Search in sources :

Example 1 with AuthorizationService

use of org.apereo.portal.services.AuthorizationService in project uPortal by Jasig.

the class PortletRendererImpl method enforceConfigPermission.

/**
     * Enforces config mode access control. If requesting user does not have CONFIG permission, and
     * the PortletWindow specifies config mode, throws AuthorizationException. Otherwise does
     * nothing.
     *
     * @param httpServletRequest the non-null current HttpServletRequest (for determining requesting
     *     user)
     * @param portletWindow a non-null portlet window that might be in config mode
     * @throws AuthorizationException if the user is not permitted to access config mode yet portlet
     *     window specifies config mode
     * @throws java.lang.IllegalArgumentException if the request or window are null
     * @since 4.0.13.1, 4.0.14, 4.1.
     */
protected void enforceConfigPermission(final HttpServletRequest httpServletRequest, final IPortletWindow portletWindow) {
    Validate.notNull(httpServletRequest, "Servlet request must not be null to determine remote user.");
    Validate.notNull(portletWindow, "Portlet window must not be null to determine its mode.");
    final PortletMode portletMode = portletWindow.getPortletMode();
    if (portletMode != null) {
        if (IPortletRenderer.CONFIG.equals(portletMode)) {
            final IPerson person = this.personManager.getPerson(httpServletRequest);
            final EntityIdentifier ei = person.getEntityIdentifier();
            final AuthorizationService authorizationService = AuthorizationService.instance();
            final IAuthorizationPrincipal ap = authorizationService.newPrincipal(ei.getKey(), ei.getType());
            final IPortletEntity portletEntity = portletWindow.getPortletEntity();
            final IPortletDefinition portletDefinition = portletEntity.getPortletDefinition();
            if (!ap.canConfigure(portletDefinition.getPortletDefinitionId().getStringId())) {
                logger.error("User {} attempted to use portlet {} in {} but lacks permission to use that mode.  " + "THIS MAY BE AN ATTEMPT TO EXPLOIT A HISTORICAL SECURITY FLAW.  " + "You should probably figure out who this user is and why they are trying to access " + "unauthorized portlet modes.", person.getUserName(), portletDefinition.getFName(), portletMode);
                throw new AuthorizationException(person.getUserName() + " does not have permission to render '" + portletDefinition.getFName() + "' in " + portletMode + " PortletMode.");
            }
        }
    }
}
Also used : IPerson(org.apereo.portal.security.IPerson) AuthorizationService(org.apereo.portal.services.AuthorizationService) IPortletEntity(org.apereo.portal.portlet.om.IPortletEntity) AuthorizationException(org.apereo.portal.AuthorizationException) IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal) EntityIdentifier(org.apereo.portal.EntityIdentifier) PortletMode(javax.portlet.PortletMode) IPortletDefinition(org.apereo.portal.portlet.om.IPortletDefinition)

Example 2 with AuthorizationService

use of org.apereo.portal.services.AuthorizationService in project uPortal by Jasig.

the class GroupListHelperImpl method getPrincipalForEntity.

public IAuthorizationPrincipal getPrincipalForEntity(JsonEntityBean entity) {
    // attempt to determine the entity type class for this principal
    Class entityType;
    EntityEnum jsonType = entity.getEntityType();
    if (jsonType.isGroup()) {
        entityType = IEntityGroup.class;
    } else {
        entityType = jsonType.getClazz();
    }
    // construct an authorization principal for this JsonEntityBean
    AuthorizationService authService = AuthorizationService.instance();
    IAuthorizationPrincipal p = authService.newPrincipal(entity.getId(), entityType);
    return p;
}
Also used : EntityEnum(org.apereo.portal.portlets.groupselector.EntityEnum) AuthorizationService(org.apereo.portal.services.AuthorizationService) IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal)

Example 3 with AuthorizationService

use of org.apereo.portal.services.AuthorizationService in project uPortal by Jasig.

the class EntityService method getPrincipalForEntity.

public IAuthorizationPrincipal getPrincipalForEntity(Entity entity) {
    // attempt to determine the entity type class for this principal
    Class entityType;
    if (entity.getEntityType().equals(EntityEnum.GROUP.toString())) {
        entityType = IEntityGroup.class;
    } else {
        entityType = EntityEnum.getEntityEnum(entity.getEntityType()).getClazz();
    }
    // construct an authorization principal for this JsonEntityBean
    AuthorizationService authService = AuthorizationService.instance();
    IAuthorizationPrincipal p = authService.newPrincipal(entity.getId(), entityType);
    return p;
}
Also used : AuthorizationService(org.apereo.portal.services.AuthorizationService) IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal)

Example 4 with AuthorizationService

use of org.apereo.portal.services.AuthorizationService in project uPortal by Jasig.

the class SubscribableTabsRESTController method getSubscriptionList.

@RequestMapping(value = "/subscribableTabs.json", method = RequestMethod.GET)
public ModelAndView getSubscriptionList(HttpServletRequest request) {
    Map<String, Object> model = new HashMap<String, Object>();
    /** Retrieve the IPerson and IAuthorizationPrincipal for the currently authenticated user */
    IUserInstance userInstance = userInstanceManager.getUserInstance(request);
    IPerson person = userInstance.getPerson();
    AuthorizationService authService = AuthorizationService.instance();
    IAuthorizationPrincipal principal = authService.newPrincipal(person.getUserName(), IPerson.class);
    /**
         * Build a collection of owner IDs for the fragments to which the authenticated user is
         * subscribed
         */
    // get the list of current subscriptions for this user
    List<IUserFragmentSubscription> subscriptions = userFragmentSubscriptionDao.getUserFragmentInfo(person);
    // transform it into the set of owners
    Set<String> subscribedOwners = new HashSet<String>();
    for (IUserFragmentSubscription subscription : subscriptions) {
        if (subscription.isActive()) {
            subscribedOwners.add(subscription.getFragmentOwner());
        }
    }
    /**
         * Iterate through the list of all currently defined DLM fragments and determine if the
         * current user has permissions to subscribe to each. Any subscribable fragments will be
         * transformed into a JSON-friendly bean and added to the model.
         */
    final List<SubscribableFragment> jsonFragments = new ArrayList<SubscribableFragment>();
    // get the list of fragment definitions from DLM
    final List<FragmentDefinition> fragmentDefinitions = configurationLoader.getFragments();
    final Locale locale = RequestContextUtils.getLocale(request);
    // iterate through the list
    for (FragmentDefinition fragmentDefinition : fragmentDefinitions) {
        if (isSubscribable(fragmentDefinition, principal)) {
            String owner = fragmentDefinition.getOwnerId();
            // this fragment
            if (principal.hasPermission("UP_FRAGMENT", "FRAGMENT_SUBSCRIBE", owner)) {
                // create a JSON fragment bean and add it to our list
                boolean subscribed = subscribedOwners.contains(owner);
                final String name = getMessage("fragment." + owner + ".name", fragmentDefinition.getName(), locale);
                final String description = getMessage("fragment." + owner + ".description", fragmentDefinition.getDescription(), locale);
                SubscribableFragment jsonFragment = new SubscribableFragment(name, description, owner, subscribed);
                jsonFragments.add(jsonFragment);
            }
        }
    }
    model.put("fragments", jsonFragments);
    return new ModelAndView("json", model);
}
Also used : Locale(java.util.Locale) FragmentDefinition(org.apereo.portal.layout.dlm.FragmentDefinition) HashMap(java.util.HashMap) ArrayList(java.util.ArrayList) ModelAndView(org.springframework.web.servlet.ModelAndView) IUserFragmentSubscription(org.apereo.portal.fragment.subscribe.IUserFragmentSubscription) IUserInstance(org.apereo.portal.user.IUserInstance) IPerson(org.apereo.portal.security.IPerson) AuthorizationService(org.apereo.portal.services.AuthorizationService) IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal) HashSet(java.util.HashSet) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Example 5 with AuthorizationService

use of org.apereo.portal.services.AuthorizationService in project uPortal by Jasig.

the class PortletDefinitionImporterExporter method savePortletDefinition.

