/src/edu/ucsb/nceas/metacat/PermissionController.java - Annotate - Metacat - Ecoinformatics Redmine

metacat/src/edu/ucsb/nceas/metacat/PermissionController.java @ 9988

-            tao
+/**
  *  '$RCSfile$'
  *    Purpose: A class that handles checking permssision for a document
-            sgarg
+               and subtree in a document
+ *
-            tao
+ *  Copyright: 2000 Regents of the University of California and the
  *             National Center for Ecological Analysis and Synthesis
  *    Authors: Chad Berkley
+ *
  *   '$Author$'
  *     '$Date$'
  * '$Revision$'
+ *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation; either version 2 of the License, or
  * (at your option) any later version.
+ *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU General Public License for more details.
+ *
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  */
 package edu.ucsb.nceas.metacat;
             sgarg
-            leinfelder
+import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
-            leinfelder
+import java.util.Arrays;
-            tao
+import java.util.Enumeration;
-            tao
+import java.util.Hashtable;
-            tao
+import java.util.Vector;
-            sgarg
+import org.apache.log4j.Logger;
-            leinfelder
+import org.dataone.service.types.v1.Identifier;
 import org.dataone.service.types.v1.Permission;
 import org.dataone.service.types.v1.Session;
 import org.dataone.service.types.v1.Subject;
-            leinfelder
+import org.dataone.service.types.v2.SystemMetadata;
             sgarg
-            daigle
+import edu.ucsb.nceas.metacat.accesscontrol.AccessControlList;
-            daigle
+import edu.ucsb.nceas.metacat.database.DBConnection;
 import edu.ucsb.nceas.metacat.database.DBConnectionPool;
-            leinfelder
+import edu.ucsb.nceas.metacat.dataone.D1NodeService;
-            leinfelder
+import edu.ucsb.nceas.metacat.dataone.hazelcast.HazelcastService;
-            daigle
+import edu.ucsb.nceas.metacat.properties.PropertyService;
-            daigle
+import edu.ucsb.nceas.metacat.service.SessionService;
-            leinfelder
+import edu.ucsb.nceas.metacat.shared.MetacatUtilException;
-            leinfelder
+import edu.ucsb.nceas.metacat.util.AuthUtil;
-            daigle
+import edu.ucsb.nceas.metacat.util.DocumentUtil;
-            daigle
+import edu.ucsb.nceas.metacat.util.MetacatUtil;
-            daigle
+import edu.ucsb.nceas.metacat.util.SessionData;
-            daigle
+import edu.ucsb.nceas.utilities.PropertyNotFoundException;
-            leinfelder
+import edu.ucsb.nceas.utilities.access.AccessControlInterface;
             daigle
-            tao
+public class PermissionController
+{
-            leinfelder
+//   private String docId = null;
 //   private int rev = -1;
    private String guid = null;
-            tao
+   private boolean hasSubTreeAccessControl = false; // flag if has a subtree
                                                     // access for this docid
-            daigle
+   private Vector subTreeList = new Vector();
             sgarg
-            daigle
+   private static final long TOPLEVELSTARTNODEID = 0; //if start node is 0, means it is top
-            tao
+                                         //level document
             sgarg
-            sgarg
+   private static Logger logMetacat = Logger.getLogger(PermissionController.class);
             sgarg
-            tao
+   /**
-            leinfelder
+	 * Constructor for PermissionController
+	 *
 	 * @param myDocid the docid need to access
 	 */
 	public PermissionController(String myDocid) throws McdbException {
             sgarg
-            leinfelder
+		// find the guid if we can
 		String docId = null;
 		int rev = -1;
             sgarg
-            leinfelder
+		// get the parts
 		docId = DocumentUtil.getSmartDocId(myDocid);
 		rev = DocumentUtil.getRevisionFromAccessionNumber(myDocid);
 		// this is what we really want
 		guid = IdentifierManager.getInstance().getGUID(docId, rev);
+	}
-            sgarg
+   /**
-            tao
+    * Return if a document has subtree access control
     */
    public boolean hasSubTreeAccessControl()
+   {
      return hasSubTreeAccessControl;
+   }
             sgarg
-            daigle
+   public boolean hasPermission(String sessionId, String myPermission) throws SQLException {
-            berkley
+       SessionData sessionData = null;
        sessionData = SessionService.getInstance().getRegisteredSession(sessionId);
        if (sessionData == null) {
            return false;
+       }
             daigle
 	   return hasPermission(sessionData.getUserName(), sessionData.getGroupNames(), myPermission);
+   }
             sgarg
-            tao
+  /**
     * Check from db connection if at least one of the list of @principals
-            leinfelder
+    * Administrators are allowed all permission
-            tao
+    * @param user  the user name
     * @param groups  the groups which the use is in
     * @param myPermission  permission type to check for
     */
-            sgarg
+  public boolean hasPermission(String user, String[]groups, String myPermission)
-            daigle
+                              throws SQLException //, Exception
             tao
     boolean hasPermission=false;
     String [] userPackage=null;
-            berkley
+    int permission = AccessControlList.intValue(myPermission);
             sgarg
-            leinfelder
+    //for the command line invocation and replication
-            tao
+    if ((user==null) && (groups==null || groups.length==0))
