mirror of
https://github.com/pcvolkmer/etl-processor.git
synced 2025-04-19 17:26:51 +00:00
feat: add config page for user role assignment
This commit is contained in:
parent
200c5338ea
commit
feb9f2430c
@ -21,6 +21,7 @@ package dev.dnpm.etl.processor.config
|
||||
|
||||
import dev.dnpm.etl.processor.security.UserRole
|
||||
import dev.dnpm.etl.processor.security.UserRoleRepository
|
||||
import dev.dnpm.etl.processor.services.UserRoleService
|
||||
import org.slf4j.LoggerFactory
|
||||
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
|
||||
import org.springframework.boot.context.properties.EnableConfigurationProperties
|
||||
@ -31,6 +32,8 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
|
||||
import org.springframework.security.config.annotation.web.invoke
|
||||
import org.springframework.security.core.authority.SimpleGrantedAuthority
|
||||
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper
|
||||
import org.springframework.security.core.session.SessionRegistry
|
||||
import org.springframework.security.core.session.SessionRegistryImpl
|
||||
import org.springframework.security.core.userdetails.User
|
||||
import org.springframework.security.core.userdetails.UserDetails
|
||||
import org.springframework.security.crypto.factory.PasswordEncoderFactories
|
||||
@ -82,7 +85,7 @@ class AppSecurityConfiguration(
|
||||
|
||||
@Bean
|
||||
@ConditionalOnProperty(value = ["app.security.enable-oidc"], havingValue = "true")
|
||||
fun filterChainOidc(http: HttpSecurity, passwordEncoder: PasswordEncoder, userRoleRepository: UserRoleRepository): SecurityFilterChain {
|
||||
fun filterChainOidc(http: HttpSecurity, passwordEncoder: PasswordEncoder, userRoleRepository: UserRoleRepository, sessionRegistry: SessionRegistry): SecurityFilterChain {
|
||||
http {
|
||||
authorizeRequests {
|
||||
authorize("/configs/**", hasRole("ADMIN"))
|
||||
@ -95,7 +98,7 @@ class AppSecurityConfiguration(
|
||||
authorize("*.svg", permitAll)
|
||||
authorize("*.css", permitAll)
|
||||
authorize("/login/**", permitAll)
|
||||
authorize(anyRequest, fullyAuthenticated)
|
||||
authorize(anyRequest, permitAll)
|
||||
}
|
||||
httpBasic {
|
||||
realmName = "ETL-Processor"
|
||||
@ -106,6 +109,16 @@ class AppSecurityConfiguration(
|
||||
oauth2Login {
|
||||
loginPage = "/login"
|
||||
}
|
||||
sessionManagement {
|
||||
sessionConcurrency {
|
||||
maximumSessions = 1
|
||||
maxSessionsPreventsLogin = true
|
||||
expiredUrl = "/login?expired"
|
||||
}
|
||||
sessionFixation {
|
||||
newSession()
|
||||
}
|
||||
}
|
||||
csrf { disable() }
|
||||
}
|
||||
return http.build()
|
||||
@ -150,9 +163,19 @@ class AppSecurityConfiguration(
|
||||
return http.build()
|
||||
}
|
||||
|
||||
@Bean
|
||||
fun sessionRegistry(): SessionRegistry {
|
||||
return SessionRegistryImpl()
|
||||
}
|
||||
|
||||
@Bean
|
||||
fun passwordEncoder(): PasswordEncoder {
|
||||
return PasswordEncoderFactories.createDelegatingPasswordEncoder()
|
||||
}
|
||||
|
||||
@Bean
|
||||
@ConditionalOnProperty(value = ["app.security.enable-oidc"], havingValue = "true")
|
||||
fun userRoleService(userRoleRepository: UserRoleRepository, sessionRegistry: SessionRegistry): UserRoleService {
|
||||
return UserRoleService(userRoleRepository, sessionRegistry)
|
||||
}
|
||||
}
|
||||
|
||||
@ -23,13 +23,13 @@ package dev.dnpm.etl.processor.security
|
||||
import org.springframework.data.annotation.Id
|
||||
import org.springframework.data.relational.core.mapping.Table
|
||||
import org.springframework.data.repository.CrudRepository
|
||||
import java.util.Optional
|
||||
import java.util.*
|
||||
|
||||
@Table("user_role")
|
||||
data class UserRole(
|
||||
@Id val id: Long? = null,
|
||||
val username: String,
|
||||
val role: Role = Role.GUEST
|
||||
var role: Role = Role.GUEST
|
||||
)
|
||||
|
||||
enum class Role(val value: String) {
|
||||
|
||||
@ -0,0 +1,61 @@
|
||||
/*
|
||||
* This file is part of ETL-Processor
|
||||
*
|
||||
* Copyright (c) 2024 Comprehensive Cancer Center Mainfranken, Datenintegrationszentrum Philipps-Universität Marburg and Contributors
|
||||
*
|
||||
* This program is free software: you can redistribute it and/or modify
|
||||
* it under the terms of the GNU Affero General Public License as published
|
||||
* by the Free Software Foundation, either version 3 of the License, or
|
||||
* (at your option) any later version.
