diff --git a/.settings/org.eclipse.wst.common.component b/.settings/org.eclipse.wst.common.component
index 2275b5a..1314f66 100644
--- a/.settings/org.eclipse.wst.common.component
+++ b/.settings/org.eclipse.wst.common.component
@@ -7,7 +7,7 @@
uses
-
+
uses
diff --git a/distro/gcube-app.xml b/distro/gcube-app.xml
index 4f0d8e1..aa6e541 100644
--- a/distro/gcube-app.xml
+++ b/distro/gcube-app.xml
@@ -1,7 +1,7 @@
StorageHub
DataAccess
- 1.0.0-SNAPSHOT
+ ${version}
Storage Hub webapp
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 474122e..3aa3b2d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -12,7 +12,7 @@
4.0.0
org.gcube.data.access
storagehub
- 1.0.8
+ 1.0.8-SNAPSHOT
storagehub
diff --git a/src/main/java/org/gcube/data/access/storagehub/services/ACLManager.java b/src/main/java/org/gcube/data/access/storagehub/services/ACLManager.java
index 9227378..15224cf 100644
--- a/src/main/java/org/gcube/data/access/storagehub/services/ACLManager.java
+++ b/src/main/java/org/gcube/data/access/storagehub/services/ACLManager.java
@@ -143,19 +143,19 @@ public class ACLManager {
InnerMethodName.instance.set("setACLById");
Session ses = null;
try{
-
+
ses = repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
-
+
Node node = ses.getNodeByIdentifier(id);
Item item = node2Item.getItem(node, Excludes.ALL);
-
+
if (!(item instanceof SharedFolder))
throw new InvalidItemException("the item is not a shared folder");
-
+
if (item.getOwner().equals(user))
throw new UserNotAuthorizedException("owner acl cannot be changed");
-
+
authChecker.checkAdministratorControl(ses, (SharedFolder) item);
SharedFolder folder = ((SharedFolder)item);
@@ -234,14 +234,14 @@ public class ACLManager {
*
*
* @param String user
- * @param accessType accessType
+ *
*
* @exception {@link RepositoryException} when a generic jcr error occurs
* @exception {@link UserNotAuthorizedException} when the caller is not ADMINISTRATOR of the shared folder
* @exception {@link InvalidCallParameters} when the folder is not shared with the specified user
* @exception {@link InvalidItemException} when the folder is not share
*/
- /*@DELETE
+ @DELETE
@Consumes(MediaType.TEXT_PLAIN)
@Path("{id}/acls/{user}")
public void removeACL(@PathParam("user") String user) {
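Review bot: The Javadoc on the re-enabled `removeACL` endpoint is malformed, and the removed `accessType` line leaves an empty ` *` behind. `@param String user` should read `@param user the user whose access entry is removed`, and the `@exception {@link X}` lines should be plain `@throws X ...` tags. The route template also contains `{id}`, which the signature does not bind; presumably a class-level `@PathParam("id")` field supplies it, and the Javadoc should say so. The method body continues outside this hunk.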
@@ -261,28 +261,26 @@ public class ACLManager {
SharedFolder folder = ((SharedFolder)item);
- if (folder.isVreFolder()) {
- AccessControlManager acm = ses.getAccessControlManager();
- JackrabbitAccessControlList acls = AccessControlUtils.getAccessControlList(acm, folder.getPath());
+ AccessControlManager acm = ses.getAccessControlManager();
+ JackrabbitAccessControlList acls = AccessControlUtils.getAccessControlList(acm, folder.getPath());
- AccessControlEntry entryToDelete= null;
- for (AccessControlEntry ace :acls.getAccessControlEntries()) {
- if (ace.getPrincipal().getName().equals(user)) {
- entryToDelete = ace;
- break;
- }
-
+ AccessControlEntry entryToDelete= null;
+ for (AccessControlEntry ace :acls.getAccessControlEntries()) {
+ if (ace.getPrincipal().getName().equals(user)) {
+ entryToDelete = ace;
+ break;
}
- if (entryToDelete!=null)
- acls.removeAccessControlEntry(entryToDelete);
- else return;
-
- acm.setPolicy(folder.getPath(), acls);
- ses.save();
- log.debug("removed Access control entry for user {}",user);
- } else throw new InvalidCallParameters("remove acl can be called only on VRE folder");
+ }
+ if (entryToDelete!=null)
+ acls.removeAccessControlEntry(entryToDelete);
+ else return;
+
+ acm.setPolicy(folder.getPath(), acls);
+ ses.save();
+ log.debug("removed Access control entry for user {}",user);
+
}catch(RepositoryException re){
log.error("jcr error extracting archive", re);
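Review bot: With the `isVreFolder()` guard gone this removal applies to every shared folder, yet nothing in the hunk stops `user` from being the folder owner, a case `setACLById` in the same class rejects with `if (item.getOwner().equals(user)) throw new UserNotAuthorizedException("owner acl cannot be changed");`. The start of the method is outside this hunk, so confirm that this guard and `authChecker.checkAdministratorControl(ses, (SharedFolder) item)` both run before this point. The `else return;` branch also reports success when the user has no entry, while the Javadoc promises `InvalidCallParameters` for that case. `else throw new InvalidCallParameters("the folder is not shared with the specified user");` would match it, assuming the surrounding catch blocks map that exception. An ACL removal also deserves an `info`-level record that names the folder, and the context line `log.error("jcr error extracting archive", re)` names the wrong operation.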
@@ -294,7 +292,7 @@ public class ACLManager {
if (ses!=null)
ses.logout();
}
- }*/
+ }
@GET
@Path("{id}/acls/write")
diff --git a/src/main/java/org/gcube/data/access/storagehub/services/GroupManager.java b/src/main/java/org/gcube/data/access/storagehub/services/GroupManager.java
index 037e2cf..4abdae8 100644
--- a/src/main/java/org/gcube/data/access/storagehub/services/GroupManager.java
+++ b/src/main/java/org/gcube/data/access/storagehub/services/GroupManager.java
@@ -56,6 +56,7 @@ public class GroupManager {
@Context ServletContext context;
private static final String VREMANAGER_ROLE = "VRE-Manager";
+ private static final String INFRASTRUCTURE_MANAGER_ROLE = "Infrastructure-Manager";
private static final Logger log = LoggerFactory.getLogger(GroupManager.class);
@@ -100,7 +101,7 @@ public class GroupManager {
@POST
@Path("")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
- @AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedRoles={INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public String createGroup(@FormParam("group") String group, @FormParam("accessType") AccessType accessType){
InnerMethodName.instance.set("createGroup");
@@ -109,7 +110,8 @@ public class GroupManager {
String groupId = null;
try {
- checkGroupValidity(group);
+ if (!isValidGroupForContext(groupId))
+ throw new UserNotAuthorizedException("only VREManager can execute this operation");
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
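Review bot: The new guard passes `groupId`, the local declared as `null` on the line above, to `isValidGroupForContext` instead of the `group` form parameter. `group.equals(expectedGroupId)` inside the helper then dereferences null, so `createGroup` can never pass this check. It should read `if (!isValidGroupForContext(group))`. The message still says `only VREManager can execute this operation` although the annotation now admits only `Infrastructure-Manager`; the `deleteGroup` hunk has the same mismatch. The method body continues outside this hunk.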
@@ -134,7 +136,7 @@ public class GroupManager {
@DELETE
@Path("{group}")
- @AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedRoles={INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public String deleteGroup(@PathParam("group") String group){
InnerMethodName.instance.set("deleteGroup");
@@ -142,7 +144,9 @@ public class GroupManager {
JackrabbitSession session = null;
try {
- checkGroupValidity(group);
+ if (!isValidGroupForContext(group))
+ throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
+
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
@@ -163,14 +167,17 @@ public class GroupManager {
if (session!=null)
session.logout();
}
-
return group;
}
+
+ public boolean isAdmin() { return AuthorizationProvider.instance.get().getClient().getRoles().contains(INFRASTRUCTURE_MANAGER_ROLE); }
+
+
@PUT
@Path("{id}")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
- @AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedRoles={VREMANAGER_ROLE, INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public boolean addUserToGroup(@PathParam("id") String groupId, @FormParam("userId") String userId){
InnerMethodName.instance.set("addUserToGroup");
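Review bot: `isAdmin()` is added as a `public` one-line method on the resource class, although it is only an internal authorization helper. It is what lets `addUserToGroup` and `removeUserFromGroup` skip the context check. Declare it `private` and give it a comment such as `// Infrastructure-Manager may manage membership of groups outside the current context`. The chain `AuthorizationProvider.instance.get().getClient().getRoles()` is dereferenced without null checks; whether any link can be null is not visible here, so confirm that the `@AuthorizationControl` filter always runs first.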
@@ -179,7 +186,8 @@ public class GroupManager {
boolean success = false;
try {
- checkGroupValidity(groupId);
+ if (!isValidGroupForContext(groupId) && !isAdmin())
+ throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
@@ -214,7 +222,7 @@ public class GroupManager {
@DELETE
@Path("{groupId}/users/{userId}")
- @AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedRoles={VREMANAGER_ROLE, INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public boolean removeUserFromGroup(@PathParam("groupId") String groupId, @PathParam("userId") String userId){
InnerMethodName.instance.set("removeUserFromGroup");
@@ -223,7 +231,8 @@ public class GroupManager {
boolean success = false;
try {
- checkGroupValidity(groupId);
+ if (!isValidGroupForContext(groupId) && !isAdmin())
+ throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
@@ -274,7 +283,8 @@ public class GroupManager {
List users = new ArrayList<>();
try {
- checkGroupValidity(groupId);
+ if (!isValidGroupForContext(groupId))
+ throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
@@ -350,12 +360,10 @@ public class GroupManager {
return vreFolder;
}
- private void checkGroupValidity(String group) throws UserNotAuthorizedException{
+ private boolean isValidGroupForContext(String group){
String currentContext = ScopeProvider.instance.get();
String expectedGroupId= currentContext.replace("/", "-").substring(1);
- if (!group.equals(expectedGroupId))
- throw new UserNotAuthorizedException("only VREManager can execute this operation");
-
+ return group.equals(expectedGroupId);
}
}
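Review bot: `isValidGroupForContext` calls `group.equals(expectedGroupId)`, so a missing `group` or `groupId` request parameter raises a NullPointerException instead of a clean denial. Writing `return expectedGroupId.equals(group);` makes the check fail closed for null input. `ScopeProvider.instance.get()` is also dereferenced unchecked; if a request can arrive without a scope, the helper should return `false` in that case. A short comment on how the scope maps to the expected id (`/` replaced by `-`, leading character dropped) would help, since every caller's authorization decision depends on it.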
diff --git a/src/main/java/org/gcube/data/access/storagehub/services/UserManager.java b/src/main/java/org/gcube/data/access/storagehub/services/UserManager.java
index 7a86c6c..fcee912 100644
--- a/src/main/java/org/gcube/data/access/storagehub/services/UserManager.java
+++ b/src/main/java/org/gcube/data/access/storagehub/services/UserManager.java
@@ -28,8 +28,10 @@ import org.apache.jackrabbit.api.security.user.QueryBuilder;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
import org.gcube.common.authorization.control.annotations.AuthorizationControl;
+import org.gcube.common.authorization.library.provider.AuthorizationProvider;
import org.gcube.common.gxrest.response.outbound.GXOutboundErrorResponse;
import org.gcube.common.storagehub.model.exceptions.BackendGenericError;
+import org.gcube.common.storagehub.model.exceptions.UserNotAuthorizedException;
import org.gcube.common.storagehub.model.types.NodeProperty;
import org.gcube.data.access.storagehub.Constants;
import org.gcube.data.access.storagehub.Utils;
@@ -42,6 +44,8 @@ import org.slf4j.LoggerFactory;
@Path("users")
public class UserManager {
+ private static final String INFRASTRUCTURE_MANAGER_ROLE = "Infrastructure-Manager";
+
@Context ServletContext context;
private static final Logger log = LoggerFactory.getLogger(UserManager.class);
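Review bot: `INFRASTRUCTURE_MANAGER_ROLE` is declared here with the same literal this commit also adds to `GroupManager`, so the role name that gates user and group administration lives in two places. A later edit to one copy would change who is authorized without any compile error. Define it once, for example in the already imported `org.gcube.data.access.storagehub.Constants`, and reference it from both resources.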
@@ -88,14 +92,15 @@ public class UserManager {
@POST
@Path("")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
- @AuthorizationControl(allowedUsers={"lucio.lelii"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedRoles={INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public String createUser(@FormParam("user") String user, @FormParam("password") String password){
JackrabbitSession session = null;
String userId = null;
try {
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
-
+
+
org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
User createdUser = usrManager.createUser(user, password);
@@ -125,18 +130,21 @@ public class UserManager {
@DELETE
- @Path("{id}")
- @AuthorizationControl(allowedUsers={"lucio.lelii"}, exception=MyAuthException.class)
- public String deleteUser(@PathParam("id") String id){
+ @Path("{user}")
+ @AuthorizationControl(allowedRoles={INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
+ public String deleteUser(@PathParam("user") String user){
+
+
JackrabbitSession session = null;
String userId = null;
try {
+
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
- org.gcube.common.storagehub.model.Path path = Utils.getWorkspacePath(id);
+ org.gcube.common.storagehub.model.Path path = Utils.getWorkspacePath(user);
String sql2Query = String.format("SELECT * FROM [nthl:workspaceSharedItem] AS node WHERE ISDESCENDANTNODE('%s')", path.toPath());
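Review bot: The renamed `user` path parameter still flows through `Utils.getWorkspacePath(user)` into a query assembled with `String.format`, so a value containing `'` alters the statement, which runs in a session opened with admin credentials. Validate `user` before the login against the character set the platform allows for user names and reject anything else, or at least double any single quote in `path.toPath()` before formatting. What `Utils.getWorkspacePath` does with its argument is not visible here; if it already normalises the value, a comment on this line should say so. The method body continues outside this hunk.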
@@ -152,12 +160,12 @@ public class UserManager {
Node rNode = nodeIt.nextNode();
String title = rNode.hasProperty(NodeProperty.TITLE.toString()) ? rNode.getProperty(NodeProperty.TITLE.toString()).getString():"unknown";
log.debug("removing sharing for folder name {} with title {} and path {} ",rNode.getName(), title, rNode.getPath());
- unshareHandler.unshare(session, Collections.singleton(id), rNode, id);
+ unshareHandler.unshare(session, Collections.singleton(user), rNode, user);
}
- Authorizable authorizable = usrManager.getAuthorizable(new PrincipalImpl(id));
+ Authorizable authorizable = usrManager.getAuthorizable(new PrincipalImpl(user));
if (!authorizable.isGroup()) {
- log.info("removing user {}", id);
+ log.info("removing user {}", user);
authorizable.remove();
}
session.save();
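Review bot: `usrManager.getAuthorizable(new PrincipalImpl(user))` returns null when no such principal exists, and `authorizable.isGroup()` is then called on it unchecked. The lookup also happens only after the loop above has called `unshareHandler.unshare(...)` for each matching shared item. A request that names a group or an unknown id may therefore have its sharing removed before the method fails or does nothing. Resolve the authorizable before running the query and stop early on `if (authorizable == null || authorizable.isGroup())`, reporting it with the error type the method already uses. The loop starts outside this hunk.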
diff --git a/src/main/webapp/WEB-INF/gcube-app.xml b/src/main/webapp/WEB-INF/gcube-app.xml
index 4f0d8e1..36e3d04 100644
--- a/src/main/webapp/WEB-INF/gcube-app.xml
+++ b/src/main/webapp/WEB-INF/gcube-app.xml
@@ -1,7 +1,7 @@
StorageHub
DataAccess
- 1.0.0-SNAPSHOT
+ 1.0.8-SNAPSHOT
Storage Hub webapp
\ No newline at end of file