Merge remote-tracking branch 'origin/develop' into feature/SUPPORT-9509_fix_mchd
This commit is contained in:
commit
56a682bdeb
19 changed files with 1200 additions and 17 deletions
|
|
@ -6,9 +6,11 @@ package ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_;
|
|||
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.Databasechangeloglock;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.OkopfRecords;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.OrganizationAllowed;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.Shedlock;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.records.DatabasechangeloglockRecord;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.records.OkopfRecordsRecord;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.records.OrganizationAllowedRecord;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.records.ShedlockRecord;
|
||||
|
||||
import org.jooq.TableField;
|
||||
|
|
@ -30,5 +32,7 @@ public class Keys {
|
|||
|
||||
public static final UniqueKey<DatabasechangeloglockRecord> DATABASECHANGELOGLOCK_PKEY = Internal.createUniqueKey(Databasechangeloglock.DATABASECHANGELOGLOCK, DSL.name("databasechangeloglock_pkey"), new TableField[] { Databasechangeloglock.DATABASECHANGELOGLOCK.ID }, true);
|
||||
public static final UniqueKey<OkopfRecordsRecord> OKOPF_RECORDS_PKEY = Internal.createUniqueKey(OkopfRecords.OKOPF_RECORDS, DSL.name("okopf_records_pkey"), new TableField[] { OkopfRecords.OKOPF_RECORDS.OKOPF_RECORDS_ID }, true);
|
||||
public static final UniqueKey<OrganizationAllowedRecord> PK_ORGANIZATION_ALLOWED = Internal.createUniqueKey(OrganizationAllowed.ORGANIZATION_ALLOWED, DSL.name("pk_organization_allowed"), new TableField[] { OrganizationAllowed.ORGANIZATION_ALLOWED.ID }, true);
|
||||
public static final UniqueKey<OrganizationAllowedRecord> UNI_ORGANIZATION_ALLOWED_OGRN = Internal.createUniqueKey(OrganizationAllowed.ORGANIZATION_ALLOWED, DSL.name("uni_organization_allowed_ogrn"), new TableField[] { OrganizationAllowed.ORGANIZATION_ALLOWED.OGRN }, true);
|
||||
public static final UniqueKey<ShedlockRecord> SHEDLOCK_PK = Internal.createUniqueKey(Shedlock.SHEDLOCK, DSL.name("shedlock_pk"), new TableField[] { Shedlock.SHEDLOCK.NAME }, true);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.Databasechangelog;
|
|||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.Databasechangeloglock;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.InteractionLog;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.OkopfRecords;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.OrganizationAllowed;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.Shedlock;
|
||||
|
||||
import java.util.Arrays;
|
||||
|
|
@ -52,6 +53,11 @@ public class Public extends SchemaImpl {
|
|||
*/
|
||||
public final OkopfRecords OKOPF_RECORDS = OkopfRecords.OKOPF_RECORDS;
|
||||
|
||||
/**
|
||||
* The table <code>public.organization_allowed</code>.
|
||||
*/
|
||||
public final OrganizationAllowed ORGANIZATION_ALLOWED = OrganizationAllowed.ORGANIZATION_ALLOWED;
|
||||
|
||||
/**
|
||||
* The table <code>public.shedlock</code>.
|
||||
*/
|
||||
|
|
@ -77,6 +83,7 @@ public class Public extends SchemaImpl {
|
|||
Databasechangeloglock.DATABASECHANGELOGLOCK,
|
||||
InteractionLog.INTERACTION_LOG,
|
||||
OkopfRecords.OKOPF_RECORDS,
|
||||
OrganizationAllowed.ORGANIZATION_ALLOWED,
|
||||
Shedlock.SHEDLOCK
|
||||
);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -8,6 +8,7 @@ import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.Databasechangelog;
|
|||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.Databasechangeloglock;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.InteractionLog;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.OkopfRecords;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.OrganizationAllowed;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.Shedlock;
|
||||
|
||||
|
||||
|
|
@ -37,6 +38,11 @@ public class Tables {
|
|||
*/
|
||||
public static final OkopfRecords OKOPF_RECORDS = OkopfRecords.OKOPF_RECORDS;
|
||||
|
||||
/**
|
||||
* The table <code>public.organization_allowed</code>.
|
||||
*/
|
||||
public static final OrganizationAllowed ORGANIZATION_ALLOWED = OrganizationAllowed.ORGANIZATION_ALLOWED;
|
||||
|
||||
/**
|
||||
* The table <code>public.shedlock</code>.
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -0,0 +1,238 @@
|
|||
/*
|
||||
* This file is generated by jOOQ.
|
||||
*/
|
||||
package ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables;
|
||||
|
||||
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.Keys;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.Public;
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.records.OrganizationAllowedRecord;
|
||||
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
|
||||
import org.jooq.Condition;
|
||||
import org.jooq.Field;
|
||||
import org.jooq.Identity;
|
||||
import org.jooq.Name;
|
||||
import org.jooq.PlainSQL;
|
||||
import org.jooq.QueryPart;
|
||||
import org.jooq.SQL;
|
||||
import org.jooq.Schema;
|
||||
import org.jooq.Select;
|
||||
import org.jooq.Stringly;
|
||||
import org.jooq.Table;
|
||||
import org.jooq.TableField;
|
||||
import org.jooq.TableOptions;
|
||||
import org.jooq.UniqueKey;
|
||||
import org.jooq.impl.DSL;
|
||||
import org.jooq.impl.SQLDataType;
|
||||
import org.jooq.impl.TableImpl;
|
||||
|
||||
|
||||
/**
|
||||
* This class is generated by jOOQ.
|
||||
*/
|
||||
@SuppressWarnings({ "all", "unchecked", "rawtypes" })
|
||||
public class OrganizationAllowed extends TableImpl<OrganizationAllowedRecord> {
|
||||
|
||||
private static final long serialVersionUID = 1L;
|
||||
|
||||
/**
|
||||
* The reference instance of <code>public.organization_allowed</code>
|
||||
*/
|
||||
public static final OrganizationAllowed ORGANIZATION_ALLOWED = new OrganizationAllowed();
|
||||
|
||||
/**
|
||||
* The class holding records for this type
|
||||
*/
|
||||
@Override
|
||||
public Class<OrganizationAllowedRecord> getRecordType() {
|
||||
return OrganizationAllowedRecord.class;
|
||||
}
|
||||
|
||||
/**
|
||||
* The column <code>public.organization_allowed.id</code>.
|
||||
*/
|
||||
public final TableField<OrganizationAllowedRecord, Long> ID = createField(DSL.name("id"), SQLDataType.BIGINT.nullable(false).identity(true), this, "");
|
||||
|
||||
/**
|
||||
* The column <code>public.organization_allowed.ogrn</code>.
|
||||
*/
|
||||
public final TableField<OrganizationAllowedRecord, String> OGRN = createField(DSL.name("ogrn"), SQLDataType.VARCHAR(15).nullable(false), this, "");
|
||||
|
||||
private OrganizationAllowed(Name alias, Table<OrganizationAllowedRecord> aliased) {
|
||||
this(alias, aliased, (Field<?>[]) null, null);
|
||||
}
|
||||
|
||||
private OrganizationAllowed(Name alias, Table<OrganizationAllowedRecord> aliased, Field<?>[] parameters, Condition where) {
|
||||
super(alias, null, aliased, parameters, DSL.comment(""), TableOptions.table(), where);
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an aliased <code>public.organization_allowed</code> table
|
||||
* reference
|
||||
*/
|
||||
public OrganizationAllowed(String alias) {
|
||||
this(DSL.name(alias), ORGANIZATION_ALLOWED);
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an aliased <code>public.organization_allowed</code> table
|
||||
* reference
|
||||
*/
|
||||
public OrganizationAllowed(Name alias) {
|
||||
this(alias, ORGANIZATION_ALLOWED);
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a <code>public.organization_allowed</code> table reference
|
||||
*/
|
||||
public OrganizationAllowed() {
|
||||
this(DSL.name("organization_allowed"), null);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Schema getSchema() {
|
||||
return aliased() ? null : Public.PUBLIC;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Identity<OrganizationAllowedRecord, Long> getIdentity() {
|
||||
return (Identity<OrganizationAllowedRecord, Long>) super.getIdentity();
|
||||
}
|
||||
|
||||
@Override
|
||||
public UniqueKey<OrganizationAllowedRecord> getPrimaryKey() {
|
||||
return Keys.PK_ORGANIZATION_ALLOWED;
|
||||
}
|
||||
|
||||
@Override
|
||||
public List<UniqueKey<OrganizationAllowedRecord>> getUniqueKeys() {
|
||||
return Arrays.asList(Keys.UNI_ORGANIZATION_ALLOWED_OGRN);
|
||||
}
|
||||
|
||||
@Override
|
||||
public OrganizationAllowed as(String alias) {
|
||||
return new OrganizationAllowed(DSL.name(alias), this);
|
||||
}
|
||||
|
||||
@Override
|
||||
public OrganizationAllowed as(Name alias) {
|
||||
return new OrganizationAllowed(alias, this);
|
||||
}
|
||||
|
||||
@Override
|
||||
public OrganizationAllowed as(Table<?> alias) {
|
||||
return new OrganizationAllowed(alias.getQualifiedName(), this);
|
||||
}
|
||||
|
||||
/**
|
||||
* Rename this table
|
||||
*/
|
||||
@Override
|
||||
public OrganizationAllowed rename(String name) {
|
||||
return new OrganizationAllowed(DSL.name(name), null);
|
||||
}
|
||||
|
||||
/**
|
||||
* Rename this table
|
||||
*/
|
||||
@Override
|
||||
public OrganizationAllowed rename(Name name) {
|
||||
return new OrganizationAllowed(name, null);
|
||||
}
|
||||
|
||||
/**
|
||||
* Rename this table
|
||||
*/
|
||||
@Override
|
||||
public OrganizationAllowed rename(Table<?> name) {
|
||||
return new OrganizationAllowed(name.getQualifiedName(), null);
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an inline derived table from this table
|
||||
*/
|
||||
@Override
|
||||
public OrganizationAllowed where(Condition condition) {
|
||||
return new OrganizationAllowed(getQualifiedName(), aliased() ? this : null, null, condition);
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an inline derived table from this table
|
||||
*/
|
||||
@Override
|
||||
public OrganizationAllowed where(Collection<? extends Condition> conditions) {
|
||||
return where(DSL.and(conditions));
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an inline derived table from this table
|
||||
*/
|
||||
@Override
|
||||
public OrganizationAllowed where(Condition... conditions) {
|
||||
return where(DSL.and(conditions));
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an inline derived table from this table
|
||||
*/
|
||||
@Override
|
||||
public OrganizationAllowed where(Field<Boolean> condition) {
|
||||
return where(DSL.condition(condition));
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an inline derived table from this table
|
||||
*/
|
||||
@Override
|
||||
@PlainSQL
|
||||
public OrganizationAllowed where(SQL condition) {
|
||||
return where(DSL.condition(condition));
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an inline derived table from this table
|
||||
*/
|
||||
@Override
|
||||
@PlainSQL
|
||||
public OrganizationAllowed where(@Stringly.SQL String condition) {
|
||||
return where(DSL.condition(condition));
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an inline derived table from this table
|
||||
*/
|
||||
@Override
|
||||
@PlainSQL
|
||||
public OrganizationAllowed where(@Stringly.SQL String condition, Object... binds) {
|
||||
return where(DSL.condition(condition, binds));
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an inline derived table from this table
|
||||
*/
|
||||
@Override
|
||||
@PlainSQL
|
||||
public OrganizationAllowed where(@Stringly.SQL String condition, QueryPart... parts) {
|
||||
return where(DSL.condition(condition, parts));
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an inline derived table from this table
|
||||
*/
|
||||
@Override
|
||||
public OrganizationAllowed whereExists(Select<?> select) {
|
||||
return where(DSL.exists(select));
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an inline derived table from this table
|
||||
*/
|
||||
@Override
|
||||
public OrganizationAllowed whereNotExists(Select<?> select) {
|
||||
return where(DSL.notExists(select));
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,79 @@
|
|||
/*
|
||||
* This file is generated by jOOQ.
|
||||
*/
|
||||
package ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.records;
|
||||
|
||||
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.OrganizationAllowed;
|
||||
|
||||
import org.jooq.Record1;
|
||||
import org.jooq.impl.UpdatableRecordImpl;
|
||||
|
||||
|
||||
/**
|
||||
* This class is generated by jOOQ.
|
||||
*/
|
||||
@SuppressWarnings({ "all", "unchecked", "rawtypes" })
|
||||
public class OrganizationAllowedRecord extends UpdatableRecordImpl<OrganizationAllowedRecord> {
|
||||
|
||||
private static final long serialVersionUID = 1L;
|
||||
|
||||
/**
|
||||
* Setter for <code>public.organization_allowed.id</code>.
|
||||
*/
|
||||
public void setId(Long value) {
|
||||
set(0, value);
|
||||
}
|
||||
|
||||
/**
|
||||
* Getter for <code>public.organization_allowed.id</code>.
|
||||
*/
|
||||
public Long getId() {
|
||||
return (Long) get(0);
|
||||
}
|
||||
|
||||
/**
|
||||
* Setter for <code>public.organization_allowed.ogrn</code>.
|
||||
*/
|
||||
public void setOgrn(String value) {
|
||||
set(1, value);
|
||||
}
|
||||
|
||||
/**
|
||||
* Getter for <code>public.organization_allowed.ogrn</code>.
|
||||
*/
|
||||
public String getOgrn() {
|
||||
return (String) get(1);
|
||||
}
|
||||
|
||||
// -------------------------------------------------------------------------
|
||||
// Primary key information
|
||||
// -------------------------------------------------------------------------
|
||||
|
||||
@Override
|
||||
public Record1<Long> key() {
|
||||
return (Record1) super.key();
|
||||
}
|
||||
|
||||
// -------------------------------------------------------------------------
|
||||
// Constructors
|
||||
// -------------------------------------------------------------------------
|
||||
|
||||
/**
|
||||
* Create a detached OrganizationAllowedRecord
|
||||
*/
|
||||
public OrganizationAllowedRecord() {
|
||||
super(OrganizationAllowed.ORGANIZATION_ALLOWED);
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a detached, initialised OrganizationAllowedRecord
|
||||
*/
|
||||
public OrganizationAllowedRecord(Long id, String ogrn) {
|
||||
super(OrganizationAllowed.ORGANIZATION_ALLOWED);
|
||||
|
||||
setId(id);
|
||||
setOgrn(ogrn);
|
||||
resetChangedOnNotNull();
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,25 @@
|
|||
package ru.micord.ervu.dao;
|
||||
|
||||
import ervu_lkrp_ul.ervu_lkrp_ul.db_beans.public_.tables.OrganizationAllowed;
|
||||
import org.jooq.DSLContext;
|
||||
|
||||
import org.springframework.stereotype.Repository;
|
||||
|
||||
/**
|
||||
* @author Adel Kalimullin
|
||||
*/
|
||||
@Repository
|
||||
public class OrganizationAccessDao {
|
||||
private final DSLContext dsl;
|
||||
|
||||
public OrganizationAccessDao(DSLContext dsl) {
|
||||
this.dsl = dsl;
|
||||
}
|
||||
|
||||
public boolean existsByOgrn(String ogrn) {
|
||||
return dsl.fetchExists(
|
||||
dsl.selectFrom(OrganizationAllowed.ORGANIZATION_ALLOWED)
|
||||
.where(OrganizationAllowed.ORGANIZATION_ALLOWED.OGRN.eq(ogrn))
|
||||
);
|
||||
}
|
||||
}
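Review bot: existsByOgrn has no Javadoc, and the one fact a reader wants is whether the OGRN is bound or concatenated; I'd add `/** Returns true when {@code ogrn} has a row in public.organization_allowed; the value is bound as a jOOQ parameter, never spliced into SQL. */`. Stylistically, `dsl.fetchExists(dsl.selectOne().from(ORGANIZATION_ALLOWED).where(ORGANIZATION_ALLOWED.OGRN.eq(ogrn)))` is the usual jOOQ shape for an EXISTS probe and avoids projecting every column inside the subquery, though most databases optimize that away. A static import of `OrganizationAllowed.ORGANIZATION_ALLOWED` would also shorten the two fully qualified references.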
|
||||
|
|
@ -6,4 +6,6 @@ public class SecurityConstants {
|
|||
public static final String AUTH_MARKER = "webbpm.ervu-lkrp-ul";
|
||||
public static final String PRNS_UUID = "prns_uuid_ul";
|
||||
public static final String STICKY_SESSION = "stickysession";
|
||||
public static final String UPLOAD_ALLOWED_MARKER = "upload_allowed";
|
||||
public static final String EMPLOYEE_DOCUMENT_PATH = "/employee/document";
|
||||
}
|
||||
|
|
|
|||
|
|
@ -62,6 +62,7 @@ import ru.micord.ervu.security.webbpm.jwt.JwtAuthentication;
|
|||
import ru.micord.ervu.security.webbpm.jwt.helper.SecurityHelper;
|
||||
import ru.micord.ervu.security.webbpm.jwt.service.JwtTokenService;
|
||||
import ru.micord.ervu.security.webbpm.jwt.model.Token;
|
||||
import ru.micord.ervu.service.UploadAccessService;
|
||||
|
||||
import ru.cg.webbpm.modules.core.runtime.api.LocalizedException;
|
||||
import ru.cg.webbpm.modules.core.runtime.api.MessageBundleUtils;
|
||||
|
|
@ -93,6 +94,8 @@ public class EsiaAuthService {
|
|||
private SecurityHelper securityHelper;
|
||||
@Autowired
|
||||
private AuditService auditService;
|
||||
@Autowired
|
||||
private UploadAccessService uploadAccessService;
|
||||
@Value("${ervu.kafka.org.reply.topic}")
|
||||
private String requestReplyTopic;
|
||||
|
||||
|
|
@ -191,6 +194,7 @@ public class EsiaAuthService {
|
|||
String prnOid = null;
|
||||
Long expiresIn = null;
|
||||
boolean hasRole = false;
|
||||
boolean fileUploadAllowed = false;
|
||||
long timeSignSecret = 0, timeRequestAccessToken = 0, timeVerifySecret = 0;
|
||||
verifyStateFromCookie(request, state, response);
|
||||
try {
|
||||
|
|
@ -280,6 +284,7 @@ public class EsiaAuthService {
|
|||
try {
|
||||
orgInfo = getOrgInfo(esiaAccessTokenStr);
|
||||
hasRole = ulDataService.checkRole(esiaAccessTokenStr);
|
||||
fileUploadAllowed = uploadAccessService.canUploadFiles(orgInfo.getOgrn());
|
||||
ervuId = getErvuId(prnOid, orgInfo);
|
||||
if (!hasRole) {
|
||||
LOGGER.error("The user with id = " + prnOid + " does not have the required role");
|
||||
|
|
@ -298,7 +303,7 @@ public class EsiaAuthService {
|
|||
auditService.processAuthEvent(request, orgInfo, prnOid, status,
|
||||
AuditConstants.LOGIN_EVENT_TYPE);
|
||||
}
|
||||
createTokenAndAddCookie(response, prnOid, ervuId, hasRole , expiresIn);
|
||||
createTokenAndAddCookie(response, prnOid, ervuId, hasRole, fileUploadAllowed, expiresIn);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -371,8 +376,9 @@ public class EsiaAuthService {
|
|||
EsiaAuthInfoStore.addAccessToken(prnOid, esiaAccessTokenStr, expiresIn);
|
||||
EsiaAuthInfoStore.addRefreshToken(prnOid, esiaNewRefreshToken, expiresIn);
|
||||
OrgInfo orgInfo = getOrgInfo(esiaAccessTokenStr);
|
||||
boolean fileUploadAllowed = uploadAccessService.canUploadFiles(orgInfo.getOgrn());
|
||||
String ervuId = getErvuId(prnOid, orgInfo);
|
||||
createTokenAndAddCookie(response, esiaAccessToken.getSbjId(), ervuId, true, expiresIn);
|
||||
createTokenAndAddCookie(response, esiaAccessToken.getSbjId(), ervuId, true, fileUploadAllowed, expiresIn);
|
||||
}
|
||||
catch (EsiaException | IOException | InterruptedException e) {
|
||||
throw new EsiaException(e);
|
||||
|
|
@ -548,9 +554,9 @@ public class EsiaAuthService {
|
|||
}
|
||||
|
||||
private void createTokenAndAddCookie(HttpServletResponse response, String userId, String ervuId,
|
||||
Boolean hasRole, Long expiresIn) {
|
||||
Token token = jwtTokenService.createAccessToken(userId, expiresIn, ervuId, hasRole);
|
||||
securityHelper.addAccessCookies(response, token.getValue(), expiresIn.intValue());
|
||||
Boolean hasRole, Boolean fileUploadAllowed, Long expiresIn) {
|
||||
Token token = jwtTokenService.createAccessToken(userId, expiresIn, ervuId, hasRole, fileUploadAllowed);
|
||||
securityHelper.addAccessCookies(response, token.getValue(), expiresIn.intValue(), fileUploadAllowed);
|
||||
UsernamePasswordAuthenticationToken usernamePasswordAuthenticationToken =
|
||||
new UsernamePasswordAuthenticationToken(token.getUserAccountId(), null);
|
||||
SecurityContext context = SecurityContextHolder.createEmptyContext();
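Review bot: createTokenAndAddCookie now takes a boxed `Boolean fileUploadAllowed` (the new signature line) although both call sites pass a primitive, and SecurityHelper.addAccessCookies later unboxes it in an `if`; declaring it `boolean fileUploadAllowed` makes a null impossible at that unboxing. In the login path the flag is computed from `orgInfo.getOgrn()` before the role check runs, so a user without the role still costs an allowlist lookup — harmless, but if `getOrgInfo` can return a partial object the null-safety of that call should be confirmed. The refresh path re-evaluates the allowlist on every token refresh, which is what lets a revoked OGRN lose upload rights without a re-login; that intent deserves a comment there: `// re-check the allowlist on refresh so revocation takes effect without re-login`. The bodies of the login, refresh and createTokenAndAddCookie methods all continue outside their hunks.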
|
||||
|
|
|
|||
|
|
@ -6,6 +6,7 @@ import javax.servlet.http.HttpServletRequest;
|
|||
|
||||
import io.jsonwebtoken.ExpiredJwtException;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.security.access.AccessDeniedException;
|
||||
import org.springframework.security.authentication.AuthenticationProvider;
|
||||
import org.springframework.security.authentication.BadCredentialsException;
|
||||
import org.springframework.security.authentication.CredentialsExpiredException;
|
||||
|
|
@ -19,10 +20,10 @@ import ru.micord.ervu.security.webbpm.jwt.model.Token;
|
|||
import ru.micord.ervu.security.webbpm.jwt.service.JwtTokenService;
|
||||
|
||||
import static org.springframework.web.context.request.RequestAttributes.REFERENCE_REQUEST;
|
||||
import static ru.micord.ervu.security.SecurityConstants.EMPLOYEE_DOCUMENT_PATH;
|
||||
|
||||
@Component
|
||||
public class JwtAuthenticationProvider implements AuthenticationProvider {
|
||||
|
||||
private final JwtTokenService jwtTokenService;
|
||||
|
||||
@Autowired
|
||||
|
|
@ -56,6 +57,12 @@ public class JwtAuthenticationProvider implements AuthenticationProvider {
|
|||
}
|
||||
|
||||
if (jwtTokenService.isValid(token) && token.getHasRole()) {
|
||||
String requestPath = request.getRequestURI();
|
||||
if (EMPLOYEE_DOCUMENT_PATH.equals(requestPath) &&
|
||||
Boolean.FALSE.equals(token.isFileUploadAllowed())) {
|
||||
throw new AccessDeniedException("File upload is not allowed for this organization");
|
||||
}
|
||||
|
||||
UsernamePasswordAuthenticationToken pwdToken =
|
||||
UsernamePasswordAuthenticationToken.authenticated(token.getUserAccountId(), null,
|
||||
Collections.emptyList()
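Review bot: The new guard fails open: `Boolean.FALSE.equals(token.isFileUploadAllowed())` treats a null claim (a token issued before this change, or one whose claim was dropped) as permission to upload, so it should read `if (EMPLOYEE_DOCUMENT_PATH.equals(requestPath) && !Boolean.TRUE.equals(token.isFileUploadAllowed())) {`. The exact `equals` on `request.getRequestURI()` is also fragile: getRequestURI includes the servlet context path, so under a non-root deployment the check never fires, and a trailing-slash or otherwise normalized variant of the path is not covered; comparing on `request.getServletPath()` helps, but enforcing this per endpoint through Spring Security request matchers or a method-level check is the more robust place than an AuthenticationProvider. Throwing AccessDeniedException from `authenticate` may also be reported as an authentication failure rather than a 403 depending on the filter chain — worth confirming. The enclosing authenticate method continues outside the hunk.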
|
||||
|
|
|
|||
|
|
@ -17,6 +17,7 @@ import static org.springframework.web.context.request.RequestAttributes.REFERENC
|
|||
import static ru.micord.ervu.security.SecurityConstants.AUTH_MARKER;
|
||||
import static ru.micord.ervu.security.SecurityConstants.AUTH_TOKEN;
|
||||
import static ru.micord.ervu.security.SecurityConstants.PRNS_UUID;
|
||||
import static ru.micord.ervu.security.SecurityConstants.UPLOAD_ALLOWED_MARKER;
|
||||
|
||||
public final class SecurityHelper {
|
||||
@Value("${cookie.path:#{null}}")
|
||||
|
|
@ -45,6 +46,14 @@ public final class SecurityHelper {
|
|||
.httpOnly(false)
|
||||
.build();
|
||||
addResponseCookie(response, emptyAuthMarker);
|
||||
|
||||
ResponseCookie emptyUploadAllowed = createCookie(UPLOAD_ALLOWED_MARKER, null, "/")
|
||||
.maxAge(0)
|
||||
.secure(false)
|
||||
.httpOnly(false)
|
||||
.build();
|
||||
addResponseCookie(response, emptyUploadAllowed);
|
||||
|
||||
clearCookie(response, PRNS_UUID, accessCookiePath);
|
||||
}
|
||||
|
||||
|
|
@ -52,7 +61,8 @@ public final class SecurityHelper {
|
|||
response.addHeader(HttpHeaders.SET_COOKIE, cookie.toString());
|
||||
}
|
||||
|
||||
public void addAccessCookies(HttpServletResponse response, String cookieValue, int expiry) {
|
||||
public void addAccessCookies(HttpServletResponse response, String cookieValue, int expiry,
|
||||
Boolean fileUploadAllowed) {
|
||||
ResponseCookie authTokenCookie = createCookie(AUTH_TOKEN, cookieValue, accessCookiePath)
|
||||
.maxAge(expiry)
|
||||
.build();
|
||||
|
|
@ -64,6 +74,15 @@ public final class SecurityHelper {
|
|||
.httpOnly(false)
|
||||
.build();
|
||||
addResponseCookie(response, authMarker);
|
||||
|
||||
if (fileUploadAllowed) {
|
||||
ResponseCookie uploadAllowedCookie = createCookie(UPLOAD_ALLOWED_MARKER, "true", "/")
|
||||
.maxAge(expiry)
|
||||
.secure(false)
|
||||
.httpOnly(false)
|
||||
.build();
|
||||
addResponseCookie(response, uploadAllowedCookie);
|
||||
}
|
||||
}
|
||||
|
||||
public ResponseCookie.ResponseCookieBuilder createCookie(String name, String value, String path) {
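Review bot: addAccessCookies only writes the upload_allowed cookie when the flag is true and never clears it otherwise, so a browser that re-authenticates without passing through clearCookies keeps a stale `upload_allowed=true` from an earlier session; add an else branch that writes the same max-age-0 cookie clearCookies builds, or extract that into a private `clearUploadAllowedCookie(response)` used by both. `if (fileUploadAllowed)` unboxes a `Boolean`; `Boolean.TRUE.equals(fileUploadAllowed)` is null-safe. Since this cookie is non-HttpOnly and non-Secure like the existing auth marker, a comment should state that it is a UI hint only and that the signed `fileUploadAllowed` JWT claim is what the server enforces. The second hunk's method ends inside the hunk; the first hunk's clearCookies continues outside it.

```java
        addResponseCookie(response, authMarker);

        if (Boolean.TRUE.equals(fileUploadAllowed)) {
            // … unchanged: build and add uploadAllowedCookie …
        } else {
            // Clear any stale marker left by an earlier session. UI hint only:
            // authorization is decided from the signed JWT claim, not this cookie.
            ResponseCookie emptyUploadAllowed = createCookie(UPLOAD_ALLOWED_MARKER, null, "/")
                .maxAge(0)
                .secure(false)
                .httpOnly(false)
                .build();
            addResponseCookie(response, emptyUploadAllowed);
        }
    }
```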
|
||||
|
|
|
|||
|
|
@ -8,13 +8,16 @@ public class Token {
|
|||
private final Date expirationDate;
|
||||
private final String value;
|
||||
private final Boolean hasRole;
|
||||
private final Boolean fileUploadAllowed;
|
||||
|
||||
public Token(String userAccountId, String issuer, Date expirationDate, String value, Boolean hasRole) {
|
||||
public Token(String userAccountId, String issuer, Date expirationDate, String value, Boolean hasRole,
|
||||
Boolean fileUploadAllowed) {
|
||||
this.userAccountId = userAccountId;
|
||||
this.issuer = issuer;
|
||||
this.expirationDate = expirationDate;
|
||||
this.value = value;
|
||||
this.hasRole = hasRole;
|
||||
this.fileUploadAllowed = fileUploadAllowed;
|
||||
}
|
||||
|
||||
public String getUserAccountId() {
|
||||
|
|
@ -40,4 +43,8 @@ public class Token {
|
|||
public Boolean getHasRole() {
|
||||
return hasRole;
|
||||
}
|
||||
|
||||
public Boolean isFileUploadAllowed() {
|
||||
return fileUploadAllowed;
|
||||
}
|
||||
}
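Review bot: isFileUploadAllowed returns a boxed `Boolean` under an `is` prefix, which is neither a JavaBean boolean property nor consistent with the sibling `getHasRole`; either name it `getFileUploadAllowed` or make the field a primitive `boolean`. More important to document is that the value can be null when a parsed token carries no such claim, and what readers must do with that: `/** Upload-permission claim; null when the token was issued without it — callers must treat null as not allowed. */` on the field. The constructor's six positional parameters with two adjacent Booleans are easy to swap at call sites; a builder or primitives would make that harder.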
|
||||
|
|
|
|||
|
|
@ -43,8 +43,7 @@ public class JwtTokenService {
|
|||
this.signingKey = Keys.hmacShaKeyFor(encodedKey);
|
||||
}
|
||||
|
||||
public Token createAccessToken(String userAccountId, Long expiresIn, String ervuId, Boolean hasRole) {
|
||||
|
||||
public Token createAccessToken(String userAccountId, Long expiresIn, String ervuId, Boolean hasRole, Boolean fileUploadAllowed) {
|
||||
Date expirationDate = new Date(System.currentTimeMillis() + 1000L * expiresIn);
|
||||
String value = Jwts.builder()
|
||||
.setSubject(userAccountId + ":" + ervuId)
|
||||
|
|
@ -52,9 +51,12 @@ public class JwtTokenService {
|
|||
.setIssuedAt(new Date(System.currentTimeMillis()))
|
||||
.setExpiration(expirationDate)
|
||||
.claim("hasRole", hasRole)
|
||||
.claim("fileUploadAllowed", fileUploadAllowed)
|
||||
.signWith(signingKey)
|
||||
.compact();
|
||||
return new Token(userAccountId + ":" + ervuId, tokenIssuerName, expirationDate, value, hasRole);
|
||||
return new Token(userAccountId + ":" + ervuId, tokenIssuerName, expirationDate, value, hasRole,
|
||||
fileUploadAllowed
|
||||
);
|
||||
}
|
||||
|
||||
public boolean isValid(Token token) {
|
||||
|
|
@ -77,7 +79,9 @@ public class JwtTokenService {
|
|||
.parseClaimsJws(token)
|
||||
.getBody();
|
||||
|
||||
return new Token(claims.getSubject(), claims.getIssuer(), claims.getExpiration(), token, claims.get("hasRole", Boolean.class));
|
||||
return new Token(claims.getSubject(), claims.getIssuer(), claims.getExpiration(), token,
|
||||
claims.get("hasRole", Boolean.class), claims.get("fileUploadAllowed", Boolean.class)
|
||||
);
|
||||
}
|
||||
|
||||
public String getAccessToken(HttpServletRequest request) {
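Review bot: The parse path now yields a null `fileUploadAllowed` for any token that lacks the claim, and nothing in this file says that callers must treat null as denied; add a Javadoc on createAccessToken and on the parsing method (its signature is outside the hunk) stating that the claim is optional on the wire and null on read. In createAccessToken a null `fileUploadAllowed` would, as far as I recall of jjwt, cause `.claim(name, null)` to omit the claim rather than write false — confirm, and prefer a primitive `boolean` parameter (matching what EsiaAuthService passes) so the claim is always present in newly issued tokens. The same nullability applies to the pre-existing hasRole claim and could be covered by the same comment.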
|
||||
|
|
|
|||
|
|
@ -0,0 +1,32 @@
|
|||
package ru.micord.ervu.service;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.stereotype.Service;
|
||||
import org.springframework.util.StringUtils;
|
||||
import ru.micord.ervu.dao.OrganizationAccessDao;
|
||||
|
||||
|
||||
/**
|
||||
* @author Adel Kalimullin
|
||||
*/
|
||||
@Service
|
||||
public class UploadAccessService {
|
||||
private final OrganizationAccessDao organizationAccessDao;
|
||||
private final boolean ogrnCheckEnabled;
|
||||
|
||||
public UploadAccessService(
|
||||
OrganizationAccessDao organizationAccessDao,
|
||||
@Value("${ervu.file.upload.ogrn.check.enabled:false}") boolean ogrnCheckEnabled
|
||||
) {
|
||||
this.organizationAccessDao = organizationAccessDao;
|
||||
this.ogrnCheckEnabled = ogrnCheckEnabled;
|
||||
}
|
||||
|
||||
public boolean canUploadFiles(String ogrn) {
|
||||
if (!ogrnCheckEnabled) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return StringUtils.hasText(ogrn) && organizationAccessDao.existsByOgrn(ogrn);
|
||||
}
|
||||
}
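Review bot: canUploadFiles is fail-open by configuration: `ervu.file.upload.ogrn.check.enabled` defaults to `false` in the `@Value` expression, so any environment that does not set the property never consults the allowlist and every organization may upload. That may be the intended rollout, but it should be explicit — either default to `true`, or document it on the constructor: `/** When {@code ogrnCheckEnabled} is false (the default) the allowlist is bypassed and every caller may upload. */`. canUploadFiles itself needs a Javadoc such as `/** True if uploads are permitted for the organization with this OGRN; a blank OGRN is never allowed while the check is enabled. */`. Logging the active mode once at startup would let operators confirm from the logs which behaviour a deployment is running.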
|
||||
|
|
@ -0,0 +1,15 @@
|
|||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<databaseChangeLog xmlns="http://www.liquibase.org/xml/ns/dbchangelog" xmlns:ext="http://www.liquibase.org/xml/ns/dbchangelog-ext" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog-ext http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-ext.xsd http://www.liquibase.org/xml/ns/dbchangelog http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.5.xsd">
|
||||
|
||||
<changeSet id="create-table-organization_allowed" author="adel.ka">
|
||||
<comment>Create table for organizations allowed to upload files</comment>
|
||||
<createTable tableName="organization_allowed">
|
||||
<column name="id" type="bigint" autoIncrement="true">
|
||||
<constraints primaryKey="true" primaryKeyName="pk_organization_allowed"/>
|
||||
</column>
|
||||
<column name="ogrn" type="varchar(15)">
|
||||
<constraints nullable="false" unique="true" uniqueConstraintName="uni_organization_allowed_ogrn"/>
|
||||
</column>
|
||||
</createTable>
|
||||
</changeSet>
|
||||
</databaseChangeLog>
|
||||
|
|
@ -9,6 +9,6 @@
|
|||
<include file="2024-09-11--01-create-table-interaction-log.xml" relativeToChangelogFile="true"/>
|
||||
<include file="2024-09-18--02-add-shedlock-table.xml" relativeToChangelogFile="true"/>
|
||||
<include file="2025-10-20-create-offset-column.xml" relativeToChangelogFile="true"/>
|
||||
|
||||
<include file="2025-10-24-add-org-allowed-table.xml" relativeToChangelogFile="true"/>
|
||||
|
||||
</databaseChangeLog>
|
||||