/** * @param value the string value of a light administrator privilege as recorded in {@code Experimenter.config.name} * @return the corresponding privilege, or {@code null} if there is no privilege with that string value */ public AdminPrivilege getPrivilegeForConfigName(String value) { if (value.startsWith(USER_CONFIG_NAME_PREFIX)) { return getPrivilege(value.substring(USER_CONFIG_NAME_PREFIX.length())); } else { return null; } }
public BasicACLVoter(CurrentDetails cd, SystemTypes sysTypes, TokenHolder tokenHolder, SecurityFilter securityFilter, PolicyService policyService, Roles roles, SessionProvider sessionProvider, ReadOnlyStatus readOnly) { this(cd, sysTypes, tokenHolder, securityFilter, policyService, roles, new LightAdminPrivileges(roles), sessionProvider, readOnly, new HashSet<String>(), new HashSet<String>(), UUID.randomUUID().toString()); }
/** * Determine the light administrator privileges associated with a session. * If the session originates via <q>sudo</q>, takes that into account. * Does <em>not</em> take account of if the relevant user is a member of <tt>system</tt>: * calculates assuming that the user is an administrator. * Assumes that <tt>root</tt> has all light administrator privileges. * @param session an OMERO session * @return the light administrator privileges associated with the session */ private ImmutableSet<AdminPrivilege> getPrivileges(Session session) { final Set<AdminPrivilege> privileges = new HashSet<>(getAllPrivileges()); removeUserPrivileges(session.getSudoer(), privileges); removeUserPrivileges(session.getOwner(), privileges); return ImmutableSet.copyOf(privileges); }
/** * Get a value suitable for {@link Experimenter#setConfig(List)} corresponding to the given light administrator privileges. * @param privileges the privileges that a light administrator should have, never {@code null} * @return the corresponding user configuration for that light administrator, never {@code null} * @throws ApiUsageException if unknown privileges are named */ private List<NamedValue> getRestrictedSystemUserConfig(Collection<AdminPrivilege> privileges) { assertKnownPrivileges(privileges); final List<NamedValue> userConfig = new ArrayList<>(); for (final AdminPrivilege privilege : LightAdminPrivileges.getAllPrivileges()) { if (!privileges.contains(privilege)) { userConfig.add(new NamedValue(adminPrivileges.getConfigNameForPrivilege(privilege), Boolean.toString(false))); } } return userConfig; }
@Override @RolesAllowed("user") public List<AdminPrivilege> getAdminPrivileges(Experimenter user) { if (!getMemberOfGroupIds(user).contains(getSecurityRoles().getSystemGroupId())) { return Collections.emptyList(); } final List<NamedValue> userConfig = userProxy(user.getId()).getConfig(); final List<AdminPrivilege> privileges = new ArrayList<AdminPrivilege>(LightAdminPrivileges.getAllPrivileges()); if (CollectionUtils.isNotEmpty(userConfig)) { for (final NamedValue configProperty : userConfig) { if (!Boolean.parseBoolean(configProperty.getValue())) { privileges.remove(adminPrivileges.getPrivilegeForConfigName(configProperty.getName())); } } } return privileges; }
privileges = adminPrivileges.getSessionPrivileges(session); } else { privileges = Collections.emptySet(); sessionQuery.append(" AND owner.id = :owner"); params.addLong("owner", session.getOwner().getId()); if (!privileges.contains(adminPrivileges.getPrivilege(AdminPrivilege.VALUE_READ_SESSION))) {
final Set<AdminPrivilege> targetUserPrivilegesBefore = ImmutableSet.copyOf(getAdminPrivileges(user)); final Set<AdminPrivilege> privilegesToRemove = new HashSet<AdminPrivilege>(LightAdminPrivileges.getAllPrivileges()); privilegesToRemove.removeAll(privileges); userConfig = user.getConfig(); for (final NamedValue configProperty : userConfig) { final AdminPrivilege currentPrivilege = adminPrivileges.getPrivilegeForConfigName(configProperty.getName()); if (currentPrivilege != null) { final boolean hasPrivilege = privileges.contains(currentPrivilege); userConfig.add(new NamedValue(adminPrivileges.getConfigNameForPrivilege(privilege), Boolean.toString(false)));
