multi tenant changes
This commit is contained in:
parent
83b5ec5a80
commit
3e37c91035
|
@ -0,0 +1,9 @@
|
|||
package eu.eudat.authorization;
|
||||
|
||||
import org.springframework.boot.context.properties.EnableConfigurationProperties;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
|
||||
@Configuration("AppAuthorizationConfiguration")
|
||||
@EnableConfigurationProperties(AuthorizationProperties.class)
|
||||
public class AuthorizationConfiguration {
|
||||
}
|
|
@ -0,0 +1,31 @@
|
|||
package eu.eudat.authorization;
|
||||
|
||||
|
||||
import org.springframework.boot.context.properties.ConfigurationProperties;
|
||||
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
|
||||
@ConfigurationProperties(prefix = "authorization")
|
||||
public class AuthorizationProperties {
|
||||
|
||||
private List<String> allowedTenantRoles;
|
||||
|
||||
public List<String> getAllowedTenantRoles() {
|
||||
return allowedTenantRoles;
|
||||
}
|
||||
|
||||
public void setAllowedTenantRoles(List<String> allowedTenantRoles) {
|
||||
this.allowedTenantRoles = allowedTenantRoles;
|
||||
}
|
||||
|
||||
private List<String> allowedGlobalRoles;
|
||||
|
||||
public List<String> getAllowedGlobalRoles() {
|
||||
return allowedGlobalRoles;
|
||||
}
|
||||
|
||||
public void setAllowedGlobalRoles(List<String> allowedGlobalRoles) {
|
||||
this.allowedGlobalRoles = allowedGlobalRoles;
|
||||
}
|
||||
}
|
|
@ -2,4 +2,8 @@ package eu.eudat.authorization;
|
|||
|
||||
public class ClaimNames {
|
||||
public static final String ExternalProviderName = "ExternalProviderName";
|
||||
public static final String TenantCodesClaimName = "TenantCodes";
|
||||
public static final String TenantClaimName = "x-tenant";
|
||||
public static final String GlobalRolesClaimName = "GlobalRoles";
|
||||
public static final String TenantRolesClaimName = "TenantRoles";
|
||||
}
|
||||
|
|
|
@ -16,9 +16,6 @@ import java.util.concurrent.atomic.AtomicReference;
|
|||
@RequestScope
|
||||
public class TenantScope {
|
||||
public static final String TenantReplaceParameter = "::TenantCode::";
|
||||
public static final String TenantCodesClaimName = "TenantCodes";
|
||||
public static final String TenantClaimName = "x-tenant";
|
||||
|
||||
private final MultitenancyProperties multitenancy;
|
||||
private final AtomicReference<UUID> tenant = new AtomicReference<>();
|
||||
private final AtomicReference<String> tenantCode = new AtomicReference<>();
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package eu.eudat.controllers;
|
||||
|
||||
import eu.eudat.audit.AuditableAction;
|
||||
import eu.eudat.authorization.ClaimNames;
|
||||
import eu.eudat.commons.scope.tenant.TenantScope;
|
||||
import eu.eudat.models.Account;
|
||||
import eu.eudat.models.AccountBuilder;
|
||||
|
@ -83,7 +84,7 @@ public class PrincipalController {
|
|||
logger.debug("my-tenants");
|
||||
|
||||
MyPrincipal principal = this.currentPrincipalResolver.currentPrincipal();
|
||||
List<String> tenants = this.claimExtractor.asStrings(principal, TenantScope.TenantCodesClaimName);
|
||||
List<String> tenants = this.claimExtractor.asStrings(principal, ClaimNames.TenantCodesClaimName);
|
||||
|
||||
this.auditService.track(AuditableAction.Principal_MyTenants);
|
||||
//auditService.trackIdentity(AuditableAction.IdentityTracking_Action);
|
||||
|
|
|
@ -1,15 +1,20 @@
|
|||
package eu.eudat.interceptors.tenant;
|
||||
|
||||
|
||||
import eu.eudat.authorization.AuthorizationProperties;
|
||||
import eu.eudat.authorization.ClaimNames;
|
||||
import eu.eudat.authorization.Permission;
|
||||
import eu.eudat.commons.enums.IsActive;
|
||||
import eu.eudat.commons.lock.LockByKeyManager;
|
||||
import eu.eudat.commons.scope.tenant.TenantScope;
|
||||
import eu.eudat.commons.scope.user.UserScope;
|
||||
import eu.eudat.convention.ConventionService;
|
||||
import eu.eudat.data.TenantUserEntity;
|
||||
import eu.eudat.data.UserEntity;
|
||||
import eu.eudat.data.UserRoleEntity;
|
||||
import eu.eudat.data.tenant.TenantScopedBaseEntity;
|
||||
import eu.eudat.errorcode.ErrorThesaurusProperties;
|
||||
import eu.eudat.integrationevent.outbox.usertouched.UserTouchedIntegrationEventHandler;
|
||||
