1 |
7678ce2a
|
Andreas Müller
|
/**
|
2 |
|
|
* Copyright (C) 2009 EDIT
|
3 |
|
|
* European Distributed Institute of Taxonomy
|
4 |
|
|
* http://www.e-taxonomy.eu
|
5 |
|
|
*
|
6 |
|
|
* The contents of this file are subject to the Mozilla Public License Version 1.1
|
7 |
|
|
* See LICENSE.TXT at the top of this package for the full license terms.
|
8 |
4ed38662
|
Andreas Kohlbecker
|
*/
|
9 |
bce1dda8
|
Katja Luther
|
package eu.etaxonomy.cdm.persistence.hibernate.permission;
|
10 |
dd65a7ea
|
Katja Luther
|
|
11 |
|
|
import java.io.Serializable;
|
12 |
af113c74
|
Andreas Kohlbecker
|
import java.lang.reflect.Constructor;
|
13 |
|
|
import java.lang.reflect.InvocationTargetException;
|
14 |
dd65a7ea
|
Katja Luther
|
import java.util.Collection;
|
15 |
079268db
|
Andreas Kohlbecker
|
import java.util.EnumSet;
|
16 |
8e3d605b
|
Andreas Kohlbecker
|
import java.util.HashSet;
|
17 |
dd65a7ea
|
Katja Luther
|
|
18 |
a2239a81
|
Andreas Kohlbecker
|
import org.apache.log4j.Logger;
|
19 |
75d0aefd
|
Andreas Kohlbecker
|
import org.springframework.security.access.AccessDecisionManager;
|
20 |
5fb7d2db
|
Andreas Kohlbecker
|
import org.springframework.security.access.AccessDeniedException;
|
21 |
8e3d605b
|
Andreas Kohlbecker
|
import org.springframework.security.access.ConfigAttribute;
|
22 |
5fb7d2db
|
Andreas Kohlbecker
|
import org.springframework.security.authentication.InsufficientAuthenticationException;
|
23 |
dd65a7ea
|
Katja Luther
|
import org.springframework.security.core.Authentication;
|
24 |
|
|
import org.springframework.security.core.GrantedAuthority;
|
25 |
7b59c088
|
Andreas Kohlbecker
|
import org.springframework.stereotype.Component;
|
26 |
dd65a7ea
|
Katja Luther
|
|
27 |
|
|
import eu.etaxonomy.cdm.model.common.CdmBase;
|
28 |
7678ce2a
|
Andreas Müller
|
|
29 |
|
|
/**
|
30 |
|
|
* @author k.luther
|
31 |
5a845253
|
Andreas Kohlbecker
|
* @author a.kohlbecker
|
32 |
53db84af
|
Andreas Müller
|
* @since 06.07.2011
|
33 |
7678ce2a
|
Andreas Müller
|
*/
|
34 |
7b59c088
|
Andreas Kohlbecker
|
@Component
|
35 |
48ccf94a
|
Andreas Kohlbecker
|
public class CdmPermissionEvaluator implements ICdmPermissionEvaluator {
|
36 |
4ed38662
|
Andreas Kohlbecker
|
|
37 |
d5fe74be
|
Andreas Kohlbecker
|
protected static final Logger logger = Logger.getLogger(CdmPermissionEvaluator.class);
|
38 |
4ed38662
|
Andreas Kohlbecker
|
|
39 |
75d0aefd
|
Andreas Kohlbecker
|
private AccessDecisionManager accessDecisionManager;
|
40 |
|
|
|
41 |
|
|
public AccessDecisionManager getAccessDecisionManager() {
|
42 |
|
|
return accessDecisionManager;
|
43 |
|
|
}
|
44 |
|
|
|
45 |
12f13ee5
|
Cherian Mathew
|
public CdmPermissionEvaluator() {
|
46 |
ca5fe165
|
Andreas Kohlbecker
|
|
47 |
|
|
}
|
48 |
|
|
|
49 |
75d0aefd
|
Andreas Kohlbecker
|
public void setAccessDecisionManager(AccessDecisionManager accessDecisionManager) {
|
50 |
|
|
this.accessDecisionManager = accessDecisionManager;
|
51 |
|
|
}
|
52 |
|
|
|
53 |
5a845253
|
Andreas Kohlbecker
|
@Override
|
54 |
4ed38662
|
Andreas Kohlbecker
|
public boolean hasPermission(Authentication authentication,
|
55 |
|
|
Serializable targetId, String targetType, Object permission) {
|
56 |
e68c438e
|
Andreas Kohlbecker
|
