/src/edu/ucsb/nceas/metacat/AccessControlList.java - Annotate - Metacat - Ecoinformatics Redmine

metacat/src/edu/ucsb/nceas/metacat/AccessControlList.java @ 774

-            bojilova
+/**
  *  '$RCSfile$'
  *    Purpose: A Class that loads eml-access.xml file containing ACL
  *             for a metadata document into relational DB
  *  Copyright: 2000 Regents of the University of California and the
  *             National Center for Ecological Analysis and Synthesis
  *    Authors: Jivka Bojilova
  *    Release: @release@
+ *
  *   '$Author$'
  *     '$Date$'
  * '$Revision$'
             jones
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or
  * (at your option) any later version.
+ *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
+ *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-            bojilova
+ */
 package edu.ucsb.nceas.metacat;
 import java.io.*;
 import java.sql.*;
 import java.util.Stack;
 import java.util.Vector;
-            bojilova
+import java.util.Hashtable;
 import java.net.URL;
 import java.net.MalformedURLException;
             bojilova
 import org.xml.sax.Attributes;
 import org.xml.sax.InputSource;
-            bojilova
+import org.xml.sax.ContentHandler;
 import org.xml.sax.EntityResolver;
 import org.xml.sax.ErrorHandler;
-            bojilova
+import org.xml.sax.SAXException;
 import org.xml.sax.SAXParseException;
 import org.xml.sax.XMLReader;
 import org.xml.sax.helpers.XMLReaderFactory;
 import org.xml.sax.helpers.DefaultHandler;
-            bojilova
+import edu.ucsb.nceas.dbadapter.DBAdapter;
-            bojilova
+/**
  * A Class that loads eml-access.xml file containing ACL for a metadata
  * document into relational DB. It extends DefaultHandler class to handle
  * SAX parsing events when processing the XML stream.
  */
 public class AccessControlList extends DefaultHandler {
-            bojilova
+  private static final int ALL = 1;
   private static final int WRITE = 2;
   private static final int READ = 4;
   private static String sysdate = MetaCatUtil.dbAdapter.getDateTimeFunction();
   private static String isnull = MetaCatUtil.dbAdapter.getIsNULLFunction();
             bojilova
-            bojilova
+  private Connection conn;
-            bojilova
+  private String parserName;
   private Stack elementStack;
-            bojilova
+  private String server;
             bojilova
-            bojilova
+  private boolean	processingDTD;
-            bojilova
+  private String  user;
   private String  group;
-            bojilova
+  private String  aclid;
-            bojilova
+  private String 	docname;
   private String 	doctype;
   private String 	systemid;
-            bojilova
+  private String docurl;
   private Vector resourceURL;
   private Vector resourceID;
-            bojilova
+  private Vector principal;
-            bojilova
+  private int    permission;
   private String permType;
   private String permOrder;
-            bojilova
+  private String publicAcc;
-            bojilova
+  private String beginTime;
   private String endTime;
   private int    ticketCount;
-            bojilova
+  private int    serverCode = 1;
             bojilova
-            bojilova
+  /**
    * Construct an instance of the AccessControlList class.
-            bojilova
+   * It is used by the permission check up from DBQuery or DocumentImpl
    * and from "getaccesscontrol" action
             bojilova
-            bojilova
+   * @param conn the JDBC connection where acl info is get
-            bojilova
+   */
-            bojilova
+  public AccessControlList(Connection conn) throws SQLException
             bojilova
-            bojilova
+    this.conn = conn;
             bojilova
   /**
    * Construct an instance of the AccessControlList class.
-            bojilova
+   * It parse acl file and loads acl data into db connection.
+   *
    * @param conn the JDBC connection where acl data are loaded
-            bojilova
+   * @param aclid the Accession# of the document with the acl data
-            bojilova
+   * @param acl the acl file containing acl data
-            bojilova
+   * @param user the user connected to MetaCat servlet and owns the document
    * @param group the group to which user belongs
    * @param serverCode the serverid from xml_replication on which this document
    *        resides.
-            bojilova
+   */
-            bojilova
+  public AccessControlList(Connection conn, String aclid, Reader acl,
-            bojilova
+                           String user, String group, int serverCode)
-            bojilova
+                  throws SAXException, IOException, ClassNotFoundException
+  {
     // Get an instance of the parser
     MetaCatUtil util = new MetaCatUtil();
     String parserName = util.getOption("saxparser");
-            bojilova
+    this.server = util.getOption("server");
             bojilova
     this.conn = conn;
     this.parserName = parserName;
-            bojilova
+    this.processingDTD = false;
-            bojilova
+    this.elementStack = new Stack();
-            bojilova
+    this.user = user;
     this.group = group;
-            bojilova
+    this.aclid = aclid;
-            bojilova
+    this.resourceURL = new Vector();
     this.resourceID = new Vector();
-            bojilova
+    this.principal = new Vector();
-            bojilova
+    this.permission = 0;
     this.ticketCount = 0;
-            bojilova
+    this.publicAcc = null;
-            bojilova
+    this.serverCode = serverCode;
             bojilova
-            bojilova
+    // Initialize the parser and read the queryspec
     XMLReader parser = initializeParser();
     parser.parse(new InputSource(acl));
+  }
-            bojilova
+  /**
    * Construct an instance of the AccessControlList class.