import eu.eudat.query.utils.BuildSubQueryInput;
|
||||
import eu.eudat.query.utils.QueryUtilsService;
|
||||
import gr.cite.commons.web.authz.service.AuthorizationService;
|
||||
|
@ -19,7 +24,6 @@ import gr.cite.tools.exception.MyForbiddenException;
|
|||
import gr.cite.tools.logging.LoggerService;
|
||||
import jakarta.persistence.EntityManager;
|
||||
import jakarta.persistence.PersistenceContext;
|
||||
import jakarta.persistence.Tuple;
|
||||
import jakarta.persistence.criteria.CriteriaBuilder;
|
||||
import jakarta.persistence.criteria.CriteriaQuery;
|
||||
import jakarta.persistence.criteria.Root;
|
||||
|
@ -41,6 +45,7 @@ import org.springframework.web.context.request.WebRequestInterceptor;
|
|||
|
||||
import javax.management.InvalidApplicationException;
|
||||
import java.time.Instant;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
import java.util.UUID;
|
||||
|
@ -61,6 +66,9 @@ public class TenantInterceptor implements WebRequestInterceptor {
|
|||
private final ErrorThesaurusProperties errors;
|
||||
private final QueryUtilsService queryUtilsService;
|
||||
private final LockByKeyManager lockByKeyManager;
|
||||
private final ConventionService conventionService;
|
||||
private final UserTouchedIntegrationEventHandler userTouchedIntegrationEventHandler;
|
||||
private final AuthorizationProperties authorizationProperties;
|
||||
@PersistenceContext
|
||||
public EntityManager entityManager;
|
||||
|
||||
|
@ -74,7 +82,7 @@ public class TenantInterceptor implements WebRequestInterceptor {
|
|||
TenantScopeProperties tenantScopeProperties,
|
||||
UserAllowedTenantCacheService userAllowedTenantCacheService,
|
||||
PlatformTransactionManager transactionManager,
|
||||
ErrorThesaurusProperties errors, QueryUtilsService queryUtilsService, LockByKeyManager lockByKeyManager) {
|
||||
ErrorThesaurusProperties errors, QueryUtilsService queryUtilsService, LockByKeyManager lockByKeyManager, ConventionService conventionService, UserTouchedIntegrationEventHandler userTouchedIntegrationEventHandler, AuthorizationProperties authorizationProperties) {
|
||||
this.tenantScope = tenantScope;
|
||||
this.userScope = userScope;
|
||||
this.currentPrincipalResolver = currentPrincipalResolver;
|
||||
|
@ -86,6 +94,9 @@ public class TenantInterceptor implements WebRequestInterceptor {
|
|||
this.errors = errors;
|
||||
this.queryUtilsService = queryUtilsService;
|
||||
this.lockByKeyManager = lockByKeyManager;
|
||||
this.conventionService = conventionService;
|
||||
this.userTouchedIntegrationEventHandler = userTouchedIntegrationEventHandler;
|
||||
this.authorizationProperties = authorizationProperties;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -95,7 +106,7 @@ public class TenantInterceptor implements WebRequestInterceptor {
|
|||
|
||||
boolean isAllowedNoTenant = this.applicationContext.getBean(AuthorizationService.class).authorize(Permission.AllowNoTenant);
|
||||
if (tenantScope.isSet() && this.entityManager != null) {
|
||||
List<String> currentPrincipalTenantCodes = this.claimExtractor.asStrings(this.currentPrincipalResolver.currentPrincipal(), TenantScope.TenantCodesClaimName);
|
||||
List<String> currentPrincipalTenantCodes = this.claimExtractor.asStrings(this.currentPrincipalResolver.currentPrincipal(), ClaimNames.TenantCodesClaimName);
|
||||
if ((currentPrincipalTenantCodes == null || !currentPrincipalTenantCodes.contains(tenantScope.getTenantCode())) && !isAllowedNoTenant) {
|
||||
logger.warn("tenant not allowed {}", this.tenantScope.getTenant());
|
||||
throw new MyForbiddenException(this.errors.getTenantNotAllowed().getCode(), this.errors.getTenantNotAllowed().getMessage());
|
||||
|
@ -133,6 +144,8 @@ public class TenantInterceptor implements WebRequestInterceptor {
|
|||
throw new MyForbiddenException(this.errors.getTenantNotAllowed().getCode(), this.errors.getTenantNotAllowed().getMessage());
|
||||
}
|
||||
}
|
||||
|
||||
this.syncUserWithClaims();
|
||||
} else {
|
||||
if (!isAllowedNoTenant) {
|
||||
if (!this.isWhiteListedEndpoint(request)) {
|
||||
|
@ -163,7 +176,7 @@ public class TenantInterceptor implements WebRequestInterceptor {
|
|||
