Unresolved security bugs.

Author: sean-huni

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,5 @@
-#Wed Jun 20 18:50:19 SAST 2018
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-4.8-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-4.8-all.zip

src/main/java/io/home/pi/domain/Authority.java src/main/java/io/home/pi/domain/Auth.java

@@ -15,19 +15,24 @@
 @Setter
 @Getter
 @Entity
-@Table(schema = "rpi", name = "authority")
-public class Authority {
+@Table(schema = "rpi", name = "auth")
+public class Auth {
     @Id
     @GeneratedValue(strategy = GenerationType.IDENTITY)
     @Column(name = "id")
     private Integer id;
-    @Enumerated(EnumType.STRING)
-    @Column(name = "level")
-    private Enum level;
+
+    //    @Enumerated(EnumType.STRING)
+    @Column(name = "level", nullable = false, length = 50)
+    private String level;
+
+    @ManyToOne(fetch = FetchType.EAGER)
+    @JoinColumn(name = "id", insertable = false, updatable = false)
+    private GrpAuth grpAuth;
 
     @Override
     public String toString() {
-        return "Authority{" +
+        return "Auth{" +
                 "id=" + id +
                 ", level='" + level + '\'' +
                 '}';

src/main/java/io/home/pi/domain/Grp.java

@@ -4,14 +4,13 @@
 import lombok.Setter;
 
 import javax.persistence.*;
-import java.util.Set;
 
 /**
- * PROJECT   :pi
- * PACKAGE   :io.home.pi.domain
- * USER      :Sean
- * DATE      :2018/06/14
- * TIME      :21:40
+ * PROJECT   : pi
+ * PACKAGE   : io.home.pi.domain
+ * USER      : sean
+ * DATE      : 25-June-2018
+ * TIME      : 20:38
  */
 @Setter
 @Getter
@@ -22,22 +21,16 @@ public class Grp {
     @GeneratedValue(strategy = GenerationType.IDENTITY)
     @Column(name = "id")
     private Integer id;
-    @Column(name = "name")
-    private String name;
-
-    @OneToMany(cascade = CascadeType.ALL, targetEntity = User.class, fetch = FetchType.LAZY)
-    private Set<User> users;
 
-    @OneToOne(cascade = CascadeType.ALL)
-    private GrpAuthority grpAuthority;
+    //    @Enumerated(EnumType.STRING)
+    @Column(name = "name", nullable = false, length = 50)
+    private String name;
 
     @Override
     public String toString() {
         return "Grp{" +
                 "id=" + id +
-                ", name='" + name + '\'' +
-                ", users=" + users +
-                ", grpAuthority=" + grpAuthority +
+                ", name=" + name +
                 '}';
     }
 }

src/main/java/io/home/pi/domain/GrpAuthority.java src/main/java/io/home/pi/domain/GrpAuth.java

@@ -16,25 +16,22 @@
 @Setter
 @Getter
 @Entity
-@Table(schema = "rpi", name = "grp_authority")
-public class GrpAuthority {
+@Table(schema = "rpi", name = "g_auth")
+public class GrpAuth {
     @Id
     @GeneratedValue(strategy = GenerationType.IDENTITY)
     @Column(name = "id")
     private Integer id;
 
-    @OneToOne(cascade = CascadeType.ALL)
-    private Grp grp;
-
     //    @OneToMany(cascade = CascadeType.ALL, mappedBy = "grp_authority")
-    @OneToMany(cascade = CascadeType.ALL)
-    private Set<Authority> authorities;
+    @OneToMany(cascade = CascadeType.ALL, fetch = FetchType.EAGER, targetEntity = Auth.class)
+    @JoinColumn(name = "id")
+    private Set<Auth> authorities;
 
     @Override
     public String toString() {
-        return "GrpAuthority{" +
+        return "GrpAuth{" +
                 "id=" + id +
-                ", grp=" + grp +
                 ", authorities=" + authorities +
                 '}';
     }

src/main/java/io/home/pi/domain/Team.java

@@ -0,0 +1,43 @@
+package io.home.pi.domain;
+
+import lombok.Getter;
+import lombok.Setter;
+
+import javax.persistence.*;
+import java.util.Set;
+
+/**
+ * PROJECT   :pi
+ * PACKAGE   :io.home.pi.domain
+ * USER      :Sean
+ * DATE      :2018/06/14
+ * TIME      :21:40
+ */
+@Setter
+@Getter
+@Entity
+@Table(schema = "rpi", name = "team")
+public class Team {
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    @Column(name = "id")
+    private Integer id;
+
+    @OneToOne(cascade = CascadeType.DETACH)
+    private Grp grp;
+
+    @OneToOne(cascade = CascadeType.ALL, fetch = FetchType.EAGER)
+    private GrpAuth grpAuth;
+
+    @OneToMany(cascade = CascadeType.ALL, targetEntity = User.class, fetch = FetchType.LAZY)
+    private Set<User> users;
+
+    @Override
+    public String toString() {
+        return "Team{" +
+                "id=" + id +
+                ", grp=" + grp +
+                ", grpAuth=" + grpAuth +
+                '}';
+    }
+}

src/main/java/io/home/pi/domain/User.java

@@ -4,7 +4,6 @@
 import lombok.Setter;
 
 import javax.persistence.*;
-import java.util.Set;
 
 /**
  * PROJECT   :pi
@@ -33,8 +32,8 @@ public class User {
     @Transient
     private String token;
 
-    @ManyToOne(targetEntity = Grp.class, fetch = FetchType.LAZY)
-    private Set<Grp> grps;
+    @ManyToOne(targetEntity = Team.class, fetch = FetchType.EAGER)
+    private Team team;
 
