gCubeSystem
/
VREFolder-hook
15
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

OIDC UMA token in threadlocal changes

This commit is contained in:
Mauro Mugnaini 2020-06-22 12:00:20 +02:00
parent 181eda1949
commit 3ac49f932b
3 changed files with 133 additions and 104 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pom.xml
View File

@ -64,6 +64,12 @@
<artifactId>common-scope</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.gcube.portal</groupId>
<artifactId>oidc-library-portal</artifactId>
<version>[0.1.0,)</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.slf4j</groupId>
<artifactId>slf4j-log4j12</artifactId>

219
src/main/java/org/gcube/portal/plugins/GCubeHookSiteRoleLocalService.java
View File

@ -6,11 +6,13 @@ import java.util.ArrayList;
import java.util.List;
import org.gcube.common.authorization.library.provider.SecurityTokenProvider;
import org.gcube.common.authorization.library.provider.UmaJWTProvider;
import org.gcube.common.portal.PortalContext;
import org.gcube.common.scope.api.ScopeProvider;
import org.gcube.common.storagehub.client.dsl.StorageHubClient;
import org.gcube.common.storagehub.client.dsl.Util;
import org.gcube.common.storagehub.client.dsl.VREFolderManager;
import org.gcube.portal.oidc.lr62.OIDCUmaUtil;
import org.gcube.vomanagement.usermanagement.GroupManager;
import org.gcube.vomanagement.usermanagement.RoleManager;
import org.gcube.vomanagement.usermanagement.impl.LiferayGroupManager;
@ -32,114 +34,125 @@ import com.liferay.portal.service.UserGroupRoleLocalServiceWrapper;
import com.liferay.portal.service.UserLocalServiceUtil;
public class GCubeHookSiteRoleLocalService extends UserGroupRoleLocalServiceWrapper {
/**
* logger
*/
private static final Logger _log = LoggerFactory.getLogger(GCubeHookSiteRoleLocalService.class);
private GroupManager gm;
private LiferayUserManager uMan;
public GCubeHookSiteRoleLocalService(UserGroupRoleLocalService userGroupRoleLocalService) {
super(userGroupRoleLocalService);
gm = new LiferayGroupManager();
uMan = new LiferayUserManager();
System.out.println("GCubeHookSiteRoleLocalService hook is UP & Listening ...");
}
/**
* logger
*/
private static final Logger _log = LoggerFactory.getLogger(GCubeHookSiteRoleLocalService.class);
private GroupManager gm;
private LiferayUserManager uMan;
//TODO: as soon as Feature https://support.d4science.org/issues/17726 is delivered take care of this also
@Override
public java.util.List<com.liferay.portal.model.UserGroupRole> addUserGroupRoles(long[] userIds, long groupId, long roleId) throws com.liferay.portal.kernel.exception.SystemException {
List<UserGroupRole> toReturn = super.addUserGroupRoles(userIds, groupId, roleId);
return toReturn;
}
public GCubeHookSiteRoleLocalService(UserGroupRoleLocalService userGroupRoleLocalService) {
super(userGroupRoleLocalService);
gm = new LiferayGroupManager();
uMan = new LiferayUserManager();
System.out.println("GCubeHookSiteRoleLocalService hook is UP & Listening ...");
}
@Override
public java.util.List<com.liferay.portal.model.UserGroupRole> addUserGroupRoles(long userId, long groupId, long[] roleIds) throws com.liferay.portal.kernel.exception.SystemException {
List<UserGroupRole> toReturn = super.addUserGroupRoles(userId, groupId, roleIds);
try {
String context = gm.getInfrastructureScope(groupId);
String username = UserLocalServiceUtil.getUser(userId).getScreenName();
/* Check this part CAREFULLY as when the user is just created it fails*/
String userToken = authorizationService().resolveTokenByUserAndContext(username, context);
List<String> userRoles = getUserRoles(roleIds);
authorizationService().setTokenRoles(userToken, userRoles);
_log.debug("Check if addUserGroupRoles is done in a VRE");
if (gm.isVRE(groupId)) {
_log.debug("addUserGroupRoles performed in a VRE, groupId=" + groupId);
boolean vreManagerRolePresent = false;
for (int i = 0; i < roleIds.length; i++) {
Role role = RoleLocalServiceUtil.getRole(roleIds[i]);
if (role.getName().compareTo(GCubeRole.VRE_MANAGER_LABEL) == 0) {
_log.info("User is being promoted (or was) as VREFolder Administrator, userId=" + userId + " on Site groupId="+groupId);
vreManagerRolePresent = true;
break;
}
}
setVREFolderAdministrator(userId, groupId, vreManagerRolePresent);
} else {
_log.debug("addUserGroupRoles NOT done in a VRE, groupId=" + groupId);
}
}
catch (Exception e) {
e.printStackTrace();
}
return toReturn;
}
//TODO: as soon as Feature https://support.d4science.org/issues/17726 is delivered take care of this also
@Override
public java.util.List<com.liferay.portal.model.UserGroupRole> addUserGroupRoles(long[] userIds, long groupId,
long roleId) throws com.liferay.portal.kernel.exception.SystemException {
List<UserGroupRole> toReturn = super.addUserGroupRoles(userIds, groupId, roleId);
return toReturn;
}
private List<String> getUserRoles(long[] roleIds) throws PortalException, SystemException {
List<String> toReturn = new ArrayList<>();
for (int i = 0; i < roleIds.length; i++) {
Role role = RoleLocalServiceUtil.getRole(roleIds[i]);
toReturn.add(role.getName());
}
return toReturn;
}
@Override
public java.util.List<com.liferay.portal.model.UserGroupRole> addUserGroupRoles(long userId, long groupId,
long[] roleIds) throws com.liferay.portal.kernel.exception.SystemException {
List<UserGroupRole> toReturn = super.addUserGroupRoles(userId, groupId, roleIds);
try {
String context = gm.getInfrastructureScope(groupId);
String username = UserLocalServiceUtil.getUser(userId).getScreenName();
/* Check this part CAREFULLY as when the user is just created it fails*/
String userToken = authorizationService().resolveTokenByUserAndContext(username, context);
List<String> userRoles = getUserRoles(roleIds);
authorizationService().setTokenRoles(userToken, userRoles);
_log.debug("Check if addUserGroupRoles is done in a VRE");
