/ - Diff - Metacat - Ecoinformatics Redmine

« Previous | Next »

Revision 7137

Added by ben leinfelder about 12 years ago

no not record EML access rules that use the "denyFirst" permOrder.
https://redmine.dataone.org/issues/2614

+    	}
     	/**
     	 * NOTE: as of Metacat 2.0.0, denyFirst permOrder is not supported.
     	 * Access rules with denyFirst are ignored and only the document owner
     	 * has access to the object (default).
+    	 *
     	 * Tests Tests a version 2.0.1 EML document when permission order is
     	 * denyFirst, the combination of allow and deny rules affect user to read,
     	 * update and delete a document. Here are test cases 1.An user inserts a
-...
     	 * failure
     	 */
     	public void test201DenyFirst() {
     		debug("\nRunning: test201DenyFirst()");
     		debug("\nRunning: test201DenyFirstIgnore()");
     		String emlVersion = EML2_0_1;
     		try {
     			newdocid = generateDocumentId();
     			// ====1 inserts a document with access rules (denyFirst) - allow
     			// READ rule for another user,
     			// deny READ rule for public.
     			// all are ignored
     			String accessRule1 = generateOneAccessRule(anotheruser, true, true, false,
     					false, false);
     			String accessRule2 = generateOneAccessRule("public", false, true, false,
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".1", testdocument, SUCCESS, false);
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".1", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".2", testdocument, FAILURE, true);
     			// fails to update access part
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".2", testdocument, SUCCESS, false);
     			// succeeds to update this document
     			updateDocumentId(newdocid + ".3", testdocument, SUCCESS, false);
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".2", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".3", testdocument, FAILURE, true);
     			// fails to update access part
     			testdocument = getTestEmlDoc(
     					"Testing user can not read, write and delete a document", emlVersion,
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".4", testdocument, SUCCESS, false);
     			// succeeds to update this document
     			updateDocumentId(newdocid + ".5", testdocument, SUCCESS, false);
     			// succeed to update access part
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".4", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".5", testdocument, FAILURE, true);
     			// fails to update access part
     			testdocument = getTestEmlDoc(
     					"Testing user can not read, write and delete a document", emlVersion,
     					null, null, null, null, getAccessBlock(anotheruser, true, true, true,
     							true, true), null, null, null, null);
     			updateDocumentId(newdocid + ".6", testdocument, SUCCESS, false);
     			// succeeds to delete the document
     			deleteDocumentId(newdocid + ".6", SUCCESS, false);
     			updateDocumentId(newdocid + ".6", testdocument, FAILURE, true);
     			// fails to delete the document
     			deleteDocumentId(newdocid + ".6", FAILURE, true);
     			// logout
     			debug("logging out");
     			m.logout();
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".1", testdocument, SUCCESS, false);
     			// succeeds to update this document
     			updateDocumentId(newdocid + ".2", testdocument, SUCCESS, false);
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".1", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".2", testdocument, FAILURE, true);
     			// fails to update access part
     			testdocument = getTestEmlDoc(
     					"Testing user can not read, write and delete a document", emlVersion,
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".10", testdocument, SUCCESS, false);
     			// succeed to update this document
     			updateDocumentId(newdocid + ".11", testdocument, SUCCESS, false);
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".10", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".11", testdocument, FAILURE, true);
     			// fails to update access part
     			testdocument = getTestEmlDoc(
     					"Testing user can not read, write and delete a document", emlVersion,
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".13", testdocument, SUCCESS, false);
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".13", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".14", testdocument, FAILURE, true);
     			// fails to update access part
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".14", testdocument, SUCCESS, false);
     			// succeeds to update this document
     			updateDocumentId(newdocid + ".15", testdocument, SUCCESS, false);
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".14", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".15", testdocument, FAILURE, true);
     			// fails to update access part
     			testdocument = getTestEmlDoc(
     					"Testing user can not read, write and delete a document", emlVersion,
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".16", testdocument, SUCCESS, false);
     			// succeeds to update this document
     			updateDocumentId(newdocid + ".17", testdocument, SUCCESS, false);
     			// succeeds to update access part
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".16", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".17", testdocument, FAILURE, true);
     			// fails to update access part
     			testdocument = getTestEmlDoc(
     					"Testing user can not read, write and delete a document", emlVersion,
     					null, null, null, null, getAccessBlock(anotheruser, true, true, true,
     							true, true), null, null, null, null);
     			updateDocumentId(newdocid + ".18", testdocument, SUCCESS, false);
     			// succeeds to delete the document
     			deleteDocumentId(newdocid + ".18", SUCCESS, false);
     			updateDocumentId(newdocid + ".18", testdocument, FAILURE, true);
     			// fails to delete the document
     			deleteDocumentId(newdocid + ".18", FAILURE, true);
     			// logout
     			debug("logging out");
     			m.logout();
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeed to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".1", testdocument, SUCCESS, false);
     			// succeeds to update this document
     			updateDocumentId(newdocid + ".20", testdocument, SUCCESS, false);
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".1", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".20", testdocument, FAILURE, true);
     			// fails to update access part
     			testdocument = getTestEmlDoc(
     					"Testing user can not read, write and delete a document", emlVersion,
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".21", testdocument, SUCCESS, false);
     			// succeeds to update this document
     			updateDocumentId(newdocid + ".22", testdocument, SUCCESS, false);
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".21", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".22", testdocument, FAILURE, true);
