git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@179019 82a268e6-3cf1-43bd-a215-b396298e98cf
This commit is contained in:
parent
e39371b8aa
commit
44767cfa41
|
|
@ -1,5 +1,7 @@
|
||||||
package org.gcube.data.access.storagehub;
|
package org.gcube.data.access.storagehub;
|
||||||
|
|
||||||
|
import java.security.acl.Group;
|
||||||
|
|
||||||
import javax.inject.Inject;
|
import javax.inject.Inject;
|
||||||
import javax.inject.Singleton;
|
import javax.inject.Singleton;
|
||||||
import javax.jcr.Node;
|
import javax.jcr.Node;
|
||||||
|
|
@ -8,7 +10,9 @@ import javax.jcr.Session;
|
||||||
import javax.jcr.security.AccessControlEntry;
|
import javax.jcr.security.AccessControlEntry;
|
||||||
import javax.jcr.security.Privilege;
|
import javax.jcr.security.Privilege;
|
||||||
|
|
||||||
|
import org.apache.jackrabbit.api.JackrabbitSession;
|
||||||
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
|
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
|
||||||
|
import org.apache.jackrabbit.api.security.user.Authorizable;
|
||||||
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
|
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
|
||||||
import org.gcube.common.authorization.library.provider.AuthorizationProvider;
|
import org.gcube.common.authorization.library.provider.AuthorizationProvider;
|
||||||
import org.gcube.common.storagehub.model.Excludes;
|
import org.gcube.common.storagehub.model.Excludes;
|
||||||
|
|
@ -25,26 +29,30 @@ public class AuthorizationChecker {
|
||||||
|
|
||||||
@Inject
|
@Inject
|
||||||
Node2ItemConverter node2Item;
|
Node2ItemConverter node2Item;
|
||||||
|
|
||||||
public void checkReadAuthorizationControl(Session session, String id) throws UserNotAuthorizedException , BackendGenericError, RepositoryException{
|
public void checkReadAuthorizationControl(Session session, String id) throws UserNotAuthorizedException , BackendGenericError, RepositoryException{
|
||||||
Node node = session.getNodeByIdentifier(id);
|
Node node = session.getNodeByIdentifier(id);
|
||||||
|
|
||||||
String login = AuthorizationProvider.instance.get().getClient().getId();
|
String login = AuthorizationProvider.instance.get().getClient().getId();
|
||||||
|
|
||||||
Item item = node2Item.getItem(node, Excludes.ALL);
|
Item item = node2Item.getItem(node, Excludes.ALL);
|
||||||
|
|
||||||
if (item==null) throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id+": it's not a valid StorageHub node");
|
if (item==null) throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id+": it's not a valid StorageHub node");
|
||||||
|
|
||||||
if (item.isShared()) {
|
if (item.isShared()) {
|
||||||
SharedFolder parentShared = node2Item.getItem(retrieveSharedFolderParent(node, session), Excludes.EXCLUDE_ACCOUNTING);
|
SharedFolder parentShared = node2Item.getItem(retrieveSharedFolderParent(node, session), Excludes.EXCLUDE_ACCOUNTING);
|
||||||
|
|
||||||
//CHECKING ACL FOR VREFOLDER AND SHARED FOLDER
|
//CHECKING ACL FOR VREFOLDER AND SHARED FOLDER
|
||||||
JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(session, parentShared.getPath());
|
JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(session, parentShared.getPath());
|
||||||
AccessControlEntry[] entries = accessControlList.getAccessControlEntries();
|
AccessControlEntry[] entries = accessControlList.getAccessControlEntries();
|
||||||
for (AccessControlEntry entry: entries)
|
|
||||||
if (entry.getPrincipal().getName().equals(login) || (parentShared.isVreFolder() && entry.getPrincipal().getName().equals(parentShared.getTitle())))
|
for (AccessControlEntry entry: entries) {
|
||||||
return;
|
Authorizable authorizable = ((JackrabbitSession) session).getUserManager().getAuthorizable(id);
|
||||||
|
if (!authorizable.isGroup() && entry.getPrincipal().getName().equals(login)) return;
|
||||||
|
if (authorizable.isGroup() && ((Group) authorizable).isMember(entry.getPrincipal())) return;
|
||||||
|
}
|
||||||
throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id);
|
throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id);
|
||||||
|
|
||||||
} else if (item.getOwner()==null || !item.getOwner().equals(login))
|
} else if (item.getOwner()==null || !item.getOwner().equals(login))
|
||||||
throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id);
|
throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id);
