storagehub/src/main/java/org/gcube/data/access/storagehub/AuthorizationChecker.java

package org.gcube.data.access.storagehub;

import java.util.Arrays;

import javax.inject.Singleton;
import javax.jcr.Node;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.Privilege;

import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.gcube.common.authorization.library.provider.AuthorizationProvider;
import org.gcube.common.storagehub.model.acls.AccessType;
import org.gcube.common.storagehub.model.items.Item;
import org.gcube.common.storagehub.model.items.SharedFolder;
import org.gcube.data.access.storagehub.handlers.ItemHandler;

@Singleton
public class AuthorizationChecker {

	public void checkReadAuthorizationControl(Session session, String id) throws Exception{
		Node node = session.getNodeByIdentifier(id);

		Item item  = ItemHandler.getItem(node, Arrays.asList("hl:accounting","jcr:content"));

		if (item.isShared()) {
			SharedFolder parentShared = retrieveSharedFolderParent(item, session);
			if (!parentShared.getUsers().getValues().containsKey(AuthorizationProvider.instance.get().getClient().getId()))
				throw new IllegalAccessException("Insufficent Provileges to read node with id "+id);
		} else if (!node.getProperty("hl:portalLogin").getString().equals(AuthorizationProvider.instance.get().getClient().getId()))
			throw new IllegalAccessException("Insufficent Provileges to read node with id "+id);

	}

	private SharedFolder retrieveSharedFolderParent(Item item, Session session) throws Exception{
		if (item instanceof SharedFolder) return (SharedFolder)item;
		else 
			return retrieveSharedFolderParent(ItemHandler.getItem(session.getNodeByIdentifier(item.getParentId()), Arrays.asList("hl:accounting","jcr:content")), session);

	}

	public void checkWriteAuthorizationControl(Session session, String id) throws Exception {

		Node node = session.getNodeByIdentifier(id);

		Item item  = ItemHandler.getItem(node, Arrays.asList("hl:accounting","jcr:content"));

		if (item.isShared()) {
			//put it in a different method
			JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(session, node.getPath());
			AccessControlEntry[] entries = accessControlList.getAccessControlEntries();
			for (AccessControlEntry entry: entries) {
				if (entry.getPrincipal().equals(AuthorizationProvider.instance.get().getClient().getId())) {
					for (Privilege privilege : entry.getPrivileges()){
						AccessType access = AccessType.valueOf(privilege.getName());
						if (access==AccessType.ADMINISTRATOR || access==AccessType.WRITE_ALL || (access==AccessType.WRITE_OWNER && item.getOwner().equals(AuthorizationProvider.instance.get().getClient().getId()))) 
							return;
						else throw new IllegalAccessException("Insufficent Provileges to write node with id "+id);
					}
				}
			}
			throw new IllegalAccessException("Insufficent Provileges to write node with id "+id);
		} else 
			if(!item.getOwner().equals(AuthorizationProvider.instance.get().getClient().getId()))
					throw new IllegalAccessException("Insufficent Provileges to write node with id "+id);
		
	}


}
merge for relese 4.11.1 git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@167555 82a268e6-3cf1-43bd-a215-b396298e98cf 2018-05-17 12:51:56 +02:00			`package org.gcube.data.access.storagehub;`

			`import java.util.Arrays;`

			`import javax.inject.Singleton;`
			`import javax.jcr.Node;`
			`import javax.jcr.Session;`
git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@167790 82a268e6-3cf1-43bd-a215-b396298e98cf 2018-05-28 12:01:01 +02:00			`import javax.jcr.security.AccessControlEntry;`
			`import javax.jcr.security.Privilege;`
merge for relese 4.11.1 git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@167555 82a268e6-3cf1-43bd-a215-b396298e98cf 2018-05-17 12:51:56 +02:00
git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@167790 82a268e6-3cf1-43bd-a215-b396298e98cf 2018-05-28 12:01:01 +02:00			`import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;`
			`import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;`
merge for relese 4.11.1 git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@167555 82a268e6-3cf1-43bd-a215-b396298e98cf 2018-05-17 12:51:56 +02:00			`import org.gcube.common.authorization.library.provider.AuthorizationProvider;`
git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@167790 82a268e6-3cf1-43bd-a215-b396298e98cf 2018-05-28 12:01:01 +02:00			`import org.gcube.common.storagehub.model.acls.AccessType;`
merge for relese 4.11.1 git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@167555 82a268e6-3cf1-43bd-a215-b396298e98cf 2018-05-17 12:51:56 +02:00			`import org.gcube.common.storagehub.model.items.Item;`
			`import org.gcube.common.storagehub.model.items.SharedFolder;`
			`import org.gcube.data.access.storagehub.handlers.ItemHandler;`

