git-svn-id: http://svn.research-infrastructures.eu/public/d4science/gcube/trunk/Common/authorization-common-client@122673 82a268e6-3cf1-43bd-a215-b396298e98cf
This commit is contained in:
parent
ae430ef365
commit
a6b366e32a
|
@ -0,0 +1,20 @@
|
||||||
|
package org.gcube.common.authorization.client.exceptions;
|
||||||
|
|
||||||
|
public class UnauthorizedAccessException extends RuntimeException {
|
||||||
|
|
||||||
|
/**
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
private static final long serialVersionUID = -950230930130868466L;
|
||||||
|
|
||||||
|
protected UnauthorizedAccessException() {
|
||||||
|
super();
|
||||||
|
}
|
||||||
|
|
||||||
|
public UnauthorizedAccessException(String message) {
|
||||||
|
super(message);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
}
|
|
@ -0,0 +1,8 @@
|
||||||
|
package org.gcube.common.authorization.client.helper;
|
||||||
|
|
||||||
|
public interface Authorizable {
|
||||||
|
|
||||||
|
String getServiceName();
|
||||||
|
|
||||||
|
String getServiceClass();
|
||||||
|
}
|
|
@ -0,0 +1,101 @@
|
||||||
|
package org.gcube.common.authorization.client.helper;
|
||||||
|
|
||||||
|
import static org.gcube.common.authorization.client.Constants.authorizationService;
|
||||||
|
|
||||||
|
import java.lang.reflect.Method;
|
||||||
|
import java.util.Arrays;
|
||||||
|
import java.util.HashMap;
|
||||||
|
import java.util.List;
|
||||||
|
import java.util.Map;
|
||||||
|
|
||||||
|
import javassist.util.proxy.MethodHandler;
|
||||||
|
import javassist.util.proxy.ProxyFactory;
|
||||||
|
import javassist.util.proxy.ProxyObject;
|
||||||
|
|
||||||
|
import org.gcube.common.authorization.client.exceptions.UnauthorizedAccessException;
|
||||||
|
import org.gcube.common.authorization.library.AuthorizationEntry;
|
||||||
|
import org.gcube.common.authorization.library.PolicyUtils;
|
||||||
|
import org.gcube.common.authorization.library.annotations.AuthorizationControl;
|
||||||
|
import org.gcube.common.authorization.library.policies.Mode;
|
||||||
|
import org.gcube.common.authorization.library.policies.Policy;
|
||||||
|
import org.gcube.common.authorization.library.provider.SecurityTokenProvider;
|
||||||
|
import org.gcube.common.authorization.library.provider.ServiceIdentifier;
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* enables authorization control on classes using proxies
|
||||||
|
*
|
||||||
|
* when a user in not allowed to call a method annotated with {@link AuthorizationControl}
|
||||||
|
* an {@link UnauthorizedAccessException} is thrown
|
||||||
|
*
|
||||||
|
* @author lucio lelii
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
public class Authorization {
|
||||||
|
|
||||||
|
private static Map<Class<?>, Class<?>> proxyClassMap = new HashMap<Class<?>, Class<?>>();
|
||||||
|
|
||||||
|
private static ProxyFactory proxyfactory = new ProxyFactory();
|
||||||
|
|
||||||
|
private static Class<?> getProxied(Class<?> proxyClass){
|
||||||
|
if (proxyClassMap.containsKey(proxyClass))
|
||||||
|
return proxyClassMap.get(proxyClass);
|
||||||
|
|
||||||
|
proxyfactory.setSuperclass(proxyClass);
|
||||||
|
Class<?> proxied=proxyfactory.createClass();
|
||||||
|
proxyClassMap.put(proxyClass, proxied);
|
||||||
|
return proxied;
|
||||||
|
}
|
||||||
|
|
||||||
|
public static <T extends Authorizable> T getAuthorizedInstance(Class<T> proxyClass){
|
||||||
|
Class<?> proxied = getProxied(proxyClass);
|
||||||
|
|
||||||
|
Object obj;
|
||||||
|
try {
|
||||||
|
obj = proxied.newInstance();
