public static void throwExceptionIfWriteIsNotAllowed() throws AuthorizationDeniedException { throw new AuthorizationDeniedException("Cannot execute non read-only method in read-only instance"); }
public AuthorizationDeniedException(String message, List<String> missingRoles) { super(message); setMissingRoles(missingRoles); }
public static void checkRoles(final User rsu, final List<String> rolesToCheck) throws AuthorizationDeniedException { // INFO 20170220 nvieira containsAll changed to set intersection (contain at // least one role) if (!rolesToCheck.isEmpty() && Sets.intersection(rsu.getAllRoles(), new HashSet<>(rolesToCheck)).isEmpty()) { final List<String> missingRoles = new ArrayList<>(rolesToCheck); missingRoles.removeAll(rsu.getAllRoles()); throw new AuthorizationDeniedException("The user '" + rsu.getId() + "' does not have all needed permissions", missingRoles); } }
public static void checkGroup(final User rsu, final String group) throws AuthorizationDeniedException { if (!rsu.getGroups().contains(group)) { LOGGER.debug("User '{}' groups: {} vs. group to check: {}", rsu.getId(), rsu.getGroups(), group); throw new AuthorizationDeniedException( "The user '" + rsu.getId() + "' does not belong to the group '" + group + "'"); } }
public static void checkRoles(final User user, final Class<?> invokingMethodInnerClass, final Class<?> classToReturn) throws AuthorizationDeniedException { final Method method = invokingMethodInnerClass.getEnclosingMethod(); final String classParam = (classToReturn == null) ? "" : "(" + classToReturn.getSimpleName() + ")"; final String configKey = String.format("core.roles.%s.%s%s", method.getDeclaringClass().getName(), method.getName(), classParam); if (RodaCoreFactory.getRodaConfiguration().containsKey(configKey)) { LOGGER.trace("Testing if user '{}' has permissions to '{}'", user.getName(), configKey); final List<String> roles = RodaCoreFactory.getRodaConfigurationAsList(configKey); checkRoles(user, roles); } else { LOGGER.error("Unable to determine which roles the user '{}' needs because the config. key '{}' is not defined", user.getName(), configKey); throw new AuthorizationDeniedException( "Unable to determine which roles the user needs because the config. key '" + configKey + "' is not defined"); } }
"Unable to determine which permissions the user '{}' needs because the config value '{}' is not a permission type", user.getName(), configValue); throw new AuthorizationDeniedException( "Unable to determine which permissions the user needs because the config value '" + configValue + "' is not a permission type"); "Unable to determine which permissions the user '{}' needs because the config key '{}' is not defined", user.getName(), configKey); throw new AuthorizationDeniedException( "Unable to determine which permissions the user needs because the config key '" + configKey + "' is not defined");
"Unable to determine which permissions the user '{}' needs because the config value '{}' is not a permission type", user.getName(), configValue); throw new AuthorizationDeniedException( "Unable to determine which permissions the user needs because the config value '" + configValue + "' is not a permission type"); "Unable to determine which permissions the user '{}' needs because the config. key '{}' is not defined", user.getName(), configKey); throw new AuthorizationDeniedException( "Unable to determine which permissions the user needs because the config. key '" + configKey + "' is not defined");
public static void checkDIPPermissions(User user, IndexedDIP dip, PermissionType permissionType) throws AuthorizationDeniedException { if (isAdministrator(user)) { return; } Set<String> users = dip.getPermissions().getUsers().get(permissionType); Set<String> groups = dip.getPermissions().getGroups().get(permissionType); LOGGER.debug("Checking if user '{}' has permissions to {} dip {} (object read permissions: {} & {})", user.getId(), permissionType, dip.getId(), users, groups); if (!users.contains(user.getId()) && iterativeDisjoint(groups, user.getGroups())) { throw new AuthorizationDeniedException( "The user '" + user.getId() + "' does not have permissions to " + permissionType); } }
