From 5eee631c7ecf0714dd002ef50e34cb9a9396282e Mon Sep 17 00:00:00 2001
From: Florian Lacreuse
Date: Mon, 4 Nov 2024 11:24:06 +0100
Subject: [PATCH] User security: super user check only for role system
---
 .../BasicApplicationPermissionConstants.java | 11 +++--
 .../front/user/template/UserTemplate.java | 6 +--
 .../test/web/AnnouncementPageTestCase.java | 3 ++
 .../test/web/BasicUserDetailPageTestCase.java | 9 ++++
 .../test/web/BasicUserListPageTestCase.java | 49 +++++-------------
 .../test/java/test/web/HomePageTestCase.java | 11 +++++
 .../test/web/ReferenceDataPageTestCase.java | 3 ++
 .../test/java/test/web/ValidatorTestCase.java | 4 ++
 .../AbstractCorePermissionEvaluator.java | 3 +-
 9 files changed, 54 insertions(+), 45 deletions(-)
diff --git a/basic-application/basic-application-back/src/main/java/basicapp/back/security/model/BasicApplicationPermissionConstants.java b/basic-application/basic-application-back/src/main/java/basicapp/back/security/model/BasicApplicationPermissionConstants.java
index 045c570cd6..46ba45ba94 100644
--- a/basic-application/basic-application-back/src/main/java/basicapp/back/security/model/BasicApplicationPermissionConstants.java
+++ b/basic-application/basic-application-back/src/main/java/basicapp/back/security/model/BasicApplicationPermissionConstants.java
@@ -39,12 +39,15 @@ public class BasicApplicationPermissionConstants extends CorePermissionConstants
 // Add contants of the form public static final String MY_PERMISSION_NAME = "MY_PERMISSION_NAME"; // here
- public static final String GLOBAL_ROLE_READ = "GLOBAL_ROLE_READ";
- public static final String GLOBAL_ROLE_WRITE = "GLOBAL_ROLE_WRITE";
+ public static final String GLOBAL_REFERENCE_DATA_READ = "GLOBAL_REFERENCE_DATA_READ";
+ public static final String GLOBAL_REFERENCE_DATA_WRITE = "GLOBAL_REFERENCE_DATA_WRITE";
+
 public static final String GLOBAL_USER_READ = "GLOBAL_USER_READ";
 public static final String GLOBAL_USER_WRITE = "GLOBAL_USER_WRITE";
+
+ public static final String GLOBAL_ROLE_READ = "GLOBAL_ROLE_READ";
+ public static final String GLOBAL_ROLE_WRITE = "GLOBAL_ROLE_WRITE";
+
 public static final String GLOBAL_ANNOUNCEMENT_READ = "GLOBAL_ANNOUNCEMENT_READ";
 public static final String GLOBAL_ANNOUNCEMENT_WRITE = "GLOBAL_ANNOUNCEMENT_WRITE";
- public static final String GLOBAL_REFERENCE_DATA_READ = "GLOBAL_REFERENCE_DATA_READ";
- public static final String GLOBAL_REFERENCE_DATA_WRITE = "GLOBAL_REFERENCE_DATA_WRITE";
 }
diff --git a/basic-application/basic-application-front/src/main/java/basicapp/front/user/template/UserTemplate.java b/basic-application/basic-application-front/src/main/java/basicapp/front/user/template/UserTemplate.java
index 7d2ecfa006..845ba636c5 100644
--- a/basic-application/basic-application-front/src/main/java/basicapp/front/user/template/UserTemplate.java
+++ b/basic-application/basic-application-front/src/main/java/basicapp/front/user/template/UserTemplate.java
@@ -1,6 +1,7 @@
 package basicapp.front.user.template;
-import basicapp.back.security.model.BasicApplicationPermissionConstants;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_USER_READ;
+
 import basicapp.front.common.template.MainTemplate;
 import basicapp.front.user.page.BasicUserListPage;
 import org.apache.wicket.markup.html.WebPage;
@@ -9,8 +10,7 @@
 import org.iglooproject.wicket.more.markup.html.template.model.BreadCrumbElement;
 import org.iglooproject.wicket.more.security.authorization.AuthorizeInstantiationIfPermission;
-@AuthorizeInstantiationIfPermission(
- permissions = BasicApplicationPermissionConstants.GLOBAL_USER_READ)
+@AuthorizeInstantiationIfPermission(permissions = GLOBAL_USER_READ)
 public abstract class UserTemplate extends MainTemplate {
 private static final long serialVersionUID = 1L;
diff --git a/basic-application/basic-application-front/src/test/java/test/web/AnnouncementPageTestCase.java b/basic-application/basic-application-front/src/test/java/test/web/AnnouncementPageTestCase.java
index e7749dc411..461c034806 100644
--- a/basic-application/basic-application-front/src/test/java/test/web/AnnouncementPageTestCase.java
+++ b/basic-application/basic-application-front/src/test/java/test/web/AnnouncementPageTestCase.java
@@ -1,5 +1,6 @@
 package test.web;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_ANNOUNCEMENT_READ;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import basicapp.front.announcement.page.AnnouncementListPage;
@@ -14,6 +15,8 @@ class AnnouncementPageTestCase extends AbstractBasicApplicationWebappTestCase {
 @Test
 void initPage() throws ServiceException, SecurityServiceException {
+ addPermissions(administrator, GLOBAL_ANNOUNCEMENT_READ);
+
 authenticateUser(administrator);
 tester.startPage(AnnouncementListPage.class);
diff --git a/basic-application/basic-application-front/src/test/java/test/web/BasicUserDetailPageTestCase.java b/basic-application/basic-application-front/src/test/java/test/web/BasicUserDetailPageTestCase.java
index 331289f747..60fa04fc37 100644
--- a/basic-application/basic-application-front/src/test/java/test/web/BasicUserDetailPageTestCase.java
+++ b/basic-application/basic-application-front/src/test/java/test/web/BasicUserDetailPageTestCase.java
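Review bot: The added `addPermissions(administrator, GLOBAL_ANNOUNCEMENT_READ)` in initPage only proves the granted path; nothing asserts that `administrator` without that permission is now refused, which is precisely the behaviour this commit introduces by limiting `isSuperUser` to the system role. A companion case along the lines of `authenticateUser(administrator); assertThrows(UnauthorizedInstantiationException.class, () -> tester.startPage(AnnouncementListPage.class));` would pin the regression — `assertThrows` is already imported here, and the exact exception type should be matched to whatever the file's existing denial tests expect, presumably Wicket's UnauthorizedInstantiationException. The same gap applies to the equivalent hunks in BasicUserDetailPageTestCase, BasicUserListPageTestCase, HomePageTestCase, ReferenceDataPageTestCase and ValidatorTestCase. initPage continues past the end of the hunk.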
@@ -1,5 +1,7 @@
 package test.web;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_USER_READ;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_USER_WRITE;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -21,7 +23,10 @@ class BasicUserDetailPageTestCase extends AbstractBasicApplicationWebappTestCase
 @Test
 void initPage() throws ServiceException, SecurityServiceException {
+ addPermissions(administrator, GLOBAL_USER_READ);
+
 authenticateUser(administrator);
+
 String url = BasicUserDetailPage.MAPPER.ignoreParameter2().map(GenericEntityModel.of(basicUser)).url();
 tester.executeUrl(url);
@@ -31,6 +36,8 @@ void initPage() throws ServiceException, SecurityServiceException {
 @Test
 void breadcrumb() throws ServiceException, SecurityServiceException {
+ addPermissions(administrator, GLOBAL_USER_READ);
+
 authenticateUser(administrator);
 String url =
@@ -64,6 +71,8 @@ void breadcrumb() throws ServiceException, SecurityServiceException {
 @Test
 void desactivateUser() throws ServiceException, SecurityServiceException {
+ addPermissions(administrator, GLOBAL_USER_READ, GLOBAL_USER_WRITE);
+
 authenticateUser(administrator);
 String url =
diff --git a/basic-application/basic-application-front/src/test/java/test/web/BasicUserListPageTestCase.java b/basic-application/basic-application-front/src/test/java/test/web/BasicUserListPageTestCase.java
index 1166621745..fa40991b03 100644
--- a/basic-application/basic-application-front/src/test/java/test/web/BasicUserListPageTestCase.java
+++ b/basic-application/basic-application-front/src/test/java/test/web/BasicUserListPageTestCase.java
@@ -1,23 +1,19 @@
 package test.web;
-import static org.assertj.core.api.Assertions.assertThat;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_USER_READ;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import basicapp.back.business.user.model.User;
 import basicapp.back.business.user.search.UserSort;
-import basicapp.front.user.form.UserAjaxDropDownSingleChoice;
 import basicapp.front.user.page.BasicUserDetailPage;
 import basicapp.front.user.page.BasicUserListPage;
 import basicapp.front.user.page.TechnicalUserListPage;
 import igloo.wicket.component.CountLabel;
-import java.util.Objects;
 import org.apache.wicket.util.tester.FormTester;
 import org.iglooproject.jpa.exception.SecurityServiceException;
 import org.iglooproject.jpa.exception.ServiceException;
 import org.iglooproject.wicket.more.markup.repeater.sequence.SequenceGridView;
-import org.iglooproject.wicket.more.markup.repeater.table.DecoratedCoreDataTablePanel;
 import org.iglooproject.wicket.more.markup.repeater.table.column.CoreLabelLinkColumnPanel;
-import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import test.web.config.spring.SpringBootTestBasicApplicationWebapp;
@@ -26,6 +22,8 @@ class BasicUserListPageTestCase extends AbstractBasicApplicationWebappTestCase {
 @Test
 void initPage() throws ServiceException, SecurityServiceException {
+ addPermissions(administrator, GLOBAL_USER_READ);
+
 authenticateUser(administrator);
 tester.startPage(BasicUserListPage.class);
@@ -34,6 +32,8 @@ void initPage() throws ServiceException, SecurityServiceException {
 @Test
 void dataTableBuilderCountZero() throws ServiceException, SecurityServiceException {
+ addPermissions(administrator, GLOBAL_USER_READ);
+
 authenticateUser(administrator);
 tester.startPage(TechnicalUserListPage.class);
@@ -51,6 +51,8 @@ void dataTableBuilderCountZero() throws ServiceException, SecurityServiceExcepti
 @Test
 void dataTableBuilderCountOne() throws ServiceException, SecurityServiceException {
+ addPermissions(administrator, GLOBAL_USER_READ);
+
 authenticateUser(administrator);
 tester.startPage(TechnicalUserListPage.class);
@@ -64,6 +66,8 @@ void dataTableBuilderCountOne() throws ServiceException, SecurityServiceExceptio
 @Test
 void dataTableBuilderCountMultiple() throws ServiceException, SecurityServiceException {
+ addPermissions(administrator, GLOBAL_USER_READ);
+
 authenticateUser(administrator);
 tester.startPage(BasicUserListPage.class);
@@ -75,39 +79,10 @@ void dataTableBuilderCountMultiple() throws ServiceException, SecurityServiceExc
 "results:headingAddInContainer:leftAddInWrapper:leftAddIn:1", "2 utilisateurs");
 }
- @Test
- @Disabled("n'est plus utile car plus de usergroup, a modifier pour checker le quicksearch ?")
- public void dataTableBuilderFiltersDropDown() throws ServiceException, SecurityServiceException {
- authenticateUser(administrator);
-
- tester.startPage(BasicUserListPage.class);
- tester.assertRenderedPage(BasicUserListPage.class);
-
- tester.assertVisible("results", DecoratedCoreDataTablePanel.class);
- @SuppressWarnings("unchecked")
- DecoratedCoreDataTablePanel results =
- (DecoratedCoreDataTablePanel) tester.getComponentFromLastRenderedPage("results");
- assertThat(results.getItemCount()).isEqualTo(2);
-
- FormTester form = tester.newFormTester("search:form");
-
- // TODO voir comment on peut ajouter une valeur dans un AjaxDropDown et la selectionnée
- UserAjaxDropDownSingleChoice userQuickSearch =
- (UserAjaxDropDownSingleChoice)
- form.getForm()
- .streamChildren()
- .filter(children -> Objects.equals(children.getId(), "quickAccess"))
- .findFirst()
- .orElse(null);
- form.setValue(userQuickSearch, "basicUser2");
-
- form.submit();
-
- assertThat(results.getItemCount()).isEqualTo(1);
- }
-
 @Test
 void accessToDetail() throws ServiceException, SecurityServiceException {
+ addPermissions(administrator, GLOBAL_USER_READ);
+
 authenticateUser(administrator);
 tester.startPage(BasicUserListPage.class);
@@ -136,6 +111,8 @@ void accessToDetail() throws ServiceException, SecurityServiceException {
 @Test
 void excelButtonTootilp() throws ServiceException, SecurityServiceException {
+ addPermissions(administrator, GLOBAL_USER_READ);
+
 authenticateUser(administrator);
 tester.startPage(BasicUserListPage.class);
diff --git a/basic-application/basic-application-front/src/test/java/test/web/HomePageTestCase.java b/basic-application/basic-application-front/src/test/java/test/web/HomePageTestCase.java
index da7fc62897..0842142b8e 100644
--- a/basic-application/basic-application-front/src/test/java/test/web/HomePageTestCase.java
+++ b/basic-application/basic-application-front/src/test/java/test/web/HomePageTestCase.java
@@ -1,5 +1,9 @@
 package test.web;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_ANNOUNCEMENT_READ;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_REFERENCE_DATA_READ;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_ROLE_READ;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_USER_READ;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import basicapp.back.security.model.BasicApplicationPermissionConstants;
@@ -77,6 +81,13 @@ void sidebarMenuUserAuthenticated() throws ServiceException, SecurityServiceExce
 @Test
 void sidebarMenuUserAdmin() throws ServiceException, SecurityServiceException {
+ addPermissions(
+ administrator,
+ GLOBAL_REFERENCE_DATA_READ,
+ GLOBAL_USER_READ,
+ GLOBAL_ROLE_READ,
+ GLOBAL_ANNOUNCEMENT_READ);
+
 authenticateUser(administrator);
 tester.startPage(HomePage.class);
diff --git a/basic-application/basic-application-front/src/test/java/test/web/ReferenceDataPageTestCase.java b/basic-application/basic-application-front/src/test/java/test/web/ReferenceDataPageTestCase.java
index 3cd19389e7..8f97dda464 100644
--- a/basic-application/basic-application-front/src/test/java/test/web/ReferenceDataPageTestCase.java
+++ b/basic-application/basic-application-front/src/test/java/test/web/ReferenceDataPageTestCase.java
@@ -1,5 +1,6 @@
 package test.web;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_REFERENCE_DATA_READ;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import basicapp.front.referencedata.page.ReferenceDataPage;
@@ -14,6 +15,8 @@ class ReferenceDataPageTestCase extends AbstractBasicApplicationWebappTestCase {
 @Test
 void initPage() throws ServiceException, SecurityServiceException {
+ addPermissions(administrator, GLOBAL_REFERENCE_DATA_READ);
+
 authenticateUser(administrator);
 tester.startPage(ReferenceDataPage.class);
diff --git a/basic-application/basic-application-front/src/test/java/test/web/ValidatorTestCase.java b/basic-application/basic-application-front/src/test/java/test/web/ValidatorTestCase.java
index 456f61bfbf..5df9319f81 100644
--- a/basic-application/basic-application-front/src/test/java/test/web/ValidatorTestCase.java
+++ b/basic-application/basic-application-front/src/test/java/test/web/ValidatorTestCase.java
@@ -1,5 +1,7 @@
 package test.web;
+import static basicapp.back.security.model.BasicApplicationPermissionConstants.GLOBAL_USER_READ;
+
 import basicapp.front.profile.page.ProfilePage;
 import basicapp.front.user.page.TechnicalUserListPage;
 import org.apache.wicket.Component;
@@ -17,6 +19,8 @@ class ValidatorTestCase extends AbstractBasicApplicationWebappTestCase {
 /** Test the UserPasswordValidator when username = password which shouldn't be allowed */
 @Test
 void technicalUserPasswordValidator() throws ServiceException, SecurityServiceException {
+ addPermissions(administrator, GLOBAL_USER_READ);
+
 authenticateUser(administrator);
 tester.startPage(TechnicalUserListPage.class);
diff --git a/igloo/igloo-components/igloo-component-jpa-security/src/main/java/org/iglooproject/jpa/security/service/AbstractCorePermissionEvaluator.java b/igloo/igloo-components/igloo-component-jpa-security/src/main/java/org/iglooproject/jpa/security/service/AbstractCorePermissionEvaluator.java
index f5b785db6a..62d3550c56 100644
--- a/igloo/igloo-components/igloo-component-jpa-security/src/main/java/org/iglooproject/jpa/security/service/AbstractCorePermissionEvaluator.java
+++ b/igloo/igloo-components/igloo-component-jpa-security/src/main/java/org/iglooproject/jpa/security/service/AbstractCorePermissionEvaluator.java
@@ -108,8 +108,7 @@ protected Collection getPermissions(Authentication authentication) {
 @Override
 public boolean isSuperUser(Authentication authentication) {
 if (authentication != null) {
- return securityService.hasSystemRole(authentication)
- || securityService.hasAdminRole(authentication);
+ return securityService.hasSystemRole(authentication);
 }
 return false;
 }
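Review bot: `isSuperUser` now returns true only for the system role, but neither the override nor anything else in the hunk records that the admin role has stopped short-circuiting permission evaluation, so the dropped `hasAdminRole` branch reads as easily as an accident as a decision. A Javadoc on the override would make the intent explicit, e.g. `/** Only the system role bypasses permission checks; administrators must hold the explicit GLOBAL_* permissions. */`. This is a privilege reduction, so the risk is silent denial rather than escalation: any caller outside the pages whose tests this commit touches that relied on administrators passing `isSuperUser` would now be refused, and that inventory is not visible in this diff. The enclosing class continues outside the hunk.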