refactor(auth): domain-specific role names (consistent convention)
User feedback: универсальный 'ordinis:approver' отступал от convention
'ordinis:<domain>:<action>'. Меняю на domain-specific:
WorkflowRoles constants:
- APPROVER → SCHEMA_REVIEWER ('ordinis:schema:reviewer')
- PUBLISHER → SCHEMA_PUBLISHER ('ordinis:schema:publisher')
- Новая RECORD_REVIEWER ('ordinis:record:reviewer')
Applied:
- SchemaDraftService.decide() → require SCHEMA_REVIEWER
- SchemaDraftService.publish() → require SCHEMA_PUBLISHER
- DraftService.approve() / .reject() → require RECORD_REVIEWER
Frontend usePermissions.ts:
- ROLE_APPROVER + ROLE_PUBLISHER → ROLE_SCHEMA_REVIEWER +
ROLE_SCHEMA_PUBLISHER + ROLE_RECORD_REVIEWER
- Новый hook useCanReviewRecord() для record draft actions
Keycloak setup (updated):
- ordinis:schema:reviewer
- ordinis:schema:publisher
- ordinis:record:reviewer
(Composite role 'ordinis:admin' = all три + scope roles — для удобства.)
This commit is contained in:
+23
-17
@@ -17,16 +17,17 @@ import java.util.Set;
|
||||
* Realm-role enforcement для workflow actions (approve/reject/publish
|
||||
* как record draft, так и schema draft).
|
||||
*
|
||||
* <p>Naming convention: colon-separated namespace, тот же что у scope ACL
|
||||
* ({@code ordinis:client:public}). Constants:
|
||||
* <p>Naming convention: colon-separated {@code ordinis:<domain>:<action>}
|
||||
* pattern (consistent с scope ACL {@code ordinis:client:public}).
|
||||
* Domain-specific роли для clear separation между record и schema workflows:
|
||||
* <ul>
|
||||
* <li>{@link #APPROVER} {@value APPROVER} — gate на approve / reject /
|
||||
* request_changes для record AND schema drafts. Single role для
|
||||
* всего decide layer'а — easier to assign в Keycloak (one role
|
||||
* grants both review workflows).</li>
|
||||
* <li>{@link #PUBLISHER} {@value PUBLISHER} — gate на publish approved
|
||||
* schema draft. У records publish auto-выполняется при approve,
|
||||
* отдельной publish step нет.</li>
|
||||
* <li>{@link #SCHEMA_REVIEWER} {@value SCHEMA_REVIEWER} — gate на
|
||||
* schema draft decide (approve / request_changes / reject).</li>
|
||||
* <li>{@link #SCHEMA_PUBLISHER} {@value SCHEMA_PUBLISHER} — gate на
|
||||
* publish approved schema draft → live. У records publish
|
||||
* auto-выполняется при approve, отдельной step'и нет.</li>
|
||||
* <li>{@link #RECORD_REVIEWER} {@value RECORD_REVIEWER} — gate на
|
||||
* record draft approve / reject (Approval Workflow v2).</li>
|
||||
* </ul>
|
||||
*
|
||||
* <p>Maker side (create / submit / withdraw) пока не role-gated — любой
|
||||
@@ -37,21 +38,26 @@ import java.util.Set;
|
||||
* <p>JWT источник: {@code realm_access.roles} claim (Keycloak realm roles).
|
||||
* Совместимо с {@code ScopeContext} JWT parsing pattern.
|
||||
*
|
||||
* <p><b>Migration note (Phase 1d enforcement):</b> до deploy этой версии
|
||||
* Keycloak realm должен иметь созданные роли {@code ordinis:approver} и
|
||||
* {@code ordinis:publisher}, и actual reviewer-users должны их получить.
|
||||
* Иначе все decide / publish операции вернут {@code 403 forbidden_role}.
|
||||
* <p><b>Migration note (Phase 1d enforcement):</b> Keycloak realm должен
|
||||
* иметь созданные роли, и users должны их получить. Иначе все decide /
|
||||
* publish операции вернут {@code 403 forbidden_role}.
|
||||
*
|
||||
* <p>Composite role idea: {@code ordinis:admin} = combined из всех трёх
|
||||
* + scope role'ов — single assignment grants full workflow access.
