next-step · jukekxm · Feb 15, 2025 · Feb 15, 2025 · parkeeseul · Feb 16, 2025
diff --git a/src/main/java/nextstep/app/SecurityConfig.java b/src/main/java/nextstep/app/SecurityConfig.java
@@ -86,9 +86,16 @@ public Set<String> getAuthorities() {
     public RequestAuthorizationManager requestAuthorizationManager() {
         List<RequestMatcherEntry<AuthorizationManager>> mappings = new ArrayList<>();
         mappings.add(new RequestMatcherEntry<>(new MvcRequestMatcher(HttpMethod.GET, "/members/me"), new AuthenticatedAuthorizationManager()));
-        mappings.add(new RequestMatcherEntry<>(new MvcRequestMatcher(HttpMethod.GET, "/members"), new HasAuthorityAuthorizationManager("ADMIN")));
+        mappings.add(new RequestMatcherEntry<>(new MvcRequestMatcher(HttpMethod.GET, "/members"), new HasAuthorityAuthorizationManager("ADMIN", roleHierarchy())));
         mappings.add(new RequestMatcherEntry<>(new MvcRequestMatcher(HttpMethod.GET, "/search"), new PermitAllAuthorizationManager()));
         mappings.add(new RequestMatcherEntry<>(new AnyRequestMatcher(), new PermitAllAuthorizationManager()));
         return new RequestAuthorizationManager(mappings);
     }
+
+    @Bean
+    public RoleHierarchy roleHierarchy() {
+        return RoleHierarchyImpl.with()
+                .role("ADMIN").implies("USER")
+                .build();
+    }
 }
diff --git a/src/main/java/nextstep/security/authorization/HasAuthorityAuthorizationManager.java b/src/main/java/nextstep/security/authorization/HasAuthorityAuthorizationManager.java
@@ -2,16 +2,28 @@
 
 import nextstep.security.authentication.Authentication;
 
+import java.util.Collection;
+
 public class HasAuthorityAuthorizationManager implements AuthorizationManager {
 
     private final String authority;
+    private final RoleHierarchy roleHierarchy;
 
     public HasAuthorityAuthorizationManager(String authority) {
         this.authority = authority;
+        this.roleHierarchy = new NullRoleHierarchy();
+    }
+
+    public HasAuthorityAuthorizationManager(String authority, RoleHierarchy roleHierarchy) {
+        this.authority = authority;
+        this.roleHierarchy = roleHierarchy;
     }
 
