2017-11-30 18:06:08 +01:00
|
|
|
/**
|
|
|
|
|
*
|
|
|
|
|
*/
|
2020-01-27 17:07:37 +01:00
|
|
|
package org.gcube.informationsystem.resourceregistry.contexts.security;
|
2017-11-30 18:06:08 +01:00
|
|
|
|
2019-02-13 12:33:29 +01:00
|
|
|
import java.util.ArrayList;
|
2017-11-30 18:06:08 +01:00
|
|
|
import java.util.HashMap;
|
2017-12-05 10:10:34 +01:00
|
|
|
import java.util.HashSet;
|
2019-02-13 12:33:29 +01:00
|
|
|
import java.util.List;
|
2017-11-30 18:06:08 +01:00
|
|
|
import java.util.Map;
|
2017-12-05 10:10:34 +01:00
|
|
|
import java.util.Set;
|
2017-11-30 18:06:08 +01:00
|
|
|
import java.util.UUID;
|
|
|
|
|
import java.util.concurrent.Callable;
|
|
|
|
|
import java.util.concurrent.ExecutorService;
|
|
|
|
|
import java.util.concurrent.Executors;
|
|
|
|
|
import java.util.concurrent.Future;
|
|
|
|
|
|
2021-10-25 11:40:47 +02:00
|
|
|
import org.gcube.informationsystem.contexts.reference.entities.Context;
|
2017-11-30 18:06:08 +01:00
|
|
|
import org.gcube.informationsystem.resourceregistry.api.exceptions.ResourceRegistryException;
|
2020-01-27 17:07:37 +01:00
|
|
|
import org.gcube.informationsystem.resourceregistry.contexts.ContextUtility;
|
2017-11-30 18:06:08 +01:00
|
|
|
import org.gcube.informationsystem.resourceregistry.dbinitialization.DatabaseEnvironment;
|
2023-05-02 14:48:38 +02:00
|
|
|
import org.gcube.informationsystem.resourceregistry.requests.RequestUtility;
|
2023-05-11 18:35:56 +02:00
|
|
|
import org.gcube.informationsystem.resourceregistry.utils.DBUtility;
|
2021-10-21 16:32:05 +02:00
|
|
|
import org.gcube.informationsystem.utils.UUIDManager;
|
2017-11-30 18:06:08 +01:00
|
|
|
import org.slf4j.Logger;
|
|
|
|
|
import org.slf4j.LoggerFactory;
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
import com.arcadedb.database.Document;
|
|
|
|
|
import com.arcadedb.database.Identifiable;
|
|
|
|
|
import com.arcadedb.database.MutableDocument;
|
|
|
|
|
import com.arcadedb.database.RID;
|
|
|
|
|
import com.arcadedb.database.Record;
|
|
|
|
|
import com.arcadedb.remote.RemoteDatabase;
|
2019-02-13 12:33:29 +01:00
|
|
|
import com.orientechnologies.orient.core.db.ODatabasePool;
|
2019-11-05 18:36:44 +01:00
|
|
|
import com.orientechnologies.orient.core.db.document.ODatabaseDocument;
|
2020-11-03 16:30:24 +01:00
|
|
|
import com.orientechnologies.orient.core.db.record.OIdentifiable;
|
|
|
|
|
import com.orientechnologies.orient.core.db.record.ORecordLazySet;
|
2017-11-30 18:06:08 +01:00
|
|
|
import com.orientechnologies.orient.core.metadata.security.ORestrictedOperation;
|
|
|
|
|
import com.orientechnologies.orient.core.metadata.security.ORole;
|
|
|
|
|
import com.orientechnologies.orient.core.metadata.security.OSecurity;
|
|
|
|
|
import com.orientechnologies.orient.core.metadata.security.OSecurityRole.ALLOW_MODES;
|
|
|
|
|
import com.orientechnologies.orient.core.metadata.security.OUser;
|
2019-11-05 18:36:44 +01:00
|
|
|
import com.orientechnologies.orient.core.record.OElement;
|
|
|
|
|
import com.orientechnologies.orient.core.record.ORecord;
|
2017-11-30 18:06:08 +01:00
|
|
|
import com.orientechnologies.orient.core.record.impl.ODocument;
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @author Luca Frosini (ISTI - CNR)
|
|
|
|
|
*/
|
|
|
|
|
public class SecurityContext {
|
|
|
|
|
|
|
|
|
|
private static Logger logger = LoggerFactory.getLogger(SecurityContext.class);
|
|
|
|
|
|
|
|
|
|
protected static final String DEFAULT_WRITER_ROLE = "writer";
|
|
|
|
|
protected static final String DEFAULT_READER_ROLE = "reader";
|
|
|
|
|
|
2020-10-27 15:12:11 +01:00
|
|
|
/*
|
|
|
|
|
* H stand for Hierarchical
|
|
|
|
|
*/
|
2017-11-30 18:06:08 +01:00
|
|
|
public static final String H = "H";
|
|
|
|
|
|
2020-10-27 15:12:11 +01:00
|
|
|
protected final boolean hierarchical;
|
2017-11-30 18:06:08 +01:00
|
|
|
|
|
|
|
|
public enum SecurityType {
|
|
|
|
|
ROLE("Role"), USER("User");
|
|
|
|
|
|
|
|
|
|
private final String name;
|
|
|
|
|
|
|
|
|
|
private SecurityType(String name) {
|
|
|
|
|
this.name = name;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public String toString() {
