Feature/attribute security read filter (#13)

* Changed bean creation to static instantiation.

* Added unique constraints.
  Implemented equals and hashCode functions.

* Created service to check attribute permissions.
  Added result filtering to attribute-value service.

* Updated README.md.

Author: nenadjakic

.scripts/001-init-db-schema.sql

@@ -0,0 +1,2 @@
+CREATE SCHEMA IF NOT EXISTS "public";
+CREATE SCHEMA IF NOT EXISTS "security";

.scripts/002-test-data.sql

@@ -0,0 +1,70 @@
+INSERT INTO "security"."role" (id, "name") VALUES (nextval('security.role_id_seq'), 'READER');
+INSERT INTO "security"."role" (id, "name") VALUES (nextval('security.role_id_seq'), 'ADMINISTRATOR');
+INSERT INTO "security"."role" (id, "name") VALUES (nextval('security.role_id_seq'), 'TEST_ROLE_1');
+INSERT INTO "security"."role" (id, "name") VALUES (nextval('security.role_id_seq'), 'TEST_ROLE_2');
+
+INSERT INTO "security"."user" (id, email, email_confirmed, enabled, expire_at, "password", username)
+VALUES(nextval('security.user_id_seq'), 'admin@eav.eav', true, true, '2030-12-31 00:00:00.000', '$2a$10$iz4lSRkDXgzjBCZupy9IS.D0RfI5HJK9eoCES.YWHwbtj/mGVA0M6', 'admin@eav.eav');
+INSERT INTO "security"."user" (id, email, email_confirmed, enabled, expire_at, "password", username)
+VALUES(nextval('security.user_id_seq'), 'reader@eav.eav', true, true, '2030-12-31 00:00:00.000', '$2a$10$iz4lSRkDXgzjBCZupy9IS.D0RfI5HJK9eoCES.YWHwbtj/mGVA0M6', 'reader@eav.eav');
+
+INSERT INTO "security"."user_role" (user_id, role_id)
+VALUES ((SELECT id FROM "security"."user" WHERE username = 'admin@eav.eav'), (SELECT id from "security"."role" WHERE "name" = 'ADMINISTRATOR'));
+INSERT INTO "security"."user_role" (user_id, role_id)
+VALUES ((SELECT id FROM "security"."user" WHERE username = 'reader@eav.eav'), (SELECT id from "security"."role" WHERE "name" = 'READER'));
+
+INSERT INTO "public"."entity_type" (id, "name", "description") VALUES (nextval('public.entity_type_id_seq'), 'car', NULL);
+INSERT INTO "public"."entity_type" (id, "name", "description") VALUES (nextval('public.entity_type_id_seq'), 'book', NULL);
+
+INSERT INTO "public"."attribute" (id, description, "name", entity_type_id) VALUES(nextval('public.attribute_id_seq'), NULL, 'make', (SELECT id FROM "public"."entity_type" WHERE "name" = 'car'));
+INSERT INTO "public"."attribute" (id, description, "name", entity_type_id) VALUES(nextval('public.attribute_id_seq'), NULL, 'model', (SELECT id FROM "public"."entity_type" WHERE "name" = 'car'));
+INSERT INTO "public"."attribute" (id, description, "name", entity_type_id) VALUES(nextval('public.attribute_id_seq'), NULL, 'color', (SELECT id FROM "public"."entity_type" WHERE "name" = 'car'));
+
+INSERT INTO "public"."attribute" (id, description, "name", entity_type_id) VALUES(nextval('public.attribute_id_seq'), NULL, 'isbn', (SELECT id FROM "public"."entity_type" WHERE "name" = 'book'));
+INSERT INTO "public"."attribute" (id, description, "name", entity_type_id) VALUES(nextval('public.attribute_id_seq'), NULL, 'author', (SELECT id FROM "public"."entity_type" WHERE "name" = 'book'));
+INSERT INTO "public"."attribute" (id, description, "name", entity_type_id) VALUES(nextval('public.attribute_id_seq'), NULL, 'title', (SELECT id FROM "public"."entity_type" WHERE "name" = 'book'));
