Example 21 with OrcidAccessControlException

use of org.orcid.core.exception.OrcidAccessControlException in project ORCID-Source by ORCID.

the class MemberV3ApiServiceDelegator_ServicesTest method testReadPublicScope_Services.

@Test
public void testReadPublicScope_Services() {
    SecurityContextTestUtils.setUpSecurityContext(ORCID, ScopePathType.READ_PUBLIC);
    Response r = serviceDelegator.viewService(ORCID, 47L);
    assertNotNull(r);
    assertEquals(Service.class.getName(), r.getEntity().getClass().getName());
    r = serviceDelegator.viewServiceSummary(ORCID, 47L);
    assertNotNull(r);
    assertEquals(ServiceSummary.class.getName(), r.getEntity().getClass().getName());
    // Limited-visibility element where this client is the source: should work
    serviceDelegator.viewService(ORCID, 48L);
    serviceDelegator.viewServiceSummary(ORCID, 48L);
    // Private element where this client is the source: should work
    serviceDelegator.viewService(ORCID, 49L);
    serviceDelegator.viewServiceSummary(ORCID, 49L);
    // Limited-visibility element where this client is not the source: should fail
    try {
        serviceDelegator.viewService(ORCID, 50L);
        fail();
    } catch (OrcidAccessControlException e) {
    } catch (Exception e) {
        fail();
    }
    try {
        serviceDelegator.viewServiceSummary(ORCID, 50L);
        fail();
    } catch (OrcidAccessControlException e) {
    } catch (Exception e) {
        fail();
    }
    // Private element where this client is not the source: should fail
    try {
        serviceDelegator.viewService(ORCID, 50L);
        fail();
    } catch (OrcidAccessControlException e) {
    } catch (Exception e) {
        fail();
    }
    try {
        serviceDelegator.viewServiceSummary(ORCID, 50L);
        fail();
    } catch (OrcidAccessControlException e) {
    } catch (Exception e) {
        fail();
    }
}
Also used : Response(javax.ws.rs.core.Response) Service(org.orcid.jaxb.model.v3.dev1.record.Service) ServiceSummary(org.orcid.jaxb.model.v3.dev1.record.summary.ServiceSummary) OrcidAccessControlException(org.orcid.core.exception.OrcidAccessControlException) NoResultException(javax.persistence.NoResultException) VisibilityMismatchException(org.orcid.core.exception.VisibilityMismatchException) WrongSourceException(org.orcid.core.exception.WrongSourceException) OrcidDuplicatedActivityException(org.orcid.core.exception.OrcidDuplicatedActivityException) OrcidValidationException(org.orcid.core.exception.OrcidValidationException) OrcidAccessControlException(org.orcid.core.exception.OrcidAccessControlException) OrcidVisibilityException(org.orcid.core.exception.OrcidVisibilityException) OrcidUnauthorizedException(org.orcid.core.exception.OrcidUnauthorizedException) DBUnitTest(org.orcid.test.DBUnitTest) Test(org.junit.Test)

Example 22 with OrcidAccessControlException

use of org.orcid.core.exception.OrcidAccessControlException in project ORCID-Source by ORCID.

the class OrcidSecurityManagerImpl method checkAndFilter.

