From cc27edc544cec1b892e7c224aec9e6e42342aa39 Mon Sep 17 00:00:00 2001 From: Paul-Christian Volkmer Date: Sat, 21 Sep 2024 22:10:24 +0200 Subject: refactor: use package name following Java guidelines --- .../AbstractDelegatedPermissionEvaluator.java | 23 ++++++ .../DelegatingDataBasedPermissionEvaluator.java | 56 +++++++++++++++ .../security/FormBasedPermissionEvaluator.java | 59 ++++++++++++++++ .../dnpm/security/FormBasedSecurityAspects.java | 51 ++++++++++++++ src/main/java/dev/dnpm/security/FormSecured.java | 14 ++++ .../java/dev/dnpm/security/FormSecuredResult.java | 14 ++++ .../IllegalSecuredObjectAccessException.java | 13 ++++ .../java/dev/dnpm/security/PermissionType.java | 6 ++ .../PersonPoolBasedPermissionEvaluator.java | 81 ++++++++++++++++++++++ .../security/PersonPoolBasedSecurityAspects.java | 74 ++++++++++++++++++++ .../java/dev/dnpm/security/PersonPoolSecured.java | 14 ++++ .../dev/dnpm/security/PersonPoolSecuredResult.java | 14 ++++ .../java/dev/dnpm/security/SecurityService.java | 60 ++++++++++++++++ 13 files changed, 479 insertions(+) create mode 100644 src/main/java/dev/dnpm/security/AbstractDelegatedPermissionEvaluator.java create mode 100644 src/main/java/dev/dnpm/security/DelegatingDataBasedPermissionEvaluator.java create mode 100644 src/main/java/dev/dnpm/security/FormBasedPermissionEvaluator.java create mode 100644 src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java create mode 100644 src/main/java/dev/dnpm/security/FormSecured.java create mode 100644 src/main/java/dev/dnpm/security/FormSecuredResult.java create mode 100644 src/main/java/dev/dnpm/security/IllegalSecuredObjectAccessException.java create mode 100644 src/main/java/dev/dnpm/security/PermissionType.java create mode 100644 src/main/java/dev/dnpm/security/PersonPoolBasedPermissionEvaluator.java create mode 100644 src/main/java/dev/dnpm/security/PersonPoolBasedSecurityAspects.java create mode 100644 src/main/java/dev/dnpm/security/PersonPoolSecured.java create mode 100644 src/main/java/dev/dnpm/security/PersonPoolSecuredResult.java create mode 100644 src/main/java/dev/dnpm/security/SecurityService.java (limited to 'src/main/java/dev/dnpm/security') diff --git a/src/main/java/dev/dnpm/security/AbstractDelegatedPermissionEvaluator.java b/src/main/java/dev/dnpm/security/AbstractDelegatedPermissionEvaluator.java new file mode 100644 index 0000000..11bdcb6 --- /dev/null +++ b/src/main/java/dev/dnpm/security/AbstractDelegatedPermissionEvaluator.java @@ -0,0 +1,23 @@ +package dev.dnpm.security; + +import de.itc.onkostar.api.IOnkostarApi; +import de.itc.onkostar.api.Patient; +import de.itc.onkostar.api.Procedure; +import org.springframework.security.access.PermissionEvaluator; + +public abstract class AbstractDelegatedPermissionEvaluator implements PermissionEvaluator { + + protected static final String PATIENT = Patient.class.getSimpleName(); + + protected static final String PROCEDURE = Procedure.class.getSimpleName(); + + protected final IOnkostarApi onkostarApi; + + protected final SecurityService securityService; + + protected AbstractDelegatedPermissionEvaluator(final IOnkostarApi onkostarApi, final SecurityService securityService) { + this.onkostarApi = onkostarApi; + this.securityService = securityService; + } + +} diff --git a/src/main/java/dev/dnpm/security/DelegatingDataBasedPermissionEvaluator.java b/src/main/java/dev/dnpm/security/DelegatingDataBasedPermissionEvaluator.java new file mode 100644 index 0000000..09c212b --- /dev/null +++ b/src/main/java/dev/dnpm/security/DelegatingDataBasedPermissionEvaluator.java @@ -0,0 +1,56 @@ +package dev.dnpm.security; + +import