Commit b701ffbb authored by OZGCloud's avatar OZGCloud

OZG-3570 fix role check for role hierarchy

parent 15f881d3
......@@ -61,6 +61,7 @@ public class Command {
private String vorgangId;
@JsonIgnore
private String relationId;
// FIXME refactor to string to allow new orders
private CommandOrder order;
private RedirectRequest redirectRequest;
......
......@@ -34,6 +34,7 @@ import java.util.Optional;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.representations.AccessToken;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Service;
......@@ -50,9 +51,17 @@ public class CurrentUserService {
@Autowired
private UserService userService;
@Autowired
private RoleHierarchy roleHierarchy;
public boolean hasRole(String role) {
return CurrentUserHelper.hasRole(role);
return CurrentUserHelper.hasRole(role) || hasRoleReachable(role);
}
private boolean hasRoleReachable(String role) {
var reachableRoles = roleHierarchy.getReachableGrantedAuthorities(getAuthorities());
return CurrentUserHelper.containsRole(reachableRoles, role);
}
public Collection<GrantedAuthority> getAuthorities() {
......
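Review bot: In `hasRoleReachable`, the `role` argument is matched against the authorities returned by `roleHierarchy.getReachableGrantedAuthorities(getAuthorities())`, and those carry the prefix that `UserConfiguration.addRolePrefix` builds the hierarchy with, while callers such as the new ITCase pass the bare `UserRole.VERWALTUNG_USER`; whether `CurrentUserHelper.containsRole` applies `ROLE_PREFIX` itself is not visible in this hunk, so please confirm it does, otherwise the hierarchy branch can never match and the check silently falls back to the direct-role result. `hasRole` also has no Javadoc now that it has two sources of truth; I would add `/** True if the current user holds {@code role} directly or via a role reachable through the configured RoleHierarchy. */`. `getAuthorities()` starts in the hunk but its body lies outside it.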
package de.ozgcloud.alfa.common.user;
import static de.ozgcloud.alfa.common.user.UserRole.*;
import org.apache.commons.lang3.StringUtils;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
......@@ -12,10 +14,10 @@ import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import io.grpc.Channel;
import io.grpc.ManagedChannelBuilder;
@ConditionalOnProperty(name = "grpc.client.user-manager.address")
@Configuration
class UserConfiguration {
@ConditionalOnProperty(name = "grpc.client.user-manager.address")
@Bean
Channel userManagerChannel(UserManagerClientProperties properties) {
var builder = ManagedChannelBuilder.forTarget(properties.getAddress())
......@@ -34,15 +36,18 @@ class UserConfiguration {
@Bean
static RoleHierarchy roleHierarchy() {
var hierarchy = new RoleHierarchyImpl();
hierarchy.setHierarchy(UserRole.VERWALTUNG_LOESCHEN + " > " + UserRole.VERWALTUNG_USER);
hierarchy.setHierarchy(addRolePrefix(VERWALTUNG_LOESCHEN) + " > " + addRolePrefix(VERWALTUNG_USER));
return hierarchy;
}
private static String addRolePrefix(String roleName) {
return CurrentUserHelper.ROLE_PREFIX + roleName;
}
@Bean
static MethodSecurityExpressionHandler methodSecurityExpressionHandler(RoleHierarchy roleHierarchy) {
DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
expressionHandler.setRoleHierarchy(roleHierarchy);
return expressionHandler;
}
}
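Review bot: `roleHierarchy()` encodes its only relation as a bare string with no hint of direction or of why the prefix is needed; a comment such as `// VERWALTUNG_LOESCHEN implies VERWALTUNG_USER, not the reverse; ROLE_PREFIX makes the names match the authorities CurrentUserService passes to getReachableGrantedAuthorities` would spare the next reader a lookup and make a reversed `>` visible in review. Moving `@ConditionalOnProperty` from the class to `userManagerChannel` also means `roleHierarchy` and `methodSecurityExpressionHandler` are now registered unconditionally, which the commit title does not mention; if that is the intended enabler for the autowiring in CurrentUserService, a line in the class Javadoc saying so would help.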
package de.ozgcloud.alfa.common.user;
import static org.assertj.core.api.Assertions.*;
import org.junit.jupiter.api.Nested;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.test.context.support.WithMockUser;
import de.itvsh.kop.common.test.ITCase;
@ITCase
class CurrentUserServiceITCase {
@Autowired
private CurrentUserService service;
@Nested
class TestHasRole {
@WithMockUser(roles = "VERWALTUNG_LOESCHEN")
@Test
void shouldHaveUserRole() {
var result = service.hasRole(UserRole.VERWALTUNG_USER);
assertThat(result).isTrue();
}
}
}
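Review bot: `TestHasRole` only checks that a user holding VERWALTUNG_LOESCHEN is granted the lower VERWALTUNG_USER role; nothing asserts that the relation is one-directional, so a reversed `>` in `UserConfiguration.roleHierarchy` (which would let VERWALTUNG_USER reach VERWALTUNG_LOESCHEN) would pass this suite unnoticed. A second test mocking a user with only VERWALTUNG_USER and asserting that `service.hasRole(UserRole.VERWALTUNG_LOESCHEN)` is false would pin the direction the hierarchy is meant to grant.
```java
class TestHasRole {
    // … unchanged: shouldHaveUserRole …

    @WithMockUser(roles = "VERWALTUNG_USER")
    @Test
    void shouldNotHaveLoeschenRole() {
        var result = service.hasRole(UserRole.VERWALTUNG_LOESCHEN);

        assertThat(result).isFalse();
    }
```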