Nemcio/SCM-Manager
1
0
Fork 0
mirror of https://github.com/scm-manager/scm-manager.git synced 2025-11-14 09:25:43 +01:00
Code Issues Packages Projects Releases Activity

start implementation of repository permissions

Browse Source
This commit is contained in:
Sebastian Sdorra
2015-07-09 20:29:07 +02:00
parent 480a188763
commit 6dd765e3be
22 changed files with 730 additions and 701 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
scm-webapp/src/main/java/sonia/scm/ScmServletModule.java
View File

@@ -42,8 +42,6 @@ import com.google.inject.name.Names;
import com.google.inject.servlet.RequestScoped;
import com.google.inject.throwingproviders.ThrowingProviderBinder;
import org.apache.shiro.authz.permission.PermissionResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -86,7 +84,6 @@ import sonia.scm.security.CipherUtil;
import sonia.scm.security.DefaultKeyGenerator;
import sonia.scm.security.DefaultSecuritySystem;
import sonia.scm.security.KeyGenerator;
import sonia.scm.security.RepositoryPermissionResolver;
import sonia.scm.security.SecuritySystem;
import sonia.scm.store.BlobStoreFactory;
import sonia.scm.store.ConfigurationEntryStoreFactory;
@@ -265,7 +262,6 @@ public class ScmServletModule extends JerseyServletModule
pluginLoader.getExtensionProcessor().processAutoBindExtensions(binder());
// bind security stuff
bind(PermissionResolver.class, RepositoryPermissionResolver.class);
bind(SecuritySystem.class).to(DefaultSecuritySystem.class);
bind(AdministrationContext.class, DefaultAdministrationContext.class);

61
scm-webapp/src/main/java/sonia/scm/api/rest/AuthorizationExceptionMapper.java Normal file
View File

@@ -0,0 +1,61 @@
/**
* Copyright (c) 2014, Sebastian Sdorra All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. 2. Redistributions in
* binary form must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution. 3. Neither the name of SCM-Manager;
* nor the names of its contributors may be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.api.rest;
//~--- non-JDK imports --------------------------------------------------------
import org.apache.shiro.authz.AuthorizationException;
//~--- JDK imports ------------------------------------------------------------
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
/**
*
* @author Sebastian Sdorra
* @since 2.0.0
*/
@Provider
public class AuthorizationExceptionMapper
extends StatusExceptionMapper<AuthorizationException>
{
/**
* Constructs ...
*
*/
public AuthorizationExceptionMapper()
{
super(AuthorizationException.class, Response.Status.FORBIDDEN);
}
}

28
scm-webapp/src/main/java/sonia/scm/api/rest/resources/AbstractManagerResource.java
View File

