Merge pull request #15 from nenadjakic/feature/security-and-permissions

Added @PreAuthorize and @PostFilter annotations to controllers and se…

Author: nenadjakic

src/main/kotlin/com/github/nenadjakic/eav/configuration/MainConfiguration.kt

@@ -8,13 +8,10 @@ import io.swagger.v3.oas.models.security.SecurityRequirement
 import io.swagger.v3.oas.models.security.SecurityScheme
 import org.modelmapper.ModelMapper
 import org.springframework.beans.factory.annotation.Value
-import org.springframework.beans.factory.support.BeanDefinitionRegistry
-import org.springframework.beans.factory.support.BeanDefinitionRegistryPostProcessor
 import org.springframework.cache.CacheManager
 import org.springframework.cache.concurrent.ConcurrentMapCacheManager
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
-import org.springframework.context.annotation.DependsOn
 import org.springframework.data.jpa.repository.config.EnableJpaRepositories
 import org.springframework.scheduling.annotation.EnableAsync
 import org.springframework.security.authentication.AuthenticationManager

src/main/kotlin/com/github/nenadjakic/eav/configuration/SecurityConfiguration.kt

@@ -1,11 +1,9 @@
 package com.github.nenadjakic.eav.configuration
 
 import com.github.nenadjakic.eav.security.filter.JwtAuthenticationFilter
-import com.github.nenadjakic.eav.service.security.AttributePermissionService
 import org.springframework.beans.factory.config.BeanDefinition
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
-import org.springframework.context.annotation.DependsOn
 import org.springframework.context.annotation.Role
 import org.springframework.security.authentication.AuthenticationProvider
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity
@@ -28,7 +26,7 @@ open class SecurityConfiguration(
         @Bean
         @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
         open fun grantedAuthorityDefaults(): GrantedAuthorityDefaults {
-            return GrantedAuthorityDefaults("");
+            return GrantedAuthorityDefaults("")
         }
     }
 

src/main/kotlin/com/github/nenadjakic/eav/controller/AttributeController.kt

@@ -14,6 +14,7 @@ import io.swagger.v3.oas.annotations.tags.Tag
 import org.modelmapper.ModelMapper
 import org.springframework.data.domain.Page
 import org.springframework.http.ResponseEntity
+import org.springframework.security.access.prepost.PreAuthorize
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder
@@ -83,6 +84,7 @@ open class AttributeController(
             ApiResponse(responseCode = "204", description = "Entity deleted successfully")
         ]
     )
+    @PreAuthorize("hasRole('ADMINISTRATOR')")
     open override fun deleteById(id: Long): ResponseEntity<Void> {
         attributeService.deleteById(id)
         return ResponseEntity.noContent().build()
@@ -99,6 +101,7 @@ open class AttributeController(
             ApiResponse(responseCode = "400", description = "Invalid request data.")
         ]
     )
+    @PreAuthorize("hasRole('ADMINISTRATOR')")
     open override fun update(model: AttributeUpdateRequest): ResponseEntity<Void> {
         val entity = modelMapper.map(model, Attribute::class.java)
         attributeService.update(entity)
@@ -116,6 +119,7 @@ open class AttributeController(
             ApiResponse(responseCode = "400", description = "Invalid request data.")
         ]
     )
+    @PreAuthorize("hasRole('ADMINISTRATOR')")
     open override fun create(model: AttributeAddRequest): ResponseEntity<Void> {
         val entity = modelMapper.map(model, Attribute::class.java)
         val createdEntity = attributeService.create(entity)