|
|
|
|
|
return name;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public enum PermissionMode {
|
|
|
|
|
READER("Reader"), WRITER("Writer");
|
|
|
|
|
|
|
|
|
|
private final String name;
|
|
|
|
|
|
|
|
|
|
private PermissionMode(String name) {
|
|
|
|
|
this.name = name;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public String toString() {
|
|
|
|
|
return name;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
protected final UUID context;
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
protected final Map<Boolean,Map<PermissionMode,RemoteDatabase>> databasesMap;
|
2017-11-30 18:06:08 +01:00
|
|
|
|
|
|
|
|
protected SecurityContext parentSecurityContext;
|
|
|
|
|
|
2017-12-05 10:10:34 +01:00
|
|
|
protected Set<SecurityContext> children;
|
|
|
|
|
|
2020-10-27 15:12:11 +01:00
|
|
|
protected boolean isHierarchicalMode() {
|
2023-05-02 14:48:38 +02:00
|
|
|
return hierarchical && RequestUtility.getRequestInfo().get().isHierarchicalMode();
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public void setParentSecurityContext(SecurityContext parentSecurityContext) {
|
2017-12-05 10:10:34 +01:00
|
|
|
if(this.parentSecurityContext!=null) {
|
|
|
|
|
this.parentSecurityContext.getChildren().remove(this);
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-30 18:06:08 +01:00
|
|
|
this.parentSecurityContext = parentSecurityContext;
|
2017-12-05 10:10:34 +01:00
|
|
|
if(parentSecurityContext!=null) {
|
|
|
|
|
this.parentSecurityContext.addChild(this);
|
|
|
|
|
}
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public SecurityContext getParentSecurityContext() {
|
|
|
|
|
return parentSecurityContext;
|
|
|
|
|
}
|
|
|
|
|
|
2017-12-05 10:10:34 +01:00
|
|
|
private void addChild(SecurityContext child) {
|
|
|
|
|
this.children.add(child);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public Set<SecurityContext> getChildren(){
|
|
|
|
|
return this.children;
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
protected RemoteDatabase getAdminDatabaseDocument() throws ResourceRegistryException {
|
|
|
|
|
return ContextUtility.getAdminSecurityContext().getRemoteDatabase(PermissionMode.WRITER);
|
2019-02-13 12:33:29 +01:00
|
|
|
}
|
|
|
|
|
|
2017-12-05 10:10:34 +01:00
|
|
|
/**
|
|
|
|
|
* @return a set containing all children and recursively
|
|
|
|
|
* all children.
|
|
|
|
|
*/
|
|
|
|
|
private Set<SecurityContext> getAllChildren(){
|
|
|
|
|
Set<SecurityContext> allChildren = new HashSet<>();
|
|
|
|
|
allChildren.add(this);
|
|
|
|
|
for(SecurityContext securityContext : getChildren()) {
|
|
|
|
|
allChildren.addAll(securityContext.getAllChildren());
|
|
|
|
|
}
|
|
|
|
|
return allChildren;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @return
|
|
|
|
|
*/
|
|
|
|
|
private Set<SecurityContext> getAllParents(){
|
|
|
|
|
Set<SecurityContext> allParents = new HashSet<>();
|
|
|
|
|
SecurityContext parent = getParentSecurityContext();
|
|
|
|
|
while(parent!=null) {
|
|
|
|
|
allParents.add(parent);
|
|
|
|
|
parent = parent.getParentSecurityContext();
|
|
|
|
|
}
|
|
|
|
|
return allParents;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2017-11-30 18:06:08 +01:00
|
|
|
/**
|
|
|
|
|
* Use to change the parent not to set the first time
|
|
|
|
|
*
|
|
|
|
|
* @param newParentSecurityContext
|
|
|
|
|
* @param orientGraph
|
2017-12-05 10:10:34 +01:00
|
|
|
* @throws ResourceRegistryException
|
2017-11-30 18:06:08 +01:00
|
|
|
*/
|
2023-05-11 18:35:56 +02:00
|
|
|
public void changeParentSecurityContext(SecurityContext newParentSecurityContext, RemoteDatabase database) throws ResourceRegistryException {
|
2020-10-27 15:12:11 +01:00
|
|
|
if(!hierarchical) {
|
2017-12-05 10:10:34 +01:00
|
|
|
StringBuilder errorMessage = new StringBuilder();
|
|
|
|
|
errorMessage.append("Cannot change parent ");
|
|
|
|
|
errorMessage.append(SecurityContext.class.getSimpleName());
|
|
|
|
|
errorMessage.append(" to non hierarchic ");
|
|
|
|
|
errorMessage.append(SecurityContext.class.getSimpleName());
|
|
|
|
|
