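package org.apache.archiva.redback.authorization.rbac;

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

import org.apache.archiva.redback.authorization.AuthorizationDataSource;
import org.apache.archiva.redback.authorization.AuthorizationException;
import org.apache.archiva.redback.authorization.AuthorizationResult;
import org.apache.archiva.redback.authorization.Authorizer;
import org.apache.archiva.redback.authorization.NotAuthorizedException;
import org.apache.archiva.redback.authorization.rbac.evaluator.PermissionEvaluationException;
import org.apache.archiva.redback.authorization.rbac.evaluator.PermissionEvaluator;
import org.apache.archiva.redback.rbac.Permission;
import org.apache.archiva.redback.rbac.RBACManager;
import org.apache.archiva.redback.rbac.RbacManagerException;
import org.apache.archiva.redback.rbac.RbacObjectNotFoundException;
import org.apache.archiva.redback.users.User;
import org.apache.archiva.redback.users.UserManager;
import org.apache.archiva.redback.users.UserManagerException;
import org.apache.archiva.redback.users.UserNotFoundException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;

import javax.inject.Inject;
import javax.inject.Named;
import java.util.List;
import java.util.Map;

/**
 * RbacAuthorizer: role-based {@link Authorizer} that answers an authorization request from the
 * permissions assigned to the principal in the {@link RBACManager}, falling back to the
 * permissions assigned to the guest account when it is not locked.
 *
 * @author Jesse McConnell
 */
@Service("authorizer#rbac")
public class RbacAuthorizer
    implements Authorizer
{
    private final Logger log = LoggerFactory.getLogger( getClass() );

    /** Source of the permission assignments (keyed by operation name) for a principal. */
    @Inject
    @Named(value = "rbacManager#default")
    private RBACManager manager;

    /** Used only to look up the guest account for the global-permission fallback. */
    @Inject
    @Named(value = "userManager#default")
    private UserManager userManager;

    /** Decides whether one assigned permission covers the requested operation and resource. */
    @Inject
    private PermissionEvaluator evaluator;

    @Override
    public String getId()
    {
        return "rbac";
    }

    /**
     * Looks up the principal's permissions for the requested operation and asks the
     * {@link PermissionEvaluator} whether any of them covers the resource. If none does (or no
     * principal is supplied) and the guest account is not locked, the guest account's permissions
     * are evaluated next: anything assigned to guest is therefore effectively granted to every
     * caller, authenticated or not.
     * <p>
     * Every handled failure (no matching permission, missing principal or guest, evaluator or
     * manager error) is reported as a denied {@link AuthorizationResult} rather than thrown, so
     * the check fails closed.
     *
     * @param source carries the principal, the operation (permission name) and the resource to check
     * @return a granting result holding the matching permission, or a denied result carrying the reason
     * @throws AuthorizationException declared by the {@link Authorizer} contract; this implementation
     *         reports its failures through the returned result instead
     */
    @Override
    public AuthorizationResult isAuthorized( AuthorizationDataSource source )
        throws AuthorizationException
    {
        String principal = source.getPrincipal();
        String operation = source.getPermission();
        String resource = source.getResource();

        try
        {
            if ( principal != null )
            {
                Map<String, List<? extends Permission>> permissionMap = manager.getAssignedPermissionMap( principal );
                // get() instead of keySet().contains(): one lookup, and a key mapped to null
                // is treated the same as a missing key rather than failing in the loop below
                List<? extends Permission> permissions = permissionMap.get( operation );

                if ( permissions != null )
                {
                    for ( Permission permission : permissions )
                    {
                        log.debug( "checking permission {} for operation {} resource {}",
                                   ( permission != null ? permission.getName() : "null" ), operation, resource );

                        if ( evaluator.evaluate( permission, operation, resource, principal ) )
                        {
                            return new AuthorizationResult( true, permission, null );
                        }
                    }

                    log.debug( "no permission found for operation {} resource {}", operation, resource );
                }
                else
                {
                    log.debug( "permission map does not contain operation: {}", operation );
                }
            }

            // Guest permissions act as global permissions: they are checked for every request,
            // including those of an authenticated principal that had no matching permission above.
            User guest = userManager.getGuestUser();

            if ( !guest.isLocked() )
            {
                Map<String, List<? extends Permission>> permissionMap = manager.getAssignedPermissionMap( guest.getUsername() );
                List<? extends Permission> permissions = permissionMap.get( operation );

                if ( permissions != null )
                {
                    for ( Permission permission : permissions )
                    {
                        // same null guard as the principal loop so a null entry cannot surface as an NPE
                        log.debug( "checking permission {}", ( permission != null ? permission.getName() : "null" ) );

                        if ( evaluator.evaluate( permission, operation, resource, guest.getUsername() ) )
                        {
                            return new AuthorizationResult( true, permission, null );
                        }
                    }
                }
            }

            return new AuthorizationResult( false, null, new NotAuthorizedException( "no matching permissions" ) );
        }
        catch ( PermissionEvaluationException pe )
        {
            return new AuthorizationResult( false, null, pe );
        }
        catch ( RbacObjectNotFoundException nfe )
        {
            return new AuthorizationResult( false, null, nfe );
        }
        catch ( UserNotFoundException ne )
        {
            // a missing guest account is not an error to the caller, only a reason for denial
            return new AuthorizationResult( false, null,
                                            new NotAuthorizedException( "no matching permissions, guest not found" ) );
        }
        catch ( RbacManagerException rme )
        {
            return new AuthorizationResult( false, null, rme );
        }
        catch ( UserManagerException e )
        {
            return new AuthorizationResult( false, null, e );
        }
    }

    public RBACManager getManager()
    {
        return manager;
    }

    public void setManager( RBACManager manager )
    {
        this.manager = manager;
    }

    public UserManager getUserManager()
    {
        return userManager;
    }

    public void setUserManager( UserManager userManager )
    {
        this.userManager = userManager;
    }

    public PermissionEvaluator getEvaluator()
    {
        return evaluator;
    }

    public void setEvaluator( PermissionEvaluator evaluator )
    {
        this.evaluator = evaluator;
    }

    /**
     * Implements {@link Authorizer#isFinalImplementation()}; this authorizer always reports
     * itself as final.
     */
    @Override
    public boolean isFinalImplementation()
    {
        return true;
    }

    /** Message key under which this authorizer is described to users. */
    @Override
    public String getDescriptionKey()
    {
        return "archiva.redback.authorizer.rbac";
    }
}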