git-svn-id: http://svn.research-infrastructures.eu/public/d4science/gcube/trunk/Common/authorization-common-library@122881 82a268e6-3cf1-43bd-a215-b396298e98cf
This commit is contained in:
parent
00091c59ee
commit
4dd3723fc5
|
@ -1,66 +0,0 @@
|
|||
package org.gcube.common.authorization.library;
|
||||
|
||||
import java.lang.reflect.InvocationHandler;
|
||||
import java.lang.reflect.Method;
|
||||
|
||||
import org.gcube.common.authorization.library.provider.AuthorizationProvider;
|
||||
import org.gcube.common.authorization.library.provider.ClientInfo;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
public class AuthorizationInvocationHandler<T, I extends T> implements InvocationHandler{
|
||||
|
||||
public static Logger log = LoggerFactory.getLogger(AuthorizationInvocationHandler.class);
|
||||
|
||||
private String handledClass;
|
||||
|
||||
private Object obj;
|
||||
|
||||
ResourceAuthorizationProxy<T, I> resourceAuthorizationProxy;
|
||||
|
||||
protected AuthorizationInvocationHandler(I obj, String className, ResourceAuthorizationProxy<T, I> resourceAuthorizationProxy) {
|
||||
handledClass = className;
|
||||
this.obj = obj;
|
||||
this.resourceAuthorizationProxy = resourceAuthorizationProxy;
|
||||
}
|
||||
|
||||
public Object invoke(Object proxy, Method method,
|
||||
Object[] args) throws Throwable {
|
||||
log.trace("calling proxed method "+method.getName()+" on "+handledClass);
|
||||
ClientInfo info = AuthorizationProvider.instance.get();
|
||||
//checkSubjectToQuota(info, method);
|
||||
//checkIsAllowedFor(info, method);
|
||||
return method.invoke(obj, args);
|
||||
}
|
||||
/*
|
||||
private static boolean isOneElementContainedinRoles(List<String> elements, String[] allowedRoles){
|
||||
for (String role: allowedRoles )
|
||||
if (elements.contains(role))
|
||||
return true;
|
||||
return false;
|
||||
}
|
||||
|
||||
private void checkSubjectToQuota(ClientInfo info, Method method){
|
||||
if(method.isAnnotationPresent(SubjectToQuota.class)){
|
||||
BannedService service = new BannedService(resourceAuthorizationProxy.getServiceClass(), resourceAuthorizationProxy.getServiceName());
|
||||
log.debug("subjectToQuota annotation present, checking for service {} in bannedServices {}",service, info.getBannedServices());
|
||||
if (info.getPolicies().contains(service)){
|
||||
String message = "blocking method "+method.getName()+" for user "+info.getUserName()+": overquota reached";
|
||||
log.warn(message);
|
||||
throw new SecurityException(message);
|
||||
}
|
||||
} else log.debug("is subjectToQuota not present in "+method.getName());
|
||||
}
|
||||
|
||||
private void checkIsAllowedFor(ClientInfo info, Method method){
|
||||
if(method.isAnnotationPresent(IsAllowedFor.class)){
|
||||
IsAllowedFor allowed = method.getAnnotation(IsAllowedFor.class);
|
||||
if (allowed.roles().length>0 && !isOneElementContainedinRoles(info.getRoles(), allowed.roles())){
|
||||
String message = "blocking method "+method.getName()+" for user "+info.getUserName()+": only roles "+Arrays.toString(allowed.roles()) +" can access";
|
||||
log.warn(message);
|
||||
throw new SecurityException(message);
|
||||
}
|
||||
} else log.debug("is allowedFor not present in "+method.getName());
|
||||
}
|
||||
*/
|
||||
}
|
|
@ -1,15 +0,0 @@
|
|||
package org.gcube.common.authorization.library;
|
||||
|
||||
import java.lang.reflect.Proxy;
|
||||
|
||||
public class GenericProxyFactory {
|
||||
|
||||
@SuppressWarnings("unchecked")
|
||||
public static <T, I extends T> T getProxy(Class<T> intf,
|
||||
final I obj, ResourceAuthorizationProxy<T, I> resourceAuthorizationProxy) {
|
||||
return (T)