     @Override
     public AuthorizationDecision check(Authentication authentication, Object object) {
-        return new AuthorizationDecision(authentication.getAuthorities().contains(authority));
+
+        Collection<String> reachableGrantedAuthorities = roleHierarchy.getReachableGrantedAuthorities(authentication.getAuthorities());
+
+        return new AuthorizationDecision(reachableGrantedAuthorities.contains(authority));
     }
 }
diff --git a/src/main/java/nextstep/security/authorization/NullRoleHierarchy.java b/src/main/java/nextstep/security/authorization/NullRoleHierarchy.java
@@ -0,0 +1,10 @@
+package nextstep.security.authorization;
+
+import java.util.Collection;
+
+public class NullRoleHierarchy implements RoleHierarchy {
+    @Override
+    public Collection<String> getReachableGrantedAuthorities(Collection<String> authorities) {
+        return authorities;
+    }
+}
diff --git a/src/main/java/nextstep/security/authorization/RoleHierarchy.java b/src/main/java/nextstep/security/authorization/RoleHierarchy.java
@@ -0,0 +1,8 @@
+package nextstep.security.authorization;
+
+import java.util.Collection;
+
+public interface RoleHierarchy {
+
+    Collection<String> getReachableGrantedAuthorities(Collection<String> authorities);
+}
diff --git a/src/main/java/nextstep/security/authorization/RoleHierarchyImpl.java b/src/main/java/nextstep/security/authorization/RoleHierarchyImpl.java
@@ -0,0 +1,75 @@
+package nextstep.security.authorization;
+
+import org.springframework.util.CollectionUtils;
+
+import java.util.*;
+
+public class RoleHierarchyImpl implements RoleHierarchy {
+
+    private final Map<String, Set<String>> rolesReachableInOneOrMoreStepsMap;
+
+    public RoleHierarchyImpl(Map<String, Set<String>> rolesReachableInOneOrMoreStepsMap) {
+        this.rolesReachableInOneOrMoreStepsMap = rolesReachableInOneOrMoreStepsMap;
+    }
+
+    public static Builder with() {
+        return new Builder();
+    }
+
+    @Override
+    public Collection<String> getReachableGrantedAuthorities(Collection<String> authorities) {
+
+        Set<String> reachableRoles = new HashSet<>();
+
+        if (CollectionUtils.isEmpty(authorities)) {
+            return Collections.emptyList();
+        }
+
+        for (String authority : authorities) {
+            addReachableRoles(authority, reachableRoles);
+        }
+
+        return reachableRoles;
+    }
+
+    private void addReachableRoles(String authority, Set<String> reachableRoles) {
+        reachableRoles.add(authority);
+        Set<String> lowerRoles = rolesReachableInOneOrMoreStepsMap.computeIfAbsent(authority, k -> new HashSet<>());
+        reachableRoles.addAll(lowerRoles);
+    }
+
+    public static class Builder {
+        private final Map<String, Set<String>> hierarchy;
+
+        private Builder() {
+            this.hierarchy = new HashMap<>();
+        }
+
+        public RoleHierarchyImpl build() {
+            return new RoleHierarchyImpl(hierarchy);
+        }
+
+        public ImpliedRoles role(String role) {
+            return new ImpliedRoles(role);
+        }
+
+        private Builder addHierarchy(String role, String... impliedRoles) {
+            Set<String> impliedRoleSet = hierarchy.computeIfAbsent(role, k -> new HashSet<>());
+            impliedRoleSet.addAll(Arrays.asList(impliedRoles));
+            return this;
+        }
+
+        public final class ImpliedRoles {
+            private final String role;
+
+            public ImpliedRoles(String role) {
+                this.role = role;
+            }
+
+            public Builder implies(String... impliedRoles) {
+                return Builder.this.addHierarchy(this.role, impliedRoles);
+            }
+        }
+    }
+}
+
diff --git a/src/test/java/nextstep/app/RoleHierachyTest.java b/src/test/java/nextstep/app/RoleHierachyTest.java
@@ -0,0 +1,51 @@
+package nextstep.app;
+
+import nextstep.security.authorization.NullRoleHierarchy;
+import nextstep.security.authorization.RoleHierarchyImpl;
+import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+
+import java.util.Collection;
+import java.util.HashSet;
+import java.util.Set;
+
+public class RoleHierachyTest {
+
+    @DisplayName("상위 권한의 reachable authorities는 사용자의 권한과 하위 권한을 같이 반환한다.")
+    @Test
+    public void roleHierarchyTest() {
+
+        // given
+        RoleHierarchyImpl roleHierarchy = RoleHierarchyImpl.with()
+                .role("ADMIN").implies("USER")
+                .build();
+
+        Set<String> authorites = new HashSet<>();
+        authorites.add("ADMIN");
+
+        // when
+        Collection<String> reachableGrantedAuthorities = roleHierarchy.getReachableGrantedAuthorities(authorites);
+
+        // then
+        Assertions.assertThat(reachableGrantedAuthorities).containsOnly("ADMIN", "USER");
+    }
+
+    @DisplayName("NullRoleHierarchy의 reachable authorities는 사용자의 권한 리스트를 그대로 반환한다.")
+    @Test
+    public void nullRoleHierarchyTest() {
+
+        // given
+        NullRoleHierarchy nullRoleHierarchy = new NullRoleHierarchy();
+
+        Set<String> authorites = new HashSet<>();
+        authorites.add("ADMIN");
+        authorites.add("USER");
+
+        // when
+        Collection<String> result = nullRoleHierarchy.getReachableGrantedAuthorities(authorites);
+
+        // then
+        Assertions.assertThat(result).isSameAs(authorites);
+    }
+}