Search in sources :

Example 6 with AclEvalResult

use of won.auth.model.AclEvalResult in project webofneeds by researchstudio-sat.

the class AtomService method checkReplaceAllowed.

private void checkReplaceAllowed(Dataset atomContent, URI atomUri, WonAclEvaluator evaluator, OperationRequest request) {
    Iterator<String> graphNames = atomContent.listNames();
    URI aclGraphUri = WonRelativeUriHelper.createAclGraphURIForAtomURI(atomUri);
    URI keyGraphUri = WonRelativeUriHelper.createKeyGraphURIForAtomURI(atomUri);
    OperationRequest or = AuthUtils.cloneShallow(request);
    or.setReqPosition(POSITION_ATOM_GRAPH);
    while (graphNames.hasNext()) {
        String graphName = graphNames.next();
        if (graphName.endsWith(WonMessage.SIGNATURE_URI_GRAPHURI_SUFFIX)) {
            // don't check permissions for signatures
            continue;
        }
        URI graphUri = URI.create(graphName);
        if (aclGraphUri.equals(graphUri)) {
            or.addReqGraphType(GraphType.ACL_GRAPH);
        } else if (keyGraphUri.equals(graphUri)) {
            or.addReqGraphType(GraphType.KEY_GRAPH);
        } else {
            or.addReqGraphType(GraphType.CONTENT_GRAPH);
        }
        or.addReqGraph(graphUri);
    }
    AclEvalResult result = evaluator.decide(or);
    if (DecisionValue.ACCESS_DENIED.equals(result.getDecision())) {
        throw new ForbiddenMessageException("Replace operation is not allowed");
    }
}
Also used : OperationRequest(won.auth.model.OperationRequest) AclEvalResult(won.auth.model.AclEvalResult) URI(java.net.URI)

Example 7 with AclEvalResult

use of won.auth.model.AclEvalResult in project webofneeds by researchstudio-sat.

the class LinkedDataWebController method showDeepAtomPage.

/**
 * This request URL should be protected by WebID filter because the result
 * contains events data - which is data with restricted access. See
 * filterChainProxy in node-context.xml.
 *
 * @param identifier
 * @param model
 * @param response
 * @return
 */
// webmvc controller method
@RequestMapping("${uri.path.page}/atom/{identifier}/deep")
public String showDeepAtomPage(@PathVariable String identifier, Model model, HttpServletRequest request, HttpServletResponse response, @RequestParam(value = "layer-size", required = false) Integer layerSize) {
    try {
        URI atomURI = uriService.createAtomURIForId(identifier);
        WonAclEvalContext waeCtx = WonAclRequestHelper.getWonAclEvaluationContext(request);
        Dataset rdfDataset = linkedDataService.getAtomDataset(atomURI, true, layerSize, waeCtx);
        // TODO AUTH: extract acl graph and interpret
        // TODO AUTH: Research how to handle lower layers
        logger.warn("TODO: apply ACLs to atom/{identifier}/deep request!");
        if (rdfDataset == null || rdfDataset.isEmpty()) {
            Optional<AclEvalResult> result = waeCtx.getCombinedResults();
            if (result.isPresent()) {
                WonAclRequestHelper.setAuthInfoAsResponseHeader(response, result.get());
                response.setStatus(WonAclRequestHelper.getHttpStatusCodeForAclEvaluationResult(result.get()));
            }
        }
        model.addAttribute("rdfDataset", rdfDataset);
        model.addAttribute("resourceURI", atomURI.toString());
        model.addAttribute("dataURI", uriService.toDataURIIfPossible(atomURI).toString());
        return "rdfDatasetView";
    } catch (NoSuchAtomException | NoSuchConnectionException | NoSuchMessageException e) {
        response.setStatus(HttpServletResponse.SC_NOT_FOUND);
        return "notFoundView";
    }
}
Also used : NoSuchMessageException(org.springframework.context.NoSuchMessageException) NoSuchConnectionException(won.protocol.exception.NoSuchConnectionException) WonAclEvalContext(won.node.springsecurity.acl.WonAclEvalContext) Dataset(org.apache.jena.query.Dataset) NoSuchAtomException(won.protocol.exception.NoSuchAtomException) AclEvalResult(won.auth.model.AclEvalResult) URI(java.net.URI) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Example 8 with AclEvalResult

use of won.auth.model.AclEvalResult in project webofneeds by researchstudio-sat.

the class LinkedDataWebController method readConnectionsOfAtom.

