gcube-app file updated

This commit is contained in:
lucio 2019-10-25 14:58:09 +02:00
parent 0508aa0e3a
commit 0f156c6637
7 changed files with 67 additions and 53 deletions

View File

@ -7,7 +7,7 @@
<dependent-module archiveName="authorization-control-library-1.1.0-SNAPSHOT.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/authorization-control-library/authorization-control-library"> <dependent-module archiveName="authorization-control-library-1.1.0-SNAPSHOT.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/authorization-control-library/authorization-control-library">
<dependency-type>uses</dependency-type> <dependency-type>uses</dependency-type>
</dependent-module> </dependent-module>
<dependent-module archiveName="storagehub-model-1.0.5.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/storagehub-model/storagehub-model"> <dependent-module archiveName="storagehub-model-1.0.5-SNAPSHOT.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/storagehub-model/storagehub-model">
<dependency-type>uses</dependency-type> <dependency-type>uses</dependency-type>
</dependent-module> </dependent-module>
<property name="context-root" value="storagehub"/> <property name="context-root" value="storagehub"/>

View File

@ -1,7 +1,7 @@
<application mode='online'> <application mode='online'>
<name>StorageHub</name> <name>StorageHub</name>
<group>DataAccess</group> <group>DataAccess</group>
<version>1.0.0-SNAPSHOT</version> <version>${version}</version>
<description>Storage Hub webapp</description> <description>Storage Hub webapp</description>
<local-persistence location='target' /> <local-persistence location='target' />
</application> </application>

View File

@ -12,7 +12,7 @@
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<groupId>org.gcube.data.access</groupId> <groupId>org.gcube.data.access</groupId>
<artifactId>storagehub</artifactId> <artifactId>storagehub</artifactId>
<version>1.0.8</version> <version>1.0.8-SNAPSHOT</version>
<name>storagehub</name> <name>storagehub</name>
<scm> <scm>

View File

@ -234,14 +234,14 @@ public class ACLManager {
* *
* *
* @param String user * @param String user
* @param accessType accessType *
* *
* @exception {@link RepositoryException} when a generic jcr error occurs * @exception {@link RepositoryException} when a generic jcr error occurs
* @exception {@link UserNotAuthorizedException} when the caller is not ADMINISTRATOR of the shared folder * @exception {@link UserNotAuthorizedException} when the caller is not ADMINISTRATOR of the shared folder
* @exception {@link InvalidCallParameters} when the folder is not shared with the specified user * @exception {@link InvalidCallParameters} when the folder is not shared with the specified user
* @exception {@link InvalidItemException} when the folder is not share * @exception {@link InvalidItemException} when the folder is not share
*/ */
/*@DELETE @DELETE
@Consumes(MediaType.TEXT_PLAIN) @Consumes(MediaType.TEXT_PLAIN)
@Path("{id}/acls/{user}") @Path("{id}/acls/{user}")
public void removeACL(@PathParam("user") String user) { public void removeACL(@PathParam("user") String user) {
@ -261,28 +261,26 @@ public class ACLManager {
SharedFolder folder = ((SharedFolder)item); SharedFolder folder = ((SharedFolder)item);
if (folder.isVreFolder()) { AccessControlManager acm = ses.getAccessControlManager();
AccessControlManager acm = ses.getAccessControlManager(); JackrabbitAccessControlList acls = AccessControlUtils.getAccessControlList(acm, folder.getPath());
JackrabbitAccessControlList acls = AccessControlUtils.getAccessControlList(acm, folder.getPath());
AccessControlEntry entryToDelete= null; AccessControlEntry entryToDelete= null;
for (AccessControlEntry ace :acls.getAccessControlEntries()) { for (AccessControlEntry ace :acls.getAccessControlEntries()) {
if (ace.getPrincipal().getName().equals(user)) { if (ace.getPrincipal().getName().equals(user)) {
entryToDelete = ace; entryToDelete = ace;
break; break;
}
} }
if (entryToDelete!=null)
acls.removeAccessControlEntry(entryToDelete);
else return;
acm.setPolicy(folder.getPath(), acls); }
ses.save(); if (entryToDelete!=null)
log.debug("removed Access control entry for user {}",user); acls.removeAccessControlEntry(entryToDelete);
else return;
acm.setPolicy(folder.getPath(), acls);
ses.save();
log.debug("removed Access control entry for user {}",user);
} else throw new InvalidCallParameters("remove acl can be called only on VRE folder");
}catch(RepositoryException re){ }catch(RepositoryException re){
log.error("jcr error extracting archive", re); log.error("jcr error extracting archive", re);
@ -294,7 +292,7 @@ public class ACLManager {
if (ses!=null) if (ses!=null)
ses.logout(); ses.logout();
} }
}*/ }
@GET @GET
@Path("{id}/acls/write") @Path("{id}/acls/write")

