gcube-app file updated

This commit is contained in:
lucio 2019-10-25 14:58:09 +02:00
parent 0508aa0e3a
commit 0f156c6637
7 changed files with 67 additions and 53 deletions

View File

@ -7,7 +7,7 @@
<dependent-module archiveName="authorization-control-library-1.1.0-SNAPSHOT.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/authorization-control-library/authorization-control-library">
<dependency-type>uses</dependency-type>
</dependent-module>
<dependent-module archiveName="storagehub-model-1.0.5.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/storagehub-model/storagehub-model">
<dependent-module archiveName="storagehub-model-1.0.5-SNAPSHOT.jar" deploy-path="/WEB-INF/lib" handle="module:/resource/storagehub-model/storagehub-model">
<dependency-type>uses</dependency-type>
</dependent-module>
<property name="context-root" value="storagehub"/>

View File

@ -1,7 +1,7 @@
<application mode='online'>
<name>StorageHub</name>
<group>DataAccess</group>
<version>1.0.0-SNAPSHOT</version>
<version>${version}</version>
<description>Storage Hub webapp</description>
<local-persistence location='target' />
</application>

View File

@ -12,7 +12,7 @@
<modelVersion>4.0.0</modelVersion>
<groupId>org.gcube.data.access</groupId>
<artifactId>storagehub</artifactId>
<version>1.0.8</version>
<version>1.0.8-SNAPSHOT</version>
<name>storagehub</name>
<scm>

View File

@ -234,14 +234,14 @@ public class ACLManager {
*
*
* @param String user
* @param accessType accessType
*
*
* @exception {@link RepositoryException} when a generic jcr error occurs
* @exception {@link UserNotAuthorizedException} when the caller is not ADMINISTRATOR of the shared folder
* @exception {@link InvalidCallParameters} when the folder is not shared with the specified user
* @exception {@link InvalidItemException} when the folder is not share
*/
/*@DELETE
@DELETE
@Consumes(MediaType.TEXT_PLAIN)
@Path("{id}/acls/{user}")
public void removeACL(@PathParam("user") String user) {
@ -261,28 +261,26 @@ public class ACLManager {
SharedFolder folder = ((SharedFolder)item);
if (folder.isVreFolder()) {
AccessControlManager acm = ses.getAccessControlManager();
JackrabbitAccessControlList acls = AccessControlUtils.getAccessControlList(acm, folder.getPath());
AccessControlManager acm = ses.getAccessControlManager();
JackrabbitAccessControlList acls = AccessControlUtils.getAccessControlList(acm, folder.getPath());
AccessControlEntry entryToDelete= null;
for (AccessControlEntry ace :acls.getAccessControlEntries()) {
if (ace.getPrincipal().getName().equals(user)) {
entryToDelete = ace;
break;
}
AccessControlEntry entryToDelete= null;
for (AccessControlEntry ace :acls.getAccessControlEntries()) {
if (ace.getPrincipal().getName().equals(user)) {
entryToDelete = ace;
break;
}
if (entryToDelete!=null)
acls.removeAccessControlEntry(entryToDelete);
else return;
acm.setPolicy(folder.getPath(), acls);
ses.save();
log.debug("removed Access control entry for user {}",user);
}
if (entryToDelete!=null)
acls.removeAccessControlEntry(entryToDelete);
else return;
acm.setPolicy(folder.getPath(), acls);
ses.save();
log.debug("removed Access control entry for user {}",user);
} else throw new InvalidCallParameters("remove acl can be called only on VRE folder");
}catch(RepositoryException re){
log.error("jcr error extracting archive", re);
@ -294,7 +292,7 @@ public class ACLManager {
if (ses!=null)
ses.logout();
}
}*/
}
@GET
@Path("{id}/acls/write")