public static void checkAIPPermissions(User user, IndexedAIP aip, PermissionType permissionType) throws AuthorizationDeniedException { if (isAdministrator(user)) { return; } Set<String> users = aip.getPermissions().getUsers().get(permissionType); Set<String> groups = aip.getPermissions().getGroups().get(permissionType); LOGGER.debug("Checking if user '{}' has permissions to {} object {} (object read permissions: {} & {})", user.getId(), permissionType, aip.getId(), users, groups); if (!users.contains(user.getId()) && iterativeDisjoint(groups, user.getGroups())) { throw new AuthorizationDeniedException( "The user '" + user.getId() + "' does not have permissions to " + permissionType); } }
private static <T extends IsIndexed> void checkAIPObjectPermissions(User user, T obj, Function<T, String> toAIP, PermissionType permissionType) throws AuthorizationDeniedException { if (isAdministrator(user)) { return; } String aipId = toAIP.apply(obj); IndexedAIP aip; try { aip = RodaCoreFactory.getIndexService().retrieve(IndexedAIP.class, aipId, RodaConstants.AIP_PERMISSIONS_FIELDS_TO_RETURN); } catch (NotFoundException | GenericException e) { throw new AuthorizationDeniedException("Could not check permissions of object " + obj, e); } Set<String> users = aip.getPermissions().getUsers().get(permissionType); Set<String> groups = aip.getPermissions().getGroups().get(permissionType); LOGGER.debug("Checking if user '{}' has permissions to {} object {} (object read permissions: {} & {})", user.getId(), permissionType, aip.getId(), users, groups); if (!users.contains(user.getId()) && iterativeDisjoint(groups, user.getGroups())) { throw new AuthorizationDeniedException( "The user '" + user.getId() + "' does not have permissions to " + permissionType); } }
private static <T extends IsIndexed> void checkDIPObjectPermissions(User user, T obj, Function<T, String> toDIP, PermissionType permissionType) throws AuthorizationDeniedException { if (isAdministrator(user)) { return; } String dipId = toDIP.apply(obj); IndexedDIP dip; try { dip = RodaCoreFactory.getIndexService().retrieve(IndexedDIP.class, dipId, RodaConstants.DIP_PERMISSIONS_FIELDS_TO_RETURN); } catch (NotFoundException | GenericException e) { throw new AuthorizationDeniedException("Could not check permissions of object " + obj, e); } Set<String> users = dip.getPermissions().getUsers().get(permissionType); Set<String> groups = dip.getPermissions().getGroups().get(permissionType); LOGGER.debug("Checking if user '{}' has permissions to {} object {} (object read permissions: {} & {})", user.getId(), permissionType, dip.getId(), users, groups); if (!users.contains(user.getId()) && iterativeDisjoint(groups, user.getGroups())) { throw new AuthorizationDeniedException( "The user '" + user.getId() + "' does not have permissions to " + permissionType); } }
} catch (NotFoundException e) { throw new AuthorizationDeniedException( "Could not verify permissions of object [" + classToReturn.getSimpleName() + "] " + obj.getUUID(), e); } catch (NotFoundException e) { throw new AuthorizationDeniedException( "Could not verify permissions of object [" + classToReturn.getSimpleName() + "] " + uuid, e);
public void deleteUser(String id, boolean notify, boolean isHandlingEvent) throws GenericException, AuthorizationDeniedException { boolean writeIsAllowed = RodaCoreFactory.checkIfWriteIsAllowed(nodeType); try { UserUtility.getLdapUtility().removeUser(id); if (notify && writeIsAllowed) { notifyUserDeleted(id).failOnError(); } if (!isHandlingEvent) { eventsManager.notifyUserDeleted(this, id); } } catch (IllegalOperationException e) { throw new AuthorizationDeniedException("Illegal operation", e); } }