|
||||||
|
|
||||||
|
|
@ -62,86 +70,84 @@ public class AuthorizationChecker {
|
||||||
Node node = session.getNodeByIdentifier(id);
|
Node node = session.getNodeByIdentifier(id);
|
||||||
|
|
||||||
Item item = node2Item.getItem(node, Excludes.ALL);
|
Item item = node2Item.getItem(node, Excludes.ALL);
|
||||||
|
|
||||||
String login = AuthorizationProvider.instance.get().getClient().getId();
|
String login = AuthorizationProvider.instance.get().getClient().getId();
|
||||||
|
|
||||||
if (item==null) throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to write into node with id "+id+": it's not a valid StorageHub node");
|
if (item==null) throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to write into node with id "+id+": it's not a valid StorageHub node");
|
||||||
|
|
||||||
if (Constants.WRITE_PROTECTED_FOLDER.contains(item.getName()) || Constants.WRITE_PROTECTED_FOLDER.contains(item.getTitle()))
|
if (Constants.WRITE_PROTECTED_FOLDER.contains(item.getName()) || Constants.WRITE_PROTECTED_FOLDER.contains(item.getTitle()))
|
||||||
throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to write into node with id "+id+": it's a protected folder");
|
throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to write into node with id "+id+": it's a protected folder");
|
||||||
|
|
||||||
if (item.isShared()) {
|
if (item.isShared()) {
|
||||||
Node parentSharedNode = retrieveSharedFolderParent(node, session);
|
Node parentSharedNode = retrieveSharedFolderParent(node, session);
|
||||||
JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(session, parentSharedNode.getPath());
|
JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(session, parentSharedNode.getPath());
|
||||||
AccessControlEntry[] entries = accessControlList.getAccessControlEntries();
|
AccessControlEntry[] entries = accessControlList.getAccessControlEntries();
|
||||||
//put it in a different method
|
//put it in a different method
|
||||||
SharedFolder parentShared = node2Item.getItem(parentSharedNode, Excludes.EXCLUDE_ACCOUNTING);
|
|
||||||
for (AccessControlEntry entry: entries) {
|
for (AccessControlEntry entry: entries) {
|
||||||
if (entry.getPrincipal().getName().equals(login) || (parentShared.isVreFolder() && entry.getPrincipal().getName().equals(parentShared.getTitle()))) {
|
Authorizable authorizable = ((JackrabbitSession) session).getUserManager().getAuthorizable(id);
|
||||||
|
if ((!authorizable.isGroup() && entry.getPrincipal().getName().equals(login)) || (authorizable.isGroup() && ((Group) authorizable).isMember(entry.getPrincipal()))){
|
||||||
for (Privilege privilege : entry.getPrivileges()){
|
for (Privilege privilege : entry.getPrivileges()){
|
||||||
AccessType access = AccessType.fromValue(privilege.getName());
|
AccessType access = AccessType.fromValue(privilege.getName());
|
||||||
if (isNewItem && access!=AccessType.READ_ONLY)
|
if (isNewItem && access!=AccessType.READ_ONLY)
|
||||||
return;
|
return;
|
||||||
else
|
else
|
||||||
if (!isNewItem &&
|
if (!isNewItem &&
|
||||||
(access==AccessType.ADMINISTRATOR || access==AccessType.WRITE_ALL || (access==AccessType.WRITE_OWNER && item.getOwner().equals(login))))
|
(access==AccessType.ADMINISTRATOR || access==AccessType.WRITE_ALL || (access==AccessType.WRITE_OWNER && item.getOwner().equals(login))))
|
||||||
return;
|
return;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to write into node with id "+id);
|
|
||||||
|
|
||||||
} else
|
} else
|
||||||
if(item.getOwner().equals(login))
|
if(item.getOwner().equals(login))
|
||||||
return;
|
return;
|
||||||
|
|
||||||
throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to write into node with id "+id);
|
throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to write into node with id "+id);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public void checkMoveOpsForProtectedFolders(Session session, String id) throws InvalidCallParameters, BackendGenericError, RepositoryException {
|
public void checkMoveOpsForProtectedFolders(Session session, String id) throws InvalidCallParameters, BackendGenericError, RepositoryException {
|
||||||
Node node = session.getNodeByIdentifier(id);
|
Node node = session.getNodeByIdentifier(id);
|
||||||
Item item = node2Item.getItem(node, Excludes.ALL);
|
Item item = node2Item.getItem(node, Excludes.ALL);
