From cc27edc544cec1b892e7c224aec9e6e42342aa39 Mon Sep 17 00:00:00 2001
From: Paul-Christian Volkmer
Date: Sat, 21 Sep 2024 22:10:24 +0200
Subject: refactor: use package name following Java guidelines

---
 .../dnpm/security/FormBasedSecurityAspects.java    | 51 ++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java

(limited to 'src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java')

diff --git a/src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java b/src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java
new file mode 100644
index 0000000..eb80d47
--- /dev/null
+++ b/src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java
@@ -0,0 +1,51 @@
+package dev.dnpm.security;
+
+import de.itc.onkostar.api.Procedure;
+import org.aspectj.lang.JoinPoint;
+import org.aspectj.lang.annotation.AfterReturning;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import java.util.Arrays;
+
+// TODO Disabled for now - check bytecode reported incompatibility for older OS installations
+//@Component
+@Aspect
+public class FormBasedSecurityAspects {
+
+    private final Logger logger = LoggerFactory.getLogger(this.getClass());
+
+    private final FormBasedPermissionEvaluator permissionEvaluator;
+
+    public FormBasedSecurityAspects(
+            final FormBasedPermissionEvaluator permissionEvaluator
+            ) {
+        this.permissionEvaluator = permissionEvaluator;
+    }
+
+    @AfterReturning(value = "@annotation(dev.dnpm.security.FormSecuredResult)", returning = "procedure")
+    public void afterProcedureFormBased(Procedure procedure) {
+        if (
+                null != procedure
+                        && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)
+        ) {
+            logger.warn("Rückgabe von Prozedur blockiert: {}", procedure.getId());
+            throw new IllegalSecuredObjectAccessException();
+        }
+    }
+
+    @Before(value = "@annotation(dev.dnpm.security.FormSecured)")
+    public void beforeProcedureFormBased(JoinPoint jp) {
+        Arrays.stream(jp.getArgs())
+                .filter(arg -> arg instanceof Procedure)
+                .forEach(procedure -> {
+                    if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)) {
+                        logger.warn("Zugriff auf Prozedur blockiert: {}", ((Procedure)procedure).getId());
+                        throw new IllegalSecuredObjectAccessException();
+                    }
+                });
+    }
+}
-- 
cgit v1.2.3