Adding the concept of allowed roles for some operations

This commit is contained in:
Luca Frosini 2024-07-10 17:59:14 +02:00
parent bf09efc8fd
commit 48f7b1a73b
4 changed files with 94 additions and 42 deletions

View File

@ -5,6 +5,7 @@ import java.util.Map;
import java.util.NoSuchElementException;
import java.util.UUID;
import org.gcube.common.authorization.utils.manager.SecretManager;
import org.gcube.common.authorization.utils.manager.SecretManagerProvider;
import org.gcube.common.scope.impl.ScopeBean;
import org.gcube.informationsystem.contexts.reference.entities.Context;
@ -62,6 +63,11 @@ public class ContextUtility {
return ContextUtility.getInstance().getSecurityContextByFullName(fullName);
}
public static String getCurrentUserUsername() {
SecretManager sm = SecretManagerProvider.instance.get();
return sm.getUser().getUsername();
}
public static AdminSecurityContext getAdminSecurityContext() throws ResourceRegistryException {
AdminSecurityContext adminSecurityContext = AdminSecurityContext.getInstance();
return adminSecurityContext;

View File

@ -443,9 +443,12 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
thisSecurityContext.changeParentSecurityContext(newParentSecurityContext, oDatabaseDocument);
}
@Override
protected void reallyDelete() throws NotFoundException, ResourceRegistryException {
if(workingContext.isUserAllowed()) {
throw new ForbiddenException("You are not allowed to delete the Contexts. Allowed roles are " + workingContext.getAllowedRoles());
}
Iterable<OEdge> iterable = getElement().getEdges(ODirection.OUT);
Iterator<OEdge> iterator = iterable.iterator();
while (iterator.hasNext()) {
@ -585,10 +588,10 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
@Override
public String createOrUpdate() throws NotFoundException, AvailableInAnotherContextException, ResourceRegistryException {
if(isUserAllowed()) {
if(workingContext.isUserAllowed()) {
return super.createOrUpdate();
}
throw new ForbiddenException("You are not allowed to manipulate Contexts. Allowed roles are " + allowedRoles);
throw new ForbiddenException("You are not allowed to manipulate Contexts. Allowed roles are " + workingContext.getAllowedRoles());
}
@Override

View File

@ -4,6 +4,7 @@
package org.gcube.informationsystem.resourceregistry.contexts.security;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
@ -11,6 +12,9 @@ import java.util.Map;
import java.util.Set;
import java.util.UUID;
import org.gcube.common.authorization.utils.manager.SecretManager;
import org.gcube.common.authorization.utils.manager.SecretManagerProvider;
import org.gcube.common.authorization.utils.user.User;
import org.gcube.informationsystem.contexts.reference.entities.Context;
import org.gcube.informationsystem.resourceregistry.api.exceptions.ResourceRegistryException;
import org.gcube.informationsystem.resourceregistry.contexts.ContextUtility;
@ -90,6 +94,51 @@ public class SecurityContext {
protected Set<SecurityContext> children;
/**
* Roles allowed to operate on the security context
*/
protected Set<String> allowedRoles;
public final static String CONTEXT_MANAGER = "Context-Manager";
public final static String INFRASTRUCTURE_MANAGER = "Infrastructure-Manager";
public final static String IS_MANAGER = "IS-Manager";
protected SecurityContext(UUID context, boolean hierarchical) throws ResourceRegistryException {
this.context = context;
this.poolMap = new HashMap<>();
this.allowedRoles = new HashSet<>();
this.allowedRoles.add(INFRASTRUCTURE_MANAGER);
this.allowedRoles.add(IS_MANAGER);
/*
* Only Infrastructure-Manager and IS-Manager
* are entitled to use hierarchical mode.
* I decide not complains for that instead
* assume the hierarchical was not requested
*/
if(hierarchical && !isUserAllowed()) {
StringBuffer sb = new StringBuffer();
sb.append("The user ");
sb.append(ContextUtility.getCurrentUserUsername());
sb.append(" requested hierarchical mode but he/she does not have one of the fllowing roles ");
sb.append(allowedRoles.toString());
sb.append(". Instead of complaining, the request will be elaborated not in hierarchical mode.");
logger.warn(sb.toString());
}
this.hierarchical = hierarchical && isUserAllowed();
this.children = new HashSet<>();
}
public SecurityContext(UUID context) throws ResourceRegistryException {
this(context, true);
}
public Set<String> getAllowedRoles() {
return allowedRoles;
}
protected boolean isHierarchicalMode() {
return hierarchical || RequestUtility.getRequestInfo().get().isHierarchicalMode();
}
@ -206,17 +255,6 @@ public class SecurityContext {
}
protected SecurityContext(UUID context, boolean hierarchical) throws ResourceRegistryException {
this.context = context;
this.poolMap = new HashMap<>();
this.hierarchical = hierarchical;
this.children = new HashSet<>();
}
public SecurityContext(UUID context) throws ResourceRegistryException {
this(context, true);
}
private synchronized ODatabasePool getPool(PermissionMode permissionMode, boolean recreate) {
ODatabasePool pool = null;
@ -270,7 +308,6 @@ public class SecurityContext {
return stringBuilder.toString();
}
public String getSecurityRoleOrUserName(PermissionMode permissionMode, SecurityType securityType,
boolean hierarchic) {
StringBuilder stringBuilder = new StringBuilder();
@ -440,6 +477,33 @@ public class SecurityContext {
}
public boolean isUserAllowed() {
boolean allowed = false;
SecretManager secretManager = SecretManagerProvider.instance.get();
User user = secretManager.getUser();
Collection<String> roles = new HashSet<>(user.getRoles());
roles.retainAll(this.allowedRoles);
if(roles.size()>0) {
allowed = true;
}
/*
* The Context-Manager is allowed to operate in a context
* only if he is the Context-Manager of the context
*/
// TODO in subclass
/*
* The Context-Manager is allowed to delete a context
* only if he is the Context-Manager of the parent context
* (so the request must arrive from the parent context).
*/
return allowed;
}
public void create() throws ResourceRegistryException {
ODatabaseDocument current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
ODatabaseDocument adminDatabaseDocument = null;