errorMessage.append(". ");
|
2023-05-11 18:35:56 +02:00
|
|
|
errorMessage.append(DBUtility.SHOULD_NOT_OCCUR_ERROR_MESSAGE);
|
2017-12-05 10:10:34 +01:00
|
|
|
final String error = errorMessage.toString();
|
|
|
|
|
logger.error(error);
|
|
|
|
|
throw new RuntimeException(error);
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
// OSecurity oSecurity = getOSecurity(database);
|
2017-12-05 10:10:34 +01:00
|
|
|
|
|
|
|
|
Set<SecurityContext> allChildren = getAllChildren();
|
|
|
|
|
|
|
|
|
|
Set<SecurityContext> oldParents = getAllParents();
|
|
|
|
|
|
|
|
|
|
Set<SecurityContext> newParents = new HashSet<>();
|
|
|
|
|
if(newParentSecurityContext!=null) {
|
|
|
|
|
newParents = newParentSecurityContext.getAllParents();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* From old parents I remove the new parents so that oldParents
|
|
|
|
|
* contains only the parents where I have to remove all
|
|
|
|
|
* HReaderRole-UUID e HWriterRole-UUID of allChildren by using
|
|
|
|
|
* removeHierarchicRoleFromParent() function
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
oldParents.removeAll(newParents);
|
2023-05-11 18:35:56 +02:00
|
|
|
removeChildrenHRolesFromParents(database, oldParents, allChildren);
|
2017-12-05 10:10:34 +01:00
|
|
|
|
2017-11-30 18:06:08 +01:00
|
|
|
setParentSecurityContext(newParentSecurityContext);
|
2017-12-05 10:10:34 +01:00
|
|
|
|
|
|
|
|
if(newParentSecurityContext!=null){
|
|
|
|
|
for(PermissionMode permissionMode : PermissionMode.values()) {
|
2023-05-11 18:35:56 +02:00
|
|
|
List<Role> roles = new ArrayList<>();
|
2017-12-05 10:10:34 +01:00
|
|
|
for(SecurityContext child : allChildren) {
|
|
|
|
|
String roleName = child.getSecurityRoleOrUserName(permissionMode, SecurityType.ROLE, true);
|
2023-05-11 18:35:56 +02:00
|
|
|
Role role = database.getRole(roleName);
|
2019-02-13 12:33:29 +01:00
|
|
|
roles.add(role);
|
2017-12-05 10:10:34 +01:00
|
|
|
}
|
2023-05-11 18:35:56 +02:00
|
|
|
newParentSecurityContext.addHierarchicalRoleToParent(database, permissionMode, roles.toArray(new Role[allChildren.size()]));
|
2017-12-05 10:10:34 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
|
2020-10-27 15:12:11 +01:00
|
|
|
protected SecurityContext(UUID context, boolean hierarchical) throws ResourceRegistryException {
|
2017-11-30 18:06:08 +01:00
|
|
|
this.context = context;
|
2023-05-11 18:35:56 +02:00
|
|
|
this.databasesMap = new HashMap<>();
|
2020-10-27 15:12:11 +01:00
|
|
|
this.hierarchical = hierarchical;
|
2017-12-05 10:10:34 +01:00
|
|
|
this.children = new HashSet<>();
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public SecurityContext(UUID context) throws ResourceRegistryException {
|
|
|
|
|
this(context, true);
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
private synchronized RemoteDatabase getPool(PermissionMode permissionMode, boolean recreate) {
|
|
|
|
|
RemoteDatabase db = null;
|
2019-02-13 12:33:29 +01:00
|
|
|
|
2020-10-27 15:12:11 +01:00
|
|
|
Boolean h = isHierarchicalMode();
|
2019-02-13 12:33:29 +01:00
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
Map<PermissionMode,RemoteDatabase> databases = databasesMap.get(h);
|
|
|
|
|
if(databases == null) {
|
|
|
|
|
databases = new HashMap<>();
|
|
|
|
|
databasesMap.put(h, databases);
|
2019-02-13 12:33:29 +01:00
|
|
|
} else {
|
|
|
|
|
if(recreate) {
|
2023-05-11 18:35:56 +02:00
|
|
|
db = databases.get(permissionMode);
|
|
|
|
|
if(db!=null) {
|
|
|
|
|
db.close();
|
|
|
|
|
databases.remove(permissionMode);
|
2019-02-13 12:33:29 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
db = databases.get(permissionMode);
|
2019-02-13 12:33:29 +01:00
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
if(db == null) {
|
2019-02-13 12:33:29 +01:00
|
|
|
|
|
|
|
|
String username = getSecurityRoleOrUserName(permissionMode, SecurityType.USER, h);
|
|
|
|
|
String password = DatabaseEnvironment.DEFAULT_PASSWORDS.get(permissionMode);
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
db = new RemoteDatabase(DatabaseEnvironment.HOST, DatabaseEnvironment.PORT, DatabaseEnvironment.DB ,username, password);