if (this.tenantScopeProperties.getAutoCreateTenantUser()) usedResource = this.lockByKeyManager.tryLock(lockId, 5000, TimeUnit.MILLISECONDS);
|
||||
|
||||
CriteriaBuilder criteriaBuilder = this.entityManager.getCriteriaBuilder();
|
||||
CriteriaQuery<Tuple> query = criteriaBuilder.createQuery(Tuple.class);
|
||||
CriteriaQuery<UserEntity> query = criteriaBuilder.createQuery(UserEntity.class);
|
||||
Root<UserEntity> root = query.from(UserEntity.class);
|
||||
query.where(criteriaBuilder.and(
|
||||
criteriaBuilder.equal(root.get(UserEntity._isActive), IsActive.Active),
|
||||
|
@ -188,7 +201,7 @@ public class TenantInterceptor implements WebRequestInterceptor {
|
|||
)
|
||||
));
|
||||
query.multiselect(root.get(UserEntity._id).alias(UserEntity._id));
|
||||
List<Tuple> results = this.entityManager.createQuery(query).getResultList();
|
||||
List<UserEntity> results = this.entityManager.createQuery(query).getResultList();
|
||||
if (results.isEmpty() && this.tenantScopeProperties.getAutoCreateTenantUser()) {
|
||||
return this.createTenantUser();
|
||||
} else {
|
||||
|
@ -210,7 +223,6 @@ public class TenantInterceptor implements WebRequestInterceptor {
|
|||
user.setIsActive(IsActive.Active);
|
||||
user.setTenantId(this.tenantScope.getTenant());
|
||||
user.setUserId(userScope.getUserId());
|
||||
|
||||
|
||||
|
||||
DefaultTransactionDefinition definition = new DefaultTransactionDefinition();
|
||||
|
@ -227,9 +239,122 @@ public class TenantInterceptor implements WebRequestInterceptor {
|
|||
if (status != null) transactionManager.rollback(status);
|
||||
throw ex;
|
||||
}
|
||||
this.userTouchedIntegrationEventHandler.handle(this.userScope.getUserId());
|
||||
return true;
|
||||
}
|
||||
|
||||
private void syncUserWithClaims() throws InvalidApplicationException, InterruptedException {
|
||||
boolean usedResource = false;
|
||||
String lockId = userScope.getUserId().toString().toLowerCase(Locale.ROOT);
|
||||
boolean hasChanges = false;
|
||||
try {
|
||||
usedResource = this.lockByKeyManager.tryLock(lockId, 5000, TimeUnit.MILLISECONDS);
|
||||
|
||||
DefaultTransactionDefinition definition = new DefaultTransactionDefinition();
|
||||
definition.setName(UUID.randomUUID().toString());
|
||||
definition.setIsolationLevel(TransactionDefinition.ISOLATION_READ_COMMITTED);
|
||||
definition.setPropagationBehavior(TransactionDefinition.PROPAGATION_REQUIRED);
|
||||
TransactionStatus status = null;
|
||||
try {
|
||||
status = transactionManager.getTransaction(definition);
|
||||
|
||||
List<String> existingUserRoles = this.collectUserRoles();
|
||||
if (!this.userRolesSynced(existingUserRoles)) {
|
||||
this.syncRoles();
|
||||
hasChanges = true;
|
||||
}
|
||||
|
||||
this.entityManager.flush();
|
||||
transactionManager.commit(status);
|
||||
} catch (Exception ex) {
|
||||
if (status != null) transactionManager.rollback(status);
|
||||
throw ex;
|
||||
}
|
||||
} finally {
|
||||
if (usedResource) this.lockByKeyManager.unlock(lockId);
|
||||
}
|
||||
if (hasChanges){
|
||||
this.userTouchedIntegrationEventHandler.handle(this.userScope.getUserId());
|
||||
}
|
||||
}
|
||||
|
||||
private List<String> getRolesFromClaims() {
|
||||
List<String> claimsRoles = this.claimExtractor.asStrings(currentPrincipalResolver.currentPrincipal(), ClaimNames.TenantRolesClaimName);
|
||||
if (claimsRoles == null) claimsRoles = new ArrayList<>();
|
||||
claimsRoles = claimsRoles.stream().filter(x -> x != null && !x.isBlank() && (this.conventionService.isListNullOrEmpty(this.authorizationProperties.getAllowedTenantRoles()) || this.authorizationProperties.getAllowedTenantRoles().contains(x))).distinct().toList();
|
||||
return claimsRoles;
|
||||
}
|
||||
|
||||
private List<String> collectUserRoles() throws InvalidApplicationException {
|
||||
CriteriaBuilder criteriaBuilder = this.entityManager.getCriteriaBuilder();
|
||||
CriteriaQuery<UserRoleEntity> query = criteriaBuilder.createQuery(UserRoleEntity.class);
|
||||
Root<UserRoleEntity> root = query.from(UserRoleEntity.class);
|
||||
|
||||
CriteriaBuilder.In<String> inRolesClause = criteriaBuilder.in(root.get(UserRoleEntity._role));
|
||||
for (String item : this.authorizationProperties.getAllowedTenantRoles()) inRolesClause.value(item);
|
