feat: Add methods for checking roles and authorities (#18700)

peholmst · web-flow · commit cf4abb0d822f · 2024-02-16T08:17:24.000+01:00
diff --git a/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/AuthenticationContext.java b/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/AuthenticationContext.java
@@ -18,24 +18,29 @@
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
-
-import java.io.IOException;
-import java.security.Principal;
-import java.util.List;
-import java.util.Optional;
-
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.LogoutConfigurer;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.logout.CompositeLogoutHandler;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
 
+import java.io.IOException;
+import java.security.Principal;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.List;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
 import com.vaadin.flow.component.UI;
 import com.vaadin.flow.server.VaadinServletRequest;
 import com.vaadin.flow.server.VaadinServletResponse;
@@ -63,6 +68,8 @@ public class AuthenticationContext {
 
     private CompositeLogoutHandler logoutHandler;
 
+    private VaadinRolePrefixHolder rolePrefixHolder;
+
     /**
      * Gets an {@link Optional} with an instance of the current user if it has
      * been authenticated, or empty if the user is not authenticated.
@@ -140,6 +147,198 @@ public void logout() {
         });
     }
 
+    /**
+     * Gets the authorities granted to the current authenticated user.
+     *
+     * @return an unmodifiable collection of {@link GrantedAuthority}s or an
+     *         empty collection if there is no authenticated user.
+     */
+    public Collection<? extends GrantedAuthority> getGrantedAuthorities() {
+        return getAuthentication().filter(Authentication::isAuthenticated)
+                .map(Authentication::getAuthorities)
+                .orElse(Collections.emptyList());
+    }
+
+    private Stream<String> getGrantedAuthoritiesStream() {
+        return getGrantedAuthorities().stream()
+                .map(GrantedAuthority::getAuthority);
+    }
+
+    /**
+     * Gets the roles granted to the current authenticated user.
+     *
+     * @return an unmodifiable collection of role names (without the role
+     *         prefix) or an empty collection if there is no authenticated user.
+     */
+    public Collection<String> getGrantedRoles() {
+        return getGrantedRolesStream().collect(Collectors.toSet());
+    }
+
+    private Stream<String> getGrantedRolesStream() {
+        var rolePrefix = getRolePrefix();
+        return getGrantedAuthoritiesStream()
+                .filter(ga -> ga.startsWith(rolePrefix))
+                .map(ga -> ga.substring(rolePrefix.length()));
+    }
+
+    /**
+     * Checks whether the current authenticated user has the given role.
+     *
+     * @param role
+     *            the role to check.
+     * @return {@literal true} if the user holds the given role, otherwise
+     *         {@literal false}.
+     */
+    public boolean hasRole(String role) {
+        return getGrantedRolesStream().anyMatch(role::equals);
+    }
+
+    /**
+     * Checks whether the current authenticated user has any of the given roles.
+     *
+     * @param roles
+     *            a collection containing at least one role.
+     * @return {@literal true} if the user holds at least one of the given
+     *         roles, otherwise {@literal false}.
+     * @throws IllegalArgumentException
+     *             if the given collection is empty.
+     */
+    public boolean hasAnyRole(Collection<String> roles) {
+        if (roles.isEmpty()) {
+            throw new IllegalArgumentException(
+                    "Must provide at least one role to check");
+        }
+        return getGrantedRolesStream().anyMatch(roles::contains);
+    }
+
+    /**
+     * Checks whether the current authenticated user has any of the given roles.
+     *
+     * @param roles
+     *            an array containing at least one role.
+     * @return {@literal true} if the user holds at least one of the given
+     *         roles, otherwise {@literal false}.
+     * @throws IllegalArgumentException
+     *             if the given array is empty.
+     */
+    public boolean hasAnyRole(String... roles) {
+        return hasAnyRole(Set.of(roles));
+    }
+
+    /**
+     * Checks whether the current authenticated user has all the given roles.
+     *
+     * @param roles
+     *            a collection containing at least one role.
+     * @return {@literal true} if the user holds all the given roles, otherwise
+     *         {@literal false}.
+     * @throws IllegalArgumentException
+     *             if the given collection is empty.
+     */
+    public boolean hasAllRoles(Collection<String> roles) {
+        if (roles.isEmpty()) {
+            throw new IllegalArgumentException(
+                    "Must provide at least one role to check");
+        }
+        return getGrantedRolesStream().collect(Collectors.toSet())
+                .containsAll(roles);
+    }
+
+    /**
+     * Checks whether the current authenticated user has all the given roles.
+     *
+     * @param roles
+     *            an array containing at least one role.
+     * @return {@literal true} if the user holds all the given roles, otherwise
+     *         {@literal false}.
+     * @throws IllegalArgumentException
+     *             if the given array is empty.
+     */
+    public boolean hasAllRoles(String... roles) {
+        return hasAllRoles(Set.of(roles));
+    }
+
+    /**
+     * Checks whether the current authenticated user has the given authority.
+     *
+     * @param authority
+     *            the authority to check.
+     * @return {@literal true} if the user holds the given authority, otherwise
+     *         {@literal false}.
+     */
+    public boolean hasAuthority(String authority) {
+        return getGrantedAuthoritiesStream().anyMatch(authority::equals);
+    }
+
+    /**
+     * Checks whether the current authenticated user has any of the given
+     * authorities.
+     *
+     * @param authorities
+     *            a collection containing at least one authority.
+     * @return {@literal true} if the user holds at least one of the given
+     *         authorities, otherwise {@literal false}.
+     * @throws IllegalArgumentException
+     *             if the given collection is empty.
+     */
+    public boolean hasAnyAuthority(Collection<String> authorities) {
+        if (authorities.isEmpty()) {
+            throw new IllegalArgumentException(
+                    "Must provide at least one authority to check");
+        }
+        return getGrantedAuthoritiesStream().anyMatch(authorities::contains);
+    }
+
+    /**
+     * Checks whether the current authenticated user has any of the given
+     * authorities.
+     *
+     * @param authorities
+     *            an array containing at least one authority.
+     * @return {@literal true} if the user holds at least one of the given
+     *         authorities, otherwise {@literal false}.
+     * @throws IllegalArgumentException
+     *             if the given array is empty.
+     */
+    public boolean hasAnyAuthority(String... authorities) {
+        return hasAnyAuthority(Set.of(authorities));
+    }
+
+    /**
+     * Checks whether the current authenticated user has all the given
+     * authorities.
+     *
+     * @param authorities
+     *            a collection containing at least one authority.
+     * @return {@literal true} if the user holds all the given authorities,
+     *         otherwise {@literal false}.
+     * @throws IllegalArgumentException
+     *             if the given collection is empty.
+     */
+    public boolean hasAllAuthorities(Collection<String> authorities) {
+        if (authorities.isEmpty()) {
+            throw new IllegalArgumentException(
+                    "Must provide at least one authority to check");
+        }
+        return getGrantedAuthoritiesStream().collect(Collectors.toSet())
+                .containsAll(authorities);
+    }
+
+    /**
+     * Checks whether the current authenticated user has all the given
+     * authorities.
+     *
+     * @param authorities
+     *            an array containing at least one authority.
+     * @return {@literal true} if the user holds all the given authorities,
+     *         otherwise {@literal false}.
+     * @throws IllegalArgumentException
+     *             if the given array is empty.
+     */
+    public boolean hasAllAuthorities(String... authorities) {
+        return hasAllAuthorities(Set.of(authorities));
+    }
+
     /**
      * Sets component to handle logout process.
      *
@@ -154,6 +353,18 @@ void setLogoutHandlers(LogoutSuccessHandler logoutSuccessHandler,
         this.logoutHandler = new CompositeLogoutHandler(logoutHandlers);
     }
 
