From e29a78cd2db238ee32a2d1316c9456916c384c62 Mon Sep 17 00:00:00 2001
From: Luca Frosini <luca.frosini@isti.cnr.it>
Date: Thu, 31 Oct 2024 17:26:34 +0100
Subject: [PATCH] revising role operation checks

---
 .../base/ElementManagement.java               | 14 ++--
 .../contexts/entities/ContextManagement.java  | 62 +++++++-------
 .../environments/Environment.java             | 84 ++++++++-----------
 3 files changed, 70 insertions(+), 90 deletions(-)

diff --git a/src/main/java/org/gcube/informationsystem/resourceregistry/base/ElementManagement.java b/src/main/java/org/gcube/informationsystem/resourceregistry/base/ElementManagement.java
index 523cb3f..9f9b816 100644
--- a/src/main/java/org/gcube/informationsystem/resourceregistry/base/ElementManagement.java
+++ b/src/main/java/org/gcube/informationsystem/resourceregistry/base/ElementManagement.java
@@ -744,12 +744,12 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 			setOperation(Operation.UPDATE);
 			try {
 				getElement();
-				environment.isUserAllowed(operation);
+				// TODO environment.isUserAllowed(operation);
 				update = true;
 				internalUpdate();
 			} catch(NotFoundException e) {
 				setOperation(Operation.CREATE);
-				environment.isUserAllowed(operation);
+				// TODO environment.isUserAllowed(operation);
 				String calledMethod = CalledMethodProvider.instance.get();
 				calledMethod = calledMethod.replace("update", "create");
 				CalledMethodProvider.instance.set(calledMethod);
@@ -794,7 +794,7 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 		ODatabaseDocument current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
 		try {
 			Environment environment = getWorkingEnvironment();
-			environment.isUserAllowed(Operation.CREATE);
+			// TODO environment.isUserAllowed(Operation.CREATE);
 			oDatabaseDocument = environment.getDatabaseDocument(PermissionMode.WRITER);
 			oDatabaseDocument.begin();
 			setAsEntryPoint();
@@ -836,7 +836,7 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 		try {
 			Environment environment = getWorkingEnvironment();
 			setOperation(Operation.READ);
-			environment.isUserAllowed(operation);
+			// TODO environment.isUserAllowed(operation);
 			oDatabaseDocument = environment.getDatabaseDocument(PermissionMode.READER);
 			
 			setAsEntryPoint();
@@ -865,7 +865,7 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 		ODatabaseDocument current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
 		try {
 			Environment environment = getWorkingEnvironment();
-			environment.isUserAllowed(Operation.UPDATE);
+			// TODO environment.isUserAllowed(Operation.UPDATE);
 			oDatabaseDocument = environment.getDatabaseDocument(PermissionMode.WRITER);
 			oDatabaseDocument.begin();
 			
@@ -909,7 +909,7 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 		try {
 			Environment environment = getWorkingEnvironment();
 			setOperation(Operation.DELETE);
-			environment.isUserAllowed(operation);
+			// TODO environment.isUserAllowed(operation);
 			oDatabaseDocument = environment.getDatabaseDocument(PermissionMode.WRITER);
 			oDatabaseDocument.begin();
 			setAsEntryPoint();
@@ -952,7 +952,7 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
 		try {
 			AdminEnvironment adminEnvironment = AdminEnvironment.getInstance();
 			setOperation(Operation.GET_METADATA);
-			adminEnvironment.isUserAllowed(operation);
+			// TODO adminEnvironment.isUserAllowed(operation);
 			oDatabaseDocument = adminEnvironment.getDatabaseDocument(PermissionMode.READER);
 			
 			setAsEntryPoint();
diff --git a/src/main/java/org/gcube/informationsystem/resourceregistry/contexts/entities/ContextManagement.java b/src/main/java/org/gcube/informationsystem/resourceregistry/contexts/entities/ContextManagement.java
index 6e848b2..45b5ffa 100644
--- a/src/main/java/org/gcube/informationsystem/resourceregistry/contexts/entities/ContextManagement.java
+++ b/src/main/java/org/gcube/informationsystem/resourceregistry/contexts/entities/ContextManagement.java
@@ -8,7 +8,6 @@ import java.util.Map;
 import java.util.Set;
 import java.util.UUID;
 
