gCubeSystem
/
gcube-ckan-datacatalog
15
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fixed roles check 

git-svn-id: http://svn.d4science-ii.research-infrastructures.eu/gcube/trunk/portlets/user/gcube-ckan-datacatalog@129707 82a268e6-3cf1-43bd-a215-b396298e98cf
This commit is contained in:
Costantino Perciante 2016-06-30 15:22:37 +00:00
parent 425b890bac
commit f78e01c1e4
2 changed files with 313 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

225
src/main/java/org/gcube/portlets/gcubeckan/gcubeckandatacatalog/server/GcubeCkanDataCatalogServiceImpl.java
View File

@ -21,19 +21,10 @@ import org.gcube.application.framework.core.session.ASLSession;
import org.gcube.application.framework.core.session.SessionManager;
import org.gcube.common.scope.api.ScopeProvider;
import org.gcube.datacatalogue.ckanutillibrary.CKanUtilsImpl;
import org.gcube.datacatalogue.ckanutillibrary.models.RolesIntoOrganization;
import org.gcube.portal.custom.scopemanager.scopehelper.ScopeHelper;
import org.gcube.portlets.gcubeckan.gcubeckandatacatalog.client.GcubeCkanDataCatalogService;
import org.gcube.portlets.gcubeckan.gcubeckandatacatalog.shared.CkanConnectorAccessPoint;
import org.gcube.portlets.gcubeckan.gcubeckandatacatalog.shared.CkanRole;
import org.gcube.vomanagement.usermanagement.GroupManager;
import org.gcube.vomanagement.usermanagement.RoleManager;
import org.gcube.vomanagement.usermanagement.UserManager;
import org.gcube.vomanagement.usermanagement.impl.LiferayGroupManager;
import org.gcube.vomanagement.usermanagement.impl.LiferayRoleManager;
import org.gcube.vomanagement.usermanagement.impl.LiferayUserManager;
import org.gcube.vomanagement.usermanagement.model.GCubeRole;
import org.gcube.vomanagement.usermanagement.model.GatewayRolesNames;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -71,6 +62,8 @@ public class GcubeCkanDataCatalogServiceImpl extends RemoteServiceServlet implem
public final static String TEST_SEC_TOKEN = "4620e6d0-2313-4f48-9d54-eb3efd01a810";
public static final String CKAN_TOKEN_KEY = "ckanToken";
public static final String CKAN_ORGS_USER_KEY = "ckanOrgs";
public static final String CKAN_HIGHEST_ROLE = "ckanHigherRole"; // editor, member, admin, sysadmin
// ckan utils methods
private CKanUtilsImpl instance;
@ -136,12 +129,12 @@ public class GcubeCkanDataCatalogServiceImpl extends RemoteServiceServlet implem
* @return the ckan connector access point
*/
private CkanConnectorAccessPoint getCkanConnectorAccessPoint(String pathInfoParameter, String queryStringParameters) {
if(outsidePortal()){
CkanConnectorAccessPoint ckan = new CkanConnectorAccessPoint(getCkanUtilsObj().getCatalogueUrl());
return ckan;
}
//CKAN BASE URL
@ -258,86 +251,60 @@ public class GcubeCkanDataCatalogServiceImpl extends RemoteServiceServlet implem
* @see org.gcube.portlets.gcubeckan.gcubeckandatacatalog.client.GcubeCkanDataCatalogService#getMyRole()
*/
@Override
public CkanRole getMyRole() throws Exception{
HttpSession httpSession = this.getThreadLocalRequest().getSession();
public CkanRole getMyRole(){
// we need to evaluate which roles the user has in this scope
String username = getASLSession(httpSession).getUsername();
String currentScope = getASLSession(httpSession).getScope();
String groupName = getASLSession(httpSession).getGroupName();
// base role as default value
CkanRole toReturn = CkanRole.MEMBER;
try{
if(!SessionUtil.isIntoPortal()){
logger.warn("OUT FROM PORTAL DETECTED RETURNING ROLE: "+CkanRole.ADMIN);
toReturn = CkanRole.ADMIN;
}else{