/**
     * Save a portlet definition.
     *
     * @param definition the portlet definition
     * @param publisher the person publishing the portlet
     * @param categories the list of categories for the portlet
     * @param permissionMap a map of permission name -> list of groups who are granted that
     *     permission (Note: for now, only grant is supported and only for the FRAMEWORK_OWNER perm
     *     manager)
     */
private IPortletDefinition savePortletDefinition(IPortletDefinition definition, IPerson publisher, List<PortletCategory> categories, Map<ExternalPermissionDefinition, Set<IGroupMember>> permissionMap) {
    boolean newChannel = (definition.getPortletDefinitionId() == null);
    // save the channel
    definition = portletDefinitionDao.savePortletDefinition(definition);
    definition = portletDefinitionDao.getPortletDefinitionByFname(definition.getFName());
    final String defId = definition.getPortletDefinitionId().getStringId();
    final IEntity portletDefEntity = GroupService.getEntity(defId, IPortletDefinition.class);
    //The groups service needs to deal with concurrent modification better.
    synchronized (this.groupUpdateLock) {
        // Delete existing category memberships for this channel
        if (!newChannel) {
            for (IEntityGroup group : portletDefEntity.getAncestorGroups()) {
                group.removeChild(portletDefEntity);
                group.update();
            }
        }
        // For each category ID, add channel to category
        for (PortletCategory category : categories) {
            final IEntityGroup categoryGroup = GroupService.findGroup(category.getId());
            categoryGroup.addChild(portletDefEntity);
            categoryGroup.updateMembers();
        }
        // Set groups
        final AuthorizationService authService = AuthorizationService.instance();
        final String target = PermissionHelper.permissionTargetIdForPortletDefinition(definition);
        // Loop over the affected permission managers...
        Map<String, Collection<ExternalPermissionDefinition>> permissionsBySystem = getPermissionsBySystem(permissionMap.keySet());
        for (String system : permissionsBySystem.keySet()) {
            Collection<ExternalPermissionDefinition> systemPerms = permissionsBySystem.get(system);
            // get the permission manager for this system...
            final IUpdatingPermissionManager upm = authService.newUpdatingPermissionManager(system);
            final List<IPermission> permissions = new ArrayList<>();
            // add activity grants for each permission..
            for (ExternalPermissionDefinition permissionDef : systemPerms) {
                Set<IGroupMember> members = permissionMap.get(permissionDef);
                for (final IGroupMember member : members) {
                    final IAuthorizationPrincipal authPrincipal = authService.newPrincipal(member);
                    final IPermission permEntity = upm.newPermission(authPrincipal);
                    permEntity.setType(IPermission.PERMISSION_TYPE_GRANT);
                    permEntity.setActivity(permissionDef.getActivity());
                    permEntity.setTarget(target);
                    permissions.add(permEntity);
                }
            }
            // If modifying the channel, remove the existing permissions before adding the new ones
            if (!newChannel) {
                for (ExternalPermissionDefinition permissionName : permissionMap.keySet()) {
                    IPermission[] oldPermissions = upm.getPermissions(permissionName.getActivity(), target);
                    upm.removePermissions(oldPermissions);
                }
            }
            upm.addPermissions(permissions.toArray(new IPermission[permissions.size()]));
        }
    }
    if (logger.isDebugEnabled()) {
        logger.debug("Portlet " + defId + " has been " + (newChannel ? "published" : "modified") + ".");
    }
    return definition;
}
Also used : IEntity(org.apereo.portal.groups.IEntity) ArrayList(java.util.ArrayList) IEntityGroup(org.apereo.portal.groups.IEntityGroup) IGroupMember(org.apereo.portal.groups.IGroupMember) AuthorizationService(org.apereo.portal.services.AuthorizationService) IPermission(org.apereo.portal.security.IPermission) IAuthorizationPrincipal(org.apereo.portal.security.IAuthorizationPrincipal) Collection(java.util.Collection) ExternalPermissionDefinition(org.apereo.portal.io.xml.portlettype.ExternalPermissionDefinition) PortletCategory(org.apereo.portal.portlet.om.PortletCategory) IUpdatingPermissionManager(org.apereo.portal.security.IUpdatingPermissionManager)

Aggregations

AuthorizationService (org.apereo.portal.services.AuthorizationService)12 IAuthorizationPrincipal (org.apereo.portal.security.IAuthorizationPrincipal)9 IEntity (org.apereo.portal.groups.IEntity)4 IEntityGroup (org.apereo.portal.groups.IEntityGroup)4 ArrayList (java.util.ArrayList)3 EntityIdentifier (org.apereo.portal.EntityIdentifier)3 IGroupMember (org.apereo.portal.groups.IGroupMember)3 IPortletDefinition (org.apereo.portal.portlet.om.IPortletDefinition)3 HashMap (java.util.HashMap)2 EntityEnum (org.apereo.portal.portlets.groupselector.EntityEnum)2 IPermission (org.apereo.portal.security.IPermission)2 IPerson (org.apereo.portal.security.IPerson)2 IUpdatingPermissionManager (org.apereo.portal.security.IUpdatingPermissionManager)2 Collection (java.util.Collection)1 HashSet (java.util.HashSet)1 Locale (java.util.Locale)1 PortletMode (javax.portlet.PortletMode)1 AuthorizationException (org.apereo.portal.AuthorizationException)1 AggregatedGroupMapping (org.apereo.portal.events.aggr.groups.AggregatedGroupMapping)1 PortletLayoutAggregation (org.apereo.portal.events.aggr.portletlayout.PortletLayoutAggregation)1