Fixes #10435: Add support for hierarchical roles to support child context overview

Task-Url: https://support.d4science.org/issues/10435

git-svn-id: https://svn.d4science.research-infrastructures.eu/gcube/trunk/information-system/resource-registry@160040 82a268e6-3cf1-43bd-a215-b396298e98cf

src/main/java/org/gcube/informationsystem/resourceregistry/context/ContextManagement.java

@@ -75,7 +75,7 @@ public class ContextManagement extends EntityManagement<Context> {
 	
 	protected SecurityContext getWorkingContext() throws ResourceRegistryException {
 		if(workingContext == null) {
-			workingContext = ContextUtility.getInstace()
+			workingContext = ContextUtility.getInstance()
 					.getSecurityContextByUUID(DatabaseEnvironment.CONTEXT_SECURITY_CONTEXT_UUID);
 		}
 		return workingContext;
@@ -192,6 +192,7 @@ public class ContextManagement extends EntityManagement<Context> {
 	@Override
 	protected Vertex reallyCreate() throws ERAlreadyPresentException, ResourceRegistryException {
 		SecurityContext securityContext = null;
+		SecurityContext parentSecurityContext = null;
 		
 		try {
 			JsonNode isParentOfJsonNode = jsonNode.get(Context.PARENT_PROPERTY);
@@ -199,10 +200,13 @@ public class ContextManagement extends EntityManagement<Context> {
 			if(isParentOfJsonNode != null && !(isParentOfJsonNode instanceof NullNode)) {
 				
 				JsonNode parentJsonNode = isParentOfJsonNode.get(Relation.SOURCE_PROPERTY);
-				ContextManagement parentContext = new ContextManagement(orientGraph);
+				ContextManagement parentContextManagement = new ContextManagement(orientGraph);
-				parentContext.setJSON(parentJsonNode);
+				parentContextManagement.setJSON(parentJsonNode);
+				UUID parentUUID = parentContextManagement.uuid;
+				parentSecurityContext = ContextUtility.getInstance().getSecurityContextByUUID(parentUUID);
 				
-				checkContext(parentContext);
+				
+				checkContext(parentContextManagement);
 				if(uuid == null) {
 					uuid = UUID.randomUUID();
 				}
@@ -211,7 +215,7 @@ public class ContextManagement extends EntityManagement<Context> {
 				
 				IsParentOfManagement isParentOfManagement = new IsParentOfManagement(orientGraph);
 				isParentOfManagement.setJSON(isParentOfJsonNode);
-				isParentOfManagement.setSourceEntityManagement(parentContext);
+				isParentOfManagement.setSourceEntityManagement(parentContextManagement);
 				isParentOfManagement.setTargetEntityManagement(this);
 				
 				isParentOfManagement.internalCreate();
@@ -222,13 +226,20 @@ public class ContextManagement extends EntityManagement<Context> {
 			}
 			
 			securityContext = new SecurityContext(uuid);
+			securityContext.setParentSecurityContext(parentSecurityContext);
 			securityContext.create(orientGraph);
 			
+			ContextUtility.getInstance().addSecurityContext(securityContext);
+			
 			return getElement();
 		} catch(Exception e) {
 			orientGraph.rollback();
 			if(securityContext != null) {
 				securityContext.delete(orientGraph);
+				if(parentSecurityContext!=null && securityContext!=null) {
+					parentSecurityContext.getChildren().remove(securityContext);
+				}
+				ContextUtility.getInstance().removeFromCache(uuid, false);
 			}
 			throw e;
 		}
@@ -308,7 +319,7 @@ public class ContextManagement extends EntityManagement<Context> {
 		element = (Vertex) ERManagement.updateProperties(oClass, getElement(), jsonNode, ignoreKeys,
 				ignoreStartWithKeys);
 		
-		ContextUtility.getInstace().removeFromCache(uuid);
+		ContextUtility.getInstance().removeFromCache(uuid, true);
 		
 		return element;
 	}
@@ -319,6 +330,8 @@ public class ContextManagement extends EntityManagement<Context> {
 			checkContext(newParentContextManagement);
 		}
 		
+		SecurityContext newParentSecurityContext = null;
+		
 		// Removing the old parent relationship if any
 		Iterable<Edge> edges = getElement().getEdges(Direction.IN, IsParentOf.NAME);
 		if(edges != null && edges.iterator().hasNext()) {
@@ -341,8 +354,11 @@ public class ContextManagement extends EntityManagement<Context> {
 			isParentOfManagement.setSourceEntityManagement(newParentContextManagement);
 			isParentOfManagement.setTargetEntityManagement(this);
 			isParentOfManagement.internalCreate();
+			newParentSecurityContext = ContextUtility.getInstance().getSecurityContextByUUID(newParentContextManagement.uuid);
 		}
 		
