diff options
Diffstat (limited to 'src/main/java/dev/dnpm/security')
13 files changed, 0 insertions, 791 deletions
diff --git a/src/main/java/dev/dnpm/security/AbstractDelegatedPermissionEvaluator.java b/src/main/java/dev/dnpm/security/AbstractDelegatedPermissionEvaluator.java deleted file mode 100644 index 4be54ec..0000000 --- a/src/main/java/dev/dnpm/security/AbstractDelegatedPermissionEvaluator.java +++ /dev/null @@ -1,47 +0,0 @@ -/* - * This file is part of onkostar-plugin-dnpm - * - * Copyright (c) 2025 the original author or authors. - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -package dev.dnpm.security; - -import de.itc.onkostar.api.IOnkostarApi; -import de.itc.onkostar.api.Patient; -import de.itc.onkostar.api.Procedure; -import org.springframework.security.access.PermissionEvaluator; - -public abstract class AbstractDelegatedPermissionEvaluator implements PermissionEvaluator { - - protected static final String PATIENT = Patient.class.getSimpleName(); - - protected static final String PROCEDURE = Procedure.class.getSimpleName(); - - protected final IOnkostarApi onkostarApi; - - protected final SecurityService securityService; - - protected AbstractDelegatedPermissionEvaluator(final IOnkostarApi onkostarApi, final SecurityService securityService) { - this.onkostarApi = onkostarApi; - this.securityService = securityService; - } - -} diff --git a/src/main/java/dev/dnpm/security/DelegatingDataBasedPermissionEvaluator.java b/src/main/java/dev/dnpm/security/DelegatingDataBasedPermissionEvaluator.java deleted file mode 100644 index 8beca73..0000000 --- a/src/main/java/dev/dnpm/security/DelegatingDataBasedPermissionEvaluator.java +++ /dev/null @@ -1,80 +0,0 @@ -/* - * This file is part of onkostar-plugin-dnpm - * - * Copyright (c) 2025 the original author or authors. - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -package dev.dnpm.security; - -import org.springframework.security.access.PermissionEvaluator; -import org.springframework.security.core.Authentication; -import org.springframework.stereotype.Component; - -import java.io.Serializable; -import java.util.List; - -/** - * PermissionEvaluator zur Gesamtprüfung der Zugriffsberechtigung. - * Die konkrete Berechtigungsprüfung wird an die nachgelagerten PermissionEvaluatoren delegiert, - * welche jeweils einzeln dem Zugriff zustimmen müssen. - */ -@Component -public class DelegatingDataBasedPermissionEvaluator implements PermissionEvaluator { - - private final List<AbstractDelegatedPermissionEvaluator> permissionEvaluators; - - public DelegatingDataBasedPermissionEvaluator(final List<AbstractDelegatedPermissionEvaluator> permissionEvaluators) { - this.permissionEvaluators = permissionEvaluators; - } - - /** - * Auswertung der Zugriffsberechtigung für authentifizierten Benutzer auf Zielobjekt mit angeforderter Berechtigung. - * Hierbei wird die Berechtigungsprüfung an alle nachgelagerten PermissionEvaluatoren delegiert. - * Alle müssen dem Zugriff zustimmen. - * - * @param authentication Das Authentication Objekt - * @param targetObject Das Zielobjekt - * @param permissionType Die angeforderte Berechtigung - * @return Gibt <code>true</code> zurück, wenn der Benutzer die Berechtigung hat - */ - @Override - public boolean hasPermission(Authentication authentication, Object targetObject, Object permissionType) { - return permissionEvaluators.stream() - .allMatch(permissionEvaluator -> permissionEvaluator.hasPermission(authentication, targetObject, permissionType)); - } - - /** - * Auswertung anhand der ID und des Namens des Zielobjekts. - * Hierbei wird die Berechtigungsprüfung an alle nachgelagerten PermissionEvaluatoren delegiert. - * Alle müssen dem Zugriff zustimmen. - * - * @param authentication Authentication-Object - * @param