Example 51 with AccessControlList
use of org.opencastproject.security.api.AccessControlList in project opencast by opencast.
the class SeriesWorkflowOperationHandler method start.
/**
* {@inheritDoc}
*
* @see org.opencastproject.workflow.api.WorkflowOperationHandler#start(org.opencastproject.workflow.api.WorkflowInstance,
* JobContext)
*/
@Override
public WorkflowOperationResult start(final WorkflowInstance workflowInstance, JobContext context) throws WorkflowOperationException {
logger.debug("Running series workflow operation");
MediaPackage mediaPackage = workflowInstance.getMediaPackage();
Opt<String> optSeries = getOptConfig(workflowInstance.getCurrentOperation(), SERIES_PROPERTY);
Opt<String> optAttachFlavors = getOptConfig(workflowInstance.getCurrentOperation(), ATTACH_PROPERTY);
Boolean applyAcl = getOptConfig(workflowInstance.getCurrentOperation(), APPLY_ACL_PROPERTY).map(toBoolean).getOr(false);
Opt<String> optCopyMetadata = getOptConfig(workflowInstance.getCurrentOperation(), COPY_METADATA_PROPERTY);
String defaultNamespace = getOptConfig(workflowInstance.getCurrentOperation(), DEFAULT_NS_PROPERTY).getOr(DublinCore.TERMS_NS_URI);
logger.debug("Using default namespace: '{}'", defaultNamespace);
if (optSeries.isSome() && !optSeries.get().equals(mediaPackage.getSeries())) {
logger.info("Changing series id from '{}' to '{}'", StringUtils.trimToEmpty(mediaPackage.getSeries()), optSeries.get());
mediaPackage.setSeries(optSeries.get());
}
String seriesId = mediaPackage.getSeries();
if (seriesId == null) {
logger.info("No series set, skip operation");
return createResult(mediaPackage, Action.SKIP);
}
DublinCoreCatalog series;
try {
series = seriesService.getSeries(seriesId);
} catch (NotFoundException e) {
logger.info("No series with the identifier '{}' found, skip operation", seriesId);
return createResult(mediaPackage, Action.SKIP);
} catch (UnauthorizedException e) {
logger.warn("Not authorized to get series with identifier '{}' found, skip operation", seriesId);
return createResult(mediaPackage, Action.SKIP);
} catch (SeriesException e) {
logger.error("Unable to get series with identifier '{}', skip operation: {}", seriesId, ExceptionUtils.getStackTrace(e));
throw new WorkflowOperationException(e);
}
mediaPackage.setSeriesTitle(series.getFirst(DublinCore.PROPERTY_TITLE));
// Process extra metadata
HashSet<EName> extraMetadata = new HashSet<>();
if (optCopyMetadata.isSome()) {
for (String strEName : optCopyMetadata.get().split(",+\\s*")) try {
if (!strEName.isEmpty()) {
extraMetadata.add(EName.fromString(strEName, defaultNamespace));
}
} catch (IllegalArgumentException iae) {
logger.warn("Ignoring incorrect dublincore metadata property: '{}'", strEName);
}
}
// Update the episode catalog
for (Catalog episodeCatalog : mediaPackage.getCatalogs(MediaPackageElements.EPISODE)) {
DublinCoreCatalog episodeDublinCore = DublinCoreUtil.loadDublinCore(workspace, episodeCatalog);
// Make sure the MP catalog has bindings defined
episodeDublinCore.addBindings(XmlNamespaceContext.mk(XmlNamespaceBinding.mk(DublinCore.TERMS_NS_PREFIX, DublinCore.TERMS_NS_URI)));
episodeDublinCore.addBindings(XmlNamespaceContext.mk(XmlNamespaceBinding.mk(DublinCore.ELEMENTS_1_1_NS_PREFIX, DublinCore.ELEMENTS_1_1_NS_URI)));
episodeDublinCore.addBindings(XmlNamespaceContext.mk(XmlNamespaceBinding.mk(DublinCores.OC_PROPERTY_NS_PREFIX, DublinCores.OC_PROPERTY_NS_URI)));
episodeDublinCore.set(DublinCore.PROPERTY_IS_PART_OF, seriesId);
for (EName property : extraMetadata) {
if (!episodeDublinCore.hasValue(property) && series.hasValue(property)) {
episodeDublinCore.set(property, series.get(property));
}
}
try (InputStream in = IOUtils.toInputStream(episodeDublinCore.toXmlString(), "UTF-8")) {
String filename = FilenameUtils.getName(episodeCatalog.getURI().toString());