+    {
       return true;
+    }
             leinfelder
     // for administrators
     //see http://bugzilla.ecoinformatics.org/show_bug.cgi?id=4728
     try {
 		if (AuthUtil.isAdministrator(user, groups)) {
 			return true;
+		}
 	} catch (MetacatUtilException e) {
 		// not much we can do here, except treat them as normal
 		logMetacat.warn("Error checking for administrator: " + e.getMessage(), e);
+	}
             leinfelder
     // for DataONE rightsHolder permission
     boolean isOwner = false;
     try {
 		Session userSession = new Session();
 		Subject subject = new Subject();
 		subject.setValue(user);
 		userSession.setSubject(subject);
 		Identifier pid = new Identifier();
 		pid.setValue(guid);
-            leinfelder
+		//isOwner = D1NodeService.userHasPermission(userSession, pid, Permission.CHANGE_PERMISSION);
 		SystemMetadata sysMeta = HazelcastService.getInstance().getSystemMetadataMap().get(pid);
 		isOwner = (sysMeta.getRightsHolder().equals(subject));
-            leinfelder
+    } catch (Exception e) {
 		logMetacat.warn("Error checking for DataONE permissions: " + e.getMessage(), e);
 		isOwner = false;
+    }
     if (isOwner) {
     	return true;
+    }
             sgarg
-            leinfelder
+    logMetacat.debug("Checking permission on " + this.guid + " for user: " + user + " and groups: " + Arrays.toString(groups));
-            tao
+    //create a userpackage including user, public and group member
     userPackage=createUsersPackage(user, groups);
             sgarg
-            tao
+    //if the requested document is access documents and requested permission
     //is "write", the user should have "all" right
             sgarg
-            leinfelder
+    if (isAccessDocument() && (permission == AccessControlInterface.WRITE))
             tao
             sgarg
-            leinfelder
+      hasPermission = hasPermission(userPackage, 7);// 7 is all permission
-            tao
+    }//if
     else //in other situation, just check the request permission
+    {
       // Check for @permission on @docid for @user and/or @groups
-            leinfelder
+      hasPermission = hasPermission(userPackage, permission);
-            tao
+    }//else
             sgarg
-            tao
+    return hasPermission;
+  }
             sgarg
-            tao
+  /**
     * Check from db connection if the users in String array @principals has
-            sgarg
+    * @permission on @docid*
-            tao
+    * @param principals, names in userPakcage need to check for @permission
     * @param docid, document identifier to check on
-            sgarg
+    * @param permission, permission (write or all...) to check for
-            tao
+    */
-            leinfelder
+  private boolean hasPermission(String [] principals, int permission)
-            tao
+                         throws SQLException
+  {
-            tao
+    long startId = TOPLEVELSTARTNODEID;// this is for top level, so startid is 0
-            sgarg
+    try
             tao
       //first, if there is a docid owner in user package, return true
-            sgarg
+      //because doc owner has all permssion
-            leinfelder
+      if (containDocumentOwner(principals))
             tao
             sgarg
-            tao
+          return true;
+      }
             sgarg
-            tao
+      //If there is no owner in user package, checking the table
       //check perm_order
-            leinfelder
+      if (isAllowFirst(principals, startId))
             tao
             sgarg
-            leinfelder
+        if (hasExplicitDenyRule(principals, permission, startId))
             tao
           //if it is allowfirst and has deny rule(either explicit )
           //deny access
             sgarg
-            tao
+          return false;
         }//if
-            leinfelder
+        else if ( hasAllowRule(principals, permission, startId))
             tao
           //if it is allowfirst and hasn't deny rule and has allow rule
           //allow access
             sgarg
-            tao
+          return true;
         }//else if
         else
+        {
           //other situation deny access
             sgarg
-            tao
+          return false;
         }//else
      }//if isAllowFirst
      else //denyFirst
+     {
-            leinfelder
+       if (hasAllowRule(principals, permission, startId))
             tao
          //if it is denyFirst and has allow rule, allow access
          return true;
+       }
        else
+       {
          //if it is denyfirst but no allow rule, deny access
          return false;
+       }
      }//else denyfirst
     }//try
     catch (Exception e)
+    {
-            daigle
+      logMetacat.warn("PermissionController.hasPermission - There is a exception in hasPermission method: "
-            sgarg
+                         +e.getMessage());
             tao
             sgarg
-            tao
+    return false;
   }//hasPermission
             sgarg
-            tao
+  /**
-            sgarg
+   *  Method to check if a person has permission to a inline data file
    * @param user String
    * @param groups String[]
    * @param myPermission String
    * @param inlineDataId String
    * @throws McdbException
    * @return boolean
    */
   private boolean hasPermissionForInlineData(String user, String[] groups,
                                       String myPermission, String inlineDataId)
-            jones
+      throws McdbException
             sgarg
      // this method can call the public method - hasPermission(...)
