Add endpoints to read, create, update and delete entity permissions

[dnlkoch]

This initializes the BasePermissionController which adds all relevant CRUD endpoints to manage all kind permissions (UserInstancePermission, UserClassPermission, GroupInstancePermission, GroupClassPermission) on entity level:

READ

• @GetMapping("/{id}/permissions/class/group/{groupId}")
  • Returns the GroupClassPermission for the given Group and entity.
• @GetMapping("/{id}/permissions/class/user/{userId}")
  • Returns the UserClassPermission for the given User and entity.
• @GetMapping("/{id}/permissions/instance/group/{groupId}")
  • Returns the GroupInstancePermission for the given Group and entity.
• @GetMapping("/{id}/permissions/instance/user/{userId}")
  • Returns the UserInstancePermission for the given User and entity.
• @GetMapping("/{id}/permissions/class/group")
  • Returns all GroupClassPermission for the given entity.
• @GetMapping("/{id}/permissions/class/user")
  • Returns all UserClassPermission for the given entity.
• @GetMapping("/{id}/permissions/instance/group")
  • Returns all GroupInstancePermission for the given entity.
• @GetMapping("/{id}/permissions/instance/user")
  • Returns all UserInstancePermission for the given entity.

CREATE/UPDATE

• @PostMapping("/{id}/permissions/class/group/{groupId}")
  • Creates/Updates the GroupClassPermission for the given Group and entity (via the provided PermissionType in the request body).
• @PostMapping("/{id}/permissions/class/user/{userId}")
  • Creates/Updates the UserClassPermission for the given Group and entity (via the provided PermissionType in the request body).
• @PostMapping("/{id}/permissions/instance/group/{groupId}")
  • Creates/Updates the GroupInstancePermission for the given Group and entity (via the provided PermissionType in the request body).
• @PostMapping("/{id}/permissions/instance/user/{userId}")
  • Creates/Updates the UserInstancePermission for the given Group and entity (via the provided PermissionType in the request body).

DELETE

• @DeleteMapping("/{id}/permissions/class/group/{groupId}")
  • Deletes the GroupClassPermission for the given Group and entity.
• @DeleteMapping("/{id}/permissions/class/user/{userId}")
  • Deletes the UserClassPermission for the given User and entity.
• @DeleteMapping("/{id}/permissions/instance/group/{groupId}")
  • Deletes the GroupInstancePermission for the given Group and entity.
• @DeleteMapping("/{id}/permissions/instance/user/{userId}")
  • Deletes the UserInstancePermission for the given User and entity.
• @DeleteMapping("/{id}/permissions/class/group")
  • Deletes all GroupClassPermission for the given entity.
• @DeleteMapping("/{id}/permissions/class/user")
  • Deletes all GroupClassPermission for the given entity.
• @DeleteMapping("/{id}/permissions/instance/group")
  • Deletes all GroupInstancePermission for the given entity.
• @DeleteMapping("/{id}/permissions/instance/user")
  • Deletes all UserInstancePermission for the given entity.

Breaking change:

The permissions field of the BasePermission has been renamed to permission.

Please review @terrestris/devs.

[hwbllmnn]

LGTM in principle, just a question wrt. migrations and some suggestions about exception handling

[LukasLohoff]

todo list:

• fix tests for switch to repositories (DefaultPermissionEvaluatorTest)
• for permission check setPermission(List<? extends BaseEntity> persistedEntityList, User user, PermissionCollectionType permissionCollectionType): call setPermission for each entity in persistedEntityList
• for List<User> findOwner(BaseEntity entity): filter list of users (postfilter?)
• resolve inconsistencies with read permissions on users
  • currently, users need read permission on other users to grant them permissions
  • possible solution: separate controller /service which grants access to users or user lists, but only exposes basic information
• fix pipeline

[LukasLohoff]

Now all (Group/Class)PermissionServices are annotated with security checks.

One issue remains: Right now, we can't test permissions for permission objects. This is needed for example for the following method:

    @Override
    @PreAuthorize("hasRole('ROLE_ADMIN') or hasPermission(#group, 'READ')")
    @PostFilter("hasRole('ROLE_ADMIN') or hasPermission(filterObject, 'READ')")
    // todo: in postfilter permission check: how to get either targetDomainType or entity from permission.entityId?
    public List<GroupClassPermission> findFor(Group group) {
        return super.findFor(group);
    }

I added a PostFilter check here to test if the user has permission on all entities of the returned GroupClassPermissions. However, this will only work if we find a way to get either the class name or the entity itself from the permission entity.

All methods which work like this are unused until now. So it might be enough for now to restrict them to users with role ADMIN only.

[LukasLohoff]

New changes since last review: https://github.com/terrestris/shogun/compare/8c3d20a..7b72a28ff7c2a3e7b2e17013d497d0ff9f66e22e

@terrestris/devs Please review

[Unraveler]

Some spaces on the Doc-strings seem to be off. I would suggest changes on them all, but there are too many. Anyway, it is just a minor issue. Otherwise It looks good to me