@@ -36,6 +36,7 @@ package sonia.scm.api.rest.resources;
//~--- non-JDK imports --------------------------------------------------------
import org.apache.commons.beanutils.BeanComparator;
import org.apache.shiro.authz.AuthorizationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -44,7 +45,6 @@ import sonia.scm.LastModifiedAware;
import sonia.scm.Manager;
import sonia.scm.ModelObject;
import sonia.scm.api.rest.RestExceptionResult;
import sonia.scm.security.ScmSecurityException;
import sonia.scm.util.AssertUtil;
import sonia.scm.util.HttpUtil;
import sonia.scm.util.Util;
@@ -71,7 +71,7 @@ import javax.ws.rs.core.UriInfo;
* @param <E>
*/
public abstract class AbstractManagerResource<T extends ModelObject,
E extends Exception>
E extends Exception>
{
/** the logger for AbstractManagerResource */
@@ -102,7 +102,7 @@ public abstract class AbstractManagerResource<T extends ModelObject,
* @return
*/
protected abstract GenericEntity<Collection<T>> createGenericEntity(
Collection<T> items);
Collection<T> items);
//~--- get methods ----------------------------------------------------------
@@ -140,7 +140,7 @@ public abstract class AbstractManagerResource<T extends ModelObject,
{
preCreate(item);
Response response = null;
Response response;
try
{
@@ -153,7 +153,7 @@ public abstract class AbstractManagerResource<T extends ModelObject,
uriInfo.getAbsolutePath().resolve(
getPathPart().concat("/").concat(id))).build();
}
catch (ScmSecurityException ex)
catch (AuthorizationException ex)
{
logger.warn("create is not allowd", ex);
response = Response.status(Status.FORBIDDEN).build();
@@ -189,7 +189,7 @@ public abstract class AbstractManagerResource<T extends ModelObject,
manager.delete(item);
response = Response.noContent().build();
}
catch (ScmSecurityException ex)
catch (AuthorizationException ex)
{
logger.warn("delete not allowd", ex);
response = Response.status(Response.Status.FORBIDDEN).build();
@@ -228,7 +228,7 @@ public abstract class AbstractManagerResource<T extends ModelObject,
manager.modify(item);
response = Response.noContent().build();
}
catch (ScmSecurityException ex)
catch (AuthorizationException ex)
{
logger.warn("update not allowd", ex);
response = Response.status(Response.Status.FORBIDDEN).build();
@@ -293,7 +293,7 @@ public abstract class AbstractManagerResource<T extends ModelObject,
* @return
*/
public Response getAll(Request request, int start, int limit, String sortby,
boolean desc)
boolean desc)
{
Collection<T> items = fetchItems(sortby, desc, start, limit);
@@ -376,7 +376,7 @@ public abstract class AbstractManagerResource<T extends ModelObject,
protected Response createErrorResonse(Throwable throwable)
{
return createErrorResonse(Status.INTERNAL_SERVER_ERROR,
throwable.getMessage(), throwable);
throwable.getMessage(), throwable);
}
/**
@@ -404,10 +404,10 @@ public abstract class AbstractManagerResource<T extends ModelObject,
* @return
*/
protected Response createErrorResonse(Status status, String message,
Throwable throwable)
Throwable throwable)
{
return Response.status(status).entity(new RestExceptionResult(message,
throwable)).build();
throwable)).build();
}
/**
@@ -486,7 +486,7 @@ public abstract class AbstractManagerResource<T extends ModelObject,
* @return
*/
private <I> Response createCacheResponse(Request request,
LastModifiedAware timeItem, I item)
LastModifiedAware timeItem, I item)
{
return createCacheResponse(request, timeItem, item, item);
}
@@ -504,7 +504,7 @@ public abstract class AbstractManagerResource<T extends ModelObject,
* @return
*/
private <I> Response createCacheResponse(Request request,
LastModifiedAware timeItem, Object entityItem, I item)
LastModifiedAware timeItem, Object entityItem, I item)
{
Response.ResponseBuilder builder = null;
Date lastModified = getLastModified(timeItem);
@@ -568,7 +568,7 @@ public abstract class AbstractManagerResource<T extends ModelObject,
* @return
*/
private Collection<T> fetchItems(String sortby, boolean desc, int start,
int limit)
int limit)
{
AssertUtil.assertPositive(start);

64
scm-webapp/src/main/java/sonia/scm/api/rest/resources/RepositoryResource.java
View File