      // the only difference is about the ownership, you couldn't find the owner
      // from inlinedataId directly. You should get it from eml document itself
      String []userPackage = createUsersPackage(user, groups);
-            jones
+     try {
-            leinfelder
+        if (containDocumentOwner(userPackage))
             jones
            return true;
+         }
          else
+         {
-            leinfelder
+        	 // is a funky inline data id with the extra part, so we set it manually
              PermissionController controller = new PermissionController(guid);
              controller.guid = inlineDataId;
-            jones
+             return controller.hasPermission(user, groups, myPermission);
+         }
     } catch (SQLException e) {
         throw new McdbException(e.getMessage());
+    }
             sgarg
   /**
-            tao
+   * The method to determine of a node can be access by a user just by subtree
    * access control
    */
   public boolean hasPermissionForSubTreeNode(String user, String[] groups,
                                              String myPermission, long nodeId)
                                              throws McdbException
+  {
-            tao
+    boolean flag = true;
-            tao
+    // Get unaccessble subtree for this user
-            daigle
+    Hashtable unaccessableSubTree = hasUnaccessableSubTree(user, groups,
-            tao
+                                                           myPermission);
-            daigle
+    Enumeration en = unaccessableSubTree.elements();
-            tao
+    while (en.hasMoreElements())
+    {
       SubTree tree = (SubTree)en.nextElement();
       long start = tree.getStartNodeId();
       long stop  = tree.getEndNodeId();
-            tao
+      // nodeid in unaccessablesubtree, return false
-            tao
+      if ( nodeId >= start && nodeId <= stop)
+      {
-            tao
+        flag = false;
-            tao
+        break;
+      }
+    }
     return flag;
+  }
   /**
-            sgarg
+   * This method will return a hasTable of subtree which user doesn't has the
-            tao
+   * permssion to access
    * @param user  the user name
    * @param groups  the groups which the use is in
    * @param myPermission  permission type to check for
    */
-            daigle
+  public Hashtable hasUnaccessableSubTree(String user, String[] groups,
-            tao
+                                       String myPermission) throws McdbException
+  {
-            daigle
+    Hashtable resultUnaccessableSubTree = new Hashtable();
-            tao
+    String [] principals=null;
     int permission =AccessControlList.intValue(myPermission);
             sgarg
-            tao
+    //for the commnad line invocation return null(no unaccessable subtree)
     if ((user==null) && (groups==null || groups.length==0))
+    {
       return resultUnaccessableSubTree;
+    }
             sgarg
-            tao
+    //create a userpackage including user, public and group member
     principals=createUsersPackage(user, groups);
     //for the document owner return null(no unaccessable subtree)
     try
+    {
-            leinfelder
+      if (containDocumentOwner(principals))
             tao
        return resultUnaccessableSubTree;
+      }
+    }
     catch (SQLException ee)
+    {
       throw new McdbException(ee);
+    }
             sgarg
-            tao
+    // go through every subtree which has access control
     for (int i = 0; i< subTreeList.size(); i++)
+    {
       SubTree tree = (SubTree)subTreeList.elementAt(i);
-            tao
+      long startId = tree.getStartNodeId();
             sgarg
-            tao
+        try
+        {
-            leinfelder
+          if (isAllowFirst(principals, startId))
             tao
             sgarg
-            leinfelder
+            if (hasExplicitDenyRule(principals, permission, startId ))
             tao
             sgarg
-            tao
+             //if it is allowfirst and has deny rule
               // put the subtree into unaccessable vector
-            tao
+              if (!resultUnaccessableSubTree.containsKey(new Long(startId)))
             tao
-            tao
+                resultUnaccessableSubTree.put(new Long(startId), tree);
             tao
             }//if
-            leinfelder
+            else if ( hasAllowRule(principals, permission, startId))
             tao
               //if it is allowfirst and hasn't deny rule and has allow rule
               //allow access do nothing
             sgarg
-            tao
+            }//else if
             else
+            {
               //other situation deny access
-            tao
+              if (!resultUnaccessableSubTree.containsKey(new Long(startId)))
             tao
-            tao
+                resultUnaccessableSubTree.put(new Long(startId), tree);
             tao
             sgarg
-            tao
+            }//else
           }//if isAllowFirst
           else //denyFirst
+          {
-            leinfelder
+            if (hasAllowRule(principals, permission,startId))
             tao
               //if it is denyFirst and has allow rule, allow access, do nothing
             sgarg
             tao
             else
+            {
               //if it is denyfirst but no allow rule, deny access
               // add into vector
-            tao
+              if (!resultUnaccessableSubTree.containsKey(new Long(startId)))
             tao
-            tao
+                resultUnaccessableSubTree.put(new Long(startId), tree);
             tao
+            }
           }//else denyfirst
         }//try
         catch( Exception e)
+        {
-            daigle
+          logMetacat.error("PermissionController.hasUnaccessableSubTree - error in PermissionControl.has" +
-            sgarg
+                                   "UnaccessableSubTree "+e.getMessage());
-            tao
+          throw new McdbException(e);
+        }
             sgarg
-            tao
+    }//for
-            sgarg
+    // merge the subtree if a subtree is another subtree'subtree
-            tao
+    resultUnaccessableSubTree = mergeEquivalentSubtree(resultUnaccessableSubTree);
-            tao
+    return resultUnaccessableSubTree;
   }//hasUnaccessableSubtree
             sgarg
   /*
-            tao
+   * A method to merge nested subtree into bigger one. For example subtree b
    * is a subtree of subtree a. And user doesn't have read permission for both
    * so we only use subtree a is enough.
