Revision 5098
Added by daigle about 15 years ago
src/edu/ucsb/nceas/metacat/accesscontrol/XMLAccessAccess.java | ||
---|---|---|
1 | 1 |
/** |
2 | 2 |
* '$RCSfile$' |
3 |
* Purpose: A Class that manages database access of scheduled task
|
|
3 |
* Purpose: A Class that manages database access of xml access
|
|
4 | 4 |
* information. |
5 | 5 |
* Copyright: 2009 Regents of the University of California and the |
6 | 6 |
* National Center for Ecological Analysis and Synthesis |
... | ... | |
259 | 259 |
} |
260 | 260 |
|
261 | 261 |
/** |
262 |
* Add permissions for a given prinicpal on a given document. If the
|
|
263 |
* prinicpal already exists, bitwise OR the permission to the existing
|
|
262 |
* Add permissions for a given principal on a given document. If the
|
|
263 |
* principal already exists, bitwise OR the permission to the existing
|
|
264 | 264 |
* permission and update. |
265 | 265 |
* |
266 | 266 |
* @param docId |
... | ... | |
310 | 310 |
} |
311 | 311 |
|
312 | 312 |
/** |
313 |
* Insert an xml access record |
|
313 |
* Set permissions for a given document. This means first removing all access control for the |
|
314 |
* document and then adding the given rules. |
|
315 |
* |
|
314 | 316 |
* @param docId |
315 | 317 |
* document id |
318 |
* @param xmlAccessList |
|
319 |
* list of xml access dao objects that hold new access for the document |
|
320 |
*/ |
|
321 |
public void setXMLAccess(String docId, Vector<XMLAccessDAO> xmlAccessList) throws AccessException { |
|
322 |
deleteXMLAccessForDoc(docId); |
|
323 |
|
|
324 |
// if more than one record exists for this principal on this document with the same |
|
325 |
// access type / access order combination, call cleanup to combine common access and then |
|
326 |
// re-retrieve the access list. |
|
327 |
for(XMLAccessDAO xmlAccessDAO : xmlAccessList) { |
|
328 |
insertXMLAccess(docId, xmlAccessDAO.getPrincipalName(), xmlAccessDAO.getPermission(), |
|
329 |
xmlAccessDAO.getPermType(), xmlAccessDAO.getPermOrder()); |
|
330 |
} |
|
331 |
} |
|
332 |
|
|
333 |
/** |
|
334 |
* Insert an xml access record. It is assumed that the checks have already been made to |
|
335 |
* make sure the principal does not already have an access record for this document. If |
|
336 |
* one does already exist, that record should be updated and this insert not called. |
|
337 |
* |
|
338 |
* @param docId |
|
339 |
* document id |
|
316 | 340 |
* @param principal |
317 | 341 |
* principal credentials |
318 | 342 |
* @param permission |
... | ... | |
389 | 413 |
} |
390 | 414 |
|
391 | 415 |
/** |
392 |
* Update existing xml access permissions in the db |
|
416 |
* Update existing xml access permissions in the db. The permission value should be the combined |
|
417 |
* value of pre-existing permissions plus new permissions. |
|
418 |
* |
|
393 | 419 |
* @param docId |
394 | 420 |
* document id |
395 | 421 |
* @param principalName |
... | ... | |
455 | 481 |
} |
456 | 482 |
|
457 | 483 |
/** |
458 |
* Delete xml access. This modifies the access in the database for a principal
|
|
484 |
* Remove xml access. This modifies the access in the database for a principal
|
|
459 | 485 |
* for a given document. If the provided permission is exactly the same as what |
460 |
* the principal has, the record is removed from the database. |
|
486 |
* the principal has, the record is deleted from the database. |
|
487 |
* |
|
461 | 488 |
* @param docId |
462 | 489 |
* document id |
463 | 490 |
* @param principalName |
464 | 491 |
* principal credentials |
465 | 492 |
*/ |
466 |
private void removeXMLAccessForPrincipal(String docId, String principalName, Long permission) throws AccessException {
|
|
493 |
public void removeXMLAccessForPrincipal(String docId, String principalName, Long permission) throws AccessException {
|
|
467 | 494 |
if (docId == null) { |
468 | 495 |
throw new AccessException("XMLAccessAccess.removeXMLAccessForPrincipal - docid is required when " + |
469 | 496 |
"removing XML access"); |
... | ... | |
504 | 531 |
} |
505 | 532 |
|
506 | 533 |
/** |
534 |
* Delete xml access. This removes all access records from the database for a given document |
|
535 |
* |
|
536 |
* @param docId |
|
537 |
* document id |
|
538 |
*/ |
|
539 |
private void deleteXMLAccessForDoc(String docId) throws AccessException { |
|
540 |
if (docId == null) { |
|
541 |
throw new AccessException("XMLAccessAccess.deleteXMLAccessForPrincipal - docid is required when " + |
|
542 |
"deleting XML access record"); |
|
543 |
} |
|
544 |
|
|
545 |
PreparedStatement pstmt = null; |
|
546 |
DBConnection conn = null; |
|
547 |
int serialNumber = -1; |
|
548 |
try { |
|
549 |
// check out DBConnection |
|
550 |
conn = DBConnectionPool.getDBConnection("XMLAccessAccess.deleteXMLAccessForDoc"); |
|
551 |
String sql = "DELETE FROM xml_access WHERE docid = ?"; |
|
552 |
pstmt = conn.prepareStatement(sql); |
|
553 |
|
|
554 |
// Bind the values to the query |
|
555 |
pstmt.setString(1, docId); |
|
556 |
|
|
557 |
String sqlReport = "XMLAccessAccess.deleteXMLAccessForDoc - SQL: " + sql; |
|
558 |
sqlReport += " [" + docId + "]"; |
|
559 |
|
|
560 |
logMetacat.info(sqlReport); |
|
561 |
|
|
562 |
pstmt.execute(); |
|
563 |
} catch (SQLException sqle) { |
|
564 |
throw new AccessException("XMLAccessAccess.deleteXMLAccessForDoc - SQL error when deleting" |
|
565 |
+ "xml access permissions for doc id: " + docId + ":" + sqle.getMessage()); |
|
566 |
} finally { |
|
567 |
try { |
|
568 |
if (pstmt != null) { |
|
569 |
pstmt.close(); |
|
570 |
} |
|
571 |
} catch (SQLException sqle) { |
|
572 |
logMetacat.error("XMLAccessAccess.deleteXMLAccessForDoc - SQL error when closing prepared " + |
|
573 |
"statement after deleting xml access permissions for doc id: " + ":" + sqle.getMessage()); |
|
574 |
} finally { |
|
575 |
DBConnectionPool.returnDBConnection(conn, serialNumber); |
|
576 |
} |
|
577 |
} |
|
578 |
} |
|
579 |
|
|
580 |
/** |
|
507 | 581 |
* Delete xml access. This removes all access records from the database for a principal |
508 | 582 |
* for a given document |
583 |
* |
|
509 | 584 |
* @param docId |
510 | 585 |
* document id |
511 | 586 |
* @param principal |
... | ... | |
628 | 703 |
} |
629 | 704 |
|
630 | 705 |
} |
631 |
|
|
706 |
|
|
707 |
/** |
|
708 |
* Make sure that only one record exists per principal/permType/document. If |
|
709 |
* more than one record exists, delete the existing records, consolidate the |
|
710 |
* permissions insert the new record. |
|
711 |
* |
|
712 |
* @param xmlAccessList |
|
713 |
* @throws AccessException |
|
714 |
*/ |
|
632 | 715 |
private void cleanupXMLAccessForPrincipal(Vector<XMLAccessDAO> xmlAccessList) throws AccessException{ |
633 | 716 |
|
634 |
long permissionMask = 0; |
|
717 |
int numAllowRecords = 0; |
|
718 |
int numDenyRecords = 0; |
|
719 |
long allowPermissionMask = 0; |
|
720 |
long denyPermissionMask = 0; |
|
635 | 721 |
String docId = null; |
636 | 722 |
String principalName = null; |
637 | 723 |
String permType = null; |
638 | 724 |
String permOrder = null; |
639 | 725 |
|
640 |
if (xmlAccessList.size() == 1) { |
|
641 |
return; |
|
642 |
} |
|
643 | 726 |
|
644 | 727 |
// iterate through the list of access dao objects and bttwise or the permissions. Most |
645 | 728 |
// of this is just doing some error checking to make sure each record is valid. |
... | ... | |