|
||||
Proxy.newProxyInstance(obj.getClass().getClassLoader(),
|
||||
new Class[] { intf },
|
||||
new AuthorizationInvocationHandler<T,I>(obj, intf.getSimpleName(), resourceAuthorizationProxy));
|
||||
}
|
||||
}
|
|
@ -1,19 +0,0 @@
|
|||
package org.gcube.common.authorization.library;
|
||||
|
||||
public abstract class ResourceAuthorizationProxy<I,T extends I> {
|
||||
|
||||
private I delegate;
|
||||
|
||||
public ResourceAuthorizationProxy(Class<I> classIntrface, T wrapped){
|
||||
delegate = GenericProxyFactory.getProxy(classIntrface,wrapped, this );
|
||||
}
|
||||
|
||||
public I getDelegate() {
|
||||
return delegate;
|
||||
}
|
||||
|
||||
public abstract String getServiceClass();
|
||||
|
||||
public abstract String getServiceName();
|
||||
|
||||
}
|
|
@ -6,12 +6,12 @@ import java.lang.annotation.Retention;
|
|||
import java.lang.annotation.RetentionPolicy;
|
||||
import java.lang.annotation.Target;
|
||||
|
||||
import org.gcube.common.authorization.library.policies.Mode;
|
||||
import org.gcube.common.authorization.library.policies.Action;
|
||||
|
||||
@Inherited
|
||||
@Retention(RetentionPolicy.RUNTIME)
|
||||
@Target(ElementType.METHOD)
|
||||
public @interface AuthorizationControl {
|
||||
|
||||
Mode[] check() default {Mode.ALL};
|
||||
Action[] check() default {Action.ALL};
|
||||
}
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
package org.gcube.common.authorization.library.policies;
|
||||
|
||||
public enum Mode {
|
||||
public enum Action {
|
||||
|
||||
ALL, ACCESS, WRITE, EXECUTE;
|
||||
ALL, ACCESS, WRITE, DELETE, EXECUTE;
|
||||
}
|
|
@ -22,7 +22,7 @@ public abstract class Policy {
|
|||
|
||||
public abstract String getContext();
|
||||
|
||||
public abstract Mode getMode();
|
||||
public abstract Action getMode();
|
||||
|
||||
public long getId() {
|
||||
return id;
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
package org.gcube.common.authorization.library.policies;
|
||||
|
||||
import java.util.List;
|
||||
|
||||
import javax.xml.bind.annotation.XmlAccessType;
|
||||
import javax.xml.bind.annotation.XmlAccessorType;
|
||||
import javax.xml.bind.annotation.XmlRootElement;
|
||||
|
@ -8,17 +10,37 @@ import javax.xml.bind.annotation.XmlRootElement;
|
|||
@XmlAccessorType(XmlAccessType.FIELD)
|
||||
public class Role extends UserEntity {
|
||||
|
||||
|
||||
protected Role() {
|
||||
super();
|
||||
}
|
||||
|
||||
public Role(String identifier) {
|
||||
protected Role(String identifier) {
|
||||
super(identifier);
|
||||
}
|
||||
|
||||
protected Role(List<String> excludes) {
|
||||
super(excludes);
|
||||
}
|
||||
|
||||
@Override
|
||||
public UserEntityType getType() {
|
||||
return UserEntityType.ROLE;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isSubsetOf(UserEntity entity) {
|
||||
if (entity.getType()==UserEntityType.ROLE){
|
||||
if (this.getIdentifier()==null)
|
||||
return entity.getIdentifier()==null && entity.getExcludes().containsAll(this.getExcludes());
|
||||
else {
|
||||
if (entity.getIdentifier()!=null)
|
||||
return entity.getIdentifier().equals(this.getIdentifier());
|
||||
else
|
||||
return !entity.getExcludes().contains(this.getIdentifier());
|
||||
}
|
||||
|
||||
} else return entity.getIdentifier()==null;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
@ -0,0 +1,14 @@
|
|||
package org.gcube.common.authorization.library.policies;
|
||||
|
||||
import java.util.Arrays;
|
||||
|
||||
public class Roles {
|
||||
|
||||
public static Role one(String identifier){
|
||||
return new Role(identifier);
|
||||
}
|
||||
|
||||
public static Role allExcept(String ... identifiers){
|
||||