+INSERT INTO "public"."attribute" (id, description, "name", entity_type_id) VALUES(nextval('public.attribute_id_seq'), NULL, 'publish_year', (SELECT id FROM "public"."entity_type" WHERE "name" = 'book'));
+
+INSERT INTO public.metadata (id, data_type, max_length, max_value, min_length, min_value, "repeatable", required, sub_attribute_ids)
+VALUES((SELECT id FROM "public"."attribute" WHERE "name" = 'make' AND entity_type_id =  (SELECT id FROM "public"."entity_type" WHERE "name" = 'car')), 'STRING', NULL, NULL, NULL, NULL, false, true, '[]'::jsonb);
+INSERT INTO public.metadata (id, data_type, max_length, max_value, min_length, min_value, "repeatable", required, sub_attribute_ids)
+VALUES((SELECT id FROM "public"."attribute" WHERE "name" = 'model' AND entity_type_id =  (SELECT id FROM "public"."entity_type" WHERE "name" = 'car')), 'STRING', NULL, NULL, NULL, NULL, false, true, '[]'::jsonb);
+INSERT INTO public.metadata (id, data_type, max_length, max_value, min_length, min_value, "repeatable", required, sub_attribute_ids)
+VALUES((SELECT id FROM "public"."attribute" WHERE "name" = 'color' AND entity_type_id =  (SELECT id FROM "public"."entity_type" WHERE "name" = 'car')), 'STRING', NULL, NULL, NULL, NULL, false, true, '[]'::jsonb);
+
+INSERT INTO public.metadata (id, data_type, max_length, max_value, min_length, min_value, "repeatable", required, sub_attribute_ids)
+VALUES((SELECT id FROM "public"."attribute" WHERE "name" = 'isbn' AND entity_type_id =  (SELECT id FROM "public"."entity_type" WHERE "name" = 'book')), 'STRING', NULL, NULL, NULL, NULL, false, true, '[]'::jsonb);
+INSERT INTO public.metadata (id, data_type, max_length, max_value, min_length, min_value, "repeatable", required, sub_attribute_ids)
+VALUES((SELECT id FROM "public"."attribute" WHERE "name" = 'author' AND entity_type_id =  (SELECT id FROM "public"."entity_type" WHERE "name" = 'book')), 'STRING', NULL, NULL, NULL, NULL, false, true, '[]'::jsonb);
+INSERT INTO public.metadata (id, data_type, max_length, max_value, min_length, min_value, "repeatable", required, sub_attribute_ids)
+VALUES((SELECT id FROM "public"."attribute" WHERE "name" = 'title' AND entity_type_id =  (SELECT id FROM "public"."entity_type" WHERE "name" = 'book')), 'STRING', NULL, NULL, NULL, NULL, false, true, '[]'::jsonb);
+INSERT INTO public.metadata (id, data_type, max_length, max_value, min_length, min_value, "repeatable", required, sub_attribute_ids)
+VALUES((SELECT id FROM "public"."attribute" WHERE "name" = 'publish_year' AND entity_type_id =  (SELECT id FROM "public"."entity_type" WHERE "name" = 'book')), 'INTEGER', NULL, NULL, NULL, NULL, false, false, '[]'::jsonb);
+
+INSERT INTO "security"."attribute_permission" (actions, attribute_id, role_id)
+VALUES('["READ"]'::jsonb, (SELECT id FROM "public"."attribute" WHERE "name" = 'make' AND entity_type_id =  (SELECT id FROM "public"."entity_type" WHERE "name" = 'car')), (SELECT id FROM "security"."role" WHERE "name" = 'READER'));
+INSERT INTO "security"."attribute_permission" (actions, attribute_id, role_id)
+VALUES('["READ"]'::jsonb, (SELECT id FROM "public"."attribute" WHERE "name" = 'model' AND entity_type_id =  (SELECT id FROM "public"."entity_type" WHERE "name" = 'car')), (SELECT id FROM "security"."role" WHERE "name" = 'READER'));