689 | 772 |
"principalName " + principalName + ". Database intervention required "); |
690 | 773 |
} |
691 | 774 |
} |
692 |
permissionMask |= xmlAccessDAO.getPermission(); |
|
775 |
if (permType.equals(AccessControlInterface.ALLOW)) { |
|
776 |
numAllowRecords++; |
|
777 |
allowPermissionMask |= xmlAccessDAO.getPermission(); |
|
778 |
} else if (permType.equals(AccessControlInterface.DENY)) { |
|
779 |
numDenyRecords++; |
|
780 |
denyPermissionMask |= xmlAccessDAO.getPermission(); |
|
781 |
} |
|
693 | 782 |
} |
694 | 783 |
|
695 |
// remove all records for this user on this doc with this perm type and perm order |
|
696 |
// then insert a single record |
|
697 |
deleteXMLAccessForPrincipal(docId, principalName, permType, permOrder); |
|
698 |
insertXMLAccess(docId, principalName, permissionMask, permType, permOrder); |
|
784 |
// if there was more than one allow record, remove all allow records for this user on this doc |
|
785 |
// with this perm type and perm order then insert a single record |
|
786 |
if (numAllowRecords > 1) { |
|
787 |
deleteXMLAccessForPrincipal(docId, principalName, AccessControlInterface.ALLOW, permOrder); |
|
788 |
insertXMLAccess(docId, principalName, allowPermissionMask, AccessControlInterface.ALLOW, permOrder); |
|
789 |
} |
|
790 |
// if there was more than one deny record, remove all deny records for this user on this doc |
|
791 |
// with this perm type and perm order then insert a single record |
|
792 |
if (numDenyRecords > 1) { |
|
793 |
deleteXMLAccessForPrincipal(docId, principalName, AccessControlInterface.DENY, permOrder); |
|
794 |
insertXMLAccess(docId, principalName, denyPermissionMask, AccessControlInterface.DENY, permOrder); |
|
795 |
} |
|
699 | 796 |
} |
700 | 797 |
|
798 |
/** |
|
799 |
* |
|
800 |
* @param xmlAccessList |
|
801 |
* @throws PermOrderException |
|
802 |
*/ |
|
701 | 803 |
private void validateDocXMLAccessList(Vector<XMLAccessDAO> xmlAccessList) throws PermOrderException { |
702 | 804 |
String permOrder = null; |
703 | 805 |
for(XMLAccessDAO xmlAccessDAO : xmlAccessList) { |
... | ... | |
769 | 871 |
". Database intervention required "); |
770 | 872 |
} |
771 | 873 |
} |
772 |
|
|
773 |
/** |
|
774 |
* Check if the given list of XML access DAOs has redundant access. This occurs if there is |
|
775 |
* more than one instance of any combination of access type and access order. Note that we |
|
776 |
* assume that the list contains access records for one principal on one document. |
|
777 |
* @param xmlAccessList |
|
778 |
* @return |
|
779 |
* @throws AccessException |
|
780 |
*/ |
|
781 |
private boolean hasRedundantPrincipalAccess(Vector<XMLAccessDAO> xmlAccessList) throws AccessException { |
|
782 |
|
|
783 |
// These will hold counts of all combinations of access DAOs with different permission |
|
784 |
// orders and permission types. |
|
785 |
int allowFirstAllows = 0; |
|
786 |
int allowFirstDenys = 0; |
|
787 |
int denyFirstAllows = 0; |
|
788 |
int denyFirstDenys = 0; |
|
789 |
|
|
790 |
for(XMLAccessDAO xmlAccessDAO : xmlAccessList) { |
|
791 |
if (xmlAccessDAO.getPermOrder().equals(AccessControlInterface.ALLOWFIRST)) { |
|
792 |
if (xmlAccessDAO.getPermType().equals(AccessControlInterface.ALLOW)) { |
|
793 |
allowFirstAllows++; |
|
794 |
} else if (xmlAccessDAO.getPermType().equals(AccessControlInterface.DENY)) { |
|
795 |
allowFirstDenys++; |
|
796 |
} else { |
|
797 |
throw new AccessException("XMLAccessAccess.validatePrincipalXMLAccessList - " + |
|
798 |
"Invalid permission type: "+ xmlAccessDAO.getPermType() + " for document " + |
|
799 |
xmlAccessDAO.getDocId() + ". Database intervention required "); |
|
800 |
} |
|
801 |
} else if (xmlAccessDAO.getPermOrder().equals(AccessControlInterface.DENYFIRST)) { |
|
802 |
if (xmlAccessDAO.getPermType().equals(AccessControlInterface.ALLOW)) { |
|
803 |
denyFirstAllows++; |
|
804 |
} else if (xmlAccessDAO.getPermType().equals(AccessControlInterface.DENY)) { |
|
805 |
denyFirstDenys++; |
|
806 |
} else { |
|
807 |
throw new AccessException("XMLAccessAccess.validatePrincipalXMLAccessList - " + |
|
808 |
"Invalid permission type: " + xmlAccessDAO.getPermType() + " for document "+ |
|
809 |
xmlAccessDAO.getDocId() + ". Database intervention required "); |
|
810 |
} |
|
811 |
} |
|
812 |
} |
|
813 |
return (allowFirstAllows > 1) || (allowFirstDenys > 1) || (denyFirstAllows > 1) |
|
814 |
|| (denyFirstDenys > 1); |
|
815 |
} |
|
816 | 874 |
|
817 | 875 |
/** |
818 | 876 |
* Populate a job data object with the current row in a resultset |
src/edu/ucsb/nceas/metacat/accesscontrol/XMLAccessDAO.java | ||
---|---|---|
57 | 57 |
} |
58 | 58 |
|
59 | 59 |
public void setDocId(String docId) { |
60 |
_docId = docId; |
|
60 |
if (docId != null && docId.equals("")) { |
|
61 |
docId = null; |
|
62 |
} else { |
|
63 |
_docId = docId; |
|
64 |
} |
|
61 | 65 |
} |
62 | 66 |
|
63 | 67 |
public String getAccessFileId() { |
... | ... | |
65 | 69 |
} |
66 | 70 |
|
67 | 71 |
public void setAccessFileId(String accessFileId) { |
68 |
_accessFileId = accessFileId; |
|
72 |
if(accessFileId != null && accessFileId.equals("")) { |
|
73 |
_accessFileId = null; |
|
74 |
} else { |
|
75 |
_accessFileId = accessFileId; |
|
76 |
} |
|
69 | 77 |
} |
70 | 78 |
|
71 | 79 |
public String getPrincipalName() { |
... | ... | |
73 | 81 |
} |
74 | 82 |
|
75 | 83 |
public void setPrincipalName(String principalName) { |
76 |
_principalName = principalName; |
|
84 |
if (principalName != null && principalName.equals("")) { |
|
85 |
_principalName = null; |
|
86 |
} else { |
|
87 |
_principalName = principalName; |
|
88 |
} |
|
77 | 89 |
} |
78 | 90 |
|
79 | 91 |
public Long getPermission() { |
... | ... | |
89 | 101 |
} |
90 | 102 |
|
91 | 103 |
public void setPermType(String permType) { |
92 |
_permType = permType; |
|
104 |
if (permType != null && permType.equals("")) { |
|
105 |
_permType = null; |
|
106 |
} else { |
|
107 |
_permType = permType; |
|
108 |
} |
|
93 | 109 |
} |
94 | 110 |
|
95 | 111 |
public String getPermOrder() { |
... | ... | |
97 | 113 |
} |
98 | 114 |
|
99 | 115 |
public void setPermOrder(String permOrder) { |
100 |
_permOrder = permOrder; |
|
116 |
if (permOrder != null && permOrder.equals("")) { |
|
117 |
_permOrder = null; |
|
118 |
} else { |
|
119 |
_permOrder = permOrder; |
|
120 |
} |
|
101 | 121 |
} |
102 | 122 |
|
103 | 123 |
public Date getBeginTime() { |
... | ... | |
129 | 149 |
} |
130 | 150 |
|
131 | 151 |
public void setSubTreeId(String subTreeId) { |
132 |
_subTreeId = subTreeId; |
|
152 |
if (subTreeId != null && subTreeId.equals("")) { |
|
153 |
_subTreeId = null; |
|
154 |
} else { |
|
155 |
_subTreeId = subTreeId; |
|
156 |
} |
|
133 | 157 |
} |
134 | 158 |
|
135 | 159 |
public String getStartNodeId() { |
... | ... | |
137 | 161 |
} |
138 | 162 |
|
139 | 163 |
public void setStartNodeId(String startNodeId) { |
140 |
_startNodeId = startNodeId; |
|
164 |
if (startNodeId != null && startNodeId.equals("")) { |
|
165 |
_startNodeId = null; |
|
166 |
} else { |
|
167 |
_startNodeId = startNodeId; |
|
168 |
} |
|
141 | 169 |
} |
142 | 170 |
|
143 | 171 |
public String getEndNodeId() { |
... | ... | |
145 | 173 |
} |
146 | 174 |
|
147 | 175 |
public void setEndNodeId(String endNodeId) { |
148 |
_endNodeId = endNodeId; |
|
176 |
if (endNodeId != null && endNodeId.equals("")) { |
|
177 |
endNodeId = null; |
|
178 |
} else { |