||||
|
||||
query.where(criteriaBuilder.and(
|
||||
criteriaBuilder.equal(root.get(UserRoleEntity._userId), userScope.getUserId()),
|
||||
this.conventionService.isListNullOrEmpty(this.authorizationProperties.getAllowedTenantRoles()) ? criteriaBuilder.isNotNull(root.get(UserRoleEntity._role)) : inRolesClause,
|
||||
this.tenantScope.isDefaultTenant() ? criteriaBuilder.isNull(root.get(UserRoleEntity._tenantId)) : criteriaBuilder.equal(root.get(UserRoleEntity._tenantId), this.tenantScope.getTenant())
|
||||
)).multiselect(root.get(UserRoleEntity._role).alias(UserRoleEntity._role));
|
||||
List<UserRoleEntity> results = this.entityManager.createQuery(query).getResultList();
|
||||
|
||||
return results.stream().map(UserRoleEntity::getRole).toList();
|
||||
}
|
||||
|
||||
private boolean userRolesSynced(List<String> existingUserRoles) {
|
||||
List<String> claimsRoles = this.getRolesFromClaims();
|
||||
if (existingUserRoles == null) existingUserRoles = new ArrayList<>();
|
||||
existingUserRoles = existingUserRoles.stream().filter(x -> x != null && !x.isBlank()).distinct().toList();
|
||||
if (claimsRoles.size() != existingUserRoles.size()) return false;
|
||||
|
||||
for (String claim : claimsRoles) {
|
||||
if (existingUserRoles.stream().noneMatch(claim::equalsIgnoreCase)) return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private void syncRoles() throws InvalidApplicationException {
|
||||
CriteriaBuilder criteriaBuilder = this.entityManager.getCriteriaBuilder();
|
||||
CriteriaQuery<UserRoleEntity> query = criteriaBuilder.createQuery(UserRoleEntity.class);
|
||||
Root<UserRoleEntity> root = query.from(UserRoleEntity.class);
|
||||
|
||||
CriteriaBuilder.In<String> inRolesClause = criteriaBuilder.in(root.get(UserRoleEntity._role));
|
||||
for (String item : this.authorizationProperties.getAllowedTenantRoles()) inRolesClause.value(item);
|
||||
query.where(criteriaBuilder.and(
|
||||
criteriaBuilder.equal(root.get(UserRoleEntity._userId), userScope.getUserId()),
|
||||
this.conventionService.isListNullOrEmpty(this.authorizationProperties.getAllowedTenantRoles()) ? criteriaBuilder.isNotNull(root.get(UserRoleEntity._role)) : inRolesClause,
|
||||
this.tenantScope.isDefaultTenant() ? criteriaBuilder.isNull(root.get(UserRoleEntity._tenantId)) : criteriaBuilder.equal(root.get(UserRoleEntity._tenantId), this.tenantScope.getTenant())
|
||||
));
|
||||
List<UserRoleEntity> existingUserRoles = this.entityManager.createQuery(query).getResultList();
|
||||
|
||||
List<UUID> foundRoles = new ArrayList<>();
|
||||
for (String claimRole : this.getRolesFromClaims()) {
|
||||
UserRoleEntity roleEntity = existingUserRoles.stream().filter(x -> x.getRole().equals(claimRole)).findFirst().orElse(null);
|
||||
if (roleEntity == null) {
|
||||
roleEntity = this.buildRole(claimRole);
|
||||
this.entityManager.persist(roleEntity);
|
||||
}
|
||||
foundRoles.add(roleEntity.getId());
|
||||
}
|
||||
for (UserRoleEntity existing : existingUserRoles) {
|
||||
if (!foundRoles.contains(existing.getId())) {
|
||||
this.entityManager.remove(existing);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private UserRoleEntity buildRole(String role) throws InvalidApplicationException {
|
||||
UserRoleEntity data = new UserRoleEntity();
|
||||
data.setId(UUID.randomUUID());
|
||||
data.setUserId( userScope.getUserId());
|
||||
data.setRole(role);
|
||||
if (this.tenantScope.isDefaultTenant()) data.setTenantId(this.tenantScope.getTenant());
|
||||
data.setCreatedAt(Instant.now());
|
||||
return data;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void postHandle(@NonNull WebRequest request, ModelMap model) {
|
||||
this.tenantScope.setTenant(null, null);
|
||||
|
|
|
@ -1,10 +1,12 @@
|
|||
package eu.eudat.interceptors.tenant;
|
||||
|
||||
|
||||
import eu.eudat.authorization.ClaimNames;
|
||||
import eu.eudat.commons.enums.IsActive;
|
||||
import eu.eudat.commons.scope.tenant.TenantScope;
|
||||
import eu.eudat.convention.ConventionService;
|
||||
import eu.eudat.data.TenantEntity;
|
||||
import eu.eudat.data.UserEntity;
|
||||
import eu.eudat.errorcode.ErrorThesaurusProperties;
|
||||
import gr.cite.commons.web.oidc.principal.CurrentPrincipalResolver;
