Refactor vyhodnocení přístupových práv.

refs #129

src/main/java/info/bukova/isspst/security/Evaluator.java

@@ -0,0 +1,10 @@
+package info.bukova.isspst.security;
+
+import org.springframework.security.core.Authentication;
+
+public interface Evaluator {
+	
+	public boolean evaluate(Authentication authentication,
+			Object targetDomainObject, String permission);
+
+}

src/main/java/info/bukova/isspst/security/EvaluatorsHolder.java

@@ -0,0 +1,41 @@
+package info.bukova.isspst.security;
+
+import java.util.Map;
+
+public class EvaluatorsHolder {
+
+	private Map<Class<?>, Evaluator> globalEvaluators;
+	private Map<Class<?>, Evaluator> specialEvaluators;
+
+	public void setGlobalEvaluators(Map<Class<?>, Evaluator> globalEvaluators) {
+		this.globalEvaluators = globalEvaluators;
+	}
+
+	public void setSpecialEvaluators(Map<Class<?>, Evaluator> specialEvaluators) {
+		this.specialEvaluators = specialEvaluators;
+	}
+	
+	public Evaluator getForObject(Object object, boolean special) {
+		Map<Class<?>, Evaluator> evals;
+		
+		if (special) {
+			evals = specialEvaluators;
+		} else {
+			evals = globalEvaluators;
+		}
+		
+		for (Class<?> key : evals.keySet()) {
+			if (key.equals(object.getClass())) {
+				return evals.get(key);
+			}
+		}
+		
+		for (Class<?> key : evals.keySet()) {
+			if (key.isAssignableFrom(object.getClass())) {
+				return evals.get(key);
+			}
+		}
+		
+		return null;
+	}
+}

src/main/java/info/bukova/isspst/security/IsPermissionEvaluator.java

@@ -0,0 +1,44 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.Constants;
+import info.bukova.isspst.data.Permission;
+import info.bukova.isspst.data.PermissionType;
+
+import java.io.Serializable;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.PermissionEvaluator;
+import org.springframework.security.core.Authentication;
+
+public class IsPermissionEvaluator implements PermissionEvaluator {
+	
+	@Autowired
+	private EvaluatorsHolder evalHolder;
+
+	@Override
+	public boolean hasPermission(Authentication authentication,
+			Object targetDomainObject, Object permission) {
+		
+		Permission appPermission = null;
+		for (Permission p : Constants.SPECIAL_PERMISSIONS) {
+			if (p.getAuthority().equals(permission)) {
+				appPermission = p;
+			}
+		}
+
+		Evaluator eval = evalHolder.getForObject(targetDomainObject, appPermission != null && appPermission.getType() != PermissionType.GLOBAL);
+		
+		if (eval != null) {
+			return eval.evaluate(authentication, targetDomainObject, (String)permission);
+		}
+		
+		return false;
+	}
+
+	@Override
+	public boolean hasPermission(Authentication authentication,
+			Serializable targetId, String targetType, Object permission) {
+		return false;
+	}
+
+}

src/main/java/info/bukova/isspst/security/IsspstPermissionEvaluator.java

@@ -17,9 +17,8 @@ import java.util.List;
 
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.core.Authentication;
-import org.springframework.transaction.annotation.Transactional;
 
-@Transactional
+@Deprecated
 public class IsspstPermissionEvaluator implements PermissionEvaluator {
 	
 	private WorkgroupService wgService;

src/main/java/info/bukova/isspst/security/RequirementFilterEvaluator.java

@@ -0,0 +1,68 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.Constants;
+import info.bukova.isspst.data.Permission;
+import info.bukova.isspst.data.PermissionType;
+import info.bukova.isspst.data.RequirementBase;
+import info.bukova.isspst.data.Role;
+import info.bukova.isspst.data.User;
+import info.bukova.isspst.data.Workgroup;
+import info.bukova.isspst.services.workgroups.WorkgroupService;
+
+import java.util.List;
+
+import org.springframework.security.core.Authentication;
+
+public class RequirementFilterEvaluator implements Evaluator {
+	
+	private WorkgroupService wgService;
+	
+	public RequirementFilterEvaluator(WorkgroupService wgService) {
+		this.wgService = wgService;
+	}
+
+	@Override
+	public boolean evaluate(Authentication authentication,
+			Object targetDomainObject, String permission) {
+		
+		RequirementBase req = (RequirementBase) targetDomainObject;
+		Workgroup reqWg;
+		
+		if (!(authentication.getPrincipal() instanceof User)) {
+			return false;
+		}
+		
+		User user = (User)authentication.getPrincipal();
+		
+		Permission appPermission = null;
+		for (Permission p : Constants.SPECIAL_PERMISSIONS) {
+			if (p.getAuthority().equals(permission)) {
+				appPermission = p;
+			}
+		}
+		
+		if (appPermission == null) {
+			return false;
+		}
+		
+		if (appPermission.getType() == PermissionType.CENTRE) {
+			reqWg = req.getCentre();
+		} else {
+			reqWg = req.getWorkgroup();
+		}
+		
+		if (wgService.isMember(reqWg, user)) {
+			List<Role> roles = wgService.getUserWorkgroupRoles(reqWg, user);
+			for (Role r : roles) {
+				for (Permission p : r.getPermissions()) {
+					if (p.getAuthority().equals(appPermission.getAuthority())) {
+						return true;
+					}
+				}
+			}
+		}
+		
+		return false;
+	}
+
+}