|
179 |
_endNodeId = endNodeId; |
|
180 |
} |
|
149 | 181 |
} |
150 | 182 |
|
151 | 183 |
} |
src/edu/ucsb/nceas/metacat/accesscontrol/AccessControlForSingleFile.java | ||
---|---|---|
27 | 27 |
|
28 | 28 |
package edu.ucsb.nceas.metacat.accesscontrol; |
29 | 29 |
|
30 |
import java.sql.*; |
|
30 |
import java.io.IOException; |
|
31 |
import java.io.StringReader; |
|
32 |
import java.sql.PreparedStatement; |
|
33 |
import java.sql.ResultSet; |
|
34 |
import java.sql.SQLException; |
|
35 |
import java.util.Vector; |
|
31 | 36 |
|
32 | 37 |
import org.apache.log4j.Logger; |
38 |
import org.xml.sax.ContentHandler; |
|
39 |
import org.xml.sax.ErrorHandler; |
|
40 |
import org.xml.sax.InputSource; |
|
41 |
import org.xml.sax.SAXException; |
|
42 |
import org.xml.sax.XMLReader; |
|
43 |
import org.xml.sax.helpers.XMLReaderFactory; |
|
33 | 44 |
|
45 |
import edu.ucsb.nceas.metacat.DocInfoHandler; |
|
46 |
import edu.ucsb.nceas.metacat.DocumentImpl; |
|
47 |
import edu.ucsb.nceas.metacat.McdbException; |
|
48 |
import edu.ucsb.nceas.metacat.PermissionController; |
|
34 | 49 |
import edu.ucsb.nceas.metacat.database.DBConnection; |
35 | 50 |
import edu.ucsb.nceas.metacat.database.DBConnectionPool; |
51 |
import edu.ucsb.nceas.metacat.properties.PropertyService; |
|
36 | 52 |
import edu.ucsb.nceas.metacat.shared.AccessException; |
37 | 53 |
import edu.ucsb.nceas.metacat.util.DocumentUtil; |
54 |
import edu.ucsb.nceas.utilities.PropertyNotFoundException; |
|
38 | 55 |
|
39 | 56 |
|
40 | 57 |
/** |
... | ... | |
45 | 62 |
public class AccessControlForSingleFile implements AccessControlInterface |
46 | 63 |
{ |
47 | 64 |
|
48 |
|
|
49 |
|
|
50 | 65 |
private String docId; |
51 |
private String principal; |
|
52 |
private int permission; |
|
53 |
private String permType; |
|
54 |
private String permOrder; |
|
55 | 66 |
private Logger logMetacat = Logger.getLogger(AccessControlForSingleFile.class); |
56 | 67 |
|
57 | 68 |
|
58 | 69 |
/** |
59 | 70 |
* Construct an instance of the AccessControlForSingleFile class. |
60 | 71 |
* @param myAccessNumber the docid or docid with dev will be controlled |
61 |
* @param myprincipal the principal will have permission |
|
62 |
* @param myPermission the permission will be given |
|
63 |
* @param myPermType the permsission type, allow or deny |
|
64 |
* @param myPermOrder the permission order, allowFirst or denyFirst |
|
65 | 72 |
*/ |
66 |
public AccessControlForSingleFile(String myAccessionNumber, |
|
67 |
String myPrincipalName, |
|
68 |
String myPermission, |
|
69 |
String myPermType, |
|
70 |
String myPermOrder) |
|
71 |
throws Exception |
|
73 |
public AccessControlForSingleFile(String accessionNumber) throws AccessControlException |
|
72 | 74 |
{ |
73 |
try |
|
74 |
{ |
|
75 | 75 |
//Get rid of dev if myaccessNumber has one; |
76 |
docId = DocumentUtil.getDocIdFromString(myAccessionNumber);
|
|
76 |
docId = DocumentUtil.getDocIdFromString(accessionNumber);
|
|
77 | 77 |
if (docId == null || docId.equals("")) |
78 | 78 |
{ |
79 |
throw new Exception("Docid couldn't be null"); |
|
79 |
throw new AccessControlException("AccessControlForSingleFile() - Accession number " + |
|
80 |
"can't be null in constructor"); |
|
80 | 81 |
} |
81 |
// Check principal |
|
82 |
principal = myPrincipalName; |
|
83 |
if (principal == null || principal.equals("")) |
|
84 |
{ |
|
85 |
throw new Exception("principal couldn't be null"); |
|
86 |
} |
|
87 |
// get permission value |
|
88 |
permission = AccessControlList.intValue(myPermission); |
|
89 |
if (permission == -1) |
|
90 |
{ |
|
91 |
throw new Exception("permission "+ myPermission + " is not valid"); |
|
92 |
} |
|
93 |
// check permission type |
|
94 |
permType = myPermType; |
|
95 |
// if permtype is not allow or deny, throw a exception |
|
96 |
if (permType == null |
|
97 |
|| (!permType.equals(AccessControlInterface.ALLOW) |
|
98 |
&& !permType.equals(AccessControlInterface.DENY))) |
|
99 |
{ |
|
100 |
throw new Exception("permtype should be "+AccessControlInterface.ALLOW+ |
|
101 |
" or " +AccessControlInterface.DENY); |
|
102 |
} |
|
103 |
// check permission order |
|
104 |
permOrder = myPermOrder; |
|
105 | 82 |
|
106 |
// If permission order is not allowFirst or denyFirst, default to denyFirst. |
|
107 |
if (permOrder == null || !permOrder.equals(AccessControlInterface.DENYFIRST)) { |
|
108 |
permOrder = AccessControlInterface.ALLOWFIRST; |
|
109 |
} |
|
110 |
|
|
111 |
//debugMessage |
|
112 |
logMetacat.info("docid in AccessControlForSingleFiel: " + |
|
113 |
docId); |
|
114 |
logMetacat.info("principal in AccessControlForSingleFiel: " + |
|
115 |
principal); |
|
116 |
logMetacat.info("permission in AccessControlForSingleFiel: " + |
|
117 |
permission); |
|
118 |
logMetacat.info("permType in AccessControlForSingleFiel: " + |
|
119 |
permType); |
|
120 |
logMetacat.info("permOrder in AccessControlForSingleFiel: " + |
|
121 |
permOrder); |
|
122 |
} |
|
123 |
catch (Exception e) |
|
124 |
{ |
|
125 |
logMetacat.error("Error in construct of AccessControlForSingle" + |
|
126 |
"File for docid: " + docId + " : " + e.getMessage()); |
|
127 |
throw e; |
|
128 |
} |
|
83 |
logMetacat.debug("AccessControlForSingleFile() - docid: " + docId); |
|
84 |
|
|
129 | 85 |
} |
130 | 86 |
|
87 |
/** |
|
88 |
* Insert a single access record into the database based on access DAO |
|
89 |
* object |
|
90 |
* |
|
91 |
* @param xmlAccessDAO |
|
92 |
* dao object holding info to insert |
|
93 |
*/ |
|
94 |
public void insertPermissions(XMLAccessDAO xmlAccessDAO) throws AccessControlException{ |
|
95 |
insertPermissions(xmlAccessDAO.getPrincipalName(), xmlAccessDAO.getPermission(), |
|
96 |
xmlAccessDAO.getPermType(), xmlAccessDAO.getPermOrder()); |
|
97 |
} |
|
131 | 98 |
|
132 |
|
|
133 |
|
|
134 |
|
|
135 |
|
|
136 |
|
|
137 |
/**
|
|
138 |
* Method to insert records into xml_access table
|
|
139 |
*/
|
|
140 |
|
|
141 |
public void insertPermissions() throws AccessControlException {
|
|
99 |
/** |
|
100 |
* Insert a single access record into the database. |
|
101 |
* |
|
102 |
* @param principalName |
|
103 |
* @param permission |
|
104 |
* @param permType
|
|
105 |
* @param permOrder
|
|
106 |
* @throws AccessControlException
|
|
107 |
*/ |
|
108 |
public void insertPermissions(String principalName, Long permission, String permType, String permOrder) throws AccessControlException {
|
|
142 | 109 |
try { |
143 | 110 |
// The addXMLAccess method will create the permission record if it does not exist. |
144 | 111 |
// It will bitwise OR to permissions if the principal already has a record for this |
145 | 112 |
// doc id. |
146 | 113 |
XMLAccessAccess xmlAccessAccess = new XMLAccessAccess(); |
147 |
xmlAccessAccess.addXMLAccess(docId, principal, new Long(permission), permType, permOrder); |
|
114 |
xmlAccessAccess.addXMLAccess(docId, principalName, new Long(permission), permType, permOrder);
|
|
148 | 115 |
} catch (AccessException ae) { |
149 | 116 |
throw new AccessControlException("AccessControlForSingleFile.insertPermissions - " |
150 | 117 |
+ "DB access error when inserting permissions: " + ae.getMessage()); |
151 | 118 |
} |
152 | 119 |
} |
153 | 120 |
|
154 |
/** |
|
121 |
/** |
|
122 |
* Replace existing permissions with a given block of permissions for this |
|
123 |
* document. |
|
155 | 124 |
* |
125 |
* @param accessBlock |
|
126 |