org.springframework.security.access.PermissionEvaluator; +import org.springframework.security.core.Authentication; +import org.springframework.stereotype.Component; + +import java.io.Serializable; +import java.util.List; + +/** + * PermissionEvaluator zur Gesamtprüfung der Zugriffsberechtigung. + * Die konkrete Berechtigungsprüfung wird an die nachgelagerten PermissionEvaluatoren delegiert, + * welche jeweils einzeln dem Zugriff zustimmen müssen. + */ +@Component +public class DelegatingDataBasedPermissionEvaluator implements PermissionEvaluator { + + private final List permissionEvaluators; + + public DelegatingDataBasedPermissionEvaluator(final List permissionEvaluators) { + this.permissionEvaluators = permissionEvaluators; + } + + /** + * Auswertung der Zugriffsberechtigung für authentifizierten Benutzer auf Zielobjekt mit angeforderter Berechtigung. + * Hierbei wird die Berechtigungsprüfung an alle nachgelagerten PermissionEvaluatoren delegiert. + * Alle müssen dem Zugriff zustimmen. + * + * @param authentication Das Authentication Objekt + * @param targetObject Das Zielobjekt + * @param permissionType Die angeforderte Berechtigung + * @return Gibt true zurück, wenn der Benutzer die Berechtigung hat + */ + @Override + public boolean hasPermission(Authentication authentication, Object targetObject, Object permissionType) { + return permissionEvaluators.stream() + .allMatch(permissionEvaluator -> permissionEvaluator.hasPermission(authentication, targetObject, permissionType)); + } + + /** + * Auswertung anhand der ID und des Namens des Zielobjekts. + * Hierbei wird die Berechtigungsprüfung an alle nachgelagerten PermissionEvaluatoren delegiert. + * Alle müssen dem Zugriff zustimmen. + * + * @param authentication Authentication-Object + * @param targetId ID des Objekts + * @param targetType Name der Zielobjektklasse + * @param permissionType Die angeforderte Berechtigung + * @return Gibt true zurück, wenn der Benutzer die Berechtigung hat + */ + @Override + public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permissionType) { + return permissionEvaluators.stream() + .allMatch(permissionEvaluator -> permissionEvaluator.hasPermission(authentication, targetId, targetType, permissionType)); + } +} diff --git a/src/main/java/dev/dnpm/security/FormBasedPermissionEvaluator.java b/src/main/java/dev/dnpm/security/FormBasedPermissionEvaluator.java new file mode 100644 index 0000000..64f6833 --- /dev/null +++ b/src/main/java/dev/dnpm/security/FormBasedPermissionEvaluator.java @@ -0,0 +1,59 @@ +package dev.dnpm.security; + +import de.itc.onkostar.api.IOnkostarApi; +import de.itc.onkostar.api.Procedure; +import org.springframework.security.core.Authentication; +import org.springframework.stereotype.Component; + +import java.io.Serializable; + +/** + * Permission-Evaluator zur Auswertung der Berechtigung auf Objekte aufgrund der Formularberechtigung + */ +@Component +public class FormBasedPermissionEvaluator extends AbstractDelegatedPermissionEvaluator { + + public FormBasedPermissionEvaluator(final IOnkostarApi onkostarApi, final SecurityService securityService) { + super(onkostarApi, securityService); + } + + /** + * Auswertung der Zugriffsberechtigung für authentifizierten Benutzer auf Zielobjekt mit angeforderter Berechtigung. + * Zugriff auf Objekte vom Typ "Patient" wird immer gewährt. + * + * @param authentication Das Authentication Objekt + * @param targetObject Das Zielobjekt + * @param permissionType Die angeforderte Berechtigung + * @return Gibt true zurück, wenn der Benutzer die Berechtigung hat + */ + @Override + public boolean hasPermission(Authentication authentication, Object targetObject, Object permissionType) { + if (permissionType instanceof PermissionType && targetObject instanceof Procedure) { + return this.securityService.getFormNamesForPermission(authentication, (PermissionType)permissionType) + .contains(((Procedure)targetObject).getFormName()); + } + return true; + } + + /** + * Auswertung anhand der ID und des Namens des Zielobjekts. + * Zugriff auf Objekte vom Typ "Patient" wird immer gewährt. + * + * @param authentication Authentication-Object + * @param targetId ID des Objekts + * @param targetType Name der Zielobjektklasse + * @param permissionType Die angeforderte Berechtigung + * @return Gibt true zurück, wenn der Benutzer die Berechtigung hat + */ + @Override + public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permissionType) { + if (permissionType instanceof PermissionType && targetId instanceof Integer && PROCEDURE.equals(targetType)) { + var procedure = this.onkostarApi.getProcedure((int)targetId); + if (null != procedure) { + return this.securityService.getFormNamesForPermission(authentication, (PermissionType) permissionType).contains(procedure.getFormName()); + } + } + return true; + } + +} diff --git a/src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java b/src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java new file mode 100644 index 0000000..eb80d47 --- /dev/null +++ b/src/main/java/dev/dnpm/security/FormBasedSecurityAspects.java @@ -0,0 +1,51 @@ +package dev.dnpm.security; + +import de.itc.onkostar.api.Procedure; +import org.aspectj.lang.JoinPoint; +import org.aspectj.lang.annotation.AfterReturning; +import org.aspectj.lang.annotation.Aspect; +import org.aspectj.lang.annotation.Before; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.core.context.SecurityContextHolder; + +import java.util.Arrays; + +// TODO Disabled for now - check bytecode reported incompatibility for older OS installations +//@Component +@Aspect +public class FormBasedSecurityAspects { + + private final Logger logger = LoggerFactory.getLogger(this.getClass()); + + private final FormBasedPermissionEvaluator permissionEvaluator; + + public FormBasedSecurityAspects( + final FormBasedPermissionEvaluator permissionEvaluator + ) { + this.permissionEvaluator = permissionEvaluator; + } + + @AfterReturning(value = "@annotation(dev.dnpm.security.FormSecuredResult)", returning = "procedure") + public void afterProcedureFormBased(Procedure procedure) { + if ( + null != procedure + && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE) + ) { + logger.warn("Rückgabe von Prozedur blockiert: {}", procedure.getId()); + throw new IllegalSecuredObjectAccessException(); + } + } + + @Before(value = "@annotation(dev.dnpm.security.FormSecured)") + public void beforeProcedureFormBased(JoinPoint jp) { + Arrays.stream(jp.getArgs()) + .filter(arg -> arg instanceof Procedure) + .forEach(procedure -> { + if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)) { + logger.warn("Zugriff auf Prozedur blockiert: {}", ((Procedure)procedure).getId()); + throw new IllegalSecuredObjectAccessException(); + } + }); + } +} diff --git a/src/main/java/dev/dnpm/security/FormSecured.java b/src/main/java/dev/dnpm/security/FormSecured.java new file mode 100644 index 0000000..0ea277e --- /dev/null +++ b/src/main/java/dev/dnpm/security/FormSecured.java @@ -0,0 +1,14 @@ +package dev.dnpm.security; + +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +@Retention(RetentionPolicy.RUNTIME) +@Target(ElementType.METHOD) +public @interface FormSecured { + + PermissionType value() default PermissionType.READ_WRITE; + +} diff --git a/src/main/java/dev/dnpm/security/FormSecuredResult.java b/src/main/java/dev/dnpm/security/FormSecuredResult.java new file mode 100644 index 0000000..64f9bce --- /dev/null +++ b/src/main/java/dev/dnpm/security/FormSecuredResult.java @@ -0,0 +1,14 @@ +package dev.dnpm.security; + +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +@Retention(RetentionPolicy.RUNTIME) +@Target(ElementType.METHOD) +public @interface FormSecuredResult { + + PermissionType value() default PermissionType.READ_WRITE; + +} diff --git a/src/main/java/dev/dnpm/security/IllegalSecuredObjectAccessException.java b/src/main/java/dev/dnpm/security/IllegalSecuredObjectAccessException.java new file mode 100644 index 0000000..69cd456 --- /dev/null +++ b/src/main/java/dev/dnpm/security/IllegalSecuredObjectAccessException.java @@ -0,0 +1,13 @@ +package dev.dnpm.security; + +public class IllegalSecuredObjectAccessException extends RuntimeException { + + public IllegalSecuredObjectAccessException() { + super(); + } + + public IllegalSecuredObjectAccessException(String message) { + super(message); + } + +} diff --git a/src/main/java/dev/dnpm/security/PermissionType.java b/src/main/java/dev/dnpm/security/PermissionType.java new file mode 100644 index 0000000..da3c471 --- /dev/null +++ b/src/main/java/dev/dnpm/security/PermissionType.java @@ -0,0 +1,6 @@ +package dev.dnpm.security; + +public enum PermissionType { + READ, + READ_WRITE +} diff --git a/src/main/java/dev/dnpm/security/PersonPoolBasedPermissionEvaluator.java b/src/main/java/dev/dnpm/security/PersonPoolBasedPermissionEvaluator.java new file mode 100644 index 0000000..293614b --- /dev/null +++ b/src/main/java/dev/dnpm/security/PersonPoolBasedPermissionEvaluator.java @@ -0,0 +1,81 @@ +package dev.dnpm.security; + +import de.itc.onkostar.api.IOnkostarApi; +import de.itc.onkostar.api.Patient; +import de.itc.onkostar.api.Procedure; +import org.springframework.security.core.Authentication; +import org.springframework.stereotype.Component; + +import java.io.Serializable; + +/** + * Permission-Evaluator zur Auswertung der Berechtigung auf Objekte aufgrund der Personenstammberechtigung + */ +@Component +public class PersonPoolBasedPermissionEvaluator extends AbstractDelegatedPermissionEvaluator { + + public PersonPoolBasedPermissionEvaluator(final IOnkostarApi onkostarApi, final SecurityService securityService) { + super(onkostarApi, securityService); + } + + /** + * Auswertung der Zugriffsberechtigung für authentifizierten Benutzer auf Zielobjekt mit angeforderter Berechtigung. + * @param authentication Das Authentication Objekt + * @param targetObject Das Zielobjekt + * @param permissionType Die angeforderte Berechtigung + * @return Gibt true zurück, wenn der Benutzer die Berechtigung hat + */ + @Override + public boolean hasPermission(Authentication authentication, Object targetObject, Object permissionType) { + if (permissionType instanceof PermissionType) { + if (targetObject instanceof Patient) { + return this.securityService.getPersonPoolIdsForPermission(authentication, (PermissionType)permissionType) + .contains(((Patient)targetObject).getPersonPoolCode()); + } else if (targetObject instanceof Procedure) { + return this.securityService.getPersonPoolIdsForPermission(authentication, (PermissionType)permissionType) + .contains(((Procedure)targetObject).getPatient().getPersonPoolCode()); + } + } + return false; + } + + /** + * Auswertung anhand der ID und des Namens des Zielobjekts. + * @param authentication Authentication-Object + * @param targetId ID des Objekts + * @param targetType Name der Zielobjektklasse + * @param permissionType Die angeforderte Berechtigung + * @return Gibt true zurück, wenn der Benutzer die Berechtigung hat + */ + @Override + public boolean