This is an automated email from the ASF dual-hosted git repository. danhaywood pushed a commit to branch ISIS-2699 in repository https://gitbox.apache.org/repos/asf/isis.git
commit 0abc75f089e15dbbca6bf41da16af55c17c80562 Author: danhaywood <[email protected]> AuthorDate: Sun May 30 20:32:53 2021 +0100 ISIS-2699: adds config props for PermissionsEvaluationService also --- .../apache/isis/core/config/IsisConfiguration.java | 14 +++++++ .../secman/applib/IsisModuleExtSecmanApplib.java | 12 +++++- .../secman/applib/SecmanAutoConfiguration.java | 48 +++++++++------------- .../secman/applib/SecmanConfiguration.java | 14 +++---- ...PermissionsEvaluationServiceAllowBeatsVeto.java | 3 ++ ...PermissionsEvaluationServiceVetoBeatsAllow.java | 3 ++ 6 files changed, 58 insertions(+), 36 deletions(-) diff --git a/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java b/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java index f790afd..7b7f29a 100644 --- a/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java +++ b/core/config/src/main/java/org/apache/isis/core/config/IsisConfiguration.java @@ -3182,6 +3182,20 @@ public class IsisConfiguration { } + public enum PermissionsEvaluationPolicy { + ALLOW_BEATS_VETO, + VETO_BEATS_ALLOW + } + + /** + * If there are conflicting (allow vs veto) permissions at the same scope, then this policy determines + * whether to prefer to allow the permission or to veto it. + * + * <p> + * This is only used if a {@link org.apache.isis.extensions.secman.applib.permission.spi.PermissionsEvaluationService} has not been declared explicitly. + * </p> + */ + private PermissionsEvaluationPolicy permissionsEvaluationPolicy = PermissionsEvaluationPolicy.ALLOW_BEATS_VETO; private final UserRegistration userRegistration = new UserRegistration(); @Data diff --git a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/IsisModuleExtSecmanApplib.java b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/IsisModuleExtSecmanApplib.java index c0db454..542ebd9 100644 
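Review bot: The new `permissionsEvaluationPolicy` field defaults to `ALLOW_BEATS_VETO`, so when no property is set a conflicting allow/veto pair at the same scope resolves to access granted, and the Javadoc added above the field does not say so. Whether that matches the previous default is not visible in this diff, so I would state it explicitly, for example `Defaults to ALLOW_BEATS_VETO; set VETO_BEATS_ALLOW if a veto must always take precedence.` The two enum constants have no Javadoc of their own; a one-line comment on each would document what each policy decides. The `{@link}` points at a class in the secman extension, which may not resolve from core/config if that module has no dependency on the extension. The enclosing class starts and ends outside the hunk.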
--- a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/IsisModuleExtSecmanApplib.java +++ b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/IsisModuleExtSecmanApplib.java @@ -18,10 +18,15 @@ */ package org.apache.isis.extensions.secman.applib; +import org.springframework.boot.autoconfigure.AutoConfigureOrder; import org.springframework.boot.autoconfigure.EnableAutoConfiguration; +import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; +import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Import; +import org.apache.isis.applib.annotation.OrderPrecedence; +import org.apache.isis.core.config.IsisConfiguration; import org.apache.isis.extensions.secman.applib.feature.api.ApplicationFeatureChoices; import org.apache.isis.extensions.secman.applib.feature.contributions.ApplicationFeatureViewModel_permissions; import org.apache.isis.extensions.secman.applib.permission.app.ApplicationOrphanedPermissionManager; 
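Review bot: The imports added here (`AutoConfigureOrder`, `ConditionalOnMissingBean`, `Bean`, `OrderPrecedence`, `IsisConfiguration`) have no matching use in any visible hunk of this file, and the same holds for the three `PermissionsEvaluationService*` imports and `lombok.val` added in the following hunks. The only body changes shown are the removal of `//@EnableAutoConfiguration()` and one added blank line, so these look like leftovers from moving the bean factory into SecmanAutoConfiguration. I would drop them and also check whether the existing `EnableAutoConfiguration` import is still needed now that its commented-out use is gone. The class body is only partly visible here, so confirm against the full file.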
@@ -34,6 +39,9 @@ import org.apache.isis.extensions.secman.applib.permission.dom.mixins.Applicatio import org.apache.isis.extensions.secman.applib.permission.dom.mixins.ApplicationPermission_veto; import org.apache.isis.extensions.secman.applib.permission.dom.mixins.ApplicationPermission_viewing; import org.apache.isis.extensions.secman.applib.permission.menu.ApplicationPermissionMenu; +import org.apache.isis.extensions.secman.applib.permission.spi.PermissionsEvaluationService; +import org.apache.isis.extensions.secman.applib.permission.spi.PermissionsEvaluationServiceAllowBeatsVeto; +import org.apache.isis.extensions.secman.applib.permission.spi.PermissionsEvaluationServiceVetoBeatsAllow; import org.apache.isis.extensions.secman.applib.role.dom.mixins.ApplicationRole_addPermission; import org.apache.isis.extensions.secman.applib.role.dom.mixins.ApplicationRole_addUser; import org.apache.isis.extensions.secman.applib.role.dom.mixins.ApplicationRole_delete; @@ -77,6 +85,8 @@ import org.apache.isis.extensions.secman.applib.user.dom.mixins.perms.UserPermis import org.apache.isis.extensions.secman.applib.user.menu.ApplicationUserMenu; import org.apache.isis.extensions.secman.applib.user.menu.MeService; +import lombok.val; + /** * @since 2.0 {@index} */ @@ -167,7 +177,6 @@ import org.apache.isis.extensions.secman.applib.user.menu.MeService; // SecmanAutoConfiguration.class, }) -//@EnableAutoConfiguration() public class IsisModuleExtSecmanApplib { public static final String NAMESPACE = "isis.ext.secman"; @@ -181,4 +190,5 @@ public class IsisModuleExtSecmanApplib { public abstract static class PropertyDomainEvent<S, T> extends org.apache.isis.applib.events.domain.PropertyDomainEvent<S, T> {} + } diff --git a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/SecmanAutoConfiguration.java b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/SecmanAutoConfiguration.java index df8b7d8..0120cc9 100644 
--- a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/SecmanAutoConfiguration.java
+++ b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/SecmanAutoConfiguration.java
@@ -1,39 +1,16 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ package org.apache.isis.extensions.secman.applib; -import javax.inject.Inject; -import javax.inject.Named; - -import org.springframework.beans.factory.annotation.Qualifier; import org.springframework.boot.autoconfigure.AutoConfigureOrder; import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; -import org.springframework.core.annotation.Order; -import org.springframework.stereotype.Service; import org.apache.isis.applib.annotation.OrderPrecedence; import org.apache.isis.core.config.IsisConfiguration; +import org.apache.isis.extensions.secman.applib.permission.spi.PermissionsEvaluationService; +import org.apache.isis.extensions.secman.applib.permission.spi.PermissionsEvaluationServiceAllowBeatsVeto; +import org.apache.isis.extensions.secman.applib.permission.spi.PermissionsEvaluationServiceVetoBeatsAllow; -import lombok.RequiredArgsConstructor; -import lombok.extern.log4j.Log4j2; import lombok.val; @AutoConfigureOrder(OrderPrecedence.LAST) 
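Review bot: The ASF licence header at the top of SecmanAutoConfiguration.java is deleted by this hunk and nothing replaces it, which looks like an accident of the import clean-up rather than an intended change. The header block should be restored unchanged above `package org.apache.isis.extensions.secman.applib;`. If the build runs a licence audit, this file would otherwise be reported as unlicensed.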
@@ -41,11 +18,11 @@ import lombok.val; public class SecmanAutoConfiguration { /** - * Provides a default implementation of {@link SecmanConfiguration}. + * Provides a default implementation of {@link SecmanConfiguration} based on configuration properties. */ @Bean @ConditionalOnMissingBean(SecmanConfiguration.class) - public SecmanConfiguration bean(final IsisConfiguration isisConfiguration) { + public SecmanConfiguration secmanConfiguration(final IsisConfiguration isisConfiguration) { val secman = isisConfiguration.getExtensions().getSecman(); return SecmanConfiguration.builder() .adminUserName(secman.getSeed().getAdmin().getUserName()) @@ -58,4 +35,19 @@ public class SecmanAutoConfiguration { .build(); } + /** + * Provides a default implementation of {@link PermissionsEvaluationService} based on configuration properties. + */ + @Bean + @ConditionalOnMissingBean(PermissionsEvaluationService.class) + public PermissionsEvaluationService permissionsEvaluationService(final IsisConfiguration isisConfiguration) { + val policy = isisConfiguration.getExtensions().getSecman().getPermissionsEvaluationPolicy(); + switch (policy) { + case ALLOW_BEATS_VETO: + return new PermissionsEvaluationServiceAllowBeatsVeto(); + case VETO_BEATS_ALLOW: + return new PermissionsEvaluationServiceVetoBeatsAllow(); + } + throw new IllegalArgumentException(String.format("PermissionsEvaluationPolicy '%s' not recognised", policy)); + } } diff --git a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/SecmanConfiguration.java b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/SecmanConfiguration.java index 88dfcfb..f484383 100644 --- a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/SecmanConfiguration.java +++ b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/SecmanConfiguration.java 
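Review bot: `@ConditionalOnMissingBean(PermissionsEvaluationService.class)` on the new `permissionsEvaluationService` factory only sees bean definitions registered before this class is processed, so whether an application's own service or the configured default wins depends on how SecmanAutoConfiguration is loaded. How it is registered is not visible in this diff (its entry in the `@Import` list of IsisModuleExtSecmanApplib appears commented out); if it were imported or component-scanned rather than loaded as an auto-configuration, an application that declares a stricter service could end up with two candidates or with the default. I would record that constraint in the method Javadoc, e.g. `Must be loaded as an auto-configuration so that an application-declared PermissionsEvaluationService is always seen first.` Separately, a null `policy` would fail inside `switch (policy)` with a bare NullPointerException instead of reaching the descriptive exception on the last line, and `IllegalStateException` would describe that final throw better than `IllegalArgumentException`.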
@@ -61,7 +61,7 @@ public class SecmanConfiguration { /** * @see IsisConfiguration.Extensions.Secman.Seed.Admin#getUserName() * - * @deprecated + * @deprecated - use <code>application.yml</code> config properties instead. */ @Deprecated @Getter @@ -74,7 +74,7 @@ public class SecmanConfiguration { /** * @see IsisConfiguration.Extensions.Secman.Seed.Admin#getPassword() * - * @deprecated + * @deprecated - use <code>application.yml</code> config properties instead. */ @Deprecated @Getter @@ -86,7 +86,7 @@ public class SecmanConfiguration { /** * @see IsisConfiguration.Extensions.Secman.Seed.Admin#getRoleName() * - * @deprecated + * @deprecated - use <code>application.yml</code> config properties instead. */ @Deprecated @Getter @@ -97,7 +97,7 @@ public class SecmanConfiguration { /** * @see IsisConfiguration.Extensions.Secman.Seed.Admin.NamespacePermissions#getSticky() * - * @deprecated + * @deprecated - use <code>application.yml</code> config properties instead. */ @Deprecated @Getter @@ -108,7 +108,7 @@ public class SecmanConfiguration { /** * @see IsisConfiguration.Extensions.Secman.Seed.Admin.NamespacePermissions#getAdditional() * - * @deprecated + * @deprecated - use <code>application.yml</code> config properties instead. */ @Deprecated @Getter @@ -122,7 +122,7 @@ public class SecmanConfiguration { /** * @see IsisConfiguration.Extensions.Secman.Seed.RegularUser#getRoleName() * - * @deprecated + * @deprecated - use <code>application.yml</code> config properties instead. */ @Deprecated @Getter @@ -133,7 +133,7 @@ public class SecmanConfiguration { /** * @see IsisConfiguration.Extensions.Secman.DelegatedUsers#getAutoCreatePolicy() * - * @deprecated + * @deprecated - use <code>application.yml</code> config properties instead. */ @Deprecated @Getter 
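Review bot: The `@deprecated` text added on the admin password property (second hunk, the one with `@see ...Seed.Admin#getPassword()`) directs readers to `application.yml`, which for a seed credential points at a file that is commonly checked in. I would word that one as `@deprecated - use config properties instead, supplied from an external source rather than a committed file.` The same sentence is repeated on all seven properties without naming the replacement; since each block already has an `@see`, the tag could carry it directly, e.g. `@deprecated - use {@link IsisConfiguration.Extensions.Secman.Seed.Admin#getUserName()} instead.` These are Javadoc-only hunks and the fields they annotate lie outside them.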
diff --git a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/permission/spi/PermissionsEvaluationServiceAllowBeatsVeto.java b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/permission/spi/PermissionsEvaluationServiceAllowBeatsVeto.java index d7a15e3..6cdedd2 100644 --- a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/permission/spi/PermissionsEvaluationServiceAllowBeatsVeto.java +++ b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/permission/spi/PermissionsEvaluationServiceAllowBeatsVeto.java @@ -27,7 +27,10 @@ import org.apache.isis.extensions.secman.applib.permission.dom.ApplicationPermis * An implementation whereby a VETO permission for a feature overrides an ALLOW (for same scope). * * @since 2.0 {@index} + * + * @deprecated - use <code>application.yml</code> config properties instead. */ +@Deprecated public class PermissionsEvaluationServiceAllowBeatsVeto extends PermissionsEvaluationServiceAbstract { private static final long serialVersionUID = 1L; diff --git a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/permission/spi/PermissionsEvaluationServiceVetoBeatsAllow.java b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/permission/spi/PermissionsEvaluationServiceVetoBeatsAllow.java index c08b795..1b493db 100644 --- a/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/permission/spi/PermissionsEvaluationServiceVetoBeatsAllow.java +++ b/extensions/security/secman/applib/src/main/java/org/apache/isis/extensions/secman/applib/permission/spi/PermissionsEvaluationServiceVetoBeatsAllow.java 
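Review bot: The Javadoc kept on `PermissionsEvaluationServiceAllowBeatsVeto` still reads `An implementation whereby a VETO permission for a feature overrides an ALLOW`, which is the opposite of what the class name says and word for word the description on PermissionsEvaluationServiceVetoBeatsAllow in the next file. The implementation is outside the hunk so the behaviour cannot be confirmed here, but if the name is right the sentence should be `An implementation whereby an ALLOW permission for a feature overrides a VETO (for same scope).` Both classes are now `@Deprecated`, yet the new factory in SecmanAutoConfiguration instantiates them directly, which will raise deprecation warnings in the project's own build. The tag would also help more if it named the replacement, e.g. `{@link IsisConfiguration.Extensions.Secman#getPermissionsEvaluationPolicy()}`.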
@@ -31,7 +31,10 @@ import lombok.val; * An implementation whereby a VETO permission for a feature overrides an ALLOW (for same scope). * * @since 2.0 {@index} + * + * @deprecated - use <code>application.yml</code> config properties instead. */ +@Deprecated public class PermissionsEvaluationServiceVetoBeatsAllow extends PermissionsEvaluationServiceAbstract { private static final long serialVersionUID = 1L;
