temp commit

2024-10-08 14:31:30 +02:00 · 2024-10-08 14:31:30 +02:00 · 2360949ad3
parent 48f7b1a73b
commit 2360949ad3
5 changed files with 159 additions and 49 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,3 +3,5 @@ target
 .project
 /.DS_Store
 /bin/
 /.apt_generated/
 /.apt_generated_tests/
--- a/.settings/.gitignore
+++ b/.settings/.gitignore
@ -1,3 +1,4 @@
 /org.eclipse.core.resources.prefs
 /org.eclipse.jdt.core.prefs
 /org.eclipse.m2e.core.prefs
 /org.eclipse.jdt.apt.core.prefs
--- a/src/main/java/org/gcube/informationsystem/resourceregistry/contexts/entities/ContextManagement.java
+++ b/src/main/java/org/gcube/informationsystem/resourceregistry/contexts/entities/ContextManagement.java
@ -5,9 +5,12 @@ import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.UUID;
 import javax.ws.rs.BadRequestException;
 import javax.ws.rs.ForbiddenException;
 import javax.ws.rs.NotAuthorizedException;
 import org.gcube.com.fasterxml.jackson.core.JsonProcessingException;
 import org.gcube.com.fasterxml.jackson.databind.JsonNode;
@ -245,7 +248,36 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
 		return context;
 	}
 //	public boolean isUserAllowed() {
 //		switch (operation) {
 //			case CREATE:
 //				break;
 //				
 //			case UPDATE:
 //				break;
 //				
 //			case DELETE:
 //				break;
 //				
 //			default:
 //				break;
 //		}
 //		
 //		return true;
 //	}
 	/*
 	 * The Context-Manager is allowed to operate in a context
 	 * only if he is the Context-Manager of the context
 	 */
 	// TODO in subclass
 	/*
 	 * The Context-Manager is allowed to delete a context
 	 * only if he is the Context-Manager of the parent context
 	 * (so the request must arrive from the parent context).
 	 */
 	@Override
 	protected OVertex reallyCreate() throws AlreadyPresentException, ResourceRegistryException {
@ -263,6 +295,20 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
 				UUID parentUUID = parentContextManagement.uuid;
 				parentSecurityContext = ContextUtility.getInstance().getSecurityContextByUUID(parentUUID);
 				SecurityContext requestSecurityContext = ContextUtility.getCurrentSecurityContext();
 				if(requestSecurityContext.getUUID().compareTo(parentContextManagement.getUUID())==0) {
 					Set<String> allowedRoles = SecurityContext.getAllowedRoles();
 					if(!SecurityContext.isUserAllowed(allowedRoles)) {
 						throw new NotAuthorizedException("Only user with one of the following role " + allowedRoles + " can create a child Context.");
 					}
 				}else {
 					Set<String> allowedRoles = SecurityContext.getAllOperationsAllowedRoles();
 					if(!SecurityContext.isUserAllowed(allowedRoles)) {
 						throw new NotAuthorizedException("Only user with one of the following role " + allowedRoles + " can create a child Context requesting the operation from a Context which is not the parent.");
 					}
 				}
 				checkContext(parentContextManagement);
 				if (uuid == null) {
 					uuid = UUIDManager.getInstance().generateValidUUID();
@ -279,6 +325,7 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
 				isParentOfManagement.internalCreate();
 			} else {
 				SecurityContext.isUserAllowed(SecurityContext.getAllOperationsAllowedRoles());
 				checkContext(null);
 				logFullPath();
 				createVertex();
@ -446,7 +493,7 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
 	@Override
 	protected void reallyDelete() throws NotFoundException, ResourceRegistryException {