logger.warn("UNINMPLEMENTED: hasPermission always returns false");
|
57 |
4ed38662
|
Andreas Kohlbecker
|
// TODO Auto-generated method stub
|
58 |
|
|
return false;
|
59 |
|
|
}
|
60 |
a2239a81
|
Andreas Kohlbecker
|
|
61 |
5a845253
|
Andreas Kohlbecker
|
@Override
|
62 |
7b59c088
|
Andreas Kohlbecker
|
public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
|
63 |
4ed38662
|
Andreas Kohlbecker
|
|
64 |
08582061
|
Andreas Kohlbecker
|
|
65 |
af113c74
|
Andreas Kohlbecker
|
EnumSet<CRUD> requiredOperation = null;
|
66 |
7b59c088
|
Andreas Kohlbecker
|
|
67 |
8f51ee96
|
Andreas Kohlbecker
|
TargetEntityStates cdmEntitiyStates;
|
68 |
|
|
if(targetDomainObject instanceof CdmBase){
|
69 |
|
|
cdmEntitiyStates = new TargetEntityStates((CdmBase)targetDomainObject);
|
70 |
|
|
} else {
|
71 |
|
|
cdmEntitiyStates = (TargetEntityStates)targetDomainObject;
|
72 |
|
|
}
|
73 |
8f2ded7b
|
Andreas Kohlbecker
|
|
74 |
d5fe74be
|
Andreas Kohlbecker
|
if(logger.isDebugEnabled()){
|
75 |
72ce5ca1
|
Andreas Kohlbecker
|
String targteDomainObjText = " Object: " + (targetDomainObject == null? "null":cdmEntitiyStates.getEntity().instanceToString());
|
76 |
af113c74
|
Andreas Kohlbecker
|
logUserAndRequirement(authentication, permission.toString(), targteDomainObjText);
|
77 |
4ed38662
|
Andreas Kohlbecker
|
}
|
78 |
079268db
|
Andreas Kohlbecker
|
try {
|
79 |
af113c74
|
Andreas Kohlbecker
|
requiredOperation = operationFrom(permission);
|
80 |
079268db
|
Andreas Kohlbecker
|
|
81 |
|
|
} catch (IllegalArgumentException e) {
|
82 |
|
|
logger.debug("permission string '"+ permission.toString() + "' not parsable => true");
|
83 |
f0aad502
|
Andreas Kohlbecker
|
return false;
|
84 |
08582061
|
Andreas Kohlbecker
|
}
|
85 |
4ed38662
|
Andreas Kohlbecker
|
|
86 |
72ce5ca1
|
Andreas Kohlbecker
|
return hasPermission(authentication, cdmEntitiyStates, requiredOperation);
|
87 |
f0aad502
|
Andreas Kohlbecker
|
|
88 |
|
|
}
|
89 |
|
|
|
90 |
|
|
/**
|
91 |
|
|
* @param authentication
|
92 |
|
|
* @param targetDomainObject
|
93 |
|
|
* @param requiredOperation
|
94 |
|
|
* @return
|
95 |
|
|
*/
|
96 |
|
|
@Override
|
97 |
72ce5ca1
|
Andreas Kohlbecker
|
public boolean hasPermission(Authentication authentication, CdmBase targetEntity, EnumSet<CRUD> requiredOperation) {
|
98 |
|
|
return hasPermission(authentication, new TargetEntityStates(targetEntity), requiredOperation);
|
99 |
|
|
}
|
100 |
|
|
|
101 |
|
|
/**
|
102 |
|
|
* @param authentication
|
103 |
|
|
* @param targetDomainObject
|
104 |
|
|
* @param requiredOperation
|
105 |
|
|
* @return
|
106 |
|
|
*/
|
107 |
|
|
@Override
|
108 |
|
|
public boolean hasPermission(Authentication authentication, TargetEntityStates targetEntityStates, EnumSet<CRUD> requiredOperation) {
|
109 |
f0aad502
|
Andreas Kohlbecker
|
|
110 |
|
|
if(authentication == null) {
|
111 |
|
|
return false;
|
112 |
|
|
}
|
113 |
|
|
|
114 |
72ce5ca1
|
Andreas Kohlbecker
|
CdmAuthority evalPermission = authorityRequiredFor(targetEntityStates.getEntity(), requiredOperation);
|
115 |
4ed38662
|
Andreas Kohlbecker
|
|
116 |
3e53ce69
|
Andreas Müller
|
if (evalPermission.getPermissionClass() != null) {
|
117 |
8e3d605b
|
Andreas Kohlbecker
|
logger.debug("starting evaluation => ...");
