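package org.apache.archiva.security;

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership. The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied. See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

import java.util.List;

import org.apache.archiva.redback.rbac.RbacManagerException;
import org.apache.archiva.redback.system.check.EnvironmentCheck;
import org.apache.archiva.security.common.ArchivaRoleConstants;
import org.apache.archiva.redback.rbac.RBACManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;

import javax.inject.Inject;
import javax.inject.Named;

/**
 * Environment check that verifies the standard Archiva roles and operations exist in the RBAC store.
 * <p>
 * Every role or operation that cannot be confirmed is reported by appending a message to the
 * caller-supplied violations list. This class only reports; what happens when violations are
 * present is decided by whoever runs the check.
 */
@Service("environmentCheck#archiva-required-roles")
public class ArchivaStandardRolesCheck
    implements EnvironmentCheck
{
    private final Logger log = LoggerFactory.getLogger( ArchivaStandardRolesCheck.class );

    /**
     * RBAC manager queried for the expected roles and operations; injected as the bean named
     * "rbacManager#cached".
     */
    @Inject
    @Named(value = "rbacManager#cached")
    private RBACManager rbacManager;

    /**
     * Set to true once this check has run, so that later calls return without checking again.
     * NOTE(review): plain field without synchronization; confirm the check is only invoked from one thread.
     */
    private boolean checked = false;

    /**
     * Verifies that each expected role and operation is known to the RBAC manager.
     * <p>
     * The check runs once per instance: after the first call the {@code checked} flag is set regardless
     * of the outcome, and later calls add nothing to {@code violations}.
     *
     * @param violations list that receives one message per role or operation that could not be confirmed
     */
    @Override
    public void validateEnvironment( List<String> violations )
    {
        if ( checked )
        {
            return;
        }

        String[] expectedRoles = {
            ArchivaRoleConstants.SYSTEM_ADMINISTRATOR_ROLE,
            ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE,
            ArchivaRoleConstants.GLOBAL_REPOSITORY_OBSERVER_ROLE,
            ArchivaRoleConstants.GUEST_ROLE,
            ArchivaRoleConstants.REGISTERED_USER_ROLE,
            ArchivaRoleConstants.USER_ADMINISTRATOR_ROLE };

        log.info( "Checking the existance of required roles." );

        for ( String roleName : expectedRoles )
        {
            try
            {
                if ( !rbacManager.roleExists( roleName ) )
                {
                    violations.add( "Unable to validate the existances of the '" + roleName + "' role." );
                }
            }
            catch ( RbacManagerException e )
            {
                // A lookup failure yields the same violation text as a missing role, so the exception is
                // passed to the logger to keep the cause available for diagnosis.
                log.warn( "fail to verify existence of role '{}'", roleName, e );
                violations.add( "Unable to validate the existances of the '" + roleName + "' role." );
            }
        }

        // NOTE(review): the previous list named OPERATION_REPOSITORY_ACCESS twice, which could only add a
        // second identical violation. The repeat is dropped here; confirm the second entry was not meant
        // to be a different operation constant.
        String[] expectedOperations = {
            ArchivaRoleConstants.OPERATION_MANAGE_USERS,
            ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION,
            ArchivaRoleConstants.OPERATION_REGENERATE_INDEX,
            ArchivaRoleConstants.OPERATION_RUN_INDEXER,
            ArchivaRoleConstants.OPERATION_ACCESS_REPORT,
            ArchivaRoleConstants.OPERATION_ADD_REPOSITORY,
            ArchivaRoleConstants.OPERATION_DELETE_REPOSITORY,
            ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS,
            ArchivaRoleConstants.OPERATION_EDIT_REPOSITORY,
            ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD,
            "archiva-guest" };

        log.info( "Checking the existance of required operations." );

        for ( String operation : expectedOperations )
        {
            if ( !rbacManager.operationExists( operation ) )
            {
                violations.add( "Unable to validate the existances of the '" + operation + "' operation." );
            }
        }

        // Marked as done even when violations were found; later calls will not report them again.
        checked = true;
    }

}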