Search in sources :

Example 1 with Permission

use of edu.harvard.iq.dataverse.authorization.Permission in project dataverse by IQSS.

the class ReturnDatasetToAuthorCommandTest method setUp.

@Before
public void setUp() {
    dataset = new Dataset();
    HttpServletRequest aHttpServletRequest = null;
    dataverseRequest = new DataverseRequest(MocksFactory.makeAuthenticatedUser("First", "Last"), aHttpServletRequest);
    testEngine = new TestDataverseEngine(new TestCommandContext() {

        @Override
        public AuthenticationServiceBean authentication() {
            return new AuthenticationServiceBean() {

                @Override
                public AuthenticatedUser getAuthenticatedUser(String id) {
                    return MocksFactory.makeAuthenticatedUser("First", "Last");
                }
            };
        }

        @Override
        public IndexServiceBean index() {
            return new IndexServiceBean() {

                @Override
                public Future<String> indexDataset(Dataset dataset, boolean doNormalSolrDocCleanUp) {
                    return null;
                }
            };
        }

        @Override
        public EntityManager em() {
            return new NoOpTestEntityManager();
        }

        @Override
        public DatasetServiceBean datasets() {
            return new DatasetServiceBean() {

                {
                    em = new NoOpTestEntityManager();
                }

                @Override
                public DatasetVersionUser getDatasetVersionUser(DatasetVersion version, User user) {
                    return null;
                }

                @Override
                public WorkflowComment addWorkflowComment(WorkflowComment comment) {
                    return comment;
                }

                @Override
                public void removeDatasetLocks(Long datasetId, DatasetLock.Reason aReason) {
                }
            };
        }

        @Override
        public DataverseRoleServiceBean roles() {
            return new DataverseRoleServiceBean() {

                @Override
                public DataverseRole findBuiltinRoleByAlias(String alias) {
                    return new DataverseRole();
                }

                @Override
                public RoleAssignment save(RoleAssignment assignment) {
                    // no-op
                    return assignment;
                }
            };
        }

        @Override
        public PermissionServiceBean permissions() {
            return new PermissionServiceBean() {

                @Override
                public List<AuthenticatedUser> getUsersWithPermissionOn(Permission permission, DvObject dvo) {
                    // We only need permissions for notifications, which we are testing in InReviewWorkflowIT.
                    return Collections.emptyList();
                }
            };
        }
    });
}
Also used : DataverseRoleServiceBean(edu.harvard.iq.dataverse.DataverseRoleServiceBean) TestCommandContext(edu.harvard.iq.dataverse.engine.TestCommandContext) AuthenticatedUser(edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser) User(edu.harvard.iq.dataverse.authorization.users.User) DatasetVersionUser(edu.harvard.iq.dataverse.DatasetVersionUser) PermissionServiceBean(edu.harvard.iq.dataverse.PermissionServiceBean) DvObject(edu.harvard.iq.dataverse.DvObject) Dataset(edu.harvard.iq.dataverse.Dataset) WorkflowComment(edu.harvard.iq.dataverse.workflows.WorkflowComment) RoleAssignment(edu.harvard.iq.dataverse.RoleAssignment) NoOpTestEntityManager(edu.harvard.iq.dataverse.engine.NoOpTestEntityManager) DatasetVersion(edu.harvard.iq.dataverse.DatasetVersion) AuthenticatedUser(edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser) AuthenticationServiceBean(edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean) TestDataverseEngine(edu.harvard.iq.dataverse.engine.TestDataverseEngine) DataverseRole(edu.harvard.iq.dataverse.authorization.DataverseRole) HttpServletRequest(javax.servlet.http.HttpServletRequest) DataverseRequest(edu.harvard.iq.dataverse.engine.command.DataverseRequest) DatasetServiceBean(edu.harvard.iq.dataverse.DatasetServiceBean) Permission(edu.harvard.iq.dataverse.authorization.Permission) IndexServiceBean(edu.harvard.iq.dataverse.search.IndexServiceBean) Before(org.junit.Before)

Example 2 with Permission

use of edu.harvard.iq.dataverse.authorization.Permission in project dataverse by IQSS.

the class EjbDataverseEngine method submit.