+INSERT INTO "security"."attribute_permission" (actions, attribute_id, role_id)
+VALUES('["READ"]'::jsonb, (SELECT id FROM "public"."attribute" WHERE "name" = 'isbn' AND entity_type_id =  (SELECT id FROM "public"."entity_type" WHERE "name" = 'book')), (SELECT id FROM "security"."role" WHERE "name" = 'READER'));
+INSERT INTO "security"."attribute_permission" (actions, attribute_id, role_id)
+VALUES('["READ"]'::jsonb, (SELECT id FROM "public"."attribute" WHERE "name" = 'author' AND entity_type_id =  (SELECT id FROM "public"."entity_type" WHERE "name" = 'book')), (SELECT id FROM "security"."role" WHERE "name" = 'READER'));
+INSERT INTO "security"."attribute_permission" (actions, attribute_id, role_id)
+VALUES('["READ"]'::jsonb, (SELECT id FROM "public"."attribute" WHERE "name" = 'title' AND entity_type_id =  (SELECT id FROM "public"."entity_type" WHERE "name" = 'book')), (SELECT id FROM "security"."role" WHERE "name" = 'READER'));
+INSERT INTO "security"."attribute_permission" (actions, attribute_id, role_id)
+VALUES('["READ"]'::jsonb, (SELECT id FROM "public"."attribute" WHERE "name" = 'publish_year' AND entity_type_id =  (SELECT id FROM "public"."entity_type" WHERE "name" = 'book')), (SELECT id FROM "security"."role" WHERE "name" = 'READER'));
+INSERT INTO "security"."attribute_permission" (actions, attribute_id, role_id)
+VALUES('["READ", "CREATE"]'::jsonb, (SELECT id FROM "public"."attribute" WHERE "name" = 'make' AND entity_type_id =  (SELECT id FROM "public"."entity_type" WHERE "name" = 'car')), (SELECT id FROM "security"."role" WHERE "name" = 'ADMINISTRATOR'));
+INSERT INTO "security"."attribute_permission" (actions, attribute_id, role_id)
+VALUES('["READ", "CREATE", "UPDATE", "DELETE"]'::jsonb, (SELECT id FROM "public"."attribute" WHERE "name" = 'model' AND entity_type_id =  (SELECT id FROM "public"."entity_type" WHERE "name" = 'car')), (SELECT id FROM "security"."role" WHERE "name" = 'ADMINISTRATOR'));
+INSERT INTO "security"."attribute_permission" (actions, attribute_id, role_id)
+VALUES('["READ", "CREATE", "DELETE"]'::jsonb, (SELECT id FROM "public"."attribute" WHERE "name" = 'color' AND entity_type_id =  (SELECT id FROM "public"."entity_type" WHERE "name" = 'car')), (SELECT id FROM "security"."role" WHERE "name" = 'ADMINISTRATOR'));
+
+INSERT INTO "public"."entity" (id, entity_type_id) VALUES (nextval('public.entity_id_seq'), (SELECT id FROM "public"."entity_type" WHERE "name" = 'car'));
+
+INSERT INTO "public"."attribute_value" (value, "position", attribute_id, entity_id)
+VALUES('Ford', NULL, (SELECT id FROM "public"."attribute" WHERE "name" = 'make' AND entity_type_id = (SELECT id FROM "public"."entity_type" WHERE "name" = 'car')), (SELECT id from "public"."entity" LIMIT 1));
+INSERT INTO "public"."attribute_value" (value, "position", attribute_id, entity_id)
+VALUES('Puma', NULL, (SELECT id FROM "public"."attribute" WHERE "name" = 'model' AND entity_type_id = (SELECT id FROM "public"."entity_type" WHERE "name" = 'car')), (SELECT id from "public"."entity" LIMIT 1));
+INSERT INTO "public"."attribute_value" (value, "position", attribute_id, entity_id)
+VALUES('red', NULL, (SELECT id FROM "public"."attribute" WHERE "name" = 'color' AND entity_type_id = (SELECT id FROM "public"."entity_type" WHERE "name" = 'car')), (SELECT id from "public"."entity" LIMIT 1));