+		SecurityContext thisSecurityContext = ContextUtility.getInstance().getSecurityContextByUUID(uuid);
+		thisSecurityContext.changeParentSecurityContext(newParentSecurityContext, orientGraph);
 	}
 	
 	@Override
@@ -355,11 +371,11 @@ public class ContextManagement extends EntityManagement<Context> {
 		
 		element.remove();
 		
-		ContextUtility contextUtility = ContextUtility.getInstace();
+		ContextUtility contextUtility = ContextUtility.getInstance();
 		SecurityContext securityContext = contextUtility.getSecurityContextByUUID(uuid);
 		securityContext.delete(orientGraph);
 		
-		contextUtility.removeFromCache(uuid);
+		contextUtility.removeFromCache(uuid, false);
 		
 		return true;
 		

src/main/java/org/gcube/informationsystem/resourceregistry/context/ContextUtility.java

@@ -40,7 +40,7 @@ public class ContextUtility {
 	
 	private static ContextUtility contextUtility;
 	
-	public static ContextUtility getInstace() {
+	public static ContextUtility getInstance() {
 		if(contextUtility == null) {
 			contextUtility = new ContextUtility();
 		}
@@ -81,26 +81,32 @@ public class ContextUtility {
 		if(fullName == null) {
 			throw new ContextException("Null Token and Scope. Please set your token first.");
 		}
-		return ContextUtility.getInstace().getSecurityContextByFullName(fullName);
+		return ContextUtility.getInstance().getSecurityContextByFullName(fullName);
 	}
 	
 	public static AdminSecurityContext getAdminSecurityContext() throws ResourceRegistryException {
-		AdminSecurityContext adminSecurityContext = (AdminSecurityContext) ContextUtility.getInstace()
+		AdminSecurityContext adminSecurityContext = (AdminSecurityContext) ContextUtility.getInstance()
 				.getSecurityContextByUUID(DatabaseEnvironment.ADMIN_SECURITY_CONTEXT_UUID);
 		return adminSecurityContext;
 	}
 	
-	public synchronized void removeFromCache(UUID uuid) throws ResourceRegistryException {
+	public synchronized void removeFromCache(UUID uuid, boolean fullNameOnly) throws ResourceRegistryException {
 		for(String fullName : contextUUIDs.keySet()) {
 			UUID uuidKey = contextUUIDs.get(fullName);
 			if(uuidKey.compareTo(uuid) == 0) {
 				contextUUIDs.remove(fullName);
-				contexts.remove(uuid);
+				if(!fullNameOnly) {
+					contexts.remove(uuid);
+				}
 				return;
 			}
 		}
 	}
 	
+	public synchronized void addSecurityContext(SecurityContext securityContext) {
+		contexts.put(securityContext.getUUID(), securityContext);
+	}
+	
 	public synchronized void addSecurityContext(String fullname, SecurityContext securityContext) {
 		contextUUIDs.put(fullname, securityContext.getUUID());
 		contexts.put(securityContext.getUUID(), securityContext);

src/main/java/org/gcube/informationsystem/resourceregistry/context/IsParentOfManagement.java

@@ -42,7 +42,7 @@ public class IsParentOfManagement extends RelationManagement<IsParentOf,ContextM
 	@Override
 	protected SecurityContext getWorkingContext() throws ResourceRegistryException {
 		if(workingContext == null) {
-			workingContext = ContextUtility.getInstace()
+			workingContext = ContextUtility.getInstance()
 					.getSecurityContextByUUID(DatabaseEnvironment.CONTEXT_SECURITY_CONTEXT_UUID);
 		}
 		return workingContext;

src/main/java/org/gcube/informationsystem/resourceregistry/context/security/AdminSecurityContext.java

@@ -25,6 +25,7 @@ public class AdminSecurityContext extends SecurityContext {
 		throw new RuntimeException("Cannot use this method for Admin Context");
 	}
 	
+	@Override
 	protected ORole getSuperRole(OSecurity oSecurity, PermissionMode permissionMode) {
 		return oSecurity.getRole(DatabaseEnvironment.DEFAULT_ADMIN_ROLE);
 	}

src/main/java/org/gcube/informationsystem/resourceregistry/context/security/SecurityContext.java

@@ -4,7 +4,9 @@
 package org.gcube.informationsystem.resourceregistry.context.security;
 
