use of org.mycore.common.MCRUserInformation in project mycore by MyCoRe-Org.
the class MCRRestAPIUtil method checkRestAPIAccess.
/**
 * Checks whether the caller of a REST API operation is allowed to perform it.
 *
 * <p>The user named by the request's authentication token is placed into the current
 * session only for the duration of the check, because the ACL system evaluates the
 * session's current user. The previous session user is restored on every exit path.
 *
 * <p>Access is granted only when the root ACL {@code restapi:/} allows the permission
 * and the path-specific ACL ({@code "restapi:" + path}) either does not exist or allows
 * it as well. Every other outcome ends in the FORBIDDEN exception, including a remote
 * address that cannot be turned into an {@code MCRIPAddress} (fail closed).
 *
 * @param request the HTTP request; supplies the authentication token and remote address
 * @param permission "read" or "write"
 * @param path the REST API path, e.g. /v1/messages; a leading "/" is added if missing
 *
 * @throws MCRRestAPIException with status FORBIDDEN if access is restricted
 */
public static void checkRestAPIAccess(HttpServletRequest request, MCRRestAPIACLPermission permission, String path) throws MCRRestAPIException {
    // Remember who owns the session so the temporary identity switch below can be undone.
    MCRUserInformation previousUser = MCRSessionMgr.getCurrentSession().getUserInformation();
    try {
        String userID = MCRJSONWebTokenUtil.retrieveUsernameFromAuthenticationToken(request);
        if (userID != null) {
            MCRUserInformation tokenUser;
            if (MCRSystemUserInformation.getGuestInstance().getUserID().equals(userID)) {
                tokenUser = MCRSystemUserInformation.getGuestInstance();
            } else {
                // NOTE(review): presumably getUser() yields a usable user for every ID that
                // came out of a valid token; confirm the behaviour for an account that no
                // longer exists.
                tokenUser = MCRUserManager.getUser(userID);
            }
            MCRSessionMgr.getCurrentSession().setUserInformation(tokenUser);
        }
        // When no user ID could be retrieved, the session user stays unchanged and the ACL
        // checks below receive a null user ID; how they treat it is not visible here.

        MCRIPAddress clientAddress = new MCRIPAddress(MCRFrontendUtil.getRemoteAddr(request));
        // NOTE(review): only the leading slash is normalised before the path becomes part of
        // the ACL ID; callers are presumed to pass a fixed route string - confirm.
        String aclPath = path.startsWith("/") ? path : "/" + path;

        // Gate 1: the root rule must allow the permission at all.
        boolean rootAllowed = ((MCRAccessControlSystem) MCRAccessControlSystem.instance()).checkAccess("restapi:/", permission.toString(), userID, clientAddress);
        if (rootAllowed) {
            // Gate 2: a path-specific rule, when one is defined, must allow it too.
            // A path without its own rule is governed by the root decision alone.
            MCRAccessRule pathRule = (MCRAccessRule) MCRAccessControlSystem.instance().getAccessRule("restapi:" + aclPath, permission.toString());
            if (pathRule == null || pathRule.checkAccess(userID, new Date(), clientAddress)) {
                return;
            }
        }
    } catch (UnknownHostException ignored) {
        // Deliberately not rethrown: control falls through to the FORBIDDEN exception below,
        // so an unusable client address denies access. The cause is not logged here.
    } finally {
        // Always hand the session back to its original user, on grant, denial or exception.
        MCRSessionMgr.getCurrentSession().setUserInformation(previousUser);
    }
    // The detail text echoes the requested permission and path back to the caller.
    String hint = "Check access right '" + permission + "' on ACLs 'restapi:/' and 'restapi:" + path + "'!";
    throw new MCRRestAPIException(Status.FORBIDDEN, new MCRRestAPIError(MCRRestAPIError.CODE_ACCESS_DENIED, "REST-API action is not allowed.", hint));
}
use of org.mycore.common.MCRUserInformation in project mycore by MyCoRe-Org.
the class MCRCreatorRuleStrategy method isCreatorRuleAvailable.
/**
 * Decides whether the "creator" rule grants the current session user the given
 * permission on an object.
 *
 * <p>The rule applies to the write permission only, and only when all of the following
 * hold: the user is in {@code CREATOR_ROLE}, the object status check
 * ({@code objectStatusIsSubmitted}) passes, and {@code isCurrentUserCreator} confirms the
 * user for this object. Any {@link RuntimeException} raised while checking is logged and
 * treated as "rule not available", so failures never grant access.
 *
 * @param id the object ID as a string
 * @param permission the permission being requested
 * @return {@code true} only if every condition above is met; {@code false} otherwise
 */
public boolean isCreatorRuleAvailable(String id, String permission) {
    if (!MCRAccessManager.PERMISSION_WRITE.equals(permission)) {
        return false;
    }
    // Stays null until the ID has been parsed; the catch block uses that to tell an
    // invalid ID apart from a failure in the later checks.
    MCRObjectID objectId = null;
    try {
        objectId = MCRObjectID.getInstance(id);
        MCRUserInformation sessionUser = MCRSessionMgr.getCurrentSession().getUserInformation();
        boolean eligible = sessionUser.isUserInRole(CREATOR_ROLE) && objectStatusIsSubmitted(objectId);
        if (eligible && isCurrentUserCreator(objectId, sessionUser)) {
            return true;
        }
    } catch (RuntimeException e) {
        if (objectId != null) {
            LOGGER.warn("Eror while checking permission.", e);
        } else {
            LOGGER.debug("id is not a valid object ID", e);
        }
    }
    return false;
}
use of org.mycore.common.MCRUserInformation in project mycore by MyCoRe-Org.
the class MCRUserAttributeMapperTest method testUserUpdate.
/**
 * Creates a user from Shibboleth attributes, stores it, then maps a changed attribute set
 * onto the stored user and checks that the mapper reports a change and that the e-mail
 * address differs from the one used at creation.
 */
@Test
public void testUserUpdate() throws Exception {
    // Attribute set for the first login, built from the fixture user.
    Map<String, Object> initialAttributes = new HashMap<>();
    initialAttributes.put("eduPersonPrincipalName", mcrUser.getUserName() + "@" + realmId);
    initialAttributes.put("displayName", mcrUser.getRealName());
    initialAttributes.put("mail", mcrUser.getEMailAddress());
    initialAttributes.put("eduPersonAffiliation", roles);

    MCRUserInformation shibbolethInfo = new MCRShibbolethUserInformation(mcrUser.getUserName(), realmId,
        initialAttributes);
    MCRTransientUser transientUser = new MCRTransientUser(shibbolethInfo);
    assertEquals(mcrUser.getUserName(), transientUser.getUserName());
    assertEquals(mcrUser.getRealName(), transientUser.getRealName());
    assertTrue(transientUser.isUserInRole("editor"));

    // Extra attributes that are not part of the Shibboleth attribute set.
    Map<String, String> additionalAttributes = new HashMap<>();
    additionalAttributes.put("attrib1", "test123");
    additionalAttributes.put("attrib2", "test321");
    transientUser.setAttributes(additionalAttributes);

    MCRUserManager.createUser(transientUser);
    startNewTransaction();

    // Attribute set for a later login: same principal, new mail address, new affiliation.
    Map<String, Object> updatedAttributes = new HashMap<>();
    updatedAttributes.put("eduPersonPrincipalName", mcrUser.getUserName() + "@" + realmId);
    updatedAttributes.put("displayName", mcrUser.getRealName());
    updatedAttributes.put("mail", "new@mycore.de");
    updatedAttributes.put("eduPersonAffiliation", "admin");

    MCRUser storedUser = MCRUserManager.getUser(transientUser.getUserName(), realmId);
    MCRUserAttributeMapper attributeMapper = MCRRealmFactory.getAttributeMapper(realmId);
    assertTrue("should changed", attributeMapper.mapAttributes(storedUser, updatedAttributes));
    assertNotEquals(transientUser.getEMailAddress(), storedUser.getEMailAddress());
    // NOTE(review): the affiliation switches to "admin" above, but the resulting roles of
    // storedUser are not asserted; only the mail address is checked. Role mapping is the
    // privilege-relevant part of this update and would merit its own assertion.

    // Dump the stored user for manual inspection of the test output.
    Document exportableXML = MCRUserTransformer.buildExportableXML(storedUser);
    new XMLOutputter(Format.getPrettyFormat()).output(exportableXML, System.out);
}
use of org.mycore.common.MCRUserInformation in project mycore by MyCoRe-Org.
the class MCRFixedUserCallable method call.
/**
 * Runs the delegate via {@code super.call()} under the user this callable was created for.
 *
 * <p>If the calling thread already has a session, that session must belong to the same
 * user; a mismatch is rejected with an {@code MCRException} rather than switching
 * identities. If there was no session, the one obtained here is assigned the fixed user
 * and is closed again once the call completes.
 *
 * @return the result of {@code super.call()}
 * @throws Exception whatever {@code super.call()} throws, or {@code MCRException} on a
 *         user mismatch
 */
@Override
public V call() throws Exception {
    // Must be sampled before getCurrentSession(), which is relied on to supply a session
    // even when none was bound beforehand.
    final boolean sessionPreexisting = MCRSessionMgr.hasCurrentSession();
    this.session = MCRSessionMgr.getCurrentSession();
    try {
        MCRUserInformation sessionUser = this.session.getUserInformation();
        if (!sessionPreexisting) {
            this.session.setUserInformation(userInfo);
        } else if (!sessionUser.equals(userInfo)) {
            // Never run the task under somebody else's existing session.
            throw new MCRException("MCRFixedUserCallable is bound to " + sessionUser.getUserID() + " and not to " + userInfo.getUserID() + ".");
        }
        return super.call();
    } finally {
        // Close only a session that did not exist before this call; a pre-existing one
        // belongs to the caller.
        boolean ownsSession = !sessionPreexisting;
        if (ownsSession && this.session != null) {
            this.session.close();
        }
    }
}
use of org.mycore.common.MCRUserInformation in project mycore by MyCoRe-Org.
the class MCRGroupClauseTest method setUp.
/**
 * Installs a stub user into the current session: ID "junit", member of exactly the role
 * named by {@code INGROUP_NAME}, and without any user attributes.
 */
@Before
public void setUp() throws Exception {
    super.setUp();
    MCRUserInformation junitUser = new MCRUserInformation() {
        @Override
        public String getUserID() {
            return "junit";
        }

        @Override
        public boolean isUserInRole(String role) {
            // Membership is limited to the single group the tests look for.
            return INGROUP_NAME.equals(role);
        }

        @Override
        public String getUserAttribute(String attribute) {
            // The stub carries no attributes.
            return null;
        }
    };
    MCRSessionMgr.getCurrentSession().setUserInformation(junitUser);
}