Revision 10370
Added by Chris Jones over 7 years ago
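--- a/src/edu/ucsb/nceas/metacat/dataone/D1NodeService.java
+++ b/src/edu/ucsb/nceas/metacat/dataone/D1NodeService.java
@@ -1159,37 +1159,42 @@
 throw new InvalidRequest("1761", "Permission was not provided or is invalid");
 }
 
-// always allow CN access
-if ( isAdminAuthorized(session) ) {
-allowed = true;
-return allowed;
-
-}
-
 String serviceFailureCode = "1760";
 Identifier sid = getPIDForSID(pid, serviceFailureCode);
 if(sid != null) {
 pid = sid;
 }
 
-// the authoritative member node of the pid always has the access as well.
-if (isAuthoritativeMNodeAdmin(session, pid)) {
-allowed = true;
-return allowed;
+// Is it the owner of the object or the access rules allow the user?
+if ( userHasPermission(session, pid, permission ) ) {
+allowed = true;
+return allowed;
 }
+
+// Allow the Coordinating Node Subject?
+if ( ! allowed ) {
+if ( isAdminAuthorized(session) ) {
+allowed = true;
+
+}
+}
 
-//is it the owner of the object or the access rules allow the user?
-allowed = userHasPermission(session, pid, permission );
+// Allow the Member Node Subject
+if ( ! allowed ) {
+if (isAuthoritativeMNodeAdmin(session, pid)) {
+allowed = true;
+}
+}
 
-// throw or return?
-if (!allowed) {
-// track the identities we have checked against
-StringBuffer includedSubjects = new StringBuffer();
-Set<Subject> subjects = AuthUtils.authorizedClientSubjects(session);
-for (Subject s: subjects) {
+if ( ! allowed ) {
+// track the identities we have checked against
+StringBuffer includedSubjects = new StringBuffer();
+Set<Subject> subjects = AuthUtils.authorizedClientSubjects(session);
+for (Subject s: subjects) {
 includedSubjects.append(s.getValue() + "; ");
 }
-throw new NotAuthorized("1820", permission + " not allowed on " + pid.getValue() + " for subject[s]: " + includedSubjects.toString() );
+throw new NotAuthorized("1820", permission + " not allowed on " +
+pid.getValue() + " for subject[s]: " + includedSubjects.toString() );
 }
 
 return allowed;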
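Review bot: With the reordered checks the `if ( ! allowed )` guards on new lines 1175 and 1183 are always true, because the only earlier assignment to `allowed` is immediately followed by `return allowed` on line 1171, so the nesting hides what is now a plain OR of two grants. The two nested blocks could be collapsed to `allowed = isAdminAuthorized(session) || isAuthoritativeMNodeAdmin(session, pid);`, which leaves the deny-by-default throw on line 1189 untouched and makes it easier to see that no branch can clear a grant once set. The reorder also means userHasPermission() now runs before the CN and MN checks for every caller; if it can throw (for example on a missing object or a failed access-rule lookup), administrative callers that previously short-circuited at isAdminAuthorized() will now surface that exception instead of being authorized, which is worth confirming and stating in the method's Javadoc. The StringBuffer on line 1191 is a method-local accumulator, so StringBuilder is the idiomatic choice. The enclosing isAuthorized() method begins before this hunk and its closing brace lies outside it.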
Change isAuthorized() to prioritize user authz
Re-order the calls to userHasPermission(), isAdminAuthorized(), and isAuthoritativeMNodeAdmin() such that the user authorization comes first. This should drastically reduce the calls to CN.listNodes() and the resulting NodeList unmarshalling involved in comparing CN and MN Node Subjects to token or certificate Subjects.
refs https://projects.ecoinformatics.org/ecoinfo/issues/7203