if(!SessionUtil.isIntoPortal()){
logger.warn("OUT FROM PORTAL DETECTED RETURNING ROLE: "+CkanRole.ADMIN);
return CkanRole.ADMIN;
}
// first of all, check if the user is a sysadmin in the catalog (in this case he can do everything)
boolean isSysAdmin = getCkanUtilsObj().isSysAdmin(username, getUserCKanTokenFromSession());
// we need to evaluate which roles the user has in this scope / or in his vre if the current scope is the root
HttpSession httpSession = this.getThreadLocalRequest().getSession();
ASLSession session = getASLSession(httpSession);
String currentScope = session.getScope();
String username = session.getUsername();
String groupName = session.getGroupName(); // e.g. devVRE
if(isSysAdmin){
// check if session expired
if(username.equals(TEST_USER)){
logger.debug("The user is a sysadmin of the catalog -> he can edit/add");
return CkanRole.SYSADMIN;
logger.warn("Session expired, returning " + toReturn);
}else{
// check into session
if(session.getAttribute(CKAN_HIGHEST_ROLE) != null){
// retrieve the liferay's roles for the user
UserManager userManager = new LiferayUserManager();
RoleManager roleManager = new LiferayRoleManager();
GroupManager groupManager = new LiferayGroupManager();
List<GCubeRole> roles = roleManager.listRolesByUserAndGroup(userManager.getUserId(username), groupManager.getGroupId(groupName));
toReturn = (CkanRole)session.getAttribute(CKAN_HIGHEST_ROLE);
logger.info("Found user role into session " + toReturn + " and it is going to be returned");
logger.debug("The list of roles for " + username + " into " + groupName + " is " + roles);
}else{
// the default one
String mainRole = "Catalogue-Member";
RolesIntoOrganization correspondentRoleToCheck = RolesIntoOrganization.MEMBER;
CKanUtilsImpl ckanUtils = getCkanUtilsObj();
// NOTE: it is supposed that there is just one role for this person correspondent to the one in the catalog
for (GCubeRole role : roles) {
// first of all, check if the user is a sysadmin in the catalog (in this case he can do everything)
boolean isSysAdmin = ckanUtils.isSysAdmin(username, getUserCKanTokenFromSession());
logger.debug("User " + username + " has role " + role.getRoleName() + " in " + currentScope);
if(role.getRoleName().equalsIgnoreCase(GatewayRolesNames.CATALOGUE_ADMIN.getRoleName())){
mainRole = GatewayRolesNames.CATALOGUE_ADMIN.getRoleName();
correspondentRoleToCheck = RolesIntoOrganization.ADMIN;
break;
}else if(role.getRoleName().equalsIgnoreCase(GatewayRolesNames.CATALOGUE_EDITOR.getRoleName())){
mainRole = GatewayRolesNames.CATALOGUE_EDITOR.getRoleName();
correspondentRoleToCheck = RolesIntoOrganization.EDITOR;
break;
if(isSysAdmin){
logger.debug("The user is a sysadmin of the catalog -> he can edit/add");
session.setAttribute(CKAN_HIGHEST_ROLE, CkanRole.SYSADMIN);
toReturn = CkanRole.SYSADMIN;
}else{
toReturn = UserUtil.getHighestRole(currentScope, username, groupName, ckanUtils);
session.setAttribute(CKAN_HIGHEST_ROLE, toReturn);
logger.debug("Set role " + toReturn + " into session for user " + username);
}
}
// with this invocation, we check if the role is present in ckan and if it is not it will be added
boolean res = getCkanUtilsObj().checkRole(username, groupName, correspondentRoleToCheck);
if(res)
return reMapRole(mainRole);
}
}catch(Exception e){
logger.error("Unable to retrieve the role information for this user. Returning member role", e);
}
logger.debug("Unable to check the role into ckan organization, returning MEMBER as role");
// return the base role
return CkanRole.MEMBER;
}
/**
* Map between roles.