-            bojilova
+   * It parses eml-access file and loads acl data into db connection.
    * It is used from command line execution.
             bojilova
    * @param conn the JDBC connection where acl data are loaded
    * @param docid the Accession# of the document with the acl data
    * @param aclfilename the name of acl file containing acl data
-            bojilova
+   * @param user the user connected to MetaCat servlet and owns the document
    * @param group the group to which user belongs
-            bojilova
+   */
-            bojilova
+  public AccessControlList( Connection conn, String aclid, String aclfilename,
                            String user, String group )
-            bojilova
+                  throws SAXException, IOException, ClassNotFoundException
+  {
-            bojilova
+    this(conn, aclid, new FileReader(new File(aclfilename).toString()),
-            bojilova
+         user, group, 1);
             bojilova
             bojilova
-            bojilova
+  /* Set up the SAX parser for reading the XML serialized ACL */
-            bojilova
+  private XMLReader initializeParser() throws SAXException
+  {
     XMLReader parser = null;
     // Get an instance of the parser
     parser = XMLReaderFactory.createXMLReader(parserName);
-            bojilova
+    // Turn off validation
-            bojilova
+    parser.setFeature("http://xml.org/sax/features/validation", true);
             bojilova
     // Set Handlers in the parser
-            bojilova
+    // Set the ContentHandler to this instance
-            bojilova
+    parser.setContentHandler((ContentHandler)this);
             bojilova
-            bojilova
+    // make a DBEntityResolver instance
     // Set the EntityReslover to DBEntityResolver instance
     EntityResolver eresolver = new DBEntityResolver(conn,this,null);
     parser.setEntityResolver((EntityResolver)eresolver);
-            bojilova
+    // Set the ErrorHandler to this instance
-            bojilova
+    parser.setErrorHandler((ErrorHandler)this);
             bojilova
     return parser;
+  }
   /**
-            bojilova
+   * Callback method used by the SAX Parser when beginning of the document
-            bojilova
+   */
   public void startDocument() throws SAXException
+  {
     //delete all previously submitted permissions @ relations
     //this happens only on UPDATE of the access file
     try {
       if ( aclid != null ) {
         //first delete all permissions for resources related to @aclid if any
         deletePermissionsForRelatedResources(aclid);
         //then delete all relations with docid of @aclid if any
         deleteRelations(aclid);
+      }
     } catch (SQLException sqle) {
       throw new SAXException(sqle);
+    }
+  }
   /**
-            bojilova
+   * Callback method used by the SAX Parser when the start tag of an
-            bojilova
+   * element is detected. Used in this context to parse and store
    * the acl information in class variables.
    */
   public void startElement (String uri, String localName,
                             String qName, Attributes atts)
          throws SAXException
+  {
     BasicNode currentNode = new BasicNode(localName);
     if (atts != null) {
       int len = atts.getLength();
       for (int i = 0; i < len; i++) {
         currentNode.setAttribute(atts.getLocalName(i), atts.getValue(i));
+      }
+    }
-            bojilova
+    if ( currentNode.getTagName().equals("resource") ) {
       permOrder = currentNode.getAttribute("order");
-            bojilova
+      publicAcc = currentNode.getAttribute("public");
             bojilova
-            bojilova
+    elementStack.push(currentNode);
+  }
   /**
-            bojilova
+   * Callback method used by the SAX Parser when the text sequences of an
-            bojilova
+   * xml stream are detected. Used in this context to parse and store
    * the acl information in class variables.