 		if(workingContext.isUserAllowed()) {
-			throw new ForbiddenException("You are not allowed to delete the Contexts. Allowed roles are " + workingContext.getAllowedRoles()); 
+			throw new ForbiddenException("You are not allowed to delete the Contexts. Allowed roles are " + SecurityContext.getAllOperationsAllowedRoles()); 
 		}
 		Iterable<OEdge> iterable = getElement().getEdges(ODirection.OUT);
@ -591,7 +638,7 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
 		if(workingContext.isUserAllowed()) {
 			return super.createOrUpdate();
 		}
-		throw new ForbiddenException("You are not allowed to manipulate Contexts. Allowed roles are " + workingContext.getAllowedRoles());
+		throw new ForbiddenException("You are not allowed to manipulate Contexts. Allowed roles are " + SecurityContext.getAllOperationsAllowedRoles());
 	}
 	@Override
--- a/src/main/java/org/gcube/informationsystem/resourceregistry/contexts/security/SecurityContext.java
+++ b/src/main/java/org/gcube/informationsystem/resourceregistry/contexts/security/SecurityContext.java
@ -19,6 +19,7 @@ import org.gcube.informationsystem.contexts.reference.entities.Context;
 import org.gcube.informationsystem.resourceregistry.api.exceptions.ResourceRegistryException;
 import org.gcube.informationsystem.resourceregistry.contexts.ContextUtility;
 import org.gcube.informationsystem.resourceregistry.dbinitialization.DatabaseEnvironment;
 import org.gcube.informationsystem.resourceregistry.instances.model.Operation;
 import org.gcube.informationsystem.resourceregistry.requests.RequestUtility;
 import org.gcube.informationsystem.resourceregistry.requests.ServerRequestInfo;
 import org.gcube.informationsystem.resourceregistry.utils.OrientDBUtility;
@ -97,34 +98,51 @@ public class SecurityContext {
 	/**
 	 * Roles allowed to operate on the security context
 	 */
-	protected Set<String> allowedRoles;
+	protected static Set<String> allOperationAllowedRoles;
 	//protected static Set<String> allowedRoles;
 	public final static String CONTEXT_MANAGER = "Context-Manager";
 	public final static String INFRASTRUCTURE_MANAGER = "Infrastructure-Manager";
 	public final static String IS_MANAGER = "IS-Manager";
 	public final static String CONTEXT_MANAGER = "Context-Manager";
 	static {
 		allOperationAllowedRoles = new HashSet<>();
 		allOperationAllowedRoles.add(INFRASTRUCTURE_MANAGER);
 		allOperationAllowedRoles.add(IS_MANAGER);
 //		allowedRoles = new HashSet<>();
 //		allowedRoles.add(CONTEXT_MANAGER);
 	}
 	public static Set<String> getAllOperationsAllowedRoles() {
 		return new HashSet<>(allOperationAllowedRoles);
 	}
 //	public static Set<String> getAllowedRoles() {
 //		return new HashSet<>(allowedRoles);
 //	}
 	protected SecurityContext(UUID context, boolean hierarchical) throws ResourceRegistryException {
 		this.context = context;
 		this.poolMap = new HashMap<>();
-		this.allowedRoles = new HashSet<>();
+		
-		this.allowedRoles.add(INFRASTRUCTURE_MANAGER);
+		boolean hierarchicalAllowed = SecurityContext.isUserAllowed(allOperationAllowedRoles);
-		this.allowedRoles.add(IS_MANAGER);
+		
 		/*
-		 * Only Infrastructure-Manager and IS-Manager
+		 * Only the Infrastructure Manager and IS Manager are entitled to use hierarchical mode. 
-		 * are entitled to use hierarchical mode.
+		 * I decided not to complain if the user does not have such roles and assumed the hierarchical mode was not requested.
