Example 16 with OrcidAccessControlException

Use of org.orcid.core.exception.OrcidAccessControlException in the ORCID-Source project by ORCID.

From the class MemberV2ApiServiceDelegator_WorksTest, method testReadPublicScope_Works. With only the /read-public scope, public works and works this client is the source of must be readable, while limited or private works from another source must be rejected with OrcidAccessControlException.

@Test
public void testReadPublicScope_Works() {
    SecurityContextTestUtils.setUpSecurityContext(ORCID, ScopePathType.READ_PUBLIC);
    // Public works are readable with /read-public
    Response r = serviceDelegator.viewWork(ORCID, 11L);
    assertNotNull(r);
    assertEquals(Work.class.getName(), r.getEntity().getClass().getName());
    r = serviceDelegator.viewWorkSummary(ORCID, 11L);
    assertNotNull(r);
    assertEquals(WorkSummary.class.getName(), r.getEntity().getClass().getName());
    // Limited visibility where this client is the source should work
    serviceDelegator.viewWork(ORCID, 12L);
    serviceDelegator.viewWorkSummary(ORCID, 12L);
    // Limited visibility with another source should fail
    try {
        serviceDelegator.viewWork(ORCID, 14L);
        fail();
    } catch (OrcidAccessControlException e) {
        // expected
    } catch (Exception e) {
        fail();
    }
    try {
        serviceDelegator.viewWorkSummary(ORCID, 14L);
        fail();
    } catch (OrcidAccessControlException e) {
        // expected
    } catch (Exception e) {
        fail();
    }
    // Private visibility where this client is the source should work
    serviceDelegator.viewWork(ORCID, 13L);
    serviceDelegator.viewWorkSummary(ORCID, 13L);
    // Private visibility with another source should fail
    try {
        serviceDelegator.viewWork(ORCID, 15L);
        fail();
    } catch (OrcidAccessControlException e) {
        // expected
    } catch (Exception e) {
        fail();
    }
    try {
        serviceDelegator.viewWorkSummary(ORCID, 15L);
        fail();
    } catch (OrcidAccessControlException e) {
        // expected
    } catch (Exception e) {
        fail();
    }
}
Also used: Response(javax.ws.rs.core.Response) WorkSummary(org.orcid.jaxb.model.record.summary_v2.WorkSummary) Work(org.orcid.jaxb.model.record_v2.Work) OrcidAccessControlException(org.orcid.core.exception.OrcidAccessControlException) ExceedMaxNumberOfPutCodesException(org.orcid.core.exception.ExceedMaxNumberOfPutCodesException) NoResultException(javax.persistence.NoResultException) VisibilityMismatchException(org.orcid.core.exception.VisibilityMismatchException) OrcidNoResultException(org.orcid.core.exception.OrcidNoResultException) WrongSourceException(org.orcid.core.exception.WrongSourceException) ActivityIdentifierValidationException(org.orcid.core.exception.ActivityIdentifierValidationException) OrcidVisibilityException(org.orcid.core.exception.OrcidVisibilityException) OrcidUnauthorizedException(org.orcid.core.exception.OrcidUnauthorizedException) DBUnitTest(org.orcid.test.DBUnitTest) Test(org.junit.Test)

Example 17 with OrcidAccessControlException

Use of org.orcid.core.exception.OrcidAccessControlException in the ORCID-Source project by ORCID.

From the class MemberV2ApiServiceDelegator_OtherNamesTest, method testReadPublicScope_OtherNames. The list endpoint must return only the other names this client is allowed to see, and single-element reads of limited or private entries from another source must be rejected.

