Revision 6194
Added by ben leinfelder over 13 years ago
| src/edu/ucsb/nceas/metacat/dataone/CNodeService.java | ||
|---|---|---|
| 25 | 25 |
|
| 26 | 26 |
import java.io.InputStream; |
| 27 | 27 |
import java.util.Date; |
| 28 |
import java.util.List; |
|
| 28 | 29 |
|
| 29 | 30 |
import org.apache.log4j.Logger; |
| 30 | 31 |
import org.dataone.service.cn.CNAuthorization; |
| 31 | 32 |
import org.dataone.service.cn.CNCore; |
| 32 |
import org.dataone.service.cn.CNIdentity; |
|
| 33 | 33 |
import org.dataone.service.cn.CNRead; |
| 34 | 34 |
import org.dataone.service.cn.CNRegister; |
| 35 | 35 |
import org.dataone.service.cn.CNReplication; |
| 36 | 36 |
import org.dataone.service.exceptions.IdentifierNotUnique; |
| 37 | 37 |
import org.dataone.service.exceptions.InsufficientResources; |
| 38 |
import org.dataone.service.exceptions.InvalidCredentials; |
|
| 39 | 38 |
import org.dataone.service.exceptions.InvalidRequest; |
| 40 | 39 |
import org.dataone.service.exceptions.InvalidSystemMetadata; |
| 41 | 40 |
import org.dataone.service.exceptions.InvalidToken; |
| ... | ... | |
| 45 | 44 |
import org.dataone.service.exceptions.ServiceFailure; |
| 46 | 45 |
import org.dataone.service.exceptions.UnsupportedType; |
| 47 | 46 |
import org.dataone.service.types.AccessPolicy; |
| 47 |
import org.dataone.service.types.AccessRule; |
|
| 48 | 48 |
import org.dataone.service.types.Checksum; |
| 49 | 49 |
import org.dataone.service.types.Event; |
| 50 | 50 |
import org.dataone.service.types.Identifier; |
| ... | ... | |
| 57 | 57 |
import org.dataone.service.types.ObjectFormatList; |
| 58 | 58 |
import org.dataone.service.types.ObjectList; |
| 59 | 59 |
import org.dataone.service.types.ObjectLocationList; |
| 60 |
import org.dataone.service.types.Person;
|
|
| 60 |
import org.dataone.service.types.Permission;
|
|
| 61 | 61 |
import org.dataone.service.types.QueryType; |
| 62 | 62 |
import org.dataone.service.types.ReplicationPolicy; |
| 63 | 63 |
import org.dataone.service.types.ReplicationStatus; |
| 64 | 64 |
import org.dataone.service.types.Session; |
| 65 | 65 |
import org.dataone.service.types.Subject; |
| 66 |
import org.dataone.service.types.SubjectList; |
|
| 67 | 66 |
import org.dataone.service.types.SystemMetadata; |
| 68 | 67 |
|
| 69 | 68 |
import edu.ucsb.nceas.metacat.EventLog; |
| 70 | 69 |
import edu.ucsb.nceas.metacat.IdentifierManager; |
| 70 |
import edu.ucsb.nceas.metacat.McdbDocNotFoundException; |
|
| 71 | 71 |
import edu.ucsb.nceas.metacat.replication.ForceReplicationSystemMetadataHandler; |
| 72 | 72 |
|
| 73 | 73 |
/** |
| ... | ... | |
| 568 | 568 |
} |
| 569 | 569 |
|
| 570 | 570 |
/** |
| 571 |
* Test if the user identified by the provided token has authorization |
|
| 572 |
* for operation on the specified object. |
|
| 573 |
* |
|
| 574 |
* @param session - the Session object containing the credentials for the Subject |
|
| 575 |
* @param pid - The identifer of the resource for which access is being checked |
|
| 576 |
* @param operation - The type of operation which is being requested for the given pid |
|
| 577 |
* |
|
| 578 |
* @return true if the operation is allowed |
|
| 579 |
* |
|
| 580 |
* @throws ServiceFailure |
|
| 581 |
* @throws InvalidToken |
|
| 582 |
* @throws NotFound |
