From: Andreas Kohlbecker Date: Fri, 31 Aug 2012 16:13:33 +0000 (+0000) Subject: adding comments regarding permissions and authorities X-Git-Tag: cdmlib-parent-3.0.13~162 X-Git-Url: https://dev.e-taxonomy.eu/gitweb/cdmlib.git/commitdiff_plain/4ed386622e5a33b8124893174de9c8bcb1131638 adding comments regarding permissions and authorities --- diff --git a/cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/AuthorityPermission.java b/cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/AuthorityPermission.java index dfc6a59bab..efd4b1fcf7 100644 --- a/cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/AuthorityPermission.java +++ b/cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/AuthorityPermission.java @@ -3,54 +3,114 @@ package eu.etaxonomy.cdm.persistence.hibernate.permission; import java.util.UUID; +import eu.etaxonomy.cdm.model.common.GrantedAuthorityImpl; + +/** + * A AuthorityPermission consists of two parts which are separated + * by a dot character '.' in the permissionString which can retrieved by + * {@link #getPermissionString(String)}: + * + * + * The authority string syntax looks like:
+ * 
CLASSNAME.PERMISSION[{UUID}]
+ * Whereas the square brackets are indicating an optional element. + * + *

Examples for permissionStrings

+ * + * 
+ * TAXONBASE.CREATE
+ * TAXONBASE.READ
+ * TAXONBASE.UPDATE
+ * TAXONBASE.DELETE
+ * DESCRIPTIONBASE.UPDATE
+ * TAXONNODE.UPDATE{20c8f083-5870-4cbd-bf56-c5b2b98ab6a7}
+ *
+ * + * The method {@link #getPermissionString(String)} parses a full authority and returns permissionString and + * the {@link AuthorityPermission} from the authority. + * + * + * + * @author k.luther + */ public class AuthorityPermission{ - CdmPermissionClass className; - CdmPermission permission; - UUID targetUuid; - - public AuthorityPermission(Object targetDomainObject, CdmPermission permission, UUID uuid){ - this.className = CdmPermissionClass.getValueOf(targetDomainObject); - this.permission = permission; - targetUuid = uuid; - } - - public CdmPermissionClass getClassName(){ - return className; - } - - public CdmPermission getPermission(){ - return permission; - } - - public UUID getTargetUUID(){ - return targetUuid; - } - public AuthorityPermission (String authority){ - String permissionString; - int firstPoint = authority.indexOf("."); - if (firstPoint == -1){ - className = CdmPermissionClass.valueOf(authority); - }else{ - className = CdmPermissionClass.valueOf((authority.substring(0, firstPoint))); - int bracket = authority.indexOf("{"); - permissionString = getPermissionString(authority); - if (bracket != -1){ - int secondBracket = authority.indexOf("}"); - String uuid = authority.substring(bracket+1, secondBracket); - targetUuid = UUID.fromString(uuid); - } - permission = CdmPermission.valueOf(permissionString.toUpperCase()); - } - } - - private static String getPermissionString(String authority){ - int lastPoint = authority.lastIndexOf("."); - int bracket = authority.indexOf("{"); - if (bracket == -1){ - return authority.substring(lastPoint+1); - }else{ - return authority.substring(lastPoint+1, bracket); - } - } - + CdmPermissionClass className; + CdmPermission permission; + UUID targetUuid; + + public AuthorityPermission(Object targetDomainObject, CdmPermission permission, UUID uuid){ + this.className = CdmPermissionClass.getValueOf(targetDomainObject); + this.permission = permission; + targetUuid = uuid; + } + + public CdmPermissionClass getClassName(){ + return className; + } + + public CdmPermission getPermission(){ + return permission; + } + + public UUID getTargetUUID(){ + return targetUuid; + } + + /** + * Constructs a new AuthorityPermission by parsing the contents of an + * authority string. For details on the syntax please refer to the class + * documentation above. + * + * @param authority + */ + public AuthorityPermission (String authority){ + String permissionString; + int firstPoint = authority.indexOf("."); + if (firstPoint == -1){ + // no dot: the authorityString only holds a CdmPermissionClass + className = CdmPermissionClass.valueOf(authority); + }else{ + // has a dot: the authorityString only holds a CdmPermissionClass and