From cc27edc544cec1b892e7c224aec9e6e42342aa39 Mon Sep 17 00:00:00 2001 
From: Paul-Christian Volkmer Date: Sat, 21 Sep 2024 22:10:24 +0200 Subject: refactor: use package name following Java guidelines --- .../AbstractDelegatedPermissionEvaluator.java | 23 ------ .../DelegatingDataBasedPermissionEvaluator.java | 56 --------------- .../security/FormBasedPermissionEvaluator.java | 59 ---------------- .../DNPM/security/FormBasedSecurityAspects.java | 51 -------------- src/main/java/DNPM/security/FormSecured.java | 14 ---- src/main/java/DNPM/security/FormSecuredResult.java | 14 ---- .../IllegalSecuredObjectAccessException.java | 13 ---- src/main/java/DNPM/security/PermissionType.java | 6 -- .../PersonPoolBasedPermissionEvaluator.java | 81 ---------------------- .../security/PersonPoolBasedSecurityAspects.java | 74 -------------------- src/main/java/DNPM/security/PersonPoolSecured.java | 14 ---- .../DNPM/security/PersonPoolSecuredResult.java | 14 ---- src/main/java/DNPM/security/SecurityService.java | 60 ---------------- 13 files changed, 479 deletions(-) delete mode 100644 src/main/java/DNPM/security/AbstractDelegatedPermissionEvaluator.java delete mode 100644 src/main/java/DNPM/security/DelegatingDataBasedPermissionEvaluator.java delete mode 100644 src/main/java/DNPM/security/FormBasedPermissionEvaluator.java delete mode 100644 src/main/java/DNPM/security/FormBasedSecurityAspects.java delete mode 100644 src/main/java/DNPM/security/FormSecured.java delete mode 100644 src/main/java/DNPM/security/FormSecuredResult.java delete mode 100644 src/main/java/DNPM/security/IllegalSecuredObjectAccessException.java delete mode 100644 src/main/java/DNPM/security/PermissionType.java delete mode 100644 src/main/java/DNPM/security/PersonPoolBasedPermissionEvaluator.java delete mode 100644 src/main/java/DNPM/security/PersonPoolBasedSecurityAspects.java delete mode 100644 src/main/java/DNPM/security/PersonPoolSecured.java delete mode 100644 src/main/java/DNPM/security/PersonPoolSecuredResult.java delete mode 100644 
src/main/java/DNPM/security/SecurityService.java (limited to 'src/main/java/DNPM/security')
diff --git a/src/main/java/DNPM/security/AbstractDelegatedPermissionEvaluator.java b/src/main/java/DNPM/security/AbstractDelegatedPermissionEvaluator.java
deleted file mode 100644
index 60e7ad2..0000000
--- a/src/main/java/DNPM/security/AbstractDelegatedPermissionEvaluator.java
+++ /dev/null
@@ -1,23 +0,0 @@
-package DNPM.security;
-
-import de.itc.onkostar.api.IOnkostarApi;
-import de.itc.onkostar.api.Patient;
-import de.itc.onkostar.api.Procedure;
-import org.springframework.security.access.PermissionEvaluator;
-
-public abstract class AbstractDelegatedPermissionEvaluator implements PermissionEvaluator {
-
- protected static final String PATIENT = Patient.class.getSimpleName();
-
- protected static final String PROCEDURE = Procedure.class.getSimpleName();
-
- protected final IOnkostarApi onkostarApi;
-
- protected final SecurityService securityService;
-
- protected AbstractDelegatedPermissionEvaluator(final IOnkostarApi onkostarApi, final SecurityService securityService) {
- this.onkostarApi = onkostarApi;
- this.securityService = securityService;
- }
-
-}
diff --git a/src/main/java/DNPM/security/DelegatingDataBasedPermissionEvaluator.java b/src/main/java/DNPM/security/DelegatingDataBasedPermissionEvaluator.java
deleted file mode 100644
index d8ca92e..0000000
--- a/src/main/java/DNPM/security/DelegatingDataBasedPermissionEvaluator.java
+++ /dev/null
@@ -1,56 +0,0 @@
-package DNPM.security;
-
-import org.springframework.security.access.PermissionEvaluator;
-import org.springframework.security.core.Authentication;
-import org.springframework.stereotype.Component;
-
-import java.io.Serializable;
-import java.util.List;
-
-/**
- * PermissionEvaluator zur Gesamtprüfung der Zugriffsberechtigung.