    */
-            daigle
+  private Hashtable mergeEquivalentSubtree(Hashtable unAccessSubTree)
             tao
-            daigle
+    Hashtable newSubTreeHash = new Hashtable();
-            tao
+    boolean   needDelete = false;
     // check the parameters
     if (unAccessSubTree == null || unAccessSubTree.isEmpty())
+    {
       return newSubTreeHash;
+    }
     else
+    {
       // look every subtree start point and stop point, to see if it is embedded
       // in another one. If embedded, they are equavelent and we can use bigger
       // one to replace smaller one
-            daigle
+      Enumeration en = unAccessSubTree.elements();
-            tao
+      while (en.hasMoreElements())
+      {
         SubTree tree    = (SubTree)en.nextElement();
         String  treeId  = tree.getSubTreeId();
         long    startId = tree.getStartNodeId();
         long    endId   = tree.getEndNodeId();
             sgarg
-            daigle
+        Enumeration enu = unAccessSubTree.elements();
-            tao
+        while (enu.hasMoreElements())
+        {
           SubTree subTree = (SubTree)enu.nextElement();
-            daigle
+          String subTreeId= subTree.getSubTreeId();
-            tao
+          long   subTreeStartId = subTree.getStartNodeId();
           long   subTreeEndId   = subTree.getEndNodeId();
           //compare and if the first subtree is a subtree of the second
           // one, set neeDelete true
           if (startId > subTreeStartId && endId < subTreeEndId)
+          {
             needDelete = true;
-            daigle
+            logMetacat.info("PermissionController.mergeEquivalentSubtree - the subtree: "+ treeId +
-            tao
+                                     " need to be get rid of from unaccessable"+
                                      " subtree list becuase it is a subtree of"+
-            sgarg
+                                     " another subtree in the list");
-            tao
+            break;
           }//if
         }//while
         // if not need to delete, put the subtree into hash
         if (!needDelete)
+        {
-            tao
+          newSubTreeHash.put(new Long(startId), tree);
             tao
         //reset needDelete
         needDelete = false;
       }//while
       return newSubTreeHash;
     }//else
+  }
             sgarg
-            tao
+  /**
-            daigle
+	 * Check if a document id is a access document. Access document need user
 	 * has "all" permission to access it.
+	 *
 	 * @param docId,
 	 *            the document id need to be checked
 	 */
-            leinfelder
+	private boolean isAccessDocument() throws SQLException {
 		// get the docid from the guid
 		String docId = null;
 		try {
 			docId = IdentifierManager.getInstance().getLocalId(guid);
 		} catch (McdbDocNotFoundException e) {
 			return false;
 			//throw new SQLException(e);
+		}
-            daigle
+		docId = DocumentUtil.getDocIdFromString(docId);
-            daigle
+		PreparedStatement pStmt = null;
 		DBConnection conn = null;
 		int serialNumber = -1;
 		try {
 			// check out DBConnection
 			conn = DBConnectionPool.getDBConnection("PermissionControl.isAccessDoc");
 			serialNumber = conn.getCheckOutSerialNumber();
-            leinfelder
+			pStmt = conn.prepareStatement("select doctype from xml_documents where docid like ? ");
 			pStmt.setString(1, docId);
-            daigle
+			pStmt.execute();
 			ResultSet rs = pStmt.getResultSet();
 			boolean hasRow = rs.next();
 			String doctype = null;
 			if (hasRow) {
 				doctype = rs.getString(1);
             sgarg
             daigle
 			pStmt.close();
             sgarg
-            daigle
+			// if it is an access document
 			if (doctype != null
-            daigle
+					&& ((MetacatUtil.getOptionList(PropertyService
-            daigle
+							.getProperty("xml.accessdoctype")).contains(doctype)))) {
             sgarg
-            daigle
+				return true;
+			}
             sgarg
-            daigle
+		} catch (SQLException e) {
 			throw new SQLException("PermissionControl.isAccessDocument "
 					+ "Error checking" + " on document " + docId + ". " + e.getMessage());
 		} catch (PropertyNotFoundException pnfe) {
 			throw new SQLException("PermissionControl.isAccessDocument "
 					+ "Error checking" + " on document " + docId + ". " + pnfe.getMessage());
 		} finally {
 			try {
 				pStmt.close();
 			} finally {
 				DBConnectionPool.returnDBConnection(conn, serialNumber);
+			}
+		}
             sgarg
-            daigle
+		return false;
 	}// isAccessDocument
             sgarg
-            tao
+  /**
-            daigle
+	 * Check if a stirng array contains a given documents' owner
+	 *
 	 * @param principals,
 	 *            a string array storing the username, groups name and public.
