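Review bot: `@EntityAttributeAccess(entityName = "*", view = "*")` grants attribute view access on every entity to the anonymous role, whereas the removed `@DefaultEntityAttributeAccess(EntityAttrAccess.VIEW)` expressed that level as a default; whether the wildcard is still bounded by the entity-level grant (READ on `User` only) depends on how the framework combines the two, so a short comment on the annotation would keep it from being read as an anonymous read-everything grant, e.g. `// attribute-level wildcard; entity visibility is still limited by the @EntityAccess grant above — verify`. The context line `import com.haulmont.cuba.security.entity.EntityAttrAccess;` is kept although `EntityAttrAccess.VIEW` was its only visible use; if nothing outside the hunk references it, the import is now unused and should go. The class body continues past the hunk.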
Expand Up @@ -482,63 +482,105 @@ private void createDbUserRoles() throws SQLException {
private void createDbRoles() throws SQLException {
//read-only role. can read colours, can't read cars
colorReadRoleId = dirtyData.createRoleUuid();
executePrepared("insert into sec_role(id, name, security_scope, default_entity_read_access) " +
"values(?, ?, ?, ?)",
executePrepared("insert into sec_role(id, name, security_scope) " +
"values(?, ?, ?)",
colorReadRoleId,
"colorReadRole",
"REST",
1
"REST"
);

executePrepared("insert into sec_permission(id, role_id, permission_type, target, value_) " +
"values(?, ?, ?, ?, ?)",
dirtyData.createPermissionUuid(),
colorReadRoleId,
PermissionType.ENTITY_OP.getId(),
"*:read",
1);

//read_only role. can update colours, can't update cars
colorUpdateRoleId = dirtyData.createRoleUuid();
executePrepared("insert into sec_role(id, name, security_scope, default_entity_read_access) " +
"values(?, ?, ?, ?)",
executePrepared("insert into sec_role(id, name, security_scope) " +
"values(?, ?, ?)",
colorUpdateRoleId,
"colorUpdateRole",
"REST",
1
"REST"
);

executePrepared("insert into sec_permission(id, role_id, permission_type, target, value_) " +
"values(?, ?, ?, ?, ?)",
dirtyData.createPermissionUuid(),
colorUpdateRoleId,
PermissionType.ENTITY_OP.getId(),
"*:read",
1);

//read-only role. can create colours
colorCreateRoleId = dirtyData.createRoleUuid();
executePrepared("insert into sec_role(id, name, security_scope, default_entity_read_access) " +
"values(?, ?, ?, ?)",
executePrepared("insert into sec_role(id, name, security_scope) " +
"values(?, ?, ?)",
colorCreateRoleId,
"colorCreateRole",
"REST",
1
"REST"
);

executePrepared("insert into sec_permission(id, role_id, permission_type, target, value_) " +
"values(?, ?, ?, ?, ?)",
dirtyData.createPermissionUuid(),
colorCreateRoleId,
PermissionType.ENTITY_OP.getId(),
"*:read",
1);

//read-only role. can delete colours
colorDeleteRoleId = dirtyData.createRoleUuid();
executePrepared("insert into sec_role(id, name, security_scope, default_entity_read_access) " +
"values(?, ?, ?, ?)",
executePrepared("insert into sec_role(id, name, security_scope) " +
"values(?, ?, ?)",
colorDeleteRoleId,
"colorDeleteRole",
"REST",
1
"REST"
);

executePrepared("insert into sec_permission(id, role_id, permission_type, target, value_) " +
"values(?, ?, ?, ?, ?)",
dirtyData.createPermissionUuid(),
colorDeleteRoleId,
PermissionType.ENTITY_OP.getId(),
"*:read",
1);

//read-only role for attributes access tests
carReadRoleId = dirtyData.createRoleUuid();
executePrepared("insert into sec_role(id, name, security_scope, default_entity_read_access) " +
"values(?, ?, ?, ?)",
executePrepared("insert into sec_role(id, name, security_scope) " +
"values(?, ?, ?)",
carReadRoleId,
"carReadRole",
"REST",
1
"REST"
);

executePrepared("insert into sec_permission(id, role_id, permission_type, target, value_) " +
"values(?, ?, ?, ?, ?)",
dirtyData.createPermissionUuid(),
carReadRoleId,
PermissionType.ENTITY_OP.getId(),
"*:read",
1);

//read-only role, prohibiting viewing the colors
noColorReadRoleId = dirtyData.createRoleUuid();
executePrepared("insert into sec_role(id, name, security_scope, default_entity_read_access) " +
"values(?, ?, ?, ?)",
executePrepared("insert into sec_role(id, name, security_scope) " +
"values(?, ?, ?)",
noColorReadRoleId,
"noColorReadRole",
"REST",
1
"REST"
);

executePrepared("insert into sec_permission(id, role_id, permission_type, target, value_) " +
"values(?, ?, ?, ?, ?)",
dirtyData.createPermissionUuid(),
noColorReadRoleId,
PermissionType.ENTITY_OP.getId(),
"*:read",
1);
}

private void createDbData() throws SQLException {
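Review bot: The six role blocks in `createDbRoles` are now copy-pasted pairs of identical inserts that differ only in the id field and the role name, so the `"*:read"` wildcard, the `REST` scope and the `PermissionType.ENTITY_OP.getId()` type are each repeated six times and any later change must be made in six places. A helper that inserts the role row plus its wildcard read permission and returns the id removes the duplication; the sketch below assumes `createRoleUuid()` returns a `UUID`, which the visible code does not show. The comments above the update/create/delete roles still say `//read-only role` although each role only receives a read wildcard here — if the write permissions are granted elsewhere, a pointer in the comment would help, and the same applies to `noColorReadRole`, whose comment promises a prohibition that this hunk does not insert.
```java
private void createDbRoles() throws SQLException {
    //read-only role. can read colours, can't read cars
    colorReadRoleId = createReadAllRole("colorReadRole");
    // … unchanged: colorUpdateRole, colorCreateRole, colorDeleteRole, carReadRole, noColorReadRole created the same way …
}

// Inserts a REST-scope role row plus one "*:read" ENTITY_OP permission and returns the new role id.
private UUID createReadAllRole(String name) throws SQLException {
    UUID roleId = dirtyData.createRoleUuid();
    executePrepared("insert into sec_role(id, name, security_scope) values(?, ?, ?)",
            roleId, name, "REST");
    executePrepared("insert into sec_permission(id, role_id, permission_type, target, value_) " +
                    "values(?, ?, ?, ?, ?)",
            dirtyData.createPermissionUuid(), roleId, PermissionType.ENTITY_OP.getId(), "*:read", 1);
    return roleId;
}
```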

0 comments on commit d8ef730

Please sign in to comment.