Nemcio/SCM-Manager
1
0
Fork 0
mirror of https://github.com/scm-manager/scm-manager.git synced 2025-11-13 17:05:43 +01:00
Code Issues Packages Projects Releases Activity

start implementation of repository permissions

Browse Source
This commit is contained in:
Sebastian Sdorra
2015-07-09 20:29:07 +02:00
parent 480a188763
commit 6dd765e3be
22 changed files with 730 additions and 701 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
scm-core/src/main/java/sonia/scm/ScmStateFactory.java
View File

@@ -34,9 +34,7 @@ package sonia.scm;
//~--- non-JDK imports --------------------------------------------------------
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableList.Builder;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
@@ -47,7 +45,6 @@ import sonia.scm.security.AuthorizationCollector;
import sonia.scm.security.PermissionDescriptor;
import sonia.scm.security.Role;
import sonia.scm.security.SecuritySystem;
import sonia.scm.security.StringablePermission;
import sonia.scm.user.User;
import sonia.scm.user.UserManager;
@@ -144,19 +141,11 @@ public final class ScmStateFactory
ap = securitySystem.getAvailablePermissions();
}
Builder<String> builder = ImmutableList.builder();
List<String> permissions =
ImmutableList.copyOf(
authorizationCollector.collect().getStringPermissions());
for (Permission p : authorizationCollector.collect().getObjectPermissions())
{
if (p instanceof StringablePermission)
{
builder.add(((StringablePermission) p).getAsString());
}
}
return createState(user, groups.getCollection(), token, builder.build(),
ap);
return createState(user, groups.getCollection(), token, permissions, ap);
}
private ScmState createState(User user, Collection<String> groups,
@@ -164,8 +153,10 @@ public final class ScmStateFactory
List<PermissionDescriptor> availablePermissions)
{
User u = user.clone();
// do not return password on authentication
u.setPassword(null);
return new ScmState(contextProvider.getVersion(), u, groups, token,
repositoryManger.getConfiguredTypes(), userManager.getDefaultType(),
new ScmClientConfig(configuration), assignedPermissions,

31
scm-core/src/main/java/sonia/scm/repository/PermissionType.java
View File

@@ -34,7 +34,7 @@
package sonia.scm.repository;
/**
* Type of permission for a {@link Repository}.
* Type of permissionPrefix for a {@link Repository}.
*
* @author Sebastian Sdorra
*/
@@ -42,30 +42,42 @@ public enum PermissionType
{
/** read permision */
READ(0),
READ(0, "repository:read:"),
/** read and write permission */
WRITE(10),
/** read and write permissionPrefix */
WRITE(10, "repository:read,write:"),
/**
* read, write and
* also the ability to manage the properties and permissions
*/
OWNER(100);
OWNER(100, "repository:*:");
/**
* Constructs a new permission type
* Constructs a new permissionPrefix type
*
*
* @param value
*/
private PermissionType(int value)
private PermissionType(int value, String permissionPrefix)
{
this.value = value;
this.permissionPrefix = permissionPrefix;
}
//~--- get methods ----------------------------------------------------------
/**
*
* @return
*
* @since 2.0.0
*/
public String getPermissionPrefix()
{
return permissionPrefix;
}
/**
* Returns the integer representation of the {@link PermissionType}
*
@@ -80,5 +92,8 @@ public enum PermissionType
//~--- fields ---------------------------------------------------------------
/** Field description */
private int value;
private final String permissionPrefix;
/** Field description */
private final int value;
}

151
scm-core/src/main/java/sonia/scm/repository/PermissionUtil.java
View File

@@ -1,151 +0,0 @@
/**
* Copyright (c) 2010, Sebastian Sdorra
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. Neither the name of SCM-Manager; nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.repository;
//~--- non-JDK imports --------------------------------------------------------
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sonia.scm.config.ScmConfiguration;
import sonia.scm.security.RepositoryPermission;
import sonia.scm.security.Role;
import sonia.scm.util.AssertUtil;
/**
*
* @author Sebastian Sdorra
*/
public final class PermissionUtil
{
/**
* the logger for PermissionUtil
*/
private static final Logger logger =
LoggerFactory.getLogger(PermissionUtil.class);
//~--- constructors ---------------------------------------------------------
/**
* Constructs ...
*
*/
private PermissionUtil() {}
//~--- methods --------------------------------------------------------------
/**
* Method description
*
*
* @param configuration
* @param repository
* @param pt
*
* @return
*
* @since 1.21
*/
public static boolean hasPermission(ScmConfiguration configuration,
Repository repository, PermissionType pt)
{
boolean result;
Subject subject = SecurityUtils.getSubject();
if (subject.isAuthenticated() || subject.isRemembered())
{
String username = subject.getPrincipal().toString();
AssertUtil.assertIsNotEmpty(username);
if (subject.hasRole(Role.ADMIN)
|| ((pt == PermissionType.READ) && repository.isPublicReadable()))
{
result = true;
}
else
{
result = subject.isPermitted(new RepositoryPermission(repository, pt));
}
}
else
{
// check anonymous access
result = (configuration != null)
&& configuration.isAnonymousAccessEnabled()
&& repository.isPublicReadable() && (pt == PermissionType.READ);
}
return result;
}
/**
* Returns true if the repository is writable.
*
*
* @param configuration SCM-Manager main configuration
* @param repository repository to check
*
* @return true if the repository is writable
* @since 1.21
*/
public static boolean isWritable(ScmConfiguration configuration,
Repository repository)
{
boolean permitted = false;
if (configuration.isEnableRepositoryArchive() && repository.isArchived())
{
if (logger.isWarnEnabled())
{
logger.warn("{} is archived and is not writeable",
repository.getName());
}
}
else
{
permitted = PermissionUtil.hasPermission(configuration, repository,
PermissionType.WRITE);
}
return permitted;
}
}

