Updated display rules and agent logic to be based on configured roles…

… (allow_roles_*). #65
Moonshine-IDE · Nov 12, 2024 · 2141edb · 2141edb
1 parent 30665cc
commit 2141edb
Show file tree

Hide file tree

Showing 25 changed files with 292 additions and 33 deletions.
diff --git a/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryCreate.java b/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryCreate.java
@@ -13,6 +13,10 @@
  */
 public class CategoryCreate extends CategoryCreateBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryDelete.java b/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryDelete.java
@@ -13,6 +13,10 @@
  */
 public class CategoryDelete extends CategoryDeleteBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryRead.java b/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryRead.java
@@ -15,6 +15,10 @@
  */
 public class CategoryRead extends CategoryReadBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_DOCUMENTATION_VIEW;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryUpdate.java b/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryUpdate.java
@@ -13,6 +13,10 @@
  */
 public class CategoryUpdate extends CategoryUpdateBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkCreate.java b/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkCreate.java
@@ -18,6 +18,10 @@
  */
 public class CustomBookmarkCreate extends CustomBookmarkCreateBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_BOOKMARKS_MANAGE;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SecurityBuilder.ROLE_ADMINISTRATOR);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkDelete.java b/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkDelete.java
@@ -12,6 +12,10 @@
  */
 public class CustomBookmarkDelete extends CustomBookmarkDeleteBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_BOOKMARKS_MANAGE;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SecurityBuilder.ROLE_ADMINISTRATOR);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkRead.java b/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkRead.java
@@ -24,6 +24,10 @@
  */
 public class CustomBookmarkRead extends CustomBookmarkReadBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_BOOKMARKS_VIEW;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkUpdate.java b/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkUpdate.java
@@ -26,6 +26,10 @@
  */
 public class CustomBookmarkUpdate extends CustomBookmarkUpdateBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_BOOKMARKS_MANAGE;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SecurityBuilder.ROLE_ADMINISTRATOR);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/DatabaseRead.java b/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/DatabaseRead.java
@@ -34,6 +34,10 @@ public class DatabaseRead extends CRUDAgentBase implements RoleRestrictedAgent
 
 	protected Map<String, Collection<String> > bookmarkCache = null;
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_BROWSE_MY_SERVER;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormCreate.java b/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormCreate.java
@@ -13,6 +13,10 @@
  */
 public class DocumentationFormCreate extends DocumentationFormCreateBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormDelete.java b/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormDelete.java
@@ -13,6 +13,10 @@
  */
 public class DocumentationFormDelete extends DocumentationFormDeleteBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormRead.java b/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormRead.java
@@ -13,6 +13,10 @@
  */
 public class DocumentationFormRead extends DocumentationFormReadBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_DOCUMENTATION_VIEW;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormUpdate.java b/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormUpdate.java
@@ -13,6 +13,10 @@
  */
 public class DocumentationFormUpdate extends DocumentationFormUpdateBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryCreate.java b/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryCreate.java
@@ -14,6 +14,10 @@
  */
 public class GenesisDirectoryCreate extends GenesisDirectoryCreateBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_GENESIS_MANAGE;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SecurityBuilder.ROLE_ADMINISTRATOR);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryDelete.java b/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryDelete.java
@@ -12,6 +12,10 @@
  */
 public class GenesisDirectoryDelete extends GenesisDirectoryDeleteBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_GENESIS_MANAGE;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SecurityBuilder.ROLE_ADMINISTRATOR);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryRead.java b/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryRead.java
@@ -14,6 +14,10 @@
  */
 public class GenesisDirectoryRead extends GenesisDirectoryReadBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_GENESIS_MANAGE;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SecurityBuilder.ROLE_ADMINISTRATOR);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryUpdate.java b/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryUpdate.java
@@ -12,6 +12,10 @@
  */
 public class GenesisDirectoryUpdate extends GenesisDirectoryUpdateBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return SecurityBuilder.RESTRICT_GENESIS_MANAGE;
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SecurityBuilder.ROLE_ADMINISTRATOR);
 	}

diff --git a/Super.Human.Portal_Agents/src/main/java/auth/RoleRestrictedAgent.java b/Super.Human.Portal_Agents/src/main/java/auth/RoleRestrictedAgent.java
@@ -10,7 +10,14 @@
 public interface RoleRestrictedAgent 
 {
 	/**
-	 * Get the allowed roles for the agent.  Should be used when building the securityi
+	 * Get an ID that will be used to lookup the role restrictions for this agent.
+	 * If not <code>null</code>, this will have priority over {@link #getAllowedRoles()}.
+	 */
+	public String getRoleRestrictionID();
+
+	/**
+	 * Get the allowed roles for the agent.  Should be used when building the security.
+	 * Lower priority than getRoleRestrictionID
 	 */
 	public Collection<String> getAllowedRoles();
 

diff --git a/Super.Human.Portal_Agents/src/main/java/auth/SecurityBuilder.java b/Super.Human.Portal_Agents/src/main/java/auth/SecurityBuilder.java
@@ -16,8 +16,17 @@ public class SecurityBuilder
 {
 	public static final String ROLE_ADMINISTRATOR = "Administrator";
 
