EDIT

import eu.etaxonomy.cdm.vaadin.permission.annotation.EnableAnnotationBasedAccessControl;

import eu.etaxonomy.cdm.vaadin.permission.RolesAndPermissions;

     * found by searching for usage of the methods {@link eu.etaxonomy.cdm.vaadin.permission.UserHelper#createAuthorityForCurrentUser(eu.etaxonomy.cdm.model.common.CdmBase, EnumSet, String)

     * UserHelper.createAuthorityForCurrentUser(eu.etaxonomy.cdm.model.common.CdmBase, EnumSet, String)} and {@link eu.etaxonomy.cdm.vaadin.permission.UserHelper#createAuthorityForCurrentUser(Class, Integer, EnumSet, String)

import eu.etaxonomy.cdm.vaadin.permission.RolesAndPermissions;

import eu.etaxonomy.cdm.vaadin.permission.VaadinUserHelper;

import eu.etaxonomy.cdm.vaadin.permission.UserHelper;

import eu.etaxonomy.cdm.vaadin.permission.UserHelper;

import eu.etaxonomy.cdm.vaadin.permission.PermissionDebugUtils;

import eu.etaxonomy.cdm.vaadin.permission.UserHelper;

import eu.etaxonomy.cdm.vaadin.permission.PermissionDebugUtils;

import eu.etaxonomy.cdm.vaadin.permission.UserHelper;

import eu.etaxonomy.cdm.vaadin.permission.UserHelper;

/**

* Copyright (C) 2017 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.vaadin.permission;

import java.util.Collection;

import org.springframework.security.core.GrantedAuthority;

/**

 * @author a.kohlbecker

 * @since Apr 25, 2017

 *

 */

public interface AccessRestrictedView extends ReleasableResourcesView {

    /**

     * @return

     */

    public boolean allowAnonymousAccess();

    /**

     * The collections of  {@link GrantedAuthority} objects returned by this method are

     * evaluated by the {@link AnnotationBasedAccessControlBean} to determine if the

     * current authentication is having sufficient grants to access the view.

     * <p>

     * The collections are alternative sets of GrantedAuthorities to check.

     * The GrantedAuthorities of each of the inner collections must instead all be satisfied.

     *

     * @return

     */

    public Collection<Collection<GrantedAuthority>> allowedGrantedAuthorities();

}

/**

* Copyright (C) 2017 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.vaadin.permission;

import java.io.Serializable;

import org.apache.log4j.Logger;

import org.springframework.security.authentication.AnonymousAuthenticationToken;

import org.springframework.security.core.Authentication;

import org.springframework.security.core.context.SecurityContext;

import org.springframework.security.core.context.SecurityContextHolder;

import com.vaadin.navigator.View;

import com.vaadin.spring.access.ViewInstanceAccessControl;

import com.vaadin.ui.UI;

/**

 * @author a.kohlbecker

 * @since Apr 24, 2017

 *

 *

 * FIMXE consider renaming this class and its interface, since it is no longer annotation based!!!!

 */

public class AnnotationBasedAccessControlBean implements ViewInstanceAccessControl, Serializable {

    private static final long serialVersionUID = -4232241572782673248L;

    private final static Logger logger = Logger.getLogger(AnnotationBasedAccessControlBean.class);

    /**

     * {@inheritDoc}

     */

    @Override

    public boolean isAccessGranted(UI ui, String beanName, View view) {

//        if(view.getClass().isAnnotationPresent(RequireAuthentication.class)){

//            return currentSecurityContext().getAuthentication().isAuthenticated();

//        }

        // no RequireAuthentication annotation => grant access

        if(AccessRestrictedView.class.isAssignableFrom(view.getClass())){

            AccessRestrictedView restricedView = (AccessRestrictedView)view;

            if(restricedView.allowAnonymousAccess()){

                if(logger.isTraceEnabled()){

                    logger.trace("anonymous access to " + view.getClass().getName() + " allowed");

                }

                return true;

            } else {

                Authentication authentication = currentSecurityContext().getAuthentication();

                if(authentication != null && authentication.isAuthenticated() && !(authentication instanceof AnonymousAuthenticationToken)) {

                    if(logger.isTraceEnabled()){

                        logger.trace("allowing authenticated user " + authentication.getName() + " to access " + view.getClass().getName() );

                    }

                    return true;

                }

                if(logger.isTraceEnabled()){

                    logger.trace("denying access to " + view.getClass().getName());

                }

                restricedView.releaseResourcesOnAccessDenied();

                return false;

                // FIMXE implement further checks

                // TODO use the UserHelperBean?