@@ -55,7 +55,6 @@ import sonia.scm.repository.Changeset;
import sonia.scm.repository.ChangesetPagingResult;
import sonia.scm.repository.HealthChecker;
import sonia.scm.repository.Permission;
import sonia.scm.repository.PermissionType;
import sonia.scm.repository.Repository;
import sonia.scm.repository.RepositoryException;
import sonia.scm.repository.RepositoryIsNotArchivedException;
@@ -71,8 +70,6 @@ import sonia.scm.repository.api.DiffFormat;
import sonia.scm.repository.api.LogCommandBuilder;
import sonia.scm.repository.api.RepositoryService;
import sonia.scm.repository.api.RepositoryServiceFactory;
import sonia.scm.security.RepositoryPermission;
import sonia.scm.security.ScmSecurityException;
import sonia.scm.util.AssertUtil;
import sonia.scm.util.HttpUtil;
import sonia.scm.util.IOUtil;
@@ -103,6 +100,7 @@ import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import javax.ws.rs.core.StreamingOutput;
import javax.ws.rs.core.UriInfo;
import org.apache.shiro.authz.AuthorizationException;
/**
*
@@ -196,7 +194,7 @@ public class RepositoryResource
@Override
public Response delete(@PathParam("id") String id)
{
Response response = null;
Response response;
Repository repository = manager.get(id);
if (repository != null)
@@ -213,12 +211,12 @@ public class RepositoryResource
logger.warn("non archived repository could not be deleted", ex);
response = Response.status(Response.Status.PRECONDITION_FAILED).build();
}
catch (ScmSecurityException ex)
catch (AuthorizationException ex)
{
logger.warn("delete not allowed", ex);
response = Response.status(Response.Status.FORBIDDEN).build();
}
catch (Exception ex)
catch (RepositoryException | IOException ex)
{
logger.error("error during create", ex);
response = createErrorResonse(ex);
@@ -263,12 +261,7 @@ public class RepositoryResource
logger.warn("could not find repository ".concat(id), ex);
response = Response.status(Status.NOT_FOUND).build();
}
catch (RepositoryException ex)
{
logger.error("error occured during health check", ex);
response = Response.serverError().build();
}
catch (IOException ex)
catch (RepositoryException | IOException ex)
{
logger.error("error occured during health check", ex);
response = Response.serverError().build();
@@ -610,7 +603,7 @@ public class RepositoryResource
public Response getByTypeAndName(@PathParam("type") String type,
@PathParam("name") String name)
{
Response response = null;
Response response;
Repository repository = repositoryManager.get(type, name);
if (repository != null)
@@ -690,11 +683,7 @@ public class RepositoryResource
}
else
{
if (logger.isWarnEnabled())
{
logger.warn("id or revision is empty");
}
logger.warn("id or revision is empty");
response = Response.status(Status.BAD_REQUEST).build();
}
@@ -745,7 +734,7 @@ public class RepositoryResource
try
{
ChangesetPagingResult changesets = null;
ChangesetPagingResult changesets;
service = servicefactory.create(id);
@@ -819,9 +808,9 @@ public class RepositoryResource
public Response getContent(@PathParam("id") String id,
@QueryParam("revision") String revision, @QueryParam("path") String path)
{
Response response = null;
StreamingOutput output = null;
RepositoryService service = null;
Response response;
StreamingOutput output;
RepositoryService service;
try
{
@@ -905,8 +894,8 @@ public class RepositoryResource
*/
HttpUtil.checkForCRLFInjection(revision);
RepositoryService service = null;
Response response = null;
RepositoryService service;
Response response;
try
{
@@ -1062,7 +1051,8 @@ public class RepositoryResource
@Override
protected Repository prepareForReturn(Repository repository)
{
if (isOwner(repository))
if (SecurityUtils.getSubject().isPermitted(
"repository:modify:".concat(repository.getId())))
{
if (repository.getPermissions() == null)
{
@@ -1071,11 +1061,8 @@ public class RepositoryResource
}
else
{
if (logger.isTraceEnabled())
{
logger.trace("remove properties and permissions from repository, "
+ "because the user is not privileged");
}
logger.trace("remove properties and permissions from repository, "
+ "because the user is not privileged");
repository.setProperties(null);
repository.setPermissions(null);
@@ -1147,22 +1134,7 @@ public class RepositoryResource
return getContentDispositionName(name);
}
/**
* Method description
*
*
* @param repository
*
* @return
*/
private boolean isOwner(Repository repository)
{
return SecurityUtils.getSubject().isPermitted(
new RepositoryPermission(repository, PermissionType.OWNER));
}
//~--- fields ---------------------------------------------------------------
/** Field description */

130
scm-webapp/src/main/java/sonia/scm/repository/DefaultRepositoryManager.java
View File