src/main/kotlin/com/github/nenadjakic/eav/controller/AttributeValueController.kt

@@ -12,6 +12,7 @@ import io.swagger.v3.oas.annotations.tags.Tag
 import jakarta.validation.Valid
 import org.modelmapper.ModelMapper
 import org.springframework.http.ResponseEntity
+import org.springframework.security.access.prepost.PreAuthorize
 import org.springframework.validation.annotation.Validated
 import org.springframework.web.bind.annotation.DeleteMapping
 import org.springframework.web.bind.annotation.GetMapping
@@ -81,6 +82,7 @@ open class AttributeValueController(
         ]
     )
     @PostMapping
+    @PreAuthorize("@attributeSecurityService.canCreate(#attributeValueAddRequest.attributeId)")
     open fun create(@RequestBody @Valid attributeValueAddRequest: AttributeValueAddRequest): ResponseEntity<Void> {
         val attributeValue = modelMapper.map(attributeValueAddRequest, AttributeValue::class.java)
         val createdAttributeValue = attributeValueService.create(attributeValue)
@@ -106,6 +108,7 @@ open class AttributeValueController(
         ]
     )
     @PutMapping
+    @PreAuthorize("@attributeSecurityService.canUpdate(#attributeValueAddRequest.attributeId)")
     open fun update(@RequestBody @Valid attributeValueAddRequest: AttributeValueAddRequest): ResponseEntity<Void> {
         val attributeValue = modelMapper.map(attributeValueAddRequest, AttributeValue::class.java)
         attributeValueService.update(attributeValue)
@@ -123,6 +126,7 @@ open class AttributeValueController(
         ]
     )
     @DeleteMapping
+    @PreAuthorize("@attributeSecurityService.canDelete(#attributeId)")
     open fun deleteById(@PathVariable entityId: Long, @PathVariable attributeId: Long): ResponseEntity<Void> {
         attributeValueService.deleteById(entityId, attributeId)
         return ResponseEntity.noContent().build()

src/main/kotlin/com/github/nenadjakic/eav/controller/EavReadController.kt

@@ -3,7 +3,6 @@ package com.github.nenadjakic.eav.controller
 import org.springframework.data.domain.Page
 import org.springframework.http.MediaType
 import org.springframework.http.ResponseEntity
-import org.springframework.security.access.prepost.PostAuthorize
 import org.springframework.security.access.prepost.PreAuthorize
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.PathVariable

src/main/kotlin/com/github/nenadjakic/eav/controller/EavWriteController.kt

@@ -3,13 +3,8 @@ package com.github.nenadjakic.eav.controller
 import jakarta.validation.Valid
 import org.springframework.http.MediaType
 import org.springframework.http.ResponseEntity
-import org.springframework.security.access.prepost.PreAuthorize
 import org.springframework.validation.annotation.Validated
-import org.springframework.web.bind.annotation.DeleteMapping
-import org.springframework.web.bind.annotation.PathVariable
-import org.springframework.web.bind.annotation.PostMapping
-import org.springframework.web.bind.annotation.PutMapping
-import org.springframework.web.bind.annotation.RequestBody
+import org.springframework.web.bind.annotation.*
 
 /**
  * Interface for writing operations in the EAV (Entity-Attribute-Value) system.
@@ -21,16 +16,16 @@ import org.springframework.web.bind.annotation.RequestBody
 @Validated
 interface EavWriteController<CR, UR> {
 
-    @PreAuthorize("hasRole('WRITER')")
+    //@PreAuthorize("hasRole('ADMINISTRATOR')")
     @PostMapping(consumes = [MediaType.APPLICATION_JSON_VALUE],
         produces = [MediaType.APPLICATION_JSON_VALUE])
     fun create(@Valid @RequestBody model:CR): ResponseEntity<Void>
 
-    @PreAuthorize("hasRole('WRITER')")
+    //@PreAuthorize("hasRole('ADMINISTRATOR')")
     @PutMapping(consumes = [MediaType.APPLICATION_JSON_VALUE])
     fun update(@Valid @RequestBody model:UR): ResponseEntity<Void>
 
-    @PreAuthorize("hasRole('WRITER')")
+    //@PreAuthorize("hasRole('ADMINISTRATOR')")
     @DeleteMapping("/{id}")
     fun deleteById(@PathVariable id: Long): ResponseEntity<Void>
 }

src/main/kotlin/com/github/nenadjakic/eav/controller/EntityController.kt

@@ -14,6 +14,7 @@ import io.swagger.v3.oas.annotations.tags.Tag
 import org.modelmapper.ModelMapper
 import org.springframework.data.domain.Page
 import org.springframework.http.ResponseEntity
+import org.springframework.security.access.prepost.PreAuthorize
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder
@@ -91,6 +92,7 @@ class EntityController(
             ApiResponse(responseCode = "400", description = "Invalid request data.")
         ]
     )
+    @PreAuthorize("hasRole('ADMINISTRATOR')")
     open override fun create(model: EntityAddRequest): ResponseEntity<Void> {
         val entity = modelMapper.map(model, Entity::class.java)
         val createdEntity = entityService.create(entity)
@@ -114,6 +116,7 @@ class EntityController(
             ApiResponse(responseCode = "400", description = "Invalid request data.")
         ]
     )
+    @PreAuthorize("hasRole('ADMINISTRATOR')")
     open override fun update(model: EntityUpdateRequest): ResponseEntity<Void> {
         val entity = modelMapper.map(model, Entity::class.java)
         entityService.update(entity)
@@ -130,6 +133,7 @@ class EntityController(
             ApiResponse(responseCode = "204", description = "Entity deleted successfully")
         ]
     )
+    @PreAuthorize("hasRole('ADMINISTRATOR')")
     open override fun deleteById(id: Long): ResponseEntity<Void> {
         entityService.deleteById(id)
         return ResponseEntity.noContent().build()

