|
1
|
package eu.etaxonomy.cdm.permission;
|
|
2
|
|
|
3
|
import java.io.Serializable;
|
|
4
|
import java.util.Collection;
|
|
5
|
import java.util.HashSet;
|
|
6
|
import java.util.Set;
|
|
7
|
import java.util.UUID;
|
|
8
|
|
|
9
|
import org.apache.log4j.Logger;
|
|
10
|
import org.springframework.security.access.PermissionEvaluator;
|
|
11
|
import org.springframework.security.core.Authentication;
|
|
12
|
import org.springframework.security.core.GrantedAuthority;
|
|
13
|
|
|
14
|
import eu.etaxonomy.cdm.model.common.CdmBase;
|
|
15
|
import eu.etaxonomy.cdm.model.common.Group;
|
|
16
|
import eu.etaxonomy.cdm.model.common.User;
|
|
17
|
import eu.etaxonomy.cdm.model.taxon.TaxonNode;
|
|
18
|
public class CdmPermissionEvaluator implements PermissionEvaluator {
|
|
19
|
protected static final Logger logger = Logger.getLogger(CdmPermissionEvaluator.class);
|
|
20
|
|
|
21
|
private class AuthorityPermission{
|
|
22
|
CdmPermissionClass className;
|
|
23
|
CdmPermission permission;
|
|
24
|
UUID targetUuid;
|
|
25
|
|
|
26
|
public AuthorityPermission(String className, CdmPermission permission, UUID uuid){
|
|
27
|
this.className = CdmPermissionClass.valueOf(className);
|
|
28
|
this.permission = permission;
|
|
29
|
targetUuid = uuid;
|
|
30
|
}
|
|
31
|
|
|
32
|
public AuthorityPermission (String authority){
|
|
33
|
String permissionString;
|
|
34
|
int firstPoint = authority.indexOf(".");
|
|
35
|
if (firstPoint == -1){
|
|
36
|
className = CdmPermissionClass.valueOf(authority);
|
|
37
|
}else{
|
|
38
|
className = CdmPermissionClass.valueOf((authority.substring(0, firstPoint)));
|
|
39
|
int bracket = authority.indexOf("{");
|
|
40
|
if (bracket == -1){
|
|
41
|
permissionString = authority.substring(firstPoint+1);
|
|
42
|
}else{
|
|
43
|
permissionString = authority.substring(firstPoint+1, bracket);
|
|
44
|
int secondBracket = authority.indexOf("}");
|
|
45
|
String uuid = authority.substring(bracket+1, secondBracket);
|
|
46
|
targetUuid = UUID.fromString(uuid);
|
|
47
|
}
|
|
48
|
permission = CdmPermission.valueOf(permissionString.toUpperCase());
|
|
49
|
}
|
|
50
|
}
|
|
51
|
|
|
52
|
|
|
53
|
}
|
|
54
|
|
|
55
|
|
|
56
|
public boolean hasPermission(Authentication authentication,
|
|
57
|
Serializable targetId, String targetType, Object permission) {
|
|
58
|
logger.info("hasPermission returns false");
|
|
59
|
// TODO Auto-generated method stub
|
|
60
|
return false;
|
|
61
|
}
|
|
62
|
|
|
63
|
|
|
64
|
|
|
65
|
|
|
66
|
|
|
67
|
|
|
68
|
|
|
69
|
|
|
70
|
public boolean hasPermission(Authentication authentication,
|
|
71
|
Object targetDomainObject, Object permission) {
|
|
72
|
|
|
73
|
|
|
74
|
CdmPermission cdmPermission;
|
|
75
|
if (!(permission instanceof CdmPermission)){
|
|
76
|
String permissionString = (String)permission;
|
|
77
|
if (permissionString.equals("changePassword")){
|
|
78
|
return (targetDomainObject.equals(((User)authentication.getPrincipal()).getUsername()));
|
|
79
|
}
|
|
80
|
cdmPermission = CdmPermission.valueOf(permissionString);
|
|
81
|
}else {
|
|
82
|
cdmPermission = (CdmPermission)permission;
|
|
83
|
}
|
|
84
|
Collection<GrantedAuthority> authorities = ((User)authentication.getPrincipal()).getAuthorities();
|
|
85
|
/* FIXME this should not be necessary. See User.initAuthorities() and User.getAuthorities(); a User object should always
|
|
86
|
// return all GrantedAuthorities including its groups authorities. If that is not working correctly please fix it.