targetId ID des Objekts - * @param targetType Name der Zielobjektklasse - * @param permissionType Die angeforderte Berechtigung - * @return Gibt <code>true</code> zurück, wenn der Benutzer die Berechtigung hat - */ - @Override - public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permissionType) { - return permissionEvaluators.stream() - .allMatch(permissionEvaluator -> permissionEvaluator.hasPermission(authentication, targetId, targetType, permissionType)); - } -} diff --git a/src/main/java/dev/dnpm/security/FormBasedPermissionEvaluator.java b/src/main/java/dev/dnpm/security/FormBasedPermissionEvaluator.java deleted file mode 100644 index 57552d7..0000000 --- a/src/main/java/dev/dnpm/security/FormBasedPermissionEvaluator.java +++ /dev/null @@ -1,83 +0,0 @@ -/* - * This file is part of onkostar-plugin-dnpm - * - * Copyright (c) 2025 the original author or authors. - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -package dev.dnpm.security; - -import de.itc.onkostar.api.IOnkostarApi; -import de.itc.onkostar.api.Procedure; -import org.springframework.security.core.Authentication; -import org.springframework.stereotype.Component; - -import java.io.Serializable; - -/** - * Permission-Evaluator zur Auswertung der Berechtigung auf Objekte aufgrund der Formularberechtigung - */ -@Component -public class FormBasedPermissionEvaluator extends AbstractDelegatedPermissionEvaluator { - - public FormBasedPermissionEvaluator(final IOnkostarApi onkostarApi, final SecurityService securityService) { - super(onkostarApi, securityService); - } - - /** - * Auswertung der Zugriffsberechtigung für authentifizierten Benutzer auf Zielobjekt mit angeforderter Berechtigung. - * Zugriff auf Objekte vom Typ "Patient" wird immer gewährt. - * - * @param authentication Das Authentication Objekt - * @param targetObject Das Zielobjekt - * @param permissionType Die angeforderte Berechtigung - * @return Gibt <code>true</code> zurück, wenn der Benutzer die Berechtigung hat - */ - @Override - public boolean hasPermission(Authentication authentication, Object targetObject, Object permissionType) { - if (permissionType instanceof PermissionType && targetObject instanceof Procedure) { - return this.securityService.getFormNamesForPermission(authentication, (PermissionType)permissionType) - .contains(((Procedure)targetObject).getFormName()); - } - return true; - } - - /** - * Auswertung anhand der ID und des Namens des Zielobjekts. - * Zugriff auf Objekte vom Typ "Patient" wird immer gewährt. - * - * @param authentication Authentication-Object - * @param targetId ID des Objekts - * @param targetType Name der Zielobjektklasse - * @param permissionType Die angeforderte Berechtigung - * @return Gibt <code>true</code> zurück, wenn der Benutzer die Berechtigung hat - */ - @Override - public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permissionType) { - if (permissionType instanceof PermissionType && targetId instanceof Integer && PROCEDURE.equals(targetType)) { - var procedure = this.onkostarApi.getProcedure((int)targetId); - if (null != procedure) { - return this.securityService.getFormNamesForPermission(authentication, (PermissionType) permissionType).contains(procedure.getFormName()); - } - } - return true; - } - -} diff --git a/src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java b/src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java deleted file mode 100644 index 646ec35..0000000 --- a/src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java +++ /dev/null @@ -1,75 +0,0 @@ -/* - * This file is part of onkostar-plugin-dnpm - * - * Copyright (c) 2025 the original author or authors. - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -package dev.dnpm.security; - -import de.itc.onkostar.api.Procedure; -import