 		 * I decide not complains for that instead
 		 * assume the hierarchical was not requested
 		 */
-		if(hierarchical && !isUserAllowed()) {
+		if(hierarchical && !hierarchicalAllowed) {
 			StringBuffer sb = new StringBuffer();
 			sb.append("The user ");
 			sb.append(ContextUtility.getCurrentUserUsername());
-			sb.append(" requested hierarchical mode but he/she does not have one of the fllowing roles ");
+			sb.append(" requested hierarchical mode but he/she does not have one of the following roles ");
-			sb.append(allowedRoles.toString());
+			sb.append(allOperationAllowedRoles.toString());
 			sb.append(". Instead of complaining, the request will be elaborated not in hierarchical mode.");
 			logger.warn(sb.toString());
 		}
-		this.hierarchical = hierarchical && isUserAllowed();
+		this.hierarchical = hierarchical && hierarchicalAllowed;
 		this.children = new HashSet<>(); 
@ -135,10 +153,6 @@ public class SecurityContext {
 		this(context, true);
 	}
 	public Set<String> getAllowedRoles() {
 		return allowedRoles;
 	}
 	protected boolean isHierarchicalMode() {
 		return hierarchical || RequestUtility.getRequestInfo().get().isHierarchicalMode();
 	}
@ -477,33 +491,67 @@ public class SecurityContext {
 	}
 	private static boolean isUserAllowed(Set<String> allowedRoles) {
 		boolean allowed = false;
 		SecretManager secretManager = SecretManagerProvider.instance.get();
 		User user = secretManager.getUser();
 		Collection<String> roles = new HashSet<>(user.getRoles());
 		roles.retainAll(allowedRoles);
 		if(roles.size()>0) {
 			allowed = true;
 		}
 		return allowed;
 	}
 	public boolean isUserAllowed() {
 		boolean allowed = false;
 		SecretManager secretManager = SecretManagerProvider.instance.get();
 		User user = secretManager.getUser();
 		Collection<String> roles = new HashSet<>(user.getRoles());
-		roles.retainAll(this.allowedRoles);
+		roles.retainAll(allowedRoles);
 		if(roles.size()>0) {
 			allowed = true;
 		}
 		/*
 		 * The Context-Manager is allowed to operate in a context
 		 * only if he is the Context-Manager of the context
 		 */
 		// TODO in subclass
 		/*
 		 * The Context-Manager is allowed to delete a context
 		 * only if he is the Context-Manager of the parent context
 		 * (so the request must arrive from the parent context).
 		 */
 		return allowed;
 	}
 	public boolean isUserAllowed(Operation operation) {
 		switch (operation) {
 			case CREATE:
 				break;
 			case READ:
 				break;
 			case EXISTS:
 				break;
 			case UPDATE:
 				break;
 			case DELETE:
 				break;
 			case ADD_TO_CONTEXT:
 				break;
 			case REMOVE_FROM_CONTEXT:
 				break;
 			case QUERY:
 				break;
 			case GET_METADATA:
 				return isUserAllowed(allOperationAllowedRoles);
 			default:
 				break;
 		}
 		return true;
 	}
 	public void create() throws ResourceRegistryException {
 		ODatabaseDocument current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
 		ODatabaseDocument adminDatabaseDocument = null;
--- a/src/main/java/org/gcube/informationsystem/resourceregistry/instances/base/ElementManagement.java
+++ b/src/main/java/org/gcube/informationsystem/resourceregistry/instances/base/ElementManagement.java
@ -262,7 +262,7 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 			Context context = ServerContextCache.getInstance().getContextByUUID(workingContext.getUUID());
 			if(context.getState().compareTo(ContextState.ACTIVE.getState())!=0) {
 				if(!workingContext.isUserAllowed()) {
-					throw new ForbiddenException("You are not allowed to operate in non " + ContextState.ACTIVE.getState() + " Contexts. Allowed roles are " + workingContext.getAllowedRoles());
+					throw new ForbiddenException("You are not allowed to operate in non " + ContextState.ACTIVE.getState() + " Contexts. Allowed roles are " + SecurityContext.getAllOperationsAllowedRoles());
 				}
 			}
 		}
@ -734,17 +734,20 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 			throws NotFoundException, AvailableInAnotherContextException, ResourceRegistryException {
