✨ exposing user claims (list of domain/available action pairs); names…

… pending Signed-off-by: dseurotech <davide.salvador@eurotech.com>
dseurotech · Feb 24, 2025 · 94320d6 · 94320d6
1 parent 9e83a3d
commit 94320d6
Show file tree

Hide file tree

Showing 6 changed files with 158 additions and 16 deletions.
diff --git a/.../resources/src/main/java/org/eclipse/kapua/app/api/resources/v1/resources/Aaaaaaaaaa.java b/.../resources/src/main/java/org/eclipse/kapua/app/api/resources/v1/resources/Aaaaaaaaaa.java
@@ -0,0 +1,54 @@
+/*******************************************************************************
+ * Copyright (c) 2016, 2022 Eurotech and/or its affiliates and others
+ *
+ * This program and the accompanying materials are made
+ * available under the terms of the Eclipse Public License 2.0
+ * which is available at https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *     Eurotech - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.kapua.app.api.resources.v1.resources;
+
+import java.util.Set;
+
+import javax.inject.Inject;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+import org.eclipse.kapua.KapuaException;
+import org.eclipse.kapua.app.api.core.model.ScopeId;
+import org.eclipse.kapua.app.api.core.resources.AbstractKapuaResource;
+import org.eclipse.kapua.service.KapuaService;
+import org.eclipse.kapua.service.authorization.AuthorizationService;
+
+@Path("{scopeId}/aaaaaaaaaa/claims")
+public class Aaaaaaaaaa extends AbstractKapuaResource {
+
+    @Inject
+    private AuthorizationService authorizationService;
+
+    /**
+     * Gets the list of user's claims in the scope.
+     *
+     * @param scopeId
+     *         The {@link ScopeId} in which to search results.
+     * @return The list of all the available claims associated to the current selected scope (and user).
+     * @throws KapuaException
+     *         Whenever something bad happens. See specific {@link KapuaService} exceptions.
+     * @since 1.0.0
+     */
+    @GET
+    @Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
+    public Set<String> fetchClaims(
+            @PathParam("scopeId") ScopeId scopeId
+    ) throws KapuaException {
+        return authorizationService.fetchUserClaims(scopeId);
+    }
+
+}
diff --git a/rest-api/resources/src/main/resources/openapi/aaaaaaaaaa/aaaaaaaaaa-scopeId.yaml b/rest-api/resources/src/main/resources/openapi/aaaaaaaaaa/aaaaaaaaaa-scopeId.yaml
@@ -0,0 +1,39 @@
+openapi: 3.0.3
+
+info:
+  title: Eclipse Kapua REST API - Aaaaaaaaaa
+  version: '1.0'
+  contact:
+    name: Eclipse Kapua Dev Team
+    url: https://eclipse.org/kapua
+    email: kapua-dev@eclipse.org
+  license:
+    name: Eclipse Public License 2.0
+    url: https://www.eclipse.org/legal/epl-2.0
+
+paths:
+  /{scopeId}/claims:
+    get:
+      tags:
+        - Claims
+      summary: Get all the Claims
+      operationId: fetchUserClaims
+      parameters:
+        - $ref: '../openapi.yaml#/components/parameters/scopeId'
+      responses:
+        200:
+          description: The list of User's claims in the Scope
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  type: string
+    400:
+      $ref: '../openapi.yaml#/components/responses/illegalArgument'
+      401:
+        $ref: '../openapi.yaml#/components/responses/unauthenticated'
+      403:
+        $ref: '../openapi.yaml#/components/responses/subjectUnauthorized'
+      500:
+        $ref: '../openapi.yaml#/components/responses/kapuaError'
diff --git a/rest-api/resources/src/main/resources/openapi/openapi.yaml b/rest-api/resources/src/main/resources/openapi/openapi.yaml
@@ -64,6 +64,9 @@ paths:
     $ref: './authentication/authentication-logout.yaml#/paths/~1authentication~1logout'
   /authentication/mfa:
     $ref: './authentication/authentication-mfa.yaml#/paths/~1authentication~1mfa'
+  ### Aaaaaaaaaa ###
+  /{scopeId}/aaaaaaaaaa/claims:
+    $ref: './aaaaaaaaaa/aaaaaaaaaa-scopeId.yaml#/paths/~1{scopeId}~1claims'
   ### Access Info ###
   /{scopeId}/accessinfos:
     $ref: './accessInfo/accessInfo-scopeId.yaml#/paths/~1{scopeId}~1accessinfos'

diff --git a/rest-api/web/src/main/resources/shiro.ini b/rest-api/web/src/main/resources/shiro.ini
@@ -43,6 +43,8 @@ kapuaAuthcAccessToken = org.eclipse.kapua.app.api.core.auth.KapuaTokenAuthentica
 /v1/*/credentials.xml           = kapuaAuthcAccessToken
 /v1/*/credentials/**            = kapuaAuthcAccessToken
 
+/v1/*/aaaaaaaaaa/**             = kapuaAuthcAccessToken
+
 # Authorization
 /v1/*/accessinfos.xml           = kapuaAuthcAccessToken
 /v1/*/accessinfos.json          = kapuaAuthcAccessToken

diff --git a/...ation/api/src/main/java/org/eclipse/kapua/service/authorization/AuthorizationService.java b/...ation/api/src/main/java/org/eclipse/kapua/service/authorization/AuthorizationService.java
@@ -13,45 +13,54 @@
 package org.eclipse.kapua.service.authorization;
 
 import java.util.List;
+import java.util.Set;
 
 import org.eclipse.kapua.KapuaException;
+import org.eclipse.kapua.model.id.KapuaId;
 import org.eclipse.kapua.service.KapuaService;
 import org.eclipse.kapua.service.authorization.permission.Permission;
 