* the xml access block. This is the same structure as that |
|
127 |
* returned by the getdocumentinfo action in metacat. |
|
128 |
*/ |
|
129 |
public void insertPermissions(String accessBlock) throws AccessControlException { |
|
130 |
try { |
|
131 |
XMLReader parser = null; |
|
132 |
DocInfoHandler docInfoHandler = new DocInfoHandler(); |
|
133 |
ContentHandler chandler = docInfoHandler; |
|
134 |
|
|
135 |
// Get an instance of the parser |
|
136 |
String parserName = PropertyService.getProperty("xml.saxparser"); |
|
137 |
parser = XMLReaderFactory.createXMLReader(parserName); |
|
138 |
|
|
139 |
// Turn off validation |
|
140 |
parser.setFeature("http://xml.org/sax/features/validation", false); |
|
141 |
parser.setContentHandler((ContentHandler)chandler); |
|
142 |
parser.setErrorHandler((ErrorHandler)chandler); |
|
143 |
|
|
144 |
parser.parse(new InputSource(new StringReader(accessBlock))); |
|
145 |
|
|
146 |
Vector<XMLAccessDAO> accessControlList = docInfoHandler.getAccessControlList(); |
|
147 |
if (accessControlList != null) { |
|
148 |
for (XMLAccessDAO xmlAccessDAO : accessControlList) { |
|
149 |
insertPermissions(xmlAccessDAO); |
|
150 |
logMetacat.debug("AccessControlForSingleFile.insertPermissions - document " + docId |
|
151 |
+ " permissions added to DB"); |
|
152 |
} |
|
153 |
} |
|
154 |
} catch (PropertyNotFoundException pnfe) { |
|
155 |
throw new AccessControlException("AccessControlForSingleFile.insertPermissions - " |
|
156 |
+ "property error when inserting permissions: " + pnfe.getMessage()); |
|
157 |
} catch (SAXException se) { |
|
158 |
throw new AccessControlException("AccessControlForSingleFile.insertPermissions - " |
|
159 |
+ "SAX error when inserting permissions: " + se.getMessage()); |
|
160 |
} catch(IOException ioe) { |
|
161 |
throw new AccessControlException("AccessControlForSingleFile.insertPermissions - " |
|
162 |
+ "I/O error when inserting permissions: " + ioe.getMessage()); |
|
163 |
} |
|
164 |
} |
|
165 |
|
|
166 |
/** |
|
167 |
* |
|
156 | 168 |
* @return true if the Access Control for this file already exists in the DB |
157 | 169 |
* @throws SQLException |
158 | 170 |
*/ |
159 |
public boolean accessControlExists() throws SQLException |
|
160 |
{ |
|
161 |
boolean exists = false; |
|
162 |
PreparedStatement pstmt = null; |
|
163 |
DBConnection conn = null; |
|
164 |
int serialNumber = -1; |
|
165 |
try |
|
166 |
{ |
|
167 |
//check out DBConnection |
|
168 |
conn=DBConnectionPool.getDBConnection |
|
171 |
public boolean accessControlExists(XMLAccessDAO xmlAccessDAO) throws AccessControlException { |
|
172 |
boolean exists = false; |
|
173 |
PreparedStatement pstmt = null; |
|
174 |
DBConnection conn = null; |
|
175 |
int serialNumber = -1; |
|
176 |
try { |
|
177 |
//check out DBConnection |
|
178 |
conn=DBConnectionPool.getDBConnection |
|
169 | 179 |
("AccessControlForSingleFiel.accessControlExists"); |
170 |
serialNumber=conn.getCheckOutSerialNumber();
|
|
171 |
pstmt = conn.prepareStatement(
|
|
172 |
"SELECT * FROM xml_access " +
|
|
173 |
"WHERE docid = ? " +
|
|
174 |
"AND principal_name = ? " +
|
|
175 |
"AND permission = ? " +
|
|
176 |
"AND perm_type = ? " +
|
|
177 |
"AND perm_order =? ");
|
|
180 |
serialNumber=conn.getCheckOutSerialNumber();
|
|
181 |
pstmt = conn.prepareStatement(
|
|
182 |
"SELECT * FROM xml_access " +
|
|
183 |
"WHERE docid = ? " +
|
|
184 |
"AND principal_name = ? " +
|
|
185 |
"AND permission = ? " +
|
|
186 |
"AND perm_type = ? " +
|
|
187 |
"AND perm_order =? ");
|
|
178 | 188 |
|
179 |
// Bind the values to the query
|
|
180 |
pstmt.setString(1, docId);
|
|
181 |
pstmt.setString(2, principal);
|
|
182 |
pstmt.setInt(3, permission);
|
|
183 |
pstmt.setString(4, permType);
|
|
184 |
pstmt.setString(5, permOrder);
|
|
189 |
// Bind the values to the query
|
|
190 |
pstmt.setString(1, docId);
|
|
191 |
pstmt.setString(2, xmlAccessDAO.getPrincipalName());
|
|
192 |
pstmt.setLong(3, xmlAccessDAO.getPermission());
|
|
193 |
pstmt.setString(4, xmlAccessDAO.getPermType());
|
|
194 |
pstmt.setString(5, xmlAccessDAO.getPermOrder());
|
|
185 | 195 |
|
186 |
pstmt.execute();
|
|
187 |
ResultSet rs = pstmt.getResultSet();
|
|
188 |
exists = rs.next();
|
|
196 |
pstmt.execute();
|
|
197 |
ResultSet rs = pstmt.getResultSet();
|
|
198 |
exists = rs.next();
|
|
189 | 199 |
|
190 |
}//try |
|
191 |
catch (SQLException e) |
|
192 |
{ |
|
193 |
logMetacat.error("Error in AccessControlForSingleFile.accessControlExists: " |
|
194 |
+ e.getMessage()); |
|
195 |
throw e; |
|
196 |
} |
|
197 |
finally |
|
198 |
{ |
|
199 |
try |
|
200 |
{ |
|
201 |
pstmt.close(); |
|
202 |
} |
|
203 |
finally |
|
204 |
{ |
|
205 |
DBConnectionPool.returnDBConnection(conn, serialNumber); |
|
206 |
} |
|
207 |
} |
|
200 |
} catch (SQLException sqle){ |
|
201 |
throw new AccessControlException("AccessControlForSingleFile.accessControlExists - SQL error when " + |
|
202 |
"checking if access control exists: " + sqle.getMessage()); |
|
203 |
} finally { |
|
204 |
try { |
|
205 |
if(pstmt != null) { |
|
206 |
pstmt.close(); |
|
207 |
} |
|
208 |
} catch (SQLException sqle) { |
|
209 |
logMetacat.error("AccessControlForSingleFile.accessControlExists - Could not close " + |
|
210 |
"prepared statement: " +sqle.getMessage()); |
|
211 |
} finally { |
|
212 |
DBConnectionPool.returnDBConnection(conn, serialNumber); |
|
213 |
} |
|
214 |
} |
|
208 | 215 |
|
209 |
return exists; |
|
210 |
|
|
211 |
} |
|
216 |
return exists; |
|
217 |
} |
|
212 | 218 |
|
213 |
public String getAccessString() { |
|
214 |
StringBuffer sb = new StringBuffer(); |
|
215 |
sb.append("<access>"); |
|
216 |
|
|
217 |
sb.append("<permOrder>"); |
|
218 |
sb.append(this.permOrder); |
|
219 |
sb.append("</permOrder>"); |
|
220 |
|
|
221 |
sb.append("<permType>"); |
|
222 |
sb.append(this.permType); |
|
223 |
sb.append("</permType>"); |
|
224 |
|
|
225 |
sb.append("<permission>"); |
|
226 |
sb.append(AccessControlList.txtValue(this.permission)); |
|
227 |
sb.append("</permission>"); |
|
228 |
|
|
229 |
sb.append("<principal>"); |
|
230 |
sb.append(this.principal); |
|
231 |
sb.append("</principal>"); |
|
219 |
/** |
|
220 |
* Get Access Control List information for document from db connetion. User |
|
221 |
* or Group should have permissions for reading access control information |
|
222 |
* for a document specified by |
|
223 |
* |
|
224 |
* @docid. |
|
225 |
* @param docid |
|
226 |
* document identifier which acl info to get |
|
227 |
* @param user |
|
228 |
* name of user connected to Metacat system |
|
229 |
* @param groups |
|
230 |
* names of user's groups to which user belongs |
|
231 |
*/ |
|
232 |
public String getACL(String user, String[] groups, boolean emlCompliant) |
|
233 |
throws AccessControlException { |
|
234 |
StringBuffer output = new StringBuffer(); |
|
235 |
boolean hasPermission = false; |
|
232 | 236 |
|
233 |
sb.append("</access>"); |
|
234 |
|
|
235 |
return sb.toString(); |
|
236 |
|
|
237 |
} |
|
237 |
try { |
|
238 |
// Get a list of all access dao objects for this docid |
|
239 |
XMLAccessAccess xmlAccessAccess = new XMLAccessAccess(); |
|
240 |
Vector<XMLAccessDAO> xmlAccessDAOList = xmlAccessAccess.getXMLAccessForDoc(docId); |
|
241 |
|
|
242 |
hasPermission = isOwned(docId, user); |
|
243 |
if (!hasPermission) { |
|
244 |
PermissionController controller = new PermissionController(docId); |
|
245 |
