Notion of Access Control in the Platform
Report
- heimdall follows the Role Based Access Control (RBAC) principles
- role creation is done in heimdall
- asgard-user follows the Discretionary Access Control (DAC) / Access Control List (ACL) principles
- accreditation (access grant) creation is done in asgard-user
asgard-admin uses heimdall & asgard-user
Heimdall RBAC view
Asgard-User DAC/ACL view
Combined view of Heimdall RBAC & Asgard-User DAC/ACL
In the code
asgard-admin
application.yml
# Heimdall
sso.roles: ROLE_ADMINISTRATOR, ROLE_SUPPORT, ROLE_SALESREP, ROLE_TECHNICAL, ROLE_USER-SUPERVISOR, ROLE_CLIENT, ROLE_AUTH-SUPERVISOR, ROLE_ORPHEA-MANAGER, ROLE_ORPHEA-ADMIN
As a reminder, the types available in "public.account", column "account_type_code":
User types for the current platform
- ADMIN (ROLE_ADMINISTRATOR)
- CLIEN (ROLE_CLIENT)
- SALES (ROLE_SALESREP)
- SUPPO (ROLE_SUPPORT)
- TECHN (ROLE_TECHNICAL)
Old user types
- REVEN
- ROBOT
Non-user type
- SUBSC
Type ???
- UNKNOWN
- ADMWS
- USE
- USER
- USER2
Among the Heimdall roles, the following are not clearly identified in this account table:
- ROLE_USER-SUPERVISOR?
- ROLE_AUTH-SUPERVISOR?
- ROLE_ORPHEA-MANAGER?
- ROLE_ORPHEA-ADMIN?
com.oodrive.asgard.admin.common.annotation
- NoRole
- RoleAdminOrSupport
- RoleAdminOrSupportOrClient
- RoleAdminOrSupportOrClientOrSalesrep
    @Target({ ElementType.METHOD, ElementType.TYPE })
    @Retention(RetentionPolicy.RUNTIME)
    @PreAuthorize("hasRole('ROLE_SUPPORT') or hasRole('ROLE_ADMINISTRATOR') or hasRole('ROLE_CLIENT') or hasRole('ROLE_SALESREP')")
    public @interface RoleAdminOrSupportOrClientOrSalesrep {
    }
- RoleAdminOrSupportOrClientOrSalesrepOrTechnical
- RoleAdminOrSupportOrSalesrep
- RoleAdminOrSupportOrSalesrepOrTechnical
- RoleSalesrep
- RoleSupervisor
- RoleSupport
- RoleSupportOrClient
- RoleSupportOrClientOrSalesrep
- RoleSupportOrClientOrSalesrepOrTechnical
- RoleSupportOrSalesrep
- RoleSupportOrSalesrepOrTechnical
- RoleSupportOrTechnical
- RoleSupportOrUserSupervisor
- RoleTechnical
- RoleUserSupervisor
asgard-user
Retrieve the list of accesses for an account in a workspace
GetApplicationAccess.java
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;
import org.springframework.util.CollectionUtils;

public List<Application> getApplications(UUID accountId, String workspaceName) {
    // No marketing-type filter, noAccountAccess = true
    return get(accountId, workspaceName, Collections.emptySet(), true);
}

private List<Application> get(UUID accountId,
                              String workspaceName,
                              Set<ApplicationType> types,
                              boolean noAccountAccess) {
    // 1. Applications granted to the account directly (asgard.account_application rows)
    List<AccountApplicationId> accountApplicationIds =
            accountApplicationReadRepository.findIdByAccountId(accountId, noAccountAccess);
    List<Application> roleApplication = applicationReadRepository.findByApplicationIds(accountApplicationIds.stream()
            .map(AccountApplicationId::getApplicationId)
            .collect(Collectors.toList()));
    // 2. Applications coming from the account's subscription (platform or legacy model)
    List<Application> subscriptionApplication;
    if (applicationReadRepository.isPlatformSubscription(accountId)) {
        subscriptionApplication = applicationReadRepository.findBySubscriptionAccountId(accountId);
    } else {
        subscriptionApplication = applicationReadRepository.findLegacyBySubscriptionAccountId(accountId);
    }
    roleApplication.addAll(subscriptionApplication.stream()
            .filter(e -> !roleApplication.contains(e))
            .collect(Collectors.toList()));
    // 3. Base applications of the requested marketing types, if any were asked for
    if (!CollectionUtils.isEmpty(types)) {
        List<Application> baseApplications = applicationReadRepository.findByMarketingTypes(types);
        roleApplication.addAll(baseApplications.stream()
                .filter(e -> !roleApplication.contains(e))
                .collect(Collectors.toList()));
    }
    // 4. Business rule: BOARDNOX without POSTFILES or IEXTRANET implicitly grants IEXTRANET
    if (roleApplication.stream()
            .anyMatch(a -> a.getApplicationCode().equals("BOARDNOX"))
            && roleApplication.stream()
            .noneMatch(a -> a.getApplicationCode().equals("POSTFILES") || a.getApplicationCode().equals("IEXTRANET"))) {
        Optional<Application> applicationIextranet = applicationReadRepository.findByCode("IEXTRANET");
        applicationIextranet.ifPresent(roleApplication::add);
    }
    // 5. Resolve the {workspaceName} placeholder of application_path (replacePlaceholder, not shown here)
    roleApplication.forEach(ap -> replacePlaceholder(workspaceName, ap));
    return roleApplication;
}
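The combined view (a Heimdall RBAC gate based on the annotation roles listed above, followed by the asgard-user ACL resolution performed by get()), as an added Python model written for these notes and not project code; the account-type/role mapping and the BOARDNOX rule come from this page, while the sample application rows (except the BOARDNOX path), the IEXTRANET/POSTFILES/SHARE paths and the placeholder substitution done by replacePlaceholder are assumptions.

```python
from dataclasses import dataclass

# public.account.account_type_code -> Heimdall role, as listed on this page.
ACCOUNT_TYPE_TO_ROLE = {
    "ADMIN": "ROLE_ADMINISTRATOR", "CLIEN": "ROLE_CLIENT", "SALES": "ROLE_SALESREP",
    "SUPPO": "ROLE_SUPPORT", "TECHN": "ROLE_TECHNICAL",
}
# Roles granted by the @PreAuthorize of RoleAdminOrSupportOrClientOrSalesrep.
ROLE_ADMIN_OR_SUPPORT_OR_CLIENT_OR_SALESREP = {
    "ROLE_SUPPORT", "ROLE_ADMINISTRATOR", "ROLE_CLIENT", "ROLE_SALESREP",
}

@dataclass(frozen=True)
class Application:
    code: str   # asgard.application.application_code
    path: str   # asgard.application.application_path

# Constructed sample rows: only the BOARDNOX path is taken from the page; the
# other code/path pairings are assumptions made for this example.
APPS = {code: Application(code, path) for code, path in [
    ("BOARDNOX", "boardnox/ws/{workspaceName}"),
    ("IEXTRANET", "cs/ws/{workspaceName}"),
    ("POSTFILES", "portal/ws/{workspaceName}/home"),
    ("SHARE", "share/ws/{workspaceName}"),
]}

def rbac_allows(account_type_code, allowed_roles):
    """RBAC gate (Heimdall side): the account type maps to exactly one role, which
    must be among the roles the asgard-admin annotation grants. Old or unknown
    types (REVEN, ROBOT, UNKNOWN, ...) map to no role and are refused."""
    role = ACCOUNT_TYPE_TO_ROLE.get(account_type_code)
    return role is not None and role in allowed_roles

def resolve_applications(role_apps, subscription_apps, base_apps, workspace_name):
    """ACL side (asgard-user), same merge order as GetApplicationAccess.get():
    account_application rows, then subscription apps, then marketing-type base
    apps, each added only if absent; then the BOARDNOX rule; then the
    {workspaceName} placeholder is resolved (assumed behaviour of replacePlaceholder)."""
    result = list(role_apps)
    for source in (subscription_apps, base_apps):
        for app in source:
            if app not in result:
                result.append(app)
    codes = {app.code for app in result}
    if "BOARDNOX" in codes and not codes & {"POSTFILES", "IEXTRANET"}:
        result.append(APPS["IEXTRANET"])
    return [Application(a.code, a.path.replace("{workspaceName}", workspace_name))
            for a in result]
```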
Query behind "accountApplicationReadRepository.findIdByAccountId"
The rights for a client to use an application are stored in the new platform tables, in the "asgard" schema, in the following tables:
"account_application"
- account_id
  - not unique
  - probably of client type; the model does not provide this rule/constraint, so it must be a check performed in the code
- application_id
  - not unique
  - application from the application table
"application"
- application_id
  - 302
- application_code
  - ACCOUNT
  - ADDRESSBOOK
  - AUTH-CLIENT
  - AUTH-SUPERVISOR
  - AUTH-SUPPORT
  - BACKUP-SUPERVISOR
  - BACKUP-WEBCLIENT
  - BOARDNOX
  - C2C
  - CRONOS-TRIGGER
  - DELEGATION
  - DELEGATION-SUPERVISOR
  - DEVELOPER
  - E2EE
  - FAKE-FILER
  - FILER
  - HERMOD
  - HERMOD-CLIENT
  - HERMOD-SUPERVISOR
  - IEXTRANET
  - INSIDER
  - LOKI
  - LOKI-CLIENT
  - LOKI-SUPERVISOR
  - MEDIA-SUPPORT
  - MEETING
  - MEETING-ADMIN
  - MIGRATION-B2M
  - MIGRATION-V4V5
  - OPTIONS-ADMIN
  - ORPHEA
  - ORPHEA-ADMIN
  - ORPHEA-MANAGER
  - PORTAL
  - POSTFILES
  - RELEASE-NOTES
  - SAVE-SUPPORT
  - SAVE-WEBAPP
  - SHARE
  - SHARE-ADMIN
  - SHARE-FILER
  - SHARE-SUPERVISOR
  - SIGN
  - SIGN-SUPERVISOR
  - TODO-LIST
  - TRACKING
  - TRANSFORMER-MONITORING
  - USER-ADMIN
  - USER-HOME
  - USER-SUPERVISOR
- application_path
  - asgard-admin/ws/{workspaceName}
  - auth/ws/{workspaceName}/supervision
  - boardnox/ws/{workspaceName}
  - c2c/ws/{workspaceName}
  - cronos-trigger/ws/none
  - cs/ws/{workspaceName}
  - e2ee/ws/{workspaceName}
  - filer/ws/{workspaceName}
  - geppetto/ws/{workspaceName}
  - hermod/ws/{workspaceName}
  - loki/ws/{workspaceName}
  - mar/ws/{workspaceName}
  - media-admin/ws/{workspaceName}
  - media-manager/ws/{workspaceName}
  - media-support/ws/{workspaceName}
  - media/ws/{workspaceName}
  - meeting/ws/{workspaceName}
  - meeting/ws/{workspaceName}/admin
  - meili/ws/{workspaceName}
  - migration-b2m
  - migration-v4v5
  - portal/ws/{workspaceName}/account
  - portal/ws/{workspaceName}/addressbook
  - portal/ws/{workspaceName}/delegation
  - portal/ws/{workspaceName}/developer
  - portal/ws/{workspaceName}/home
  - portal/ws/{workspaceName}/release-notes
  - save-support/ws/{workspaceName}
  - save/ws/{workspaceName}
  - share/ws/{workspaceName}
  - sign/admin/ws/{workspaceName}
  - sign/ws/{workspaceName}
  - super/ws/{workspaceName}
  - tracking/ws/none/
  - tracking/ws/{workspaceName}
  - transformer-monitoring/ws/none/
- marketing_product_family_id
- addressbook
- delegation
- enabled
- filer
private static final String SELECT_ID = ""
        + "SELECT acc.uuid AS accountUUID, "
        + "       app.application_id AS applicationId "
        + "  FROM asgard.account_application aapp "
        + "  JOIN asgard.application app ON app.application_id = aapp.application_id "
        + "  JOIN account acc on (acc.account_id = aapp.account_id) "
        + " WHERE acc.uuid = :uuid";
Creating a user
in UserApplicationsHandling.java
- the applications are held in the User object (a list of codes)
@Override
public void forCreate(User user, UserInfo userInfo) throws NotFoundException {
    // Application codes supplied with the request are used as-is when present and non-empty;
    // otherwise fall back to the access resolved for the account (GetApplicationAccess.getApplications)
    Optional<Set<String>> applicationCodes = userInfo.getApplicationCodes();
    Set<String> appCodes = (applicationCodes.isPresent() && !applicationCodes.get().isEmpty())
            ? applicationCodes.get()
            : getApplicationAccess.getApplications(user.getId(), user.getWorkspace().getName())
                    .stream()
                    .map(Application::getApplicationCode)
                    .collect(Collectors.toSet());
    // Persist the access list through changeApplicationAccess and keep it on the User object
    changeApplicationAccess.update(user.getId(), appCodes);
    user.setApplicationCodes(appCodes);
    // One storage status row (quota max from the user's space, 0 used) per storage the granted applications need
    Set<Integer> filterStorage = filterStorage(appCodes);
    for (int storage : filterStorage) {
        AccountStorageStatus accountStorageStatus = new AccountStorageStatus(user.getId(), 0, user.getSpace().getMax(),
                storage);
        accountStorageStatusWriteRepository.insertOrUpdate(accountStorageStatus);
    }
}