 	 * @param docid,
 	 *            the id of given documents
 	 */
-            leinfelder
+  private boolean containDocumentOwner(String[] principals)
-            tao
+                    throws SQLException
+  {
             leinfelder
 	// get the docid
 	String docId = null;
 	try {
 		docId = IdentifierManager.getInstance().getLocalId(guid);
 		docId = DocumentUtil.getDocIdFromString(docId);
 	} catch (McdbDocNotFoundException e) {
 		// should be true if we own the parent doc, but likely won't be checked in that case
 		return false;
+	}
-            tao
+    int lengthOfArray=principals.length;
-            sgarg
+    boolean hasRow;
-            tao
+    PreparedStatement pStmt=null;
     DBConnection conn = null;
     int serialNumber = -1;
             sgarg
-            tao
+    try
+    {
       //check out DBConnection
-            tao
+     conn=DBConnectionPool.getDBConnection("PermissionControl.containDocOnwer");
-            tao
+      serialNumber=conn.getCheckOutSerialNumber();
       pStmt = conn.prepareStatement(
                 "SELECT 'x' FROM xml_documents " +
-            leinfelder
+                "WHERE docid = ? AND lower(user_owner) = ? " +
                 "UNION ALL " +
                 "SELECT 'x' FROM xml_revisions " +
                 "WHERE docid = ? AND lower(user_owner) = ? ");
-            tao
+      //check every element in the string array too see if it conatains
       //the owner of document
       for (int i=0; i<lengthOfArray; i++)
+      {
             sgarg
-            tao
+        // Bind the values to the query
         pStmt.setString(1, docId);
         pStmt.setString(2, principals[i]);
-            leinfelder
+        pStmt.setString(3, docId);
         pStmt.setString(4, principals[i]);
-            daigle
+        logMetacat.info("PermissionController.containDocumentOwner - the principle stack is : " +
-            sgarg
+                                  principals[i]);
             tao
         pStmt.execute();
         ResultSet rs = pStmt.getResultSet();
         hasRow = rs.next();
-            sgarg
+        if (hasRow)
             tao
           pStmt.close();
-            daigle
+           logMetacat.info("PermissionController.containDocumentOwner - find the owner");
-            tao
+          return true;
-            sgarg
+        }//if
-            tao
+      }//for
     }//try
-            sgarg
+    catch (SQLException e)
             tao
         pStmt.close();
             sgarg
         throw new
-            daigle
+        SQLException("PermissionControl.hasPermission - " +
-            tao
+                     "Error checking ownership for " + principals[0] +
                      " on document #" + docId + ". " + e.getMessage());
     }//catch
     finally
+    {
       try
+      {
         pStmt.close();
+      }
       finally
+      {
         DBConnectionPool.returnDBConnection(conn, serialNumber);
+      }
+    }
-            sgarg
+    return false;
-            tao
+  }//containDocumentOwner
             sgarg
-            tao
+  /**
     * Check if the permission order for user at that documents is allowFirst
-            sgarg
+    * @param principals, list of names of principals to check for
-            tao
+    * @param docid, document identifier to check for
     */
-            leinfelder
+  private boolean isAllowFirst(String [] principals, long startId)
-            tao
+                  throws SQLException, Exception
+  {
     int lengthOfArray=principals.length;
     boolean hasRow;
     PreparedStatement pStmt = null;
     DBConnection conn = null;
     int serialNumber = -1;
-            tao
+    String sql = null;
     boolean topLever =false;
-            tao
+    if (startId == TOPLEVELSTARTNODEID)
             tao
       //top level
       topLever = true;
-            leinfelder
+      sql =
     	  "SELECT perm_order FROM xml_access " +
 		    "WHERE lower(principal_name) = ? " +
 		    "AND guid = ? " +
 		    "AND startnodeid is NULL";
             tao
     else
+    {
       //sub tree level
       sql = "SELECT perm_order FROM xml_access " +
-            leinfelder
+        "WHERE lower(principal_name) = ? " +
         "AND guid = ? " +
         "AND startnodeid = ?";
             tao
             sgarg
-            tao
+    try
+    {
       //check out DBConnection
       conn=DBConnectionPool.getDBConnection("AccessControlList.isAllowFirst");
       serialNumber=conn.getCheckOutSerialNumber();
             sgarg
-            tao
+      //select permission order from database
-            tao
+      pStmt = conn.prepareStatement(sql);
             sgarg
-            tao
+      //check every name in the array
       for (int i=0; i<lengthOfArray;i++)
+      {
         //bind value
         pStmt.setString(1, principals[i]);//user name
-            leinfelder
+        pStmt.setString(2, guid);//guid
-            sgarg
+        // if subtree, we need set subtree id
-            tao
+        if (!topLever)
+        {
-            tao
+          pStmt.setLong(3, startId);
             tao
             sgarg
-            tao
+        pStmt.execute();
         ResultSet rs = pStmt.getResultSet();
         hasRow=rs.next();
         if (hasRow)
+        {
           //get the permission order from data base
           String permissionOrder=rs.getString(1);
           //if the permission order is "allowFirst
           if (permissionOrder.equalsIgnoreCase(AccessControlInterface.ALLOWFIRST))
+          {
             pStmt.close();
             return true;
+          }
           else
+          {
             pStmt.close();
             return false;
+          }
         }//if
       }//for
     }//try
     catch (SQLException e)
+    {
       throw e;
+    }
     finally
+    {
       try
+      {
         pStmt.close();
+      }
       finally
+      {
         DBConnectionPool.returnDBConnection(conn, serialNumber);
+      }
+    }
             sgarg
     //if reach here, means there is no permssion record for given names and
-            tao
+    //docid. So throw a exception.
             sgarg
-            daigle
+    throw new Exception("PermissionController.isAllowFirst - There is no permission record for user "+ principals[0] +
-            leinfelder
+                        " at document " + guid);
             sgarg
-            tao
+  }//isAllowFirst
             sgarg
-            tao
+  /**
-            sgarg
+    * Check if the users array has allow rules for given users, docid and
-            tao
+    * permission.
