diff --git a/descriptor.xml b/descriptor.xml
index bb35e25..fb7fd5c 100644
--- a/descriptor.xml
+++ b/descriptor.xml
@@ -24,7 +24,7 @@
-
+
/${artifactId}
diff --git a/pom.xml b/pom.xml
index a8ec8fa..0cef8ae 100644
--- a/pom.xml
+++ b/pom.xml
@@ -11,11 +11,7 @@
org.gcube.tools
1.1.0
-
-
- distro
-
-
+
org.gcube.common
diff --git a/src/main/java/org/gcube/common/authorization/control/AuthorizationAspect.java b/src/main/java/org/gcube/common/authorization/control/AuthorizationAspect.java
index 7a47026..837bdc6 100644
--- a/src/main/java/org/gcube/common/authorization/control/AuthorizationAspect.java
+++ b/src/main/java/org/gcube/common/authorization/control/AuthorizationAspect.java
@@ -4,6 +4,8 @@ package org.gcube.common.authorization.control;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.util.Arrays;
+import java.util.List;
+import java.util.stream.Collectors;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
@@ -35,13 +37,19 @@ public class AuthorizationAspect {
MethodSignature signature = (MethodSignature) joinPoint.getSignature();
Method method = signature.getMethod();
AuthorizationControl authAnn = (AuthorizationControl) method.getAnnotation(AuthorizationControl.class);
- log.info("aspect before with annotation {} with action {}, allowed {} in method {}", authAnn.annotationType(), authAnn.actions(), authAnn.allowed(), method.getName());
+ log.info("aspect before with annotation {} with action {}, allowed {} in method {}", authAnn.annotationType(), authAnn.actions(), authAnn.allowedRoles(), authAnn.allowedUsers(), method.getName());
String userId = AuthorizationProvider.instance.get().getClient().getId();
+ List userRoles = AuthorizationProvider.instance.get().getClient().getRoles();
- if (authAnn.allowed().length!=0 && !Arrays.asList(authAnn.allowed()).contains(userId)) {
+ if (authAnn.allowedUsers().length!=0 && !Arrays.asList(authAnn.allowedUsers()).contains(userId)) {
RuntimeException ex = authAnn.exception().getConstructor(Throwable.class).newInstance(new AuthorizationException(String.format("user %s not allowed to call method %s", userId, method.getName())));
throw ex;
}
+ List allowedRoles = Arrays.asList(authAnn.allowedRoles());
+ if (authAnn.allowedRoles().length!=0 && userRoles.stream().filter(i -> allowedRoles.contains(i)).collect(Collectors.toList()).isEmpty()) {
+ RuntimeException ex = authAnn.exception().getConstructor(Throwable.class).newInstance(new AuthorizationException(String.format("user %s not allowed to call method %s (role non allowed)", userId, method.getName())));
+ throw ex;
+ }
}
}
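Review bot: The rewritten `log.info` on the first added line passes five arguments to four `{}` placeholders, so `allowedUsers` lands in the `in method {}` slot and `method.getName()` is silently dropped — the audit line no longer records which method was called; change it to `log.info("aspect before with annotation {} with action {}, allowed roles {}, allowed users {} in method {}", authAnn.annotationType(), authAnn.actions(), authAnn.allowedRoles(), authAnn.allowedUsers(), method.getName());`. The two new `List` locals are raw types; declaring them `List<String>` lets the role test collapse to `Collections.disjoint(userRoles, allowedRoles)` in place of the filter/collect/isEmpty chain (needs `java.util.Collections`). Note the two guards are cumulative — when both `allowedUsers` and `allowedRoles` are set the caller must satisfy both — and if `getClient().getRoles()` can ever return null the stream call fails with an NPE before the role check runs; both are worth confirming against the client type. The enclosing advice method begins before this hunk.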
diff --git a/src/main/java/org/gcube/common/authorization/control/annotations/AuthorizationControl.java b/src/main/java/org/gcube/common/authorization/control/annotations/AuthorizationControl.java
index 81c0fcb..016ddc5 100644
--- a/src/main/java/org/gcube/common/authorization/control/annotations/AuthorizationControl.java
+++ b/src/main/java/org/gcube/common/authorization/control/annotations/AuthorizationControl.java
@@ -14,6 +14,7 @@ import org.gcube.common.authorization.library.policies.Action;
public @interface AuthorizationControl {
Action[] actions() default {};
- String[] allowed() default {};
+ String[] allowedUsers() default {};
+ String[] allowedRoles() default {};
Class extends RuntimeException> exception();
}
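Review bot: The new `allowedRoles()` element and the renamed `allowedUsers()` carry no Javadoc, so the contract that an empty array means "no restriction on that axis" — which is how the `length!=0` guards in AuthorizationAspect in this same diff treat it — is only discoverable by reading the aspect. Add `/** User ids permitted to call the method; empty means any user. */` above `allowedUsers()` and `/** Roles of which the caller must hold at least one; empty means any role. When both are set, the user and role checks must both pass. */` above `allowedRoles()`. Renaming `allowed()` to `allowedUsers()` also breaks every existing `@AuthorizationControl(allowed = ...)` site at compile time, which is worth calling out in the release notes.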