Example 6 with AclEvalResult
use of won.auth.model.AclEvalResult in project webofneeds by researchstudio-sat.
the class AtomService method checkReplaceAllowed.
private void checkReplaceAllowed(Dataset atomContent, URI atomUri, WonAclEvaluator evaluator, OperationRequest request) {
Iterator<String> graphNames = atomContent.listNames();
URI aclGraphUri = WonRelativeUriHelper.createAclGraphURIForAtomURI(atomUri);
URI keyGraphUri = WonRelativeUriHelper.createKeyGraphURIForAtomURI(atomUri);
OperationRequest or = AuthUtils.cloneShallow(request);
or.setReqPosition(POSITION_ATOM_GRAPH);
while (graphNames.hasNext()) {
String graphName = graphNames.next();
if (graphName.endsWith(WonMessage.SIGNATURE_URI_GRAPHURI_SUFFIX)) {
// don't check permissions for signatures
continue;
}
URI graphUri = URI.create(graphName);
if (aclGraphUri.equals(graphUri)) {
or.addReqGraphType(GraphType.ACL_GRAPH);
} else if (keyGraphUri.equals(graphUri)) {
or.addReqGraphType(GraphType.KEY_GRAPH);
} else {
or.addReqGraphType(GraphType.CONTENT_GRAPH);
}
or.addReqGraph(graphUri);
}
AclEvalResult result = evaluator.decide(or);
if (DecisionValue.ACCESS_DENIED.equals(result.getDecision())) {
throw new ForbiddenMessageException("Replace operation is not allowed");
}
}
Also used :
OperationRequest(won.auth.model.OperationRequest)
AclEvalResult(won.auth.model.AclEvalResult)
URI(java.net.URI)
Example 7 with AclEvalResult
use of won.auth.model.AclEvalResult in project webofneeds by researchstudio-sat.
the class LinkedDataWebController method showDeepAtomPage.
/**
* This request URL should be protected by WebID filter because the result
* contains events data - which is data with restricted access. See
* filterChainProxy in node-context.xml.
*
* @param identifier
* @param model
* @param response
* @return
*/
// webmvc controller method
@RequestMapping("${uri.path.page}/atom/{identifier}/deep")
public String showDeepAtomPage(@PathVariable String identifier, Model model, HttpServletRequest request, HttpServletResponse response, @RequestParam(value = "layer-size", required = false) Integer layerSize) {
try {
URI atomURI = uriService.createAtomURIForId(identifier);
WonAclEvalContext waeCtx = WonAclRequestHelper.getWonAclEvaluationContext(request);
Dataset rdfDataset = linkedDataService.getAtomDataset(atomURI, true, layerSize, waeCtx);
// TODO AUTH: extract acl graph and interpret
// TODO AUTH: Research how to handle lower layers
logger.warn("TODO: apply ACLs to atom/{identifier}/deep request!");
if (rdfDataset == null || rdfDataset.isEmpty()) {
Optional<AclEvalResult> result = waeCtx.getCombinedResults();
if (result.isPresent()) {
WonAclRequestHelper.setAuthInfoAsResponseHeader(response, result.get());
response.setStatus(WonAclRequestHelper.getHttpStatusCodeForAclEvaluationResult(result.get()));
}
}
model.addAttribute("rdfDataset", rdfDataset);
model.addAttribute("resourceURI", atomURI.toString());
model.addAttribute("dataURI", uriService.toDataURIIfPossible(atomURI).toString());
return "rdfDatasetView";
} catch (NoSuchAtomException | NoSuchConnectionException | NoSuchMessageException e) {
response.setStatus(HttpServletResponse.SC_NOT_FOUND);
return "notFoundView";
}
}
Also used :
NoSuchMessageException(org.springframework.context.NoSuchMessageException)
NoSuchConnectionException(won.protocol.exception.NoSuchConnectionException)
WonAclEvalContext(won.node.springsecurity.acl.WonAclEvalContext)
Dataset(org.apache.jena.query.Dataset)
NoSuchAtomException(won.protocol.exception.NoSuchAtomException)
AclEvalResult(won.auth.model.AclEvalResult)
URI(java.net.URI)
RequestMapping(org.springframework.web.bind.annotation.RequestMapping)
Example 8 with AclEvalResult
use of won.auth.model.AclEvalResult in project webofneeds by researchstudio-sat.
the class LinkedDataWebController method readConnectionsOfAtom.
