use of won.protocol.exception.ForbiddenMessageException in project webofneeds by researchstudio-sat.
the class AclChecker method process.
@Override
public void process(Exchange exchange) throws Exception {
URI recipientAtomUri = WonCamelHelper.getRecipientAtomURIRequired(exchange);
WonMessage message = WonCamelHelper.getMessageRequired(exchange);
if (message.getMessageType().isCreateAtom()) {
// no checks required for a create message
return;
}
if (message.getMessageType().isHintMessage()) {
// no checks required for a hint message
return;
}
URI signer = message.getSignerURIRequired();
URI sender = message.getSenderAtomURIRequired();
URI senderNode = message.getSenderNodeURIRequired();
WonMessageDirection direction = WonCamelHelper.getDirectionRequired(exchange);
if (direction.isFromExternal() || direction.isFromSystem()) {
if (signer.equals(senderNode)) {
// nodes are allowed to messages on behalf of an atom (for now)
return;
}
}
Atom atom = atomService.getAtomForMessageRequired(message, direction);
Optional<Graph> aclGraph = atom.getAclGraph();
if (aclGraph.isEmpty()) {
// no checks if no acl present
if (!sender.equals(signer)) {
throw new IllegalMessageSignerException(String.format("%s must not be signer of %s message %s", signer, message.getMessageTypeRequired(), message.getMessageURIRequired()));
}
return;
}
boolean isMessageOnBehalf = false;
URI requestor = sender;
if (direction.isFromOwner()) {
if (signer.equals(sender)) {
// no checks if the owner is the signer
return;
} else {
isMessageOnBehalf = true;
requestor = signer;
}
}
OperationRequest operationRequest = OperationRequest.builder().setReqAtom(atom.getAtomURI()).setReqAtomState(AuthUtils.toAuthAtomState(atom.getState())).setRequestor(requestor).build();
if (message.getMessageType().isConnectionSpecificMessage()) {
if (direction.isFromOwner() || direction.isFromSystem()) {
Optional<Socket> s = socketService.getSocket(message.getSenderSocketURIRequired());
operationRequest.setReqSocketType(s.get().getTypeURI());
operationRequest.setReqSocket(s.get().getSocketURI());
} else if (direction.isFromExternal()) {
Optional<Socket> s = socketService.getSocket(message.getRecipientSocketURIRequired());
operationRequest.setReqSocketType(s.get().getTypeURI());
operationRequest.setReqSocket(s.get().getSocketURI());
}
} else {
operationRequest.setReqPosition(POSITION_ROOT);
}
Optional<Connection> con = WonCamelHelper.getConnection(exchange, connectionService);
if (con.isPresent()) {
operationRequest.setReqPosition(POSITION_CONNECTION);
Connection c = con.get();
operationRequest.setReqConnection(c.getConnectionURI());
operationRequest.setReqConnectionTargetAtom(c.getTargetAtomURI());
operationRequest.setReqConnectionState(AuthUtils.toAuthConnectionState(c.getState()));
// we already set these values, but now that we know we have a connection, make
// sure these values match the connection's
operationRequest.setReqSocketType(c.getTypeURI());
operationRequest.setReqSocket(c.getSocketURI());
} else {
operationRequest.setReqPosition(POSITION_SOCKET);
}
if (isMessageOnBehalf) {
operationRequest.setOperationMessageOperationExpression(MessageOperationExpression.builder().addMessageOnBehalfsMessageType(AuthUtils.toAuthMessageType(message.getMessageType())).build());
} else {
operationRequest.setOperationMessageOperationExpression(MessageOperationExpression.builder().addMessageTosMessageType(AuthUtils.toAuthMessageType(message.getMessageType())).build());
}
WonAclEvaluator evaluator = wonAclEvaluatorFactory.create(aclGraph.get());
if (message.getMessageType().isReplace()) {
// decision for replace messages is deferred to where replacement actually
// happens
} else {
AclEvalResult result = evaluator.decide(operationRequest);
if (DecisionValue.ACCESS_DENIED.equals(result.getDecision())) {
throw new ForbiddenMessageException(String.format("Message not allowed"));
}
}
WonCamelHelper.putWonAclEvaluator(exchange, evaluator);
WonCamelHelper.putWonAclOperationRequest(exchange, operationRequest);
}
Aggregations