/**
 * Check the permissions of a request over an element. Private
 * implementation that will also include a parameter that indicates if we
 * should check the token or, if it was already checked previously
 *
 * @param orcid
 *            The user owner of the element
 * @param element
 *            The element to check
 * @param requiredScope
 *            The required scope to access this element
 * @param tokenAlreadyChecked
 *            Indicates if the token was already checked previously, so, we
 *            don't expend time checking it again
 * @throws OrcidUnauthorizedException
 *             In case the token used was not issued for the owner of the
 *             element
 * @throws OrcidAccessControlException
 *             In case the request doesn't have the required scopes
 * @throws OrcidVisibilityException
 *             In case the element is not visible due the visibility
 */
private void checkAndFilter(String orcid, VisibilityType element, ScopePathType requiredScope, boolean tokenAlreadyChecked) {
    if (element == null) {
        return;
    }
    // Check the token was issued for this user
    if (!tokenAlreadyChecked) {
        isMyToken(orcid);
    }
    // Check if the client is the source of the element
    if (element instanceof Filterable) {
        Filterable filterable = (Filterable) element;
        OAuth2Authentication oAuth2Authentication = getOAuth2Authentication();
        if (oAuth2Authentication != null) {
            OAuth2Request authorizationRequest = oAuth2Authentication.getOAuth2Request();
            String clientId = authorizationRequest.getClientId();
            if (clientId.equals(filterable.retrieveSourcePath())) {
                // The client doing the request is the source of the element
                return;
            }
        }
    }
    // /read-public scope
    if (Visibility.PUBLIC.equals(element.getVisibility())) {
        try {
            checkScopes(ScopePathType.READ_PUBLIC);
            // can return it
            return;
        } catch (OrcidAccessControlException e) {
            // No /read-public scope on the token: fall through to filtering
        }
    }
    // Filter
    filter(element, requiredScope);
}
Also used : OAuth2Request(org.springframework.security.oauth2.provider.OAuth2Request) Filterable(org.orcid.jaxb.model.v3.dev1.common.Filterable) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) OrcidAccessControlException(org.orcid.core.exception.OrcidAccessControlException)

Example 23 with OrcidAccessControlException

use of org.orcid.core.exception.OrcidAccessControlException in project ORCID-Source by ORCID.

the class OrcidSecurityManagerImpl method checkScopes.

@Override
public void checkScopes(ScopePathType... requiredScopes) {
    // Verify the client is not a public client
    checkClientType();
    OAuth2Authentication oAuth2Authentication = getOAuth2Authentication();
    OAuth2Request authorizationRequest = oAuth2Authentication.getOAuth2Request();
    Set<ScopePathType> requestedScopes = ScopePathType.getScopesFromStrings(authorizationRequest.getScope());
    // Any requested scope that covers one of the required scopes is enough
    for (ScopePathType scope : requestedScopes) {
        for (ScopePathType requiredScope : requiredScopes) {
            if (scope.hasScope(requiredScope)) {
                return;
            }
        }
    }
    throw new OrcidAccessControlException();
}
Also used : OAuth2Request(org.springframework.security.oauth2.provider.OAuth2Request) ScopePathType(org.orcid.jaxb.model.message.ScopePathType) OAuth2Authentication(org.springframework.security.oauth2.provider.OAuth2Authentication) OrcidAccessControlException(org.orcid.core.exception.OrcidAccessControlException)

Example 24 with OrcidAccessControlException

use of org.orcid.core.exception.OrcidAccessControlException in project ORCID-Source by ORCID.

the class MemberV3ApiServiceDelegator_AddressesTest method testReadPublicScope_Address.

@Test
public void testReadPublicScope_Address() {
    SecurityContextTestUtils.setUpSecurityContext(ORCID, ScopePathType.READ_PUBLIC);
    // Public works
    Response r = serviceDelegator.viewAddresses(ORCID);
    assertNotNull(r);
    assertEquals(Addresses.class.getName(), r.getEntity().getClass().getName());
    Addresses a = (Addresses) r.getEntity();
    assertNotNull(a);
    assertEquals("/0000-0000-0000-0003/address", a.getPath());
    Utils.verifyLastModified(a.getLastModifiedDate());
    assertEquals(3, a.getAddress().size());
    boolean found9 = false, found10 = false, found11 = false;
    for (Address address : a.getAddress()) {
        if (address.getPutCode() == 9) {
            found9 = true;
        } else if (address.getPutCode() == 10) {
            found10 = true;
        } else if (address.getPutCode() == 11) {
            found11 = true;
        } else {
            fail("Invalid put code " + address.getPutCode());
        }
    }
    assertTrue(found9);
    assertTrue(found10);
    assertTrue(found11);
    r = serviceDelegator.viewAddress(ORCID, 9L);
    assertNotNull(r);
    assertEquals(Address.class.getName(), r.getEntity().getClass().getName());
    // Limited-visibility address where this client is the source: should work
    serviceDelegator.viewAddress(ORCID, 10L);
    try {
        // Limited-visibility address where this client is not the source: should fail
        serviceDelegator.viewAddress(ORCID, 12L);
        fail();
    } catch (OrcidAccessControlException e) {
    } catch (Exception e) {
        fail();
    }
    // Private address where this client is the source: should work
    serviceDelegator.viewAddress(ORCID, 11L);
    try {
        // Private address where this client is not the source: should fail
        serviceDelegator.viewAddress(ORCID, 13L);
        fail();
    } catch (OrcidAccessControlException e) {
    } catch (Exception e) {
        fail();
    }
}
Also used : Response(javax.ws.rs.core.Response) Addresses(org.orcid.jaxb.model.v3.dev1.record.Addresses) Address(org.orcid.jaxb.model.v3.dev1.record.Address) OrcidAccessControlException(org.orcid.core.exception.OrcidAccessControlException) NoResultException(javax.persistence.NoResultException) VisibilityMismatchException(org.orcid.core.exception.VisibilityMismatchException) WrongSourceException(org.orcid.core.exception.WrongSourceException) OrcidAccessControlException(org.orcid.core.exception.OrcidAccessControlException) OrcidVisibilityException(org.orcid.core.exception.OrcidVisibilityException) OrcidUnauthorizedException(org.orcid.core.exception.OrcidUnauthorizedException) DBUnitTest(org.orcid.test.DBUnitTest) Test(org.junit.Test)

Example 25 with OrcidAccessControlException

use of org.orcid.core.exception.OrcidAccessControlException in project ORCID-Source by ORCID.

the class MemberV3ApiServiceDelegator_EducationsTest method testReadPublicScope_Educations.

@Test
public void testReadPublicScope_Educations() {
    SecurityContextTestUtils.setUpSecurityContext(ORCID, ScopePathType.READ_PUBLIC);
    Response r = serviceDelegator.viewEducation(ORCID, 20L);
    assertNotNull(r);
    assertEquals(Education.class.getName(), r.getEntity().getClass().getName());
    r = serviceDelegator.viewEducationSummary(ORCID, 20L);
    assertNotNull(r);
    assertEquals(EducationSummary.class.getName(), r.getEntity().getClass().getName());
    // Limited-visibility education where this client is the source: should work
    serviceDelegator.viewEducation(ORCID, 21L);
    serviceDelegator.viewEducationSummary(ORCID, 21L);
    // Limited-visibility education where this client is not the source: should fail
    try {
        serviceDelegator.viewEducation(ORCID, 25L);
        fail();
    } catch (OrcidAccessControlException e) {
    } catch (Exception e) {
        fail();
    }
    try {
        serviceDelegator.viewEducationSummary(ORCID, 25L);
        fail();
    } catch (OrcidAccessControlException e) {
    } catch (Exception e) {
        fail();
    }
    // Private education where this client is the source: should work
    serviceDelegator.viewEducation(ORCID, 22L);
    serviceDelegator.viewEducationSummary(ORCID, 22L);
    // Private education where this client is not the source: should fail
    try {
        serviceDelegator.viewEducation(ORCID, 26L);
        fail();
    } catch (OrcidAccessControlException e) {
    } catch (Exception e) {
        fail();
    }
    try {
        serviceDelegator.viewEducationSummary(ORCID, 26L);
        fail();
    } catch (OrcidAccessControlException e) {
    } catch (Exception e) {
        fail();
    }
}
Also used : Response(javax.ws.rs.core.Response) Education(org.orcid.jaxb.model.v3.dev1.record.Education) EducationSummary(org.orcid.jaxb.model.v3.dev1.record.summary.EducationSummary) OrcidAccessControlException(org.orcid.core.exception.OrcidAccessControlException) NoResultException(javax.persistence.NoResultException) VisibilityMismatchException(org.orcid.core.exception.VisibilityMismatchException) WrongSourceException(org.orcid.core.exception.WrongSourceException) OrcidDuplicatedActivityException(org.orcid.core.exception.OrcidDuplicatedActivityException) OrcidValidationException(org.orcid.core.exception.OrcidValidationException) OrcidAccessControlException(org.orcid.core.exception.OrcidAccessControlException) OrcidVisibilityException(org.orcid.core.exception.OrcidVisibilityException) OrcidUnauthorizedException(org.orcid.core.exception.OrcidUnauthorizedException) DBUnitTest(org.orcid.test.DBUnitTest) Test(org.junit.Test)