return new Role(Arrays.asList(identifiers));
|
||||
}
|
||||
}
|
|
@ -11,7 +11,7 @@ public class Service2ServicePolicy extends Policy{
|
|||
private ServiceAccess client;
|
||||
private String context;
|
||||
private ServiceAccess serviceAccess;
|
||||
private Mode mode = Mode.ALL;
|
||||
private Action mode = Action.ALL;
|
||||
|
||||
protected Service2ServicePolicy(){}
|
||||
|
||||
|
@ -23,7 +23,7 @@ public class Service2ServicePolicy extends Policy{
|
|||
}
|
||||
|
||||
public Service2ServicePolicy(String context, ServiceAccess serviceAccess,
|
||||
ServiceAccess client, Mode mode) {
|
||||
ServiceAccess client, Action mode) {
|
||||
this(context, serviceAccess, client);
|
||||
this.mode = mode;
|
||||
}
|
||||
|
@ -35,7 +35,7 @@ public class Service2ServicePolicy extends Policy{
|
|||
|
||||
@Override
|
||||
public String getPolicyAsString() {
|
||||
return this.context+","+serviceAccess.getAsString()+","+serviceAccess.getAsString()+"["+mode.toString()+"]";
|
||||
return this.context+","+serviceAccess.getAsString()+","+serviceAccess.getAsString()+","+mode.toString();
|
||||
}
|
||||
|
||||
public ServiceAccess getClient() {
|
||||
|
@ -99,7 +99,7 @@ public class Service2ServicePolicy extends Policy{
|
|||
}
|
||||
|
||||
@Override
|
||||
public Mode getMode() {
|
||||
public Action getMode() {
|
||||
return this.mode;
|
||||
}
|
||||
|
||||
|
|
|
@ -40,6 +40,8 @@ public class ServiceAccess {
|
|||
this.serviceSpecificPolices = serviceSpecificPolices;
|
||||
}*/
|
||||
|
||||
|
||||
|
||||
public String getAsString(){
|
||||
if (serviceClass == null)
|
||||
return "*";
|
||||
|
@ -60,6 +62,30 @@ public class ServiceAccess {
|
|||
return toReturn.toString();
|
||||
}
|
||||
|
||||
public String getServiceClass() {
|
||||
return serviceClass;
|
||||
}
|
||||
|
||||
public String getName() {
|
||||
return name;
|
||||
}
|
||||
|
||||
public String getServiceId() {
|
||||
return serviceId;
|
||||
}
|
||||
|
||||
public boolean isSubsetOf(ServiceAccess access){
|
||||
if (this.equals(access)) return true;
|
||||
if (access.getServiceClass()==null) return true;
|
||||
|
||||
if (access.getServiceClass().equals(this.serviceClass)){
|
||||
if (access.getName()==null) return true;
|
||||
if (access.getName().equals(this.name) && access.getServiceId()==null)
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
public int hashCode() {
|
||||
final int prime = 31;
|
||||
|
|
|
@ -12,7 +12,7 @@ public class User extends UserEntity {
|
|||
super();
|
||||
}
|
||||
|
||||
public User(String identifier) {
|
||||
protected User(String identifier) {
|
||||
super(identifier);
|
||||
}
|
||||
|
||||
|
@ -21,4 +21,12 @@ public class User extends UserEntity {
|
|||
return UserEntityType.USER;
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean isSubsetOf(UserEntity entity) {
|
||||
if (entity.getType()== UserEntityType.USER)
|
||||
return entity.getIdentifier() ==null || this.getIdentifier().equals(entity.getIdentifier());
|
||||
else return false;
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
|
|
@ -18,7 +18,7 @@ public class User2ServicePolicy extends Policy {
|
|||
private String context;
|
||||
private ServiceAccess serviceAccess;
|
||||
|
||||
private Mode mode = Mode.ALL;
|
||||
private Action mode = Action.ALL;
|
||||
|
||||
protected User2ServicePolicy(){}
|
||||
|
||||
|
@ -28,12 +28,11 @@ public class User2ServicePolicy extends Policy {
|
|||
this.entity = entity;
|
||||
}
|
||||
|
||||
public User2ServicePolicy(String context, ServiceAccess serviceAccess, UserEntity entity, Mode mode) {
|
||||
public User2ServicePolicy(String context, ServiceAccess serviceAccess, UserEntity entity, Action mode) {
