Search in sources :

Example 1 with GuestUser

use of edu.harvard.iq.dataverse.authorization.users.GuestUser in project dataverse by IQSS.

the class RoleAssigneeServiceBean method setup.

@PostConstruct
protected void setup() {
    GuestUser gu = GuestUser.get();
    predefinedRoleAssignees.put(gu.getIdentifier(), gu);
    predefinedRoleAssignees.put(AuthenticatedUsers.get().getIdentifier(), AuthenticatedUsers.get());
    predefinedRoleAssignees.put(AllUsers.get().getIdentifier(), AllUsers.get());
}
Also used : GuestUser(edu.harvard.iq.dataverse.authorization.users.GuestUser) PostConstruct(javax.annotation.PostConstruct)

Example 2 with GuestUser

use of edu.harvard.iq.dataverse.authorization.users.GuestUser in project dataverse by IQSS.

the class SearchServiceBean method getPermissionFilterQuery.

/**
 * Moved this logic out of the "search" function
 *
 * @return
 */
private String getPermissionFilterQuery(DataverseRequest dataverseRequest, SolrQuery solrQuery, Dataverse dataverse, boolean onlyDatatRelatedToMe) {
    User user = dataverseRequest.getUser();
    if (user == null) {
        throw new NullPointerException("user cannot be null");
    }
    if (solrQuery == null) {
        throw new NullPointerException("solrQuery cannot be null");
    }
    /**
     * @todo For people who are not logged in, should we show stuff indexed
     * with "AllUsers" group or not? If so, uncomment the allUsersString
     * stuff below.
     */
    // String allUsersString = IndexServiceBean.getGroupPrefix() + AllUsers.get().getAlias();
    // String publicOnly = "{!join from=" + SearchFields.DEFINITION_POINT + " to=id}" + SearchFields.DISCOVERABLE_BY + ":(" + IndexServiceBean.getPublicGroupString() + " OR " + allUsersString + ")";
    String publicOnly = "{!join from=" + SearchFields.DEFINITION_POINT + " to=id}" + SearchFields.DISCOVERABLE_BY + ":(" + IndexServiceBean.getPublicGroupString() + ")";
    // String publicOnly = "{!join from=" + SearchFields.GROUPS + " to=" + SearchFields.PERMS + "}id:" + IndexServiceBean.getPublicGroupString();
    // initialize to public only to be safe
    String dangerZoneNoSolrJoin = null;
    if (user instanceof PrivateUrlUser) {
        user = GuestUser.get();
    }
    // ----------------------------------------------------
    if (user instanceof GuestUser) {
        String groupsFromProviders = "";
        Set<Group> groups = groupService.collectAncestors(groupService.groupsFor(dataverseRequest));
        StringBuilder sb = new StringBuilder();
        for (Group group : groups) {
            logger.fine("found group " + group.getIdentifier() + " with alias " + group.getAlias());
            String groupAlias = group.getAlias();
            if (groupAlias != null && !groupAlias.isEmpty()) {
                sb.append(" OR ");
                // i.e. group_builtIn/all-users, ip/ipGroup3
                sb.append(IndexServiceBean.getGroupPrefix()).append(groupAlias);
            }
        }
        groupsFromProviders = sb.toString();
        logger.fine("groupsFromProviders:" + groupsFromProviders);
        String guestWithGroups = "{!join from=" + SearchFields.DEFINITION_POINT + " to=id}" + SearchFields.DISCOVERABLE_BY + ":(" + IndexServiceBean.getPublicGroupString() + groupsFromProviders + ")";
        logger.fine(guestWithGroups);
        return guestWithGroups;
    }
    // ----------------------------------------------------
    if (!(user instanceof AuthenticatedUser)) {
        logger.severe("Should never reach here. A User must be an AuthenticatedUser or a Guest");
        throw new IllegalStateException("A User must be an AuthenticatedUser or a Guest");
    }
    AuthenticatedUser au = (AuthenticatedUser) user;
    // Logged in user, has publication status facet
    // 
    solrQuery.addFacetField(SearchFields.PUBLICATION_STATUS);
    // ----------------------------------------------------
    if (au.isSuperuser()) {
        return dangerZoneNoSolrJoin;