|
||||
import gr.cite.commons.web.oidc.principal.MyPrincipal;
|
||||
|
@ -68,7 +70,7 @@ public class TenantScopeClaimInterceptor implements WebRequestInterceptor {
|
|||
this.claimExtractorContext = claimExtractorContext;
|
||||
this.tenantByCodeCacheService = tenantByCodeCacheService;
|
||||
this.tenantByIdCacheService = tenantByIdCacheService;
|
||||
this.clientTenantClaimName = this.tenantScopeProperties.getClientClaimsPrefix() + TenantScope.TenantClaimName;
|
||||
this.clientTenantClaimName = this.tenantScopeProperties.getClientClaimsPrefix() + ClaimNames.TenantClaimName;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -140,7 +142,7 @@ public class TenantScopeClaimInterceptor implements WebRequestInterceptor {
|
|||
|
||||
private UUID getTenantIdFromDatabase(String tenantCode) {
|
||||
CriteriaBuilder criteriaBuilder = this.entityManager.getCriteriaBuilder();
|
||||
CriteriaQuery<Tuple> query = criteriaBuilder.createQuery(Tuple.class);
|
||||
CriteriaQuery<UserEntity> query = criteriaBuilder.createQuery(UserEntity.class);
|
||||
Root<TenantEntity> root = query.from(TenantEntity.class);
|
||||
query = query.where(
|
||||
criteriaBuilder.and(
|
||||
|
@ -148,27 +150,16 @@ public class TenantScopeClaimInterceptor implements WebRequestInterceptor {
|
|||
criteriaBuilder.equal(root.get(TenantEntity._isActive), IsActive.Active)
|
||||
)
|
||||
).multiselect(root.get(TenantEntity._id).alias(TenantEntity._id));
|
||||
List<Tuple> results = this.entityManager.createQuery(query).getResultList();
|
||||
List<UserEntity> results = this.entityManager.createQuery(query).getResultList();
|
||||
if (results.size() == 1) {
|
||||
Object o;
|
||||
try {
|
||||
o = results.getFirst().get(TenantEntity._id);
|
||||
} catch (IllegalArgumentException e) {
|
||||
return null;
|
||||
}
|
||||
if (o == null) return null;
|
||||
try {
|
||||
return (UUID) o;
|
||||
} catch (ClassCastException e) {
|
||||
return null;
|
||||
}
|
||||
return results.getFirst().getId();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
private String getTenantCodeFromDatabase(UUID tenantId) {
|
||||
CriteriaBuilder criteriaBuilder = this.entityManager.getCriteriaBuilder();
|
||||
CriteriaQuery<Tuple> query = criteriaBuilder.createQuery(Tuple.class);
|
||||
CriteriaQuery<TenantEntity> query = criteriaBuilder.createQuery(TenantEntity.class);
|
||||
Root<TenantEntity> root = query.from(TenantEntity.class);
|
||||
query = query.where(
|
||||
criteriaBuilder.and(
|
||||
|
@ -176,20 +167,9 @@ public class TenantScopeClaimInterceptor implements WebRequestInterceptor {
|
|||
criteriaBuilder.equal(root.get(TenantEntity._isActive), IsActive.Active)
|
||||
)
|
||||
).multiselect(root.get(TenantEntity._code).alias(TenantEntity._code));
|
||||
List<Tuple> results = this.entityManager.createQuery(query).getResultList();
|
||||
List<TenantEntity> results = this.entityManager.createQuery(query).getResultList();
|
||||
if (results.size() == 1) {
|
||||
Object o;
|
||||
try {
|
||||
o = results.getFirst().get(TenantEntity._code);
|
||||
} catch (IllegalArgumentException e) {
|
||||
return null;
|
||||
}
|
||||
if (o == null) return null;
|
||||
try {
|
||||
return (String) o;
|
||||
} catch (ClassCastException e) {
|
||||
return null;
|
||||
}
|
||||
return results.getFirst().getCode();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package eu.eudat.interceptors.tenant;
|
||||
|
||||
|
||||
import eu.eudat.authorization.ClaimNames;
|
||||
import eu.eudat.commons.enums.IsActive;
|
||||
import eu.eudat.commons.scope.tenant.TenantScope;
|
||||
import eu.eudat.convention.ConventionService;
|
||||
|
@ -60,7 +61,7 @@ public class TenantScopeHeaderInterceptor implements WebRequestInterceptor {
|
|||
if (!this.currentPrincipalResolver.currentPrincipal().isAuthenticated()) return;
|
||||
if (!this.tenantScope.isMultitenant()) return;
|
||||
|
||||
String tenantCode = request.getHeader(TenantScope.TenantClaimName);
|
||||
String tenantCode = request.getHeader(ClaimNames.TenantClaimName);
|
||||
logger.debug("retrieved request tenant header is: {}", tenantCode);
|
||||
if (tenantCode == null || this.conventionService.isNullOrEmpty(tenantCode)) return;
|
||||
|