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 import java.util.UUID;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ExecutorService;
@@ -15,6 +17,7 @@ import org.gcube.informationsystem.model.entity.Context;
 import org.gcube.informationsystem.resourceregistry.api.exceptions.ResourceRegistryException;
 import org.gcube.informationsystem.resourceregistry.context.ContextUtility;
 import org.gcube.informationsystem.resourceregistry.dbinitialization.DatabaseEnvironment;
+import org.gcube.informationsystem.resourceregistry.utils.Utility;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -79,50 +82,127 @@ public class SecurityContext {
 	
 	protected SecurityContext parentSecurityContext;
 	
+	protected Set<SecurityContext> children;
+	
 	protected boolean isHierarchicMode() {
 		return hierarchic && ContextUtility.getHierarchicMode().get();
 	}
 	
 	public void setParentSecurityContext(SecurityContext parentSecurityContext) {
+		if(this.parentSecurityContext!=null) {
+			this.parentSecurityContext.getChildren().remove(this);
+		}
+		
 		this.parentSecurityContext = parentSecurityContext;
+		if(parentSecurityContext!=null) {
+			this.parentSecurityContext.addChild(this);
+		}
 	}
 	
 	public SecurityContext getParentSecurityContext() {
 		return parentSecurityContext;
 	}
 	
-	/**
+	private void addChild(SecurityContext child) {
-	 * Use to change the parent not to set the first time
+		this.children.add(child);
-	 * 
+	}
-	 * @param newParentSecurityContext
+	
-	 * @throws ResourceRegistryException
+	public Set<SecurityContext> getChildren(){
-	 */
+		return this.children;
-	public void changeParentSecurityContext(SecurityContext newParentSecurityContext) throws ResourceRegistryException {
-		OrientGraph orientGraph = getAdminOrientGraph();
-		changeParentSecurityContext(newParentSecurityContext, orientGraph);
 	}
 	
 	protected OrientGraph getAdminOrientGraph() throws ResourceRegistryException {
 		return ContextUtility.getAdminSecurityContext().getGraph(PermissionMode.WRITER);
 	}
 	
+	/**
+	 * @return a set containing all children and recursively
+	 * all children.  
+	 */
+	private Set<SecurityContext> getAllChildren(){
+		Set<SecurityContext> allChildren = new HashSet<>();
+		allChildren.add(this);
+		for(SecurityContext securityContext : getChildren()) {
+			allChildren.addAll(securityContext.getAllChildren());
+		}
+		return allChildren;
+	}
+	
+	/**
+	 * @return 
+	 */
+	private Set<SecurityContext> getAllParents(){
+		Set<SecurityContext> allParents = new HashSet<>();
+		SecurityContext parent = getParentSecurityContext();
+		while(parent!=null) {
+			allParents.add(parent);
+			parent = parent.getParentSecurityContext();
+		}
+		return allParents;
+	}
+	
+	
 	/**
 	 * Use to change the parent not to set the first time
 	 * 
 	 * @param newParentSecurityContext
 	 * @param orientGraph
+	 * @throws ResourceRegistryException 
 	 */
-	public void changeParentSecurityContext(SecurityContext newParentSecurityContext, OrientGraph orientGraph) {
+	public void changeParentSecurityContext(SecurityContext newParentSecurityContext, OrientGraph orientGraph) throws ResourceRegistryException {
-		// TODO Remove from old hierarchy
+		if(!hierarchic) {
-		// TODO Add to new Hierarchy
+			StringBuilder errorMessage = new StringBuilder();
-		// In both cases take in account the new and the old parent
+			errorMessage.append("Cannot change parent ");
+			errorMessage.append(SecurityContext.class.getSimpleName());
+			errorMessage.append(" to non hierarchic ");
+			errorMessage.append(SecurityContext.class.getSimpleName());
+			errorMessage.append(". ");
+			errorMessage.append(Utility.SHOULD_NOT_OCCUR_ERROR_MESSAGE);
+			final String error = errorMessage.toString();
+			logger.error(error);
+			throw new RuntimeException(error);
+		}
+		
+		OSecurity oSecurity = getOSecurity(orientGraph);
+		
+		Set<SecurityContext> allChildren = getAllChildren();
+		
+		Set<SecurityContext> oldParents = getAllParents();
+		
+		Set<SecurityContext> newParents = new HashSet<>();
+		if(newParentSecurityContext!=null) {
+			newParents = newParentSecurityContext.getAllParents();
+		}
+		
+		/* 
+		 * From old parents I remove the new parents so that oldParents
+		 * contains only the parents where I have to remove all 
+		 * HReaderRole-UUID e HWriterRole-UUID of allChildren by using 
+		 * removeHierarchicRoleFromParent() function
+		 * 
+		 */
+		oldParents.removeAll(newParents);
+		removeChildrenHRolesFromParents(oSecurity, oldParents, allChildren);
+		
 		setParentSecurityContext(newParentSecurityContext);
+		
+		if(newParentSecurityContext!=null){
+			for(PermissionMode permissionMode : PermissionMode.values()) {
+				for(SecurityContext child : allChildren) {
+					String roleName = child.getSecurityRoleOrUserName(permissionMode, SecurityType.ROLE, true);
+					ORole role = oSecurity.getRole(roleName);
+					getParentSecurityContext().addHierarchicRoleToParent(oSecurity, permissionMode, role);
+				}
+			}
+		}
+		
 	}
 	