View File

@ -56,6 +56,7 @@ public class GroupManager {
@Context ServletContext context; @Context ServletContext context;
private static final String VREMANAGER_ROLE = "VRE-Manager"; private static final String VREMANAGER_ROLE = "VRE-Manager";
private static final String INFRASTRUCTURE_MANAGER_ROLE = "Infrastructure-Manager";
private static final Logger log = LoggerFactory.getLogger(GroupManager.class); private static final Logger log = LoggerFactory.getLogger(GroupManager.class);
@ -100,7 +101,7 @@ public class GroupManager {
@POST @POST
@Path("") @Path("")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED) @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class) @AuthorizationControl(allowedRoles={INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public String createGroup(@FormParam("group") String group, @FormParam("accessType") AccessType accessType){ public String createGroup(@FormParam("group") String group, @FormParam("accessType") AccessType accessType){
InnerMethodName.instance.set("createGroup"); InnerMethodName.instance.set("createGroup");
@ -109,7 +110,8 @@ public class GroupManager {
String groupId = null; String groupId = null;
try { try {
checkGroupValidity(group); if (!isValidGroupForContext(groupId))
throw new UserNotAuthorizedException("only VREManager can execute this operation");
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context)); session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
@ -134,7 +136,7 @@ public class GroupManager {
@DELETE @DELETE
@Path("{group}") @Path("{group}")
@AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class) @AuthorizationControl(allowedRoles={INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public String deleteGroup(@PathParam("group") String group){ public String deleteGroup(@PathParam("group") String group){
InnerMethodName.instance.set("deleteGroup"); InnerMethodName.instance.set("deleteGroup");
@ -142,7 +144,9 @@ public class GroupManager {
JackrabbitSession session = null; JackrabbitSession session = null;
try { try {
checkGroupValidity(group); if (!isValidGroupForContext(group))
throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context)); session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager(); org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
@ -163,14 +167,17 @@ public class GroupManager {
if (session!=null) if (session!=null)
session.logout(); session.logout();
} }
return group; return group;
} }
public boolean isAdmin() { return AuthorizationProvider.instance.get().getClient().getRoles().contains(INFRASTRUCTURE_MANAGER_ROLE); }
@PUT @PUT
@Path("{id}") @Path("{id}")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED) @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class) @AuthorizationControl(allowedRoles={VREMANAGER_ROLE, INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public boolean addUserToGroup(@PathParam("id") String groupId, @FormParam("userId") String userId){ public boolean addUserToGroup(@PathParam("id") String groupId, @FormParam("userId") String userId){
InnerMethodName.instance.set("addUserToGroup"); InnerMethodName.instance.set("addUserToGroup");
@ -179,7 +186,8 @@ public class GroupManager {
boolean success = false; boolean success = false;
try { try {
checkGroupValidity(groupId); if (!isValidGroupForContext(groupId) && !isAdmin())
throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context)); session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
@ -214,7 +222,7 @@ public class GroupManager {
@DELETE @DELETE
@Path("{groupId}/users/{userId}") @Path("{groupId}/users/{userId}")
@AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class) @AuthorizationControl(allowedRoles={VREMANAGER_ROLE, INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public boolean removeUserFromGroup(@PathParam("groupId") String groupId, @PathParam("userId") String userId){ public boolean removeUserFromGroup(@PathParam("groupId") String groupId, @PathParam("userId") String userId){
InnerMethodName.instance.set("removeUserFromGroup"); InnerMethodName.instance.set("removeUserFromGroup");
@ -223,7 +231,8 @@ public class GroupManager {
boolean success = false; boolean success = false;
try { try {
checkGroupValidity(groupId); if (!isValidGroupForContext(groupId) && !isAdmin())
throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context)); session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
@ -274,7 +283,8 @@ public class GroupManager {
List<String> users = new ArrayList<>(); List<String> users = new ArrayList<>();
try { try {
checkGroupValidity(groupId); if (!isValidGroupForContext(groupId))
throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context)); session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
@ -350,12 +360,10 @@ public class GroupManager {
return vreFolder; return vreFolder;
} }
private void checkGroupValidity(String group) throws UserNotAuthorizedException{ private boolean isValidGroupForContext(String group){
String currentContext = ScopeProvider.instance.get(); String currentContext = ScopeProvider.instance.get();
String expectedGroupId= currentContext.replace("/", "-").substring(1); String expectedGroupId= currentContext.replace("/", "-").substring(1);
if (!group.equals(expectedGroupId)) return group.equals(expectedGroupId);
throw new UserNotAuthorizedException("only VREManager can execute this operation");
} }
} }