@@ -41,9 +41,7 @@ import com.google.common.util.concurrent.ThreadFactoryBuilder;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.concurrent.SubjectAwareExecutorService;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -55,7 +53,7 @@ import sonia.scm.SCMContextProvider;
import sonia.scm.Type;
import sonia.scm.config.ScmConfiguration;
import sonia.scm.security.KeyGenerator;
import sonia.scm.security.ScmSecurityException;
import sonia.scm.security.PermissionActionCheck;
import sonia.scm.util.AssertUtil;
import sonia.scm.util.CollectionAppender;
import sonia.scm.util.HttpUtil;
@@ -81,6 +79,7 @@ import java.util.concurrent.ThreadFactory;
import javax.servlet.http.HttpServletRequest;
/**
* Default implementation of {@link RepositoryManager}.
*
* @author Sebastian Sdorra
*/
@@ -123,8 +122,8 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
);
//J+
handlerMap = new HashMap<String, RepositoryHandler>();
types = new HashSet<Type>();
handlerMap = new HashMap<>();
types = new HashSet<>();
for (RepositoryHandler handler : handlerSet)
{
@@ -156,21 +155,18 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
*
*
* @param repository
* @param createRepository
* @param initRepository
*
* @throws IOException
* @throws RepositoryException
*/
public void create(Repository repository, boolean createRepository)
public void create(Repository repository, boolean initRepository)
throws RepositoryException, IOException
{
if (logger.isInfoEnabled())
{
logger.info("create repository {} of type {}", repository.getName(),
repository.getType());
}
logger.info("create repository {} of type {}", repository.getName(),
repository.getType());
assertIsAdmin();
RepositoryPermissions.create().check();
AssertUtil.assertIsValid(repository);
if (repositoryDAO.contains(repository))
@@ -181,7 +177,7 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
repository.setId(keyGenerator.createKey());
repository.setCreationDate(System.currentTimeMillis());
if (createRepository)
if (initRepository)
{
getHandler(repository).create(repository);
}
@@ -226,7 +222,7 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
repository.getType());
}
assertIsOwner(repository);
RepositoryPermissions.delete(repository).check();
if (configuration.isEnableRepositoryArchive() &&!repository.isArchived())
{
@@ -299,7 +295,7 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
if (oldRepository != null)
{
assertIsOwner(oldRepository);
RepositoryPermissions.modify(oldRepository).check();
fireEvent(HandlerEventType.BEFORE_MODIFY, repository, oldRepository);
repository.setLastModified(System.currentTimeMillis());
getHandler(repository).modify(repository);
@@ -327,7 +323,7 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
throws RepositoryException, IOException
{
AssertUtil.assertIsNotNull(repository);
assertIsReader(repository);
RepositoryPermissions.read(repository).check();
Repository fresh = repositoryDAO.get(repository.getType(),
repository.getName());
@@ -358,11 +354,12 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
{
AssertUtil.assertIsNotEmpty(id);
RepositoryPermissions.read(id).check();
Repository repository = repositoryDAO.get(id);
if (repository != null)
{
assertIsReader(repository);
repository = repository.clone();
}
@@ -388,14 +385,8 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
if (repository != null)
{
if (isReader(repository))
{
repository = repository.clone();
}
else
{
throw new ScmSecurityException("not enaugh permissions");
}
RepositoryPermissions.read(repository).check();
repository = repository.clone();
}
return repository;
@@ -414,9 +405,12 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
{
List<Repository> repositories = Lists.newArrayList();
PermissionActionCheck<Repository> check = RepositoryPermissions.read();
for (Repository repository : repositoryDAO.getAll())
{
if (handlerMap.containsKey(repository.getType()) && isReader(repository))
if (handlerMap.containsKey(repository.getType())
&& check.isPermitted(repository))
{
Repository r = repository.clone();
@@ -459,13 +453,19 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
public Collection<Repository> getAll(Comparator<Repository> comparator,
int start, int limit)
{
final PermissionActionCheck<Repository> check =
RepositoryPermissions.read();
return Util.createSubCollection(repositoryDAO.getAll(), comparator,
new CollectionAppender<Repository>()
{
@Override
public void append(Collection<Repository> collection, Repository item)
{
collection.add(item.clone());
if (check.isPermitted(item))
{
collection.add(item.clone());
}
}
}, start, limit);
}
@@ -554,11 +554,13 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
{
Collection<Repository> repositories = repositoryDAO.getAll();
PermissionActionCheck<Repository> check = RepositoryPermissions.read();
for (Repository r : repositories)
{
if (type.equals(r.getType()) && isNameMatching(r, uri))
{
assertIsReader(r);
check.check(r);
repository = r.clone();
break;
@@ -681,49 +683,6 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
types.add(type);
}
/**
* Method description
*
*/
private void assertIsAdmin()
{
if (!SecurityUtils.getSubject().hasRole("admin"))
{
throw new ScmSecurityException("admin role is required");
}
}
/**
* TODO use {@link Subject#checkPermission(org.apache.shiro.authz.Permission)}
* in version 2.x.
*
*
* @param repository
*/
private void assertIsOwner(Repository repository)
{
if (!isPermitted(repository, PermissionType.OWNER))
{
throw new ScmSecurityException(
"owner permission is required, access denied");
}
}
/**
* TODO use {@link Subject#checkPermission(org.apache.shiro.authz.Permission)}
* in version 2.x.
*
* @param repository
*/
private void assertIsReader(Repository repository)
{
if (!isReader(repository))
{
throw new ScmSecurityException(
"reader permission is required, access denied");
}
}
//~--- get methods ----------------------------------------------------------
/**
@@ -780,33 +739,6 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
return result;
}
/**
* Method description
*
*
* @param repository
* @param type
*
* @return
*/
private boolean isPermitted(Repository repository, PermissionType type)
{
return PermissionUtil.hasPermission(configuration, repository, type);
}
/**
* Method description
*
*
* @param repository
*
* @return
*/
private boolean isReader(Repository repository)
{
return isPermitted(repository, PermissionType.READ);
}
//~--- fields ---------------------------------------------------------------
/** Field description */