org.aspectj.lang.JoinPoint; -import org.aspectj.lang.annotation.AfterReturning; -import org.aspectj.lang.annotation.Aspect; -import org.aspectj.lang.annotation.Before; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.security.core.context.SecurityContextHolder; - -import java.util.Arrays; - -// TODO Disabled for now - check bytecode reported incompatibility for older OS installations -//@Component -@Aspect -public class FormBasedSecurityAspects { - - private final Logger logger = LoggerFactory.getLogger(this.getClass()); - - private final FormBasedPermissionEvaluator permissionEvaluator; - - public FormBasedSecurityAspects( - final FormBasedPermissionEvaluator permissionEvaluator - ) { - this.permissionEvaluator = permissionEvaluator; - } - - @AfterReturning(value = "@annotation(dev.dnpm.security.FormSecuredResult)", returning = "procedure") - public void afterProcedureFormBased(Procedure procedure) { - if ( - null != procedure - && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE) - ) { - logger.warn("Rückgabe von Prozedur blockiert: {}", procedure.getId()); - throw new IllegalSecuredObjectAccessException(); - } - } - - @Before(value = "@annotation(dev.dnpm.security.FormSecured)") - public void beforeProcedureFormBased(JoinPoint jp) { - Arrays.stream(jp.getArgs()) - .filter(arg -> arg instanceof Procedure) - .forEach(procedure -> { - if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)) { - logger.warn("Zugriff auf Prozedur blockiert: {}", ((Procedure)procedure).getId()); - throw new IllegalSecuredObjectAccessException(); - } - }); - } -} diff --git a/src/main/java/dev/dnpm/security/FormSecured.java b/src/main/java/dev/dnpm/security/FormSecured.java deleted file mode 100644 index 3b0ec83..0000000 --- a/src/main/java/dev/dnpm/security/FormSecured.java +++ /dev/null @@ -1,38 +0,0 @@ -/* - * This file is part of onkostar-plugin-dnpm - * - * Copyright (c) 2025 the original author or authors. - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -package dev.dnpm.security; - -import java.lang.annotation.ElementType; -import java.lang.annotation.Retention; -import java.lang.annotation.RetentionPolicy; -import java.lang.annotation.Target; - -@Retention(RetentionPolicy.RUNTIME) -@Target(ElementType.METHOD) -public @interface FormSecured { - - PermissionType value() default PermissionType.READ_WRITE; - -} diff --git a/src/main/java/dev/dnpm/security/FormSecuredResult.java b/src/main/java/dev/dnpm/security/FormSecuredResult.java deleted file mode 100644 index d0c351e..0000000 --- a/src/main/java/dev/dnpm/security/FormSecuredResult.java +++ /dev/null @@ -1,38 +0,0 @@ -/* - * This file is part of onkostar-plugin-dnpm - * - * Copyright (c) 2025 the original author or authors. - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -package dev.dnpm.security; - -import java.lang.annotation.ElementType; -import java.lang.annotation.Retention; -import java.lang.annotation.RetentionPolicy; -import java.lang.annotation.Target; - -@Retention(RetentionPolicy.RUNTIME) -@Target(ElementType.METHOD) -public @interface FormSecuredResult { - - PermissionType value() default PermissionType.READ_WRITE; - -} diff --git a/src/main/java/dev/dnpm/security/IllegalSecuredObjectAccessException.java b/src/main/java/dev/dnpm/security/IllegalSecuredObjectAccessException.java deleted file mode 100644 index c6145e0..0000000 --- a/src/main/java/dev/dnpm/security/IllegalSecuredObjectAccessException.java +++ /dev/null @@ -1,37 +0,0 @@ -/* - * This file is part of onkostar-plugin-dnpm - * - * Copyright (c) 2025 the original author or authors. - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -package dev.dnpm.security; - -public class IllegalSecuredObjectAccessException extends RuntimeException { - - public