revising role operation checks
This commit is contained in:
parent
847edc72ef
commit
e29a78cd2d
|
|
@ -744,12 +744,12 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
|
|||
setOperation(Operation.UPDATE);
|
||||
try {
|
||||
getElement();
|
||||
environment.isUserAllowed(operation);
|
||||
// TODO environment.isUserAllowed(operation);
|
||||
update = true;
|
||||
internalUpdate();
|
||||
} catch(NotFoundException e) {
|
||||
setOperation(Operation.CREATE);
|
||||
environment.isUserAllowed(operation);
|
||||
// TODO environment.isUserAllowed(operation);
|
||||
String calledMethod = CalledMethodProvider.instance.get();
|
||||
calledMethod = calledMethod.replace("update", "create");
|
||||
CalledMethodProvider.instance.set(calledMethod);
|
||||
|
|
@ -794,7 +794,7 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
|
|||
ODatabaseDocument current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
|
||||
try {
|
||||
Environment environment = getWorkingEnvironment();
|
||||
environment.isUserAllowed(Operation.CREATE);
|
||||
// TODO environment.isUserAllowed(Operation.CREATE);
|
||||
oDatabaseDocument = environment.getDatabaseDocument(PermissionMode.WRITER);
|
||||
oDatabaseDocument.begin();
|
||||
setAsEntryPoint();
|
||||
|
|
@ -836,7 +836,7 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
|
|||
try {
|
||||
Environment environment = getWorkingEnvironment();
|
||||
setOperation(Operation.READ);
|
||||
environment.isUserAllowed(operation);
|
||||
// TODO environment.isUserAllowed(operation);
|
||||
oDatabaseDocument = environment.getDatabaseDocument(PermissionMode.READER);
|
||||
|
||||
setAsEntryPoint();
|
||||
|
|
@ -865,7 +865,7 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
|
|||
ODatabaseDocument current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
|
||||
try {
|
||||
Environment environment = getWorkingEnvironment();
|
||||
environment.isUserAllowed(Operation.UPDATE);
|
||||
// TODO environment.isUserAllowed(Operation.UPDATE);
|
||||
oDatabaseDocument = environment.getDatabaseDocument(PermissionMode.WRITER);
|
||||
oDatabaseDocument.begin();
|
||||
|
||||
|
|
@ -909,7 +909,7 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
|
|||
try {
|
||||
Environment environment = getWorkingEnvironment();
|
||||
setOperation(Operation.DELETE);
|
||||
environment.isUserAllowed(operation);
|
||||
// TODO environment.isUserAllowed(operation);
|
||||
oDatabaseDocument = environment.getDatabaseDocument(PermissionMode.WRITER);
|
||||
oDatabaseDocument.begin();
|
||||
setAsEntryPoint();
|
||||
|
|
@ -952,7 +952,7 @@ public abstract class ElementManagement<El extends OElement, T extends Type> {
|
|||
try {
|
||||
AdminEnvironment adminEnvironment = AdminEnvironment.getInstance();
|
||||
setOperation(Operation.GET_METADATA);
|
||||
adminEnvironment.isUserAllowed(operation);
|
||||
// TODO adminEnvironment.isUserAllowed(operation);
|
||||
oDatabaseDocument = adminEnvironment.getDatabaseDocument(PermissionMode.READER);
|
||||
|
||||
setAsEntryPoint();
|
||||
|
|
|
|||
|
|
@ -8,7 +8,6 @@ import java.util.Map;
|
|||
import java.util.Set;
|
||||
import java.util.UUID;
|
||||
|
||||
import javax.ws.rs.ForbiddenException;
|
||||
import javax.ws.rs.NotAuthorizedException;
|
||||
|
||||
import org.gcube.com.fasterxml.jackson.core.JsonProcessingException;
|
||||
|
|
@ -38,7 +37,6 @@ import org.gcube.informationsystem.resourceregistry.contexts.relations.IsParentO
|
|||
import org.gcube.informationsystem.resourceregistry.environments.Environment;
|
||||
import org.gcube.informationsystem.resourceregistry.environments.contexts.ContextEnvironment;
|
||||
import org.gcube.informationsystem.resourceregistry.environments.instances.InstanceEnvironment;