public User updateMyUser(User user, String password, boolean notify, boolean isHandlingEvent) throws GenericException, AlreadyExistsException, NotFoundException, AuthorizationDeniedException { boolean writeIsAllowed = RodaCoreFactory.checkIfWriteIsAllowed(nodeType); try { User updatedUser = UserUtility.getLdapUtility().modifySelfUser(user, password); if (notify && writeIsAllowed) { notifyUserUpdated(updatedUser).failOnError(); } if (!isHandlingEvent) { // FIXME 20180813 hsilva: user is not the previous state of the user eventsManager.notifyUserUpdated(this, user, updatedUser, password); } return updatedUser; } catch (IllegalOperationException e) { throw new AuthorizationDeniedException("Illegal operation", e); } }
public void deleteGroup(String id, boolean notify, boolean isHandlingEvent) throws GenericException, AuthorizationDeniedException { boolean writeIsAllowed = RodaCoreFactory.checkIfWriteIsAllowed(nodeType); if (!writeIsAllowed && !isHandlingEvent) { RodaCoreFactory.throwExceptionIfWriteIsNotAllowed(); } try { UserUtility.getLdapUtility().removeGroup(id); if (notify && writeIsAllowed) { notifyGroupDeleted(id).failOnError(); } if (!isHandlingEvent) { eventsManager.notifyGroupDeleted(this, id); } } catch (IllegalOperationException e) { throw new AuthorizationDeniedException("Illegal operation", e); } }
public Group updateGroup(final Group group, boolean notify, boolean isHandlingEvent) throws GenericException, NotFoundException, AuthorizationDeniedException { boolean writeIsAllowed = RodaCoreFactory.checkIfWriteIsAllowed(nodeType); if (!writeIsAllowed && !isHandlingEvent) { RodaCoreFactory.throwExceptionIfWriteIsNotAllowed(); } try { Group updatedGroup = UserUtility.getLdapUtility().modifyGroup(group); if (notify && writeIsAllowed) { notifyGroupUpdated(updatedGroup).failOnError(); } if (!isHandlingEvent) { // FIXME 20180813 hsilva: group is not the previous state of the group eventsManager.notifyGroupUpdated(this, group, updatedGroup); } return updatedGroup; } catch (IllegalOperationException e) { throw new AuthorizationDeniedException("Illegal operation", e); } }
/** * @param isHandlingEvent * this should only be set to true if invoked from EventsManager * related methods */ public User updateUser(User user, String password, boolean notify, boolean isHandlingEvent) throws GenericException, AlreadyExistsException, NotFoundException, AuthorizationDeniedException { boolean writeIsAllowed = RodaCoreFactory.checkIfWriteIsAllowed(nodeType); try { if (password != null) { UserUtility.getLdapUtility().setUserPassword(user.getId(), password); } User updatedUser = UserUtility.getLdapUtility().modifyUser(user); if (notify && writeIsAllowed) { notifyUserUpdated(updatedUser).failOnError(); } if (!isHandlingEvent) { // FIXME 20180813 hsilva: user is not the previous state of the user eventsManager.notifyUserUpdated(this, user, updatedUser, password); } return updatedUser; } catch (IllegalOperationException e) { throw new AuthorizationDeniedException("Illegal operation", e); } }
public User deActivateUser(String id, boolean activate, boolean notify, boolean isHandlingEvent) throws GenericException, AlreadyExistsException, NotFoundException, AuthorizationDeniedException { boolean writeIsAllowed = RodaCoreFactory.checkIfWriteIsAllowed(nodeType); try { User user = UserUtility.getLdapUtility().getUser(id); if (user.isActive() != activate) { user.setActive(activate); User updatedUser = UserUtility.getLdapUtility().modifyUser(user); if (notify && writeIsAllowed) { notifyUserUpdated(updatedUser).failOnError(); } if (!isHandlingEvent) { // FIXME 20180813 hsilva: user is not the previous state of the user eventsManager.notifyUserUpdated(this, user, updatedUser, null); } return updatedUser; } else { return user; } } catch (IllegalOperationException e) { throw new AuthorizationDeniedException("Illegal operation", e); } }