if (LightAdminPrivileges.getAllPrivileges().equals(privileges)) { for (int i = 0; i < scopes.length; i++) { if (scopes[i] != null) { if (repo != null) { if (managedRepoUuids.contains(repo)) { if (privileges.contains(adminPrivileges.getPrivilege(scope == Scope.DELETE ? AdminPrivilege.VALUE_DELETE_MANAGED_REPO : AdminPrivilege.VALUE_WRITE_MANAGED_REPO))) { hasLightAdminPrivilege = true; if (privileges.contains(adminPrivileges.getPrivilege(scope == Scope.DELETE ? AdminPrivilege.VALUE_DELETE_SCRIPT_REPO : AdminPrivilege.VALUE_WRITE_SCRIPT_REPO))) { hasLightAdminPrivilege = true; if (privileges.contains(adminPrivileges.getPrivilege(scope == Scope.DELETE ? AdminPrivilege.VALUE_DELETE_FILE : AdminPrivilege.VALUE_WRITE_FILE))) { hasLightAdminPrivilege = true; if (privileges.contains(adminPrivileges.getPrivilege(scope == Scope.DELETE ? AdminPrivilege.VALUE_DELETE_FILE : AdminPrivilege.VALUE_WRITE_FILE))) { hasLightAdminPrivilege = true; if (privileges.contains(adminPrivileges.getPrivilege(scope == Scope.DELETE ? AdminPrivilege.VALUE_DELETE_OWNED : AdminPrivilege.VALUE_WRITE_OWNED))) { hasLightAdminPrivilege = true; if (privileges.contains(adminPrivileges.getPrivilege(AdminPrivilege.VALUE_MODIFY_USER))) { hasLightAdminPrivilege = true;
/** * Initialization method called by the Spring run-time to acquire an initial * {@link Session}. */ public void init() { try { asroot = new Principal(internal_uuid, "system", "Sessions"); // Create a basic session Session session = new Session(); define(session, internal_uuid, "Session Manager internal", System.currentTimeMillis(), Long.MAX_VALUE, 0L, "Sessions", "Internal", null); session = sessionProvider.executeInternalSession(internal_uuid, session); internalSession = new InternalSessionContext(session, LightAdminPrivileges.getAllPrivileges(), roles); cache.putSession(internal_uuid, internalSession); } catch (UncategorizedSQLException uncat) { log.warn("Assuming that this is read-only"); } catch (DataAccessException dataAccess) { throw new RuntimeException( " " + "=====================================================\n" + "Data access exception: Did you create your database? \n" + "=====================================================\n", dataAccess); } }
/** * Determine the light administrator privileges associated with a session. * If the session originates via <q>sudo</q>, takes that into account. * Does <em>not</em> take account of if the relevant user is a member of <tt>system</tt>: * calculates assuming that the user is an administrator. * Caches newly fetched privileges for future lookups. * @param session an OMERO session * @return the light administrator privileges associated with the session */ public ImmutableSet<AdminPrivilege> getSessionPrivileges(Session session) { return getSessionPrivileges(session, true); }
/** * Determine the light administrator privileges associated with a session. * If the session originates via <q>sudo</q>, takes that into account. * Does <em>not</em> take account of if the relevant user is a member of <tt>system</tt>: * calculates assuming that the user is an administrator. * @param session an OMERO session * @param isCache if newly fetched privileges should be cached for future lookups * @return the light administrator privileges associated with the session */ private ImmutableSet<AdminPrivilege> getSessionPrivileges(Session session, boolean isCache) { final SessionEqualById wrappedSession = new SessionEqualById(session); try { if (isCache) { return PRIVILEGE_CACHE.get(wrappedSession); } else { final ImmutableSet<AdminPrivilege> privileges = PRIVILEGE_CACHE.getIfPresent(wrappedSession); if (privileges != null) { return privileges; } else { return getPrivileges(session); } } } catch (ExecutionException ee) { LOGGER.warn("failed to check privileges for session " + session.getId(), ee.getCause()); return ImmutableSet.of(); } }
