From 44767cfa41e2d51153ad358a2c54580a284260f5 Mon Sep 17 00:00:00 2001 From: Lucio Lelii Date: Fri, 12 Apr 2019 14:35:33 +0000 Subject: [PATCH] git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@179019 82a268e6-3cf1-43bd-a215-b396298e98cf --- .../storagehub/AuthorizationChecker.java | 74 ++++++++++--------- src/main/webapp/WEB-INF/README | 2 +- 2 files changed, 41 insertions(+), 35 deletions(-) diff --git a/src/main/java/org/gcube/data/access/storagehub/AuthorizationChecker.java b/src/main/java/org/gcube/data/access/storagehub/AuthorizationChecker.java index bf73e4d..a503f6e 100644 --- a/src/main/java/org/gcube/data/access/storagehub/AuthorizationChecker.java +++ b/src/main/java/org/gcube/data/access/storagehub/AuthorizationChecker.java @@ -1,5 +1,7 @@ package org.gcube.data.access.storagehub; +import java.security.acl.Group; + import javax.inject.Inject; import javax.inject.Singleton; import javax.jcr.Node; @@ -8,7 +10,9 @@ import javax.jcr.Session; import javax.jcr.security.AccessControlEntry; import javax.jcr.security.Privilege; +import org.apache.jackrabbit.api.JackrabbitSession; import org.apache.jackrabbit.api.security.JackrabbitAccessControlList; +import org.apache.jackrabbit.api.security.user.Authorizable; import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils; import org.gcube.common.authorization.library.provider.AuthorizationProvider; import org.gcube.common.storagehub.model.Excludes; 
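Review bot: The added `import java.security.acl.Group;` brings in the legacy JDK ACL interface, not Jackrabbit's `org.apache.jackrabbit.api.security.user.Group`, which is the type that extends the `Authorizable` imported in the next hunk. The later casts `((Group) authorizable)` compile because both are interfaces, but a Jackrabbit authorizable is not expected to implement the JDK interface, so the group branch of the read and write checks would likely end in a `ClassCastException` rather than an authorization decision. The `java.security.acl` package was also deprecated in Java 9 and removed in JDK 14. Use `import org.apache.jackrabbit.api.security.user.Group;` and pass an `Authorizable` to `isMember`.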
@@ -25,26 +29,30 @@ public class AuthorizationChecker { @Inject Node2ItemConverter node2Item; - + public void checkReadAuthorizationControl(Session session, String id) throws UserNotAuthorizedException , BackendGenericError, RepositoryException{ Node node = session.getNodeByIdentifier(id); String login = AuthorizationProvider.instance.get().getClient().getId(); - + Item item = node2Item.getItem(node, Excludes.ALL); if (item==null) throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id+": it's not a valid StorageHub node"); - + if (item.isShared()) { SharedFolder parentShared = node2Item.getItem(retrieveSharedFolderParent(node, session), Excludes.EXCLUDE_ACCOUNTING); - + //CHECKING ACL FOR VREFOLDER AND SHARED FOLDER JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(session, parentShared.getPath()); AccessControlEntry[] entries = accessControlList.getAccessControlEntries(); - for (AccessControlEntry entry: entries) - if (entry.getPrincipal().getName().equals(login) || (parentShared.isVreFolder() && entry.getPrincipal().getName().equals(parentShared.getTitle()))) - return; + + for (AccessControlEntry entry: entries) { + Authorizable authorizable = ((JackrabbitSession) session).getUserManager().getAuthorizable(id); + if (!authorizable.isGroup() && entry.getPrincipal().getName().equals(login)) return; + if (authorizable.isGroup() && ((Group) authorizable).isMember(entry.getPrincipal())) return; + } throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id); + } else if (item.getOwner()==null || !item.getOwner().equals(login)) throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id); 
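Review bot: `getUserManager().getAuthorizable(id)` in the new loop of checkReadAuthorizationControl looks up the JCR node identifier, not the ACL entry's principal or the caller. It will therefore normally return null, and `authorizable.isGroup()` then throws a `NullPointerException` for every shared item that has ACL entries. The membership test is also the wrong way round: the check needed is whether the caller `login` belongs to the group named by the entry, not whether the entry's principal is a member of some other authorizable. Resolve the entry's principal with `getAuthorizable(entry.getPrincipal())`, resolve the caller once before the loop, and null-check both. The same lookup is repeated in the write check of the `@@ -62,86` hunk. This assumes `login` is also the Jackrabbit user id, which the hunk does not show, and the method continues past the end of the hunk.

```java
// … unchanged: ACL lookup for parentShared …
UserManager userManager = ((JackrabbitSession) session).getUserManager();
Authorizable caller = userManager.getAuthorizable(login);
for (AccessControlEntry entry : entries) {
    Authorizable granted = userManager.getAuthorizable(entry.getPrincipal());
    if (granted == null) continue; // principal unknown to the user manager: no match
    if (!granted.isGroup() && entry.getPrincipal().getName().equals(login)) return;
    if (granted.isGroup() && caller != null
            && ((org.apache.jackrabbit.api.security.user.Group) granted).isMember(caller)) return;
}
throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id);
```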
@@ -62,86 +70,84 @@ public class AuthorizationChecker { Node node = session.getNodeByIdentifier(id); Item item = node2Item.getItem(node, Excludes.ALL); - + String login = AuthorizationProvider.instance.get().getClient().getId(); - + if (item==null) throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to write into node with id "+id+": it's not a valid StorageHub node"); - + if (Constants.WRITE_PROTECTED_FOLDER.contains(item.getName()) || Constants.WRITE_PROTECTED_FOLDER.contains(item.getTitle())) throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to write into node with id "+id+": it's a protected folder"); - + if (item.isShared()) { Node parentSharedNode = retrieveSharedFolderParent(node, session); JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(session, parentSharedNode.getPath()); AccessControlEntry[] entries = accessControlList.getAccessControlEntries(); - //put it in a different method - SharedFolder parentShared = node2Item.getItem(parentSharedNode, Excludes.EXCLUDE_ACCOUNTING); + //put it in a different method for (AccessControlEntry entry: entries) { - if (entry.getPrincipal().getName().equals(login) || (parentShared.isVreFolder() && entry.getPrincipal().getName().equals(parentShared.getTitle()))) { + Authorizable authorizable = ((JackrabbitSession) session).getUserManager().getAuthorizable(id); + if ((!authorizable.isGroup() && entry.getPrincipal().getName().equals(login)) || (authorizable.isGroup() && ((Group) authorizable).isMember(entry.getPrincipal()))){ for (Privilege privilege : entry.getPrivileges()){ AccessType access = AccessType.fromValue(privilege.getName()); if (isNewItem && access!=AccessType.READ_ONLY) return; else if (!isNewItem && - (access==AccessType.ADMINISTRATOR || access==AccessType.WRITE_ALL || (access==AccessType.WRITE_OWNER && item.getOwner().equals(login)))) + (access==AccessType.ADMINISTRATOR || access==AccessType.WRITE_ALL || 
(access==AccessType.WRITE_OWNER && item.getOwner().equals(login)))) return; - + } + } } - throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to write into node with id "+id); - } else if(item.getOwner().equals(login)) return; - throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to write into node with id "+id); - } - + + public void checkMoveOpsForProtectedFolders(Session session, String id) throws InvalidCallParameters, BackendGenericError, RepositoryException { Node node = session.getNodeByIdentifier(id); Item item = node2Item.getItem(node, Excludes.ALL); if (Constants.PROTECTED_FOLDER.contains(item.getName()) || Constants.PROTECTED_FOLDER.contains(item.getTitle())) throw new InvalidCallParameters("protected folder cannot be moved or deleted"); } - - + + public void checkAdministratorControl(Session session, SharedFolder item) throws UserNotAuthorizedException, BackendGenericError, RepositoryException { //TODO: riguardare questo pezzo di codice String login = AuthorizationProvider.instance.get().getClient().getId(); - + if (item==null) throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+": it's not a valid StorageHub node"); - + Node node = session.getNodeByIdentifier(item.getId()); - + if (item.isShared()) { Node parentSharedNode = retrieveSharedFolderParent(node, session); JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(session, parentSharedNode.getPath()); AccessControlEntry[] entries = accessControlList.getAccessControlEntries(); - //put it in a different method - + //put it in a different method + SharedFolder parentShared = node2Item.getItem(parentSharedNode, Excludes.EXCLUDE_ACCOUNTING); for (AccessControlEntry entry: entries) { if (entry.getPrincipal().getName().equals(login) || (parentShared.isVreFolder() && entry.getPrincipal().getName().equals(parentShared.getTitle()))) { for (Privilege privilege : entry.getPrivileges()){ 
AccessType access = AccessType.fromValue(privilege.getName()); if (access==AccessType.ADMINISTRATOR) - return; - + return; + } throw new UserNotAuthorizedException("The user "+login+" is not an administrator of node with id "+item.getId()); } } - + } - + throw new UserNotAuthorizedException("The user "+login+" is not an administrator of node with id "+item.getId()); - + } - + /* private String retrieveOwner(Node node) { Node nodeOwner; diff --git a/src/main/webapp/WEB-INF/README b/src/main/webapp/WEB-INF/README index caa4a03..c6e8c12 100644 --- a/src/main/webapp/WEB-INF/README +++ b/src/main/webapp/WEB-INF/README @@ -25,7 +25,7 @@ no. 654119), SoBigData (grant no. 654024), AGINFRA PLUS (grant no. 731001). Version -------------------------------------------------- -1.0.5-SNAPSHOT (2019-04-09) +1.0.5-SNAPSHOT (2019-04-11) Please see the file named "changelog.xml" in this directory for the release notes.
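Review bot: checkAdministratorControl still authorizes with `parentShared.isVreFolder() && entry.getPrincipal().getName().equals(parentShared.getTitle())`, a condition that never involves `login`, while this commit drops that shortcut from the read and write checks. As written, any caller reaching the administrator check on a VRE folder matches the entry whose principal is named after the folder, so the outcome depends only on that entry's privileges and not on whether the caller belongs to the group. Apply the same caller-in-group test here, ideally by moving the entry matching into one private helper used by all three checks, as the existing `//put it in a different method` comments already suggest. The `throw` placed inside the entry loop also rejects on the first matching entry that lacks ADMINISTRATOR, before later entries are examined.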