4
scm-webapp/src/main/java/sonia/scm/repository/DefaultRepositoryProvider.java
View File

@@ -111,8 +111,8 @@ public class DefaultRepositoryProvider implements RepositoryProvider
//~--- fields ---------------------------------------------------------------
/** Field description */
private RepositoryManager manager;
private final RepositoryManager manager;
/** Field description */
private Provider<HttpServletRequest> requestProvider;
private final Provider<HttpServletRequest> requestProvider;
}

75
scm-webapp/src/main/java/sonia/scm/repository/HealthChecker.java
View File

@@ -36,18 +36,14 @@ package sonia.scm.repository;
import com.google.common.collect.ImmutableList;
import com.google.inject.Inject;
import org.apache.shiro.SecurityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sonia.scm.security.Role;
//~--- JDK imports ------------------------------------------------------------
import java.io.IOException;
import java.util.Set;
import sonia.scm.security.PermissionActionCheck;
/**
*
@@ -95,7 +91,7 @@ public final class HealthChecker
public void check(String id)
throws RepositoryNotFoundException, RepositoryException, IOException
{
SecurityUtils.getSubject().checkRole(Role.ADMIN);
RepositoryPermissions.healthCheck(id);
Repository repository = repositoryManager.get(id);
@@ -105,7 +101,7 @@ public final class HealthChecker
"could not find repository with id ".concat(id));
}
check(repository);
doCheck(repository);
}
/**
@@ -119,9 +115,49 @@ public final class HealthChecker
*/
public void check(Repository repository)
throws RepositoryException, IOException
{
RepositoryPermissions.healthCheck(repository);
doCheck(repository);
}
/**
* Method description
*
*
*/
public void checkAll()
{
logger.debug("check health of all repositories");
PermissionActionCheck<Repository> check = RepositoryPermissions.healthCheck();
for (Repository repository : repositoryManager.getAll())
{
if (check.isPermitted(repository))
{
try
{
check(repository);
}
catch (RepositoryException | IOException ex)
{
logger.error("health check ends with exception", ex);
}
}
else
{
logger.debug(
"no permissions to execute health check for repository {}",
repository.getId());
}
}
}
private void doCheck(Repository repository)
throws RepositoryException, IOException
{
logger.info("start health check for repository {}", repository.getName());
SecurityUtils.getSubject().checkRole(Role.ADMIN);
HealthCheckResult result = HealthCheckResult.healthy();
@@ -152,29 +188,6 @@ public final class HealthChecker
}
}
/**
* Method description
*
*
*/
public void checkAll()
{
logger.debug("check health of all repositories");
SecurityUtils.getSubject().checkRole(Role.ADMIN);
for (Repository repository : repositoryManager.getAll())
{
try
{
check(repository);
}
catch (Exception ex)
{
logger.error("health check ends with exception", ex);
}
}
}
//~--- fields ---------------------------------------------------------------
/** Field description */

