feat: implement Security

Author: Lukasz Gadomski

pom.xml

@@ -43,6 +43,10 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-web</artifactId>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
 		<dependency>
 			<groupId>org.flywaydb</groupId>
 			<artifactId>flyway-core</artifactId>
@@ -214,7 +218,7 @@
 							<generateApiTests>false</generateApiTests>
 							<generateModelTests>false</generateModelTests>
 							<configOptions>
-<!--								<delegatePattern>true</delegatePattern>-->
+								<!--								<delegatePattern>true</delegatePattern>-->
 								<useTags>true</useTags>
 								<library>spring-boot</library>
 								<interfaceOnly>true</interfaceOnly>

src/main/java/com/capgemini/training/appointmentbooking/logic/FindAppointmentUc.java

@@ -2,6 +2,9 @@
 
 import com.capgemini.training.appointmentbooking.common.to.AppointmentCto;
 import com.capgemini.training.appointmentbooking.dataaccess.repository.criteria.AppointmentCriteria;
+import com.capgemini.training.appointmentbooking.security.AccessControl;
+import com.capgemini.training.appointmentbooking.security.access.HasRole;
+
 import jakarta.validation.constraints.NotNull;
 
 import java.time.Instant;
@@ -10,12 +13,16 @@
 
 public interface FindAppointmentUc {
 
+	@HasRole(AccessControl.ROLE_RECEPTIONIST)
 	Optional<AppointmentCto> findById(@NotNull Long id);
 
+	@HasRole(AccessControl.ROLE_RECEPTIONIST)
 	List<AppointmentCto> findByCriteria(AppointmentCriteria criteria);
 
+	@HasRole(AccessControl.ROLE_RECEPTIONIST)
 	List<AppointmentCto> findAll();
 
+	@HasRole(AccessControl.ROLE_RECEPTIONIST)
 	boolean hasConflictingAppointment(@NotNull Long specialistId, @NotNull Instant dateTime);
 
 }

src/main/java/com/capgemini/training/appointmentbooking/logic/ManageAppointmentUc.java

@@ -4,13 +4,18 @@
 import com.capgemini.training.appointmentbooking.common.to.AppointmentBookingEto;
 import com.capgemini.training.appointmentbooking.common.to.AppointmentCto;
 import com.capgemini.training.appointmentbooking.common.to.AppointmentEto;
+import com.capgemini.training.appointmentbooking.security.AccessControl;
+import com.capgemini.training.appointmentbooking.security.access.HasRole;
+
 import jakarta.validation.Valid;
 import jakarta.validation.constraints.NotNull;
 
 public interface ManageAppointmentUc {
 
+	@HasRole(AccessControl.ROLE_RECEPTIONIST)
 	AppointmentCto bookAppointment(@Valid AppointmentBookingEto appointmentBookingEto);
 
+	@HasRole(AccessControl.ROLE_SPECIALIST)
 	AppointmentEto updateAppointmentStatus(@NotNull Long appointmentId, @NotNull AppointmentStatus appointmentStatus);
 
 }

src/main/java/com/capgemini/training/appointmentbooking/logic/ManageTreatmentUc.java

@@ -2,10 +2,14 @@
 
 import com.capgemini.training.appointmentbooking.common.to.TreatmentCreationTo;
 import com.capgemini.training.appointmentbooking.common.to.TreatmentCto;
+import com.capgemini.training.appointmentbooking.security.AccessControl;
+import com.capgemini.training.appointmentbooking.security.access.HasRole;
+
 import jakarta.validation.Valid;
 
 public interface ManageTreatmentUc {
 
+	@HasRole(AccessControl.ROLE_ADMIN)
 	TreatmentCto createTreatment(@Valid TreatmentCreationTo treatmentCreationTo);
 
 }

src/main/java/com/capgemini/training/appointmentbooking/security/AccessControl.java

