Merge pull request #109 from netgrif/NAE-1717

[NAE-1717] Banned roles not hiding menu entries

Author: machacjozef

projects/netgrif-components-core/src/commons/schema.ts

@@ -245,6 +245,7 @@ export interface Access {
      *  For `string` values the format is: <net import id>.<role name>
      */
     role?: Array<string> | string | RoleAccess | Array<RoleAccess>;
+    bannedRole?: Array<string> | string | RoleAccess | Array<RoleAccess>;
     group?: Array<string> | string;
     authority?: Array<string> | string;
 

projects/netgrif-components-core/src/lib/authorization/permission/access.service.ts

@@ -56,7 +56,7 @@ export class AccessService {
      * @returns whether the user passes the role guard condition for accessing the specified view
      */
     public passesRoleGuard(view: View, url: string): boolean {
-        return !view.access.hasOwnProperty('role') || this._roleGuard.canAccessView(view, url);
+        return (!view.access.hasOwnProperty('role') && !view.access.hasOwnProperty('bannedRole')) || this._roleGuard.canAccessView(view, url);
     }
 
     /**

projects/netgrif-components-core/src/lib/authorization/role/role-guard.service.spec.ts

@@ -0,0 +1,94 @@
+import {TestBed} from '@angular/core/testing';
+
+import {MaterialModule} from "../../material/material.module";
+import {CommonModule} from "@angular/common";
+import {FlexModule} from "@angular/flex-layout";
+import {BrowserAnimationsModule, NoopAnimationsModule} from "@angular/platform-browser/animations";
+import {TranslateLibModule} from "../../translate/translate-lib.module";
+import {HttpClientTestingModule} from "@angular/common/http/testing";
+import {UserService} from "../../user/services/user.service";
+import {MockUserService} from "../../utility/tests/mocks/mock-user.service";
+import { Injectable, NO_ERRORS_SCHEMA } from '@angular/core';
+import {ConfigurationService} from "../../configuration/configuration.service";
+import {TestConfigurationService} from "../../utility/tests/test-config";
+import {AuthenticationModule} from "../../authentication/authentication.module";
+import {RouterTestingModule} from "@angular/router/testing";
+import { RoleGuardService } from './role-guard.service';
+import { Access, View } from '../../../commons/schema';
+import { User } from '../../user/models/user';
+
+describe('RoleGuardService', () => {
+    let service: RoleGuardService;
+
+    beforeEach(() => {
+        TestBed.configureTestingModule({
+            imports: [
+                MaterialModule,
+                CommonModule,
+                FlexModule,
+                NoopAnimationsModule,
+                BrowserAnimationsModule,
+                TranslateLibModule,
+                HttpClientTestingModule,
+                AuthenticationModule,
+                RouterTestingModule.withRoutes([]),
+            ],
+            providers: [
+                RoleGuardService,
+                {provide: ConfigurationService, useClass: TestConfigurationService},
+                {provide: UserService, useClass: CustomMockUserService},
+            ],
+            declarations: [],
+            schemas: [NO_ERRORS_SCHEMA]
+        });
+        service = TestBed.inject(RoleGuardService);
+    });
+
+    it('should be created', () => {
+        expect(service).toBeTruthy();
+    });
+
+    it('should access view with role only', () => {
+        const view = {access: {role: ['test.role_user']} as Access} as View
+        expect(service.canAccessView(view, 'test')).toBeTrue();
+    });
+
+    it('should not access view', () => {
+        const view = {access: {role: [], bannedRole: []} as Access} as View
+        expect(service.canAccessView(view, 'test')).toBeFalse();
+    });
+
+    it('should not access view with banned role only', () => {
+        const view = {access: {bannedRole: ['test.banned_role']} as Access} as View
+        expect(service.canAccessView(view, 'test')).toBeFalse();
+    });
+
+    it('should not access view with role and banned role', () => {
+        const view = {access: {role: ['test.role_user'], bannedRole: ['test.banned_role']} as Access} as View
+        expect(service.canAccessView(view, 'test')).toBeFalse();
+    });
+});
+
+@Injectable()
+class CustomMockUserService extends MockUserService {
+    constructor() {
+        super();
+        this._user = new User('123', 'test@netgrif.com', 'Test', 'User', ['ROLE_USER'], [{
+            stringId: 'role_user',
+            name: 'role_user',
+            description: '',
+            importId: 'role_user',
+            netImportId: 'test',
+            netVersion: '1.0.0',
+            netStringId: 'test',
+        },{
+            stringId: 'banned_role',
+            name: 'banned_role',
+            description: '',
+            importId: 'banned_role',
+            netImportId: 'test',
+            netVersion: '1.0.0',
+            netStringId: 'test',
+        } ]);
+    }
+}

projects/netgrif-components-core/src/lib/authorization/role/role-guard.service.ts

@@ -37,29 +37,51 @@ export class RoleGuardService implements CanActivate {
     }
 
     public canAccessView(view: View, url: string): boolean {
-        if (typeof view.access !== 'string' && view.access.hasOwnProperty('role')) {
-            const allowedRoles = this.parseRoleConstraints(view.access.role, url);
-
-            return allowedRoles.some(constraint => {
-                if (constraint.roleIdentifier) {
-                    return this._userService.hasRoleByIdentifier(constraint.roleIdentifier, constraint.processIdentifier);
-                } else {
-                    return this._userService.hasRoleByName(constraint.roleName, constraint.processIdentifier);
+        if (typeof view.access !== 'string' && (view.access.hasOwnProperty('role') || view.access.hasOwnProperty('bannedRole'))) {
+
+            if (view.access.hasOwnProperty('role') && view.access.hasOwnProperty('bannedRole')) {
+                const bannedRoles = this.parseRoleConstraints(view.access.bannedRole, url);
+                const allowedRoles = this.parseRoleConstraints(view.access.role, url);
+
+                if (bannedRoles.some(role => this.decideAccessByRole(role))) {
+                    return false;
+                }
+
+                if (allowedRoles.length === 0) {
+                    this._log.warn(`View at '${url}' defines role access constraint with an empty array!`
+                        + ` No users will be allowed to enter this view!`);
                 }
-            });
+                return allowedRoles.some(role => this.decideAccessByRole(role)); // user was not denied access by a banned role, they need at least one allowed role
+            }
+
+            if (view.access.hasOwnProperty('bannedRole')) {
+                const bannedRoles = this.parseRoleConstraints(view.access.bannedRole, url);
+                return !bannedRoles.some(constraint => {
+                    return this.decideAccessByRole(constraint);
+                });
+            }
+
+            if (view.access.hasOwnProperty('role')) {
+                const allowedRoles = this.parseRoleConstraints(view.access.role, url);
+                if (allowedRoles.length === 0) {
+                    this._log.warn(`View at '${url}' defines role access constraint with an empty array!`
+                        + ` No users will be allowed to enter this view!`);
+                }
+                return allowedRoles.some(constraint => {
+                    return this.decideAccessByRole(constraint);
+                });
+            }
         }
         throw new Error('Role guard is declared for a view with no role guard configuration!'
             + ` Add role guard configuration for view at ${url}, or remove the guard.`);
     }
 
-    protected parseRoleConstraints(roleConstrains: Access['role'], viewUrl: string): Array<RoleConstraint> {
+    protected parseRoleConstraints(roleConstrains: Access['role'] | Access['bannedRole'], viewUrl: string): Array<RoleConstraint> {
         if (typeof roleConstrains === 'string') {
             return this.parseStringRoleConstraints(roleConstrains);
         }
         if (Array.isArray(roleConstrains)) {
             if (roleConstrains.length === 0) {
-                this._log.warn(`View at '${viewUrl}' defines role access constraint with an empty array!`
-                    + ` No users will be allowed to enter this view!`);
                 return [];
             }
             if (typeof roleConstrains[0] === 'string') {
@@ -102,4 +124,12 @@ export class RoleGuardService implements CanActivate {
         });
     }
 
+    private decideAccessByRole(constraint: RoleConstraint): boolean {
+        if (constraint.roleIdentifier) {
+            return this._userService.hasRoleByIdentifier(constraint.roleIdentifier, constraint.processIdentifier);
+        } else {
+            return this._userService.hasRoleByName(constraint.roleName, constraint.processIdentifier);
+        }
+    }
+
 }

projects/netgrif-components-core/src/lib/navigation/navigation-double-drawer/abstract-navigation-double-drawer.spec.ts