 	protected SecurityContext(UUID context, boolean hierarchic) throws ResourceRegistryException {
 		this.context = context;
 		this.factoryMap = new HashMap<>();
 		this.hierarchic = hierarchic;
+		this.children = new HashSet<>(); 
 	}
 	
 	public SecurityContext(UUID context) throws ResourceRegistryException {
@@ -176,19 +256,9 @@ public class SecurityContext {
 		return stringBuilder.toString();
 	}
 	
-	private ODatabaseDocumentTx getAdminODatabaseDocumentTx(OrientGraph orientGraph) {
+	private OSecurity getOSecurity(OrientGraph orientGraph) {
 		ODatabaseDocumentTx oDatabaseDocumentTx = orientGraph.getRawGraph();
-		return oDatabaseDocumentTx;
+		return oDatabaseDocumentTx.getMetadata().getSecurity();
-	}
-	
-	private OSecurity getAdminOSecurity(ODatabaseDocumentTx oDatabaseDocumentTx) {
-		OSecurity oSecurity = oDatabaseDocumentTx.getMetadata().getSecurity();
-		return oSecurity;
-	}
-	
-	private OSecurity getAdminOSecurity(OrientGraph orientGraph) {
-		ODatabaseDocumentTx oDatabaseDocumentTx = getAdminODatabaseDocumentTx(orientGraph);
-		return getAdminOSecurity(oDatabaseDocumentTx);
 	}
 	
 	public void addElement(Element element) throws ResourceRegistryException {
@@ -205,34 +275,22 @@ public class SecurityContext {
 	public void addElement(Element element, OrientGraph orientGraph) {
 		OrientElement orientElement = (OrientElement) element;
 		ODocument oDocument = orientElement.getRecord();
-		OSecurity oSecurity = getAdminOSecurity(orientGraph);
+		OSecurity oSecurity = getOSecurity(orientGraph);
 		allow(oSecurity, oDocument, false);
 		if(hierarchic) {
 			allow(oSecurity, oDocument, true);
-			if(getParentSecurityContext() != null) {
-				getParentSecurityContext().addElementToHierarchy(oSecurity, oDocument);
-			}
 		}
 		oDocument.save();
 		orientElement.save();
 	}
 	
-	protected void addElementToHierarchy(OSecurity oSecurity, ODocument oDocument) {
-		allow(oSecurity, oDocument, true);
-		if(getParentSecurityContext() != null) {
-			getParentSecurityContext().addElementToHierarchy(oSecurity, oDocument);
-		}
-	}
-	
 	public void removeElement(Element element) throws ResourceRegistryException {
 		removeElement(element, getAdminOrientGraph());
 	}
 	
 	protected void deny(OSecurity oSecurity, ODocument oDocument, boolean hierarchic) {
-		
 		// The element could be created in such a context so the writerUser for the
-		// context is allowed by default
+		// context is allowed by default because it was the creator
-		// because it was the creator
 		String writerUserName = getSecurityRoleOrUserName(PermissionMode.WRITER, SecurityType.USER, hierarchic);
 		oSecurity.denyUser(oDocument, ORestrictedOperation.ALLOW_ALL, writerUserName);
 		String readerUserName = getSecurityRoleOrUserName(PermissionMode.WRITER, SecurityType.USER, hierarchic);
@@ -248,13 +306,10 @@ public class SecurityContext {
 	public void removeElement(Element element, OrientGraph orientGraph) {
 		OrientElement orientElement = (OrientElement) element;
 		ODocument oDocument = orientElement.getRecord();
-		OSecurity oSecurity = getAdminOSecurity(orientGraph);
+		OSecurity oSecurity = getOSecurity(orientGraph);
 		deny(oSecurity, oDocument, false);
 		if(hierarchic) {
 			deny(oSecurity, oDocument, true);
-			if(getParentSecurityContext() != null) {
-				getParentSecurityContext().removeElementFromHierarchy(oSecurity, oDocument);
-			}
 		}
 		oDocument.save();
 		orientElement.save();
@@ -293,26 +348,6 @@ public class SecurityContext {
 		}
 	}
 	