||||
|
@ -101,7 +102,7 @@ public class TenantScopeHeaderInterceptor implements WebRequestInterceptor {
|
|||
|
||||
private UUID getTenantIdFromDatabase(String tenantCode) {
|
||||
CriteriaBuilder criteriaBuilder = this.entityManager.getCriteriaBuilder();
|
||||
CriteriaQuery<Tuple> query = criteriaBuilder.createQuery(Tuple.class);
|
||||
CriteriaQuery<TenantEntity> query = criteriaBuilder.createQuery(TenantEntity.class);
|
||||
Root<TenantEntity> root = query.from(TenantEntity.class);
|
||||
query = query.where(
|
||||
criteriaBuilder.and(
|
||||
|
@ -109,27 +110,16 @@ public class TenantScopeHeaderInterceptor implements WebRequestInterceptor {
|
|||
criteriaBuilder.equal(root.get(TenantEntity._isActive), IsActive.Active)
|
||||
)
|
||||
).multiselect(root.get(TenantEntity._id).alias(TenantEntity._id));
|
||||
List<Tuple> results = this.entityManager.createQuery(query).getResultList();
|
||||
List<TenantEntity> results = this.entityManager.createQuery(query).getResultList();
|
||||
if (results.size() == 1) {
|
||||
Object o;
|
||||
try {
|
||||
o = results.getFirst().get(TenantEntity._id);
|
||||
} catch (IllegalArgumentException e) {
|
||||
return null;
|
||||
}
|
||||
if (o == null) return null;
|
||||
try {
|
||||
return (UUID) o;
|
||||
} catch (ClassCastException e) {
|
||||
return null;
|
||||
}
|
||||
return results.getFirst().getId();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
private String getTenantCodeFromDatabase(UUID tenantId) {
|
||||
CriteriaBuilder criteriaBuilder = this.entityManager.getCriteriaBuilder();
|
||||
CriteriaQuery<Tuple> query = criteriaBuilder.createQuery(Tuple.class);
|
||||
CriteriaQuery<TenantEntity> query = criteriaBuilder.createQuery(TenantEntity.class);
|
||||
Root<TenantEntity> root = query.from(TenantEntity.class);
|
||||
query = query.where(
|
||||
criteriaBuilder.and(
|
||||
|
@ -137,20 +127,9 @@ public class TenantScopeHeaderInterceptor implements WebRequestInterceptor {
|
|||
criteriaBuilder.equal(root.get(TenantEntity._isActive), IsActive.Active)
|
||||
)
|
||||
).multiselect(root.get(TenantEntity._code).alias(TenantEntity._code));
|
||||
List<Tuple> results = this.entityManager.createQuery(query).getResultList();
|
||||
List<TenantEntity> results = this.entityManager.createQuery(query).getResultList();
|
||||
if (results.size() == 1) {
|
||||
Object o;
|
||||
try {
|
||||
o = results.getFirst().get(TenantEntity._code);
|
||||
} catch (IllegalArgumentException e) {
|
||||
return null;
|
||||
}
|
||||
if (o == null) return null;
|
||||
try {
|
||||
return (String) o;
|
||||
} catch (ClassCastException e) {
|
||||
return null;
|
||||
}
|
||||
return results.getFirst().getCode();
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package eu.eudat.interceptors.user;
|
||||
|
||||
|
||||
import eu.eudat.authorization.AuthorizationProperties;
|
||||
import eu.eudat.authorization.ClaimNames;
|
||||
import eu.eudat.commons.JsonHandlingService;
|
||||
import eu.eudat.commons.enums.ContactInfoType;
|
||||
|
@ -10,17 +11,13 @@ import eu.eudat.commons.scope.user.UserScope;
|
|||
import eu.eudat.commons.types.user.AdditionalInfoEntity;
|
||||
import eu.eudat.commons.types.usercredential.UserCredentialDataEntity;
|
||||
import eu.eudat.commons.locale.LocaleProperties;
|
||||
import eu.eudat.data.UserContactInfoEntity;
|
||||
import eu.eudat.data.UserCredentialEntity;
|
||||
import eu.eudat.data.UserEntity;
|
||||
import eu.eudat.data.UserRoleEntity;
|
||||
import eu.eudat.convention.ConventionService;
|
||||
import eu.eudat.data.*;
|
||||
import eu.eudat.integrationevent.outbox.usertouched.UserTouchedIntegrationEventHandler;
|
||||
import eu.eudat.model.UserContactInfo;
|
||||
import eu.eudat.model.UserCredential;
|
||||
import eu.eudat.model.UserRole;
|
||||
import eu.eudat.query.UserContactInfoQuery;
|
||||
import eu.eudat.query.UserCredentialQuery;
|
||||
import eu.eudat.query.UserRoleQuery;
|
||||
import gr.cite.commons.web.oidc.principal.CurrentPrincipalResolver;
|
||||
import gr.cite.commons.web.oidc.principal.extractor.ClaimExtractor;
|
||||
import gr.cite.tools.data.query.QueryFactory;
|
||||
|
@ -29,6 +26,10 @@ import gr.cite.tools.fieldset.BaseFieldSet;
|
|||