IllegalSecuredObjectAccessException() { - super(); - } - - public IllegalSecuredObjectAccessException(String message) { - super(message); - } - -} diff --git a/src/main/java/dev/dnpm/security/PermissionType.java b/src/main/java/dev/dnpm/security/PermissionType.java deleted file mode 100644 index 835ac95..0000000 --- a/src/main/java/dev/dnpm/security/PermissionType.java +++ /dev/null @@ -1,30 +0,0 @@ -/* - * This file is part of onkostar-plugin-dnpm - * - * Copyright (c) 2025 the original author or authors. - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -package dev.dnpm.security; - -public enum PermissionType { - READ, - READ_WRITE -} diff --git a/src/main/java/dev/dnpm/security/PersonPoolBasedPermissionEvaluator.java b/src/main/java/dev/dnpm/security/PersonPoolBasedPermissionEvaluator.java deleted file mode 100644 index 9686a47..0000000 --- a/src/main/java/dev/dnpm/security/PersonPoolBasedPermissionEvaluator.java +++ /dev/null @@ -1,105 +0,0 @@ -/* - * This file is part of onkostar-plugin-dnpm - * - * Copyright (c) 2025 the original author or authors. - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -package dev.dnpm.security; - -import de.itc.onkostar.api.IOnkostarApi; -import de.itc.onkostar.api.Patient; -import de.itc.onkostar.api.Procedure; -import org.springframework.security.core.Authentication; -import org.springframework.stereotype.Component; - -import java.io.Serializable; - -/** - * Permission-Evaluator zur Auswertung der Berechtigung auf Objekte aufgrund der Personenstammberechtigung - */ -@Component -public class PersonPoolBasedPermissionEvaluator extends AbstractDelegatedPermissionEvaluator { - - public PersonPoolBasedPermissionEvaluator(final IOnkostarApi onkostarApi, final SecurityService securityService) { - super(onkostarApi, securityService); - } - - /** - * Auswertung der Zugriffsberechtigung für authentifizierten Benutzer auf Zielobjekt mit angeforderter Berechtigung. - * @param authentication Das Authentication Objekt - * @param targetObject Das Zielobjekt - * @param permissionType Die angeforderte Berechtigung - * @return Gibt <code>true</code> zurück, wenn der Benutzer die Berechtigung hat - */ - @Override - public boolean hasPermission(Authentication authentication, Object targetObject, Object permissionType) { - if (permissionType instanceof PermissionType) { - if (targetObject instanceof Patient) { - return this.securityService.getPersonPoolIdsForPermission(authentication, (PermissionType)permissionType) - .contains(((Patient)targetObject).getPersonPoolCode()); - } else if (targetObject instanceof Procedure) { - return this.securityService.getPersonPoolIdsForPermission(authentication, (PermissionType)permissionType) - .contains(((Procedure)targetObject).getPatient().getPersonPoolCode()); - } - } - return false; - } - - /** - * Auswertung anhand der ID und des Namens des Zielobjekts. - * @param authentication Authentication-Object - * @param targetId ID des Objekts - * @param targetType Name der Zielobjektklasse - * @param permissionType Die angeforderte Berechtigung - * @return Gibt <code>true</code> zurück, wenn der Benutzer die Berechtigung hat - */ - @Override - public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permissionType) { - if (targetId instanceof Integer && permissionType instanceof PermissionType) { - var personPoolCode = getPersonPoolCode((int)targetId, targetType); - if (null != personPoolCode) { - return this.securityService.getPersonPoolIdsForPermission(authentication, (PermissionType) permissionType).contains(personPoolCode); - } - } - return false; - } - - private String getPersonPoolCode(int id, String type) { - Patient patient = null; - - if (PATIENT.equals(type)) { - patient = onkostarApi.getPatient(id); - } else if (PROCEDURE.equals(type)) { - var procedure = onkostarApi.getProcedure(id); - if (null != procedure) { - patient = procedure.getPatient(); - } - } - - if (null != patient) { - return patient.getPersonPoolCode(); - } - - return null; - } - - -} diff --git a/src/main/java/dev/dnpm/security/PersonPoolBasedSecurityAspects.java b/src/main/java/dev/dnpm/security/PersonPoolBasedSecurityAspects.java deleted file mode 100644 index ebe65d9..0000000 --- a/src/main/java/dev/dnpm/security/PersonPoolBasedSecurityAspects.java +++ /dev/null @@ -1,98 +0,0 @@ -/* - * This file is part of onkostar-plugin-dnpm - * - * Copyright (c) 2025 the original author or authors. - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -package dev.dnpm.security; - -import de.itc.onkostar.api.Patient; -import de.itc.onkostar.api.Procedure; -import org.aspectj.lang.JoinPoint; -import org.aspectj.lang.annotation.AfterReturning; -import org.aspectj.lang.annotation.Aspect; -import org.aspectj.lang.annotation.Before; -import org.slf4j.Logger; -import org.slf4j.LoggerFactory; -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.stereotype.Component; - -import java.util.Arrays; - -@Component -@Aspect -public class PersonPoolBasedSecurityAspects { - - private final Logger logger = LoggerFactory.getLogger(this.getClass()); - - private final PersonPoolBasedPermissionEvaluator permissionEvaluator; - - public PersonPoolBasedSecurityAspects(PersonPoolBasedPermissionEvaluator permissionEvaluator) { - this.permissionEvaluator = permissionEvaluator; - } - - @AfterReturning(value = "@annotation(dev.dnpm.security.PersonPoolSecuredResult) ", returning = "patient") - public void afterPatient(Patient patient) { - if ( - null != patient - && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), patient, PermissionType.READ_WRITE) - ) { - logger.warn("Rückgabe von Patient blockiert: {}", patient.getId()); - throw new IllegalSecuredObjectAccessException(); - } - } - - @AfterReturning(value = "@annotation(dev.dnpm.security.PersonPoolSecuredResult)", returning = "procedure") - public void afterProcedure(Procedure procedure) { - if ( - null != procedure - && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE) - ) { - logger.warn("Rückgabe von Prozedur blockiert: {}", procedure.getId()); - throw new IllegalSecuredObjectAccessException(); - } - } - - @Before(value = "@annotation(dev.dnpm.security.PersonPoolSecured)") - public void beforePatient(JoinPoint jp) { - Arrays.stream(jp.getArgs()) - .filter(arg -> arg instanceof Patient) - .forEach(patient -> { - if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), patient, PermissionType.READ_WRITE)) { - logger.warn("Zugriff auf Patient blockiert: {}", ((Patient)patient).getId()); - throw new IllegalSecuredObjectAccessException(); - } - }); - } - - @Before(value = "@annotation(dev.dnpm.security.PersonPoolSecured)") - public void beforeProcedure(JoinPoint jp) { - Arrays.stream(jp.getArgs()) - .filter(arg -> arg instanceof Procedure) - .forEach(procedure -> { - if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)) { - logger.warn("Zugriff auf Prozedur blockiert: {}", ((Procedure)procedure).getId()); - throw new IllegalSecuredObjectAccessException(); - } - }); - } - -} diff --git a/src/main/java/dev/dnpm/security/PersonPoolSecured.java b/src/main/java/dev/dnpm/security/PersonPoolSecured.java deleted file mode 100644 index bb80926..0000000 --- a/src/main/java/dev/dnpm/security/PersonPoolSecured.java +++ /dev/null @@ -1,38 +0,0 @@ -/* - * This file is part of onkostar-plugin-dnpm - * - * Copyright (c) 2025 the original author or authors. - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -package dev.dnpm.security; - -import java.lang.annotation.ElementType; -import java.lang.annotation.Retention; -import