diff --git a/core/src/main/java/org/springframework/security/authorization/SqlAllAuthoritiesAuthorizationManager.java b/core/src/main/java/org/springframework/security/authorization/SqlAllAuthoritiesAuthorizationManager.java
new file mode 100644
index 0000000000..c362f72cc5
--- /dev/null
+++ b/core/src/main/java/org/springframework/security/authorization/SqlAllAuthoritiesAuthorizationManager.java
@@ -0,0 +1,125 @@
+/*
+ * Copyright 2004-present the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.authorization;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.Map;
+import java.util.function.Supplier;
+
+import javax.sql.DataSource;
+
+import org.jspecify.annotations.Nullable;
+
+import org.springframework.jdbc.core.namedparam.NamedParameterJdbcOperations;
+import org.springframework.jdbc.core.namedparam.NamedParameterJdbcTemplate;
+import org.springframework.security.core.Authentication;
+import org.springframework.util.Assert;
+
+/**
+ * An {@link AuthorizationManager} that can lookup authorities using a configured SQL
+ * statement
+ *
+ * @author Andrey Litvitski
+ * @since 7.0.0
+ */
+public final class SqlAllAuthoritiesAuthorizationManager implements AuthorizationManager {
+
+ private final NamedParameterJdbcOperations jdbc;
+
+ private final @Nullable List additionalAuthorities;
+
+ private final String sql;
+
+ private final boolean whenTrueMode;
+
+ private SqlAllAuthoritiesAuthorizationManager(NamedParameterJdbcOperations jdbc, String sql,
+ @Nullable List additionalAuthorities, boolean whenTrueMode) {
+ this.jdbc = jdbc;
+ this.sql = sql;
+ this.additionalAuthorities = additionalAuthorities;
+ this.whenTrueMode = whenTrueMode;
+ }
+
+ @Override
+ public AuthorizationResult authorize(Supplier authentication, T object) {
+ List additionalAuthorities = findAdditionalAuthorities(authentication.get().getName());
+ if (additionalAuthorities.isEmpty()) {
+ return new AuthorizationDecision(true);
+ }
+ else {
+ return AllAuthoritiesAuthorizationManager.hasAllAuthorities(additionalAuthorities)
+ .authorize(authentication, object);
+ }
+ }
+
+ private List findAdditionalAuthorities(String authenticationName) {
+ Map params = Map.of("username", authenticationName);
+ if (this.whenTrueMode) {
+ List> rows = this.jdbc.queryForList(this.sql, params);
+ if (rows.isEmpty()) {
+ return List.of();
+ }
+ return (this.additionalAuthorities == null) ? List.of() : List.copyOf(this.additionalAuthorities);
+ }
+ else {
+ return this.jdbc.query(this.sql, params, (rs, rowNum) -> rs.getString(1));
+ }
+ }
+
+ public static final class Builder {
+
+ @Nullable private NamedParameterJdbcOperations jdbc;
+
+ @Nullable private List additionalAuthorities;
+
+ private boolean whenTrueMode;
+
+ @Nullable private String sql;
+
+ public Builder whenTrue(String sql) {
+ this.whenTrueMode = true;
+ this.sql = sql;
+ return this;
+ }
+
+ public Builder selectAuthorities(String sql) {
+ this.whenTrueMode = false;
+ this.sql = sql;
+ return this;
+ }
+
+ public Builder additionalAuthorities(String... authorities) {
+ this.additionalAuthorities = Arrays.asList(authorities);
+ return this;
+ }
+
+ public Builder dataSource(DataSource dataSource) {
+ this.jdbc = new NamedParameterJdbcTemplate(dataSource);
+ return this;
+ }
+
+ public SqlAllAuthoritiesAuthorizationManager build() {
+ Assert.notNull(this.jdbc, "jdbc cannot be null");
+ Assert.notNull(this.sql, "sql cannot be null");
+ return new SqlAllAuthoritiesAuthorizationManager<>(this.jdbc, this.sql, this.additionalAuthorities,
+ this.whenTrueMode);
+ }
+
+ }
+
+}
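Review bot: The empty-result path is the grant path, and in `whenTrue` mode that makes a manager built without `additionalAuthorities(...)` permit every request, because `findAdditionalAuthorities` returns `List.of()` both when no row matches and when `this.additionalAuthorities == null`, and `authorize` then returns `new AuthorizationDecision(true)`; `build()` should reject that configuration, e.g. `Assert.isTrue(!this.whenTrueMode || (this.additionalAuthorities != null && !this.additionalAuthorities.isEmpty()), "additionalAuthorities must be configured when using whenTrue");`. The same "no rows means no restriction" semantics applies to `selectAuthorities` mode, where a principal for whom the statement yields nothing (unknown name, or a NULL column surfacing via `rs.getString(1)`) is not constrained at all; that is a reasonable contract for a composed manager but it is nowhere in the Javadoc, so the class comment should state that an empty lookup result grants access and that the statement is expected to bind the `:username` named parameter. The builder methods `whenTrue`, `selectAuthorities`, `additionalAuthorities` and `dataSource` have no Javadoc, and `additionalAuthorities(...)` being silently ignored in `selectAuthorities` mode deserves a sentence there. Minor: `Arrays.asList(authorities)` keeps a view over the caller's varargs array, so `List.of(authorities)` in the builder would make the configured set immutable at construction rather than only when copied at lookup time.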