View File

@ -159,15 +159,7 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
*/
protected final Map<UUID,JsonNode> affectedInstances;
/**
* Roles allowed to operate on Context and
* on instances when the context is not active
*/
protected Set<String> allowedRoles;
protected final static String CONTEXT_MANAGER = "Context-Manager";
protected final static String INFRASTRUCTURE_MANAGER = "Infrastructure-Manager";
protected final static String IS_MANAGER = "IS-Manager";
protected ElementManagement(AccessType accessType) {
this.accessType = accessType;
@ -200,10 +192,6 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
this.forceIncludeMeta = false;
this.forceIncludeAllMeta = false;
this.allowedRoles = new HashSet<>();
this.allowedRoles.add(CONTEXT_MANAGER);
this.allowedRoles.add(INFRASTRUCTURE_MANAGER);
this.allowedRoles.add(IS_MANAGER);
}
public boolean isForceIncludeMeta() {
@ -268,25 +256,13 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
protected SecurityContext workingContext;
public boolean isUserAllowed() {
boolean allowed = false;
SecretManager secretManager = SecretManagerProvider.instance.get();
User user = secretManager.getUser();
Collection<String> roles = new HashSet<>(user.getRoles());
roles.retainAll(this.allowedRoles);
if(roles.size()>0) {
allowed = true;
}
return allowed;
}
protected SecurityContext getWorkingContext() throws ResourceRegistryException {
if(workingContext == null) {
workingContext = ContextUtility.getCurrentSecurityContext();
Context context = ServerContextCache.getInstance().getContextByUUID(workingContext.getUUID());
if(context.getState().compareTo(ContextState.ACTIVE.getState())!=0) {
if(!isUserAllowed()) {
throw new ForbiddenException("You are not allowed to manipulate Contexts. Allowed roles are " + allowedRoles);
if(!workingContext.isUserAllowed()) {
throw new ForbiddenException("You are not allowed to operate in non " + ContextState.ACTIVE.getState() + " Contexts. Allowed roles are " + workingContext.getAllowedRoles());
}
}
}
@ -1270,7 +1246,10 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
SecretManager secretManager = SecretManagerProvider.instance.get();
User user = secretManager.getUser();
Collection<String> roles = new HashSet<>(user.getRoles());
roles.retainAll(this.allowedRoles);
if(roles.contains(SecurityContext.CONTEXT_MANAGER)) {
return true;
}
roles.retainAll(workingContext.getAllowedRoles());
if(roles.size()>0) {
allowed = true;
}