From b92c0ddd35857e8a1e14dbe61a9e69cf942464da Mon Sep 17 00:00:00 2001
From: Josef Rokos <pepa@bukova.info>
Date: Thu, 28 Aug 2014 14:49:06 +0200
Subject: [PATCH] =?UTF-8?q?Refactor=20vyhodnocen=C3=AD=20p=C5=99=C3=ADstup?=
 =?UTF-8?q?ov=C3=BDch=20pr=C3=A1v.=20refs=20#129?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../bukova/isspst/security/Evaluator.java     | 10 +++
 .../isspst/security/EvaluatorsHolder.java     | 41 +++++++++++
 .../security/IsPermissionEvaluator.java       | 44 ++++++++++++
 .../security/IsspstPermissionEvaluator.java   |  3 +-
 .../security/RequirementFilterEvaluator.java  | 68 ++++++++++++++++++
 .../isspst/security/ServiceEvaluator.java     | 46 ++++++++++++
 .../WorkgroupAwareServiceEvaluator.java       | 71 +++++++++++++++++++
 .../webapp/WEB-INF/spring/root-context.xml    | 30 +++++++-
 8 files changed, 308 insertions(+), 5 deletions(-)
 create mode 100644 src/main/java/info/bukova/isspst/security/Evaluator.java
 create mode 100644 src/main/java/info/bukova/isspst/security/EvaluatorsHolder.java
 create mode 100644 src/main/java/info/bukova/isspst/security/IsPermissionEvaluator.java
 create mode 100644 src/main/java/info/bukova/isspst/security/RequirementFilterEvaluator.java
 create mode 100644 src/main/java/info/bukova/isspst/security/ServiceEvaluator.java
 create mode 100644 src/main/java/info/bukova/isspst/security/WorkgroupAwareServiceEvaluator.java

diff --git a/src/main/java/info/bukova/isspst/security/Evaluator.java b/src/main/java/info/bukova/isspst/security/Evaluator.java
new file mode 100644
index 00000000..f403cc8b
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/Evaluator.java
@@ -0,0 +1,10 @@
+package info.bukova.isspst.security;
+
+import org.springframework.security.core.Authentication;
+
+public interface Evaluator {
+	
+	public boolean evaluate(Authentication authentication,
+			Object targetDomainObject, String permission);
+
+}
diff --git a/src/main/java/info/bukova/isspst/security/EvaluatorsHolder.java b/src/main/java/info/bukova/isspst/security/EvaluatorsHolder.java
new file mode 100644
index 00000000..d5800b8c
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/EvaluatorsHolder.java
@@ -0,0 +1,41 @@
+package info.bukova.isspst.security;
+
+import java.util.Map;
+
+public class EvaluatorsHolder {
+
+	private Map<Class<?>, Evaluator> globalEvaluators;
+	private Map<Class<?>, Evaluator> specialEvaluators;
+
+	public void setGlobalEvaluators(Map<Class<?>, Evaluator> globalEvaluators) {
+		this.globalEvaluators = globalEvaluators;
+	}
+
+	public void setSpecialEvaluators(Map<Class<?>, Evaluator> specialEvaluators) {
+		this.specialEvaluators = specialEvaluators;
+	}
+	
+	public Evaluator getForObject(Object object, boolean special) {
+		Map<Class<?>, Evaluator> evals;
+		
+		if (special) {
+			evals = specialEvaluators;
+		} else {
+			evals = globalEvaluators;
+		}
+		
+		for (Class<?> key : evals.keySet()) {
+			if (key.equals(object.getClass())) {
+				return evals.get(key);
+			}
+		}
+		
+		for (Class<?> key : evals.keySet()) {
+			if (key.isAssignableFrom(object.getClass())) {
+				return evals.get(key);
+			}
+		}
+		
+		return null;
+	}
+}
diff --git a/src/main/java/info/bukova/isspst/security/IsPermissionEvaluator.java b/src/main/java/info/bukova/isspst/security/IsPermissionEvaluator.java
new file mode 100644
index 00000000..3454bf27
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/IsPermissionEvaluator.java
@@ -0,0 +1,44 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.Constants;
+import info.bukova.isspst.data.Permission;
+import info.bukova.isspst.data.PermissionType;
+
+import java.io.Serializable;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.core.Authentication;
+
+public class IsPermissionEvaluator implements PermissionEvaluator {
+	
+	@Autowired
+	private EvaluatorsHolder evalHolder;
+
+	@Override
+	public boolean hasPermission(Authentication authentication,
+			Object targetDomainObject, Object permission) {
+		
+		Permission appPermission = null;
+		for (Permission p : Constants.SPECIAL_PERMISSIONS) {
+			if (p.getAuthority().equals(permission)) {
+				appPermission = p;
+			}
+		}
+
+		Evaluator eval = evalHolder.getForObject(targetDomainObject, appPermission != null && appPermission.getType() != PermissionType.GLOBAL);
+		
+		if (eval != null) {
+			return eval.evaluate(authentication, targetDomainObject, (String)permission);
+		}
+		
+		return false;
+	}
+
+	@Override
+	public boolean hasPermission(Authentication authentication,
+			Serializable targetId, String targetType, Object permission) {
+		return false;
+	}
+
+}
diff --git a/src/main/java/info/bukova/isspst/security/IsspstPermissionEvaluator.java b/src/main/java/info/bukova/isspst/security/IsspstPermissionEvaluator.java
index 6b118cbd..5f37461a 100644
--- a/src/main/java/info/bukova/isspst/security/IsspstPermissionEvaluator.java
+++ b/src/main/java/info/bukova/isspst/security/IsspstPermissionEvaluator.java
@@ -17,9 +17,8 @@ import java.util.List;
 