285
scm-core/src/main/java/sonia/scm/repository/RepositoryPermissions.java Normal file
View File

@@ -0,0 +1,285 @@
/**
* Copyright (c) 2014, Sebastian Sdorra All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. 2. Redistributions in
* binary form must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution. 3. Neither the name of SCM-Manager;
* nor the names of its contributors may be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.repository;
//~--- non-JDK imports --------------------------------------------------------
import sonia.scm.security.PermissionActionCheck;
import sonia.scm.security.PermissionCheck;
/**
*
* @author Sebastian Sdorra
* @since 2.0.0
*/
public final class RepositoryPermissions
{
/** Field description */
public static final String ACTION_CREATE = "create";
/** Field description */
public static final String ACTION_DELETE = "delete";
/** Field description */
public static final String ACTION_MODIFY = "modify";
/** Field description */
public static final String ACTION_HC = "hc,".concat(ACTION_MODIFY);
/** Field description */
public static final String ACTION_READ = "read";
/** Field description */
public static final String ACTION_WRITE = "write";
/** Field description */
public static final String SEPERATOR = ":";
public static final String SEPERATOR_ACTION = ",";
/** Field description */
public static final String TYPE = "repository";
//~--- constructors ---------------------------------------------------------
private RepositoryPermissions() {}
//~--- methods --------------------------------------------------------------
/**
* Method description
*
*
* @return
*/
public static PermissionCheck create()
{
return check(ACTION_CREATE);
}
/**
* Method description
*
*
* @param r
*
* @return
*/
public static PermissionCheck delete(Repository r)
{
return delete(r.getId());
}
/**
* Method description
*
*
* @param id
*
* @return
*/
public static PermissionCheck delete(String id)
{
return check(ACTION_DELETE.concat(SEPERATOR).concat(id));
}
/**
* Method description
*
*
* @return
*/
public static PermissionActionCheck<Repository> delete()
{
return actionCheck(ACTION_DELETE);
}
/**
* Method description
*
*
* @param id
*
* @return
*/
public static PermissionCheck healthCheck(String id)
{
return check(ACTION_HC.concat(SEPERATOR).concat(id));
}
/**
* Method description
*
*
* @return
*/
public static PermissionActionCheck<Repository> healthCheck()
{
return new PermissionActionCheck<>(
TYPE.concat(SEPERATOR).concat(ACTION_HC));
}
/**
* Method description
*
*
* @param r
*
* @return
*/
public static PermissionCheck healthCheck(Repository r)
{
return healthCheck(r.getId());
}
/**
* Method description
*
*
* @param r
*
* @return
*/
public static PermissionCheck modify(Repository r)
{
return modify(r.getId());
}
/**
* Method description
*
*
* @param id
*
* @return
*/
public static PermissionCheck modify(String id)
{
return check(ACTION_MODIFY.concat(SEPERATOR).concat(id));
}
/**
* Method description
*
*
* @return
*/
public static PermissionActionCheck<Repository> modify()
{
return actionCheck(ACTION_MODIFY);
}
/**
* Method description
*
*
* @param id
*
* @return
*/
public static PermissionCheck read(String id)
{
return check(ACTION_READ.concat(SEPERATOR).concat(id));
}
/**
* Method description
*
*
* @param r
*
* @return
*/
public static PermissionCheck read(Repository r)
{
return read(r.getId());
}
/**
* Method description
*
*
* @return
*/
public static PermissionActionCheck<Repository> read()
{
return actionCheck(ACTION_READ);
}
/**
* Method description
*
*
* @param id
*
* @return
*/
public static PermissionCheck write(String id)
{
return check(ACTION_WRITE.concat(SEPERATOR).concat(id));
}
/**
* Method description
*
*
* @param r
*
* @return
*/
public static PermissionCheck write(Repository r)
{
return write(r.getId());
}
/**
* Method description
*
*
* @return
*/
public static PermissionActionCheck<Repository> write()
{
return actionCheck(ACTION_WRITE);
}
private static PermissionActionCheck<Repository> actionCheck(String action)
{
return new PermissionActionCheck<>(TYPE.concat(SEPERATOR).concat(action));
}
private static PermissionCheck check(String permission)
{
return new PermissionCheck(TYPE.concat(SEPERATOR).concat(permission));
}
}

12
scm-core/src/main/java/sonia/scm/repository/api/RepositoryServiceFactory.java
View File

@@ -55,8 +55,6 @@ import sonia.scm.repository.BlameResult;
import sonia.scm.repository.Branches;
import sonia.scm.repository.BrowserResult;
import sonia.scm.repository.ChangesetPagingResult;
import sonia.scm.repository.PermissionType;
import sonia.scm.repository.PermissionUtil;
import sonia.scm.repository.PostReceiveRepositoryHookEvent;
import sonia.scm.repository.PreProcessorUtil;
import sonia.scm.repository.Repository;
@@ -64,6 +62,7 @@ import sonia.scm.repository.RepositoryCacheKeyPredicate;
import sonia.scm.repository.RepositoryEvent;
import sonia.scm.repository.RepositoryManager;
import sonia.scm.repository.RepositoryNotFoundException;
import sonia.scm.repository.RepositoryPermissions;
import sonia.scm.repository.Tags;
import sonia.scm.repository.spi.RepositoryServiceProvider;
import sonia.scm.repository.spi.RepositoryServiceResolver;
@@ -251,11 +250,7 @@ public final class RepositoryServiceFactory
Preconditions.checkNotNull(repository, "repository is required");
// check for read permissions of current user
if (!PermissionUtil.hasPermission(configuration, repository,
PermissionType.READ))
{
throw new ScmSecurityException("read permission are required");
}
RepositoryPermissions.read(repository);
RepositoryService service = null;
@@ -311,7 +306,8 @@ public final class RepositoryServiceFactory
this.browseCache = cacheManager.getCache(BrowseCommandBuilder.CACHE_NAME);
this.logCache = cacheManager.getCache(LogCommandBuilder.CACHE_NAME);
this.tagsCache = cacheManager.getCache(TagsCommandBuilder.CACHE_NAME);
this.branchesCache =cacheManager.getCache(BranchesCommandBuilder.CACHE_NAME);
this.branchesCache =
cacheManager.getCache(BranchesCommandBuilder.CACHE_NAME);
}
//~--- methods ------------------------------------------------------------

