Apply role hierarchy in hasPermission checks (#1675)
Signed-off-by: Marinov Avgustin <Avgustin.Marinov@bosch.com>
This commit is contained in:
@@ -12,6 +12,7 @@ package org.eclipse.hawkbit.security;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.UUID;
|
||||
import java.util.concurrent.Callable;
|
||||
|
||||
@@ -22,6 +23,7 @@ import lombok.extern.slf4j.Slf4j;
|
||||
import org.eclipse.hawkbit.im.authentication.TenantAwareAuthenticationDetails;
|
||||
import org.eclipse.hawkbit.im.authentication.SpPermission.SpringEvalExpressions;
|
||||
import org.eclipse.hawkbit.tenancy.TenantAware;
|
||||
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
|
||||
import org.springframework.security.authentication.AnonymousAuthenticationToken;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.GrantedAuthority;
|
||||
@@ -29,6 +31,7 @@ import org.springframework.security.core.authority.SimpleGrantedAuthority;
|
||||
import org.springframework.security.core.context.SecurityContext;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.core.context.SecurityContextImpl;
|
||||
import org.springframework.util.ObjectUtils;
|
||||
|
||||
/**
|
||||
* A Service which provide to run system code.
|
||||
@@ -37,15 +40,26 @@ import org.springframework.security.core.context.SecurityContextImpl;
|
||||
public class SystemSecurityContext {
|
||||
|
||||
private final TenantAware tenantAware;
|
||||
private final RoleHierarchy roleHierarchy;
|
||||
|
||||
/**
|
||||
* Autowired constructor.
|
||||
*
|
||||
* @param tenantAware
|
||||
* the tenant aware bean to retrieve the current tenant
|
||||
* @param tenantAware the tenant aware bean to retrieve the current tenant
|
||||
*/
|
||||
public SystemSecurityContext(final TenantAware tenantAware) {
|
||||
this(tenantAware, null);
|
||||
}
|
||||
|
||||
/**
|
||||
* Autowired constructor.
|
||||
*
|
||||
* @param tenantAware the tenant aware bean to retrieve the current tenant
|
||||
* @param roleHierarchy the roleHierarchy that is applied
|
||||
*/
|
||||
public SystemSecurityContext(final TenantAware tenantAware, final RoleHierarchy roleHierarchy) {
|
||||
this.tenantAware = tenantAware;
|
||||
this.roleHierarchy = roleHierarchy;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -160,6 +174,27 @@ public class SystemSecurityContext {
|
||||
return SecurityContextHolder.getContext().getAuthentication() instanceof SystemCodeAuthentication;
|
||||
}
|
||||
|
||||
public boolean hasPermission(final String permission) {
|
||||
final SecurityContext context = SecurityContextHolder.getContext();
|
||||
if (context != null) {
|
||||
final Authentication authentication = context.getAuthentication();
|
||||
if (authentication != null) {
|
||||
Collection<? extends GrantedAuthority> grantedAuthorities = authentication.getAuthorities();
|
||||
if (!ObjectUtils.isEmpty(grantedAuthorities)) {
|
||||
if (roleHierarchy != null) {
|
||||
grantedAuthorities = roleHierarchy.getReachableGrantedAuthorities(grantedAuthorities);
|
||||
}
|
||||
for (final GrantedAuthority authority : grantedAuthorities) {
|
||||
if (authority.getAuthority().equals(permission)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
private void setCustomSecurityContext(final String tenantId, final Object principal,
|
||||
final Collection<? extends GrantedAuthority> authorities) {
|
||||
final AnonymousAuthenticationToken authenticationToken = new AnonymousAuthenticationToken(
|
||||
|
||||
Reference in New Issue
Block a user