/ - Diff - Metacat - Ecoinformatics Redmine

« Previous | Next »

Revision 7330

Added by ben leinfelder over 12 years ago

check if the caller is the Node admin (the member node calling itself) as well as the existing check for the CN calling the service. Both of those callers should be given full admin rights.

         	// only admin of  the MN or the CN is allowed a full delete
             boolean allowed = false;
             allowed = isNodeAdmin(session);
             allowed = allowed || isAdminAuthorized(session);
             allowed = isAdminAuthorized(session);
             if (!allowed) {
                 throw new NotAuthorized("1320", "The provided identity does not have " + "permission to delete objects on the Node.");
+            }

           logMetacat.debug("In isAdminAuthorized(), checking CN or MN authorization for " +
                session.getSubject().getValue());
           // are we allowed to do this? only CNs are allowed
           CNode cn = D1Client.getCN();
           List<Node> nodes = cn.listNodes().getNodeList();
           // check if this is the node calling itself (MN)
           allowed = isNodeAdmin(session);
           if ( nodes == null ) {
               throw new ServiceFailure("4852", "Couldn't get node list.");
           // check the CN list
           if (!allowed) {
     	      // are we allowed to do this? only CNs are allowed
     	      CNode cn = D1Client.getCN();
     	      List<Node> nodes = cn.listNodes().getNodeList();
     	      if ( nodes == null ) {
     	          throw new ServiceFailure("4852", "Couldn't get node list.");
+    	      }
     	      // find the node in the node list
     	      for ( Node node : nodes ) {
     	          NodeReference nodeReference = node.getIdentifier();
     	          logMetacat.debug("In isAdminAuthorized(), Node reference is: " + nodeReference.getValue());
     	          Subject subject = session.getSubject();
     	          if (node.getType() == NodeType.CN) {
     	              List<Subject> nodeSubjects = node.getSubjectList();
     	              // check if the session subject is in the node subject list
     	              for (Subject nodeSubject : nodeSubjects) {
     	                  logMetacat.debug("In isAdminAuthorized(), comparing subjects: " +
     	                      nodeSubject.getValue() + " and " + subject.getValue());
     	                  if ( nodeSubject.equals(subject) ) {
     	                      allowed = true; // subject of session == target node subject
     	                      break;
+    	                  }
+    	              }
+    	          }
+    	      }
+          }
           // find the node in the node list
           for ( Node node : nodes ) {
               NodeReference nodeReference = node.getIdentifier();
               logMetacat.debug("In isAdminAuthorized(), Node reference is: " + nodeReference.getValue());
               Subject subject = session.getSubject();
               if (node.getType() == NodeType.CN) {
                   List<Subject> nodeSubjects = node.getSubjectList();
                   // check if the session subject is in the node subject list
                   for (Subject nodeSubject : nodeSubjects) {
                       logMetacat.debug("In isAdminAuthorized(), comparing subjects: " +
                           nodeSubject.getValue() + " and " + subject.getValue());
                       if ( nodeSubject.equals(subject) ) {
                           allowed = true; // subject of session == target node subject
                           break;
+                      }
+                  }
+              }
+          }
           return allowed;
+      }

Also available in: Unified diff

Project

General

Profile

Metacat

Revision 7330

Added by ben leinfelder over 12 years ago