 		ODatabaseDocument current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
 		try {
-			oDatabaseDocument = getWorkingContext().getDatabaseDocument(PermissionMode.WRITER);
+			SecurityContext securityContext = getWorkingContext();
 			oDatabaseDocument = securityContext.getDatabaseDocument(PermissionMode.WRITER);
 			oDatabaseDocument.begin();
 			boolean update = false;
 			setAsEntryPoint();
 			setOperation(Operation.UPDATE);
 			try {
 				getElement();
-				setOperation(Operation.UPDATE);
+				securityContext.isUserAllowed(operation);
 				update = true;
 				internalUpdate();
 			} catch(NotFoundException e) {
 				setOperation(Operation.CREATE);
 				securityContext.isUserAllowed(operation);
 				String calledMethod = CalledMethodProvider.instance.get();
 				calledMethod = calledMethod.replace("update", "create");
 				CalledMethodProvider.instance.set(calledMethod);
@ -788,7 +791,9 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 		ODatabaseDocument current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
 		try {
-			oDatabaseDocument = getWorkingContext().getDatabaseDocument(PermissionMode.WRITER);
+			SecurityContext securityContext = getWorkingContext();
 			securityContext.isUserAllowed(Operation.CREATE);
 			oDatabaseDocument = securityContext.getDatabaseDocument(PermissionMode.WRITER);
 			oDatabaseDocument.begin();
 			setAsEntryPoint();
@ -827,10 +832,12 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 		ODatabaseDocument current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
 		try {
-			oDatabaseDocument = getWorkingContext().getDatabaseDocument(PermissionMode.READER);
+			SecurityContext securityContext = getWorkingContext();
 			setOperation(Operation.READ);
 			securityContext.isUserAllowed(operation);
 			oDatabaseDocument = securityContext.getDatabaseDocument(PermissionMode.READER);
 			setAsEntryPoint();
 			setOperation(Operation.READ);
 			getElement();
@ -853,10 +860,11 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 	}
 	public String update() throws NotFoundException, AvailableInAnotherContextException, ResourceRegistryException {
 		ODatabaseDocument current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
 		try {
-			oDatabaseDocument = getWorkingContext().getDatabaseDocument(PermissionMode.WRITER);
+			SecurityContext securityContext = getWorkingContext();
 			securityContext.isUserAllowed(Operation.UPDATE);
 			oDatabaseDocument = securityContext.getDatabaseDocument(PermissionMode.WRITER);
 			oDatabaseDocument.begin();
 			setAsEntryPoint();
@ -898,7 +906,10 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 		ODatabaseDocument current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
 		try {
 			// oDatabaseDocument = ContextUtility.getAdminSecurityContext().getDatabaseDocument(PermissionMode.WRITER);
-			oDatabaseDocument = getWorkingContext().getDatabaseDocument(PermissionMode.WRITER);
+			SecurityContext securityContext = getWorkingContext();
 			setOperation(Operation.DELETE);
 			securityContext.isUserAllowed(operation);
 			oDatabaseDocument = securityContext.getDatabaseDocument(PermissionMode.WRITER);
 			oDatabaseDocument.begin();
 			setAsEntryPoint();
@ -939,10 +950,11 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 		ODatabaseDocument instanceDB = this.oDatabaseDocument;
 		try {
 			AdminSecurityContext adminSecurityContext = ContextUtility.getAdminSecurityContext();
 			setOperation(Operation.GET_METADATA);
 			adminSecurityContext.isUserAllowed(operation);
 			oDatabaseDocument = adminSecurityContext.getDatabaseDocument(PermissionMode.READER);
 			setAsEntryPoint();
 			setOperation(Operation.GET_METADATA);
 			Set<String> contexts = SecurityContext.getContexts(getElement());
 			return contexts;
@ -1249,7 +1261,7 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 		if(roles.contains(SecurityContext.CONTEXT_MANAGER)) {
 			return true;
 		}
-		roles.retainAll(workingContext.getAllowedRoles());
+		roles.retainAll(SecurityContext.getAllOperationsAllowedRoles());
 		if(roles.size()>0) {
 			allowed = true;
 		}