public folder check added on Authorization Checker
This commit is contained in:
parent
4c13f4098e
commit
08351b2005
|
@ -19,6 +19,7 @@ import org.gcube.common.storagehub.model.acls.AccessType;
|
|||
import org.gcube.common.storagehub.model.exceptions.BackendGenericError;
|
||||
import org.gcube.common.storagehub.model.exceptions.InvalidCallParameters;
|
||||
import org.gcube.common.storagehub.model.exceptions.UserNotAuthorizedException;
|
||||
import org.gcube.common.storagehub.model.items.FolderItem;
|
||||
import org.gcube.common.storagehub.model.items.Item;
|
||||
import org.gcube.common.storagehub.model.items.SharedFolder;
|
||||
import org.gcube.data.access.storagehub.handlers.items.Node2ItemConverter;
|
||||
|
@ -42,8 +43,10 @@ public class AuthorizationChecker {
|
|||
|
||||
if (item==null) throw new UserNotAuthorizedException("Insufficent Privileges for user "+login+" to read node with id "+id+": it's not a valid StorageHub node");
|
||||
|
||||
//check for public items (if is public anyone can read it)
|
||||
|
||||
if (!item.isShared() && item.getOwner()!=null && item.getOwner().equals(login)) return;
|
||||
|
||||
if (hasParentPublicFolder(session, item)) return;
|
||||
|
||||
if (item.isShared()) {
|
||||
SharedFolder parentShared = node2Item.getItem(retrieveSharedFolderParent(node, session), Excludes.EXCLUDE_ACCOUNTING);
|
||||
|
||||
|
@ -56,12 +59,12 @@ public class AuthorizationChecker {
|
|||
for (AccessControlEntry entry: entries) {
|
||||
log.debug("checking access right for {} with compared with {}",login, entry.getPrincipal());
|
||||
Authorizable authorizable = ((JackrabbitSession) session).getUserManager().getAuthorizable(entry.getPrincipal());
|
||||
|
||||
|
||||
if (authorizable==null) {
|
||||
log.warn("{} doesn't have a correspondant auhtorizable object, check it ", entry.getPrincipal());
|
||||
continue;
|
||||
}
|
||||
|
||||
|
||||
try {
|
||||
if (!authorizable.isGroup() && entry.getPrincipal().getName().equals(login)) return;
|
||||
if (authorizable.isGroup() && ((Group) authorizable).isMember(userAuthorizable)) return;
|
||||
|
@ -71,9 +74,33 @@ public class AuthorizationChecker {
|
|||
}
|
||||
throw new UserNotAuthorizedException("Insufficent Privileges for user "+login+" to read node with id "+id);
|
||||
|
||||
} else if (item.getOwner()==null || !item.getOwner().equals(login))
|
||||
throw new UserNotAuthorizedException("Insufficent Privileges for user "+login+" to read node with id "+id);
|
||||
}
|
||||
|
||||
throw new UserNotAuthorizedException("Insufficent Privileges for user "+login+" to read node with id "+id);
|
||||
|
||||
}
|
||||
|
||||
private boolean hasParentPublicFolder(Session session, Item item) {
|
||||
if (item.getParentPath().replaceAll("/Home/[^/]*/"+Constants.WORKSPACE_ROOT_FOLDER_NAME,"").isEmpty() || item.getParentPath().replaceAll(Constants.SHARED_FOLDER_PATH, "").isEmpty()) {
|
||||
if (item instanceof FolderItem)
|
||||
return ((FolderItem) item).isPublicItem();
|
||||
else return false;
|
||||
} else {
|
||||
if (item instanceof FolderItem)
|
||||
try {
|
||||
return ((FolderItem) item).isPublicItem() || hasParentPublicFolder(session, node2Item.getItem(item.getParentId(), session, Excludes.ALL));
|
||||
}catch (Throwable e) {
|
||||
log.warn("error checking public parents",e);
|
||||
return false;
|
||||
}
|
||||
else
|
||||
try {
|
||||
return hasParentPublicFolder(session, node2Item.getItem(item.getParentId(), session, Excludes.ALL));
|
||||
}catch (Throwable e) {
|
||||