|
2019-02-13 12:33:29 +01:00
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
databases.put(permissionMode, db);
|
2019-02-13 12:33:29 +01:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
return db;
|
2019-02-13 12:33:29 +01:00
|
|
|
}
|
|
|
|
|
|
2017-11-30 18:06:08 +01:00
|
|
|
public UUID getUUID() {
|
|
|
|
|
return context;
|
|
|
|
|
}
|
|
|
|
|
|
2020-11-03 16:30:24 +01:00
|
|
|
public static String getRoleOrUserName(PermissionMode permissionMode, SecurityType securityType) {
|
|
|
|
|
return getRoleOrUserName(permissionMode, securityType, false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public static String getRoleOrUserName(PermissionMode permissionMode, SecurityType securityType,
|
2017-11-30 18:06:08 +01:00
|
|
|
boolean hierarchic) {
|
|
|
|
|
StringBuilder stringBuilder = new StringBuilder();
|
|
|
|
|
if(hierarchic) {
|
|
|
|
|
stringBuilder.append(H);
|
|
|
|
|
}
|
|
|
|
|
stringBuilder.append(permissionMode);
|
|
|
|
|
stringBuilder.append(securityType);
|
2020-11-03 16:30:24 +01:00
|
|
|
return stringBuilder.toString();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
public String getSecurityRoleOrUserName(PermissionMode permissionMode, SecurityType securityType,
|
|
|
|
|
boolean hierarchic) {
|
|
|
|
|
StringBuilder stringBuilder = new StringBuilder();
|
|
|
|
|
stringBuilder.append(getRoleOrUserName(permissionMode, securityType, hierarchic));
|
2017-11-30 18:06:08 +01:00
|
|
|
stringBuilder.append("_");
|
|
|
|
|
stringBuilder.append(context.toString());
|
|
|
|
|
return stringBuilder.toString();
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
public static Set<String> getContexts(Document element) {
|
2020-11-03 16:30:24 +01:00
|
|
|
Set<String> contexts = new HashSet<>();
|
|
|
|
|
ORecordLazySet oRecordLazySet = element.getProperty(OSecurity.ALLOW_ALL_FIELD);
|
2023-05-11 18:35:56 +02:00
|
|
|
for (Identifiable identifiable : oRecordLazySet) {
|
|
|
|
|
Document oDocument = (Document) identifiable;
|
|
|
|
|
String name = oDocument.getString("name");
|
2020-11-03 16:30:24 +01:00
|
|
|
if (name.startsWith(getRoleOrUserName(PermissionMode.WRITER, SecurityType.ROLE))
|
|
|
|
|
|| name.startsWith(getRoleOrUserName(PermissionMode.READER, SecurityType.ROLE))) {
|
|
|
|
|
String[] list = name.split("_");
|
|
|
|
|
if (list.length == 2) {
|
|
|
|
|
String contextUUID = list[1];
|
2023-04-18 17:52:07 +02:00
|
|
|
if (!UUIDManager.getInstance().isReservedUUID(contextUUID)) {
|
2020-11-03 16:30:24 +01:00
|
|
|
contexts.add(contextUUID);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return contexts;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
public void addElement(Document element) throws ResourceRegistryException {
|
|
|
|
|
RemoteDatabase current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
|
|
|
|
|
RemoteDatabase adminDatabase = null;
|
2021-09-16 15:23:04 +02:00
|
|
|
try {
|
2023-05-11 18:35:56 +02:00
|
|
|
adminDatabase = getAdminDatabaseDocument();
|
|
|
|
|
addElement(element, adminDatabase);
|
2021-09-16 15:23:04 +02:00
|
|
|
}finally {
|
2023-05-11 18:35:56 +02:00
|
|
|
if(adminDatabase!=null) {
|
|
|
|
|
adminDatabase.close();
|
2021-09-16 15:23:04 +02:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
// if(current!=null) {
|
|
|
|
|
// current.activateOnCurrentThread();
|
|
|
|
|
// }
|
2019-11-05 18:36:44 +01:00
|
|
|
}
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
protected void allow(RemoteDatabase database, Document document, boolean hierarchic) {
|
2017-11-30 18:06:08 +01:00
|
|
|
String writerRoleName = getSecurityRoleOrUserName(PermissionMode.WRITER, SecurityType.ROLE, hierarchic);
|
2023-05-11 18:35:56 +02:00
|
|
|
|
|
|
|
|
oSecurity.allowRole(document, RestrictedOperation.ALLOW_ALL, writerRoleName);
|
|
|
|
|
|
2017-11-30 18:06:08 +01:00
|
|
|
String readerRoleName = getSecurityRoleOrUserName(PermissionMode.READER, SecurityType.ROLE, hierarchic);
|
2023-05-11 18:35:56 +02:00
|
|
|
|
|
|
|
|
oSecurity.allowRole(document, RestrictedOperation.ALLOW_READ, readerRoleName);
