From 08351b2005dbe3110e4c586d1f9813000e526688 Mon Sep 17 00:00:00 2001
From: lucio <lucio.lelii@isti.cnr.it>
Date: Thu, 9 Apr 2020 09:44:40 +0200
Subject: [PATCH] public folder check added on Authorization Checker

---
 .../storagehub/AuthorizationChecker.java      | 47 +++++++++++++++----
 .../gcube/data/access/storagehub/Utils.java   |  4 +-
 .../handlers/items/Node2ItemConverter.java    |  6 +++
 src/main/webapp/WEB-INF/README                |  2 +-
 4 files changed, 46 insertions(+), 13 deletions(-)

diff --git a/src/main/java/org/gcube/data/access/storagehub/AuthorizationChecker.java b/src/main/java/org/gcube/data/access/storagehub/AuthorizationChecker.java
index 927e942..890cdf2 100644
--- a/src/main/java/org/gcube/data/access/storagehub/AuthorizationChecker.java
+++ b/src/main/java/org/gcube/data/access/storagehub/AuthorizationChecker.java
@@ -19,6 +19,7 @@ import org.gcube.common.storagehub.model.acls.AccessType;
 import org.gcube.common.storagehub.model.exceptions.BackendGenericError;
 import org.gcube.common.storagehub.model.exceptions.InvalidCallParameters;
 import org.gcube.common.storagehub.model.exceptions.UserNotAuthorizedException;
+import org.gcube.common.storagehub.model.items.FolderItem;
 import org.gcube.common.storagehub.model.items.Item;
 import org.gcube.common.storagehub.model.items.SharedFolder;
 import org.gcube.data.access.storagehub.handlers.items.Node2ItemConverter;
@@ -42,8 +43,10 @@ public class AuthorizationChecker {
 
 		if (item==null) throw new UserNotAuthorizedException("Insufficent Privileges for user "+login+" to read node with id "+id+": it's  not a valid StorageHub node");
 
-		//check for public items (if is public anyone can read it)
-		
+		if (!item.isShared() && item.getOwner()!=null && item.getOwner().equals(login)) return;
+
+		if (hasParentPublicFolder(session, item)) return;
+
 		if (item.isShared()) {
 			SharedFolder parentShared = node2Item.getItem(retrieveSharedFolderParent(node, session), Excludes.EXCLUDE_ACCOUNTING);
 
@@ -56,12 +59,12 @@ public class AuthorizationChecker {
 			for (AccessControlEntry entry: entries) {
 				log.debug("checking access right for {} with compared with {}",login, entry.getPrincipal());
 				Authorizable authorizable = ((JackrabbitSession) session).getUserManager().getAuthorizable(entry.getPrincipal());
-				
+
 				if (authorizable==null) {
 					log.warn("{} doesn't have a correspondant auhtorizable object, check it ", entry.getPrincipal());
 					continue;
 				}
-				
+
 				try {
 					if (!authorizable.isGroup() && entry.getPrincipal().getName().equals(login)) return;
 					if (authorizable.isGroup() && ((Group) authorizable).isMember(userAuthorizable)) return;
@@ -71,9 +74,33 @@ public class AuthorizationChecker {
 			}
 			throw new UserNotAuthorizedException("Insufficent Privileges for user "+login+" to read node with id "+id);
 
-		} else if (item.getOwner()==null || !item.getOwner().equals(login))
-			throw new UserNotAuthorizedException("Insufficent Privileges for user "+login+" to read node with id "+id);
+		} 
 
+		throw new UserNotAuthorizedException("Insufficent Privileges for user "+login+" to read node with id "+id);
+
+	}
+
+	private boolean hasParentPublicFolder(Session session, Item item) {
+		if (item.getParentPath().replaceAll("/Home/[^/]*/"+Constants.WORKSPACE_ROOT_FOLDER_NAME,"").isEmpty() || item.getParentPath().replaceAll(Constants.SHARED_FOLDER_PATH, "").isEmpty()) {
+			if (item instanceof FolderItem)
+				return ((FolderItem) item).isPublicItem();
+			else return false;
+		} else { 
+			if (item instanceof FolderItem)
+				try {
+					return ((FolderItem) item).isPublicItem() || hasParentPublicFolder(session, node2Item.getItem(item.getParentId(), session, Excludes.ALL));
+				}catch (Throwable e) {
+					log.warn("error checking public parents",e);
+					return false;
+				}
+			else 
+				try {
+					return hasParentPublicFolder(session, node2Item.getItem(item.getParentId(), session, Excludes.ALL));
+				}catch (Throwable e) {
+					log.warn("error checking public parents",e);
+					return false;
+				}
+		}
 	}
 
 	private Node retrieveSharedFolderParent(Node node, Session session) throws BackendGenericError, RepositoryException{
@@ -82,9 +109,9 @@ public class AuthorizationChecker {
 			return retrieveSharedFolderParent(node.getParent(), session);
 