/**
* Get the RDF for the connections of the specified atom.
*
* @param request
* @param identifier
* @param deep If true, connection data is added to the model (not only
* connection URIs). Default: false.
* @param page taken into account only if client supports paging; in that case
* the specified page is returned
* @param resumeBefore taken into account only if client supports paging; in
* that case the page with connections URIs that precede the connection having
* resumeBefore is returned
* @param resumeAfter taken into account only if client supports paging; in that
* case the page with connections URIs that follow the connection having
* resumeAfter are returned
* @param type only connection events of the given type are considered when
* ordering returned connections. Default: all event types.
* @param timestamp only connection events that where created before the given
* time are considered when ordering returned connections. Default: current
* time.
* @return
*/
@RequestMapping(value = "${uri.path.data}/atom/{identifier}/c", method = RequestMethod.GET, produces = { "application/ld+json", "application/trig", "application/n-quads" })
public ResponseEntity<Dataset> readConnectionsOfAtom(HttpServletRequest request, HttpServletResponse response, @PathVariable(value = "identifier") String identifier, @RequestParam(value = "socket", required = false) String socket, @RequestParam(value = "targetSocket", required = false) String targetSocket, @RequestParam(value = "deep", defaultValue = "false") boolean deep, @RequestParam(value = "p", required = false) Integer page, @RequestParam(value = "resumebefore", required = false) String resumeBefore, @RequestParam(value = "resumeafter", required = false) String resumeAfter, @RequestParam(value = "type", required = false) String type, @RequestParam(value = "timeof", required = false) String timestamp, @RequestParam(value = "state", required = false) String state) {
logger.debug("readConnectionsOfAtom() called");
// TODO: pass aclevaluator and operationRequest down to linkeddataservice as an
// additional filter
URI atomUri = uriService.createAtomURIForId(identifier);
Dataset rdfDataset;
HttpHeaders headers = new HttpHeaders();
Integer preferedSize = getPreferredSize(request);
URI connectionsURI = URI.create(atomUri.toString() + "/c");
try {
ConnectionState connectionState = getConnectionState(state);
WonMessageType eventsType = getMessageType(type);
DateParameter dateParam = new DateParameter(timestamp);
String passableQuery = getPassableQueryMap("type", type, "timeof", dateParam.getTimestamp(), "deep", Boolean.toString(deep));
// paging, return everything:
if (socket != null && targetSocket != null) {
rdfDataset = linkedDataService.listConnection(URI.create(socket), URI.create(targetSocket), deep);
} else if (preferedSize == null) {
// does not support date and type filtering for clients that do not support
// paging
rdfDataset = linkedDataService.listConnections(atomUri, deep, true, connectionState).getContent();
// if no page or resume parameter is specified, display the latest connections:
} else if (page == null && resumeBefore == null && resumeAfter == null) {
AtomInformationService.PagedResource<Dataset, Connection> resource = linkedDataService.listConnections(1, atomUri, preferedSize, eventsType, dateParam.getDate(), deep, true, connectionState);
rdfDataset = resource.getContent();
addPagedConnectionResourceInSequenceHeader(headers, connectionsURI, resource, passableQuery);
} else if (page != null) {
AtomInformationService.PagedResource<Dataset, Connection> resource = linkedDataService.listConnections(page, atomUri, preferedSize, eventsType, dateParam.getDate(), deep, true, connectionState);
rdfDataset = resource.getContent();
addPagedConnectionResourceInSequenceHeader(headers, connectionsURI, resource, page, passableQuery);
} else {
// before the specified event id:
if (resumeBefore != null) {
URI resumeConnURI;
try {
resumeConnURI = new URI(resumeBefore);
} catch (URISyntaxException e) {
throw new IllegalArgumentException("resumeBefore must be a full, valid connection URI");
}