|
||||||
|
MethodHandler handler = new MethodHandler() {
|
||||||
|
|
||||||
|
public Object invoke(Object self, Method thisMethod, Method proceed,
|
||||||
|
Object[] args) throws Throwable {
|
||||||
|
if (thisMethod.isAnnotationPresent(AuthorizationControl.class) && !thisMethod.getName().equals("getServiceName")
|
||||||
|
&& !thisMethod.getName().equals("getServiceClass")){
|
||||||
|
if (SecurityTokenProvider.instance.get()==null)
|
||||||
|
throw new RuntimeException("the Security token is not set");
|
||||||
|
Authorizable obj = (Authorizable) self;
|
||||||
|
Mode[] modes = null;
|
||||||
|
if (thisMethod.isAnnotationPresent(AuthorizationControl.class))
|
||||||
|
modes = thisMethod.getAnnotation(AuthorizationControl.class).check();
|
||||||
|
checkAuthorization(obj.getServiceClass(), obj.getServiceName(), modes);
|
||||||
|
}
|
||||||
|
return proceed.invoke(self, args);
|
||||||
|
}
|
||||||
|
};
|
||||||
|
((ProxyObject)obj).setHandler(handler);
|
||||||
|
return proxyClass.cast(obj);
|
||||||
|
} catch (InstantiationException | IllegalAccessException e) {
|
||||||
|
throw new RuntimeException(e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
public static void checkAuthorization(String serviceClass, String serviceName, Mode ... modes) throws Exception{
|
||||||
|
if (modes==null || modes.length==0) return;
|
||||||
|
if (SecurityTokenProvider.instance.get()==null)
|
||||||
|
throw new UnauthorizedAccessException("the Security token is not set");
|
||||||
|
|
||||||
|
List<Mode> modesList = Arrays.asList(modes);
|
||||||
|
|
||||||
|
AuthorizationEntry entry = authorizationService().get(SecurityTokenProvider.instance.get());
|
||||||
|
|
||||||
|
if (entry.getPolicies()!=null){
|
||||||
|
//DO we need a library identifier ??
|
||||||
|
ServiceIdentifier serviceIdentifier = new ServiceIdentifier(serviceClass, serviceName, "*");
|
||||||
|
for (Policy policy: entry.getPolicies())
|
||||||
|
if (PolicyUtils.isPolicyValidForClient(policy.getServiceAccess(), serviceIdentifier))
|
||||||
|
if (modesList.contains(policy.getMode()) || policy.getMode()==Mode.ALL)
|
||||||
|
throw new UnauthorizedAccessException("the invoked method is protected by the Authorization system, cannot be invoked by "+entry.getClientInfo().getId());
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
}
|
|
@ -7,7 +7,6 @@ import java.io.BufferedReader;
|
||||||
import java.io.InputStream;
|
import java.io.InputStream;
|
||||||
import java.io.InputStreamReader;
|
import java.io.InputStreamReader;
|
||||||
import java.io.OutputStream;
|
import java.io.OutputStream;
|
||||||
import java.io.StringWriter;
|
|
||||||
import java.net.HttpURLConnection;
|
import java.net.HttpURLConnection;
|
||||||
import java.net.URL;
|
import java.net.URL;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
|
@ -15,8 +14,7 @@ import java.util.Collections;
|
||||||
import java.util.HashMap;
|
import java.util.HashMap;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import java.util.Map;
|
import java.util.Map;
|
||||||
import javax.xml.bind.JAXBContext;
|
|
||||||
import javax.xml.bind.JAXBException;
|
|
||||||
import org.gcube.common.authorization.client.Binder;
|
import org.gcube.common.authorization.client.Binder;
|
||||||
import org.gcube.common.authorization.client.Constants;
|
import org.gcube.common.authorization.client.Constants;
|
||||||
import org.gcube.common.authorization.client.exceptions.ObjectNotFound;
|
import org.gcube.common.authorization.client.exceptions.ObjectNotFound;