hasPermission(Authentication authentication, Serializable targetId, String targetType, Object permissionType) { + if (targetId instanceof Integer && permissionType instanceof PermissionType) { + var personPoolCode = getPersonPoolCode((int)targetId, targetType); + if (null != personPoolCode) { + return this.securityService.getPersonPoolIdsForPermission(authentication, (PermissionType) permissionType).contains(personPoolCode); + } + } + return false; + } + + private String getPersonPoolCode(int id, String type) { + Patient patient = null; + + if (PATIENT.equals(type)) { + patient = onkostarApi.getPatient(id); + } else if (PROCEDURE.equals(type)) { + var procedure = onkostarApi.getProcedure(id); + if (null != procedure) { + patient = procedure.getPatient(); + } + } + + if (null != patient) { + return patient.getPersonPoolCode(); + } + + return null; + } + + +} diff --git a/src/main/java/dev/dnpm/security/PersonPoolBasedSecurityAspects.java b/src/main/java/dev/dnpm/security/PersonPoolBasedSecurityAspects.java new file mode 100644 index 0000000..66179f7 --- /dev/null +++ b/src/main/java/dev/dnpm/security/PersonPoolBasedSecurityAspects.java @@ -0,0 +1,74 @@ +package dev.dnpm.security; + +import de.itc.onkostar.api.Patient; +import de.itc.onkostar.api.Procedure; +import org.aspectj.lang.JoinPoint; +import org.aspectj.lang.annotation.AfterReturning; +import org.aspectj.lang.annotation.Aspect; +import org.aspectj.lang.annotation.Before; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.stereotype.Component; + +import java.util.Arrays; + +@Component +@Aspect +public class PersonPoolBasedSecurityAspects { + + private final Logger logger = LoggerFactory.getLogger(this.getClass()); + + private final PersonPoolBasedPermissionEvaluator permissionEvaluator; + + public PersonPoolBasedSecurityAspects(PersonPoolBasedPermissionEvaluator permissionEvaluator) { + this.permissionEvaluator = permissionEvaluator; + } + + @AfterReturning(value = "@annotation(dev.dnpm.security.PersonPoolSecuredResult) ", returning = "patient") + public void afterPatient(Patient patient) { + if ( + null != patient + && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), patient, PermissionType.READ_WRITE) + ) { + logger.warn("Rückgabe von Patient blockiert: {}", patient.getId()); + throw new IllegalSecuredObjectAccessException(); + } + } + + @AfterReturning(value = "@annotation(dev.dnpm.security.PersonPoolSecuredResult)", returning = "procedure") + public void afterProcedure(Procedure procedure) { + if ( + null != procedure + && ! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE) + ) { + logger.warn("Rückgabe von Prozedur blockiert: {}", procedure.getId()); + throw new IllegalSecuredObjectAccessException(); + } + } + + @Before(value = "@annotation(dev.dnpm.security.PersonPoolSecured)") + public void beforePatient(JoinPoint jp) { + Arrays.stream(jp.getArgs()) + .filter(arg -> arg instanceof Patient) + .forEach(patient -> { + if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), patient, PermissionType.READ_WRITE)) { + logger.warn("Zugriff auf Patient blockiert: {}", ((Patient)patient).getId()); + throw new IllegalSecuredObjectAccessException(); + } + }); + } + + @Before(value = "@annotation(dev.dnpm.security.PersonPoolSecured)") + public void beforeProcedure(JoinPoint jp) { + Arrays.stream(jp.getArgs()) + .filter(arg -> arg instanceof Procedure) + .forEach(procedure -> { + if (! permissionEvaluator.hasPermission(SecurityContextHolder.getContext().getAuthentication(), procedure, PermissionType.READ_WRITE)) { + logger.warn("Zugriff auf Prozedur blockiert: {}", ((Procedure)procedure).getId()); + throw new