|
||||
*/
|
||||
@Component
|
||||
public class WorkflowRoles {
|
||||
|
||||
private static final Logger log = LoggerFactory.getLogger(WorkflowRoles.class);
|
||||
|
||||
/** Universal approver роль — gate на decide / approve / reject. */
|
||||
public static final String APPROVER = "ordinis:approver";
|
||||
/** Approve / reject / request_changes schema draft (Phase 1c workflow). */
|
||||
public static final String SCHEMA_REVIEWER = "ordinis:schema:reviewer";
|
||||
|
||||
/** Publish approved schema draft → live (bump dictionary live version). */
|
||||
public static final String PUBLISHER = "ordinis:publisher";
|
||||
/** Publish approved schema draft → live (bump dictionary schema version). */
|
||||
public static final String SCHEMA_PUBLISHER = "ordinis:schema:publisher";
|
||||
|
||||
/** Approve / reject record draft (Approval Workflow v2). */
|
||||
public static final String RECORD_REVIEWER = "ordinis:record:reviewer";
|
||||
|
||||
/** Read realm_access.roles из current request JWT. Anonymous → empty. */
|
||||
public Set<String> currentRoles() {
|
||||
|
||||
+3
-3
@@ -223,8 +223,8 @@ public class DraftService {
|
||||
if (recordService == null) {
|
||||
throw new IllegalStateException("DictionaryRecordService not wired (test ctor used).");
|
||||
}
|
||||
// Phase 1d: realm role gate (universal 'ordinis:approver').
|
||||
requireRoleIfEnforced(cloud.nstart.terravault.ordinis.restapi.auth.WorkflowRoles.APPROVER);
|
||||
// Phase 1d: realm role gate (record-specific 'ordinis:record:reviewer').
|
||||
requireRoleIfEnforced(cloud.nstart.terravault.ordinis.restapi.auth.WorkflowRoles.RECORD_REVIEWER);
|
||||
String reviewerId = currentUserId();
|
||||
RecordDraft draft = findById(draftId);
|
||||
if (draft.getStatus() != DraftStatus.PENDING) {
|
||||
@@ -273,7 +273,7 @@ public class DraftService {
|
||||
@Transactional
|
||||
public RecordDraft reject(UUID draftId, String reviewComment) {
|
||||
// Phase 1d: same role как approve — reviewer'ы могут оба действия.
|
||||
requireRoleIfEnforced(cloud.nstart.terravault.ordinis.restapi.auth.WorkflowRoles.APPROVER);
|
||||
requireRoleIfEnforced(cloud.nstart.terravault.ordinis.restapi.auth.WorkflowRoles.RECORD_REVIEWER);
|
||||
if (reviewComment == null || reviewComment.isBlank()) {
|
||||
throw OrdinisException.badRequest(
|
||||
"reject_reason_required",
|
||||
|
||||
+6
-7
@@ -244,9 +244,9 @@ public class SchemaDraftService {
|
||||
*/
|
||||
@Transactional
|
||||
public DictionarySchemaDraft decide(UUID draftId, DecisionRequest req) {
|
||||
// Phase 1d: realm role gate. Без 'ordinis:approver' actor получит
|
||||
// 403 forbidden_role до даже status checks — fail-fast.
|
||||
requireRoleIfEnforced(WorkflowRoles.APPROVER);
|
||||
// Phase 1d: realm role gate. Без 'ordinis:schema:reviewer' actor
|
||||
// получит 403 forbidden_role до даже status checks — fail-fast.
|
||||
requireRoleIfEnforced(WorkflowRoles.SCHEMA_REVIEWER);
|
||||
DictionarySchemaDraft draft = findById(draftId);
|
||||
String reviewerId = currentUserId();
|
||||
|
||||
@@ -308,10 +308,9 @@ public class SchemaDraftService {
|
||||
*/
|
||||
@Transactional(isolation = Isolation.SERIALIZABLE)
|
||||
public DictionarySchemaDraft publish(UUID draftId, PublishDraftRequest req) {
|
||||
// Phase 1d: publish — отдельная role от approver. У publisher могут
|
||||
// быть более узкие пользователи (production gatekeepers), тогда как
|
||||
// approvers более wide (любой senior reviewer).