    }
    // ----------------------------------------------------
    if (onlyDatatRelatedToMe == true) {
        if (systemConfig.myDataDoesNotUsePermissionDocs()) {
            logger.fine("old 4.2 behavior: MyData is not using Solr permission docs");
            return dangerZoneNoSolrJoin;
        } else {
            logger.fine("new post-4.2 behavior: MyData is using Solr permission docs");
        }
    }
    // ----------------------------------------------------
    // (5) Work with Authenticated User who is not a Superuser
    // ----------------------------------------------------
    /**
     * @todo all this code needs cleanup and clarification.
     */
    /**
     * Every AuthenticatedUser is part of a "User Private Group" (UGP), a
     * concept we borrow from RHEL:
     * https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/ch-Managing_Users_and_Groups.html#s2-users-groups-private-groups
     */
    /**
     * @todo rename this from publicPlusUserPrivateGroup. Confusing
     */
    // safe default: public only
    String publicPlusUserPrivateGroup = publicOnly;
    // + (onlyDatatRelatedToMe ? "" : (publicOnly + " OR "))
    // + "{!join from=" + SearchFields.GROUPS + " to=" + SearchFields.PERMS + "}id:" + IndexServiceBean.getGroupPerUserPrefix() + au.getId() + ")";
    // /**
    // * @todo add onlyDatatRelatedToMe option into the experimental JOIN
    // * before enabling it.
    // */
    /**
     * From a search perspective, we don't care about if the group was
     * created within one dataverse or another. We just want a list of *all*
     * the groups the user is part of. We are greedy. We want all BuiltIn
     * Groups, Shibboleth Groups, IP Groups, "system" groups, everything.
     *
     * A JOIN on "permission documents" will determine if the user can find
     * a given "content document" (dataset version, etc) in Solr.
     */
    String groupsFromProviders = "";
    Set<Group> groups = groupService.collectAncestors(groupService.groupsFor(dataverseRequest));
    StringBuilder sb = new StringBuilder();
    for (Group group : groups) {
        logger.fine("found group " + group.getIdentifier() + " with alias " + group.getAlias());
        String groupAlias = group.getAlias();
        if (groupAlias != null && !groupAlias.isEmpty()) {
            sb.append(" OR ");
            // i.e. group_builtIn/all-users, group_builtIn/authenticated-users, group_1-explictGroup1, group_shib/2
            sb.append(IndexServiceBean.getGroupPrefix() + groupAlias);
        }
    }
    groupsFromProviders = sb.toString();
    logger.fine(groupsFromProviders);
    if (true) {
        /**
         * @todo get rid of "experimental" in name
         */
        String experimentalJoin = "{!join from=" + SearchFields.DEFINITION_POINT + " to=id}" + SearchFields.DISCOVERABLE_BY + ":(" + IndexServiceBean.getPublicGroupString() + " OR " + IndexServiceBean.getGroupPerUserPrefix() + au.getId() + groupsFromProviders + ")";
        publicPlusUserPrivateGroup = experimentalJoin;
    }
    // permissionFilterQuery = publicPlusUserPrivateGroup;
    logger.fine(publicPlusUserPrivateGroup);
    return publicPlusUserPrivateGroup;
}
Also used : GuestUser(edu.harvard.iq.dataverse.authorization.users.GuestUser) Group(edu.harvard.iq.dataverse.authorization.groups.Group) AuthenticatedUser(edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser) User(edu.harvard.iq.dataverse.authorization.users.User) PrivateUrlUser(edu.harvard.iq.dataverse.authorization.users.PrivateUrlUser) GuestUser(edu.harvard.iq.dataverse.authorization.users.GuestUser) PrivateUrlUser(edu.harvard.iq.dataverse.authorization.users.PrivateUrlUser) AuthenticatedUser(edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser)

Example 3 with GuestUser

use of edu.harvard.iq.dataverse.authorization.users.GuestUser in project dataverse by IQSS.

the class WorldMapPermissionHelper method canUserSeeExploreWorldMapButton.

