use of org.orcid.core.exception.OrcidAccessControlException in project ORCID-Source by ORCID.
the class MemberV3ApiServiceDelegator_ServicesTest method testReadPublicScope_Services.
@Test
public void testReadPublicScope_Services() {
    SecurityContextTestUtils.setUpSecurityContext(ORCID, ScopePathType.READ_PUBLIC);

    // Public service: both the full element and its summary are readable
    Response response = serviceDelegator.viewService(ORCID, 47L);
    assertNotNull(response);
    assertEquals(Service.class.getName(), response.getEntity().getClass().getName());
    response = serviceDelegator.viewServiceSummary(ORCID, 47L);
    assertNotNull(response);
    assertEquals(ServiceSummary.class.getName(), response.getEntity().getClass().getName());

    // Limited service whose source is this client: readable
    serviceDelegator.viewService(ORCID, 48L);
    serviceDelegator.viewServiceSummary(ORCID, 48L);

    // Private service whose source is this client: readable
    serviceDelegator.viewService(ORCID, 49L);
    serviceDelegator.viewServiceSummary(ORCID, 49L);

    // Limited service from another source: access denied
    assertServiceAccessDenied(50L);

    // Private service from another source: access denied
    // NOTE(review): this case reuses put code 50L, the same fixture as the
    // limited case above, so a private element from another source is never
    // actually exercised here - confirm the intended fixture put code
    assertServiceAccessDenied(50L);
}

// Asserts that neither the service nor its summary can be read for the given
// put code: the only acceptable outcome is OrcidAccessControlException.
private void assertServiceAccessDenied(long putCode) {
    try {
        serviceDelegator.viewService(ORCID, putCode);
        fail();
    } catch (OrcidAccessControlException expected) {
        // expected: read-public token and this client is not the source
    } catch (Exception e) {
        fail();
    }
    try {
        serviceDelegator.viewServiceSummary(ORCID, putCode);
        fail();
    } catch (OrcidAccessControlException expected) {
        // expected: read-public token and this client is not the source
    } catch (Exception e) {
        fail();
    }
}
use of org.orcid.core.exception.OrcidAccessControlException in project ORCID-Source by ORCID.
the class OrcidSecurityManagerImpl method checkAndFilter.
/**
 * Checks whether the current request may see {@code element} and, when it may
 * not, hands the element to {@link #filter} for the required scope.
 * <p>
 * Decision order: the element's source client is always allowed through
 * (no scope or visibility check at all), then a PUBLIC element is allowed
 * through for any token carrying the {@code READ_PUBLIC} scope, and only
 * otherwise is the element filtered against {@code requiredScope}.
 *
 * @param orcid
 *            The ORCID iD owning the element
 * @param element
 *            The element to check; {@code null} is accepted and ignored
 * @param requiredScope
 *            The scope needed to access this element when the cheaper checks
 *            above do not apply
 * @param tokenAlreadyChecked
 *            {@code true} when the caller has already verified the token was
 *            issued for {@code orcid}; the check is then skipped here, so the
 *            caller is trusted to have done it
 * @throws OrcidUnauthorizedException
 *             In case the token used was not issued for the owner of the
 *             element
 * @throws OrcidAccessControlException
 *             In case the request doesn't have the required scopes
 * @throws OrcidVisibilityException
 *             In case the element is not visible due the visibility
 */
private void checkAndFilter(String orcid, VisibilityType element, ScopePathType requiredScope, boolean tokenAlreadyChecked) {
    if (element == null) {
        return;
    }

    if (!tokenAlreadyChecked) {
        // Verify the token was issued for this record before anything else
        isMyToken(orcid);
    }

    if (requestingClientIsSourceOf(element)) {
        // The client doing the request created the element: always visible
        return;
    }

    if (Visibility.PUBLIC.equals(element.getVisibility()) && requestHasReadPublicScope()) {
        // Public element and the token carries /read-public
        return;
    }

    // Everything else must pass the scope/visibility filter
    filter(element, requiredScope);
}

// Returns true when the element records a source and that source is the
// client id of the current OAuth2 request. A non-Filterable element, or a
// request with no OAuth2 authentication, is never considered the source.
private boolean requestingClientIsSourceOf(VisibilityType element) {
    if (!(element instanceof Filterable)) {
        return false;
    }
    OAuth2Authentication authentication = getOAuth2Authentication();
    if (authentication == null) {
        return false;
    }
    OAuth2Request request = authentication.getOAuth2Request();
    String clientId = request.getClientId();
    return clientId.equals(((Filterable) element).retrieveSourcePath());
}

// Returns true when checkScopes accepts READ_PUBLIC for the current request.
// Only OrcidAccessControlException is turned into "false"; any other failure
// raised by checkScopes propagates unchanged.
private boolean requestHasReadPublicScope() {
    try {
        checkScopes(ScopePathType.READ_PUBLIC);
        return true;
    } catch (OrcidAccessControlException e) {
        return false;
    }
}
use of org.orcid.core.exception.OrcidAccessControlException in project ORCID-Source by ORCID.
the class OrcidSecurityManagerImpl method checkScopes.
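/**
 * Verifies that the current OAuth2 request was granted at least one scope
 * covering one of {@code requiredScopes}.
 * <p>
 * A request with no OAuth2 authentication has no granted scopes, so it is
 * rejected with {@link OrcidAccessControlException} rather than failing with a
 * {@code NullPointerException}: the outcome is the same (access denied) but
 * callers that catch the declared exception now see it consistently.
 *
 * @param requiredScopes
 *            The scopes of which at least one must be covered by the token;
 *            with none given, every request is rejected
 * @throws OrcidAccessControlException
 *             If there is no OAuth2 authentication, or none of the granted
 *             scopes covers any required scope
 */
@Override
public void checkScopes(ScopePathType... requiredScopes) {
    // Verify the client is not a public client
    checkClientType();

    OAuth2Authentication oAuth2Authentication = getOAuth2Authentication();
    if (oAuth2Authentication == null || oAuth2Authentication.getOAuth2Request() == null) {
        // Fail closed: no authenticated request means no granted scopes
        throw new OrcidAccessControlException();
    }

    OAuth2Request authorizationRequest = oAuth2Authentication.getOAuth2Request();
    Set<ScopePathType> grantedScopes = ScopePathType.getScopesFromStrings(authorizationRequest.getScope());
    for (ScopePathType granted : grantedScopes) {
        for (ScopePathType required : requiredScopes) {
            // hasScope decides coverage (e.g. a broader scope implying a narrower one)
            if (granted.hasScope(required)) {
                return;
            }
        }
    }
    throw new OrcidAccessControlException();
}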
use of org.orcid.core.exception.OrcidAccessControlException in project ORCID-Source by ORCID.
the class MemberV3ApiServiceDelegator_AddressesTest method testReadPublicScope_Address.
@Test
public void testReadPublicScope_Address() {
    SecurityContextTestUtils.setUpSecurityContext(ORCID, ScopePathType.READ_PUBLIC);

    // The address collection is readable with a read-public token
    Response response = serviceDelegator.viewAddresses(ORCID);
    assertNotNull(response);
    assertEquals(Addresses.class.getName(), response.getEntity().getClass().getName());
    Addresses addresses = (Addresses) response.getEntity();
    assertNotNull(addresses);
    assertEquals("/0000-0000-0000-0003/address", addresses.getPath());
    Utils.verifyLastModified(addresses.getLastModifiedDate());
    assertEquals(3, addresses.getAddress().size());

    // Exactly put codes 9, 10 and 11 are returned; anything else is a failure
    boolean sawPutCode9 = false;
    boolean sawPutCode10 = false;
    boolean sawPutCode11 = false;
    for (Address address : addresses.getAddress()) {
        if (address.getPutCode() == 9) {
            sawPutCode9 = true;
            continue;
        }
        if (address.getPutCode() == 10) {
            sawPutCode10 = true;
            continue;
        }
        if (address.getPutCode() == 11) {
            sawPutCode11 = true;
            continue;
        }
        fail("Invalid put code " + address.getPutCode());
    }
    assertTrue(sawPutCode9);
    assertTrue(sawPutCode10);
    assertTrue(sawPutCode11);

    // Public address: readable
    response = serviceDelegator.viewAddress(ORCID, 9L);
    assertNotNull(response);
    assertEquals(Address.class.getName(), response.getEntity().getClass().getName());

    // Limited address whose source is this client: readable
    serviceDelegator.viewAddress(ORCID, 10L);
    // Limited address from another source: access denied
    assertAddressAccessDenied(12L);

    // Private address whose source is this client: readable
    serviceDelegator.viewAddress(ORCID, 11L);
    // Private address from another source: access denied
    assertAddressAccessDenied(13L);
}

// Asserts that the address with the given put code cannot be read: the only
// acceptable outcome is OrcidAccessControlException.
private void assertAddressAccessDenied(long putCode) {
    try {
        serviceDelegator.viewAddress(ORCID, putCode);
        fail();
    } catch (OrcidAccessControlException expected) {
        // expected: read-public token and this client is not the source
    } catch (Exception e) {
        fail();
    }
}
use of org.orcid.core.exception.OrcidAccessControlException in project ORCID-Source by ORCID.
the class MemberV3ApiServiceDelegator_EducationsTest method testReadPublicScope_Educations.
@Test
public void testReadPublicScope_Educations() {
    SecurityContextTestUtils.setUpSecurityContext(ORCID, ScopePathType.READ_PUBLIC);

    // Public education: both the full element and its summary are readable
    Response response = serviceDelegator.viewEducation(ORCID, 20L);
    assertNotNull(response);
    assertEquals(Education.class.getName(), response.getEntity().getClass().getName());
    response = serviceDelegator.viewEducationSummary(ORCID, 20L);
    assertNotNull(response);
    assertEquals(EducationSummary.class.getName(), response.getEntity().getClass().getName());

    // Limited education whose source is this client: readable
    serviceDelegator.viewEducation(ORCID, 21L);
    serviceDelegator.viewEducationSummary(ORCID, 21L);
    // Limited education from another source: access denied
    assertEducationAccessDenied(25L);

    // Private education whose source is this client: readable
    serviceDelegator.viewEducation(ORCID, 22L);
    serviceDelegator.viewEducationSummary(ORCID, 22L);
    // Private education from another source: access denied
    assertEducationAccessDenied(26L);
}

// Asserts that neither the education nor its summary can be read for the
// given put code: the only acceptable outcome is OrcidAccessControlException.
private void assertEducationAccessDenied(long putCode) {
    try {
        serviceDelegator.viewEducation(ORCID, putCode);
        fail();
    } catch (OrcidAccessControlException expected) {
        // expected: read-public token and this client is not the source
    } catch (Exception e) {
        fail();
    }
    try {
        serviceDelegator.viewEducationSummary(ORCID, putCode);
        fail();
    } catch (OrcidAccessControlException expected) {
        // expected: read-public token and this client is not the source
    } catch (Exception e) {
        fail();
    }
}