Adding the concept of allowed roles for some operations

src/main/java/org/gcube/informationsystem/resourceregistry/contexts/ContextUtility.java

@@ -5,6 +5,7 @@ import java.util.Map;
 import java.util.NoSuchElementException;
 import java.util.UUID;
 
+import org.gcube.common.authorization.utils.manager.SecretManager;
 import org.gcube.common.authorization.utils.manager.SecretManagerProvider;
 import org.gcube.common.scope.impl.ScopeBean;
 import org.gcube.informationsystem.contexts.reference.entities.Context;
@@ -62,6 +63,11 @@ public class ContextUtility {
 		return ContextUtility.getInstance().getSecurityContextByFullName(fullName);
 	}
 	
+	public static String getCurrentUserUsername() {
+		SecretManager sm = SecretManagerProvider.instance.get();
+		return sm.getUser().getUsername();
+	}
+	
 	public static AdminSecurityContext getAdminSecurityContext() throws ResourceRegistryException {
 		AdminSecurityContext adminSecurityContext = AdminSecurityContext.getInstance();
 		return adminSecurityContext;

src/main/java/org/gcube/informationsystem/resourceregistry/contexts/entities/ContextManagement.java

@@ -442,10 +442,13 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
 		SecurityContext thisSecurityContext = ContextUtility.getInstance().getSecurityContextByUUID(uuid);
 		thisSecurityContext.changeParentSecurityContext(newParentSecurityContext, oDatabaseDocument);
 	}
-
 	
 	@Override
 	protected void reallyDelete() throws NotFoundException, ResourceRegistryException {
+		if(workingContext.isUserAllowed()) {
+			throw new ForbiddenException("You are not allowed to delete the Contexts. Allowed roles are " + workingContext.getAllowedRoles()); 
+		}
+		
 		Iterable<OEdge> iterable = getElement().getEdges(ODirection.OUT);
 		Iterator<OEdge> iterator = iterable.iterator();
 		while (iterator.hasNext()) {
@@ -585,10 +588,10 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
 	
 	@Override
 	public String createOrUpdate() throws NotFoundException, AvailableInAnotherContextException, ResourceRegistryException {
-		if(isUserAllowed()) {
+		if(workingContext.isUserAllowed()) {
 			return super.createOrUpdate();
 		}
-		throw new ForbiddenException("You are not allowed to manipulate Contexts. Allowed roles are " + allowedRoles);
+		throw new ForbiddenException("You are not allowed to manipulate Contexts. Allowed roles are " + workingContext.getAllowedRoles());
 	}
 
 	@Override

src/main/java/org/gcube/informationsystem/resourceregistry/contexts/security/SecurityContext.java

@@ -4,6 +4,7 @@
 package org.gcube.informationsystem.resourceregistry.contexts.security;
 
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
@@ -11,6 +12,9 @@ import java.util.Map;
 import java.util.Set;
 import java.util.UUID;
 
+import org.gcube.common.authorization.utils.manager.SecretManager;
+import org.gcube.common.authorization.utils.manager.SecretManagerProvider;
+import org.gcube.common.authorization.utils.user.User;
 import org.gcube.informationsystem.contexts.reference.entities.Context;
 import org.gcube.informationsystem.resourceregistry.api.exceptions.ResourceRegistryException;
 import org.gcube.informationsystem.resourceregistry.contexts.ContextUtility;
@@ -90,6 +94,51 @@ public class SecurityContext {
 	
 	protected Set<SecurityContext> children;
 	
+	/**
+	 * Roles allowed to operate on the security context
+	 */
+	protected Set<String> allowedRoles;
+
+	public final static String CONTEXT_MANAGER = "Context-Manager";
+	public final static String INFRASTRUCTURE_MANAGER = "Infrastructure-Manager";
+	public final static String IS_MANAGER = "IS-Manager";
+	
+	protected SecurityContext(UUID context, boolean hierarchical) throws ResourceRegistryException {
+		this.context = context;
+		this.poolMap = new HashMap<>();
+		this.allowedRoles = new HashSet<>();
+		this.allowedRoles.add(INFRASTRUCTURE_MANAGER);
+		this.allowedRoles.add(IS_MANAGER);
+		/*
+		 * Only Infrastructure-Manager and IS-Manager
+		 * are entitled to use hierarchical mode.
+		 * I decide not complains for that instead
+		 * assume the hierarchical was not requested
+		 */
+		if(hierarchical && !isUserAllowed()) {
+			StringBuffer sb = new StringBuffer();
+			sb.append("The user ");
+			sb.append(ContextUtility.getCurrentUserUsername());
+			sb.append(" requested hierarchical mode but he/she does not have one of the fllowing roles ");
+			sb.append(allowedRoles.toString());
+			sb.append(". Instead of complaining, the request will be elaborated not in hierarchical mode.");
+			logger.warn(sb.toString());
+		}
+		this.hierarchical = hierarchical && isUserAllowed();
+		
+		this.children = new HashSet<>(); 
+
+		
+	}
+	
+	public SecurityContext(UUID context) throws ResourceRegistryException {
+		this(context, true);
+	}
+	
+	public Set<String> getAllowedRoles() {
+		return allowedRoles;
+	}
+	
 	protected boolean isHierarchicalMode() {
 		return hierarchical || RequestUtility.getRequestInfo().get().isHierarchicalMode();
 	}
@@ -206,17 +255,6 @@ public class SecurityContext {
 		
