use of org.opencastproject.security.api.UnauthorizedException in project opencast by opencast.
The class JpaGroupRoleProvider, method createGroup.
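/**
 * REST endpoint that creates a new group in the current user's organization.
 * <p>
 * The group id is derived from {@code name} (lower-cased, non-word characters replaced by
 * {@code _}). The authorization decision itself is made by {@link #addGroup}: an
 * {@link UnauthorizedException} raised there is mapped to {@code 403}, an
 * {@link IllegalArgumentException} to {@code 400}.
 *
 * @param name the group name (required; a missing or blank name yields {@code 400})
 * @param description optional group description
 * @param roles optional comma separated list of additional roles for the group
 * @param users optional comma separated list of group members
 * @return {@code 201} on success, {@code 400} for invalid input, {@code 403} when the caller
 *         is not allowed to create the group, {@code 409} when a group with this id already exists
 */
@POST
@Path("")
@RestQuery(name = "createGroup", description = "Add a group", returnDescription = "Return the status codes", restParameters = { @RestParameter(name = "name", description = "The group name", isRequired = true, type = Type.STRING), @RestParameter(name = "description", description = "The group description", isRequired = false, type = Type.STRING), @RestParameter(name = "roles", description = "A comma seperated string of additional group roles", isRequired = false, type = Type.TEXT), @RestParameter(name = "users", description = "A comma seperated string of group members", isRequired = false, type = Type.TEXT) }, reponses = { @RestResponse(responseCode = SC_CREATED, description = "Group created"), @RestResponse(responseCode = SC_BAD_REQUEST, description = "Name too long"), @RestResponse(responseCode = SC_FORBIDDEN, description = "Not enough permissions to create a group with the admin role."), @RestResponse(responseCode = SC_CONFLICT, description = "An group with this name already exists.") })
public Response createGroup(@FormParam("name") String name, @FormParam("description") String description,
        @FormParam("roles") String roles, @FormParam("users") String users) {
  // "name" is documented as required, but JAX-RS hands a missing form field to us as null.
  // Without this guard the toLowerCase() below throws and the client gets a 500 instead of a 400.
  if (StringUtils.isBlank(name)) {
    logger.warn("Rejecting group creation request without a group name");
    return Response.status(Status.BAD_REQUEST).build();
  }

  JpaOrganization organization = (JpaOrganization) securityService.getOrganization();

  Set<JpaRole> roleSet = new HashSet<JpaRole>();
  for (String role : splitTrimmed(roles)) {
    roleSet.add(new JpaRole(role, organization));
  }
  Set<String> members = splitTrimmed(users);

  // Locale.ROOT keeps the derived id independent of the JVM's default locale (e.g. the Turkish
  // dotless i); the id has to match what clients later pass to lookups such as findGroup.
  final String groupId = name.toLowerCase(java.util.Locale.ROOT).replaceAll("\\W", "_");

  // NOTE(review): this check-then-act is not atomic; two concurrent requests with the same name
  // can both pass it — presumably a unique constraint in the persistence layer catches that, confirm.
  JpaGroup existingGroup = UserDirectoryPersistenceUtil.findGroup(groupId, organization.getId(), emf);
  if (existingGroup != null) {
    return Response.status(SC_CONFLICT).build();
  }

  try {
    // addGroup performs the permission check for the requested roles (see the SC_FORBIDDEN
    // response documented above); this method only maps its outcome to HTTP status codes.
    addGroup(new JpaGroup(groupId, organization, name, description, roleSet, members));
  } catch (IllegalArgumentException e) {
    logger.warn("Unable to create group {}: {}", groupId, e.getMessage());
    return Response.status(Status.BAD_REQUEST).build();
  } catch (UnauthorizedException e) {
    return Response.status(SC_FORBIDDEN).build();
  }
  return Response.status(Status.CREATED).build();
}

/**
 * Splits a comma separated form value into its trimmed, de-duplicated tokens.
 *
 * @param csv the raw form value, may be {@code null}
 * @return the tokens; empty when {@code csv} is {@code null} or yields no tokens
 */
private static Set<String> splitTrimmed(String csv) {
  Set<String> tokens = new HashSet<String>();
  if (csv != null) {
    for (String token : StringUtils.split(csv, ",")) {
      tokens.add(StringUtils.trim(token));
    }
  }
  return tokens;
}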
use of org.opencastproject.security.api.UnauthorizedException in project opencast by opencast.
The class JpaGroupRoleProvider, method updateGroupMembershipFromRoles.
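/**
 * Updates a user's group membership so that it matches the given list of group roles.
 * <p>
 * {@code roleList} is treated as authoritative: the user is removed from every group whose role
 * is not in the list and added to every group whose role is in it. Groups that the current
 * security context may not modify ({@link UnauthorizedException} from {@link #addGroup}) are
 * logged at WARN level and skipped, so the resulting membership may be incomplete.
 *
 * @param userName
 *          the username
 * @param orgId
 *          the user's organization
 * @param roleList
 *          the list of group role names, must not be {@code null}
 */
public void updateGroupMembershipFromRoles(String userName, String orgId, List<String> roleList) {
  logger.debug("updateGroupMembershipFromRoles({}, size={})", userName, roleList.size());

  // Set copy for O(1) lookups; roleList.contains() inside the loop below would be quadratic
  Set<String> wantedRoles = new HashSet<String>(roleList);
  // Roles of groups the user already belongs to and keeps (or has just been added to)
  Set<String> membershipRoles = new HashSet<String>();

  // Groups the user currently is a member of
  List<JpaGroup> membership = UserDirectoryPersistenceUtil.findGroupsByUser(userName, orgId, emf);
  for (JpaGroup group : membership) {
    try {
      if (wantedRoles.contains(group.getRole())) {
        // record this membership
        membershipRoles.add(group.getRole());
      } else {
        // remove user from this group
        logger.debug("Removing user {} from group {}", userName, group.getRole());
        group.getMembers().remove(userName);
        addGroup(group);
      }
    } catch (UnauthorizedException e) {
      logger.warn("Unable to add or remove user {} from group {} - unauthorized", userName, group.getRole());
    }
  }

  // Now add the user to any groups that they are not already a member of
  for (String rolename : roleList) {
    if (membershipRoles.contains(rolename)) {
      continue;
    }
    JpaGroup group = UserDirectoryPersistenceUtil.findGroupByRole(rolename, orgId, emf);
    if (group == null) {
      logger.warn("Cannot add user {} to group {} - no group found with that role", userName, rolename);
      continue;
    }
    try {
      logger.debug("Adding user {} to group {}", userName, rolename);
      group.getMembers().add(userName);
      addGroup(group);
      // Remember the addition so a duplicate entry in roleList does not trigger a second update
      membershipRoles.add(rolename);
    } catch (UnauthorizedException e) {
      logger.warn("Unable to add user {} to group {} - unauthorized", userName, rolename);
    }
  }
}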
use of org.opencastproject.security.api.UnauthorizedException in project opencast by opencast.
The class JpaGroupRoleProviderTest, method testUpdateGroupNotAllowedAsNonAdminUser.
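/**
 * A user without the admin role must not be able to modify a group that carries the global
 * admin role: neither adding a role to it nor removing the admin role may succeed (403).
 */
@Test
public void testUpdateGroupNotAllowedAsNonAdminUser() throws UnauthorizedException {
  // Set-up, still running under the default (privileged) security context: create an admin group
  JpaGroup group = new JpaGroup("test", org1, "Test", "Test group", Collections.set(new JpaRole(SecurityConstants.GLOBAL_ADMIN_ROLE, org1)));
  try {
    provider.addGroup(group);
    Group loadGroup = provider.loadGroup(group.getGroupId(), group.getOrganization().getId());
    assertNotNull(loadGroup);
    // The stored group must be the one we created
    assertEquals(group.getGroupId(), loadGroup.getGroupId());
  } catch (Exception e) {
    fail("The group schould be added");
  }

  // Switch the security service to a plain, non-admin user
  JpaUser user = new JpaUser("user", "pass1", org1, "User", "user@localhost", "opencast", true, Collections.set(new JpaRole("ROLE_USER", org1)));
  SecurityService securityService = EasyMock.createNiceMock(SecurityService.class);
  EasyMock.expect(securityService.getUser()).andReturn(user).anyTimes();
  EasyMock.expect(securityService.getOrganization()).andReturn(org1).anyTimes();
  EasyMock.replay(securityService);
  provider.setSecurityService(securityService);

  try {
    // try add ROLE_USER while keeping the admin role
    Response updateGroupResponse = provider.updateGroup(group.getGroupId(), group.getName(), group.getDescription(), "ROLE_USER, " + SecurityConstants.GLOBAL_ADMIN_ROLE, null);
    assertNotNull(updateGroupResponse);
    assertEquals(HttpStatus.SC_FORBIDDEN, updateGroupResponse.getStatus());
    // try remove ROLE_ADMIN
    updateGroupResponse = provider.updateGroup(group.getGroupId(), group.getName(), group.getDescription(), "ROLE_USER", null);
    assertNotNull(updateGroupResponse);
    assertEquals(HttpStatus.SC_FORBIDDEN, updateGroupResponse.getStatus());
  } catch (NotFoundException e) {
    fail("The existing group isn't found");
  }
}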
use of org.opencastproject.security.api.UnauthorizedException in project opencast by opencast.
The class JpaUserProviderTest, method testRolesForUser.
/**
 * getRolesForUser must return only the roles assigned to that user, not every role the
 * provider knows about.
 */
@Test
public void testRolesForUser() {
  // A role nobody is assigned to: the provider then knows three roles, user1 holds two of them
  JpaRole unassignedRole = new JpaRole("ROLE_ASTRO_105_SPRING_2013_STUDENT", org1, "Astro role");
  provider.addRole(unassignedRole);

  JpaUser firstUser = createUserWithRoles(org1, "user1", "ROLE_ONE", "ROLE_TWO");
  try {
    provider.addUser(firstUser);
  } catch (UnauthorizedException e) {
    fail("User should be created");
  }

  int knownRoleCount = IteratorUtils.toList(provider.getRoles()).size();
  assertEquals("There should be three roles", 3, knownRoleCount);

  List<Role> userRoles = provider.getRolesForUser("user1");
  assertEquals("There should be two roles", 2, userRoles.size());
  String[] expectedNames = { "ROLE_ONE", "ROLE_TWO" };
  for (int i = 0; i < expectedNames.length; i++) {
    assertEquals(expectedNames[i], userRoles.get(i).getName());
  }
}
use of org.opencastproject.security.api.UnauthorizedException in project opencast by opencast.
The class JpaUserProviderTest, method testUpdateUserForbiddenForNonAdminUsers.
/**
 * A non-admin user must not be able to update an admin account, neither by adding a role to
 * it nor by stripping the admin role; both attempts must end in an UnauthorizedException.
 */
@Test
public void testUpdateUserForbiddenForNonAdminUsers() throws Exception {
  JpaUser adminUser = createUserWithRoles(org1, "admin", SecurityConstants.GLOBAL_ADMIN_ROLE);
  JpaUser plainUser = createUserWithRoles(org1, "user", "ROLE_USER");
  provider.addUser(adminUser);
  provider.addUser(plainUser);

  // From here on the provider acts on behalf of the non-admin user
  provider.setSecurityService(mockSecurityServiceWithUser(plainUser));

  // Attempt 1: grant ROLE_USER to the admin account (admin role kept)
  Set<JpaRole> adminPlusUserRole = Collections.set(new JpaRole("ROLE_USER", org1), new JpaRole(SecurityConstants.GLOBAL_ADMIN_ROLE, org1));
  try {
    provider.updateUser(new JpaUser(adminUser.getUsername(), adminUser.getPassword(), org1, adminUser.getName(), true, adminPlusUserRole));
    fail("The current user may not edit an admin user");
  } catch (UnauthorizedException expected) {
    // expected: editing an admin account is reserved to admins
  }

  // Attempt 2: strip the admin role from the admin account
  Set<JpaRole> userRoleOnly = Collections.set(new JpaRole("ROLE_USER", org1));
  try {
    provider.updateUser(new JpaUser(adminUser.getUsername(), adminUser.getPassword(), org1, adminUser.getName(), true, userRoleOnly));
    fail("The current user may not remove the admin role on other user");
  } catch (UnauthorizedException expected) {
    // expected: demoting an admin is reserved to admins
  }
}