|
||||
*
|
||||
* This program is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
* GNU Affero General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Affero General Public License
|
||||
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
package dev.dnpm.etl.processor.services
|
||||
|
||||
import dev.dnpm.etl.processor.security.Role
|
||||
import dev.dnpm.etl.processor.security.UserRole
|
||||
import dev.dnpm.etl.processor.security.UserRoleRepository
|
||||
import org.springframework.data.repository.findByIdOrNull
|
||||
import org.springframework.security.core.session.SessionRegistry
|
||||
import org.springframework.security.oauth2.core.oidc.user.OidcUser
|
||||
|
||||
class UserRoleService(
|
||||
private val userRoleRepository: UserRoleRepository,
|
||||
private val sessionRegistry: SessionRegistry
|
||||
) {
|
||||
fun updateUserRole(id: Long, role: Role) {
|
||||
val userRole = userRoleRepository.findByIdOrNull(id) ?: return
|
||||
userRole.role = role
|
||||
userRoleRepository.save(userRole)
|
||||
expireSessionFor(userRole.username)
|
||||
}
|
||||
|
||||
fun deleteUserRole(id: Long) {
|
||||
val userRole = userRoleRepository.findByIdOrNull(id) ?: return
|
||||
userRoleRepository.delete(userRole)
|
||||
expireSessionFor(userRole.username)
|
||||
}
|
||||
|
||||
fun findAll(): List<UserRole> {
|
||||
return userRoleRepository.findAll().toList()
|
||||
}
|
||||
|
||||
private fun expireSessionFor(username: String) {
|
||||
sessionRegistry.allPrincipals
|
||||
.filterIsInstance<OidcUser>()
|
||||
.filter { it.preferredUsername == username }
|
||||
.flatMap {
|
||||
sessionRegistry.getAllSessions(it, true)
|
||||
}
|
||||
.onEach {
|
||||
it.expireNow()
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -22,9 +22,12 @@ package dev.dnpm.etl.processor.web
|
||||
import dev.dnpm.etl.processor.monitoring.ConnectionCheckService
|
||||
import dev.dnpm.etl.processor.output.MtbFileSender
|
||||
import dev.dnpm.etl.processor.pseudonym.Generator
|
||||
import dev.dnpm.etl.processor.security.Role
|
||||
import dev.dnpm.etl.processor.security.UserRole
|
||||
import dev.dnpm.etl.processor.services.Token
|
||||
import dev.dnpm.etl.processor.services.TokenService
|
||||
import dev.dnpm.etl.processor.services.TransformationService
|
||||
import dev.dnpm.etl.processor.services.UserRoleService
|
||||
import org.springframework.beans.factory.annotation.Qualifier
|
||||
import org.springframework.http.MediaType
|
||||
import org.springframework.http.codec.ServerSentEvent
|
||||
@ -43,7 +46,8 @@ class ConfigController(
|
||||
private val pseudonymGenerator: Generator,
|
||||
private val mtbFileSender: MtbFileSender,
|
||||
private val connectionCheckService: ConnectionCheckService,
|
||||
private val tokenService: TokenService?