     			// fails to update access part
     			testdocument = getTestEmlDoc(
     					"Testing user can not read, write and delete a document", emlVersion,
-...
+    	}
     	/**
     	 * NOTE: as of Metacat 2.0.0, denyFirst permOrder is not supported.
     	 * Access rules with denyFirst are ignored and only the document owner
     	 * has access to the object (default).
+    	 *
     	 * Tests Tests a version 2.1.0 EML document when permission order is
     	 * denyFirst, the combination of allow and deny rules affect user to read,
     	 * update and delete a document. Here are test cases
-...
     	 * this document - failure.
     	 */
     	public void test210DenyFirst() {
     		debug("\nRunning: test210DenyFirst()");
     		debug("\nRunning: test210DenyFirstIgnore()");
     		String emlVersion = EML2_1_0;
     		try {
     			newdocid = generateDocumentId();
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".1", testdocument, SUCCESS, false);
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".1", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".2", testdocument, FAILURE, true);
     			// fails to update access part
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".2", testdocument, SUCCESS, false);
     			// succeeds to update this document
     			updateDocumentId(newdocid + ".3", testdocument, SUCCESS, false);
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".2", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".3", testdocument, FAILURE, true);
     			// fails to update access part
     			testdocument = getTestEmlDoc(
     					"Testing user can not read, write and delete a document", emlVersion,
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".4", testdocument, SUCCESS, false);
     			// succeeds to update this document
     			updateDocumentId(newdocid + ".5", testdocument, SUCCESS, false);
     			// succeed to update access part
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".4", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".5", testdocument, FAILURE, true);
     			// fails to update access part
     			testdocument = getTestEmlDoc(
     					"Testing user can not read, write and delete a document", emlVersion,
     					null, null, null, null, getAccessBlock(anotheruser, true, true, true,
     							true, true), null, null, null, null);
     			updateDocumentId(newdocid + ".6", testdocument, SUCCESS, false);
     			// succeeds to delete the document
     			deleteDocumentId(newdocid + ".6", SUCCESS, false);
     			updateDocumentId(newdocid + ".6", testdocument, FAILURE, true);
     			// fails to delete the document
     			deleteDocumentId(newdocid + ".6", FAILURE, true);
     			// logout
     			debug("logging out");
     			m.logout();
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".1", testdocument, SUCCESS, false);
     			// succeeds to update this document
     			updateDocumentId(newdocid + ".2", testdocument, SUCCESS, false);
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".1", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".2", testdocument, FAILURE, true);
     			// fails to update access part
     			testdocument = getTestEmlDoc(
     					"Testing user can not read, write and delete a document", emlVersion,
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".10", testdocument, SUCCESS, false);
     			// succeed to update this document
     			updateDocumentId(newdocid + ".11", testdocument, SUCCESS, false);
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".10", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".11", testdocument, FAILURE, true);
     			// fails to update access part
     			testdocument = getTestEmlDoc(
     					"Testing user can not read, write and delete a document", emlVersion,
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".13", testdocument, SUCCESS, false);
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".13", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".14", testdocument, FAILURE, true);
     			// fails to update access part
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".14", testdocument, SUCCESS, false);
     			// succeeds to update this document
     			updateDocumentId(newdocid + ".15", testdocument, SUCCESS, false);
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".14", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".15", testdocument, FAILURE, true);
     			// fails to update access part
     			testdocument = getTestEmlDoc(
     					"Testing user can not read, write and delete a document", emlVersion,
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".16", testdocument, SUCCESS, false);
     			// succeeds to update this document
     			updateDocumentId(newdocid + ".17", testdocument, SUCCESS, false);
     			// succeeds to update access part
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".16", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".17", testdocument, FAILURE, true);
     			// fails to update access part
     			testdocument = getTestEmlDoc(
     					"Testing user can not read, write and delete a document", emlVersion,
     					null, null, null, null, getAccessBlock(anotheruser, true, true, true,
     							true, true), null, null, null, null);
     			updateDocumentId(newdocid + ".18", testdocument, SUCCESS, false);
     			// succeeds to delete the document
     			deleteDocumentId(newdocid + ".18", SUCCESS, false);
     			updateDocumentId(newdocid + ".18", testdocument, FAILURE, true);
     			// fails to delete the document
     			deleteDocumentId(newdocid + ".18", FAILURE, true);
     			// logout
     			debug("logging out");
     			m.logout();
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeed to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".1", testdocument, SUCCESS, false);
     			// succeeds to update this document
     			updateDocumentId(newdocid + ".20", testdocument, SUCCESS, false);
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".1", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".20", testdocument, FAILURE, true);
     			// fails to update access part
     			testdocument = getTestEmlDoc(
     					"Testing user can not read, write and delete a document", emlVersion,
-...
     			debug("logging in as: anotheruser=" + anotheruser + " anotherpassword="
     					+ anotherpassword);
     			m.login(anotheruser, anotherpassword);
     			// succeeds to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".21", testdocument, SUCCESS, false);
     			// succeeds to update this document
     			updateDocumentId(newdocid + ".22", testdocument, SUCCESS, false);
     			// fails to read this document
     			readDocumentIdWhichEqualsDoc(newdocid + ".21", testdocument, FAILURE, true);
     			// fails to update this document
     			updateDocumentId(newdocid + ".22", testdocument, FAILURE, true);
     			// fails to update access part
     			testdocument = getTestEmlDoc(
     					"Testing user can not read, write and delete a document", emlVersion,