    */
   public void characters(char ch[], int start, int length)
          throws SAXException
+  {
     String inputString = new String(ch, start, length);
     BasicNode currentNode = (BasicNode)elementStack.peek();
     String currentTag = currentNode.getTagName();
-            bojilova
+    if (currentTag.equals("resourceIdentifier")) {
             bojilova
-            bojilova
+      // docid of the current resource
       String docid = getDocid(inputString);
       // URL string of the current resource
       // docurl is declared in the class
       try {
         docurl = (new URL(inputString)).toString();
       } catch (MalformedURLException murle) {
         throw new SAXException(murle.getMessage());
+      }
       // collect them in Vector variables
       resourceID.addElement(docid);
       resourceURL.addElement(docurl);
             bojilova
       // if it is the local server (originator of the document),
       // check for permission for @user on resource is needed
-            bojilova
+      // @user must have permission "all" on it(docid)
-            bojilova
+      if ( serverCode == 1 ) {
         boolean hasPermission = false;
         try {
           hasPermission = hasPermission("ALL",user,docid);
           if ( !hasPermission && group != null ) {
             hasPermission = hasPermission("ALL",group,docid);
+          }
         } catch (SQLException e) {
           throw new SAXException(e.getMessage());
             bojilova
-            bojilova
+        if ( !hasPermission ) {
           throw new SAXException(
           "Permission denied for setting access control on " + docid);
+        }
             bojilova
-            bojilova
+      // end of check for "all" perm on docid
             bojilova
-            bojilova
+    } else if (currentTag.equals("principal")) {
             bojilova
-            bojilova
+      principal.addElement(inputString);
             bojilova
-            bojilova
+    } else if (currentTag.equals("permission")) {
             bojilova
-            bojilova
+      if ( inputString.trim().toUpperCase().equals("READ") ) {
         permission = permission | READ;
       } else if ( inputString.trim().toUpperCase().equals("WRITE") ) {
         permission = permission | WRITE;
       } else if ( inputString.trim().toUpperCase().equals("ALL") ) {
         permission = permission | ALL;
-            bojilova
+      } else {
         throw new SAXException("Unknown permission type: " + inputString);
             bojilova
             bojilova
-            bojilova
+    } else if (currentTag.equals("duration") &&
-            bojilova
+               beginTime == null && endTime == null ) {
-            bojilova
+      try {
-            bojilova
+        beginTime = inputString.substring(0, inputString.indexOf(" "));
         endTime = inputString.substring(inputString.indexOf(" ")+1);
-            bojilova
+      } catch (StringIndexOutOfBoundsException se) {
-            bojilova
+        beginTime = inputString;
             bojilova
             bojilova
-            bojilova
+    } else if (currentTag.equals("ticketCount") && ticketCount == 0 ) {
-            bojilova
+      try {
         ticketCount = (new Integer(inputString.trim())).intValue();
       } catch (NumberFormatException nfe) {
         throw new SAXException("Wrong integer format for:" + inputString);
+      }
             bojilova
+  }
   /**
-            bojilova
+   * Callback method used by the SAX Parser when the end tag of an
-            bojilova
+   * element is detected. Used in this context to parse and store
    * the acl information in class variables.
    */
   public void endElement (String uri, String localName, String qName)
          throws SAXException
+  {
-            bojilova
+    BasicNode leaving = (BasicNode)elementStack.pop();
     String leavingTagName = leaving.getTagName();
     if ( leavingTagName.equals("resourceIdentifier") ) {
             bojilova
-            bojilova
+      try {
-            bojilova
+        // make a relationship for @aclid on the current resource(docurl)
-            bojilova
+        if ( aclid != null ) {
-            bojilova
+          insertRelation(aclid, docurl);
             bojilova
       } catch (SQLException sqle) {
         throw new SAXException(sqle);
+      }
-            bojilova
+    } else if ( leavingTagName.equals("allow") ||
                 leavingTagName.equals("deny")    ) {
             bojilova
-            bojilova
+      if ( permission > 0 ) {
             bojilova
-            bojilova
+        // insert into db calculated permission for the list of principals
         try {
-            bojilova
+          insertPermissions(leavingTagName);
-            bojilova
+        } catch (SQLException sqle) {
           throw new SAXException(sqle);
+        }
+      }
-            bojilova
+      // reset the allow/deny permission
-            bojilova
+      principal = new Vector();
-            bojilova
+      permission = 0;
-            bojilova
+      beginTime = null;
       endTime = null;
       ticketCount = 0;
             bojilova
-            bojilova
+    } else if ( leavingTagName.equals("resource") ) {
             bojilova
-            bojilova
+      // update public access for the list of resources
       if ( publicAcc != null ) {
-            bojilova
+        try {
-            bojilova
+          updatePublicAccess(publicAcc);
-            bojilova
+        } catch (SQLException sqle) {
           throw new SAXException(sqle);
             bojilova
+      }
             bojilova
       // reset the resource
-            bojilova
+      resourceID = new Vector();
       resourceURL = new Vector();
-            bojilova
+      permOrder = null;
-            bojilova
+      publicAcc = null;
             bojilova
             bojilova
+  }
             bojilova
-            bojilova
+  /**
     * SAX Handler that receives notification of DOCTYPE. Sets the DTD.
     * @param name name of the DTD
     * @param publicId Public Identifier of the DTD
     * @param systemId System Identifier of the DTD
     */
-            bojilova
+  public void startDTD(String name, String publicId, String systemId)
               throws SAXException {
     docname = name;
     doctype = publicId;
     systemid = systemId;
 //    processingDTD = true;
+  }
   /**
-            bojilova
+   * SAX Handler that receives notification of the start of entities.
    * @param name name of the entity
-            bojilova
+   */
   public void startEntity(String name) throws SAXException {
     if (name.equals("[dtd]")) {
       processingDTD = true;
+    }
+  }
   /**
-            bojilova
+   * SAX Handler that receives notification of the end of entities.
