This project has retired. For details please refer to its Attic page.
PermissionsInterceptor xref
View Javadoc

1   package org.apache.archiva.redback.rest.services.interceptors;
2   
3   /*
4    * Licensed to the Apache Software Foundation (ASF) under one
5    * or more contributor license agreements.  See the NOTICE file
6    * distributed with this work for additional information
7    * regarding copyright ownership.  The ASF licenses this file
8    * to you under the Apache License, Version 2.0 (the
9    * "License"); you may not use this file except in compliance
10   * with the License.  You may obtain a copy of the License at
11   *
12   * http://www.apache.org/licenses/LICENSE-2.0
13   *
14   * Unless required by applicable law or agreed to in writing,
15   * software distributed under the License is distributed on an
16   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17   * KIND, either express or implied.  See the License for the
18   * specific language governing permissions and limitations
19   * under the License.
20   */
21  
22  import org.apache.archiva.redback.authentication.AuthenticationResult;
23  import org.apache.archiva.redback.authorization.AuthorizationException;
24  import org.apache.archiva.redback.authorization.RedbackAuthorization;
25  import org.apache.archiva.redback.integration.filter.authentication.basic.HttpBasicAuthentication;
26  import org.apache.archiva.redback.system.SecuritySession;
27  import org.apache.archiva.redback.system.SecuritySystem;
28  import org.apache.commons.lang.StringUtils;
29  import org.apache.cxf.jaxrs.ext.RequestHandler;
30  import org.apache.cxf.jaxrs.model.ClassResourceInfo;
31  import org.apache.cxf.message.Message;
32  import org.slf4j.Logger;
33  import org.slf4j.LoggerFactory;
34  import org.springframework.stereotype.Service;
35  
36  import javax.inject.Inject;
37  import javax.inject.Named;
38  import javax.servlet.http.HttpServletRequest;
39  import javax.ws.rs.core.Response;
40  
41  /**
42   * @author Olivier Lamy
43   * @since 1.3
44   */
45  @Service ("permissionInterceptor#rest")
46  public class PermissionsInterceptor
47      extends AbstractInterceptor
48      implements RequestHandler
49  {
50  
51      @Inject
52      @Named (value = "securitySystem")
53      private SecuritySystem securitySystem;
54  
55      @Inject
56      @Named (value = "httpAuthenticator#basic")
57      private HttpBasicAuthentication httpAuthenticator;
58  
59      private Logger log = LoggerFactory.getLogger( getClass() );
60  
61      public Response handleRequest( Message message, ClassResourceInfo classResourceInfo )
62      {
63          RedbackAuthorization redbackAuthorization = getRedbackAuthorization( message );
64  
65          if ( redbackAuthorization != null )
66          {
67              if ( redbackAuthorization.noRestriction() )
68              {
69                  // we are fine this services is marked as non restrictive acces
70                  return null;
71              }
72              String[] permissions = redbackAuthorization.permissions();
73              //olamy: no value is an array with an empty String
74              if ( permissions != null && permissions.length > 0 && !( permissions.length == 1 && StringUtils.isEmpty(
75                  permissions[0] ) ) )
76              {
77                  HttpServletRequest request = getHttpServletRequest( message );
78                  SecuritySession session = httpAuthenticator.getSecuritySession( request.getSession() );
79                  AuthenticationResult authenticationResult = message.get( AuthenticationResult.class );
80                  if ( authenticationResult != null && authenticationResult.isAuthenticated() )
81                  {
82                      for ( String permission : permissions )
83                      {
84                          if ( StringUtils.isBlank( permission ) )
85                          {
86                              continue;
87                          }
88                          try
89                          {
90                              if ( securitySystem.isAuthorized( session, permission,
91                                                                StringUtils.isBlank( redbackAuthorization.resource() )
92                                                                    ? null
93                                                                    : redbackAuthorization.resource() ) )
94                              {
95                                  return null;
96                              }
97                              else
98                              {
99                                  log.debug( "user {} not authorized for permission {}", session.getUser().getUsername(),
100                                            permission );
101                             }
102                         }
103                         catch ( AuthorizationException e )
104                         {
105                             log.debug( e.getMessage(), e );
106                             return Response.status( Response.Status.FORBIDDEN ).build();
107                         }
108                     }
109 
110                 }
111                 else
112                 {
113                     log.debug( "user {} not authenticated", session.getUser().getUsername() );
114                 }
115             }
116             else
117             {
118                 if ( redbackAuthorization.noPermission() )
119                 {
120                     log.debug( "path {} doesn't need special permission", message.get( Message.REQUEST_URI ) );
121                     return null;
122                 }
123                 return Response.status( Response.Status.FORBIDDEN ).build();
124             }
125         }
126         log.warn( "http path {} doesn't contain any informations regarding permissions ",
127                   message.get( Message.REQUEST_URI ) );
128         // here we failed to authenticate so 403 as there is no detail on karma for this
129         // it must be marked as it's exposed
130         return Response.status( Response.Status.FORBIDDEN ).build();
131     }
132 }