121
scm-core/src/main/java/sonia/scm/security/PermissionActionCheck.java Normal file
View File

@@ -0,0 +1,121 @@
/**
* Copyright (c) 2014, Sebastian Sdorra All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. 2. Redistributions in
* binary form must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution. 3. Neither the name of SCM-Manager;
* nor the names of its contributors may be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.security;
//~--- non-JDK imports --------------------------------------------------------
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import sonia.scm.ModelObject;
/**
*
* @author Sebastian Sdorra
* @param <T>
*
* @since 2.0.0
*/
public final class PermissionActionCheck<T extends ModelObject>
{
/**
* Constructs ...
*
* @param typedAction
*/
public PermissionActionCheck(String typedAction)
{
this.prefix = typedAction.concat(":");
this.subject = SecurityUtils.getSubject();
}
//~--- methods --------------------------------------------------------------
/**
* Method description
*
*
* @param id
*/
public void check(String id)
{
subject.checkPermission(prefix.concat(id));
}
/**
* Method description
*
*
* @param item
*/
public void check(T item)
{
subject.checkPermission(prefix.concat(item.getId()));
}
//~--- get methods ----------------------------------------------------------
/**
* Method description
*
*
* @param id
*
* @return
*/
public boolean isPermitted(String id)
{
return subject.isPermitted(prefix.concat(id));
}
/**
* Method description
*
*
* @param item
*
* @return
*/
public boolean isPermitted(T item)
{
return subject.isPermitted(prefix.concat(item.getId()));
}
//~--- fields ---------------------------------------------------------------
/** Field description */
private final String prefix;
/** Field description */
private final Subject subject;
}

85
scm-core/src/main/java/sonia/scm/security/PermissionCheck.java Normal file
View File

@@ -0,0 +1,85 @@
/**
* Copyright (c) 2014, Sebastian Sdorra All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. 2. Redistributions in
* binary form must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution. 3. Neither the name of SCM-Manager;
* nor the names of its contributors may be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.security;
//~--- non-JDK imports --------------------------------------------------------
import org.apache.shiro.SecurityUtils;
/**
*
* @author Sebastian Sdorra
* @since 2.0.0
*/
public final class PermissionCheck
{
/**
* Constructs ...
*
*
* @param permission
*/
public PermissionCheck(String permission)
{
this.permission = permission;
}
//~--- methods --------------------------------------------------------------
/**
* Method description
*
*/
public void check()
{
SecurityUtils.getSubject().checkPermission(permission);
}
//~--- get methods ----------------------------------------------------------
/**
* Method description
*
*
* @return
*/
public boolean isPermitted()
{
return SecurityUtils.getSubject().isPermitted(permission);
}
//~--- fields ---------------------------------------------------------------
/** Field description */
private final String permission;
}

11
scm-core/src/main/java/sonia/scm/web/filter/PermissionFilter.java
View File

@@ -46,9 +46,8 @@ import org.slf4j.LoggerFactory;
import sonia.scm.ArgumentIsInvalidException;
import sonia.scm.SCMContext;
import sonia.scm.config.ScmConfiguration;
import sonia.scm.repository.PermissionType;
import sonia.scm.repository.PermissionUtil;
import sonia.scm.repository.Repository;
import sonia.scm.repository.RepositoryPermissions;
import sonia.scm.security.Role;
import sonia.scm.security.ScmSecurityException;
import sonia.scm.util.HttpUtil;
@@ -64,6 +63,7 @@ import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.authz.AuthorizationException;
/**
* Abstract http filter to check repository permissions.
@@ -191,7 +191,7 @@ public abstract class PermissionFilter extends HttpFilter
response.sendRedirect(getRepositoryRootHelpUrl(request));
}
catch (ScmSecurityException ex)
catch (ScmSecurityException | AuthorizationException ex)
{
if (logger.isWarnEnabled())
{
@@ -353,12 +353,11 @@ public abstract class PermissionFilter extends HttpFilter
if (writeRequest)
{
permitted = PermissionUtil.isWritable(configuration, repository);
permitted = RepositoryPermissions.write(repository).isPermitted();
}
else
{
permitted = PermissionUtil.hasPermission(configuration, repository,
PermissionType.READ);
permitted = RepositoryPermissions.read(repository).isPermitted();
}
return permitted;

10
scm-core/src/main/java/sonia/scm/web/filter/ProviderPermissionFilter.java
View File

@@ -38,6 +38,8 @@ package sonia.scm.web.filter;
import com.google.common.base.Throwables;
import com.google.inject.ProvisionException;
import org.apache.shiro.authz.AuthorizationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -101,14 +103,10 @@ public abstract class ProviderPermissionFilter extends PermissionFilter
}
catch (ProvisionException ex)
{
Throwables.propagateIfInstanceOf(ex.getCause(),
IllegalStateException.class);
if (logger.isErrorEnabled())
{
Throwables.propagateIfPossible(ex.getCause(),
IllegalStateException.class, AuthorizationException.class);
logger.error("could not get repository from request", ex);
}
}
return repository;
}