if (gm.isVRE(groupId)) {
_log.debug("addUserGroupRoles performed in a VRE, groupId=" + groupId);
boolean vreManagerRolePresent = false;
for (int i = 0; i < roleIds.length; i++) {
Role role = RoleLocalServiceUtil.getRole(roleIds[i]);
if (role.getName().compareTo(GCubeRole.VRE_MANAGER_LABEL) == 0) {
_log.info("User is being promoted (or was) as VREFolder Administrator, userId=" + userId
+ " on Site groupId=" + groupId);
vreManagerRolePresent = true;
break;
}
}
setVREFolderAdministrator(userId, groupId, vreManagerRolePresent);
} else {
_log.debug("addUserGroupRoles NOT done in a VRE, groupId=" + groupId);
}
} catch (Exception e) {
e.printStackTrace();
}
return toReturn;
}
private boolean setVREFolderAdministrator(long userId, long groupId, boolean enable) throws Exception {
String context = gm.getInfrastructureScope(groupId);
ScopeProvider.instance.set(context);
String vreFolderTitle = Util.getVREGroupFromContext(context);
_log.info("The vreFolderTitle on which the VREFolder role is being {} is {}", enable, vreFolderTitle);
_log.info("Before StorageHubClient shc = new StorageHubClient();");
StorageHubClient shc = new StorageHubClient();
_log.info("Before shc.getVreFolderManager(vreFolderTitle);");
VREFolderManager vreFolderManager = shc.getVreFolderManager(vreFolderTitle);
String previousToken = SecurityTokenProvider.instance.get();
//get the super user
_log.info("//get the super user");
private List<String> getUserRoles(long[] roleIds) throws PortalException, SystemException {
List<String> toReturn = new ArrayList<>();
for (int i = 0; i < roleIds.length; i++) {
Role role = RoleLocalServiceUtil.getRole(roleIds[i]);
toReturn.add(role.getName());
}
return toReturn;
}
String infraContext = "/"+PortalContext.getConfiguration().getInfrastructureName();
long rootgroupId = gm.getGroupIdFromInfrastructureScope(infraContext);
User theAdmin = LiferayUserManager.getRandomUserWithRole(rootgroupId, GatewayRolesNames.INFRASTRUCTURE_MANAGER);
if (theAdmin == null) {
_log.warn("Cannot add the user as VRE Folder admin: there is no user having role " + GatewayRolesNames.INFRASTRUCTURE_MANAGER);
return false;
}
else {
RoleManager rm = new LiferayRoleManager();
String adminUsername = theAdmin.getScreenName();
_log.info("Got the super user: " +adminUsername);
String theAdminToken = PortalContext.getConfiguration().getCurrentUserToken(infraContext, adminUsername);
List<String> rolesString = new ArrayList<String>();
List<GCubeRole> theAdminRoles = rm.listRolesByUserAndGroup(theAdmin.getUserId(), rootgroupId);
for (GCubeRole gCubeRole : theAdminRoles) {
rolesString.add(gCubeRole.getRoleName());
}
rolesString.add(GatewayRolesNames.INFRASTRUCTURE_MANAGER.getRoleName());
_log.info("authorizationService().setTokenRoles(theAdminToken, rolesString);" +theAdminToken);
authorizationService().setTokenRoles(theAdminToken, rolesString);
SecurityTokenProvider.instance.set(theAdminToken);
String theUserToPromoteOrDeclass = uMan.getUserById(userId).getUsername();
_log.info("The {} is being promoted? {} ", theUserToPromoteOrDeclass, enable);
if (enable)
vreFolderManager.setAdmin(theUserToPromoteOrDeclass);
else
vreFolderManager.removeAdmin(theUserToPromoteOrDeclass);
SecurityTokenProvider.instance.set(previousToken);
return true;
}
}
private boolean setVREFolderAdministrator(long userId, long groupId, boolean enable) throws Exception {
String context = gm.getInfrastructureScope(groupId);
ScopeProvider.instance.set(context);
String vreFolderTitle = Util.getVREGroupFromContext(context);
_log.info("The vreFolderTitle on which the VREFolder role is being {} is {}", enable, vreFolderTitle);
_log.info("Before StorageHubClient shc = new StorageHubClient();");
StorageHubClient shc = new StorageHubClient();
_log.info("Before shc.getVreFolderManager(vreFolderTitle);");
VREFolderManager vreFolderManager = shc.getVreFolderManager(vreFolderTitle);
String previousToken = SecurityTokenProvider.instance.get();
//get the super user
_log.info("//get the super user");
String infraContext = "/" + PortalContext.getConfiguration().getInfrastructureName();
long rootgroupId = gm.getGroupIdFromInfrastructureScope(infraContext);
User theAdmin = LiferayUserManager.getRandomUserWithRole(rootgroupId, GatewayRolesNames.INFRASTRUCTURE_MANAGER);
if (theAdmin == null) {
_log.warn("Cannot add the user as VRE Folder admin: there is no user having role "
+ GatewayRolesNames.INFRASTRUCTURE_MANAGER);
return false;
} else {
RoleManager rm = new LiferayRoleManager();
String adminUsername = theAdmin.getScreenName();
_log.info("Got the super user: " + adminUsername);
String theAdminToken = PortalContext.getConfiguration().getCurrentUserToken(infraContext, adminUsername);
List<String> rolesString = new ArrayList<String>();
List<GCubeRole> theAdminRoles = rm.listRolesByUserAndGroup(theAdmin.getUserId(), rootgroupId);
for (GCubeRole gCubeRole : theAdminRoles) {
rolesString.add(gCubeRole.getRoleName());
}
rolesString.add(GatewayRolesNames.INFRASTRUCTURE_MANAGER.getRoleName());
_log.info("authorizationService().setTokenRoles(theAdminToken, rolesString);" + theAdminToken);
authorizationService().setTokenRoles(theAdminToken, rolesString);
SecurityTokenProvider.instance.set(theAdminToken);
String previousUmaToken = UmaJWTProvider.instance.get();
OIDCUmaUtil.provideConfiguredPortalClientUMATokenInThreadLocal(infraContext);
String theUserToPromoteOrDeclass = uMan.getUserById(userId).getUsername();
_log.info("The {} is being promoted? {} ", theUserToPromoteOrDeclass, enable);
if (enable)
vreFolderManager.setAdmin(theUserToPromoteOrDeclass);
else
vreFolderManager.removeAdmin(theUserToPromoteOrDeclass);
SecurityTokenProvider.instance.set(previousToken);
if (previousUmaToken != null) {
UmaJWTProvider.instance.set(previousUmaToken);
}
return true;
}
}
}