@@ -0,0 +1,114 @@
+import {waitForAsync, ComponentFixture, TestBed} from '@angular/core/testing';
+import {CommonModule} from '@angular/common';
+import {FlexLayoutModule, FlexModule} from '@angular/flex-layout';
+import {NoopAnimationsModule} from '@angular/platform-browser/animations';
+import {HttpClientTestingModule} from '@angular/common/http/testing';
+import {MaterialModule} from '../../material/material.module';
+import {TranslateLibModule} from '../../translate/translate-lib.module';
+import {ConfigurationService} from '../../configuration/configuration.service';
+import {Component, CUSTOM_ELEMENTS_SCHEMA} from '@angular/core';
+import {BreakpointObserver} from '@angular/cdk/layout';
+import {LoggerService} from '../../logger/services/logger.service';
+import {RouterTestingModule} from '@angular/router/testing';
+import {UserPreferenceService} from '../../user/services/user-preference.service';
+import {MockUserPreferenceService} from '../../utility/tests/mocks/mock-user-preference.service';
+import {ResizableModule} from 'angular-resizable-element';
+import {TestLoggingConfigurationService} from '../../utility/tests/test-logging-config';
+import {AuthenticationMethodService} from '../../authentication/services/authentication-method.service';
+import {MockAuthenticationMethodService} from '../../utility/tests/mocks/mock-authentication-method-service';
+import {AuthenticationService} from '../../authentication/services/authentication/authentication.service';
+import {UserResourceService} from '../../resources/engine-endpoint/user-resource.service';
+import {MockAuthenticationService} from '../../utility/tests/mocks/mock-authentication.service';
+import {MockUserResourceService} from '../../utility/tests/mocks/mock-user-resource.service';
+import { AbstractNavigationDoubleDrawerComponent } from './abstract-navigation-double-drawer';
+import { ActivatedRoute, Router } from '@angular/router';
+import { UserService } from '../../user/services/user.service';
+import { AccessService } from '../../authorization/permission/access.service';
+import { UriService } from '../service/uri.service';
+import { LanguageService } from '../../translate/language.service';
+import {
+    DynamicNavigationRouteProviderService
+} from '../../routing/dynamic-navigation-route-provider/dynamic-navigation-route-provider.service';
+import { AuthenticationModule } from '../../authentication/authentication.module';
+
+describe('AbstractNavigationDoubleDrawerComponent', () => {
+    let component: TestDrawerComponent;
+    let fixture: ComponentFixture<TestDrawerComponent>;
+
+    beforeEach(waitForAsync(() => {
+        TestBed.configureTestingModule({
+            declarations: [TestDrawerComponent],
+            imports: [
+                CommonModule,
+                RouterTestingModule.withRoutes([]),
+                MaterialModule,
+                FlexModule,
+                FlexLayoutModule,
+                NoopAnimationsModule,
+                TranslateLibModule,
+                HttpClientTestingModule,
+                ResizableModule,
+                AuthenticationModule
+            ],
+            providers: [
+                {provide: AuthenticationMethodService, useClass: MockAuthenticationMethodService},
+                {provide: ConfigurationService, useClass: TestLoggingConfigurationService},
+                {provide: AuthenticationService, useClass: MockAuthenticationService},
+                {provide: UserResourceService, useClass: MockUserResourceService},
+                {provide: UserPreferenceService, useClass: MockUserPreferenceService}
+            ],
+            schemas: [CUSTOM_ELEMENTS_SCHEMA]
+        }).compileComponents();
+    }));
+
+    beforeEach(() => {
+        fixture = TestBed.createComponent(TestDrawerComponent);
+        component = fixture.componentInstance;
+        spyOn(component, 'toggleLeftMenu');
+        spyOn(component, 'toggleRightMenu');
+        fixture.detectChanges();
+    });
+
+    it('should create', () => {
+        expect(component).toBeTruthy();
+    });
+
+    it('should toggle menu', (done) => {
+        component.toggleMenu();
+        expect(component.toggleLeftMenu).toHaveBeenCalled();
+        expect(component.toggleRightMenu).toHaveBeenCalled();
+        done();
+    });
+
+    it('should logout', () => {
+        component.logout();
+        expect(component.user.id).toEqual('');
+    });
+
+    afterEach(() => {
+        TestBed.resetTestingModule();
+    });
+
+});
+
+@Component({
+    selector: 'ncc-test-nav-drawer',
+    template: ''
+})
+class TestDrawerComponent extends AbstractNavigationDoubleDrawerComponent {
+    constructor(_router: Router,
+                _activatedRoute: ActivatedRoute,
+                _breakpoint: BreakpointObserver,
+                _languageService: LanguageService,
+                _userService: UserService,
+                _accessService: AccessService,
+                _log: LoggerService,
+                _config: ConfigurationService,
+                _uriService: UriService,
+                _dynamicRouteProviderService: DynamicNavigationRouteProviderService) {
+        super(_router, _activatedRoute, _breakpoint, _languageService, _userService, _accessService, _log, _config, _uriService,
+            _dynamicRouteProviderService)
+    }
+}
+
+