+	public static final String RESTRICT_DOCUMENTATION_VIEW = "viewDocumentation";
+	public static final String RESTRICT_DOCUMENTATION_MANAGE = "manageDocumentation";
+	public static final String RESTRICT_APPS_VIEW = "viewInstalledApps";
+	public static final String RESTRICT_APPS_INSTALL = "installApps";
+	public static final String RESTRICT_BOOKMARKS_VIEW = "viewBookmarks";
+	public static final String RESTRICT_BOOKMARKS_MANAGE = "manageBookmarks";
+	public static final String RESTRICT_BROWSE_MY_SERVER = "browseMyServer";
+	public static final String RESTRICT_GENESIS_MANAGE = "additionalGenesis";
+
 	public static SecurityInterface buildInstance(Database roleDatabase, RoleRestrictedAgent agent, Session session, LogInterface log) {
-		return new SimpleRoleSecurity(roleDatabase, agent.getAllowedRoles(), session, log);
+		return new SimpleRoleSecurity(roleDatabase, agent.getRoleRestrictionID(), agent.getAllowedRoles(), session, log);
 	}
 
 	public static Collection<String> buildList(String role1) {

diff --git a/Super.Human.Portal_Agents/src/main/java/auth/SimpleRoleSecurity.java b/Super.Human.Portal_Agents/src/main/java/auth/SimpleRoleSecurity.java
@@ -50,8 +50,9 @@
 public class SimpleRoleSecurity  extends SecurityInterface
 {
 	protected LogInterface log = null;
-	protected Set<String> allowedRoles = new TreeSet<String>();
+	protected Set<String> allowedRoles = null;  // Initialize when loaded.   new TreeSet<String>();
 	protected Set<String> userRoles = new TreeSet<String>();
+	protected String roleRestrictionID = null;
 	protected Database roleDatabase = null;
 
 	protected Collection<String> userLookupKeys = new ArrayList<String>();
@@ -125,6 +126,33 @@ public SimpleRoleSecurity(Database roleDatabase, Collection<String> roles, Sessi
 		}
 	}
 
+	/**
+	 * Initialize the security with a list of roles.
+	 * Add additional roles with {@link #addAllowedRole(String)}.
+	 * @param roleDatabase  the role configuration database
+	 * @param session  the session
+	 * @param log  the log
+	 */
+	public SimpleRoleSecurity(Database roleDatabase, String roleRestrictionID, Collection<String> roles, Session session, LogInterface log)
+	{
+		this(roleDatabase, session, log);
+		if (!DominoUtils.isValueEmpty(roleRestrictionID)){
+			log.dbg("Using role restriction ID for agent security.");
+			this.roleRestrictionID = roleRestrictionID;
+			// initialize role list dynamically to avoid Domino calls in test cases
+		}
+		else {
+			if (null != roles && roles.size() > 0) {
+				for (String role : roles) {
+					addAllowedRole(role);
+				}
+			}
+			else {
+				log.err("No roles defined.");
+			}
+		}
+	}
+
 
 	/**
 	 * See {@link #isAuthorizedForRoles()}.
@@ -375,7 +403,11 @@ public void refreshUserRoles() {
 	 * With the default logic, this will return <code>true</code> if the user has any of the specified roles.
 	 */
 	public boolean isAuthorizedForRoles() {
-		for (String allowedRole : this.allowedRoles) {
+		return isAuthorizedForRoles(getAllowedRoles());
+	}
+
+	public boolean isAuthorizedForRoles(Collection<String> allowedRoles) {
+		for (String allowedRole : allowedRoles) {
 			if (userRoles.contains(allowedRole)) {
 				return true;
 			}
@@ -384,20 +416,70 @@ public boolean isAuthorizedForRoles() {
 		return false;
 	}
 
+	/**
+	 * Utility for XMLAuthenticationTest to lookup restrictions for multiple IDs
+	 */
+	public boolean isAuthorizedForRoles(String roleRestrictionID) {
+		return isAuthorizedForRoles(getRolesByRestrictionID(roleRestrictionID));
+	}
+
 	/**
 	 * Get the allowed roles for a user
 	 */
 	public Collection<String> getAllowedRoles() {
+		// initialize dynamically when using roleRestrictionID
+		if (null == allowedRoles) {
+			if (!DominoUtils.isValueEmpty(roleRestrictionID)) {
+				// make sure the roles are initialized regardless
+				allowedRoles = new TreeSet<String>();
+				allowedRoles.addAll(getRolesByRestrictionID(roleRestrictionID));
+			}
+			else {
+				log.dbg("No roles defined.  Initializing empty list");
+				allowedRoles = new TreeSet<String>();
+			}
+		}
 		// return an independent copy to avoid edits
 		return new TreeSet<String>(allowedRoles);
 	}
 