URI uri = workspace.put(mediaPackage.getIdentifier().toString(), episodeCatalog.getIdentifier(), filename, in);
episodeCatalog.setURI(uri);
// setting the URI to a new source so the checksum will most like be invalid
episodeCatalog.setChecksum(null);
} catch (Exception e) {
logger.error("Unable to update episode catalog isPartOf field: {}", ExceptionUtils.getStackTrace(e));
throw new WorkflowOperationException(e);
}
}
// Attach series catalogs
if (optAttachFlavors.isSome()) {
// Remove existing series catalogs
AbstractMediaPackageElementSelector<Catalog> catalogSelector = new CatalogSelector();
String[] seriesFlavors = StringUtils.split(optAttachFlavors.get(), ",");
for (String flavor : seriesFlavors) {
if ("*".equals(flavor)) {
catalogSelector.addFlavor("*/*");
} else {
catalogSelector.addFlavor(flavor);
}
}
for (Catalog c : catalogSelector.select(mediaPackage, false)) {
if (MediaPackageElements.SERIES.equals(c.getFlavor()) || "series".equals(c.getFlavor().getSubtype())) {
mediaPackage.remove(c);
}
}
List<SeriesCatalogUIAdapter> adapters = getSeriesCatalogUIAdapters();
for (String flavorString : seriesFlavors) {
MediaPackageElementFlavor flavor;
if ("*".equals(flavorString)) {
flavor = MediaPackageElementFlavor.parseFlavor("*/*");
} else {
flavor = MediaPackageElementFlavor.parseFlavor(flavorString);
}
for (SeriesCatalogUIAdapter a : adapters) {
MediaPackageElementFlavor adapterFlavor = MediaPackageElementFlavor.parseFlavor(a.getFlavor());
if (flavor.matches(adapterFlavor)) {
if (MediaPackageElements.SERIES.eq(a.getFlavor())) {
addDublinCoreCatalog(series, MediaPackageElements.SERIES, mediaPackage);
} else {
try {
Opt<byte[]> seriesElementData = seriesService.getSeriesElementData(seriesId, adapterFlavor.getType());
if (seriesElementData.isSome()) {
DublinCoreCatalog catalog = DublinCores.read(new ByteArrayInputStream(seriesElementData.get()));
addDublinCoreCatalog(catalog, adapterFlavor, mediaPackage);
} else {
logger.warn("No extended series catalog found for flavor '{}' and series '{}', skip adding catalog", adapterFlavor.getType(), seriesId);
}
} catch (SeriesException e) {
logger.error("Unable to load extended series metadata for flavor {}", adapterFlavor.getType());
throw new WorkflowOperationException(e);
}
}
}
}
}
}
if (applyAcl) {
try {
AccessControlList acl = seriesService.getSeriesAccessControl(seriesId);
if (acl != null)
authorizationService.setAcl(mediaPackage, AclScope.Series, acl);
} catch (Exception e) {
logger.error("Unable to update series ACL: {}", ExceptionUtils.getStackTrace(e));
throw new WorkflowOperationException(e);
}
}
return createResult(mediaPackage, Action.CONTINUE);
}
Also used :
AccessControlList(org.opencastproject.security.api.AccessControlList)
EName(org.opencastproject.mediapackage.EName)
NotFoundException(org.opencastproject.util.NotFoundException)
URI(java.net.URI)
UnauthorizedException(org.opencastproject.security.api.UnauthorizedException)
WorkflowOperationException(org.opencastproject.workflow.api.WorkflowOperationException)
CatalogSelector(org.opencastproject.mediapackage.selector.CatalogSelector)
HashSet(java.util.HashSet)
ByteArrayInputStream(java.io.ByteArrayInputStream)
InputStream(java.io.InputStream)
SeriesException(org.opencastproject.series.api.SeriesException)
SeriesCatalogUIAdapter(org.opencastproject.metadata.dublincore.SeriesCatalogUIAdapter)
MediaPackageElementFlavor(org.opencastproject.mediapackage.MediaPackageElementFlavor)
DublinCoreCatalog(org.opencastproject.metadata.dublincore.DublinCoreCatalog)
Catalog(org.opencastproject.mediapackage.Catalog)
WorkflowOperationException(org.opencastproject.workflow.api.WorkflowOperationException)
SeriesException(org.opencastproject.series.api.SeriesException)
