refactor(auth): domain-specific role names (consistent convention)

User feedback: универсальный 'ordinis:approver' отступал от convention
'ordinis:<domain>:<action>'. Меняю на domain-specific:

WorkflowRoles constants:
- APPROVER → SCHEMA_REVIEWER ('ordinis:schema:reviewer')
- PUBLISHER → SCHEMA_PUBLISHER ('ordinis:schema:publisher')
- Новая RECORD_REVIEWER ('ordinis:record:reviewer')

Applied:
- SchemaDraftService.decide() → require SCHEMA_REVIEWER
- SchemaDraftService.publish() → require SCHEMA_PUBLISHER
- DraftService.approve() / .reject() → require RECORD_REVIEWER

Frontend usePermissions.ts:
- ROLE_APPROVER + ROLE_PUBLISHER → ROLE_SCHEMA_REVIEWER +
  ROLE_SCHEMA_PUBLISHER + ROLE_RECORD_REVIEWER
- Новый hook useCanReviewRecord() для record draft actions

Keycloak setup (updated):
- ordinis:schema:reviewer
- ordinis:schema:publisher
- ordinis:record:reviewer
(Composite role 'ordinis:admin' = all три + scope roles — для удобства.)
This commit is contained in:
Zimin A.N.
2026-05-13 12:44:23 +03:00
parent 24aa94d130
commit c5b00ff623
6 changed files with 68 additions and 54 deletions
+1
View File
@@ -21,3 +21,4 @@ HELP.md
# Sensitive # Sensitive
*.pem *.pem
*.key *.key
.gstack/
+22 -14
View File
@@ -4,10 +4,9 @@ import { useAuth } from 'react-oidc-context'
* Permission helpers для schema + record workflow. Phase 1d — **ACTIVE**: * Permission helpers для schema + record workflow. Phase 1d — **ACTIVE**:
* читает {@code realm_access.roles} из JWT и гейтит actions. * читает {@code realm_access.roles} из JWT и гейтит actions.
* *
* <p>Naming convention: colon-separated namespace * <p>Naming convention: colon-separated {@code ordinis:<domain>:<action>}
* {@code ordinis:<domain>:<action>} consistent с scope ACL ролями * pattern (consistent с scope ACL {@code ordinis:client:public}). Backend
* ({@code ordinis:client:public}). Backend parser в * parser в {@code WorkflowRoles.java}.
* {@code ScopeContext.java} / {@code WorkflowRoles.java}.
* *
* <p>Backend enforcement (см. {@code WorkflowRoles}): * <p>Backend enforcement (см. {@code WorkflowRoles}):
* <ul> * <ul>
@@ -21,13 +20,19 @@ import { useAuth } from 'react-oidc-context'
* backend всё равно 403'нет на прямой API call. * backend всё равно 403'нет на прямой API call.
* *
* <p><b>Migration note (Phase 1d enforcement):</b> Keycloak realm `nstart` * <p><b>Migration note (Phase 1d enforcement):</b> Keycloak realm `nstart`
* должен иметь созданные роли {@code ordinis:approver} и * должен иметь созданные роли:
* {@code ordinis:publisher}, и actual reviewer-users должны их получить. * <ul>
* До этого все decide / publish операции вернут {@code 403 forbidden_role}. * <li>{@code ordinis:schema:reviewer} — schema decide</li>
* <li>{@code ordinis:schema:publisher} — schema publish</li>
* <li>{@code ordinis:record:reviewer} — record approve/reject</li>
* </ul>
* и actual reviewer-users должны их получить. До этого все decide /
* publish операции вернут {@code 403 forbidden_role}.