-import javax.ws.rs.ForbiddenException;
 import javax.ws.rs.NotAuthorizedException;
 
 import org.gcube.com.fasterxml.jackson.core.JsonProcessingException;
@@ -38,7 +37,6 @@ import org.gcube.informationsystem.resourceregistry.contexts.relations.IsParentO
 import org.gcube.informationsystem.resourceregistry.environments.Environment;
 import org.gcube.informationsystem.resourceregistry.environments.contexts.ContextEnvironment;
 import org.gcube.informationsystem.resourceregistry.environments.instances.InstanceEnvironment;
-import org.gcube.informationsystem.resourceregistry.instances.model.Operation;
 import org.gcube.informationsystem.resourceregistry.queries.operators.ComparisonOperator;
 import org.gcube.informationsystem.resourceregistry.queries.operators.LogicalOperator;
 import org.gcube.informationsystem.resourceregistry.rest.requests.RequestUtility;
@@ -249,27 +247,6 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
 		return context;
 	}
 
-//	public boolean isUserAllowed() {
-//		switch (operation) {
-//			case CREATE:
-//				break;
-//				
-//			case UPDATE:
-//				break;
-//				
-//			case DELETE:
-//				break;
-//				
-//			default:
-//				break;
-//		}
-//		
-//		return true;
-//	}
-
-
-
-	
 	/*
 	 * The Context-Manager is allowed to delete a context
 	 * only if he is the Context-Manager of the parent context
@@ -375,6 +352,8 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
 	@Override
 	protected OVertex reallyUpdate() throws NotFoundException, ResourceRegistryException {
 
+		// TODO Add role check
+		
 		boolean parentChanged = false;
 		boolean nameChanged = false;
 
@@ -495,8 +474,27 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
 	@Override
 	protected void reallyDelete() throws NotFoundException, ResourceRegistryException {
 		
-		if(workingEnvironment.isUserAllowed(Operation.CREATE)) {
-			throw new ForbiddenException("You are not allowed to delete the Contexts. Allowed roles are " + Environment.getAllOperationsAllowedRoles()); 
+		InstanceEnvironment requestEnvironment = ContextUtility.getCurrentRequestEnvironment();
+		InstanceEnvironment	parentInstanceEnvironment = (InstanceEnvironment) requestEnvironment.getParentEnvironment();
+		
+		if(parentInstanceEnvironment==null) {
+			// We are trying to delete the root
+			Set<String> allowedRoles = Environment.getAllOperationsAllowedRoles();
+			if(!requestEnvironment.isUserAllowed(allowedRoles)) {
+				throw new NotAuthorizedException("Only user with one of the following roles " + allowedRoles + " can delete the root Context.");
+			}
+		}else {
+			if(uuid.compareTo(parentInstanceEnvironment.getUUID())==0) {
+				Set<String> allowedRoles = requestEnvironment.getAllowedRoles();
+				if(!parentInstanceEnvironment.isUserAllowed(allowedRoles)) {
+					throw new NotAuthorizedException("Only user with one of the following roles " + allowedRoles + " can delete a child Context.");
+				}
+			}else {
+				Set<String> allowedRoles = Environment.getAllOperationsAllowedRoles();
+				if(!requestEnvironment.isUserAllowed(allowedRoles)) {
+					throw new NotAuthorizedException("Only user with one of the following roles " + allowedRoles + " can delete a Context requesting the operation from a Context which is not the parent.");
+				}
+			}
 		}
 		
 		Iterable<OEdge> iterable = getElement().getEdges(ODirection.OUT);
@@ -505,7 +503,11 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
 			throw new ContextException("Cannot remove a " + Context.NAME + " having children");
 		}
 