-	protected void removeElementFromHierarchy(OSecurity oSecurity, ODocument oDocument) {
-		// I don't have to deny the Hierarchic role if the element belong to context
-		String writerRoleName = getSecurityRoleOrUserName(PermissionMode.WRITER, SecurityType.ROLE, false);
-		ORole writerRole = oSecurity.getRole(writerRoleName);
-		
-		/*
-		 * This check if the writerRole (not hierarchic) has the right to operate on the
-		 * document. In such a case don't have to deny the hierarchy
-		 */
-		boolean allowed = allowed(writerRole, oDocument);
-		
-		// If allowed not denying the hierarchy and continuing to parents
-		if(!allowed) {
-			deny(oSecurity, oDocument, true);
-			if(getParentSecurityContext() != null) {
-				getParentSecurityContext().removeElementFromHierarchy(oSecurity, oDocument);
-			}
-		}
-	}
-	
 	public void create() throws ResourceRegistryException {
 		OrientGraph orientGraph = getAdminOrientGraph();
 		create(orientGraph);
@@ -325,7 +360,19 @@ public class SecurityContext {
 	}
 	
 	protected ORole getSuperRole(OSecurity oSecurity, PermissionMode permissionMode) {
-		return oSecurity.getRole(permissionMode.name().toLowerCase());
+		String superRoleName = permissionMode.name().toLowerCase();
+		return oSecurity.getRole(superRoleName);
+	}
+	
+	protected void addHierarchicRoleToParent(OSecurity oSecurity, PermissionMode permissionMode, ORole role) {
+		String userName = getSecurityRoleOrUserName(permissionMode, SecurityType.USER, true);
+		OUser user = oSecurity.getUser(userName);
+		user.addRole(role);
+		user.save();
+		
+		if(getParentSecurityContext() != null) {
+			getParentSecurityContext().addHierarchicRoleToParent(oSecurity, permissionMode, role);
+		}
 	}
 	
 	protected void createRolesAndUsers(OSecurity oSecurity) {
@@ -346,6 +393,10 @@ public class SecurityContext {
 				role.save();
 				logger.trace("{} created", role);
 				
+				if(hierarchic && getParentSecurityContext() != null) {
+					getParentSecurityContext().addHierarchicRoleToParent(oSecurity, permissionMode, role);
+				}
+				
 				String userName = getSecurityRoleOrUserName(permissionMode, SecurityType.USER, hierarchic);
 				OUser user = oSecurity.createUser(userName, DatabaseEnvironment.DEFAULT_PASSWORDS.get(permissionMode),
 						role);
@@ -353,11 +404,11 @@ public class SecurityContext {
 				logger.trace("{} created", user);
 			}
 		}
+		
 	}
 	
 	public void create(OrientGraph orientGraph) {
-		ODatabaseDocumentTx oDatabaseDocumentTx = getAdminODatabaseDocumentTx(orientGraph);
+		OSecurity oSecurity = getOSecurity(orientGraph);
-		OSecurity oSecurity = getAdminOSecurity(oDatabaseDocumentTx);
 		
 		createRolesAndUsers(oSecurity);
 		
@@ -392,6 +443,42 @@ public class SecurityContext {
 		orientGraph.shutdown();
 	}
 	