|
||||||
if (Constants.PROTECTED_FOLDER.contains(item.getName()) || Constants.PROTECTED_FOLDER.contains(item.getTitle()))
|
if (Constants.PROTECTED_FOLDER.contains(item.getName()) || Constants.PROTECTED_FOLDER.contains(item.getTitle()))
|
||||||
throw new InvalidCallParameters("protected folder cannot be moved or deleted");
|
throw new InvalidCallParameters("protected folder cannot be moved or deleted");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
public void checkAdministratorControl(Session session, SharedFolder item) throws UserNotAuthorizedException, BackendGenericError, RepositoryException {
|
public void checkAdministratorControl(Session session, SharedFolder item) throws UserNotAuthorizedException, BackendGenericError, RepositoryException {
|
||||||
//TODO: riguardare questo pezzo di codice
|
//TODO: riguardare questo pezzo di codice
|
||||||
String login = AuthorizationProvider.instance.get().getClient().getId();
|
String login = AuthorizationProvider.instance.get().getClient().getId();
|
||||||
|
|
||||||
if (item==null) throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+": it's not a valid StorageHub node");
|
if (item==null) throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+": it's not a valid StorageHub node");
|
||||||
|
|
||||||
Node node = session.getNodeByIdentifier(item.getId());
|
Node node = session.getNodeByIdentifier(item.getId());
|
||||||
|
|
||||||
if (item.isShared()) {
|
if (item.isShared()) {
|
||||||
Node parentSharedNode = retrieveSharedFolderParent(node, session);
|
Node parentSharedNode = retrieveSharedFolderParent(node, session);
|
||||||
JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(session, parentSharedNode.getPath());
|
JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(session, parentSharedNode.getPath());
|
||||||
AccessControlEntry[] entries = accessControlList.getAccessControlEntries();
|
AccessControlEntry[] entries = accessControlList.getAccessControlEntries();
|
||||||
//put it in a different method
|
//put it in a different method
|
||||||
|
|
||||||
SharedFolder parentShared = node2Item.getItem(parentSharedNode, Excludes.EXCLUDE_ACCOUNTING);
|
SharedFolder parentShared = node2Item.getItem(parentSharedNode, Excludes.EXCLUDE_ACCOUNTING);
|
||||||
for (AccessControlEntry entry: entries) {
|
for (AccessControlEntry entry: entries) {
|
||||||
if (entry.getPrincipal().getName().equals(login) || (parentShared.isVreFolder() && entry.getPrincipal().getName().equals(parentShared.getTitle()))) {
|
if (entry.getPrincipal().getName().equals(login) || (parentShared.isVreFolder() && entry.getPrincipal().getName().equals(parentShared.getTitle()))) {
|
||||||
for (Privilege privilege : entry.getPrivileges()){
|
for (Privilege privilege : entry.getPrivileges()){
|
||||||
AccessType access = AccessType.fromValue(privilege.getName());
|
AccessType access = AccessType.fromValue(privilege.getName());
|
||||||
if (access==AccessType.ADMINISTRATOR)
|
if (access==AccessType.ADMINISTRATOR)
|
||||||
return;
|
return;
|
||||||
|
|
||||||
}
|
}
|
||||||
throw new UserNotAuthorizedException("The user "+login+" is not an administrator of node with id "+item.getId());
|
throw new UserNotAuthorizedException("The user "+login+" is not an administrator of node with id "+item.getId());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
throw new UserNotAuthorizedException("The user "+login+" is not an administrator of node with id "+item.getId());
|
throw new UserNotAuthorizedException("The user "+login+" is not an administrator of node with id "+item.getId());
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
private String retrieveOwner(Node node) {
|
private String retrieveOwner(Node node) {
|
||||||
Node nodeOwner;
|
Node nodeOwner;
|
||||||
|
|
|
||||||
|
|
@ -25,7 +25,7 @@ no. 654119), SoBigData (grant no. 654024), AGINFRA PLUS (grant no. 731001).
|
||||||
Version
|
Version
|
||||||
--------------------------------------------------
|
--------------------------------------------------
|
||||||
|
|
||||||
1.0.5-SNAPSHOT (2019-04-09)
|
1.0.5-SNAPSHOT (2019-04-11)
|
||||||
|
|
||||||
Please see the file named "changelog.xml" in this directory for the release notes.
|
Please see the file named "changelog.xml" in this directory for the release notes.
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue