From f78e01c1e4c75b38e8b4b3bdacdcec181fc207d9 Mon Sep 17 00:00:00 2001
From: Costantino Perciante
Date: Thu, 30 Jun 2016 15:22:37 +0000
Subject: [PATCH] Fixed roles check

git-svn-id: http://svn.d4science-ii.research-infrastructures.eu/gcube/trunk/portlets/user/gcube-ckan-datacatalog@129707 82a268e6-3cf1-43bd-a215-b396298e98cf
---
 .../GcubeCkanDataCatalogServiceImpl.java | 225 +++++++++---------
 .../gcubeckandatacatalog/server/UserUtil.java | 207 ++++++++++++++++
 2 files changed, 313 insertions(+), 119 deletions(-)

diff --git a/src/main/java/org/gcube/portlets/gcubeckan/gcubeckandatacatalog/server/GcubeCkanDataCatalogServiceImpl.java b/src/main/java/org/gcube/portlets/gcubeckan/gcubeckandatacatalog/server/GcubeCkanDataCatalogServiceImpl.java
index 59be83b..b493f74 100644
--- a/src/main/java/org/gcube/portlets/gcubeckan/gcubeckandatacatalog/server/GcubeCkanDataCatalogServiceImpl.java
+++ b/src/main/java/org/gcube/portlets/gcubeckan/gcubeckandatacatalog/server/GcubeCkanDataCatalogServiceImpl.java
@@ -21,19 +21,10 @@
 import org.gcube.application.framework.core.session.ASLSession;
 import org.gcube.application.framework.core.session.SessionManager;
 import org.gcube.common.scope.api.ScopeProvider;
 import org.gcube.datacatalogue.ckanutillibrary.CKanUtilsImpl;
-import org.gcube.datacatalogue.ckanutillibrary.models.RolesIntoOrganization;
 import org.gcube.portal.custom.scopemanager.scopehelper.ScopeHelper;
 import org.gcube.portlets.gcubeckan.gcubeckandatacatalog.client.GcubeCkanDataCatalogService;
 import org.gcube.portlets.gcubeckan.gcubeckandatacatalog.shared.CkanConnectorAccessPoint;
 import org.gcube.portlets.gcubeckan.gcubeckandatacatalog.shared.CkanRole;
-import org.gcube.vomanagement.usermanagement.GroupManager;
-import org.gcube.vomanagement.usermanagement.RoleManager;
-import org.gcube.vomanagement.usermanagement.UserManager;
-import org.gcube.vomanagement.usermanagement.impl.LiferayGroupManager;
-import org.gcube.vomanagement.usermanagement.impl.LiferayRoleManager;
-import org.gcube.vomanagement.usermanagement.impl.LiferayUserManager;
-import org.gcube.vomanagement.usermanagement.model.GCubeRole;
-import org.gcube.vomanagement.usermanagement.model.GatewayRolesNames;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -71,6 +62,8 @@ public class GcubeCkanDataCatalogServiceImpl extends RemoteServiceServlet implem public final static String TEST_SEC_TOKEN = "4620e6d0-2313-4f48-9d54-eb3efd01a810"; public static final String CKAN_TOKEN_KEY = "ckanToken"; + public static final String CKAN_ORGS_USER_KEY = "ckanOrgs"; + public static final String CKAN_HIGHEST_ROLE = "ckanHigherRole"; // editor, member, admin, sysadmin // ckan utils methods private CKanUtilsImpl instance; 
@@ -136,12 +129,12 @@ public class GcubeCkanDataCatalogServiceImpl extends RemoteServiceServlet implem * @return the ckan connector access point */ private CkanConnectorAccessPoint getCkanConnectorAccessPoint(String pathInfoParameter, String queryStringParameters) { - + if(outsidePortal()){ - + CkanConnectorAccessPoint ckan = new CkanConnectorAccessPoint(getCkanUtilsObj().getCatalogueUrl()); return ckan; - + } //CKAN BASE URL 
@@ -258,86 +251,60 @@ public class GcubeCkanDataCatalogServiceImpl extends RemoteServiceServlet implem * @see org.gcube.portlets.gcubeckan.gcubeckandatacatalog.client.GcubeCkanDataCatalogService#getMyRole() */ @Override - public CkanRole getMyRole() throws Exception{ - HttpSession httpSession = this.getThreadLocalRequest().getSession(); + public CkanRole getMyRole(){ - // we need to evaluate which roles the user has in this scope - String username = getASLSession(httpSession).getUsername(); - String currentScope = getASLSession(httpSession).getScope(); - String groupName = getASLSession(httpSession).getGroupName(); + // base role as default value + CkanRole toReturn = CkanRole.MEMBER; - try{ + if(!SessionUtil.isIntoPortal()){ + logger.warn("OUT FROM PORTAL DETECTED RETURNING ROLE: "+CkanRole.ADMIN); + toReturn = CkanRole.ADMIN; + }else{ - if(!SessionUtil.isIntoPortal()){ - logger.warn("OUT FROM PORTAL DETECTED RETURNING ROLE: "+CkanRole.ADMIN); - return CkanRole.ADMIN; - } - // first of all, check if the user is a sysadmin in the catalog (in this case he can do everything) - boolean isSysAdmin = getCkanUtilsObj().isSysAdmin(username, getUserCKanTokenFromSession()); + // we need to evaluate which roles the user has in this scope / or in his vre if the current scope is the root + HttpSession httpSession = this.getThreadLocalRequest().getSession(); + ASLSession session = getASLSession(httpSession); + String currentScope = session.getScope(); + String username = session.getUsername(); + String groupName = session.getGroupName(); // e.g. 
devVRE - if(isSysAdmin){ + // check if session expired + if(username.equals(TEST_USER)){ - logger.debug("The user is a sysadmin of the catalog -> he can edit/add"); - return CkanRole.SYSADMIN; + logger.warn("Session expired, returning " + toReturn); }else{ + // check into session + if(session.getAttribute(CKAN_HIGHEST_ROLE) != null){ - // retrieve the liferay's roles for the user - UserManager userManager = new LiferayUserManager(); - RoleManager roleManager = new LiferayRoleManager(); - GroupManager groupManager = new LiferayGroupManager(); - List roles = roleManager.listRolesByUserAndGroup(userManager.getUserId(username), groupManager.getGroupId(groupName)); + toReturn = (CkanRole)session.getAttribute(CKAN_HIGHEST_ROLE); + logger.info("Found user role into session " + toReturn + " and it is going to be returned"); - logger.debug("The list of roles for " + username + " into " + groupName + " is " + roles); + }else{ - // the default one - String mainRole = "Catalogue-Member"; - RolesIntoOrganization correspondentRoleToCheck = RolesIntoOrganization.MEMBER; + CKanUtilsImpl ckanUtils = getCkanUtilsObj(); - // NOTE: it is supposed that there is just one role for this person correspondent to the one in the catalog - for (GCubeRole role : roles) { + // first of all, check if the user is a sysadmin in the catalog (in this case he can do everything) + boolean isSysAdmin = ckanUtils.isSysAdmin(username, getUserCKanTokenFromSession()); - logger.debug("User " + username + " has role " + role.getRoleName() + " in " + currentScope); - if(role.getRoleName().equalsIgnoreCase(GatewayRolesNames.CATALOGUE_ADMIN.getRoleName())){ - mainRole = GatewayRolesNames.CATALOGUE_ADMIN.getRoleName(); - correspondentRoleToCheck = RolesIntoOrganization.ADMIN; - break; - }else if(role.getRoleName().equalsIgnoreCase(GatewayRolesNames.CATALOGUE_EDITOR.getRoleName())){ - mainRole = GatewayRolesNames.CATALOGUE_EDITOR.getRoleName(); - correspondentRoleToCheck = RolesIntoOrganization.EDITOR; - break; + 
if(isSysAdmin){ + + logger.debug("The user is a sysadmin of the catalog -> he can edit/add"); + session.setAttribute(CKAN_HIGHEST_ROLE, CkanRole.SYSADMIN); + toReturn = CkanRole.SYSADMIN; + + }else{ + + toReturn = UserUtil.getHighestRole(currentScope, username, groupName, ckanUtils); + session.setAttribute(CKAN_HIGHEST_ROLE, toReturn); + logger.debug("Set role " + toReturn + " into session for user " + username); } } - - // with this invocation, we check if the role is present in ckan and if it is not it will be added - boolean res = getCkanUtilsObj().checkRole(username, groupName, correspondentRoleToCheck); - - if(res) - return reMapRole(mainRole); } - }catch(Exception e){ - logger.error("Unable to retrieve the role information for this user. Returning member role", e); } - logger.debug("Unable to check the role into ckan organization, returning MEMBER as role"); - // return the base role - return CkanRole.MEMBER; - } - - /** - * Map between roles. - * - * @param mainRole the main role - * @return the ckan role - */ - private CkanRole reMapRole(String mainRole) { - switch(mainRole){ - case "Catalogue-Admin": return CkanRole.ADMIN; - case "Catalogue-Editor": return CkanRole.EDITOR; - case "Catalogue-Member": return CkanRole.MEMBER; - default : return CkanRole.MEMBER; - } + return toReturn; } /* (non-Javadoc) 
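Review bot: The role cached under `CKAN_HIGHEST_ROLE` in the new `getMyRole()` is keyed only by the session, although `UserUtil.getHighestRole` derives it from `currentScope` and `groupName`. If the same ASLSession is reused when the user moves to another VRE or VO (not visible from this hunk), a role obtained in one scope is returned for every other scope, and a role revoked in Liferay or CKAN stays in effect until the session ends. Consider making the key scope-specific, e.g. `session.setAttribute(CKAN_HIGHEST_ROLE + currentScope, toReturn)` with the matching `getAttribute`, and bounding the cache lifetime; the organisation map cached under `CKAN_ORGS_USER_KEY` in `getCkanOrganizationsNamesAndUrlsForUser()` has the same staleness problem. Separately, the `!SessionUtil.isIntoPortal()` branch still returns `CkanRole.ADMIN`, so any misdetection of the portal fails open; confirm that this path cannot be reached in a deployed instance.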
@@ -360,31 +327,40 @@ public class GcubeCkanDataCatalogServiceImpl extends RemoteServiceServlet implem */ private String getUserCKanTokenFromSession(){ - HttpSession httpSession = this.getThreadLocalRequest().getSession(); - ASLSession session = getASLSession(httpSession); - String username = session.getUsername(); - logger.debug("User in session is " + username); + String token = null; - try{ + if(!SessionUtil.isIntoPortal()){ + logger.warn("You are running outside the portal"); + token = TEST_SEC_TOKEN; + }else{ - String token = null; - if(this.getThreadLocalRequest().getSession().getAttribute(CKAN_TOKEN_KEY) != null) - token = (String)this.getThreadLocalRequest().getSession().getAttribute(CKAN_TOKEN_KEY); - else{ + HttpSession httpSession = this.getThreadLocalRequest().getSession(); + ASLSession session = getASLSession(httpSession); + String username = session.getUsername(); - token = getCkanUtilsObj().getApiKeyFromUsername(username); - this.getThreadLocalRequest().getSession().setAttribute(CKAN_TOKEN_KEY, token); - logger.debug("Ckan token has been set for user " + username); + // check if session expired + if(username.equals(TEST_USER)){ + + logger.warn("Session expired, returning null token"); + token = null; + + }else{ + try{ + logger.debug("User in session is " + username); + if(session.getAttribute(CKAN_TOKEN_KEY) != null) + token = (String)session.getAttribute(CKAN_TOKEN_KEY); + else{ + token = getCkanUtilsObj().getApiKeyFromUsername(username); + session.setAttribute(CKAN_TOKEN_KEY, token); + logger.debug("Ckan token has been set for user " + username); + } + logger.debug("Found ckan token " + token.substring(0, 3) + "************************" + " for user " + username); + }catch(Exception e){ + logger.error("Error while retrieving the key" , e); + } } - - logger.debug("Found ckan token " + token + " for user " + username); - return token; - - }catch(Exception e){ - logger.error("Error while retrieving the key" , e); } - return null; - + return token; } 
@Override 
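Review bot: The new `!SessionUtil.isIntoPortal()` branch of `getUserCKanTokenFromSession()` returns `TEST_SEC_TOKEN`, a literal token committed in this class, as the caller's CKAN API key. If that value is accepted by any reachable catalogue it should be rotated and read from development-only configuration, with this branch returning `null` otherwise. In the portal branch, `token.substring(0, 3)` throws when `getApiKeyFromUsername` returns null or a string shorter than three characters; the `catch` then logs "Error while retrieving the key" although the lookup itself did not fail, and the value has already been stored under `CKAN_TOKEN_KEY`. Logging only the presence of the token, e.g. `logger.debug("Ckan token " + (token != null ? "found" : "missing") + " for user " + username);`, avoids the exception and keeps key material out of the log entirely.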
@@ -470,37 +446,39 @@ public class GcubeCkanDataCatalogServiceImpl extends RemoteServiceServlet implem } } + @SuppressWarnings("unchecked") @Override public Map getCkanOrganizationsNamesAndUrlsForUser() { - HttpSession httpSession = this.getThreadLocalRequest().getSession(); - ASLSession session = getASLSession(httpSession); - String username = session.getUsername(); - Map toReturn = new HashMap<>(); if(!SessionUtil.isIntoPortal()){ logger.warn("You are not into the portal"); - // toReturn.put("testVRE", "random"); - // toReturn.put("testVRE2", "random"); - // toReturn.put("testVRE3", "random"); - // toReturn.put("testVRE4", "random"); - // toReturn.put("testVRE5", "random"); + toReturn.put("testVRE", "/organization/devvre"); - } + }else{ - if(username.equals(TEST_USER)) - return toReturn; - else{ + HttpSession httpSession = this.getThreadLocalRequest().getSession(); + ASLSession session = getASLSession(httpSession); + String username = session.getUsername(); - List organizations = instance.getOrganizationsByUser(username); + if(!username.equals(TEST_USER)){ - for (CkanOrganization ckanOrganization : organizations) { - toReturn.put(ckanOrganization.getTitle(), "/organization/" + ckanOrganization.getName()); + // check if the aslsession already has such information + if(session.getAttribute(CKAN_ORGS_USER_KEY) != null){ + toReturn = (Map) session.getAttribute(CKAN_ORGS_USER_KEY); + logger.debug("List of organizations was into the session " + toReturn); + }else{ + logger.debug("Organizations list wasn't into session, retrieving them"); + List organizations = instance.getOrganizationsByUser(username); + for (CkanOrganization ckanOrganization : organizations) { + toReturn.put(ckanOrganization.getTitle(), "/organization/" + ckanOrganization.getName()); + } + logger.debug("List of organizations to return for user " + username + " is " + toReturn); + session.setAttribute(CKAN_ORGS_USER_KEY, toReturn); + } } - - logger.debug("List of organizations to return for user " + 
username + " is " + toReturn); } return toReturn; @@ -508,14 +486,23 @@ public class GcubeCkanDataCatalogServiceImpl extends RemoteServiceServlet implem @Override public boolean outsidePortal() { - HttpSession httpSession = this.getThreadLocalRequest().getSession(); - ASLSession session = getASLSession(httpSession); - String username = session.getUsername(); - if(username.equals(TEST_USER)) - return true; - - return false; + if(!SessionUtil.isIntoPortal()){ + + logger.warn("You are not into the portal"); + return false; + + }else{ + + HttpSession httpSession = this.getThreadLocalRequest().getSession(); + ASLSession session = getASLSession(httpSession); + String username = session.getUsername(); + + if(username.equals(TEST_USER)) + return true; + + return false; + } } /* diff --git a/src/main/java/org/gcube/portlets/gcubeckan/gcubeckandatacatalog/server/UserUtil.java b/src/main/java/org/gcube/portlets/gcubeckan/gcubeckandatacatalog/server/UserUtil.java index c5240d0..fe83d24 100644 --- a/src/main/java/org/gcube/portlets/gcubeckan/gcubeckandatacatalog/server/UserUtil.java +++ b/src/main/java/org/gcube/portlets/gcubeckan/gcubeckandatacatalog/server/UserUtil.java 
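Review bot: `getCkanOrganizationsNamesAndUrlsForUser()` still calls `instance.getOrganizationsByUser(username)` on the field directly, while `getMyRole()` and `getUserCKanTokenFromSession()` in this same commit go through `getCkanUtilsObj()`. If `instance` is initialised lazily by that accessor (its body is not in this diff), this path can dereference a null `instance` when it is the first call to reach the servlet; `getCkanUtilsObj().getOrganizationsByUser(username)` would make the three methods consistent. The `@SuppressWarnings("unchecked")` would also be better placed on a local variable holding the cast from `session.getAttribute(CKAN_ORGS_USER_KEY)` than on the whole method.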
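Review bot: `outsidePortal()` now returns `false` in the branch that logs "You are not into the portal", so the method answers "no" exactly when `SessionUtil.isIntoPortal()` reports that the code is running outside the portal. `getCkanConnectorAccessPoint` uses `if(outsidePortal())` to decide whether to hand back the bare catalogue URL, so this result changes which access point is built. If the method is really meant to report "no logged-in user" (the other hunks treat `TEST_USER` as an expired session), rename it or document it with a line such as `// true when the session carries no authenticated user (TEST_USER)`; otherwise the first branch should `return true;`.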
@@ -6,15 +6,22 @@ package org.gcube.portlets.gcubeckan.gcubeckandatacatalog.server; import java.util.ArrayList; import java.util.List; +import org.gcube.datacatalogue.ckanutillibrary.CKanUtilsImpl; +import org.gcube.datacatalogue.ckanutillibrary.models.RolesIntoOrganization; +import org.gcube.portlets.gcubeckan.gcubeckandatacatalog.shared.CkanRole; import org.gcube.vomanagement.usermanagement.GroupManager; +import org.gcube.vomanagement.usermanagement.RoleManager; import org.gcube.vomanagement.usermanagement.UserManager; import org.gcube.vomanagement.usermanagement.exception.GroupRetrievalFault; import org.gcube.vomanagement.usermanagement.exception.UserManagementSystemException; import org.gcube.vomanagement.usermanagement.exception.UserRetrievalFault; import org.gcube.vomanagement.usermanagement.impl.LiferayGroupManager; +import org.gcube.vomanagement.usermanagement.impl.LiferayRoleManager; import org.gcube.vomanagement.usermanagement.impl.LiferayUserManager; import org.gcube.vomanagement.usermanagement.model.GCubeGroup; +import org.gcube.vomanagement.usermanagement.model.GCubeRole; import org.gcube.vomanagement.usermanagement.model.GCubeUser; +import org.gcube.vomanagement.usermanagement.model.GatewayRolesNames; import org.slf4j.Logger; import org.slf4j.LoggerFactory; 
@@ -60,4 +67,204 @@ public class UserUtil { return null; } } + + /** + * Retrieve the highest ckan role the user has. + * @param currentScope the current scope + * @param username the current username + * @param groupName the current groupName + * @param ckanUtils ckanUtils + */ + public static CkanRole getHighestRole(String currentScope, String username, String groupName, CKanUtilsImpl ckanUtils){ + + // base role as default value + CkanRole toReturn = CkanRole.MEMBER; + + try{ + // retrieve the liferay's roles for the user: we need to check every vre is the current scope is the root + // and just the current one if the scope is a vre, the vres inside the vo if it is a VO. + UserManager userManager = new LiferayUserManager(); + RoleManager roleManager = new LiferayRoleManager(); + GroupManager groupManager = new LiferayGroupManager(); + + // user id + long userid = userManager.getUserId(username); + + // retrieve current group id + long currentGroupId = groupManager.getGroupId(groupName); + + logger.debug("Group id is " + currentGroupId + " and scope is " + currentScope); + + // root + if(groupManager.isRootVO(currentGroupId)){ + + List groups = groupManager.listGroupsByUser(userid); + logger.debug("The list of organizations of the user " + username + " is " + groups); + + for (GCubeGroup gCubeGroup : groups) { + + // skip if it is not a vre + if(!groupManager.isVRE(gCubeGroup.getGroupId())) + continue; + + // get the name of this vre + String vreName = gCubeGroup.getGroupName(); + + // get the role of the users in this vre + List roles = roleManager.listRolesByUserAndGroup(userid, groupManager.getGroupId(vreName)); + + // the default one + RolesIntoOrganization correspondentRoleToCheck = RolesIntoOrganization.MEMBER; + CkanRole ckanRoleMatched = CkanRole.MEMBER; + + // NOTE: it is supposed that there is just one role for this person correspondent to the one in the catalog + for (GCubeRole gCubeRole : roles) { + 
if(gCubeRole.getRoleName().equalsIgnoreCase(GatewayRolesNames.CATALOGUE_ADMIN.getRoleName())){ + logger.debug("User " + username + " has role " + gCubeRole.getRoleName() + " in " + vreName); + correspondentRoleToCheck = RolesIntoOrganization.ADMIN; + ckanRoleMatched = CkanRole.ADMIN; + break; + }else if(gCubeRole.getRoleName().equalsIgnoreCase(GatewayRolesNames.CATALOGUE_EDITOR.getRoleName())){ + logger.debug("User " + username + " has role " + gCubeRole.getRoleName() + " in " + vreName); + correspondentRoleToCheck = RolesIntoOrganization.EDITOR; + ckanRoleMatched = CkanRole.EDITOR; + break; + } + } + + // if the role is member, continue + if(correspondentRoleToCheck.equals(RolesIntoOrganization.MEMBER)) + continue; + + // with this invocation, we check if the role is present in ckan and if it is not it will be added + boolean res = ckanUtils.checkRole(username, vreName, correspondentRoleToCheck); + if(res){ + + // ok, we have a editor/admin role here + if(toReturn.equals(CkanRole.ADMIN)) + continue; // it is already the highest + else if(toReturn.equals(CkanRole.EDITOR) && correspondentRoleToCheck.equals(RolesIntoOrganization.ADMIN)) + toReturn = CkanRole.ADMIN; + else if(toReturn.equals(CkanRole.MEMBER)) + toReturn = ckanRoleMatched; + } + } + + // set the role + logger.debug("Setting role " + toReturn + " into session for user " + username); + + }else if(groupManager.isVO(currentGroupId)){ + + List groups = groupManager.listGroupsByUser(userid); + + logger.debug("The list of organizations of the user " + username + " is " + groups); + + for (GCubeGroup gCubeGroup : groups) { + + // skip if it is not a vre + if(!groupManager.isVRE(gCubeGroup.getGroupId())) + continue; + + // check if this vre is a child of the vo + if(currentGroupId != gCubeGroup.getParentGroupId()) + continue; + + String vreName = gCubeGroup.getGroupName(); + + List roles = roleManager.listRolesByUserAndGroup(userid, groupManager.getGroupId(vreName)); + + // the default one + 
RolesIntoOrganization correspondentRoleToCheck = RolesIntoOrganization.MEMBER; + CkanRole ckanRoleMatched = CkanRole.MEMBER; + + // NOTE: it is supposed that there is just one role for this person correspondent to the one in the catalog + for (GCubeRole gCubeRole : roles) { + + logger.debug("User " + username + " has role " + gCubeRole.getRoleName() + " in " + vreName); + if(gCubeRole.getRoleName().equalsIgnoreCase(GatewayRolesNames.CATALOGUE_ADMIN.getRoleName())){ + correspondentRoleToCheck = RolesIntoOrganization.ADMIN; + ckanRoleMatched = CkanRole.ADMIN; + break; + }else if(gCubeRole.getRoleName().equalsIgnoreCase(GatewayRolesNames.CATALOGUE_EDITOR.getRoleName())){ + correspondentRoleToCheck = RolesIntoOrganization.EDITOR; + ckanRoleMatched = CkanRole.EDITOR; + break; + } + } + + // if the role is member, continue + if(correspondentRoleToCheck.equals(RolesIntoOrganization.MEMBER)) + continue; + + // with this invocation, we check if the role is present in ckan and if it is not it will be added + boolean res = ckanUtils.checkRole(username, vreName, correspondentRoleToCheck); + if(res){ + + // ok, we have a editor/admin role here + if(toReturn.equals(CkanRole.ADMIN)) + continue; // it is already the highest + else if(toReturn.equals(CkanRole.EDITOR) && correspondentRoleToCheck.equals(RolesIntoOrganization.ADMIN)) + toReturn = CkanRole.ADMIN; + else if(toReturn.equals(CkanRole.MEMBER)) + toReturn = ckanRoleMatched; + } + } + + // set the role + logger.debug("Setting role " + toReturn + " into session for user " + username ); + + }else if(groupManager.isVRE(currentGroupId)){ // vre + List roles = roleManager.listRolesByUserAndGroup(userManager.getUserId(username), groupManager.getGroupId(groupName)); + + logger.debug("The list of roles for " + username + " into " + groupName + " is " + roles); + + // the default one + String mainRole = "Catalogue-Member"; + RolesIntoOrganization correspondentRoleToCheck = RolesIntoOrganization.MEMBER; + + // NOTE: it is supposed 
that there is just one role for this person correspondent to the one in the catalog + for (GCubeRole role : roles) { + + logger.debug("User " + username + " has role " + role.getRoleName() + " in " + currentScope); + if(role.getRoleName().equalsIgnoreCase(GatewayRolesNames.CATALOGUE_ADMIN.getRoleName())){ + mainRole = GatewayRolesNames.CATALOGUE_ADMIN.getRoleName(); + correspondentRoleToCheck = RolesIntoOrganization.ADMIN; + break; + }else if(role.getRoleName().equalsIgnoreCase(GatewayRolesNames.CATALOGUE_EDITOR.getRoleName())){ + mainRole = GatewayRolesNames.CATALOGUE_EDITOR.getRoleName(); + correspondentRoleToCheck = RolesIntoOrganization.EDITOR; + break; + } + } + + // with this invocation, we check if the role is present in ckan and if it is not it will be added + boolean res = ckanUtils.checkRole(username, groupName, correspondentRoleToCheck); + + if(res){ + // set the role + toReturn = mapRoleLiferayToCkan(mainRole); + } + } + }catch(Exception e){ + logger.error("Unable to retrieve the role information for this user. Returning member role", e); + toReturn = CkanRole.MEMBER; + } + + return toReturn; + } + + /** + * Map between roles. + * + * @param mainRole the main role + * @return the ckan role + */ + public static CkanRole mapRoleLiferayToCkan(String mainRole) { + switch(mainRole){ + case "Catalogue-Admin": return CkanRole.ADMIN; + case "Catalogue-Editor": return CkanRole.EDITOR; + case "Catalogue-Member": + default : return CkanRole.MEMBER; + } + } }
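Review bot: The root-VO and VO branches of `getHighestRole` are near copies of each other, and the Liferay-to-CKAN role matching loop appears three times with small differences (the VRE branch goes through `mapRoleLiferayToCkan`, the other two set `ckanRoleMatched` directly). Because this method decides the privilege level and, per its own comment, `checkRole` adds the role in CKAN when it is missing, a single helper for the matching keeps the mapping auditable in one place; a sketch follows, and the `RolesIntoOrganization` value can be derived from its result in the same way. The Javadoc should also gain an `@return` line and state that `CkanRole.MEMBER` is returned on any exception, since `getMyRole()` caches the result in the session and a transient Liferay failure would pin the user to MEMBER for the rest of that session.

```java
// … unchanged: manager setup, root/VO/VRE branch selection, checkRole calls …

/** Returns the catalogue role named by the first matching Liferay role, MEMBER if none matches. */
private static CkanRole matchCatalogueRole(List<GCubeRole> roles){
	for (GCubeRole role : roles) {
		String name = role.getRoleName();
		if(name.equalsIgnoreCase(GatewayRolesNames.CATALOGUE_ADMIN.getRoleName()))
			return CkanRole.ADMIN;
		if(name.equalsIgnoreCase(GatewayRolesNames.CATALOGUE_EDITOR.getRoleName()))
			return CkanRole.EDITOR;
	}
	return CkanRole.MEMBER;
}
```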