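package org.apache.archiva.redback.authorization.rbac.evaluator;

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

import org.apache.archiva.redback.rbac.Permission;
import org.apache.archiva.redback.rbac.Resource;
import org.apache.archiva.redback.users.UserManager;
import org.apache.archiva.redback.users.UserManagerException;
import org.apache.archiva.redback.users.UserNotFoundException;
import org.apache.commons.lang3.StringUtils;
import org.springframework.stereotype.Service;

import javax.inject.Inject;
import javax.inject.Named;

/**
 * DefaultPermissionEvaluator: decides whether a single {@link Permission} grants
 * {@code operation} on {@code resource} to {@code principal}.
 *
 * Currently only one expression is available for evaluation: a permission resource of
 * {@code ${username}} is replaced with the username of the person making the authorization
 * check (looked up through the {@link UserManager}), so that one permission can grant
 * every user access to "their own" resource only.
 *
 * Any other {@code ${...}} expression is left untouched and compared literally, and a
 * {@code ${} expression that is never closed with {@code }} is reported through
 * {@link PermissionEvaluationException} instead of escaping as an unchecked exception.
 * Both cases fail closed: they can never widen a grant.
 *
 * @author Jesse McConnell
 */
@Service("permissionEvaluator")
public class DefaultPermissionEvaluator
    implements PermissionEvaluator
{
    /** Prefix that marks a permission resource as an expression rather than a literal. */
    private static final String EXPRESSION_START = "${";

    /** Character that closes an expression. */
    private static final char EXPRESSION_END = '}';

    /** The only expression name understood: expands to the principal's username. */
    private static final String USERNAME_EXPRESSION = "username";

    @Inject
    @Named(value = "userManager#default")
    private UserManager userManager;

    /**
     * Evaluate one permission against an authorization request.
     *
     * @param permission the permission held by the principal (its operation and resource are read)
     * @param operation  the operation being requested
     * @param resource   the resource identifier being requested; may be {@code null}
     * @param principal  the principal making the request, used to expand {@code ${username}}
     * @return {@code true} if the permission's operation matches and its (expanded) resource is
     *         global, or matches {@code resource}, or both sides declare no resource at all
     * @throws PermissionEvaluationException if a {@code ${username}} expression cannot be expanded
     *         (principal unknown, user store failure) or the expression is malformed
     */
    public boolean evaluate( Permission permission, String operation, String resource, String principal )
        throws PermissionEvaluationException
    {
        // NOTE(review): a null resource or identifier on the permission NPEs here (a fail-closed
        // crash, not a bypass) — confirm whether Permission guarantees a non-null resource.
        String rawIdentifier = permission.getResource().getIdentifier();

        // Expression evaluation: only "${username}" is understood; everything else is a literal.
        String permissionResource = rawIdentifier.startsWith( EXPRESSION_START )
            ? expandExpression( rawIdentifier, principal )
            : rawIdentifier;

        // The permission can only apply if it is for the operation being requested.
        if ( !permission.getOperation().getName().equals( operation ) )
        {
            return false;
        }

        // A global resource grants the operation on everything. This deliberately looks at the
        // raw identifier, so an expanded expression (e.g. a username) can never become a global grant.
        if ( Resource.GLOBAL.equals( rawIdentifier ) )
        {
            return true;
        }

        // Resource settings on the permission object and on the annotation
        // should be in line. If not, we use the least privilege, which means
        // if one of both is set, we will check for equality.
        if ( StringUtils.isEmpty( permissionResource ) && resource == null )
        {
            return true;
        }

        // Otherwise the (expanded) permission resource must match the requested one exactly.
        return permissionResource.equals( resource );
    }

    /**
     * Expand a permission resource that starts with {@code ${}.
     *
     * @param expression the raw resource identifier, already known to start with {@code ${}
     * @param principal  the principal whose username is substituted for {@code ${username}}
     * @return the principal's username for {@code ${username}}; any other well-formed expression
     *         is returned unchanged so it is later compared as a literal (and thus never matches
     *         a real resource by accident)
     * @throws PermissionEvaluationException if the expression has no closing {@code }}, or the
     *         principal cannot be resolved through the user manager
     */
    private String expandExpression( String expression, String principal )
        throws PermissionEvaluationException
    {
        int end = expression.indexOf( EXPRESSION_END );
        if ( end < 0 )
        {
            // An unterminated expression such as "${username" used to escape from substring() as a
            // StringIndexOutOfBoundsException; surface it through the declared exception instead.
            throw new PermissionEvaluationException( "malformed resource expression: " + expression );
        }

        String name = expression.substring( EXPRESSION_START.length(), end );
        if ( !USERNAME_EXPRESSION.equals( name ) )
        {
            return expression;
        }

        try
        {
            // Go through the user manager rather than trusting the principal string as-is, so the
            // canonical stored username is what gets compared against the requested resource.
            return userManager.findUser( principal ).getUsername();
        }
        catch ( UserNotFoundException e )
        {
            throw new PermissionEvaluationException( "unable to locate user to retrieve username", e );
        }
        catch ( UserManagerException e )
        {
            throw new PermissionEvaluationException( "trouble finding user: " + e.getMessage(), e );
        }
    }

    /**
     * @return the user manager used to expand {@code ${username}}
     */
    public UserManager getUserManager()
    {
        return userManager;
    }

    /**
     * @param userManager the user manager used to expand {@code ${username}}
     */
    public void setUserManager( UserManager userManager )
    {
        this.userManager = userManager;
    }
}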