README.md

@@ -10,10 +10,12 @@
 
 ## Features (details)
 
-### JWT Authentication
+### Security: Authentication & Authorization
 - Uses JWT tokens for user authentication and authorization.
 - Implements refresh tokens to extend JWT validity without requiring reauthentication.
 - Provides enhanced security by reducing token exposure and improving session management.
+- Role-Based Access Control (RBAC)
+- Row-Level data protection
 #### Description
 - **_User Registration:_**
   - Users can register using their email and password.
@@ -24,12 +26,31 @@
 - **_User Login:_**
   - Users log in using their email (username) and password.
   - Upon successful authentication, the user receives a JWT access token and a refresh token.
-
+- **_Role-Based Access Control (RBAC) with attribute level permissions_**: TODO
 ### Data Management with Spring Data JPA
 - Data model is implemented using Spring JPA (Java Persistence API).
 - Repository interfaces extend `JpaRepository`, providing methods for common database operations.
 - For enhanced performance and optimized data retrieval, `Entity graphs` is leveraged in certain scenarios.
 
 ## Requirements
 - **Java Development Kit (JDK):** While the project may work with JDK versions 21 or higher, it is recommended to use the latest stable version of JDK for optimal compatibility and performance.
-- **Gradle Build Tool:** is used for project management and dependency resolution.
+- **Gradle Build Tool** is used for project management and dependency resolution.
+
+## Build and Run
+1. Clone this repository:
+
+   `git clone https://github.com/nenadjakic/eav-platform.git`
+
+   `cd eav-platform`
+2. Create a new database for the project. `eav-platform` uses ORM (`Hibernate`) so you can choose any relational database engine 
+which is supported by `Hibernate` (e.g., MySQL, PostgreSQL, Oracle).
+3. Configure database connection:
+   - Open the `application.properties` file located in src/main/resources.
+   - Update the database connection settings (URL, username, password, dialect).
+4. Open a terminal and navigate to the project directory.
+5. Build the project using Gradle:
+
+   `./gradlew clean build`
+6. Run the project using Gradle:
+
+   `./gradlew bootRun`

src/main/kotlin/com/github/nenadjakic/eav/configuration/MainConfiguration.kt

@@ -8,10 +8,13 @@ import io.swagger.v3.oas.models.security.SecurityRequirement
 import io.swagger.v3.oas.models.security.SecurityScheme
 import org.modelmapper.ModelMapper
 import org.springframework.beans.factory.annotation.Value
+import org.springframework.beans.factory.support.BeanDefinitionRegistry
+import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor
 import org.springframework.cache.CacheManager
 import org.springframework.cache.concurrent.ConcurrentMapCacheManager
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
+import org.springframework.context.annotation.DependsOn
 import org.springframework.data.jpa.repository.config.EnableJpaRepositories
 import org.springframework.scheduling.annotation.EnableAsync
 import org.springframework.security.authentication.AuthenticationManager
@@ -74,8 +77,9 @@ open class MainConfiguration(
     open fun authenticationManager(config: AuthenticationConfiguration): AuthenticationManager {
         return config.authenticationManager
     }
+
     @Bean
-    open fun authenticationProvider(userDetailsService: UserDetailsService?): AuthenticationProvider {
+    open fun authenticationProvider(): AuthenticationProvider {
         val provider = DaoAuthenticationProvider()
         provider.setUserDetailsService(userDetailsService)
         provider.setPasswordEncoder(passwordEncoder)

