Refactor authorization for ImportResource

src/main/java/org/rutebanken/tiamat/auth/AuthorizationService.java

@@ -12,6 +12,12 @@
  */
 public interface AuthorizationService {
 
+    /**
+     * Verify that the current user have right to edit any entity?
+     */
+    void verifyCanEditAllEntities();
+
+
     /**
      * Does the current user have edit right on all the given entities?
      */

src/main/java/org/rutebanken/tiamat/auth/DefaultAuthorizationService.java

@@ -1,20 +1,39 @@
 package org.rutebanken.tiamat.auth;
 
+import org.apache.commons.lang3.StringUtils;
+import org.rutebanken.helper.organisation.AuthorizationConstants;
 import org.rutebanken.helper.organisation.DataScopedAuthorizationService;
 import org.rutebanken.helper.organisation.RoleAssignment;
+import org.rutebanken.helper.organisation.RoleAssignmentExtractor;
 import org.rutebanken.tiamat.model.EntityStructure;
+import org.springframework.security.access.AccessDeniedException;
 
 import java.util.Collection;
 import java.util.Set;
 
-import static org.rutebanken.helper.organisation.AuthorizationConstants.ROLE_DELETE_STOPS;
-import static org.rutebanken.helper.organisation.AuthorizationConstants.ROLE_EDIT_STOPS;
+import static org.rutebanken.helper.organisation.AuthorizationConstants.*;
 
 public class DefaultAuthorizationService implements AuthorizationService {
     private final DataScopedAuthorizationService dataScopedAuthorizationService;
+    private final RoleAssignmentExtractor roleAssignmentExtractor;
 
-    public DefaultAuthorizationService(DataScopedAuthorizationService dataScopedAuthorizationService) {
+    public DefaultAuthorizationService(DataScopedAuthorizationService dataScopedAuthorizationService, RoleAssignmentExtractor roleAssignmentExtractor) {
         this.dataScopedAuthorizationService = dataScopedAuthorizationService;
+        this.roleAssignmentExtractor = roleAssignmentExtractor;
+        }
+
+    @Override
+    public void verifyCanEditAllEntities() {
+        if (roleAssignmentExtractor.getRoleAssignmentsForUser()
+                .stream()
+                .noneMatch(roleAssignment -> ROLE_EDIT_STOPS.equals(roleAssignment.getRole())
+                        && roleAssignment.getEntityClassifications() != null
+                        && roleAssignment.getEntityClassifications().get(AuthorizationConstants.ENTITY_TYPE) != null
+                        && roleAssignment.getEntityClassifications().get(AuthorizationConstants.ENTITY_TYPE).contains(ENTITY_CLASSIFIER_ALL_ATTRIBUTES)
+                        && StringUtils.isEmpty(roleAssignment.getAdministrativeZone())
+                )) {
+            throw new AccessDeniedException("Insufficient privileges for operation");
+        }
     }
 
     @Override

src/main/java/org/rutebanken/tiamat/config/AuthorizationServiceConfig.java

@@ -39,8 +39,8 @@ public class AuthorizationServiceConfig {
 
 
     @Bean
-    public AuthorizationService authorizationService(DataScopedAuthorizationService dataScopedAuthorizationService) {
-        return new DefaultAuthorizationService(dataScopedAuthorizationService);
+    public AuthorizationService authorizationService(DataScopedAuthorizationService dataScopedAuthorizationService, RoleAssignmentExtractor roleAssignmentExtractor) {
+        return new DefaultAuthorizationService(dataScopedAuthorizationService, roleAssignmentExtractor);
     }
 
     @Bean

src/main/java/org/rutebanken/tiamat/importer/PublicationDeliveryImporter.java

@@ -17,6 +17,7 @@
 
 import org.rutebanken.netex.model.PublicationDeliveryStructure;
 import org.rutebanken.netex.model.SiteFrame;
+import org.rutebanken.tiamat.auth.AuthorizationService;
 import org.rutebanken.tiamat.exporter.PublicationDeliveryCreator;
 import org.rutebanken.tiamat.importer.handler.GroupOfTariffZonesImportHandler;
 import org.rutebanken.tiamat.importer.handler.ParkingsImportHandler;
@@ -57,6 +58,7 @@ public class PublicationDeliveryImporter {
     private final ParkingsImportHandler parkingsImportHandler;
     private final TopographicPlaceImportHandler topographicPlaceImportHandler;
     private final BackgroundJobs backgroundJobs;
+    private final AuthorizationService authorizationService;
 
     @Autowired
     public PublicationDeliveryImporter(PublicationDeliveryHelper publicationDeliveryHelper, NetexMapper netexMapper,
@@ -67,7 +69,7 @@ public PublicationDeliveryImporter(PublicationDeliveryHelper publicationDelivery
                                        GroupOfTariffZonesImportHandler groupOfTariffZonesImportHandler,
                                        StopPlaceImportHandler stopPlaceImportHandler,
                                        ParkingsImportHandler parkingsImportHandler,
-                                       BackgroundJobs backgroundJobs) {
+                                       BackgroundJobs backgroundJobs, AuthorizationService authorizationService) {
         this.publicationDeliveryHelper = publicationDeliveryHelper;
         this.parkingsImportHandler = parkingsImportHandler;
         this.publicationDeliveryCreator = publicationDeliveryCreator;
@@ -77,6 +79,7 @@ public PublicationDeliveryImporter(PublicationDeliveryHelper publicationDelivery
         this.groupOfTariffZonesImportHandler = groupOfTariffZonesImportHandler;
         this.stopPlaceImportHandler = stopPlaceImportHandler;
         this.backgroundJobs = backgroundJobs;
+        this.authorizationService = authorizationService;
     }
 
 
@@ -87,6 +90,8 @@ public PublicationDeliveryStructure importPublicationDelivery(PublicationDeliver
     @SuppressWarnings("unchecked")
     public PublicationDeliveryStructure importPublicationDelivery(PublicationDeliveryStructure incomingPublicationDelivery, ImportParams importParams) {
 
+        authorizationService.verifyCanEditAllEntities();
+
         if (incomingPublicationDelivery.getDataObjects() == null) {
             String responseMessage = "Received publication delivery but it does not contain any data objects.";
             logger.warn(responseMessage);

src/main/java/org/rutebanken/tiamat/rest/netex/publicationdelivery/ImportResource.java

@@ -36,25 +36,20 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Component;
 import org.xml.sax.SAXException;
 
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Set;
 
-import static org.rutebanken.helper.organisation.AuthorizationConstants.ROLE_EDIT_STOPS;
-
-
 /**
  * Import publication deliveries
  */
 @Component
 @Tag(name = "Import resource", description = "Import resource")
 @Produces(MediaType.APPLICATION_XML + "; charset=UTF-8")
 @Path("netex")
-@PreAuthorize("hasRole('"+ROLE_EDIT_STOPS+"')")
 public class ImportResource {
 
     private static final Logger logger = LoggerFactory.getLogger(ImportResource.class);

src/test/java/org/rutebanken/tiamat/auth/StopPlaceAuthorizationServiceTest.java

@@ -122,8 +122,7 @@ public void StopPlaceAuthorizationServiceTest() {
                 tiamatOriganisationChecker,
                 topographicPlaceChecker,
                 tiamatEntityResolver);
-        this.authorizationService = authorizationServiceConfig.authorizationService(dataScopedAuthorizationService
-        );
+        this.authorizationService = authorizationServiceConfig.authorizationService(dataScopedAuthorizationService, roleAssignmentExtractor);