- * Die konkrete Berechtigungsprüfung wird an die nachgelagerten PermissionEvaluatoren delegiert,
- * welche jeweils einzeln dem Zugriff zustimmen müssen.
- */
-@Component
-public class DelegatingDataBasedPermissionEvaluator implements PermissionEvaluator {
-
- private final List permissionEvaluators;
-
- public DelegatingDataBasedPermissionEvaluator(final List permissionEvaluators) {
- this.permissionEvaluators = permissionEvaluators;
- }
-
- /**
- * Auswertung der Zugriffsberechtigung für authentifizierten Benutzer auf Zielobjekt mit angeforderter Berechtigung.
- * Hierbei wird die Berechtigungsprüfung an alle nachgelagerten PermissionEvaluatoren delegiert.
- * Alle müssen dem Zugriff zustimmen.
- *
- * @param authentication Das Authentication Objekt
- * @param targetObject Das Zielobjekt
- * @param permissionType Die angeforderte Berechtigung
- * @return Gibt true zurück, wenn der Benutzer die Berechtigung hat
- */
- @Override
- public boolean hasPermission(Authentication authentication, Object targetObject, Object permissionType) {
- return permissionEvaluators.stream()
- .allMatch(permissionEvaluator -> permissionEvaluator.hasPermission(authentication, targetObject, permissionType));
- }
-
- /**
- * Auswertung anhand der ID und des Namens des Zielobjekts.
- * Hierbei wird die Berechtigungsprüfung an alle nachgelagerten PermissionEvaluatoren delegiert.
- * Alle müssen dem Zugriff zustimmen.
- *
- * @param authentication Authentication-Object
- * @param targetId ID des Objekts
- * @param targetType Name der Zielobjektklasse
- * @param permissionType Die angeforderte Berechtigung
- * @return Gibt true zurück, wenn der Benutzer die Berechtigung hat
- */
- @Override
- public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permissionType) {
- return permissionEvaluators.stream()
- .allMatch(permissionEvaluator -> permissionEvaluator.hasPermission(authentication, targetId, targetType, permissionType));
- }
-}
diff --git a/src/main/java/DNPM/security/FormBasedPermissionEvaluator.java b/src/main/java/DNPM/security/FormBasedPermissionEvaluator.java
deleted file mode 100644
index 912a19c..0000000
--- a/src/main/java/DNPM/security/FormBasedPermissionEvaluator.java
+++ /dev/null
@@ -1,59 +0,0 @@
-package DNPM.security;
-
-import de.itc.onkostar.api.IOnkostarApi;
-import de.itc.onkostar.api.Procedure;
-import org.springframework.security.core.Authentication;
-import org.springframework.stereotype.Component;
-
-import java.io.Serializable;
-
-/**
- * Permission-Evaluator zur Auswertung der Berechtigung auf Objekte aufgrund der Formularberechtigung
- */
-@Component
-public class FormBasedPermissionEvaluator extends AbstractDelegatedPermissionEvaluator {
-
- public FormBasedPermissionEvaluator(final IOnkostarApi onkostarApi, final SecurityService securityService) {
- super(onkostarApi, securityService);
- }
-
- /**
- * Auswertung der Zugriffsberechtigung für authentifizierten Benutzer auf Zielobjekt mit angeforderter Berechtigung.
- * Zugriff auf Objekte vom Typ "Patient" wird immer gewährt.