*/ */
export const ROLE_APPROVER = 'ordinis:approver' export const ROLE_SCHEMA_REVIEWER = 'ordinis:schema:reviewer'
export const ROLE_PUBLISHER = 'ordinis:publisher' export const ROLE_SCHEMA_PUBLISHER = 'ordinis:schema:publisher'
export const ROLE_RECORD_REVIEWER = 'ordinis:record:reviewer'
/** Достаёт realm roles из JWT (Keycloak claim path: realm_access.roles). */ /** Достаёт realm roles из JWT (Keycloak claim path: realm_access.roles). */
function realmRoles(profile: unknown): string[] { function realmRoles(profile: unknown): string[] {
@@ -43,19 +48,22 @@ function hasRole(profile: unknown, role: string): boolean {
return realmRoles(profile).includes(role) return realmRoles(profile).includes(role)
} }
/** Может ли актор approve / request_changes / reject schema OR record draft. */ /** Может ли актор approve / request_changes / reject schema draft. */
export function useCanReviewSchema(): boolean { export function useCanReviewSchema(): boolean {
const auth = useAuth() const auth = useAuth()
return auth.isAuthenticated && hasRole(auth.user?.profile, ROLE_APPROVER) return auth.isAuthenticated && hasRole(auth.user?.profile, ROLE_SCHEMA_REVIEWER)
} }
/** Universal alias — то же что {@link useCanReviewSchema}. */ /** Может ли актор approve / reject record draft. */
export const useCanReviewDraft = useCanReviewSchema export function useCanReviewRecord(): boolean {
const auth = useAuth()
return auth.isAuthenticated && hasRole(auth.user?.profile, ROLE_RECORD_REVIEWER)
}
/** Может ли актор publish approved schema draft (bump live version). */ /** Может ли актор publish approved schema draft (bump live version). */
export function useCanPublishSchema(): boolean { export function useCanPublishSchema(): boolean {
const auth = useAuth() const auth = useAuth()
return auth.isAuthenticated && hasRole(auth.user?.profile, ROLE_PUBLISHER) return auth.isAuthenticated && hasRole(auth.user?.profile, ROLE_SCHEMA_PUBLISHER)
} }
/** /**
@@ -17,16 +17,17 @@ import java.util.Set;
* Realm-role enforcement для workflow actions (approve/reject/publish * Realm-role enforcement для workflow actions (approve/reject/publish
* как record draft, так и schema draft). * как record draft, так и schema draft).
* *
* <p>Naming convention: colon-separated namespace, тот же что у scope ACL * <p>Naming convention: colon-separated {@code ordinis:<domain>:<action>}
* ({@code ordinis:client:public}). Constants: * pattern (consistent с scope ACL {@code ordinis:client:public}).
* Domain-specific роли для clear separation между record и schema workflows:
* <ul> * <ul>
* <li>{@link #APPROVER} {@value APPROVER} — gate на approve / reject / * <li>{@link #SCHEMA_REVIEWER} {@value SCHEMA_REVIEWER} — gate на
* request_changes для record AND schema drafts. Single role для * schema draft decide (approve / request_changes / reject).</li>
* всего decide layer'а — easier to assign в Keycloak (one role * <li>{@link #SCHEMA_PUBLISHER} {@value SCHEMA_PUBLISHER} — gate на
* grants both review workflows).</li> * publish approved schema draft → live. У records publish
* <li>{@link #PUBLISHER} {@value PUBLISHER} — gate на publish approved * auto-выполняется при approve, отдельной step'и нет.</li>
* schema draft. У records publish auto-выполняется при approve, * <li>{@link #RECORD_REVIEWER} {@value RECORD_REVIEWER} — gate на
* отдельной publish step нет.</li> * record draft approve / reject (Approval Workflow v2).</li>
* </ul> * </ul>
* *
* <p>Maker side (create / submit / withdraw) пока не role-gated — любой * <p>Maker side (create / submit / withdraw) пока не role-gated — любой
@@ -37,21 +38,26 @@ import java.util.Set;
* <p>JWT источник: {@code realm_access.roles} claim (Keycloak realm roles). * <p>JWT источник: {@code realm_access.roles} claim (Keycloak realm roles).
* Совместимо с {@code ScopeContext} JWT parsing pattern. * Совместимо с {@code ScopeContext} JWT parsing pattern.
* *
* <p><b>Migration note (Phase 1d enforcement):</b> до deploy этой версии * <p><b>Migration note (Phase 1d enforcement):</b> Keycloak realm должен
* Keycloak realm должен иметь созданные роли {@code ordinis:approver} и * иметь созданные роли, и users должны их получить. Иначе все decide /
* {@code ordinis:publisher}, и actual reviewer-users должны их получить. * publish операции вернут {@code 403 forbidden_role}.
* Иначе все decide / publish операции вернут {@code 403 forbidden_role}. *
* <p>Composite role idea: {@code ordinis:admin} = combined из всех трёх
* + scope role'ов — single assignment grants full workflow access.