4
scm-webapp/src/main/java/sonia/scm/ScmServletModule.java
View File

@@ -42,8 +42,6 @@ import com.google.inject.name.Names;
import com.google.inject.servlet.RequestScoped;
import com.google.inject.throwingproviders.ThrowingProviderBinder;
import org.apache.shiro.authz.permission.PermissionResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -86,7 +84,6 @@ import sonia.scm.security.CipherUtil;
import sonia.scm.security.DefaultKeyGenerator;
import sonia.scm.security.DefaultSecuritySystem;
import sonia.scm.security.KeyGenerator;
import sonia.scm.security.RepositoryPermissionResolver;
import sonia.scm.security.SecuritySystem;
import sonia.scm.store.BlobStoreFactory;
import sonia.scm.store.ConfigurationEntryStoreFactory;
@@ -265,7 +262,6 @@ public class ScmServletModule extends JerseyServletModule
pluginLoader.getExtensionProcessor().processAutoBindExtensions(binder());
// bind security stuff
bind(PermissionResolver.class, RepositoryPermissionResolver.class);
bind(SecuritySystem.class).to(DefaultSecuritySystem.class);
bind(AdministrationContext.class, DefaultAdministrationContext.class);

61
scm-webapp/src/main/java/sonia/scm/api/rest/AuthorizationExceptionMapper.java Normal file
View File

@@ -0,0 +1,61 @@
/**
* Copyright (c) 2014, Sebastian Sdorra All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. 2. Redistributions in
* binary form must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution. 3. Neither the name of SCM-Manager;
* nor the names of its contributors may be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.api.rest;
//~--- non-JDK imports --------------------------------------------------------
import org.apache.shiro.authz.AuthorizationException;
//~--- JDK imports ------------------------------------------------------------
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
/**
*
* @author Sebastian Sdorra
* @since 2.0.0
*/
@Provider
public class AuthorizationExceptionMapper
extends StatusExceptionMapper<AuthorizationException>
{
/**
* Constructs ...
*
*/
public AuthorizationExceptionMapper()
{
super(AuthorizationException.class, Response.Status.FORBIDDEN);
}
}

10
scm-webapp/src/main/java/sonia/scm/api/rest/resources/AbstractManagerResource.java
View File

@@ -36,6 +36,7 @@ package sonia.scm.api.rest.resources;
//~--- non-JDK imports --------------------------------------------------------
import org.apache.commons.beanutils.BeanComparator;
import org.apache.shiro.authz.AuthorizationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -44,7 +45,6 @@ import sonia.scm.LastModifiedAware;
import sonia.scm.Manager;
import sonia.scm.ModelObject;
import sonia.scm.api.rest.RestExceptionResult;
import sonia.scm.security.ScmSecurityException;
import sonia.scm.util.AssertUtil;
import sonia.scm.util.HttpUtil;
import sonia.scm.util.Util;
@@ -140,7 +140,7 @@ public abstract class AbstractManagerResource<T extends ModelObject,
{
preCreate(item);
Response response = null;
Response response;
try
{
@@ -153,7 +153,7 @@ public abstract class AbstractManagerResource<T extends ModelObject,
uriInfo.getAbsolutePath().resolve(
getPathPart().concat("/").concat(id))).build();
}
catch (ScmSecurityException ex)
catch (AuthorizationException ex)
{
logger.warn("create is not allowd", ex);
response = Response.status(Status.FORBIDDEN).build();
@@ -189,7 +189,7 @@ public abstract class AbstractManagerResource<T extends ModelObject,
manager.delete(item);
response = Response.noContent().build();
}
catch (ScmSecurityException ex)
catch (AuthorizationException ex)
{
logger.warn("delete not allowd", ex);
response = Response.status(Response.Status.FORBIDDEN).build();
@@ -228,7 +228,7 @@ public abstract class AbstractManagerResource<T extends ModelObject,
manager.modify(item);
response = Response.noContent().build();
}
catch (ScmSecurityException ex)
catch (AuthorizationException ex)
{
logger.warn("update not allowd", ex);
response = Response.status(Response.Status.FORBIDDEN).build();

56
scm-webapp/src/main/java/sonia/scm/api/rest/resources/RepositoryResource.java
View File