- *
- * @param authentication Das Authentication Objekt
- * @param targetObject Das Zielobjekt
- * @param permissionType Die angeforderte Berechtigung
- * @return Gibt true zurück, wenn der Benutzer die Berechtigung hat
- */
- @Override
- public boolean hasPermission(Authentication authentication, Object targetObject, Object permissionType) {
- if (permissionType instanceof PermissionType && targetObject instanceof Procedure) {
- return this.securityService.getFormNamesForPermission(authentication, (PermissionType)permissionType)
- .contains(((Procedure)targetObject).getFormName());
- }
- return true;
- }
-
- /**
- * Auswertung anhand der ID und des Namens des Zielobjekts.
- * Zugriff auf Objekte vom Typ "Patient" wird immer gewährt.
- *
- * @param authentication Authentication-Object
- * @param targetId ID des Objekts
- * @param targetType Name der Zielobjektklasse
- * @param permissionType Die angeforderte Berechtigung
- * @return Gibt true zurück, wenn der Benutzer die Berechtigung hat
- */
- @Override
- public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permissionType) {
- if (permissionType instanceof PermissionType && targetId instanceof Integer && PROCEDURE.equals(targetType)) {
- var procedure = this.onkostarApi.getProcedure((int)targetId);
- if (null != procedure) {
- return this.securityService.getFormNamesForPermission(authentication, (PermissionType) permissionType).contains(procedure.getFormName());
- }
- }
- return true;
- }
-
-}
diff --git a/src/main/java/DNPM/security/FormBasedSecurityAspects.java b/src/main/java/DNPM/security/FormBasedSecurityAspects.java
deleted file mode 100644
index 306c062..0000000
--- a/src/main/java/DNPM/security/FormBasedSecurityAspects.java
+++ /dev/null
@@ -1,51 +0,0 @@
-package DNPM.security;
-
-import de.itc.onkostar.api.Procedure;
-import org.aspectj.lang.JoinPoint;
-import org.aspectj.lang.annotation.AfterReturning;
-import org.aspectj.lang.annotation.Aspect;
-import org.aspectj.lang.annotation.Before;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.security.core.context.SecurityContextHolder;
-
-import java.util.Arrays;
-
-// TODO Disabled for now - check bytecode reported incompatibility for older OS installations
-//@Component
-@Aspect
-public class FormBasedSecurityAspects {
-
- private final Logger logger = LoggerFactory.getLogger(this.getClass());
-
- private final FormBasedPermissionEvaluator permissionEvaluator;
-
- public FormBasedSecurityAspects(
- final FormBasedPermissionEvaluator permissionEvaluator
- ) {
- this.permissionEvaluator = permissionEvaluator;
- }
-
- @AfterReturning(value = "@annotation(FormSecuredResult)", returning = "procedure")
- public void afterProcedureFormBased(Procedure procedure) {
- if (
- null != procedure
- && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)
- ) {
- logger.warn("Rückgabe von Prozedur blockiert: {}", procedure.getId());
- throw new IllegalSecuredObjectAccessException();
- }
- }
-
- @Before(value = "@annotation(FormSecured)")
- public void beforeProcedureFormBased(JoinPoint jp) {
- Arrays.stream(jp.getArgs())
- .filter(arg -> arg instanceof Procedure)
- .forEach(procedure -> {
- if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)) {
- logger.warn("Zugriff auf Prozedur blockiert: {}", ((Procedure)procedure).getId());
- throw new IllegalSecuredObjectAccessException();
- }
- });
- }
-}
diff --git a/src/main/java/DNPM/security/FormSecured.java b/src/main/java/DNPM/security/FormSecured.java
deleted file mode 100644
index 2e12667..0000000
--- a/src/main/java/DNPM/security/FormSecured.java
+++ /dev/null
@@ -1,14 +0,0 @@