     * If it has permission rule and ticket count is greater than 0, the ticket
     * number will decrease one for every allow rule
-            sgarg
+    * @param principals, list of names of principals to check for
-            tao
+    * @param docid, document identifier to check for
     * @param permission, the permssion need to check
     */
-            leinfelder
+  private boolean hasAllowRule(String [] principals, int permission, long startId)
-            tao
+                  throws SQLException, Exception
+ {
    int lengthOfArray=principals.length;
    boolean allow=false;//initial value is no allow rule
    ResultSet rs;
    PreparedStatement pStmt = null;
    int permissionValue=permission;
    int permissionValueInTable;
    DBConnection conn = null;
    int serialNumber = -1;
-            tao
+   boolean topLever = false;
    String sql = null;
-            tao
+   if (startId == TOPLEVELSTARTNODEID)
             tao
      // for toplevel
      topLever = true;
-            leinfelder
+     sql = "SELECT permission " +
 		"FROM xml_access " +
  		"WHERE guid = ? " +
  		"AND lower(principal_name) = ? " +
  		"AND perm_type = ? " +
  		"AND startnodeid is NULL";
             tao
    else
+   {
      topLever =false;
-            leinfelder
+     sql = "SELECT permission " +
      		"FROM xml_access " +
      		"WHERE guid = ? " +
      		"AND lower(principal_name) = ? " +
      		"AND perm_type = ? " +
      		"AND startnodeid = ?";
             tao
-            tao
+   try
+   {
      //check out DBConnection
      conn=DBConnectionPool.getDBConnection("AccessControlList.hasAllowRule");
      serialNumber=conn.getCheckOutSerialNumber();
-            sgarg
+    //This sql statement will select entry with
-            tao
+    //begin_time<=currentTime<=end_time in xml_access table
     //If begin_time or end_time is null in table, isnull(begin_time, sysdate)
     //function will assign begin_time=sysdate
-            tao
+    pStmt = conn.prepareStatement(sql);
-            tao
+    //bind docid, perm_type
-            leinfelder
+    pStmt.setString(1, guid);
-            tao
+    pStmt.setString(3, AccessControlInterface.ALLOW);
             sgarg
-            tao
+    // if subtree lever, need to set subTreeId
     if (!topLever)
+    {
-            tao
+      pStmt.setLong(4, startId);
             tao
             sgarg
-            tao
+    //bind every elenment in user name array
     for (int i=0;i<lengthOfArray; i++)
+    {
-            leinfelder
+        logMetacat.debug("Checking permission for principal: " + principals[i] );
         logMetacat.debug("SQL: " + pStmt.toString());
-            tao
+      pStmt.setString(2, principals[i]);
       pStmt.execute();
       rs=pStmt.getResultSet();
       while (rs.next())//check every entry for one user
+      {
         permissionValueInTable=rs.getInt(1);
             sgarg
         //permission is ok
-            tao
+        //the user have a permission to access the file
         if (( permissionValueInTable & permissionValue )== permissionValue )
+        {
             sgarg
-            tao
+           allow=true;//has allow rule entry
         }//if
       }//while
     }//for
    }//try
    catch (SQLException sqlE)
+   {
      throw sqlE;
+   }
    catch (Exception e)
+   {
      throw e;
+   }
    finally
+   {
      try
+     {
        pStmt.close();
+     }
      finally
+     {
        DBConnectionPool.returnDBConnection(conn, serialNumber);
+     }
+   }
     return allow;
  }//hasAllowRule
             sgarg
-            tao
+   /**
-            sgarg
+    * Check if the users array has explicit deny rules for given users, docid
-            tao
+    * and permission. That means the perm_type is deny and current time is
     * less than end_time and greater than begin time, or no time limit.