            }

        }

        return true;

    }

    /**

     * @return

     *

     * FIXME is it ok to use the SecurityContextHolder or do we need to hold the context in the vaadin session?

     */

    private SecurityContext currentSecurityContext() {

        return SecurityContextHolder.getContext();

    }

}

/**

* Copyright (C) 2017 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.vaadin.permission;

import org.springframework.context.annotation.Bean;

import org.springframework.context.annotation.Configuration;

import com.vaadin.spring.annotation.UIScope;

/**

 * @author a.kohlbecker

 * @since Apr 24, 2017

 *

 */

@Configuration

public class AnnotationBasedAccessControlConfiguration {

    @Bean

    @UIScope

    public AnnotationBasedAccessControlBean annotationBasedAccessControlBean() {

        return new AnnotationBasedAccessControlBean();

    }

}

/**

* Copyright (C) 2018 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.vaadin.permission;

import eu.etaxonomy.cdm.model.common.CdmBase;

import eu.etaxonomy.cdm.persistence.hibernate.permission.CRUD;

import eu.etaxonomy.vaadin.permission.EditPermissionTester;

/**

 * To be used for {@link ToManyRelatedEntitiesComboboxSelect}

 *

 * @author a.kohlbecker

 * @since Apr 20, 2018

 *

 */

public class CdmEditDeletePermissionTester implements EditPermissionTester {

    @Override

    public boolean userHasEditPermission(Object bean) {

        return  UserHelper.fromSession().userHasPermission((CdmBase)bean, CRUD.UPDATE, CRUD.DELETE);

    }

}

/**

* Copyright (C) 2017 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.vaadin.permission;

import java.io.Serializable;

import java.util.EnumSet;

import java.util.UUID;

import org.apache.log4j.Logger;

import org.springframework.context.annotation.Profile;

import com.vaadin.server.FontAwesome;

import com.vaadin.server.VaadinSession;

import com.vaadin.spring.annotation.SpringComponent;

import com.vaadin.spring.annotation.UIScope;

import com.vaadin.ui.AbstractComponentContainer;

import com.vaadin.ui.Button;

import com.vaadin.ui.themes.ValoTheme;

import eu.etaxonomy.cdm.model.common.CdmBase;

import eu.etaxonomy.cdm.persistence.hibernate.permission.CRUD;

/**

 * PermissionDebugUtils provide the following tools:

 * <ul>

 *   <li>{@link #addGainPerEntityPermissionButton(AbstractComponentContainer, Class, Integer, EnumSet)}:

 *   A button which gives a per entity authority to the current user.</li>

 * </ul>

 *

 *

 *

 * To enable the PermissionDebugUtils you need to activate the spring profile <code>debug</code>. You can add

 * <code>-Dspring.profiles.active=debug</code> to the command starting the jvm

 * or set this as an environment variable.

 *

 * @author a.kohlbecker

 * @since Oct 11, 2017

 *

 */

@SpringComponent

@UIScope

@Profile("debug")

public class PermissionDebugUtils implements Serializable {

    private static final long serialVersionUID = -210079304170235459L;

    private final static Logger logger = Logger.getLogger(PermissionDebugUtils.class);

    public static final String VADDIN_SESSION_KEY = "PERMISSION_DEBUG_UTILS";

    public static final String SYSTEM_PROP_KEY = "GainPerEntityPermissionButtons";

    public PermissionDebugUtils() {

        VaadinSession.getCurrent().setAttribute(VADDIN_SESSION_KEY, this);

    }

    public static PermissionDebugUtils fromSession() {

        return (PermissionDebugUtils)VaadinSession.getCurrent().getAttribute(VADDIN_SESSION_KEY);

     }

    public static Button addGainPerEntityPermissionButton(AbstractComponentContainer toContainer, Class<? extends CdmBase> cdmType,

            UUID entitiyUuid, EnumSet<CRUD> crud, String property){

        PermissionDebugUtils pu = PermissionDebugUtils.fromSession();

        if(pu != null){

            Button button = pu.gainPerEntityPermissionButton(cdmType, entitiyUuid, crud, property);

            if(button != null){

                toContainer.addComponent(button);