|
| 583 |
* @throws NotAuthorized |
|
| 584 |
* @throws NotImplemented |
|
| 585 |
* @throws InvalidRequest |
|
| 586 |
*/ |
|
| 587 |
@Override |
|
| 588 |
public boolean isAuthorized(Session session, Identifier pid, Event action) |
|
| 589 |
throws ServiceFailure, InvalidToken, NotFound, NotAuthorized, |
|
| 590 |
NotImplemented, InvalidRequest {
|
|
| 591 |
|
|
| 592 |
return false; |
|
| 593 |
} |
|
| 594 |
|
|
| 595 |
/** |
|
| 596 |
* Sets the access permissions for an object identified by pid |
|
| 597 |
* |
|
| 598 |
* @param session - the Session object containing the credentials for the Subject |
|
| 599 |
* @param pid - The identifer of the resource to set access on |
|
| 600 |
* @param accessPolicy - The access policy to be applied for the object |
|
| 601 |
* |
|
| 602 |
* @return true if the operation is allowed |
|
| 603 |
* |
|
| 604 |
* @throws ServiceFailure |
|
| 605 |
* @throws InvalidToken |
|
| 606 |
* @throws NotFound |
|
| 607 |
* @throws NotAuthorized |
|
| 608 |
* @throws NotImplemented |
|
| 609 |
* @throws InvalidRequest |
|
| 610 |
*/ |
|
| 611 |
@Override |
|
| 612 |
public boolean setAccessPolicy(Session session, Identifier pid, |
|
| 613 |
AccessPolicy accessPolicy) throws InvalidToken, NotFound, NotImplemented, |
|
| 614 |
NotAuthorized, ServiceFailure, InvalidRequest {
|
|
| 615 |
|
|
| 616 |
return super.setAccessPolicy(session, pid, accessPolicy); |
|
| 617 |
} |
|
| 618 |
|
|
| 619 |
/** |
|
| 620 | 571 |
* Changes ownership (RightsHolder) of the specified object to the |
| 621 | 572 |
* subject specified by userId |
| 622 | 573 |
* |
| ... | ... | |
| 637 | 588 |
public Identifier setOwner(Session session, Identifier pid, Subject userId) |
| 638 | 589 |
throws InvalidToken, ServiceFailure, NotFound, NotAuthorized, |
| 639 | 590 |
NotImplemented, InvalidRequest {
|
| 591 |
|
|
| 592 |
// get the subject |
|
| 593 |
Subject subject = session.getSubject(); |
|
| 594 |
// get the system metadata |
|
| 595 |
String guid = pid.getValue(); |
|
| 596 |
|
|
| 597 |
// are we allowed to do this? |
|
| 598 |
if (!hasPermission(session, pid, Permission.CHANGE_PERMISSION)) {
|
|
| 599 |
throw new NotAuthorized("4440", "not allowed by " + subject.getValue() + " on " + guid);
|
|
| 600 |
} |
|
| 601 |
|
|
| 602 |
SystemMetadata systemMetadata = null; |
|
| 603 |
try {
|
|
| 604 |
systemMetadata = IdentifierManager.getInstance().getSystemMetadata(guid); |
|
| 605 |
} catch (McdbDocNotFoundException e) {
|
|
| 606 |
throw new NotFound("4460", "No record found for: " + guid);
|
|
| 607 |
} |
|
| 608 |
|
|
| 609 |
// set the new rights holder |
|
| 610 |
systemMetadata.setRightsHolder(userId); |
|
| 611 |
|
|
| 612 |
// update the metadata |
|
| 613 |
try {
|
|
| 614 |
IdentifierManager.getInstance().updateSystemMetadata(systemMetadata); |
|
| 615 |
} catch (McdbDocNotFoundException e) {
|
|
| 616 |
throw new ServiceFailure("4490", e.getMessage());
|
|
| 617 |
} |
|
| 640 | 618 |
|
| 641 |
return null;
|
|
| 619 |
return pid;
|
|
| 642 | 620 |
} |
| 643 | 621 |
|
| 644 | 622 |
} |
| src/edu/ucsb/nceas/metacat/dataone/D1NodeService.java | ||
|---|---|---|
| 26 | 26 |
import java.io.InputStream; |
| 27 | 27 |
import java.util.Calendar; |
| 28 | 28 |
import java.util.Date; |