+    /**
+     * Sets the role prefix holder to use when checking the current user's
+     * roles.
+     *
+     * @param rolePrefixHolder
+     *            {@link VaadinRolePrefixHolder} instance, or {@literal null} to
+     *            revert to the default {@code ROLE_} prefix.
+     */
+    void setRolePrefixHolder(VaadinRolePrefixHolder rolePrefixHolder) {
+        this.rolePrefixHolder = rolePrefixHolder;
+    }
+
     private static Optional<Authentication> getAuthentication() {
         return Optional.of(SecurityContextHolder.getContext())
                 .map(SecurityContext::getAuthentication)
@@ -170,6 +381,11 @@ CompositeLogoutHandler getLogoutHandler() {
         return logoutHandler;
     }
 
+    private String getRolePrefix() {
+        return Optional.ofNullable(rolePrefixHolder)
+                .map(VaadinRolePrefixHolder::getRolePrefix).orElse("ROLE_");
+    }
+
     /**
      * Augments the given {@link AuthenticationContext} with Spring Security.
      *
@@ -188,7 +404,6 @@ public static void applySecurityConfiguration(HttpSecurity httpSecurity,
                 .getConfigurer(LogoutConfigurer.class);
         authCtx.setLogoutHandlers(logoutConfigurer.getLogoutSuccessHandler(),
                 logoutConfigurer.getLogoutHandlers());
-
     }
 
 }
diff --git a/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinWebSecurity.java b/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinWebSecurity.java
@@ -129,6 +129,7 @@ public abstract class VaadinWebSecurity {
     @PostConstruct
     void afterPropertiesSet() {
         accessControl = accessControlProvider.getIfAvailable();
+        authenticationContext.setRolePrefixHolder(vaadinRolePrefixHolder);
     }
 
     private final AuthenticationContext authenticationContext = new AuthenticationContext();
diff --git a/vaadin-spring/src/test/java/com/vaadin/flow/spring/security/AuthenticationContextTest.java b/vaadin-spring/src/test/java/com/vaadin/flow/spring/security/AuthenticationContextTest.java

Original file line number	Diff line number	Diff line change
`@@ -129,6 +129,7 @@ public abstract class VaadinWebSecurity {`
`129`	`129`	`@PostConstruct`
`130`	`130`	`void afterPropertiesSet() {`
`131`	`131`	`accessControl = accessControlProvider.getIfAvailable();`
	`132`	`+ authenticationContext.setRolePrefixHolder(vaadinRolePrefixHolder);`
`132`	`133`	`}`
`133`	`134`
`134`	`135`	`private final AuthenticationContext authenticationContext = new AuthenticationContext();`