Merge pull request #15 from andriawan/14-role-based-access-implementation

Role based access implementation

Author: andriawan

.github/workflows/pull_request_flow.yml

@@ -16,6 +16,8 @@ jobs:
         uses: actions/checkout@v4
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run Spotless check
+        run: mvn spotless:check
       - name: Copy Private and Public Keys
         run: |
           echo "${{ secrets.SAMPLE_PRIVATE_KEY }}" > ${CERTS_PATH}/private_key.pem
@@ -37,23 +39,6 @@ jobs:
       - name: Run tests and collect coverage
         run: mvn -B clean test jacoco:report
       - name: Upload coverage to Codecov
-        if: false
         uses: codecov/codecov-action@v5
         env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-      - name: Run Spotless and apply formatting
-        run: mvn spotless:apply
-      - name: Commit and push changes if formatting was applied
-        env:
-          GIT_EMAIL: ${{ github.actor }}@users.noreply.github.com
-          GIT_NAME: ${{ github.actor }}"
-        run: |
-          git config --global user.name "$GIT_NAME"
-          git config --global user.email "$GIT_EMAIL"
-          if [[ -n "$(git status --porcelain)" ]]; then
-            git add -A
-            git commit -m "chore(format): apply Spotless auto-format"
-            git push
-          else
-            echo "No formatting changes to commit."
-          fi
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

README.md

@@ -2,6 +2,10 @@
 
 This is a minimal Spring Boot application built with standard best practices. It includes JWT bearer token authentication via Spring Security, supports auto-reloading .env configuration, and provides clean, self-documented APIs using Swagger/OpenAPI. Designed as a lightweight foundation for scalable, secure RESTful services.
 
+## Coverage Status
+
+[![codecov](https://codecov.io/gh/andriawan/springboot-best-practice/graph/badge.svg?token=4QCLOGCOXI)](https://codecov.io/gh/andriawan/springboot-best-practice)
+
 ## Prerequisites
 
 This project uses JWTs signed with **asymmetric encryption** (e.g., RSA).  

src/main/java/com/andriawan/andresource/config/Security.java

@@ -16,6 +16,7 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.annotation.Order;
 import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -32,6 +33,7 @@
 
 @Configuration
 @EnableWebSecurity
+@EnableMethodSecurity
 public class Security {
 
   @Value("${rsa.key.private}")

src/main/java/com/andriawan/andresource/controller/UserController.java

@@ -8,6 +8,7 @@
 import java.util.List;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -22,12 +23,14 @@ public class UserController {
   private final UserService userService;
 
   @GetMapping("/users")
+  @PreAuthorize("hasAuthority('SCOPE_ROLE_ADMIN')")
   public ResponseEntity<List<UserResponse>> getAllUser(Principal principal) {
     List<UserResponse> users = userService.getAllUsers();
     return ResponseEntity.ok(users);
   }
 
   @GetMapping("/me")
+  @PreAuthorize("hasAuthority('SCOPE_ROLE_USER') or hasAuthority('SCOPE_ROLE_ADMIN')")
   public ResponseEntity<UserResponse> getAuthenticatedUser(Principal principal) {
     try {
       UserResponse user = userService.getUserByEmail(principal.getName());

src/main/java/com/andriawan/andresource/dto/UserResponse.java

@@ -1,6 +1,7 @@
 package com.andriawan.andresource.dto;
 
 import java.time.ZonedDateTime;
+import java.util.Set;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Data;
@@ -17,4 +18,5 @@ public class UserResponse {
   private ZonedDateTime createdAt;
   private ZonedDateTime updatedAt;
   private Boolean isActive;
+  private Set<String> roles;
 }

src/main/java/com/andriawan/andresource/entity/AuthenticatedUser.java

@@ -1,22 +1,25 @@
 package com.andriawan.andresource.entity;
 
-import java.util.ArrayList;
 import java.util.Collection;
+import java.util.stream.Collectors;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
 import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.userdetails.UserDetails;
 
+@AllArgsConstructor
+@Getter
 public class AuthenticatedUser implements UserDetails {
 
-  private User user;
-
-  public AuthenticatedUser(User user) {
-    this.user = user;
-  }
+  private final User user;
 
   @Override
   public Collection<? extends GrantedAuthority> getAuthorities() {
-    final ArrayList<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();
-    return roles;
+    var roles = user.getRoles();
+    return roles.stream()
+        .map(role -> new SimpleGrantedAuthority(role.getName()))
+        .collect(Collectors.toList());
   }
 
   @Override
@@ -28,8 +31,4 @@ public String getPassword() {
   public String getUsername() {
     return user.getEmail();
   }
-
-  public User getUser() {
-    return user;
-  }
 }

src/main/java/com/andriawan/andresource/entity/Role.java

@@ -0,0 +1,46 @@
+package com.andriawan.andresource.entity;
+
+import jakarta.persistence.*;
+import java.time.Instant;
+import java.util.Set;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.EqualsAndHashCode;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+import lombok.ToString;
+import org.hibernate.annotations.CreationTimestamp;
+import org.hibernate.annotations.UpdateTimestamp;
+
+@Entity
+@Table(name = "roles")
+@Getter
+@Setter
+@NoArgsConstructor
+@AllArgsConstructor
+@EqualsAndHashCode(onlyExplicitlyIncluded = true)
+@Builder
+@ToString(exclude = "users")
+public class Role {
+
+  @Id
+  @EqualsAndHashCode.Include
+  @GeneratedValue(strategy = GenerationType.IDENTITY)
+  private Integer id;
+
+  @Column(nullable = false, unique = true)
+  @EqualsAndHashCode.Include
+  private String name;
+
+  @ManyToMany(mappedBy = "roles")
+  private Set<User> users;
+
+  @CreationTimestamp
+  @Column(name = "created_at", updatable = false)
+  private Instant createdAt;
+
+  @UpdateTimestamp
+  @Column(name = "updated_at")
+  private Instant updatedAt;
+}