hasPermission = |
|
246 |
controller.hasPermission(user, groups, READSTRING); |
|
247 |
} |
|
238 | 248 |
|
249 |
if (hasPermission) { |
|
250 |
output.append(getAccessString(xmlAccessDAOList, emlCompliant)); |
|
251 |
} |
|
239 | 252 |
|
253 |
return output.toString(); |
|
254 |
|
|
255 |
} catch (SQLException sqle) { |
|
256 |
throw new AccessControlException("AccessControlForSingleFile.getACL() - SQL error when " + |
|
257 |
"getting ACL: " + sqle.getMessage()); |
|
258 |
} catch (AccessException ae) { |
|
259 |
throw new AccessControlException("AccessControlForSingleFile.getACL() - DB access error when " + |
|
260 |
"getting ACL: " + ae.getMessage()); |
|
261 |
} catch (McdbException mcdb) { |
|
262 |
throw new AccessControlException("AccessControlForSingleFile.getACL() - MCDB error when " + |
|
263 |
"getting ACL: " + mcdb.getMessage()); |
|
264 |
} |
|
265 |
} |
|
266 |
|
|
267 |
public String getAccessString() throws AccessControlException { |
|
268 |
Vector<XMLAccessDAO> xmlAccessDAOList = null; |
|
269 |
|
|
270 |
try { |
|
271 |
// Get a list of all access dao objects for this docid |
|
272 |
XMLAccessAccess xmlAccessAccess = new XMLAccessAccess(); |
|
273 |
xmlAccessDAOList = xmlAccessAccess.getXMLAccessForDoc(docId); |
|
274 |
} catch (AccessException ae) { |
|
275 |
throw new AccessControlException("AccessControlForSingleFile.getAccessString() - DB access error when " + |
|
276 |
"getting access string: " + ae.getMessage()); |
|
277 |
} |
|
278 |
|
|
279 |
return getAccessString(xmlAccessDAOList, false); |
|
280 |
} |
|
281 |
|
|
282 |
public String getAccessString(Vector<XMLAccessDAO> xmlAccessDAOList, boolean emlCompliant) throws AccessControlException { |
|
283 |
|
|
284 |
StringBuffer output = new StringBuffer(); |
|
285 |
StringBuffer tmpOutput = new StringBuffer(); |
|
286 |
StringBuffer allowOutput = new StringBuffer(); |
|
287 |
StringBuffer denyOutput = new StringBuffer(); |
|
288 |
|
|
289 |
String principal = null; |
|
290 |
int permission = -1; |
|
291 |
String permOrder = ALLOWFIRST; |
|
292 |
String permType = null; |
|
293 |
|
|
294 |
// We assume that all the records will have the same permission order, so we can just |
|
295 |
// grab the perm order from the first one. |
|
296 |
if (xmlAccessDAOList.size() > 0) { |
|
297 |
permOrder = xmlAccessDAOList.get(0).getPermOrder(); |
|
298 |
} |
|
299 |
|
|
300 |
if (emlCompliant) { |
|
301 |
output.append("<?xml version=\"1.0\"?>\n<acc:access"); |
|
302 |
} else { |
|
303 |
output.append("<access "); |
|
304 |
} |
|
305 |
|
|
306 |
output.append(" authSystem=\"knb\" order=\"" + permOrder + "\" id=\"" + docId + "\" scope=\"document\""); |
|
307 |
|
|
308 |
if (emlCompliant) { |
|
309 |
output.append(" xmlns:acc=\"" + DocumentImpl.EML2_1_0NAMESPACE + "\""); |
|
310 |
} |
|
311 |
|
|
312 |
output.append(">\n"); |
|
313 |
|
|
314 |
if (xmlAccessDAOList.size() > 0) { |
|
315 |
// Since there should only be one permission order allowed per document, |
|
316 |
// we can just grab the order off of the first xml access dao object |
|
317 |
permOrder = xmlAccessDAOList.get(0).getPermOrder(); |
|
318 |
} |
|
319 |
|
|
320 |
for (XMLAccessDAO xmlAccessDAO : xmlAccessDAOList) { |
|
321 |
principal = xmlAccessDAO.getPrincipalName(); |
|
322 |
permission = xmlAccessDAO.getPermission().intValue(); |
|
323 |
permType = xmlAccessDAO.getPermType(); |
|
324 |
|
|
325 |
tmpOutput.append(" <" + permType + ">\n"); |
|
326 |
tmpOutput.append(" <principal>" + principal + "</principal>\n"); |
|
327 |
|
|
328 |
if ((permission & READ) == READ) { |
|
329 |
tmpOutput.append(" <permission>read</permission>\n"); |
|
330 |
} |
|
331 |
if ((permission & WRITE) == WRITE) { |
|
332 |
tmpOutput.append(" <permission>write</permission>\n"); |
|
333 |
} |
|
334 |
if ((permission & ALL) == ALL) { |
|
335 |
tmpOutput.append(" <permission>all</permission>\n"); |
|
336 |
} |
|
337 |
if ((permission & CHMOD) == CHMOD) { |
|
338 |
tmpOutput.append(" <permission>chmod</permission>\n"); |
|
339 |
} |
|
340 |
|
|
341 |
tmpOutput.append(" </" + permType + ">\n"); |
|
342 |
|
|
343 |
if (permType.equals(ALLOW)) { |
|
344 |
allowOutput.append(tmpOutput); |
|
345 |
} else if (permType.equals(DENY)) { |
|
346 |
denyOutput.append(tmpOutput); |
|
347 |
} |
|
348 |
tmpOutput = new StringBuffer(); |
|
349 |
} |
|
350 |
|
|
351 |
// This just orders the allow/deny sections based on the permOrder. Not |
|
352 |
// required, but convenient later when parsing the output. |
|
353 |
if (permOrder.equals(ALLOWFIRST)) { |
|
354 |
output.append(allowOutput); |
|
355 |
output.append(denyOutput); |
|
356 |
} else if (permOrder.equals(DENYFIRST)) { |
|
357 |
output.append(denyOutput); |
|
358 |
output.append(allowOutput); |
|
359 |
} |
|
360 |
|
|
361 |
if (emlCompliant) { |
|
362 |
output.append("</acc:access>"); |
|
363 |
} else { |
|
364 |
output.append("</access>"); |
|
365 |
} |
|
366 |
|
|
367 |
return output.toString(); |
|
368 |
} |
|
369 |
|
|
370 |
/* Check if @user is owner of @docid from db conn. */ |
|
371 |
private boolean isOwned(String docid, String user) throws SQLException { |
|
372 |
PreparedStatement pstmt = null; |
|
373 |
DBConnection conn = null; |
|
374 |
int serialNumber = -1; |
|
375 |
try { |
|
376 |
// check out DBConnection |
|
377 |
conn = DBConnectionPool.getDBConnection("AccessControlList.isOwned"); |
|
378 |
serialNumber = conn.getCheckOutSerialNumber(); |
|
379 |
pstmt = conn.prepareStatement("SELECT 'x' FROM xml_documents " |
|
380 |
+ "WHERE docid = ? " + "AND user_owner = ?"); |
|
381 |
pstmt.setString(1, docid); |
|
382 |
pstmt.setString(2, user); |
|
383 |
pstmt.execute(); |
|
384 |
ResultSet rs = pstmt.getResultSet(); |
|
385 |
boolean hasRow = rs.next(); |
|
386 |
return hasRow; |
|
387 |
} finally { |
|
388 |
try { |
|
389 |
if (pstmt != null) { |
|
390 |
pstmt.close(); |
|
391 |
} |
|
392 |
} finally { |
|
393 |
DBConnectionPool.returnDBConnection(conn, serialNumber); |
|
394 |
} |
|
395 |
} |
|
396 |
} |
|
397 |
|
|
398 |
|
|
399 |
|
|
400 |
// public String getAccessString() throws AccessControlException { |
|
401 |
// Vector<XMLAccessDAO> xmlAccessDAOList = null; |
|
402 |
// try { |
|
403 |
// XMLAccessAccess xmlAccessAccess = new XMLAccessAccess(); |
|
404 |
// xmlAccessDAOList = xmlAccessAccess.getXMLAccessForDoc(docId); |
|
405 |
// } catch (AccessException ae) { |
|
406 |
// throw new AccessControlException("AccessControlForSingleFile.getAccessString - error when getting " + |
|
407 |
// "access DAO list: " + ae.getMessage()); |
|
408 |
// } |
|
409 |
// |
|
410 |
// StringBuffer sb = new StringBuffer(); |
|
411 |
// |
|
412 |
// for (XMLAccessDAO xmlAccessDAO : xmlAccessDAOList) { |
|
413 |
// sb.append("<access>"); |
|
414 |
// |
|
415 |
// sb.append("<permOrder>"); |
|
416 |
// sb.append(xmlAccessDAO.getPermOrder()); |
|
417 |
// sb.append("</permOrder>"); |
|
418 |
// |
|
419 |
// sb.append("<permType>"); |
|
420 |
// sb.append(xmlAccessDAO.getPermType()); |
|
421 |
// sb.append("</permType>"); |
|
422 |
// |
|
423 |
// sb.append("<permission>"); |
|
424 |
// sb.append(xmlAccessDAO.getPermission()); |
|
425 |
// sb.append("</permission>"); |
|
426 |
// |
|
427 |
// sb.append("<principal>"); |
|
428 |
// sb.append(xmlAccessDAO.getPrincipalName()); |
|
429 |
// sb.append("</principal>"); |
|
430 |
// |
|
431 |
// sb.append("</access>"); |
|
432 |
// } |
|
433 |
// |
|