*
* @param mainRole the main role
* @return the ckan role
*/
private CkanRole reMapRole(String mainRole) {
switch(mainRole){
case "Catalogue-Admin": return CkanRole.ADMIN;
case "Catalogue-Editor": return CkanRole.EDITOR;
case "Catalogue-Member": return CkanRole.MEMBER;
default : return CkanRole.MEMBER;
}
return toReturn;
}
/* (non-Javadoc)
@ -360,31 +327,40 @@ public class GcubeCkanDataCatalogServiceImpl extends RemoteServiceServlet implem
*/
private String getUserCKanTokenFromSession(){
HttpSession httpSession = this.getThreadLocalRequest().getSession();
ASLSession session = getASLSession(httpSession);
String username = session.getUsername();
logger.debug("User in session is " + username);
String token = null;
try{
if(!SessionUtil.isIntoPortal()){
logger.warn("You are running outside the portal");
token = TEST_SEC_TOKEN;
}else{
String token = null;
if(this.getThreadLocalRequest().getSession().getAttribute(CKAN_TOKEN_KEY) != null)
token = (String)this.getThreadLocalRequest().getSession().getAttribute(CKAN_TOKEN_KEY);
else{
HttpSession httpSession = this.getThreadLocalRequest().getSession();
ASLSession session = getASLSession(httpSession);
String username = session.getUsername();
token = getCkanUtilsObj().getApiKeyFromUsername(username);
this.getThreadLocalRequest().getSession().setAttribute(CKAN_TOKEN_KEY, token);
logger.debug("Ckan token has been set for user " + username);
// check if session expired
if(username.equals(TEST_USER)){
logger.warn("Session expired, returning null token");
token = null;
}else{
try{
logger.debug("User in session is " + username);
if(session.getAttribute(CKAN_TOKEN_KEY) != null)
token = (String)session.getAttribute(CKAN_TOKEN_KEY);
else{
token = getCkanUtilsObj().getApiKeyFromUsername(username);
session.setAttribute(CKAN_TOKEN_KEY, token);
logger.debug("Ckan token has been set for user " + username);
}
logger.debug("Found ckan token " + token.substring(0, 3) + "************************" + " for user " + username);
}catch(Exception e){
logger.error("Error while retrieving the key" , e);
}
}
logger.debug("Found ckan token " + token + " for user " + username);
return token;
}catch(Exception e){
logger.error("Error while retrieving the key" , e);
}
return null;
return token;
}
@Override
@ -470,37 +446,39 @@ public class GcubeCkanDataCatalogServiceImpl extends RemoteServiceServlet implem
}
}
@SuppressWarnings("unchecked")
@Override
public Map<String, String> getCkanOrganizationsNamesAndUrlsForUser() {
HttpSession httpSession = this.getThreadLocalRequest().getSession();
ASLSession session = getASLSession(httpSession);
String username = session.getUsername();
Map<String, String> toReturn = new HashMap<>();
if(!SessionUtil.isIntoPortal()){
logger.warn("You are not into the portal");
// toReturn.put("testVRE", "random");
// toReturn.put("testVRE2", "random");
// toReturn.put("testVRE3", "random");
// toReturn.put("testVRE4", "random");
// toReturn.put("testVRE5", "random");
toReturn.put("testVRE", "/organization/devvre");
}
}else{
if(username.equals(TEST_USER))
return toReturn;
else{
HttpSession httpSession = this.getThreadLocalRequest().getSession();
ASLSession session = getASLSession(httpSession);
String username = session.getUsername();
List<CkanOrganization> organizations = instance.getOrganizationsByUser(username);
if(!username.equals(TEST_USER)){
for (CkanOrganization ckanOrganization : organizations) {
toReturn.put(ckanOrganization.getTitle(), "/organization/" + ckanOrganization.getName());
// check if the aslsession already has such information
if(session.getAttribute(CKAN_ORGS_USER_KEY) != null){
toReturn = (Map<String, String>) session.getAttribute(CKAN_ORGS_USER_KEY);
logger.debug("List of organizations was into the session " + toReturn);
}else{
logger.debug("Organizations list wasn't into session, retrieving them");
List<CkanOrganization> organizations = instance.getOrganizationsByUser(username);
for (CkanOrganization ckanOrganization : organizations) {
toReturn.put(ckanOrganization.getTitle(), "/organization/" + ckanOrganization.getName());
}
logger.debug("List of organizations to return for user " + username + " is " + toReturn);
session.setAttribute(CKAN_ORGS_USER_KEY, toReturn);
}
}
logger.debug("List of organizations to return for user " + username + " is " + toReturn);
}
return toReturn;
@ -508,14 +486,23 @@ public class GcubeCkanDataCatalogServiceImpl extends RemoteServiceServlet implem
@Override
public boolean outsidePortal() {
HttpSession httpSession = this.getThreadLocalRequest().getSession();
ASLSession session = getASLSession(httpSession);
String username = session.getUsername();
if(username.equals(TEST_USER))
return true;
return false;
if(!SessionUtil.isIntoPortal()){
logger.warn("You are not into the portal");
return false;
}else{
HttpSession httpSession = this.getThreadLocalRequest().getSession();
ASLSession session = getASLSession(httpSession);
String username = session.getUsername();
if(username.equals(TEST_USER))
return true;
return false;
}
}
/*

207
src/main/java/org/gcube/portlets/gcubeckan/gcubeckandatacatalog/server/UserUtil.java
View File

@ -6,15 +6,22 @@ package org.gcube.portlets.gcubeckan.gcubeckandatacatalog.server;
import java.util.ArrayList;
import java.util.List;
import org.gcube.datacatalogue.ckanutillibrary.CKanUtilsImpl;
import org.gcube.datacatalogue.ckanutillibrary.models.RolesIntoOrganization;
import org.gcube.portlets.gcubeckan.gcubeckandatacatalog.shared.CkanRole;
import org.gcube.vomanagement.usermanagement.GroupManager;
import org.gcube.vomanagement.usermanagement.RoleManager;
import org.gcube.vomanagement.usermanagement.UserManager;
import org.gcube.vomanagement.usermanagement.exception.GroupRetrievalFault;
import org.gcube.vomanagement.usermanagement.exception.UserManagementSystemException;
import org.gcube.vomanagement.usermanagement.exception.UserRetrievalFault;
import org.gcube.vomanagement.usermanagement.impl.LiferayGroupManager;
import org.gcube.vomanagement.usermanagement.impl.LiferayRoleManager;
import org.gcube.vomanagement.usermanagement.impl.LiferayUserManager;
import org.gcube.vomanagement.usermanagement.model.GCubeGroup;
import org.gcube.vomanagement.usermanagement.model.GCubeRole;
import org.gcube.vomanagement.usermanagement.model.GCubeUser;
import org.gcube.vomanagement.usermanagement.model.GatewayRolesNames;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -60,4 +67,204 @@ public class UserUtil {
return null;
}
}
/**
* Retrieve the highest ckan role the user has.