|
||||
requireRoleIfEnforced(WorkflowRoles.PUBLISHER);
|
||||
// Phase 1d: publish — отдельная role от reviewer'а. Publishers
|
||||
// обычно более узкая группа (production gatekeepers) чем reviewers.
|
||||
requireRoleIfEnforced(WorkflowRoles.SCHEMA_PUBLISHER);
|
||||
DictionarySchemaDraft draft = findById(draftId);
|
||||
DictionaryDefinition def = definitionService.findById(draft.getDictionaryId());
|
||||
|
||||
|
||||
+13
-13
@@ -36,50 +36,50 @@ class WorkflowRolesTest {
|
||||
@Test
|
||||
void anonymous_hasRole_false() {
|
||||
SecurityContextHolder.clearContext();
|
||||
assertThat(roles.hasRole(WorkflowRoles.APPROVER)).isFalse();
|
||||
assertThat(roles.hasRole(WorkflowRoles.SCHEMA_REVIEWER)).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
void jwtWithApprover_hasRole_true() {
|
||||
setJwtWithRealmRoles(List.of(WorkflowRoles.APPROVER));
|
||||
assertThat(roles.hasRole(WorkflowRoles.APPROVER)).isTrue();
|
||||
assertThat(roles.hasRole(WorkflowRoles.PUBLISHER)).isFalse();
|
||||
setJwtWithRealmRoles(List.of(WorkflowRoles.SCHEMA_REVIEWER));
|
||||
assertThat(roles.hasRole(WorkflowRoles.SCHEMA_REVIEWER)).isTrue();
|
||||
assertThat(roles.hasRole(WorkflowRoles.SCHEMA_PUBLISHER)).isFalse();
|
||||
}
|
||||
|
||||
@Test
|
||||
void jwtWithMultipleRoles_currentRoles_contains() {
|
||||
setJwtWithRealmRoles(List.of(
|
||||
WorkflowRoles.APPROVER,
|
||||
WorkflowRoles.PUBLISHER,
|
||||
WorkflowRoles.SCHEMA_REVIEWER,
|
||||
WorkflowRoles.SCHEMA_PUBLISHER,
|
||||
"ordinis:client:restricted",
|
||||
"some-other-role"));
|
||||
assertThat(roles.currentRoles())
|
||||
.containsExactlyInAnyOrder(
|
||||
WorkflowRoles.APPROVER,
|
||||
WorkflowRoles.PUBLISHER,
|
||||
WorkflowRoles.SCHEMA_REVIEWER,
|
||||
WorkflowRoles.SCHEMA_PUBLISHER,
|
||||
"ordinis:client:restricted",
|
||||
"some-other-role");
|
||||
}
|
||||
|
||||
@Test
|
||||
void requireRole_present_noThrow() {
|
||||
setJwtWithRealmRoles(List.of(WorkflowRoles.APPROVER));
|
||||
roles.requireRole(WorkflowRoles.APPROVER);
|
||||
setJwtWithRealmRoles(List.of(WorkflowRoles.SCHEMA_REVIEWER));
|
||||
roles.requireRole(WorkflowRoles.SCHEMA_REVIEWER);
|
||||
// no exception — passes
|
||||
}
|
||||
|
||||
@Test
|
||||
void requireRole_missing_throws403() {
|
||||
setJwtWithRealmRoles(List.of("some-other-role"));
|
||||
assertThatThrownBy(() -> roles.requireRole(WorkflowRoles.PUBLISHER))
|
||||
assertThatThrownBy(() -> roles.requireRole(WorkflowRoles.SCHEMA_PUBLISHER))
|
||||
.isInstanceOf(OrdinisException.class)
|
||||
.hasMessageContaining(WorkflowRoles.PUBLISHER);
|
||||
.hasMessageContaining(WorkflowRoles.SCHEMA_PUBLISHER);
|
||||
}
|
||||
|
||||
@Test
|
||||
void requireRole_anonymous_throws() {
|
||||
SecurityContextHolder.clearContext();
|
||||
assertThatThrownBy(() -> roles.requireRole(WorkflowRoles.APPROVER))
|
||||
assertThatThrownBy(() -> roles.requireRole(WorkflowRoles.SCHEMA_REVIEWER))
|
||||
.isInstanceOf(OrdinisException.class);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user