pcvolkmer/onkostar-plugin-dnpm
1
0
Fork 0
mirror of https://github.com/pcvolkmer/onkostar-plugin-dnpm.git synced 2025-07-02 01:02:55 +00:00
Code Issues Activity

Issue #24: Annotationen für formularbasierte Berechtigungsprüfung

Browse Source
This commit is contained in:
Paul-Christian Volkmer
2023-04-10 14:56:15 +02:00
parent 5b9b12afc9
commit f2dc5b014d
6 changed files with 242 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
src/main/java/DNPM/security/FormBasedSecurityAspects.java Normal file
View File

@ -0,0 +1,51 @@
package DNPM.security;
import de.itc.onkostar.api.Procedure;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.AfterReturning;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import java.util.Arrays;
@Component
@Aspect
public class FormBasedSecurityAspects {
private final Logger logger = LoggerFactory.getLogger(this.getClass());
private final FormBasedPermissionEvaluator permissionEvaluator;
public FormBasedSecurityAspects(
final FormBasedPermissionEvaluator permissionEvaluator
) {
this.permissionEvaluator = permissionEvaluator;
}
@AfterReturning(value = "@annotation(FormSecuredResult)", returning = "procedure")
public void afterProcedureFormBased(Procedure procedure) {
if (
null != procedure
&& ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)
) {
logger.warn("Rückgabe von Prozedur blockiert: {}", procedure.getId());
throw new IllegalSecuredObjectAccessException();
}
}
@Before(value = "@annotation(FormSecured)")
public void beforeProcedureFormBased(JoinPoint jp) {
Arrays.stream(jp.getArgs())
.filter(arg -> arg instanceof Procedure)
.forEach(procedure -> {
if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)) {
logger.warn("Zugriff auf Prozedur blockiert: {}", ((Procedure)procedure).getId());
throw new IllegalSecuredObjectAccessException();
}
});
}
}

14
src/main/java/DNPM/security/FormSecured.java Normal file
View File

@ -0,0 +1,14 @@
package DNPM.security;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
public @interface FormSecured {
PermissionType value() default PermissionType.READ_WRITE;
}

14
src/main/java/DNPM/security/FormSecuredResult.java Normal file
View File

@ -0,0 +1,14 @@
package DNPM.security;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
public @interface FormSecuredResult {
PermissionType value() default PermissionType.READ_WRITE;
}

4
src/main/java/DNPM/security/SecurityAspects.java → src/main/java/DNPM/security/PersonPoolBasedSecurityAspects.java
View File

@ -15,13 +15,13 @@ import java.util.Arrays;
@Component
@Aspect
public class SecurityAspects {
public class PersonPoolBasedSecurityAspects {
private final Logger logger = LoggerFactory.getLogger(this.getClass());
private final PersonPoolBasedPermissionEvaluator permissionEvaluator;
public SecurityAspects(PersonPoolBasedPermissionEvaluator permissionEvaluator) {
public PersonPoolBasedSecurityAspects(PersonPoolBasedPermissionEvaluator permissionEvaluator) {
this.permissionEvaluator = permissionEvaluator;
}

132
src/test/java/DNPM/security/FormBasedSecurityAspectsTest.java Normal file
View File

