use of org.pentaho.platform.api.engine.PentahoAccessControlException in project data-access by pentaho.
the class MetadataDatasourceService method addLocalizationFile.
/**
 * Attaches a localization (properties) file to a metadata datasource.
 *
 * <p>{@code DatasourceService.validateAccess()} is the first call in the body, so the
 * repository is only touched once that check has passed. Every failure, including an access
 * denial, is turned into an HTTP 500 response; nothing is rethrown to the caller.
 *
 * <p>NOTE(review): {@code domainId} and {@code locale} arrive as raw query parameters and are
 * handed to the repository without any validation in this method. Confirm that the repository
 * layer constrains them.
 *
 * @param domainId
 *          Unique identifier for the metadata datasource
 * @param locale
 *          String value of the locale
 * @param propertiesFile
 *          Input stream of the properties file (the request body)
 *
 * @return {@code 200} with the text {@code SUCCESS} when the file was stored; a server-error
 *         response otherwise
 *
 * @throws PentahoAccessControlException
 *           Declared in the signature, but the body catches it and answers with a server-error
 *           response instead of propagating it
 */
@PUT
@Path("/addLocalizationFile")
@Consumes({ MediaType.APPLICATION_OCTET_STREAM, TEXT_PLAIN })
@Produces("text/plain")
@Facet(name = "Unsupported")
public Response addLocalizationFile(@QueryParam("domainId") String domainId,
    @QueryParam("locale") String locale,
    InputStream propertiesFile) throws PentahoAccessControlException {
  try {
    // Authorization gate: nothing below runs unless this returns normally.
    DatasourceService.validateAccess();

    IUnifiedRepository unifiedRepository = PentahoSystem.get(IUnifiedRepository.class);
    PentahoMetadataDomainRepository domainRepository = new PentahoMetadataDomainRepository(unifiedRepository);
    // The meaning of the trailing 'true' is not visible here; presumably an overwrite flag, confirm.
    domainRepository.addLocalizationFile(domainId, locale, propertiesFile, true);

    return Response.ok("SUCCESS").type(MediaType.TEXT_PLAIN).build();
  } catch (PentahoAccessControlException denied) {
    // NOTE(review): an authorization failure is reported as a 500 and the exception's
    // toString() (class name plus message) is sent to the client. A 401/403 with a fixed
    // message would be easier for clients and monitoring to tell apart from a real server fault.
    return Response.serverError().entity(denied.toString()).build();
  } catch (Exception failure) {
    // Generic, localized message only. The exception itself is neither logged nor returned,
    // so the cause of the failure is lost at this point.
    String genericMessage = Messages.getString("MetadataDatasourceService.ERROR_001_METADATA_DATASOURCE_ERROR");
    return Response.serverError().entity(genericMessage).build();
  }
}
use of org.pentaho.platform.api.engine.PentahoAccessControlException in project pentaho-platform by pentaho.
the class FileService method validateAccess.
/**
 * Verifies that the current session user may import into {@code importDir}.
 *
 * <p>Two ways to pass:
 * <ol>
 * <li>the policy grants repository read and create, plus either administer-security or
 * publish; or</li>
 * <li>the target lies in the user's home folder and the policy grants repository create and
 * read.</li>
 * </ol>
 *
 * <p>NOTE(review): the home-folder test is a substring match
 * ({@code contains}) on the concatenated path, not a prefix match on a normalized path. It does
 * not distinguish a path that merely contains the home-folder string somewhere inside it, a
 * sibling folder whose name starts with the user's name, or a path with {@code ..} segments.
 * Whether {@code importDir} is normalized before it reaches this method is not visible here;
 * if it is not, normalize it and compare with {@code startsWith} plus a separator boundary.
 *
 * @param importDir
 *          target folder, relative to the tenant root folder
 * @throws PentahoAccessControlException
 *           when neither of the two conditions above holds
 */
protected void validateAccess(String importDir) throws PentahoAccessControlException {
  IAuthorizationPolicy policy = getPolicy();

  // Privileged route: read + create, and additionally admin or publish.
  boolean privileged = policy.isAllowed(RepositoryReadAction.NAME)
      && policy.isAllowed(RepositoryCreateAction.NAME)
      && (policy.isAllowed(AdministerSecurityAction.NAME) || policy.isAllowed(PublishAction.NAME));
  if (privileged) {
    return;
  }

  // Unprivileged route: the import is only acceptable inside the user's own home folder.
  // NOTE(review): getSession() is dereferenced without a null check.
  String sessionUserName = PentahoSessionHolder.getSession().getName();
  String homeFolderPath = ServerRepositoryPaths.getUserHomeFolderPath(
      JcrTenantUtils.getUserNameUtils().getTenant(sessionUserName),
      JcrTenantUtils.getUserNameUtils().getPrincipleName(sessionUserName));

  boolean insideHomeFolder = false;
  if (homeFolderPath != null && !homeFolderPath.isEmpty()) {
    // importDir is relative, so prefix it with the server-side tenant root before comparing.
    String absoluteImportDir = ServerRepositoryPaths.getTenantRootFolderPath() + importDir;
    insideHomeFolder = absoluteImportDir.contains(homeFolderPath);
  }

  // Being in the home folder is not enough on its own: create and read are re-checked.
  if (!insideHomeFolder
      || !policy.isAllowed(RepositoryCreateAction.NAME)
      || !policy.isAllowed(RepositoryReadAction.NAME)) {
    throw new PentahoAccessControlException("User is not authorized to perform this operation");
  }
}
use of org.pentaho.platform.api.engine.PentahoAccessControlException in project pentaho-platform by pentaho.
the class PentahoXmlaServlet method createConnectionFactory.
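/**
 * Wraps the default XMLA connection factory so that the Mondrian roles of every connection are
 * derived on the server from the current {@code IPentahoSession}, filtered through the
 * configured {@code IConnectionUserRoleMapper}.
 *
 * <p>The {@code roleName} argument passed to {@code getConnection} is discarded and replaced by
 * the mapped roles, joined with commas.
 *
 * <p>NOTE(review): when no mapper is configured, or the catalog name is null, the effective
 * role list is empty. The null-catalog branch then passes {@code null} as the role and the
 * catalog branch passes an empty string. How the downstream connection treats an absent or
 * empty role is not visible here; confirm it does not amount to unrestricted access.
 *
 * @param servletConfig
 *          servlet configuration, also used to locate the datasources definition
 * @return a factory that delegates to the superclass factory after role mapping
 * @throws ServletException
 *           if the superclass cannot create its factory
 */
@Override
protected ConnectionFactory createConnectionFactory(final ServletConfig servletConfig) throws ServletException {
  final ConnectionFactory delegate = super.createConnectionFactory(servletConfig);
  /*
   * This wrapper for the connection factory allows us to
   * override the list of roles with the ones defined in
   * the IPentahoSession and filter it through the
   * IConnectionUserRoleMapper.
   */
  return new ConnectionFactory() {
    public Map<String, Object> getPreConfiguredDiscoverDatasourcesResponse() {
      return delegate.getPreConfiguredDiscoverDatasourcesResponse();
    }

    public OlapConnection getConnection(String databaseName, String catalogName, String roleName, Properties props) throws SQLException {
      // What we do here is to filter the role names with the mapper.
      // First, get a user role mapper, if one is configured.
      final IPentahoSession session = PentahoSessionHolder.getSession();
      final IConnectionUserRoleMapper mondrianUserRoleMapper = PentahoSystem.get(
          IConnectionUserRoleMapper.class,
          MDXConnection.MDX_CONNECTION_MAPPER_KEY,
          null); // Don't use the user session here yet.

      String[] effectiveRoles = new String[0];
      /*
       * If Catalog/Schema are null (this happens with high level metadata requests,
       * like DISCOVER_DATASOURCES) we can't use the role mapper, even if it
       * is present and configured.
       */
      if (mondrianUserRoleMapper != null && catalogName != null) {
        // Use the role mapper.
        try {
          effectiveRoles = mondrianUserRoleMapper.mapConnectionRoles(session, catalogName);
          if (effectiveRoles == null) {
            effectiveRoles = new String[0];
          }
        } catch (PentahoAccessControlException e) {
          // The mapper refused access: surface it as a connection failure, keeping the cause.
          throw new SQLException(e);
        }
      }

      // Build the comma-separated role list. This deliberately overwrites whatever role the
      // caller asked for, so only server-side mapped roles are used.
      boolean addComma = false;
      roleName = ""; //$NON-NLS-1$
      for (String role : effectiveRoles) {
        if (addComma) {
          roleName = roleName.concat(","); //$NON-NLS-1$
        }
        roleName = roleName.concat(role);
        addComma = true;
      }

      // Now let the delegate connection factory do its magic.
      if (catalogName == null) {
        return delegate.getConnection(databaseName, catalogName, roleName.equals("") ? null : roleName, props);
      } else {
        // We create a connection differently so we can ensure that
        // the XMLA servlet shares the same MondrianServer instance as the rest
        // of the platform
        IMondrianCatalogService mcs = PentahoSystem.get(IMondrianCatalogService.class);
        // The catalog is looked up with the caller's session, not a system session.
        MondrianCatalog mc = mcs.getCatalog(catalogName, PentahoSessionHolder.getSession());
        if (mc == null) {
          throw new XmlaException(CLIENT_FAULT_FC, HSB_BAD_RESTRICTION_LIST_CODE, HSB_BAD_RESTRICTION_LIST_FAULT_FS, new MondrianException("No such catalog: " + catalogName));
        }
        Connection con = DriverManager.getConnection(mc.getDataSourceInfo() + ";Catalog=" + mc.getDefinition(), catalogLocator);
        try {
          final MondrianServer server = MondrianServer.forConnection(con);
          FileRepository fr = new FileRepository(makeContentFinder(makeDataSourcesUrl(servletConfig)), catalogLocator);
          try {
            return fr.getConnection(server, databaseName, catalogName, roleName, props);
          } finally {
            // Shut the temporary repository down on the failure path too; previously a
            // throwing getConnection() skipped this call and leaked the repository.
            fr.shutdown();
          }
        } finally {
          con.close();
        }
      }
    }
  };
}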
use of org.pentaho.platform.api.engine.PentahoAccessControlException in project pentaho-platform by pentaho.
the class FileServiceTest method testDoGetFileOrDirAsDownloadException.
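/**
 * Exercises the four rejection paths of {@code doGetFileOrDirAsDownload}: access denied,
 * missing path, invalid path and missing file. Each case expects one specific exception type
 * and fails on anything else, including a normal return.
 */
@Test
public void testDoGetFileOrDirAsDownloadException() {
  // Test 1: the policy denies every action, so the call must be rejected as unauthorized.
  IAuthorizationPolicy mockAuthPolicy = mock(IAuthorizationPolicy.class);
  doReturn(false).when(mockAuthPolicy).isAllowed(anyString());
  doReturn(mockAuthPolicy).when(fileService).getPolicy();
  try {
    fileService.doGetFileOrDirAsDownload("", "mock:path:fileName", "true");
    fail();
  } catch (PentahoAccessControlException e) {
    // Expected
  } catch (Throwable t) {
    fail();
  }
  // Test 2: the policy allows everything, but the path is empty.
  doReturn(true).when(mockAuthPolicy).isAllowed(anyString());
  try {
    fileService.doGetFileOrDirAsDownload("", "", "true");
    fail();
  } catch (InvalidParameterException e) {
    // Expected
  } catch (Throwable e) {
    fail();
  }
  // Test 3: the path is reported as invalid.
  doReturn(false).when(fileService).isPathValid(anyString());
  try {
    fileService.doGetFileOrDirAsDownload("", "mock:path:fileName", "true");
    fail();
  } catch (IllegalSelectorException e) {
    // Expected
  } catch (Throwable t) {
    fail();
  }
  /*
   * Test 4: the path is valid but the repository has no such file.
   */
  doReturn(true).when(fileService).isPathValid(anyString());
  doReturn(null).when(fileService.repository).getFile(anyString());
  try {
    fileService.doGetFileOrDirAsDownload("", "mock:path:fileName", "true");
    fail();
  } catch (FileNotFoundException e) {
    // Expected
  } catch (Throwable t) {
    // This catch was empty, which also swallowed the AssertionError raised by fail() above,
    // so the case could never fail. It now fails like the other three cases.
    fail();
  }
}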
use of org.pentaho.platform.api.engine.PentahoAccessControlException in project pentaho-platform by pentaho.
the class FileServiceTest method testDoGetFileOrDirAsDownloadNonAdminUserHomeFolder.
/**
 * Checks the download authorization rules for a non-admin user working in their own home
 * folder: with both 'Read Content' and 'Create Content' the request gets past the access check
 * (and then fails only because the mocked file does not exist); removing either permission
 * must produce a {@code PentahoAccessControlException}.
 *
 * <p>Actions not stubbed below fall back to the mock's default answer. The paths assume the
 * fixture's session user is {@code testUser}; that setup is not visible in this method.
 */
@Test
public void testDoGetFileOrDirAsDownloadNonAdminUserHomeFolder() throws Throwable {
  IAuthorizationPolicy policy = mock(IAuthorizationPolicy.class);
  // Granted: 'Read Content' and 'Create Content'.
  doReturn(true).when(policy).isAllowed(RepositoryReadAction.NAME);
  doReturn(true).when(policy).isAllowed(RepositoryCreateAction.NAME);
  // Withheld: administer-security, i.e. this is a non-admin user.
  doReturn(false).when(policy).isAllowed(AdministerSecurityAction.NAME);
  doReturn(policy).when(fileService).getPolicy();

  // Case 1: a file directly inside the home folder.
  try {
    fileService.doGetFileOrDirAsDownload("", "home:testUser:test_file", "true");
    fail();
  } catch (FileNotFoundException notThere) {
    // Expected: authorization passed and the mocked repository simply has no 'test_file'.
  } catch (Throwable unexpected) {
    fail();
  }

  // Case 2: a file in nested sub-folders of the home folder.
  try {
    fileService.doGetFileOrDirAsDownload("", "home:testUser:subFolder1:subFolder2:test_file", "true");
    fail();
  } catch (FileNotFoundException notThere) {
    // Expected, for the same reason as in case 1.
  } catch (Throwable unexpected) {
    fail();
  }

  // Case 3: same home-folder path, but 'Read Content' is revoked.
  try {
    doReturn(false).when(policy).isAllowed(RepositoryReadAction.NAME);
    fileService.doGetFileOrDirAsDownload("", "home:testUser:test_file", "true");
    fail();
  } catch (PentahoAccessControlException denied) {
    // Expected: the home folder alone does not authorize the download.
  } catch (Throwable unexpected) {
    fail();
  } finally {
    // Restore the permission so the next case starts from the granted state.
    doReturn(true).when(policy).isAllowed(RepositoryReadAction.NAME);
  }

  // Case 4: same home-folder path, but 'Create Content' is revoked.
  try {
    doReturn(false).when(policy).isAllowed(RepositoryCreateAction.NAME);
    fileService.doGetFileOrDirAsDownload("", "home:testUser:test_file", "true");
    fail();
  } catch (PentahoAccessControlException denied) {
    // Expected: the home folder alone does not authorize the download.
  } catch (Throwable unexpected) {
    fail();
  } finally {
    doReturn(true).when(policy).isAllowed(RepositoryCreateAction.NAME);
  }
}