            }

            return button;

        }

        return null;

    }

    public Button gainPerEntityPermissionButton(Class<? extends CdmBase> cdmType, UUID entitiyUuid, EnumSet<CRUD> crud, String property){

       Button button = new Button(FontAwesome.BOLT);

       button.addClickListener(e -> UserHelper.fromSession().createAuthorityFor(UserHelper.fromSession().userName(), cdmType, entitiyUuid, crud, property));

       button.addStyleName(ValoTheme.BUTTON_DANGER);

       return button;

    }

}

/**

* Copyright (C) 2017 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.vaadin.permission;

/**

 * @author a.kohlbecker

 * @since 25.10.2017

 *

 */

public interface ReleasableResourcesView {

    /**

     * Callback

     */

    public void releaseResourcesOnAccessDenied();

}

/**

* Copyright (C) 2017 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.vaadin.permission;

import java.util.UUID;

import eu.etaxonomy.cdm.persistence.hibernate.permission.Role;

/**

 * Provides the Roles required by the

 * vaadin applications.

 *

 * @author a.kohlbecker

 * @since May 8, 2017

 *

 */

public class RolesAndPermissions {

    public static final Role ROLE_CURATION = new Role(UUID.fromString("642d9ea7-f18c-4ac3-b437-ed05ce5461c3"), "ROLE_CURATION");

}

/**

* Copyright (C) 2017 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.vaadin.permission;

import java.util.EnumSet;

import java.util.UUID;

import com.vaadin.server.VaadinSession;

import eu.etaxonomy.cdm.model.common.CdmBase;

import eu.etaxonomy.cdm.model.common.User;

import eu.etaxonomy.cdm.persistence.hibernate.permission.CRUD;

import eu.etaxonomy.cdm.persistence.hibernate.permission.CdmAuthority;

/**

 * UserHelper interface. Implementations should use the {@link #VADDIN_SESSION_KEY} to auto registers

 * in the VaadinSession.

 *

 * @author a.kohlbecker

 * @since May 23, 2017

 *

 */

public interface UserHelper {

    public static final String VADDIN_SESSION_KEY = "USER_HELPER";

    /**

     * Static accessor method to obtain the auto-registered UserHelper-Bean from the

     * VaadinSession.

     *

     * @return

     */

    public static UserHelper fromSession() {

       return (UserHelper)VaadinSession.getCurrent().getAttribute(VADDIN_SESSION_KEY);

    }

    boolean userHasPermission(Class<? extends CdmBase> cdmType, Integer entitiyId, Object ... args);

    boolean userHasPermission(Class<? extends CdmBase> cdmType, UUID entitiyUUID, Object ... args);

    boolean userHasPermission(Class<? extends CdmBase> cdmType, Object ... args);

    boolean userHasPermission(CdmBase entity, Object ... args);

    boolean userIsRegistrationCurator();

    boolean userIsAdmin();

    User user();

    String userName();

    boolean userIsAnnonymous();

    boolean userIsAutheticated();

    /**

     *

     * @param username

     * @param cdmEntity

     * @param crud

     * @param property

     * @return the newly created CdmAuthority only if a new CdmAuthority has been added to the user otherwise

     * <code>null</code> in case the operation failed of if the user was already granted with this authority.

     */

    public CdmAuthority createAuthorityFor(String username, CdmBase cdmEntity, EnumSet<CRUD> crud, String property);

    /**

     *

     * @param username

     * @param cdmType

     * @param entitiyId

     * @param crud

     * @param property

     * @return the newly created CdmAuthority only if a new CdmAuthority has been added to the user otherwise

     * <code>null</code> in case the operation failed of if the user was already granted with this authority.

     */

    public CdmAuthority createAuthorityFor(String username, Class<? extends CdmBase> cdmType, Integer entitiyId, EnumSet<CRUD> crud, String property);

    /**

    *

    * @param username

    * @param cdmType

    * @param entitiyUuid

    * @param crud

    * @param property

    * @return the newly created CdmAuthority only if a new CdmAuthority has been added to the user otherwise

    * <code>null</code> in case the operation failed of if the user was already granted with this authority.

    */

   public CdmAuthority createAuthorityFor(String username, Class<? extends CdmBase> cdmType, UUID entitiyUuid, EnumSet<CRUD> crud, String property);

    /**

     * @param cdmType

     * @param entitiyId

     * @param crud

     * @return the newly created CdmAuthority only if a new CdmAuthority has been added to the user otherwise

     * <code>null</code> in case the operation failed of if the user was already granted with this authority.