434 |
// return sb.toString(); |
|
435 |
// |
|
436 |
// } |
|
437 |
|
|
438 |
|
|
240 | 439 |
} |
src/edu/ucsb/nceas/metacat/accesscontrol/AccessControlList.java | ||
---|---|---|
51 | 51 |
import edu.ucsb.nceas.metacat.database.DBConnection; |
52 | 52 |
import edu.ucsb.nceas.metacat.database.DBConnectionPool; |
53 | 53 |
import edu.ucsb.nceas.metacat.properties.PropertyService; |
54 |
import edu.ucsb.nceas.metacat.shared.AccessException; |
|
54 | 55 |
import edu.ucsb.nceas.metacat.util.MetacatUtil; |
55 | 56 |
import edu.ucsb.nceas.metacat.util.SystemUtil; |
56 | 57 |
import edu.ucsb.nceas.utilities.PropertyNotFoundException; |
... | ... | |
90 | 91 |
private int permission; |
91 | 92 |
private String permType; |
92 | 93 |
private String permOrder; |
93 |
// private String publicAcc; |
|
94 | 94 |
private String beginTime; |
95 | 95 |
private String endTime; |
96 | 96 |
private int ticketCount; |
... | ... | |
680 | 680 |
return txtPerm.toString(); |
681 | 681 |
} |
682 | 682 |
|
683 |
// /* Get the text value of READ, WRITE or ALL. */ |
|
684 |
// public static String txtValue ( int permission ) |
|
685 |
// { |
|
686 |
// StringBuffer txtPerm = new StringBuffer(); |
|
687 |
// if (permission == READ) { |
|
688 |
// txtPerm.append("READ"); |
|
689 |
// } |
|
690 |
// if (permission == WRITE) { |
|
691 |
// txtPerm.append("WRITE"); |
|
692 |
// } |
|
693 |
// if (permission == ALL) { |
|
694 |
// txtPerm.append("ALL"); |
|
695 |
// } |
|
696 |
// |
|
697 |
// return txtPerm.toString(); |
|
698 |
// } |
|
699 |
|
|
700 |
/** |
|
701 |
* Get Access Control List information for document from db connetion. |
|
702 |
* User or Group should have permissions for reading |
|
703 |
* access control information for a document specified by @docid. |
|
704 |
* @param docid document identifier which acl info to get |
|
705 |
* @param user name of user connected to Metacat system |
|
706 |
* @param groups names of user's groups to which user belongs |
|
707 |
*/ |
|
708 |
public String getACL(String docid, String user, String[] groups) |
|
709 |
throws SQLException, Exception |
|
710 |
{ |
|
711 |
StringBuffer output = new StringBuffer(); |
|
712 |
StringBuffer outTemp = new StringBuffer(); |
|
713 |
String accDoctype = PropertyService.getProperty("xml.accessdoctype"); |
|
714 |
String server = PropertyService.getProperty("server.name"); |
|
715 |
String docurl = "metacat://" + server + "/?docid=" + docid; |
|
716 |
String systemID; |
|
717 |
boolean isOwned = false; |
|
718 |
boolean hasPermission = false; |
|
719 |
String publicAcc; |
|
720 |
|
|
721 |
String acfid = ""; |
|
722 |
String acfid_prev = ""; |
|
723 |
String principal; |
|
724 |
Vector principalArr = new Vector(); |
|
725 |
int permission; |
|
726 |
int perm_prev = -1; |
|
727 |
String permType; |
|
728 |
String permOrder = ""; |
|
729 |
String permOrder_prev = ""; |
|
730 |
String beginTime = ""; |
|
731 |
String begin_prev = ""; |
|
732 |
String endTime = ""; |
|
733 |
String end_prev = ""; |
|
734 |
int ticketCount = -1; |
|
735 |
int ticket_prev = -1; |
|
736 |
DBConnection conn = null; |
|
737 |
int serialNumber = -1; |
|
738 |
PreparedStatement pstmt = null; |
|
739 |
try { |
|
740 |
|
|
741 |
//check out DBConnection |
|
742 |
conn=DBConnectionPool.getDBConnection("AccessControlList.getACL"); |
|
743 |
serialNumber=conn.getCheckOutSerialNumber(); |
|
744 |
|
|
745 |
isOwned = isOwned(docid, user); |
|
746 |
systemID = getSystemID((String)MetacatUtil. |
|
747 |
getOptionList(accDoctype).elementAt(0)); |
|
748 |
publicAcc = getPublicAccess(docid); |
|
749 |
|
|
750 |
output.append("<?xml version=\"1.0\"?>\n"); |
|
751 |
output.append("<!DOCTYPE acl PUBLIC \"" + accDoctype + "\" \"" + |
|
752 |
systemID + "\">\n"); |
|
753 |
output.append("<acl authSystem=\"\">\n"); |
|
754 |
|
|
755 |
|
|
756 |
pstmt = conn.prepareStatement( |
|
757 |
"SELECT distinct accessfileid, principal_name, permission, " + |
|
758 |
"perm_type, perm_order, to_char(begin_time,'mm/dd/yyyy'), " + |
|
759 |
"to_char(end_time,'mm/dd/yyyy'), ticket_count " + |
|
760 |
"FROM xml_access WHERE docid = ? " + |
|
761 |
"ORDER BY accessfileid, perm_order, perm_type, permission"); |
|
762 |
// Bind the values to the query |
|
763 |
pstmt.setString(1, docid); |
|
764 |
logMetacat.debug("running sql: " + pstmt.toString()); |
|
765 |
pstmt.execute(); |
|
766 |
ResultSet rs = pstmt.getResultSet(); |
|
767 |
boolean hasRows = rs.next(); |
|
768 |
while (hasRows) { |
|
769 |
|
|
770 |
acfid = rs.getString(1); |
|
771 |
principal = rs.getString(2); |
|
772 |
permission = rs.getInt(3); |
|
773 |
permType = rs.getString(4); |
|
774 |
permOrder = rs.getString(5); |
|
775 |
beginTime = rs.getString(6); |
|
776 |
endTime = rs.getString(7); |
|
777 |
ticketCount = rs.getInt(8); |
|
778 |
|
|
779 |
// if @docid is not owned by @user, only ACL info from that |
|
780 |
// access files to which @user/@groups has "read" permission |
|
781 |
// is extracted |
|
782 |
if ( !isOwned ) { |
|
783 |
if ( !acfid.equals(acfid_prev) ) { |
|
784 |
acfid_prev = acfid; |
|
785 |
//hasPermission = this.hasPermission("READ",user,groups,acfid); |
|
786 |
PermissionController controller = new PermissionController(acfid); |
|
787 |
hasPermission = controller.hasPermission(user,groups, |
|
788 |
AccessControlInterface.READSTRING); |
|
789 |
} |
|
790 |
if ( !hasPermission ) { |
|
791 |
rs.next(); |
|
792 |
continue; |
|
793 |
} |
|
794 |
} |
|
795 |
|
|
796 |
// open <resource> tag |
|
797 |
if ( !permOrder.equals(permOrder_prev) ) { |
|
798 |
// close </resource> tag if any was opened |
|
799 |
output.append(outTemp.toString()); |
|
800 |
outTemp = new StringBuffer(); |
|
801 |
if ( !permOrder_prev.equals("") ) { |
|
802 |
output.append(" </resource>\n"); |
|
803 |
} |
|
804 |
output.append(" <resource order=\"" + permOrder + "\" public=\"" + |
|
805 |
publicAcc + "\">\n"); |
|
806 |
output.append(" <resourceIdentifier>" + docurl + |
|
807 |
"</resourceIdentifier>\n"); |
|
808 |
permOrder_prev = permOrder; |
|
809 |
} |
|
810 |
|
|
811 |
// close </allow> or </deny> tag then open new one |
|
812 |
if ( permission != perm_prev || |
|
813 |
(endTime == null) && (end_prev != null) || |
|
814 |
(beginTime == null) && (begin_prev != null) || |
|
815 |
endTime != null && !endTime.equals(end_prev) || |
|
816 |
beginTime != null && !beginTime.equals(begin_prev) || |
|
817 |
ticketCount != ticket_prev ) { |
|
818 |
output.append(outTemp.toString()); |
|
819 |
outTemp = new StringBuffer(); |
|
820 |
principalArr.removeAllElements(); |
|
821 |
output.append(" <" + permType + ">\n"); |
|
822 |
} |
|
823 |
|
|
824 |
// put all principals here for the same |
|
825 |
// permission, duration and ticket_count |
|
826 |
if ( !principalArr.contains(principal) ) { |
|
827 |
principalArr.addElement(principal); |
|
828 |
output.append(" <principal>" + principal + "</principal>\n"); |
|
829 |
} |
|
830 |
|
|
831 |
// prepare <permission> tags, <duration> and <ticketCount> |
|
832 |
// if any to put within <allow> (<deny>) by next cicle |
|
833 |
if ( permission != perm_prev || |
|
834 |
(endTime == null) && (end_prev != null) || |
|
835 |
(beginTime == null) && (begin_prev != null) || |
|
836 |
endTime != null && !endTime.equals(end_prev) || |
|
837 |
beginTime != null && !beginTime.equals(begin_prev) || |
|
838 |
ticketCount != ticket_prev ) { |
|
839 |