			`@Singleton`
			`public class AuthorizationChecker {`

			`public void checkReadAuthorizationControl(Session session, String id) throws Exception{`
			`Node node = session.getNodeByIdentifier(id);`

			`Item item = ItemHandler.getItem(node, Arrays.asList("hl:accounting","jcr:content"));`

			`if (item.isShared()) {`
			`SharedFolder parentShared = retrieveSharedFolderParent(item, session);`
git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@167790 82a268e6-3cf1-43bd-a215-b396298e98cf 2018-05-28 12:01:01 +02:00			`if (!parentShared.getUsers().getValues().containsKey(AuthorizationProvider.instance.get().getClient().getId()))`
merge for relese 4.11.1 git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@167555 82a268e6-3cf1-43bd-a215-b396298e98cf 2018-05-17 12:51:56 +02:00			`throw new IllegalAccessException("Insufficent Provileges to read node with id "+id);`
			`} else if (!node.getProperty("hl:portalLogin").getString().equals(AuthorizationProvider.instance.get().getClient().getId()))`
			`throw new IllegalAccessException("Insufficent Provileges to read node with id "+id);`

			`}`
git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@167790 82a268e6-3cf1-43bd-a215-b396298e98cf 2018-05-28 12:01:01 +02:00
merge for relese 4.11.1 git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@167555 82a268e6-3cf1-43bd-a215-b396298e98cf 2018-05-17 12:51:56 +02:00			`private SharedFolder retrieveSharedFolderParent(Item item, Session session) throws Exception{`
			`if (item instanceof SharedFolder) return (SharedFolder)item;`
			`else`
			`return retrieveSharedFolderParent(ItemHandler.getItem(session.getNodeByIdentifier(item.getParentId()), Arrays.asList("hl:accounting","jcr:content")), session);`
git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@167790 82a268e6-3cf1-43bd-a215-b396298e98cf 2018-05-28 12:01:01 +02:00
			`}`

			`public void checkWriteAuthorizationControl(Session session, String id) throws Exception {`

			`Node node = session.getNodeByIdentifier(id);`

			`Item item = ItemHandler.getItem(node, Arrays.asList("hl:accounting","jcr:content"));`

			`if (item.isShared()) {`
			`//put it in a different method`
			`JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(session, node.getPath());`
			`AccessControlEntry[] entries = accessControlList.getAccessControlEntries();`
			`for (AccessControlEntry entry: entries) {`
			`if (entry.getPrincipal().equals(AuthorizationProvider.instance.get().getClient().getId())) {`
			`for (Privilege privilege : entry.getPrivileges()){`
			`AccessType access = AccessType.valueOf(privilege.getName());`
			`if (access==AccessType.ADMINISTRATOR \|\| access==AccessType.WRITE_ALL \|\| (access==AccessType.WRITE_OWNER && item.getOwner().equals(AuthorizationProvider.instance.get().getClient().getId())))`
			`return;`
			`else throw new IllegalAccessException("Insufficent Provileges to write node with id "+id);`
			`}`
			`}`
			`}`
			`throw new IllegalAccessException("Insufficent Provileges to write node with id "+id);`
			`} else`
			`if(!item.getOwner().equals(AuthorizationProvider.instance.get().getClient().getId()))`
			`throw new IllegalAccessException("Insufficent Provileges to write node with id "+id);`
merge for relese 4.11.1 git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@167555 82a268e6-3cf1-43bd-a215-b396298e98cf 2018-05-17 12:51:56 +02:00
			`}`
git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@167790 82a268e6-3cf1-43bd-a215-b396298e98cf 2018-05-28 12:01:01 +02:00


merge for relese 4.11.1 git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@167555 82a268e6-3cf1-43bd-a215-b396298e98cf 2018-05-17 12:51:56 +02:00			`}`