    * @param name name of the entity
-            bojilova
+   */
   public void endEntity(String name) throws SAXException {
     if (name.equals("[dtd]")) {
       processingDTD = false;
+    }
+  }
   /**
-            bojilova
+   * Get the document name.
-            bojilova
+   */
   public String getDocname() {
     return docname;
+  }
   /**
-            bojilova
+   * Get the document processing state.
-            bojilova
+   */
   public boolean processingDTD() {
     return processingDTD;
+  }
-            bojilova
+  /* Delete from db all permission for resources related to @aclid if any.*/
-            bojilova
+  private void deletePermissionsForRelatedResources(String aclid)
-            bojilova
+          throws SQLException
+  {
-            bojilova
+    // delete all acl records for resources related to @aclid if any
-            bojilova
+    Statement stmt = conn.createStatement();
-            bojilova
+    stmt.execute("DELETE FROM xml_access WHERE accessfileid = '" + aclid + "'");
-            bojilova
+    stmt.close();
+  }
-            bojilova
+  /* Delete all of the relations with a docid of @docid from db connection.*/
   private void deleteRelations(String docid)
-            bojilova
+          throws SQLException
+  {
-            bojilova
+    Statement stmt = conn.createStatement();
     stmt.execute("DELETE FROM xml_relation WHERE docid='" + docid + "'");
     stmt.close();
+  }
-            bojilova
+  /* Insert relationship for @aclid on @resourceURL into db connection.*/
-            bojilova
+  private void insertRelation(String aclid, String resourceURL)
           throws SQLException
+  {
     String aclURL = "metacat://" + server + "/?docid=" + aclid;
             bojilova
     // insert relationship
     PreparedStatement pstmt;
     pstmt = conn.prepareStatement(
             "INSERT INTO xml_relation (docid,subject,relationship,object) " +
             "VALUES (?, ?, ?, ?)");
     pstmt.setString(1, aclid);
     pstmt.setString(2, aclURL);
     pstmt.setString(3, "isaclfor");
     pstmt.setString(4, resourceURL);
     pstmt.execute();
     pstmt.close();
+  }
-            bojilova
+  /* Insert into db calculated permission for the list of principals */
-            bojilova
+  private void insertPermissions( String permType )
-            bojilova
+          throws SQLException
+  {
-            bojilova
+    PreparedStatement pstmt;
             bojilova
-            bojilova
+    try {
       pstmt = conn.prepareStatement(
               "INSERT INTO xml_access " +
-            bojilova
+              "(docid, principal_name, permission, perm_type, perm_order," +
               "begin_time,end_time,ticket_count, accessfileid) VALUES " +
               "(?,?,?,?,?,to_date(?,'mm/dd/yy'),to_date(?,'mm/dd/yy'),?,?)");
-            bojilova
+      // Bind the values to the query
-            bojilova
+      pstmt.setInt(3, permission);
       pstmt.setString(4, permType);
       pstmt.setString(5, permOrder);
       pstmt.setString(6, beginTime);
       pstmt.setString(7, endTime);
-            bojilova
+      pstmt.setString(9, aclid);
-            bojilova
+      if ( ticketCount > 0 ) {
         pstmt.setString(8, "" + ticketCount);
       } else {
-            bojilova
+        pstmt.setString(8, "");
             bojilova
-            bojilova
+      String docid;
       String prName;
-            bojilova
+      for ( int i = 0; i < resourceID.size(); i++ ) {
-            bojilova
+        docid = (String)resourceID.elementAt(i);
         pstmt.setString(1, docid);
-            bojilova
+        for ( int j = 0; j < principal.size(); j++ ) {
-            bojilova
+          prName = (String)principal.elementAt(j);
           pstmt.setString(2, prName);
-            bojilova
+          pstmt.execute();
             bojilova
           // check if there are conflict with permission's order
           String permOrderOpos = permOrder;
           int perm = getPermissions(permission, prName, docid, permOrder);
           if (  perm != 0 ) {
             if ( permOrder.equals("allowFirst") ) {
               permOrderOpos = "denyFirst";
             } else if ( permOrder.equals("denyFirst") ) {
               permOrderOpos = "allowFirst";
+            }
             throw new SQLException("Permission(s) " + txtValue(perm) +
                       " for \"" + prName + "\" on document #" + docid +
                       " has/have been used with \"" + permOrderOpos + "\"");
+          }
             bojilova
             bojilova
-            bojilova
+      pstmt.close();
             bojilova
-            bojilova
+    } catch (SQLException e) {
       throw new
       SQLException("AccessControlList.insertPermissions(): " + e.getMessage());
             bojilova
+  }
-            bojilova
+  /* Update into db public "read" access for the list of resources. */
-            bojilova
+  private void updatePublicAccess(String publicAcc)
           throws SQLException
+  {
     try {
       PreparedStatement pstmt;
       pstmt = conn.prepareStatement(
               "UPDATE xml_documents SET public_access = ?" +
-            bojilova
+              " WHERE docid = ?");
-            bojilova
+      // Bind the values to the query
-            bojilova
