Revision 9997
Added by Jing Tao about 8 years ago
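--- a/src/edu/ucsb/nceas/metacat/dataone/D1NodeService.java
+++ b/src/edu/ucsb/nceas/metacat/dataone/D1NodeService.java
@@ -72,6 +72,7 @@
 import org.dataone.service.types.v1.Identifier;
 import org.dataone.service.types.v1.ObjectFormatIdentifier;
 import org.dataone.service.types.v1.ObjectList;
+import org.dataone.service.types.v1.SubjectInfo;
 import org.dataone.service.types.v2.Log;
 import org.dataone.service.types.v2.Node;
 import org.dataone.service.types.v2.OptionList;
@@ -1147,7 +1148,7 @@
 * 1. Owner can have any permission.
 * 2. Access table allow the user has the permission
 */
-public static boolean userHasPermission(Session userSession, Identifier pid, Permission permission ) throws NotFound{
+public static boolean userHasPermission(Session userSession, Identifier pid, Permission permission ) throws NotFound, ServiceFailure, NotImplemented, InvalidRequest, InvalidToken, NotAuthorized {
 boolean allowed = false;
 // permissions are hierarchical
 List<Permission> expandedPermissions = null;
@@ -1197,6 +1198,12 @@
 allowed = systemMetadata.getRightsHolder().equals(s);
 if (allowed) {
 return allowed;
+} else {
+//check if the rightHolder is a group name. If it is, any member of the group can be considered a the right holder.
+allowed = expandRightsHolder(systemMetadata.getRightsHolder(), s);
+if(allowed) {
+return allowed;
+}
 }
 }
 
@@ -1230,6 +1237,70 @@
 }
 return allowed;
 }
+
+
+/**
+* Check if the given userSession is the member of the right holder group (if the right holder is a group subject).
+* If the right holder is not a group, it will be false of course.
+* @param rightHolder the subject of the right holder.
+* @param userSession the subject will be compared
+* @return true if the user session is a member of the right holder group; false otherwise.
+* @throws NotImplemented
+* @throws ServiceFailure
+* @throws NotAuthorized
+* @throws InvalidToken
+* @throws InvalidRequest
+*/
+public static boolean expandRightsHolder(Subject rightHolder, Subject userSession) throws ServiceFailure, NotImplemented, InvalidRequest, InvalidToken, NotAuthorized {
+boolean is = false;
+if(rightHolder != null && userSession != null && rightHolder.getValue() != null && !rightHolder.getValue().trim().equals("") && userSession.getValue() != null && !userSession.getValue().trim().equals("")) {
+CNode cn = D1Client.getCN();
+logMetacat.debug("D1NodeService.expandRightHolder - after getting the cn node and cn node is "+cn.getNodeBaseServiceUrl());
+String query= rightHolder.getValue();
+int start =0;
+int count=-1;
+String status = null;
+Session session = null;
+SubjectInfo subjects = cn.listSubjects(session, query, status, start, count);
+if(subjects != null) {
+logMetacat.debug("D1NodeService.expandRightHolder - search the subject "+query+" in the cn and the returned result is not null");
+List<Group> groups = subjects.getGroupList();
+if(groups != null) {
+logMetacat.debug("D1NodeService.expandRightHolder - search the subject "+query+" in the cn and the returned result does include groups and the size of groups is "+groups.size());
+for(Group group : groups) {
+//logMetacat.debug("D1NodeService.expandRightHolder - group has the subject "+group.getSubject().getValue());
+if(group != null && group.getSubject() != null && group.getSubject().equals(rightHolder)) {
+logMetacat.debug("D1NodeService.expandRightHolder - there is a group in the list having the subjecct "+group.getSubject().getValue()+" which matches the right holder's subject "+rightHolder.getValue());
+List<Subject> members = group.getHasMemberList();
+if(members != null ){
+logMetacat.debug("D1NodeService.expandRightHolder - the group "+group.getSubject().getValue()+" in the cn has members");
+for(Subject member : members) {
+logMetacat.debug("D1NodeService.expandRightHolder - compare the member "+member.getValue()+" with the user "+userSession.getValue());
+if(member.getValue() != null && !member.getValue().trim().equals("") && userSession.getValue() != null && member.getValue().equals(userSession.getValue())) {
+logMetacat.debug("D1NodeService.expandRightHolder - Find it! The member "+member.getValue()+" in the group "+group.getSubject().getValue()+" matches the user "+userSession.getValue());
+is = true;
+return is;
+}
+}
+}
+break;//we found the group but can't find the member matches the user. so break it.
+}
+}
+} else {
+logMetacat.debug("D1NodeService.expandRightHolder - search the subject "+query+" in the cn and the returned result does NOT have a group");
+}
+} else {
+logMetacat.debug("D1NodeService.expandRightHolder - search the subject "+query+" in the cn and the returned result is null");
+}
+if(!is) {
+logMetacat.debug("D1NodeService.expandRightHolder - We can NOT find any member in the group "+query+" (if it is a group) matches the user "+userSession.getValue());
+}
+} else {
+logMetacat.debug("D1NodeService.expandRightHolder - We can't determine if the use subject is a member of the right holder group since one of them is null or blank");
+}
+
+return is;
+}
 /*
 * parse a logEntry and get the relevant field from it
 *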
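Review bot: A failed Coordinating Node lookup in the new `else` branch of `userHasPermission` now aborts the whole permission check. `expandRightsHolder` calls `cn.listSubjects` remotely and its exceptions propagate, so the access-table rule named in the method comment is never evaluated when the CN call fails. Treating a lookup failure as "not a group member" for this one rule, with a warning in the log, keeps the decision fail-closed without making local authorization depend on CN availability; the widened `throws` clause may then be unnecessary. The lookup also passes `Session session = null` and `count=-1`, so it is anonymous and unbounded and appears to run once per subject with no caching. It is worth confirming that the CN returns group membership to anonymous callers and that the repeated round-trips are acceptable. The body of `userHasPermission` continues outside the hunk, so the ordering relative to the access-policy check is inferred from the visible lines.

```java
} else {
    // The rights holder may be a group. A failed CN lookup only disables this rule;
    // it must not stop the access-policy check that follows.
    try {
        allowed = expandRightsHolder(systemMetadata.getRightsHolder(), s);
    } catch (ServiceFailure | NotImplemented | InvalidRequest | InvalidToken | NotAuthorized e) {
        logMetacat.warn("D1NodeService.userHasPermission - could not expand the rights holder for "
                + pid.getValue() + ": " + e.getMessage());
        allowed = false;
    }
    if (allowed) {
        return allowed;
    }
// … unchanged: closing brace of the else branch and the rest of the subject loop …
```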
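--- a/src/edu/ucsb/nceas/metacat/dataone/MNodeService.java
+++ b/src/edu/ucsb/nceas/metacat/dataone/MNodeService.java
@@ -62,6 +62,7 @@
 import javax.xml.transform.stream.StreamResult;
 
 import org.apache.commons.io.IOUtils;
+import org.apache.commons.lang.NotImplementedException;
 import org.apache.log4j.Logger;
 import org.dataone.client.v2.CNode;
 import org.dataone.client.v2.itk.D1Client;
@@ -394,7 +395,22 @@
 // does the subject have WRITE ( == update) priveleges on the pid?
 //allowed = isAuthorized(session, pid, Permission.WRITE);
 //CN having the permission is allowed; user with the write permission and calling on the authoritative node is allowed.
-allowed = allowUpdating(session, pid, Permission.WRITE);
+try {
+allowed = allowUpdating(session, pid, Permission.WRITE);
+} catch (NotFound e) {
+throw new NotFound("1280", "Can't determine if the client has the permission to update the object with id "+pid.getValue()+" since "+e.getDescription());
+} catch(ServiceFailure e) {
+throw new ServiceFailure("1310", "Can't determine if the client has the permission to update the object with id "+pid.getValue()+" since "+e.getDescription());
+} catch(NotAuthorized e) {
+throw new NotAuthorized("1200", "Can't determine if the client has the permission to update the object with id "+pid.getValue()+" since "+e.getDescription());
+} catch(NotImplemented e) {
+throw new NotImplemented("1201","Can't determine if the client has the permission to update he object with id "+pid.getValue()+" since "+e.getDescription());
+} catch(InvalidRequest e) {
+throw new InvalidRequest("1202", "Can't determine if the client has the permission to update the object with id "+pid.getValue()+" since "+e.getDescription());
+} catch(InvalidToken e) {
+throw new InvalidToken("1210", "Can't determine if the client has the permission to update the object with id "+pid.getValue()+" since "+e.getDescription());
+}
+
 if (allowed) {
 
 // check quality of SM
@@ -2584,6 +2600,16 @@
 }
 } catch (NotFound e) {
 throw new InvalidRequest("4869", "Can't determine if the client has the permission to update the system metacat of the object with id "+pid.getValue()+" since "+e.getDescription());
+} catch(ServiceFailure e) {
+throw new ServiceFailure("4868", "Can't determine if the client has the permission to update the system metacat of the object with id "+pid.getValue()+" since "+e.getDescription());
+} catch(NotAuthorized e) {
+throw new NotAuthorized("4861", "Can't determine if the client has the permission to update the system metacat of the object with id "+pid.getValue()+" since "+e.getDescription());
+} catch(NotImplemented e) {
+throw new NotImplemented("4866","Can't determine if the client has the permission to update the system metacat of the object with id "+pid.getValue()+" since "+e.getDescription());
+} catch(InvalidRequest e) {
+throw new InvalidRequest("4869", "Can't determine if the client has the permission to update the system metacat of the object with id "+pid.getValue()+" since "+e.getDescription());
+} catch(InvalidToken e) {
+throw new InvalidToken("4957", "Can't determine if the client has the permission to update the system metacat of the object with id "+pid.getValue()+" since "+e.getDescription());
 }
 
 }
@@ -2680,7 +2706,7 @@
 * 2. If it is not a cn object, the client should have approperate permission and it should also happen on the authorative node.
 * 3. If it's the authoritative node, the MN Admin Subject is allowed.
 */
-private boolean allowUpdating(Session session, Identifier pid, Permission permission) throws NotAuthorized, NotFound, InvalidRequest {
+private boolean allowUpdating(Session session, Identifier pid, Permission permission) throws NotAuthorized, NotFound, InvalidRequest, ServiceFailure, NotImplemented, InvalidToken {
 boolean allow = false;
 
 if( isCNAdmin (session) ) {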
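Review bot: The new catch blocks around both `allowUpdating` calls build a fresh exception from `e.getDescription()` alone, so the original exception and its stack trace are lost on the server. The upstream description, which may now come from the Coordinating Node lookup, is also copied verbatim into the client-facing message. Logging the caught exception before each `throw` keeps the evidence for investigating a failed authorization, for example `logMetacat.error("Can't determine update permission for " + pid.getValue(), e);`. That logger name is taken from D1NodeService, so confirm it is in scope here, and consider returning a generic reason to the caller. The `NotImplemented` message in the first block reads "update he object", and the added `org.apache.commons.lang.NotImplementedException` import is not used in any visible hunk. Both enclosing methods start and end outside the hunks.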
Add the code to expand the rights holder if it is a group.