diff --git a/.settings/org.eclipse.wst.common.component b/.settings/org.eclipse.wst.common.component
index 56c3566..2275b5a 100644
--- a/.settings/org.eclipse.wst.common.component
+++ b/.settings/org.eclipse.wst.common.component
@@ -4,7 +4,7 @@
-
+
uses
diff --git a/src/main/java/org/gcube/data/access/storagehub/services/GroupManager.java b/src/main/java/org/gcube/data/access/storagehub/services/GroupManager.java
index cbee116..04aaee4 100644
--- a/src/main/java/org/gcube/data/access/storagehub/services/GroupManager.java
+++ b/src/main/java/org/gcube/data/access/storagehub/services/GroupManager.java
@@ -34,9 +34,11 @@ import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils
import org.gcube.common.authorization.control.annotations.AuthorizationControl;
import org.gcube.common.authorization.library.provider.AuthorizationProvider;
import org.gcube.common.gxrest.response.outbound.GXOutboundErrorResponse;
+import org.gcube.common.scope.api.ScopeProvider;
import org.gcube.common.storagehub.model.acls.AccessType;
import org.gcube.common.storagehub.model.exceptions.BackendGenericError;
import org.gcube.common.storagehub.model.exceptions.InvalidItemException;
+import org.gcube.common.storagehub.model.exceptions.UserNotAuthorizedException;
import org.gcube.common.storagehub.model.types.NodeProperty;
import org.gcube.common.storagehub.model.types.PrimaryNodeType;
import org.gcube.data.access.storagehub.Constants;
@@ -51,6 +53,8 @@ public class GroupManager {
@Context ServletContext context;
+ private static final String VREMANAGER_ROLE = "VRE-Manager";
+
private static final Logger log = LoggerFactory.getLogger(GroupManager.class);
@Inject
@@ -59,7 +63,6 @@ public class GroupManager {
@GET
@Path("")
@Produces(MediaType.APPLICATION_JSON)
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
public List getGroups(){
JackrabbitSession session = null;
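Review bot: Dropping the `@AuthorizationControl` annotation from `getGroups()` leaves this listing endpoint with no authorization control at all, while every other endpoint in the class is moved to `allowedRoles={VREMANAGER_ROLE}`. Unless enumerating all repository groups is meant to be open to any caller that reaches the service, it should carry the same restriction, `@AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)`. If the removal is deliberate, a one-line comment such as `// intentionally unrestricted: group listing is needed by every caller` would keep the next reader from treating it as an oversight. The method body continues outside the hunk.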
@@ -93,14 +96,18 @@ public class GroupManager {
@POST
@Path("")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
public String createGroup(@FormParam("group") String group, @FormParam("accessType") AccessType accessType){
+
JackrabbitSession session = null;
String groupId = null;
try {
+
+ checkGroupValidity(group);
+
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
-
+
org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
Group createdGroup = usrManager.createGroup(group);
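Review bot: `checkGroupValidity(group)` throws `UserNotAuthorizedException` from inside the `try`, but the catch clauses of this method lie outside the hunk; if they catch `Exception` broadly and wrap it as a backend error, a rejected caller would get a 500 rather than a 403, so it is worth confirming that `UserNotAuthorizedException` is caught explicitly and mapped to an authorization failure. Running the check before `repository.getRepository().login(CredentialHandler.getAdminCredentials(context))` is the right order, since no admin session is opened for a request that is going to be rejected. The body of `createGroup` continues beyond the hunk.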
@@ -122,11 +129,13 @@ public class GroupManager {
@DELETE
@Path("{group}")
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
public String deleteGroup(@PathParam("group") String group){
JackrabbitSession session = null;
try {
+
+ checkGroupValidity(group);
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
@@ -154,12 +163,15 @@ public class GroupManager {
@PUT
@Path("{id}")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
public boolean addUserToGroup(@PathParam("id") String groupId, @FormParam("userId") String userId){
JackrabbitSession session = null;
boolean success = false;
try {
+
+ checkGroupValidity(groupId);
+
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
@@ -190,12 +202,15 @@ public class GroupManager {
@DELETE
@Path("{groupId}/users/{userId}")
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
public boolean removeUserFromGroup(@PathParam("groupId") String groupId, @PathParam("userId") String userId){
JackrabbitSession session = null;
boolean success = false;
try {
+
+ checkGroupValidity(groupId);
+
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
@@ -233,12 +248,15 @@ public class GroupManager {
@GET
@Path("{groupId}/users")
@Produces(MediaType.APPLICATION_JSON)
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedRoles={VREMANAGER_ROLE}, exception=MyAuthException.class)
public List getUsersOfGroup(@PathParam("groupId") String groupId){
JackrabbitSession session = null;
List users = new ArrayList<>();
try {
+
+ checkGroupValidity(groupId);
+
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
@@ -313,4 +331,12 @@ public class GroupManager {
return vreFolder;
}
+ private void checkGroupValidity(String group) throws UserNotAuthorizedException{
+ String currentContext = ScopeProvider.instance.get();
+ String expectedGroupId= currentContext.replace("/", "-").substring(1);
+ if (!group.equals(expectedGroupId))
+ throw new UserNotAuthorizedException("only VREManager can execute this operation");
+
+ }
+
}
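Review bot: `checkGroupValidity` dereferences both `group` and the value of `ScopeProvider.instance.get()` without a null check, so a request with no scope set, or a missing `group`/`groupId` parameter, fails with a `NullPointerException` (and `substring(1)` on an empty context with `StringIndexOutOfBoundsException`) instead of a clean authorization error. The exception message "only VREManager can execute this operation" is also misleading, because by the time this method runs the role has already passed the annotation check; what failed is that the requested group is not the one derived from the current context. Note too that this guard only isolates VREs if the `VRE-Manager` role is evaluated against the same context `ScopeProvider` returns; if the role is global and the scope is caller-supplied, a manager of one VRE could still act on another by switching scope — worth confirming in the authorization library. A tightened version, with the derivation (`"/a/b" -> "a-b"`, presumably dropping a leading `/`) documented, would be:

```java
private void checkGroupValidity(String group) throws UserNotAuthorizedException {
    // A VRE-Manager may only manage the group derived from the calling context:
    // the context with its first character (presumably the leading "/") dropped
    // and every remaining "/" replaced by "-".
    String currentContext = ScopeProvider.instance.get();
    if (currentContext == null || currentContext.length() < 2)
        throw new UserNotAuthorizedException("no valid context set for this request");
    String expectedGroupId = currentContext.substring(1).replace("/", "-");
    if (group == null || !group.equals(expectedGroupId))
        throw new UserNotAuthorizedException("group " + group + " is not the group of the current context (" + expectedGroupId + ")");
}
```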
diff --git a/src/main/java/org/gcube/data/access/storagehub/services/ItemsManager.java b/src/main/java/org/gcube/data/access/storagehub/services/ItemsManager.java
index dce3abd..7444d7b 100644
--- a/src/main/java/org/gcube/data/access/storagehub/services/ItemsManager.java
+++ b/src/main/java/org/gcube/data/access/storagehub/services/ItemsManager.java
@@ -280,7 +280,7 @@ public class ItemsManager {
@GET
@Path("publiclink/{id}")
- @AuthorizationControl(allowed={"URIResolver"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedUsers={"URIResolver"}, exception=MyAuthException.class)
public Response resolvePublicLink() {
InnerMethodName.instance.set("resolvePubliclink");
diff --git a/src/main/java/org/gcube/data/access/storagehub/services/UserManager.java b/src/main/java/org/gcube/data/access/storagehub/services/UserManager.java
index 4b59a63..7a86c6c 100644
--- a/src/main/java/org/gcube/data/access/storagehub/services/UserManager.java
+++ b/src/main/java/org/gcube/data/access/storagehub/services/UserManager.java
@@ -43,7 +43,7 @@ import org.slf4j.LoggerFactory;
public class UserManager {
@Context ServletContext context;
-
+
private static final Logger log = LoggerFactory.getLogger(UserManager.class);
@Inject
@@ -55,7 +55,6 @@ public class UserManager {
@GET
@Path("")
@Produces(MediaType.APPLICATION_JSON)
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
public List getUsers(){
JackrabbitSession session = null;
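Review bot: Removing `@AuthorizationControl` from `getUsers()` makes the user listing reachable with no authorization check, which exposes account enumeration to any caller that can reach the service, while `createUser`/`deleteUser` in the same class stay restricted. If the intent is to let ordinary callers resolve user names, that should be stated in a comment, e.g. `// intentionally unrestricted: user listing is needed by non-admin callers`; otherwise restore a restriction such as `@AuthorizationControl(allowedUsers={"lucio.lelii"}, exception=MyAuthException.class)` or, better, a role as GroupManager now does. The method body continues outside the hunk.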
@@ -89,7 +88,7 @@ public class UserManager {
@POST
@Path("")
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedUsers={"lucio.lelii"}, exception=MyAuthException.class)
public String createUser(@FormParam("user") String user, @FormParam("password") String password){
JackrabbitSession session = null;
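Review bot: `createUser` keeps a single hard-coded personal username, `allowedUsers={"lucio.lelii"}`, as its only authorized principal, even though the same commit moves GroupManager to a role-based `allowedRoles={VREMANAGER_ROLE}`; tying an administrative endpoint to one individual's account makes it fragile (the person leaves, the account is renamed) and hides an admin allow-list in source. A dedicated role constant, or an allow-list read from configuration, would be consistent with the rest of the change, e.g. `@AuthorizationControl(allowedRoles={USERMANAGER_ROLE}, exception=MyAuthException.class)` with the role name defined alongside `VREMANAGER_ROLE`. The same applies to `deleteUser` below. The body of `createUser` continues outside the hunk.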
@@ -127,7 +126,7 @@ public class UserManager {
@DELETE
@Path("{id}")
- @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
+ @AuthorizationControl(allowedUsers={"lucio.lelii"}, exception=MyAuthException.class)
public String deleteUser(@PathParam("id") String id){
JackrabbitSession session = null;
diff --git a/src/main/webapp/WEB-INF/gcube-app.xml b/src/main/webapp/WEB-INF/gcube-app.xml
index e69de29..4f0d8e1 100644
--- a/src/main/webapp/WEB-INF/gcube-app.xml
+++ b/src/main/webapp/WEB-INF/gcube-app.xml
@@ -0,0 +1,7 @@
+
+ StorageHub
+ DataAccess
+ 1.0.0-SNAPSHOT
+ Storage Hub webapp
+
+
\ No newline at end of file