+      if ( publicAcc == null ) {
         pstmt.setString(1, null);
       } else if ( publicAcc.toUpperCase().equals("YES") ) {
-            bojilova
+        pstmt.setInt(1, 1);
       } else {
         pstmt.setInt(1, 0);
+      }
       for ( int i = 0; i < resourceID.size(); i++ ) {
         pstmt.setString(2, (String)resourceID.elementAt(i));
         pstmt.execute();
+      }
-            berkley
+      pstmt.close();
             bojilova
     } catch (SQLException e) {
       throw new
       SQLException("AccessControlList.updatePublicAccess(): " + e.getMessage());
             bojilova
+  }
-            bojilova
+  /* Get permissions with permission order different than @permOrder. */
   private int getPermissions(int permission, String principal,
                              String docid, String permOrder)
           throws SQLException
+  {
     PreparedStatement pstmt;
     pstmt = conn.prepareStatement(
             "SELECT permission FROM xml_access " +
-            bojilova
+            "WHERE docid = ? " +
             "AND principal_name = ? " +
             "AND perm_order NOT = ?");
-            bojilova
+    pstmt.setString(1, docid);
     pstmt.setString(2, principal);
     pstmt.setString(3, permOrder);
     pstmt.execute();
     ResultSet rs = pstmt.getResultSet();
     boolean hasRow = rs.next();
     int perm = 0;
     while ( hasRow ) {
       perm = rs.getInt(1);
       perm = permission & perm;
       if ( perm != 0 ) {
         pstmt.close();
         return perm;
+      }
       hasRow = rs.next();
+    }
     pstmt.close();
     return 0;
+  }
   /* Get the int value of READ, WRITE or ALL. */
   private int intValue ( String permission )
+  {
     if ( permission.equals("READ") ) {
       return READ;
     } else if ( permission.equals("WRITE") ) {
       return WRITE;
     } else if ( permission.equals("ALL") ) {
       return ALL;
+    }
     return -1;
+  }
   /* Get the text value of READ, WRITE or ALL. */
   private String txtValue ( int permission )
+  {
     StringBuffer txtPerm = new StringBuffer("\"");
     if ( (permission & READ) != 0 ) {
       txtPerm.append("read");
+    }
     if ( (permission & WRITE) != 0 ) {
       if ( txtPerm.length() > 0 ) txtPerm.append(",");
       txtPerm.append("write");
+    }
     if ( (permission & ALL) != 0 ) {
       if ( txtPerm.length() > 0 ) txtPerm.append(",");
       txtPerm.append("all");
+    }
     return txtPerm.append("\"").toString();
+  }
   /* Read docid from @url. */
   private String getDocid ( String url ) throws SAXException
+  {
     MetaCatUtil util = new MetaCatUtil();
     try {
       URL urlobj = new URL(url);
       Hashtable urlParams = util.parseQuery(urlobj.getQuery());
       if ( urlParams.containsKey("docid") ) {
         return (String)urlParams.get("docid"); // return the docid value
       } else {
         throw new
         SAXException("\"docid\" not specified within " + url);
+      }
     } catch (MalformedURLException e) {
       throw new SAXException(e.getMessage());
+    }
+  }
   /**
     * Check from db connection if @principal has @permission on @resourceID.
     * @param permission permission type to check for
     * @param principal name of principal to check for @permission
     * @param resourceID resource identifier to check on
     */
-            bojilova
+  public boolean hasPermission ( String permission,
-            bojilova
+                                 String principal, String resourceID )
-            bojilova
+                 throws SQLException
+  {
     PreparedStatement pstmt;
-            bojilova
+    // check public access to @resourceID from xml_documents table
-            bojilova
+    if ( permission.equals("READ") ) {
       try {
-            bojilova
+        pstmt = conn.prepareStatement(
-            bojilova
+                "SELECT 'x' FROM xml_documents " +
-            bojilova
+                "WHERE docid = ? AND public_access = 1");
-            bojilova
+        // Bind the values to the query
-            bojilova
+        pstmt.setString(1, resourceID);
             bojilova
-            bojilova
+        pstmt.execute();
-            bojilova
+        ResultSet rs = pstmt.getResultSet();
         boolean hasRow = rs.next();
         pstmt.close();
         if (hasRow) {
           return true;
+        }
 //System.out.println("Passed the check for public access");
       } catch (SQLException e) {
         throw new
-            bojilova
+        SQLException("AccessControlList.hasPermission(). " +
                      "Error checking public access for document #"+resourceID+
                      ". " + e.getMessage());
             bojilova
             bojilova
     // since owner of resource has all permission on it,
-            bojilova
+    // check if @principal is owner of @resourceID in xml_documents table
-            bojilova
+    if ( principal != null ) {
       try {
-            bojilova
+        pstmt = conn.prepareStatement(
-            bojilova
+                "SELECT 'x' FROM xml_documents " +
-            bojilova
+                "WHERE docid = ? AND user_owner = ?");
-            bojilova
+        // Bind the values to the query
-            bojilova
+        pstmt.setString(1, resourceID);