log.warn("error checking public parents",e);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private Node retrieveSharedFolderParent(Node node, Session session) throws BackendGenericError, RepositoryException{
|
||||
|
@ -82,9 +109,9 @@ public class AuthorizationChecker {
|
|||
return retrieveSharedFolderParent(node.getParent(), session);
|
||||
|
||||
}
|
||||
|
||||
|
||||
public void checkWriteAuthorizationControl(Session session, Item item, Node node, boolean isNewItem) throws UserNotAuthorizedException, BackendGenericError, RepositoryException {
|
||||
|
||||
|
||||
String login = AuthorizationProvider.instance.get().getClient().getId();
|
||||
|
||||
if (item==null) throw new UserNotAuthorizedException("Not valid StorageHub node");
|
||||
|
@ -119,13 +146,13 @@ public class AuthorizationChecker {
|
|||
return;
|
||||
throw new UserNotAuthorizedException("Insufficent Privileges for user "+login+" to write into node with id "+item.getId());
|
||||
}
|
||||
|
||||
|
||||
public void checkWriteAuthorizationControl(Session session, String id, boolean isNewItem) throws UserNotAuthorizedException, BackendGenericError, RepositoryException {
|
||||
//in case of newItem the id is the parent otherwise the old node to replace
|
||||
Node node = session.getNodeByIdentifier(id);
|
||||
Item item = node2Item.getItem(node, Excludes.ALL);
|
||||
checkWriteAuthorizationControl(session, item, node, isNewItem);
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -183,11 +183,11 @@ public class Utils {
|
|||
}
|
||||
|
||||
public static org.gcube.common.storagehub.model.Path getWorkspacePath(){
|
||||
return Paths.getPath(String.format("/Home/%s/Workspace",AuthorizationProvider.instance.get().getClient().getId()));
|
||||
return Paths.getPath(String.format("/Home/%s/%s",AuthorizationProvider.instance.get().getClient().getId(), Constants.WORKSPACE_ROOT_FOLDER_NAME));
|
||||
}
|
||||
|
||||
public static org.gcube.common.storagehub.model.Path getWorkspacePath(String login){
|
||||
return Paths.getPath(String.format("/Home/%s/Workspace",login));
|
||||
return Paths.getPath(String.format("/Home/%s/%s",login,Constants.WORKSPACE_ROOT_FOLDER_NAME));
|
||||
}
|
||||
|
||||
public static org.gcube.common.storagehub.model.Path getHome(String login){
|
||||
|
|
|
@ -21,6 +21,7 @@ import javax.jcr.Property;
|
|||
import javax.jcr.PropertyIterator;
|
||||
import javax.jcr.PropertyType;
|
||||
import javax.jcr.RepositoryException;
|
||||
import javax.jcr.Session;
|
||||
import javax.jcr.Value;
|
||||
|
||||
import org.apache.commons.io.IOUtils;
|
||||
|
@ -56,6 +57,11 @@ public class Node2ItemConverter {
|
|||
else return retrieveItem(node, excludes, classToHandle);
|
||||
}
|
||||
|
||||
public <T extends Item> T getItem(String nodeIdentifier, Session session, List<String> excludes) throws RepositoryException, BackendGenericError{
|
||||
Node node = session.getNodeByIdentifier(nodeIdentifier);
|
||||
return getItem(node, excludes);
|
||||
}
|
||||
|
||||
public <T extends Item> T getItem(Node node, List<String> excludes) throws RepositoryException, BackendGenericError{
|
||||
@SuppressWarnings("unchecked")
|
||||
Class<T> classToHandle = (Class<T>)ClassHandler.instance().get(node.getPrimaryNodeType().getName());
|
||||
|
|
|
@ -25,7 +25,7 @@ The projects leading to this software have received funding from a series of
|
|||
Version
|
||||
--------------------------------------------------
|
||||
|
||||
1.1.1-SNAPSHOT (2020-04-08)
|
||||
1.1.1-SNAPSHOT (2020-04-09)
|
||||
|
||||
Please see the file named "changelog.xml" in this directory for the release notes.
|
||||
|
||||
|
|
Loading…
Reference in New Issue