From: Sanjay Dalal Date: Fri, 30 Apr 2010 23:26:29 +0000 (+0000) Subject: CSPACE-1482 a security resource is now tied to a tenant by tenant id. aces are now... X-Git-Url: https://git.aero2k.de/?a=commitdiff_plain;h=57423db1779551d3d355b7f2c0fa0b0006ac618d;p=tmp%2Fjakarta-migration.git CSPACE-1482 a security resource is now tied to a tenant by tenant id. aces are now tenant-qualified. test: authz local test, service tests M authorization/service/src/test/java/org/collectionspace/services/authorization/test/AuthorizationSeedTest.java M authorization/service/src/test/java/org/collectionspace/services/authorization/test/AuthorizationGen.java M authorization/service/src/test/resources/test-data/test-permissions.xml M authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringAuthorizationProvider.java M authorization/service/src/main/java/org/collectionspace/services/authorization/CSpaceResource.java M authorization/service/src/main/java/org/collectionspace/services/authorization/CSpaceResourceImpl.java M authorization/service/src/main/java/org/collectionspace/services/authorization/URIResourceImpl.java M authorization/service/src/main/java/org/collectionspace/services/authorization/AuthZ.java M authorization/service/pom.xml M authentication/service/src/main/java/org/collectionspace/authentication/AuthN.java M authentication/service/src/main/java/org/collectionspace/authentication/spring/SpringAuthNContext.java M authentication/service/src/main/java/org/collectionspace/authentication/spi/AuthNContext.java M common/src/main/java/org/collectionspace/services/common/security/SecurityContextImpl.java --- diff --git a/services/authentication/service/src/main/java/org/collectionspace/authentication/AuthN.java b/services/authentication/service/src/main/java/org/collectionspace/authentication/AuthN.java index 0860e1951..29bca9518 100644 --- a/services/authentication/service/src/main/java/org/collectionspace/authentication/AuthN.java +++ b/services/authentication/service/src/main/java/org/collectionspace/authentication/AuthN.java @@ -99,6 +99,14 @@ public class AuthN { return authnContext.getTenantIds(); } + public String getCurrentTenantId() { + return authnContext.getCurrentTenantId(); + } + + public String getCurrentTenantName() { + return authnContext.getCurrentTenantName(); + } + /** * getTenants returns tenants associated with user * @see CSpaceTenant diff --git a/services/authentication/service/src/main/java/org/collectionspace/authentication/spi/AuthNContext.java b/services/authentication/service/src/main/java/org/collectionspace/authentication/spi/AuthNContext.java index 896f36bd5..2dc88742a 100644 --- a/services/authentication/service/src/main/java/org/collectionspace/authentication/spi/AuthNContext.java +++ b/services/authentication/service/src/main/java/org/collectionspace/authentication/spi/AuthNContext.java @@ -22,7 +22,6 @@ * limitations under the License. . */ - package org.collectionspace.authentication.spi; import javax.security.auth.Subject; @@ -39,7 +38,7 @@ public abstract class AuthNContext { * @return */ public abstract String getUserId(); - + /** * getTenantIds get tenant ids from the tenant context associated with the * security context @@ -47,6 +46,17 @@ public abstract class AuthNContext { */ public abstract String[] getTenantIds(); + /** + * getCurrentTenantId get id of the tenant associated with the authenticated user + * @return + */ + public abstract String getCurrentTenantId(); + + /** + * getCurrentTenantName get name of the tenant associated with the authenticated user + * @return + */ + public abstract String getCurrentTenantName(); /** * getTenants get tenant context associated with the security context @@ -55,7 +65,6 @@ public abstract class AuthNContext { */ public abstract CSpaceTenant[] getTenants(); - /** * getSubject retrieves security context as Subject * @see javax.security.auth.Subject diff --git a/services/authentication/service/src/main/java/org/collectionspace/authentication/spring/SpringAuthNContext.java b/services/authentication/service/src/main/java/org/collectionspace/authentication/spring/SpringAuthNContext.java index 48a6bab38..bd89269b3 100644 --- a/services/authentication/service/src/main/java/org/collectionspace/authentication/spring/SpringAuthNContext.java +++ b/services/authentication/service/src/main/java/org/collectionspace/authentication/spring/SpringAuthNContext.java @@ -82,12 +82,22 @@ final