From bd41a8017eb1e44a26d6072078d5869e16ccfb8b Mon Sep 17 00:00:00 2001
From: ggmaleva
Date: Fri, 5 Mar 2021 13:27:02 +0300
Subject: [PATCH] add checking role

---
 .../orgmanager/controller/OrgsController.java | 8 ++-
 .../service/ResourceAccessService.java        | 6 ++
 .../service/ResourceAccessServiceImpl.java    | 61 ++++++++++++++++++-
 3 files changed, 69 insertions(+), 6 deletions(-)

diff --git a/src/main/java/com/rbkmoney/orgmanager/controller/OrgsController.java b/src/main/java/com/rbkmoney/orgmanager/controller/OrgsController.java
index 87b8da2..23e2a8b 100644
--- a/src/main/java/com/rbkmoney/orgmanager/controller/OrgsController.java
+++ b/src/main/java/com/rbkmoney/orgmanager/controller/OrgsController.java
@@ -112,13 +112,15 @@ public class OrgsController implements OrgsApi {
         return invitationService.revoke(orgId, invitationId, inlineObject1);
     }
 
-    // TODO organization? и OrgRole в контекст
     @Override
     public ResponseEntity getOrgRole(
             String xRequestID,
             String orgId,
             RoleId roleId) {
         log.info("Get organization id: requestId={}, orgId={}, roleId={}", xRequestID, orgId, roleId);
+        MemberRole memberRole = new MemberRole();
+        memberRole.setRoleId(roleId);
+        resourceAccessService.checkRoleRights(orgId, memberRole);
         return organizationRoleService.get(orgId, roleId);
     }
 
@@ -135,7 +137,6 @@ public class OrgsController implements OrgsApi {
         return organizationService.modify(orgId, inlineObject.getName());
     }
 
-    // TODO MemberRole и OrgRole одно и тоже? organization и user и OrgRole в контекст
     @Override
     public ResponseEntity assignMemberRole(
             String xRequestID,
@@ -143,6 +144,7 @@ public class OrgsController implements OrgsApi {
             String userId,
             MemberRole body) {
         log.info("Assign member role: requestId={}, orgId={}, payload={}", xRequestID, orgId, body);
+        resourceAccessService.checkRoleRights(orgId, body);
         return organizationService.assignMemberRole(orgId, userId, body);
     }
 
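Review bot: In the assignMemberRole hunk the new check passes only orgId and the role body, so the bouncer context for granting a role to `userId` never contains the target member, while removeMemberRole in the following hunk is checked with checkMemberRoleRights(orgId, userId, memberRole). If granting is meant to be decided on the same context as revoking, the added line should read `resourceAccessService.checkMemberRoleRights(orgId, userId, body);`; if the asymmetry is deliberate, a one-line comment saying why would stop the next reader from "fixing" it. In the getOrgRole hunk the MemberRole built for the check carries only the role id and no scope, which is presumably fine for reading a role definition but deserves a comment such as `// scope is not part of a role lookup; only the role id is checked`. Whether `body.getRoleId()` is guaranteed non-null before the check depends on request validation outside this hunk; the implementation dereferences it unconditionally.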
@@ -156,7 +158,6 @@ public class OrgsController implements OrgsApi {
         return organizationService.expelOrgMember(orgId, userId);
     }
 
-    // TODO MemberRole и OrgRole одно и тоже? organization и user и OrgRole в контекст
     @Override
     public ResponseEntity removeMemberRole(
             String xRequestID,
@@ -164,6 +165,7 @@ public class OrgsController implements OrgsApi {
             String userId,
             MemberRole memberRole) {
         log.info("Expel member organization: requestId={}, orgId={}, userId={}", xRequestID, orgId, userId);
+        resourceAccessService.checkMemberRoleRights(orgId, userId, memberRole);
         return organizationService.removeMemberRole(orgId, userId, memberRole);
     }
 }
diff --git a/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessService.java b/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessService.java
index 458845d..1056807 100644
--- a/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessService.java
+++ b/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessService.java
@@ -1,5 +1,7 @@
 package com.rbkmoney.orgmanager.service;
 
+import com.rbkmoney.swag.organizations.model.MemberRole;
+
 public interface ResourceAccessService {
 
     void checkRights();
@@ -8,4 +10,8 @@ public interface ResourceAccessService {
 
     void checkMemberRights(String orgId, String memberId);
 
+    void checkRoleRights(String orgId, MemberRole memberRole);
+
+    void checkMemberRoleRights(String orgId, String memberId, MemberRole memberRole);
+
 }
diff --git a/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImpl.java b/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImpl.java
index 72249da..0790374 100644
--- a/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImpl.java
+++ b/src/main/java/com/rbkmoney/orgmanager/service/ResourceAccessServiceImpl.java
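Review bot: The two methods added to ResourceAccessService carry no Javadoc, so a controller author reading the interface cannot tell that they are no-ops when access checking is disabled and otherwise throw AccessDeniedException, which is the only part of the contract a caller has to plan for. I would document each declaration, e.g. `/** Checks that the caller may perform the current operation with {@code memberRole} in organization {@code orgId}; does nothing when access checking is disabled. @throws AccessDeniedException if the bouncer denies the operation */`, with the memberId variant stating that the target member is part of the decision. The existing declarations above them are undocumented too, but the new ones are the ones this commit owns.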
@@ -3,11 +3,15 @@ package com.rbkmoney.orgmanager.service;
 import com.rbkmoney.orgmanager.config.properties.AccessProperties;
 import com.rbkmoney.orgmanager.exception.AccessDeniedException;
 import com.rbkmoney.orgmanager.service.dto.BouncerContextDto;
+import com.rbkmoney.orgmanager.service.dto.RoleDto;
 import com.rbkmoney.orgmanager.util.StackUtils;
+import com.rbkmoney.swag.organizations.model.MemberRole;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
 
+import java.util.Objects;
+
 @Slf4j
 @Service
 @RequiredArgsConstructor
@@ -18,7 +22,7 @@ public class ResourceAccessServiceImpl implements ResourceAccessService {
 
     @Override
     public void checkRights() {
-        if (!accessProperties.getEnabled()) {
+        if (isCheckAccessDisabled()) {
             return;
         }
         String callerMethodName = StackUtils.getCallerMethodName();
@@ -32,9 +36,13 @@ public class ResourceAccessServiceImpl implements ResourceAccessService {
         }
     }
 
+    private boolean isCheckAccessDisabled() {
+        return Boolean.FALSE.equals(accessProperties.getEnabled());
+    }
+
     @Override
     public void checkOrganizationRights(String orgId) {
-        if (!accessProperties.getEnabled()) {
+        if (isCheckAccessDisabled()) {
             return;
         }
         String callerMethodName = StackUtils.getCallerMethodName();
@@ -51,7 +59,7 @@ public class ResourceAccessServiceImpl implements ResourceAccessService {
 
     @Override
     public void checkMemberRights(String orgId, String memberId) {
-        if (!accessProperties.getEnabled()) {
+        if (isCheckAccessDisabled()) {
             return;
         }
         String callerMethodName = StackUtils.getCallerMethodName();
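Review bot: isCheckAccessDisabled() in the -32 hunk treats a null `enabled` as "not disabled", so when the property is unset every check now runs, whereas the replaced `!accessProperties.getEnabled()` would have failed on unboxing (getEnabled() is presumably a Boolean, given the new Boolean.FALSE.equals). That is the right fail-closed default for an access layer, but it is easy to misread as "disabled unless configured", so I would state it on the helper: `// Unset (null) counts as enabled: checks are bypassed only on an explicit false.`. The call sites in the -18, -32 and -51 hunks all inherit this behaviour and need no comment of their own.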
@@ -67,4 +75,51 @@ public class ResourceAccessServiceImpl implements ResourceAccessService {
                     String.format("No rights to perform %s in %s with %s", callerMethodName, orgId, memberId));
         }
     }
+
+    @Override
+    public void checkRoleRights(String orgId, MemberRole memberRole) {
+        if (isCheckAccessDisabled()) {
+            return;
+        }
+        String callerMethodName = StackUtils.getCallerMethodName();
+        BouncerContextDto bouncerContext =
+                buildRoleBouncerContextDto(orgId, memberRole, callerMethodName);
+        log.info("Check the user's rights to perform the operation {} in organization {} with role {}",
+                callerMethodName, orgId, memberRole.getRoleId().getValue());
+        if (!bouncerService.havePrivileges(bouncerContext)) {
+            throw new AccessDeniedException(
+                    String.format("No rights to perform %s in %s with %s", callerMethodName, orgId,
+                            memberRole.getRoleId().getValue()));
+        }
+    }
+
+    private BouncerContextDto buildRoleBouncerContextDto(String orgId, MemberRole memberRole, String callerMethodName) {
+        RoleDto role = RoleDto.builder()
+                .roleId(memberRole.getRoleId().getValue())
+                .scopeResourceId(Objects.nonNull(memberRole.getScope()) ? memberRole.getScope().getResourceId() : null)
+                .build();
+        return BouncerContextDto.builder()
+                .operationName(callerMethodName)
+                .organizationId(orgId)
+                .role(role)
+                .build();
+    }
+
+    @Override
+    public void checkMemberRoleRights(String orgId, String memberId, MemberRole memberRole) {
+        if (isCheckAccessDisabled()) {
+            return;
+        }
+        String callerMethodName = StackUtils.getCallerMethodName();
+        BouncerContextDto bouncerContext = buildRoleBouncerContextDto(orgId, memberRole, callerMethodName);
+        bouncerContext.setMemberId(memberId);
+        log.info("Check the user's rights to perform the operation {} in organization {} with member {} role {}",
+                callerMethodName, orgId, memberId, memberRole.getRoleId().getValue());
+        if (!bouncerService.havePrivileges(bouncerContext)) {
+            throw new AccessDeniedException(
+                    String.format("No rights to perform %s in %s with %s and role %s", callerMethodName, orgId,
+                            memberId,
+                            memberRole.getRoleId().getValue()));
+        }
+    }
 }
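Review bot: Both new public checks and buildRoleBouncerContextDto call `memberRole.getRoleId().getValue()` with no null guard, so a request body without a roleId dies with a NullPointerException inside the access layer (before any decision is made) while the scope one line below is carefully null-checked. Unless request validation upstream already guarantees the id (not visible here), I would reject it explicitly at the top of each public method, `if (memberRole.getRoleId() == null) { throw new IllegalArgumentException("memberRole.roleId is required"); }`, so the failure is a client error rather than a 500 and the log line below never dereferences null. As a style point, checkMemberRoleRights mutates the freshly built DTO via setMemberId; giving buildRoleBouncerContextDto a memberId parameter (null for the role-only case) would keep the context construction in one place.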