This commit is contained in:
Lucio Lelii 2018-12-28 16:58:08 +00:00
parent 16aa33f03c
commit b03cfa85a7
6 changed files with 100 additions and 5 deletions

View File

@ -37,7 +37,13 @@ public class AuthorizationChecker {
if (item.isShared()) {
SharedFolder parentShared = node2Item.getItem(retrieveSharedFolderParent(node, session), Excludes.EXCLUDE_ACCOUNTING);
if (!parentShared.getUsers().getMap().containsKey(login))
//CHECKING ACL FOR VREFOLDER AND SHARED FOLDER
JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(session, parentShared.getPath());
AccessControlEntry[] entries = accessControlList.getAccessControlEntries();
for (AccessControlEntry entry: entries)
if (entry.getPrincipal().getName().equals(login) || (parentShared.isVreFolder() && entry.getPrincipal().getName().equals(parentShared.getTitle())))
return;
throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id);
} else if (item.getOwner()==null || !item.getOwner().equals(login))
throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to read node with id "+id);
@ -82,9 +88,9 @@ public class AuthorizationChecker {
return;
}
}
}
throw new UserNotAuthorizedException("Insufficent Provileges for user "+login+" to write into node with id "+id);
}
}
} else
if(item.getOwner().equals(login))

View File

@ -7,6 +7,7 @@ import javax.ws.rs.Path;
import javax.ws.rs.core.Application;
import org.gcube.data.access.storagehub.services.ACLManager;
import org.gcube.data.access.storagehub.services.GroupManager;
import org.gcube.data.access.storagehub.services.ItemSharing;
import org.gcube.data.access.storagehub.services.ItemsCreator;
import org.gcube.data.access.storagehub.services.ItemsManager;
@ -28,6 +29,7 @@ public class StorageHub extends Application {
classes.add(ACLManager.class);
classes.add(ItemSharing.class);
classes.add(UserManager.class);
classes.add(GroupManager.class);
//classes.add(AuthorizationExceptionMapper.class);
return classes;
}

View File

@ -81,6 +81,8 @@ public class Utils {
public static <T extends Item> List<T> getItemList(Node parent, List<String> excludes, Range range, boolean showHidden, Class<? extends Item> nodeTypeToInclude) throws RepositoryException, BackendGenericError{
logger.debug("getting children of node {}", parent.getIdentifier());
List<T> returnList = new ArrayList<T>();
long start = System.currentTimeMillis();
NodeIterator iterator = parent.getNodes();
@ -92,9 +94,13 @@ public class Utils {
while (iterator.hasNext()){
Node current = iterator.nextNode();
logger.debug("current node "+current.getName());
if (isToExclude(current, showHidden))
continue;
logger.debug("current node not excluded "+current.getName());
if (range==null || (count>=range.getStart() && returnList.size()<range.getLimit())) {
T item = node2Item.getFilteredItem(current, excludes, nodeTypeToInclude);
if (item==null) continue;