|
||||
import org.gcube.informationsystem.resourceregistry.instances.model.Operation;
|
||||
import org.gcube.informationsystem.resourceregistry.queries.operators.ComparisonOperator;
|
||||
import org.gcube.informationsystem.resourceregistry.queries.operators.LogicalOperator;
|
||||
import org.gcube.informationsystem.resourceregistry.rest.requests.RequestUtility;
|
||||
|
|
@ -249,27 +247,6 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
|
|||
return context;
|
||||
}
|
||||
|
||||
// public boolean isUserAllowed() {
|
||||
// switch (operation) {
|
||||
// case CREATE:
|
||||
// break;
|
||||
//
|
||||
// case UPDATE:
|
||||
// break;
|
||||
//
|
||||
// case DELETE:
|
||||
// break;
|
||||
//
|
||||
// default:
|
||||
// break;
|
||||
// }
|
||||
//
|
||||
// return true;
|
||||
// }
|
||||
|
||||
|
||||
|
||||
|
||||
/*
|
||||
* The Context-Manager is allowed to delete a context
|
||||
* only if he is the Context-Manager of the parent context
|
||||
|
|
@ -375,6 +352,8 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
|
|||
@Override
|
||||
protected OVertex reallyUpdate() throws NotFoundException, ResourceRegistryException {
|
||||
|
||||
// TODO Add role check
|
||||
|
||||
boolean parentChanged = false;
|
||||
boolean nameChanged = false;
|
||||
|
||||
|
|
@ -495,8 +474,27 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
|
|||
@Override
|
||||
protected void reallyDelete() throws NotFoundException, ResourceRegistryException {
|
||||
|
||||
if(workingEnvironment.isUserAllowed(Operation.CREATE)) {
|
||||
throw new ForbiddenException("You are not allowed to delete the Contexts. Allowed roles are " + Environment.getAllOperationsAllowedRoles());
|
||||
InstanceEnvironment requestEnvironment = ContextUtility.getCurrentRequestEnvironment();
|
||||
InstanceEnvironment parentInstanceEnvironment = (InstanceEnvironment) requestEnvironment.getParentEnvironment();
|
||||
|
||||
if(parentInstanceEnvironment==null) {
|
||||
// We are trying to delete the root
|
||||
Set<String> allowedRoles = Environment.getAllOperationsAllowedRoles();
|
||||
if(!requestEnvironment.isUserAllowed(allowedRoles)) {
|
||||
throw new NotAuthorizedException("Only user with one of the following roles " + allowedRoles + " can delete the root Context.");
|
||||
}
|
||||
}else {
|
||||
if(uuid.compareTo(parentInstanceEnvironment.getUUID())==0) {
|
||||
Set<String> allowedRoles = requestEnvironment.getAllowedRoles();
|
||||
if(!parentInstanceEnvironment.isUserAllowed(allowedRoles)) {
|
||||
throw new NotAuthorizedException("Only user with one of the following roles " + allowedRoles + " can delete a child Context.");
|
||||
}
|
||||
}else {
|
||||
Set<String> allowedRoles = Environment.getAllOperationsAllowedRoles();
|
||||
if(!requestEnvironment.isUserAllowed(allowedRoles)) {
|
||||
throw new NotAuthorizedException("Only user with one of the following roles " + allowedRoles + " can delete a Context requesting the operation from a Context which is not the parent.");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Iterable<OEdge> iterable = getElement().getEdges(ODirection.OUT);
|
||||
|
|
@ -505,7 +503,11 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
|
|||
throw new ContextException("Cannot remove a " + Context.NAME + " having children");
|
||||
}
|
||||
|
||||
// TODO Move the vertex to the ShadowContextEnvironment (i.e the cemetery)
|
||||
/* TODO Move the vertex to the ShadowContextEnvironment (i.e the cemetery)
|
||||
* We do NOT have to create the parent in ShadowContextEnvironment
|
||||
* Infact, the context itself it enough to identify the full path
|
||||
* of the context when deleted because the full path is logged.
