pcvolkmer/onkostar-plugin-dnpm
1
0
Fork 0
mirror of https://github.com/pcvolkmer/onkostar-plugin-dnpm.git synced 2025-07-02 01:02:55 +00:00
Code Issues Activity

Issue #24: Füge PermissionEvaluator zur Gesamtprüfung der Berechtigung hinzu

Browse Source 
Dieser PermissionEvaluator delegiert die einzelnen Prüfungen an PermissionEvaluatoren
welche `AbstractDelegatedPermissionEvaluator` erweitern.

Nur, wenn all diese PermissionEvaluatoren die Berechtigung erfolgreich geprüft haben,
gibt dieser PermissionEvaluator ein positives Prüfungsergebnis zurück.
This commit is contained in:
Paul-Christian Volkmer
2023-04-10 13:09:54 +02:00
parent 2495d851fc
commit 44396ff04a
5 changed files with 217 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/main/java/DNPM/security/AbstractDelegatedPermissionEvaluator.java Normal file
View File

@ -0,0 +1,26 @@
package DNPM.security;
import de.itc.onkostar.api.IOnkostarApi;
import de.itc.onkostar.api.Patient;
import de.itc.onkostar.api.Procedure;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.access.PermissionEvaluator;
import javax.sql.DataSource;
public abstract class AbstractDelegatedPermissionEvaluator implements PermissionEvaluator {
protected static final String PATIENT = Patient.class.getSimpleName();
protected static final String PROCEDURE = Procedure.class.getSimpleName();
protected final IOnkostarApi onkostarApi;
protected final JdbcTemplate jdbcTemplate;
protected AbstractDelegatedPermissionEvaluator(final IOnkostarApi onkostarApi, final DataSource dataSource) {
this.onkostarApi = onkostarApi;
this.jdbcTemplate = new JdbcTemplate(dataSource);
}
}

56
src/main/java/DNPM/security/DelegatingDataBasedPermissionEvaluator.java Normal file
View File

@ -0,0 +1,56 @@
package DNPM.security;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Component;
import java.io.Serializable;
import java.util.List;
/**
* PermissionEvaluator zur Gesamtprüfung der Zugriffsberechtigung.
* Die konkrete Berechtigungsprüfung wird an die nachgelagerten PermissionEvaluatoren delegiert,
* welche jeweils einzeln dem Zugriff zustimmen müssen.
*/
@Component
public class DelegatingDataBasedPermissionEvaluator implements PermissionEvaluator {
private final List<AbstractDelegatedPermissionEvaluator> permissionEvaluators;
public DelegatingDataBasedPermissionEvaluator(final List<AbstractDelegatedPermissionEvaluator> permissionEvaluators) {
this.permissionEvaluators = permissionEvaluators;
}
/**
* Auswertung der Zugriffsberechtigung für authentifizierten Benutzer auf Zielobjekt mit angeforderter Berechtigung.
* Hierbei wird die Berechtigungsprüfung an alle nachgelagerten PermissionEvaluatoren delegiert.
* Alle müssen dem Zugriff zustimmen.
*
* @param authentication Das Authentication Objekt
* @param targetObject Das Zielobjekt
* @param permissionType Die angeforderte Berechtigung
* @return Gibt <code>true</code> zurück, wenn der Benutzer die Berechtigung hat
*/
@Override
public boolean hasPermission(Authentication authentication, Object targetObject, Object permissionType) {
return permissionEvaluators.stream()
.allMatch(permissionEvaluator -> permissionEvaluator.hasPermission(authentication, targetObject, permissionType));
}
/**
* Auswertung anhand der ID und des Namens des Zielobjekts.
* Hierbei wird die Berechtigungsprüfung an alle nachgelagerten PermissionEvaluatoren delegiert.
* Alle müssen dem Zugriff zustimmen.
*
* @param authentication Authentication-Object
* @param targetId ID des Objekts
* @param targetType Name der Zielobjektklasse
* @param permissionType Die angeforderte Berechtigung
* @return Gibt <code>true</code> zurück, wenn der Benutzer die Berechtigung hat
*/
@Override
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permissionType) {
return permissionEvaluators.stream()
.allMatch(permissionEvaluator -> permissionEvaluator.hasPermission(authentication, targetId, targetType, permissionType));
}
}

13
src/main/java/DNPM/security/FormBasedPermissionEvaluator.java
View File

@ -3,8 +3,6 @@ package DNPM.security;
import de.itc.onkostar.api.IOnkostarApi;
import de.itc.onkostar.api.Patient;
import de.itc.onkostar.api.Procedure;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
@ -17,15 +15,10 @@ import java.util.List;
* Permission-Evaluator zur Auswertung der Berechtigung auf Objekte aufgrund der Formularberechtigung
*/
@Component
public class FormBasedPermissionEvaluator implements PermissionEvaluator {
private final IOnkostarApi onkostarApi;
private final JdbcTemplate jdbcTemplate;
public class FormBasedPermissionEvaluator extends AbstractDelegatedPermissionEvaluator {
public FormBasedPermissionEvaluator(final IOnkostarApi onkostarApi, final DataSource dataSource) {
this.onkostarApi = onkostarApi;
this.jdbcTemplate = new JdbcTemplate(dataSource);
super(onkostarApi, dataSource);
}
/**
@ -63,7 +56,7 @@ public class FormBasedPermissionEvaluator implements PermissionEvaluator {
@Override
public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permissionType) {
if (targetId instanceof Integer) {
if ("Patient".equals(targetType)) {
if (PATIENT.equals(targetType)) {
return true;
}
var procedure = this.onkostarApi.getProcedure((int)targetId);

31
src/main/java/DNPM/security/PersonPoolBasedPermissionEvaluator.java
View File

@ -3,8 +3,6 @@ package DNPM.security;
import de.itc.onkostar.api.IOnkostarApi;
import de.itc.onkostar.api.Patient;
import de.itc.onkostar.api.Procedure;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
@ -17,15 +15,10 @@ import java.util.List;
* Permission-Evaluator zur Auswertung der Berechtigung auf Objekte aufgrund der Personenstammberechtigung
*/
@Component
public class PersonPoolBasedPermissionEvaluator implements PermissionEvaluator {
private final IOnkostarApi onkostarApi;
private final JdbcTemplate jdbcTemplate;
public class PersonPoolBasedPermissionEvaluator extends AbstractDelegatedPermissionEvaluator {
public PersonPoolBasedPermissionEvaluator(final IOnkostarApi onkostarApi, final DataSource dataSource) {
this.onkostarApi = onkostarApi;
this.jdbcTemplate = new JdbcTemplate(dataSource);
super(onkostarApi, dataSource);
}
/**
@ -70,18 +63,14 @@ public class PersonPoolBasedPermissionEvaluator implements PermissionEvaluator {
private String getPersonPoolCode(int id, String type) {
Patient patient = null;
switch (type) {
case "Patient":
patient = onkostarApi.getPatient(id);
break;
case "Procedure":
var procedure = onkostarApi.getProcedure(id);
if (null != procedure) {
patient = procedure.getPatient();
}
break;
default:
break;
if (PATIENT.equals(type)) {
patient = onkostarApi.getPatient(id);
} else if (PROCEDURE.equals(type)) {
var procedure = onkostarApi.getProcedure(id);
if (null != procedure) {
patient = procedure.getPatient();
}
}
if (null != patient) {

122
src/test/java/DNPM/security/DelegatingDataBasedPermissionEvaluatorTest.java Normal file
View File

@ -0,0 +1,122 @@
package DNPM.security;
import de.itc.onkostar.api.IOnkostarApi;
import de.itc.onkostar.api.Patient;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import java.util.Collection;
import java.util.List;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.*;
import static org.mockito.Mockito.when;
@ExtendWith(MockitoExtension.class)
class DelegatingDataBasedPermissionEvaluatorTest {
private IOnkostarApi onkostarApi;
private PersonPoolBasedPermissionEvaluator personPoolBasedPermissionEvaluator;
private FormBasedPermissionEvaluator formBasedPermissionEvaluator;
private DelegatingDataBasedPermissionEvaluator delegatingDataBasedPermissionEvaluator;
@BeforeEach
void setup(
@Mock IOnkostarApi onkostarApi,
@Mock PersonPoolBasedPermissionEvaluator personPoolBasedPermissionEvaluator,
@Mock FormBasedPermissionEvaluator formBasedPermissionEvaluator
) {
this.onkostarApi = onkostarApi;
this.personPoolBasedPermissionEvaluator = personPoolBasedPermissionEvaluator;
this.formBasedPermissionEvaluator = formBasedPermissionEvaluator;
this.delegatingDataBasedPermissionEvaluator = new DelegatingDataBasedPermissionEvaluator(
List.of(personPoolBasedPermissionEvaluator, formBasedPermissionEvaluator)
);
}
@Test
void testShouldGrantPermissionIfAllDelegatedPermissionEvaluatorsGrantsAccessByObject() {
when(personPoolBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(true);
when(formBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(true);
var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), new Patient(this.onkostarApi), PermissionType.READ);
assertThat(actual).isTrue();
}
@Test
void testShouldGrantPermissionIfAllDelegatedPermissionEvaluatorsGrantsAccessByIdAndType() {
when(personPoolBasedPermissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(true);
when(formBasedPermissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(true);
var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), 123, "Patient", PermissionType.READ);
assertThat(actual).isTrue();
}
@Test
void testShouldDenyPermissionIfAtLeastOneDelegatedPermissionEvaluatorsDeniesAccessByObject() {
when(personPoolBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(true);
when(formBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(false);
var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), new Patient(this.onkostarApi), PermissionType.READ);
assertThat(actual).isFalse();
}
@Test
void testShouldDenyPermissionIfAtLeastOneDelegatedPermissionEvaluatorsDeniesAccessByIdAndType() {
when(personPoolBasedPermissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(false);
var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), 123, "Patient", PermissionType.READ);
assertThat(actual).isFalse();
}
}
class DummyAuthentication implements Authentication {
@Override
public String getName() {
return "dummy";
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return null;
}
@Override
public Object getCredentials() {
return null;
}
@Override
public Object getDetails() {
return null;
}
@Override
public Object getPrincipal() {
return null;
}
@Override
public boolean isAuthenticated() {
return false;
}
@Override
public void setAuthenticated(boolean b) throws IllegalArgumentException {
}
}