public class SpringAuthNContext extends AuthNContext { ArrayList tenantList = new ArrayList(); CSpaceTenant[] tenants = getTenants(); - for(CSpaceTenant tenant : tenants) { + for (CSpaceTenant tenant : tenants) { tenantList.add(tenant.getId()); } return tenantList.toArray(new String[0]); } + @Override + public String getCurrentTenantId() { + //FIXME assumption in 1.0: each user is associated with a single tenant + String[] tenantIds = getTenantIds(); + if (tenantIds.length < 1) { + throw new IllegalStateException("No tenant associated with user=" + getUserId()); + } + return getTenantIds()[0]; + } + public CSpaceTenant[] getTenants() { List tenants = new ArrayList(); Subject caller = getSubject(); @@ -126,6 +136,16 @@ final public class SpringAuthNContext extends AuthNContext { return tenants.toArray(new CSpaceTenant[0]); } + @Override + public String getCurrentTenantName() { + //FIXME assumption in 1.0: each user is associated with a single tenant + CSpaceTenant[] tenants = getTenants(); + if (tenants.length < 1) { + throw new IllegalStateException("No tenant associated with user=" + getUserId()); + } + return getTenants()[0].getName(); + } + public Subject getSubject() { Subject caller = null; //if Spring was not used.... diff --git a/services/authorization/service/pom.xml b/services/authorization/service/pom.xml index 1d2cd6aed..da17e0845 100644 --- a/services/authorization/service/pom.xml +++ b/services/authorization/service/pom.xml @@ -149,6 +149,12 @@ test + + org.collectionspace.services + org.collectionspace.services.authentication.service + ${project.version} + provided + org.collectionspace.services org.collectionspace.services.authorization.jaxb @@ -178,4 +184,4 @@ - \ No newline at end of file + diff --git a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/AuthZ.java b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/AuthZ.java index 6d33d83d6..059c5e89f 100644 --- a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/AuthZ.java +++ b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/AuthZ.java @@ -75,11 +75,12 @@ public class AuthZ { } /** - * addPermissions add permissions from given permission configuration + * addUriPermissions add permissions from given permission configuration + * with assumption that resource is of type URI * @param permission configuration */ //FIXME this method should be in the restful web service resource of authz - public void addPermissions(Permission perm, + public void addUriPermissions(Permission perm, PermissionRole permRole) throws PermissionException { List principals = new ArrayList(); if (!perm.getCsid().equals(permRole.getPermissions().get(0).getPermissionId())) { @@ -93,7 +94,8 @@ public class AuthZ { } List permActions = perm.getActions(); for (PermissionAction permAction : permActions) { - URIResourceImpl uriRes = new URIResourceImpl(perm.getResourceName(), + URIResourceImpl uriRes = new URIResourceImpl(perm.getTenantId(), + perm.getResourceName(), permAction.getName()); addPermission(uriRes, principals.toArray(new String[0])); } @@ -158,17 +160,6 @@ public class AuthZ { */ public boolean isAccessAllowed(CSpaceResource res) { CSpaceAction action = res.getAction(); - return isAccessAllowed(res, action); - } - - /** - * isAccessAllowed check if authenticated principal is allowed to access - * given resource per given permission - * @param res - * @param perm - * @return - */ - public boolean isAccessAllowed(CSpaceResource res, CSpaceAction action) { return provider.getPermissionEvaluator().hasPermission(res, action); } } diff --git a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/CSpaceResource.java b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/CSpaceResource.java index 1cab88eba..f9599afd7 100644 --- a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/CSpaceResource.java +++ b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/CSpaceResource.java @@ -38,10 +38,24 @@ public interface CSpaceResource { OBJECT, ATTRIBUTE } + + /** + * getId get tenant-qualified id of this resource + * @return + */ public String getId(); + /** + * getType get type of the resource + */ public TYPE getType(); + /** + * getTenantId get the id of the tenant to which this resource is associated + * @return + */ + public String getTenantId(); + /** * getAction is a conveneniece method to get corresponding action to be invoked * on the resource for which permission is sought diff --git