12
src/main/java/org/gcube/portal/plugins/GCubeHookUserLocalService.java
View File

@ -6,10 +6,12 @@ import java.util.ArrayList;
import java.util.List;
import org.gcube.common.authorization.library.provider.SecurityTokenProvider;
import org.gcube.common.authorization.library.provider.UmaJWTProvider;
import org.gcube.common.portal.PortalContext;
import org.gcube.common.scope.api.ScopeProvider;
import org.gcube.common.storagehub.client.plugins.AbstractPlugin;
import org.gcube.common.storagehub.client.proxies.GroupManagerClient;
import org.gcube.portal.oidc.lr62.OIDCUmaUtil;
import org.gcube.portal.plugins.thread.CheckShareLatexUserThread;
import org.gcube.portal.plugins.thread.RemoveUserTokenFromVREThread;
import org.gcube.portal.plugins.thread.UpdateUserToLDAPGroupThread;
@ -174,13 +176,21 @@ public class GCubeHookUserLocalService extends UserLocalServiceWrapper {
_log.info("authorizationService().setTokenRoles(theAdminToken, rolesString);" +theAdminToken);
authorizationService().setTokenRoles(theAdminToken, rolesString);
SecurityTokenProvider.instance.set(theAdminToken);
String previousUmaToken = UmaJWTProvider.instance.get();
OIDCUmaUtil.provideConfiguredPortalClientUMATokenInThreadLocal(infraContext);
GroupManagerClient client = AbstractPlugin.groups().build();
if (add)
client.addUserToGroup(username2Add, getVREFolderNameFromContext(context));
else
client.removeUserFromGroup(username2Add, getVREFolderNameFromContext(context));
SecurityTokenProvider.instance.set(previousToken);
return true;
if (previousUmaToken != null) {
UmaJWTProvider.instance.set(previousUmaToken);
}
return true;
}
}