public <R> R submit(Command<R> aCommand) throws CommandException {
    final ActionLogRecord logRec = new ActionLogRecord(ActionLogRecord.ActionType.Command, aCommand.getClass().getCanonicalName());
    try {
        logRec.setUserIdentifier(aCommand.getRequest().getUser().getIdentifier());
        // Check permissions - or throw an exception
        Map<String, ? extends Set<Permission>> requiredMap = aCommand.getRequiredPermissions();
        if (requiredMap == null) {
            throw new RuntimeException("Command " + aCommand + " does not define required permissions.");
        }
        DataverseRequest dvReq = aCommand.getRequest();
        Map<String, DvObject> affectedDvObjects = aCommand.getAffectedDvObjects();
        logRec.setInfo(aCommand.describe());
        for (Map.Entry<String, ? extends Set<Permission>> pair : requiredMap.entrySet()) {
            String dvName = pair.getKey();
            if (!affectedDvObjects.containsKey(dvName)) {
                throw new RuntimeException("Command instance " + aCommand + " does not have a DvObject named '" + dvName + "'");
            }
            DvObject dvo = affectedDvObjects.get(dvName);
            Set<Permission> granted = (dvo != null) ? permissionService.permissionsFor(dvReq, dvo) : EnumSet.allOf(Permission.class);
            Set<Permission> required = requiredMap.get(dvName);
            if (!granted.containsAll(required)) {
                required.removeAll(granted);
                logRec.setActionResult(ActionLogRecord.Result.PermissionError);
                /**
                 * @todo Is there any harm in showing the "granted" set
                 * since we already show "required"? It would help people
                 * reason about the mismatch.
                 */
                throw new PermissionException("Can't execute command " + aCommand + ", because request " + aCommand.getRequest() + " is missing permissions " + required + " on Object " + dvo.accept(DvObject.NamePrinter), aCommand, required, dvo);
            }
        }
        try {
            return aCommand.execute(getContext());
        } catch (EJBException ejbe) {
            logRec.setActionResult(ActionLogRecord.Result.InternalError);
            throw new CommandException("Command " + aCommand.toString() + " failed: " + ejbe.getMessage(), ejbe.getCausedByException(), aCommand);
        }
    } catch (RuntimeException re) {
        logRec.setActionResult(ActionLogRecord.Result.InternalError);
        logRec.setInfo(re.getMessage());
        Throwable cause = re;
        while (cause != null) {
            if (cause instanceof ConstraintViolationException) {
                StringBuilder sb = new StringBuilder();
                sb.append("Unexpected bean validation constraint exception:");
                ConstraintViolationException constraintViolationException = (ConstraintViolationException) cause;
                for (ConstraintViolation<?> violation : constraintViolationException.getConstraintViolations()) {
                    sb.append(" Invalid value: <<<").append(violation.getInvalidValue()).append(">>> for ").append(violation.getPropertyPath()).append(" at ").append(violation.getLeafBean()).append(" - ").append(violation.getMessage());
                }
                logger.log(Level.SEVERE, sb.toString());
                // set this more detailed info in action log
                logRec.setInfo(sb.toString());
            }
            cause = cause.getCause();
        }
        throw re;
    } finally {
        if (logRec.getActionResult() == null) {
            logRec.setActionResult(ActionLogRecord.Result.OK);
        }
        logRec.setEndTime(new java.util.Date());
        logSvc.log(logRec);
    }
}
Also used : PermissionException(edu.harvard.iq.dataverse.engine.command.exception.PermissionException) CommandException(edu.harvard.iq.dataverse.engine.command.exception.CommandException) ActionLogRecord(edu.harvard.iq.dataverse.actionlogging.ActionLogRecord) DataverseRequest(edu.harvard.iq.dataverse.engine.command.DataverseRequest) ConstraintViolation(javax.validation.ConstraintViolation) Permission(edu.harvard.iq.dataverse.authorization.Permission) ConstraintViolationException(javax.validation.ConstraintViolationException) EJBException(javax.ejb.EJBException) Map(java.util.Map)

Example 3 with Permission

use of edu.harvard.iq.dataverse.authorization.Permission in project dataverse by IQSS.

the class ManagePermissionsPage method setRole.

public void setRole(DataverseRole role) {
    this.role = role;
    selectedPermissions = new LinkedList<>();
    if (role != null) {
        for (Permission p : role.permissions()) {
            selectedPermissions.add(p.name());
        }
    }
}
Also used : Permission(edu.harvard.iq.dataverse.authorization.Permission)

Example 4 with Permission

use of edu.harvard.iq.dataverse.authorization.Permission in project dataverse by IQSS.

the class PermissionServiceBean method permissionsFor.

