start implementation of a new security system to allow global permissions for repositories

2025-11-13 17:05:43 +01:00 · 2013-04-14 15:13:27 +02:00
parent a3751853f5
commit 24ee483562
10 changed files with 725 additions and 8 deletions
--- a/scm-webapp/src/main/java/sonia/scm/ScmServletModule.java
+++ b/scm-webapp/src/main/java/sonia/scm/ScmServletModule.java
@@ -143,6 +143,8 @@ import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
 import sonia.scm.cache.GuavaCacheManager;
+import sonia.scm.security.DefaultSecuritySystem;
+import sonia.scm.security.SecuritySystem;

 /**
 *
@@ -271,6 +273,7 @@ public class ScmServletModule extends ServletModule
    bind(AuthenticationManager.class, ChainAuthenticatonManager.class);
    bind(SecurityContext.class).to(BasicSecurityContext.class);
    bind(WebSecurityContext.class).to(BasicSecurityContext.class);
+    bind(SecuritySystem.class).to(DefaultSecuritySystem.class);
    bind(AdministrationContext.class, DefaultAdministrationContext.class);

    // bind cache
--- a/scm-webapp/src/main/java/sonia/scm/security/DefaultSecuritySystem.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/DefaultSecuritySystem.java
@@ -0,0 +1,132 @@
+/**
+ * Copyright (c) 2010, Sebastian Sdorra All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer. 2. Redistributions in
+ * binary form must reproduce the above copyright notice, this list of
+ * conditions and the following disclaimer in the documentation and/or other
+ * materials provided with the distribution. 3. Neither the name of SCM-Manager;
+ * nor the names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+ * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * http://bitbucket.org/sdorra/scm-manager
+ *
+ */
+
+
+
+package sonia.scm.security;
+
+//~--- non-JDK imports --------------------------------------------------------
+
+import com.google.inject.Inject;
+import com.google.inject.Singleton;
+
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.PrincipalCollection;
+
+import sonia.scm.event.ScmEventBus;
+import sonia.scm.store.Store;
+import sonia.scm.store.StoreFactory;
+
+/**
+ *
+ * @author Sebastian Sdorra
+ * @since 1.31
+ */
+@Singleton
+public class DefaultSecuritySystem implements SecuritySystem
+{
+
+  /** Field description */
+  private static final String NAME = "security";
+
+  //~--- constructors ---------------------------------------------------------
+
+  /**
+   * Constructs ...
+   *
+   *
+   * @param storeFactory
+   */
+  @Inject
+  public DefaultSecuritySystem(StoreFactory storeFactory)
+  {
+    store = storeFactory.getStore(SecurityConfiguration.class, NAME);
+  }
+
+  //~--- get methods ----------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   *
+   * @return
+   */
+  @Override
+  public SecurityConfiguration getConfiguration()
+  {
+    SecurityConfiguration configuration = store.get();
+
+    if (configuration == null)
+    {
+      configuration = new SecurityConfiguration();
+    }
+
+    return configuration;
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @return
+   */
+  @Override
+  public PrincipalCollection getSystemAccount()
+  {
+    throw new UnsupportedOperationException("Not supported yet.");    // To change body of generated methods, choose Tools | Templates.
+  }
+
+  //~--- set methods ----------------------------------------------------------
+
+  /**
+   * Method description
+   *
+   *
+   * @param newConfiguration
+   */
+  @Override
+  public void setConfiguration(SecurityConfiguration newConfiguration)
+  {
+    SecurityUtils.getSubject().checkRole(Role.ADMIN);
+
+    SecurityConfiguration oldConfiguration = store.get();
+
+    store.set(newConfiguration);
+    //J-
+    ScmEventBus.getInstance().post(
+      new SecurityConfigurationChangedEvent(oldConfiguration, newConfiguration)
+    );
+    //J+
+  }
+
+  //~--- fields ---------------------------------------------------------------
+
+  /** Field description */
+  private Store<SecurityConfiguration> store;
+}
--- a/scm-webapp/src/main/java/sonia/scm/security/ScmRealm.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/ScmRealm.java
@@ -74,6 +74,7 @@ import sonia.scm.repository.PermissionType;
 import sonia.scm.repository.Repository;
 import sonia.scm.repository.RepositoryDAO;
 import sonia.scm.repository.RepositoryEvent;
+import sonia.scm.repository.RepositoryManager;
 import sonia.scm.user.User;
 import sonia.scm.user.UserDAO;
 import sonia.scm.user.UserEvent;
@@ -95,7 +96,6 @@ import java.util.Set;

 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import sonia.scm.repository.RepositoryManager;

 /**
 *
@@ -128,25 +128,28 @@ public class ScmRealm extends AuthorizingRealm
   *
   *
   * @param configuration
+   * @param securitySystem
   * @param cacheManager
   * @param userManager
   * @param groupManager
   * @param repositoryDAO
   * @param userDAO
   * @param authenticator
+   * @param manager
   * @param requestProvider
   * @param responseProvider
   */
  @Inject
-  public ScmRealm(ScmConfiguration configuration, CacheManager cacheManager,
+  public ScmRealm(ScmConfiguration configuration,
+    SecuritySystem securitySystem, CacheManager cacheManager,
    UserManager userManager, GroupManager groupManager,
    RepositoryDAO repositoryDAO, UserDAO userDAO,
-    AuthenticationManager authenticator,
-    RepositoryManager manager,
+    AuthenticationManager authenticator, RepositoryManager manager,
    Provider<HttpServletRequest> requestProvider,
    Provider<HttpServletResponse> responseProvider)
  {
    this.configuration = configuration;
+    this.securitySystem = securitySystem;
    this.userManager = userManager;
    this.groupManager = groupManager;
    this.repositoryDAO = repositoryDAO;
@@ -194,6 +197,23 @@ public class ScmRealm extends AuthorizingRealm
    }
  }

+  /**
+   * Method description
+   *
+   *
+   * @param event
+   */
+  @Subscribe
+  public void onEvent(SecurityConfigurationChangedEvent event)
+  {
+    if (logger.isDebugEnabled())
+    {
+      logger.debug("clear cache, because security configuration has changed");
+    }
+
+    cache.clear();
+  }
+
  /**
   * Method description
   *
@@ -474,6 +494,44 @@ public class ScmRealm extends AuthorizingRealm
    }
  }

+  /**
+   * Method description
+   *
+   *
+   * @param user
+   * @param groups
+   *
+   * @return
+   */
+  private List<String> collectGlobalPermissions(User user, GroupNames groups)
+  {
+    if (logger.isTraceEnabled())
+    {
+      logger.trace("collect global permissions for user {}", user.getName());
+    }
+
+    List<String> permissions = Lists.newArrayList();
+
+    List<GlobalPermission> globalPermissions =
+      securitySystem.getConfiguration().getGlobalPermissions();
+
+    for (GlobalPermission gp : globalPermissions)
+    {
+      if (isUserPermission(user, groups, gp))
+      {
+        if (logger.isTraceEnabled())
+        {
+          logger.trace("add permission {} for user {}", gp.getPermission(),
+            user.getName());
+        }
+
+        permissions.add(gp.getPermission());
+      }
+    }
+
+    return permissions;
+  }
+
  /**
   * Method description
   *
@@ -585,7 +643,8 @@ public class ScmRealm extends AuthorizingRealm
    GroupNames groups)
  {
    Set<String> roles = Sets.newHashSet();
-    List<org.apache.shiro.authz.Permission> permissions = null;
+    List<org.apache.shiro.authz.Permission> permissions;
+    List<String> globalPermissions = null;

    roles.add(Role.USER);

@@ -604,12 +663,18 @@ public class ScmRealm extends AuthorizingRealm
    else
    {
      permissions = collectRepositoryPermissions(user, groups);
+      globalPermissions = collectGlobalPermissions(user, groups);
    }

    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles);

    info.addObjectPermissions(permissions);

+    if (globalPermissions != null)
+    {
+      info.addStringPermissions(globalPermissions);
+    }
+
    return info;
  }

@@ -734,7 +799,7 @@ public class ScmRealm extends AuthorizingRealm
   * @return
   */
  private boolean isUserPermission(User user, GroupNames groups,
-    Permission perm)
+    PermissionObject perm)
  {
    //J-
    return (perm.isGroupPermission() && groups.contains(perm.getName())) 
@@ -765,6 +830,9 @@ public class ScmRealm extends AuthorizingRealm
  /** Field description */
  private Provider<HttpServletResponse> responseProvider;

+  /** Field description */
+  private SecuritySystem securitySystem;
+
  /** Field description */
  private UserDAO userDAO;