+	/**
+	 * Lookup the allowed roles for the given roleRestrictionID
+	 */
+	public Collection<String> getRolesByRestrictionID(String roleRestrictionID) {
+		TreeSet<String> roles = new TreeSet<String>();
+		try {
+			String key = "allow_roles_" + roleRestrictionID;
+			log.dbg("Looking up roles for key '" + key + "'");
+			Vector raw = ConfigurationUtils.getConfigAsVector(roleDatabase, key);
+			if (!DominoUtils.isListEmpty(raw)) {
+				for (Object curRole : raw) {
+					roles.add(curRole.toString());
+				}
+			}
+			else {
+				log.err("No roles defined for key '" + key + "'");
+			}
+		}
+		catch(Exception ex) {
+			log.err("Exception while loading roles for ID '" + roleRestrictionID + "':  ", ex);
+		}
+		return roles;
+	}
+
+	public String getRoleRestrictionID() {
+		return roleRestrictionID;
+	}
+
 	/**
 	 * Add an allowed role for this agent.
 	 * @param role  the role to add
 	 * @return <code>true</code> if the role was not already added
 	 */
 	public boolean addAllowedRole(String role) {
+		if (null == allowedRoles) {
+			allowedRoles = new TreeSet<String>();
+		}
 		return allowedRoles.add(role);
 	}
 

diff --git a/Super.Human.Portal_Agents/src/main/java/auth/XMLAuthenticationTest.java b/Super.Human.Portal_Agents/src/main/java/auth/XMLAuthenticationTest.java
@@ -26,6 +26,10 @@
  */
 public class XMLAuthenticationTest extends CRUDAgentBase implements RoleRestrictedAgent {
 
+	public String getRoleRestrictionID() {
+		return null;  // allow all
+	}
+
 	public Collection<String> getAllowedRoles() {
 		return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL);
 	}
@@ -211,13 +215,15 @@ else if (DominoUtils.isValueEmpty(vector.get(0).toString())) {
 
 	public JSONObject getDisplayRules(Database configDatabase) {
 		JSONObject display = new JSONObject();
-		display.put("documentation", shouldDisplay(configDatabase, "documentation"));
-		display.put("installApps", shouldDisplay(configDatabase, "installApps"));
-		display.put("genesisDirectory", shouldDisplay(configDatabase, "genesisDirectory"));
-		display.put("viewInstalledApps", shouldDisplay(configDatabase, "viewInstalledApps"));
-		display.put("viewBookmarks", shouldDisplay(configDatabase, "viewBookmarks"));
-		display.put("manageBookmarks", shouldDisplay(configDatabase, "manageBookmarks"));
-		display.put("browseMyServer", shouldDisplay(configDatabase, "browseMyServer"));
+		display.put("documentation", shouldDisplay(configDatabase, SecurityBuilder.RESTRICT_DOCUMENTATION_VIEW));
+		display.put("viewDocumentation", shouldDisplay(configDatabase, SecurityBuilder.RESTRICT_DOCUMENTATION_VIEW));
+		display.put("manageDocumentation", shouldDisplay(configDatabase, SecurityBuilder.RESTRICT_DOCUMENTATION_VIEW));
+		display.put("installApps", shouldDisplay(configDatabase, SecurityBuilder.RESTRICT_APPS_INSTALL));
+		display.put("additionalGenesis", shouldDisplay(configDatabase,  SecurityBuilder.RESTRICT_GENESIS_MANAGE));
+		display.put("viewInstalledApps", shouldDisplay(configDatabase,  SecurityBuilder.RESTRICT_APPS_VIEW));
+		display.put("viewBookmarks", shouldDisplay(configDatabase,  SecurityBuilder.RESTRICT_BOOKMARKS_VIEW));
+		display.put("manageBookmarks", shouldDisplay(configDatabase,  SecurityBuilder.RESTRICT_BOOKMARKS_MANAGE));
+		display.put("browseMyServer", shouldDisplay(configDatabase,  SecurityBuilder.RESTRICT_BROWSE_MY_SERVER));
 		return display;
 	}
 
@@ -230,9 +236,11 @@ public JSONObject getDisplayRules(Database configDatabase) {
 	 */
 	public boolean shouldDisplay(Database configDatabase, String sectionID) {
 		try {
-			String value = ConfigurationUtils.getConfigAsString(configDatabase, "allow_" + sectionID);
-			return "true".equalsIgnoreCase(value);
-			// treat any other value as false
+			// // UI Testing
+			// String value = ConfigurationUtils.getConfigAsString(configDatabase, "allow_" + sectionID);
+			// return "true".equalsIgnoreCase(value);
+			// // treat any other value as false
+			return ((SimpleRoleSecurity)getSecurity()).isAuthorizedForRoles(sectionID);
 		}
 		catch (Exception ex) {
 			getLog().err("Exception when checking display rights for '" + sectionID + "'.   Default to hidden");