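package org.apache.archiva.security;

/*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */

import org.apache.archiva.redback.rbac.RBACManager;
import org.apache.archiva.redback.rbac.RbacManagerException;
import org.apache.archiva.redback.system.check.EnvironmentCheck;
import org.apache.archiva.security.common.ArchivaRoleConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Service;

import javax.inject.Inject;
import javax.inject.Named;
import java.util.List;

/**
 * ArchivaStandardRolesCheck tests for the existence of the expected / standard roles and
 * operations (permissions) in the RBAC store.
 * <p>
 * Every missing role or operation is reported as one entry in the {@code violations} list
 * passed to {@link #validateEnvironment(List)}. A role whose existence cannot be queried at
 * all (the RBAC manager throws {@link RbacManagerException}) is reported as a violation too,
 * so an unreadable store is treated as a failed check rather than as a healthy one.
 * <p>
 * The check runs at most once per instance: after the first call {@link #checked} is set and
 * later calls are no-ops, whether or not the first run found violations. The flag is not
 * synchronized; this assumes environment checks are driven from a single thread at startup
 * (TODO confirm against the Redback check runner).
 */
@Service("environmentCheck#archiva-required-roles")
public class ArchivaStandardRolesCheck
    implements EnvironmentCheck
{
    private static final Logger log = LoggerFactory.getLogger( ArchivaStandardRolesCheck.class );

    /**
     * Roles that must exist. Violations are reported in this order.
     */
    private static final String[] EXPECTED_ROLES = {
        ArchivaRoleConstants.SYSTEM_ADMINISTRATOR_ROLE,
        ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE,
        ArchivaRoleConstants.GLOBAL_REPOSITORY_OBSERVER_ROLE,
        ArchivaRoleConstants.GUEST_ROLE,
        ArchivaRoleConstants.REGISTERED_USER_ROLE,
        ArchivaRoleConstants.USER_ADMINISTRATOR_ROLE };

    /**
     * Operations (permissions) that must exist. Violations are reported in this order.
     * <p>
     * NOTE(review): the previous list contained {@code OPERATION_REPOSITORY_ACCESS} twice, which
     * made the same violation appear twice when it was missing; the duplicate entry has been
     * dropped. It is possible a different constant was meant in that slot - verify against
     * {@link ArchivaRoleConstants}. {@code "archiva-guest"} is kept as a literal because no
     * constant for it is visible here.
     */
    private static final String[] EXPECTED_OPERATIONS = {
        ArchivaRoleConstants.OPERATION_MANAGE_USERS,
        ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION,
        ArchivaRoleConstants.OPERATION_REGENERATE_INDEX,
        ArchivaRoleConstants.OPERATION_RUN_INDEXER,
        ArchivaRoleConstants.OPERATION_ACCESS_REPORT,
        ArchivaRoleConstants.OPERATION_ADD_REPOSITORY,
        ArchivaRoleConstants.OPERATION_DELETE_REPOSITORY,
        ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS,
        ArchivaRoleConstants.OPERATION_EDIT_REPOSITORY,
        ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD,
        "archiva-guest" };

    /**
     * RBAC store that is queried for roles and operations. The cached manager is injected, so
     * the answers reflect whatever that cache currently holds rather than a fresh read of the
     * backing store (TODO confirm the cache is populated before environment checks run).
     */
    @Inject
    @Named(value = "rbacManager#cached")
    private RBACManager rbacManager;

    /**
     * boolean detailing if this environment check has been executed
     */
    private boolean checked = false;

    /**
     * Verifies that all standard roles and operations exist, appending one message per
     * missing (or unverifiable) item to {@code violations}. Only the first invocation does any
     * work; subsequent invocations return immediately.
     *
     * @param violations list to which violation messages are appended; must not be null
     */
    @Override
    public void validateEnvironment( List<String> violations )
    {
        if ( checked )
        {
            return;
        }

        log.info( "Checking the existance of required roles." );
        checkRoles( violations );

        log.info( "Checking the existance of required operations." );
        checkOperations( violations );

        // Set unconditionally, as before: a failed first run is not retried on later calls.
        checked = true;
    }

    /**
     * Appends a violation for each expected role that is missing or cannot be queried.
     * <p>
     * A query failure is reported exactly like a missing role (fail closed); the exception is
     * logged with its stack trace so the root cause (store unreachable, misconfiguration, ...)
     * is not lost - the previous implementation logged only the role name.
     */
    private void checkRoles( List<String> violations )
    {
        for ( String roleName : EXPECTED_ROLES )
        {
            try
            {
                if ( !rbacManager.roleExists( roleName ) )
                {
                    violations.add( "Unable to validate the existances of the '" + roleName + "' role." );
                }
            }
            catch ( RbacManagerException e )
            {
                log.warn( "fail to verify existence of role '{}'", roleName, e );
                violations.add( "Unable to validate the existances of the '" + roleName + "' role." );
            }
        }
    }

    /**
     * Appends a violation for each expected operation that is missing.
     * {@code operationExists} declares no checked exception here, so unlike {@link #checkRoles}
     * there is nothing to catch; a runtime failure propagates to the caller.
     */
    private void checkOperations( List<String> violations )
    {
        for ( String operation : EXPECTED_OPERATIONS )
        {
            if ( !rbacManager.operationExists( operation ) )
            {
                violations.add( "Unable to validate the existances of the '" + operation + "' operation." );
            }
        }
    }
}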