|
118 |
72ce5ca1
|
Andreas Kohlbecker
|
return evalPermission(authentication, evalPermission, targetEntityStates);
|
119 |
4ed38662
|
Andreas Kohlbecker
|
}else{
|
120 |
8e3d605b
|
Andreas Kohlbecker
|
logger.debug("skipping evaluation => true");
|
121 |
4ed38662
|
Andreas Kohlbecker
|
return true;
|
122 |
f8271faa
|
Katja Luther
|
}
|
123 |
a2239a81
|
Andreas Kohlbecker
|
}
|
124 |
|
|
|
125 |
af113c74
|
Andreas Kohlbecker
|
|
126 |
|
|
@Override
|
127 |
|
|
public <T extends CdmBase> boolean hasPermission(Authentication authentication, Class<T> targetDomainObjectClass,
|
128 |
|
|
EnumSet<CRUD> requiredOperations) {
|
129 |
|
|
|
130 |
|
|
if(authentication == null) {
|
131 |
|
|
return false;
|
132 |
|
|
}
|
133 |
|
|
|
134 |
|
|
if(logger.isDebugEnabled()){
|
135 |
|
|
String targteDomainObjClassText = " Cdm-Type: " + targetDomainObjectClass.getSimpleName();
|
136 |
|
|
logUserAndRequirement(authentication, requiredOperations.toString(), targteDomainObjClassText);
|
137 |
|
|
}
|
138 |
|
|
|
139 |
|
|
CdmAuthority evalPermission = new CdmAuthority(CdmPermissionClass.getValueOf(targetDomainObjectClass), null, requiredOperations, null);
|
140 |
|
|
|
141 |
|
|
T instance;
|
142 |
|
|
try {
|
143 |
|
|
Constructor<T> c = targetDomainObjectClass.getDeclaredConstructor();
|
144 |
|
|
c.setAccessible(true);
|
145 |
|
|
instance = c.newInstance();
|
146 |
|
|
} catch (InstantiationException | IllegalAccessException | NoSuchMethodException | SecurityException | IllegalArgumentException | InvocationTargetException e) {
|
147 |
|
|
logger.error("Error while creating permission test instance ==> will deny", e);
|
148 |
|
|
return false;
|
149 |
|
|
}
|
150 |
|
|
|
151 |
72ce5ca1
|
Andreas Kohlbecker
|
return evalPermission(authentication, evalPermission, new TargetEntityStates(instance));
|
152 |
af113c74
|
Andreas Kohlbecker
|
}
|
153 |
|
|
|
154 |
|
|
/**
|
155 |
|
|
* @param authentication
|
156 |
|
|
* @param permission
|
157 |
|
|
* @param targteDomainObjText
|
158 |
|
|
*/
|
159 |
|
|
protected void logUserAndRequirement(Authentication authentication, String permissions, String targteDomainObjText) {
|
160 |
|
|
StringBuilder grantedAuthoritiesTxt = new StringBuilder();
|
161 |
|
|
for(GrantedAuthority ga : authentication.getAuthorities()){
|
162 |
|
|
grantedAuthoritiesTxt.append(" - ").append(ga.getAuthority()).append("\n");
|
163 |
|
|
}
|
164 |
|
|
if(grantedAuthoritiesTxt.length() == 0){
|
165 |
|
|
grantedAuthoritiesTxt.append(" - ").append("<No GrantedAuthority given>").append("\n");
|
166 |
|
|
}
|
167 |
|
|
logger.debug("hasPermission()\n"
|
168 |
|
|
+ " User '" + authentication.getName() + "':\n"
|
169 |
|
|
+ grantedAuthoritiesTxt
|
170 |
|
|
+ targteDomainObjText + "\n"
|
171 |
|
|
+ " Permission: " + permissions);
|
172 |
|
|
}
|
173 |
|
|
|
174 |
|
|
/**
|
175 |
|
|
* @param permission
|
176 |
|
|
* @return
|
177 |
|
|
*/
|
178 |
|
|
protected EnumSet<CRUD> operationFrom(Object permission) {
|
179 |
|
|
EnumSet<CRUD> requiredOperation;
|
180 |
|
|
// FIXME refactor into Operation ======
|
181 |
|
|
if (Operation.isOperation(permission)){
|
182 |
|
|
requiredOperation = (EnumSet<CRUD>)permission;
|
183 |
|
|
} else {
|
184 |