-            bojilova
+        pstmt.setString(2, principal);
             bojilova
-            bojilova
+        pstmt.execute();
         ResultSet rs = pstmt.getResultSet();
         boolean hasRow = rs.next();
         pstmt.close();
         if (hasRow) {
           return true;
             bojilova
-            bojilova
+//System.out.println("Passed the check for ownership");
       } catch (SQLException e) {
         throw new
-            bojilova
+        SQLException("AccessControlList.hasPermission(). " +
                      "Error checking ownership for " + principal +
                      " on document #" + resourceID + ". " + e.getMessage());
             bojilova
-            bojilova
+      // check @principal's @permission on @resourceID from xml_access table
-            bojilova
+      int accessValue = 0;
       int ticketCount = 0;
       String permOrder = "";
       try {
-            bojilova
+        pstmt = conn.prepareStatement(
-            bojilova
+                "SELECT permission, perm_order, ticket_count " +
                 "FROM xml_access " +
-            bojilova
+                "WHERE docid = ? " +
                 "AND principal_name = ? " +
                 "AND perm_type = ? " +
-            bojilova
+                "AND " + sysdate +
                 " BETWEEN " + isnull + "(begin_time," + sysdate + ") " +
                      "AND " + isnull + "(end_time," + sysdate + ")");
-            bojilova
+        // check if it is "deny" with "allowFirst" first
-            bojilova
+        // Bind the values to the query
-            bojilova
+        pstmt.setString(1, resourceID);
-            bojilova
+        pstmt.setString(2, principal);
-            bojilova
+        pstmt.setString(3, "deny");
             bojilova
         pstmt.execute();
         ResultSet rs = pstmt.getResultSet();
         boolean hasRows = rs.next();
         while ( hasRows ) {
           accessValue = rs.getInt(1);
           permOrder = rs.getString(2);
           ticketCount = rs.getInt(3);
           if ( ( accessValue & intValue(permission) ) == intValue(permission) &&
-            bojilova
+               ( permOrder.equals("allowFirst") ) &&
-            bojilova
+               ( rs.wasNull() || ticketCount > 0 ) ) {
             if ( !rs.wasNull() && ticketCount > 0 ) {
-            bojilova
+              decreaseNumberOfAccess(accessValue,principal,resourceID,"deny","allowFirst");
             bojilova
             pstmt.close();
             return false;
+          }
           hasRows = rs.next();
             bojilova
-            bojilova
+//System.out.println("Passed the check for \"deny\" access with \"allowFirst\"");
             bojilova
-            bojilova
+        // it is not denied then check if it is "allow"
-            bojilova
+        // Bind the values to the query
-            bojilova
+        pstmt.setString(1, resourceID);
-            bojilova
+        pstmt.setString(2, principal);
-            bojilova
+        pstmt.setString(3, "allow");
             bojilova
-            bojilova
+        pstmt.execute();
-            bojilova
+        rs = pstmt.getResultSet();
         hasRows = rs.next();
         while ( hasRows ) {
           accessValue = rs.getInt(1);
-            bojilova
+          permOrder = rs.getString(2);
-            bojilova
+          ticketCount = rs.getInt(3);
           if ( ( accessValue & intValue(permission) )==intValue(permission) &&
                ( rs.wasNull() || ticketCount > 0 ) ) {
             if ( !rs.wasNull() && ticketCount > 0 ) {
-            bojilova
+              decreaseNumberOfAccess(accessValue,principal,resourceID,"allow",permOrder);
             bojilova
             pstmt.close();
             return true;
+          }
           hasRows = rs.next();
+        }
-            bojilova
+//System.out.println("Passed the check for \"allow\" access");
             bojilova
-            bojilova
+        // it is not allowed then check if it is "deny" with "denyFirst"
         // Bind the values to the query
         pstmt.setString(1, resourceID);
         pstmt.setString(2, principal);
         pstmt.setString(3, "deny");
         pstmt.execute();
         rs = pstmt.getResultSet();
         hasRows = rs.next();
         while ( hasRows ) {
           accessValue = rs.getInt(1);
           permOrder = rs.getString(2);
           ticketCount = rs.getInt(3);
           if ( ( accessValue & intValue(permission) ) == intValue(permission) &&
                ( permOrder.equals("denyFirst") ) &&
                ( rs.wasNull() || ticketCount > 0 ) ) {
             if ( !rs.wasNull() && ticketCount > 0 ) {
               decreaseNumberOfAccess(accessValue,principal,resourceID,"deny","denyFirst");
+            }
             pstmt.close();
             return false;
+          }
           hasRows = rs.next();
+        }
 //System.out.println("Passed the check for \"deny\" access wirh \"denyFirst\"");
             bojilova
         pstmt.close();
         return false;
       } catch (SQLException e) {
         throw new
-            bojilova
+        SQLException("AccessControlList.hasPermission(). " +
                      "Error checking " + permission + " permission for " +