|
|
87
|
Set<Group> groups =((User)authentication.getPrincipal()).getGroups();
|
|
88
|
Set<GrantedAuthority> groupAuthorities = new HashSet<GrantedAuthority>();
|
|
89
|
for (Group group: groups){
|
|
90
|
groupAuthorities.addAll(group.getGrantedAuthorities());
|
|
91
|
}
|
|
92
|
groupAuthorities.addAll(authorities);
|
|
93
|
// FIXME END
|
|
94
|
*/
|
|
95
|
AuthorityPermission evalPermission = new AuthorityPermission(targetDomainObject.getClass().getSimpleName().toUpperCase(), cdmPermission, ((CdmBase)targetDomainObject).getUuid());
|
|
96
|
|
|
97
|
return evalPermission(authorities, evalPermission, (CdmBase)targetDomainObject);
|
|
98
|
|
|
99
|
|
|
100
|
}
|
|
101
|
|
|
102
|
private TaxonNode findTargetUuidInTree(UUID targetUuid, TaxonNode node){
|
|
103
|
if (targetUuid.equals(node.getUuid()))
|
|
104
|
return node;
|
|
105
|
else if (node.getParent()!= null){
|
|
106
|
findTargetUuidInTree(targetUuid, node.getParent());
|
|
107
|
}
|
|
108
|
return null;
|
|
109
|
}
|
|
110
|
|
|
111
|
|
|
112
|
public boolean evalPermission(Collection<GrantedAuthority> authorities, AuthorityPermission evalPermission, CdmBase targetDomainObject){
|
|
113
|
|
|
114
|
for (GrantedAuthority authority: authorities){
|
|
115
|
AuthorityPermission authorityPermission= new AuthorityPermission(authority.getAuthority());
|
|
116
|
//evaluate authorities
|
|
117
|
if (authorityPermission.className.equals(evalPermission.className) && authorityPermission.permission.equals(evalPermission.permission)){
|
|
118
|
if (authorityPermission.targetUuid != null){
|
|
119
|
//TODO
|
|
120
|
|
|
121
|
}else{
|
|
122
|
return true;
|
|
123
|
}
|
|
124
|
|
|
125
|
}
|
|
126
|
|
|
127
|
if (authorityPermission.targetUuid != null){
|
|
128
|
if (authorityPermission.targetUuid.equals(((CdmBase)targetDomainObject).getUuid())){
|
|
129
|
if (authorityPermission.permission.equals(evalPermission.permission)){
|
|
130
|
return true;
|
|
131
|
}
|
|
132
|
}
|
|
133
|
}
|
|
134
|
|
|
135
|
if (authorityPermission.className.equals(CdmPermissionClass.TAXONNODE) && targetDomainObject.getClass().getSimpleName().equals(CdmPermissionClass.TAXONNODE)){
|
|
136
|
//TODO: walk through the tree and look for the uuid
|
|
137
|
TaxonNode node = (TaxonNode)targetDomainObject;
|
|
138
|
TaxonNode targetNode = findTargetUuidInTree(authorityPermission.targetUuid, node);
|
|
139
|
if (targetNode != null){
|
|
140
|
if (evalPermission.permission.equals(authorityPermission.permission)){
|
|
141
|
return true;
|
|
142
|
}
|
|
143
|
}
|
|
144
|
}
|
|
145
|
|
|
146
|
}
|
|
147
|
return false;
|
|
148
|
}
|
|
149
|
|
|
150
|
}
|