*/ */
@Component @Component
public class WorkflowRoles { public class WorkflowRoles {
private static final Logger log = LoggerFactory.getLogger(WorkflowRoles.class); private static final Logger log = LoggerFactory.getLogger(WorkflowRoles.class);
/** Universal approver роль — gate на decide / approve / reject. */ /** Approve / reject / request_changes schema draft (Phase 1c workflow). */
public static final String APPROVER = "ordinis:approver"; public static final String SCHEMA_REVIEWER = "ordinis:schema:reviewer";
/** Publish approved schema draft → live (bump dictionary live version). */ /** Publish approved schema draft → live (bump dictionary schema version). */
public static final String PUBLISHER = "ordinis:publisher"; public static final String SCHEMA_PUBLISHER = "ordinis:schema:publisher";
/** Approve / reject record draft (Approval Workflow v2). */
public static final String RECORD_REVIEWER = "ordinis:record:reviewer";
/** Read realm_access.roles из current request JWT. Anonymous → empty. */ /** Read realm_access.roles из current request JWT. Anonymous → empty. */
public Set<String> currentRoles() { public Set<String> currentRoles() {
@@ -223,8 +223,8 @@ public class DraftService {
if (recordService == null) { if (recordService == null) {
throw new IllegalStateException("DictionaryRecordService not wired (test ctor used)."); throw new IllegalStateException("DictionaryRecordService not wired (test ctor used).");
} }
// Phase 1d: realm role gate (universal 'ordinis:approver'). // Phase 1d: realm role gate (record-specific 'ordinis:record:reviewer').
requireRoleIfEnforced(cloud.nstart.terravault.ordinis.restapi.auth.WorkflowRoles.APPROVER); requireRoleIfEnforced(cloud.nstart.terravault.ordinis.restapi.auth.WorkflowRoles.RECORD_REVIEWER);
String reviewerId = currentUserId(); String reviewerId = currentUserId();
RecordDraft draft = findById(draftId); RecordDraft draft = findById(draftId);
if (draft.getStatus() != DraftStatus.PENDING) { if (draft.getStatus() != DraftStatus.PENDING) {
@@ -273,7 +273,7 @@ public class DraftService {
@Transactional @Transactional
public RecordDraft reject(UUID draftId, String reviewComment) { public RecordDraft reject(UUID draftId, String reviewComment) {
// Phase 1d: same role как approve — reviewer'ы могут оба действия. // Phase 1d: same role как approve — reviewer'ы могут оба действия.
requireRoleIfEnforced(cloud.nstart.terravault.ordinis.restapi.auth.WorkflowRoles.APPROVER); requireRoleIfEnforced(cloud.nstart.terravault.ordinis.restapi.auth.WorkflowRoles.RECORD_REVIEWER);
if (reviewComment == null || reviewComment.isBlank()) { if (reviewComment == null || reviewComment.isBlank()) {
throw OrdinisException.badRequest( throw OrdinisException.badRequest(
"reject_reason_required", "reject_reason_required",
@@ -244,9 +244,9 @@ public class SchemaDraftService {
*/ */
@Transactional @Transactional
public DictionarySchemaDraft decide(UUID draftId, DecisionRequest req) { public DictionarySchemaDraft decide(UUID draftId, DecisionRequest req) {
// Phase 1d: realm role gate. Без 'ordinis:approver' actor получит // Phase 1d: realm role gate. Без 'ordinis:schema:reviewer' actor
// 403 forbidden_role до даже status checks — fail-fast. // получит 403 forbidden_role до даже status checks — fail-fast.
requireRoleIfEnforced(WorkflowRoles.APPROVER); requireRoleIfEnforced(WorkflowRoles.SCHEMA_REVIEWER);
DictionarySchemaDraft draft = findById(draftId); DictionarySchemaDraft draft = findById(draftId);
String reviewerId = currentUserId(); String reviewerId = currentUserId();
@@ -308,10 +308,9 @@ public class SchemaDraftService {
*/ */
@Transactional(isolation = Isolation.SERIALIZABLE) @Transactional(isolation = Isolation.SERIALIZABLE)
public DictionarySchemaDraft publish(UUID draftId, PublishDraftRequest req) { public DictionarySchemaDraft publish(UUID draftId, PublishDraftRequest req) {
// Phase 1d: publish — отдельная role от approver. У publisher могут // Phase 1d: publish — отдельная role от reviewer'а. Publishers
// быть более узкие пользователи (production gatekeepers), тогда как // обычно более узкая группа (production gatekeepers) чем reviewers.