a permissionString + className = CdmPermissionClass.valueOf((authority.substring(0, firstPoint))); + int bracket = authority.indexOf("{"); + permissionString = getPermissionString(authority); + if (bracket != -1){ + // having a bracket means the permissionString contains a uuid !!! + int secondBracket = authority.indexOf("}"); + String uuid = authority.substring(bracket+1, secondBracket); + targetUuid = UUID.fromString(uuid); + } + permission = CdmPermission.valueOf(permissionString.toUpperCase()); + } + } + + /** + * The method {@link #getPermissionString(String)} parses a full authority + * string like + * "TAXONNODE.READ{20c8f083-5870-4cbd-bf56-c5b2b98ab6a7}"and + * returns the string representation of the CdmPermission "READ" + * contained in the authority string + * + * @param authority + * @return + */ + private static String getPermissionString(String authority){ + int lastPoint = authority.lastIndexOf("."); + int bracket = authority.indexOf("{"); + if (bracket == -1){ + return authority.substring(lastPoint+1); + }else{ + return authority.substring(lastPoint+1, bracket); + } + } + } \ No newline at end of file diff --git a/cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/CdmPermissionEvaluator.java b/cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/CdmPermissionEvaluator.java index 5fb2bdaa1d..b46de885a1 100644 --- a/cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/CdmPermissionEvaluator.java +++ b/cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/CdmPermissionEvaluator.java @@ -5,7 +5,7 @@ * * The contents of this file are subject to the Mozilla Public License Version 1.1 * See LICENSE.TXT at the top of this package for the full license terms. -*/ +*/ package eu.etaxonomy.cdm.persistence.hibernate.permission; import java.io.Serializable; @@ -30,57 +30,56 @@ import eu.etaxonomy.cdm.model.taxon.TaxonNode; public class CdmPermissionEvaluator implements PermissionEvaluator { protected static final Logger logger = Logger.getLogger(CdmPermissionEvaluator.class); - - - public boolean hasPermission(Authentication authentication, - Serializable targetId, String targetType, Object permission) { - logger.info("hasPermission returns false"); - // TODO Auto-generated method stub - return false; - } + + + public boolean hasPermission(Authentication authentication, + Serializable targetId, String targetType, Object permission) { + logger.info("hasPermission returns false"); + // TODO Auto-generated method stub + return false; + } public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) { - - - AuthorityPermission evalPermission; + + + AuthorityPermission evalPermission; CdmPermission cdmPermission; - if (!(permission instanceof CdmPermission)){ - String permissionString = (String)permission; - if (permissionString.equals("changePassword")){ - if (targetDomainObject.equals(((User)authentication.getPrincipal()))){ - return true; - }else{ - cdmPermission = CdmPermission.ADMIN; - } - }else{ - cdmPermission = CdmPermission.valueOf(permissionString); - } - }else { - cdmPermission = (CdmPermission)permission; - } - + if (!(permission instanceof CdmPermission)){ + String permissionString = (String)permission; + if (permissionString.equals("changePassword")){ + if (targetDomainObject.equals(((User)authentication.getPrincipal()))){ + return true; + }else{ + cdmPermission = CdmPermission.ADMIN; + } + }else{ + cdmPermission = CdmPermission.valueOf(permissionString); + } + }else { + cdmPermission = (CdmPermission)permission; + } + Collection authorities = ((User)authentication.getPrincipal()).getAuthorities(); - + try{ - //evalPermission = new AuthorityPermission(targetDomainObject.getClass().getSimpleName().toUpperCase(), cdmPermission, ((CdmBase)targetDomainObject).getUuid()); - evalPermission = new AuthorityPermission(targetDomainObject, cdmPermission, ((CdmBase)targetDomainObject).getUuid()); + //evalPermission = new AuthorityPermission(targetDomainObject.getClass().getSimpleName().toUpperCase(), cdmPermission, ((CdmBase)targetDomainObject).getUuid()); + evalPermission = new AuthorityPermission(targetDomainObject, cdmPermission, ((CdmBase)targetDomainObject).getUuid()); }catch(NullPointerException