EndpointInsights/endpoint-insights-api/src/main/java/com/vsp/endpointinsightsapi/model/UserContext.java at develop · git-stuff-done/EndpointInsights · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
package com.vsp.endpointinsightsapi.model;

import com.vsp.endpointinsightsapi.model.enums.UserRole;
import lombok.Builder;
import lombok.Data;

import java.util.List;

/**
 * Immutable user session data extracted from JWT token claims.
 *
 * <p>Contains user identification and role information that is available
 * throughout the request lifecycle. Created by
 * {@link com.vsp.endpointinsightsapi.authentication.AuthorizationInterceptor}
 * during JWT validation and accessed via {@link com.vsp.endpointinsightsapi.util.CurrentUser}.
 *
 * <h2>Fields:</h2>
 * <ul>
 *   <li><strong>issuer</strong> - OIDC issuer URL from JWT 'iss' claim</li>
 *   <li><strong>subject</strong> - Unique user identifier from JWT 'subject' claim</li>
 *   <li><strong>username</strong> - Display username from JWT 'preferred_username' claim</li>
 *   <li><strong>email</strong> - User email from JWT 'email' claim</li>
 *   <li><strong>role</strong> - User role determined from JWT 'groups' claim</li>
 * </ul>
 *
 * @see com.vsp.endpointinsightsapi.util.CurrentUser
 * @see UserRole
 */
@Data
@Builder
public class UserContext {
    private final String issuer;
    private final String subject;
    private final String username;
    private final String email;
    private final List<UserRole> roles;

    /**
     * Returns a formatted identifier suitable for logging.
     *
     * @return formatted string "username (subject)"
     */
    public String getLogIdentifier() {
        return String.format("%s (%s/%s)", username, subject, issuer);
    }

    /**
     * Returns the OIDC identity in standard format: "iss/subject"
     *
     * @return formatted string "issuer/subject"
     */
    public String getOidcIdentity() {
        return issuer + "/" + subject;
    }

    /**
     * Checks if user has write access (WRITE role).
     *
     * @return true if user has WRITE role, false otherwise
     */
    public boolean hasWriteAccess() {
        return roles.contains(UserRole.WRITE);
    }

    /**
     * Checks if user has read access (READ or WRITE role).
     *
     * @return true if user has READ or WRITE role, false otherwise
     */
    public boolean hasReadAccess() {
        return roles.contains(UserRole.READ) || roles.contains(UserRole.WRITE);
    }
}