-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #41 from consiglionazionaledellericerche/40-implem…
…entare-endpoint-per-securecheck 40 implementare endpoint per securecheck
- Loading branch information
Showing
9 changed files
with
389 additions
and
128 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| 0.4.0 | ||
| 0.4.1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
268 changes: 152 additions & 116 deletions
268
src/main/java/it/cnr/iit/epas/controller/v4/AbsencesController.java
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
94 changes: 94 additions & 0 deletions
94
src/main/java/it/cnr/iit/epas/controller/v4/SecureController.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,94 @@ | ||
| /* | ||
| * Copyright (C) 2024 Consiglio Nazionale delle Ricerche | ||
| * | ||
| * This program is free software: you can redistribute it and/or modify | ||
| * it under the terms of the GNU Affero General Public License as | ||
| * published by the Free Software Foundation, either version 3 of the | ||
| * License, or (at your option) any later version. | ||
| * | ||
| * This program is distributed in the hope that it will be useful, | ||
| * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| * GNU Affero General Public License for more details. | ||
| * | ||
| * You should have received a copy of the GNU Affero General Public License | ||
| * along with this program. If not, see <https://www.gnu.org/licenses/>. | ||
| */ | ||
| package it.cnr.iit.epas.controller.v4; | ||
|
|
||
| import java.util.Optional; | ||
|
|
||
| import javax.transaction.Transactional; | ||
|
|
||
| import org.springframework.http.ResponseEntity; | ||
| import org.springframework.web.bind.annotation.GetMapping; | ||
| import org.springframework.web.bind.annotation.RequestMapping; | ||
| import org.springframework.web.bind.annotation.RequestParam; | ||
| import org.springframework.web.bind.annotation.RestController; | ||
|
|
||
| import io.swagger.v3.oas.annotations.Operation; | ||
| import io.swagger.v3.oas.annotations.media.Content; | ||
| import io.swagger.v3.oas.annotations.responses.ApiResponse; | ||
| import io.swagger.v3.oas.annotations.responses.ApiResponses; | ||
| import io.swagger.v3.oas.annotations.security.SecurityRequirement; | ||
| import io.swagger.v3.oas.annotations.security.SecurityRequirements; | ||
| import io.swagger.v3.oas.annotations.tags.Tag; | ||
| import it.cnr.iit.epas.config.OpenApiConfiguration; | ||
| import it.cnr.iit.epas.controller.v4.utils.ApiRoutes; | ||
| import it.cnr.iit.epas.security.SecurityService; | ||
| import it.cnr.iit.epas.security.SecurityService.EntityType; | ||
| import lombok.RequiredArgsConstructor; | ||
|
|
||
| /** | ||
| * Metodi REST per la verifica dei permessi. | ||
| */ | ||
| @SecurityRequirements( | ||
| value = { | ||
| @SecurityRequirement(name = OpenApiConfiguration.BEARER_AUTHENTICATION), | ||
| @SecurityRequirement(name = OpenApiConfiguration.BASIC_AUTHENTICATION) | ||
| }) | ||
| @Tag( | ||
| name = "Secure Controller", | ||
| description = "Controllo di sicurezza su path e riferimenti agli oggetti.") | ||
| @Transactional | ||
| @RequiredArgsConstructor | ||
| @RestController | ||
| @RequestMapping(ApiRoutes.BASE_PATH + "/secure") | ||
| public class SecureController { | ||
|
|
||
| private final SecurityService securityService; | ||
|
|
||
| /** | ||
| * Visualizzazione delle informazioni di accesso ad un controller. | ||
| */ | ||
| @Operation( | ||
| summary = "Verifica se l'utente corrente ha l'accesso ad un certo endpoint REST.") | ||
| @ApiResponses(value = { | ||
| @ApiResponse(responseCode = "200", | ||
| description = "Restituita l'autorizzazione true/false di accedere all'endpoint indicato"), | ||
| @ApiResponse(responseCode = "401", | ||
| description = "Autenticazione non presente", content = @Content), | ||
| @ApiResponse(responseCode = "403", | ||
| description = "Utente che ha effettuato la richiesta non autorizzato a visualizzare" | ||
| + " i permessi di questo controller", | ||
| content = @Content), | ||
| @ApiResponse(responseCode = "404", | ||
| description = "Entity non trovata con l'id fornito", | ||
| content = @Content) | ||
| }) | ||
| @GetMapping("/check") | ||
| public ResponseEntity<Boolean> secureCheck( | ||
| @RequestParam("method") String method, | ||
| @RequestParam("path") String path, | ||
| @RequestParam("entityType") Optional<EntityType> entityType, | ||
| @RequestParam("targetType") Optional<EntityType> targetType, | ||
| @RequestParam("id") Optional<Long> id, | ||
| @RequestParam("year") Optional<Integer> year, | ||
| @RequestParam("month") Optional<Integer> month) throws Exception { | ||
|
|
||
| return ResponseEntity.ok( | ||
| securityService.secureCheck(method, path, entityType, targetType, id, year, month)); | ||