UnauthorizedException(org.opencastproject.security.api.UnauthorizedException)
NotFoundException(org.opencastproject.util.NotFoundException)
IOException(java.io.IOException)
ByteArrayInputStream(java.io.ByteArrayInputStream)
MediaPackage(org.opencastproject.mediapackage.MediaPackage)
DublinCoreCatalog(org.opencastproject.metadata.dublincore.DublinCoreCatalog)
Example 52 with AccessControlList
use of org.opencastproject.security.api.AccessControlList in project opencast by opencast.
the class WorkflowServiceImplAuthzTest method testWorkflowWithoutSecurityPolicy.
@Test
public void testWorkflowWithoutSecurityPolicy() throws Exception {
// Mock up an authorization service that always returns "false" for hasPermission()
AuthorizationService authzService = EasyMock.createNiceMock(AuthorizationService.class);
EasyMock.expect(authzService.getActiveAcl((MediaPackage) EasyMock.anyObject())).andReturn(Tuple.tuple(new AccessControlList(), AclScope.Series)).anyTimes();
EasyMock.expect(authzService.hasPermission((MediaPackage) EasyMock.anyObject(), (String) EasyMock.anyObject())).andReturn(false).anyTimes();
EasyMock.replay(authzService);
service.setAuthorizationService(authzService);
dao.setAuthorizationService(authzService);
// Create the workflow and its dependent object graph
WorkflowDefinitionImpl def = new WorkflowDefinitionImpl();
def.add(new WorkflowOperationDefinitionImpl("op1", "op1", null, true));
MediaPackage mp = MediaPackageBuilderFactory.newInstance().newMediaPackageBuilder().createNew();
// As an instructor, create a workflow
userResponder.setResponse(instructor1);
WorkflowInstance workflow = service.start(def, mp);
service.suspend(workflow.getId());
// Ensure that this instructor can access the workflow
try {
service.getWorkflowById(workflow.getId());
assertEquals(1, service.countWorkflowInstances());
} catch (Exception e) {
fail(e.getMessage());
}
// Ensure the organization admin can access that workflow
userResponder.setResponse(DEFAULT_ORG_ADMIN);
try {
service.getWorkflowById(workflow.getId());
assertEquals(1, service.countWorkflowInstances());
} catch (Exception e) {
fail(e.getMessage());
}
// Ensure the global admin can access that workflow
userResponder.setResponse(globalAdmin);
try {
service.getWorkflowById(workflow.getId());
assertEquals(1, service.countWorkflowInstances());
} catch (Exception e) {
fail(e.getMessage());
}
// Ensure the other instructor can not see the workflow, since there is no security policy granting access
userResponder.setResponse(instructor2);
try {
service.getWorkflowById(workflow.getId());
fail();
} catch (UnauthorizedException e) {
// expected
}
assertEquals(0, service.countWorkflowInstances());
// Ensure the instructor from a different org can not see the workflow, even though they share a role
organizationResponder.setResponse(otherOrganization);
userResponder.setResponse(instructorFromDifferentOrg);
try {
service.getWorkflowById(workflow.getId());
fail();
} catch (Exception e) {
// expected
}
assertEquals(0, service.countWorkflowInstances());
}
Also used :
AccessControlList(org.opencastproject.security.api.AccessControlList)
WorkflowOperationDefinitionImpl(org.opencastproject.workflow.api.WorkflowOperationDefinitionImpl)
WorkflowDefinitionImpl(org.opencastproject.workflow.api.WorkflowDefinitionImpl)
AuthorizationService(org.opencastproject.security.api.AuthorizationService)
MediaPackage(org.opencastproject.mediapackage.MediaPackage)
UnauthorizedException(org.opencastproject.security.api.UnauthorizedException)
WorkflowInstance(org.opencastproject.workflow.api.WorkflowInstance)
UnauthorizedException(org.opencastproject.security.api.UnauthorizedException)
Test(org.junit.Test)
Example 53 with AccessControlList
use of org.opencastproject.security.api.AccessControlList in project opencast by opencast.