@Test
public void testReadPublicScope_OtherNames() {
    SecurityContextTestUtils.setUpSecurityContext(ORCID, ScopePathType.READ_PUBLIC);
    // Public other names are readable with /read-public
    Response r = serviceDelegator.viewOtherNames(ORCID);
    assertNotNull(r);
    assertEquals(OtherNames.class.getName(), r.getEntity().getClass().getName());
    OtherNames o = (OtherNames) r.getEntity();
    assertNotNull(o);
    Utils.verifyLastModified(o.getLastModifiedDate());
    // The list contains only the three elements this client may see (put codes 13, 14 and 15)
    assertEquals(3, o.getOtherNames().size());
    boolean found1 = false, found2 = false, found3 = false;
    for (OtherName element : o.getOtherNames()) {
        Utils.verifyLastModified(element.getLastModifiedDate());
        if (element.getPutCode() == 13) {
            found1 = true;
        } else if (element.getPutCode() == 14) {
            found2 = true;
        } else if (element.getPutCode() == 15) {
            found3 = true;
        } else {
            fail("Invalid put code " + element.getPutCode());
        }
    }
    assertTrue(found1);
    assertTrue(found2);
    assertTrue(found3);
    r = serviceDelegator.viewOtherName(ORCID, 13L);
    assertNotNull(r);
    assertEquals(OtherName.class.getName(), r.getEntity().getClass().getName());
    // Limited visibility where this client is the source should work
    serviceDelegator.viewOtherName(ORCID, 14L);
    // Limited visibility where this client is not the source should fail
    try {
        serviceDelegator.viewOtherName(ORCID, 16L);
        fail();
    } catch (OrcidAccessControlException e) {
        // expected
    } catch (Exception e) {
        fail();
    }
    // Private visibility where this client is the source should work
    serviceDelegator.viewOtherName(ORCID, 15L);
    // Private visibility where this client is not the source should fail
    try {
        serviceDelegator.viewOtherName(ORCID, 17L);
        fail();
    } catch (OrcidAccessControlException e) {
        // expected
    } catch (Exception e) {
        fail();
    }
}
Also used: Response(javax.ws.rs.core.Response) OtherNames(org.orcid.jaxb.model.record_v2.OtherNames) OtherName(org.orcid.jaxb.model.record_v2.OtherName) OrcidAccessControlException(org.orcid.core.exception.OrcidAccessControlException) NoResultException(javax.persistence.NoResultException) VisibilityMismatchException(org.orcid.core.exception.VisibilityMismatchException) OrcidVisibilityException(org.orcid.core.exception.OrcidVisibilityException) OrcidUnauthorizedException(org.orcid.core.exception.OrcidUnauthorizedException) WrongSourceException(org.orcid.core.exception.WrongSourceException) DBUnitTest(org.orcid.test.DBUnitTest) Test(org.junit.Test)

Example 18 with OrcidAccessControlException

Use of org.orcid.core.exception.OrcidAccessControlException in the ORCID-Source project by ORCID.

From the class OrcidSecurityManagerImpl, method checkAndFilter. This is the check the tests above exercise: the token must belong to the record owner, the source client of an element always gets it back, a PUBLIC element only needs /read-public, and anything else is filtered against the required scope.

/**
 * Check the permissions of a request over an element. Private
 * implementation that takes an extra parameter indicating whether the
 * token must still be checked or was already checked by the caller.
 *
 * @param orcid
 *            The user who owns the element
 * @param element
 *            The element to check
 * @param requiredScope
 *            The scope required to access this element
 * @param tokenAlreadyChecked
 *            Indicates that the token was already checked by the caller, so
 *            the check is not repeated here
 * @throws OrcidUnauthorizedException
 *             In case the token used was not issued for the owner of the
 *             element
 * @throws OrcidAccessControlException
 *             In case the request doesn't have the required scopes
 * @throws OrcidVisibilityException
 *             In case the element is not visible due to its visibility
 *             setting
 */
private void checkAndFilter(String orcid, VisibilityType element, ScopePathType requiredScope, boolean tokenAlreadyChecked) {
    if (element == null) {
        return;
    }
    // Check the token was issued for this user
    if (!tokenAlreadyChecked) {
        isMyToken(orcid);
    }
    // Check if the client is the source of the element
    if (element instanceof Filterable) {
        Filterable filterable = (Filterable) element;
        OAuth2Authentication oAuth2Authentication = getOAuth2Authentication();
        if (oAuth2Authentication != null) {
            OAuth2Request authorizationRequest = oAuth2Authentication.getOAuth2Request();
            String clientId = authorizationRequest.getClientId();
            if (clientId.equals(filterable.retrieveSourcePath())) {
                // The client doing the request is the source of the element
                return;
            }
        }
    }
    // /read-public scope is enough for a PUBLIC element
    if (Visibility.PUBLIC.equals(element.getVisibility())) {
        try {
            checkScopes(ScopePathType.READ_PUBLIC);
            // The token has /read-public, so the element can be returned
            return;
        } catch (OrcidAccessControlException e) {
            // No /read-public scope: fall through and filter by requiredScope
        }
    }
    }
    // Filter
    filter(element, requiredScope);
}
Also used: OAuth2Request(org.springframework.security.oauth2.provider.OAuth2Request) Filterable(org.orcid.jaxb.model.common_v2.Filterable) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) OrcidAccessControlException(org.orcid.core.exception.OrcidAccessControlException)

Example 19 with OrcidAccessControlException

Use of org.orcid.core.exception.OrcidAccessControlException in the ORCID-Source project by ORCID.