@@ -55,7 +55,6 @@ import sonia.scm.repository.Changeset;
import sonia.scm.repository.ChangesetPagingResult;
import sonia.scm.repository.HealthChecker;
import sonia.scm.repository.Permission;
import sonia.scm.repository.PermissionType;
import sonia.scm.repository.Repository;
import sonia.scm.repository.RepositoryException;
import sonia.scm.repository.RepositoryIsNotArchivedException;
@@ -71,8 +70,6 @@ import sonia.scm.repository.api.DiffFormat;
import sonia.scm.repository.api.LogCommandBuilder;
import sonia.scm.repository.api.RepositoryService;
import sonia.scm.repository.api.RepositoryServiceFactory;
import sonia.scm.security.RepositoryPermission;
import sonia.scm.security.ScmSecurityException;
import sonia.scm.util.AssertUtil;
import sonia.scm.util.HttpUtil;
import sonia.scm.util.IOUtil;
@@ -103,6 +100,7 @@ import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;
import javax.ws.rs.core.StreamingOutput;
import javax.ws.rs.core.UriInfo;
import org.apache.shiro.authz.AuthorizationException;
/**
*
@@ -196,7 +194,7 @@ public class RepositoryResource
@Override
public Response delete(@PathParam("id") String id)
{
Response response = null;
Response response;
Repository repository = manager.get(id);
if (repository != null)
@@ -213,12 +211,12 @@ public class RepositoryResource
logger.warn("non archived repository could not be deleted", ex);
response = Response.status(Response.Status.PRECONDITION_FAILED).build();
}
catch (ScmSecurityException ex)
catch (AuthorizationException ex)
{
logger.warn("delete not allowed", ex);
response = Response.status(Response.Status.FORBIDDEN).build();
}
catch (Exception ex)
catch (RepositoryException | IOException ex)
{
logger.error("error during create", ex);
response = createErrorResonse(ex);
@@ -263,12 +261,7 @@ public class RepositoryResource
logger.warn("could not find repository ".concat(id), ex);
response = Response.status(Status.NOT_FOUND).build();
}
catch (RepositoryException ex)
{
logger.error("error occured during health check", ex);
response = Response.serverError().build();
}
catch (IOException ex)
catch (RepositoryException | IOException ex)
{
logger.error("error occured during health check", ex);
response = Response.serverError().build();
@@ -610,7 +603,7 @@ public class RepositoryResource
public Response getByTypeAndName(@PathParam("type") String type,
@PathParam("name") String name)
{
Response response = null;
Response response;
Repository repository = repositoryManager.get(type, name);
if (repository != null)
@@ -689,12 +682,8 @@ public class RepositoryResource
}
}
else
{
if (logger.isWarnEnabled())
{
logger.warn("id or revision is empty");
}
response = Response.status(Status.BAD_REQUEST).build();
}
@@ -745,7 +734,7 @@ public class RepositoryResource
try
{
ChangesetPagingResult changesets = null;
ChangesetPagingResult changesets;
service = servicefactory.create(id);
@@ -819,9 +808,9 @@ public class RepositoryResource
public Response getContent(@PathParam("id") String id,
@QueryParam("revision") String revision, @QueryParam("path") String path)
{
Response response = null;
StreamingOutput output = null;
RepositoryService service = null;
Response response;
StreamingOutput output;
RepositoryService service;
try
{
@@ -905,8 +894,8 @@ public class RepositoryResource
*/
HttpUtil.checkForCRLFInjection(revision);
RepositoryService service = null;
Response response = null;
RepositoryService service;
Response response;
try
{
@@ -1062,7 +1051,8 @@ public class RepositoryResource
@Override
protected Repository prepareForReturn(Repository repository)
{
if (isOwner(repository))
if (SecurityUtils.getSubject().isPermitted(
"repository:modify:".concat(repository.getId())))
{
if (repository.getPermissions() == null)
{
@@ -1070,12 +1060,9 @@ public class RepositoryResource
}
}
else
{
if (logger.isTraceEnabled())
{
logger.trace("remove properties and permissions from repository, "
+ "because the user is not privileged");
}
repository.setProperties(null);
repository.setPermissions(null);
@@ -1148,21 +1135,6 @@ public class RepositoryResource
return getContentDispositionName(name);
}
/**
* Method description
*
*
* @param repository
*
* @return
*/
private boolean isOwner(Repository repository)
{
return SecurityUtils.getSubject().isPermitted(
new RepositoryPermission(repository, PermissionType.OWNER));
}
//~--- fields ---------------------------------------------------------------
/** Field description */

122
scm-webapp/src/main/java/sonia/scm/repository/DefaultRepositoryManager.java
View File

