From 6f1b3a93fe53de44fe215e751c46d91c45e545d5 Mon Sep 17 00:00:00 2001 From: Igor Kulikov Date: Mon, 6 Jun 2022 16:42:47 +0300 Subject: [PATCH] Version control permissions --- .../server/controller/AdminController.java | 18 +++++++++--------- .../EntitiesVersionControlController.java | 12 ++++++++++++ .../service/security/permission/Resource.java | 3 ++- .../permission/TenantAdminPermissions.java | 1 + 4 files changed, 24 insertions(+), 10 deletions(-) diff --git a/application/src/main/java/org/thingsboard/server/controller/AdminController.java b/application/src/main/java/org/thingsboard/server/controller/AdminController.java index 470ec738af..54cbdd9b0f 100644 --- a/application/src/main/java/org/thingsboard/server/controller/AdminController.java +++ b/application/src/main/java/org/thingsboard/server/controller/AdminController.java @@ -198,7 +198,7 @@ public class AdminController extends BaseController { @ResponseBody public RepositorySettings getRepositorySettings() throws ThingsboardException { try { - accessControlService.checkPermission(getCurrentUser(), Resource.ADMIN_SETTINGS, Operation.READ); + accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.READ); RepositorySettings versionControlSettings = checkNotNull(versionControlService.getVersionControlSettings(getTenantId())); versionControlSettings.setPassword(null); versionControlSettings.setPrivateKey(null); @@ -216,7 +216,7 @@ public class AdminController extends BaseController { @ResponseBody public Boolean repositorySettingsExists() throws ThingsboardException { try { - accessControlService.checkPermission(getCurrentUser(), Resource.ADMIN_SETTINGS, Operation.READ); + accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.READ); return versionControlService.getVersionControlSettings(getTenantId()) != null; } catch (Exception e) { throw handleException(e); 
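Review bot: The redaction in getRepositorySettings is done field by field (`setPassword(null)` and `setPrivateKey(null)` are the two visible calls), so any credential-bearing field that is not listed would now be returned to every principal granted VERSION_CONTROL READ instead of only to holders of ADMIN_SETTINGS READ. The method body continues past the end of the hunk, so I cannot see whether further fields are cleared; please confirm that every secret carried by RepositorySettings is nulled before the object is returned. A short comment above the redaction lines, such as `// never return repository credentials to the client`, would make the intent explicit for whoever adds the next field.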
@@ -228,7 +228,7 @@ public class AdminController extends BaseController {
 @PreAuthorize("hasAuthority('TENANT_ADMIN')")
 @PostMapping("/repositorySettings")
 public DeferredResult saveRepositorySettings(@RequestBody RepositorySettings settings) throws ThingsboardException {
- accessControlService.checkPermission(getCurrentUser(), Resource.ADMIN_SETTINGS, Operation.WRITE);
+ accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.WRITE);
 ListenableFuture future = versionControlService.saveVersionControlSettings(getTenantId(), settings);
 return wrapFuture(Futures.transform(future, savedSettings -> {
 savedSettings.setPassword(null);
@@ -246,7 +246,7 @@ public class AdminController extends BaseController {
 @ResponseStatus(value = HttpStatus.OK)
 public DeferredResult deleteRepositorySettings() throws ThingsboardException {
 try {
- accessControlService.checkPermission(getCurrentUser(), Resource.ADMIN_SETTINGS, Operation.DELETE);
+ accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.DELETE);
 return wrapFuture(versionControlService.deleteVersionControlSettings(getTenantId()));
 } catch (Exception e) {
 throw handleException(e);
@@ -262,7 +262,7 @@ public class AdminController extends BaseController {
 @ApiParam(value = "A JSON value representing the Repository Settings.")
 @RequestBody RepositorySettings settings) throws ThingsboardException {
 try {
- accessControlService.checkPermission(getCurrentUser(), Resource.ADMIN_SETTINGS, Operation.READ);
+ accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.READ);
 settings = checkNotNull(settings);
 return wrapFuture(versionControlService.checkVersionControlAccess(getTenantId(), settings));
 } catch (Exception e) {
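Review bot: In saveRepositorySettings the permission check sits outside any `try`/`handleException` wrapper, unlike the delete and access-check endpoints in the hunks that follow, so a denial raised here reaches the client by a different path than everywhere else in this controller. saveAutoCommitSettings at -303 has the same shape. If handleException is what normalises the error response, wrap both bodies the same way: `try { ... } catch (Exception e) { throw handleException(e); }`. The lambda passed to Futures.transform continues outside the hunk.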
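Review bot: The access-check endpoint at -262 is gated with `Operation.READ`, yet it hands caller-supplied RepositorySettings to `versionControlService.checkVersionControlAccess`, which presumably makes the server open a connection to whatever repository the request body names. That is closer to a configuration action than to a read, so a read-only grant on VERSION_CONTROL should probably not be enough; consider `accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.WRITE);` here. The method signature starts above the hunk, so the mapping and authority annotation are not visible.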
@@ -277,7 +277,7 @@ public class AdminController extends BaseController { @ResponseBody public AutoCommitSettings getAutoCommitSettings() throws ThingsboardException { try { - accessControlService.checkPermission(getCurrentUser(), Resource.ADMIN_SETTINGS, Operation.READ); + accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.READ); return checkNotNull(autoCommitSettingsService.get(getTenantId())); } catch (Exception e) { throw handleException(e); @@ -291,7 +291,7 @@ public class AdminController extends BaseController { @ResponseBody public Boolean autoCommitSettingsExists() throws ThingsboardException { try { - accessControlService.checkPermission(getCurrentUser(), Resource.ADMIN_SETTINGS, Operation.READ); + accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.READ); return autoCommitSettingsService.get(getTenantId()) != null; } catch (Exception e) { throw handleException(e); @@ -303,7 +303,7 @@ public class AdminController extends BaseController { @PreAuthorize("hasAuthority('TENANT_ADMIN')") @PostMapping("/autoCommitSettings") public AutoCommitSettings saveAutoCommitSettings(@RequestBody AutoCommitSettings settings) throws ThingsboardException { - accessControlService.checkPermission(getCurrentUser(), Resource.ADMIN_SETTINGS, Operation.WRITE); + accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.WRITE); return autoCommitSettingsService.save(getTenantId(), settings); } @@ -315,7 +315,7 @@ public class AdminController extends BaseController { @ResponseStatus(value = HttpStatus.OK) public void deleteAutoCommitSettings() throws ThingsboardException { try { - accessControlService.checkPermission(getCurrentUser(), Resource.ADMIN_SETTINGS, Operation.DELETE); + accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.DELETE); autoCommitSettingsService.delete(getTenantId()); } catch (Exception e) { throw handleException(e); 
diff --git a/application/src/main/java/org/thingsboard/server/controller/EntitiesVersionControlController.java b/application/src/main/java/org/thingsboard/server/controller/EntitiesVersionControlController.java index d55fe3dec0..337a850ab1 100644 --- a/application/src/main/java/org/thingsboard/server/controller/EntitiesVersionControlController.java +++ b/application/src/main/java/org/thingsboard/server/controller/EntitiesVersionControlController.java @@ -50,6 +50,8 @@ import org.thingsboard.server.common.data.sync.vc.request.create.VersionCreateRe import org.thingsboard.server.common.data.sync.vc.request.load.VersionLoadRequest; import org.thingsboard.server.queue.util.TbCoreComponent; import org.thingsboard.server.service.security.model.SecurityUser; +import org.thingsboard.server.service.security.permission.Operation; +import org.thingsboard.server.service.security.permission.Resource; import org.thingsboard.server.service.sync.vc.EntitiesVersionControlService; import java.util.ArrayList; @@ -118,6 +120,7 @@ public class EntitiesVersionControlController extends BaseController { public DeferredResult saveEntitiesVersion(@RequestBody VersionCreateRequest request) throws ThingsboardException { SecurityUser user = getCurrentUser(); try { + accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.WRITE); return wrapFuture(versionControlService.saveEntitiesVersion(user, request)); } catch (Exception e) { throw handleException(e); 
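Review bot: The added check in saveEntitiesVersion calls `getCurrentUser()` a second time although the line above already stored the result in `user`, and it is `user` that is passed to the service. Reusing the local, `accessControlService.checkPermission(user, Resource.VERSION_CONTROL, Operation.WRITE);`, makes it certain that the principal that was authorised is the one the operation runs as. loadEntitiesVersion at -300 has the same duplication.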
@@ -146,6 +149,7 @@ public class EntitiesVersionControlController extends BaseController {
 @ApiParam(value = SORT_ORDER_DESCRIPTION, allowableValues = SORT_ORDER_ALLOWABLE_VALUES)
 @RequestParam(required = false) String sortOrder) throws ThingsboardException {
 try {
+ accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.READ);
 EntityId externalEntityId = EntityIdFactory.getByTypeAndUuid(entityType, externalEntityUuid);
 PageLink pageLink = createPageLink(pageSize, page, textSearch, sortProperty, sortOrder);
 return wrapFuture(versionControlService.listEntityVersions(getTenantId(), branch, externalEntityId, pageLink));
@@ -175,6 +179,7 @@ public class EntitiesVersionControlController extends BaseController {
 @ApiParam(value = SORT_ORDER_DESCRIPTION, allowableValues = SORT_ORDER_ALLOWABLE_VALUES)
 @RequestParam(required = false) String sortOrder) throws ThingsboardException {
 try {
+ accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.READ);
 PageLink pageLink = createPageLink(pageSize, page, textSearch, sortProperty, sortOrder);
 return wrapFuture(versionControlService.listEntityTypeVersions(getTenantId(), branch, entityType, pageLink));
 } catch (Exception e) {
@@ -210,6 +215,7 @@ public class EntitiesVersionControlController extends BaseController {
 @ApiParam(value = SORT_ORDER_DESCRIPTION, allowableValues = SORT_ORDER_ALLOWABLE_VALUES)
 @RequestParam(required = false) String sortOrder) throws ThingsboardException {
 try {
+ accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.READ);
 PageLink pageLink = createPageLink(pageSize, page, textSearch, sortProperty, sortOrder);
 return wrapFuture(versionControlService.listVersions(getTenantId(), branch, pageLink));
 } catch (Exception e) {
@@ -223,6 +229,7 @@ public class EntitiesVersionControlController extends BaseController {
 @PathVariable EntityType entityType,
 @PathVariable String versionId) throws ThingsboardException {
 try {
+ accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.READ);
 return wrapFuture(versionControlService.listEntitiesAtVersion(getTenantId(), branch, versionId, entityType));
 } catch (Exception e) {
 throw handleException(e);
@@ -233,6 +240,7 @@ public class EntitiesVersionControlController extends BaseController {
 public DeferredResult> listAllEntitiesAtVersion(@PathVariable String branch,
 @PathVariable String versionId) throws ThingsboardException {
 try {
+ accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.READ);
 return wrapFuture(versionControlService.listAllEntitiesAtVersion(getTenantId(), branch, versionId));
 } catch (Exception e) {
 throw handleException(e);
@@ -244,6 +252,7 @@ public class EntitiesVersionControlController extends BaseController {
 @PathVariable EntityType entityType,
 @PathVariable UUID externalEntityUuid) throws ThingsboardException {
 try {
+ accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.READ);
 EntityId entityId = EntityIdFactory.getByTypeAndUuid(entityType, externalEntityUuid);
 return wrapFuture(versionControlService.getEntityDataInfo(getCurrentUser(), entityId, versionId));
 } catch (Exception e) {
@@ -257,6 +266,7 @@ public class EntitiesVersionControlController extends BaseController {
 @PathVariable UUID internalEntityUuid,
 @RequestParam String versionId) throws ThingsboardException {
 try {
+ accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.READ);
 EntityId entityId = EntityIdFactory.getByTypeAndUuid(entityType, internalEntityUuid);
 return wrapFuture(versionControlService.compareEntityDataToVersion(getCurrentUser(), branch, entityId, versionId));
 } catch (Exception e) {
@@ -300,6 +310,7 @@ public class EntitiesVersionControlController extends BaseController { public DeferredResult loadEntitiesVersion(@RequestBody VersionLoadRequest request) throws ThingsboardException { SecurityUser user = getCurrentUser(); try { + accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.READ); return wrapFuture(versionControlService.loadEntitiesVersion(user, request)); } catch (Exception e) { throw handleException(e); @@ -325,6 +336,7 @@ public class EntitiesVersionControlController extends BaseController { @GetMapping("/branches") public DeferredResult> listBranches() throws ThingsboardException { try { + accessControlService.checkPermission(getCurrentUser(), Resource.VERSION_CONTROL, Operation.READ); final TenantId tenantId = getTenantId(); ListenableFuture> branches = versionControlService.listBranches(tenantId); return wrapFuture(Futures.transform(branches, remoteBranches -> { diff --git a/application/src/main/java/org/thingsboard/server/service/security/permission/Resource.java b/application/src/main/java/org/thingsboard/server/service/security/permission/Resource.java index f86680f156..3b1e4f5fa2 100644 --- a/application/src/main/java/org/thingsboard/server/service/security/permission/Resource.java +++ b/application/src/main/java/org/thingsboard/server/service/security/permission/Resource.java @@ -41,7 +41,8 @@ public enum Resource { OTA_PACKAGE(EntityType.OTA_PACKAGE), EDGE(EntityType.EDGE), RPC(EntityType.RPC), - QUEUE(EntityType.QUEUE); + QUEUE(EntityType.QUEUE), + VERSION_CONTROL; private final EntityType entityType; diff --git a/application/src/main/java/org/thingsboard/server/service/security/permission/TenantAdminPermissions.java b/application/src/main/java/org/thingsboard/server/service/security/permission/TenantAdminPermissions.java index 14e05c49dd..fe61f16ad3 100644 --- a/application/src/main/java/org/thingsboard/server/service/security/permission/TenantAdminPermissions.java 
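Review bot: loadEntitiesVersion at -300 is gated with `Operation.READ`, but judging by its name and its VersionLoadRequest body it applies a stored version to the tenant's entities, which is a modifying action rather than a read. Unless `versionControlService.loadEntitiesVersion(user, request)` enforces write permission on each affected entity for `user` (not visible in this patch), a read-only VERSION_CONTROL grant would be enough to overwrite entities. Either confirm that the service performs those per-entity checks and record it in a comment above this line, or add an explicit write-level check on the entity types being loaded before calling the service.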
+++ b/application/src/main/java/org/thingsboard/server/service/security/permission/TenantAdminPermissions.java @@ -47,6 +47,7 @@ public class TenantAdminPermissions extends AbstractPermissions { put(Resource.EDGE, tenantEntityPermissionChecker); put(Resource.RPC, tenantEntityPermissionChecker); put(Resource.QUEUE, queuePermissionChecker); + put(Resource.VERSION_CONTROL, PermissionChecker.allowAllPermissionChecker); } public static final PermissionChecker tenantEntityPermissionChecker = new PermissionChecker() {
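Review bot: Mapping VERSION_CONTROL to `PermissionChecker.allowAllPermissionChecker` means the READ/WRITE/DELETE distinction introduced at every call site in this commit is not enforced for tenant admins; the effective gate is role membership alone. That may be the intended default, but it deserves a comment on this line, for example `// tenant admins manage their own repository; operations are not differentiated here`. No other permissions class is touched in this patch, so other authorities presumably have no VERSION_CONTROL entry; please confirm that checkPermission denies when the resource is absent from the map rather than falling through. The initializer that holds these `put` calls starts above the hunk.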