e){ - //evalPermission = new AuthorityPermission(targetDomainObject.getClass().getSimpleName().toUpperCase(), cdmPermission, null); - evalPermission = new AuthorityPermission(targetDomainObject, cdmPermission, null); + //evalPermission = new AuthorityPermission(targetDomainObject.getClass().getSimpleName().toUpperCase(), cdmPermission, null); + evalPermission = new AuthorityPermission(targetDomainObject, cdmPermission, null); + } + + + if (evalPermission.className != null) { + return evalPermission(authorities, evalPermission, (CdmBase) targetDomainObject); + + }else{ + return true; } - - - if (evalPermission.className != null) { - return evalPermission(authorities, evalPermission, - (CdmBase) targetDomainObject); - - }else{ - return true; - } - + } private TaxonNode findTargetUuidInTree(UUID targetUuid, TaxonNode node){ @@ -95,55 +94,50 @@ public class CdmPermissionEvaluator implements PermissionEvaluator { public boolean evalPermission(Collection authorities, AuthorityPermission evalPermission, CdmBase targetDomainObject){ - //if user has administrator rights return true; - for (GrantedAuthority authority: authorities){ - if (authority.getAuthority().equals("ALL.ADMIN"))return true; - } - - //if targetDomainObject is instance of DescriptionBase or DescriptionElementBase use the DescriptionPermissionEvaluator - if (targetDomainObject instanceof DescriptionElementBase || targetDomainObject instanceof DescriptionBase){ - return DescriptionPermissionEvaluator.hasPermission(authorities, targetDomainObject, evalPermission); - } - - - - - - + //if user has administrator rights return true; + for (GrantedAuthority authority: authorities){ + if (authority.getAuthority().equals("ALL.ADMIN"))return true; + } + + //if targetDomainObject is instance of DescriptionBase or DescriptionElementBase use the DescriptionPermissionEvaluator + if (targetDomainObject instanceof DescriptionElementBase || targetDomainObject instanceof DescriptionBase){ + return DescriptionPermissionEvaluator.hasPermission(authorities, targetDomainObject, evalPermission); + } + for (GrantedAuthority authority: authorities){ AuthorityPermission authorityPermission= new AuthorityPermission(authority.getAuthority()); //evaluate authorities - //if classnames match or the authorityClassName is ALL, AND the permission matches or is ADMIN the evaluation is successful + //if classnames match or the authorityClassName is ALL, AND the permission matches or is ADMIN the evaluation is successful if ((authorityPermission.className.equals(evalPermission.className) || authorityPermission.className.equals(CdmPermissionClass.ALL)) - && (authorityPermission.permission.equals(evalPermission.permission)|| authorityPermission.permission.equals(CdmPermission.ADMIN))){ + && (authorityPermission.permission.equals(evalPermission.permission)|| authorityPermission.permission.equals(CdmPermission.ADMIN))){ /* if (authorityPermission.targetUuid != null){ //TODO }else{*/ - return true; + return true; //} } - //if authority is restricted to only one object (and the cascaded objects???) + //if authority is restricted to only one object (and the cascaded objects???) if (authorityPermission.targetUuid != null){ if (authorityPermission.targetUuid.equals(((CdmBase)targetDomainObject).getUuid())){ if (authorityPermission.permission.equals(evalPermission.permission)){ - return true; + return true; } } } //if the user has the rights for a subtree if (authorityPermission.className.equals(CdmPermissionClass.TAXONBASE) && targetDomainObject.getClass().getSimpleName().toUpperCase().equals("TaxonNode")){ - + TaxonNode node = (TaxonNode)targetDomainObject; TaxonNode targetNode = findTargetUuidInTree(authorityPermission.targetUuid, node); if (targetNode != null){ if (evalPermission.permission.equals(authorityPermission.permission) ){ - return true; + return true; } } } - + } return false; diff --git a/cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/DescriptionPermissionEvaluator.java b/cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/DescriptionPermissionEvaluator.java index 03a92e6be3..ac625c67b4 100644 --- a/cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/DescriptionPermissionEvaluator.java +++ b/cdmlib-persistence/src/main/java/eu/etaxonomy/cdm/persistence/hibernate/permission/DescriptionPermissionEvaluator.java @@ -5,7 +5,7 @@ * * The contents of this file are subject to the Mozilla Public License Version 1.1 * See LICENSE.TXT at the top of this package for the full license terms. -*/ +*/ package eu.etaxonomy.cdm.persistence.hibernate.permission; import java.util.Collection; @@ -21,92 +21,94 @@ import eu.etaxonomy.cdm.model.description.DescriptionElementBase; import eu.etaxonomy.cdm.model.description.Feature; /** + * Evaluates permissions ... + * * @author k.luther * @date 06.07.2011 * */ public class DescriptionPermissionEvaluator { - - public static boolean hasPermission(Collection authorities, - Object targetDomainObject, AuthorityPermission evalPermission) { - Feature feature = null; - String authorityString; - AuthorityPermission authorityPermission; - - - if (targetDomainObject instanceof DescriptionElementBase){ - feature = ((DescriptionElementBase)targetDomainObject).getFeature(); - } - - for (GrantedAuthority authority: authorities){ - - authorityString = authority.getAuthority(); - authorityPermission = new AuthorityPermission(authorityString); - - if (targetDomainObject instanceof DescriptionElementBase){ - try{ - //check for a special feature - if (feature != null){ - if (authorityString.contains(feature.getLabel()) && (evalPermission.permission.equals(authorityPermission.permission) || authorityPermission.equals(CdmPermission.ADMIN))){ - return true; - } else if (authorityPermission.className.equals(CdmPermissionClass.DESCRIPTIONBASE)) { - if (evalPermission.permission.equals(authorityPermission.permission) ){ - return true; - } else if (authorityPermission.permission.equals(CdmPermission.ADMIN)){ - return true; - } - } - } - }catch(Exception e){ - //in tests the initialisation of terms like features fails... - if (org.hibernate.ObjectNotFoundException.class.isInstance(e)){ - if (evalPermission.permission.equals(authorityPermission.permission)|| authorityPermission.permission.equals(CdmPermission.ADMIN)){ - return true; - } - }else { - return false; - } - - } - //the user has the general right for descriptions - if (authorityPermission.className.equals(CdmPermissionClass.DESCRIPTIONBASE)){ - //no special feature - if (authority.getAuthority().lastIndexOf(".") == authority.getAuthority().indexOf(".") && (authorityPermission.className.equals(evalPermission.permission) || authorityPermission.equals(CdmPermission.ADMIN))){ - return true; - } - } - } else{ - if (authorityPermission.getClassName().equals(CdmPermissionClass.DESCRIPTIONBASE) && authorityPermission.permission.equals(evalPermission.permission)){ - return true; - } - } - } - - return false; - } - - - /*public static boolean hasPermission (Collection authorities, - DescriptionBase targetDomainObject, AuthorityPermission evalPermission){ - Set elements = targetDomainObject.getElements(); - - for (GrantedAuthority authority :authorities){ - if (authority.getAuthority().contains(CdmPermissionClass.DESCRIPTIONBASE.toString())){ - if (authority.getAuthority().lastIndexOf(".") == authority.getAuthority().indexOf(".") && authority.getAuthority().contains(evalPermission.permission.toString())){ - return true; - }else{ - //TODO: das stimmt noch nicht so ganz!!! - for (DescriptionElementBase element: elements){ - if (authority.getAuthority().contains(element.getFeature().getLabel()) && authority.getAuthority().contains(evalPermission.permission.toString())){ - return true; - } - } - } - } - } - - - return false; - - }*/ + + public static boolean hasPermission(Collection authorities, + Object targetDomainObject, AuthorityPermission evalPermission) { + Feature feature = null; + String authorityString; + AuthorityPermission authorityPermission; + + + if (targetDomainObject instanceof DescriptionElementBase){ + feature = ((DescriptionElementBase)targetDomainObject).getFeature(); + } + + for (GrantedAuthority authority: authorities){ + + authorityString = authority.getAuthority(); + authorityPermission = new