From b9f971b295be6c9a711c964e3d0795406b9f3670 Mon Sep 17 00:00:00 2001 From: Paul-Christian Volkmer Date: Wed, 5 Apr 2023 17:33:16 +0200 Subject: [PATCH] Issue #24: Erste Implementierung eines PermissionEvaluators MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Diese erste Implementierung wertet die Zugriffsberechtigung auf den Personenstamm aus, in dem der Patient oder eines der Formulare zum Patienten gehört. --- pom.xml | 7 ++ .../java/DNPM/config/PluginConfiguration.java | 7 ++ .../java/DNPM/security/PermissionType.java | 6 ++ .../PersonPoolBasedPermissionEvaluator.java | 78 +++++++++++++++++++ 4 files changed, 98 insertions(+) create mode 100644 src/main/java/DNPM/security/PermissionType.java create mode 100644 src/main/java/DNPM/security/PersonPoolBasedPermissionEvaluator.java diff --git a/pom.xml b/pom.xml index cd7d802..0f7ffdb 100644 --- a/pom.xml +++ b/pom.xml @@ -14,6 +14,7 @@ UTF-8 4.3.8.RELEASE + 4.2.2.RELEASE @@ -55,6 +56,12 @@ ${spring-version} provided + + org.springframework.security + spring-security-core + ${spring-security-version} + provided + org.springframework.data spring-data-jpa diff --git a/src/main/java/DNPM/config/PluginConfiguration.java b/src/main/java/DNPM/config/PluginConfiguration.java index 30d8fb3..654d4c4 100644 --- a/src/main/java/DNPM/config/PluginConfiguration.java +++ b/src/main/java/DNPM/config/PluginConfiguration.java @@ -1,6 +1,7 @@ package DNPM.config; import DNPM.database.SettingsRepository; +import DNPM.security.PersonPoolBasedPermissionEvaluator; import DNPM.services.*; import DNPM.services.consent.ConsentManagerServiceFactory; import DNPM.services.mtb.DefaultMtbService; 
@@ -12,6 +13,7 @@ import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.ComponentScan; import org.springframework.context.annotation.Configuration; import org.springframework.data.jpa.repository.config.EnableJpaRepositories; +import org.springframework.security.access.PermissionEvaluator; import javax.sql.DataSource; @@ -25,6 +27,11 @@ import javax.sql.DataSource; @EnableJpaRepositories(basePackages = "DNPM.database") public class PluginConfiguration { + @Bean + public PermissionEvaluator personBasedPermissionEvaluator(final DataSource dataSource) { + return new PersonPoolBasedPermissionEvaluator(dataSource); + } + @Bean public FormService formService(final DataSource dataSource) { return new DefaultFormService(dataSource); diff --git a/src/main/java/DNPM/security/PermissionType.java b/src/main/java/DNPM/security/PermissionType.java new file mode 100644 index 0000000..50a0bd3 --- /dev/null +++ b/src/main/java/DNPM/security/PermissionType.java @@ -0,0 +1,6 @@ +package DNPM.security; + +public enum PermissionType { + READ, + WRITE +} diff --git a/src/main/java/DNPM/security/PersonPoolBasedPermissionEvaluator.java b/src/main/java/DNPM/security/PersonPoolBasedPermissionEvaluator.java new file mode 100644 index 0000000..766cc70 --- /dev/null +++ b/src/main/java/DNPM/security/PersonPoolBasedPermissionEvaluator.java 
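Review bot: The bean added in the `@@ -25,6 +27,11 @@` hunk of PluginConfiguration is published under the generic `PermissionEvaluator` type with the name `personBasedPermissionEvaluator`, which drops the "Pool" of the class it returns. The rest of the application context is not visible here; if the host already defines a `PermissionEvaluator`, by-type injection of that interface becomes ambiguous, and any consumer that resolves this bean gets `false` for every target other than `Patient` and `Procedure`. Naming the method `personPoolBasedPermissionEvaluator` and injecting it by that name or by the concrete class would keep plugin-internal checks from being confused with host-wide ones.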
@@ -0,0 +1,78 @@
+package DNPM.security;
+
+import de.itc.onkostar.api.Patient;
+import de.itc.onkostar.api.Procedure;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import javax.sql.DataSource;
+import java.io.Serializable;
+import java.util.List;
+
+/**
+ * Permission-Evaluator zur Auswertung der Berechtigung auf Objekte aufgrund der Personenstammberechtigung
+ */
+public class PersonPoolBasedPermissionEvaluator implements PermissionEvaluator {
+
+ private final JdbcTemplate jdbcTemplate;
+
+ public PersonPoolBasedPermissionEvaluator(final DataSource dataSource) {
+ this.jdbcTemplate = new JdbcTemplate(dataSource);
+ }
+
+ /**
+ * Auswertung der Zugriffsberechtigung für authentifizierten Benutzer auf Zielobjekt mit angeforderter Berechtigung.
+ * @param authentication Das Authentication Objekt
+ * @param targetObject Das Zielobjekt
+ * @param permissionType Die angeforderte Berechtigung
+ * @return Gibt true zurück, wenn der Benutzer die Berechtigung hat
+ */
+ @Override
+ public boolean hasPermission(Authentication authentication, Object targetObject, Object permissionType) {
+ if (permissionType instanceof PermissionType) {
+ if (targetObject instanceof Patient) {
+ return getPersonPoolIdsForPermission(authentication, (PermissionType)permissionType)
+ .contains(((Patient)targetObject).getPersonPoolCode());
+ } else if (targetObject instanceof Procedure) {
+ return getPersonPoolIdsForPermission(authentication, (PermissionType)permissionType)
+ .contains(((Procedure)targetObject).getPatient().getPersonPoolCode());
+ }
+ }
+ return false;
+ }
+
+ /**
+ * Auswertung nicht anhand der ID möglich. Gibt immer false zurück.
+ * @param authentication Authentication-Object
+ * @param targetId ID des Objekts
+ * @param s
+ * @param o
+ * @return Gibt immer false zurück
+ */
+ @Override
+ public boolean hasPermission(Authentication authentication, Serializable targetId, String s, Object o) {
+ return false;
+ }
+
+ private List getPersonPoolIdsForPermission(Authentication authentication, PermissionType permissionType) {
+ var sql = "SELECT p.kennung FROM personenstamm_zugriff "
+ " JOIN usergroup u ON personenstamm_zugriff.benutzergruppe_id = u.id "
+ " JOIN akteur_usergroup au ON u.id = au.usergroup_id "
+ " JOIN akteur a ON au.akteur_id = a.id "
+ " JOIN personenstamm p on personenstamm_zugriff.personenstamm_id = p.id "
+ " WHERE a.login = ? AND a.aktiv AND a.anmelden_moeglich ";
+
+ if (PermissionType.WRITE == permissionType) {
+ sql += " AND personenstamm_zugriff.bearbeiten ";
+ }
+
+ var userDetails = (UserDetails)authentication.getPrincipal();
+
+ return jdbcTemplate
+ .query(sql, new Object[]{userDetails.getUsername()}, (rs, rowNum) -> rs.getString("id"));
+ }
+
+
+}
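Review bot: In `getPersonPoolIdsForPermission` the row mapper reads `rs.getString("id")`, but the statement selects only `p.kennung`, so as soon as the query returns a row the mapping should fail with an unknown-column error and `hasPermission` throws instead of answering; the mapper should read `rs.getString("kennung")`. The cast `(UserDetails)authentication.getPrincipal()` throws for a null `authentication` or a principal that is not a `UserDetails`, and an authorization check should deny in that case rather than raise: `if (authentication == null) return false;` at the top of `hasPermission` and `authentication.getName()` as the query parameter would cover it. `getPatient()` on a `Procedure` is dereferenced without a null check; whether it can be null is not visible from this hunk, so confirm against the Onkostar API. The ID-based overload's `@param s` and `@param o` tags are empty; name the parameters `targetType` and `permission` as in the Spring interface, or describe them.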