Examples with PentahoAccessControlException org.pentaho.platform.api.engine.PentahoAccessControlException used on opensource projects

Example 21 with PentahoAccessControlException

use of org.pentaho.platform.api.engine.PentahoAccessControlException in project data-access by pentaho.

the class MetadataDatasourceService method addLocalizationFile.

/**
 * @param domainId
 *          Unique identifier for the metadata datasource
 * @param locale
 *          String value of the locale
 * @param propertiesFile
 *          Input stream of the properties file
 *
 * @return Response containing the success of the method
 *
 * @throws PentahoAccessControlException
 *           Thrown when validation of access fails
 */
@PUT
@Path("/addLocalizationFile")
@Consumes({ MediaType.APPLICATION_OCTET_STREAM, TEXT_PLAIN })
@Produces("text/plain")
@Facet(name = "Unsupported")
public Response addLocalizationFile(@QueryParam("domainId") String domainId, @QueryParam("locale") String locale, InputStream propertiesFile) throws PentahoAccessControlException {
    try {
        DatasourceService.validateAccess();
        PentahoMetadataDomainRepository metadataImporter = new PentahoMetadataDomainRepository(PentahoSystem.get(IUnifiedRepository.class));
        metadataImporter.addLocalizationFile(domainId, locale, propertiesFile, true);
        return Response.ok("SUCCESS").type(MediaType.TEXT_PLAIN).build();
    } catch (PentahoAccessControlException e) {
        return Response.serverError().entity(e.toString()).build();
    } catch (Exception e) {
        return Response.serverError().entity(Messages.getString("MetadataDatasourceService.ERROR_001_METADATA_DATASOURCE_ERROR")).build();
    }
}

Example 22 with PentahoAccessControlException

use of org.pentaho.platform.api.engine.PentahoAccessControlException in project pentaho-platform by pentaho.

the class FileService method validateAccess.

protected void validateAccess(String importDir) throws PentahoAccessControlException {
    IAuthorizationPolicy policy = getPolicy();
    // check if we are admin or have publish permission
    boolean isAdminOrPublish = policy.isAllowed(RepositoryReadAction.NAME) && policy.isAllowed(RepositoryCreateAction.NAME) && (policy.isAllowed(AdministerSecurityAction.NAME) || policy.isAllowed(PublishAction.NAME));
    if (!isAdminOrPublish) {
        // the user does not have admin or publish permission, so we will check if the user imports to their home folder
        boolean usingHomeFolder = false;
        String tenatedUserName = PentahoSessionHolder.getSession().getName();
        // get user home home folder path
        String userHomeFolderPath = ServerRepositoryPaths.getUserHomeFolderPath(JcrTenantUtils.getUserNameUtils().getTenant(tenatedUserName), JcrTenantUtils.getUserNameUtils().getPrincipleName(tenatedUserName));
        if (userHomeFolderPath != null && userHomeFolderPath.length() > 0) {
            // we pass the relative path so add serverside root folder for every home folder
            usingHomeFolder = (ServerRepositoryPaths.getTenantRootFolderPath() + importDir).contains(userHomeFolderPath);
        }
        if (!(usingHomeFolder && policy.isAllowed(RepositoryCreateAction.NAME) && policy.isAllowed(RepositoryReadAction.NAME))) {
            throw new PentahoAccessControlException("User is not authorized to perform this operation");
        }
    }
}

Example 23 with PentahoAccessControlException

use of org.pentaho.platform.api.engine.PentahoAccessControlException in project pentaho-platform by pentaho.

the class PentahoXmlaServlet method createConnectionFactory.

@Override
protected ConnectionFactory createConnectionFactory(final ServletConfig servletConfig) throws ServletException {
    final ConnectionFactory delegate = super.createConnectionFactory(servletConfig);
    /*
     * This wrapper for the connection factory allows us to
     * override the list of roles with the ones defined in
     * the IPentahoSession and filter it through the
     * IConnectionUserRoleMapper.
     */
    return new ConnectionFactory() {

        public Map<String, Object> getPreConfiguredDiscoverDatasourcesResponse() {
            return delegate.getPreConfiguredDiscoverDatasourcesResponse();
        }

        public OlapConnection getConnection(String databaseName, String catalogName, String roleName, Properties props) throws SQLException {
            // What we do here is to filter the role names with the mapper.
            // First, get a user role mapper, if one is configured.
            final IPentahoSession session = PentahoSessionHolder.getSession();
            final IConnectionUserRoleMapper mondrianUserRoleMapper = PentahoSystem.get(IConnectionUserRoleMapper.class, MDXConnection.MDX_CONNECTION_MAPPER_KEY, // Don't use the user session here yet.
            null);
            String[] effectiveRoles = new String[0];
            /*
         * If Catalog/Schema are null (this happens with high level metadata requests,
         * like DISCOVER_DATASOURCES) we can't use the role mapper, even if it
         * is present and configured.
         */
            if (mondrianUserRoleMapper != null && catalogName != null) {
                // Use the role mapper.
                try {
                    effectiveRoles = mondrianUserRoleMapper.mapConnectionRoles(session, catalogName);
                    if (effectiveRoles == null) {
                        effectiveRoles = new String[0];
                    }
                } catch (PentahoAccessControlException e) {
                    throw new SQLException(e);
                }
            }
            // Now we tokenize that list.
            boolean addComma = false;
            // $NON-NLS-1$
            roleName = "";
            for (String role : effectiveRoles) {
                if (addComma) {
                    // $NON-NLS-1$
                    roleName = roleName.concat(",");
                }
                roleName = roleName.concat(role);
                addComma = true;
            }
            // Now let the delegate connection factory do its magic.
            if (catalogName == null) {
                return delegate.getConnection(databaseName, catalogName, roleName.equals("") ? null : roleName, props);
            } else {
                // We create a connection differently so we can ensure that
                // the XMLA servlet shares the same MondrianServer instance as the rest
                // of the platform
                IMondrianCatalogService mcs = PentahoSystem.get(IMondrianCatalogService.class);
                MondrianCatalog mc = mcs.getCatalog(catalogName, PentahoSessionHolder.getSession());
                if (mc == null) {
                    throw new XmlaException(CLIENT_FAULT_FC, HSB_BAD_RESTRICTION_LIST_CODE, HSB_BAD_RESTRICTION_LIST_FAULT_FS, new MondrianException("No such catalog: " + catalogName));
                }
                Connection con = DriverManager.getConnection(mc.getDataSourceInfo() + ";Catalog=" + mc.getDefinition(), catalogLocator);
                try {
                    final MondrianServer server = MondrianServer.forConnection(con);
                    FileRepository fr = new FileRepository(makeContentFinder(makeDataSourcesUrl(servletConfig)), catalogLocator);
                    OlapConnection connection = fr.getConnection(server, databaseName, catalogName, roleName, props);
                    fr.shutdown();
                    return connection;
                } finally {
                    con.close();
                }
            }
        }
    };
}

Example 24 with PentahoAccessControlException

use of org.pentaho.platform.api.engine.PentahoAccessControlException in project pentaho-platform by pentaho.

the class FileServiceTest method testDoGetFileOrDirAsDownloadException.

@Test
public void testDoGetFileOrDirAsDownloadException() {
    // Test 1
    IAuthorizationPolicy mockAuthPolicy = mock(IAuthorizationPolicy.class);
    doReturn(false).when(mockAuthPolicy).isAllowed(anyString());
    doReturn(mockAuthPolicy).when(fileService).getPolicy();
    try {
        fileService.doGetFileOrDirAsDownload("", "mock:path:fileName", "true");
        fail();
    } catch (PentahoAccessControlException e) {
    // Expected
    } catch (Throwable t) {
        fail();
    }
    // Test 2
    doReturn(true).when(mockAuthPolicy).isAllowed(anyString());
    try {
        fileService.doGetFileOrDirAsDownload("", "", "true");
        fail();
    } catch (InvalidParameterException e) {
    // Expected
    } catch (Throwable e) {
        fail();
    }
    // Test 3
    doReturn(false).when(fileService).isPathValid(anyString());
    try {
        fileService.doGetFileOrDirAsDownload("", "mock:path:fileName", "true");
        fail();
    } catch (IllegalSelectorException e) {
    // Expected
    } catch (Throwable t) {
        fail();
    }
    /*
     * Test 4
     */
    doReturn(true).when(fileService).isPathValid(anyString());
    doReturn(null).when(fileService.repository).getFile(anyString());
    try {
        fileService.doGetFileOrDirAsDownload("", "mock:path:fileName", "true");
        fail();
    } catch (FileNotFoundException e) {
    // Expected
    } catch (Throwable t) {
    }
}

Example 25 with PentahoAccessControlException

use of org.pentaho.platform.api.engine.PentahoAccessControlException in project pentaho-platform by pentaho.

the class FileServiceTest method testDoGetFileOrDirAsDownloadNonAdminUserHomeFolder.

@Test
public void testDoGetFileOrDirAsDownloadNonAdminUserHomeFolder() throws Throwable {
    IAuthorizationPolicy mockAuthPolicy = mock(IAuthorizationPolicy.class);
    doReturn(true).when(mockAuthPolicy).isAllowed(RepositoryReadAction.NAME);
    /* user has 'Read Content' */
    doReturn(true).when(mockAuthPolicy).isAllowed(RepositoryCreateAction.NAME);
    /* user has 'Create Content' */
    /* non-admin user */
    doReturn(false).when(mockAuthPolicy).isAllowed(AdministerSecurityAction.NAME);
    doReturn(mockAuthPolicy).when(fileService).getPolicy();
    // Test 1: in the home-folder
    try {
        fileService.doGetFileOrDirAsDownload("", "home:testUser:test_file", "true");
        fail();
    } catch (FileNotFoundException ex) {
    /* expected; this is a mock test, we don't actually have a 'test_file' to download :) */
    } catch (Throwable t) {
        fail();
    }
    // Test 2: in some home-folder sub-folders
    try {
        fileService.doGetFileOrDirAsDownload("", "home:testUser:subFolder1:subFolder2:test_file", "true");
        fail();
    } catch (FileNotFoundException ex) {
    /* expected; this is a mock test, we don't actually have a 'test_file' to download :) */
    } catch (Throwable t) {
        fail();
    }
    // Test 3: while still being on the user's home folder, user loses 'Read Content' permission
    try {
        doReturn(false).when(mockAuthPolicy).isAllowed(RepositoryReadAction.NAME);
        fileService.doGetFileOrDirAsDownload("", "home:testUser:test_file", "true");
        fail();
    } catch (PentahoAccessControlException e) {
    /* expected */
    } catch (Throwable t) {
        fail();
    } finally {
        doReturn(true).when(mockAuthPolicy).isAllowed(RepositoryReadAction.NAME);
    }
    // Test 4: while still being on the user's home folder, user loses 'Create Content' permission
    try {
        doReturn(false).when(mockAuthPolicy).isAllowed(RepositoryCreateAction.NAME);
        fileService.doGetFileOrDirAsDownload("", "home:testUser:test_file", "true");
        fail();
    } catch (PentahoAccessControlException e) {
    /* expected */
    } catch (Throwable t) {
        fail();
    } finally {
        doReturn(true).when(mockAuthPolicy).isAllowed(RepositoryCreateAction.NAME);
    }
}