the class LiveScheduleServiceImplTest method testReplaceAndDistributeAcl.
@Test
public void testReplaceAndDistributeAcl() throws Exception {
URI mpURI = LiveScheduleServiceImplTest.class.getResource("/live-mp.xml").toURI();
MediaPackage mp = MediaPackageBuilderFactory.newInstance().newMediaPackageBuilder().loadFromXml(mpURI.toURL().openStream());
Job job = createJob(1L, "anything", "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>" + "<attachment id=\"security-policy-episode\" type=\"security/xacml+episode\" xmlns=\"http://mediapackage.opencastproject.org\">" + "<mimetype>text/xml</mimetype><url>http://host/security-policy-episode.xml</url></attachment>");
EasyMock.expect(downloadDistributionService.distribute(EasyMock.anyString(), EasyMock.anyObject(MediaPackage.class), EasyMock.anyObject(String.class), EasyMock.anyBoolean())).andReturn(job).once();
EasyMock.expect(serviceRegistry.getJob(1L)).andReturn(job).anyTimes();
replayServices();
service.setDownloadDistributionService(downloadDistributionService);
AccessControlList acl = new AccessControlList(new AccessControlEntry("user", "read", true));
MediaPackage mp1 = service.replaceAndDistributeAcl(mp, acl);
Attachment[] atts = mp1.getAttachments(MediaPackageElements.XACML_POLICY_EPISODE);
Assert.assertNotNull(atts);
Assert.assertEquals(1, atts.length);
Attachment att = atts[0];
Assert.assertEquals("http://host/security-policy-episode.xml", att.getURI().toString());
Assert.assertEquals("security/xacml+episode", att.getFlavor().toString());
EasyMock.verify(downloadDistributionService);
}
Also used :
AccessControlList(org.opencastproject.security.api.AccessControlList)
MediaPackage(org.opencastproject.mediapackage.MediaPackage)
AccessControlEntry(org.opencastproject.security.api.AccessControlEntry)
Attachment(org.opencastproject.mediapackage.Attachment)
Job(org.opencastproject.job.api.Job)
URI(java.net.URI)
Test(org.junit.Test)
Example 54 with AccessControlList
use of org.opencastproject.security.api.AccessControlList in project opencast by opencast.
the class SchedulerMigrationService method transform.
/**
* Transform the event result set into {@link Event}s.