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
public boolean isElementInContext(final Document element) throws ResourceRegistryException {
|
|
|
|
|
RID rid = element.getIdentity();
|
|
|
|
|
RemoteDatabase current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
|
|
|
|
|
RemoteDatabase database = null;
|
2021-02-02 16:50:48 +01:00
|
|
|
|
2021-09-16 15:23:04 +02:00
|
|
|
try {
|
2023-05-11 18:35:56 +02:00
|
|
|
database = getRemoteDatabase(PermissionMode.READER);
|
2021-09-16 15:23:04 +02:00
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
return database.existsRecord(rid);
|
2021-09-16 15:23:04 +02:00
|
|
|
|
|
|
|
|
} finally {
|
2023-05-11 18:35:56 +02:00
|
|
|
if(database!=null) {
|
|
|
|
|
database.close();
|
2021-09-16 15:23:04 +02:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
// if(current!=null) {
|
|
|
|
|
// current.activateOnCurrentThread();
|
|
|
|
|
// }
|
2021-02-02 16:50:48 +01:00
|
|
|
}
|
2021-09-16 15:23:04 +02:00
|
|
|
|
2021-02-02 16:50:48 +01:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
public void addElement(Document document, RemoteDatabase database) {
|
|
|
|
|
allow(database, document, false);
|
2020-10-27 15:12:11 +01:00
|
|
|
if(hierarchical) {
|
2023-05-11 18:35:56 +02:00
|
|
|
allow(database, document, true);
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
2023-05-11 18:35:56 +02:00
|
|
|
// document.save();
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
public void removeElement(Document document) throws ResourceRegistryException {
|
|
|
|
|
RemoteDatabase current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
|
|
|
|
|
RemoteDatabase adminDatabase = null;
|
2021-09-16 15:23:04 +02:00
|
|
|
try {
|
2023-05-11 18:35:56 +02:00
|
|
|
adminDatabase = getAdminDatabaseDocument();
|
|
|
|
|
removeElement(document, adminDatabase);
|
2021-09-16 15:23:04 +02:00
|
|
|
}finally {
|
2023-05-11 18:35:56 +02:00
|
|
|
if(adminDatabase!=null) {
|
|
|
|
|
adminDatabase.close();
|
2021-09-16 15:23:04 +02:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
// if(current!=null) {
|
|
|
|
|
// current.activateOnCurrentThread();
|
|
|
|
|
// }
|
2019-11-05 18:36:44 +01:00
|
|
|
}
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
protected void deny(RemoteDatabase database, Document document, boolean hierarchical) {
|
2017-11-30 18:06:08 +01:00
|
|
|
// The element could be created in such a context so the writerUser for the
|
2017-12-05 10:10:34 +01:00
|
|
|
// context is allowed by default because it was the creator
|
2020-10-27 15:12:11 +01:00
|
|
|
String writerUserName = getSecurityRoleOrUserName(PermissionMode.WRITER, SecurityType.USER, hierarchical);
|
2023-05-11 18:35:56 +02:00
|
|
|
oSecurity.denyUser(document, RestrictedOperation.ALLOW_ALL, writerUserName);
|
2020-10-27 15:12:11 +01:00
|
|
|
String readerUserName = getSecurityRoleOrUserName(PermissionMode.WRITER, SecurityType.USER, hierarchical);
|
2023-05-11 18:35:56 +02:00
|
|
|
oSecurity.denyUser(document, RestrictedOperation.ALLOW_READ, readerUserName);
|
2017-11-30 18:06:08 +01:00
|
|
|
|
2020-10-27 15:12:11 +01:00
|
|
|
String writerRoleName = getSecurityRoleOrUserName(PermissionMode.WRITER, SecurityType.ROLE, hierarchical);
|
2023-05-11 18:35:56 +02:00
|
|
|
oSecurity.denyRole(document, RestrictedOperation.ALLOW_ALL, writerRoleName);
|
2020-10-27 15:12:11 +01:00
|
|
|
String readerRoleName = getSecurityRoleOrUserName(PermissionMode.READER, SecurityType.ROLE, hierarchical);
|
2023-05-11 18:35:56 +02:00
|
|
|
oSecurity.denyRole(document, RestrictedOperation.ALLOW_READ, readerRoleName);
|
2017-11-30 18:06:08 +01:00
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
public void removeElement(Document document, RemoteDatabase database) {
|
|
|
|
|
deny(database, document, false);
|
2020-10-27 15:12:11 +01:00
|
|
|
if(hierarchical) {
|
2023-05-11 18:35:56 +02:00
|
|
|
deny(database, document, true);
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
2023-05-11 18:35:56 +02:00
|
|
|
// document.save();
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