* @param currentScope the current scope
* @param username the current username
* @param groupName the current groupName
* @param ckanUtils ckanUtils
*/
public static CkanRole getHighestRole(String currentScope, String username, String groupName, CKanUtilsImpl ckanUtils){
// base role as default value
CkanRole toReturn = CkanRole.MEMBER;
try{
// retrieve the liferay's roles for the user: we need to check every vre is the current scope is the root
// and just the current one if the scope is a vre, the vres inside the vo if it is a VO.
UserManager userManager = new LiferayUserManager();
RoleManager roleManager = new LiferayRoleManager();
GroupManager groupManager = new LiferayGroupManager();
// user id
long userid = userManager.getUserId(username);
// retrieve current group id
long currentGroupId = groupManager.getGroupId(groupName);
logger.debug("Group id is " + currentGroupId + " and scope is " + currentScope);
// root
if(groupManager.isRootVO(currentGroupId)){
List<GCubeGroup> groups = groupManager.listGroupsByUser(userid);
logger.debug("The list of organizations of the user " + username + " is " + groups);
for (GCubeGroup gCubeGroup : groups) {
// skip if it is not a vre
if(!groupManager.isVRE(gCubeGroup.getGroupId()))
continue;
// get the name of this vre
String vreName = gCubeGroup.getGroupName();
// get the role of the users in this vre
List<GCubeRole> roles = roleManager.listRolesByUserAndGroup(userid, groupManager.getGroupId(vreName));
// the default one
RolesIntoOrganization correspondentRoleToCheck = RolesIntoOrganization.MEMBER;
CkanRole ckanRoleMatched = CkanRole.MEMBER;
// NOTE: it is supposed that there is just one role for this person correspondent to the one in the catalog
for (GCubeRole gCubeRole : roles) {
if(gCubeRole.getRoleName().equalsIgnoreCase(GatewayRolesNames.CATALOGUE_ADMIN.getRoleName())){
logger.debug("User " + username + " has role " + gCubeRole.getRoleName() + " in " + vreName);
correspondentRoleToCheck = RolesIntoOrganization.ADMIN;
ckanRoleMatched = CkanRole.ADMIN;
break;
}else if(gCubeRole.getRoleName().equalsIgnoreCase(GatewayRolesNames.CATALOGUE_EDITOR.getRoleName())){
logger.debug("User " + username + " has role " + gCubeRole.getRoleName() + " in " + vreName);
correspondentRoleToCheck = RolesIntoOrganization.EDITOR;
ckanRoleMatched = CkanRole.EDITOR;
break;
}
}
// if the role is member, continue
if(correspondentRoleToCheck.equals(RolesIntoOrganization.MEMBER))
continue;
// with this invocation, we check if the role is present in ckan and if it is not it will be added
boolean res = ckanUtils.checkRole(username, vreName, correspondentRoleToCheck);
if(res){
// ok, we have a editor/admin role here
if(toReturn.equals(CkanRole.ADMIN))
continue; // it is already the highest
else if(toReturn.equals(CkanRole.EDITOR) && correspondentRoleToCheck.equals(RolesIntoOrganization.ADMIN))
toReturn = CkanRole.ADMIN;
else if(toReturn.equals(CkanRole.MEMBER))
toReturn = ckanRoleMatched;
}
}
// set the role
logger.debug("Setting role " + toReturn + " into session for user " + username);
}else if(groupManager.isVO(currentGroupId)){
List<GCubeGroup> groups = groupManager.listGroupsByUser(userid);
logger.debug("The list of organizations of the user " + username + " is " + groups);
for (GCubeGroup gCubeGroup : groups) {
// skip if it is not a vre
if(!groupManager.isVRE(gCubeGroup.getGroupId()))
continue;
// check if this vre is a child of the vo
if(currentGroupId != gCubeGroup.getParentGroupId())
continue;