src/main/java/info/bukova/isspst/security/ServiceEvaluator.java

@@ -0,0 +1,46 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.Constants;
+import info.bukova.isspst.Module;
+import info.bukova.isspst.data.Role;
+
+import java.util.List;
+
+import org.springframework.security.core.Authentication;
+
+public class ServiceEvaluator implements Evaluator {
+
+	@SuppressWarnings("unchecked")
+	@Override
+	public boolean evaluate(Authentication authentication,
+		Object targetDomainObject, String permission) {
+
+		List<Role> roles = (List<Role>) authentication.getAuthorities();
+		String moduleId = "";
+		String perm = permission;
+		
+		for (Module m : Constants.MODULES) {
+			if (m.getServiceClass() != null && m.getServiceClass().isAssignableFrom(targetDomainObject.getClass())) {
+				moduleId = m.getId();
+				break;
+			}
+		}
+		
+		perm += "_" + moduleId;
+		
+		for (int i = 0; i < roles.size(); i++) {
+			if (!(roles.get(i) instanceof Role)) {
+				return false;
+			}
+			if (roles.get(i).getAuthority().equals(perm)) {
+				return true;
+			}
+			if (roles.get(i).getAuthority().equals(Constants.ROLE_ADMIN)) {
+				return true;
+			}
+		}
+		
+		return false;
+	}
+
+}

src/main/java/info/bukova/isspst/security/WorkgroupAwareServiceEvaluator.java

@@ -0,0 +1,71 @@
+package info.bukova.isspst.security;
+
+import info.bukova.isspst.Constants;
+import info.bukova.isspst.data.Permission;
+import info.bukova.isspst.data.PermissionType;
+import info.bukova.isspst.data.Role;
+import info.bukova.isspst.data.User;
+import info.bukova.isspst.data.Workgroup;
+import info.bukova.isspst.services.workgroups.WorkgroupService;
+
+import java.util.List;
+
+import org.springframework.security.core.Authentication;
+
+public class WorkgroupAwareServiceEvaluator implements Evaluator {
+
+	private WorkgroupService wgService;
+	
+	public WorkgroupAwareServiceEvaluator(WorkgroupService wgService) {
+		this.wgService = wgService;
+	}
+	
+	@Override
+	public boolean evaluate(Authentication authentication,
+			Object targetDomainObject, String permission) {
+		
+		List<Workgroup> userWorkgroups;
+		
+		if (!(authentication.getPrincipal() instanceof User)) {
+			return false;
+		}
+		
+		User user = (User)authentication.getPrincipal();
+		
+		Permission appPermission = null;
+		for (Permission p : Constants.SPECIAL_PERMISSIONS) {
+			if (p.getAuthority().equals(permission)) {
+				appPermission = p;
+			}
+		}
+
+		if (appPermission == null) {
+			return false;
+		}
+		
+		if (appPermission.getType() == PermissionType.CENTRE) {
+			userWorkgroups = wgService.getUserCentres(user);
+		} else {
+			userWorkgroups = wgService.getUserWorkgroups(user);
+		}
+		
+		for (Workgroup wg : userWorkgroups) {
+			List<Role> wgRoles = wgService.getUserWorkgroupRoles(wg, user);
+			
+			if (wgRoles == null) {
+				continue;
+			}
+			
+			for (Role r : wgRoles) {
+				for (Permission p : r.getPermissions()) {
+					if (p.getAuthority().equals(appPermission.getAuthority())) {
+						return true;
+					}
+				}
+			}
+		}
+		
+		return false;
+	}
+
+}

src/main/webapp/WEB-INF/spring/root-context.xml

@@ -75,8 +75,32 @@
 		<property name="permissionEvaluator" ref="permissionEvaluator" />
 	</bean>
 	
-	<bean id="permissionEvaluator" class="info.bukova.isspst.security.IsspstPermissionEvaluator">
+	<bean id="permissionEvaluator" class="info.bukova.isspst.security.IsPermissionEvaluator">
-		<property name="workgroupService" ref="workgroupServiceNoTx"/>
+		<!-- <property name="workgroupService" ref="workgroupServiceNoTx"/> -->
+	</bean>
+	
+	<bean id="serviceEval" class="info.bukova.isspst.security.ServiceEvaluator"/>
+	
+	<bean id="wgServiceEval" class="info.bukova.isspst.security.WorkgroupAwareServiceEvaluator">
+		<constructor-arg ref="workgroupServiceNoTx"/>
+	</bean>
+	
+	<bean id="requirementEval" class="info.bukova.isspst.security.RequirementFilterEvaluator">
+		<constructor-arg ref="workgroupServiceNoTx"/>
+	</bean>
+	
+	<bean id="evalHolder" class="info.bukova.isspst.security.EvaluatorsHolder">
+		<property name="globalEvaluators">
+			<map>
+				<entry key="#{T(info.bukova.isspst.services.Service)}" value-ref="serviceEval"/>
+			</map>
+		</property>
+		<property name="specialEvaluators">
+			<map>
+				<entry key="#{T(info.bukova.isspst.services.Service)}" value-ref="wgServiceEval"/>
+				<entry key="#{T(info.bukova.isspst.data.RequirementBase)}" value-ref="requirementEval"/>
+			</map>
+		</property>
 	</bean>
     
 	<security:http auto-config="true" use-expressions="true">
@@ -85,7 +109,7 @@
 		<security:intercept-url pattern="/admin/permissions/**" access="hasRole('PERM_READ_PERMISSIONS')"/>
 		<security:intercept-url pattern="/admin/addressbook/**" access="hasRole('PERM_READ_ADDRESSBOOK')"/>
 		<security:intercept-url pattern="/munits/**" access="hasRole('PERM_READ_MUNITS')"/>
-		<security:form-login login-page="/login-gmail.zhtml"
+		<security:form-login login-page="/login.zhtml"
 			authentication-failure-handler-ref="loginFail"
 			authentication-success-handler-ref="loginSuccess"/>
 		<security:http-basic/>