|
||||||
|
@ -26,7 +24,6 @@ import org.gcube.common.authorization.library.enpoints.AuthorizationEndpoint;
|
||||||
import org.gcube.common.authorization.library.enpoints.AuthorizationEndpointScanner;
|
import org.gcube.common.authorization.library.enpoints.AuthorizationEndpointScanner;
|
||||||
import org.gcube.common.authorization.library.policies.Policy;
|
import org.gcube.common.authorization.library.policies.Policy;
|
||||||
import org.gcube.common.authorization.library.provider.ClientInfo;
|
import org.gcube.common.authorization.library.provider.ClientInfo;
|
||||||
import org.gcube.common.authorization.library.provider.ServiceInfo;
|
|
||||||
import org.gcube.common.authorization.library.provider.UserInfo;
|
import org.gcube.common.authorization.library.provider.UserInfo;
|
||||||
import org.gcube.common.encryption.StringEncrypter;
|
import org.gcube.common.encryption.StringEncrypter;
|
||||||
import org.gcube.common.scope.api.ScopeProvider;
|
import org.gcube.common.scope.api.ScopeProvider;
|
||||||
|
@ -93,6 +90,9 @@ public class DefaultAuthorizationProxy implements AuthorizationProxy {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public AuthorizationEntry get(String token) throws ObjectNotFound, Exception{
|
public AuthorizationEntry get(String token) throws ObjectNotFound, Exception{
|
||||||
|
if (cache.containsKey(token) && cache.get(token).isValid())
|
||||||
|
return cache.get(token).getEntry();
|
||||||
|
|
||||||
final String methodPath = "/retrieve/";
|
final String methodPath = "/retrieve/";
|
||||||
|
|
||||||
StringBuilder callUrl = new StringBuilder(getInternalEnpoint()).append(methodPath).append(token);
|
StringBuilder callUrl = new StringBuilder(getInternalEnpoint()).append(methodPath).append(token);
|
||||||
|
|
|
@ -6,6 +6,7 @@ import java.util.ArrayList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
|
||||||
import org.gcube.common.authorization.client.exceptions.ObjectNotFound;
|
import org.gcube.common.authorization.client.exceptions.ObjectNotFound;
|
||||||
|
import org.gcube.common.authorization.library.policies.Mode;
|
||||||
import org.gcube.common.authorization.library.policies.Policy;
|
import org.gcube.common.authorization.library.policies.Policy;
|
||||||
import org.gcube.common.authorization.library.policies.ServiceAccess;
|
import org.gcube.common.authorization.library.policies.ServiceAccess;
|
||||||
import org.gcube.common.authorization.library.policies.User;
|
import org.gcube.common.authorization.library.policies.User;
|
||||||
|
@ -36,7 +37,7 @@ public class CallTest {
|
||||||
@Test
|
@Test
|
||||||
public void addPolicy() throws Exception {
|
public void addPolicy() throws Exception {
|
||||||
List<Policy> policies = new ArrayList<Policy>();
|
List<Policy> policies = new ArrayList<Policy>();
|
||||||
policies.add(new User2ServicePolicy("/gcube/devsec", new ServiceAccess(), new User("lucio.lelii") ));
|
policies.add(new User2ServicePolicy("/gcube/devsec", new ServiceAccess(), new User("lucio.lelii"), Mode.ACCESS ));
|
||||||
authorizationService().addPolicies(policies);
|
authorizationService().addPolicies(policies);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -48,6 +49,6 @@ public class CallTest {
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void removePolicy() throws Exception {
|
public void removePolicy() throws Exception {
|
||||||
authorizationService().removePolicies(3);
|
authorizationService().removePolicies(2, 3, 4);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue