Fixes #10435: Add support for hierarchical roles to support child context overview

Task-Url: https://support.d4science.org/issues/10435

git-svn-id: https://svn.d4science.research-infrastructures.eu/gcube/trunk/information-system/resource-registry@160040 82a268e6-3cf1-43bd-a215-b396298e98cf
This commit is contained in:
Luca Frosini 2017-12-05 09:10:34 +00:00
parent 1fcdccd7af
commit 263bcf07c9
8 changed files with 324 additions and 102 deletions

View File

@ -75,7 +75,7 @@ public class ContextManagement extends EntityManagement<Context> {
protected SecurityContext getWorkingContext() throws ResourceRegistryException { protected SecurityContext getWorkingContext() throws ResourceRegistryException {
if(workingContext == null) { if(workingContext == null) {
workingContext = ContextUtility.getInstace() workingContext = ContextUtility.getInstance()
.getSecurityContextByUUID(DatabaseEnvironment.CONTEXT_SECURITY_CONTEXT_UUID); .getSecurityContextByUUID(DatabaseEnvironment.CONTEXT_SECURITY_CONTEXT_UUID);
} }
return workingContext; return workingContext;
@ -192,6 +192,7 @@ public class ContextManagement extends EntityManagement<Context> {
@Override @Override
protected Vertex reallyCreate() throws ERAlreadyPresentException, ResourceRegistryException { protected Vertex reallyCreate() throws ERAlreadyPresentException, ResourceRegistryException {
SecurityContext securityContext = null; SecurityContext securityContext = null;
SecurityContext parentSecurityContext = null;
try { try {
JsonNode isParentOfJsonNode = jsonNode.get(Context.PARENT_PROPERTY); JsonNode isParentOfJsonNode = jsonNode.get(Context.PARENT_PROPERTY);
@ -199,10 +200,13 @@ public class ContextManagement extends EntityManagement<Context> {
if(isParentOfJsonNode != null && !(isParentOfJsonNode instanceof NullNode)) { if(isParentOfJsonNode != null && !(isParentOfJsonNode instanceof NullNode)) {
JsonNode parentJsonNode = isParentOfJsonNode.get(Relation.SOURCE_PROPERTY); JsonNode parentJsonNode = isParentOfJsonNode.get(Relation.SOURCE_PROPERTY);
ContextManagement parentContext = new ContextManagement(orientGraph); ContextManagement parentContextManagement = new ContextManagement(orientGraph);
parentContext.setJSON(parentJsonNode); parentContextManagement.setJSON(parentJsonNode);
UUID parentUUID = parentContextManagement.uuid;
parentSecurityContext = ContextUtility.getInstance().getSecurityContextByUUID(parentUUID);
checkContext(parentContext);
checkContext(parentContextManagement);
if(uuid == null) { if(uuid == null) {
uuid = UUID.randomUUID(); uuid = UUID.randomUUID();
} }
@ -211,7 +215,7 @@ public class ContextManagement extends EntityManagement<Context> {
IsParentOfManagement isParentOfManagement = new IsParentOfManagement(orientGraph); IsParentOfManagement isParentOfManagement = new IsParentOfManagement(orientGraph);
isParentOfManagement.setJSON(isParentOfJsonNode); isParentOfManagement.setJSON(isParentOfJsonNode);
isParentOfManagement.setSourceEntityManagement(parentContext); isParentOfManagement.setSourceEntityManagement(parentContextManagement);
isParentOfManagement.setTargetEntityManagement(this); isParentOfManagement.setTargetEntityManagement(this);
isParentOfManagement.internalCreate(); isParentOfManagement.internalCreate();
@ -222,13 +226,20 @@ public class ContextManagement extends EntityManagement<Context> {
} }
securityContext = new SecurityContext(uuid); securityContext = new SecurityContext(uuid);
securityContext.setParentSecurityContext(parentSecurityContext);
securityContext.create(orientGraph); securityContext.create(orientGraph);
ContextUtility.getInstance().addSecurityContext(securityContext);
return getElement(); return getElement();
} catch(Exception e) { } catch(Exception e) {
orientGraph.rollback(); orientGraph.rollback();
if(securityContext != null) { if(securityContext != null) {
securityContext.delete(orientGraph); securityContext.delete(orientGraph);
if(parentSecurityContext!=null && securityContext!=null) {
parentSecurityContext.getChildren().remove(securityContext);
}
ContextUtility.getInstance().removeFromCache(uuid, false);
} }
throw e; throw e;
} }
@ -308,7 +319,7 @@ public class ContextManagement extends EntityManagement<Context> {
element = (Vertex) ERManagement.updateProperties(oClass, getElement(), jsonNode, ignoreKeys, element = (Vertex) ERManagement.updateProperties(oClass, getElement(), jsonNode, ignoreKeys,
ignoreStartWithKeys); ignoreStartWithKeys);
ContextUtility.getInstace().removeFromCache(uuid); ContextUtility.getInstance().removeFromCache(uuid, true);
return element; return element;
} }
@ -319,6 +330,8 @@ public class ContextManagement extends EntityManagement<Context> {
checkContext(newParentContextManagement); checkContext(newParentContextManagement);
} }
SecurityContext newParentSecurityContext = null;
// Removing the old parent relationship if any // Removing the old parent relationship if any
Iterable<Edge> edges = getElement().getEdges(Direction.IN, IsParentOf.NAME); Iterable<Edge> edges = getElement().getEdges(Direction.IN, IsParentOf.NAME);
if(edges != null && edges.iterator().hasNext()) { if(edges != null && edges.iterator().hasNext()) {
@ -341,8 +354,11 @@ public class ContextManagement extends EntityManagement<Context> {
isParentOfManagement.setSourceEntityManagement(newParentContextManagement); isParentOfManagement.setSourceEntityManagement(newParentContextManagement);
isParentOfManagement.setTargetEntityManagement(this); isParentOfManagement.setTargetEntityManagement(this);
isParentOfManagement.internalCreate(); isParentOfManagement.internalCreate();
newParentSecurityContext = ContextUtility.getInstance().getSecurityContextByUUID(newParentContextManagement.uuid);
} }
SecurityContext thisSecurityContext = ContextUtility.getInstance().getSecurityContextByUUID(uuid);
thisSecurityContext.changeParentSecurityContext(newParentSecurityContext, orientGraph);
} }
@Override @Override
@ -355,11 +371,11 @@ public class ContextManagement extends EntityManagement<Context> {
element.remove(); element.remove();
ContextUtility contextUtility = ContextUtility.getInstace(); ContextUtility contextUtility = ContextUtility.getInstance();
SecurityContext securityContext = contextUtility.getSecurityContextByUUID(uuid); SecurityContext securityContext = contextUtility.getSecurityContextByUUID(uuid);
securityContext.delete(orientGraph); securityContext.delete(orientGraph);
contextUtility.removeFromCache(uuid); contextUtility.removeFromCache(uuid, false);
return true; return true;

View File

@ -40,7 +40,7 @@ public class ContextUtility {
private static ContextUtility contextUtility; private static ContextUtility contextUtility;
public static ContextUtility getInstace() { public static ContextUtility getInstance() {
if(contextUtility == null) { if(contextUtility == null) {
contextUtility = new ContextUtility(); contextUtility = new ContextUtility();
} }
@ -81,26 +81,32 @@ public class ContextUtility {
if(fullName == null) { if(fullName == null) {
throw new ContextException("Null Token and Scope. Please set your token first."); throw new ContextException("Null Token and Scope. Please set your token first.");
} }
return ContextUtility.getInstace().getSecurityContextByFullName(fullName); return ContextUtility.getInstance().getSecurityContextByFullName(fullName);
} }
public static AdminSecurityContext getAdminSecurityContext() throws ResourceRegistryException { public static AdminSecurityContext getAdminSecurityContext() throws ResourceRegistryException {
AdminSecurityContext adminSecurityContext = (AdminSecurityContext) ContextUtility.getInstace() AdminSecurityContext adminSecurityContext = (AdminSecurityContext) ContextUtility.getInstance()
.getSecurityContextByUUID(DatabaseEnvironment.ADMIN_SECURITY_CONTEXT_UUID); .getSecurityContextByUUID(DatabaseEnvironment.ADMIN_SECURITY_CONTEXT_UUID);
return adminSecurityContext; return adminSecurityContext;
} }
public synchronized void removeFromCache(UUID uuid) throws ResourceRegistryException { public synchronized void removeFromCache(UUID uuid, boolean fullNameOnly) throws ResourceRegistryException {
for(String fullName : contextUUIDs.keySet()) { for(String fullName : contextUUIDs.keySet()) {
UUID uuidKey = contextUUIDs.get(fullName); UUID uuidKey = contextUUIDs.get(fullName);
if(uuidKey.compareTo(uuid) == 0) { if(uuidKey.compareTo(uuid) == 0) {
contextUUIDs.remove(fullName); contextUUIDs.remove(fullName);
contexts.remove(uuid); if(!fullNameOnly) {
contexts.remove(uuid);
}
return; return;
} }
} }
} }
public synchronized void addSecurityContext(SecurityContext securityContext) {
contexts.put(securityContext.getUUID(), securityContext);
}
public synchronized void addSecurityContext(String fullname, SecurityContext securityContext) { public synchronized void addSecurityContext(String fullname, SecurityContext securityContext) {
contextUUIDs.put(fullname, securityContext.getUUID()); contextUUIDs.put(fullname, securityContext.getUUID());
contexts.put(securityContext.getUUID(), securityContext); contexts.put(securityContext.getUUID(), securityContext);

View File

@ -42,7 +42,7 @@ public class IsParentOfManagement extends RelationManagement<IsParentOf,ContextM
@Override @Override
protected SecurityContext getWorkingContext() throws ResourceRegistryException { protected SecurityContext getWorkingContext() throws ResourceRegistryException {
if(workingContext == null) { if(workingContext == null) {
workingContext = ContextUtility.getInstace() workingContext = ContextUtility.getInstance()
.getSecurityContextByUUID(DatabaseEnvironment.CONTEXT_SECURITY_CONTEXT_UUID); .getSecurityContextByUUID(DatabaseEnvironment.CONTEXT_SECURITY_CONTEXT_UUID);
} }
return workingContext; return workingContext;

View File

@ -25,6 +25,7 @@ public class AdminSecurityContext extends SecurityContext {
throw new RuntimeException("Cannot use this method for Admin Context"); throw new RuntimeException("Cannot use this method for Admin Context");
} }
@Override
protected ORole getSuperRole(OSecurity oSecurity, PermissionMode permissionMode) { protected ORole getSuperRole(OSecurity oSecurity, PermissionMode permissionMode) {
return oSecurity.getRole(DatabaseEnvironment.DEFAULT_ADMIN_ROLE); return oSecurity.getRole(DatabaseEnvironment.DEFAULT_ADMIN_ROLE);
} }

View File

@ -4,7 +4,9 @@
package org.gcube.informationsystem.resourceregistry.context.security; package org.gcube.informationsystem.resourceregistry.context.security;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet;
import java.util.Map; import java.util.Map;
import java.util.Set;
import java.util.UUID; import java.util.UUID;
import java.util.concurrent.Callable; import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService; import java.util.concurrent.ExecutorService;
@ -15,6 +17,7 @@ import org.gcube.informationsystem.model.entity.Context;
import org.gcube.informationsystem.resourceregistry.api.exceptions.ResourceRegistryException; import org.gcube.informationsystem.resourceregistry.api.exceptions.ResourceRegistryException;
import org.gcube.informationsystem.resourceregistry.context.ContextUtility; import org.gcube.informationsystem.resourceregistry.context.ContextUtility;
import org.gcube.informationsystem.resourceregistry.dbinitialization.DatabaseEnvironment; import org.gcube.informationsystem.resourceregistry.dbinitialization.DatabaseEnvironment;
import org.gcube.informationsystem.resourceregistry.utils.Utility;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -79,50 +82,127 @@ public class SecurityContext {
protected SecurityContext parentSecurityContext; protected SecurityContext parentSecurityContext;
protected Set<SecurityContext> children;
protected boolean isHierarchicMode() { protected boolean isHierarchicMode() {
return hierarchic && ContextUtility.getHierarchicMode().get(); return hierarchic && ContextUtility.getHierarchicMode().get();
} }
public void setParentSecurityContext(SecurityContext parentSecurityContext) { public void setParentSecurityContext(SecurityContext parentSecurityContext) {
if(this.parentSecurityContext!=null) {
this.parentSecurityContext.getChildren().remove(this);
}
this.parentSecurityContext = parentSecurityContext; this.parentSecurityContext = parentSecurityContext;
if(parentSecurityContext!=null) {
this.parentSecurityContext.addChild(this);
}
} }
public SecurityContext getParentSecurityContext() { public SecurityContext getParentSecurityContext() {
return parentSecurityContext; return parentSecurityContext;
} }
/** private void addChild(SecurityContext child) {
* Use to change the parent not to set the first time this.children.add(child);
* }
* @param newParentSecurityContext
* @throws ResourceRegistryException public Set<SecurityContext> getChildren(){
*/ return this.children;
public void changeParentSecurityContext(SecurityContext newParentSecurityContext) throws ResourceRegistryException {
OrientGraph orientGraph = getAdminOrientGraph();
changeParentSecurityContext(newParentSecurityContext, orientGraph);
} }
protected OrientGraph getAdminOrientGraph() throws ResourceRegistryException { protected OrientGraph getAdminOrientGraph() throws ResourceRegistryException {
return ContextUtility.getAdminSecurityContext().getGraph(PermissionMode.WRITER); return ContextUtility.getAdminSecurityContext().getGraph(PermissionMode.WRITER);
} }
/**
* @return a set containing all children and recursively
* all children.
*/
private Set<SecurityContext> getAllChildren(){
Set<SecurityContext> allChildren = new HashSet<>();
allChildren.add(this);
for(SecurityContext securityContext : getChildren()) {
allChildren.addAll(securityContext.getAllChildren());
}
return allChildren;
}
/**
* @return
*/
private Set<SecurityContext> getAllParents(){
Set<SecurityContext> allParents = new HashSet<>();
SecurityContext parent = getParentSecurityContext();
while(parent!=null) {
allParents.add(parent);
parent = parent.getParentSecurityContext();
}
return allParents;
}
/** /**
* Use to change the parent not to set the first time * Use to change the parent not to set the first time
* *
* @param newParentSecurityContext * @param newParentSecurityContext
* @param orientGraph * @param orientGraph
* @throws ResourceRegistryException
*/ */
public void changeParentSecurityContext(SecurityContext newParentSecurityContext, OrientGraph orientGraph) { public void changeParentSecurityContext(SecurityContext newParentSecurityContext, OrientGraph orientGraph) throws ResourceRegistryException {
// TODO Remove from old hierarchy if(!hierarchic) {
// TODO Add to new Hierarchy StringBuilder errorMessage = new StringBuilder();
// In both cases take in account the new and the old parent errorMessage.append("Cannot change parent ");
errorMessage.append(SecurityContext.class.getSimpleName());
errorMessage.append(" to non hierarchic ");
errorMessage.append(SecurityContext.class.getSimpleName());
errorMessage.append(". ");
errorMessage.append(Utility.SHOULD_NOT_OCCUR_ERROR_MESSAGE);
final String error = errorMessage.toString();
logger.error(error);
throw new RuntimeException(error);
}
OSecurity oSecurity = getOSecurity(orientGraph);
Set<SecurityContext> allChildren = getAllChildren();
Set<SecurityContext> oldParents = getAllParents();
Set<SecurityContext> newParents = new HashSet<>();
if(newParentSecurityContext!=null) {
newParents = newParentSecurityContext.getAllParents();
}
/*
* From old parents I remove the new parents so that oldParents
* contains only the parents where I have to remove all
* HReaderRole-UUID e HWriterRole-UUID of allChildren by using
* removeHierarchicRoleFromParent() function
*
*/
oldParents.removeAll(newParents);
removeChildrenHRolesFromParents(oSecurity, oldParents, allChildren);
setParentSecurityContext(newParentSecurityContext); setParentSecurityContext(newParentSecurityContext);
if(newParentSecurityContext!=null){
for(PermissionMode permissionMode : PermissionMode.values()) {
for(SecurityContext child : allChildren) {
String roleName = child.getSecurityRoleOrUserName(permissionMode, SecurityType.ROLE, true);
ORole role = oSecurity.getRole(roleName);
getParentSecurityContext().addHierarchicRoleToParent(oSecurity, permissionMode, role);
}
}
}
} }
protected SecurityContext(UUID context, boolean hierarchic) throws ResourceRegistryException { protected SecurityContext(UUID context, boolean hierarchic) throws ResourceRegistryException {
this.context = context; this.context = context;
this.factoryMap = new HashMap<>(); this.factoryMap = new HashMap<>();
this.hierarchic = hierarchic; this.hierarchic = hierarchic;
this.children = new HashSet<>();
} }
public SecurityContext(UUID context) throws ResourceRegistryException { public SecurityContext(UUID context) throws ResourceRegistryException {
@ -176,19 +256,9 @@ public class SecurityContext {
return stringBuilder.toString(); return stringBuilder.toString();
} }
private ODatabaseDocumentTx getAdminODatabaseDocumentTx(OrientGraph orientGraph) { private OSecurity getOSecurity(OrientGraph orientGraph) {
ODatabaseDocumentTx oDatabaseDocumentTx = orientGraph.getRawGraph(); ODatabaseDocumentTx oDatabaseDocumentTx = orientGraph.getRawGraph();
return oDatabaseDocumentTx; return oDatabaseDocumentTx.getMetadata().getSecurity();
}
private OSecurity getAdminOSecurity(ODatabaseDocumentTx oDatabaseDocumentTx) {
OSecurity oSecurity = oDatabaseDocumentTx.getMetadata().getSecurity();
return oSecurity;
}
private OSecurity getAdminOSecurity(OrientGraph orientGraph) {
ODatabaseDocumentTx oDatabaseDocumentTx = getAdminODatabaseDocumentTx(orientGraph);
return getAdminOSecurity(oDatabaseDocumentTx);
} }
public void addElement(Element element) throws ResourceRegistryException { public void addElement(Element element) throws ResourceRegistryException {
@ -205,34 +275,22 @@ public class SecurityContext {
public void addElement(Element element, OrientGraph orientGraph) { public void addElement(Element element, OrientGraph orientGraph) {
OrientElement orientElement = (OrientElement) element; OrientElement orientElement = (OrientElement) element;
ODocument oDocument = orientElement.getRecord(); ODocument oDocument = orientElement.getRecord();
OSecurity oSecurity = getAdminOSecurity(orientGraph); OSecurity oSecurity = getOSecurity(orientGraph);
allow(oSecurity, oDocument, false); allow(oSecurity, oDocument, false);
if(hierarchic) { if(hierarchic) {
allow(oSecurity, oDocument, true); allow(oSecurity, oDocument, true);
if(getParentSecurityContext() != null) {
getParentSecurityContext().addElementToHierarchy(oSecurity, oDocument);
}
} }
oDocument.save(); oDocument.save();
orientElement.save(); orientElement.save();
} }
protected void addElementToHierarchy(OSecurity oSecurity, ODocument oDocument) {
allow(oSecurity, oDocument, true);
if(getParentSecurityContext() != null) {
getParentSecurityContext().addElementToHierarchy(oSecurity, oDocument);
}
}
public void removeElement(Element element) throws ResourceRegistryException { public void removeElement(Element element) throws ResourceRegistryException {
removeElement(element, getAdminOrientGraph()); removeElement(element, getAdminOrientGraph());
} }
protected void deny(OSecurity oSecurity, ODocument oDocument, boolean hierarchic) { protected void deny(OSecurity oSecurity, ODocument oDocument, boolean hierarchic) {
// The element could be created in such a context so the writerUser for the // The element could be created in such a context so the writerUser for the
// context is allowed by default // context is allowed by default because it was the creator
// because it was the creator
String writerUserName = getSecurityRoleOrUserName(PermissionMode.WRITER, SecurityType.USER, hierarchic); String writerUserName = getSecurityRoleOrUserName(PermissionMode.WRITER, SecurityType.USER, hierarchic);
oSecurity.denyUser(oDocument, ORestrictedOperation.ALLOW_ALL, writerUserName); oSecurity.denyUser(oDocument, ORestrictedOperation.ALLOW_ALL, writerUserName);
String readerUserName = getSecurityRoleOrUserName(PermissionMode.WRITER, SecurityType.USER, hierarchic); String readerUserName = getSecurityRoleOrUserName(PermissionMode.WRITER, SecurityType.USER, hierarchic);
@ -248,13 +306,10 @@ public class SecurityContext {
public void removeElement(Element element, OrientGraph orientGraph) { public void removeElement(Element element, OrientGraph orientGraph) {
OrientElement orientElement = (OrientElement) element; OrientElement orientElement = (OrientElement) element;
ODocument oDocument = orientElement.getRecord(); ODocument oDocument = orientElement.getRecord();
OSecurity oSecurity = getAdminOSecurity(orientGraph); OSecurity oSecurity = getOSecurity(orientGraph);
deny(oSecurity, oDocument, false); deny(oSecurity, oDocument, false);
if(hierarchic) { if(hierarchic) {
deny(oSecurity, oDocument, true); deny(oSecurity, oDocument, true);
if(getParentSecurityContext() != null) {
getParentSecurityContext().removeElementFromHierarchy(oSecurity, oDocument);
}
} }
oDocument.save(); oDocument.save();
orientElement.save(); orientElement.save();
@ -293,26 +348,6 @@ public class SecurityContext {
} }
} }
protected void removeElementFromHierarchy(OSecurity oSecurity, ODocument oDocument) {
// I don't have to deny the Hierarchic role if the element belong to context
String writerRoleName = getSecurityRoleOrUserName(PermissionMode.WRITER, SecurityType.ROLE, false);
ORole writerRole = oSecurity.getRole(writerRoleName);
/*
* This check if the writerRole (not hierarchic) has the right to operate on the
* document. In such a case don't have to deny the hierarchy
*/
boolean allowed = allowed(writerRole, oDocument);
// If allowed not denying the hierarchy and continuing to parents
if(!allowed) {
deny(oSecurity, oDocument, true);
if(getParentSecurityContext() != null) {
getParentSecurityContext().removeElementFromHierarchy(oSecurity, oDocument);
}
}
}
public void create() throws ResourceRegistryException { public void create() throws ResourceRegistryException {
OrientGraph orientGraph = getAdminOrientGraph(); OrientGraph orientGraph = getAdminOrientGraph();
create(orientGraph); create(orientGraph);
@ -325,7 +360,19 @@ public class SecurityContext {
} }
protected ORole getSuperRole(OSecurity oSecurity, PermissionMode permissionMode) { protected ORole getSuperRole(OSecurity oSecurity, PermissionMode permissionMode) {
return oSecurity.getRole(permissionMode.name().toLowerCase()); String superRoleName = permissionMode.name().toLowerCase();
return oSecurity.getRole(superRoleName);
}
protected void addHierarchicRoleToParent(OSecurity oSecurity, PermissionMode permissionMode, ORole role) {
String userName = getSecurityRoleOrUserName(permissionMode, SecurityType.USER, true);
OUser user = oSecurity.getUser(userName);
user.addRole(role);
user.save();
if(getParentSecurityContext() != null) {
getParentSecurityContext().addHierarchicRoleToParent(oSecurity, permissionMode, role);
}
} }
protected void createRolesAndUsers(OSecurity oSecurity) { protected void createRolesAndUsers(OSecurity oSecurity) {
@ -346,6 +393,10 @@ public class SecurityContext {
role.save(); role.save();
logger.trace("{} created", role); logger.trace("{} created", role);
if(hierarchic && getParentSecurityContext() != null) {
getParentSecurityContext().addHierarchicRoleToParent(oSecurity, permissionMode, role);
}
String userName = getSecurityRoleOrUserName(permissionMode, SecurityType.USER, hierarchic); String userName = getSecurityRoleOrUserName(permissionMode, SecurityType.USER, hierarchic);
OUser user = oSecurity.createUser(userName, DatabaseEnvironment.DEFAULT_PASSWORDS.get(permissionMode), OUser user = oSecurity.createUser(userName, DatabaseEnvironment.DEFAULT_PASSWORDS.get(permissionMode),
role); role);
@ -353,11 +404,11 @@ public class SecurityContext {
logger.trace("{} created", user); logger.trace("{} created", user);
} }
} }
} }
public void create(OrientGraph orientGraph) { public void create(OrientGraph orientGraph) {
ODatabaseDocumentTx oDatabaseDocumentTx = getAdminODatabaseDocumentTx(orientGraph); OSecurity oSecurity = getOSecurity(orientGraph);
OSecurity oSecurity = getAdminOSecurity(oDatabaseDocumentTx);
createRolesAndUsers(oSecurity); createRolesAndUsers(oSecurity);
@ -392,6 +443,42 @@ public class SecurityContext {
orientGraph.shutdown(); orientGraph.shutdown();
} }
protected void removeChildrenHRolesFromParents(OSecurity oSecurity) {
Set<SecurityContext> parents = getAllParents();
Set<SecurityContext> allChildren = getAllChildren();
removeChildrenHRolesFromParents(oSecurity, parents, allChildren);
}
protected void removeChildrenHRolesFromParents(OSecurity oSecurity, Set<SecurityContext> parents, Set<SecurityContext> children) {
for(SecurityContext parent : parents) {
parent.removeChildrenHRolesFromMyHUsers(oSecurity, children);
}
}
protected void removeChildrenHRolesFromMyHUsers(OSecurity oSecurity, Set<SecurityContext> children) {
for(PermissionMode permissionMode : PermissionMode.values()) {
String userName = getSecurityRoleOrUserName(permissionMode, SecurityType.USER, true);
OUser user = oSecurity.getUser(userName);
for(SecurityContext child : children) {
String roleName = child.getSecurityRoleOrUserName(permissionMode, SecurityType.ROLE, true);
logger.debug("Going to remove {} from {}", roleName, userName);
boolean removed = user.removeRole(roleName);
logger.trace("{} {} removed from {}", roleName, removed ? "successfully" : "NOT", userName);
}
user.save();
}
}
protected void removeHierarchicRoleFromMyHUser(OSecurity oSecurity, PermissionMode permissionMode, String roleName) {
String userName = getSecurityRoleOrUserName(permissionMode, SecurityType.USER, true);
OUser user = oSecurity.getUser(userName);
logger.debug("Going to remove {} from {}", roleName, userName);
boolean removed = user.removeRole(roleName);
logger.trace("{} {} removed from {}", roleName, removed ? "successfully" : "NOT", userName);
user.save();
}
protected void deleteRolesAndUsers(OSecurity oSecurity) { protected void deleteRolesAndUsers(OSecurity oSecurity) {
boolean[] booleanArray; boolean[] booleanArray;
if(hierarchic) { if(hierarchic) {
@ -400,6 +487,9 @@ public class SecurityContext {
booleanArray = new boolean[] {false}; booleanArray = new boolean[] {false};
} }
for(boolean hierarchic : booleanArray) { for(boolean hierarchic : booleanArray) {
if(hierarchic) {
removeChildrenHRolesFromParents(oSecurity);
}
for(PermissionMode permissionMode : PermissionMode.values()) { for(PermissionMode permissionMode : PermissionMode.values()) {
for(SecurityType securityType : SecurityType.values()) { for(SecurityType securityType : SecurityType.values()) {
String name = getSecurityRoleOrUserName(permissionMode, securityType, hierarchic); String name = getSecurityRoleOrUserName(permissionMode, securityType, hierarchic);
@ -410,14 +500,14 @@ public class SecurityContext {
} }
public void delete(OrientGraph orientGraph) { public void delete(OrientGraph orientGraph) {
ODatabaseDocumentTx oDatabaseDocumentTx = getAdminODatabaseDocumentTx(orientGraph); OSecurity oSecurity = getOSecurity(orientGraph);
OSecurity oSecurity = getAdminOSecurity(oDatabaseDocumentTx);
logger.trace("Going to remove Security Context (roles and users) with UUID {}", context.toString()); logger.trace("Going to remove Security Context (roles and users) with UUID {}", context.toString());
deleteRolesAndUsers(oSecurity); deleteRolesAndUsers(oSecurity);
logger.trace("Security Context (roles and users) with UUID {} successfully removed", context.toString()); logger.trace("Security Context (roles and users) with UUID {} successfully removed", context.toString());
} }
public OrientGraph getGraph(PermissionMode permissionMode) { public OrientGraph getGraph(PermissionMode permissionMode) {

View File

@ -175,7 +175,7 @@ public class DatabaseEnvironment {
try { try {
boolean created = initGraphDB(); boolean created = initGraphDB();
ContextUtility contextUtility = ContextUtility.getInstace(); ContextUtility contextUtility = ContextUtility.getInstance();
AdminSecurityContext adminSecurityContext = new AdminSecurityContext(); AdminSecurityContext adminSecurityContext = new AdminSecurityContext();
contextUtility.addSecurityContext(adminSecurityContext.getUUID().toString(), adminSecurityContext); contextUtility.addSecurityContext(adminSecurityContext.getUUID().toString(), adminSecurityContext);

View File

@ -255,7 +255,7 @@ public abstract class ERManagement<ERType extends ER, El extends Element> {
} catch(ResourceRegistryException e) { } catch(ResourceRegistryException e) {
throw e; throw e;
} catch(Exception e) { } catch(Exception e) {
throw new ResourceRegistryException("Error Creating " + erType + " with " + jsonNode, e.getCause()); throw new ResourceRegistryException("Error Creating " + erType + " with " + jsonNode, e);
} }
} }
@ -273,7 +273,7 @@ public abstract class ERManagement<ERType extends ER, El extends Element> {
} catch(ResourceRegistryException e) { } catch(ResourceRegistryException e) {
throw e; throw e;
} catch(Exception e) { } catch(Exception e) {
throw new ResourceRegistryException("Error Updating " + erType + " with " + jsonNode, e.getCause()); throw new ResourceRegistryException("Error Updating " + erType + " with " + jsonNode, e);
} }
} }
@ -438,6 +438,8 @@ public abstract class ERManagement<ERType extends ER, El extends Element> {
try { try {
orientGraph = getWorkingContext().getGraph(PermissionMode.WRITER); orientGraph = getWorkingContext().getGraph(PermissionMode.WRITER);
orientGraph.setAutoStartTx(false);
orientGraph.begin();
element = internalCreate(); element = internalCreate();
@ -489,6 +491,8 @@ public abstract class ERManagement<ERType extends ER, El extends Element> {
public String update() throws ERNotFoundException, ERAvailableInAnotherContextException, ResourceRegistryException { public String update() throws ERNotFoundException, ERAvailableInAnotherContextException, ResourceRegistryException {
try { try {
orientGraph = getWorkingContext().getGraph(PermissionMode.WRITER); orientGraph = getWorkingContext().getGraph(PermissionMode.WRITER);
orientGraph.setAutoStartTx(false);
orientGraph.begin();
element = internalUpdate(); element = internalUpdate();
@ -526,6 +530,8 @@ public abstract class ERManagement<ERType extends ER, El extends Element> {
try { try {
orientGraph = ContextUtility.getAdminSecurityContext().getGraph(PermissionMode.WRITER); orientGraph = ContextUtility.getAdminSecurityContext().getGraph(PermissionMode.WRITER);
orientGraph.setAutoStartTx(false);
orientGraph.begin();
boolean deleted = reallyDelete(); boolean deleted = reallyDelete();
@ -564,6 +570,8 @@ public abstract class ERManagement<ERType extends ER, El extends Element> {
try { try {
orientGraph = ContextUtility.getAdminSecurityContext().getGraph(PermissionMode.WRITER); orientGraph = ContextUtility.getAdminSecurityContext().getGraph(PermissionMode.WRITER);
orientGraph.setAutoStartTx(false);
orientGraph.begin();
boolean added = internalAddToContext(); boolean added = internalAddToContext();
@ -596,6 +604,8 @@ public abstract class ERManagement<ERType extends ER, El extends Element> {
try { try {
orientGraph = ContextUtility.getAdminSecurityContext().getGraph(PermissionMode.WRITER); orientGraph = ContextUtility.getAdminSecurityContext().getGraph(PermissionMode.WRITER);
orientGraph.setAutoStartTx(false);
orientGraph.begin();
boolean removed = internalRemoveFromContext(); boolean removed = internalRemoveFromContext();

View File

@ -90,16 +90,21 @@ public class ContextManagementTest extends ScopedTest {
} }
protected void roleUserAssertions(UUID uuid, boolean deleted) throws ResourceRegistryException { protected void roleUserAssertions(UUID uuid, UUID oldParentUUID, boolean deleted) throws ResourceRegistryException {
ContextSecurityContext contextSecurityContext = new ContextSecurityContext(); ContextSecurityContext contextSecurityContext = new ContextSecurityContext();
ContextUtility.getInstace().addSecurityContext(contextSecurityContext.getUUID().toString(), ContextUtility.getInstance().addSecurityContext(contextSecurityContext.getUUID().toString(),
contextSecurityContext); contextSecurityContext);
OrientGraph orientGraph = contextSecurityContext.getGraph(PermissionMode.READER); OrientGraph orientGraph = contextSecurityContext.getGraph(PermissionMode.READER);
ODatabaseDocumentTx oDatabaseDocumentTx = orientGraph.getRawGraph(); ODatabaseDocumentTx oDatabaseDocumentTx = orientGraph.getRawGraph();
OSecurity oSecurity = oDatabaseDocumentTx.getMetadata().getSecurity(); OSecurity oSecurity = oDatabaseDocumentTx.getMetadata().getSecurity();
SecurityContext securityContext = new SecurityContext(uuid); SecurityContext securityContext = null;
if(deleted) {
securityContext = new SecurityContext(uuid);
} else {
securityContext = ContextUtility.getInstance().getSecurityContextByUUID(uuid);
}
boolean[] booleanArray = new boolean[] { false, true }; boolean[] booleanArray = new boolean[] { false, true };
for (boolean hierarchic : booleanArray) { for (boolean hierarchic : booleanArray) {
@ -111,7 +116,27 @@ public class ContextManagementTest extends ScopedTest {
String user = securityContext.getSecurityRoleOrUserName(permissionMode, SecurityType.USER, hierarchic); String user = securityContext.getSecurityRoleOrUserName(permissionMode, SecurityType.USER, hierarchic);
OUser oUser = oSecurity.getUser(user); OUser oUser = oSecurity.getUser(user);
Assert.assertEquals(oUser == null, deleted); Assert.assertEquals(oUser == null, deleted);
if(oUser!=null) {
Assert.assertTrue(oUser.hasRole(oRole.getName(), false));
}
if(hierarchic) {
SecurityContext parent = null;
if(deleted){
if(oldParentUUID!=null) {
parent = ContextUtility.getInstance().getSecurityContextByUUID(oldParentUUID);
}
}
parent = securityContext.getParentSecurityContext();
while(parent!=null) {
String parentUser = parent.getSecurityRoleOrUserName(permissionMode, SecurityType.USER, hierarchic);
OUser parentOUser = oSecurity.getUser(parentUser);
Assert.assertTrue(parentOUser != null);
Assert.assertEquals(parentOUser.hasRole(oRole.getName(), false), !deleted);
parent = parent.getParentSecurityContext();
}
}
} }
} }
} }
@ -121,7 +146,7 @@ public class ContextManagementTest extends ScopedTest {
contextManagement.setUUID(uuid); contextManagement.setUUID(uuid);
String contextString = contextManagement.read(); String contextString = contextManagement.read();
logger.debug("Read {}", contextString); logger.debug("Read {}", contextString);
roleUserAssertions(uuid, false); roleUserAssertions(uuid, null, false);
return ISMapper.unmarshal(Context.class, contextString); return ISMapper.unmarshal(Context.class, contextString);
} }
@ -132,7 +157,7 @@ public class ContextManagementTest extends ScopedTest {
logger.debug("Created {}", contextString); logger.debug("Created {}", contextString);
Context c = ISMapper.unmarshal(Context.class, contextString); Context c = ISMapper.unmarshal(Context.class, contextString);
assertions(context, c, true, true); assertions(context, c, true, true);
roleUserAssertions(c.getHeader().getUUID(), false); roleUserAssertions(c.getHeader().getUUID(), null, false);
return c; return c;
} }
@ -143,16 +168,24 @@ public class ContextManagementTest extends ScopedTest {
logger.debug("Updated {}", contextString); logger.debug("Updated {}", contextString);
Context c = ISMapper.unmarshal(Context.class, contextString); Context c = ISMapper.unmarshal(Context.class, contextString);
assertions(context, c, true, false); assertions(context, c, true, false);
roleUserAssertions(c.getHeader().getUUID(), false); roleUserAssertions(c.getHeader().getUUID(), null, false);
return c; return c;
} }
protected boolean delete(UUID uuid) throws ResourceRegistryException { protected boolean delete(UUID uuid) throws ResourceRegistryException {
ContextManagement contextManagement = new ContextManagement(); ContextManagement contextManagement = new ContextManagement();
contextManagement.setUUID(uuid); contextManagement.setUUID(uuid);
SecurityContext securityContext = ContextUtility.getInstance().getSecurityContextByUUID(uuid);
UUID oldParentUUID = null;
if(securityContext.getParentSecurityContext()!=null) {
oldParentUUID = securityContext.getParentSecurityContext().getUUID();
}
boolean deleted = contextManagement.delete(); boolean deleted = contextManagement.delete();
Assert.assertTrue(deleted); Assert.assertTrue(deleted);
roleUserAssertions(uuid, true); roleUserAssertions(uuid, oldParentUUID, true);
logger.debug("Deleted {} with UUID {}", Context.NAME, uuid); logger.debug("Deleted {} with UUID {}", Context.NAME, uuid);
return deleted; return deleted;
} }
@ -188,7 +221,7 @@ public class ContextManagementTest extends ScopedTest {
logger.debug("As expected {} cannot be deleted.", contextString); logger.debug("As expected {} cannot be deleted.", contextString);
} }
} }
@Test @Test
public void completeTest() throws Exception { public void completeTest() throws Exception {
Context contextA1 = new ContextImpl(CTX_NAME_A); Context contextA1 = new ContextImpl(CTX_NAME_A);
@ -335,6 +368,44 @@ public class ContextManagementTest extends ScopedTest {
// ________A1________ // ________A1________
// ___A2_______B4____ // ___A2_______B4____
// B3______________A5 // B3______________A5
/*
// This updates (move) has been made to test HRoles and HUsers
contextA2.setParent(contextA5);
update(contextA2);
// __A1______________
// _____B4___________
// ________A5________
// ___________A2_____
// ______________B3__
contextA5.setParent(contextA1);
update(contextA5);
// _________A1________
// ______A5_____B4____
// ___A2______________
// B3_________________
contextA5.setParent(contextB4);
update(contextA5);
// __A1______________
// _____B4___________
// ________A5________
// ___________A2_____
// ______________B3__
contextA2.setParent(contextA1);
update(contextA2);
// ________A1________
// ___A2_______B4____
// B3______________A5
*/
// The following delete are not allowed because they are not child contexts // The following delete are not allowed because they are not child contexts
invalidDelete(contextA1); invalidDelete(contextA1);
@ -371,13 +442,34 @@ public class ContextManagementTest extends ScopedTest {
delete(contextA1); delete(contextA1);
logger.debug("The DB should be now clean"); logger.debug("The DB should be now clean");
} }
private List<Context> getAll() throws Exception{
ContextManagement contextManagement = new ContextManagement();
String allString = contextManagement.all(false);
logger.trace(allString);
List<Context> all = ISMapper.unmarshalList(Context.class, allString);
return all;
}
// @Test
public void deleteAll() throws Exception {
List<Context> all = getAll();
while(all.size()>0) {
for (Context context : all) {
logger.trace(ISMapper.marshal(context));
List<IsParentOf<Context, Context>> children = context.getChildren();
if(children==null || children.size()==0) {
// delete(context);
}
}
// all = getAll();
}
}
@Test @Test
public void testGetAll() throws Exception { public void testGetAll() throws Exception {
ContextManagement contextManagement = new ContextManagement(); List<Context> contexts = getAll();
String all = contextManagement.all(false);
logger.trace(all);
List<Context> contexts = ISMapper.unmarshalList(Context.class, all);
for (Context context : contexts) { for (Context context : contexts) {
logger.trace(ISMapper.marshal(context)); logger.trace(ISMapper.marshal(context));
List<IsParentOf<Context, Context>> children = context.getChildren(); List<IsParentOf<Context, Context>> children = context.getChildren();
@ -386,10 +478,17 @@ public class ContextManagementTest extends ScopedTest {
Context childContext = child.getTarget(); Context childContext = child.getTarget();
Assert.assertTrue(childContext.getParent().getSource() == context); Assert.assertTrue(childContext.getParent().getSource() == context);
} }
roleUserAssertions(context.getHeader().getUUID(), false); roleUserAssertions(context.getHeader().getUUID(), null, false);
} }
} }
// @Test
public void readContext() throws ResourceRegistryException, IOException {
Context context = read(UUID.fromString(""));
logger.debug("{}", context);
}
// @Test // @Test
public void deleteContext() throws ResourceRegistryException, IOException { public void deleteContext() throws ResourceRegistryException, IOException {
Context context = read(UUID.fromString("")); Context context = read(UUID.fromString(""));
@ -408,7 +507,7 @@ public class ContextManagementTest extends ScopedTest {
Context devVRE = new ContextImpl("devVRE"); Context devVRE = new ContextImpl("devVRE");
devVRE.setParent(devsec); devVRE.setParent(devsec);
devVRE = create(devVRE); devVRE = create(devVRE);
Context devNext = new ContextImpl("devNext"); Context devNext = new ContextImpl("devNext");
devNext.setParent(gcube); devNext.setParent(gcube);
devNext = create(devNext); devNext = create(devNext);