diff options
Diffstat (limited to 'src/main/java/dev/dnpm/oshelper/security')
13 files changed, 791 insertions, 0 deletions
diff --git a/src/main/java/dev/dnpm/oshelper/security/AbstractDelegatedPermissionEvaluator.java b/src/main/java/dev/dnpm/oshelper/security/AbstractDelegatedPermissionEvaluator.java new file mode 100644 index 0000000..99c3267 --- /dev/null +++ b/src/main/java/dev/dnpm/oshelper/security/AbstractDelegatedPermissionEvaluator.java @@ -0,0 +1,47 @@ +/* + * This file is part of onkostar-plugin-dnpm + * + * Copyright (c) 2025 the original author or authors. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +package dev.dnpm.oshelper.security; + +import de.itc.onkostar.api.IOnkostarApi; +import de.itc.onkostar.api.Patient; +import de.itc.onkostar.api.Procedure; +import org.springframework.security.access.PermissionEvaluator; + +public abstract class AbstractDelegatedPermissionEvaluator implements PermissionEvaluator { + + protected static final String PATIENT = Patient.class.getSimpleName(); + + protected static final String PROCEDURE = Procedure.class.getSimpleName(); + + protected final IOnkostarApi onkostarApi; + + protected final SecurityService securityService; + + protected AbstractDelegatedPermissionEvaluator(final IOnkostarApi onkostarApi, final SecurityService securityService) { + this.onkostarApi = onkostarApi; + this.securityService = securityService; + } + +} diff --git a/src/main/java/dev/dnpm/oshelper/security/DelegatingDataBasedPermissionEvaluator.java b/src/main/java/dev/dnpm/oshelper/security/DelegatingDataBasedPermissionEvaluator.java new file mode 100644 index 0000000..fcc5f05 --- /dev/null +++ b/src/main/java/dev/dnpm/oshelper/security/DelegatingDataBasedPermissionEvaluator.java @@ -0,0 +1,80 @@ +/* + * This file is part of onkostar-plugin-dnpm + * + * Copyright (c) 2025 the original author or authors. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +package dev.dnpm.oshelper.security; + +import org.springframework.security.access.PermissionEvaluator; +import org.springframework.security.core.Authentication; +import org.springframework.stereotype.Component; + +import java.io.Serializable; +import java.util.List; + +/** + * PermissionEvaluator zur Gesamtprüfung der Zugriffsberechtigung. + * Die konkrete Berechtigungsprüfung wird an die nachgelagerten PermissionEvaluatoren delegiert, + * welche jeweils einzeln dem Zugriff zustimmen müssen. + */ +@Component +public class DelegatingDataBasedPermissionEvaluator implements PermissionEvaluator { + + private final List<AbstractDelegatedPermissionEvaluator> permissionEvaluators; + + public DelegatingDataBasedPermissionEvaluator(final List<AbstractDelegatedPermissionEvaluator> permissionEvaluators) { + this.permissionEvaluators = permissionEvaluators; + } + + /** + * Auswertung der Zugriffsberechtigung für authentifizierten Benutzer auf Zielobjekt mit angeforderter Berechtigung. + * Hierbei wird die Berechtigungsprüfung an alle nachgelagerten PermissionEvaluatoren delegiert. + * Alle müssen dem Zugriff zustimmen. + * + * @param authentication Das Authentication Objekt + * @param targetObject Das Zielobjekt + * @param permissionType Die angeforderte Berechtigung + * @return Gibt <code>true</code> zurück, wenn der Benutzer die Berechtigung hat + */ + @Override + public boolean hasPermission(Authentication authentication, Object targetObject, Object permissionType) { + return permissionEvaluators.stream() + .allMatch(permissionEvaluator -> permissionEvaluator.hasPermission(authentication, targetObject, permissionType)); + } + + /** + * Auswertung anhand der ID und des Namens des Zielobjekts. + * Hierbei wird die Berechtigungsprüfung an alle nachgelagerten PermissionEvaluatoren delegiert. + * Alle