 	}
 	
-	protected SecurityContext(UUID context, boolean hierarchical) throws ResourceRegistryException {
-		this.context = context;
-		this.poolMap = new HashMap<>();
-		this.hierarchical = hierarchical;
-		this.children = new HashSet<>(); 
-	}
-	
-	public SecurityContext(UUID context) throws ResourceRegistryException {
-		this(context, true);
-	}
-	
 	private synchronized ODatabasePool getPool(PermissionMode permissionMode, boolean recreate) {
 		ODatabasePool pool = null;
 		
@@ -270,7 +308,6 @@ public class SecurityContext {
 		return stringBuilder.toString();
 	}
 	
-	
 	public String getSecurityRoleOrUserName(PermissionMode permissionMode, SecurityType securityType,
 			boolean hierarchic) {
 		StringBuilder stringBuilder = new StringBuilder();
@@ -440,6 +477,33 @@ public class SecurityContext {
 		
 	}
 	
+	public boolean isUserAllowed() {
+		boolean allowed = false;
+		SecretManager secretManager = SecretManagerProvider.instance.get();
+		User user = secretManager.getUser();
+		Collection<String> roles = new HashSet<>(user.getRoles());
+		roles.retainAll(this.allowedRoles);
+		if(roles.size()>0) {
+			allowed = true;
+		}
+		
+		
+		/*
+		 * The Context-Manager is allowed to operate in a context
+		 * only if he is the Context-Manager of the context
+		 */
+		
+		// TODO in subclass
+		
+		/*
+		 * The Context-Manager is allowed to delete a context
+		 * only if he is the Context-Manager of the parent context
+		 * (so the request must arrive from the parent context).
+		 */
+		
+		return allowed;
+	}
+	
 	public void create() throws ResourceRegistryException {
 		ODatabaseDocument current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
 		ODatabaseDocument adminDatabaseDocument = null;

src/main/java/org/gcube/informationsystem/resourceregistry/instances/base/ElementManagement.java

@@ -159,15 +159,7 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 	 */
 	protected final Map<UUID,JsonNode> affectedInstances;
 	
-	/**
-	 * Roles allowed to operate on Context and
-	 * on instances when the context is not active
-	 */
-	protected Set<String> allowedRoles;
 	
-	protected final static String CONTEXT_MANAGER = "Context-Manager";
-	protected final static String INFRASTRUCTURE_MANAGER = "Infrastructure-Manager";
-	protected final static String IS_MANAGER = "IS-Manager";
 	
 	protected ElementManagement(AccessType accessType) {
 		this.accessType = accessType;
@@ -200,10 +192,6 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 		this.forceIncludeMeta = false;
 		this.forceIncludeAllMeta = false;
 		
-		this.allowedRoles = new HashSet<>();
-		this.allowedRoles.add(CONTEXT_MANAGER);
-		this.allowedRoles.add(INFRASTRUCTURE_MANAGER);
-		this.allowedRoles.add(IS_MANAGER);
 	}
 
 	public boolean isForceIncludeMeta() {
@@ -268,25 +256,13 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 	
 	protected SecurityContext workingContext;
 	
-	public boolean isUserAllowed() {
-		boolean allowed = false;
-		SecretManager secretManager = SecretManagerProvider.instance.get();
-		User user = secretManager.getUser();
-		Collection<String> roles = new HashSet<>(user.getRoles());
-		roles.retainAll(this.allowedRoles);
-		if(roles.size()>0) {
-			allowed = true;
-		}
-		return allowed;
-	}
-	
 	protected SecurityContext getWorkingContext() throws ResourceRegistryException {
 		if(workingContext == null) {
 			workingContext = ContextUtility.getCurrentSecurityContext();
 			Context context = ServerContextCache.getInstance().getContextByUUID(workingContext.getUUID());
 			if(context.getState().compareTo(ContextState.ACTIVE.getState())!=0) {
-				if(!isUserAllowed()) {
-					throw new ForbiddenException("You are not allowed to manipulate Contexts. Allowed roles are " + allowedRoles);
+				if(!workingContext.isUserAllowed()) {
+					throw new ForbiddenException("You are not allowed to operate in non " + ContextState.ACTIVE.getState() + " Contexts. Allowed roles are " + workingContext.getAllowedRoles());
 				}
 			}
 		}
@@ -1270,7 +1246,10 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 		SecretManager secretManager = SecretManagerProvider.instance.get();
 		User user = secretManager.getUser();
 		Collection<String> roles = new HashSet<>(user.getRoles());
-		roles.retainAll(this.allowedRoles);
+		if(roles.contains(SecurityContext.CONTEXT_MANAGER)) {
+			return true;
+		}
+		roles.retainAll(workingContext.getAllowedRoles());
 		if(roles.size()>0) {
 			allowed = true;
 		}