if ( (permission & READ) == READ ) { |
|
840 |
outTemp.append(" <permission>read</permission>\n"); |
|
841 |
} |
|
842 |
if ( (permission & WRITE) == WRITE ) { |
|
843 |
outTemp.append(" <permission>write</permission>\n"); |
|
844 |
} |
|
845 |
if ( (permission & ALL) == ALL ) { |
|
846 |
outTemp.append(" <permission>all</permission>\n"); |
|
847 |
} |
|
848 |
if ( (permission & CHMOD) == CHMOD ) { |
|
849 |
outTemp.append(" <permission>chmod</permission>\n"); |
|
850 |
} |
|
851 |
if ( (beginTime != null) || (endTime != null) ) { |
|
852 |
outTemp.append(" <duration>" + beginTime + " " + endTime + |
|
853 |
"</duration>\n"); |
|
854 |
} |
|
855 |
if ( ticketCount > 0 ) { |
|
856 |
outTemp.append(" <ticketCount>" + ticketCount + |
|
857 |
"</ticketCount>\n"); |
|
858 |
} |
|
859 |
outTemp.append(" </" + permType + ">\n"); |
|
860 |
perm_prev = permission; |
|
861 |
ticket_prev = ticketCount; |
|
862 |
begin_prev = beginTime; |
|
863 |
end_prev = endTime; |
|
864 |
} |
|
865 |
|
|
866 |
hasRows = rs.next(); |
|
867 |
} |
|
868 |
|
|
869 |
// close <allow> or <deny> if anything left in outTemp var |
|
870 |
output.append(outTemp.toString()); |
|
871 |
|
|
872 |
// If there are no any acl info for @docid accessible by @user/@group, |
|
873 |
// extract only the following information |
|
874 |
if ( permOrder.equals("") ) { |
|
875 |
output.append(" <resource public=\"" + publicAcc + "\">\n"); |
|
876 |
output.append(" <resourceIdentifier>" + docurl + |
|
877 |
"</resourceIdentifier>\n"); |
|
878 |
} |
|
879 |
|
|
880 |
// always close them |
|
881 |
output.append(" </resource>\n"); |
|
882 |
output.append("</acl>\n"); |
|
883 |
|
|
884 |
pstmt.close(); |
|
885 |
|
|
886 |
return output.toString(); |
|
887 |
|
|
888 |
} catch (SQLException e) { |
|
889 |
throw new |
|
890 |
SQLException("AccessControlList.getACL(). " + e.getMessage()); |
|
891 |
} |
|
892 |
finally |
|
893 |
{ |
|
894 |
try |
|
895 |
{ |
|
896 |
pstmt.close(); |
|
897 |
} |
|
898 |
finally |
|
899 |
{ |
|
900 |
DBConnectionPool.returnDBConnection(conn, serialNumber); |
|
901 |
} |
|
902 |
} |
|
903 |
} |
|
904 |
|
|
905 |
/* Check if @user is owner of @docid from db conn. */ |
|
906 |
private boolean isOwned(String docid, String user) throws SQLException { |
|
907 |
|
|
908 |
PreparedStatement pstmt = null; |
|
909 |
DBConnection conn = null; |
|
910 |
int serialNumber = -1; |
|
911 |
try |
|
912 |
{ |
|
913 |
//check out DBConnection |
|
914 |
conn=DBConnectionPool.getDBConnection("AccessControlList.isOwned"); |
|
915 |
serialNumber=conn.getCheckOutSerialNumber(); |
|
916 |
pstmt = conn.prepareStatement("SELECT 'x' FROM xml_documents " + |
|
917 |
"WHERE docid = ? " + |
|
918 |
"AND user_owner = ?"); |
|
919 |
pstmt.setString(1, docid); |
|
920 |
pstmt.setString(2, user); |
|
921 |
pstmt.execute(); |
|
922 |
ResultSet rs = pstmt.getResultSet(); |
|
923 |
boolean hasRow = rs.next(); |
|
924 |
return hasRow; |
|
925 |
} |
|
926 |
finally |
|
927 |
{ |
|
928 |
try |
|
929 |
{ |
|
930 |
pstmt.close(); |
|
931 |
} |
|
932 |
finally |
|
933 |
{ |
|
934 |
DBConnectionPool.returnDBConnection(conn, serialNumber); |
|
935 |
} |
|
936 |
} |
|
937 |
} |
|
938 |
|
|
939 | 683 |
/* Get the flag for public "read" access for @docid from db conn. */ |
940 | 684 |
private String getPublicAccess(String docid) throws SQLException { |
941 | 685 |
|
src/edu/ucsb/nceas/metacat/MetaCatServlet.java | ||
---|---|---|
73 | 73 |
import com.oreilly.servlet.multipart.ParamPart; |
74 | 74 |
import com.oreilly.servlet.multipart.Part; |
75 | 75 |
|
76 |
import edu.ucsb.nceas.metacat.accesscontrol.AccessControlException; |
|
76 | 77 |
import edu.ucsb.nceas.metacat.accesscontrol.AccessControlForSingleFile; |
77 | 78 |
import edu.ucsb.nceas.metacat.accesscontrol.AccessControlInterface; |
78 | 79 |
import edu.ucsb.nceas.metacat.accesscontrol.AccessControlList; |
... | ... | |
89 | 90 |
import edu.ucsb.nceas.metacat.service.ServiceService; |
90 | 91 |
import edu.ucsb.nceas.metacat.service.SessionService; |
91 | 92 |
import edu.ucsb.nceas.metacat.service.XMLSchemaService; |
93 |
import edu.ucsb.nceas.metacat.shared.ServiceException; |
|
92 | 94 |
import edu.ucsb.nceas.metacat.shared.BaseException; |
93 | 95 |
import edu.ucsb.nceas.metacat.shared.HandlerException; |
94 | 96 |
import edu.ucsb.nceas.metacat.shared.MetacatUtilException; |
95 |
import edu.ucsb.nceas.metacat.shared.ServiceException;
|
|
97 |
//import edu.ucsb.nceas.metacat.shared.AccessException;
|
|
96 | 98 |
import edu.ucsb.nceas.metacat.spatial.SpatialHarvester; |
97 | 99 |
import edu.ucsb.nceas.metacat.spatial.SpatialQuery; |
98 | 100 |
import edu.ucsb.nceas.metacat.util.AuthUtil; |
... | ... | |
2722 | 2724 |
} |
2723 | 2725 |
|
2724 | 2726 |
try { |
2725 |
|
|
2726 |
// get connection from the pool |
|
2727 |
dbConn = DBConnectionPool |
|
2728 |
.getDBConnection("MetaCatServlet.handleGetAccessControlAction"); |
|
2729 |
serialNumber = dbConn.getCheckOutSerialNumber(); |
|
2730 |
AccessControlList aclobj = new AccessControlList(dbConn); |
|
2731 |
String acltext = aclobj.getACL(docid, username, groupnames); |
|
2727 |
AccessControlForSingleFile acfsf = new AccessControlForSingleFile(docid); |
|
2728 |
String acltext = acfsf.getACL(username, groupnames, true); |
|
2732 | 2729 |
if (qformat.equals("xml")) { |
2733 | 2730 |
response.setContentType("text/xml"); |
2734 | 2731 |
out.println(acltext); |
... | ... | |
3508 | 3505 |
private void handleSetAccessAction(PrintWriter out, Hashtable<String, String[]> params, |
3509 | 3506 |
String username, HttpServletRequest request, HttpServletResponse response) { |
3510 | 3507 |
Logger logMetacat = Logger.getLogger(MetaCatServlet.class); |
3511 |
String[] docList = null; |
|
3512 |
String[] principalList = null; |
|
3513 |
String[] permissionList = null; |
|
3514 |
String[] permTypeList = null; |
|
3515 |
String[] permOrderList = null; |
|
3516 |
String[] qformatList = null; |
|
3508 |
|
|
3517 | 3509 |
String permission = null; |
3518 | 3510 |
String permType = null; |
3519 | 3511 |
String permOrder = null; |
... | ... | |
3523 | 3515 |
String success = null; |
3524 | 3516 |
boolean isEmlPkgMember = false; |
3525 | 3517 |
|
3526 |
// Get parameters |
|
3527 |
if (params.containsKey("docid")) { |
|
3528 |
docList = params.get("docid"); |
|
3529 |
} |
|
3530 |
if (params.containsKey("principal")) { |
|
3531 |
principalList = params.get("principal"); |
|
3532 |
} |
|
3533 |
if (params.containsKey("permission")) { |
|
3534 |
permissionList = params.get("permission"); |
|
3535 |
|
|
3536 |
} |
|
3537 |
if (params.containsKey("permType")) { |
|
3538 |
permTypeList = params.get("permType"); |
|
3539 |
|
|
3540 |
} |
|
3541 |
if (params.containsKey("permOrder")) { |
|
3542 |
permOrderList = params.get("permOrder"); |
|
3543 |
|
|
3544 |
} |
|
3518 |
String[] docList = params.get("docid"); |
|
3519 |
String[] principalList = params.get("principal"); |
|
3520 |
String[] permissionList = params.get("permission"); |
|
3521 |
String[] permTypeList = params.get("permType"); |
|
3522 |
String[] permOrderList = params.get("permOrder"); |
|
3523 |
String[] qformatList = params.get("qformat"); |
|
3524 |
String[] accessBlock = params.get("accessBlock"); |
|
3545 | 3525 |
|
3546 |
if (params.containsKey("qformat")) { |
|
3547 |
qformatList = params.get("qformat"); |
|
3548 |
|
|
3526 |
if(accessBlock != null) { |