/**
 *  WARNING: Before calling this, make sure the user has download
 *  permission for the file!!  (See DatasetPage.canDownloadFile())
 *
 * Should there be a Explore WorldMap Button for this file?
 *   See table in: https://github.com/IQSS/dataverse/issues/1618
 *
 *  (1) Does the file have MapLayerMetadata?
 *  (2) Are the proper settings in place
 *
 * @param fm FileMetadata
 * @return boolean
 */
private boolean canUserSeeExploreWorldMapButton(FileMetadata fm, boolean permissionsChecked) {
    if (fm == null) {
        return false;
    }
    // This is only here to make the public method users think...
    if (!permissionsChecked) {
        return false;
    }
    if (this.fileMetadataWorldMapExplore.containsKey(fm.getId())) {
        // logger.info("using cached result for candownloadfile on filemetadata "+fid);
        return this.fileMetadataWorldMapExplore.get(fm.getId());
    }
    /* -----------------------------------------------------
           Does a Map Exist?
         ----------------------------------------------------- */
    if (!(this.hasMapLayerMetadata(fm))) {
        // See if it does
        MapLayerMetadata layer_metadata = mapLayerMetadataService.findMetadataByDatafile(fm.getDataFile());
        if (layer_metadata != null) {
            if (mapLayerMetadataLookup == null) {
                loadMapLayerMetadataLookup(fm.getDataFile().getOwner());
            }
            // yes: keep going...
            mapLayerMetadataLookup.put(layer_metadata.getDataFile().getId(), layer_metadata);
        } else {
            // Nope: no button
            this.fileMetadataWorldMapExplore.put(fm.getId(), false);
            return false;
        }
    }
    /*
            Is setting for GeoconnectViewMaps true?
            Nope? no button
        */
    if (!settingsWrapper.isTrueForKey(SettingsServiceBean.Key.GeoconnectViewMaps, false)) {
        this.fileMetadataWorldMapExplore.put(fm.getId(), false);
        return false;
    }
    if (fm.getDatasetVersion().isDeaccessioned()) {
        if (this.doesSessionUserHavePermission(Permission.EditDataset, fm)) {
            // Yes, save answer and return true
            this.fileMetadataWorldMapExplore.put(fm.getId(), true);
            return true;
        } else {
            this.fileMetadataWorldMapExplore.put(fm.getId(), false);
            return false;
        }
    }
    // Check for restrictions
    boolean isRestrictedFile = fm.isRestricted();
    // --------------------------------------------------------------------
    if (!isRestrictedFile) {
        // Yes, save answer and return true
        this.fileMetadataWorldMapExplore.put(fm.getId(), true);
        return true;
    }
    if (session.getUser() instanceof GuestUser) {
        this.fileMetadataWorldMapExplore.put(fm.getId(), false);
        return false;
    }
    if (!this.doesSessionUserHavePermission(Permission.DownloadFile, fm)) {
        // Yes, save answer and return true
        this.fileMetadataWorldMapExplore.put(fm.getId(), false);
        return false;
    }
    /* -----------------------------------------------------
             Yes: User can view button!
         ----------------------------------------------------- */
    this.fileMetadataWorldMapExplore.put(fm.getId(), true);
    return true;
}
Also used : MapLayerMetadata(edu.harvard.iq.dataverse.MapLayerMetadata) GuestUser(edu.harvard.iq.dataverse.authorization.users.GuestUser)

Example 4 with GuestUser

use of edu.harvard.iq.dataverse.authorization.users.GuestUser in project dataverse by IQSS.

the class Access method isAccessAuthorized.