protected boolean allowed(final ORole role, final Document document) {
|
2017-11-30 18:06:08 +01:00
|
|
|
|
|
|
|
|
ExecutorService executor = Executors.newSingleThreadExecutor();
|
|
|
|
|
|
|
|
|
|
Callable<Boolean> callable = new Callable<Boolean>() {
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public Boolean call() throws Exception {
|
2023-05-02 14:48:38 +02:00
|
|
|
RequestUtility.getRequestInfo().get().setHierarchicalMode(false);
|
2021-09-16 15:23:04 +02:00
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
RemoteDatabase current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
|
|
|
|
|
RemoteDatabase database = null;
|
2017-11-30 18:06:08 +01:00
|
|
|
try {
|
2023-05-11 18:35:56 +02:00
|
|
|
database = getRemoteDatabase(PermissionMode.READER);
|
|
|
|
|
// database.activateOnCurrentThread();
|
|
|
|
|
return database.existsRecord(document.getIdentity());
|
2017-11-30 18:06:08 +01:00
|
|
|
} catch(Exception e) {
|
|
|
|
|
return false;
|
|
|
|
|
} finally {
|
2023-05-11 18:35:56 +02:00
|
|
|
if(database!=null) {
|
|
|
|
|
database.close();
|
2021-09-16 15:23:04 +02:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
// if(current!=null) {
|
|
|
|
|
// current.activateOnCurrentThread();
|
|
|
|
|
// }
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
Future<Boolean> result = executor.submit(callable);
|
|
|
|
|
try {
|
|
|
|
|
return result.get();
|
|
|
|
|
} catch(Exception e) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public void create() throws ResourceRegistryException {
|
2023-05-11 18:35:56 +02:00
|
|
|
RemoteDatabase current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
|
|
|
|
|
RemoteDatabase adminDatabase = null;
|
2021-09-16 15:23:04 +02:00
|
|
|
try {
|
2023-05-11 18:35:56 +02:00
|
|
|
adminDatabase = getAdminDatabaseDocument();
|
2021-09-16 15:23:04 +02:00
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
create(adminDatabase);
|
2021-09-16 15:23:04 +02:00
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
adminDatabase.commit();
|
2021-09-16 15:23:04 +02:00
|
|
|
} finally {
|
2023-05-11 18:35:56 +02:00
|
|
|
if(adminDatabase!=null) {
|
|
|
|
|
adminDatabase.close();
|
2021-09-16 15:23:04 +02:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
// if(current!=null) {
|
|
|
|
|
// current.activateOnCurrentThread();
|
|
|
|
|
// }
|
2019-11-05 18:36:44 +01:00
|
|
|
}
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
protected Role addExtraRules(Role role, PermissionMode permissionMode) {
|
2017-11-30 18:06:08 +01:00
|
|
|
return role;
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
protected Role getSuperRole(RemoteDatabase database, PermissionMode permissionMode) {
|
2017-12-05 10:10:34 +01:00
|
|
|
String superRoleName = permissionMode.name().toLowerCase();
|
2023-05-11 18:35:56 +02:00
|
|
|
return database.getRole(superRoleName);
|
2017-12-05 10:10:34 +01:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
protected void addHierarchicalRoleToParent(RemoteDatabase database, PermissionMode permissionMode, ORole... roles) {
|
2017-12-05 10:10:34 +01:00
|
|
|
String userName = getSecurityRoleOrUserName(permissionMode, SecurityType.USER, true);
|
2023-05-11 18:35:56 +02:00
|
|
|
User user = database.getUser(userName);
|
|
|
|
|
for(Role role : roles) {
|
2019-02-13 12:33:29 +01:00
|
|
|
user.addRole(role);
|
|
|
|
|
}
|
2017-12-05 10:10:34 +01:00
|
|
|
user.save();
|
|
|
|
|
|
|
|
|
|
if(getParentSecurityContext() != null) {
|
2023-05-11 18:35:56 +02:00
|
|
|
getParentSecurityContext().addHierarchicalRoleToParent(database, permissionMode, roles);
|
2017-12-05 10:10:34 +01:00
|
|
|
}
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
protected void createRolesAndUsers(RemoteDatabase database) {
|
2017-11-30 18:06:08 +01:00
|
|
|
boolean[] booleanArray;
|
2020-10-27 15:12:11 +01:00
|
|
|
if(hierarchical) {
|
2017-11-30 18:06:08 +01:00
|
|
|
booleanArray = new boolean[] {false, true};
|
|
|
|
|
} else {
|
|
|
|
|
booleanArray = new boolean[] {false};
|
|
|
|
|
}
|
|
|
|
|
|
2020-10-27 15:12:11 +01:00
|
|
|
for(boolean hierarchical : booleanArray) {