-package DNPM.security;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-@Retention(RetentionPolicy.RUNTIME)
-@Target(ElementType.METHOD)
-public @interface FormSecured {
-
- PermissionType value() default PermissionType.READ_WRITE;
-
-}
diff --git a/src/main/java/DNPM/security/FormSecuredResult.java b/src/main/java/DNPM/security/FormSecuredResult.java
deleted file mode 100644
index ccfbd24..0000000
--- a/src/main/java/DNPM/security/FormSecuredResult.java
+++ /dev/null
@@ -1,14 +0,0 @@
-package DNPM.security;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-@Retention(RetentionPolicy.RUNTIME)
-@Target(ElementType.METHOD)
-public @interface FormSecuredResult {
-
- PermissionType value() default PermissionType.READ_WRITE;
-
-}
diff --git a/src/main/java/DNPM/security/IllegalSecuredObjectAccessException.java b/src/main/java/DNPM/security/IllegalSecuredObjectAccessException.java
deleted file mode 100644
index 542b604..0000000
--- a/src/main/java/DNPM/security/IllegalSecuredObjectAccessException.java
+++ /dev/null
@@ -1,13 +0,0 @@
-package DNPM.security;
-
-public class IllegalSecuredObjectAccessException extends RuntimeException {
-
- public IllegalSecuredObjectAccessException() {
- super();
- }
-
- public IllegalSecuredObjectAccessException(String message) {
- super(message);
- }
-
-}
diff --git a/src/main/java/DNPM/security/PermissionType.java b/src/main/java/DNPM/security/PermissionType.java
deleted file mode 100644
index 1539aea..0000000
--- a/src/main/java/DNPM/security/PermissionType.java
+++ /dev/null
@@ -1,6 +0,0 @@
-package DNPM.security;
-
-public enum PermissionType {
- READ,
- READ_WRITE
-}
diff --git a/src/main/java/DNPM/security/PersonPoolBasedPermissionEvaluator.java b/src/main/java/DNPM/security/PersonPoolBasedPermissionEvaluator.java
deleted file mode 100644
index e3ba16e..0000000
--- a/src/main/java/DNPM/security/PersonPoolBasedPermissionEvaluator.java
+++ /dev/null
@@ -1,81 +0,0 @@
-package DNPM.security;
-
-import de.itc.onkostar.api.IOnkostarApi;
-import de.itc.onkostar.api.Patient;
-import de.itc.onkostar.api.Procedure;
-import org.springframework.security.core.Authentication;
-import org.springframework.stereotype.Component;
-
-import java.io.Serializable;
-
-/**
- * Permission-Evaluator zur Auswertung der Berechtigung auf Objekte aufgrund der Personenstammberechtigung
- */
-@Component
-public class PersonPoolBasedPermissionEvaluator extends AbstractDelegatedPermissionEvaluator {
-
- public PersonPoolBasedPermissionEvaluator(final IOnkostarApi onkostarApi, final SecurityService securityService) {
- super(onkostarApi, securityService);
- }
-
- /**
- * Auswertung der Zugriffsberechtigung für authentifizierten Benutzer auf Zielobjekt mit angeforderter Berechtigung.
- * @param authentication Das Authentication Objekt
- * @param targetObject Das Zielobjekt
- * @param permissionType Die angeforderte Berechtigung
- * @return Gibt true zurück, wenn der Benutzer die Berechtigung hat
- */
- @Override
- public boolean hasPermission(Authentication authentication, Object targetObject, Object permissionType) {
- if (permissionType instanceof PermissionType) {
- if (targetObject instanceof Patient) {
- return this.securityService.getPersonPoolIdsForPermission(authentication, (PermissionType)permissionType)
- .contains(((Patient)targetObject).getPersonPoolCode());
- } else if (targetObject instanceof Procedure) {
- return this.securityService.getPersonPoolIdsForPermission(authentication, (PermissionType)permissionType)
- .contains(((Procedure)targetObject).getPatient().getPersonPoolCode());
- }
- }
- return false;
- }
-
- /**
- * Auswertung anhand der ID und des Namens des Zielobjekts.