src/main/kotlin/com/github/nenadjakic/eav/controller/EntityTypeController.kt

@@ -14,6 +14,7 @@ import io.swagger.v3.oas.annotations.tags.Tag
 import org.modelmapper.ModelMapper
 import org.springframework.data.domain.Page
 import org.springframework.http.ResponseEntity
+import org.springframework.security.access.prepost.PreAuthorize
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RestController
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder
@@ -84,6 +85,7 @@ open class EntityTypeController(
             ApiResponse(responseCode = "400", description = "Invalid request data.")
         ]
     )
+    @PreAuthorize("hasRole('ADMINISTRATOR')")
     open override fun create(model: EntityTypeAddRequest): ResponseEntity<Void> {
         val entity = modelMapper.map(model, EntityType::class.java)
         val createdEntity = entityTypeService.create(entity)
@@ -107,6 +109,7 @@ open class EntityTypeController(
             ApiResponse(responseCode = "400", description = "Invalid request data.")
         ]
     )
+    @PreAuthorize("hasRole('ADMINISTRATOR')")
     open override fun update(model: EntityTypeUpdateRequest): ResponseEntity<Void> {
         val entityType = modelMapper.map(model, EntityType::class.java)
         entityTypeService.update(entityType)
@@ -123,6 +126,7 @@ open class EntityTypeController(
             ApiResponse(responseCode = "204", description = "Entity type deleted successfully")
         ]
     )
+    @PreAuthorize("hasRole('ADMINISTRATOR')")
     open override fun deleteById(id: Long): ResponseEntity<Void> {
         entityTypeService.deleteById(id)
         return ResponseEntity.noContent().build()

src/main/kotlin/com/github/nenadjakic/eav/dto/AttributeAddRequest.kt

@@ -2,7 +2,6 @@ package com.github.nenadjakic.eav.dto
 
 import jakarta.validation.Valid
 import jakarta.validation.constraints.NotNull
-import jakarta.xml.bind.annotation.XmlElement
 
 class AttributeAddRequest {
     @NotNull

src/main/kotlin/com/github/nenadjakic/eav/security/AttributeSecurityService.kt

@@ -9,10 +9,16 @@ import org.springframework.security.core.context.SecurityContextHolder
 import org.springframework.security.core.userdetails.UserDetails
 import org.springframework.stereotype.Service
 
+/**
+ * Service class for attribute-based security operations.
+ *
+ * @param attributePermissionService The service for managing attribute permissions
+ */
 @Service
 class AttributeSecurityService(
     private val attributePermissionService: AttributePermissionService
 ) {
+    @Deprecated(message = "Test purpose only. Use canRead(attributeId: Long).")
     fun canRead(root: MethodSecurityExpressionOperations, attributeId: Long): Boolean {
         val user = (root.authentication.principal as SecurityUser?) ?: throw Exception("User does not exists.")
         val roles = getRoles(user)
@@ -27,16 +33,48 @@ class AttributeSecurityService(
         return false
     }
 
+    /**
+     * Checks if the user has permission to read an attribute-value for given attribute.
+     *
+     * @param attributeId The ID of the attribute to check for read permission
+     * @return true if the user has permission to read the attribute-value, otherwise false
+     */
     fun canRead(attributeId: Long): Boolean = hasPermission(attributeId, Action.READ)
 
+    /**
+     * Checks if the user has permission to create an attribute-value for the given attribute.
+     *
+     * @param attributeId The ID of the attribute to check for creation permission
+     * @return true if the user has permission to create the attribute-value, otherwise false
+     */
     fun canCreate(attributeId: Long): Boolean = hasPermission(attributeId, Action.CREATE)
 
