CSPACE-3158: All new accounts created by the services need to have the "ROLE_SPRING_A...
authorRichard Millet <richard.millet@berkeley.edu>
Tue, 9 Nov 2010 03:09:39 +0000 (03:09 +0000)
committerRichard Millet <richard.millet@berkeley.edu>
Tue, 9 Nov 2010 03:09:39 +0000 (03:09 +0000)
14 files changed:
services/account/service/src/main/java/org/collectionspace/services/account/AccountRoleSubResource.java
services/authorization-mgt/client/src/test/java/org/collectionspace/services/authorization/client/test/RoleServiceTest.java
services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/driver/AuthorizationSeedDriver.java
services/authorization-mgt/import/src/main/java/org/collectionspace/services/authorization/importer/AuthorizationGen.java
services/authorization-mgt/import/src/main/resources/applicationContext-authorization-test.xml
services/authorization-mgt/import/src/main/resources/hibernate.cfg.xml
services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/PermissionDocumentHandler.java
services/authorization-mgt/service/src/main/java/org/collectionspace/services/authorization/storage/RoleDocumentHandler.java
services/authorization/jaxb/src/main/resources/permissions.xsd
services/authorization/pstore/src/main/resources/db/mysql/authorization.sql
services/authorization/pstore/src/main/resources/db/mysql/test_authorization.sql
services/authorization/service/src/main/java/org/collectionspace/services/authorization/PermissionActionUtil.java
services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringPermissionEvaluator.java
services/authorization/service/src/main/resources/applicationContext-authorization.xml

index a824db8cd46b39b86056d044b65e20c5c006a510..bc776a1bdfa0b9f9aadf0a2a38c2ea592196510a 100644 (file)
@@ -33,6 +33,7 @@ import org.collectionspace.services.authorization.AccountValue;
 import org.collectionspace.services.authorization.AccountRoleRel;
 import org.collectionspace.services.authorization.Permission;
 import org.collectionspace.services.authorization.Role;
+import org.collectionspace.services.authorization.RoleValue;
 import org.collectionspace.services.authorization.SubjectType;
 
 import org.collectionspace.services.common.AbstractCollectionSpaceResourceImpl;
@@ -56,6 +57,10 @@ public class AccountRoleSubResource
 //        extends AbstractCollectionSpaceResourceImpl<AccountRole, AccountRolesList> {
        extends AbstractCollectionSpaceResourceImpl<AccountRole, AccountRole> {
 
+       //FIXME: These belong in an Authorization class, not here
+    private static String ROLE_SPRING_ADMIN_ID = "-1";
+    private static String ROLE_SPRING_ADMIN_NAME = "ROLE_SPRING_ADMIN";    
+       
     final public static String ACCOUNT_ACCOUNTROLE_SERVICE = "accounts/accountroles";
     final public static String ROLE_ACCOUNTROLE_SERVICE = "authorization/roles/accountroles";
     //this service is never exposed as standalone RESTful service...just use unique
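Review bot: `ROLE_SPRING_ADMIN_ID` and `ROLE_SPRING_ADMIN_NAME` are mutable class-level statics, while the constants two lines below are declared `final public static`; nothing in the hunk reassigns them, so they should read `private static final String ROLE_SPRING_ADMIN_ID = "-1";` and `private static final String ROLE_SPRING_ADMIN_NAME = "ROLE_SPRING_ADMIN";`. The id is the one that `createAccountRole` (hunk L43-65) attaches to every new account, so guarding it against accidental reassignment matters more than for an ordinary constant. The two new lines also mix tab and space indentation with their neighbours.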
@@ -160,10 +165,20 @@ public class AccountRoleSubResource
      */
     public String createAccountRole(AccountRole input, SubjectType subject)
             throws Exception {
+       
+       //
+       // We need to associate every new account with the Spring Security Admin role so we can make
+       // changes to the Spring Security ACL tables.  The Spring Security Admin role has NO CollectionSpace
+       // specific permissions.  It is an internal/private role that service consumers and end-users NEVER see.
+       //
+       RoleValue springAdminRole = new RoleValue();
+       springAdminRole.setRoleId(ROLE_SPRING_ADMIN_ID);
+       springAdminRole.setRoleName(ROLE_SPRING_ADMIN_NAME);
+       List<RoleValue> roleValues = input.getRoles();
+       roleValues.add(springAdminRole);
 
         ServiceContext<AccountRole, AccountRole> ctx = createServiceContext(input, subject);
-        DocumentHandler handler = createDocumentHandler(ctx);
-        
+        DocumentHandler handler = createDocumentHandler(ctx);        
         String bogusCsid = getStorageClient(ctx).create(ctx, handler);
         
         return bogusCsid;
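Review bot: `roleValues.add(springAdminRole)` is unconditional, so a request whose roles list already carries role id "-1" produces a second (account_id, role_id) pair that the `unique (account_id, role_id)` constraint on accounts_roles (hunk L255-263) rejects at create time, and a `getRoles()` that returns null (I cannot see whether the generated getter lazily initialises the list) is an NPE. A membership check before the add, as below, keeps the server-side grant idempotent. The caller's `input` is also mutated in place, which the method's Javadoc should state, e.g. `the input's role list is extended with the internal Spring Security admin role`. createAccountRole's closing brace lies outside the hunk.
```java
List<RoleValue> roleValues = input.getRoles();
boolean hasSpringAdmin = false;
for (RoleValue rv : roleValues) {
    if (ROLE_SPRING_ADMIN_ID.equals(rv.getRoleId())) {
        hasSpringAdmin = true;
        break;
    }
}
if (!hasSpringAdmin) {
    roleValues.add(springAdminRole);
}
// … unchanged: createServiceContext / createDocumentHandler / create …
```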
index 41dfe180097832bf3389cd86b0a84aa6c0d4d79a..2c620442e0f3c2407fd8f08f7f0acf90ee26fc78 100644 (file)
@@ -351,7 +351,8 @@ public class RoleServiceTest extends AbstractServiceTestImpl {
         Role output = (Role) res.getEntity();
         Assert.assertNotNull(output);
 
-        String roleNameToVerify = "ROLE_" + verifyRoleName.toUpperCase();
+        //FIXME: Tenant ID of "1" should not be hard coded
+        String roleNameToVerify = "ROLE_" + "1_" + verifyRoleName.toUpperCase();
         Assert.assertEquals(output.getRoleName(), roleNameToVerify,
                 "RoleName fix did not work!");
     }
index 87369550cf03c4e5deb3197de03c0ad3653514dc..9c6faab5a9155f438bf5589afb7d68f5c9e78796 100644 (file)
@@ -165,9 +165,11 @@ public class AuthorizationSeedDriver {
     }
 
     private void login() {
-        GrantedAuthority gauth = new GrantedAuthorityImpl("ROLE_ADMINISTRATOR");
+        GrantedAuthority cspace_admin = new GrantedAuthorityImpl("ROLE_ADMINISTRATOR");
+        GrantedAuthority spring_security_admin = new GrantedAuthorityImpl("ROLE_SPRING_ADMIN");
         HashSet<GrantedAuthority> gauths = new HashSet<GrantedAuthority>();
-        gauths.add(gauth);
+        gauths.add(cspace_admin);
+        gauths.add(spring_security_admin);
         Authentication authRequest = new UsernamePasswordAuthenticationToken(user, password, gauths);
         SecurityContextHolder.getContext().setAuthentication(authRequest);
         if (logger.isDebugEnabled()) {
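Review bot: `cspace_admin` and `spring_security_admin` are snake_case while the surrounding locals (`gauths`, `authRequest`) are lowerCamelCase; `cspaceAdmin` and `springSecurityAdmin` would match the file. The literal "ROLE_SPRING_ADMIN" now also appears in AccountRoleSubResource (hunk L32-42), both applicationContext files (hunks L168-184 and L348-364) and test_authorization.sql (hunk L265-284); referencing one shared constant would keep the authority the seed driver logs in with from drifting away from the one the ACL configuration expects. login() continues outside the hunk.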
index c10f290f3f52321d7caf4dc6f494ed506f02d15a..b7105dfaa9ca29ca30ced189d5cb94195efd80e2 100644 (file)
@@ -58,9 +58,10 @@ import org.collectionspace.services.common.security.SecurityUtils;
  */
 public class AuthorizationGen {
 
-    final public static String ROLE_ADMINISTRATOR = "ROLE_ADMINISTRATOR";
-    final public static String ROLE_TENANT_ADMINISTRATOR = "ROLE_TENANT_ADMINISTRATOR";
-    final public static String ROLE_TENANT_READER = "ROLE_TENANT_READER";
+       final public static String ROLE_PREFIX = "ROLE_";
+    final public static String ROLE_ADMINISTRATOR = "ADMINISTRATOR";
+    final public static String ROLE_TENANT_ADMINISTRATOR = "TENANT_ADMINISTRATOR";
+    final public static String ROLE_TENANT_READER = "TENANT_READER";
     final public static String ROLE_ADMINISTRATOR_ID = "0";
     //
     // ActionGroup labels/constants
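Review bot: `ROLE_ADMINISTRATOR`, `ROLE_TENANT_ADMINISTRATOR` and `ROLE_TENANT_READER` are `public` constants whose values silently lose the `ROLE_` prefix while keeping their names, so any code outside this class that compares a stored role name against `AuthorizationGen.ROLE_ADMINISTRATOR` still compiles but no longer matches. Either keep the old names bound to the fully prefixed values and introduce new unprefixed ones, or document the new contract on each, e.g. `/** Unprefixed role name; ROLE_PREFIX (and the tenant id) are applied by the build*Role methods. */`. The new `ROLE_PREFIX` line is tab-indented while its neighbours use spaces.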
@@ -262,7 +263,9 @@ public class AuthorizationGen {
     private Role buildTenantAdminRole(String tenantId) {
         Role role = new Role();
         role.setCreatedAtItem(new Date());
-        role.setRoleName(ROLE_TENANT_ADMINISTRATOR);
+        role.setRoleName(ROLE_PREFIX +
+                       tenantId + "_" +
+                       ROLE_TENANT_ADMINISTRATOR);
         String id = UUID.randomUUID().toString();
         role.setCsid(id);
         role.setDescription("generated tenant admin role");
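Review bot: The name assembly `ROLE_PREFIX + tenantId + "_" + ROLE_TENANT_ADMINISTRATOR` is repeated in buildTenantReaderRole (hunk L118-128) and, without the tenant segment, in buildCSpaceAdminRole (hunk L159-167), while RoleDocumentHandler.fixRoleName (hunk L226-237) rebuilds the same `"ROLE_" + tenantId + "_"` prefix from its own literal. A single helper, `private static String tenantRoleName(String tenantId, String name) { return ROLE_PREFIX + tenantId + "_" + name; }`, gives the naming rule one home and is the natural place to reject a null or blank `tenantId`, which today yields `ROLE_null_...`. buildTenantAdminRole ends outside the hunk.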
@@ -273,7 +276,9 @@ public class AuthorizationGen {
     private Role buildTenantReaderRole(String tenantId) {
         Role role = new Role();
         role.setCreatedAtItem(new Date());
-        role.setRoleName(ROLE_TENANT_READER);
+        role.setRoleName(ROLE_PREFIX +
+                       tenantId + "_" +
+                       ROLE_TENANT_READER);
         String id = UUID.randomUUID().toString();
         role.setCsid(id);
         role.setDescription("generated tenant read only role");
@@ -289,21 +294,23 @@ public class AuthorizationGen {
     }
 
     public void associateDefaultPermissionsRoles() {
-        List<Role> roles = new ArrayList<Role>();
-        roles.add(cspaceAdminRole);
         for (Permission p : adminPermList) {
             PermissionRole permAdmRole = associatePermissionRoles(p, adminRoles);
             adminPermRoleList.add(permAdmRole);
-
-            //CSpace Administrator has all access
-            PermissionRole permCAdmRole = associatePermissionRoles(p, roles);
-            adminPermRoleList.add(permCAdmRole);
         }
 
         for (Permission p : readerPermList) {
             PermissionRole permRdrRole = associatePermissionRoles(p, readerRoles);
             readerPermRoleList.add(permRdrRole);
         }
+        
+        //CSpace Administrator has all access
+        List<Role> roles = new ArrayList<Role>();
+        roles.add(cspaceAdminRole);
+        for (Permission p : adminPermList) {
+            PermissionRole permCAdmRole = associatePermissionRoles(p, roles);
+            adminPermRoleList.add(permCAdmRole);
+        }        
     }
 
     public List<PermissionRole> associatePermissionsRoles(List<Permission> perms, List<Role> roles) {
@@ -358,7 +365,7 @@ public class AuthorizationGen {
 
     private Role buildCSpaceAdminRole() {
         Role role = new Role();
-        role.setRoleName(ROLE_ADMINISTRATOR);
+        role.setRoleName(ROLE_PREFIX + ROLE_ADMINISTRATOR);
         role.setCsid(ROLE_ADMINISTRATOR_ID);
         return role;
     }
index d313fbc051fdb092015e8b8460e166e1c2c60f57..42e5bf5020329abd5200c5459cdd5cb0a0d4dc4d 100644 (file)
         <constructor-arg>
             <list>
                 <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
-                    <constructor-arg value="ROLE_ADMINISTRATOR"/>
+                    <constructor-arg value="ROLE_SPRING_ADMIN"/>
                 </bean>
                 <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
-                    <constructor-arg value="ROLE_ADMINISTRATOR"/>
+                    <constructor-arg value="ROLE_SPRING_ADMIN"/>
                 </bean>
                 <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
-                    <constructor-arg value="ROLE_ADMINISTRATOR"/>
+                    <constructor-arg value="ROLE_SPRING_ADMIN"/>
                 </bean>
             </list>
         </constructor-arg>
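Review bot: All three GrantedAuthorityImpl beans in this list now carry the same authority, `ROLE_SPRING_ADMIN`, and hunk L348-364 makes the identical change to the production context; if the enclosing bean is Spring Security's AclAuthorizationStrategyImpl (not visible here), these are the take-ownership, modify-auditing and general-changes authorities, so a single role now covers every ACL administrative operation. Hunk L43-65 attaches that role to every account the service creates, so every authenticated account holds the ACL administrative authority, and the comment there describes it as invisible to end users; the design is therefore only as safe as the guarantee that ACL mutation is performed solely by trusted service code. That assumption belongs next to the bean: `<!-- ROLE_SPRING_ADMIN is granted to every service-created account (see AccountRoleSubResource); ACL changes must only be made by server-side code, never driven directly by client input -->`.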
index 8296399cf33de770654f4940a04619ad72791eaf..cb1f64509f1e398b8354f472408686908ccd8365 100644 (file)
@@ -19,6 +19,6 @@
         <property name="dialect">@DB_DIALECT@</property>
         <property name="transaction.factory_class">org.hibernate.transaction.JDBCTransactionFactory</property>
         <property name="current_session_context_class">thread</property>
-        <property name="hibernate.show_sql">true</property>
+        <property name="hibernate.show_sql">false</property>
     </session-factory>
 </hibernate-configuration>
index 9af981151e9925bff1d3876255663e09fb57cf48..bf6977c149cb4706f63d44e790c19971d9935d7e 100644 (file)
@@ -98,6 +98,7 @@ public class PermissionDocumentHandler
                    URIResourceImpl uriRes = new URIResourceImpl(perm.getTenantId(),
                            perm.getResourceName(), action);
                    permAction.setObjectIdentity(uriRes.getHashedId().toString());
+                   permAction.setObjectIdentityResource(uriRes.getId());
                    //PermissionActionUtil.update(perm, permAction);
                }
        } catch (Exception x) {
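Review bot: `uriRes.getId()` is written into `objectIdentityResource`, which the XSD (hunk L238-253) and authorization.sql (hunk L255-263) declare as a non-null varchar(128); the URIResourceImpl is constructed from tenant id, resource name and action, each of which the permissions table already allows to be up to 128 characters, so an over-long id would presumably fail at insert time with no context rather than here. A length check where the value is set, e.g. `if (uriRes.getId().length() > 128) { throw new IllegalArgumentException("object identity resource too long: " + uriRes.getId()); }`, surfaces the problem where it originates. The same line is added twice more in PermissionActionUtil (hunks L286-293 and L294-301), and the commented-out `PermissionActionUtil.update(perm, permAction)` on the next line suggests a shared helper already exists that could set both identity fields in one place. The enclosing try block starts outside the hunk.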
index 5fd3bf257774484b3ceca8763fb173f4706a06a8..837fbf51373aaa612c31cb2a4c990ff40a96415d 100644 (file)
@@ -54,16 +54,18 @@ public class RoleDocumentHandler
     public void handleCreate(DocumentWrapper<Role> wrapDoc) throws Exception {
         String id = UUID.randomUUID().toString();
         Role role = wrapDoc.getWrappedObject();
-        role.setRoleName(fixRoleName(role.getRoleName()));
-        role.setCsid(id);
         setTenant(role);
+        role.setRoleName(fixRoleName(role.getRoleName(),
+                       role.getTenantId()));
+        role.setCsid(id);
     }
 
     @Override
     public void handleUpdate(DocumentWrapper<Role> wrapDoc) throws Exception {
         Role roleFound = wrapDoc.getWrappedObject();
         Role roleReceived = getCommonPart();
-        roleReceived.setRoleName(fixRoleName(roleReceived.getRoleName()));
+        roleReceived.setRoleName(fixRoleName(roleReceived.getRoleName(),
+                       roleFound.getTenantId()));
         merge(roleReceived, roleFound);
     }
 
@@ -185,9 +187,9 @@ public class RoleDocumentHandler
         }
     }
 
-    private String fixRoleName(String role) {
+    private String fixRoleName(String role, String tenantId) {
         String roleName = role.toUpperCase();
-        String rolePrefix = "ROLE_";
+        String rolePrefix = "ROLE_" + tenantId + "_";
         if (!roleName.startsWith(rolePrefix)) {
             roleName = rolePrefix + roleName;
         }
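Review bot: With the prefix now `"ROLE_" + tenantId + "_"`, a name that arrives in the pre-existing form `ROLE_FOO` no longer satisfies `startsWith(rolePrefix)` and becomes `ROLE_<tenant>_ROLE_FOO`; the seeded `ROLE_ADMINISTRATOR` (hunk L265-284) would be renamed the same way if it ever passed through handleUpdate in hunk L204-225. If that is unintended, strip a bare legacy prefix first: `if (roleName.startsWith("ROLE_") && !roleName.startsWith(rolePrefix)) { roleName = roleName.substring("ROLE_".length()); }` ahead of the existing check. A null `tenantId` also produces `ROLE_null_`, so rejecting it at the top of the method is worth a line. fixRoleName's return lies outside the hunk.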
index 097cea7c5c648a58360c9ba0c9a10ae5ec566966..0b88a8c0f6bbe3270f35545d31d525e0ad6755a9 100644 (file)
                     </xs:appinfo>
                 </xs:annotation>
             </xs:element>
+            <xs:element name="objectIdentityResource" type="xs:string" minOccurs="1">
+                <xs:annotation>
+                    <xs:appinfo>
+                        <hj:basic>
+                            <orm:column name="objectIdentityResource" length="128" nullable="false"/>
+                        </hj:basic>
+                    </xs:appinfo>
+                </xs:annotation>
+            </xs:element>            
         </xs:sequence>
     </xs:complexType>
 
index e878814daa0276bf7dc2a3e62d008a2c013ae9a0..cf11aae9bd5bff8fc1f95b8e9432edcfbf360c8c 100644 (file)
@@ -6,7 +6,7 @@ drop table if exists permissions_roles;
 drop table if exists roles;
 create table accounts_roles (HJID bigint not null auto_increment, account_id varchar(128) not null, created_at datetime not null, role_id varchar(128) not null, role_name varchar(255), screen_name varchar(255), user_id varchar(128) not null, primary key (HJID), unique (account_id, role_id));
 create table permissions (csid varchar(128) not null, action_group varchar(128), attribute_name varchar(128), created_at datetime not null, description varchar(255), effect varchar(32) not null, resource_name varchar(128) not null, tenant_id varchar(128) not null, updated_at datetime, primary key (csid));
-create table permissions_actions (HJID bigint not null auto_increment, name varchar(128) not null, objectIdentity varchar(128) not null, ACTIONS_PERMISSION_CSID varchar(128), primary key (HJID));
+create table permissions_actions (HJID bigint not null auto_increment, name varchar(128) not null, objectIdentity varchar(128) not null, objectIdentityResource varchar(128) not null, ACTIONS_PERMISSION_CSID varchar(128), primary key (HJID));
 create table permissions_roles (HJID bigint not null auto_increment, actionGroup varchar(255), created_at datetime not null, permission_id varchar(128) not null, permission_resource varchar(255), role_id varchar(128) not null, role_name varchar(255), primary key (HJID), unique (permission_id, role_id));
 create table roles (csid varchar(128) not null, created_at datetime not null, description varchar(255), rolegroup varchar(255), rolename varchar(200) not null, tenant_id varchar(128) not null, updated_at datetime, primary key (csid), unique (rolename, tenant_id));
 alter table permissions_actions add index FK85F82042E2DC84FD (ACTIONS_PERMISSION_CSID), add constraint FK85F82042E2DC84FD foreign key (ACTIONS_PERMISSION_CSID) references permissions (csid);
index 2c961dfc3181d3399052275cfc80c6736d439078..f896a5207d2eabaac26ce6f3ee4c6a8071da3c20 100644 (file)
@@ -5,15 +5,19 @@
 --\r
 use cspace;\r
 \r
+insert into `roles` (`csid`, `rolename`, `rolegroup`, `created_at`, `tenant_id`) values ('-1', 'ROLE_SPRING_ADMIN', 'Spring Security Administrator', now(), '0');\r
 insert into `roles` (`csid`, `rolename`, `rolegroup`, `created_at`, `tenant_id`) values ('0', 'ROLE_ADMINISTRATOR', 'CollectionSpace Administrator', now(), '0');\r
 \r
 -- for default test account --\r
+insert into `accounts_roles`(`account_id`, `user_id`, `role_id`, `role_name`, `created_at`) values ('eeca40d7-dc77-4cc5-b489-16a53c75525a', 'test', '-1', 'ROLE_SPRING_ADMIN', now());\r
 insert into `accounts_roles`(`account_id`, `user_id`, `role_id`, `role_name`, `created_at`) values ('eeca40d7-dc77-4cc5-b489-16a53c75525a', 'test', '0', 'ROLE_ADMINISTRATOR', now());\r
 \r
 -- Additional account introduced during integration on release 0.6, and currently relied upon by the Application Layer.\r
+insert into `accounts_roles`(`account_id`, `user_id`, `role_id`, `role_name`, `created_at`) values ('251f98f3-0292-4f3e-aa95-455314050e1b', 'test@collectionspace.org', '-1', 'ROLE_SPRING_ADMIN', now());\r
 insert into `accounts_roles`(`account_id`, `user_id`, `role_id`, `role_name`, `created_at`) values ('251f98f3-0292-4f3e-aa95-455314050e1b', 'test@collectionspace.org', '0', 'ROLE_ADMINISTRATOR', now());\r
 \r
 -- test account for pahma --\r
+insert into `accounts_roles`(`account_id`, `user_id`, `role_id`, `role_name`, `created_at`) values ('ff2b4440-ed0d-4892-adb4-b6999eba3ae7', 'test-pahma', '-1', 'ROLE_SPRING_ADMIN', now());\r
 insert into `accounts_roles`(`account_id`, `user_id`, `role_id`, `role_name`, `created_at`) values ('ff2b4440-ed0d-4892-adb4-b6999eba3ae7', 'test-pahma', '0', 'ROLE_ADMINISTRATOR', now());\r
 \r
 -- todo: barney is created in security test but accountrole is not yet created there, so add fake account id\r
index 565a3754a65d8cb5f693af50cc63dfcfb7717dc2..d6b80042166646b271a5d38daaa72fe4fe0ed84c 100644 (file)
@@ -15,6 +15,7 @@ public class PermissionActionUtil {
                    perm.getResourceName(), action);\r
            pa.setName(actionType);\r
            pa.setObjectIdentity(uriRes.getHashedId().toString());\r
+           pa.setObjectIdentityResource(uriRes.getId());\r
            \r
            return pa;\r
        }\r
@@ -26,6 +27,7 @@ public class PermissionActionUtil {
            URIResourceImpl uriRes = new URIResourceImpl(perm.getTenantId(),\r
                    perm.getResourceName(), action);\r
            pa.setObjectIdentity(uriRes.getHashedId().toString());\r
+           pa.setObjectIdentityResource(uriRes.getId());\r
            \r
            return pa;\r
        }\r
index c13baf681735471c2192b83395b3f56ca21b0ba6..5fdd1f3c37d05fd8d0bec62e63625a5b438fd6a6 100644 (file)
@@ -23,6 +23,7 @@
  */
 package org.collectionspace.services.authorization.spring;
 
+import java.util.List;
 import java.io.Serializable;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -33,6 +34,7 @@ import org.collectionspace.services.authorization.CSpaceResource;
 import org.springframework.security.access.PermissionEvaluator;
 import org.springframework.security.acls.model.Permission;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.SecurityContextHolder;
 
 /**
@@ -55,7 +57,28 @@ public class SpringPermissionEvaluator implements CSpacePermissionEvaluator {
         Serializable objectIdId = SpringAuthorizationProvider.getObjectIdentityIdentifier(res);
         String objectIdType = SpringAuthorizationProvider.getObjectIdentityType(res);
         PermissionEvaluator eval = provider.getProviderPermissionEvaluator();
+        
+        debug(res, authToken, objectIdId, objectIdType, perm);
         return eval.hasPermission(authToken,
                 objectIdId, objectIdType, perm);
     }
+    
+    private void debug(CSpaceResource res,
+               Authentication authToken,
+               Serializable objectIdId,
+               String objectIdType,
+               Permission perm) {
+       if (log.isDebugEnabled() == true) {
+               log.debug(this.getClass().getCanonicalName() + ":" + this);
+               String resourceTarget = "[" + res.getId() + "]" + " | " +
+                               "[" + "objectIdId: " + objectIdType + "(" + objectIdId + ")]";
+               System.out.println("PERMISSION CHECK FOR: " + resourceTarget);
+               System.out.println("\tPrincipal: " + authToken.getName() +
+                               "\tTenant ID: " + res.getTenantId());
+               System.out.println("\tRoles: " + authToken.getAuthorities());
+               System.out.println("\tPermission Mask: " + perm.getMask() +
+                               " - Permission Pattern: " + perm.getPattern());
+               System.out.println("");
+       }
+    }
 }
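Review bot: The body of `debug` is guarded by `log.isDebugEnabled()` but then writes the principal name, tenant id, granted authorities and permission mask to `System.out.println`, so the authorization trace bypasses the logging configuration and cannot be routed, filtered or disabled like the rest of the log output. Routing the same strings through `log.debug(...)`, as below, keeps the guard meaningful; `== true` on the boolean is also redundant. The `import java.util.List;` added in hunk L303-310 is not used by anything visible in this hunk and may be unused in the file.
```java
private void debug(CSpaceResource res,
        Authentication authToken,
        Serializable objectIdId,
        String objectIdType,
        Permission perm) {
    if (!log.isDebugEnabled()) {
        return;
    }
    log.debug(this.getClass().getCanonicalName() + ":" + this);
    String resourceTarget = "[" + res.getId() + "]" + " | " +
            "[" + "objectIdId: " + objectIdType + "(" + objectIdId + ")]";
    log.debug("PERMISSION CHECK FOR: " + resourceTarget);
    log.debug("\tPrincipal: " + authToken.getName() + "\tTenant ID: " + res.getTenantId());
    log.debug("\tRoles: " + authToken.getAuthorities());
    log.debug("\tPermission Mask: " + perm.getMask() + " - Permission Pattern: " + perm.getPattern());
}
```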
index 75972364fa2165123f98724c44638c17d235f68d..ad3c750c24948f32c71b3f6c301bc0939556a526 100644 (file)
         <constructor-arg>
             <list>
                 <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
-                    <constructor-arg value="ROLE_ADMINISTRATOR"/>
+                    <constructor-arg value="ROLE_SPRING_ADMIN"/>
                 </bean>
                 <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
-                    <constructor-arg value="ROLE_ADMINISTRATOR"/>
+                    <constructor-arg value="ROLE_SPRING_ADMIN"/>
                 </bean>
                 <bean class="org.springframework.security.core.authority.GrantedAuthorityImpl">
-                    <constructor-arg value="ROLE_ADMINISTRATOR"/>
+                    <constructor-arg value="ROLE_SPRING_ADMIN"/>
                 </bean>
             </list>
         </constructor-arg>