[NAE-1617] Authority Refactor

docs/authorization/authority.md

@@ -0,0 +1,120 @@
+# Authority management
+Netgrif Application Engine implements authority objects to manage access
+to resources, to protect resources from unauthorized access. Then these 
+authorities can be assigned to users to provide access to those secured
+resources.
+
+## Authorizing objects
+Authorizing objects are Java enum values, that represent authorities,
+that are needed to access a resource or use an action. E.g. to be able to import new 
+process (Petri Net) into the application, the user must have authority 
+created from `AuthorizingObject.PROCESS_UPLOAD` authorizing object.
+
+These authorizing objects are predefined, and they are used to create the 
+`Authority` objects/entities at application startup. There followings are predefined:
+
+- `PROCESS_UPLOAD`- to import new process
+- `PROCESS_VIEW_ALL`- to retrieve all the processes imported by any user
+- `PROCESS_VIEW_OWN`- to retrieve only processes imported by logged user
+- `PROCESS_DELETE_ALL`- to delete processes imported by any user
+- `PROCESS_DELETE_OWN`- to delete processes imported by logged user
+- `FILTER_UPLOAD`- to upload filter
+- `FILTER_DELETE_OWN`- to delete filter imported by logged user
+- `FILTER_DELETE_ALL`- to delete filter imported by any user
+- `USER_CREATE`- to invite or create user
+- `USER_DELETE`- to remove user
+- `USER_EDIT_ALL`- to edit any user
+- `USER_EDIT_SELF`- to edit only logged user
+- `USER_VIEW_ALL`- to retrieve all users
+- `USER_VIEW_SELF`- to retrieve only logged user
+- `GROUP_CREATE`- to create group
+- `GROUP_DELETE_OWN`- to delete group created by logged user
+- `GROUP_DELETE_ALL`- to delete group create by any user
+- `GROUP_ADD_USER`- to add any user to any group
+- `GROUP_REMOVE_USER`- to remove any user from any group
+- `GROUP_VIEW_ALL`- to retrieve any group
+- `GROUP_VIEW_OWN`- to retrieve group of logged user
+- `ROLE_ASSIGN_TO_USER`- to assign role to user
+- `ROLE_REMOVE_FROM_USER`- to remove role from user
+- `AUTHORITY_CREATE`- to create authority
+- `AUTHORITY_DELETE`- to delete authority
+- `AUTHORITY_VIEW_ALL`- to retrieve any authority
+- `CASE_VIEW_ALL`- to view all cases
+- `CASE_CREATE`- to create case
+- `CASE_DELETE`- to delete case
+- `CASE_DATA_GET_ALL`- to get all data of case
+- `TASK_RELOAD`- to reload tasks
+- `TASK_ASSIGN`- to assign task
+- `TASK_FINISH`- to finish task
+- `TASK_CANCEL`- to cancel task
+- `TASK_DELEGATE`- to delegate task
+- `TASK_SAVE_DATA`- to save data on task
+- `ELASTIC_REINDEX` - to reindex Elasticsearch database
+- `LDAP_GROUP_GET_ALL` - to get all LDAP groups 
+- `LDAP_GROUP_ASSIGN_ROLES` - to assign roles to LDAP groups
+
+However, it is possible to add custom authorizing objects using `nae.authority.authorizing-objects` 
+property in `application.properties` files as following:
+
+```
+# Authorities
+nae.authority.authorizing-objects=EXAMPLE_AUTHORITY_1,EXAMPLE_AUTHORITY_2
+```
+
+## Authorization definition
+
+You can define authorization for any method in the Netgrif Application Engine project.
+You can use the new `@Authorize` annotation over the method definitions. This annotation can
+be defined once or multiple times over a method:
+
+```
+@Authorize(authority = "PROCESS_UPLOAD", expression = "#canUpload(#userId)"
+void importPetriNet(File petriNet) {
+    ...
+}
+```
+
+The ``@Authorize`` annotation has two fields: 
+- `authority` - an authority, that the authenticated user is needed to be checked for
+- `expression` - an expression that returns boolean and serves as additional authorization
+
+## Authorization check
+
+The statements are evaluated in `BaseAuthorizationServiceAspect` bean that is implemented using AOP. The user will have 
+valid authorization if it has the required `authority` AND fulfills additional authorization defined 
+in `expression` (authority check returns `true` AND expression check returns `true`).
+
+
+If there is no `authority` defined, the authorization method returns `true` for authority check.
+In the following example, user must fulfill addition authorization implemented in `canUpload(String userId)` 
+function:
+```
+@Authorize(expression = "#canUpload(#userId))
+void importPetriNet(File petriNet) {
+    ...
+}
+```
+
+If there is no `expression` defined, the authorization method always returns`true` for expression check.
+In the following example, user must have `PROCESS_UPLOAD` authority:
+```
+@Authorize(authority = "PROCESS_UPLOAD")
+void importPetriNet(File petriNet) {
+    ...
+}
+```
+
+
+If there are more authorizations defined using `@Authorize`, then OR statement is valid
+between the multiple `@Authorize` statements, so user must fulfill at least one `@Authorize` statement.
+In the following example, the logged user must have `PROCESS_UPLOAD` authority AND must fulfill `canUpload(String userId)`
+expression, OR must fulfill `isAdmin(String userId)` expression:
+```
+@Authorize(authority = "PROCESS_UPLOAD", expression = "#canUpload(#userId)",
+@Authorize(expression = "isAdmin(#userId)")
+void importPetriNet(File petriNet) {
+    ...
+}
+```
+
+