|
2017-11-30 18:06:08 +01:00
|
|
|
for(PermissionMode permissionMode : PermissionMode.values()) {
|
2023-05-11 18:35:56 +02:00
|
|
|
Role superRole = getSuperRole(database, permissionMode);
|
2017-11-30 18:06:08 +01:00
|
|
|
|
2020-10-27 15:12:11 +01:00
|
|
|
String roleName = getSecurityRoleOrUserName(permissionMode, SecurityType.ROLE, hierarchical);
|
2023-05-11 18:35:56 +02:00
|
|
|
Role role = database.createRole(roleName, superRole, ALLOW_MODES.DENY_ALL_BUT);
|
2017-11-30 18:06:08 +01:00
|
|
|
addExtraRules(role, permissionMode);
|
|
|
|
|
role.save();
|
|
|
|
|
logger.trace("{} created", role);
|
|
|
|
|
|
2020-10-27 15:12:11 +01:00
|
|
|
if(hierarchical && getParentSecurityContext() != null) {
|
2023-05-11 18:35:56 +02:00
|
|
|
getParentSecurityContext().addHierarchicalRoleToParent(database, permissionMode, role);
|
2017-12-05 10:10:34 +01:00
|
|
|
}
|
|
|
|
|
|
2020-10-27 15:12:11 +01:00
|
|
|
String userName = getSecurityRoleOrUserName(permissionMode, SecurityType.USER, hierarchical);
|
2023-05-11 18:35:56 +02:00
|
|
|
User user = database.createUser(userName, DatabaseEnvironment.DEFAULT_PASSWORDS.get(permissionMode),
|
2017-11-30 18:06:08 +01:00
|
|
|
role);
|
|
|
|
|
user.save();
|
|
|
|
|
logger.trace("{} created", user);
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-12-05 10:10:34 +01:00
|
|
|
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
public void create(RemoteDatabase database) {
|
|
|
|
|
createRolesAndUsers(database);
|
2017-11-30 18:06:08 +01:00
|
|
|
logger.trace("Security Context (roles and users) with UUID {} successfully created", context.toString());
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
private void drop(RemoteDatabase database, String name, SecurityType securityType) {
|
2017-11-30 18:06:08 +01:00
|
|
|
switch(securityType) {
|
|
|
|
|
case ROLE:
|
2023-05-11 18:35:56 +02:00
|
|
|
database.dropRole(name);
|
2017-11-30 18:06:08 +01:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case USER:
|
2023-05-11 18:35:56 +02:00
|
|
|
database.dropUser(name);
|
2017-11-30 18:06:08 +01:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
2023-05-11 18:35:56 +02:00
|
|
|
logger.trace("{} successfully dropped", name);
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public void delete() throws ResourceRegistryException {
|
2023-05-11 18:35:56 +02:00
|
|
|
RemoteDatabase remoteDatabase = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
|
|
|
|
|
RemoteDatabase database = null;
|
2021-09-16 15:23:04 +02:00
|
|
|
try {
|
2023-05-11 18:35:56 +02:00
|
|
|
database = getAdminDatabaseDocument();
|
2021-09-16 15:23:04 +02:00
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
delete(database);
|
2021-09-16 15:23:04 +02:00
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
database.commit();
|
2021-09-16 15:23:04 +02:00
|
|
|
} finally {
|
2023-05-11 18:35:56 +02:00
|
|
|
if(database!=null) {
|
|
|
|
|
database.close();
|
2021-09-16 15:23:04 +02:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
// if(current!=null) {
|
|
|
|
|
// current.activateOnCurrentThread();
|
|
|
|
|
// }
|
2019-11-05 18:36:44 +01:00
|
|
|
}
|
2021-09-16 15:23:04 +02:00
|
|
|
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
protected void removeChildrenHRolesFromParents(RemoteDatabase remoteDatabase) {
|
2017-12-05 10:10:34 +01:00
|
|
|
Set<SecurityContext> parents = getAllParents();
|
|
|
|
|
Set<SecurityContext> allChildren = getAllChildren();
|
2023-05-11 18:35:56 +02:00
|
|
|
removeChildrenHRolesFromParents(remoteDatabase, parents, allChildren);
|
2017-12-05 10:10:34 +01:00
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
protected void removeChildrenHRolesFromParents(RemoteDatabase remoteDatabase, Set<SecurityContext> parents, Set<SecurityContext> children) {
|
2017-12-05 10:10:34 +01:00
|
|
|
for(SecurityContext parent : parents) {
|
2023-05-11 18:35:56 +02:00
|
|
|
parent.removeChildrenHRolesFromMyHUsers(remoteDatabase, children);
|
2017-12-05 10:10:34 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