@@ -0,0 +1,10 @@
+package com.capgemini.training.appointmentbooking.security;
+
+import org.springframework.stereotype.Component;
+
+@Component
+public class AccessControl {
+	public static final String ROLE_ADMIN = "ADMIN";
+	public static final String ROLE_SPECIALIST = "SPECIALIST";
+	public static final String ROLE_RECEPTIONIST = "RECEPTIONIST";
+}

src/main/java/com/capgemini/training/appointmentbooking/security/SecurityController.java

@@ -0,0 +1,35 @@
+package com.capgemini.training.appointmentbooking.security;
+
+import java.util.List;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import lombok.Data;
+
+@RestController()
+@RequestMapping("auth")
+public class SecurityController {
+
+	@GetMapping("/me")
+	public ResponseEntity<UserDetailsResponse> me(@AuthenticationPrincipal UserDetails userDetails) {
+		if (userDetails == null) {
+			return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
+		}
+
+		List<String> roles = userDetails.getAuthorities().stream().map(GrantedAuthority::getAuthority).toList();
+		return ResponseEntity.ok(new UserDetailsResponse(userDetails.getUsername(), roles));
+	}
+
+	@Data
+	public static class UserDetailsResponse {
+		private final String username;
+		private final List<String> roles;
+	}
+}

src/main/java/com/capgemini/training/appointmentbooking/security/access/HasRole.java

@@ -0,0 +1,15 @@
+package com.capgemini.training.appointmentbooking.security.access;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import org.springframework.security.access.prepost.PreAuthorize;
+
+@Target({ElementType.METHOD, ElementType.TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+@PreAuthorize("hasRole('{value}')")
+public @interface HasRole {
+	String value();
+}

src/main/java/com/capgemini/training/appointmentbooking/security/config/SecurityConfiguration.java

@@ -0,0 +1,59 @@
+package com.capgemini.training.appointmentbooking.security.config;
+
+import static org.springframework.security.config.Customizer.withDefaults;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
+import org.springframework.security.core.annotation.AnnotationTemplateExpressionDefaults;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.web.SecurityFilterChain;
+
+import com.capgemini.training.appointmentbooking.security.AccessControl;
+
+@Configuration
+@EnableMethodSecurity
+public class SecurityConfiguration {
+
+	private static final String[] UNAUTHORIZED_ENDPOINTS = {"/", "/appointments", "/treatments", "/auth/me"};
+
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		http.authorizeHttpRequests(
+				auth -> auth.requestMatchers(UNAUTHORIZED_ENDPOINTS).permitAll().anyRequest().authenticated())
+				.formLogin(withDefaults()).httpBasic(withDefaults()).csrf(AbstractHttpConfigurer::disable)
+				.headers(customizer -> customizer.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin));
+
+		return http.build();
+	}
+
+	@Bean
+	public UserDetailsService userDetailsService() {
+		UserDetails client = createTestUser("client");
+		UserDetails receptionist = createTestUser("receptionist", AccessControl.ROLE_RECEPTIONIST);
+		UserDetails specialist = createTestUser("specialist", AccessControl.ROLE_SPECIALIST, AccessControl.ROLE_RECEPTIONIST);
+		UserDetails admin = createTestUser("admin", AccessControl.ROLE_ADMIN, AccessControl.ROLE_SPECIALIST,
+				AccessControl.ROLE_RECEPTIONIST);
+
+		return new InMemoryUserDetailsManager(client, receptionist, specialist, admin);
+	}
+
+	@Bean
+	static AnnotationTemplateExpressionDefaults templateExpressionDefaults() {
+		return new AnnotationTemplateExpressionDefaults();
+	}
+
+	@SuppressWarnings("deprecation")
+	private UserDetails createTestUser(String login, String... roles) {
+		// As stated in documentation.
+		// Using this method is not considered safe for production, but is acceptable
+		// for demos and getting started.
+		return User.withDefaultPasswordEncoder().username(login).password("password").roles(roles).build();
+	}
+}