@ -0,0 +1,132 @@
package DNPM.security;
import de.itc.onkostar.api.IOnkostarApi;
import de.itc.onkostar.api.Patient;
import de.itc.onkostar.api.Procedure;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.springframework.aop.aspectj.annotation.AspectJProxyFactory;
import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.*;
@ExtendWith(MockitoExtension.class)
class FormBasedSecurityAspectsTest {
private DummyClass dummyClass;
private IOnkostarApi onkostarApi;
private FormBasedPermissionEvaluator permissionEvaluator;
@BeforeEach
void setup(
@Mock IOnkostarApi onkostarApi,
@Mock FormBasedPermissionEvaluator permissionEvaluator
) {
this.onkostarApi = onkostarApi;
this.permissionEvaluator = permissionEvaluator;
// Create proxied instance of DummyClass as done within Onkostar using Spring AOP
var dummyClass = new DummyClass(onkostarApi);
AspectJProxyFactory factory = new AspectJProxyFactory(dummyClass);
FormBasedSecurityAspects securityAspects = new FormBasedSecurityAspects(this.permissionEvaluator);
factory.addAspect(securityAspects);
this.dummyClass = factory.getProxy();
}
@Test
void testShouldAllowSecuredMethodCallWithPatientParam() {
this.dummyClass.methodWithPatientParam(new Patient(onkostarApi));
verify(onkostarApi, times(1)).savePatient(any(Patient.class));
}
@Test
void testShouldPreventSecuredMethodCallWithProcedureParam() {
when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
.thenReturn(false);
var exception = assertThrows(
Exception.class,
() -> this.dummyClass.methodWithProcedureParam(new Procedure(onkostarApi))
);
assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class);
}
@Test
void testShouldAllowSecuredMethodCallWithProcedureParam() throws Exception {
when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
.thenReturn(true);
this.dummyClass.methodWithProcedureParam(new Procedure(onkostarApi));
verify(onkostarApi, times(1)).saveProcedure(any(Procedure.class), anyBoolean());
}
@Test
void testShouldAllowSecuredMethodCallWithPatientReturnValue() {
var actual = this.dummyClass.methodWithPatientReturnValue(1);
assertThat(actual).isNotNull();
}
@Test
void testShouldPreventSecuredMethodCallWithProcedureReturnValue() {
when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
.thenReturn(false);
var exception = assertThrows(
Exception.class,
() -> this.dummyClass.methodWithProcedureReturnValue(1)
);
assertThat(exception).isExactlyInstanceOf(IllegalSecuredObjectAccessException.class);
}
@Test
void testShouldAllowSecuredMethodCallWithProcedureReturnValue() {
when(this.permissionEvaluator.hasPermission(any(), any(Procedure.class), any(PermissionType.class)))
.thenReturn(true);
var actual = this.dummyClass.methodWithProcedureReturnValue(1);
assertThat(actual).isNotNull();
}
private static class DummyClass {
private final IOnkostarApi onkostarApi;
DummyClass(final IOnkostarApi onkostarApi) {
this.onkostarApi = onkostarApi;
}
@FormSecured
public void methodWithPatientParam(Patient patient) {
this.onkostarApi.savePatient(patient);
}
@FormSecured
public void methodWithProcedureParam(Procedure procedure) throws Exception {
this.onkostarApi.saveProcedure(procedure, false);
}
@FormSecuredResult
public Patient methodWithPatientReturnValue(int id) {
var patient = new Patient(this.onkostarApi);
patient.setId(id);
return patient;
}
@FormSecuredResult
public Procedure methodWithProcedureReturnValue(int id) {
var procedure = new Procedure(this.onkostarApi);
procedure.setId(id);
return procedure;
}
}
}

58
src/test/java/DNPM/security/SecurityAspectsTest.java → src/test/java/DNPM/security/PersonPoolBasedSecurityAspectsTest.java
View File

@ -16,7 +16,7 @@ import static org.mockito.ArgumentMatchers.any;
import static org.mockito.Mockito.*;
@ExtendWith(MockitoExtension.class)
class SecurityAspectsTest {
class PersonPoolBasedSecurityAspectsTest {
private DummyClass dummyClass;
@ -35,7 +35,7 @@ class SecurityAspectsTest {
// Create proxied instance of DummyClass as done within Onkostar using Spring AOP
var dummyClass = new DummyClass(onkostarApi);
AspectJProxyFactory factory = new AspectJProxyFactory(dummyClass);
SecurityAspects securityAspects = new SecurityAspects(this.permissionEvaluator);
PersonPoolBasedSecurityAspects securityAspects = new PersonPoolBasedSecurityAspects(this.permissionEvaluator);
factory.addAspect(securityAspects);
this.dummyClass = factory.getProxy();
}
@ -128,37 +128,37 @@ class SecurityAspectsTest {
assertThat(actual).isNotNull();
}
}
private static class DummyClass {
class DummyClass {
private final IOnkostarApi onkostarApi;
private final IOnkostarApi onkostarApi;
DummyClass(final IOnkostarApi onkostarApi) {
this.onkostarApi = onkostarApi;
}
DummyClass(final IOnkostarApi onkostarApi) {
this.onkostarApi = onkostarApi;
}
@PersonPoolSecured
public void methodWithPatientParam(Patient patient) {
@PersonPoolSecured
public void methodWithPatientParam(Patient patient) {
this.onkostarApi.savePatient(patient);
}
@PersonPoolSecured
public void methodWithProcedureParam(Procedure procedure) throws Exception {
this.onkostarApi.saveProcedure(procedure, false);
}
@PersonPoolSecuredResult
public Patient methodWithPatientReturnValue(int id) {
var patient = new Patient(this.onkostarApi);
patient.setId(id);
return patient;
}
@PersonPoolSecuredResult
public Procedure methodWithProcedureReturnValue(int id) {
var procedure = new Procedure(this.onkostarApi);
procedure.setId(id);
return procedure;
}
}
@PersonPoolSecured
public void methodWithProcedureParam(Procedure procedure) throws Exception {
this.onkostarApi.saveProcedure(procedure, false);
}
@PersonPoolSecuredResult
public Patient methodWithPatientReturnValue(int id) {
var patient = new Patient(this.onkostarApi);
patient.setId(id);
return patient;
}
@PersonPoolSecuredResult
public Procedure methodWithProcedureReturnValue(int id) {
var procedure = new Procedure(this.onkostarApi);
procedure.setId(id);
return procedure;
}
}