Search in sources :

Example 1 with ForbiddenMessageException

use of won.protocol.exception.ForbiddenMessageException in project webofneeds by researchstudio-sat.

the class AclChecker method process.

@Override
public void process(Exchange exchange) throws Exception {
    URI recipientAtomUri = WonCamelHelper.getRecipientAtomURIRequired(exchange);
    WonMessage message = WonCamelHelper.getMessageRequired(exchange);
    if (message.getMessageType().isCreateAtom()) {
        // no checks required for a create message
        return;
    }
    if (message.getMessageType().isHintMessage()) {
        // no checks required for a hint message
        return;
    }
    URI signer = message.getSignerURIRequired();
    URI sender = message.getSenderAtomURIRequired();
    URI senderNode = message.getSenderNodeURIRequired();
    WonMessageDirection direction = WonCamelHelper.getDirectionRequired(exchange);
    if (direction.isFromExternal() || direction.isFromSystem()) {
        if (signer.equals(senderNode)) {
            // nodes are allowed to messages on behalf of an atom (for now)
            return;
        }
    }
    Atom atom = atomService.getAtomForMessageRequired(message, direction);
    Optional<Graph> aclGraph = atom.getAclGraph();
    if (aclGraph.isEmpty()) {
        // no checks if no acl present
        if (!sender.equals(signer)) {
            throw new IllegalMessageSignerException(String.format("%s must not be signer of %s message %s", signer, message.getMessageTypeRequired(), message.getMessageURIRequired()));
        }
        return;
    }
    boolean isMessageOnBehalf = false;
    URI requestor = sender;
    if (direction.isFromOwner()) {
        if (signer.equals(sender)) {
            // no checks if the owner is the signer
            return;
        } else {
            isMessageOnBehalf = true;
            requestor = signer;
        }
    }
    OperationRequest operationRequest = OperationRequest.builder().setReqAtom(atom.getAtomURI()).setReqAtomState(AuthUtils.toAuthAtomState(atom.getState())).setRequestor(requestor).build();
    if (message.getMessageType().isConnectionSpecificMessage()) {
        if (direction.isFromOwner() || direction.isFromSystem()) {
            Optional<Socket> s = socketService.getSocket(message.getSenderSocketURIRequired());
            operationRequest.setReqSocketType(s.get().getTypeURI());
            operationRequest.setReqSocket(s.get().getSocketURI());
        } else if (direction.isFromExternal()) {
            Optional<Socket> s = socketService.getSocket(message.getRecipientSocketURIRequired());
            operationRequest.setReqSocketType(s.get().getTypeURI());
            operationRequest.setReqSocket(s.get().getSocketURI());
        }
    } else {
        operationRequest.setReqPosition(POSITION_ROOT);
    }
    Optional<Connection> con = WonCamelHelper.getConnection(exchange, connectionService);
    if (con.isPresent()) {
        operationRequest.setReqPosition(POSITION_CONNECTION);
        Connection c = con.get();
        operationRequest.setReqConnection(c.getConnectionURI());
        operationRequest.setReqConnectionTargetAtom(c.getTargetAtomURI());
        operationRequest.setReqConnectionState(AuthUtils.toAuthConnectionState(c.getState()));
        // we already set these values, but now that we know we have a connection, make
        // sure these values match the connection's
        operationRequest.setReqSocketType(c.getTypeURI());
        operationRequest.setReqSocket(c.getSocketURI());
    } else {
        operationRequest.setReqPosition(POSITION_SOCKET);
    }
    if (isMessageOnBehalf) {
        operationRequest.setOperationMessageOperationExpression(MessageOperationExpression.builder().addMessageOnBehalfsMessageType(AuthUtils.toAuthMessageType(message.getMessageType())).build());
    } else {
        operationRequest.setOperationMessageOperationExpression(MessageOperationExpression.builder().addMessageTosMessageType(AuthUtils.toAuthMessageType(message.getMessageType())).build());
    }
    WonAclEvaluator evaluator = wonAclEvaluatorFactory.create(aclGraph.get());
    if (message.getMessageType().isReplace()) {
    // decision for replace messages is deferred to where replacement actually
    // happens
    } else {
        AclEvalResult result = evaluator.decide(operationRequest);
        if (DecisionValue.ACCESS_DENIED.equals(result.getDecision())) {
            throw new ForbiddenMessageException(String.format("Message not allowed"));
        }
    }
    WonCamelHelper.putWonAclEvaluator(exchange, evaluator);
    WonCamelHelper.putWonAclOperationRequest(exchange, operationRequest);
}
Also used : Optional(java.util.Optional) OperationRequest(won.auth.model.OperationRequest) Connection(won.protocol.model.Connection) WonAclEvaluator(won.auth.WonAclEvaluator) AclEvalResult(won.auth.model.AclEvalResult) URI(java.net.URI) Atom(won.protocol.model.Atom) Graph(org.apache.jena.graph.Graph) ForbiddenMessageException(won.protocol.exception.ForbiddenMessageException) WonMessage(won.protocol.message.WonMessage) IllegalMessageSignerException(won.protocol.exception.IllegalMessageSignerException) WonMessageDirection(won.protocol.message.WonMessageDirection) Socket(won.protocol.model.Socket)

Aggregations

URI (java.net.URI)1 Optional (java.util.Optional)1 Graph (org.apache.jena.graph.Graph)1 WonAclEvaluator (won.auth.WonAclEvaluator)1 AclEvalResult (won.auth.model.AclEvalResult)1 OperationRequest (won.auth.model.OperationRequest)1 ForbiddenMessageException (won.protocol.exception.ForbiddenMessageException)1 IllegalMessageSignerException (won.protocol.exception.IllegalMessageSignerException)1 WonMessage (won.protocol.message.WonMessage)1 WonMessageDirection (won.protocol.message.WonMessageDirection)1 Atom (won.protocol.model.Atom)1 Connection (won.protocol.model.Connection)1 Socket (won.protocol.model.Socket)1