-            sgarg
+    * @param principals, list of names of principals to check for
-            tao
+    * @param docid, document identifier to check for
     * @param permission, the permssion need to check
     */
-            leinfelder
+  private boolean hasExplicitDenyRule(String [] principals,
-            tao
+                                      int permission, long startId)
-            tao
+                  throws SQLException
+ {
    int lengthOfArray=principals.length;
    ResultSet rs;
    PreparedStatement pStmt = null;
    int permissionValue=permission;
    int permissionValueInTable;
    DBConnection conn = null;
    int serialNumber = -1;
-            tao
+   String sql = null;
    boolean topLevel = false;
             sgarg
-            tao
+   // decide top level or subtree level
-            tao
+   if (startId == TOPLEVELSTARTNODEID)
             tao
      topLevel = true;
-            leinfelder
+     sql = "SELECT permission " +
      		"FROM xml_access " +
      		"WHERE guid = ? " +
 	     	"AND lower(principal_name) = ? " +
 	     	"AND perm_type = ? " +
 	     	"AND startnodeid is NULL";
             tao
    else
+   {
      topLevel = false;
-            leinfelder
+     sql = "SELECT permission " +
 		"FROM xml_access " +
 		"WHERE guid = ? " +
 	  	"AND lower(principal_name) = ? " +
 	  	"AND perm_type = ? " +
 	  	"AND startnodeid = ?";
             tao
             sgarg
-            tao
+   try
+   {
      //check out DBConnection
-            tao
+     conn=DBConnectionPool.getDBConnection("PermissionControl.hasExplicitDeny");
-            tao
+     serialNumber=conn.getCheckOutSerialNumber();
             sgarg
-            tao
+     pStmt = conn.prepareStatement(sql);
-            tao
+    //bind docid, perm_type
-            leinfelder
+    pStmt.setString(1, guid);
-            tao
+    pStmt.setString(3, AccessControlInterface.DENY);
             sgarg
-            tao
+    // subtree level need to set up subtreeid
     if (!topLevel)
+    {
-            tao
+      pStmt.setLong(4, startId);
             tao
             sgarg
-            tao
+    //bind every elenment in user name array
     for (int i=0;i<lengthOfArray; i++)
+    {
       pStmt.setString(2, principals[i]);
       pStmt.execute();
       rs=pStmt.getResultSet();
       while (rs.next())//check every entry for one user
+      {
         permissionValueInTable=rs.getInt(1);
             sgarg
-            tao
+        //permission is ok the user doesn't have permission to access the file
         if (( permissionValueInTable & permissionValue )== permissionValue )
             sgarg
             tao
            pStmt.close();
            return true;
          }//if
       }//while
     }//for
    }//try
    catch (SQLException e)
+   {
      throw e;
    }//catch
    finally
+   {
      try
+     {
        pStmt.close();
+     }
      finally
+     {
        DBConnectionPool.returnDBConnection(conn, serialNumber);
+     }
    }//finally
    return false;//no deny rule
-            sgarg
+  }//hasExplicitDenyRule
             tao
             sgarg
-            tao
+  /**
     * Creat a users pakages to check permssion rule, user itself, public and
     * the gourps the user belong will be include in this package
     * @param user, the name of user
     * @param groups, the string array of the groups that user belong to
     */
   private String[] createUsersPackage(String user, String [] groups)
+  {
     String [] usersPackage=null;
     int lengthOfPackage;
             sgarg
-            tao
+    if (groups!=null)
+    {
-            sgarg
+      //if gouprs is not null and user is not public, we should create a array
       //to store the groups and user and public.
-            tao
+      //So the length of userPackage is the length of group plus two
       if (!user.equalsIgnoreCase(AccessControlInterface.PUBLIC))
+      {
         lengthOfPackage=(groups.length)+2;
         usersPackage=new String [lengthOfPackage];
         //the first two elements is user self and public
-            tao
+        //in order to ignore case sensitive, we transfer user to lower case
         if (user != null)
+        {
           usersPackage[0]= user.toLowerCase();
-            daigle
+          logMetacat.info("PermissionController.createUsersPackage - after transfer to lower case(not null): "+
-            sgarg
+                                     usersPackage[0]);
             tao
         else
+        {
           usersPackage[0] = user;
           usersPackage[0]= user.toLowerCase();
-            daigle
+          logMetacat.info("PermissionController.createUsersPackage - after transfer to lower case(null): "+
-            sgarg
+                                     usersPackage[0]);
             tao
-            tao
+        usersPackage[1]=AccessControlInterface.PUBLIC;
         //put groups element from index 0 to lengthOfPackage-3 into userPackage
         //from index 2 to lengthOfPackage-1
         for (int i=2; i<lengthOfPackage; i++)
+        {
-            tao
+          //tansfer group to lower case too
           if (groups[i-2] != null)
+          {
             usersPackage[i]=groups[i-2].toLowerCase();
+          }
-            tao
+        } //for
       }//if user!=public
       else//use=public
+      {
         lengthOfPackage=(groups.length)+1;
         usersPackage=new String [lengthOfPackage];
         //the first lements is public
         usersPackage[0]=AccessControlInterface.PUBLIC;
         //put groups element from index 0 to lengthOfPackage-2 into userPackage
         //from index 1 to lengthOfPackage-1
         for (int i=1; i<lengthOfPackage; i++)
+        {
-            tao
+          if (groups[i-1] != null)
+          {
             usersPackage[i]=groups[i-1].toLowerCase();
+          }
-            tao
+        } //for
       }//else user=public
             sgarg
-            tao
+    }//if groups!=null
     else
+    {
       //because no groups, the userPackage only need two elements
       //one is for user, the other is for public
       if (!user.equalsIgnoreCase(AccessControlInterface.PUBLIC))
+      {
         lengthOfPackage=2;
         usersPackage=new String [lengthOfPackage];
-            tao
+        if (user != null)
+        {
           usersPackage[0]=user.toLowerCase();
+        }
         else
+        {
           usersPackage[0]=user;
+        }
-            tao
+        usersPackage[1]=AccessControlInterface.PUBLIC;
       }//if user!=public
       else //user==public
+      {
         //only put public into array
         lengthOfPackage=1;
         usersPackage=new String [lengthOfPackage];
         usersPackage[0]=AccessControlInterface.PUBLIC;
+      }
     }//else groups==null
     return usersPackage;
   }//createUsersPackage
             sgarg
-            tao
+  /**
-            sgarg
+   * A static method to get Hashtable which cointains a inlinedata object list that
    * user can't read it. The key is subtree id of inlinedata, the data is
    * internal file name for the inline data which is stored as docid
    * in xml_access table or data object doc id.