/**
 * Get the RDF for the connections of the specified atom.
 *
 * @param request
 * @param identifier
 * @param deep If true, connection data is added to the model (not only
 * connection URIs). Default: false.
 * @param page taken into account only if client supports paging; in that case
 * the specified page is returned
 * @param resumeBefore taken into account only if client supports paging; in
 * that case the page with connections URIs that precede the connection having
 * resumeBefore is returned
 * @param resumeAfter taken into account only if client supports paging; in that
 * case the page with connections URIs that follow the connection having
 * resumeAfter are returned
 * @param type only connection events of the given type are considered when
 * ordering returned connections. Default: all event types.
 * @param timestamp only connection events that where created before the given
 * time are considered when ordering returned connections. Default: current
 * time.
 * @return
 */
@RequestMapping(value = "${uri.path.data}/atom/{identifier}/c", method = RequestMethod.GET, produces = { "application/ld+json", "application/trig", "application/n-quads" })
public ResponseEntity<Dataset> readConnectionsOfAtom(HttpServletRequest request, HttpServletResponse response, @PathVariable(value = "identifier") String identifier, @RequestParam(value = "socket", required = false) String socket, @RequestParam(value = "targetSocket", required = false) String targetSocket, @RequestParam(value = "deep", defaultValue = "false") boolean deep, @RequestParam(value = "p", required = false) Integer page, @RequestParam(value = "resumebefore", required = false) String resumeBefore, @RequestParam(value = "resumeafter", required = false) String resumeAfter, @RequestParam(value = "type", required = false) String type, @RequestParam(value = "timeof", required = false) String timestamp, @RequestParam(value = "state", required = false) String state) {
    logger.debug("readConnectionsOfAtom() called");
    // TODO: pass aclevaluator and operationRequest down to linkeddataservice as an
    // additional filter
    URI atomUri = uriService.createAtomURIForId(identifier);
    Dataset rdfDataset;
    HttpHeaders headers = new HttpHeaders();
    Integer preferedSize = getPreferredSize(request);
    URI connectionsURI = URI.create(atomUri.toString() + "/c");
    try {
        ConnectionState connectionState = getConnectionState(state);
        WonMessageType eventsType = getMessageType(type);
        DateParameter dateParam = new DateParameter(timestamp);
        String passableQuery = getPassableQueryMap("type", type, "timeof", dateParam.getTimestamp(), "deep", Boolean.toString(deep));
        // paging, return everything:
        if (socket != null && targetSocket != null) {
            rdfDataset = linkedDataService.listConnection(URI.create(socket), URI.create(targetSocket), deep);
        } else if (preferedSize == null) {
            // does not support date and type filtering for clients that do not support
            // paging
            rdfDataset = linkedDataService.listConnections(atomUri, deep, true, connectionState).getContent();
        // if no page or resume parameter is specified, display the latest connections:
        } else if (page == null && resumeBefore == null && resumeAfter == null) {
            AtomInformationService.PagedResource<Dataset, Connection> resource = linkedDataService.listConnections(1, atomUri, preferedSize, eventsType, dateParam.getDate(), deep, true, connectionState);
            rdfDataset = resource.getContent();
            addPagedConnectionResourceInSequenceHeader(headers, connectionsURI, resource, passableQuery);
        } else if (page != null) {
            AtomInformationService.PagedResource<Dataset, Connection> resource = linkedDataService.listConnections(page, atomUri, preferedSize, eventsType, dateParam.getDate(), deep, true, connectionState);
            rdfDataset = resource.getContent();
            addPagedConnectionResourceInSequenceHeader(headers, connectionsURI, resource, page, passableQuery);
        } else {
            // before the specified event id:
            if (resumeBefore != null) {
                URI resumeConnURI;
                try {
                    resumeConnURI = new URI(resumeBefore);
                } catch (URISyntaxException e) {
                    throw new IllegalArgumentException("resumeBefore must be a full, valid connection URI");
                }
                AtomInformationService.PagedResource<Dataset, Connection> resource = linkedDataService.listConnectionsAfter(atomUri, resumeConnURI, preferedSize, eventsType, dateParam.getDate(), deep, true, connectionState);