a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/CSpaceResourceImpl.java b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/CSpaceResourceImpl.java index 366ce9bf9..07d0c04ad 100644 --- a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/CSpaceResourceImpl.java +++ b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/CSpaceResourceImpl.java @@ -23,29 +23,69 @@ */ package org.collectionspace.services.authorization; +import org.collectionspace.authentication.AuthN; + /** * CSpaceResourceImpl abstract resource implementation * @author */ public abstract class CSpaceResourceImpl implements CSpaceResource { + final protected static String SEPARATOR_HASH = "#"; + final protected static String SEPARATOR_COLON = ":"; private String id; private TYPE type; + private CSpaceAction action; + private String tenantId; + + private CSpaceResourceImpl() { + } - public CSpaceResourceImpl() { + /** + * constructor that uses logged in user's tenant context to associate resource with + * @param id + * @param action + * @param type + */ + public CSpaceResourceImpl(String id, CSpaceAction action, TYPE type) { + setup(id, action, type); + tenantId = AuthN.get().getCurrentTenantId(); } - public CSpaceResourceImpl(String id, TYPE type) { - if (id == null || id.isEmpty() || type == null) { - throw new IllegalArgumentException("id and/or type cannot be null or empty"); + /** + * constructor that uses given tenant id to associate the resource with + * @param tenantId + * @param id + * @param action + * @param type + */ + public CSpaceResourceImpl(String tenantId, String id, CSpaceAction action, TYPE type) { + setup(id, action, type); + if (tenantId == null) { + throw new IllegalArgumentException("tenantId cannot be null"); + } + this.tenantId = tenantId; + } + + private void setup(String id, CSpaceAction action, TYPE type) { + if (id == null || id.isEmpty()) { + throw new IllegalArgumentException("id cannot be null or empty"); } this.id = id; + if (type == null) { + throw new IllegalArgumentException("type cannot be null"); + } + this.action = action; + if (action == null) { + throw new IllegalArgumentException("action cannot be null"); + } this.type = type; } @Override public String getId() { - return id; + //tenant-qualified id + return tenantId + SEPARATOR_COLON + id; } @Override @@ -54,7 +94,17 @@ public abstract class CSpaceResourceImpl implements CSpaceResource { } @Override - public abstract CSpaceAction getAction(); + public String getTenantId() { + return tenantId; + } + + /** + * getAction a convenience method to get action invoked on the resource + */ + @Override + public CSpaceAction getAction() { + return action; + } @Override public String toString() { @@ -64,9 +114,11 @@ public abstract class CSpaceResourceImpl implements CSpaceResource { builder.append(id); builder.append(", type="); builder.append(type); + builder.append(", tenantId="); + builder.append(tenantId); + builder.append(", action="); + builder.append(action.toString()); builder.append("]"); return builder.toString(); } - - } diff --git a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/URIResourceImpl.java b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/URIResourceImpl.java index 91c3e2853..4415611d4 100644 --- a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/URIResourceImpl.java +++ b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/URIResourceImpl.java @@ -15,28 +15,6 @@ * https://source.collectionspace.org/collection-space/LICENSE.txt - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *//** - * This document is a part of the source code and related artifacts - * for CollectionSpace, an open source collections management system - * for museums and related institutions: - - * http://www.collectionspace.org - * http://wiki.collectionspace.org - - * Copyright 2009 University of California at Berkeley - - * Licensed under the Educational Community License (ECL), Version 2.0. - * You may not use this file except in compliance with this License. - - * You may obtain a copy of the ECL 2.0 License at - - * https://source.collectionspace.org/collection-space/LICENSE.txt - * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -55,43 +33,61 @@ public class URIResourceImpl extends CSpaceResourceImpl { private String uri; private String method; - private CSpaceAction action; /** * constructor that is usually called from service runtime + * uses current tenant id from