protected void removeChildrenHRolesFromMyHUsers(RemoteDatabase database, Set<SecurityContext> children) {
|
2017-12-05 10:10:34 +01:00
|
|
|
for(PermissionMode permissionMode : PermissionMode.values()) {
|
|
|
|
|
String userName = getSecurityRoleOrUserName(permissionMode, SecurityType.USER, true);
|
2023-05-11 18:35:56 +02:00
|
|
|
User user = database.getUser(userName);
|
2017-12-05 10:10:34 +01:00
|
|
|
for(SecurityContext child : children) {
|
|
|
|
|
String roleName = child.getSecurityRoleOrUserName(permissionMode, SecurityType.ROLE, true);
|
|
|
|
|
logger.debug("Going to remove {} from {}", roleName, userName);
|
|
|
|
|
boolean removed = user.removeRole(roleName);
|
|
|
|
|
logger.trace("{} {} removed from {}", roleName, removed ? "successfully" : "NOT", userName);
|
|
|
|
|
}
|
|
|
|
|
user.save();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
protected void removeHierarchicRoleFromMyHUser(RemoteDatabase database, PermissionMode permissionMode, String roleName) {
|
2017-12-05 10:10:34 +01:00
|
|
|
String userName = getSecurityRoleOrUserName(permissionMode, SecurityType.USER, true);
|
2023-05-11 18:35:56 +02:00
|
|
|
User user = database.getUser(userName);
|
2017-12-05 10:10:34 +01:00
|
|
|
logger.debug("Going to remove {} from {}", roleName, userName);
|
|
|
|
|
boolean removed = user.removeRole(roleName);
|
|
|
|
|
logger.trace("{} {} removed from {}", roleName, removed ? "successfully" : "NOT", userName);
|
|
|
|
|
user.save();
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
protected void deleteRolesAndUsers(RemoteDatabase remoteDatabase) {
|
2017-11-30 18:06:08 +01:00
|
|
|
boolean[] booleanArray;
|
2020-10-27 15:12:11 +01:00
|
|
|
if(hierarchical) {
|
2017-11-30 18:06:08 +01:00
|
|
|
booleanArray = new boolean[] {false, true};
|
|
|
|
|
} else {
|
|
|
|
|
booleanArray = new boolean[] {false};
|
|
|
|
|
}
|
|
|
|
|
for(boolean hierarchic : booleanArray) {
|
2017-12-05 10:10:34 +01:00
|
|
|
if(hierarchic) {
|
2023-05-11 18:35:56 +02:00
|
|
|
removeChildrenHRolesFromParents(remoteDatabase);
|
2017-12-05 10:10:34 +01:00
|
|
|
}
|
2017-11-30 18:06:08 +01:00
|
|
|
for(PermissionMode permissionMode : PermissionMode.values()) {
|
|
|
|
|
for(SecurityType securityType : SecurityType.values()) {
|
|
|
|
|
String name = getSecurityRoleOrUserName(permissionMode, securityType, hierarchic);
|
2023-05-11 18:35:56 +02:00
|
|
|
drop(remoteDatabase, name, securityType);
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
public void delete(RemoteDatabase remoteDatabase) {
|
|
|
|
|
// OSecurity oSecurity = getOSecurity(orientGraph);
|
2017-11-30 18:06:08 +01:00
|
|
|
logger.trace("Going to remove Security Context (roles and users) with UUID {}", context.toString());
|
2023-05-11 18:35:56 +02:00
|
|
|
deleteRolesAndUsers(remoteDatabase);
|
2017-11-30 18:06:08 +01:00
|
|
|
logger.trace("Security Context (roles and users) with UUID {} successfully removed", context.toString());
|
|
|
|
|
}
|
|
|
|
|
|
2023-05-11 18:35:56 +02:00
|
|
|
public RemoteDatabase getRemoteDatabase(PermissionMode permissionMode) throws ResourceRegistryException {
|
|
|
|
|
// try {
|
|
|
|
|
// ODatabasePool oDatabasePool = getPool(permissionMode, false);
|
|
|
|
|
// ODatabaseSession oDatabaseSession = null;
|
|
|
|
|
// try {
|
|
|
|
|
// oDatabaseSession = oDatabasePool.acquire();
|
|
|
|
|
// if(oDatabaseSession.isClosed()) {
|
|
|
|
|
// // Enforcing pool recreation
|
|
|
|
|
// throw new Exception();
|
|
|
|
|
// }
|
|
|
|
|
// }catch (Exception e) {
|
|
|
|
|
// oDatabasePool = getPool(permissionMode, true);
|
|
|
|
|
// oDatabaseSession = oDatabasePool.acquire();
|
|
|
|
|
// }
|
|
|
|
|
// oDatabaseSession.activateOnCurrentThread();
|
|
|
|
|
// return oDatabaseSession;
|
|
|
|
|
// }catch (Exception e) {
|
|
|
|
|
// throw new ResourceRegistryException(e);
|
|
|
|
|
// }
|
|
|
|
|
|
|
|
|
|
return null;
|
2017-11-30 18:06:08 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
@Override
|
|
|
|
|
public String toString() {
|
|
|
|
|
return String.format("%s %s", Context.NAME, getUUID().toString());
|
|
|
|
|
}
|
|
|
|
|
}
|