AtomInformationService.PagedResource<Dataset, Connection> resource = linkedDataService.listConnectionsAfter(atomUri, resumeConnURI, preferedSize, eventsType, dateParam.getDate(), deep, true, connectionState);
rdfDataset = resource.getContent();
addPagedConnectionResourceInSequenceHeader(headers, connectionsURI, resource, passableQuery);
// resume after parameter specified - display the connections with activities
// after the specified event id:
} else {
// if (resumeAfter != null)
URI resumeConnURI;
try {
resumeConnURI = new URI(resumeAfter);
} catch (URISyntaxException e) {
throw new IllegalArgumentException("resumeAfter must be a full, valid connection URI");
}
AtomInformationService.PagedResource<Dataset, Connection> resource = linkedDataService.listConnectionsBefore(atomUri, resumeConnURI, preferedSize, eventsType, dateParam.getDate(), deep, true, connectionState);
rdfDataset = resource.getContent();
addPagedConnectionResourceInSequenceHeader(headers, connectionsURI, resource, passableQuery);
}
}
WonAclEvalContext ec = WonAclRequestHelper.getWonAclEvaluationContext(request);
// check if the dataset contains any connections
if (ec.isModeFilter() && !RdfUtils.toStatementStream(rdfDataset).anyMatch(p -> p.getPredicate().equals(RDFS.member))) {
// the dataset may be empty because no connections are allowed
// we don't have a position for all connections in the ACL, so we say: if the
// user
// is allowed to see the top level, we show the empty container, otherwise deny
OperationRequest or = ec.getOperationRequest();
or.setReqPosition(POSITION_ROOT);
AclEvalResult result = ec.decideAndRemember(or);
if (ACCESS_DENIED.equals(result.getDecision())) {
int statusCode = HttpStatus.FORBIDDEN.value();
Optional<AclEvalResult> accResult = WonAclRequestHelper.getWonAclEvaluationContext(request).getCombinedResults();
if (accResult.isPresent()) {
WonAclRequestHelper.setAuthInfoAsResponseHeader(response, accResult.get());
statusCode = WonAclRequestHelper.getHttpStatusCodeForAclEvaluationResult(accResult.get());
}
HttpStatus status = HttpStatus.valueOf(statusCode);
logger.debug("sending status {}", status);
// append the required headers
addMutableResourceHeaders(headers);
addLocationHeaderIfNecessary(headers, URI.create(request.getRequestURI()), connectionsURI);
return new ResponseEntity<>(null, headers, status);
}
}
// append the required headers
addMutableResourceHeaders(headers);
addLocationHeaderIfNecessary(headers, URI.create(request.getRequestURI()), connectionsURI);
addCORSHeader(headers);
return new ResponseEntity<>(rdfDataset, headers, HttpStatus.OK);
} catch (ParseException e) {
logger.warn("could not parse timestamp into Date:{}", timestamp);
return new ResponseEntity<>(HttpStatus.NOT_FOUND);
} catch (NoSuchAtomException e) {
logger.warn("did not find atom {}", e.getUnknownAtomURI());
return new ResponseEntity<>(HttpStatus.NOT_FOUND);
} catch (NoSuchConnectionException e) {
logger.warn("did not find connection that should be connected to atom. connection:{}", e.getUnknownConnectionURI());
return new ResponseEntity<>(HttpStatus.INTERNAL_SERVER_ERROR);
}
}
Also used :
HttpHeaders(org.springframework.http.HttpHeaders)
NoSuchAtomException(won.protocol.exception.NoSuchAtomException)
URISyntaxException(java.net.URISyntaxException)
AclEvalResult(won.auth.model.AclEvalResult)
URI(java.net.URI)
WonAclEvalContext(won.node.springsecurity.acl.WonAclEvalContext)
AtomInformationService(won.node.service.persistence.AtomInformationService)
HttpStatus(org.springframework.http.HttpStatus)
NoSuchConnectionException(won.protocol.exception.NoSuchConnectionException)
Dataset(org.apache.jena.query.Dataset)
WonMessageType(won.protocol.message.WonMessageType)
Connection(won.protocol.model.Connection)
OperationRequest(won.auth.model.OperationRequest)
ResponseEntity(org.springframework.http.ResponseEntity)
ConnectionState(won.protocol.model.ConnectionState)
ParseException(java.text.ParseException)
RequestMapping(org.springframework.web.bind.annotation.RequestMapping)
Example 9 with AclEvalResult
use of won.auth.model.AclEvalResult in project webofneeds by researchstudio-sat.
the class LinkedDataWebController method getResponseEntityForPossiblyNotModifiedResult.
