/*
* Copyright 2015 herd contributors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.finra.herd.app.security;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;
import org.finra.herd.core.ApplicationContextHolder;
import org.finra.herd.core.helper.ConfigurationHelper;
import org.finra.herd.core.helper.SpelExpressionHelper;
import org.finra.herd.dao.SecurityFunctionDao;
import org.finra.herd.model.dto.ConfigurationValue;
import org.finra.herd.model.dto.SecurityUserWrapper;
/**
* A helper class for Security code.
*/
@Component
public class SecurityHelper
{
@Autowired
private ConfigurationHelper configurationHelper;
@Autowired
private SpelExpressionHelper spelExpressionHelper;
/**
* Retrieves functional points that have no roles mapped to them.
*
* @return set of {@link GrantedAuthority} representing functional points
*/
public Set<GrantedAuthority> getUnrestrictedFunctions()
{
// TODO Getting HerdDao from applicationContext statically because if we try to wire HerdDao here it does not get constructed with proxy class that is
// needed for @Cacheable methods to work.
SecurityFunctionDao securityFunctionDao = ApplicationContextHolder.getApplicationContext().getBean(SecurityFunctionDao.class);
Set<GrantedAuthority> authorities = new HashSet<>();
// Add all unrestricted functional points.
for (String function : securityFunctionDao.getUnrestrictedSecurityFunctions())
{
authorities.add(new SimpleGrantedAuthority(function));
}
return authorities;
}
/**
* Checks whether security is enabled based on SpEL expression defined in environment.
*
* @param request {@link HttpServletRequest} to determine whether security is enabled.
*
* @return true if security is enabled, false if disabled.
*/
public boolean isSecurityEnabled(HttpServletRequest request)
{
Boolean isSecurityEnabled = true;
String enableSecuritySpelExpression = configurationHelper.getProperty(ConfigurationValue.SECURITY_ENABLED_SPEL_EXPRESSION);
if (StringUtils.isNotBlank(enableSecuritySpelExpression))
{
Map<String, Object> variables = new HashMap<>();
variables.put("request", request);
isSecurityEnabled = spelExpressionHelper.evaluate(enableSecuritySpelExpression, Boolean.class, variables);
}
return isSecurityEnabled;
}
/**
* Checks whether the user was generated by.
*
* @param authentication the Authentication containing the user object.
* @param generatedByClass the class to check that the user was generated by.
*
* @return boolean
*/
public boolean isUserGeneratedByClass(Authentication authentication, Class<?> generatedByClass)
{
boolean isGeneratedBy = false;
if (authentication != null)
{
SecurityUserWrapper securityUserWrapper = (SecurityUserWrapper) authentication.getPrincipal();
if (securityUserWrapper != null && securityUserWrapper.getApplicationUser().getGeneratedByClass().equals(generatedByClass))
{
isGeneratedBy = true;
}
}
return isGeneratedBy;
}
/**
* Maps the given collection of roles to functional points.
*
* @param roles - the collection of roles to map to functions.
*
* @return set of {@link GrantedAuthority} representing functional points.
*/
public Set<GrantedAuthority> mapRolesToFunctions(Collection<String> roles)
{
// TODO Getting HerdDao from applicationContext statically because if we try to wire HerdDao here it does not get constructed with proxy class that is
// needed for @Cacheable methods to work.
SecurityFunctionDao securityFunctionDao = ApplicationContextHolder.getApplicationContext().getBean(SecurityFunctionDao.class);
Set<GrantedAuthority> authorities = new HashSet<>();
for (String role : roles)
{
if (role.equalsIgnoreCase(TrustedApplicationUserBuilder.TRUSTED_USER_ROLE))
{
// Add all functional points.
for (String function : securityFunctionDao.getSecurityFunctions())
{
authorities.add(new SimpleGrantedAuthority(function));
}
}
else
{
for (String function : securityFunctionDao.getSecurityFunctionsForRole(role))
{
authorities.add(new SimpleGrantedAuthority(function));
}
}
}
return authorities;
}
}