|
||||
*/
|
||||
element.delete();
|
||||
|
||||
ContextUtility contextUtility = ContextUtility.getInstance();
|
||||
|
|
@ -635,14 +637,6 @@ public class ContextManagement extends EntityElementManagement<Context, EntityTy
|
|||
return readFromServer();
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public String createOrUpdate() throws NotFoundException, AvailableInAnotherContextException, ResourceRegistryException {
|
||||
if(workingEnvironment.isUserAllowed(Operation.CREATE)) {
|
||||
return super.createOrUpdate();
|
||||
}
|
||||
throw new ForbiddenException("You are not allowed to manipulate Contexts. Allowed roles are " + Environment.getAllOperationsAllowedRoles());
|
||||
}
|
||||
|
||||
@Override
|
||||
public void sanityCheck() throws SchemaViolationException, ResourceRegistryException {
|
||||
|
|
|
|||
|
|
@ -17,7 +17,6 @@ import org.gcube.informationsystem.resourceregistry.api.exceptions.ResourceRegis
|
|||
import org.gcube.informationsystem.resourceregistry.contexts.ContextUtility;
|
||||
import org.gcube.informationsystem.resourceregistry.dbinitialization.DatabaseEnvironment;
|
||||
import org.gcube.informationsystem.resourceregistry.environments.administration.AdminEnvironment;
|
||||
import org.gcube.informationsystem.resourceregistry.instances.model.Operation;
|
||||
import org.slf4j.Logger;
|
||||
import org.slf4j.LoggerFactory;
|
||||
|
||||
|
|
@ -288,19 +287,6 @@ public abstract class Environment {
|
|||
|
||||
}
|
||||
|
||||
private static boolean isUserAllowed(Set<String> allowedRoles) {
|
||||
boolean allowed = false;
|
||||
SecretManager secretManager = SecretManagerProvider.instance.get();
|
||||
User user = secretManager.getUser();
|
||||
Collection<String> roles = new HashSet<>(user.getRoles());
|
||||
roles.retainAll(allowedRoles);
|
||||
if(roles.size()>0) {
|
||||
allowed = true;
|
||||
}
|
||||
return allowed;
|
||||
}
|
||||
|
||||
|
||||
public boolean isUserAllowed(Collection<String> allowedRoles) {
|
||||
boolean allowed = false;
|
||||
SecretManager secretManager = SecretManagerProvider.instance.get();
|
||||
|
|
@ -313,41 +299,41 @@ public abstract class Environment {
|
|||
return allowed;
|
||||
}
|
||||
|
||||
public boolean isUserAllowed(Operation operation) {
|
||||
switch (operation) {
|
||||
case CREATE:
|
||||
break;
|
||||
|
||||
case READ:
|
||||
break;
|
||||
|
||||
case EXISTS:
|
||||
break;
|
||||
|
||||
case UPDATE:
|
||||
break;
|
||||
|
||||
case DELETE:
|
||||
break;
|
||||
|
||||
case ADD_TO_CONTEXT:
|
||||
break;
|
||||
|
||||
case REMOVE_FROM_CONTEXT:
|
||||
break;
|
||||
|
||||
case QUERY:
|
||||
break;
|
||||
|
||||
case GET_METADATA:
|
||||
return isUserAllowed(allOperationAllowedRoles);
|
||||
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
// public boolean isUserAllowed(Operation operation) {
|
||||
// switch (operation) {
|
||||
// case CREATE:
|
||||
// break;
|
||||
//
|
||||
// case READ:
|
||||
// break;
|
||||
//
|
||||
// case EXISTS:
|
||||
// break;
|
||||
//
|
||||
// case UPDATE:
|
||||
// break;
|
||||
//
|
||||
// case DELETE:
|
||||
// break;
|
||||
//
|
||||
// case ADD_TO_CONTEXT:
|
||||
// break;
|
||||
//
|
||||
// case REMOVE_FROM_CONTEXT:
|
||||
// break;
|
||||
//
|
||||
// case QUERY:
|
||||
// break;
|
||||
//
|
||||
// case GET_METADATA:
|
||||
// return isUserAllowed(allOperationAllowedRoles);
|
||||
//
|
||||
// default:
|
||||
// break;
|
||||
// }
|
||||
//
|
||||
// return true;
|
||||
// }
|
||||
|
||||
public void create() throws ResourceRegistryException {
|
||||
ODatabaseDocument current = ContextUtility.getCurrentODatabaseDocumentFromThreadLocal();
|
||||
|
|
|
|||
Loading…
Reference in New Issue