|
|
||
| } | ||
|
|
||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
126 changes: 126 additions & 0 deletions
126
src/main/java/it/cnr/iit/epas/security/SecurityService.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,126 @@ | ||
| /* | ||
| * Copyright (C) 2024 Consiglio Nazionale delle Ricerche | ||
| * | ||
| * This program is free software: you can redistribute it and/or modify | ||
| * it under the terms of the GNU Affero General Public License as | ||
| * published by the Free Software Foundation, either version 3 of the | ||
| * License, or (at your option) any later version. | ||
| * | ||
| * This program is distributed in the hope that it will be useful, | ||
| * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| * GNU Affero General Public License for more details. | ||
| * | ||
| * You should have received a copy of the GNU Affero General Public License | ||
| * along with this program. If not, see <https://www.gnu.org/licenses/>. | ||
| */ | ||
| package it.cnr.iit.epas.security; | ||
|
|
||
| import org.joda.time.YearMonth; | ||
| import java.util.Optional; | ||
|
|
||
| import org.springframework.stereotype.Service; | ||
|
|
||
| import it.cnr.iit.epas.dao.AbsenceDao; | ||
| import it.cnr.iit.epas.dao.OfficeDao; | ||
| import it.cnr.iit.epas.dao.PersonDao; | ||
| import it.cnr.iit.epas.dao.PersonDayDao; | ||
| import it.cnr.iit.epas.models.base.BaseEntity; | ||
| import lombok.RequiredArgsConstructor; | ||
| import lombok.val; | ||
| import lombok.extern.slf4j.Slf4j; | ||
|
|
||
| @Slf4j | ||
| @RequiredArgsConstructor | ||
| @Service | ||
| public class SecurityService { | ||
|
|
||
| public enum EntityType { | ||
| Office, Person, Absence, PersonDay, YearMonth | ||
| } | ||
|
|
||
| private final SecurityRules rules; | ||
|
|
||
| private final OfficeDao officeDao; | ||
| private final PersonDao personDao; | ||
| private final AbsenceDao absenceDao; | ||
| private final PersonDayDao personDayDao; | ||
|
|
||
| public Boolean secureCheck(String method, String path, | ||
| Optional<EntityType> entityType, Optional<EntityType> targetType, | ||
| Optional<Long> id, Optional<Integer> year, Optional<Integer> month | ||
| ) throws Exception { | ||
|
|
||
| BaseEntity entity = null; | ||
| Object entityToTarget = null; | ||
|
|
||
| log.debug("SecurityService::secureCheck method= {}, path = {}, id = {}, year = {}, month = {}," | ||
| + " target={}", method, path, id, year, month, entityType); | ||
|
|
||
| if (entityType.isPresent() && id.isPresent()) { | ||
| switch (entityType.get()) { | ||
| case Office: { | ||
| val office = officeDao.getOfficeById(id.get()); | ||
| entity = office; | ||
| entityToTarget = office; | ||
| break; | ||
| } | ||
| case Person: { | ||
| val person = personDao.byId(id.get()).orElse(null); | ||
| entity = person; | ||
| if (targetType.isPresent() && targetType.get().equals(EntityType.Office)) { | ||
| entityToTarget = person.getOffice(); | ||
| } else { | ||
| entityToTarget = person; | ||
| } | ||
| break; | ||
| } | ||
| case Absence: { | ||
| val absence = absenceDao.byId(id.get()).orElse(null); | ||
| entity = absence; | ||
| if (targetType.isPresent()) { | ||
| if (targetType.get().equals(EntityType.Absence)) { | ||
| entityToTarget = absence; | ||
| } else if (targetType.get().equals(EntityType.Office)) { | ||
| entityToTarget = absence.getPersonDay().getPerson().getOffice(); | ||
| } | ||
| } else { | ||
| //Il default per i controlli sulle assenze è la verifica sulla Person. | ||
| entityToTarget = absence.getPersonDay().getPerson(); | ||
| } | ||
| break; | ||
| } | ||
| case PersonDay: { | ||
| val personDay = personDayDao.getPersonDayById(id.get()); | ||
| entity = personDay; | ||
| if (targetType.isPresent()) { | ||
| if (targetType.get().equals(EntityType.PersonDay)) { | ||
| entityToTarget = personDay; | ||
| } else if (targetType.get().equals(EntityType.Office)) { | ||
| entityToTarget = personDay.getPerson().getOffice(); | ||
| } | ||
| } else { | ||
| //Il default per i controlli sui personDay è la verifica sulla Person. | ||
| entityToTarget = personDay.getPerson(); | ||
| } | ||
| break; | ||
| } | ||
| case YearMonth: { | ||
| val yearMonth = new YearMonth(year.get(), month.get()); | ||
| entityToTarget = yearMonth; | ||
| break; | ||
| } | ||
| default: | ||
| throw new IllegalArgumentException("Unexpected value: " + entityType.get()); | ||
| } | ||
| } | ||
|
|
||
| log.debug("SecurityService::secureCheck method= {}, path = {}, id = {}, year = {}, month = {}," | ||
| + "targetFromObject={}, targetToOject={}", | ||
| method, path, id, year, month, entity, entityToTarget); | ||
|
|
||
| //controllo le drools in base alla path, method e target | ||
| return rules.check(method, path, entityToTarget); | ||
| } | ||
|
|
||
| } |