müssen dem Zugriff zustimmen. + * + * @param authentication Authentication-Object + * @param targetId ID des Objekts + * @param targetType Name der Zielobjektklasse + * @param permissionType Die angeforderte Berechtigung + * @return Gibt <code>true</code> zurück, wenn der Benutzer die Berechtigung hat + */ + @Override + public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permissionType) { + return permissionEvaluators.stream() + .allMatch(permissionEvaluator -> permissionEvaluator.hasPermission(authentication, targetId, targetType, permissionType)); + } +} diff --git a/src/main/java/dev/dnpm/oshelper/security/FormBasedPermissionEvaluator.java b/src/main/java/dev/dnpm/oshelper/security/FormBasedPermissionEvaluator.java new file mode 100644 index 0000000..0de6ff5 --- /dev/null +++ b/src/main/java/dev/dnpm/oshelper/security/FormBasedPermissionEvaluator.java @@ -0,0 +1,83 @@ +/* + * This file is part of onkostar-plugin-dnpm + * + * Copyright (c) 2025 the original author or authors. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +package dev.dnpm.oshelper.security; + +import de.itc.onkostar.api.IOnkostarApi; +import de.itc.onkostar.api.Procedure; +import org.springframework.security.core.Authentication; +import org.springframework.stereotype.Component; + +import java.io.Serializable; + +/** + * Permission-Evaluator zur Auswertung der Berechtigung auf Objekte aufgrund der Formularberechtigung + */ +@Component +public class FormBasedPermissionEvaluator extends AbstractDelegatedPermissionEvaluator { + + public FormBasedPermissionEvaluator(final IOnkostarApi onkostarApi, final SecurityService securityService) { + super(onkostarApi, securityService); + } + + /** + * Auswertung der Zugriffsberechtigung für authentifizierten Benutzer auf Zielobjekt mit angeforderter Berechtigung. + * Zugriff auf Objekte vom Typ "Patient" wird immer gewährt. + * + * @param authentication Das Authentication Objekt + * @param targetObject Das Zielobjekt + * @param permissionType Die angeforderte Berechtigung + * @return Gibt <code>true</code> zurück, wenn der Benutzer die Berechtigung hat + */ + @Override + public boolean hasPermission(Authentication authentication, Object targetObject, Object permissionType) { + if (permissionType instanceof PermissionType && targetObject instanceof Procedure) { + return this.securityService.getFormNamesForPermission(authentication, (PermissionType)permissionType) + .contains(((Procedure)targetObject).getFormName()); + } + return true; + } + + /** + * Auswertung anhand der ID und des Namens des Zielobjekts. + * Zugriff auf Objekte vom Typ "Patient" wird immer gewährt. + * + * @param authentication Authentication-Object + * @param targetId ID des Objekts + * @param targetType Name der Zielobjektklasse + * @param permissionType Die angeforderte Berechtigung + * @return Gibt <code>true</code> zurück, wenn der Benutzer die Berechtigung hat + */ + @Override + public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permissionType) { + if (permissionType instanceof PermissionType && targetId instanceof Integer && PROCEDURE.equals(targetType)) { + var procedure = this.onkostarApi.getProcedure((int)targetId); + if (null != procedure) { + return this.securityService.getFormNamesForPermission(authentication, (PermissionType) permissionType).contains(procedure.getFormName()); + } + } + return true; + } + +} diff --git a/src/main/java/dev/dnpm/oshelper/security/FormBasedSecurityAspects.java b/src/main/java/dev/dnpm/oshelper/security/FormBasedSecurityAspects.java new file mode 100644 index 0000000..36f63f8 --- /dev/null +++ b/src/main/java/dev/dnpm/oshelper/security/FormBasedSecurityAspects.java @@ -0,0 +1,75 @@ +/* + * This file is part of onkostar-plugin-dnpm + * + * Copyright (c) 2025 the original author or authors. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +package dev.dnpm.oshelper.security; + +import de.itc.onkostar.api.Procedure; +import org.aspectj.lang.JoinPoint; +import org.aspectj.lang.annotation.AfterReturning; +import org.aspectj.lang.annotation.Aspect; +import org.aspectj.lang.annotation.Before; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.core.context.SecurityContextHolder; + +import java.util.Arrays; + +// TODO Disabled for now - check bytecode reported incompatibility for older OS installations +//@Component +@Aspect +public class FormBasedSecurityAspects { + + private final Logger logger = LoggerFactory.getLogger(this.getClass()); + + private final FormBasedPermissionEvaluator permissionEvaluator; + + public FormBasedSecurityAspects( + final FormBasedPermissionEvaluator permissionEvaluator + ) { + this.permissionEvaluator = permissionEvaluator; + } + + @AfterReturning(value = "@annotation(dev.dnpm.oshelper.security.FormSecuredResult)", returning = "procedure") + public void afterProcedureFormBased(Procedure procedure) { + if ( + null != procedure + && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE) + ) { + logger.warn("Rückgabe von Prozedur blockiert: {}", procedure.getId()); + throw new IllegalSecuredObjectAccessException(); + } + } + + @Before(value = "@annotation(dev.dnpm.oshelper.security.FormSecured)") + public void beforeProcedureFormBased(JoinPoint jp) { + Arrays.stream(jp.getArgs()) + .filter(arg -> arg instanceof Procedure) + .forEach(procedure -> { + if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)) { + logger.warn("Zugriff auf Prozedur blockiert: {}", ((Procedure)procedure).getId()); + throw new IllegalSecuredObjectAccessException(); + } + }); + } +} diff --git a/src/main/java/dev/dnpm/oshelper/security/FormSecured.java b/src/main/java/dev/dnpm/oshelper/security/FormSecured.java new file mode 100644 index 0000000..560e674 --- /dev/null +++ b/src/main/java/dev/dnpm/oshelper/security/FormSecured.java @@ -0,0 +1,38 @@ +/* + * This file is part of onkostar-plugin-dnpm + * + * Copyright (c) 2025 the original author or authors. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +package dev.dnpm.oshelper.security; + +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +@Retention(RetentionPolicy.RUNTIME) +@Target(ElementType.METHOD) +public @interface FormSecured { + + PermissionType value() default PermissionType.READ_WRITE; + +} diff --git a/src/main/java/dev/dnpm/oshelper/security/FormSecuredResult.java b/src/main/java/dev/dnpm/oshelper/security/FormSecuredResult.java new file mode 100644 index 0000000..94680e8 --- /dev/null +++ b/src/main/java/dev/dnpm/oshelper/security/FormSecuredResult.java @@ -0,0 +1,38 @@ +/* + * This file is part of onkostar-plugin-dnpm + * + * Copyright (c) 2025 the original author or authors. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +package dev.dnpm.oshelper.security; + +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +@Retention(RetentionPolicy.RUNTIME) +@Target(ElementType.METHOD) +public @interface FormSecuredResult { + + PermissionType value() default PermissionType.READ_WRITE; + +} diff --git a/src/main/java/dev/dnpm/oshelper/security/IllegalSecuredObjectAccessException.java b/src/main/java/dev/dnpm/oshelper/security/IllegalSecuredObjectAccessException.java new file mode 100644 index 0000000..92caf46 --- /dev/null +++ b/src/main/java/dev/dnpm/oshelper/security/IllegalSecuredObjectAccessException.java @@ -0,0 +1,37 @@ +/* + * This file is part of onkostar-plugin-dnpm + * + * Copyright (c) 2025 the original author or authors. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +package dev.dnpm.oshelper.security; + +public class IllegalSecuredObjectAccessException extends RuntimeException { + + public IllegalSecuredObjectAccessException() { + super(); + } + + public IllegalSecuredObjectAccessException(String message) { + super(message); + } + +} diff --git a/src/main/java/dev/dnpm/oshelper/security/PermissionType.java b/src/main/java/dev/dnpm/oshelper/security/PermissionType.java new file mode 100644 index 0000000..a28dd45 --- /dev/null +++ b/src/main/java/dev/dnpm/oshelper/security/PermissionType.java @@ -0,0 +1,30 @@ +/* + * This file is part of onkostar-plugin-dnpm + * + * Copyright (c) 2025 the original author or authors. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +package dev.dnpm.oshelper.security; + +public enum PermissionType { + READ, + READ_WRITE +} diff --git a/src/main/java/dev/dnpm/oshelper/security/PersonPoolBasedPermissionEvaluator.java b/src/main/java/dev/dnpm/oshelper/security/PersonPoolBasedPermissionEvaluator.java new file mode 100644 index 0000000..f715a36 --- /dev/null +++ b/src/main/java/dev/dnpm/oshelper/security/PersonPoolBasedPermissionEvaluator.java @@ -0,0 +1,105 @@ +/* + * This file is part of onkostar-plugin-dnpm + * + * Copyright (c) 2025 the original author or authors. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +package dev.dnpm.oshelper.security; + +import de.itc.onkostar.api.IOnkostarApi; +import de.itc.onkostar.api.Patient; +import de.itc.onkostar.api.Procedure; +import org.springframework.security.core.Authentication; +import org.springframework.stereotype.Component; + +import java.io.Serializable; + +/** + * Permission-Evaluator zur Auswertung der Berechtigung auf Objekte aufgrund der Personenstammberechtigung + */ +@Component +public class PersonPoolBasedPermissionEvaluator extends AbstractDelegatedPermissionEvaluator { + + public PersonPoolBasedPermissionEvaluator(final IOnkostarApi onkostarApi, final SecurityService securityService) { + super(onkostarApi, securityService); + } + + /** + * Auswertung der Zugriffsberechtigung für authentifizierten Benutzer auf Zielobjekt mit angeforderter Berechtigung. + * @param authentication Das Authentication Objekt + * @param targetObject Das Zielobjekt + * @param permissionType Die angeforderte Berechtigung + * @return Gibt <code>true</code> zurück, wenn der Benutzer die Berechtigung hat + */ + @Override + public boolean hasPermission(Authentication authentication, Object targetObject, Object permissionType) { + if (permissionType instanceof PermissionType) { + if (targetObject instanceof Patient) { + return this.securityService.getPersonPoolIdsForPermission(authentication, (PermissionType)permissionType) + .contains(((Patient)targetObject).getPersonPoolCode()); + } else if (targetObject instanceof Procedure) { + return this.securityService.getPersonPoolIdsForPermission(authentication, (PermissionType)permissionType) + .contains(((Procedure)targetObject).getPatient().getPersonPoolCode()); + } + } + return false; + } + + /** + * Auswertung anhand der ID und des Namens des Zielobjekts. + * @param authentication Authentication-Object + * @param targetId ID des Objekts + * @param targetType Name der Zielobjektklasse + * @param permissionType Die angeforderte Berechtigung + * @return Gibt <code>true</code> zurück, wenn der Benutzer die Berechtigung hat + */ + @Override + public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permissionType) { + if (targetId instanceof Integer && permissionType instanceof PermissionType) { + var personPoolCode = getPersonPoolCode((int)targetId, targetType); + if (null != personPoolCode) { + return this.securityService.getPersonPoolIdsForPermission(authentication, (PermissionType) permissionType).contains(personPoolCode); + } + } + return false; + } + + private