From the class MemberV3ApiServiceDelegator_QualificationsTest, method testReadPublicScope_Qualifications. Same pattern as the works test, against the v3 qualification endpoints.

@Test
public void testReadPublicScope_Qualifications() {
    SecurityContextTestUtils.setUpSecurityContext(ORCID, ScopePathType.READ_PUBLIC);
    // Public qualifications are readable with /read-public
    Response r = serviceDelegator.viewQualification(ORCID, 42L);
    assertNotNull(r);
    assertEquals(Qualification.class.getName(), r.getEntity().getClass().getName());
    r = serviceDelegator.viewQualificationSummary(ORCID, 42L);
    assertNotNull(r);
    assertEquals(QualificationSummary.class.getName(), r.getEntity().getClass().getName());
    // Limited visibility where this client is the source should work
    serviceDelegator.viewQualification(ORCID, 43L);
    serviceDelegator.viewQualificationSummary(ORCID, 43L);
    // Private visibility where this client is the source should work
    serviceDelegator.viewQualification(ORCID, 44L);
    serviceDelegator.viewQualificationSummary(ORCID, 44L);
    // Limited visibility where this client is not the source should fail
    try {
        serviceDelegator.viewQualification(ORCID, 45L);
        fail();
    } catch (OrcidAccessControlException e) {
        // expected
    } catch (Exception e) {
        fail();
    }
    try {
        serviceDelegator.viewQualificationSummary(ORCID, 45L);
        fail();
    } catch (OrcidAccessControlException e) {
        // expected
    } catch (Exception e) {
        fail();
    }
    // Private visibility where this client is not the source should fail
    try {
        serviceDelegator.viewQualification(ORCID, 45L);
        fail();
    } catch (OrcidAccessControlException e) {
        // expected
    } catch (Exception e) {
        fail();
    }
    try {
        serviceDelegator.viewQualificationSummary(ORCID, 45L);
        fail();
    } catch (OrcidAccessControlException e) {
        // expected
    } catch (Exception e) {
        fail();
    }
}
Also used: Response(javax.ws.rs.core.Response) Qualification(org.orcid.jaxb.model.v3.dev1.record.Qualification) QualificationSummary(org.orcid.jaxb.model.v3.dev1.record.summary.QualificationSummary) OrcidAccessControlException(org.orcid.core.exception.OrcidAccessControlException) NoResultException(javax.persistence.NoResultException) VisibilityMismatchException(org.orcid.core.exception.VisibilityMismatchException) WrongSourceException(org.orcid.core.exception.WrongSourceException) OrcidDuplicatedActivityException(org.orcid.core.exception.OrcidDuplicatedActivityException) OrcidValidationException(org.orcid.core.exception.OrcidValidationException) OrcidVisibilityException(org.orcid.core.exception.OrcidVisibilityException) OrcidUnauthorizedException(org.orcid.core.exception.OrcidUnauthorizedException) DBUnitTest(org.orcid.test.DBUnitTest) Test(org.junit.Test)

Example 20 with OrcidAccessControlException

Use of org.orcid.core.exception.OrcidAccessControlException in the ORCID-Source project by ORCID.

From the class MemberV3ApiServiceDelegator_ResearcherUrlsTest, method testReadPublicScope_ResearcherUrls. The list endpoint must return only the researcher URLs this client may see, and single-element reads of limited or private entries from another source must be rejected.