 /**
- * AuthenticationService exposes APIs to manage User object under an Account.<br>
- * It includes APIs to create, update, find, list and delete Users.<br>
- * Instances of the UserService can be acquired through the ServiceLocator.
+ * AuthenticationService exposes APIs to manage User object under an Account.<br> It includes APIs to create, update, find, list and delete Users.<br> Instances of the UserService can be acquired
+ * through the ServiceLocator.
  *
  * @since 1.0.0
  */
 public interface AuthorizationService extends KapuaService {
 
+    Set<String> fetchUserClaims(KapuaId inScope);
+
     /**
      * Returns if the user (the current logged user retrieved by thread context) is allowed to perform the operation identified by provided the permission.
      *
-     * @param permission The permission to check.
+     * @param permission
+     *         The permission to check.
      * @return {@code true} if the current user has the given permission, {@code false} otherwise.
-     * @throws KapuaException If there is no logged context.
+     * @throws KapuaException
+     *         If there is no logged context.
      * @since 1.0.0
      */
     boolean isPermitted(Permission permission) throws KapuaException;
 
     /**
      * Returns if the user (the current logged user retrieved by thread context) is allowed to perform the operation identified by provided the permission.
      *
-     * @param permission The permissions to check.
+     * @param permission
+     *         The permissions to check.
      * @return an array representing the current user permissions.
-     * @throws KapuaException If there is no logged context.
+     * @throws KapuaException
+     *         If there is no logged context.
      * @since 1.0.0
      */
     boolean[] isPermitted(List<Permission> permission) throws KapuaException;
 
     /**
      * Checks if the user (the current logged user retrieved by thread context) is allowed to perform the operation identified by provided the permission.
      *
-     * @param permission The permission to check.
-     * @throws KapuaException if there is no logged context or if the user has no right for the provided permission.
+     * @param permission
+     *         The permission to check.
+     * @throws KapuaException
+     *         if there is no logged context or if the user has no right for the provided permission.
      * @since 1.0.0
      */
     void checkPermission(Permission permission) throws KapuaException;

diff --git a/...src/main/java/org/eclipse/kapua/service/authorization/shiro/AuthorizationServiceImpl.java b/...src/main/java/org/eclipse/kapua/service/authorization/shiro/AuthorizationServiceImpl.java
@@ -12,20 +12,25 @@
  *******************************************************************************/
 package org.eclipse.kapua.service.authorization.shiro;
 
+import java.util.Arrays;
+import java.util.List;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+import javax.inject.Inject;
+import javax.inject.Singleton;
+
 import org.apache.shiro.SecurityUtils;
 import org.eclipse.kapua.KapuaException;
 import org.eclipse.kapua.KapuaUnauthenticatedException;
 import org.eclipse.kapua.commons.security.KapuaSecurityUtils;
 import org.eclipse.kapua.commons.security.KapuaSession;
+import org.eclipse.kapua.model.domain.Domain;
+import org.eclipse.kapua.model.id.KapuaId;
 import org.eclipse.kapua.service.authorization.AuthorizationService;
 import org.eclipse.kapua.service.authorization.exception.SubjectUnauthorizedException;
 import org.eclipse.kapua.service.authorization.permission.Permission;
-
-import javax.inject.Inject;
-import javax.inject.Singleton;
-import java.util.Arrays;
-import java.util.List;
-import java.util.stream.Collectors;
+import org.eclipse.kapua.service.authorization.permission.PermissionFactory;
 
 /**
  * {@link AuthorizationService} implementation.
@@ -34,10 +39,16 @@
  */
 @Singleton
 public class AuthorizationServiceImpl implements AuthorizationService {
+
+    private final PermissionFactory permissionFactory;
+    private final Set<Domain> knownDomains;
     private final PermissionMapper permissionMapper;
 
     @Inject
-    public AuthorizationServiceImpl(PermissionMapper permissionMapper) {
+    public AuthorizationServiceImpl(PermissionFactory permissionFactory, Set<Domain> knownDomains,
+            PermissionMapper permissionMapper) {
+        this.permissionFactory = permissionFactory;
+        this.knownDomains = knownDomains;
         this.permissionMapper = permissionMapper;
     }
 
@@ -60,6 +71,30 @@ public boolean[] isPermitted(List<Permission> permissions) throws KapuaException
         }
     }
 
+    @Override
+    public Set<String> fetchUserClaims(KapuaId inScope) {
+        final KapuaSession kapuaSession = KapuaSecurityUtils.getSession();
+        final Set<String> claims = knownDomains.stream()
+                .flatMap(domain -> {
+                    return domain.getActions()
+                            .stream()
+                            .filter(action -> {
+                                if (kapuaSession.isTrustedMode()) {
+                                    return true;
+                                }
+                                try {
+                                    final Permission permission = permissionFactory.newPermission(domain.getName(), action, inScope);
+                                    return this.isPermitted(permission);
+                                } catch (KapuaException e) {
+                                    return false;
+                                }
+                            })
+                            .map(action -> String.format("%s:%s", domain.getName(), action));
+                })
+                .collect(Collectors.toSet());
+        return claims;
+    }
+
     @Override
     public boolean isPermitted(Permission permission)
             throws KapuaException {