private <T> ResponseEntity<T> getResponseEntityForPossiblyNotModifiedResult(final DataWithEtag<T> datasetWithEtag, final HttpHeaders headers, HttpServletRequest request, HttpServletResponse response) {
if (datasetWithEtag != null) {
if (datasetWithEtag.isDeleted()) {
logger.debug("sending status 410 GONE");
return new ResponseEntity<>(headers, HttpStatus.GONE);
} else if (datasetWithEtag.isNotFound()) {
logger.debug("sending status 404 NOT FOUND");
return new ResponseEntity<>(headers, HttpStatus.NOT_FOUND);
} else if (datasetWithEtag.isForbidden()) {
int statusCode = HttpStatus.FORBIDDEN.value();
Optional<AclEvalResult> accResult = WonAclRequestHelper.getWonAclEvaluationContext(request).getCombinedResults();
if (accResult.isPresent()) {
WonAclRequestHelper.setAuthInfoAsResponseHeader(response, accResult.get());
statusCode = WonAclRequestHelper.getHttpStatusCodeForAclEvaluationResult(accResult.get());
}
HttpStatus status = HttpStatus.valueOf(statusCode);
logger.debug("sending status {}", status);
return new ResponseEntity<>(headers, status);
} else if (datasetWithEtag.isChanged()) {
logger.debug("sending status 200 OK");
return new ResponseEntity<>(datasetWithEtag.getData(), headers, HttpStatus.OK);
} else {
logger.debug("sending status 304 NOT MODIFIED");
return new ResponseEntity<>(headers, HttpStatus.NOT_MODIFIED);
}
} else {
return new ResponseEntity<>(HttpStatus.NOT_FOUND);
}
}
Also used :
ResponseEntity(org.springframework.http.ResponseEntity)
HttpStatus(org.springframework.http.HttpStatus)
AclEvalResult(won.auth.model.AclEvalResult)
Example 10 with AclEvalResult
use of won.auth.model.AclEvalResult in project webofneeds by researchstudio-sat.
the class LinkedDataWebController method showAtomPage.
// webmvc controller method
@RequestMapping("${uri.path.page}/atom/{identifier}")
@PreAuthorize("hasRole('ROLE_WEBID')")
public String showAtomPage(@PathVariable String identifier, Model model, HttpServletRequest request, HttpServletResponse response) {
URI atomURI = uriService.createAtomURIForId(identifier);
WonAclEvalContext waeCtx = WonAclRequestHelper.getWonAclEvaluationContext(request);
Dataset rdfDataset = linkedDataService.getAtomDataset(atomURI, null, waeCtx).getData();
if (rdfDataset == null || rdfDataset.isEmpty()) {
Optional<AclEvalResult> result = waeCtx.getCombinedResults();
if (result.isPresent()) {
WonAclRequestHelper.setAuthInfoAsResponseHeader(response, result.get());
response.setStatus(WonAclRequestHelper.getHttpStatusCodeForAclEvaluationResult(result.get()));
}
return "forbiddenView";
}
model.addAttribute("rdfDataset", rdfDataset);
model.addAttribute("resourceURI", atomURI.toString());
model.addAttribute("dataURI", uriService.toDataURIIfPossible(atomURI).toString());
return "rdfDatasetView";
}
Also used :
WonAclEvalContext(won.node.springsecurity.acl.WonAclEvalContext)
Dataset(org.apache.jena.query.Dataset)
AclEvalResult(won.auth.model.AclEvalResult)
URI(java.net.URI)
PreAuthorize(org.springframework.security.access.prepost.PreAuthorize)
RequestMapping(org.springframework.web.bind.annotation.RequestMapping)
Aggregations
AclEvalResult (won.auth.model.AclEvalResult)10
URI (java.net.URI)7
OperationRequest (won.auth.model.OperationRequest)7
Dataset (org.apache.jena.query.Dataset)5
RequestMapping (org.springframework.web.bind.annotation.RequestMapping)3
WonAclEvalContext (won.node.springsecurity.acl.WonAclEvalContext)3
NoSuchAtomException (won.protocol.exception.NoSuchAtomException)3
HttpStatus (org.springframework.http.HttpStatus)2
ResponseEntity (org.springframework.http.ResponseEntity)2
NoSuchConnectionException (won.protocol.exception.NoSuchConnectionException)2
Connection (won.protocol.model.Connection)2
URISyntaxException (java.net.URISyntaxException)1
ParseException (java.text.ParseException)1
Instant (java.time.Instant)1
Optional (java.util.Optional)1
Graph (org.apache.jena.graph.Graph)1
NoSuchMessageException (org.springframework.context.NoSuchMessageException)1
HttpHeaders (org.springframework.http.HttpHeaders)1
PreAuthorize (org.springframework.security.access.prepost.PreAuthorize)1
Transactional (org.springframework.transaction.annotation.Transactional)1