private boolean isAccessAuthorized(DataFile df, String apiToken) {
    // First, check if the file belongs to a released Dataset version:
    boolean published = false;
    if (df.getOwner().getReleasedVersion() != null) {
        // logger.fine("file belongs to a dataset with a released version.");
        if (df.getOwner().getReleasedVersion().getFileMetadatas() != null) {
            // logger.fine("going through the list of filemetadatas that belong to the released version.");
            for (FileMetadata fm : df.getOwner().getReleasedVersion().getFileMetadatas()) {
                if (df.equals(fm.getDataFile())) {
                    // logger.fine("found a match!");
                    published = true;
                }
            }
        }
    }
    // TODO: (IMPORTANT!)
    // Business logic like this should NOT be maintained in individual
    // application fragments.
    // At the moment it is duplicated here, and inside the Dataset page.
    // There are also stubs for file-level permission lookups and caching
    // inside Gustavo's view-scoped PermissionsWrapper.
    // All this logic needs to be moved to the PermissionServiceBean where it will be
    // centrally maintained; with the PermissionsWrapper providing
    // efficient cached lookups to the pages (that often need to make
    // repeated lookups on the same files). Care will need to be taken
    // to preserve the slight differences in logic utilized by the page and
    // this Access call (the page checks the restriction flag on the
    // filemetadata, not the datafile - as it needs to reflect the permission
    // status of the file in the version history).
    // I will open a 4.[34] ticket.
    // 
    // -- L.A. 4.2.1
    // We don't need to check permissions on files that are
    // from released Dataset versions and not restricted:
    boolean restricted = false;
    if (df.isRestricted()) {
        restricted = true;
    } else {
        // !df.isReleased() really means just this: new file, only exists in a Draft version!
        if (!df.isReleased()) {
            if (df.getFileMetadata().isRestricted()) {
                restricted = true;
            }
        }
    }
    if (!restricted) {
        // be handled below)
        if (published) {
            return true;
        }
    }
    User user = null;
    if (session != null) {
        if (session.getUser() != null) {
            if (session.getUser().isAuthenticated()) {
                user = session.getUser();
            } else {
                logger.fine("User associated with the session is not an authenticated user.");
                if (session.getUser() instanceof PrivateUrlUser) {
                    logger.fine("User associated with the session is a PrivateUrlUser user.");
                    user = session.getUser();
                }
                if (session.getUser() instanceof GuestUser) {
                    logger.fine("User associated with the session is indeed a guest user.");
                }
            }
        } else {
            logger.fine("No user associated with the session.");
        }
    } else {
        logger.fine("Session is null.");
    }
    User apiTokenUser = null;
    if ((apiToken != null) && (apiToken.length() != 64)) {
        try {
            logger.fine("calling apiTokenUser = findUserOrDie()...");
            apiTokenUser = findUserOrDie();
        } catch (WrappedResponse wr) {
            logger.log(Level.FINE, "Message from findUserOrDie(): {0}", wr.getMessage());
        }
        if (apiTokenUser == null) {
            logger.warning("API token-based auth: Unable to find a user with the API token provided.");
        }
    }
    if (!restricted) {
        if (user != null) {
            // used in JSF context
            if (permissionService.requestOn(dvRequestService.getDataverseRequest(), df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
                // it's not unthinkable, that a null user (i.e., guest user) could be given
                // the ViewUnpublished permission!
                logger.log(Level.FINE, "Session-based auth: user {0} has access rights on the non-restricted, unpublished datafile.", user.getIdentifier());
                return true;
            }
        }
        if (apiTokenUser != null) {
            // used in an API context
            if (permissionService.requestOn(createDataverseRequest(apiTokenUser), df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
                logger.log(Level.FINE, "Session-based auth: user {0} has access rights on the non-restricted, unpublished datafile.", apiTokenUser.getIdentifier());
                return true;
            }
        }
        // Guset user is impled by the code above.
        if (permissionService.requestOn(dvRequestService.getDataverseRequest(), df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
            return true;
        }
    // We don't want to return false just yet.
    // If all else fails, we'll want to use the special WorldMapAuth
    // token authentication before we give up.
    // return false;
    } else {
        // OK, this is a restricted file.
        boolean hasAccessToRestrictedBySession = false;
        boolean hasAccessToRestrictedByToken = false;
        if (permissionService.on(df).has(Permission.DownloadFile)) {
            // Note: PermissionServiceBean.on(Datafile df) will obtain the
            // User from the Session object, just like in the code fragment
            // above. That's why it's not passed along as an argument.
            hasAccessToRestrictedBySession = true;
        } else if (apiTokenUser != null && permissionService.requestOn(createDataverseRequest(apiTokenUser), df).has(Permission.DownloadFile)) {
            hasAccessToRestrictedByToken = true;
        }
        if (hasAccessToRestrictedBySession || hasAccessToRestrictedByToken) {
            if (published) {
                if (hasAccessToRestrictedBySession) {
                    if (user != null) {
                        logger.log(Level.FINE, "Session-based auth: user {0} is granted access to the restricted, published datafile.", user.getIdentifier());
                    } else {
                        logger.fine("Session-based auth: guest user is granted access to the restricted, published datafile.");
                    }
                } else {
                    logger.log(Level.FINE, "Token-based auth: user {0} is granted access to the restricted, published datafile.", apiTokenUser.getIdentifier());
                }
                return true;
            } else {
                // user with the ViewUnpublished permission, or vice versa!
                if (hasAccessToRestrictedBySession) {
                    if (permissionService.on(df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
                        if (user != null) {
                            logger.log(Level.FINE, "Session-based auth: user {0} is granted access to the restricted, unpublished datafile.", user.getIdentifier());
                        } else {
                            logger.fine("Session-based auth: guest user is granted access to the restricted, unpublished datafile.");
                        }
                        return true;
                    }
                } else {
                    if (apiTokenUser != null && permissionService.requestOn(createDataverseRequest(apiTokenUser), df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
                        logger.log(Level.FINE, "Token-based auth: user {0} is granted access to the restricted, unpublished datafile.", apiTokenUser.getIdentifier());
                        return true;
                    }
                }
            }
        }
    }
    if ((apiToken != null) && (apiToken.length() == 64)) {
        /* 
                WorldMap token check
                - WorldMap tokens are 64 chars in length
            