src/main/kotlin/com/github/nenadjakic/eav/configuration/SecurityConfiguration.kt

@@ -1,9 +1,12 @@
 package com.github.nenadjakic.eav.configuration
 
 import com.github.nenadjakic.eav.security.filter.JwtAuthenticationFilter
+import com.github.nenadjakic.eav.service.security.AttributePermissionService
+import org.springframework.beans.factory.config.BeanDefinition
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
-import org.springframework.security.access.vote.RoleVoter
+import org.springframework.context.annotation.DependsOn
+import org.springframework.context.annotation.Role
 import org.springframework.security.authentication.AuthenticationProvider
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
@@ -21,10 +24,12 @@ open class SecurityConfiguration(
     private val authenticationProvider: AuthenticationProvider,
     private val jwtAuthenticationFilter: JwtAuthenticationFilter
 ) {
-
-    @Bean
-    open fun grantedAuthorityDefaults() : GrantedAuthorityDefaults {
-        return GrantedAuthorityDefaults("");
+    companion object {
+        @Bean
+        @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
+        open fun grantedAuthorityDefaults(): GrantedAuthorityDefaults {
+            return GrantedAuthorityDefaults("");
+        }
     }
 
     @Bean

src/main/kotlin/com/github/nenadjakic/eav/entity/Attribute.kt

@@ -8,7 +8,9 @@ import jakarta.persistence.Entity
  * This class is mapped to the "attribute" table in the "public" schema.
  */
 @Entity
-@Table(schema = "public", name = "attribute",
+@Table(
+    schema = "public",
+    name = "attribute",
     uniqueConstraints = [
         UniqueConstraint(name = "uq_attribute_entity_type_id_name", columnNames = ["entity_type_id", "name"])
     ])

src/main/kotlin/com/github/nenadjakic/eav/entity/EntityAttributeId.kt

@@ -15,4 +15,23 @@ class EntityAttributeId {
 
     @Column(name = "attribute_id", nullable = false)
     var attributeId: Long? = null
+
+    override fun equals(other: Any?): Boolean {
+        if (this === other) return true
+        if (javaClass != other?.javaClass) return false
+
+        other as EntityAttributeId
+
+        if (entityId != other.entityId) return false
+        if (attributeId != other.attributeId) return false
+
+        return true
+    }
+
+    override fun hashCode(): Int {
+        var result = entityId?.hashCode() ?: 0
+        result = 31 * result + (attributeId?.hashCode() ?: 0)
+        return result
+    }
+
 }

src/main/kotlin/com/github/nenadjakic/eav/entity/EntityType.kt

@@ -4,9 +4,11 @@ import jakarta.persistence.*
 import jakarta.persistence.Entity
 
 @Entity
-@Table(schema = "public", name = "entity_type",
+@Table(
+    schema = "public",
+    name = "entity_type",
     uniqueConstraints = [
-        UniqueConstraint(name = "uq_entity_type_name", columnNames = ["name"])
+        UniqueConstraint(name = "uq_entity_type_name", columnNames = [ "name" ])
     ])
 class EntityType : AbstractEntityId<Long>() {
 

src/main/kotlin/com/github/nenadjakic/eav/entity/security/ConfirmationToken.kt

@@ -11,7 +11,13 @@ import java.util.*
  *
  */
 @Entity
-@Table(schema = "security", name = "confirmation_token")
+@Table(
+    schema = "security",
+    name = "confirmation_token",
+    uniqueConstraints = [
+        UniqueConstraint(name = "uq_security_confirmation_token_token", columnNames = [ "token" ])
+    ]
+)
 class ConfirmationToken() : AbstractEntityId<Long>() {
 
     @Id
@@ -23,7 +29,7 @@ class ConfirmationToken() : AbstractEntityId<Long>() {
     @JoinColumn(name = "id", nullable = false)
     lateinit var user: User
 