-		// TODO Move the vertex to the ShadowContextEnvironment (i.e the cemetery)
+		/* TODO Move the vertex to the ShadowContextEnvironment (i.e the cemetery)
+		 * We do NOT have to create the parent in ShadowContextEnvironment
+		 * Infact, the context itself it enough to identify the full path
+		 * of the context when deleted because the full path is logged.
+		 */
 		element.delete();
 
 		ContextUtility contextUtility = ContextUtility.getInstance();
@@ -635,14 +637,6 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
 			return readFromServer();
 		}
 	}
-	
-	@Override
-	public String createOrUpdate() throws NotFoundException, AvailableInAnotherContextException, ResourceRegistryException {
-		if(workingEnvironment.isUserAllowed(Operation.CREATE)) {
-			return super.createOrUpdate();
-		}
-		throw new ForbiddenException("You are not allowed to manipulate Contexts. Allowed roles are " + Environment.getAllOperationsAllowedRoles());
-	}
 
 	@Override
 	public void sanityCheck() throws SchemaViolationException, ResourceRegistryException {
diff --git a/src/main/java/org/gcube/informationsystem/resourceregistry/environments/Environment.java b/src/main/java/org/gcube/informationsystem/resourceregistry/environments/Environment.java
index a86fbb3..21b675d 100644
--- a/src/main/java/org/gcube/informationsystem/resourceregistry/environments/Environment.java
+++ b/src/main/java/org/gcube/informationsystem/resourceregistry/environments/Environment.java
@@ -17,7 +17,6 @@ import org.gcube.informationsystem.resourceregistry.api.exceptions.ResourceRegis
 import org.gcube.informationsystem.resourceregistry.contexts.ContextUtility;
 import org.gcube.informationsystem.resourceregistry.dbinitialization.DatabaseEnvironment;
 import org.gcube.informationsystem.resourceregistry.environments.administration.AdminEnvironment;
-import org.gcube.informationsystem.resourceregistry.instances.model.Operation;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -288,19 +287,6 @@ public abstract class Environment {
 		
 	}
 	
-	private static boolean isUserAllowed(Set<String> allowedRoles) {
-		boolean allowed = false;
-		SecretManager secretManager = SecretManagerProvider.instance.get();
-		User user = secretManager.getUser();
-		Collection<String> roles = new HashSet<>(user.getRoles());
-		roles.retainAll(allowedRoles);
-		if(roles.size()>0) {
-			allowed = true;
-		}
-		return allowed;
-	}
-	
-	
 	public boolean isUserAllowed(Collection<String> allowedRoles) {
 		boolean allowed = false;
 		SecretManager secretManager = SecretManagerProvider.instance.get();
@@ -313,41 +299,41 @@ public abstract class Environment {
 		return allowed;
 	}
 	
-	public boolean isUserAllowed(Operation operation) {
-		switch (operation) {
-			case CREATE:
-				break;
-				
-			case READ:
-				break;
-				
-			case EXISTS:
-				break;
-				
-			case UPDATE:
-				break;
-				
-			case DELETE:
-				break;
-				
-			case ADD_TO_CONTEXT:
-				break;
-	
-			case REMOVE_FROM_CONTEXT:
-				break;
-		
-			case QUERY:
-				break;
-				
-			case GET_METADATA:
-				return isUserAllowed(allOperationAllowedRoles);
-				
-			default:
-				break;
-		}
-		
-		return true;
-	}
+//	public boolean isUserAllowed(Operation operation) {
+//		switch (operation) {
+//			case CREATE:
+//				break;
+//				
+//			case READ:
+//				break;
+//				
+//			case EXISTS:
+//				break;
+//				
+//			case UPDATE:
+//				break;
+//				
+//			case DELETE:
+//				break;
+//				
+//			case ADD_TO_CONTEXT:
+//				break;
+//	
+//			case REMOVE_FROM_CONTEXT:
+//				break;
+//		
+//			case QUERY:
+//				break;
+//				
+//			case GET_METADATA:
+//				return isUserAllowed(allOperationAllowedRoles);
+//				
+//			default:
+//				break;
+//		}
+//		
+//		return true;
+//	}
 	
 	public void create() throws ResourceRegistryException {
 		ODatabaseDocument current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();