     */

    public CdmAuthority createAuthorityForCurrentUser(Class<? extends CdmBase> cdmType, Integer entitiyId, EnumSet<CRUD> crud, String property);

    /**

     * @param cdmType

     * @param entitiyUuid

     * @param crud

     * @return the newly created CdmAuthority only if a new CdmAuthority has been added to the user otherwise

     * <code>null</code> in case the operation failed of if the user was already granted with this authority.

     */

    public CdmAuthority createAuthorityForCurrentUser(Class<? extends CdmBase> cdmType, UUID entitiyUuid, EnumSet<CRUD> crud, String property);

    /**

     * @param cdmType

     * @param entitiyId

     * @param crud

     * @return the newly created CdmAuthority only if a new CdmAuthority has been added to the user otherwise

     * <code>null</code> in case the operation failed of if the user was already granted with this authority.

     */

    public CdmAuthority createAuthorityForCurrentUser(CdmBase cdmEntity, EnumSet<CRUD> crud, String property);

    /**

     * @param newAuthority

     */

    public void removeAuthorityForCurrentUser(CdmAuthority newAuthority);

    /**

     * @param username

     * @param newAuthority

     */

    public void removeAuthorityForCurrentUser(String username, CdmAuthority newAuthority);

}

/**

* Copyright (C) 2017 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.vaadin.permission;

import com.vaadin.server.VaadinSession;

/**

 * Abstract UserHelper which auto registers in the VaadinSession.

 *

 * @author a.kohlbecker

 * @since May 23, 2017

 *

 */

public abstract class VaadinUserHelper implements UserHelper {

    public VaadinUserHelper() {

        VaadinSession.getCurrent().setAttribute(VADDIN_SESSION_KEY, this);

    }

}

/**

* Copyright (C) 2017 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.vaadin.permission.annotation;

import static java.lang.annotation.ElementType.TYPE;

import static java.lang.annotation.RetentionPolicy.RUNTIME;

import java.lang.annotation.Documented;

import java.lang.annotation.Retention;

import java.lang.annotation.Target;

import org.springframework.context.annotation.Import;

import eu.etaxonomy.cdm.vaadin.permission.AnnotationBasedAccessControlConfiguration;

@Documented

@Retention(RUNTIME)

@Target(TYPE)

@Import(AnnotationBasedAccessControlConfiguration.class)

/**

 * @author a.kohlbecker

 * @since Apr 24, 2017

 *

 */

public @interface EnableAnnotationBasedAccessControl {

}

/**

* Copyright (C) 2017 EDIT

* European Distributed Institute of Taxonomy

* http://www.e-taxonomy.eu

*

* The contents of this file are subject to the Mozilla Public License Version 1.1

* See LICENSE.TXT at the top of this package for the full license terms.

*/

package eu.etaxonomy.cdm.vaadin.permission.annotation;

import java.lang.annotation.Documented;

import java.lang.annotation.ElementType;

import java.lang.annotation.Retention;

import java.lang.annotation.RetentionPolicy;

import java.lang.annotation.Target;

/**

 * Annotate a Spring View with this to require users to authenticate.

 *

 * @author a.kohlbecker

 * @since Apr 24, 2017

 *

 */

@Target({ ElementType.TYPE})

@Retention(RetentionPolicy.RUNTIME)

@Documented

public @interface RequireAuthentication {

}

import eu.etaxonomy.cdm.vaadin.permission.ReleasableResourcesView;

import eu.etaxonomy.cdm.vaadin.permission.AccessRestrictedView;

import eu.etaxonomy.cdm.vaadin.permission.CdmEditDeletePermissionTester;

import eu.etaxonomy.cdm.vaadin.permission.UserHelper;

import eu.etaxonomy.cdm.vaadin.permission.UserHelper;

import eu.etaxonomy.cdm.vaadin.permission.AccessRestrictedView;

import eu.etaxonomy.cdm.vaadin.permission.UserHelper;

import eu.etaxonomy.cdm.vaadin.permission.AccessRestrictedView;

import eu.etaxonomy.cdm.vaadin.permission.CdmEditDeletePermissionTester;

import eu.etaxonomy.cdm.vaadin.permission.UserHelper;