|
||||
private val tokenService: TokenService?,
|
||||
private val userRoleService: UserRoleService?
|
||||
) {
|
||||
|
||||
@GetMapping
|
||||
@ -56,10 +60,16 @@ class ConfigController(
|
||||
if (tokenService != null) {
|
||||
model.addAttribute("tokens", tokenService.findAll())
|
||||
} else {
|
||||
model.addAttribute("tokens", listOf<Token>())
|
||||
model.addAttribute("tokens", emptyList<Token>())
|
||||
}
|
||||
model.addAttribute("transformations", transformationService.getTransformations())
|
||||
|
||||
if (userRoleService != null) {
|
||||
model.addAttribute("userRolesEnabled", true)
|
||||
model.addAttribute("userRoles", userRoleService.findAll())
|
||||
} else {
|
||||
model.addAttribute("userRolesEnabled", false)
|
||||
model.addAttribute("userRoles", emptyList<UserRole>())
|
||||
}
|
||||
return "configs"
|
||||
}
|
||||
|
||||
@ -112,6 +122,34 @@ class ConfigController(
|
||||
return "configs/tokens"
|
||||
}
|
||||
|
||||
@DeleteMapping(path = ["userroles/{id}"])
|
||||
fun deleteUserRole(@PathVariable id: Long, model: Model): String {
|
||||
if (userRoleService != null) {
|
||||
userRoleService.deleteUserRole(id)
|
||||
|
||||
model.addAttribute("userRolesEnabled", true)
|
||||
model.addAttribute("userRoles", userRoleService.findAll())
|
||||
} else {
|
||||
model.addAttribute("userRolesEnabled", false)
|
||||
model.addAttribute("userRoles", emptyList<UserRole>())
|
||||
}
|
||||
return "configs/userroles"
|
||||
}
|
||||
|
||||
@PutMapping(path = ["userroles/{id}"])
|
||||
fun updateUserRole(@PathVariable id: Long, @ModelAttribute("role") role: Role, model: Model): String {
|
||||
if (userRoleService != null) {
|
||||
userRoleService.updateUserRole(id, role)
|
||||
|
||||
model.addAttribute("userRolesEnabled", true)
|
||||
model.addAttribute("userRoles", userRoleService.findAll())
|
||||
} else {
|
||||
model.addAttribute("userRolesEnabled", false)
|
||||
model.addAttribute("userRoles", emptyList<UserRole>())
|
||||
}
|
||||
return "configs/userroles"
|
||||
}
|
||||
|
||||
@GetMapping(path = ["events"], produces = [MediaType.TEXT_EVENT_STREAM_VALUE])
|
||||
fun events(): Flux<ServerSentEvent<Any>> {
|
||||
return configsUpdateProducer.asFlux().map {
|
||||
|
||||
@ -202,6 +202,17 @@ form.samplecode-input input:focus-visible {
|
||||
background: none;
|
||||
}
|
||||
|
||||
.userrole-form form {
|
||||
margin: 0;
|
||||
padding: 0;
|
||||
|
||||
border: none;
|
||||
border-radius: 0;
|
||||
background: none;
|
||||
|
||||
text-align: inherit;
|
||||
}
|
||||
|
||||
.login-form form *,
|
||||
.token-form form * {
|
||||
padding: 0.5em;
|
||||
@ -210,7 +221,8 @@ form.samplecode-input input:focus-visible {
|
||||
}
|
||||
|
||||
.login-form form hr,
|
||||
.token-form form hr {
|
||||
.token-form form hr,
|
||||
.userrole-form form hr {
|
||||
padding: 0;
|
||||
width: 100%;
|
||||
}
|
||||
@ -224,6 +236,14 @@ form.samplecode-input input:focus-visible {
|
||||
border: none;
|
||||
}
|
||||
|
||||
.userrole-form form select {
|
||||
padding: 0.5em;
|
||||
border: none;
|
||||
border-radius: 3px;