+	protected void removeChildrenHRolesFromParents(OSecurity oSecurity) {
+		Set<SecurityContext> parents = getAllParents();
+		Set<SecurityContext> allChildren = getAllChildren();
+		removeChildrenHRolesFromParents(oSecurity, parents, allChildren);
+	}
+	
+	protected void removeChildrenHRolesFromParents(OSecurity oSecurity, Set<SecurityContext> parents, Set<SecurityContext> children) {
+		for(SecurityContext parent : parents) {
+			parent.removeChildrenHRolesFromMyHUsers(oSecurity, children);
+		}
+	}
+	
+	protected void removeChildrenHRolesFromMyHUsers(OSecurity oSecurity, Set<SecurityContext> children) {
+		for(PermissionMode permissionMode : PermissionMode.values()) {
+			String userName = getSecurityRoleOrUserName(permissionMode, SecurityType.USER, true);
+			OUser user = oSecurity.getUser(userName);
+			for(SecurityContext child : children) {
+				String roleName = child.getSecurityRoleOrUserName(permissionMode, SecurityType.ROLE, true);
+				logger.debug("Going to remove {} from {}", roleName, userName);
+				boolean removed = user.removeRole(roleName);
+				logger.trace("{} {} removed from {}", roleName, removed ? "successfully" : "NOT", userName);
+			}
+			user.save();
+		}
+		
+	}
+	
+	protected void removeHierarchicRoleFromMyHUser(OSecurity oSecurity, PermissionMode permissionMode, String roleName) {
+		String userName = getSecurityRoleOrUserName(permissionMode, SecurityType.USER, true);
+		OUser user = oSecurity.getUser(userName);
+		logger.debug("Going to remove {} from {}", roleName, userName);
+		boolean removed = user.removeRole(roleName);
+		logger.trace("{} {} removed from {}", roleName, removed ? "successfully" : "NOT", userName);
+		user.save();
+	}
+	
 	protected void deleteRolesAndUsers(OSecurity oSecurity) {
 		boolean[] booleanArray;
 		if(hierarchic) {
@@ -400,6 +487,9 @@ public class SecurityContext {
 			booleanArray = new boolean[] {false};
 		}
 		for(boolean hierarchic : booleanArray) {
+			if(hierarchic) {
+				removeChildrenHRolesFromParents(oSecurity);
+			}
 			for(PermissionMode permissionMode : PermissionMode.values()) {
 				for(SecurityType securityType : SecurityType.values()) {
 					String name = getSecurityRoleOrUserName(permissionMode, securityType, hierarchic);
@@ -410,14 +500,14 @@ public class SecurityContext {
 	}
 	
 	public void delete(OrientGraph orientGraph) {
-		ODatabaseDocumentTx oDatabaseDocumentTx = getAdminODatabaseDocumentTx(orientGraph);
+		OSecurity oSecurity = getOSecurity(orientGraph);
-		OSecurity oSecurity = getAdminOSecurity(oDatabaseDocumentTx);
 		
 		logger.trace("Going to remove Security Context (roles and users) with UUID {}", context.toString());
 		
 		deleteRolesAndUsers(oSecurity);
 		
 		logger.trace("Security Context (roles and users) with UUID {} successfully removed", context.toString());
+		
 	}
 	
 	public OrientGraph getGraph(PermissionMode permissionMode) {

src/main/java/org/gcube/informationsystem/resourceregistry/dbinitialization/DatabaseEnvironment.java

@@ -175,7 +175,7 @@ public class DatabaseEnvironment {
 		try {
 			boolean created = initGraphDB();
 			
-			ContextUtility contextUtility = ContextUtility.getInstace();
+			ContextUtility contextUtility = ContextUtility.getInstance();
 			
 			AdminSecurityContext adminSecurityContext = new AdminSecurityContext();
 			contextUtility.addSecurityContext(adminSecurityContext.getUUID().toString(), adminSecurityContext);

src/main/java/org/gcube/informationsystem/resourceregistry/er/ERManagement.java

@@ -255,7 +255,7 @@ public abstract class ERManagement<ERType extends ER, El extends Element> {
 		} catch(ResourceRegistryException e) {
 			throw e;
 		} catch(Exception e) {
-			throw new ResourceRegistryException("Error Creating " + erType + " with " + jsonNode, e.getCause());
+			throw new ResourceRegistryException("Error Creating " + erType + " with " + jsonNode, e);
 		}
 	}
 	
@@ -273,7 +273,7 @@ public abstract class ERManagement<ERType extends ER, El extends Element> {
 		} catch(ResourceRegistryException e) {
 			throw e;
 		} catch(Exception e) {
-			throw new ResourceRegistryException("Error Updating " + erType + " with " + jsonNode, e.getCause());
+			throw new ResourceRegistryException("Error Updating " + erType + " with " + jsonNode, e);
 		}
 	}
 	
@@ -438,6 +438,8 @@ public abstract class ERManagement<ERType extends ER, El extends Element> {
 		
 		try {
 			orientGraph = getWorkingContext().getGraph(PermissionMode.WRITER);
+			orientGraph.setAutoStartTx(false);
+			orientGraph.begin();
 			
 			element = internalCreate();
 			
@@ -489,6 +491,8 @@ public abstract class ERManagement<ERType extends ER, El extends Element> {
 	public String update() throws ERNotFoundException, ERAvailableInAnotherContextException, ResourceRegistryException {
 		try {
 			orientGraph = getWorkingContext().getGraph(PermissionMode.WRITER);
+			orientGraph.setAutoStartTx(false);
+			orientGraph.begin();
 			
 			element = internalUpdate();
 			