the context * @param uri * @param method an http method */ public URIResourceImpl(String uri, String method) { - super(getParent(uri) + "#" + getAction(method).toString(), TYPE.URI); - action = getAction(method); + super(buildId(getParent(uri), getAction(method)), + getAction(method), TYPE.URI); + this.uri = uri; + this.method = method; + } + + /** + * constructor that is usually called from service runtime + * @param tenantId id of the tenant to which this resource is associated + * @param uri + * @param method an http method + */ + public URIResourceImpl(String tenantId, String uri, String method) { + super(tenantId, buildId(getParent(uri), getAction(method)), + getAction(method), TYPE.URI); this.uri = uri; this.method = method; } /** * constructor that is usually called from administrative interface + * uses current tenant id from the context * @param resourceName * @param actionType */ public URIResourceImpl(String resourceName, ActionType actionType) { //FIXME more validation might be needed - super(resourceName + "#" + getAction(actionType).toString(), TYPE.URI); - action = getAction(actionType); + super(buildId(resourceName, getAction(actionType)), + getAction(actionType), TYPE.URI); } /** - * @return the uri + * constructor that is usually called from administrative interface + * @param tenantId id of the tenant to which this resource is associated + * @param resourceName + * @param actionType */ - public String getUri() { - return uri; + public URIResourceImpl(String tenantId, String resourceName, ActionType actionType) { + super(tenantId, buildId(resourceName, getAction(actionType)), + getAction(actionType), TYPE.URI); } /** - * @param uri the uri to set + * @return the uri */ - public void setUri(String uri) { - this.uri = uri; + public String getUri() { + return uri; } /** @@ -101,19 +97,8 @@ public class URIResourceImpl extends CSpaceResourceImpl { return method; } - /** - * @param method the method to set - */ - public void setMethod(String method) { - this.method = method; - } - - /** - * getAction a convenience method to get action invoked on the resource - */ - @Override - public CSpaceAction getAction() { - return action; + private static String buildId(String resourceName, CSpaceAction action) { + return resourceName + SEPARATOR_HASH + action.toString(); } private static String getParent(String uri) { @@ -173,8 +158,6 @@ public class URIResourceImpl extends CSpaceResourceImpl { public String toString() { StringBuilder builder = new StringBuilder(); builder.append("URIResourceImpl ["); - builder.append("action="); - builder.append(action); builder.append(", method="); builder.append(method); builder.append(", uri="); @@ -182,6 +165,4 @@ public class URIResourceImpl extends CSpaceResourceImpl { builder.append("]"); return builder.toString() + " " + super.toString(); } - - } diff --git a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringAuthorizationProvider.java b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringAuthorizationProvider.java index b986bd686..6d7bbe70b 100644 --- a/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringAuthorizationProvider.java +++ b/services/authorization/service/src/main/java/org/collectionspace/services/authorization/spring/SpringAuthorizationProvider.java @@ -20,32 +20,6 @@ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. - *//** - * This document is a part of the source code and related artifacts - * for CollectionSpace, an open source collections management system - * for museums and related institutions: - - * http://www.collectionspace.org - * http://wiki.collectionspace.org - - * Copyright 2009 University of California at Berkeley - - * Licensed under the Educational Community License (ECL), Version 2.0. - * You may not use this file except in compliance with this License. - - * You may obtain a copy of the ECL 2.0 License at - - * https://source.collectionspace.org/collection-space/LICENSE.txt - - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -/* - * To change this template, choose Tools | Templates - * and open the template in the editor. */ package org.collectionspace.services.authorization.spring; @@ -130,7 +104,8 @@ public class SpringAuthorizationProvider implements CSpaceAuthorizationProvider } static ObjectIdentity mapResource(CSpaceResource res) { - return new ObjectIdentityImpl(res.getType().toString(), Long.valueOf(res.getId().hashCode())); + return new