inteligr8/alfresco-ng2-components
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-ng2-components.git synced 2025-07-24 17:32:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AAE-5414] - SSO Auth Guard - Add the concept of excluded roles (#7222)

Browse Source 
Co-authored-by: Ardit Domi <arditdomi@apl-c02g64vpmd6t.home>
This commit is contained in:
arditdomi
2021-08-24 09:25:36 +01:00
committed by GitHub
parent d0e99c6bbf
commit aac821a1fe
3 changed files with 48 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
lib/core/services/auth-guard-sso-role.service.spec.ts
View File

@@ -225,4 +225,38 @@ describe('Auth Guard SSO role service', () => {
expect(getCurrentPersonSpy).not.toHaveBeenCalled();
});
});
describe('Excluded Roles', () => {
it('Should canActivate be false when the user has one of the excluded roles', async () => {
spyOn(peopleContentService, 'getCurrentPerson').and.returnValue(of(getFakeUserWithContentAdminCapability()));
spyOn(jwtHelperService, 'getAccessToken').and.returnValue('my-access_token');
spyOn(jwtHelperService, 'decodeToken').and.returnValue({ 'realm_access': { roles: ['role1'] } });
const router: ActivatedRouteSnapshot = new ActivatedRouteSnapshot();
router.data = { 'roles': ['ALFRESCO_ADMINISTRATORS'], 'excludedRoles': ['role1'] };
expect(await authGuard.canActivate(router)).toBeFalsy();
});
it('Should canActivate be true when the user has none of the excluded roles', async () => {
spyOn(jwtHelperService, 'getAccessToken').and.returnValue('my-access_token');
spyOn(jwtHelperService, 'decodeToken').and.returnValue({ 'realm_access': { roles: ['role2'] } });
const router: ActivatedRouteSnapshot = new ActivatedRouteSnapshot();
router.data = { 'roles': ['role1', 'role2'], 'excludedRoles': ['role3'] };
expect(await authGuard.canActivate(router)).toBeTruthy();
});
it('Should canActivate be false when the user is a content admin and the ALFRESCO_ADMINISTRATORS role is excluded', async () => {
spyOn(peopleContentService, 'getCurrentPerson').and.returnValue(of(getFakeUserWithContentAdminCapability()));
spyOn(jwtHelperService, 'getAccessToken').and.returnValue('my-access_token');
spyOn(jwtHelperService, 'decodeToken').and.returnValue({ 'realm_access': { roles: ['role1'] } });
const router: ActivatedRouteSnapshot = new ActivatedRouteSnapshot();
router.data = { 'roles': ['role1'], 'excludedRoles': ['ALFRESCO_ADMINISTRATORS'] };
expect(await authGuard.canActivate(router)).toBeFalsy();
});
});
});

13
lib/core/services/auth-guard-sso-role.service.ts
View File

@@ -39,8 +39,9 @@ export class AuthGuardSsoRoleService implements CanActivate {
if (route.data) {
if (route.data['roles']) {
const rolesToCheck: string[] = route.data['roles'];
const isContentAdmin = rolesToCheck.includes(ContentGroups.ALFRESCO_ADMINISTRATORS) ? await this.peopleContentService.isContentAdmin() : false;
hasRealmRole = this.jwtHelperService.hasRealmRoles(rolesToCheck) || isContentAdmin;
const excludedRoles = route.data['excludedRoles'] || [];
const isContentAdmin = rolesToCheck.includes(ContentGroups.ALFRESCO_ADMINISTRATORS) || excludedRoles.includes(ContentGroups.ALFRESCO_ADMINISTRATORS) ? await this.peopleContentService.isContentAdmin() : false;
hasRealmRole = excludedRoles.length ? this.checkAccessWithExcludedRoles(rolesToCheck, excludedRoles, isContentAdmin) : this.hasRoles(rolesToCheck, isContentAdmin);
}
if (route.data['clientRoles']) {
@@ -62,4 +63,12 @@ export class AuthGuardSsoRoleService implements CanActivate {
return hasRole;
}
private checkAccessWithExcludedRoles(rolesToCheck: string[], excludedRoles: string[], isContentAdmin: boolean): boolean {
return this.hasRoles(rolesToCheck, isContentAdmin) && !this.hasRoles(excludedRoles, isContentAdmin);
}
private hasRoles(rolesToCheck: string[], isContentAdmin: boolean): boolean {
return rolesToCheck.includes(ContentGroups.ALFRESCO_ADMINISTRATORS) ? this.jwtHelperService.hasRealmRoles(rolesToCheck) || isContentAdmin : this.jwtHelperService.hasRealmRoles(rolesToCheck);
}
}