|
|
// try to treat as string
|
185 |
|
|
requiredOperation = Operation.fromString(permission.toString());
|
186 |
|
|
}
|
187 |
|
|
// =======================================
|
188 |
|
|
return requiredOperation;
|
189 |
|
|
}
|
190 |
|
|
|
191 |
dbf39472
|
Andreas Kohlbecker
|
/**
|
192 |
|
|
* @param targetEntity
|
193 |
|
|
* @param requiredOperation
|
194 |
|
|
* @return
|
195 |
|
|
*/
|
196 |
|
|
private CdmAuthority authorityRequiredFor(CdmBase targetEntity, EnumSet<CRUD> requiredOperation) {
|
197 |
f0aad502
|
Andreas Kohlbecker
|
CdmAuthority evalPermission = new CdmAuthority(targetEntity, requiredOperation);
|
198 |
dbf39472
|
Andreas Kohlbecker
|
return evalPermission;
|
199 |
|
|
}
|
200 |
|
|
|
201 |
a2239a81
|
Andreas Kohlbecker
|
|
202 |
75d0aefd
|
Andreas Kohlbecker
|
/**
|
203 |
|
|
* @param authorities
|
204 |
|
|
* @param evalPermission
|
205 |
|
|
* @param targetDomainObject
|
206 |
|
|
* @return
|
207 |
|
|
*/
|
208 |
72ce5ca1
|
Andreas Kohlbecker
|
private boolean evalPermission(Authentication authentication, CdmAuthority evalPermission, TargetEntityStates targetEntityStates){
|
209 |
a2239a81
|
Andreas Kohlbecker
|
|
210 |
4ed38662
|
Andreas Kohlbecker
|
//if user has administrator rights return true;
|
211 |
5a845253
|
Andreas Kohlbecker
|
if( hasOneOfRoles(authentication, Role.ROLE_ADMIN)){
|
212 |
|
|
return true;
|
213 |
|
|
}
|
214 |
4ed38662
|
Andreas Kohlbecker
|
|
215 |
8e3d605b
|
Andreas Kohlbecker
|
// === run voters
|
216 |
|
|
Collection<ConfigAttribute> attributes = new HashSet<ConfigAttribute>();
|
217 |
|
|
attributes.add(evalPermission);
|
218 |
adfc2cab
|
Andreas Kohlbecker
|
|
219 |
8e3d605b
|
Andreas Kohlbecker
|
logger.debug("AccessDecisionManager will decide ...");
|
220 |
5fb7d2db
|
Andreas Kohlbecker
|
try {
|
221 |
72ce5ca1
|
Andreas Kohlbecker
|
accessDecisionManager.decide(authentication, targetEntityStates, attributes);
|
222 |
5fb7d2db
|
Andreas Kohlbecker
|
} catch (InsufficientAuthenticationException e) {
|
223 |
|
|
logger.debug("AccessDecisionManager denied by " + e, e);
|
224 |
|
|
return false;
|
225 |
|
|
} catch (AccessDeniedException e) {
|
226 |
|
|
logger.debug("AccessDecisionManager denied by " + e, e);
|
227 |
|
|
return false;
|
228 |
|
|
}
|
229 |
adfc2cab
|
Andreas Kohlbecker
|
|
230 |
8e3d605b
|
Andreas Kohlbecker
|
return true;
|
231 |
a2239a81
|
Andreas Kohlbecker
|
}
|
232 |
dd65a7ea
|
Katja Luther
|
|
233 |
5a845253
|
Andreas Kohlbecker
|
/**
|
234 |
|
|
* @param authentication
|
235 |
|
|
*/
|
236 |
48ccf94a
|
Andreas Kohlbecker
|
@Override
|
237 |
5a845253
|
Andreas Kohlbecker
|
public boolean hasOneOfRoles(Authentication authentication, Role ... roles) {
|
238 |
|
|
for (GrantedAuthority authority: authentication.getAuthorities()){
|
239 |
|
|
for(Role role : roles){
|
240 |
6c86c7c2
|
Andreas Kohlbecker
|
if (role != null && authority.getAuthority().equals(role.getAuthority())){
|
241 |
5a845253
|
Andreas Kohlbecker
|
if(logger.isDebugEnabled()){
|
242 |
|
|
logger.debug(role.getAuthority() + " found => true");
|
243 |
|
|
}
|
244 |
|
|
return true;
|
245 |
|
|
}
|
246 |
|
|
}
|
247 |
|
|
}
|
248 |
|
|
return false;
|
249 |
|
|
}
|
250 |
|
|
|
251 |
dd65a7ea
|
Katja Luther
|
}
|