import gr.cite.tools.logging.LoggerService;
|
||||
import jakarta.persistence.EntityManager;
|
||||
import jakarta.persistence.PersistenceContext;
|
||||
import jakarta.persistence.Tuple;
|
||||
import jakarta.persistence.criteria.CriteriaBuilder;
|
||||
import jakarta.persistence.criteria.CriteriaQuery;
|
||||
import jakarta.persistence.criteria.Root;
|
||||
import org.apache.commons.validator.routines.EmailValidator;
|
||||
import org.slf4j.LoggerFactory;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
|
@ -61,6 +62,8 @@ public class UserInterceptor implements WebRequestInterceptor {
|
|||
private final LockByKeyManager lockByKeyManager;
|
||||
private final LocaleProperties localeProperties;
|
||||
private final UserTouchedIntegrationEventHandler userTouchedIntegrationEventHandler;
|
||||
private final AuthorizationProperties authorizationProperties;
|
||||
private final ConventionService conventionService;
|
||||
@PersistenceContext
|
||||
public EntityManager entityManager;
|
||||
|
||||
|
@ -74,7 +77,7 @@ public class UserInterceptor implements WebRequestInterceptor {
|
|||
JsonHandlingService jsonHandlingService,
|
||||
QueryFactory queryFactory,
|
||||
LockByKeyManager lockByKeyManager,
|
||||
LocaleProperties localeProperties, UserTouchedIntegrationEventHandler userTouchedIntegrationEventHandler) {
|
||||
LocaleProperties localeProperties, UserTouchedIntegrationEventHandler userTouchedIntegrationEventHandler, AuthorizationProperties authorizationProperties, ConventionService conventionService) {
|
||||
this.userScope = userScope;
|
||||
this.currentPrincipalResolver = currentPrincipalResolver;
|
||||
this.claimExtractor = claimExtractor;
|
||||
|
@ -85,6 +88,8 @@ public class UserInterceptor implements WebRequestInterceptor {
|
|||
this.lockByKeyManager = lockByKeyManager;
|
||||
this.localeProperties = localeProperties;
|
||||
this.userTouchedIntegrationEventHandler = userTouchedIntegrationEventHandler;
|
||||
this.authorizationProperties = authorizationProperties;
|
||||
this.conventionService = conventionService;
|
||||
}
|
||||
|
||||
@Override
|
||||
|
@ -173,11 +178,11 @@ public class UserInterceptor implements WebRequestInterceptor {
|
|||
}
|
||||
}
|
||||
|
||||
// List<String> existingUserRoles = this.collectUserRoles(userId);
|
||||
// if (!this.userRolesSynced(existingUserRoles)) {
|
||||
// this.syncRoles(userId);
|
||||
// hasChanges = true;
|
||||
// }
|
||||
List<String> existingUserRoles = this.collectUserRoles(userId);
|
||||
if (!this.userRolesSynced(existingUserRoles)) {
|
||||
this.syncRoles(userId);
|
||||
hasChanges = true;
|
||||
}
|
||||
|
||||
UserCredentialEntity userCredential = this.queryFactory.query(UserCredentialQuery.class).externalIds(subjectId).first();
|
||||
if (userCredential == null) {
|
||||
|
@ -230,14 +235,27 @@ public class UserInterceptor implements WebRequestInterceptor {
|
|||
}
|
||||
|
||||
private List<String> getRolesFromClaims() {
|
||||
List<String> claimsRoles = claimExtractor.roles(currentPrincipalResolver.currentPrincipal());
|
||||
List<String> claimsRoles = this.claimExtractor.asStrings(currentPrincipalResolver.currentPrincipal(), ClaimNames.GlobalRolesClaimName);
|
||||
if (claimsRoles == null) claimsRoles = new ArrayList<>();
|
||||
claimsRoles = claimsRoles.stream().filter(x -> x != null && !x.isBlank() && (this.conventionService.isListNullOrEmpty(this.authorizationProperties.getAllowedGlobalRoles()) || this.authorizationProperties.getAllowedGlobalRoles().contains(x))).distinct().toList();
|
||||
claimsRoles = claimsRoles.stream().filter(x -> x != null && !x.isBlank()).distinct().toList();
|
||||
return claimsRoles;
|
||||
}
|
||||
|
||||
private void syncRoles(UUID userId) {
|
||||
List<UserRoleEntity> existingUserRoles = this.queryFactory.query(UserRoleQuery.class).userIds(userId).collect();
|
||||
CriteriaBuilder criteriaBuilder = this.entityManager.getCriteriaBuilder();
|
||||
CriteriaQuery<UserRoleEntity> query = criteriaBuilder.createQuery(UserRoleEntity.class);
|
||||
Root<UserRoleEntity> root = query.from(UserRoleEntity.class);
|
||||
|
||||
CriteriaBuilder.In<String> inRolesClause = criteriaBuilder.in(root.get(UserRoleEntity._role));
|
||||