pom.xml

@@ -399,6 +399,13 @@
             <version>2.2.0-rc2</version>
         </dependency>
 
+        <!-- Language injection -->
+        <dependency>
+            <groupId>org.jetbrains</groupId>
+            <artifactId>annotations</artifactId>
+            <version>23.0.0</version>
+        </dependency>
+
         <!-- Dev tools -->
         <dependency>
             <groupId>org.springframework.boot</groupId>

src/main/groovy/com/netgrif/application/engine/petrinet/domain/dataset/logic/action/ActionDelegate.groovy

@@ -2,6 +2,9 @@ package com.netgrif.application.engine.petrinet.domain.dataset.logic.action
 
 import com.netgrif.application.engine.AsyncRunner
 import com.netgrif.application.engine.auth.domain.Author
+import com.netgrif.application.engine.auth.domain.Authorizations
+import com.netgrif.application.engine.auth.domain.AuthorizingObject
+import com.netgrif.application.engine.auth.domain.Authorize
 import com.netgrif.application.engine.auth.domain.IUser
 import com.netgrif.application.engine.auth.domain.LoggedUser
 import com.netgrif.application.engine.auth.service.UserDetailsServiceImpl
@@ -1137,6 +1140,8 @@ class ActionDelegate {
         mailService.sendMail(mailDraft)
     }
 
+    @Authorize(authority = "USER_EDIT_ALL")
+    @Authorize(authority = "USER_EDIT_OWN", expression = "@userService.getLoggedUser().email.equals(#email)")
     def changeUserByEmail(String email) {
         [email  : { cl ->
             changeUserByEmail(email, "email", cl)
@@ -1153,6 +1158,8 @@ class ActionDelegate {
         ]
     }
 
+    @Authorize(authority = "USER_EDIT_ALL")
+    @Authorize(authority = "USER_EDIT_OWN", expression = "@userService.getLoggedUser().stringId.equals(#id)")
     def changeUser(String id) {
         [email  : { cl ->
             changeUser(id, "email", cl)
@@ -1169,6 +1176,8 @@ class ActionDelegate {
         ]
     }
 
+    @Authorize(authority = "USER_EDIT_ALL")
+    @Authorize(authority = "USER_EDIT_OWN", expression = "@userService.getLoggedUser().stringId.equals(#user.getStringId())")
     def changeUser(IUser user) {
         [email  : { cl ->
             changeUser(user, "email", cl)
@@ -1185,16 +1194,22 @@ class ActionDelegate {
         ]
     }
 