@@ -41,9 +41,7 @@ import com.google.common.util.concurrent.ThreadFactoryBuilder;
import com.google.inject.Inject;
import com.google.inject.Singleton;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.concurrent.SubjectAwareExecutorService;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -55,7 +53,7 @@ import sonia.scm.SCMContextProvider;
import sonia.scm.Type;
import sonia.scm.config.ScmConfiguration;
import sonia.scm.security.KeyGenerator;
import sonia.scm.security.ScmSecurityException;
import sonia.scm.security.PermissionActionCheck;
import sonia.scm.util.AssertUtil;
import sonia.scm.util.CollectionAppender;
import sonia.scm.util.HttpUtil;
@@ -81,6 +79,7 @@ import java.util.concurrent.ThreadFactory;
import javax.servlet.http.HttpServletRequest;
/**
* Default implementation of {@link RepositoryManager}.
*
* @author Sebastian Sdorra
*/
@@ -123,8 +122,8 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
);
//J+
handlerMap = new HashMap<String, RepositoryHandler>();
types = new HashSet<Type>();
handlerMap = new HashMap<>();
types = new HashSet<>();
for (RepositoryHandler handler : handlerSet)
{
@@ -156,21 +155,18 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
*
*
* @param repository
* @param createRepository
* @param initRepository
*
* @throws IOException
* @throws RepositoryException
*/
public void create(Repository repository, boolean createRepository)
public void create(Repository repository, boolean initRepository)
throws RepositoryException, IOException
{
if (logger.isInfoEnabled())
{
logger.info("create repository {} of type {}", repository.getName(),
repository.getType());
}
assertIsAdmin();
RepositoryPermissions.create().check();
AssertUtil.assertIsValid(repository);
if (repositoryDAO.contains(repository))
@@ -181,7 +177,7 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
repository.setId(keyGenerator.createKey());
repository.setCreationDate(System.currentTimeMillis());
if (createRepository)
if (initRepository)
{
getHandler(repository).create(repository);
}
@@ -226,7 +222,7 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
repository.getType());
}
assertIsOwner(repository);
RepositoryPermissions.delete(repository).check();
if (configuration.isEnableRepositoryArchive() &&!repository.isArchived())
{
@@ -299,7 +295,7 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
if (oldRepository != null)
{
assertIsOwner(oldRepository);
RepositoryPermissions.modify(oldRepository).check();
fireEvent(HandlerEventType.BEFORE_MODIFY, repository, oldRepository);
repository.setLastModified(System.currentTimeMillis());
getHandler(repository).modify(repository);
@@ -327,7 +323,7 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
throws RepositoryException, IOException
{
AssertUtil.assertIsNotNull(repository);
assertIsReader(repository);
RepositoryPermissions.read(repository).check();
Repository fresh = repositoryDAO.get(repository.getType(),
repository.getName());
@@ -358,11 +354,12 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
{
AssertUtil.assertIsNotEmpty(id);
RepositoryPermissions.read(id).check();
Repository repository = repositoryDAO.get(id);
if (repository != null)
{
assertIsReader(repository);
repository = repository.clone();
}
@@ -388,15 +385,9 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
if (repository != null)
{
if (isReader(repository))
{
RepositoryPermissions.read(repository).check();
repository = repository.clone();
}
else
{
throw new ScmSecurityException("not enaugh permissions");
}
}
return repository;
}
@@ -414,9 +405,12 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
{
List<Repository> repositories = Lists.newArrayList();
PermissionActionCheck<Repository> check = RepositoryPermissions.read();
for (Repository repository : repositoryDAO.getAll())
{
if (handlerMap.containsKey(repository.getType()) && isReader(repository))
if (handlerMap.containsKey(repository.getType())
&& check.isPermitted(repository))
{
Repository r = repository.clone();
@@ -459,14 +453,20 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
public Collection<Repository> getAll(Comparator<Repository> comparator,
int start, int limit)
{
final PermissionActionCheck<Repository> check =
RepositoryPermissions.read();
return Util.createSubCollection(repositoryDAO.getAll(), comparator,
new CollectionAppender<Repository>()
{
@Override
public void append(Collection<Repository> collection, Repository item)
{
if (check.isPermitted(item))
{
collection.add(item.clone());
}
}
}, start, limit);
}
@@ -554,11 +554,13 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
{
Collection<Repository> repositories = repositoryDAO.getAll();
PermissionActionCheck<Repository> check = RepositoryPermissions.read();
for (Repository r : repositories)
{
if (type.equals(r.getType()) && isNameMatching(r, uri))
{
assertIsReader(r);
check.check(r);
repository = r.clone();
break;
@@ -681,49 +683,6 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
types.add(type);
}
/**
* Method description
*
*/
private void assertIsAdmin()
{
if (!SecurityUtils.getSubject().hasRole("admin"))
{
throw new ScmSecurityException("admin role is required");
}
}
/**
* TODO use {@link Subject#checkPermission(org.apache.shiro.authz.Permission)}
* in version 2.x.
*
*
* @param repository
*/
private void assertIsOwner(Repository repository)
{
if (!isPermitted(repository, PermissionType.OWNER))
{
throw new ScmSecurityException(
"owner permission is required, access denied");
}
}
/**
* TODO use {@link Subject#checkPermission(org.apache.shiro.authz.Permission)}
* in version 2.x.
*
* @param repository
*/
private void assertIsReader(Repository repository)
{
if (!isReader(repository))
{
throw new ScmSecurityException(
"reader permission is required, access denied");
}
}
//~--- get methods ----------------------------------------------------------
/**
@@ -780,33 +739,6 @@ public class DefaultRepositoryManager extends AbstractRepositoryManager
return result;
}
/**
* Method description
*
*
* @param repository
* @param type
*
* @return
*/
private boolean isPermitted(Repository repository, PermissionType type)
{
return PermissionUtil.hasPermission(configuration, repository, type);
}
/**
* Method description
*
*
* @param repository
*
* @return
*/
private boolean isReader(Repository repository)
{
return isPermitted(repository, PermissionType.READ);
}
//~--- fields ---------------------------------------------------------------
/** Field description */

4
scm-webapp/src/main/java/sonia/scm/repository/DefaultRepositoryProvider.java
View File

@@ -111,8 +111,8 @@ public class DefaultRepositoryProvider implements RepositoryProvider
//~--- fields ---------------------------------------------------------------
/** Field description */
private RepositoryManager manager;
private final RepositoryManager manager;
/** Field description */
private Provider<HttpServletRequest> requestProvider;
private final Provider<HttpServletRequest> requestProvider;
}

75
scm-webapp/src/main/java/sonia/scm/repository/HealthChecker.java
View File

@@ -36,18 +36,14 @@ package sonia.scm.repository;
import com.google.common.collect.ImmutableList;
import com.google.inject.Inject;
import org.apache.shiro.SecurityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sonia.scm.security.Role;
//~--- JDK imports ------------------------------------------------------------
import java.io.IOException;
import java.util.Set;
import sonia.scm.security.PermissionActionCheck;
/**
*
@@ -95,7 +91,7 @@ public final class HealthChecker
public void check(String id)
throws RepositoryNotFoundException, RepositoryException, IOException
{
SecurityUtils.getSubject().checkRole(Role.ADMIN);
RepositoryPermissions.healthCheck(id);
Repository repository = repositoryManager.get(id);
@@ -105,7 +101,7 @@ public final class HealthChecker
"could not find repository with id ".concat(id));
}
check(repository);
doCheck(repository);
}
/**
@@ -119,9 +115,49 @@ public final class HealthChecker
*/
public void check(Repository repository)
throws RepositoryException, IOException
{
RepositoryPermissions.healthCheck(repository);
doCheck(repository);
}
/**
* Method description
*
*
*/
public void checkAll()
{
logger.debug("check health of all repositories");
PermissionActionCheck<Repository> check = RepositoryPermissions.healthCheck();
for (Repository repository : repositoryManager.getAll())
{
if (check.isPermitted(repository))
{
try
{
check(repository);
}
catch (RepositoryException | IOException ex)
{
logger.error("health check ends with exception", ex);
}
}
else
{
logger.debug(
"no permissions to execute health check for repository {}",
repository.getId());
}
}
}
private void doCheck(Repository repository)
throws RepositoryException, IOException
{
logger.info("start health check for repository {}", repository.getName());
SecurityUtils.getSubject().checkRole(Role.ADMIN);
HealthCheckResult result = HealthCheckResult.healthy();
@@ -152,29 +188,6 @@ public final class HealthChecker
}
}
/**
* Method description
*
*
*/
public void checkAll()
{
logger.debug("check health of all repositories");
SecurityUtils.getSubject().checkRole(Role.ADMIN);
for (Repository repository : repositoryManager.getAll())
{
try
{
check(repository);
}
catch (Exception ex)
{
logger.error("health check ends with exception", ex);
}
}
}
//~--- fields ---------------------------------------------------------------
/** Field description */

