start implementation of a new security system to allow global permissions for repositories

2025-11-10 15:35:49 +01:00 · 2013-04-14 15:13:27 +02:00
parent a3751853f5
commit 24ee483562
10 changed files with 725 additions and 8 deletions
--- a/scm-webapp/src/main/java/sonia/scm/security/ScmRealm.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/ScmRealm.java
@@ -74,6 +74,7 @@ import sonia.scm.repository.PermissionType;
 import sonia.scm.repository.Repository;
 import sonia.scm.repository.RepositoryDAO;
 import sonia.scm.repository.RepositoryEvent;
+import sonia.scm.repository.RepositoryManager;
 import sonia.scm.user.User;
 import sonia.scm.user.UserDAO;
 import sonia.scm.user.UserEvent;
@@ -95,7 +96,6 @@ import java.util.Set;

 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import sonia.scm.repository.RepositoryManager;

 /**
 *
@@ -128,25 +128,28 @@ public class ScmRealm extends AuthorizingRealm
   *
   *
   * @param configuration
+   * @param securitySystem
   * @param cacheManager
   * @param userManager
   * @param groupManager
   * @param repositoryDAO
   * @param userDAO
   * @param authenticator
+   * @param manager
   * @param requestProvider
   * @param responseProvider
   */
  @Inject
-  public ScmRealm(ScmConfiguration configuration, CacheManager cacheManager,
+  public ScmRealm(ScmConfiguration configuration,
+    SecuritySystem securitySystem, CacheManager cacheManager,
    UserManager userManager, GroupManager groupManager,
    RepositoryDAO repositoryDAO, UserDAO userDAO,
-    AuthenticationManager authenticator,
-    RepositoryManager manager,
+    AuthenticationManager authenticator, RepositoryManager manager,
    Provider<HttpServletRequest> requestProvider,
    Provider<HttpServletResponse> responseProvider)
  {
    this.configuration = configuration;
+    this.securitySystem = securitySystem;
    this.userManager = userManager;
    this.groupManager = groupManager;
    this.repositoryDAO = repositoryDAO;
@@ -194,6 +197,23 @@ public class ScmRealm extends AuthorizingRealm
    }
  }

+  /**
+   * Method description
+   *
+   *
+   * @param event
+   */
+  @Subscribe
+  public void onEvent(SecurityConfigurationChangedEvent event)
+  {
+    if (logger.isDebugEnabled())
+    {
+      logger.debug("clear cache, because security configuration has changed");
+    }
+
+    cache.clear();
+  }
+
  /**
   * Method description
   *
@@ -474,6 +494,44 @@ public class ScmRealm extends AuthorizingRealm
    }
  }

+  /**
+   * Method description
+   *
+   *
+   * @param user
+   * @param groups
+   *
+   * @return
+   */
+  private List<String> collectGlobalPermissions(User user, GroupNames groups)
+  {
+    if (logger.isTraceEnabled())
+    {
+      logger.trace("collect global permissions for user {}", user.getName());
+    }
+
+    List<String> permissions = Lists.newArrayList();
+
+    List<GlobalPermission> globalPermissions =
+      securitySystem.getConfiguration().getGlobalPermissions();
+
+    for (GlobalPermission gp : globalPermissions)
+    {
+      if (isUserPermission(user, groups, gp))
+      {
+        if (logger.isTraceEnabled())
+        {
+          logger.trace("add permission {} for user {}", gp.getPermission(),
+            user.getName());
+        }
+
+        permissions.add(gp.getPermission());
+      }
+    }
+
+    return permissions;
+  }
+
  /**
   * Method description
   *
@@ -585,7 +643,8 @@ public class ScmRealm extends AuthorizingRealm
    GroupNames groups)
  {
    Set<String> roles = Sets.newHashSet();
-    List<org.apache.shiro.authz.Permission> permissions = null;
+    List<org.apache.shiro.authz.Permission> permissions;
+    List<String> globalPermissions = null;

    roles.add(Role.USER);

@@ -604,12 +663,18 @@ public class ScmRealm extends AuthorizingRealm
    else
    {
      permissions = collectRepositoryPermissions(user, groups);
+      globalPermissions = collectGlobalPermissions(user, groups);
    }

    SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles);

    info.addObjectPermissions(permissions);

+    if (globalPermissions != null)
+    {
+      info.addStringPermissions(globalPermissions);
+    }
+
    return info;
  }

@@ -734,7 +799,7 @@ public class ScmRealm extends AuthorizingRealm
   * @return
   */
  private boolean isUserPermission(User user, GroupNames groups,
-    Permission perm)
+    PermissionObject perm)
  {
    //J-
    return (perm.isGroupPermission() && groups.contains(perm.getName())) 
@@ -765,6 +830,9 @@ public class ScmRealm extends AuthorizingRealm
  /** Field description */
  private Provider<HttpServletResponse> responseProvider;

+  /** Field description */
+  private SecuritySystem securitySystem;
+
  /** Field description */
  private UserDAO userDAO;