View File

@ -28,8 +28,10 @@ import org.apache.jackrabbit.api.security.user.QueryBuilder;
import org.apache.jackrabbit.api.security.user.User; import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.core.security.principal.PrincipalImpl; import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
import org.gcube.common.authorization.control.annotations.AuthorizationControl; import org.gcube.common.authorization.control.annotations.AuthorizationControl;
import org.gcube.common.authorization.library.provider.AuthorizationProvider;
import org.gcube.common.gxrest.response.outbound.GXOutboundErrorResponse; import org.gcube.common.gxrest.response.outbound.GXOutboundErrorResponse;
import org.gcube.common.storagehub.model.exceptions.BackendGenericError; import org.gcube.common.storagehub.model.exceptions.BackendGenericError;
import org.gcube.common.storagehub.model.exceptions.UserNotAuthorizedException;
import org.gcube.common.storagehub.model.types.NodeProperty; import org.gcube.common.storagehub.model.types.NodeProperty;
import org.gcube.data.access.storagehub.Constants; import org.gcube.data.access.storagehub.Constants;
import org.gcube.data.access.storagehub.Utils; import org.gcube.data.access.storagehub.Utils;
@ -42,6 +44,8 @@ import org.slf4j.LoggerFactory;
@Path("users") @Path("users")
public class UserManager { public class UserManager {
private static final String INFRASTRUCTURE_MANAGER_ROLE = "Infrastructure-Manager";
@Context ServletContext context; @Context ServletContext context;
private static final Logger log = LoggerFactory.getLogger(UserManager.class); private static final Logger log = LoggerFactory.getLogger(UserManager.class);
@ -88,7 +92,7 @@ public class UserManager {
@POST @POST
@Path("") @Path("")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED) @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@AuthorizationControl(allowedUsers={"lucio.lelii"}, exception=MyAuthException.class) @AuthorizationControl(allowedRoles={INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public String createUser(@FormParam("user") String user, @FormParam("password") String password){ public String createUser(@FormParam("user") String user, @FormParam("password") String password){
JackrabbitSession session = null; JackrabbitSession session = null;
@ -96,6 +100,7 @@ public class UserManager {
try { try {
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context)); session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager(); org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
User createdUser = usrManager.createUser(user, password); User createdUser = usrManager.createUser(user, password);
@ -125,18 +130,21 @@ public class UserManager {
@DELETE @DELETE
@Path("{id}") @Path("{user}")
@AuthorizationControl(allowedUsers={"lucio.lelii"}, exception=MyAuthException.class) @AuthorizationControl(allowedRoles={INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public String deleteUser(@PathParam("id") String id){ public String deleteUser(@PathParam("user") String user){
JackrabbitSession session = null; JackrabbitSession session = null;
String userId = null; String userId = null;
try { try {
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context)); session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager(); org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
org.gcube.common.storagehub.model.Path path = Utils.getWorkspacePath(id); org.gcube.common.storagehub.model.Path path = Utils.getWorkspacePath(user);
String sql2Query = String.format("SELECT * FROM [nthl:workspaceSharedItem] AS node WHERE ISDESCENDANTNODE('%s')", path.toPath()); String sql2Query = String.format("SELECT * FROM [nthl:workspaceSharedItem] AS node WHERE ISDESCENDANTNODE('%s')", path.toPath());
@ -152,12 +160,12 @@ public class UserManager {
Node rNode = nodeIt.nextNode(); Node rNode = nodeIt.nextNode();
String title = rNode.hasProperty(NodeProperty.TITLE.toString()) ? rNode.getProperty(NodeProperty.TITLE.toString()).getString():"unknown"; String title = rNode.hasProperty(NodeProperty.TITLE.toString()) ? rNode.getProperty(NodeProperty.TITLE.toString()).getString():"unknown";
log.debug("removing sharing for folder name {} with title {} and path {} ",rNode.getName(), title, rNode.getPath()); log.debug("removing sharing for folder name {} with title {} and path {} ",rNode.getName(), title, rNode.getPath());
unshareHandler.unshare(session, Collections.singleton(id), rNode, id); unshareHandler.unshare(session, Collections.singleton(user), rNode, user);
} }
Authorizable authorizable = usrManager.getAuthorizable(new PrincipalImpl(id)); Authorizable authorizable = usrManager.getAuthorizable(new PrincipalImpl(user));
if (!authorizable.isGroup()) { if (!authorizable.isGroup()) {
log.info("removing user {}", id); log.info("removing user {}", user);
authorizable.remove(); authorizable.remove();
} }
session.save(); session.save();

View File

@ -1,7 +1,7 @@
<application mode='online'> <application mode='online'>
<name>StorageHub</name> <name>StorageHub</name>
<group>DataAccess</group> <group>DataAccess</group>
<version>1.0.0-SNAPSHOT</version> <version>1.0.8-SNAPSHOT</version>
<description>Storage Hub webapp</description> <description>Storage Hub webapp</description>
<local-persistence location='target' /> <local-persistence location='target' />
</application> </application>