6
scm-webapp/src/main/java/sonia/scm/repository/LastModifiedUpdateListener.java
View File

@@ -154,11 +154,7 @@ public final class LastModifiedUpdateListener
{
repositoryManager.modify(dbr);
}
catch (RepositoryException ex)
{
logger.error("could not modify repository", ex);
}
catch (IOException ex)
catch (RepositoryException | IOException ex)
{
logger.error("could not modify repository", ex);
}

61
scm-webapp/src/main/java/sonia/scm/security/DefaultAuthorizationCollector.java
View File

@@ -47,9 +47,7 @@ import com.google.inject.Singleton;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.authz.permission.PermissionResolver;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
@@ -61,7 +59,6 @@ import sonia.scm.cache.CacheManager;
import sonia.scm.group.GroupEvent;
import sonia.scm.group.GroupNames;
import sonia.scm.plugin.Extension;
import sonia.scm.repository.PermissionType;
import sonia.scm.repository.Repository;
import sonia.scm.repository.RepositoryDAO;
import sonia.scm.repository.RepositoryEvent;
@@ -83,6 +80,9 @@ import java.util.Set;
public class DefaultAuthorizationCollector implements AuthorizationCollector
{
/** Field description */
private static final String ADMIN_PERMISSION = "*";
/** Field description */
private static final String CACHE_NAME = "sonia.cache.authorizing";
@@ -102,17 +102,14 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
* @param cacheManager
* @param repositoryDAO
* @param securitySystem
* @param resolver
*/
@Inject
public DefaultAuthorizationCollector(CacheManager cacheManager,
RepositoryDAO repositoryDAO, SecuritySystem securitySystem,
PermissionResolver resolver)
RepositoryDAO repositoryDAO, SecuritySystem securitySystem)
{
this.cache = cacheManager.getCache(CACHE_NAME);
this.repositoryDAO = repositoryDAO;
this.securitySystem = securitySystem;
this.resolver = resolver;
}
//~--- methods --------------------------------------------------------------
@@ -271,7 +268,7 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
return info;
}
private void collectGlobalPermissions(Builder<Permission> builder,
private void collectGlobalPermissions(Builder<String> builder,
final User user, final GroupNames groups)
{
if (logger.isTraceEnabled())
@@ -292,23 +289,15 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
for (StoredAssignedPermission gp : globalPermissions)
{
if (logger.isTraceEnabled())
{
logger.trace("add permission {} for user {}", gp.getPermission(),
user.getName());
}
String permission = gp.getPermission();
Permission permission = resolver.resolvePermission(gp.getPermission());
if (permission != null)
{
logger.trace("add permission {} for user {}", permission, user.getName());
builder.add(permission);
}
}
}
private void collectRepositoryPermissions(Builder<Permission> builder,
User user, GroupNames groups)
private void collectRepositoryPermissions(Builder<String> builder, User user,
GroupNames groups)
{
for (Repository repository : repositoryDAO.getAll())
{
@@ -322,7 +311,7 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
}
}
private void collectRepositoryPermissions(Builder<Permission> builder,
private void collectRepositoryPermissions(Builder<String> builder,
Repository repository, User user, GroupNames groups)
{
List<sonia.scm.repository.Permission> repositoryPermissions =
@@ -335,16 +324,14 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
{
if (isUserPermission(user, groups, permission))
{
RepositoryPermission rp = new RepositoryPermission(repository,
permission.getType());
if (logger.isTraceEnabled())
{
logger.trace("add repository permission {} for user {}", rp,
String perm = permission.getType().getPermissionPrefix().concat(
repository.getId());
logger.trace("add repository permission {} for user {}", perm,
user.getName());
}
builder.add(rp);
builder.add(perm);
}
}
}
@@ -359,7 +346,7 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
GroupNames groups)
{
Set<String> roles;
Set<Permission> permissions;
Set<String> permissions;
if (user.isAdmin())
{
@@ -370,20 +357,13 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
roles = ImmutableSet.of(Role.USER, Role.ADMIN);
//J-
Permission adminPermission = new RepositoryPermission(
RepositoryPermission.WILDCARD,
PermissionType.OWNER
);
//J+
permissions = ImmutableSet.of(adminPermission);
permissions = ImmutableSet.of(ADMIN_PERMISSION);
}
else
{
roles = ImmutableSet.of(Role.USER);
Builder<Permission> builder = ImmutableSet.builder();
Builder<String> builder = ImmutableSet.builder();
collectGlobalPermissions(builder, user, groups);
collectRepositoryPermissions(builder, user, groups);
@@ -392,7 +372,7 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
SimpleAuthorizationInfo info = new SimpleAuthorizationInfo(roles);
info.addObjectPermissions(permissions);
info.addStringPermissions(permissions);
return info;
}
@@ -472,9 +452,6 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
/** repository dao */
private final RepositoryDAO repositoryDAO;
/** permission resolver */
private final PermissionResolver resolver;
/** security system */
private final SecuritySystem securitySystem;
}