|
||||
this(context, serviceAccess, entity);
|
||||
this.mode = mode;
|
||||
}
|
||||
|
||||
|
||||
public UserEntity getEntity() {
|
||||
return entity;
|
||||
}
|
||||
|
@ -49,15 +48,13 @@ public class User2ServicePolicy extends Policy {
|
|||
|
||||
@Override
|
||||
public String getPolicyAsString() {
|
||||
return this.context+","+serviceAccess.getAsString()+","+entity.getAsString()+"["+mode.toString()+"]";
|
||||
return this.context+","+serviceAccess.getAsString()+","+entity.getAsString()+","+mode.toString();
|
||||
}
|
||||
|
||||
public String getContext() {
|
||||
return context;
|
||||
}
|
||||
|
||||
|
||||
|
||||
@Override
|
||||
public int hashCode() {
|
||||
final int prime = 31;
|
||||
|
@ -106,7 +103,7 @@ public class User2ServicePolicy extends Policy {
|
|||
}
|
||||
|
||||
@Override
|
||||
public Mode getMode() {
|
||||
public Action getMode() {
|
||||
return this.mode;
|
||||
}
|
||||
|
||||
|
|
|
@ -1,5 +1,8 @@
|
|||
package org.gcube.common.authorization.library.policies;
|
||||
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
import javax.xml.bind.annotation.XmlAccessType;
|
||||
import javax.xml.bind.annotation.XmlAccessorType;
|
||||
import javax.xml.bind.annotation.XmlRootElement;
|
||||
|
@ -10,7 +13,9 @@ import javax.xml.bind.annotation.XmlSeeAlso;
|
|||
@XmlSeeAlso({User.class,Role.class})
|
||||
public abstract class UserEntity {
|
||||
|
||||
private String identifier;
|
||||
private String identifier = null;
|
||||
|
||||
private List<String> excludes = new ArrayList<String>();
|
||||
|
||||
public enum UserEntityType {
|
||||
ROLE , USER
|
||||
|
@ -20,25 +25,42 @@ public abstract class UserEntity {
|
|||
super();
|
||||
}
|
||||
|
||||
public UserEntity(String identifier) {
|
||||
super();
|
||||
protected UserEntity(String identifier) {
|
||||
this.identifier = identifier;
|
||||
}
|
||||
|
||||
protected UserEntity(List<String> excludes) {
|
||||
if (excludes==null || excludes.isEmpty()) throw new IllegalArgumentException("list of excludes cannot be empty");
|
||||
this.excludes = excludes;
|
||||
}
|
||||
|
||||
|
||||
public String getIdentifier(){
|
||||
return identifier;
|
||||
}
|
||||
|
||||
public List<String> getExcludes() {
|
||||
return excludes;
|
||||
}
|
||||
|
||||
public abstract UserEntityType getType();
|
||||
|
||||
public final String getAsString() {
|
||||
return this.getType()+":"+this.identifier;
|
||||
if (identifier!=null )
|
||||
return this.getType()+":"+this.identifier;
|
||||
else {
|
||||
if (excludes !=null && !excludes.isEmpty())
|
||||
return this.getType()+":allExcept"+this.excludes;
|
||||
else return this.getType()+":*";
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public int hashCode() {
|
||||
final int prime = 31;
|
||||
int result = 1;
|
||||
result = prime * result
|
||||
+ ((excludes == null) ? 0 : excludes.hashCode());
|
||||
result = prime * result
|
||||
+ ((identifier == null) ? 0 : identifier.hashCode());
|
||||
return result;
|
||||
|
@ -53,6 +75,11 @@ public abstract class UserEntity {
|
|||
if (getClass() != obj.getClass())
|
||||
return false;
|
||||
UserEntity other = (UserEntity) obj;
|
||||
if (excludes == null) {
|
||||
if (other.excludes != null)
|
||||
return false;
|
||||
} else if (!excludes.equals(other.excludes))
|
||||
return false;
|
||||
if (identifier == null) {
|
||||
if (other.identifier != null)
|
||||
return false;
|
||||
|
@ -66,7 +93,7 @@ public abstract class UserEntity {
|
|||
return "UserEntity [ "+getAsString()+" ]";
|
||||
}
|
||||
|
||||
|
||||
public abstract boolean isSubsetOf(UserEntity entity);
|
||||
|
||||
|
||||
}
|
||||
|
|
|
@ -0,0 +1,14 @@
