From b03cfa85a7764eeb899ee53bee1f5103b38e3ff5 Mon Sep 17 00:00:00 2001
From: Lucio Lelii
Date: Fri, 28 Dec 2018 16:58:08 +0000
Subject: [PATCH] git-svn-id: https://svn.d4science-ii.research-infrastructures.eu/gcube/branches/data-access/storagehub-webapp/1.0@176270 82a268e6-3cf1-43bd-a215-b396298e98cf
---
 .../storagehub/AuthorizationChecker.java | 12 ++-
 .../data/access/storagehub/StorageHub.java | 2 +
 .../gcube/data/access/storagehub/Utils.java | 6 ++
 .../storagehub/services/GroupManager.java | 77 ++++++++++++++++++-
 .../storagehub/services/WorkspaceManager.java | 1 +
 .../org/gcube/data/access/fs/Expressions.java | 7 ++
 6 files changed, 100 insertions(+), 5 deletions(-)
diff --git a/src/main/java/org/gcube/data/access/storagehub/AuthorizationChecker.java b/src/main/java/org/gcube/data/access/storagehub/AuthorizationChecker.java
index 9d5204e..bf73e4d 100644
--- a/src/main/java/org/gcube/data/access/storagehub/AuthorizationChecker.java
+++ b/src/main/java/org/gcube/data/access/storagehub/AuthorizationChecker.java
@@ -37,8 +37,14 @@ public class AuthorizationChecker { if (item.isShared()) { SharedFolder parentShared = node2Item.getItem(retrieveSharedFolderParent(node, session), Excludes.EXCLUDE_ACCOUNTING); - if (!parentShared.getUsers().getMap().containsKey(login)) - throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id); + + //CHECKING ACL FOR VREFOLDER AND SHARED FOLDER + JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(session, parentShared.getPath()); + AccessControlEntry[] entries = accessControlList.getAccessControlEntries(); + for (AccessControlEntry entry: entries) + if (entry.getPrincipal().getName().equals(login) || (parentShared.isVreFolder() && entry.getPrincipal().getName().equals(parentShared.getTitle()))) + return; + throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id); } else if (item.getOwner()==null || !item.getOwner().equals(login)) throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id); @@ -82,9 +88,9 @@ public class AuthorizationChecker { return; } - throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to write into node with id "+id); } } + throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to write into node with id "+id); } else if(item.getOwner().equals(login)) diff --git a/src/main/java/org/gcube/data/access/storagehub/StorageHub.java b/src/main/java/org/gcube/data/access/storagehub/StorageHub.java index 1f66db9..342d99a 100644 --- a/src/main/java/org/gcube/data/access/storagehub/StorageHub.java +++ b/src/main/java/org/gcube/data/access/storagehub/StorageHub.java 
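Review bot: In the first hunk the VRE-folder branch of the new loop never consults `login`: `parentShared.isVreFolder() && entry.getPrincipal().getName().equals(parentShared.getTitle())` returns as soon as the folder's own group principal appears in the ACL, so unless group membership is enforced somewhere outside this hunk, every authenticated caller passes the read check for every VRE folder. The loop also treats the mere presence of an entry as a grant and does not look at whether it is an allow entry or which privileges it carries. I would resolve the group behind that principal and require that `login` is one of its members before returning, and skip deny entries with something like `if (entry instanceof JackrabbitAccessControlEntry && !((JackrabbitAccessControlEntry) entry).isAllow()) continue;`. The enclosing method starts and ends outside the hunk, so the session type available for a membership lookup is not visible here.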
@@ -7,6 +7,7 @@ import javax.ws.rs.Path; import javax.ws.rs.core.Application; import org.gcube.data.access.storagehub.services.ACLManager; +import org.gcube.data.access.storagehub.services.GroupManager; import org.gcube.data.access.storagehub.services.ItemSharing; import org.gcube.data.access.storagehub.services.ItemsCreator; import org.gcube.data.access.storagehub.services.ItemsManager; @@ -28,6 +29,7 @@ public class StorageHub extends Application { classes.add(ACLManager.class); classes.add(ItemSharing.class); classes.add(UserManager.class); + classes.add(GroupManager.class); //classes.add(AuthorizationExceptionMapper.class); return classes; } diff --git a/src/main/java/org/gcube/data/access/storagehub/Utils.java b/src/main/java/org/gcube/data/access/storagehub/Utils.java index f7a2354..eeef0d9 100644 --- a/src/main/java/org/gcube/data/access/storagehub/Utils.java +++ b/src/main/java/org/gcube/data/access/storagehub/Utils.java @@ -81,6 +81,8 @@ public class Utils { public static List getItemList(Node parent, List excludes, Range range, boolean showHidden, Class nodeTypeToInclude) throws RepositoryException, BackendGenericError{ + logger.debug("getting children of node {}", parent.getIdentifier()); + List returnList = new ArrayList(); long start = System.currentTimeMillis(); NodeIterator iterator = parent.getNodes(); @@ -92,9 +94,13 @@ public class Utils { while (iterator.hasNext()){ Node current = iterator.nextNode(); + logger.debug("current node "+current.getName()); + if (isToExclude(current, showHidden)) continue; + logger.debug("current node not excluded "+current.getName()); + if (range==null || (count>=range.getStart() && returnList.size() it = group.getMembers(); while (it.hasNext()) { 
@@ -219,4 +236,60 @@ public class GroupManager { return users; } + @POST + @Path("{groupId}/createVREFolder") + @AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class) + public Response createVreFolder(@PathParam("groupId") String groupId){ + + JackrabbitSession session = null; + try { + session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context)); + + org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager(); + + Group group = (Group)usrManager.getAuthorizable(groupId); + + Node sharedRootNode = session.getNode(Constants.SHARED_FOLDER_PATH); + + String name = groupId; + + String title = groupId.substring(groupId.lastIndexOf("-")+1); + + Node folder= Utils.createFolderInternally(session, sharedRootNode, name, "VREFolder for "+groupId, false, AuthorizationProvider.instance.get().getClient().getId(), null); + folder.setPrimaryType(PrimaryNodeType.NT_WORKSPACE_SHARED_FOLDER); + folder.setProperty(NodeProperty.IS_VRE_FOLDER.toString(), true); + folder.setProperty(NodeProperty.TITLE.toString(), name); + folder.setProperty(NodeProperty.DISPLAY_NAME.toString(), title); + session.save(); + + AccessControlManager acm = session.getAccessControlManager(); + JackrabbitAccessControlList acls = AccessControlUtils.getAccessControlList(acm, folder.getPath()); + Privilege[] adminPrivileges = new Privilege[] { acm.privilegeFromName(AccessType.ADMINISTRATOR.getValue()) }; + acls.addAccessControlEntry(AccessControlUtils.getPrincipal(session, AuthorizationProvider.instance.get().getClient().getId()), adminPrivileges ); + + + Privilege[] usersPrivileges = new Privilege[] { acm.privilegeFromName(AccessType.WRITE_OWNER.getValue()) }; + + Iterator it = group.getMembers(); + + while (it.hasNext()) { + Authorizable user = it.next(); + String userPath = String.format("%s%s/%s",Utils.getWorkspacePath(user.getPrincipal().getName()).toPath(),Constants.VRE_FOLDER_PARENT_NAME, name); + 
log.debug("creating folder in user path {}", userPath ); + session.getWorkspace().clone(session.getWorkspace().getName(), folder.getPath(),userPath , false); + } + acls.addAccessControlEntry(group.getPrincipal(), usersPrivileges ); + acm.setPolicy(folder.getPath(), acls); + session.save(); + + }catch(Exception e) { + log.error("jcr error creating vreFolder {}", groupId, e); + GXOutboundErrorResponse.throwException(new BackendGenericError(e)); + } finally { + if (session!=null) + session.logout(); + } + return Response.ok().build(); + } + } diff --git a/src/main/java/org/gcube/data/access/storagehub/services/WorkspaceManager.java b/src/main/java/org/gcube/data/access/storagehub/services/WorkspaceManager.java index 05ffbba..2efb41b 100644 --- a/src/main/java/org/gcube/data/access/storagehub/services/WorkspaceManager.java +++ b/src/main/java/org/gcube/data/access/storagehub/services/WorkspaceManager.java @@ -310,6 +310,7 @@ public class WorkspaceManager { org.gcube.common.storagehub.model.Path vrePath = Paths.append(Utils.getWorkspacePath(), Constants.VRE_FOLDER_PARENT_NAME); List toReturn = null; try{ + log.info("vres folder path is {}",vrePath.toPath()); ses = repository.getRepository().login(CredentialHandler.getAdminCredentials(context)); toReturn = Utils.getItemList(ses.getNode(vrePath.toPath()) , excludes, null, false, null); }catch(RepositoryException re ){ diff --git a/src/test/java/org/gcube/data/access/fs/Expressions.java b/src/test/java/org/gcube/data/access/fs/Expressions.java index d71cc64..2c2054a 100644 --- a/src/test/java/org/gcube/data/access/fs/Expressions.java +++ b/src/test/java/org/gcube/data/access/fs/Expressions.java @@ -36,5 +36,12 @@ public class Expressions { } + @Test + public void test2() { + String groupId ="/gcube/devsec/devVre"; + String title = groupId.substring(groupId.lastIndexOf("/")+1); + System.out.println(title); + } + }
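Review bot: `createVreFolder` persists the new shared folder with the first `session.save()` and clones it into every member's workspace before `acm.setPolicy(folder.getPath(), acls)` runs, so any failure in between leaves a saved folder with no access-control policy applied by this method. One trigger is visible in the hunk: `(Group)usrManager.getAuthorizable(groupId)` is neither null-checked nor type-checked, and `group` is first dereferenced only after that save. I would validate up front, e.g. `Authorizable a = usrManager.getAuthorizable(groupId); if (a == null || !a.isGroup())` followed by the service's usual error response, and apply the policy in the same save as the folder creation where the repository allows it. Separately, `@AuthorizationControl(allowed={"lucio.lelii"}, ...)` ties an administrative endpoint that runs with admin credentials to one hard-coded personal account; a role or a configured admin list would survive account changes and is easier to audit.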
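Review bot: `test2` in Expressions.java asserts nothing, it only prints `title`, and it splits on `"/"` while `createVreFolder` in GroupManager.java derives the title with `groupId.lastIndexOf("-")`, so the test neither documents nor protects the production parsing. I would feed it a group id in the format the endpoint actually receives (for instance a constructed value such as `"gcube-devsec-devVre"`) and replace the `System.out.println(title)` with an assertion on the expected title, e.g. `assertEquals("devVre", title);`. Moving the title derivation into a small helper that both the endpoint and the test call would keep the two from drifting apart again.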