RoleSupport.java
- package no.nav.data.common.security;
- import lombok.RequiredArgsConstructor;
- import lombok.extern.slf4j.Slf4j;
- import no.nav.data.common.security.dto.AppRole;
- import org.springframework.security.core.GrantedAuthority;
- import org.springframework.security.core.authority.SimpleGrantedAuthority;
- import org.springframework.stereotype.Service;
- import java.util.List;
- import java.util.Objects;
- import java.util.Set;
- import java.util.stream.Collectors;
- import static no.nav.data.common.security.dto.AppRole.ROLE_PREFIX;
- import static no.nav.data.common.utils.StreamUtils.convert;
- @Slf4j
- @Service
- @RequiredArgsConstructor
- public class RoleSupport {
- private final SecurityProperties securityProperties;
- public Set<GrantedAuthority> lookupGrantedAuthorities(List<String> groupIds) {
- Set<GrantedAuthority> roles = groupIds.stream()
- .map(this::roleFor)
- .filter(Objects::nonNull)
- .map(this::convertAuthority)
- .collect(Collectors.toSet());
- roles.add(convertAuthority(AppRole.READ.name()));
- log.trace("roles {}", convert(roles, GrantedAuthority::getAuthority));
- return roles;
- }
- /**
- * token v2 does not allow us to fetch group details, so we have to map by id instead
- */
- private String roleFor(String group) {
- if (securityProperties.getAdminGroups().contains(group)) {
- return AppRole.ADMIN.name();
- }
- // for future - add team -> system roles here
- // temporarily give WRITE access to everyone with a valid token
- return AppRole.WRITE.name();
- }
- private GrantedAuthority convertAuthority(String role) {
- return new SimpleGrantedAuthority(ROLE_PREFIX + role);
- }
- }