*/
List<Event> transform(ResultSet resultSet) {
try {
List<Event> events = new ArrayList<>();
while (resultSet.next()) {
DublinCoreCatalog dc = readDublinCoreSilent(resultSet.getString(5));
dc.setIdentifier(UUID.randomUUID().toString());
dc.setFlavor(MediaPackageElements.EPISODE);
dc.remove(DublinCore.PROPERTY_IDENTIFIER);
Properties properties = parseProperties(resultSet.getString(4));
AccessControlList acl = resultSet.getString(2) != null ? AccessControlParser.parseAclSilent(resultSet.getString(2)) : null;
events.add(new Event(resultSet.getLong(1), resultSet.getString(6), dc, properties, acl, resultSet.getBoolean(7), ReviewStatus.valueOf(resultSet.getString(9)), resultSet.getDate(8)));
}
return events;
} catch (Exception e) {
return chuck(e);
}
}
Also used :
AccessControlList(org.opencastproject.security.api.AccessControlList)
ArrayList(java.util.ArrayList)
DublinCoreCatalog(org.opencastproject.metadata.dublincore.DublinCoreCatalog)
Properties(java.util.Properties)
SchedulerException(org.opencastproject.scheduler.api.SchedulerException)
ConfigurationException(org.osgi.service.cm.ConfigurationException)
MediaPackageException(org.opencastproject.mediapackage.MediaPackageException)
SAXException(org.xml.sax.SAXException)
SQLException(java.sql.SQLException)
UnauthorizedException(org.opencastproject.security.api.UnauthorizedException)
NotFoundException(org.opencastproject.util.NotFoundException)
IOException(java.io.IOException)
ParserConfigurationException(javax.xml.parsers.ParserConfigurationException)
Example 55 with AccessControlList
use of org.opencastproject.security.api.AccessControlList in project opencast by opencast.
the class TestRestService method newAuthorizationService.
private static AuthorizationService newAuthorizationService() {
AccessControlList acl = new AccessControlList();
Attachment attachment = new AttachmentImpl();
MediaPackage mediapackage;
try {
mediapackage = new MediaPackageBuilderImpl().createNew();
} catch (MediaPackageException e) {
throw new RuntimeException(e);
}
AuthorizationService authorizationService = EasyMock.createNiceMock(AuthorizationService.class);
EasyMock.expect(authorizationService.getActiveAcl((MediaPackage) EasyMock.anyObject())).andReturn(Tuple.tuple(acl, AclScope.Series)).anyTimes();
EasyMock.expect(authorizationService.setAcl((MediaPackage) EasyMock.anyObject(), (AclScope) EasyMock.anyObject(), (AccessControlList) EasyMock.anyObject())).andReturn(Tuple.tuple(mediapackage, attachment));
EasyMock.replay(authorizationService);
return authorizationService;
}
Also used :
AccessControlList(org.opencastproject.security.api.AccessControlList)
MediaPackageException(org.opencastproject.mediapackage.MediaPackageException)
AuthorizationService(org.opencastproject.security.api.AuthorizationService)
MediaPackageBuilderImpl(org.opencastproject.mediapackage.MediaPackageBuilderImpl)
MediaPackage(org.opencastproject.mediapackage.MediaPackage)
Attachment(org.opencastproject.mediapackage.Attachment)
AttachmentImpl(org.opencastproject.mediapackage.attachment.AttachmentImpl)
Aggregations
AccessControlList (org.opencastproject.security.api.AccessControlList)108
NotFoundException (org.opencastproject.util.NotFoundException)46
UnauthorizedException (org.opencastproject.security.api.UnauthorizedException)38
AccessControlEntry (org.opencastproject.security.api.AccessControlEntry)30
MediaPackage (org.opencastproject.mediapackage.MediaPackage)27
Test (org.junit.Test)26
IOException (java.io.IOException)22
Organization (org.opencastproject.security.api.Organization)22
User (org.opencastproject.security.api.User)21
DublinCoreCatalog (org.opencastproject.metadata.dublincore.DublinCoreCatalog)19
ArrayList (java.util.ArrayList)18
SeriesException (org.opencastproject.series.api.SeriesException)18
ManagedAcl (org.opencastproject.authorization.xacml.manager.api.ManagedAcl)16
MediaPackageException (org.opencastproject.mediapackage.MediaPackageException)16
Date (java.util.Date)15
SchedulerException (org.opencastproject.scheduler.api.SchedulerException)14
Path (javax.ws.rs.Path)13
RestQuery (org.opencastproject.util.doc.rest.RestQuery)13
WebApplicationException (javax.ws.rs.WebApplicationException)12
File (java.io.File)10