projects/netgrif-components-core/src/lib/navigation/navigation-double-drawer/abstract-navigation-double-drawer.ts

@@ -353,14 +353,16 @@ export abstract class AbstractNavigationDoubleDrawerComponent implements OnInit,
             id: filter.stringId,
             resource: filter
         };
-        const resolvedRoles = this.resolveAccessRoles(filter);
+        const resolvedRoles = this.resolveAccessRoles(filter, 'allowed_roles');
+        const resolvedBannedRoles = this.resolveAccessRoles(filter, 'banned_roles');
         if(!!resolvedRoles) item.access['role'] = resolvedRoles;
+        if(!!resolvedBannedRoles) item.access['bannedRole'] = resolvedBannedRoles;
         if (!this._accessService.canAccessView(item, item.routingPath)) return;
         return item;
     }
 
-    protected resolveAccessRoles(filter: Case): Array<RoleAccess> | undefined {
-        const allowedRoles = filter.immediateData.find(f => f.stringId === 'allowed_roles')?.options;
+    protected resolveAccessRoles(filter: Case, roleType: string): Array<RoleAccess> | undefined {
+        const allowedRoles = filter.immediateData.find(f => f.stringId === roleType)?.options;
         if (!allowedRoles || Object.keys(allowedRoles).length === 0) return undefined;
         const roles = [];
         Object.keys(allowedRoles).forEach(combined => {

projects/netgrif-components-core/src/lib/navigation/service/uri.service.spec.ts

@@ -0,0 +1,59 @@
+import {TestBed} from '@angular/core/testing';
+import { UriService } from './uri.service';
+import { HttpClientTestingModule } from '@angular/common/http/testing';
+import { NoopAnimationsModule } from '@angular/platform-browser/animations';
+import { ConfigurationService } from '../../configuration/configuration.service';
+import { TestLoggingConfigurationService } from '../../utility/tests/test-logging-config';
+import { AuthenticationModule } from '../../authentication/authentication.module';
+import { UriResourceService } from './uri-resource.service';
+import { MockUriResourceService } from '../../utility/tests/mocks/mock-uri-resource.service';
+import { RouterTestingModule } from '@angular/router/testing';
+
+describe('UriService', () => {
+    let service: UriService;
+
+    beforeEach(() => {
+        TestBed.configureTestingModule({
+            imports: [
+                HttpClientTestingModule,
+                NoopAnimationsModule,
+                AuthenticationModule,
+                RouterTestingModule.withRoutes([])
+            ],
+            providers: [
+                {provide: ConfigurationService, useClass: TestLoggingConfigurationService},
+                {provide: UriResourceService, useClass: MockUriResourceService}
+            ]
+        });
+        service = TestBed.inject(UriService);
+    });
+
+    it('should be created', () => {
+        expect(service).toBeTruthy();
+    });
+
+    it('should get node by path', done => {
+        const sub = service.getNodeByPath('test');
+        sub.subscribe(res => {
+            expect(res.uriPath).toEqual('root/test1')
+            done();
+        })
+    });
+
+    it('should get nodes by level', done => {
+        const sub = service.getNodesOnLevel(1);
+        sub.subscribe(res => {
+            expect(res.length).toEqual(2)
+            done();
+        })
+    });
+
+    it('should get child nodes', done => {
+        const sub = service.getChildNodes();
+        sub.subscribe(res => {
+            expect(res.length).toEqual(2)
+            done();
+        })
+    });
+
+});