                rdfDataset = resource.getContent();
                addPagedConnectionResourceInSequenceHeader(headers, connectionsURI, resource, passableQuery);
            // resume after parameter specified - display the connections with activities
            // after the specified event id:
            } else {
                // if (resumeAfter != null)
                URI resumeConnURI;
                try {
                    resumeConnURI = new URI(resumeAfter);
                } catch (URISyntaxException e) {
                    throw new IllegalArgumentException("resumeAfter must be a full, valid connection URI");
                }
                AtomInformationService.PagedResource<Dataset, Connection> resource = linkedDataService.listConnectionsBefore(atomUri, resumeConnURI, preferedSize, eventsType, dateParam.getDate(), deep, true, connectionState);
                rdfDataset = resource.getContent();
                addPagedConnectionResourceInSequenceHeader(headers, connectionsURI, resource, passableQuery);
            }
        }
        WonAclEvalContext ec = WonAclRequestHelper.getWonAclEvaluationContext(request);
        // check if the dataset contains any connections
        if (ec.isModeFilter() && !RdfUtils.toStatementStream(rdfDataset).anyMatch(p -> p.getPredicate().equals(RDFS.member))) {
            // the dataset may be empty because no connections are allowed
            // we don't have a position for all connections in the ACL, so we say: if the
            // user
            // is allowed to see the top level, we show the empty container, otherwise deny
            OperationRequest or = ec.getOperationRequest();
            or.setReqPosition(POSITION_ROOT);
            AclEvalResult result = ec.decideAndRemember(or);
            if (ACCESS_DENIED.equals(result.getDecision())) {
                int statusCode = HttpStatus.FORBIDDEN.value();
                Optional<AclEvalResult> accResult = WonAclRequestHelper.getWonAclEvaluationContext(request).getCombinedResults();
                if (accResult.isPresent()) {
                    WonAclRequestHelper.setAuthInfoAsResponseHeader(response, accResult.get());
                    statusCode = WonAclRequestHelper.getHttpStatusCodeForAclEvaluationResult(accResult.get());
                }
                HttpStatus status = HttpStatus.valueOf(statusCode);
                logger.debug("sending status {}", status);
                // append the required headers
                addMutableResourceHeaders(headers);
                addLocationHeaderIfNecessary(headers, URI.create(request.getRequestURI()), connectionsURI);
                return new ResponseEntity<>(null, headers, status);
            }
        }
        // append the required headers
        addMutableResourceHeaders(headers);
        addLocationHeaderIfNecessary(headers, URI.create(request.getRequestURI()), connectionsURI);
        addCORSHeader(headers);
        return new ResponseEntity<>(rdfDataset, headers, HttpStatus.OK);
    } catch (ParseException e) {
        logger.warn("could not parse timestamp into Date:{}", timestamp);
        return new ResponseEntity<>(HttpStatus.NOT_FOUND);
    } catch (NoSuchAtomException e) {
        logger.warn("did not find atom {}", e.getUnknownAtomURI());
        return new ResponseEntity<>(HttpStatus.NOT_FOUND);
    } catch (NoSuchConnectionException e) {
        logger.warn("did not find connection that should be connected to atom. connection:{}", e.getUnknownConnectionURI());
        return new ResponseEntity<>(HttpStatus.INTERNAL_SERVER_ERROR);
    }
}
Also used : HttpHeaders(org.springframework.http.HttpHeaders) NoSuchAtomException(won.protocol.exception.NoSuchAtomException) URISyntaxException(java.net.URISyntaxException) AclEvalResult(won.auth.model.AclEvalResult) URI(java.net.URI) WonAclEvalContext(won.node.springsecurity.acl.WonAclEvalContext) AtomInformationService(won.node.service.persistence.AtomInformationService) HttpStatus(org.springframework.http.HttpStatus) NoSuchConnectionException(won.protocol.exception.NoSuchConnectionException) Dataset(org.apache.jena.query.Dataset) WonMessageType(won.protocol.message.WonMessageType) Connection(won.protocol.model.Connection) OperationRequest(won.auth.model.OperationRequest) ResponseEntity(org.springframework.http.ResponseEntity) ConnectionState(won.protocol.model.ConnectionState) ParseException(java.text.ParseException) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Example 9 with AclEvalResult

use of won.auth.model.AclEvalResult in project webofneeds by researchstudio-sat.

the class LinkedDataWebController method getResponseEntityForPossiblyNotModifiedResult.

private <T> ResponseEntity<T> getResponseEntityForPossiblyNotModifiedResult(final DataWithEtag<T> datasetWithEtag, final HttpHeaders headers, HttpServletRequest request, HttpServletResponse response) {
    if (datasetWithEtag != null) {
        if (datasetWithEtag.isDeleted()) {
            logger.debug("sending status 410 GONE");
            return new ResponseEntity<>(headers, HttpStatus.GONE);
        } else if (datasetWithEtag.isNotFound()) {
            logger.debug("sending status 404 NOT FOUND");
            return new ResponseEntity<>(headers, HttpStatus.NOT_FOUND);
        } else if (datasetWithEtag.isForbidden()) {
            int statusCode = HttpStatus.FORBIDDEN.value();
            Optional<AclEvalResult> accResult = WonAclRequestHelper.getWonAclEvaluationContext(request).getCombinedResults();
            if (accResult.isPresent()) {
                WonAclRequestHelper.setAuthInfoAsResponseHeader(response, accResult.get());
                statusCode = WonAclRequestHelper.getHttpStatusCodeForAclEvaluationResult(accResult.get());
            }
            HttpStatus status = HttpStatus.valueOf(statusCode);
            logger.debug("sending status {}", status);
            return new ResponseEntity<>(headers, status);
        } else if (datasetWithEtag.isChanged()) {
            logger.debug("sending status 200 OK");
            return new ResponseEntity<>(datasetWithEtag.getData(), headers, HttpStatus.OK);
        } else {
            logger.debug("sending status 304 NOT MODIFIED");
            return new ResponseEntity<>(headers, HttpStatus.NOT_MODIFIED);
        }
    } else {
        return new ResponseEntity<>(HttpStatus.NOT_FOUND);
    }
}
Also used : ResponseEntity(org.springframework.http.ResponseEntity) HttpStatus(org.springframework.http.HttpStatus) AclEvalResult(won.auth.model.AclEvalResult)

Example 10 with AclEvalResult

use of won.auth.model.AclEvalResult in project webofneeds by researchstudio-sat.

the class LinkedDataWebController method showAtomPage.

// webmvc controller method
@RequestMapping("${uri.path.page}/atom/{identifier}")
@PreAuthorize("hasRole('ROLE_WEBID')")
public String showAtomPage(@PathVariable String identifier, Model model, HttpServletRequest request, HttpServletResponse response) {
    URI atomURI = uriService.createAtomURIForId(identifier);
    WonAclEvalContext waeCtx = WonAclRequestHelper.getWonAclEvaluationContext(request);
    Dataset rdfDataset = linkedDataService.getAtomDataset(atomURI, null, waeCtx).getData();
    if (rdfDataset == null || rdfDataset.isEmpty()) {
        Optional<AclEvalResult> result = waeCtx.getCombinedResults();
        if (result.isPresent()) {
            WonAclRequestHelper.setAuthInfoAsResponseHeader(response, result.get());
            response.setStatus(WonAclRequestHelper.getHttpStatusCodeForAclEvaluationResult(result.get()));
        }
        return "forbiddenView";
    }
    model.addAttribute("rdfDataset", rdfDataset);
    model.addAttribute("resourceURI", atomURI.toString());
    model.addAttribute("dataURI", uriService.toDataURIIfPossible(atomURI).toString());
    return "rdfDatasetView";
}
Also used : WonAclEvalContext(won.node.springsecurity.acl.WonAclEvalContext) Dataset(org.apache.jena.query.Dataset) AclEvalResult(won.auth.model.AclEvalResult) URI(java.net.URI) PreAuthorize(org.springframework.security.access.prepost.PreAuthorize) RequestMapping(org.springframework.web.bind.annotation.RequestMapping)

Aggregations

AclEvalResult (won.auth.model.AclEvalResult)10 URI (java.net.URI)7 OperationRequest (won.auth.model.OperationRequest)7 Dataset (org.apache.jena.query.Dataset)5 RequestMapping (org.springframework.web.bind.annotation.RequestMapping)3 WonAclEvalContext (won.node.springsecurity.acl.WonAclEvalContext)3 NoSuchAtomException (won.protocol.exception.NoSuchAtomException)3 HttpStatus (org.springframework.http.HttpStatus)2 ResponseEntity (org.springframework.http.ResponseEntity)2 NoSuchConnectionException (won.protocol.exception.NoSuchConnectionException)2 Connection (won.protocol.model.Connection)2 URISyntaxException (java.net.URISyntaxException)1 ParseException (java.text.ParseException)1 Instant (java.time.Instant)1 Optional (java.util.Optional)1 Graph (org.apache.jena.graph.Graph)1 NoSuchMessageException (org.springframework.context.NoSuchMessageException)1 HttpHeaders (org.springframework.http.HttpHeaders)1 PreAuthorize (org.springframework.security.access.prepost.PreAuthorize)1 Transactional (org.springframework.transaction.annotation.Transactional)1