From 4f55161fc3c621e75f75b635488d9752e018b9dc Mon Sep 17 00:00:00 2001 From: Vincent Paturet Date: Tue, 11 Jun 2024 08:53:21 +0200 Subject: [PATCH] Refactor authorization for ImportResource --- .../tiamat/auth/AuthorizationService.java | 6 +++++ .../auth/DefaultAuthorizationService.java | 25 ++++++++++++++++--- .../config/AuthorizationServiceConfig.java | 4 +-- .../importer/PublicationDeliveryImporter.java | 7 +++++- .../publicationdelivery/ImportResource.java | 5 ---- .../StopPlaceAuthorizationServiceTest.java | 3 +-- 6 files changed, 37 insertions(+), 13 deletions(-) diff --git a/src/main/java/org/rutebanken/tiamat/auth/AuthorizationService.java b/src/main/java/org/rutebanken/tiamat/auth/AuthorizationService.java index 988bc0e46..9ce5317fe 100644 --- a/src/main/java/org/rutebanken/tiamat/auth/AuthorizationService.java +++ b/src/main/java/org/rutebanken/tiamat/auth/AuthorizationService.java @@ -12,6 +12,12 @@ */ public interface AuthorizationService { + /** + * Verify that the current user have right to edit any entity? + */ + void verifyCanEditAllEntities(); + + /** * Does the current user have edit right on all the given entities? */ diff --git a/src/main/java/org/rutebanken/tiamat/auth/DefaultAuthorizationService.java b/src/main/java/org/rutebanken/tiamat/auth/DefaultAuthorizationService.java index 3e81d8621..3c827d70b 100644 --- a/src/main/java/org/rutebanken/tiamat/auth/DefaultAuthorizationService.java +++ b/src/main/java/org/rutebanken/tiamat/auth/DefaultAuthorizationService.java @@ -1,20 +1,39 @@ package org.rutebanken.tiamat.auth; +import org.apache.commons.lang3.StringUtils; +import org.rutebanken.helper.organisation.AuthorizationConstants; import org.rutebanken.helper.organisation.DataScopedAuthorizationService; import org.rutebanken.helper.organisation.RoleAssignment; +import org.rutebanken.helper.organisation.RoleAssignmentExtractor; import org.rutebanken.tiamat.model.EntityStructure; +import org.springframework.security.access.AccessDeniedException; import java.util.Collection; import java.util.Set; -import static org.rutebanken.helper.organisation.AuthorizationConstants.ROLE_DELETE_STOPS; -import static org.rutebanken.helper.organisation.AuthorizationConstants.ROLE_EDIT_STOPS; +import static org.rutebanken.helper.organisation.AuthorizationConstants.*; public class DefaultAuthorizationService implements AuthorizationService { private final DataScopedAuthorizationService dataScopedAuthorizationService; + private final RoleAssignmentExtractor roleAssignmentExtractor; - public DefaultAuthorizationService(DataScopedAuthorizationService dataScopedAuthorizationService) { + public DefaultAuthorizationService(DataScopedAuthorizationService dataScopedAuthorizationService, RoleAssignmentExtractor roleAssignmentExtractor) { this.dataScopedAuthorizationService = dataScopedAuthorizationService; + this.roleAssignmentExtractor = roleAssignmentExtractor; + } + + @Override + public void verifyCanEditAllEntities() { + if (roleAssignmentExtractor.getRoleAssignmentsForUser() + .stream() + .noneMatch(roleAssignment -> ROLE_EDIT_STOPS.equals(roleAssignment.getRole()) + && roleAssignment.getEntityClassifications() != null + && roleAssignment.getEntityClassifications().get(AuthorizationConstants.ENTITY_TYPE) != null + && roleAssignment.getEntityClassifications().get(AuthorizationConstants.ENTITY_TYPE).contains(ENTITY_CLASSIFIER_ALL_ATTRIBUTES) + && StringUtils.isEmpty(roleAssignment.getAdministrativeZone()) + )) { + throw new AccessDeniedException("Insufficient privileges for operation"); + } } @Override diff --git a/src/main/java/org/rutebanken/tiamat/config/AuthorizationServiceConfig.java b/src/main/java/org/rutebanken/tiamat/config/AuthorizationServiceConfig.java index e4eaef5b6..e0a68fda2 100644 --- a/src/main/java/org/rutebanken/tiamat/config/AuthorizationServiceConfig.java +++ b/src/main/java/org/rutebanken/tiamat/config/AuthorizationServiceConfig.java @@ -39,8 +39,8 @@ public class AuthorizationServiceConfig { @Bean - public AuthorizationService authorizationService(DataScopedAuthorizationService dataScopedAuthorizationService) { - return new DefaultAuthorizationService(dataScopedAuthorizationService); + public AuthorizationService authorizationService(DataScopedAuthorizationService dataScopedAuthorizationService, RoleAssignmentExtractor roleAssignmentExtractor) { + return new DefaultAuthorizationService(dataScopedAuthorizationService, roleAssignmentExtractor); } @Bean diff --git