@@ -526,6 +530,8 @@ public abstract class ERManagement<ERType extends ER, El extends Element> {
 		try {
 			
 			orientGraph = ContextUtility.getAdminSecurityContext().getGraph(PermissionMode.WRITER);
+			orientGraph.setAutoStartTx(false);
+			orientGraph.begin();
 			
 			boolean deleted = reallyDelete();
 			
@@ -564,6 +570,8 @@ public abstract class ERManagement<ERType extends ER, El extends Element> {
 		
 		try {
 			orientGraph = ContextUtility.getAdminSecurityContext().getGraph(PermissionMode.WRITER);
+			orientGraph.setAutoStartTx(false);
+			orientGraph.begin();
 			
 			boolean added = internalAddToContext();
 			
@@ -596,6 +604,8 @@ public abstract class ERManagement<ERType extends ER, El extends Element> {
 		try {
 			
 			orientGraph = ContextUtility.getAdminSecurityContext().getGraph(PermissionMode.WRITER);
+			orientGraph.setAutoStartTx(false);
+			orientGraph.begin();
 			
 			boolean removed = internalRemoveFromContext();
 			

src/test/java/org/gcube/informationsystem/resourceregistry/context/ContextManagementTest.java

@@ -90,16 +90,21 @@ public class ContextManagementTest extends ScopedTest {
 
 	}
 
-	protected void roleUserAssertions(UUID uuid, boolean deleted) throws ResourceRegistryException {
+	protected void roleUserAssertions(UUID uuid, UUID oldParentUUID, boolean deleted) throws ResourceRegistryException {
 		ContextSecurityContext contextSecurityContext = new ContextSecurityContext();
-		ContextUtility.getInstace().addSecurityContext(contextSecurityContext.getUUID().toString(),
+		ContextUtility.getInstance().addSecurityContext(contextSecurityContext.getUUID().toString(),
 				contextSecurityContext);
 
 		OrientGraph orientGraph = contextSecurityContext.getGraph(PermissionMode.READER);
 		ODatabaseDocumentTx oDatabaseDocumentTx = orientGraph.getRawGraph();
 		OSecurity oSecurity = oDatabaseDocumentTx.getMetadata().getSecurity();
 		
-		SecurityContext securityContext = new SecurityContext(uuid);
+		SecurityContext securityContext = null;
+		if(deleted) {
+			securityContext = new SecurityContext(uuid);
+		} else {
+			securityContext = ContextUtility.getInstance().getSecurityContextByUUID(uuid);
+		}
 
 		boolean[] booleanArray = new boolean[] { false, true };
 		for (boolean hierarchic : booleanArray) {
@@ -111,6 +116,26 @@ public class ContextManagementTest extends ScopedTest {
 				String user = securityContext.getSecurityRoleOrUserName(permissionMode, SecurityType.USER, hierarchic);
 				OUser oUser = oSecurity.getUser(user);
 				Assert.assertEquals(oUser == null, deleted);
+				if(oUser!=null) {
+					Assert.assertTrue(oUser.hasRole(oRole.getName(), false));
+				}
+				
+				if(hierarchic) {
+					SecurityContext parent = null;
+					if(deleted){
+						if(oldParentUUID!=null) {
+							parent = ContextUtility.getInstance().getSecurityContextByUUID(oldParentUUID);
+						}
+					}
+					parent = securityContext.getParentSecurityContext();
+					while(parent!=null) {
+						String parentUser = parent.getSecurityRoleOrUserName(permissionMode, SecurityType.USER, hierarchic);
+						OUser parentOUser = oSecurity.getUser(parentUser);
+						Assert.assertTrue(parentOUser != null);
+						Assert.assertEquals(parentOUser.hasRole(oRole.getName(), false), !deleted);
+						parent = parent.getParentSecurityContext();
+					}
+				}
 				
 			}
 		}
@@ -121,7 +146,7 @@ public class ContextManagementTest extends ScopedTest {
 		contextManagement.setUUID(uuid);
 		String contextString = contextManagement.read();
 		logger.debug("Read {}", contextString);
-		roleUserAssertions(uuid, false);
+		roleUserAssertions(uuid, null, false);
 		return ISMapper.unmarshal(Context.class, contextString);
 	}
 
@@ -132,7 +157,7 @@ public class ContextManagementTest extends ScopedTest {
 		logger.debug("Created {}", contextString);
 		Context c = ISMapper.unmarshal(Context.class, contextString);
 		assertions(context, c, true, true);
-		roleUserAssertions(c.getHeader().getUUID(), false);
+		roleUserAssertions(c.getHeader().getUUID(), null, false);
 		return c;
 	}
 