// approvers более wide (любой senior reviewer). requireRoleIfEnforced(WorkflowRoles.SCHEMA_PUBLISHER);
requireRoleIfEnforced(WorkflowRoles.PUBLISHER);
DictionarySchemaDraft draft = findById(draftId); DictionarySchemaDraft draft = findById(draftId);
DictionaryDefinition def = definitionService.findById(draft.getDictionaryId()); DictionaryDefinition def = definitionService.findById(draft.getDictionaryId());
@@ -36,50 +36,50 @@ class WorkflowRolesTest {
@Test @Test
void anonymous_hasRole_false() { void anonymous_hasRole_false() {
SecurityContextHolder.clearContext(); SecurityContextHolder.clearContext();
assertThat(roles.hasRole(WorkflowRoles.APPROVER)).isFalse(); assertThat(roles.hasRole(WorkflowRoles.SCHEMA_REVIEWER)).isFalse();
} }
@Test @Test
void jwtWithApprover_hasRole_true() { void jwtWithApprover_hasRole_true() {
setJwtWithRealmRoles(List.of(WorkflowRoles.APPROVER)); setJwtWithRealmRoles(List.of(WorkflowRoles.SCHEMA_REVIEWER));
assertThat(roles.hasRole(WorkflowRoles.APPROVER)).isTrue(); assertThat(roles.hasRole(WorkflowRoles.SCHEMA_REVIEWER)).isTrue();
assertThat(roles.hasRole(WorkflowRoles.PUBLISHER)).isFalse(); assertThat(roles.hasRole(WorkflowRoles.SCHEMA_PUBLISHER)).isFalse();
} }
@Test @Test
void jwtWithMultipleRoles_currentRoles_contains() { void jwtWithMultipleRoles_currentRoles_contains() {
setJwtWithRealmRoles(List.of( setJwtWithRealmRoles(List.of(
WorkflowRoles.APPROVER, WorkflowRoles.SCHEMA_REVIEWER,
WorkflowRoles.PUBLISHER, WorkflowRoles.SCHEMA_PUBLISHER,
"ordinis:client:restricted", "ordinis:client:restricted",
"some-other-role")); "some-other-role"));
assertThat(roles.currentRoles()) assertThat(roles.currentRoles())
.containsExactlyInAnyOrder( .containsExactlyInAnyOrder(
WorkflowRoles.APPROVER, WorkflowRoles.SCHEMA_REVIEWER,
WorkflowRoles.PUBLISHER, WorkflowRoles.SCHEMA_PUBLISHER,
"ordinis:client:restricted", "ordinis:client:restricted",
"some-other-role"); "some-other-role");
} }
@Test @Test
void requireRole_present_noThrow() { void requireRole_present_noThrow() {
setJwtWithRealmRoles(List.of(WorkflowRoles.APPROVER)); setJwtWithRealmRoles(List.of(WorkflowRoles.SCHEMA_REVIEWER));
roles.requireRole(WorkflowRoles.APPROVER); roles.requireRole(WorkflowRoles.SCHEMA_REVIEWER);
// no exception — passes // no exception — passes
} }
@Test @Test
void requireRole_missing_throws403() { void requireRole_missing_throws403() {
setJwtWithRealmRoles(List.of("some-other-role")); setJwtWithRealmRoles(List.of("some-other-role"));
assertThatThrownBy(() -> roles.requireRole(WorkflowRoles.PUBLISHER)) assertThatThrownBy(() -> roles.requireRole(WorkflowRoles.SCHEMA_PUBLISHER))
.isInstanceOf(OrdinisException.class) .isInstanceOf(OrdinisException.class)
.hasMessageContaining(WorkflowRoles.PUBLISHER); .hasMessageContaining(WorkflowRoles.SCHEMA_PUBLISHER);
} }
@Test @Test
void requireRole_anonymous_throws() { void requireRole_anonymous_throws() {
SecurityContextHolder.clearContext(); SecurityContextHolder.clearContext();
assertThatThrownBy(() -> roles.requireRole(WorkflowRoles.APPROVER)) assertThatThrownBy(() -> roles.requireRole(WorkflowRoles.SCHEMA_REVIEWER))
.isInstanceOf(OrdinisException.class); .isInstanceOf(OrdinisException.class);
} }