if (context.isCurrentUserAdmin()) { if (currentSession != null) { final Set<AdminPrivilege> privileges = adminPrivileges.getSessionPrivileges(currentSession); if (privileges.contains(adminPrivileges.getPrivilege(AdminPrivilege.VALUE_SUDO))) { groupsLed = null; } else {
/** * Construct a new instance of a graph traversal manager. * @param session the Hibernate session * @param eventContext the current event context * @param aclVoter ACL voter for permissions checking * @param graphPathBean the graph path bean * @param unnullable properties that, while nullable, may not be nulled by a graph traversal operation * @param policy how to determine which related objects to include in the operation * @param processor how to operate on the resulting target object graph */ public GraphTraversal(Session session, EventContext eventContext, ACLVoter aclVoter, GraphPathBean graphPathBean, SetMultimap<String, String> unnullable, GraphPolicy policy, Processor processor) { this.session = session; this.eventContext = eventContext; this.aclVoter = aclVoter; this.model = graphPathBean; this.unnullable = unnullable; this.planning = new Planning(); this.policy = policy; this.processor = log.isDebugEnabled() ? debugWrap(processor) : processor; this.isCheckUserPermissions = !LightAdminPrivileges.getAllPrivileges().equals(eventContext.getCurrentAdminPrivileges()); }
list.add(hasAdminPrivileges ? adminPrivileges.getSessionPrivileges(reloaded) : Collections.emptySet()); list.add(memberOfGroupsIds); list.add(leaderOfGroupsIds);
@RolesAllowed("user") @Transactional(readOnly = false) public void removeGroupOwners(final ExperimenterGroup group, final Experimenter... owner) { adminOrPiOfGroups(adminPrivileges.getPrivilege(AdminPrivilege.VALUE_MODIFY_GROUP_MEMBERSHIP), group); for (Experimenter o : owner) { toggleGroupOwner(group, o, Boolean.FALSE); } }
public BasicACLVoter(CurrentDetails cd, SystemTypes sysTypes, TokenHolder tokenHolder, SecurityFilter securityFilter, PolicyService policyService, Roles roles) { this(cd, sysTypes, tokenHolder, securityFilter, policyService, roles, new LightAdminPrivileges(roles), null, new ReadOnlyStatus(false, false), new HashSet<String>(), new HashSet<String>(), UUID.randomUUID().toString()); log.info("assuming read-write repository"); }
public Object doInHibernate(Session session) throws HibernateException, SQLException { BasicEventContext c = cd.current(); boolean wasAdmin = c.isCurrentUserAdmin(); final Set<AdminPrivilege> oldAdminPrivileges = c.getAdminPrivileges(); ExperimenterGroup oldGroup = c.getGroup(); try { c.setAdmin(true); c.setAdminPrivileges(LightAdminPrivileges.getAllPrivileges()); if (group != null) { c.setGroup(group, group.getDetails().getPermissions()); } disable(MergeEventListener.MERGE_EVENT); enableReadFilter(session); action.runAsAdmin(); } finally { c.setAdmin(wasAdmin); c.setAdminPrivileges(oldAdminPrivileges); if (group != null) { c.setGroup(oldGroup, oldGroup.getDetails().getPermissions()); } enable(MergeEventListener.MERGE_EVENT); enableReadFilter(session); // Now as non-admin } return null; } });
@RolesAllowed("user") @Transactional(readOnly = false) public void addGroupOwners(final ExperimenterGroup group, final Experimenter... owner) { adminOrPiOfGroups(adminPrivileges.getPrivilege(AdminPrivilege.VALUE_MODIFY_GROUP_MEMBERSHIP), group); for (Experimenter o : owner) { toggleGroupOwner(group, o, Boolean.TRUE); } }
public CurrentDetails(SessionCache cache) { this.cache = cache; this.roles = new Roles(); this.sysTypes = new SystemTypes(roles); this.adminPrivileges = new LightAdminPrivileges(roles); this.managedRepoUuids = Collections.emptySet(); this.scriptRepoUuids = Collections.emptySet(); }
@RolesAllowed("user") @Transactional(readOnly = false) public void setGroupOwner(final ExperimenterGroup group, final Experimenter owner) { adminOrPiOfGroups(adminPrivileges.getPrivilege(AdminPrivilege.VALUE_MODIFY_GROUP_MEMBERSHIP), group); toggleGroupOwner(group, owner, Boolean.TRUE); }