157
scm-webapp/src/main/java/sonia/scm/security/RepositoryPermissionResolver.java
View File

@@ -1,157 +0,0 @@
/**
* Copyright (c) 2010, Sebastian Sdorra
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. Neither the name of SCM-Manager; nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.security;
//~--- non-JDK imports --------------------------------------------------------
import com.google.common.base.Splitter;
import com.google.common.base.Strings;
import org.apache.shiro.authz.permission.PermissionResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sonia.scm.repository.PermissionType;
//~--- JDK imports ------------------------------------------------------------
import java.util.Iterator;
import java.util.Locale;
/**
*
* @author Sebastian Sdorra
*/
public class RepositoryPermissionResolver implements PermissionResolver
{
/**
* the logger for RepositoryPermissionResolver
*/
private static final Logger logger =
LoggerFactory.getLogger(RepositoryPermissionResolver.class);
//~--- methods --------------------------------------------------------------
/**
* Method description
*
*
* @param permissionString
*
* @return
*/
@Override
public RepositoryPermission resolvePermission(String permissionString)
{
RepositoryPermission permission = null;
if (!Strings.isNullOrEmpty(permissionString))
{
Iterator<String> permissionIt =
Splitter.on(':').omitEmptyStrings().trimResults().split(
permissionString).iterator();
if (permissionIt.hasNext())
{
String type = permissionIt.next();
if (type.equals(RepositoryPermission.TYPE))
{
permission = createRepositoryPermission(permissionIt);
}
else if (logger.isWarnEnabled())
{
logger.warn("permission '{}' is not a repository permission",
permissionString);
}
}
}
else
{
logger.warn(
"permision string is empty, could not resolve empty permission");
}
return permission;
}
/**
* Method description
*
*
* @param permissionIt
*
* @return
*/
private RepositoryPermission createRepositoryPermission(
Iterator<String> permissionIt)
{
RepositoryPermission permission = null;
if (permissionIt.hasNext())
{
String repositoryId = permissionIt.next();
if (permissionIt.hasNext())
{
try
{
String typeString = permissionIt.next();
typeString = typeString.trim().toUpperCase(Locale.ENGLISH);
PermissionType type = PermissionType.valueOf(typeString);
permission = new RepositoryPermission(repositoryId, type);
}
catch (IllegalArgumentException ex)
{
logger.warn("type is not a valid permission type", ex);
}
}
else if (logger.isWarnEnabled())
{
logger.warn("permission type is missing");
}
}
else if (logger.isWarnEnabled())
{
logger.warn("repository id and permission type is missing");
}
return permission;
}
}

4
scm-webapp/src/test/java/sonia/scm/it/AnonymousAccessITCase.java
View File

@@ -70,6 +70,7 @@ import java.io.File;
import java.io.IOException;
import java.util.Collection;
import org.junit.Ignore;
/**
*
@@ -187,11 +188,12 @@ public class AnonymousAccessITCase
/**
* Method description
*
* TODO fix test case
*
* @throws IOException
* @throws RepositoryClientException
*/
@Test
@Test @Ignore
public void testAnonymousClone() throws RepositoryClientException, IOException
{
testSimpleAdminPush();

1
scm-webapp/src/test/java/sonia/scm/it/IntegrationTestUtil.java
View File

@@ -49,6 +49,7 @@ import static org.junit.Assert.*;
import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import com.sun.jersey.api.client.WebResource;
import com.sun.jersey.api.client.filter.LoggingFilter;
import com.sun.jersey.client.apache.ApacheHttpClient;
import com.sun.jersey.client.apache.config.ApacheHttpClientConfig;
import com.sun.jersey.client.apache.config.DefaultApacheHttpClientConfig;

103
scm-webapp/src/test/java/sonia/scm/security/RepositoryPermissionResolverTest.java
View File

@@ -1,103 +0,0 @@
/**
* Copyright (c) 2010, Sebastian Sdorra
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. Neither the name of SCM-Manager; nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.security;
//~--- non-JDK imports --------------------------------------------------------
import org.junit.Test;
import sonia.scm.repository.PermissionType;
import static org.junit.Assert.*;
/**
*
* @author Sebastian Sdorra
*/
public class RepositoryPermissionResolverTest
{
/**
* Method description
*
*/
@Test
public void testResolvePermission()
{
RepositoryPermissionResolver resolver = new RepositoryPermissionResolver();
RepositoryPermission p = resolver.resolvePermission("repository:scm:read");
assertNotNull(p);
assertEquals("scm", p.getRepositoryId());
assertEquals(PermissionType.READ, p.getPermissionType());
p = resolver.resolvePermission("repository:asd:wRitE");
assertNotNull(p);
assertEquals("asd", p.getRepositoryId());
assertEquals(PermissionType.WRITE, p.getPermissionType());
p = resolver.resolvePermission("repository:*:OWNER");
assertNotNull(p);
assertEquals("*", p.getRepositoryId());
assertEquals(PermissionType.OWNER, p.getPermissionType());
}
/**
* Method description
*
*/
@Test
public void testResolveUnknownPermission()
{
RepositoryPermissionResolver resolver = new RepositoryPermissionResolver();
RepositoryPermission p = resolver.resolvePermission("user:scm:read");
assertNull(p);
p = resolver.resolvePermission("group:asd:wRitE");
assertNull(p);
}
/**
* Method description
*
*/
@Test
public void testResolveUnknownTypePermission()
{
RepositoryPermissionResolver resolver = new RepositoryPermissionResolver();
RepositoryPermission p = resolver.resolvePermission("repository:scm:asd");
assertNull(p);
}
}