String getPersonPoolCode(int id, String type) { + Patient patient = null; + + if (PATIENT.equals(type)) { + patient = onkostarApi.getPatient(id); + } else if (PROCEDURE.equals(type)) { + var procedure = onkostarApi.getProcedure(id); + if (null != procedure) { + patient = procedure.getPatient(); + } + } + + if (null != patient) { + return patient.getPersonPoolCode(); + } + + return null; + } + + +} diff --git a/src/main/java/dev/dnpm/oshelper/security/PersonPoolBasedSecurityAspects.java b/src/main/java/dev/dnpm/oshelper/security/PersonPoolBasedSecurityAspects.java new file mode 100644 index 0000000..fdf5a92 --- /dev/null +++ b/src/main/java/dev/dnpm/oshelper/security/PersonPoolBasedSecurityAspects.java @@ -0,0 +1,98 @@ +/* + * This file is part of onkostar-plugin-dnpm + * + * Copyright (c) 2025 the original author or authors. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +package dev.dnpm.oshelper.security; + +import de.itc.onkostar.api.Patient; +import de.itc.onkostar.api.Procedure; +import org.aspectj.lang.JoinPoint; +import org.aspectj.lang.annotation.AfterReturning; +import org.aspectj.lang.annotation.Aspect; +import org.aspectj.lang.annotation.Before; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.stereotype.Component; + +import java.util.Arrays; + +@Component +@Aspect +public class PersonPoolBasedSecurityAspects { + + private final Logger logger = LoggerFactory.getLogger(this.getClass()); + + private final PersonPoolBasedPermissionEvaluator permissionEvaluator; + + public PersonPoolBasedSecurityAspects(PersonPoolBasedPermissionEvaluator permissionEvaluator) { + this.permissionEvaluator = permissionEvaluator; + } + + @AfterReturning(value = "@annotation(dev.dnpm.oshelper.security.PersonPoolSecuredResult) ", returning = "patient") + public void afterPatient(Patient patient) { + if ( + null != patient + && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), patient, PermissionType.READ_WRITE) + ) { + logger.warn("Rückgabe von Patient blockiert: {}", patient.getId()); + throw new IllegalSecuredObjectAccessException(); + } + } + + @AfterReturning(value = "@annotation(dev.dnpm.oshelper.security.PersonPoolSecuredResult)", returning = "procedure") + public void afterProcedure(Procedure procedure) { + if ( + null != procedure + && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE) + ) { + logger.warn("Rückgabe von Prozedur blockiert: {}", procedure.getId()); + throw new IllegalSecuredObjectAccessException(); + } + } + + @Before(value = "@annotation(dev.dnpm.oshelper.security.PersonPoolSecured)") + public void beforePatient(JoinPoint jp) { + Arrays.stream(jp.getArgs()) + .filter(arg -> arg instanceof Patient) + .forEach(patient -> { + if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), patient, PermissionType.READ_WRITE)) { + logger.warn("Zugriff auf Patient blockiert: {}", ((Patient)patient).getId()); + throw new IllegalSecuredObjectAccessException(); + } + }); + } + + @Before(value = "@annotation(dev.dnpm.oshelper.security.PersonPoolSecured)") + public void beforeProcedure(JoinPoint jp) { + Arrays.stream(jp.getArgs()) + .filter(arg -> arg instanceof Procedure) + .forEach(procedure -> { + if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)) { + logger.warn("Zugriff auf Prozedur blockiert: {}", ((Procedure)procedure).getId()); + throw new IllegalSecuredObjectAccessException(); + } + }); + } + +} diff --git a/src/main/java/dev/dnpm/oshelper/security/PersonPoolSecured.java b/src/main/java/dev/dnpm/oshelper/security/PersonPoolSecured.java new file mode 100644 index 0000000..c1dad0c --- /dev/null +++ b/src/main/java/dev/dnpm/oshelper/security/PersonPoolSecured.java @@ -0,0 +1,38 @@ +/* + * This file is part of onkostar-plugin-dnpm + * + * Copyright (c) 2025 the original author or authors. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +package dev.dnpm.oshelper.security; + +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +@Retention(RetentionPolicy.RUNTIME) +@Target(ElementType.METHOD) +public @interface PersonPoolSecured { + + PermissionType value() default PermissionType.READ_WRITE; + +} diff --git a/src/main/java/dev/dnpm/oshelper/security/PersonPoolSecuredResult.java b/src/main/java/dev/dnpm/oshelper/security/PersonPoolSecuredResult.java new file mode 100644 index 0000000..5d4bdf7 --- /dev/null +++ b/src/main/java/dev/dnpm/oshelper/security/PersonPoolSecuredResult.java @@ -0,0 +1,38 @@ +/* + * This file is part of onkostar-plugin-dnpm + * + * Copyright (c) 2025 the original author or authors. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +package dev.dnpm.oshelper.security; + +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +@Retention(RetentionPolicy.RUNTIME) +@Target(ElementType.METHOD) +public @interface PersonPoolSecuredResult { + + PermissionType value() default PermissionType.READ_WRITE; + +} diff --git a/src/main/java/dev/dnpm/oshelper/security/SecurityService.java b/src/main/java/dev/dnpm/oshelper/security/SecurityService.java new file mode 100644 index 0000000..8d952ea --- /dev/null +++ b/src/main/java/dev/dnpm/oshelper/security/SecurityService.java @@ -0,0 +1,84 @@ +/* + * This file is part of onkostar-plugin-dnpm + * + * Copyright (c) 2025 the original author or authors. + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all + * copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +package dev.dnpm.oshelper.security; + +import org.springframework.jdbc.core.JdbcTemplate; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.stereotype.Service; + +import javax.sql.DataSource; +import java.util.List; + +/** + * Service mit Methoden zum Feststellen von sicherheitsrelevanten Informationen eines Benutzers + */ +@Service +public class SecurityService { + + private final JdbcTemplate jdbcTemplate; + + public SecurityService(final DataSource dataSource) { + this.jdbcTemplate = new JdbcTemplate(dataSource); + } + + List<String> getPersonPoolIdsForPermission(Authentication authentication, PermissionType permissionType) { + var sql = "SELECT p.kennung FROM personenstamm_zugriff " + + " JOIN usergroup u ON personenstamm_zugriff.benutzergruppe_id = u.id " + + " JOIN akteur_usergroup au ON u.id = au.usergroup_id " + + " JOIN akteur a ON au.akteur_id = a.id " + + " JOIN personenstamm p on personenstamm_zugriff.personenstamm_id = p.id " + + " WHERE a.login = ? AND a.aktiv AND a.anmelden_moeglich "; + + if (PermissionType.READ_WRITE == permissionType) { + sql += " AND personenstamm_zugriff.bearbeiten "; + } + + var userDetails = (UserDetails)authentication.getPrincipal(); + + return jdbcTemplate + .query(sql, new Object[]{userDetails.getUsername()}, (rs, rowNum) -> rs.getString("kennung")); + } + + List<String> getFormNamesForPermission(Authentication authentication, PermissionType permissionType) { + + var sql = "SELECT df.name FROM formular_usergroup_zugriff " + + " JOIN data_form df ON formular_usergroup_zugriff.formular_id = df.id " + + " JOIN usergroup u ON formular_usergroup_zugriff.usergroup_id = u.id " + + " JOIN akteur_usergroup au ON u.id = au.usergroup_id " + + " JOIN akteur a on au.akteur_id = a.id " + + " WHERE a.login = ? AND a.aktiv AND a.anmelden_moeglich "; + + if (PermissionType.READ_WRITE == permissionType) { + sql += " AND formular_usergroup_zugriff.bearbeiten "; + } + + var userDetails = (UserDetails)authentication.getPrincipal(); + + return jdbcTemplate + .query(sql, new Object[]{userDetails.getUsername()}, (rs, rowNum) -> rs.getString("name")); + } + +} |