com.sap.cloud.security.ams.spring.adapter.PolicyDecisionPointSecurityExpression Maven / Gradle / Ivy

Go to download
/************************************************************************
* © 2019-2023 SAP SE or an SAP affiliate company. All rights reserved. *
************************************************************************/
package com.sap.cloud.security.ams.spring.adapter;

import com.sap.cloud.security.ams.api.Principal;
import com.sap.cloud.security.ams.api.PrincipalBuilder;
import com.sap.cloud.security.ams.dcl.client.pdp.PolicyDecisionPoint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.access.expression.method.MethodSecurityExpressionOperations;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

import java.util.Collection;
import java.util.Map;

/**
 * An extension class for Method Security expressions
 */
public class PolicyDecisionPointSecurityExpression implements MethodSecurityExpressionOperations {

	private final Logger logger = LoggerFactory.getLogger(getClass());
	private PolicyDecisionPoint policyDecisionPoint;
	private Principal principal;
	private Object filterObject;
	private Object returnObject;
	protected final Authentication authentication;
	private final AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();

	public PolicyDecisionPointSecurityExpression(Authentication authentication) {
		this.authentication = authentication;
		logger.debug("Create PolicyDecisionPointWebSecurityExpression for anonymous user.");
	}

	public PolicyDecisionPointSecurityExpression(Authentication authentication, Map claims) {
		this.authentication = authentication;
		logger.debug("Create PolicyDecisionPointWebSecurityExpression with authentication.");
		this.principal = PrincipalBuilder.create(claims).build();
	}

	public PolicyDecisionPointSecurityExpression policyDecisionPoint(PolicyDecisionPoint policyDecisionPoint) {
		this.policyDecisionPoint = policyDecisionPoint;
		return this;
	}

	public boolean forAction(String action, String... attributes) {
		return forResourceAction(null, action, attributes);
	}

	public boolean forResource(String resource, String... attributes) {
		return forResourceAction(resource, null, attributes);
	}

	public boolean forResourceAction(String resource, String action, String... attributes) {
		if (isAnonymous() || principal == null) {
			return false;
		}
		return PolicyDecisionPointPermissionEvaluator.hasPermission(policyDecisionPoint, principal,
				resource, action,
				attributes);
	}

	public boolean hasBaseAuthority(String action, String resource) {
		if (isAnonymous()) {
			return false;
		}
		boolean hasBaseAuthority = false;
		Collection userAuthorities = getAuthentication().getAuthorities();
		for (GrantedAuthority authority : userAuthorities) {
			if (PolicyDecisionPointPermissionEvaluator.hasPartialPermission(authority.getAuthority(), action,
					resource)) {
				hasBaseAuthority = true;
				break;
			}
		}
		logger.debug("{} hasBaseAuthority() for action '{}' on resource '{}' ? {}.", principal, action, resource,
				hasBaseAuthority);
		return hasBaseAuthority;
	}

	@Override
	public final Authentication getAuthentication() {
		return this.authentication;
	}

	@Override
	public boolean hasAuthority(String action) {
		if (isAnonymous() || principal == null) {
			return false;
		}
		return PolicyDecisionPointPermissionEvaluator.hasPermission(policyDecisionPoint, principal, action);
	}

	@Override
	public boolean hasAnyAuthority(String... actions) {
		if (isAnonymous()) {
			return false;
		}
		for (String action : actions) {
			if (hasAuthority(action)) {
				return true;
			}
		}
		return false;
	}

	@Override
	public final boolean hasRole(String s) {
		throw new UnsupportedOperationException("method hasRole() is not supported");
	}

	@Override
	public final boolean hasAnyRole(String... strings) {
		throw new UnsupportedOperationException("method hasAnyRole() is not supported");
	}

	@Override
	public final boolean permitAll() {
		return true;
	}

	@Override
	public final boolean denyAll() {
		return false;
	}

	@Override
	public boolean isAnonymous() {
		return trustResolver.isAnonymous(authentication);
	}

	@Override
	public final boolean isAuthenticated() {
		return !isAnonymous();
	}

	@Override
	public final boolean isRememberMe() {
		return trustResolver.isRememberMe(authentication);
	}

	@Override
	public final boolean isFullyAuthenticated() {
		return !trustResolver.isAnonymous(authentication)
				&& !trustResolver.isRememberMe(authentication);
	}

	@Override
	public boolean hasPermission(Object o, Object o1) {
		throw new UnsupportedOperationException("method hasPermission() is not supported");
	}

	@Override
	public boolean hasPermission(Object o, String s, Object o1) {
		throw new UnsupportedOperationException("method hasPermission() is not supported");
	}

	@Override
	public void setFilterObject(Object filterObject) {
		this.filterObject = filterObject;
	}

	@Override
	public Object getFilterObject() {
		return filterObject;
	}

	@Override
	public void setReturnObject(Object returnObject) {
		this.returnObject = returnObject;
	}

	@Override
	public Object getReturnObject() {
		return returnObject;
	}

	@Override
	public Object getThis() {
		return this;
	}

}