for (String item : this.authorizationProperties.getAllowedGlobalRoles()) inRolesClause.value(item);
|
||||
query.where(criteriaBuilder.and(
|
||||
criteriaBuilder.equal(root.get(UserRoleEntity._userId), userId),
|
||||
this.conventionService.isListNullOrEmpty(this.authorizationProperties.getAllowedGlobalRoles()) ? criteriaBuilder.isNotNull(root.get(UserRoleEntity._role)) : inRolesClause,
|
||||
criteriaBuilder.isNull(root.get(UserRoleEntity._tenantId))
|
||||
));
|
||||
List<UserRoleEntity> existingUserRoles = this.entityManager.createQuery(query).getResultList();
|
||||
|
||||
List<UUID> foundRoles = new ArrayList<>();
|
||||
for (String claimRole : this.getRolesFromClaims()) {
|
||||
UserRoleEntity roleEntity = existingUserRoles.stream().filter(x -> x.getRole().equals(claimRole)).findFirst().orElse(null);
|
||||
|
@ -255,8 +273,21 @@ public class UserInterceptor implements WebRequestInterceptor {
|
|||
}
|
||||
|
||||
private List<String> collectUserRoles(UUID userId) {
|
||||
List<UserRoleEntity> items = this.queryFactory.query(UserRoleQuery.class).userIds(userId).collectAs(new BaseFieldSet().ensure(UserRole._role));
|
||||
return items == null ? new ArrayList<>() : items.stream().map(UserRoleEntity::getRole).toList();
|
||||
CriteriaBuilder criteriaBuilder = this.entityManager.getCriteriaBuilder();
|
||||
CriteriaQuery<UserRoleEntity> query = criteriaBuilder.createQuery(UserRoleEntity.class);
|
||||
Root<UserRoleEntity> root = query.from(UserRoleEntity.class);
|
||||
|
||||
CriteriaBuilder.In<String> inRolesClause = criteriaBuilder.in(root.get(UserRoleEntity._role));
|
||||
for (String item : this.authorizationProperties.getAllowedGlobalRoles()) inRolesClause.value(item);
|
||||
|
||||
query.where(criteriaBuilder.and(
|
||||
criteriaBuilder.equal(root.get(UserRoleEntity._userId), userId),
|
||||
this.conventionService.isListNullOrEmpty(this.authorizationProperties.getAllowedGlobalRoles()) ? criteriaBuilder.isNotNull(root.get(UserRoleEntity._role)) : inRolesClause,
|
||||
criteriaBuilder.isNull(root.get(UserRoleEntity._tenantId))
|
||||
)).multiselect(root.get(UserRoleEntity._role).alias(UserRoleEntity._role));
|
||||
List<UserRoleEntity> results = this.entityManager.createQuery(query).getResultList();
|
||||
|
||||
return results.stream().map(UserRoleEntity::getRole).toList();
|
||||
}
|
||||
|
||||
private List<String> collectUserEmails(UUID userId) {
|
||||
|
|
|
@ -31,6 +31,7 @@ spring:
|
|||
optional:classpath:config/public-api.yml[.yml], optional:classpath:config/public-api-${spring.profiles.active}.yml[.yml], optional:file:../config/public-api-${spring.profiles.active}.yml[.yml],
|
||||
optional:classpath:config/dashboard.yml[.yml], optional:classpath:config/dashboard-${spring.profiles.active}.yml[.yml], optional:file:../config/dashboard-${spring.profiles.active}.yml[.yml],
|
||||
optional:classpath:config/transformer.yml[.yml], optional:classpath:config/transformer-${spring.profiles.active}.yml[.yml], optional:file:../config/transformer-${spring.profiles.active}.yml[.yml],
|
||||
optional:classpath:config/authorization.yml[.yml], optional:classpath:config/authorization-${spring.profiles.active}.yml[.yml], optional:file:../config/authorization-${spring.profiles.active}.yml[.yml],
|
||||
optional:classpath:config/lock.yml[.yml], optional:classpath:config/lock-${spring.profiles.active}.yml[.yml], optional:file:../config/lock-${spring.profiles.active}.yml[.yml]
|
||||
|
||||
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
authorization:
|
||||
allowedTenantRoles:
|
||||
- TenantAdmin
|
||||
- TenantUser
|
||||
- TenantManager
|
||||
- TenantDescriptionTemplateEditor
|
||||
allowedGlobalRoles:
|
||||
- Admin
|
||||
- User
|
|
@ -24,6 +24,14 @@ idpclient:
|
|||
filterBy: "(.*):::TenantCode::"
|
||||
extractByExpression: "(.*):(.*)"
|
||||
extractExpressionValue: "[[g1]]"
|
||||
GlobalRoles:
|
||||
- type: resource_access
|
||||
path: dmp_web.roles
|
||||
TenantRoles:
|
||||
- type: tenant_roles
|
||||
filterBy: "(.*):::TenantCode::"
|
||||
extractByExpression: "(.*):(.*)"
|
||||
extractExpressionValue: "[[g1]]"
|
||||
Scope:
|
||||
- type: scope
|
||||
AccessToken:
|
||||
|
|
Loading…
Reference in New Issue