/**
 * Finds all the permissions the {@link User} in {@code req} has over
 * {@code dvo}, in the context of {@code req}.
 * @param req
 * @param dvo
 * @return Permissions of {@code req.getUser()} over {@code dvo}.
 */
public Set<Permission> permissionsFor(DataverseRequest req, DvObject dvo) {
    Set<Permission> permissions = EnumSet.noneOf(Permission.class);
    // Add permissions specifically given to the user
    permissions.addAll(permissionsForSingleRoleAssignee(req.getUser(), dvo));
    Set<Group> groups = groupService.groupsFor(req, dvo);
    // Add permissions gained from groups
    for (Group g : groups) {
        final Set<Permission> groupPremissions = permissionsForSingleRoleAssignee(g, dvo);
        permissions.addAll(groupPremissions);
    }
    if (!req.getUser().isAuthenticated()) {
        permissions.removeAll(PERMISSIONS_FOR_AUTHENTICATED_USERS_ONLY);
    }
    return permissions;
}
Also used : Group(edu.harvard.iq.dataverse.authorization.groups.Group) Permission(edu.harvard.iq.dataverse.authorization.Permission)

Example 5 with Permission

use of edu.harvard.iq.dataverse.authorization.Permission in project dataverse by IQSS.

the class PermissionServiceBean method permissionsFor.

/**
 * Returns the set of permission a user/group has over a dataverse object.
 * This method takes into consideration group memberships as well, but does
 * not look into request-level groups.
 * @param ra The role assignee.
 * @param dvo The {@link DvObject} on which the user wants to operate
 * @return the set of permissions {@code ra} has over {@code dvo}.
 */
public Set<Permission> permissionsFor(RoleAssignee ra, DvObject dvo) {
    Set<Permission> permissions = EnumSet.noneOf(Permission.class);
    // Add permissions specifically given to the user
    permissions.addAll(permissionsForSingleRoleAssignee(ra, dvo));
    // Add permissions gained from groups
    Set<Group> groupsRaBelongsTo = groupService.groupsFor(ra, dvo);
    for (Group g : groupsRaBelongsTo) {
        permissions.addAll(permissionsForSingleRoleAssignee(g, dvo));
    }
    if ((ra instanceof User) && (!((User) ra).isAuthenticated())) {
        permissions.removeAll(PERMISSIONS_FOR_AUTHENTICATED_USERS_ONLY);
    }
    return permissions;
}
Also used : Group(edu.harvard.iq.dataverse.authorization.groups.Group) AuthenticatedUser(edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser) User(edu.harvard.iq.dataverse.authorization.users.User) GuestUser(edu.harvard.iq.dataverse.authorization.users.GuestUser) Permission(edu.harvard.iq.dataverse.authorization.Permission)

Aggregations

Permission (edu.harvard.iq.dataverse.authorization.Permission)7 AuthenticatedUser (edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser)3 User (edu.harvard.iq.dataverse.authorization.users.User)3 DataverseRequest (edu.harvard.iq.dataverse.engine.command.DataverseRequest)3 Dataset (edu.harvard.iq.dataverse.Dataset)2 DatasetServiceBean (edu.harvard.iq.dataverse.DatasetServiceBean)2 DatasetVersion (edu.harvard.iq.dataverse.DatasetVersion)2 DatasetVersionUser (edu.harvard.iq.dataverse.DatasetVersionUser)2 DataverseRoleServiceBean (edu.harvard.iq.dataverse.DataverseRoleServiceBean)2 DvObject (edu.harvard.iq.dataverse.DvObject)2 PermissionServiceBean (edu.harvard.iq.dataverse.PermissionServiceBean)2 RoleAssignment (edu.harvard.iq.dataverse.RoleAssignment)2 AuthenticationServiceBean (edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean)2 DataverseRole (edu.harvard.iq.dataverse.authorization.DataverseRole)2 Group (edu.harvard.iq.dataverse.authorization.groups.Group)2 NoOpTestEntityManager (edu.harvard.iq.dataverse.engine.NoOpTestEntityManager)2 TestCommandContext (edu.harvard.iq.dataverse.engine.TestCommandContext)2 TestDataverseEngine (edu.harvard.iq.dataverse.engine.TestDataverseEngine)2 IndexServiceBean (edu.harvard.iq.dataverse.search.IndexServiceBean)2 HttpServletRequest (javax.servlet.http.HttpServletRequest)2