+    @Authorize(authority = "USER_EDIT_ALL")
+    @Authorize(authority = "USER_EDIT_SELF", expression = "@userService.getLoggedUser().email.equals(#email)")
     def changeUserByEmail(String email, String attribute, def cl) {
         IUser user = userService.findByEmail(email, false)
         changeUser(user, attribute, cl)
     }
 
+    @Authorize(authority = "USER_EDIT_ALL")
+    @Authorize(authority = "USER_EDIT_SELF", expression = "@userService.getLoggedUser().stringId.equals(#id)")
     def changeUser(String id, String attribute, def cl) {
         IUser user = userService.findById(id, false)
         changeUser(user, attribute, cl)
     }
 
+    @Authorize(authority = "USER_EDIT_ALL")
+    @Authorize(authority = "USER_EDIT_SELF", expression = "@userService.getLoggedUser().stringId.equals(#user.getStringId())")
     def changeUser(IUser user, String attribute, def cl) {
         if (user == null) {
             log.error("Cannot find user.")
@@ -1210,6 +1225,7 @@ class ActionDelegate {
         userService.save(user)
     }
 
+    @Authorize(authority = "USER_CREATE")
     MessageResource inviteUser(String email) {
         NewUserRequest newUserRequest = new NewUserRequest()
         newUserRequest.email = email
@@ -1218,6 +1234,7 @@ class ActionDelegate {
         return inviteUser(newUserRequest)
     }
 
+    @Authorize(authority = "USER_CREATE")
     MessageResource inviteUser(NewUserRequest newUserRequest) {
         IUser user = registrationService.createNewUser(newUserRequest);
         if (user == null)
@@ -1228,13 +1245,15 @@ class ActionDelegate {
         return MessageResource.successMessage("Done");
     }
 
+    @Authorize(authority = "USER_DELETE")
     void deleteUser(String email) {
         IUser user = userService.findByEmail(email, false)
         if (user == null)
             log.error("Cannot find user with email [" + email + "]")
         deleteUser(user)
     }
 
+    @Authorize(authority = "USER_DELETE")
     void deleteUser(IUser user) {
         List<Task> tasks = taskService.findByUser(new FullPageRequest(), user).toList()
         if (tasks != null && tasks.size() > 0)

src/main/groovy/com/netgrif/application/engine/startup/AuthorityRunner.groovy

@@ -1,21 +1,30 @@
 package com.netgrif.application.engine.startup
 
-import com.netgrif.application.engine.auth.domain.Authority
+import com.netgrif.application.engine.auth.domain.AuthorizingObject
 import com.netgrif.application.engine.auth.service.interfaces.IAuthorityService
+import groovy.util.logging.Slf4j
 import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.beans.factory.annotation.Value
 import org.springframework.stereotype.Component
 
+@Slf4j
 @Component
 class AuthorityRunner extends AbstractOrderedCommandLineRunner {
 
+    @Value('${nae.authority.authorizing-objects:}')
+    private String[] additionalAuthorizingObjects
+
     @Autowired
     private IAuthorityService service
 
     @Override
     void run(String... strings) throws Exception {
-        service.getOrCreate(Authority.user)
-        service.getOrCreate(Authority.admin)
-        service.getOrCreate(Authority.systemAdmin)
-        service.getOrCreate(Authority.anonymous)
+        createAll()
+    }
+
+    void createAll() {
+        AuthorizingObject.values().toList().forEach(authority -> service.getOrCreate(authority.name()))
+        additionalAuthorizingObjects.toList().forEach(authority -> service.getOrCreate(authority))
+        log.info("Authorities created.")
     }
 }

src/main/groovy/com/netgrif/application/engine/startup/ImportHelper.groovy

@@ -91,10 +91,12 @@ class ImportHelper {
 
 
     @SuppressWarnings("GroovyAssignabilityCheck")
-    Map<String, Authority> createAuthorities(Map<String, String> authorities) {
-        HashMap<String, Authority> authoritities = new HashMap<>()
+    Map<String, List<Authority>> createAuthorities(Map<String, List<String>> authorities) {
+        HashMap<String, List<Authority>> authoritities = new HashMap<>()
         authorities.each { authority ->
-            authoritities.put(authority.key, authorityService.getOrCreate(authority.value))
+            if (!authoritities.containsKey(authority.key))
+                authoritities.put(authority.key, new ArrayList<Authority>())
+            authoritities.get(authority.key).addAll(authorityService.getOrCreate(authority.value))
         }
 
         log.info("Creating ${authoritities.size()} authorities")
@@ -123,24 +125,6 @@ class ImportHelper {
         return Optional.of(petriNet)
     }
 