@@ -143,16 +168,24 @@ public class ContextManagementTest extends ScopedTest {
 		logger.debug("Updated {}", contextString);
 		Context c = ISMapper.unmarshal(Context.class, contextString);
 		assertions(context, c, true, false);
-		roleUserAssertions(c.getHeader().getUUID(), false);
+		roleUserAssertions(c.getHeader().getUUID(), null, false);
 		return c;
 	}
 
 	protected boolean delete(UUID uuid) throws ResourceRegistryException {
 		ContextManagement contextManagement = new ContextManagement();
 		contextManagement.setUUID(uuid);
+		
+		SecurityContext securityContext = ContextUtility.getInstance().getSecurityContextByUUID(uuid);
+		
+		UUID oldParentUUID = null;
+		if(securityContext.getParentSecurityContext()!=null) {
+			oldParentUUID = securityContext.getParentSecurityContext().getUUID();
+		}
+		
 		boolean deleted = contextManagement.delete();
 		Assert.assertTrue(deleted);
-		roleUserAssertions(uuid, true);
+		roleUserAssertions(uuid, oldParentUUID, true);
 		logger.debug("Deleted {} with UUID {}", Context.NAME, uuid);
 		return deleted;
 	}
@@ -336,6 +369,44 @@ public class ContextManagementTest extends ScopedTest {
 		// ___A2_______B4____
 		// B3______________A5
 		
+		/*
+		// This updates (move) has been made to test HRoles and HUsers
+		
+		contextA2.setParent(contextA5);
+		update(contextA2);
+		// __A1______________
+		// _____B4___________
+		// ________A5________
+		// ___________A2_____
+		// ______________B3__
+		
+		
+		contextA5.setParent(contextA1);
+		update(contextA5);
+		// _________A1________
+		// ______A5_____B4____
+		// ___A2______________
+		// B3_________________
+		
+		
+		contextA5.setParent(contextB4);
+		update(contextA5);
+		// __A1______________
+		// _____B4___________
+		// ________A5________
+		// ___________A2_____
+		// ______________B3__
+				
+		
+		
+		contextA2.setParent(contextA1);
+		update(contextA2);
+		// ________A1________
+		// ___A2_______B4____
+		// B3______________A5
+		*/
+		
+
 		// The following delete are not allowed because they are not child contexts
 		invalidDelete(contextA1);
 		invalidDelete(contextA2);
@@ -372,12 +443,33 @@ public class ContextManagementTest extends ScopedTest {
 		logger.debug("The DB should be now clean");
 	}
 	
+	private List<Context> getAll() throws Exception{
+		ContextManagement contextManagement = new ContextManagement();
+		String allString = contextManagement.all(false);
+		logger.trace(allString);
+		List<Context> all = ISMapper.unmarshalList(Context.class, allString);
+		return all;
+	}
+	
+	
+	// @Test
+	public void deleteAll() throws Exception {
+		List<Context> all = getAll();
+		while(all.size()>0) {
+			for (Context context : all) {
+				logger.trace(ISMapper.marshal(context));
+				List<IsParentOf<Context, Context>> children = context.getChildren();
+				if(children==null || children.size()==0) {
+					// delete(context);
+				}
+			}
+			// all = getAll();
+		}
+	}
+	
 	@Test
 	public void testGetAll() throws Exception {
-		ContextManagement contextManagement = new ContextManagement();
+		List<Context> contexts = getAll();
-		String all = contextManagement.all(false);
-		logger.trace(all);
-		List<Context> contexts = ISMapper.unmarshalList(Context.class, all);
 		for (Context context : contexts) {
 			logger.trace(ISMapper.marshal(context));
 			List<IsParentOf<Context, Context>> children = context.getChildren();
@@ -386,10 +478,17 @@ public class ContextManagementTest extends ScopedTest {
 				Context childContext = child.getTarget();
 				Assert.assertTrue(childContext.getParent().getSource() == context);
 			}
-			roleUserAssertions(context.getHeader().getUUID(), false);
+			roleUserAssertions(context.getHeader().getUUID(), null, false);
 		}
 	}
 
+	// @Test
+	public void readContext() throws ResourceRegistryException, IOException {
+		Context context = read(UUID.fromString(""));
+		logger.debug("{}", context);
+	}
+
+	
 	// @Test
 	public void deleteContext() throws ResourceRegistryException, IOException {
 		Context context = read(UUID.fromString(""));