 	}
-	
+
 	public void checkWriteAuthorizationControl(Session session, Item item, Node node, boolean isNewItem) throws UserNotAuthorizedException, BackendGenericError, RepositoryException {
-		
+
 		String login = AuthorizationProvider.instance.get().getClient().getId();
 
 		if (item==null) throw new UserNotAuthorizedException("Not valid StorageHub node");
@@ -119,13 +146,13 @@ public class AuthorizationChecker {
 				return;
 		throw new UserNotAuthorizedException("Insufficent Privileges for user "+login+" to write into node with id "+item.getId());
 	}
-	
+
 	public void checkWriteAuthorizationControl(Session session, String id, boolean isNewItem) throws UserNotAuthorizedException, BackendGenericError, RepositoryException {
 		//in case of newItem the id is the parent otherwise the old node to replace
 		Node node = session.getNodeByIdentifier(id);
 		Item item  = node2Item.getItem(node, Excludes.ALL);
 		checkWriteAuthorizationControl(session, item, node, isNewItem);
-		
+
 	}
 
 
diff --git a/src/main/java/org/gcube/data/access/storagehub/Utils.java b/src/main/java/org/gcube/data/access/storagehub/Utils.java
index 3e6c1fb..a8bc699 100644
--- a/src/main/java/org/gcube/data/access/storagehub/Utils.java
+++ b/src/main/java/org/gcube/data/access/storagehub/Utils.java
@@ -183,11 +183,11 @@ public class Utils {
 	}
 
 	public static org.gcube.common.storagehub.model.Path getWorkspacePath(){
-		return Paths.getPath(String.format("/Home/%s/Workspace",AuthorizationProvider.instance.get().getClient().getId()));
+		return Paths.getPath(String.format("/Home/%s/%s",AuthorizationProvider.instance.get().getClient().getId(), Constants.WORKSPACE_ROOT_FOLDER_NAME));
 	}
 
 	public static org.gcube.common.storagehub.model.Path getWorkspacePath(String login){
-		return Paths.getPath(String.format("/Home/%s/Workspace",login));
+		return Paths.getPath(String.format("/Home/%s/%s",login,Constants.WORKSPACE_ROOT_FOLDER_NAME));
 	}
 
 	public static org.gcube.common.storagehub.model.Path getHome(String login){
diff --git a/src/main/java/org/gcube/data/access/storagehub/handlers/items/Node2ItemConverter.java b/src/main/java/org/gcube/data/access/storagehub/handlers/items/Node2ItemConverter.java
index 7a7885c..2682d41 100644
--- a/src/main/java/org/gcube/data/access/storagehub/handlers/items/Node2ItemConverter.java
+++ b/src/main/java/org/gcube/data/access/storagehub/handlers/items/Node2ItemConverter.java
@@ -21,6 +21,7 @@ import javax.jcr.Property;
 import javax.jcr.PropertyIterator;
 import javax.jcr.PropertyType;
 import javax.jcr.RepositoryException;
+import javax.jcr.Session;
 import javax.jcr.Value;
 
 import org.apache.commons.io.IOUtils;
@@ -56,6 +57,11 @@ public class Node2ItemConverter {
 		else return retrieveItem(node, excludes, classToHandle);
 	}
 
+	public <T extends Item> T getItem(String nodeIdentifier, Session session, List<String> excludes) throws RepositoryException, BackendGenericError{
+		Node node = session.getNodeByIdentifier(nodeIdentifier);
+		return getItem(node, excludes);
+	}	
+	
 	public <T extends Item> T getItem(Node node, List<String> excludes) throws RepositoryException, BackendGenericError{
 		@SuppressWarnings("unchecked")
 		Class<T> classToHandle = (Class<T>)ClassHandler.instance().get(node.getPrimaryNodeType().getName());
diff --git a/src/main/webapp/WEB-INF/README b/src/main/webapp/WEB-INF/README
index f36eff6..5be5c6f 100644
--- a/src/main/webapp/WEB-INF/README
+++ b/src/main/webapp/WEB-INF/README
@@ -25,7 +25,7 @@ The projects leading to this software have received funding from a series of
 Version
 --------------------------------------------------
  
-1.1.1-SNAPSHOT (2020-04-08)
+1.1.1-SNAPSHOT (2020-04-09)
  
 Please see the file named "changelog.xml" in this directory for the release notes.