WIP for policies

oharsta · oharsta · commit a0c4fe033bb5 · 2026-01-22T16:52:05.000+01:00
diff --git a/server/src/main/java/access/api/ManageController.java b/server/src/main/java/access/api/ManageController.java
@@ -3,7 +3,10 @@
 import access.exception.InvalidInputException;
 import access.exception.UserRestrictionException;
 import access.manage.*;
-import access.model.*;
+import access.model.EntityType;
+import access.model.Environment;
+import access.model.Institution;
+import access.model.User;
 import access.security.InstitutionAdmin;
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -31,19 +34,21 @@
 
 @RestController
 @RequestMapping(value = {"/api/v1/manage"}, produces = MediaType.APPLICATION_JSON_VALUE)
-public class ManageController implements UserAccessRights{
+public class ManageController implements UserAccessRights, PolicyAccessRights {
 
     private static final Log LOG = LogFactory.getLog(ManageController.class);
 
     private final MetaDataFeedParser metaDataFeedParser = new MetaDataFeedParser();
     private final Manage manage;
+    private final ObjectMapper objectMapper;
     private final Map<String, Object> arpInfo;
     private final List<Map<String, Object>> privacyInfo;
 
     @SneakyThrows
     public ManageController(Manage manage,
                             ObjectMapper objectMapper) {
         this.manage = manage;
+        this.objectMapper = objectMapper;
         this.arpInfo = objectMapper.readValue(new ClassPathResource("/metadata/ARP.json").getInputStream(), new TypeReference<>() {
         });
         this.privacyInfo = objectMapper.readValue(new ClassPathResource("/metadata/Privacy.json").getInputStream(), new TypeReference<>() {
@@ -97,24 +102,33 @@ public ResponseEntity<List<Map<String, Object>>> policies(User user,
                                                               @RequestParam("entityId") String entityId) {
         confirmInstitutionAdmin(user);
         //we need to ensure the application is connected to the IdP of the user - realtime
-        OidcUser oidcUser = (OidcUser) authentication.getPrincipal();
-        Map<String, Object> claims = oidcUser.getUserInfo().getClaims();
-        Institution institution = (Institution) claims.get(InstitutionAdmin.INSTITUTION);
-        //We can't use any cache as this method is called right after automatic connection allowed
-        Map<String, Object> identityProvider = manage.providerById(EntityType.saml20_idp, institution.getManageIdentifier(), Environment.PROD);
-        Map<String, Object> data = getData(identityProvider);
-        boolean noneMatch = ((List<Map<String, String>>) data.getOrDefault("allowedEntities", List.of()))
-                .stream()
-                .noneMatch(allowedEntity -> allowedEntity.get("name").equals(entityId));
+        if (!user.isSuperUser()) {
+            Map<String, Object> data = getIdentityProvider(authentication);
+            boolean noneMatch = ((List<Map<String, String>>) data.getOrDefault("allowedEntities", List.of()))
+                    .stream()
+                    .noneMatch(allowedEntity -> allowedEntity.get("name").equals(entityId));
 
-        if (noneMatch) {
-            throw new UserRestrictionException(String.format("User %s is not allowed to request policies for %s",
-                    user.getEmail(), entityId));
+            if (noneMatch) {
+                throw new UserRestrictionException(String.format("User %s is not allowed to request policies for %s",
+                        user.getEmail(), entityId));
+            }
         }
-        List<Map<String, Object>> policies = this.manage.policiesByServiceProvider(institution.getEntityID(), entityId);
+        List<Map<String, Object>> policies = this.manage
+                .policiesByServiceProvider(user.getAuthenticatingAuthority(), entityId);
         return ResponseEntity.ok(policies);
     }
 
+    @SneakyThrows
+    @PostMapping("/policies")
+    public ResponseEntity<Map<String, Object>> createPolicy(User user,
+                                                            @RequestBody Map<String, Object> policy) {
+        confirmInstitutionAdmin(user);
+        //We don't want to use PolicyDefinition as @RequestBody, because the template from Manage is leading
+        PolicyDefinition policyDefinition = this.objectMapper.convertValue(policy, PolicyDefinition.class);
+        confirmPolicyAccess(user, policyDefinition, manage);
+        return ResponseEntity.ok(policy);
+    }
+
     @SneakyThrows
     @PostMapping("/unique-entity-id/{environment}")
     public ResponseEntity<List<Map<String, Object>>> providersByEntityId(@PathVariable("environment") Environment environment,
@@ -131,4 +145,16 @@ public ResponseEntity<Map<String, Object>> rejectChangeRequest(@RequestBody Chan
         manage.rejectChangeRequest(Environment.PROD, changeRequest);
         return Results.okResult();
     }
+
+    private Map<String, Object> getIdentityProvider(Authentication authentication) {
+        OidcUser oidcUser = (OidcUser) authentication.getPrincipal();
+        Map<String, Object> claims = oidcUser.getUserInfo().getClaims();
+        Institution institution = (Institution) claims.get(InstitutionAdmin.INSTITUTION);
+        //We can't use any cache as this method is called right after automatic connection allowed
+        Map<String, Object> identityProvider = manage.providerById(EntityType.saml20_idp, institution.getManageIdentifier(), Environment.PROD);
+        Map<String, Object> data = getData(identityProvider);
+        return data;
+    }
+
+
 }
diff --git a/server/src/main/java/access/manage/PolicyAccessRights.java b/server/src/main/java/access/manage/PolicyAccessRights.java
@@ -0,0 +1,17 @@
+package access.manage;
+
+import access.model.User;
+
+import java.util.Map;
+
+public interface PolicyAccessRights {
+
+    default void confirmPolicyAccess(User user, PolicyDefinition policyDefinition, Manage manage) {
+        if (user.isSuperUser()) {
+            return;
+        }
+        //Is the IdP of the Policy the same as the IdP of the User?
+
+        //No IdP, all SP's must be owned by the IdP of the user (=organizationGUID of the instituitonAdmin)
+    }
+}
diff --git a/server/src/main/java/access/manage/PolicyAttribute.java b/server/src/main/java/access/manage/PolicyAttribute.java
@@ -0,0 +1,22 @@
+package access.manage;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+@NoArgsConstructor
+@Getter
+@Setter
+@AllArgsConstructor
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class PolicyAttribute {
+
+    private String name;
+
+    private String value;
+
+    private boolean negated;
+
+}
diff --git a/server/src/main/java/access/manage/PolicyDefinition.java b/server/src/main/java/access/manage/PolicyDefinition.java
@@ -0,0 +1,46 @@
+package access.manage;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Map;
+
+@NoArgsConstructor
+@Getter
+@Setter
+@AllArgsConstructor
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class PolicyDefinition {
+
+    private boolean active;
+
+    private boolean allAttributesMustMatch;
+
+    private List<PolicyAttribute> attributes = new ArrayList<>();
+
+    private String denyAdvice;
+
+    private String denyAdviceNl;
+
+    private boolean denyRule;
+
+    private String description;
+
+    private String entityid;
+
+    private List<String> identityProviderIds;
+
+    private Map<String, String> metaDataFields;
+
+    private String name;
+
+    private List<String> serviceProviderIds;
+
+    private String type;
+
+}