-//    ProcessRole createUserProcessRole(PetriNet net, String name) {
-//        ProcessRole role = processRoleRepository.save(new ProcessRole(roleId:
-//                net.roles.values().find { it -> it.name.defaultValue == name }.stringId, netId: net.getStringId()))
-//        log.info("Created user process role $name")
-//        return role
-//    }
-//
-//    Map<String, ProcessRole> createUserProcessRoles(Map<String, String> roles, PetriNet net) {
-//        HashMap<String, ProcessRole> userRoles = new HashMap<>()
-//        roles.each { it ->
-//            userRoles.put(it.key, createUserProcessRole(net, it.value))
-//        }
-//
-//        log.info("Created ${userRoles.size()} process roles")
-//        return userRoles
-//    }
-
-
     ProcessRole getProcessRoleByImportId(PetriNet net, String roleId) {
         ProcessRole role = net.roles.values().find { it -> it.importId == roleId }
         return role

src/main/groovy/com/netgrif/application/engine/startup/SuperCreator.groovy

@@ -43,9 +43,7 @@ class SuperCreator extends AbstractOrderedCommandLineRunner {
     }
 
     private IUser createSuperUser() {
-        Authority adminAuthority = authorityService.getOrCreate(Authority.admin)
-        Authority systemAuthority = authorityService.getOrCreate(Authority.systemAdmin)
-
+        Set<Authority> adminAuthorities = authorityService.getDefaultAdminAuthorities()
         IUser superUser = userService.findByEmail("super@netgrif.com", false)
         if (superUser == null) {
             this.superUser = userService.saveNew(new User(
@@ -54,14 +52,19 @@ class SuperCreator extends AbstractOrderedCommandLineRunner {
                     email: "super@netgrif.com",
                     password: superAdminPassword,
                     state: UserState.ACTIVE,
-                    authorities: [adminAuthority, systemAuthority] as Set<Authority>,
+                    authorities: adminAuthorities as Set<Authority>,
                     processRoles: processRoleService.findAll() as Set<ProcessRole>))
             log.info("Super user created")
         } else {
             log.info("Super user detected")
             this.superUser = superUser
         }
 
+        adminAuthorities.forEach({
+            it.addUser(this.superUser)
+            authorityService.save(it)
+        })
+
         return this.superUser
     }
 

src/main/java/com/netgrif/application/engine/auth/domain/AbstractUser.java

@@ -34,11 +34,17 @@ public AbstractUser() {
     }
 
     public void addAuthority(Authority authority) {
-        if (authorities.stream().anyMatch(it -> it.get_id().equals(authority.get_id())))
+        if (authorities.stream().anyMatch(it -> it.getName().equals(authority.getName())))
             return;
         authorities.add(authority);
     }
 
+    public void removeAuthority(Authority authority) {
+        if (authorities.stream().noneMatch(it -> it.getName().equals(authority.getName())))
+            return;
+        authorities.remove(authority);
+    }
+
     public void addProcessRole(ProcessRole role) {
         if (processRoles.stream().anyMatch(it -> it.getStringId().equals(role.getStringId())))
             return;

src/main/java/com/netgrif/application/engine/auth/domain/AnonymousUser.java

@@ -2,8 +2,11 @@
 
 import lombok.Data;
 import org.bson.types.ObjectId;
+import org.springframework.cache.annotation.Cacheable;
 import org.springframework.data.mongodb.core.mapping.Document;
 
+import java.util.Set;
+
 @Document
 @Data
 public class AnonymousUser extends User {