6
scm-webapp/src/main/java/sonia/scm/repository/LastModifiedUpdateListener.java
View File

@@ -154,11 +154,7 @@ public final class LastModifiedUpdateListener
{
repositoryManager.modify(dbr);
}
catch (RepositoryException ex)
{
logger.error("could not modify repository", ex);
}
catch (IOException ex)
catch (RepositoryException | IOException ex)
{
logger.error("could not modify repository", ex);
}

65
scm-webapp/src/main/java/sonia/scm/security/DefaultAuthorizationCollector.java
View File

@@ -47,9 +47,7 @@ import com.google.inject.Singleton;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.PermissionResolver;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
@@ -61,7 +59,6 @@ import sonia.scm.cache.CacheManager;
import sonia.scm.group.GroupEvent;
import sonia.scm.group.GroupNames;
import sonia.scm.plugin.Extension;
import sonia.scm.repository.PermissionType;
import sonia.scm.repository.Repository;
import sonia.scm.repository.RepositoryDAO;
import sonia.scm.repository.RepositoryEvent;
@@ -83,6 +80,9 @@ import java.util.Set;
public class DefaultAuthorizationCollector implements AuthorizationCollector
{
/** Field description */
private static final String ADMIN_PERMISSION = "*";
/** Field description */
private static final String CACHE_NAME = "sonia.cache.authorizing";
@@ -102,17 +102,14 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
* @param cacheManager
* @param repositoryDAO
* @param securitySystem
* @param resolver
*/
@Inject
public DefaultAuthorizationCollector(CacheManager cacheManager,
RepositoryDAO repositoryDAO, SecuritySystem securitySystem,
PermissionResolver resolver)
RepositoryDAO repositoryDAO, SecuritySystem securitySystem)
{
this.cache = cacheManager.getCache(CACHE_NAME);
this.repositoryDAO = repositoryDAO;
this.securitySystem = securitySystem;
this.resolver = resolver;
}
//~--- methods --------------------------------------------------------------
@@ -271,7 +268,7 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
return info;
}
private void collectGlobalPermissions(Builder<Permission> builder,
private void collectGlobalPermissions(Builder<String> builder,
final User user, final GroupNames groups)
{
if (logger.isTraceEnabled())
@@ -292,23 +289,15 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
for (StoredAssignedPermission gp : globalPermissions)
{
if (logger.isTraceEnabled())
{
logger.trace("add permission {} for user {}", gp.getPermission(),
user.getName());
}
String permission = gp.getPermission();
Permission permission = resolver.resolvePermission(gp.getPermission());
if (permission != null)
{
builder.add(permission);
}
logger.trace("add permission {} for user {}", permission, user.getName());
builder.add(permission);
}
}
private void collectRepositoryPermissions(Builder<Permission> builder,
User user, GroupNames groups)
private void collectRepositoryPermissions(Builder<String> builder, User user,
GroupNames groups)
{
for (Repository repository : repositoryDAO.getAll())
{
@@ -322,7 +311,7 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
}
}
private void collectRepositoryPermissions(Builder<Permission> builder,
private void collectRepositoryPermissions(Builder<String> builder,
Repository repository, User user, GroupNames groups)
{
List<sonia.scm.repository.Permission> repositoryPermissions =
@@ -335,16 +324,14 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
{
if (isUserPermission(user, groups, permission))
{
RepositoryPermission rp = new RepositoryPermission(repository,
permission.getType());
if (logger.isTraceEnabled())
{
logger.trace("add repository permission {} for user {}", rp,
user.getName());
}
String perm = permission.getType().getPermissionPrefix().concat(
repository.getId());
builder.add(rp);
logger.trace("add repository permission {} for user {}", perm,
user.getName());
builder.add(perm);
}
}
}
@@ -359,7 +346,7 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
GroupNames groups)
{
Set<String> roles;
Set<Permission> permissions;
Set<String> permissions;
if (user.isAdmin())
{
@@ -370,20 +357,13 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
roles = ImmutableSet.of(Role.USER, Role.ADMIN);
//J-
Permission adminPermission = new RepositoryPermission(
RepositoryPermission.WILDCARD,
PermissionType.OWNER
);
//J+
permissions = ImmutableSet.of(adminPermission);
permissions = ImmutableSet.of(ADMIN_PERMISSION);
}
else
{
roles = ImmutableSet.of(Role.USER);
Builder<Permission> builder = ImmutableSet.builder();
Builder<String> builder = ImmutableSet.builder();
collectGlobalPermissions(builder, user, groups);
collectRepositoryPermissions(builder, user, groups);
@@ -392,7 +372,7 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles);
info.addObjectPermissions(permissions);
info.addStringPermissions(permissions);
return info;
}
@@ -472,9 +452,6 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
/** repository dao */
private final RepositoryDAO repositoryDAO;
/** permission resolver */
private final PermissionResolver resolver;
/** security system */
private final SecuritySystem securitySystem;
}

