use of org.opencastproject.security.api.AccessControlList in project opencast by opencast.
the class XACMLAuthorizationService method getAcl.
/**
 * Get the ACL of the given flavor from a media package.
 * <p>
 * The attachments of every requested flavor are collected into one set. The ACL is loaded only when exactly one
 * attachment was found; with none, or with more than one, the result is {@code none}. An ambiguous set is never
 * resolved by picking one candidate, so the caller sees "no ACL" rather than a possibly wrong one (the ambiguous
 * case is logged at warn level).
 *
 * @param mp
 *          the media package whose attachments are inspected
 * @param flavors
 *          the flavors that may carry a security attachment
 * @return the result of {@link #loadAcl} for the single matching attachment, or none if there is not exactly one
 */
private Option<AccessControlList> getAcl(final MediaPackage mp, final List<MediaPackageElementFlavor> flavors) {
  final Set<Attachment> candidates = new HashSet<>();
  for (final MediaPackageElementFlavor flavor : flavors) {
    candidates.addAll(Arrays.asList(mp.getAttachments(flavor)));
  }
  final int count = candidates.size();
  if (count < 1) {
    logger.debug("No security attachment found for media package {} with flavors {}", mp.getIdentifier(), flavors);
    return Option.none();
  }
  if (count > 1) {
    logger.warn("More than one security attachment found for media package {} with flavors {}", mp.getIdentifier(), flavors);
    return Option.none();
  }
  logger.debug("One security attachment found for media package {} with flavors {}", mp.getIdentifier(), flavors);
  // Exactly one candidate: load the ACL referenced by its URI.
  return loadAcl(candidates.iterator().next().getURI());
}
use of org.opencastproject.security.api.AccessControlList in project opencast by opencast.
the class XACMLUtils method parseXacml.
/**
 * Parses a XACML into an {@link AccessControlList}.
 * <p>
 * Only rules which follow the structure of those created by {@link #getXacml(MediaPackage, AccessControlList)} may be
 * successfully parsed. All other rules are ignored.
 * <p>
 * Every child of the policy must be a rule. A rule without a target is accepted only when its id is
 * {@code DenyRule} (the global deny rule), which is skipped; any other target-less rule is an error. For each
 * remaining rule the first action match becomes the ACE action, the first attribute value inside the rule's
 * condition becomes the role, and a {@code Permit} effect marks the ACE as allow.
 * <p>
 * NOTE(review): the document is unmarshalled from the raw stream with the context's default unmarshaller; whether
 * DTD processing and external entity resolution are disabled for that parser depends on the JAXB implementation in
 * use — confirm this before accepting XACML from outside the system.
 *
 * @param xacml
 *          the XACML to parse
 * @return the ACL, never {@code null}
 * @throws XACMLParsingException
 *           if parsing fails; any other exception raised while reading the policy is wrapped in it
 */
public static AccessControlList parseXacml(InputStream xacml) throws XACMLParsingException {
  try {
    final AccessControlList acl = new AccessControlList();
    final List<AccessControlEntry> entries = acl.getEntries();
    @SuppressWarnings("unchecked")
    final JAXBElement<PolicyType> root = (JAXBElement<PolicyType>) XACMLUtils.jBossXacmlJaxbContext
            .createUnmarshaller().unmarshal(xacml);
    final PolicyType policy = root.getValue();
    for (final Object child : policy.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition()) {
      if (!(child instanceof RuleType)) {
        throw new XACMLParsingException("Object " + child + " of policy " + policy + " is not of type RuleType");
      }
      final RuleType rule = (RuleType) child;
      if (rule.getTarget() == null) {
        if (rule.getRuleId().equals("DenyRule")) {
          logger.trace("Skipping global deny rule");
          continue;
        }
        throw new XACMLParsingException("Empty rule " + rule + " in policy " + policy);
      }
      entries.add(toAccessControlEntry(rule, policy));
    }
    return acl;
  } catch (XACMLParsingException e) {
    // Already carries the specific message; do not wrap it a second time.
    throw e;
  } catch (Exception e) {
    throw new XACMLParsingException("XACML could not be parsed", e);
  }
}

/**
 * Builds the access control entry described by a single targeted rule.
 *
 * @param rule
 *          a rule whose target is not {@code null}
 * @param policy
 *          the enclosing policy, used for error messages only
 * @return the entry: first action match as action, first attribute value of the condition as role, allow iff the
 *         effect is {@code Permit}
 * @throws XACMLParsingException
 *           if the rule's target or condition does not have the expected shape, or no role is found
 */
private static AccessControlEntry toAccessControlEntry(final RuleType rule, final PolicyType policy)
        throws XACMLParsingException {
  String role = null;
  String action = null;
  try {
    final ActionType firstAction = rule.getTarget().getActions().getAction().get(0);
    action = (String) firstAction.getActionMatch().get(0).getAttributeValue().getContent().get(0);
    @SuppressWarnings("unchecked")
    final JAXBElement<ApplyType> apply = (JAXBElement<ApplyType>) rule.getCondition().getExpression();
    for (final JAXBElement<?> expression : apply.getValue().getExpression()) {
      if (expression.getValue() instanceof AttributeValueType) {
        role = (String) ((AttributeValueType) expression.getValue()).getContent().get(0);
        break;
      }
    }
  } catch (Exception e) {
    // Any structural surprise (missing lists, unexpected element types) is reported as a parse error for this rule.
    throw new XACMLParsingException("Rule " + rule + " of policy " + policy + " could not be parsed", e);
  }
  if (role == null) {
    throw new XACMLParsingException("Unable to find role in rule " + rule + " of policy " + policy);
  }
  return new AccessControlEntry(role, action, rule.getEffect().equals(EffectType.PERMIT));
}
use of org.opencastproject.security.api.AccessControlList in project opencast by opencast.
the class IndexServiceImpl method getAccessControlList.
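/**
 * Get the access control list from a JSON representation
 *
 * @param metadataJson
 *          The {@link JSONObject} that has the access json
 * @return An {@link AccessControlList}; empty when {@code metadataJson} has no {@code access} member
 * @throws IllegalArgumentException
 *           Thrown if the {@code access} member is not a JSON object or cannot be parsed into an ACL
 */
private AccessControlList getAccessControlList(JSONObject metadataJson) {
  final Object access = metadataJson.get("access");
  if (access == null) {
    // No access entry at all: an empty ACL, i.e. no explicit grants.
    return new AccessControlList();
  }
  if (!(access instanceof JSONObject)) {
    // Rejected here so that a non-object value does not escape as a ClassCastException from an unchecked cast;
    // callers then see the one exception type documented for malformed input.
    logger.warn("Unable to parse access control list, 'access' is not a JSON object: {}", access);
    throw new IllegalArgumentException("Unable to parse access control list!");
  }
  final String accessJson = ((JSONObject) access).toJSONString();
  try {
    return AccessControlParser.parseAcl(accessJson);
  } catch (Exception e) {
    // Keep the parser's exception as cause so the failure is diagnosable from the stack trace.
    logger.warn("Unable to parse access control list: {}", accessJson, e);
    throw new IllegalArgumentException("Unable to parse access control list!", e);
  }
}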
use of org.opencastproject.security.api.AccessControlList in project opencast by opencast.
the class IndexServiceImpl method createSeries.
/**
 * Creates a new series from the given metadata, options, ACL and theme.
 * <p>
 * A fresh series catalog is filled with a random identifier, the creation date, every entry of {@code options}
 * as an Opencast property and, if present, the series-flavored part of {@code metadataList}. The series is then
 * persisted, its ACL applied and the theme (if any) stored as a series property. Finally the remaining metadata is
 * written through {@link #updateSeriesMetadata(String, MetadataList)}.
 * <p>
 * NOTE(review): persisting the series and applying the ACL are two separate service calls inside one try block;
 * if {@code updateAccessControl} fails, the series stored just before is presumably left behind — confirm which ACL
 * it then carries. Without an explicit ACL an empty {@link AccessControlList} is applied.
 *
 * @param metadataList
 *          the metadata to apply to the new series
 * @param options
 *          additional catalog properties, set in the {@code DublinCores.OC_PROPERTY_NS_URI} namespace
 * @param optAcl
 *          the ACL to apply, or none for an empty ACL
 * @param optThemeId
 *          the theme to attach, if any
 * @return the identifier of the created series
 * @throws IndexServiceException
 *           if the series, its ACL or its theme could not be stored
 */
@Override
public String createSeries(MetadataList metadataList, Map<String, String> options, Opt<AccessControlList> optAcl,
        Opt<Long> optThemeId) throws IndexServiceException {
  final DublinCoreCatalog catalog = DublinCores.mkOpencastSeries().getCatalog();
  catalog.set(PROPERTY_IDENTIFIER, UUID.randomUUID().toString());
  catalog.set(DublinCore.PROPERTY_CREATED, EncodingSchemeUtils.encodeDate(new Date(), Precision.Second));
  for (final Map.Entry<String, String> option : options.entrySet()) {
    catalog.set(new EName(DublinCores.OC_PROPERTY_NS_URI, option.getKey()), option.getValue());
  }
  final Opt<MetadataCollection> seriesPart = metadataList.getMetadataByFlavor(MediaPackageElements.SERIES.toString());
  for (final MetadataCollection collection : seriesPart) {
    DublinCoreMetadataUtil.updateDublincoreCatalog(catalog, collection);
  }
  // An absent ACL is applied as an empty one.
  final AccessControlList acl = optAcl.isSome() ? optAcl.get() : new AccessControlList();
  String seriesId;
  try {
    final DublinCoreCatalog stored = seriesService.updateSeries(catalog);
    seriesId = stored.getFirst(PROPERTY_IDENTIFIER);
    seriesService.updateAccessControl(seriesId, acl);
    for (final Long themeId : optThemeId) {
      seriesService.updateSeriesProperty(seriesId, THEME_PROPERTY_NAME, Long.toString(themeId));
    }
  } catch (Exception e) {
    logger.error("Unable to create new series: {}", getStackTrace(e));
    throw new IndexServiceException("Unable to create new series");
  }
  updateSeriesMetadata(seriesId, metadataList);
  return seriesId;
}
use of org.opencastproject.security.api.AccessControlList in project opencast by opencast.
the class EventHttpServletRequest method deserializeJsonToAcl.
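/**
 * De-serialize a JSON array of access control entries into an {@link AccessControlList}.
 * <p>
 * Each element must be a JSON object carrying the {@code ACTION_JSON_KEY} and {@code ROLE_JSON_KEY} members and,
 * unless {@code assumeAllow} is set, the {@code ALLOW_JSON_KEY} member. The allow value is interpreted by
 * {@link Boolean#parseBoolean(String)}: anything other than a case-insensitive {@code "true"} yields a deny entry.
 *
 * @param json
 *          The JSON text: a top-level array of ACE objects
 * @param assumeAllow
 *          Assume that all entries are allows; the {@code ALLOW_JSON_KEY} member is then ignored
 * @return An {@link AccessControlList} representation of the Json, empty for an empty array
 * @throws ParseException
 *           if {@code json} is not well-formed JSON
 * @throws IllegalArgumentException
 *           if the top-level value is not an array, an element is not an object, or an element lacks one of the
 *           required members
 */
protected static AccessControlList deserializeJsonToAcl(String json, boolean assumeAllow) throws ParseException {
  final Object parsed = new JSONParser().parse(json);
  if (!(parsed instanceof JSONArray)) {
    // Reported as an argument error instead of escaping as a ClassCastException from an unchecked cast.
    throw new IllegalArgumentException("The access control list must be a JSON array");
  }
  final List<AccessControlEntry> entries = new ArrayList<>();
  for (final Object element : (JSONArray) parsed) {
    if (!(element instanceof JSONObject)) {
      throw new IllegalArgumentException("Each access control element must be a JSON object");
    }
    final JSONObject aceJson = (JSONObject) element;
    final String action = memberOrEmpty(aceJson, ACTION_JSON_KEY);
    final String allow = assumeAllow ? "true" : memberOrEmpty(aceJson, ALLOW_JSON_KEY);
    final String role = memberOrEmpty(aceJson, ROLE_JSON_KEY);
    // Blank values count as missing.
    if (StringUtils.trimToNull(action) == null || StringUtils.trimToNull(allow) == null
            || StringUtils.trimToNull(role) == null) {
      throw new IllegalArgumentException(String.format(
              "One of the access control elements is missing a property. The action was '%s', allow was '%s' and the role was '%s'",
              action, allow, role));
    }
    entries.add(new AccessControlEntry(role, action, Boolean.parseBoolean(allow)));
  }
  return new AccessControlList(entries);
}

/**
 * Returns the string form of the given member of {@code object}, or the empty string when the member is absent.
 *
 * @param object
 *          the JSON object to read from
 * @param key
 *          the member name
 * @return {@code toString()} of the member's value, or {@code ""} if there is none
 */
private static String memberOrEmpty(final JSONObject object, final String key) {
  final Object value = object.get(key);
  return value != null ? value.toString() : "";
}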