-    @Column(name = "token", nullable = false)
+    @Column(name = "token", nullable = false, length = 100, unique = true)
     lateinit var token: String
 
     @Column(name = "expire_at", nullable = false)

src/main/kotlin/com/github/nenadjakic/eav/entity/security/Permission.kt

@@ -6,6 +6,7 @@ import jakarta.persistence.Entity
 import jakarta.persistence.Id
 import jakarta.persistence.ManyToMany
 import jakarta.persistence.Table
+import jakarta.persistence.UniqueConstraint
 
 /**
  * Represents a permission entity within the system.
@@ -14,13 +15,19 @@ import jakarta.persistence.Table
  *
  */
 @Entity
-@Table(schema = "security", name = "permission")
+@Table(
+    schema = "security",
+    name = "permission",
+    uniqueConstraints = [
+        UniqueConstraint(name = "security_permission_name", columnNames = [ "name" ])
+    ]
+)
 class Permission : AbstractEntityId<Long>() {
     @Id
     @Column(name = "id")
     override var id: Long? = null
 
-    @Column(name = "name", nullable = false, length = 100)
+    @Column(name = "name", nullable = false, length = 100, unique = true)
     lateinit var name: String
 
     @Column(name = "description", length = 10000)

src/main/kotlin/com/github/nenadjakic/eav/entity/security/RefreshToken.kt

@@ -12,7 +12,12 @@ import java.util.*
  * for managing entities with a Long type ID.
  */
 @Entity
-@Table(schema = "security", name = "refresh_token")
+@Table(
+    schema = "security",
+    name = "refresh_token",
+    uniqueConstraints = [
+        UniqueConstraint(name = "uq_security_refresh_token_token", columnNames = [ "token" ])
+    ])
 class RefreshToken() : AbstractEntityId<Long>() {
 
     @Id
@@ -25,7 +30,7 @@ class RefreshToken() : AbstractEntityId<Long>() {
     @JoinColumn(name = "user_id", nullable = false)
     lateinit var user: User
 
-    @Column(name = "token", nullable = false, length = 100)
+    @Column(name = "token", nullable = false, length = 100, unique = true)
     lateinit var token: String
 
     @Column(name = "expire_at", nullable = false)

src/main/kotlin/com/github/nenadjakic/eav/entity/security/Role.kt

@@ -8,15 +8,21 @@ import jakarta.persistence.*
  * This class is mapped to the "role" table in the "security" schema.
  */
 @Entity
-@Table(schema = "security", name = "role")
+@Table(
+    schema = "security",
+    name = "role",
+    uniqueConstraints = [
+        UniqueConstraint(name = "uq_security_role_name", columnNames = [ "name" ])
+    ]
+)
 class Role : AbstractEntityId<Long>() {
     @Id
     @GeneratedValue(strategy = GenerationType.SEQUENCE, generator = "security.role_id_seq")
     @SequenceGenerator(schema = "security", name = "role_id_seq", allocationSize = 1)
     @Column(name = "id")
     override var id: Long? = null
 
-    @Column(name = "name", nullable = false, length = 100)
+    @Column(name = "name", nullable = false, length = 100, unique = true)
     lateinit var name: String
 
     @ManyToMany

src/main/kotlin/com/github/nenadjakic/eav/entity/security/RoleAttributeId.kt

@@ -15,4 +15,22 @@ class RoleAttributeId {
 
     @Column(name = "attribute_id", nullable = false)
     var attributeId: Long? = null
+
+    override fun equals(other: Any?): Boolean {
+        if (this === other) return true
+        if (javaClass != other?.javaClass) return false
+
+        other as RoleAttributeId
+
+        if (roleId != other.roleId) return false
+        if (attributeId != other.attributeId) return false
+
+        return true
+    }
+
+    override fun hashCode(): Int {
+        var result = roleId?.hashCode() ?: 0
+        result = 31 * result + (attributeId?.hashCode() ?: 0)
+        return result
+    }
 }