|
||||
line-height: 1.2rem;
|
||||
font-size: 0.8rem;
|
||||
}
|
||||
|
||||
.border {
|
||||
padding: 1.5em;
|
||||
border: 1px solid var(--table-border);
|
||||
@ -527,6 +547,10 @@ input.inline:focus-visible {
|
||||
color: var(--bg-green);
|
||||
}
|
||||
|
||||
.notification.notice {
|
||||
color: var(--bg-yellow);
|
||||
}
|
||||
|
||||
.notification.error {
|
||||
color: var(--bg-red);
|
||||
}
|
||||
|
||||
@ -40,6 +40,9 @@
|
||||
<section th:insert="~{configs/tokens.html}">
|
||||
</section>
|
||||
|
||||
<section th:insert="~{configs/userroles.html}">
|
||||
</section>
|
||||
|
||||
<section hx-ext="sse" th:sse-connect="@{/configs/events}">
|
||||
<div th:insert="~{configs/connectionAvailable.html}" th:hx-get="@{/configs?connectionAvailable}" hx-trigger="sse:connection-available">
|
||||
</div>
|
||||
|
||||
39
src/main/resources/templates/configs/userroles.html
Normal file
39
src/main/resources/templates/configs/userroles.html
Normal file
@ -0,0 +1,39 @@
|
||||
<div th:if="${not userRolesEnabled}">
|
||||
<h2><span>⛔</span> Benutzerberechtigungen</h2>
|
||||
<p>Die Verwendung von rollenbasierten Benutzerberechtigungen ist nicht aktiviert.</p>
|
||||
</div>
|
||||
|
||||
<div id="userroles" th:if="${userRolesEnabled}">
|
||||
<h2><span>✅</span> Benutzerberechtigungen</h2>
|
||||
<div class="border">
|
||||
<div th:if="${userRoles.isEmpty()}">Noch keine Benutzerberechtigungen vorhanden.</div>
|
||||
<table th:if="${not userRoles.isEmpty()}">
|
||||
<thead>
|
||||
<tr>
|
||||
<th>Benutzername</th>
|
||||
<th>Rolle</th>
|
||||
<th></th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr th:each="userRole : ${userRoles}">
|
||||
<td>[[ ${userRole.username} ]]</td>
|
||||
<td>
|
||||
<div class="userrole-form">
|
||||
<form th:hx-put="@{/configs/userroles/{id}(id=${userRole.id})}" hx-target="#userroles">
|
||||
<select name="role">
|
||||
<option th:selected="${userRole.role.value == 'guest'}" value="GUEST">Gast</option>
|
||||
<option th:selected="${userRole.role.value == 'user'}" value="USER">Benutzer</option>
|
||||
</select>
|
||||
<button class="btn btn-blue">Übernehmen</button>
|
||||
</form>
|
||||
</div>
|
||||
</td>
|
||||
<td>
|
||||
<button class="btn btn-red" th:hx-delete="@{/configs/userroles/{id}(id=${userRole.id})}" hx-target="#userroles">Löschen</button>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
</div>
|
||||
@ -11,6 +11,7 @@
|
||||
<div class="login-form">
|
||||
<h2 class="centered">Anmelden</h2>
|
||||
<div class="centered notification error" th:if="${param.error}">Anmeldung nicht erfolgreich</div>
|
||||
<div class="centered notification notice" th:if="${param.expired}">Sitzung abgelaufen oder von einem Administrator beendet.</div>
|
||||
<div class="centered notification success" th:if="${param.logout}">Sie haben sich abgemeldet</div>
|
||||
<form method="post" th:action="@{/login}">
|
||||
<input type="text" id="username" name="username" class="form-control" placeholder="Username" required="" autofocus="" />
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user