|
|||
package org.gcube.common.authorization.library.policies;
|
||||
|
||||
|
||||
public class Users {
|
||||
|
||||
public static User one(String identifier){
|
||||
return new User(identifier);
|
||||
}
|
||||
|
||||
public static User all(){
|
||||
return new User();
|
||||
}
|
||||
|
||||
}
|
|
@ -0,0 +1,68 @@
|
|||
package org.gcube.common.authorization.library.binder;
|
||||
|
||||
|
||||
import org.gcube.common.authorization.library.policies.Role;
|
||||
import org.gcube.common.authorization.library.policies.Roles;
|
||||
import org.gcube.common.authorization.library.policies.ServiceAccess;
|
||||
import org.gcube.common.authorization.library.policies.User;
|
||||
import org.gcube.common.authorization.library.policies.Users;
|
||||
import org.junit.Assert;
|
||||
import org.junit.Test;
|
||||
|
||||
public class SubsetTest {
|
||||
|
||||
@Test
|
||||
public void serviceAccess(){
|
||||
ServiceAccess sa1 = new ServiceAccess();
|
||||
ServiceAccess sa2 = new ServiceAccess("C1");
|
||||
ServiceAccess sa3 = new ServiceAccess("S1", "C1");
|
||||
ServiceAccess sa4 = new ServiceAccess("S1", "C1", "I1");
|
||||
ServiceAccess sa5 = new ServiceAccess("S1", "C1", "I1");
|
||||
ServiceAccess sa6 = new ServiceAccess("S1", "C1", "I2");
|
||||
ServiceAccess sa7 = new ServiceAccess("S2", "C1", "I1");
|
||||
ServiceAccess sa8 = new ServiceAccess("S2", "C2", "I1");
|
||||
|
||||
Assert.assertTrue(sa2.isSubsetOf(sa1));
|
||||
Assert.assertFalse(sa1.isSubsetOf(sa2));
|
||||
Assert.assertTrue(sa3.isSubsetOf(sa1));
|
||||
Assert.assertTrue(sa3.isSubsetOf(sa2));
|
||||
|
||||
Assert.assertTrue(sa4.isSubsetOf(sa1));
|
||||
Assert.assertTrue(sa4.isSubsetOf(sa2));
|
||||
Assert.assertTrue(sa4.isSubsetOf(sa3));
|
||||
Assert.assertTrue(sa4.isSubsetOf(sa4));
|
||||
Assert.assertTrue(sa4.isSubsetOf(sa5));
|
||||
|
||||
Assert.assertTrue(sa5.isSubsetOf(sa4));
|
||||
Assert.assertFalse(sa5.isSubsetOf(sa6));
|
||||
Assert.assertFalse(sa7.isSubsetOf(sa3));
|
||||
Assert.assertFalse(sa8.isSubsetOf(sa2));
|
||||
Assert.assertFalse(sa8.isSubsetOf(sa3));
|
||||
Assert.assertTrue(sa8.isSubsetOf(sa1));
|
||||
|
||||
}
|
||||
|
||||
@Test
|
||||
public void users(){
|
||||
User u1 = Users.one("u1");
|
||||
User u2 = Users.one("u2");
|
||||
User u3 = Users.all();
|
||||
|
||||
Assert.assertTrue(u1.isSubsetOf(u3));
|
||||
Assert.assertTrue(u2.isSubsetOf(u3));
|
||||
Assert.assertFalse(u1.isSubsetOf(u2));
|
||||
Assert.assertFalse(u2.isSubsetOf(u1));
|
||||
|
||||
Role r1 = Roles.one("VREManager");
|
||||
Role r2 = Roles.allExcept("VREManager");
|
||||
Role r3 = Roles.allExcept("VOManager");
|
||||
Role r4 = Roles.allExcept("VOManager", "VREManager");
|
||||
|
||||
Assert.assertTrue(r1.isSubsetOf(r3));
|
||||
Assert.assertFalse(r2.isSubsetOf(r3));
|
||||
Assert.assertTrue(r2.isSubsetOf(r4));
|
||||
Assert.assertTrue(r3.isSubsetOf(r4));
|
||||
Assert.assertFalse(r4.isSubsetOf(r3));
|
||||
|
||||
}
|
||||
}
|
|
@ -20,7 +20,7 @@ public class SerializationTest {
|
|||
|
||||
@Test
|
||||
public void serializeUserPolicy() throws Exception{
|
||||
User2ServicePolicy up = new User2ServicePolicy("/gcube", new ServiceAccess("ServiceName", "ServiceClass","serviceID"), new User("userID"));
|
||||
User2ServicePolicy up = new User2ServicePolicy("/gcube", new ServiceAccess("ServiceName", "ServiceClass","serviceID"), Roles.allExcept("VREManager", "VOManager"));
|
||||
StringWriter sw = new StringWriter();
|
||||
context.createMarshaller().marshal(up, sw);
|
||||
User2ServicePolicy upCopy = (User2ServicePolicy)context.createUnmarshaller().unmarshal(new StringReader(sw.toString()));
|
||||
|
|
Loading…
Reference in New Issue