                      principal + " on document #" + resourceID + ". " +
                      e.getMessage());
             bojilova
             bojilova
     return false;
+  }
             bojilova
-            bojilova
+  /* Decrease the number of access to @resourceID for @principal in db. */
-            bojilova
+  private void decreaseNumberOfAccess(int permission, String principal,
-            bojilova
+                                      String resourceID, String permType,
                                       String permOrder)
-            bojilova
+               throws SQLException
+  {
     PreparedStatement pstmt;
     pstmt = conn.prepareStatement(
             "UPDATE xml_access SET ticket_count = ticket_count - 1 " +
-            bojilova
+            "WHERE docid = ? " +
             "AND principal_name = ? " +
             "AND permission = ? " +
             "AND perm_type = ? " +
             "AND perm_order = ? " +
-            bojilova
+            "AND " + sysdate +
             " BETWEEN " + isnull + "(begin_time," + sysdate + ") " +
                  "AND " + isnull + "(end_time," + sysdate + ")");
-            bojilova
+    // Bind the values to the query
-            bojilova
+    pstmt.setString(1, resourceID);
-            bojilova
+    pstmt.setString(2, principal);
     pstmt.setInt(3, permission);
     pstmt.setString(4, permType);
-            bojilova
+    pstmt.setString(5, permOrder);
             bojilova
     pstmt.execute();
     pstmt.close();
+  }
             bojilova
   /**
     * Get Access Control List information for document from db connetion.
     * User or Group should have permissions for reading
     * access control information for a document specified by @docid.
     * @param docid document identifier which acl info to get
     * @param user name of user connected to Metacat system
     * @param group name of user's group to which user belongs
     */
   public String getACL(String docid, String user, String group)
           throws SQLException
             bojilova
-            bojilova
+    StringBuffer output = new StringBuffer();
     StringBuffer outTemp = new StringBuffer();
     MetaCatUtil util = new MetaCatUtil();
     String accDoctype = util.getOption("accessdoctype");
     String server = util.getOption("server");
     String docurl = "metacat://" + server + "/?docid=" + docid;
     String systemID;
     boolean isOwned = false;
     boolean hasPermission = false;
     String publicAcc;
             bojilova
-            bojilova
+    String acfid = "";
     String acfid_prev = "";
     String principal;
     Vector principalArr = new Vector();
     int permission;
     int perm_prev = -1;
     String permType;
     String permOrder = "";
     String permOrder_prev = "";
     String beginTime = "";
     String begin_prev = "";
     String endTime = "";
     String end_prev = "";
     int ticketCount = -1;
     int ticket_prev = -1;
-            bojilova
+    try {
             bojilova
       isOwned = isOwned(docid, user);
       systemID = getSystemID(accDoctype);
       publicAcc = getPublicAccess(docid);
       output.append("<?xml version=\"1.0\"?>\n");
       output.append("<!DOCTYPE acl PUBLIC \"" + accDoctype + "\" \"" +
                     systemID + "\">\n");
       output.append("<acl authSystem=\"\">\n");
       PreparedStatement pstmt;
       pstmt = conn.prepareStatement(
               "SELECT distinct accessfileid, principal_name, permission, " +
               "perm_type, perm_order, to_char(begin_time,'mm/dd/yyyy'), " +
               "to_char(end_time,'mm/dd/yyyy'), ticket_count " +
-            bojilova
+              "FROM xml_access WHERE docid = ? " +
-            bojilova
+              "ORDER BY accessfileid, perm_order, perm_type, permission");
       // Bind the values to the query
       pstmt.setString(1, docid);
       pstmt.execute();
       ResultSet rs = pstmt.getResultSet();
       boolean hasRows = rs.next();
       while (hasRows) {
         acfid = rs.getString(1);
         principal = rs.getString(2);
         permission = rs.getInt(3);
         permType = rs.getString(4);
         permOrder = rs.getString(5);
         beginTime = rs.getString(6);
         endTime = rs.getString(7);
         ticketCount = rs.getInt(8);
         // if @docid is not owned by @user, only ACL info from that
         // access files to which @user/@group has "read" permission
         // is extracted
         if ( !isOwned ) {
           if ( !acfid.equals(acfid_prev) ) {
             acfid_prev = acfid;
             hasPermission = hasPermission("READ",user,acfid);
             if ( !hasPermission && group != null ) {
               hasPermission = hasPermission("READ",group,acfid);
+            }
+          }
           if ( !hasPermission ) {
             rs.next();
             continue;
+          }
+        }
         // open <resource> tag
         if ( !permOrder.equals(permOrder_prev) ) {
           // close </resource> tag if any was opened
           output.append(outTemp.toString());
           outTemp = new StringBuffer();
           if ( !permOrder_prev.equals("") ) {
             output.append("  </resource>\n");
+          }
           output.append("  <resource order=\"" + permOrder + "\" public=\"" +