     @Override
     public String toString() {
@@ -44,7 +43,7 @@ public String toString() {
                 ", password='" + password + '\'' +
                 ", enabled=" + enabled +
                 ", token='" + token + '\'' +
-                ", grp=" + grps +
+                ", teams=" + team +
                 '}';
     }
 }

src/main/java/io/home/pi/repo/AuthorityRepo.java

@@ -1,6 +1,6 @@
 package io.home.pi.repo;
 
-import io.home.pi.domain.Authority;
+import io.home.pi.domain.Auth;
 import org.springframework.data.repository.CrudRepository;
 
 /**
@@ -10,6 +10,6 @@
  * DATE      : 19-June-2018
  * TIME      : 23:38
  */
-public interface AuthorityRepo extends CrudRepository<Authority, Integer> {
+public interface AuthorityRepo extends CrudRepository<Auth, Integer> {
 
 }

src/main/java/io/home/pi/repo/GroupAuthorityRepo.java

@@ -1,6 +1,6 @@
 package io.home.pi.repo;
 
-import io.home.pi.domain.GrpAuthority;
+import io.home.pi.domain.GrpAuth;
 import org.springframework.data.repository.CrudRepository;
 
 /**
@@ -10,6 +10,6 @@
  * DATE      : 19-June-2018
  * TIME      : 23:24
  */
-public interface GroupAuthorityRepo extends CrudRepository<GrpAuthority, Integer> {
+public interface GroupAuthorityRepo extends CrudRepository<GrpAuth, Integer> {
 
 }

src/main/java/io/home/pi/repo/GroupRepo.java

@@ -1,6 +1,6 @@
 package io.home.pi.repo;
 
-import io.home.pi.domain.Grp;
+import io.home.pi.domain.Team;
 import org.springframework.data.repository.CrudRepository;
 import org.springframework.stereotype.Repository;
 
@@ -12,6 +12,6 @@
  * TIME      : 20:16
  */
 @Repository
-public interface GroupRepo extends CrudRepository<Grp, Integer> {
+public interface GroupRepo extends CrudRepository<Team, Integer> {
 
 }

src/main/java/io/home/pi/service/impl/LoginServiceImpl.java

@@ -2,8 +2,7 @@
 
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import io.home.pi.domain.Grp;
-import io.home.pi.domain.GrpAuthority;
+import io.home.pi.domain.GrpAuth;
 import io.home.pi.domain.User;
 import io.home.pi.service.UserService;
 import org.slf4j.Logger;
@@ -67,15 +66,14 @@ public UserDetails loadUserByUsername(String username) throws UsernameNotFoundEx
     private List<GrantedAuthority> getGrantedAuthorities(User user) {
         List<GrantedAuthority> authorities = new ArrayList<>();
         try {
-            List<GrpAuthority> groupAuthorities = new ArrayList<>();
+            List<GrpAuth> groupAuthorities = new ArrayList<>();
+
+            groupAuthorities.add(user.getTeam().getGrpAuth());
 
-            for (Grp grp : user.getGrps()) {
-                groupAuthorities.add(grp.getGrpAuthority());
-            }
 
-            for (GrpAuthority userAuth : decodeHashMap(groupAuthorities)) {
-                LOGGER.info("User Authority: " + userAuth.toString());
-                authorities.add(new SimpleGrantedAuthority(USER_ROLE_PREFIX + userAuth.getAuthorities()));
+            for (GrpAuth userAuth : groupAuthorities) {
+                LOGGER.info("User Auth: " + userAuth.toString());
+                authorities.add(new SimpleGrantedAuthority(USER_ROLE_PREFIX + userAuth.getAuthorities().iterator().next().getLevel()));
             }
         } catch (Exception e) {
             LOGGER.error(e.getMessage(), e);
@@ -90,13 +88,13 @@ private List<GrantedAuthority> getGrantedAuthorities(User user) {
     }
 
 
-    private List<GrpAuthority> decodeHashMap(List<GrpAuthority> authorities) {
-        List<GrpAuthority> authoritiesArrayList = new ArrayList<>();
+    private List<GrpAuth> decodeHashMap(List<GrpAuth> authorities) {
+        List<GrpAuth> authoritiesArrayList = new ArrayList<>();
         ObjectMapper mapper = new ObjectMapper();
 
         try {
-            List<GrpAuthority> groupAuthorities = mapper.convertValue(authorities,
-                    new TypeReference<List<GrpAuthority>>() {
+            List<GrpAuth> groupAuthorities = mapper.convertValue(authorities,
+                    new TypeReference<List<GrpAuth>>() {
                     });
 
             authoritiesArrayList.addAll(groupAuthorities);

src/main/resources/data.sql

@@ -0,0 +1,19 @@
+insert into rpi.g_auth (id) values (1);
+insert into rpi.g_auth (id) values (2);
+insert into rpi.g_auth (id) values (3);
+insert into rpi.g_auth (id) values (4);
+
+insert into rpi.auth (id, level) values (1, 'USER');
+insert into rpi.auth (id, level) values (2, 'ADMIN');
+insert into rpi.auth (id, level) values (3, 'SUPER');
+insert into rpi.auth (id, level) values (4, 'ANONYMOUS');
+
+insert into rpi.grp (name) values ('GREEN');
+insert into rpi.grp (name) values ('ORANGE');
+insert into rpi.grp (name) values ('RED');
+insert into rpi.grp (name) values ('YELLOW');
+
+insert into rpi.team (grp_id, grp_auth_id) values (1, 1);
+
+insert into rpi.user (username, password, enabled, team_id)
+values ('demo@email.com', 'ebde6e599feaa84afdf86ab799964e60', true, 1)