         boolean hasTriple = false;
     	protected boolean writeAccessRules = true;
     	protected boolean writeAccessRules = true;
     	protected boolean ignoreDenyFirst = true;
         public static final String ECOGRID = "ecogrid://";
         private Logger logMetacat = Logger.getLogger(DBSAXHandler.class);

            // will be write into xml_accesssubtee table
            AccessSection newAccess = resolveAccessRuleReference(access);
            String permOrder = newAccess.getPermissionOrder();
            if (permOrder.equals(AccessControlInterface.DENYFIRST) && ignoreDenyFirst) {
         	   logMetacat.warn("Metacat no longer supports EML 'denyFirst' access rules - ignoring this access block");
         	   return;
+           }
            Vector accessRule = newAccess.getAccessRules();
            if (describeIdList == null || describeIdList.isEmpty())
-...
            AccessSection newAccess = resolveAccessRuleReference(topAccessSection);
            //System.out.println("permorder in new level" + newAccess.getPermissionOrder());
            String permOrder = newAccess.getPermissionOrder();
            if (permOrder.equals(AccessControlInterface.DENYFIRST) && ignoreDenyFirst) {
         	   logMetacat.warn("Metacat no longer supports EML 'denyFirst' access rules - ignoring this access block");
         	   return;
+           }
            Vector accessRule = newAccess.getAccessRules();
            String subtree     = null;

     			// if accessSection is not null and is not reference
     			if (accessSectionObj.getReferences() == null) {
     				// check for denyFirst permOrder
     				String permOrder = accessSectionObj.getPermissionOrder();
     				if (permOrder.equals(AccessControlInterface.DENYFIRST) && ignoreDenyFirst) {
     					logMetacat.warn("Metacat no longer supports EML 'denyFirst' access rules - ignoring this access block");
     			    	return;
+    			    }
     				// write the top level access module into xml_accesssubtree to
     				// store info and then when update to check if the user can
     				// update it or not
-...
     				for (int i = 0; i < accessObjectList.size(); i++) {
     					AccessSection accessObj = accessObjectList.elementAt(i);
     					String accessObjId = accessObj.getSubTreeId();
     					// check for denyFirst permOrder
     					String permOrder = accessObj.getPermissionOrder();
     					if (permOrder.equals(AccessControlInterface.DENYFIRST) && ignoreDenyFirst) {
     						logMetacat.warn("Metacat no longer supports EML 'denyFirst' access rules - ignoring this access block, subtree id: " + accessObjId);
     				    	continue;
+    				    }
     					if (referenceId != null && accessObj != null
     							&& referenceId.equals(accessObjId)) {
     						// make sure the user didn't change any thing in this
-...
     				// If the distribution doesn't have an access section, we continue.
     				if (accessSection == null) {
     					continue;
+    				}
+    				}
     				// check for denyFirst permOrder
     				String permOrder = accessSection.getPermissionOrder();
     				if (permOrder.equals(AccessControlInterface.DENYFIRST) && ignoreDenyFirst) {
     					logMetacat.warn("Metacat no longer supports EML 'denyFirst' access rules - ignoring this access block: " + distributionSection.getDataFileName());
     			    	continue;
+    			    }
     				// We want to check file permissions for all online data updates and inserts, or for
     				// inline updates.
     //				if (distributionType == DistributionSection.DATA_DISTRIBUTION

README
58	58	This major release includes support for DataONE.
59	59	*The DataONE v1.0.0 Member Node service APIs are now the preferred method for communicating with Metacat
60	60	*The existing EcoGrid and Metacat Servlet APIs are deprecated.
	61	*EML-embedded access control rules using permOrder="denyFirst" are no longer supported (https://redmine.dataone.org/issues/2614)
61	62	*Bugs fixed include:
62	63	<bugs here>
63	64

Also available in: Unified diff

Project

General

Profile

Metacat

Revision 7137

Added by ben leinfelder about 12 years ago