|
3527 |
if (docList == null) { |
|
3528 |
errorList.addElement("MetaCatServlet.handleSetAccessAction - Please check your parameter list, it should look like: " |
|
3529 |
+ "?action=setaccess&docid=<doc_id>&accessBlock=<access_section>"); |
|
3530 |
outputResponse(successList, errorList, out); |
|
3531 |
return; |
|
3532 |
} |
|
3533 |
|
|
3534 |
try { |
|
3535 |
AccessControlForSingleFile accessControl = |
|
3536 |
new AccessControlForSingleFile(docList[0]); |
|
3537 |
accessControl.insertPermissions(accessBlock[0]); |
|
3538 |
} catch(AccessControlException ace) { |
|
3539 |
errorList.addElement("MetaCatServlet.handleSetAccessAction - access control error when setting " + |
|
3540 |
"access block: " + ace.getMessage()); |
|
3541 |
} |
|
3542 |
outputResponse(successList, errorList, out); |
|
3543 |
return; |
|
3549 | 3544 |
} |
3550 | 3545 |
|
3551 | 3546 |
// Make sure the parameter is not null |
... | ... | |
3606 | 3601 |
} catch (Exception e) { |
3607 | 3602 |
logMetacat.error("MetaCatServlet.handleSetAccessAction - Error in handleSetAccessAction: " |
3608 | 3603 |
+ e.getMessage()); |
3609 |
error = "Error in set access control for document - " |
|
3610 |
+ accessionNumber + e.getMessage(); |
|
3604 |
error = "Error in set access control for document - " + accessionNumber + e.getMessage(); |
|
3611 | 3605 |
errorList.addElement(error); |
3612 | 3606 |
continue; |
3613 | 3607 |
} |
3614 | 3608 |
//check if user is the owner. Only owner can do owner |
3615 | 3609 |
if (username == null || owner == null || !username.equals(owner)) { |
3616 |
error = "User - " + username |
|
3617 |
+ " does not have permission to set " |
|
3610 |
error = "User - " + username + " does not have permission to set " |
|
3618 | 3611 |
+ "access control for docid - " + accessionNumber; |
3619 | 3612 |
errorList.addElement(error); |
3620 | 3613 |
continue; |
... | ... | |
3626 | 3619 |
if (isEmlPkgMember == false) |
3627 | 3620 |
isEmlPkgMember = (DBUtil.findDataSetDocIdForGivenDocument(accessionNumber) != null); |
3628 | 3621 |
|
3629 |
// If docid publicid is BIN data file or other beta4, 6 package |
|
3630 |
// document |
|
3631 |
// we could not do set access control. Because we don't want |
|
3632 |
// inconsistent |
|
3622 |
// If docid publicid is BIN data file or other beta4, 6 package document |
|
3623 |
// we could not do set access control. Because we don't want inconsistent |
|
3633 | 3624 |
// to its access docuemnt |
3634 | 3625 |
if (publicId != null && packageSet != null |
3635 | 3626 |
&& packageSet.contains(publicId) && isEmlPkgMember) { |
3636 |
error = "Could not set access control to document " |
|
3637 |
+ accessionNumber |
|
3627 |
error = "Could not set access control to document " + accessionNumber |
|
3638 | 3628 |
+ "because it is in a pakcage and it has a access file for it"; |
3639 | 3629 |
errorList.addElement(error); |
3640 | 3630 |
continue; |
... | ... | |
3645 | 3635 |
String principal = principalList[j]; |
3646 | 3636 |
try { |
3647 | 3637 |
//insert permission |
3648 |
AccessControlForSingleFile accessControl = new AccessControlForSingleFile(
|
|
3649 |
accessionNumber, principal, permission, permType, permOrder);
|
|
3650 |
accessControl.insertPermissions(); |
|
3638 |
AccessControlForSingleFile accessControl = |
|
3639 |
new AccessControlForSingleFile(accessionNumber);
|
|
3640 |
accessControl.insertPermissions(principal, Long.valueOf(permission), permType, permOrder);
|
|
3651 | 3641 |
} catch (Exception ee) { |
3652 | 3642 |
logMetacat.error("MetaCatServlet.handleSetAccessAction - Error inserting permission: " |
3653 | 3643 |
+ ee.getMessage()); |
src/edu/ucsb/nceas/metacat/PermissionController.java | ||
---|---|---|
55 | 55 |
// access for this docid |
56 | 56 |
private Vector subTreeList = new Vector(); |
57 | 57 |
|
58 |
private long TOPLEVELSTARTNODEID = 0; //if start node is 0, means it is top |
|
58 |
private static final long TOPLEVELSTARTNODEID = 0; //if start node is 0, means it is top
|
|
59 | 59 |
//level document |
60 | 60 |
|
61 | 61 |
private static Logger logMetacat = Logger.getLogger(PermissionController.class); |
... | ... | |
663 | 663 |
|
664 | 664 |
}//isAllowFirst |
665 | 665 |
|
666 |
/** |
|
667 |
* Check if the permission order for user at that documents is allowFirst |
|
668 |
* @param principals, list of names of principals to check for |
|
669 |
* @param docid, document identifier to check for |
|
670 |
*/ |
|
671 |
public Vector<AccessControlForSingleFile> getAccessControl() |
|
672 |
throws SQLException, Exception |
|
673 |
{ |
|
674 |
Vector<AccessControlForSingleFile> accessControl = new Vector<AccessControlForSingleFile>(); |
|
675 |
boolean hasRow; |
|
676 |
PreparedStatement pStmt = null; |
|
677 |
DBConnection conn = null; |
|
678 |
int serialNumber = -1; |
|
679 |
String sql = null; |
|
680 |
boolean topLever =false; |
|
681 |
sql = "SELECT principal_name, permission, perm_type, perm_order FROM xml_access "; |
|
682 |
|
|
683 |
//TODO, need this? |
|
684 |
long startId = 0; |
|
685 |
if (startId == TOPLEVELSTARTNODEID) |
|
686 |
{ |
|
687 |
//top level |
|
688 |
topLever = true; |
|
689 |
sql += "WHERE docid = ? AND startnodeid is NULL"; |
|
690 |
} |
|
691 |
else |
|
692 |
{ |
|
693 |
//sub tree level |
|
694 |
sql += "WHERE docid = ? AND startnodeid = ?"; |
|
695 |
} |
|
696 |
|
|
697 |
try |
|
698 |
{ |
|
699 |
//check out DBConnection |
|
700 |
conn=DBConnectionPool.getDBConnection("AccessControlList.getPermissions"); |
|
701 |
serialNumber=conn.getCheckOutSerialNumber(); |
|
702 |
|
|
703 |
//select permission order from database |
|
704 |
pStmt = conn.prepareStatement(sql); |
|
705 |
|
|
706 |
//bind value |
|
707 |
pStmt.setString(1, docId);//docid |
|
708 |
|
|
709 |
// if subtree, we need set subtree id |
|
710 |
if (!topLever) |
|
711 |
{ |
|
712 |
pStmt.setLong(2, startId); |
|
713 |
} |
|
714 |
|
|
715 |
pStmt.execute(); |
|
716 |
ResultSet rs = pStmt.getResultSet(); |
|
717 |
while (rs.next()) |
|
718 |
{ |
|
719 |
//get the permission order from data base |
|
720 |
String principalName=rs.getString(1); |
|
721 |
String permission=rs.getString(2); |
|
722 |
String permType=rs.getString(3); |
|
723 |
String permOrder=rs.getString(4); |
|
724 |
|
|
725 |
//translate to string version |
|
726 |
String myPermission = AccessControlList.txtValue(Integer.parseInt(permission)); |
|
727 |
|
|
728 |
//make it into an object |
|
729 |
AccessControlForSingleFile acfsf = |
|
730 |
new AccessControlForSingleFile(docId, principalName, myPermission, permType, permOrder); |
|
731 |
accessControl.add(acfsf); |
|
732 |
} |
|
733 |
pStmt.close(); |
|
734 |
}//try |
|
735 |
catch (SQLException e) |
|
736 |
{ |
|
737 |
throw e; |
|
738 |
} |
|
739 |
finally |
|
740 |
{ |
|
741 |
try |
|
742 |
{ |
|
743 |
pStmt.close(); |
|
744 |
} |
|
745 |
finally |
|
746 |
{ |
|
747 |
DBConnectionPool.returnDBConnection(conn, serialNumber); |
|
748 |
} |
|
749 |
} |
|
750 |
|
|
751 |
return accessControl; |
|
752 |
|
|
753 |
}//getPermissions |
|
754 |
|
|
755 | 666 |
/** |
756 | 667 |
* Check if the users array has allow rules for given users, docid and |
757 | 668 |
* permission. |
Also available in: Unified diff
change AccessControlForSingleFile to only be instantiated for one file. move ACL methods to AccessControlForSingleFile. Change format of access sections returned to EML 2.1.0.