AuthorityPermission(authorityString); + + if (targetDomainObject instanceof DescriptionElementBase){ + try{ + //check for a special feature + if (feature != null){ + if (authorityString.contains(feature.getLabel()) && (evalPermission.permission.equals(authorityPermission.permission) || authorityPermission.equals(CdmPermission.ADMIN))){ + return true; + } else if (authorityPermission.className.equals(CdmPermissionClass.DESCRIPTIONBASE)) { + if (evalPermission.permission.equals(authorityPermission.permission) ){ + return true; + } else if (authorityPermission.permission.equals(CdmPermission.ADMIN)){ + return true; + } + } + } + }catch(Exception e){ + //in tests the initialisation of terms like features fails... + if (org.hibernate.ObjectNotFoundException.class.isInstance(e)){ + if (evalPermission.permission.equals(authorityPermission.permission)|| authorityPermission.permission.equals(CdmPermission.ADMIN)){ + return true; + } + }else { + return false; + } + + } + //the user has the general right for descriptions + if (authorityPermission.className.equals(CdmPermissionClass.DESCRIPTIONBASE)){ + //no special feature + if (authority.getAuthority().lastIndexOf(".") == authority.getAuthority().indexOf(".") && (authorityPermission.className.equals(evalPermission.permission) || authorityPermission.equals(CdmPermission.ADMIN))){ + return true; + } + } + } else{ + if (authorityPermission.getClassName().equals(CdmPermissionClass.DESCRIPTIONBASE) && authorityPermission.permission.equals(evalPermission.permission)){ + return true; + } + } + } + + return false; + } + + + /*public static boolean hasPermission (Collection authorities, + DescriptionBase targetDomainObject, AuthorityPermission evalPermission){ + Set elements = targetDomainObject.getElements(); + + for (GrantedAuthority authority :authorities){ + if (authority.getAuthority().contains(CdmPermissionClass.DESCRIPTIONBASE.toString())){ + if (authority.getAuthority().lastIndexOf(".") == authority.getAuthority().indexOf(".") && authority.getAuthority().contains(evalPermission.permission.toString())){ + return true; + }else{ + //TODO: das stimmt noch nicht so ganz!!! + for (DescriptionElementBase element: elements){ + if (authority.getAuthority().contains(element.getFeature().getLabel()) && authority.getAuthority().contains(evalPermission.permission.toString())){ + return true; + } + } + } + } + } + + + return false; + + }*/ } diff --git a/cdmlib-services/src/test/java/eu/etaxonomy/cdm/api/service/SecurityWithTransaction.java b/cdmlib-services/src/test/java/eu/etaxonomy/cdm/api/service/SecurityWithTransaction.java index 261bf4f695..3999a395a8 100644 --- a/cdmlib-services/src/test/java/eu/etaxonomy/cdm/api/service/SecurityWithTransaction.java +++ b/cdmlib-services/src/test/java/eu/etaxonomy/cdm/api/service/SecurityWithTransaction.java @@ -50,8 +50,7 @@ import eu.etaxonomy.cdm.persistence.hibernate.permission.CdmPermissionEvaluator; @Transactional @Ignore public class SecurityWithTransaction { - private static final Logger logger = Logger - .getLogger(SecurityWithTransaction.class); + private static final Logger logger = Logger.getLogger(SecurityWithTransaction.class); @SpringBeanByName private ITaxonService taxonService; @@ -148,7 +147,9 @@ public class SecurityWithTransaction { CdmPermissionEvaluator permissionEvaluator = new CdmPermissionEvaluator(); assertFalse(permissionEvaluator.hasPermission(authentication, node, "UPDATE")); node = node.getChildNodes().iterator().next(); + System.err.println(node.getUuid()); + assertTrue(permissionEvaluator.hasPermission(authentication, node, "UPDATE")); node = node.getChildNodes().iterator().next(); assertTrue(permissionEvaluator.hasPermission(authentication, node, "UPDATE")); diff --git a/cdmlib-services/src/test/resources/eu/etaxonomy/cdm/api/service/SecurityTest.xml b/cdmlib-services/src/test/resources/eu/etaxonomy/cdm/api/service/SecurityTest.xml index c186064694..ecfea54813 100644 --- a/cdmlib-services/src/test/resources/eu/etaxonomy/cdm/api/service/SecurityTest.xml +++ b/cdmlib-services/src/test/resources/eu/etaxonomy/cdm/api/service/SecurityTest.xml @@ -14,18 +14,18 @@ - - - - + + + + - - + + - - - - + + + +