ASWI - Pokročilé softwarové inženýrství » ASWI 2022 » Zpracování geografických údajů v novoasyrských textech (KBS FF) - Code of Duty

package cz.zcu.kiv.backendapi.security;

import cz.zcu.kiv.backendapi.security.jwt.JwtTokenVerifier;

import cz.zcu.kiv.backendapi.security.jwt.JwtUsernameAndPasswordAuthenticationFilter;

import cz.zcu.kiv.backendapi.security.jwt.JwtUtils;

import cz.zcu.kiv.backendapi.user.Role;

import cz.zcu.kiv.backendapi.user.permission.Permission;

import lombok.RequiredArgsConstructor;

import org.springframework.context.annotation.Bean;

import org.springframework.context.annotation.Configuration;

import org.springframework.http.HttpMethod;

import org.springframework.security.authentication.dao.DaoAuthenticationProvider;

import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;

import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

import org.springframework.security.config.http.SessionCreationPolicy;

import org.springframework.security.core.userdetails.UserDetailsService;

import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;

import org.springframework.web.cors.CorsConfiguration;

import org.springframework.web.cors.CorsConfigurationSource;

import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

import java.util.HashMap;

import java.util.Map;

/**

 * Security config class

 */

@Configuration

@EnableWebSecurity

@RequiredArgsConstructor

public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**

     * Map of permitted endpoints with HTTP method (user does not need to be authenticated perform the request)

     */

    private static final Map<String, HttpMethod> PERMITTED_ENDPOINTS;

    /**

     * User detail service

     */

    private final UserDetailsService userDetailsService;

    /**

     * Password encoder

     */

    private final BCryptPasswordEncoder bCryptPasswordEncoder;

    /**

     * JWT utils

     */

    private final JwtUtils jwtUtils;

    static {

        PERMITTED_ENDPOINTS = new HashMap<>();

        PERMITTED_ENDPOINTS.put("/login", HttpMethod.POST);

        PERMITTED_ENDPOINTS.put("/users/token", HttpMethod.GET);

        PERMITTED_ENDPOINTS.put("/swagger-ui/**", HttpMethod.GET);

        PERMITTED_ENDPOINTS.put("/swagger-ui.html", HttpMethod.GET);

        PERMITTED_ENDPOINTS.put("/v3/api-docs", HttpMethod.GET);

        PERMITTED_ENDPOINTS.put("/v3/api-docs/swagger-config", HttpMethod.GET);

        PERMITTED_ENDPOINTS.put("/catalog-items", HttpMethod.GET);

        PERMITTED_ENDPOINTS.put("/catalog-items/**", HttpMethod.GET);

        PERMITTED_ENDPOINTS.put("/title-page", HttpMethod.GET);

        PERMITTED_ENDPOINTS.put("/sources", HttpMethod.GET);

    }

    /**

     * Security configuration

     *

     * @param http http security

     * @throws Exception exception

     */

    // TODO configure and check rights

    @Override

    protected void configure(HttpSecurity http) throws Exception {

        http.csrf().disable()

                .cors()

                .and()

                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)

                .and()

                .addFilter(new JwtUsernameAndPasswordAuthenticationFilter(authenticationManager(), jwtUtils))

                .addFilterAfter(new JwtTokenVerifier(jwtUtils, PERMITTED_ENDPOINTS), JwtUsernameAndPasswordAuthenticationFilter.class)

                .authorizeRequests()

                .antMatchers(HttpMethod.GET, PERMITTED_ENDPOINTS.keySet().stream().filter(k -> PERMITTED_ENDPOINTS.get(k).equals(HttpMethod.GET)).toArray(String[]::new)).permitAll()

                .antMatchers(HttpMethod.POST, "/login").permitAll()

                .antMatchers("/external-catalog-items").hasRole(Role.ADMIN.name())

                .antMatchers(HttpMethod.PATCH, "/users/*/permissions", "/users/*/password").hasRole(Role.ADMIN.name())

                .antMatchers(HttpMethod.DELETE, "/users/**").hasRole(Role.ADMIN.name())

                .antMatchers(HttpMethod.GET, "/users").hasRole(Role.ADMIN.name())

                .antMatchers(HttpMethod.GET, "/path").hasAuthority(Permission.READ.name())

                .antMatchers(HttpMethod.POST, "/catalog-items").hasAuthority(Permission.WRITE.name())

                .antMatchers(HttpMethod.PUT, "/catalog-items/*").hasAuthority(Permission.WRITE.name())

                .antMatchers(HttpMethod.DELETE, "/catalog-items/*").hasAuthority(Permission.DELETE.name())

                .antMatchers(HttpMethod.POST, "/title-page", "/sources").hasRole(Role.ADMIN.name())

                .anyRequest()

                .authenticated();

    }

    /**

     * Sets authentication provider to authentication manager

     *

     * @param auth authentication manager builder

     */

    @Override

    protected void configure(final AuthenticationManagerBuilder auth) {

        auth.authenticationProvider(authenticationProvider());

    }

    /**

     * Returns authentication provider

     *

     * @return authentication provider

     */

    @Bean

    public DaoAuthenticationProvider authenticationProvider() {

        final DaoAuthenticationProvider provider = new DaoAuthenticationProvider();

        provider.setUserDetailsService(userDetailsService);

        provider.setPasswordEncoder(bCryptPasswordEncoder);

        return provider;

    }

    @Bean

    CorsConfigurationSource corsConfigurationSource() {

        final UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();

        source.registerCorsConfiguration("/**", new CorsConfiguration().applyPermitDefaultValues());

        return source;

    }

}