Newer
Older
package it.inaf.ia2.gms.manager;
import it.inaf.ia2.gms.exception.UnauthorizedException;
import it.inaf.ia2.gms.model.Permission;
import it.inaf.ia2.gms.model.RapUserPermission;
import it.inaf.ia2.gms.persistence.LoggingDAO;
import it.inaf.ia2.gms.persistence.model.GroupEntity;
import it.inaf.ia2.gms.persistence.model.PermissionEntity;
import it.inaf.ia2.gms.service.PermissionUtils;
import it.inaf.ia2.gms.service.PermissionsService;
import it.inaf.ia2.gms.authn.RapClient;
import it.inaf.ia2.gms.persistence.model.ActionType;
import it.inaf.ia2.gms.service.GroupsService;
import it.inaf.ia2.rap.data.RapUser;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
@Service
public class PermissionsManager extends UserAwareComponent {
private final PermissionsService permissionsService;
private final RapClient rapClient;
private final LoggingDAO loggingDAO;
@Autowired
public PermissionsManager(PermissionsService permissionsService, RapClient rapClient, LoggingDAO loggingDAO) {
this.permissionsService = permissionsService;
this.rapClient = rapClient;
this.loggingDAO = loggingDAO;
}
public List<RapUserPermission> getAllPermissions(GroupEntity group) {
verifyUserCanManagePermissions(group);
List<PermissionEntity> permissions = permissionsService.getGroupPermissions(group);
Set<String> userIdentifiers = permissions.stream()
.map(p -> p.getUserId())
.collect(Collectors.toSet());
List<RapUser> users = rapClient.getUsers(userIdentifiers);
Map<String, RapUser> usersMap = users.stream()
.collect(Collectors.toMap(RapUser::getId, Function.identity()));
List<RapUserPermission> result = new ArrayList<>();
for (PermissionEntity p : permissions) {
RapUser rapUser = usersMap.get(p.getUserId());
if (rapUser != null) {
RapUserPermission permission = new RapUserPermission();
permission.setPermission(p.getPermission());
permission.setUser(rapUser);
result.add(permission);
}
}
return result;
}
public Permission getDirectUserPermission(GroupEntity group, String userId) {
verifyUserCanManagePermissions(group);
List<PermissionEntity> permissions = permissionsService.findUserPermissions(group, userId);
for (PermissionEntity permission : permissions) {
if (permission.getGroupId().equals(group.getId())) {
return permission.getPermission();
}
}
return null;
}
public PermissionEntity addPermission(GroupEntity group, String userId, Permission permission) {
Permission currentUserPermission = getCurrentUserPermission(group);
if (currentUserPermission == Permission.MANAGE_MEMBERS && permission == Permission.VIEW_MEMBERS) {
// Automatically assign the VIEW_MEMBERS permission ("Add collaborator" feature)
Sonia Zorba
committed
return permissionsService.addPermission(group, userId, Permission.VIEW_MEMBERS, getCurrentUserId());
} else if (currentUserPermission == Permission.ADMIN) {
// Admin users can specify a permission
Sonia Zorba
committed
return permissionsService.addPermission(group, userId, permission, getCurrentUserId());
}
throw unauthorizedExceptionSupplier(group).get();
Sonia Zorba
committed
}
public PermissionEntity createOrUpdatePermission(GroupEntity group, String userId, Permission permission) {
verifyUserCanManagePermissions(group);
Sonia Zorba
committed
return permissionsService.createOrUpdatePermission(group, userId, permission, getCurrentUserId());
Sonia Zorba
committed
public PermissionEntity updatePermission(GroupEntity group, String userId, Permission permission) {
verifyUserCanManagePermissions(group);
Sonia Zorba
committed
return permissionsService.updatePermission(group, userId, permission, getCurrentUserId());
}
public void removePermission(GroupEntity group, String userId) {
Permission currentUserPermission = getCurrentUserPermission(group);
// For users having the MANAGE_MEMBERS permission, the VIEW_MEMBERS permission
// is automatically assigned when they add a member ("Add collaborator" feature).
// We want to keep also the reverse behavior.
if (currentUserPermission == Permission.MANAGE_MEMBERS) {
if (getUserPermission(group, userId, false) == Permission.VIEW_MEMBERS) {
permissionsService.removePermission(group, userId);
}
// If the member permission is not VIEW_MEMBERS that means that it has been
// changed by an ADMIN user, so we don't remove it.
} else if (currentUserPermission == Permission.ADMIN) {
permissionsService.removePermission(group, userId);
} else {
throw unauthorizedExceptionSupplier(group).get();
}
}
public List<PermissionEntity> findUserPermissions(GroupEntity group, String userId) {
verifyUserCanManagePermissions(group);
return permissionsService.findUserPermissions(group, userId);
}
public Permission getUserPermission(GroupEntity group, String userId) {
return getUserPermission(group, userId, true);
}
private Permission getUserPermission(GroupEntity group, String userId, boolean verify) {
if (verify) {
verifyUserCanManagePermissions(group);
}
List<PermissionEntity> permissions = permissionsService.findUserPermissions(group, userId);
return PermissionUtils.getGroupPermission(group, permissions).orElse(null);
}
private void verifyUserCanManagePermissions(GroupEntity group) {
Permission permission = getCurrentUserPermission(group);
if (permission != Permission.ADMIN) {
throw unauthorizedExceptionSupplier(group).get();
}
}
private Supplier<UnauthorizedException> unauthorizedExceptionSupplier(GroupEntity group) {
loggingDAO.logAction(ActionType.UNAUTHORIZED_ACCESS_ATTEMPT, "Unauthorized attempt to manage permissions [group_id=" + group.getId() + "]");
return () -> new UnauthorizedException("You don't have the privileges for managing the requested permission");
}
public List<PermissionEntity> getCurrentUserPermissions() {
return permissionsService.findUserPermissions(getCurrentUserId());
}
public List<PermissionEntity> getCurrentUserPermissions(GroupEntity group) {
return permissionsService.findUserPermissions(group, getCurrentUserId());
}
public Permission getCurrentUserPermission(GroupEntity group) {
List<PermissionEntity> permissions = permissionsService.findUserPermissions(group, getCurrentUserId());
return PermissionUtils.getGroupPermission(group, permissions).orElse(
GroupsService.ROOT.equals(group.getId()) ? Permission.TRAVERSE : null
);