src/main/java/com/andriawan/andresource/entity/User.java

@@ -1,28 +1,41 @@
 package com.andriawan.andresource.entity;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
+import jakarta.persistence.CascadeType;
 import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
 import jakarta.persistence.GeneratedValue;
 import jakarta.persistence.GenerationType;
 import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.JoinTable;
+import jakarta.persistence.ManyToMany;
 import jakarta.persistence.PrePersist;
 import jakarta.persistence.PreUpdate;
 import jakarta.persistence.Table;
 import java.time.ZonedDateTime;
+import java.util.Set;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
-import lombok.Data;
+import lombok.EqualsAndHashCode;
+import lombok.Getter;
 import lombok.NoArgsConstructor;
+import lombok.Setter;
+import lombok.ToString;
 
-@Data
+@Getter
+@Setter
 @NoArgsConstructor
 @AllArgsConstructor
+@EqualsAndHashCode(onlyExplicitlyIncluded = true)
 @Builder
 @Entity
 @Table(name = "users")
+@ToString(exclude = "roles")
 public class User {
   @Id
+  @EqualsAndHashCode.Include
   @GeneratedValue(strategy = GenerationType.IDENTITY)
   private Long id;
 
@@ -43,18 +56,27 @@ public class User {
   private ZonedDateTime updatedAt;
 
   @Column(name = "is_active", nullable = false)
-  private Boolean isActive;
+  @Builder.Default
+  private Boolean isActive = true;
 
   @Column(name = "is_deleted", nullable = false)
-  private Boolean isDeleted;
+  @Builder.Default
+  private Boolean isDeleted = false;
+
+  @ManyToMany(
+      fetch = FetchType.LAZY,
+      cascade = {CascadeType.MERGE, CascadeType.PERSIST})
+  @JoinTable(
+      name = "user_roles",
+      joinColumns = @JoinColumn(name = "user_id"),
+      inverseJoinColumns = @JoinColumn(name = "role_id"))
+  private Set<Role> roles;
 
   @PrePersist
   protected void onCreate() {
     ZonedDateTime now = ZonedDateTime.now();
     this.createdAt = now;
     this.updatedAt = now;
-    this.isActive = true;
-    this.isDeleted = false;
   }
 
   @PreUpdate

src/main/java/com/andriawan/andresource/mapper/UserMapper.java

@@ -3,13 +3,17 @@
 import com.andriawan.andresource.dto.UserCreate;
 import com.andriawan.andresource.dto.UserResponse;
 import com.andriawan.andresource.dto.UserUpdate;
+import com.andriawan.andresource.entity.Role;
 import com.andriawan.andresource.entity.User;
 import java.util.List;
+import java.util.Set;
+import java.util.stream.Collectors;
 import org.mapstruct.BeanMapping;
 import org.mapstruct.InjectionStrategy;
 import org.mapstruct.Mapper;
 import org.mapstruct.Mapping;
 import org.mapstruct.MappingTarget;
+import org.mapstruct.Named;
 import org.mapstruct.NullValuePropertyMappingStrategy;
 
 @Mapper(componentModel = "spring", injectionStrategy = InjectionStrategy.CONSTRUCTOR)
@@ -20,17 +24,25 @@ public interface UserMapper {
   @Mapping(target = "updatedAt", ignore = true)
   @Mapping(target = "isActive", ignore = true)
   @Mapping(target = "isDeleted", ignore = true)
+  @Mapping(target = "roles", ignore = true)
   User toEntity(UserCreate dto);
 
   @Mapping(target = "id", ignore = true)
   @Mapping(target = "createdAt", ignore = true)
   @Mapping(target = "updatedAt", ignore = true)
   @Mapping(target = "isDeleted", ignore = true)
   @Mapping(target = "password", ignore = true)
+  @Mapping(target = "roles", ignore = true)
   @BeanMapping(nullValuePropertyMappingStrategy = NullValuePropertyMappingStrategy.IGNORE)
   void updateEntityFromDto(UserUpdate dto, @MappingTarget User entity);
 
+  @Mapping(source = "roles", target = "roles", qualifiedByName = "rolesToRoleNames")
   UserResponse toResponseDto(User entity);
 
   List<UserResponse> toResponseDtoList(List<User> entities);
+
+  @Named("rolesToRoleNames")
+  default Set<String> rolesToRoleNames(Set<Role> roles) {
+    return roles.stream().map(Role::getName).collect(Collectors.toSet());
+  }
 }

src/main/java/com/andriawan/andresource/repository/RoleRepository.java

@@ -0,0 +1,11 @@
+package com.andriawan.andresource.repository;
+
+import com.andriawan.andresource.entity.Role;
+import java.util.Optional;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+@Repository
+public interface RoleRepository extends JpaRepository<Role, Integer> {
+  Optional<Role> findByName(String name);
+}