@Test
public void testReadPublicScope_ResearcherUrls() {
    SecurityContextTestUtils.setUpSecurityContext(ORCID, ScopePathType.READ_PUBLIC);
    // Public researcher URLs are readable with /read-public
    Response r = serviceDelegator.viewResearcherUrls(ORCID);
    assertNotNull(r);
    ResearcherUrls ru = (ResearcherUrls) r.getEntity();
    assertNotNull(ru);
    assertEquals("/0000-0000-0000-0003/researcher-urls", ru.getPath());
    Utils.verifyLastModified(ru.getLastModifiedDate());
    // The list contains only the three elements this client may see (put codes 13, 14 and 15)
    assertEquals(3, ru.getResearcherUrls().size());
    boolean found13 = false, found14 = false, found15 = false;
    for (ResearcherUrl element : ru.getResearcherUrls()) {
        if (element.getPutCode() == 13) {
            found13 = true;
        } else if (element.getPutCode() == 14) {
            found14 = true;
        } else if (element.getPutCode() == 15) {
            found15 = true;
        } else {
            fail("Invalid put code " + element.getPutCode());
        }
    }
    assertTrue(found13);
    assertTrue(found14);
    assertTrue(found15);
    r = serviceDelegator.viewResearcherUrl(ORCID, 13L);
    assertNotNull(r);
    assertEquals(ResearcherUrl.class.getName(), r.getEntity().getClass().getName());
    // Limited visibility where this client is the source should work
    serviceDelegator.viewResearcherUrl(ORCID, 14L);
    // Limited visibility where this client is not the source should fail
    try {
        serviceDelegator.viewResearcherUrl(ORCID, 16L);
        fail();
    } catch (OrcidAccessControlException e) {
        // expected
    } catch (Exception e) {
        fail();
    }
    // Private visibility where this client is the source should work
    serviceDelegator.viewResearcherUrl(ORCID, 15L);
    // Private visibility where this client is not the source should fail
    try {
        serviceDelegator.viewResearcherUrl(ORCID, 17L);
        fail();
    } catch (OrcidAccessControlException e) {
        // expected
    } catch (Exception e) {
        fail();
    }
}
Also used: Response(javax.ws.rs.core.Response) ResearcherUrls(org.orcid.jaxb.model.v3.dev1.record.ResearcherUrls) ResearcherUrl(org.orcid.jaxb.model.v3.dev1.record.ResearcherUrl) OrcidAccessControlException(org.orcid.core.exception.OrcidAccessControlException) NoResultException(javax.persistence.NoResultException) VisibilityMismatchException(org.orcid.core.exception.VisibilityMismatchException) WrongSourceException(org.orcid.core.exception.WrongSourceException) OrcidVisibilityException(org.orcid.core.exception.OrcidVisibilityException) OrcidUnauthorizedException(org.orcid.core.exception.OrcidUnauthorizedException) DBUnitTest(org.orcid.test.DBUnitTest) Test(org.junit.Test)

Aggregations

OrcidAccessControlException (org.orcid.core.exception.OrcidAccessControlException) 31
NoResultException (javax.persistence.NoResultException) 25
Response (javax.ws.rs.core.Response) 25
Test (org.junit.Test) 25
OrcidUnauthorizedException (org.orcid.core.exception.OrcidUnauthorizedException) 25
OrcidVisibilityException (org.orcid.core.exception.OrcidVisibilityException) 25
VisibilityMismatchException (org.orcid.core.exception.VisibilityMismatchException) 25
WrongSourceException (org.orcid.core.exception.WrongSourceException) 25
DBUnitTest (org.orcid.test.DBUnitTest) 25
OrcidDuplicatedActivityException (org.orcid.core.exception.OrcidDuplicatedActivityException) 9
OrcidValidationException (org.orcid.core.exception.OrcidValidationException) 7
ActivityIdentifierValidationException (org.orcid.core.exception.ActivityIdentifierValidationException) 6
OAuth2Authentication (org.springframework.security.oauth2.provider.OAuth2Authentication) 4
OAuth2Request (org.springframework.security.oauth2.provider.OAuth2Request) 4
ArrayList (java.util.ArrayList) 2
List (java.util.List) 2
ExceedMaxNumberOfPutCodesException (org.orcid.core.exception.ExceedMaxNumberOfPutCodesException) 2
OrcidNoResultException (org.orcid.core.exception.OrcidNoResultException) 2
ScopePathType (org.orcid.jaxb.model.message.ScopePathType) 2
Filterable (org.orcid.jaxb.model.common_v2.Filterable) 1