add checking role

2024-11-06 00:15:23 +00:00 · 2021-03-05 13:27:02 +03:00 · 2021-03-05 13:27:02 +03:00 · bd41a8017e
commit bd41a8017e
parent 69f37c1fa4
3 changed files with 69 additions and 6 deletions
--- a/src/main/java/com/rbkmoney/orgmanager/controller/OrgsController.java
+++ b/src/main/java/com/rbkmoney/orgmanager/controller/OrgsController.java
@ -112,13 +112,15 @@ public class OrgsController implements OrgsApi {
        return invitationService.revoke(orgId, invitationId, inlineObject1);
    }

-    // TODO organization? и OrgRole в контекст
    @Override
    public ResponseEntity<Role> getOrgRole(
            String xRequestID,
            String orgId,
            RoleId roleId) {
        log.info("Get organization id: requestId={}, orgId={}, roleId={}", xRequestID, orgId, roleId);
+        MemberRole memberRole = new MemberRole();
+        memberRole.setRoleId(roleId);
+        resourceAccessService.checkRoleRights(orgId, memberRole);
        return organizationRoleService.get(orgId, roleId);
    }

@ -135,7 +137,6 @@ public class OrgsController implements OrgsApi {
        return organizationService.modify(orgId, inlineObject.getName());
    }

-    // TODO  MemberRole и OrgRole одно и тоже? organization и user и OrgRole в контекст
    @Override
    public ResponseEntity<Void> assignMemberRole(
            String xRequestID,
@ -143,6 +144,7 @@ public class OrgsController implements OrgsApi {
            String userId,
            MemberRole body) {
        log.info("Assign member role: requestId={}, orgId={}, payload={}", xRequestID, orgId, body);
+        resourceAccessService.checkRoleRights(orgId, body);
        return organizationService.assignMemberRole(orgId, userId, body);
    }

@ -156,7 +158,6 @@ public class OrgsController implements OrgsApi {
        return organizationService.expelOrgMember(orgId, userId);
    }

-    // TODO  MemberRole и OrgRole одно и тоже? organization и user и OrgRole в контекст
    @Override
    public ResponseEntity<Void> removeMemberRole(
            String xRequestID,
@ -164,6 +165,7 @@ public class OrgsController implements OrgsApi {
            String userId,
            MemberRole memberRole) {
        log.info("Expel member organization: requestId={}, orgId={}, userId={}", xRequestID, orgId, userId);
+        resourceAccessService.checkMemberRoleRights(orgId, userId, memberRole);
        return organizationService.removeMemberRole(orgId, userId, memberRole);
    }
 }
--- a/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessService.java
+++ b/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessService.java
@ -1,5 +1,7 @@
 package com.rbkmoney.orgmanager.service;

+import com.rbkmoney.swag.organizations.model.MemberRole;
+
 public interface ResourceAccessService {

    void checkRights();
@ -8,4 +10,8 @@ public interface ResourceAccessService {

    void checkMemberRights(String orgId, String memberId);

+    void checkRoleRights(String orgId, MemberRole memberRole);
+
+    void checkMemberRoleRights(String orgId, String memberId, MemberRole memberRole);
+
 }
--- a/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImpl.java
+++ b/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImpl.java
@ -3,11 +3,15 @@ package com.rbkmoney.orgmanager.service;
 import com.rbkmoney.orgmanager.config.properties.AccessProperties;
 import com.rbkmoney.orgmanager.exception.AccessDeniedException;
 import com.rbkmoney.orgmanager.service.dto.BouncerContextDto;
+import com.rbkmoney.orgmanager.service.dto.RoleDto;
 import com.rbkmoney.orgmanager.util.StackUtils;
+import com.rbkmoney.swag.organizations.model.MemberRole;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;

+import java.util.Objects;
+
@Slf4j
@Service
@RequiredArgsConstructor
@ -18,7 +22,7 @@ public class ResourceAccessServiceImpl implements ResourceAccessService {

    @Override
    public void checkRights() {
-        if (!accessProperties.getEnabled()) {
+        if (isCheckAccessDisabled()) {
            return;
        }
        String callerMethodName = StackUtils.getCallerMethodName();
@ -32,9 +36,13 @@ public class ResourceAccessServiceImpl implements ResourceAccessService {
        }
    }

+    private boolean isCheckAccessDisabled() {
+        return Boolean.FALSE.equals(accessProperties.getEnabled());
+    }
+
    @Override
    public void checkOrganizationRights(String orgId) {
-        if (!accessProperties.getEnabled()) {
+        if (isCheckAccessDisabled()) {
            return;
        }
        String callerMethodName = StackUtils.getCallerMethodName();
@ -51,7 +59,7 @@ public class ResourceAccessServiceImpl implements ResourceAccessService {

    @Override
    public void checkMemberRights(String orgId, String memberId) {
-        if (!accessProperties.getEnabled()) {
+        if (isCheckAccessDisabled()) {
            return;
        }
        String callerMethodName = StackUtils.getCallerMethodName();
@ -67,4 +75,51 @@ public class ResourceAccessServiceImpl implements ResourceAccessService {
                    String.format("No rights to perform %s in %s with %s", callerMethodName, orgId, memberId));
        }
    }
+
+    @Override
+    public void checkRoleRights(String orgId, MemberRole memberRole) {
+        if (isCheckAccessDisabled()) {
+            return;
+        }
+        String callerMethodName = StackUtils.getCallerMethodName();
+        BouncerContextDto bouncerContext =
+                buildRoleBouncerContextDto(orgId, memberRole, callerMethodName);
+        log.info("Check the user's rights to perform the operation {} in organization {} with role {}",
+                callerMethodName, orgId, memberRole.getRoleId().getValue());
+        if (!bouncerService.havePrivileges(bouncerContext)) {
+            throw new AccessDeniedException(
+                    String.format("No rights to perform %s in %s with %s", callerMethodName, orgId,
+                            memberRole.getRoleId().getValue()));
+        }
+    }
+
+    private BouncerContextDto buildRoleBouncerContextDto(String orgId, MemberRole memberRole, String callerMethodName) {
+        RoleDto role = RoleDto.builder()
+                .roleId(memberRole.getRoleId().getValue())
+                .scopeResourceId(Objects.nonNull(memberRole.getScope()) ? memberRole.getScope().getResourceId() : null)
+                .build();
+        return BouncerContextDto.builder()
+                .operationName(callerMethodName)
+                .organizationId(orgId)
+                .role(role)
+                .build();
+    }
+
+    @Override
+    public void checkMemberRoleRights(String orgId, String memberId, MemberRole memberRole) {
+        if (isCheckAccessDisabled()) {
+            return;
+        }
+        String callerMethodName = StackUtils.getCallerMethodName();
+        BouncerContextDto bouncerContext = buildRoleBouncerContextDto(orgId, memberRole, callerMethodName);
+        bouncerContext.setMemberId(memberId);
+        log.info("Check the user's rights to perform the operation {} in organization {} with member {} role {}",
+                callerMethodName, orgId, memberId, memberRole.getRoleId().getValue());
+        if (!bouncerService.havePrivileges(bouncerContext)) {
+            throw new AccessDeniedException(
+                    String.format("No rights to perform %s in %s with %s and role %s", callerMethodName, orgId,
+                            memberId,
+                            memberRole.getRoleId().getValue()));
+        }
+    }
 }