| 29 |
import java.util.List; |
|
| 29 | 30 |
import java.util.Vector; |
| 30 | 31 |
|
| 31 |
import org.apache.commons.logging.LogFactory; |
|
| 32 | 32 |
import org.apache.log4j.Logger; |
| 33 | 33 |
import org.dataone.service.exceptions.InvalidRequest; |
| 34 | 34 |
import org.dataone.service.exceptions.InvalidToken; |
| ... | ... | |
| 37 | 37 |
import org.dataone.service.exceptions.NotImplemented; |
| 38 | 38 |
import org.dataone.service.exceptions.ServiceFailure; |
| 39 | 39 |
import org.dataone.service.types.AccessPolicy; |
| 40 |
import org.dataone.service.types.Checksum;
|
|
| 40 |
import org.dataone.service.types.AccessRule;
|
|
| 41 | 41 |
import org.dataone.service.types.Event; |
| 42 | 42 |
import org.dataone.service.types.Identifier; |
| 43 | 43 |
import org.dataone.service.types.Log; |
| ... | ... | |
| 50 | 50 |
|
| 51 | 51 |
import edu.ucsb.nceas.metacat.EventLog; |
| 52 | 52 |
import edu.ucsb.nceas.metacat.IdentifierManager; |
| 53 |
import edu.ucsb.nceas.metacat.McdbDocNotFoundException; |
|
| 53 | 54 |
|
| 54 | 55 |
public abstract class D1NodeService {
|
| 55 | 56 |
|
| 56 |
private static Logger logMetacat = Logger.getLogger(CNCoreImpl.class);
|
|
| 57 |
private static Logger logMetacat = Logger.getLogger(D1NodeService.class);
|
|
| 57 | 58 |
|
| 58 | 59 |
|
| 59 | 60 |
/* Methods common to CNCore and MNCore APIs */ |
| ... | ... | |
| 262 | 263 |
throws InvalidToken, ServiceFailure, NotFound, NotAuthorized, |
| 263 | 264 |
NotImplemented, InvalidRequest {
|
| 264 | 265 |
|
| 265 |
return false; |
|
| 266 |
boolean success = false; |
|
| 267 |
|
|
| 268 |
// get the subject |
|
| 269 |
Subject subject = session.getSubject(); |
|
| 270 |
// get the system metadata |
|
| 271 |
String guid = pid.getValue(); |
|
| 272 |
|
|
| 273 |
// are we allowed to do this? |
|
| 274 |
if (!hasPermission(session, pid, Permission.CHANGE_PERMISSION)) {
|
|
| 275 |
throw new NotAuthorized("4420", "not allowed by " + subject.getValue() + " on " + guid);
|
|
| 276 |
} |
|
| 277 |
|
|
| 278 |
SystemMetadata systemMetadata = null; |
|
| 279 |
try {
|
|
| 280 |
systemMetadata = IdentifierManager.getInstance().getSystemMetadata(guid); |
|
| 281 |
} catch (McdbDocNotFoundException e) {
|
|
| 282 |
throw new NotFound("4400", "No record found for: " + guid);
|
|
| 283 |
} |
|
| 284 |
|
|
| 285 |
// set the access policy |
|
| 286 |
systemMetadata.setAccessPolicy(accessPolicy); |
|
| 287 |
|
|
| 288 |
// update the metadata |
|
| 289 |
try {
|
|
| 290 |
IdentifierManager.getInstance().updateSystemMetadata(systemMetadata); |
|
| 291 |
success = true; |
|
| 292 |
} catch (McdbDocNotFoundException e) {
|
|
| 293 |
throw new ServiceFailure("4430", e.getMessage());
|
|
| 294 |
} |
|
| 295 |
|
|
| 296 |
return success; |
|
| 266 | 297 |
} |
| 298 |
|
|
| 299 |
/** |
|
| 300 |
* Test if the user identified by the provided token has authorization |
|
| 301 |
* for operation on the specified object. |
|
| 302 |
* |
|
| 303 |
* @param session - the Session object containing the credentials for the Subject |
|
| 304 |
* @param pid - The identifer of the resource for which access is being checked |
|
| 305 |
* @param operation - The type of operation which is being requested for the given pid |
|
| 306 |
* |
|
| 307 |