View File

@ -56,6 +56,7 @@ public class GroupManager {
@Context ServletContext context;
private static final String VREMANAGER_ROLE = "VRE-Manager";
private static final String INFRASTRUCTURE_MANAGER_ROLE = "Infrastructure-Manager";
private static final Logger log = LoggerFactory.getLogger(GroupManager.class);
@ -100,7 +101,7 @@ public class GroupManager {
@POST
@Path("")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
@AuthorizationControl(allowedRoles={INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public String createGroup(@FormParam("group") String group, @FormParam("accessType") AccessType accessType){
InnerMethodName.instance.set("createGroup");
@ -109,7 +110,8 @@ public class GroupManager {
String groupId = null;
try {
checkGroupValidity(group);
if (!isValidGroupForContext(groupId))
throw new UserNotAuthorizedException("only VREManager can execute this operation");
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
@ -134,7 +136,7 @@ public class GroupManager {
@DELETE
@Path("{group}")
@AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
@AuthorizationControl(allowedRoles={INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public String deleteGroup(@PathParam("group") String group){
InnerMethodName.instance.set("deleteGroup");
@ -142,7 +144,9 @@ public class GroupManager {
JackrabbitSession session = null;
try {
checkGroupValidity(group);
if (!isValidGroupForContext(group))
throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
@ -163,14 +167,17 @@ public class GroupManager {
if (session!=null)
session.logout();
}
return group;
}
public boolean isAdmin() { return AuthorizationProvider.instance.get().getClient().getRoles().contains(INFRASTRUCTURE_MANAGER_ROLE); }
@PUT
@Path("{id}")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
@AuthorizationControl(allowedRoles={VREMANAGER_ROLE, INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public boolean addUserToGroup(@PathParam("id") String groupId, @FormParam("userId") String userId){
InnerMethodName.instance.set("addUserToGroup");
@ -179,7 +186,8 @@ public class GroupManager {
boolean success = false;
try {
checkGroupValidity(groupId);
if (!isValidGroupForContext(groupId) && !isAdmin())
throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
@ -214,7 +222,7 @@ public class GroupManager {
@DELETE
@Path("{groupId}/users/{userId}")
@AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
@AuthorizationControl(allowedRoles={VREMANAGER_ROLE, INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public boolean removeUserFromGroup(@PathParam("groupId") String groupId, @PathParam("userId") String userId){
InnerMethodName.instance.set("removeUserFromGroup");
@ -223,7 +231,8 @@ public class GroupManager {
boolean success = false;
try {
checkGroupValidity(groupId);
if (!isValidGroupForContext(groupId) && !isAdmin())
throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
@ -274,7 +283,8 @@ public class GroupManager {
List<String> users = new ArrayList<>();
try {
checkGroupValidity(groupId);
if (!isValidGroupForContext(groupId))
throw new UserNotAuthorizedException("only VREManager of the selected VRE can execute this operation");
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
@ -350,12 +360,10 @@ public class GroupManager {
return vreFolder;
}
private void checkGroupValidity(String group) throws UserNotAuthorizedException{
private boolean isValidGroupForContext(String group){
String currentContext = ScopeProvider.instance.get();
String expectedGroupId= currentContext.replace("/", "-").substring(1);
if (!group.equals(expectedGroupId))
throw new UserNotAuthorizedException("only VREManager can execute this operation");
return group.equals(expectedGroupId);
}
}

View File

@ -28,8 +28,10 @@ import org.apache.jackrabbit.api.security.user.QueryBuilder;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
import org.gcube.common.authorization.control.annotations.AuthorizationControl;
import org.gcube.common.authorization.library.provider.AuthorizationProvider;
import org.gcube.common.gxrest.response.outbound.GXOutboundErrorResponse;
import org.gcube.common.storagehub.model.exceptions.BackendGenericError;
import org.gcube.common.storagehub.model.exceptions.UserNotAuthorizedException;
import org.gcube.common.storagehub.model.types.NodeProperty;
import org.gcube.data.access.storagehub.Constants;
import org.gcube.data.access.storagehub.Utils;
@ -42,6 +44,8 @@ import org.slf4j.LoggerFactory;
@Path("users")
public class UserManager {
private static final String INFRASTRUCTURE_MANAGER_ROLE = "Infrastructure-Manager";
@Context ServletContext context;
private static final Logger log = LoggerFactory.getLogger(UserManager.class);
@ -88,7 +92,7 @@ public class UserManager {
@POST
@Path("")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@AuthorizationControl(allowedUsers={"lucio.lelii"}, exception=MyAuthException.class)
@AuthorizationControl(allowedRoles={INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public String createUser(@FormParam("user") String user, @FormParam("password") String password){
JackrabbitSession session = null;
@ -96,6 +100,7 @@ public class UserManager {
try {
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
User createdUser = usrManager.createUser(user, password);
@ -125,18 +130,21 @@ public class UserManager {
@DELETE
@Path("{id}")
@AuthorizationControl(allowedUsers={"lucio.lelii"}, exception=MyAuthException.class)
public String deleteUser(@PathParam("id") String id){
@Path("{user}")
@AuthorizationControl(allowedRoles={INFRASTRUCTURE_MANAGER_ROLE}, exception=MyAuthException.class)
public String deleteUser(@PathParam("user") String user){
JackrabbitSession session = null;
String userId = null;
try {
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
org.gcube.common.storagehub.model.Path path = Utils.getWorkspacePath(id);
org.gcube.common.storagehub.model.Path path = Utils.getWorkspacePath(user);
String sql2Query = String.format("SELECT * FROM [nthl:workspaceSharedItem] AS node WHERE ISDESCENDANTNODE('%s')", path.toPath());
@ -152,12 +160,12 @@ public class UserManager {
Node rNode = nodeIt.nextNode();
String title = rNode.hasProperty(NodeProperty.TITLE.toString()) ? rNode.getProperty(NodeProperty.TITLE.toString()).getString():"unknown";
log.debug("removing sharing for folder name {} with title {} and path {} ",rNode.getName(), title, rNode.getPath());
unshareHandler.unshare(session, Collections.singleton(id), rNode, id);
unshareHandler.unshare(session, Collections.singleton(user), rNode, user);
}
Authorizable authorizable = usrManager.getAuthorizable(new PrincipalImpl(id));
Authorizable authorizable = usrManager.getAuthorizable(new PrincipalImpl(user));
if (!authorizable.isGroup()) {
log.info("removing user {}", id);
log.info("removing user {}", user);
authorizable.remove();
}
session.save();

View File

@ -1,7 +1,7 @@
<application mode='online'>
<name>StorageHub</name>
<group>DataAccess</group>
<version>1.0.0-SNAPSHOT</version>
<version>1.0.8-SNAPSHOT</version>
<description>Storage Hub webapp</description>
<local-persistence location='target' />
</application>