                - Use the worldMapTokenServiceBean to verify token 
                    and check permissions against the requested DataFile
            */
        if (!(this.worldMapTokenServiceBean.isWorldMapTokenAuthorizedForDataFileDownload(apiToken, df))) {
            return false;
        }
        // Yes! User may access file
        // 
        logger.fine("WorldMap token-based auth: Token is valid for the requested datafile");
        return true;
    } else if ((apiToken != null) && (apiToken.length() != 64)) {
        try {
            logger.fine("calling user = findUserOrDie()...");
            user = findUserOrDie();
        } catch (WrappedResponse wr) {
            logger.log(Level.FINE, "Message from findUserOrDie(): {0}", wr.getMessage());
        }
        if (user == null) {
            logger.warning("API token-based auth: Unable to find a user with the API token provided.");
            return false;
        }
        if (permissionService.requestOn(createDataverseRequest(user), df).has(Permission.DownloadFile)) {
            if (published) {
                logger.log(Level.FINE, "API token-based auth: User {0} has rights to access the datafile.", user.getIdentifier());
                return true;
            } else {
                // unpublished versions:
                if (permissionService.requestOn(createDataverseRequest(user), df.getOwner()).has(Permission.ViewUnpublishedDataset)) {
                    logger.log(Level.FINE, "API token-based auth: User {0} has rights to access the (unpublished) datafile.", user.getIdentifier());
                    return true;
                } else {
                    logger.log(Level.FINE, "API token-based auth: User {0} is not authorized to access the (unpublished) datafile.", user.getIdentifier());
                }
            }
        } else {
            logger.log(Level.FINE, "API token-based auth: User {0} is not authorized to access the datafile.", user.getIdentifier());
        }
        return false;
    }
    if (user != null) {
        logger.log(Level.FINE, "Session-based auth: user {0} has NO access rights on the requested datafile.", user.getIdentifier());
    }
    if (apiTokenUser != null) {
        logger.log(Level.FINE, "Token-based auth: user {0} has NO access rights on the requested datafile.", apiTokenUser.getIdentifier());
    }
    if (user == null && apiTokenUser == null) {
        logger.fine("Unauthenticated access: No guest access to the datafile.");
    }
    return false;
}
Also used : GuestUser(edu.harvard.iq.dataverse.authorization.users.GuestUser) AuthenticatedUser(edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser) User(edu.harvard.iq.dataverse.authorization.users.User) PrivateUrlUser(edu.harvard.iq.dataverse.authorization.users.PrivateUrlUser) GuestUser(edu.harvard.iq.dataverse.authorization.users.GuestUser) PrivateUrlUser(edu.harvard.iq.dataverse.authorization.users.PrivateUrlUser) FileMetadata(edu.harvard.iq.dataverse.FileMetadata)

Aggregations

GuestUser (edu.harvard.iq.dataverse.authorization.users.GuestUser)4 AuthenticatedUser (edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser)2 PrivateUrlUser (edu.harvard.iq.dataverse.authorization.users.PrivateUrlUser)2 User (edu.harvard.iq.dataverse.authorization.users.User)2 FileMetadata (edu.harvard.iq.dataverse.FileMetadata)1 MapLayerMetadata (edu.harvard.iq.dataverse.MapLayerMetadata)1 Group (edu.harvard.iq.dataverse.authorization.groups.Group)1 PostConstruct (javax.annotation.PostConstruct)1