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.core.Authentication;
-import org.springframework.transaction.annotation.Transactional;
 
-@Transactional
+@Deprecated
 public class IsspstPermissionEvaluator implements PermissionEvaluator {
 	
 	private WorkgroupService wgService;
diff --git a/src/main/java/info/bukova/isspst/security/RequirementFilterEvaluator.java b/src/main/java/info/bukova/isspst/security/RequirementFilterEvaluator.java
new file mode 100644
index 00000000..db70c8da
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/RequirementFilterEvaluator.java
@@ -0,0 +1,68 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.Constants;
+import info.bukova.isspst.data.Permission;
+import info.bukova.isspst.data.PermissionType;
+import info.bukova.isspst.data.RequirementBase;
+import info.bukova.isspst.data.Role;
+import info.bukova.isspst.data.User;
+import info.bukova.isspst.data.Workgroup;
+import info.bukova.isspst.services.workgroups.WorkgroupService;
+
+import java.util.List;
+
+import org.springframework.security.core.Authentication;
+
+public class RequirementFilterEvaluator implements Evaluator {
+	
+	private WorkgroupService wgService;
+	
+	public RequirementFilterEvaluator(WorkgroupService wgService) {
+		this.wgService = wgService;
+	}
+
+	@Override
+	public boolean evaluate(Authentication authentication,
+			Object targetDomainObject, String permission) {
+		
+		RequirementBase req = (RequirementBase) targetDomainObject;
+		Workgroup reqWg;
+		
+		if (!(authentication.getPrincipal() instanceof User)) {
+			return false;
+		}
+		
+		User user = (User)authentication.getPrincipal();
+		
+		Permission appPermission = null;
+		for (Permission p : Constants.SPECIAL_PERMISSIONS) {
+			if (p.getAuthority().equals(permission)) {
+				appPermission = p;
+			}
+		}
+		
+		if (appPermission == null) {
+			return false;
+		}
+		
+		if (appPermission.getType() == PermissionType.CENTRE) {
+			reqWg = req.getCentre();
+		} else {
+			reqWg = req.getWorkgroup();
+		}
+		
+		if (wgService.isMember(reqWg, user)) {
+			List<Role> roles = wgService.getUserWorkgroupRoles(reqWg, user);
+			for (Role r : roles) {
+				for (Permission p : r.getPermissions()) {
+					if (p.getAuthority().equals(appPermission.getAuthority())) {
+						return true;
+					}
+				}
+			}
+		}
+		
+		return false;
+	}
+
+}
diff --git a/src/main/java/info/bukova/isspst/security/ServiceEvaluator.java b/src/main/java/info/bukova/isspst/security/ServiceEvaluator.java
new file mode 100644
index 00000000..26545acf
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/ServiceEvaluator.java
@@ -0,0 +1,46 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.Constants;
+import info.bukova.isspst.Module;
+import info.bukova.isspst.data.Role;
+
+import java.util.List;
+
+import org.springframework.security.core.Authentication;
+
+public class ServiceEvaluator implements Evaluator {
+
+	@SuppressWarnings("unchecked")
+	@Override
+	public boolean evaluate(Authentication authentication,
+		Object targetDomainObject, String permission) {
+
+		List<Role> roles = (List<Role>) authentication.getAuthorities();
+		String moduleId = "";
+		String perm = permission;
+		
+		for (Module m : Constants.MODULES) {
+			if (m.getServiceClass() != null && m.getServiceClass().isAssignableFrom(targetDomainObject.getClass())) {
+				moduleId = m.getId();
+				break;
+			}
+		}
+		
+		perm += "_" + moduleId;
+		
+		for (int i = 0; i < roles.size(); i++) {
+			if (!(roles.get(i) instanceof Role)) {
+				return false;
+			}
+			if (roles.get(i).getAuthority().equals(perm)) {
+				return true;
+			}
+			if (roles.get(i).getAuthority().equals(Constants.ROLE_ADMIN)) {
+				return true;
+			}
+		}
+		
+		return false;
+	}
+
+}
diff --git a/src/main/java/info/bukova/isspst/security/WorkgroupAwareServiceEvaluator.java b/src/main/java/info/bukova/isspst/security/WorkgroupAwareServiceEvaluator.java
new file mode 100644
index 00000000..dacfee26
--- /dev/null
+++ b/src/main/java/info/bukova/isspst/security/WorkgroupAwareServiceEvaluator.java
@@ -0,0 +1,71 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.Constants;
+import info.bukova.isspst.data.Permission;
+import info.bukova.isspst.data.PermissionType;
+import info.bukova.isspst.data.Role;
+import info.bukova.isspst.data.User;
+import info.bukova.isspst.data.Workgroup;
+import info.bukova.isspst.services.workgroups.WorkgroupService;
+
+import java.util.List;
+
+import org.springframework.security.core.Authentication;
+
+public class WorkgroupAwareServiceEvaluator implements Evaluator {
+
+	private WorkgroupService wgService;
+	
+	public WorkgroupAwareServiceEvaluator(WorkgroupService wgService) {
+		this.wgService = wgService;
+	}
+	
+	@Override
+	public boolean evaluate(Authentication authentication,
+			Object targetDomainObject, String permission) {
+		
+		List<Workgroup> userWorkgroups;
+		
+		if (!(authentication.getPrincipal() instanceof User)) {
+			return false;
+		}
+		
+		User user = (User)authentication.getPrincipal();
+		
+		Permission appPermission = null;
+		for (Permission p : Constants.SPECIAL_PERMISSIONS) {
+			if (p.getAuthority().equals(permission)) {
+				appPermission = p;
+			}
+		}
+
+		if (appPermission == null) {
+			return false;
+		}
+		
+		if (appPermission.getType() == PermissionType.CENTRE) {
+			userWorkgroups = wgService.getUserCentres(user);
+		} else {
+			userWorkgroups = wgService.getUserWorkgroups(user);
+		}
+		
+		for (Workgroup wg : userWorkgroups) {
+			List<Role> wgRoles = wgService.getUserWorkgroupRoles(wg, user);
+			
+			if (wgRoles == null) {
+				continue;
+			}
+			
+			for (Role r : wgRoles) {
+				for (Permission p : r.getPermissions()) {
+					if (p.getAuthority().equals(appPermission.getAuthority())) {
+						return true;
+					}
+				}
+			}
+		}
+		
+		return false;
+	}
+
+}
diff --git a/src/main/webapp/WEB-INF/spring/root-context.xml b/src/main/webapp/WEB-INF/spring/root-context.xml
index 181e3060..66350175 100644
--- a/src/main/webapp/WEB-INF/spring/root-context.xml
+++ b/src/main/webapp/WEB-INF/spring/root-context.xml
@@ -75,8 +75,32 @@
 		<property name="permissionEvaluator" ref="permissionEvaluator" />
 	</bean>
 	