+    /**
+     * Checks if the user has permission to update an attribute-value for the given attribute.
+     *
+     * @param attributeId The ID of the attribute to check for update permission
+     * @return true if the user has permission to update the attribute-value, otherwise false
+     */
     fun canUpdate(attributeId: Long): Boolean = hasPermission(attributeId, Action.UPDATE)
 
+
+    /**
+     * Checks if the user has permission to delete an attribute-value for the given attribute.
+     *
+     * @param attributeId The ID of the attribute to check for delete permission
+     * @return true if the user has permission to delete the attribute-value, otherwise false
+     */
     fun canDelete(attributeId: Long): Boolean = hasPermission(attributeId, Action.DELETE)
 
+    /**
+     * Checks if the user has permission to perform a specific action on an attribute-value for the given attribute.
+     *
+     * @param attributeId The ID of the attribute to check for permission
+     * @param action The action to check permission for (e.g., READ, CREATE, UPDATE, DELETE)
+     * @return true if the user has permission to perform the action, otherwise false
+     */
     private fun hasPermission(attributeId: Long, action: Action): Boolean {
-        var hasPermission = false;
+        var hasPermission = false
         for (role in getRoles(getUser() ?: throw Exception("User does not exists."))) {
             hasPermission = hasPermission(role, attributeId, action)
             if (hasPermission) {
@@ -46,12 +84,33 @@ class AttributeSecurityService(
         return hasPermission
     }
 
+    /**
+     * Checks if a user with the specified role has permission to perform a specific action
+     * on an attribute-value for the given attribute.
+     *
+     * @param role The role of the user to check for permission
+     * @param attributeId The ID of the attribute to check for permission
+     * @param action The action to check permission for (e.g., READ, CREATE, UPDATE, DELETE)
+     * @return true if the user with the specified role has permission to perform the action, otherwise false
+     */
     private fun hasPermission(role: String, attributeId: Long, action: Action): Boolean = hasPermission(attributePermissionService.findByRoleNameAndAttributeId(role, attributeId), action)
 
+    /**
+     * Checks if the attribute permission allows a specific action to be performed.
+     *
+     * @param attributePermission The attribute permission object to check
+     * @param action The action to check permission for (e.g., READ, CREATE, UPDATE, DELETE)
+     * @return true if the attribute permission allows the action, otherwise false
+     */
     private fun hasPermission(attributePermission: AttributePermission?, action: Action): Boolean {
         return attributePermission != null && attributePermission.actions.contains(action)
     }
 
+    /**
+     * Retrieves the current authenticated user from the security context.
+     *
+     * @return The authenticated user as a SecurityUser object, or null if not authenticated
+     */
     private fun getUser(): SecurityUser? {
         return if (SecurityContextHolder.getContext().authentication == null) {
             null
@@ -60,5 +119,11 @@ class AttributeSecurityService(
         }
     }
 
+    /**
+     * Retrieves the roles associated with the provided UserDetails.
+     *
+     * @param user The UserDetails object for which roles are to be retrieved
+     * @return A list of roles (as strings) associated with the user
+     */
     private fun getRoles(user: UserDetails): List<out String> = user.authorities.map { it.authority }
 }

src/test/kotlin/com/github/nenadjakic/eav/controller/EntityControllerTest.kt

@@ -38,7 +38,7 @@ class EntityControllerTest {
         val securityUser = SecurityUser()
         securityUser.username = "test"
         securityUser.addAuthority(SimpleGrantedAuthority("READER"))
-        securityUser.addAuthority(SimpleGrantedAuthority("WRITER"))
+        securityUser.addAuthority(SimpleGrantedAuthority("ADMINISTRATOR"))
         val token = jwtService.createToken(securityUser)
 
         headers = HttpHeaders()

src/test/kotlin/com/github/nenadjakic/eav/controller/EntityTypeControllerTest.kt

@@ -39,7 +39,7 @@ class EntityTypeControllerTest {
         val securityUser = SecurityUser()
         securityUser.username = "test"
         securityUser.addAuthority(SimpleGrantedAuthority("READER"))
-        securityUser.addAuthority(SimpleGrantedAuthority("WRITER"))
+        securityUser.addAuthority(SimpleGrantedAuthority("ADMINISTRATOR"))
         val token = jwtService.createToken(securityUser)
 
         headers = HttpHeaders()