From 9a3898a377a5bf3b7c9c722ad03ea5c4346914b6 Mon Sep 17 00:00:00 2001 From: maverickstuder Date: Mon, 22 Jan 2024 11:23:07 +0100 Subject: [PATCH 1/2] RED-5369: View dossier & access permissions are not working for dossier attributes controller * now when no permissions are given to view dossiers the endpoint to get dossier attributes returns an empty list instead of a 403 access denied --- .../impl/controller/DossierAttributesController.java | 8 ++++++-- .../v1/processor/acl/ACLBeanConfiguration.java | 12 +++++++++--- .../v1/processor/service/AccessControlService.java | 7 +++++++ 3 files changed, 22 insertions(+), 5 deletions(-) diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java index c1010dda4..501048fb8 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java @@ -6,6 +6,7 @@ import static com.iqser.red.service.persistence.management.v1.processor.roles.Ac import static com.iqser.red.service.persistence.management.v1.processor.roles.ActionRoles.WRITE_DOSSIER_ATTRIBUTES_CONFIG; import static com.iqser.red.service.persistence.management.v1.processor.roles.ActionRoles.WRITE_FILE_ATTRIBUTES; +import java.util.Collections; import java.util.List; import java.util.Map; @@ -146,10 +147,13 @@ public class DossierAttributesController implements DossierAttributesResource { } - @PreAuthorize("hasAuthority('" + READ_DOSSIER_ATTRIBUTES + "') && hasPermission(#dossierId, 'Dossier', 'VIEW_OBJECT')") + @PreAuthorize("hasAuthority('" + READ_DOSSIER_ATTRIBUTES + "')") public DossierAttributes getDossierAttributes(String dossierId) { - var result = dossierAttributesManagementService.getDossierAttributes(dossierId); + List result = Collections.emptyList(); + if (accessControlService.hasUserViewPermissionsForDossier(dossierId)) { + result = dossierAttributesManagementService.getDossierAttributes(dossierId); + } auditPersistenceService.insertRecord(AuditRequest.builder() .userId(KeycloakSecurity.getUserId()) .objectId(dossierId) diff --git a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/acl/ACLBeanConfiguration.java b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/acl/ACLBeanConfiguration.java index 93c32eff3..b0364f7ad 100644 --- a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/acl/ACLBeanConfiguration.java +++ b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/acl/ACLBeanConfiguration.java @@ -76,14 +76,20 @@ public class ACLBeanConfiguration { } + @Bean + public AclPermissionEvaluator defaultACLPermissionEvaluator() { + return new AclPermissionEvaluator(aclService()); + } + @Bean @Primary public MethodSecurityExpressionHandler defaultMethodSecurityExpressionHandler() { DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler(); - AclPermissionEvaluator permissionEvaluator = new AclPermissionEvaluator(aclService()); - permissionEvaluator.setPermissionFactory(permissionFactory()); - expressionHandler.setPermissionEvaluator(permissionEvaluator); + + AclPermissionEvaluator aclPermissionEvaluator = defaultACLPermissionEvaluator(); + aclPermissionEvaluator.setPermissionFactory(permissionFactory()); + expressionHandler.setPermissionEvaluator(aclPermissionEvaluator); var permissionCacheOptimizer = new AclPermissionCacheOptimizer(aclService()); permissionCacheOptimizer.setObjectIdentityRetrievalStrategy(new RedObjectIdentityRetrievalStrategy()); diff --git a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java index 5a1ff5859..4be6329ee 100644 --- a/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java +++ b/persistence-service-v1/persistence-service-processor-v1/src/main/java/com/iqser/red/service/persistence/management/v1/processor/service/AccessControlService.java @@ -2,6 +2,8 @@ package com.iqser.red.service.persistence.management.v1.processor.service; import org.springframework.http.HttpStatus; import org.springframework.security.access.prepost.PostAuthorize; +import org.springframework.security.acls.AclPermissionEvaluator; +import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.stereotype.Service; import com.iqser.red.service.persistence.management.v1.processor.acl.custom.dossier.DossierACLService; @@ -23,6 +25,7 @@ public class AccessControlService { private final FileStatusManagementService fileStatusManagementService; private final DossierManagementService dossierManagementService; private final DossierACLService dossierACLService; + private final AclPermissionEvaluator aclPermissionEvaluator; public void verifyUserIsReviewer(String dossierId, String fileId) { @@ -122,6 +125,10 @@ public class AccessControlService { } + public boolean hasUserViewPermissionsForDossier(String dossierId) { + return aclPermissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), dossierId, "Dossier", "VIEW_OBJECT"); + } + public void verifyFileIsNotApproved(String dossierId, String fileId) { -- 2.47.2 From 56dcd421a9dac08e077424b1f25467941dbfc24c Mon Sep 17 00:00:00 2001 From: maverickstuder Date: Mon, 22 Jan 2024 12:34:02 +0100 Subject: [PATCH 2/2] RED-5369: View dossier & access permissions are not working for dossier attributes controller * now when no permissions are given to view dossiers the endpoint to get dossier attributes returns an empty list instead of a 403 access denied --- .../api/impl/controller/DossierAttributesController.java | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java index 501048fb8..6e0428ac8 100644 --- a/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java +++ b/persistence-service-v1/persistence-service-external-api-impl-v1/src/main/java/com/iqser/red/persistence/service/v1/external/api/impl/controller/DossierAttributesController.java @@ -16,6 +16,7 @@ import org.springframework.web.bind.annotation.RequestBody; import org.springframework.web.bind.annotation.RequestParam; import org.springframework.web.bind.annotation.RestController; +import com.iqser.red.service.persistence.management.v1.processor.service.persistence.DossierPersistenceService; import com.knecon.fforesight.keycloakcommons.security.KeycloakSecurity; import com.iqser.red.service.persistence.management.v1.processor.entity.dossier.DossierAttributeConfigEntity; import com.iqser.red.service.persistence.management.v1.processor.service.AccessControlService; @@ -37,6 +38,7 @@ import lombok.RequiredArgsConstructor; @RequiredArgsConstructor public class DossierAttributesController implements DossierAttributesResource { + private final DossierPersistenceService dossierPersistenceService; private final DossierAttributeConfigPersistenceService dossierAttributeConfigPersistenceService; private final AuditPersistenceService auditPersistenceService; private final DossierAttributesManagementService dossierAttributesManagementService; @@ -150,6 +152,9 @@ public class DossierAttributesController implements DossierAttributesResource { @PreAuthorize("hasAuthority('" + READ_DOSSIER_ATTRIBUTES + "')") public DossierAttributes getDossierAttributes(String dossierId) { + //check if dossier exists before verifying permissions + dossierPersistenceService.findByDossierId(dossierId); + List result = Collections.emptyList(); if (accessControlService.hasUserViewPermissionsForDossier(dossierId)) { result = dossierAttributesManagementService.getDossierAttributes(dossierId); -- 2.47.2