157
scm-webapp/src/main/java/sonia/scm/security/RepositoryPermissionResolver.java
View File

@@ -1,157 +0,0 @@
/**
* Copyright (c) 2010, Sebastian Sdorra
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. Neither the name of SCM-Manager; nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.security;
//~--- non-JDK imports --------------------------------------------------------
import com.google.common.base.Splitter;
import com.google.common.base.Strings;
import org.apache.shiro.authz.permission.PermissionResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sonia.scm.repository.PermissionType;
//~--- JDK imports ------------------------------------------------------------
import java.util.Iterator;
import java.util.Locale;
/**
*
* @author Sebastian Sdorra
*/
public class RepositoryPermissionResolver implements PermissionResolver
{
/**
* the logger for RepositoryPermissionResolver
*/
private static final Logger logger =
LoggerFactory.getLogger(RepositoryPermissionResolver.class);
//~--- methods --------------------------------------------------------------
/**
* Method description
*
*
* @param permissionString
*
* @return
*/
@Override
public RepositoryPermission resolvePermission(String permissionString)
{
RepositoryPermission permission = null;
if (!Strings.isNullOrEmpty(permissionString))
{
Iterator<String> permissionIt =
Splitter.on(':').omitEmptyStrings().trimResults().split(
permissionString).iterator();
if (permissionIt.hasNext())
{
String type = permissionIt.next();
if (type.equals(RepositoryPermission.TYPE))
{
permission = createRepositoryPermission(permissionIt);
}
else if (logger.isWarnEnabled())
{
logger.warn("permission '{}' is not a repository permission",
permissionString);
}
}
}
else
{
logger.warn(
"permision string is empty, could not resolve empty permission");
}
return permission;
}
/**
* Method description
*
*
* @param permissionIt
*
* @return
*/
private RepositoryPermission createRepositoryPermission(
Iterator<String> permissionIt)
{
RepositoryPermission permission = null;
if (permissionIt.hasNext())
{
String repositoryId = permissionIt.next();
if (permissionIt.hasNext())
{
try
{
String typeString = permissionIt.next();
typeString = typeString.trim().toUpperCase(Locale.ENGLISH);
PermissionType type = PermissionType.valueOf(typeString);
permission = new RepositoryPermission(repositoryId, type);
}
catch (IllegalArgumentException ex)
{
logger.warn("type is not a valid permission type", ex);
}
}
else if (logger.isWarnEnabled())
{
logger.warn("permission type is missing");
}
}
else if (logger.isWarnEnabled())
{
logger.warn("repository id and permission type is missing");
}
return permission;
}
}