* @return true if the operation is allowed |
|
| 308 |
* |
|
| 309 |
* @throws ServiceFailure |
|
| 310 |
* @throws InvalidToken |
|
| 311 |
* @throws NotFound |
|
| 312 |
* @throws NotAuthorized |
|
| 313 |
* @throws NotImplemented |
|
| 314 |
* @throws InvalidRequest |
|
| 315 |
*/ |
|
| 316 |
public boolean isAuthorized(Session session, Identifier pid, Event action) |
|
| 317 |
throws ServiceFailure, InvalidToken, NotFound, NotAuthorized, |
|
| 318 |
NotImplemented, InvalidRequest {
|
|
| 267 | 319 |
|
| 320 |
boolean allowed = false; |
|
| 321 |
|
|
| 322 |
// get the subject |
|
| 323 |
Subject subject = session.getSubject(); |
|
| 324 |
|
|
| 325 |
// get the system metadata |
|
| 326 |
String guid = pid.getValue(); |
|
| 327 |
SystemMetadata systemMetadata = null; |
|
| 328 |
try {
|
|
| 329 |
systemMetadata = IdentifierManager.getInstance().getSystemMetadata(guid); |
|
| 330 |
} catch (McdbDocNotFoundException e) {
|
|
| 331 |
throw new NotFound("1800", "No record found for: " + guid);
|
|
| 332 |
} |
|
| 333 |
List<AccessRule> allows = systemMetadata.getAccessPolicy().getAllowList(); |
|
| 334 |
for (AccessRule accessRule: allows) {
|
|
| 335 |
if (accessRule.getSubjectList().contains(subject)) {
|
|
| 336 |
List<Permission> permissions = accessRule.getPermissionList(); |
|
| 337 |
for (Permission permission: permissions) {
|
|
| 338 |
// TODO: something better than string comparison |
|
| 339 |
// TODO: reconcile Event vs Permission type |
|
| 340 |
allowed = permission.toString().equals(action.toString()); |
|
| 341 |
if (allowed) {
|
|
| 342 |
break; |
|
| 343 |
} |
|
| 344 |
} |
|
| 345 |
} |
|
| 346 |
} |
|
| 347 |
|
|
| 348 |
// TODO: throw or return? |
|
| 349 |
if (!allowed) {
|
|
| 350 |
throw new NotAuthorized("1820", action + "not allowed by " + subject.getValue() + " on " + guid);
|
|
| 351 |
} |
|
| 352 |
return allowed; |
|
| 353 |
} |
|
| 354 |
|
|
| 355 |
protected boolean hasPermission(Session session, Identifier pid, Permission permission) |
|
| 356 |
throws ServiceFailure, InvalidToken, NotFound, NotAuthorized, |
|
| 357 |
NotImplemented, InvalidRequest {
|
|
| 358 |
|
|
| 359 |
boolean allowed = false; |
|
| 360 |
|
|
| 361 |
// get the subject |
|
| 362 |
Subject subject = session.getSubject(); |
|
| 363 |
|
|
| 364 |
// get the system metadata |
|
| 365 |
String guid = pid.getValue(); |
|
| 366 |
SystemMetadata systemMetadata = null; |
|
| 367 |
try {
|
|
| 368 |
systemMetadata = IdentifierManager.getInstance().getSystemMetadata(guid); |
|
| 369 |
} catch (McdbDocNotFoundException e) {
|
|
| 370 |
throw new NotFound("1800", "No record found for: " + guid);
|
|
| 371 |
} |
|
| 372 |
List<AccessRule> allows = systemMetadata.getAccessPolicy().getAllowList(); |
|
| 373 |
for (AccessRule accessRule: allows) {
|
|
| 374 |
if (accessRule.getSubjectList().contains(subject)) {
|
|
| 375 |
allowed = accessRule.getPermissionList().contains(permission); |
|
| 376 |
if (allowed) {
|
|
| 377 |
break; |
|
| 378 |
} |
|
| 379 |
} |
|
| 380 |
} |
|
| 381 |
|
|
| 382 |
return allowed; |
|
| 383 |
} |
|
| 384 |
|
|
| 268 | 385 |
/* End methods common to CNAuthorization and MNAuthorization APIs */ |
| 269 | 386 |
|
| 270 | 387 |
/** |
Also available in: Unified diff
implement CNAuthorization