- * @param authentication Authentication-Object
- * @param targetId ID des Objekts
- * @param targetType Name der Zielobjektklasse
- * @param permissionType Die angeforderte Berechtigung
- * @return Gibt true zurück, wenn der Benutzer die Berechtigung hat
- */
- @Override
- public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permissionType) {
- if (targetId instanceof Integer && permissionType instanceof PermissionType) {
- var personPoolCode = getPersonPoolCode((int)targetId, targetType);
- if (null != personPoolCode) {
- return this.securityService.getPersonPoolIdsForPermission(authentication, (PermissionType) permissionType).contains(personPoolCode);
- }
- }
- return false;
- }
-
- private String getPersonPoolCode(int id, String type) {
- Patient patient = null;
-
- if (PATIENT.equals(type)) {
- patient = onkostarApi.getPatient(id);
- } else if (PROCEDURE.equals(type)) {
- var procedure = onkostarApi.getProcedure(id);
- if (null != procedure) {
- patient = procedure.getPatient();
- }
- }
-
- if (null != patient) {
- return patient.getPersonPoolCode();
- }
-
- return null;
- }
-
-
-}
diff --git a/src/main/java/DNPM/security/PersonPoolBasedSecurityAspects.java b/src/main/java/DNPM/security/PersonPoolBasedSecurityAspects.java
deleted file mode 100644
index 37c313f..0000000
--- a/src/main/java/DNPM/security/PersonPoolBasedSecurityAspects.java
+++ /dev/null
@@ -1,74 +0,0 @@
-package DNPM.security;
-
-import de.itc.onkostar.api.Patient;
-import de.itc.onkostar.api.Procedure;
-import org.aspectj.lang.JoinPoint;
-import org.aspectj.lang.annotation.AfterReturning;
-import org.aspectj.lang.annotation.Aspect;
-import org.aspectj.lang.annotation.Before;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.stereotype.Component;
-
-import java.util.Arrays;
-
-@Component
-@Aspect
-public class PersonPoolBasedSecurityAspects {
-
- private final Logger logger = LoggerFactory.getLogger(this.getClass());
-
- private final PersonPoolBasedPermissionEvaluator permissionEvaluator;
-
- public PersonPoolBasedSecurityAspects(PersonPoolBasedPermissionEvaluator permissionEvaluator) {
- this.permissionEvaluator = permissionEvaluator;
- }
-
- @AfterReturning(value = "@annotation(PersonPoolSecuredResult) ", returning = "patient")
- public void afterPatient(Patient patient) {
- if (
- null != patient
- && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), patient, PermissionType.READ_WRITE)
- ) {
- logger.warn("Rückgabe von Patient blockiert: {}", patient.getId());
- throw new IllegalSecuredObjectAccessException();
- }
- }
-
- @AfterReturning(value = "@annotation(PersonPoolSecuredResult)", returning = "procedure")
- public void afterProcedure(Procedure procedure) {
- if (
- null != procedure
- && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)
- ) {
- logger.warn("Rückgabe von Prozedur blockiert: {}", procedure.getId());
- throw new IllegalSecuredObjectAccessException();
- }
- }
-
- @Before(value = "@annotation(PersonPoolSecured)")
- public void beforePatient(JoinPoint jp) {
- Arrays.stream(jp.getArgs())
- .filter(arg -> arg instanceof Patient)
- .forEach(patient -> {
- if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), patient, PermissionType.READ_WRITE)) {
- logger.warn("Zugriff auf Patient blockiert: {}", ((Patient)patient).getId());
- throw new IllegalSecuredObjectAccessException();
- }
- });
- }
-
- @Before(value = "@annotation(PersonPoolSecured)")
- public void beforeProcedure(JoinPoint jp) {
- Arrays.stream(jp.getArgs())
- .filter(arg -> arg instanceof Procedure)
- .forEach(procedure -> {
- if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)) {