                         publicAcc + "\">\n");
           output.append("    <resourceIdentifier>" + docurl +
                         "</resourceIdentifier>\n");
           permOrder_prev = permOrder;
+        }
         // close </allow> or </deny> tag then open new one
         if ( permission != perm_prev ||
              (endTime == null) && (end_prev != null) ||
              (beginTime == null) && (begin_prev != null) ||
              endTime != null && !endTime.equals(end_prev)  ||
              beginTime != null && !beginTime.equals(begin_prev) ||
              ticketCount != ticket_prev )  {
           output.append(outTemp.toString());
           outTemp = new StringBuffer();
           principalArr.removeAllElements();
           output.append("    <" + permType + ">\n");
+        }
         // put all principals here for the same
         // permission, duration and ticket_count
         if ( !principalArr.contains(principal) ) {
           principalArr.addElement(principal);
           output.append("      <principal>" + principal + "</principal>\n");
+        }
         // prepare <permission> tags, <duration> and <ticketCount>
         // if any to put within <allow> (<deny>) by next cicle
         if ( permission != perm_prev ||
              (endTime == null) && (end_prev != null) ||
              (beginTime == null) && (begin_prev != null) ||
              endTime != null && !endTime.equals(end_prev)  ||
              beginTime != null && !beginTime.equals(begin_prev) ||
              ticketCount != ticket_prev )  {
           if ( (permission & READ) != 0 ) {
             outTemp.append("      <permission>read</permission>\n");
+          }
           if ( (permission & WRITE) != 0 ) {
             outTemp.append("      <permission>write</permission>\n");
+          }
           if ( (permission & ALL) != 0 ) {
             outTemp.append("      <permission>all</permission>\n");
+          }
           if ( (beginTime != null) || (endTime != null) ) {
             outTemp.append("      <duration>" + beginTime + " " + endTime +
                           "</duration>\n");
+          }
           if ( ticketCount > 0 ) {
             outTemp.append("      <ticketCount>" + ticketCount +
                           "</ticketCount>\n");
+          }
           outTemp.append("    </" + permType + ">\n");
           perm_prev = permission;
           ticket_prev = ticketCount;
           begin_prev = beginTime;
           end_prev = endTime;
+        }
         hasRows = rs.next();
             bojilova
             bojilova
       // close <allow> or <deny> if anything left in outTemp var
       output.append(outTemp.toString());
       // If there are no any acl info for @docid accessible by @user/@group,
       // extract only the following information
       if ( permOrder.equals("") ) {
         output.append("  <resource public=\"" + publicAcc + "\">\n");
         output.append("    <resourceIdentifier>" + docurl +
                       "</resourceIdentifier>\n");
+      }
       // always close them
       output.append("  </resource>\n");
       output.append("</acl>\n");
       pstmt.close();
       return output.toString();
     } catch (SQLException e) {
       throw new
       SQLException("AccessControlList.getACL(). " + e.getMessage());
             bojilova
             bojilova
   /* Check if @user is owner of @docid from db conn. */
   private boolean isOwned(String docid, String user) throws SQLException {
     PreparedStatement pstmt;
     pstmt = conn.prepareStatement("SELECT 'x' FROM xml_documents " +
-            bojilova
+                                  "WHERE docid = ? " +
                                   "AND user_owner = ?");
-            bojilova
+    pstmt.setString(1, docid);
     pstmt.setString(2, user);
     pstmt.execute();
     ResultSet rs = pstmt.getResultSet();
     boolean hasRow = rs.next();
     return hasRow;
+  }
             bojilova
-            bojilova
+  /* Get the flag for public "read" access for @docid from db conn. */
   private String getPublicAccess(String docid) throws SQLException {
     int publicAcc = 0;
     PreparedStatement pstmt;
     pstmt = conn.prepareStatement("SELECT public_access FROM xml_documents " +
-            bojilova
+                                  "WHERE docid = ?");
-            bojilova
+    pstmt.setString(1, docid);
     pstmt.execute();
     ResultSet rs = pstmt.getResultSet();
     boolean hasRow = rs.next();
     if ( hasRow ) {
       publicAcc = rs.getInt(1);
+    }
     return (publicAcc == 1) ? "yes" : "no";
+  }
   /* Get SystemID for @publicID from Metacat DB Catalog. */
   private String getSystemID(String publicID) throws SQLException {
     String systemID = "";
     PreparedStatement pstmt;
     pstmt = conn.prepareStatement("SELECT system_id FROM xml_catalog " +
                                   "WHERE entry_type = 'DTD' " +
-            bojilova
+                                  "AND public_id = ?");
-            bojilova
+    pstmt.setString(1, publicID);
     pstmt.execute();
     ResultSet rs = pstmt.getResultSet();
     boolean hasRow = rs.next();
     if ( hasRow ) {
       systemID = rs.getString(1);
+    }
     return systemID;
+  }
             bojilova

Project

General

Profile

Metacat