IllegalSecuredObjectAccessException(); + } + }); + } + +} diff --git a/src/main/java/dev/dnpm/security/PersonPoolSecured.java b/src/main/java/dev/dnpm/security/PersonPoolSecured.java new file mode 100644 index 0000000..8a5709c --- /dev/null +++ b/src/main/java/dev/dnpm/security/PersonPoolSecured.java @@ -0,0 +1,14 @@ +package dev.dnpm.security; + +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +@Retention(RetentionPolicy.RUNTIME) +@Target(ElementType.METHOD) +public @interface PersonPoolSecured { + + PermissionType value() default PermissionType.READ_WRITE; + +} diff --git a/src/main/java/dev/dnpm/security/PersonPoolSecuredResult.java b/src/main/java/dev/dnpm/security/PersonPoolSecuredResult.java new file mode 100644 index 0000000..36e19da --- /dev/null +++ b/src/main/java/dev/dnpm/security/PersonPoolSecuredResult.java @@ -0,0 +1,14 @@ +package dev.dnpm.security; + +import java.lang.annotation.ElementType; +import java.lang.annotation.Retention; +import java.lang.annotation.RetentionPolicy; +import java.lang.annotation.Target; + +@Retention(RetentionPolicy.RUNTIME) +@Target(ElementType.METHOD) +public @interface PersonPoolSecuredResult { + + PermissionType value() default PermissionType.READ_WRITE; + +} diff --git a/src/main/java/dev/dnpm/security/SecurityService.java b/src/main/java/dev/dnpm/security/SecurityService.java new file mode 100644 index 0000000..ba80a9d --- /dev/null +++ b/src/main/java/dev/dnpm/security/SecurityService.java @@ -0,0 +1,60 @@ +package dev.dnpm.security; + +import org.springframework.jdbc.core.JdbcTemplate; +import org.springframework.security.core.Authentication; +import org.springframework.security.core.userdetails.UserDetails; +import org.springframework.stereotype.Service; + +import javax.sql.DataSource; +import java.util.List; + +/** + * Service mit Methoden zum Feststellen von sicherheitsrelevanten Informationen eines Benutzers + */ +@Service +public class SecurityService { + + private final JdbcTemplate jdbcTemplate; + + public SecurityService(final DataSource dataSource) { + this.jdbcTemplate = new JdbcTemplate(dataSource); + } + + List getPersonPoolIdsForPermission(Authentication authentication, PermissionType permissionType) { + var sql = "SELECT p.kennung FROM personenstamm_zugriff " + + " JOIN usergroup u ON personenstamm_zugriff.benutzergruppe_id = u.id " + + " JOIN akteur_usergroup au ON u.id = au.usergroup_id " + + " JOIN akteur a ON au.akteur_id = a.id " + + " JOIN personenstamm p on personenstamm_zugriff.personenstamm_id = p.id " + + " WHERE a.login = ? AND a.aktiv AND a.anmelden_moeglich "; + + if (PermissionType.READ_WRITE == permissionType) { + sql += " AND personenstamm_zugriff.bearbeiten "; + } + + var userDetails = (UserDetails)authentication.getPrincipal(); + + return jdbcTemplate + .query(sql, new Object[]{userDetails.getUsername()}, (rs, rowNum) -> rs.getString("kennung")); + } + + List getFormNamesForPermission(Authentication authentication, PermissionType permissionType) { + + var sql = "SELECT df.name FROM formular_usergroup_zugriff " + + " JOIN data_form df ON formular_usergroup_zugriff.formular_id = df.id " + + " JOIN usergroup u ON formular_usergroup_zugriff.usergroup_id = u.id " + + " JOIN akteur_usergroup au ON u.id = au.usergroup_id " + + " JOIN akteur a on au.akteur_id = a.id " + + " WHERE a.login = ? AND a.aktiv AND a.anmelden_moeglich "; + + if (PermissionType.READ_WRITE == permissionType) { + sql += " AND formular_usergroup_zugriff.bearbeiten "; + } + + var userDetails = (UserDetails)authentication.getPrincipal(); + + return jdbcTemplate + .query(sql, new Object[]{userDetails.getUsername()}, (rs, rowNum) -> rs.getString("name")); + } + +} -- cgit v1.2.3