-	<bean id="permissionEvaluator" class="info.bukova.isspst.security.IsspstPermissionEvaluator">
-		<property name="workgroupService" ref="workgroupServiceNoTx"/>
+	<bean id="permissionEvaluator" class="info.bukova.isspst.security.IsPermissionEvaluator">
+		<!-- <property name="workgroupService" ref="workgroupServiceNoTx"/> -->
+	</bean>
+	
+	<bean id="serviceEval" class="info.bukova.isspst.security.ServiceEvaluator"/>
+	
+	<bean id="wgServiceEval" class="info.bukova.isspst.security.WorkgroupAwareServiceEvaluator">
+		<constructor-arg ref="workgroupServiceNoTx"/>
+	</bean>
+	
+	<bean id="requirementEval" class="info.bukova.isspst.security.RequirementFilterEvaluator">
+		<constructor-arg ref="workgroupServiceNoTx"/>
+	</bean>
+	
+	<bean id="evalHolder" class="info.bukova.isspst.security.EvaluatorsHolder">
+		<property name="globalEvaluators">
+			<map>
+				<entry key="#{T(info.bukova.isspst.services.Service)}" value-ref="serviceEval"/>
+			</map>
+		</property>
+		<property name="specialEvaluators">
+			<map>
+				<entry key="#{T(info.bukova.isspst.services.Service)}" value-ref="wgServiceEval"/>
+				<entry key="#{T(info.bukova.isspst.data.RequirementBase)}" value-ref="requirementEval"/>
+			</map>
+		</property>
 	</bean>
     
 	<security:http auto-config="true" use-expressions="true">
@@ -85,7 +109,7 @@
 		<security:intercept-url pattern="/admin/permissions/**" access="hasRole('PERM_READ_PERMISSIONS')"/>
 		<security:intercept-url pattern="/admin/addressbook/**" access="hasRole('PERM_READ_ADDRESSBOOK')"/>
 		<security:intercept-url pattern="/munits/**" access="hasRole('PERM_READ_MUNITS')"/>
-		<security:form-login login-page="/login-gmail.zhtml"
+		<security:form-login login-page="/login.zhtml"
 			authentication-failure-handler-ref="loginFail"
 			authentication-success-handler-ref="loginSuccess"/>
 		<security:http-basic/>