View File

@ -5,6 +5,9 @@ import java.util.Iterator;
import java.util.List;
import javax.inject.Inject;
import javax.jcr.Node;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import javax.servlet.ServletContext;
import javax.ws.rs.DELETE;
import javax.ws.rs.FormParam;
@ -16,16 +19,25 @@ import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.Query;
import org.apache.jackrabbit.api.security.user.QueryBuilder;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.gcube.common.authorization.control.annotations.AuthorizationControl;
import org.gcube.common.authorization.library.provider.AuthorizationProvider;
import org.gcube.common.gxrest.response.outbound.GXOutboundErrorResponse;
import org.gcube.common.storagehub.model.acls.AccessType;
import org.gcube.common.storagehub.model.exceptions.BackendGenericError;
import org.gcube.common.storagehub.model.types.NodeProperty;
import org.gcube.common.storagehub.model.types.PrimaryNodeType;
import org.gcube.data.access.storagehub.Constants;
import org.gcube.data.access.storagehub.Utils;
import org.gcube.data.access.storagehub.exception.MyAuthException;
import org.gcube.data.access.storagehub.handlers.CredentialHandler;
import org.slf4j.Logger;
@ -66,7 +78,7 @@ public class GroupManager {
groups.add(group.getPrincipal().getName());
}
}catch(Exception e) {
log.error("jcr error getting users", e);
log.error("jcr error getting groups", e);
GXOutboundErrorResponse.throwException(new BackendGenericError(e));
} finally {
if (session!=null)
@ -89,6 +101,9 @@ public class GroupManager {
Group createdGroup = usrManager.createGroup(group);
groupId = createdGroup.getID();
//TODO: A VREFolder must be created
session.save();
}catch(Exception e) {
log.error("jcr error creating group {}", group, e);
@ -113,6 +128,8 @@ public class GroupManager {
org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
//TODO: the VREFolder must be deleted
Authorizable authorizable = usrManager.getAuthorizable(id);
if (authorizable.isGroup())
authorizable.remove();
@ -219,4 +236,60 @@ public class GroupManager {
return users;
}
@POST
@Path("{groupId}/createVREFolder")
@AuthorizationControl(allowed={"lucio.lelii"}, exception=MyAuthException.class)
public Response createVreFolder(@PathParam("groupId") String groupId){
JackrabbitSession session = null;
try {
session = (JackrabbitSession) repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
org.apache.jackrabbit.api.security.user.UserManager usrManager = session.getUserManager();
Group group = (Group)usrManager.getAuthorizable(groupId);
Node sharedRootNode = session.getNode(Constants.SHARED_FOLDER_PATH);
String name = groupId;
String title = groupId.substring(groupId.lastIndexOf("-")+1);
Node folder= Utils.createFolderInternally(session, sharedRootNode, name, "VREFolder for "+groupId, false, AuthorizationProvider.instance.get().getClient().getId(), null);
folder.setPrimaryType(PrimaryNodeType.NT_WORKSPACE_SHARED_FOLDER);
folder.setProperty(NodeProperty.IS_VRE_FOLDER.toString(), true);
folder.setProperty(NodeProperty.TITLE.toString(), name);
folder.setProperty(NodeProperty.DISPLAY_NAME.toString(), title);
session.save();
AccessControlManager acm = session.getAccessControlManager();
JackrabbitAccessControlList acls = AccessControlUtils.getAccessControlList(acm, folder.getPath());
Privilege[] adminPrivileges = new Privilege[] { acm.privilegeFromName(AccessType.ADMINISTRATOR.getValue()) };
acls.addAccessControlEntry(AccessControlUtils.getPrincipal(session, AuthorizationProvider.instance.get().getClient().getId()), adminPrivileges );
Privilege[] usersPrivileges = new Privilege[] { acm.privilegeFromName(AccessType.WRITE_OWNER.getValue()) };
Iterator<Authorizable> it = group.getMembers();
while (it.hasNext()) {
Authorizable user = it.next();
String userPath = String.format("%s%s/%s",Utils.getWorkspacePath(user.getPrincipal().getName()).toPath(),Constants.VRE_FOLDER_PARENT_NAME, name);
log.debug("creating folder in user path {}", userPath );
session.getWorkspace().clone(session.getWorkspace().getName(), folder.getPath(),userPath , false);
}
acls.addAccessControlEntry(group.getPrincipal(), usersPrivileges );
acm.setPolicy(folder.getPath(), acls);
session.save();
}catch(Exception e) {
log.error("jcr error creating vreFolder {}", groupId, e);
GXOutboundErrorResponse.throwException(new BackendGenericError(e));
} finally {
if (session!=null)
session.logout();
}
return Response.ok().build();
}
}

View File

@ -310,6 +310,7 @@ public class WorkspaceManager {
org.gcube.common.storagehub.model.Path vrePath = Paths.append(Utils.getWorkspacePath(), Constants.VRE_FOLDER_PARENT_NAME);
List<? extends Item> toReturn = null;
try{
log.info("vres folder path is {}",vrePath.toPath());
ses = repository.getRepository().login(CredentialHandler.getAdminCredentials(context));
toReturn = Utils.getItemList(ses.getNode(vrePath.toPath()) , excludes, null, false, null);
}catch(RepositoryException re ){

View File

@ -36,5 +36,12 @@ public class Expressions {
}
@Test
public void test2() {
String groupId ="/gcube/devsec/devVre";
String title = groupId.substring(groupId.lastIndexOf("/")+1);
System.out.println(title);
}
}