java.lang.annotation.RetentionPolicy; -import java.lang.annotation.Target; - -@Retention(RetentionPolicy.RUNTIME) -@Target(ElementType.METHOD) -public @interface PersonPoolSecured { - - PermissionType value() default PermissionType.READ_WRITE; - -} diff --git a/src/main/java/dev/dnpm/security/PersonPoolSecuredResult.java b/src/main/java/dev/dnpm/security/PersonPoolSecuredResult.java deleted file mode 100644 index 5df40fe..0000000 --- a/src/main/java/dev/dnpm/security/PersonPoolSecuredResult.java +++ /dev/null @@ -1,38 +0,0 @@ -/* - * This file is part of onkostar-plugin-dnpm - * - * Copyright (c) 2025 the original author or authors. - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -package dev.dnpm.security; - -import java.lang.annotation.ElementType; -import java.lang.annotation.Retention; -import java.lang.annotation.RetentionPolicy; -import java.lang.annotation.Target; - -@Retention(RetentionPolicy.RUNTIME) -@Target(ElementType.METHOD) -public @interface PersonPoolSecuredResult { - - PermissionType value() default PermissionType.READ_WRITE; - -} diff --git a/src/main/java/dev/dnpm/security/SecurityService.java b/src/main/java/dev/dnpm/security/SecurityService.java deleted file mode 100644 index 4f87511..0000000 --- a/src/main/java/dev/dnpm/security/SecurityService.java +++ /dev/null @@ -1,84 +0,0 @@ -/* - * This file is part of onkostar-plugin-dnpm - * - * Copyright (c) 2025 the original author or authors. - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all - * copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -package dev.dnpm.security; - -import org.springframework.jdbc.core.JdbcTemplate; -import org.springframework.security.core.Authentication; -import org.springframework.security.core.userdetails.UserDetails; -import org.springframework.stereotype.Service; - -import javax.sql.DataSource; -import java.util.List; - -/** - * Service mit Methoden zum Feststellen von sicherheitsrelevanten Informationen eines Benutzers - */ -@Service -public class SecurityService { - - private final JdbcTemplate jdbcTemplate; - - public SecurityService(final DataSource dataSource) { - this.jdbcTemplate = new JdbcTemplate(dataSource); - } - - List<String> getPersonPoolIdsForPermission(Authentication authentication, PermissionType permissionType) { - var sql = "SELECT p.kennung FROM personenstamm_zugriff " + - " JOIN usergroup u ON personenstamm_zugriff.benutzergruppe_id = u.id " + - " JOIN akteur_usergroup au ON u.id = au.usergroup_id " + - " JOIN akteur a ON au.akteur_id = a.id " + - " JOIN personenstamm p on personenstamm_zugriff.personenstamm_id = p.id " + - " WHERE a.login = ? AND a.aktiv AND a.anmelden_moeglich "; - - if (PermissionType.READ_WRITE == permissionType) { - sql += " AND personenstamm_zugriff.bearbeiten "; - } - - var userDetails = (UserDetails)authentication.getPrincipal(); - - return jdbcTemplate - .query(sql, new Object[]{userDetails.getUsername()}, (rs, rowNum) -> rs.getString("kennung")); - } - - List<String> getFormNamesForPermission(Authentication authentication, PermissionType permissionType) { - - var sql = "SELECT df.name FROM formular_usergroup_zugriff " + - " JOIN data_form df ON formular_usergroup_zugriff.formular_id = df.id " + - " JOIN usergroup u ON formular_usergroup_zugriff.usergroup_id = u.id " + - " JOIN akteur_usergroup au ON u.id = au.usergroup_id " + - " JOIN akteur a on au.akteur_id = a.id " + - " WHERE a.login = ? AND a.aktiv AND a.anmelden_moeglich "; - - if (PermissionType.READ_WRITE == permissionType) { - sql += " AND formular_usergroup_zugriff.bearbeiten "; - } - - var userDetails = (UserDetails)authentication.getPrincipal(); - - return jdbcTemplate - .query(sql, new Object[]{userDetails.getUsername()}, (rs, rowNum) -> rs.getString("name")); - } - -} |