- logger.warn("Zugriff auf Prozedur blockiert: {}", ((Procedure)procedure).getId());
- throw new IllegalSecuredObjectAccessException();
- }
- });
- }
-
-}
diff --git a/src/main/java/DNPM/security/PersonPoolSecured.java b/src/main/java/DNPM/security/PersonPoolSecured.java
deleted file mode 100644
index cac0f78..0000000
--- a/src/main/java/DNPM/security/PersonPoolSecured.java
+++ /dev/null
@@ -1,14 +0,0 @@
-package DNPM.security;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-@Retention(RetentionPolicy.RUNTIME)
-@Target(ElementType.METHOD)
-public @interface PersonPoolSecured {
-
- PermissionType value() default PermissionType.READ_WRITE;
-
-}
diff --git a/src/main/java/DNPM/security/PersonPoolSecuredResult.java b/src/main/java/DNPM/security/PersonPoolSecuredResult.java
deleted file mode 100644
index 0ca8edf..0000000
--- a/src/main/java/DNPM/security/PersonPoolSecuredResult.java
+++ /dev/null
@@ -1,14 +0,0 @@
-package DNPM.security;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-@Retention(RetentionPolicy.RUNTIME)
-@Target(ElementType.METHOD)
-public @interface PersonPoolSecuredResult {
-
- PermissionType value() default PermissionType.READ_WRITE;
-
-}
diff --git a/src/main/java/DNPM/security/SecurityService.java b/src/main/java/DNPM/security/SecurityService.java
deleted file mode 100644
index 479701f..0000000
--- a/src/main/java/DNPM/security/SecurityService.java
+++ /dev/null
@@ -1,60 +0,0 @@
-package DNPM.security;
-
-import org.springframework.jdbc.core.JdbcTemplate;
-import org.springframework.security.core.Authentication;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.stereotype.Service;
-
-import javax.sql.DataSource;
-import java.util.List;
-
-/**
- * Service mit Methoden zum Feststellen von sicherheitsrelevanten Informationen eines Benutzers
- */
-@Service
-public class SecurityService {
-
- private final JdbcTemplate jdbcTemplate;
-
- public SecurityService(final DataSource dataSource) {
- this.jdbcTemplate = new JdbcTemplate(dataSource);
- }
-
- List getPersonPoolIdsForPermission(Authentication authentication, PermissionType permissionType) {
- var sql = "SELECT p.kennung FROM personenstamm_zugriff " +
- " JOIN usergroup u ON personenstamm_zugriff.benutzergruppe_id = u.id " +
- " JOIN akteur_usergroup au ON u.id = au.usergroup_id " +
- " JOIN akteur a ON au.akteur_id = a.id " +
- " JOIN personenstamm p on personenstamm_zugriff.personenstamm_id = p.id " +
- " WHERE a.login = ? AND a.aktiv AND a.anmelden_moeglich ";
-
- if (PermissionType.READ_WRITE == permissionType) {
- sql += " AND personenstamm_zugriff.bearbeiten ";
- }
-
- var userDetails = (UserDetails)authentication.getPrincipal();
-
- return jdbcTemplate
- .query(sql, new Object[]{userDetails.getUsername()}, (rs, rowNum) -> rs.getString("kennung"));
- }
-
- List getFormNamesForPermission(Authentication authentication, PermissionType permissionType) {
-
- var sql = "SELECT df.name FROM formular_usergroup_zugriff " +
- " JOIN data_form df ON formular_usergroup_zugriff.formular_id = df.id " +
- " JOIN usergroup u ON formular_usergroup_zugriff.usergroup_id = u.id " +
- " JOIN akteur_usergroup au ON u.id = au.usergroup_id " +
- " JOIN akteur a on au.akteur_id = a.id " +
- " WHERE a.login = ? AND a.aktiv AND a.anmelden_moeglich ";
-
- if (PermissionType.READ_WRITE == permissionType) {
- sql += " AND formular_usergroup_zugriff.bearbeiten ";
- }
-
- var userDetails = (UserDetails)authentication.getPrincipal();
-
- return jdbcTemplate
- .query(sql, new Object[]{userDetails.getUsername()}, (rs, rowNum) -> rs.getString("name"));
- }
-
-}
-- cgit v1.2.3