String vreName = gCubeGroup.getGroupName();
List<GCubeRole> roles = roleManager.listRolesByUserAndGroup(userid, groupManager.getGroupId(vreName));
// the default one
RolesIntoOrganization correspondentRoleToCheck = RolesIntoOrganization.MEMBER;
CkanRole ckanRoleMatched = CkanRole.MEMBER;
// NOTE: it is supposed that there is just one role for this person correspondent to the one in the catalog
for (GCubeRole gCubeRole : roles) {
logger.debug("User " + username + " has role " + gCubeRole.getRoleName() + " in " + vreName);
if(gCubeRole.getRoleName().equalsIgnoreCase(GatewayRolesNames.CATALOGUE_ADMIN.getRoleName())){
correspondentRoleToCheck = RolesIntoOrganization.ADMIN;
ckanRoleMatched = CkanRole.ADMIN;
break;
}else if(gCubeRole.getRoleName().equalsIgnoreCase(GatewayRolesNames.CATALOGUE_EDITOR.getRoleName())){
correspondentRoleToCheck = RolesIntoOrganization.EDITOR;
ckanRoleMatched = CkanRole.EDITOR;
break;
}
}
// if the role is member, continue
if(correspondentRoleToCheck.equals(RolesIntoOrganization.MEMBER))
continue;
// with this invocation, we check if the role is present in ckan and if it is not it will be added
boolean res = ckanUtils.checkRole(username, vreName, correspondentRoleToCheck);
if(res){
// ok, we have a editor/admin role here
if(toReturn.equals(CkanRole.ADMIN))
continue; // it is already the highest
else if(toReturn.equals(CkanRole.EDITOR) && correspondentRoleToCheck.equals(RolesIntoOrganization.ADMIN))
toReturn = CkanRole.ADMIN;
else if(toReturn.equals(CkanRole.MEMBER))
toReturn = ckanRoleMatched;
}
}
// set the role
logger.debug("Setting role " + toReturn + " into session for user " + username );
}else if(groupManager.isVRE(currentGroupId)){ // vre
List<GCubeRole> roles = roleManager.listRolesByUserAndGroup(userManager.getUserId(username), groupManager.getGroupId(groupName));
logger.debug("The list of roles for " + username + " into " + groupName + " is " + roles);
// the default one
String mainRole = "Catalogue-Member";
RolesIntoOrganization correspondentRoleToCheck = RolesIntoOrganization.MEMBER;
// NOTE: it is supposed that there is just one role for this person correspondent to the one in the catalog
for (GCubeRole role : roles) {
logger.debug("User " + username + " has role " + role.getRoleName() + " in " + currentScope);
if(role.getRoleName().equalsIgnoreCase(GatewayRolesNames.CATALOGUE_ADMIN.getRoleName())){
mainRole = GatewayRolesNames.CATALOGUE_ADMIN.getRoleName();
correspondentRoleToCheck = RolesIntoOrganization.ADMIN;
break;
}else if(role.getRoleName().equalsIgnoreCase(GatewayRolesNames.CATALOGUE_EDITOR.getRoleName())){
mainRole = GatewayRolesNames.CATALOGUE_EDITOR.getRoleName();
correspondentRoleToCheck = RolesIntoOrganization.EDITOR;
break;
}
}
// with this invocation, we check if the role is present in ckan and if it is not it will be added
boolean res = ckanUtils.checkRole(username, groupName, correspondentRoleToCheck);
if(res){
// set the role
toReturn = mapRoleLiferayToCkan(mainRole);
}
}
}catch(Exception e){
logger.error("Unable to retrieve the role information for this user. Returning member role", e);
toReturn = CkanRole.MEMBER;
}
return toReturn;
}
/**
* Map between roles.
*
* @param mainRole the main role
* @return the ckan role
*/
public static CkanRole mapRoleLiferayToCkan(String mainRole) {
switch(mainRole){
case "Catalogue-Admin": return CkanRole.ADMIN;
case "Catalogue-Editor": return CkanRole.EDITOR;
case "Catalogue-Member":
default : return CkanRole.MEMBER;
}
}
}