diff --git a/src/main/java/DNPM/security/AbstractDelegatedPermissionEvaluator.java b/src/main/java/DNPM/security/AbstractDelegatedPermissionEvaluator.java
new file mode 100644
index 0000000..9d5f1ad
--- /dev/null
+++ b/src/main/java/DNPM/security/AbstractDelegatedPermissionEvaluator.java
@@ -0,0 +1,26 @@
+package DNPM.security;
+
+import de.itc.onkostar.api.IOnkostarApi;
+import de.itc.onkostar.api.Patient;
+import de.itc.onkostar.api.Procedure;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.security.access.PermissionEvaluator;
+
+import javax.sql.DataSource;
+
+public abstract class AbstractDelegatedPermissionEvaluator implements PermissionEvaluator {
+
+ protected static final String PATIENT = Patient.class.getSimpleName();
+
+ protected static final String PROCEDURE = Procedure.class.getSimpleName();
+
+ protected final IOnkostarApi onkostarApi;
+
+ protected final JdbcTemplate jdbcTemplate;
+
+ protected AbstractDelegatedPermissionEvaluator(final IOnkostarApi onkostarApi, final DataSource dataSource) {
+ this.onkostarApi = onkostarApi;
+ this.jdbcTemplate = new JdbcTemplate(dataSource);
+ }
+
+}
diff --git a/src/main/java/DNPM/security/DelegatingDataBasedPermissionEvaluator.java b/src/main/java/DNPM/security/DelegatingDataBasedPermissionEvaluator.java
new file mode 100644
index 0000000..d8ca92e
--- /dev/null
+++ b/src/main/java/DNPM/security/DelegatingDataBasedPermissionEvaluator.java
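Review bot: AbstractDelegatedPermissionEvaluator has no Javadoc, and nothing says that `PATIENT` and `PROCEDURE` are the target-type names the subclasses compare against. A class comment should state that they come from `Class.getSimpleName()` and therefore match the `"Patient"` literal callers pass as `targetType` (as the test in this commit does), so renaming either API class silently changes what the evaluators recognise. The constructor also stores `onkostarApi` unchecked; `this.onkostarApi = Objects.requireNonNull(onkostarApi, "onkostarApi");` would surface a wiring error at startup rather than at the first permission check.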
@@ -0,0 +1,56 @@
+package DNPM.security;
+
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Component;
+
+import java.io.Serializable;
+import java.util.List;
+
+/**
+ * PermissionEvaluator zur Gesamtprüfung der Zugriffsberechtigung.
+ * Die konkrete Berechtigungsprüfung wird an die nachgelagerten PermissionEvaluatoren delegiert,
+ * welche jeweils einzeln dem Zugriff zustimmen müssen.
+ */
+@Component
+public class DelegatingDataBasedPermissionEvaluator implements PermissionEvaluator {
+
+ private final List permissionEvaluators;
+
+ public DelegatingDataBasedPermissionEvaluator(final List permissionEvaluators) {
+ this.permissionEvaluators = permissionEvaluators;
+ }
+
+ /**
+ * Auswertung der Zugriffsberechtigung für authentifizierten Benutzer auf Zielobjekt mit angeforderter Berechtigung.
+ * Hierbei wird die Berechtigungsprüfung an alle nachgelagerten PermissionEvaluatoren delegiert.
+ * Alle müssen dem Zugriff zustimmen.
+ *
+ * @param authentication Das Authentication Objekt
+ * @param targetObject Das Zielobjekt
+ * @param permissionType Die angeforderte Berechtigung
+ * @return Gibt true zurück, wenn der Benutzer die Berechtigung hat
+ */
+ @Override
+ public boolean hasPermission(Authentication authentication, Object targetObject, Object permissionType) {
+ return permissionEvaluators.stream()
+ .allMatch(permissionEvaluator -> permissionEvaluator.hasPermission(authentication, targetObject, permissionType));
+ }
+
+ /**
+ * Auswertung anhand der ID und des Namens des Zielobjekts.
+ * Hierbei wird die Berechtigungsprüfung an alle nachgelagerten PermissionEvaluatoren delegiert.
+ * Alle müssen dem Zugriff zustimmen.
+ *
+ * @param authentication Authentication-Object
+ * @param targetId ID des Objekts
+ * @param targetType Name der Zielobjektklasse
+ * @param permissionType Die angeforderte Berechtigung
+ * @return Gibt true zurück, wenn der Benutzer die Berechtigung hat
+ */
+ @Override
+ public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permissionType) {
+ return permissionEvaluators.stream()
+ .allMatch(permissionEvaluator -> permissionEvaluator.hasPermission(authentication, targetId, targetType, permissionType));
+ }
+}
diff --git a/src/main/java/DNPM/security/FormBasedPermissionEvaluator.java b/src/main/java/DNPM/security/FormBasedPermissionEvaluator.java
index 73937af..4ba19dc 100644
--- a/src/main/java/DNPM/security/FormBasedPermissionEvaluator.java
+++ b/src/main/java/DNPM/security/FormBasedPermissionEvaluator.java
@@ -3,8 +3,6 @@ package DNPM.security;
 import de.itc.onkostar.api.IOnkostarApi;
 import de.itc.onkostar.api.Patient;
 import de.itc.onkostar.api.Procedure;
-import org.springframework.jdbc.core.JdbcTemplate;
-import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Component;
@@ -17,15 +15,10 @@ import java.util.List;
 * Permission-Evaluator zur Auswertung der Berechtigung auf Objekte aufgrund der Formularberechtigung
 */
 @Component
-public class FormBasedPermissionEvaluator implements PermissionEvaluator {
-
- private final IOnkostarApi onkostarApi;
-
- private final JdbcTemplate jdbcTemplate;
+public class FormBasedPermissionEvaluator extends AbstractDelegatedPermissionEvaluator {
 
 public FormBasedPermissionEvaluator(final IOnkostarApi onkostarApi, final DataSource dataSource) {
- this.onkostarApi = onkostarApi;
- this.jdbcTemplate = new JdbcTemplate(dataSource);
+ super(onkostarApi, dataSource);
 }
 
 /**
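Review bot: Both `hasPermission` overloads in DelegatingDataBasedPermissionEvaluator grant access when `permissionEvaluators` is empty, because `Stream.allMatch` returns true for an empty stream. An instance wired with no delegates would approve every request; deny in that case, e.g. `return !permissionEvaluators.isEmpty() && permissionEvaluators.stream().allMatch(...)`, or reject an empty list in the constructor. The constructor also keeps the caller's list by reference, so `this.permissionEvaluators = List.copyOf(permissionEvaluators);` would fix the delegate set and reject null entries. The test class added in this commit has no case for an empty delegate list.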
@@ -63,7 +56,7 @@ public class FormBasedPermissionEvaluator implements PermissionEvaluator {
 @Override
 public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permissionType) {
 if (targetId instanceof Integer) {
- if ("Patient".equals(targetType)) {
+ if (PATIENT.equals(targetType)) {
 return true;
 }
 var procedure = this.onkostarApi.getProcedure((int)targetId);
diff --git a/src/main/java/DNPM/security/PersonPoolBasedPermissionEvaluator.java b/src/main/java/DNPM/security/PersonPoolBasedPermissionEvaluator.java
index 0762dc9..21cdca1 100644
--- a/src/main/java/DNPM/security/PersonPoolBasedPermissionEvaluator.java
+++ b/src/main/java/DNPM/security/PersonPoolBasedPermissionEvaluator.java
@@ -3,8 +3,6 @@ package DNPM.security;
 import de.itc.onkostar.api.IOnkostarApi;
 import de.itc.onkostar.api.Patient;
 import de.itc.onkostar.api.Procedure;
-import org.springframework.jdbc.core.JdbcTemplate;
-import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Component;
@@ -17,15 +15,10 @@ import java.util.List;
 * Permission-Evaluator zur Auswertung der Berechtigung auf Objekte aufgrund der Personenstammberechtigung
 */
 @Component
-public class PersonPoolBasedPermissionEvaluator implements PermissionEvaluator {
-
- private final IOnkostarApi onkostarApi;
-
- private final JdbcTemplate jdbcTemplate;
+public class PersonPoolBasedPermissionEvaluator extends AbstractDelegatedPermissionEvaluator {
 
 public PersonPoolBasedPermissionEvaluator(final IOnkostarApi onkostarApi, final DataSource dataSource) {
- this.onkostarApi = onkostarApi;
- this.jdbcTemplate = new JdbcTemplate(dataSource);
+ super(onkostarApi, dataSource);
 }
 
 /**
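Review bot: In FormBasedPermissionEvaluator's `hasPermission(Authentication, Serializable, String, Object)`, every `targetType` other than `PATIENT` falls through to `this.onkostarApi.getProcedure((int)targetId)`, so an unknown or misspelled type name is evaluated as if the ID were a procedure ID. Now that `PROCEDURE` exists in the base class, the lookup should be guarded with `if (!PROCEDURE.equals(targetType)) { return false; }` before the `getProcedure` call. If the unconditional `return true` for patients is intended, a comment such as `// form permissions do not restrict patients; the other delegates decide` would record that. The method body continues past the hunk, so the handling of a null `procedure` cannot be checked here.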
@@ -70,18 +63,14 @@ public class PersonPoolBasedPermissionEvaluator implements PermissionEvaluator { private String getPersonPoolCode(int id, String type) { Patient patient = null; - switch (type) { - case "Patient": - patient = onkostarApi.getPatient(id); - break; - case "Procedure": - var procedure = onkostarApi.getProcedure(id); - if (null != procedure) { - patient = procedure.getPatient(); - } - break; - default: - break; + + if (PATIENT.equals(type)) { + patient = onkostarApi.getPatient(id); + } else if (PROCEDURE.equals(type)) { + var procedure = onkostarApi.getProcedure(id); + if (null != procedure) { + patient = procedure.getPatient(); + } } if (null != patient) { diff --git a/src/test/java/DNPM/security/DelegatingDataBasedPermissionEvaluatorTest.java b/src/test/java/DNPM/security/DelegatingDataBasedPermissionEvaluatorTest.java new file mode 100644 index 0000000..1d8ecf8 --- /dev/null +++ b/src/test/java/DNPM/security/DelegatingDataBasedPermissionEvaluatorTest.java 
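Review bot: In PersonPoolBasedPermissionEvaluator's `getPersonPoolCode`, replacing `switch (type)` with `PATIENT.equals(type)` / `PROCEDURE.equals(type)` changes the behaviour for a null `type`: the switch would have thrown a NullPointerException, whereas the new code leaves `patient` null and continues. What the method returns when `patient` is null lies outside the hunk, so it should be confirmed that callers treat that result as a denial. A comment above the `if (null != patient)` check would make the contract explicit, e.g. `// unknown or null type: no patient resolved, the caller must deny`.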
@@ -0,0 +1,122 @@
+package DNPM.security;
+
+import de.itc.onkostar.api.IOnkostarApi;
+import de.itc.onkostar.api.Patient;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.Collection;
+import java.util.List;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.ArgumentMatchers.*;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+class DelegatingDataBasedPermissionEvaluatorTest {
+
+ private IOnkostarApi onkostarApi;
+
+ private PersonPoolBasedPermissionEvaluator personPoolBasedPermissionEvaluator;
+
+ private FormBasedPermissionEvaluator formBasedPermissionEvaluator;
+
+ private DelegatingDataBasedPermissionEvaluator delegatingDataBasedPermissionEvaluator;
+
+ @BeforeEach
+ void setup(
+ @Mock IOnkostarApi onkostarApi,
+ @Mock PersonPoolBasedPermissionEvaluator personPoolBasedPermissionEvaluator,
+ @Mock FormBasedPermissionEvaluator formBasedPermissionEvaluator
+ ) {
+ this.onkostarApi = onkostarApi;
+ this.personPoolBasedPermissionEvaluator = personPoolBasedPermissionEvaluator;
+ this.formBasedPermissionEvaluator = formBasedPermissionEvaluator;
+
+ this.delegatingDataBasedPermissionEvaluator = new DelegatingDataBasedPermissionEvaluator(
+ List.of(personPoolBasedPermissionEvaluator, formBasedPermissionEvaluator)
+ );
+ }
+
+ @Test
+ void testShouldGrantPermissionIfAllDelegatedPermissionEvaluatorsGrantsAccessByObject() {
+ when(personPoolBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(true);
+ when(formBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(true);
+
+ var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), new Patient(this.onkostarApi), PermissionType.READ);
+
+ assertThat(actual).isTrue();
+ }
+
+ @Test
+ void testShouldGrantPermissionIfAllDelegatedPermissionEvaluatorsGrantsAccessByIdAndType() {
+ when(personPoolBasedPermissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(true);
+ when(formBasedPermissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(true);
+
+ var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), 123, "Patient", PermissionType.READ);
+
+ assertThat(actual).isTrue();
+ }
+
+ @Test
+ void testShouldDenyPermissionIfAtLeastOneDelegatedPermissionEvaluatorsDeniesAccessByObject() {
+ when(personPoolBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(true);
+ when(formBasedPermissionEvaluator.hasPermission(any(), any(Patient.class), any(PermissionType.class))).thenReturn(false);
+
+ var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), new Patient(this.onkostarApi), PermissionType.READ);
+
+ assertThat(actual).isFalse();
+ }
+
+ @Test
+ void testShouldDenyPermissionIfAtLeastOneDelegatedPermissionEvaluatorsDeniesAccessByIdAndType() {
+ when(personPoolBasedPermissionEvaluator.hasPermission(any(), anyInt(), anyString(), any(PermissionType.class))).thenReturn(false);
+
+ var actual = delegatingDataBasedPermissionEvaluator.hasPermission(new DummyAuthentication(), 123, "Patient", PermissionType.READ);
+
+ assertThat(actual).isFalse();
+ }
+
+}
+
+class DummyAuthentication implements Authentication {
+ @Override
+ public String getName() {
+ return "dummy";
+ }
+
+ @Override
+ public Collection getAuthorities() {
+ return null;
+ }
+
+ @Override
+ public Object getCredentials() {
+ return null;
+ }
+
+ @Override
+ public Object getDetails() {
+ return null;
+ }
+
+ @Override
+ public Object getPrincipal() {
+ return null;
+ }
+
+ @Override
+ public boolean isAuthenticated() {
+ return false;
+ }
+
+ @Override
+ public void setAuthenticated(boolean b) throws IllegalArgumentException {
+
+ }
+}
\ No newline at end of file