ObjectIdentityImpl(res.getType().toString(), + Long.valueOf(res.getId().hashCode())); } static Sid[] mapPrincipal(String[] principals) { diff --git a/services/authorization/service/src/test/java/org/collectionspace/services/authorization/test/AuthorizationGen.java b/services/authorization/service/src/test/java/org/collectionspace/services/authorization/test/AuthorizationGen.java index 8599a76ca..aa03956af 100644 --- a/services/authorization/service/src/test/java/org/collectionspace/services/authorization/test/AuthorizationGen.java +++ b/services/authorization/service/src/test/java/org/collectionspace/services/authorization/test/AuthorizationGen.java @@ -89,7 +89,7 @@ public class AuthorizationGen { perm.setCsid(id); perm.setResourceName(resourceName); perm.setEffect(EffectType.PERMIT); - + perm.setTenantId("1"); ArrayList pas = new ArrayList(); perm.setActions(pas); @@ -142,7 +142,7 @@ public class AuthorizationGen { rv2.setRoleId("2"); roleValues.add(rv2); pr.setRoles(roleValues); - + return pr; } diff --git a/services/authorization/service/src/test/java/org/collectionspace/services/authorization/test/AuthorizationSeedTest.java b/services/authorization/service/src/test/java/org/collectionspace/services/authorization/test/AuthorizationSeedTest.java index 8f5d285d5..a5660580f 100644 --- a/services/authorization/service/src/test/java/org/collectionspace/services/authorization/test/AuthorizationSeedTest.java +++ b/services/authorization/service/src/test/java/org/collectionspace/services/authorization/test/AuthorizationSeedTest.java @@ -15,28 +15,6 @@ * https://source.collectionspace.org/collection-space/LICENSE.txt - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - *//** - * This document is a part of the source code and related artifacts - * for CollectionSpace, an open source collections management system - * for museums and related institutions: - - * http://www.collectionspace.org - * http://wiki.collectionspace.org - - * Copyright 2009 University of California at Berkeley - - * Licensed under the Educational Community License (ECL), Version 2.0. - * You may not use this file except in compliance with this License. - - * You may obtain a copy of the ECL 2.0 License at - - * https://source.collectionspace.org/collection-space/LICENSE.txt - * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -105,7 +83,7 @@ public class AuthorizationSeedTest extends AbstractAuthorizationTestImpl { } for (PermissionRole pr : pcrList.getPermissionRoles()) { if (pr.getPermissions().get(0).getPermissionId().equals(p.getCsid())) { - authZ.addPermissions(p, pr); + authZ.addUriPermissions(p, pr); } } } diff --git a/services/authorization/service/src/test/resources/test-data/test-permissions.xml b/services/authorization/service/src/test/resources/test-data/test-permissions.xml index 4d1becb26..512f2127c 100644 --- a/services/authorization/service/src/test/resources/test-data/test-permissions.xml +++ b/services/authorization/service/src/test/resources/test-data/test-permissions.xml @@ -15,6 +15,7 @@ DELETE PERMIT + 1 collectionobjects @@ -31,5 +32,6 @@ DELETE PERMIT + 1 diff --git a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityContextImpl.java b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityContextImpl.java index fb6d38298..f7de2c781 100644 --- a/services/common/src/main/java/org/collectionspace/services/common/security/SecurityContextImpl.java +++ b/services/common/src/main/java/org/collectionspace/services/common/security/SecurityContextImpl.java @@ -40,13 +40,13 @@ public class SecurityContextImpl implements SecurityContext { final Logger logger = LoggerFactory.getLogger(SecurityContextImpl.class); private String userId; - private CSpaceTenant[] tenants = new CSpaceTenant[0]; - private String[] tenantIds = new String[0]; + private String currentTenantName; + private String currentTenantId; public SecurityContextImpl() { userId = AuthN.get().getUserId(); - tenantIds = AuthN.get().getTenantIds(); - tenants = AuthN.get().getTenants(); + currentTenantId = AuthN.get().getCurrentTenantId(); + currentTenantName = AuthN.get().getCurrentTenantName(); } @Override @@ -56,11 +56,11 @@ public class SecurityContextImpl implements SecurityContext { @Override public String getCurrentTenantId() { - return tenantIds[0]; + return currentTenantId; } @Override public String getCurrentTenantName() { - return tenants[0].getName(); + return currentTenantName; } }