-            leinfelder
+   * @param docid (With Rev), metadata docid which should be the accessfileid
-            sgarg
+   *                         in the table
    * @param user , the name of user
    * @param groups, the group which the user belong to
-            tao
+   */
-            leinfelder
+   public static Hashtable<String, String> getUnReadableInlineDataIdList(String docid,
                                                    String user, String[] groups)
-            jones
+                                                throws McdbException
             sgarg
-            leinfelder
+     Hashtable<String, String> inlineDataList = getUnAccessableInlineDataIdList(docid,
                               user, groups, AccessControlInterface.READSTRING);
             sgarg
      return inlineDataList;
+   }
    /**
   * A static method to get Hashtable which cointains a inline  data object list that
   * user can't overwrite it. The key is subtree id of inline data distrubition,
   * the value is internal file name for the inline data which is stored as docid
   * in xml_access table or data object doc id.
   * @param docidWithoutRev, metadata docid which should be the accessfileid
   *                         in the table
   * @param user , the name of user
   * @param groups, the group which the user belong to
   */
-            daigle
+  public static Hashtable<String, String> getUnWritableInlineDataIdList(String docidWithoutRev,
-            sgarg
+                                                  String user, String[] groups,
                                                   boolean withRevision)
-            sgarg
+                                               throws Exception
             tao
-            daigle
+    Hashtable<String, String> inlineDataList = getUnAccessableInlineDataIdList(docidWithoutRev,
-            leinfelder
+                            user, groups, AccessControlInterface.WRITESTRING);
             sgarg
     return inlineDataList;
+  }
-            leinfelder
+   /**
-            sgarg
+    * This method will get hashtable which contains a unaccessable distribution
     * inlinedata object list
             sgarg
-            sgarg
+    */
-            daigle
+   private static Hashtable<String, String> getUnAccessableInlineDataIdList(String docid,
-            leinfelder
+                               String user, String[] groups, String permission)
-            jones
+                             throws McdbException
             sgarg
-            jones
+       Hashtable<String, String> unAccessibleIdList = new Hashtable();
        if (user == null) {
            return unAccessibleIdList;
+       }
        Hashtable allIdList;
        try {
            allIdList = getAllInlineDataIdList(docid);
        } catch (SQLException e) {
            throw new McdbException(e.getMessage());
+       }
        Enumeration<String> en = allIdList.keys();
-            sgarg
+      while (en.hasMoreElements())
             tao
-            sgarg
+        String subTreeId = (String) en.nextElement();
         String fileId = (String) allIdList.get(subTreeId);
-            leinfelder
+        //Here fileid is internal file id for line data. It stored in guid
         // field in xml_access table.
         PermissionController controller = new PermissionController(docid);
-            sgarg
+        if (!controller.hasPermissionForInlineData(user, groups, permission, fileId))
+        {
             leinfelder
             logMetacat.info("PermissionController.getUnAccessableInlineDataIdList - Put subtree id " + subTreeId +
                                      " and " + "inline data file name " +
                                      fileId + " into " + "un" + permission +
                                      " hash");
             unAccessibleIdList.put(subTreeId, fileId);
             sgarg
             leinfelder
             sgarg
             tao
-            daigle
+      return unAccessibleIdList;
             sgarg
    /*
     * This method will get a hash table from xml_access table for all records
     * about the inline data. The key is subtree id and data is a inline internal
     * file name
     */
-            daigle
+   private static Hashtable getAllInlineDataIdList(String docid) throws SQLException
             sgarg
-            daigle
+     Hashtable inlineDataList = new Hashtable();
-            leinfelder
+     String sql =
     	 "SELECT subtreeid, guid " +
     	 "FROM xml_access " +
     	 "WHERE accessfileid = ? " +
     	 "AND subtreeid IS NOT NULL";
-            sgarg
+     PreparedStatement pStmt=null;
      ResultSet rs=null;
      DBConnection conn=null;
      int serialNumber=-1;
      try
+     {
        //check out DBConnection
        conn=DBConnectionPool.getDBConnection("PermissionControl.getDataSetId");
        serialNumber=conn.getCheckOutSerialNumber();
        pStmt=conn.prepareStatement(sql);
        //bind the value to query
        pStmt.setString(1, docid);
        //execute the query
        pStmt.execute();
        rs=pStmt.getResultSet();
        //process the result
        while(rs.next())
+       {
          String subTreeId = rs.getString(1);
          String inlineDataId = rs.getString(2);
          if (subTreeId != null && !subTreeId.trim().equals("") &&
             inlineDataId != null && !inlineDataId.trim().equals(""))
+         {
            inlineDataList.put(subTreeId, inlineDataId);
+         }
       }//while
      }//try
      finally
+     {
        try
+       {
          pStmt.close();
+       }
        finally
+       {
          DBConnectionPool.returnDBConnection(conn, serialNumber);
+       }
      }//finally
      return inlineDataList;
    }//getAllInlineDataIdList
             tao

Project

General

Profile

Metacat