a/src/main/java/org/rutebanken/tiamat/importer/PublicationDeliveryImporter.java b/src/main/java/org/rutebanken/tiamat/importer/PublicationDeliveryImporter.java index 4c951b616..1637e4920 100644 --- a/src/main/java/org/rutebanken/tiamat/importer/PublicationDeliveryImporter.java +++ b/src/main/java/org/rutebanken/tiamat/importer/PublicationDeliveryImporter.java @@ -17,6 +17,7 @@ import org.rutebanken.netex.model.PublicationDeliveryStructure; import org.rutebanken.netex.model.SiteFrame; +import org.rutebanken.tiamat.auth.AuthorizationService; import org.rutebanken.tiamat.exporter.PublicationDeliveryCreator; import org.rutebanken.tiamat.importer.handler.GroupOfTariffZonesImportHandler; import org.rutebanken.tiamat.importer.handler.ParkingsImportHandler; @@ -57,6 +58,7 @@ public class PublicationDeliveryImporter { private final ParkingsImportHandler parkingsImportHandler; private final TopographicPlaceImportHandler topographicPlaceImportHandler; private final BackgroundJobs backgroundJobs; + private final AuthorizationService authorizationService; @Autowired public PublicationDeliveryImporter(PublicationDeliveryHelper publicationDeliveryHelper, NetexMapper netexMapper, @@ -67,7 +69,7 @@ public PublicationDeliveryImporter(PublicationDeliveryHelper publicationDelivery GroupOfTariffZonesImportHandler groupOfTariffZonesImportHandler, StopPlaceImportHandler stopPlaceImportHandler, ParkingsImportHandler parkingsImportHandler, - BackgroundJobs backgroundJobs) { + BackgroundJobs backgroundJobs, AuthorizationService authorizationService) { this.publicationDeliveryHelper = publicationDeliveryHelper; this.parkingsImportHandler = parkingsImportHandler; this.publicationDeliveryCreator = publicationDeliveryCreator; @@ -77,6 +79,7 @@ public PublicationDeliveryImporter(PublicationDeliveryHelper publicationDelivery this.groupOfTariffZonesImportHandler = groupOfTariffZonesImportHandler; this.stopPlaceImportHandler = stopPlaceImportHandler; this.backgroundJobs = backgroundJobs; + this.authorizationService = authorizationService; } @@ -87,6 +90,8 @@ public PublicationDeliveryStructure importPublicationDelivery(PublicationDeliver @SuppressWarnings("unchecked") public PublicationDeliveryStructure importPublicationDelivery(PublicationDeliveryStructure incomingPublicationDelivery, ImportParams importParams) { + authorizationService.verifyCanEditAllEntities(); + if (incomingPublicationDelivery.getDataObjects() == null) { String responseMessage = "Received publication delivery but it does not contain any data objects."; logger.warn(responseMessage); diff --git a/src/main/java/org/rutebanken/tiamat/rest/netex/publicationdelivery/ImportResource.java b/src/main/java/org/rutebanken/tiamat/rest/netex/publicationdelivery/ImportResource.java index 8a3379a8c..0c3a86da1 100644 --- a/src/main/java/org/rutebanken/tiamat/rest/netex/publicationdelivery/ImportResource.java +++ b/src/main/java/org/rutebanken/tiamat/rest/netex/publicationdelivery/ImportResource.java @@ -36,7 +36,6 @@ import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.beans.factory.annotation.Value; -import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.stereotype.Component; import org.xml.sax.SAXException; @@ -44,9 +43,6 @@ import java.io.InputStream; import java.util.Set; -import static org.rutebanken.helper.organisation.AuthorizationConstants.ROLE_EDIT_STOPS; - - /** * Import publication deliveries */ @@ -54,7 +50,6 @@ @Tag(name = "Import resource", description = "Import resource") @Produces(MediaType.APPLICATION_XML + "; charset=UTF-8") @Path("netex") -@PreAuthorize("hasRole('"+ROLE_EDIT_STOPS+"')") public class ImportResource { private static final Logger logger = LoggerFactory.getLogger(ImportResource.class); diff --git a/src/test/java/org/rutebanken/tiamat/auth/StopPlaceAuthorizationServiceTest.java b/src/test/java/org/rutebanken/tiamat/auth/StopPlaceAuthorizationServiceTest.java index abe9b00e2..67dbe1f20 100644 --- a/src/test/java/org/rutebanken/tiamat/auth/StopPlaceAuthorizationServiceTest.java +++ b/src/test/java/org/rutebanken/tiamat/auth/StopPlaceAuthorizationServiceTest.java @@ -122,8 +122,7 @@ public void StopPlaceAuthorizationServiceTest() { tiamatOriganisationChecker, topographicPlaceChecker, tiamatEntityResolver); - this.authorizationService = authorizationServiceConfig.authorizationService(dataScopedAuthorizationService - ); + this.authorizationService = authorizationServiceConfig.authorizationService(dataScopedAuthorizationService, roleAssignmentExtractor);