use of won.protocol.model.Atom in project webofneeds by researchstudio-sat.
the class SocketAclService method addTargetSocketAcls.
/**
* Adds the target socket's <code>targetAuth</code> authorizations to the atom's
* acl, i.e., the authorizations the target socket of an atom's connection
* specifies for the atom's ACL.
* <p>
* This operation should be executed when establishing a connection.
* </p>
*/
public void addTargetSocketAcls(Connection con) {
URI atomUri = con.getAtomURI();
URI socketAclGraphUri = WonRelativeUriHelper.createSocketAclGraphURIForAtomURI(atomUri);
Atom atom = atomService.lockAtomRequired(atomUri);
Dataset atomDataset = atom.getDatatsetHolder().getDataset();
Graph socketAcls = atomDataset.containsNamedModel(socketAclGraphUri.toString()) ? atomDataset.getNamedModel(socketAclGraphUri.toString()).getGraph() : GraphFactory.createDefaultGraph();
Optional<URI> targetSocketType = socketService.getSocketType(con.getTargetSocketURI());
Optional<SocketAuthorizations> sa = socketAuthorizationSource.getSocketAuthorizations(targetSocketType.get());
if (sa.isPresent()) {
socketAcls = socketAuthorizationAclModifierAlgorithms.addAuthorizationsForSocket(socketAcls, sa.get().getTargetAuths(), con.getSocketURI(), con.getTargetAtomURI());
}
atomDataset.addNamedModel(socketAclGraphUri.toString(), ModelFactory.createModelForGraph(socketAcls));
}
use of won.protocol.model.Atom in project webofneeds by researchstudio-sat.
the class SocketAclService method removeTargetSocketAcls.
/**
* Removes the target socket's <code>targetAuth</code> authorizations from the
* atom's acls i.e., the authorizations the target socket of an atom's
* connection specifies for the atom's ACL.
* <p>
* This operation should be executed when closing an established connection.
* </p>
*/
public void removeTargetSocketAcls(Connection con) {
URI atomUri = con.getAtomURI();
URI socketAclGraphUri = WonRelativeUriHelper.createSocketAclGraphURIForAtomURI(atomUri);
Atom atom = atomService.lockAtomRequired(atomUri);
Dataset atomDataset = atom.getDatatsetHolder().getDataset();
Graph socketAcls = atomDataset.containsNamedModel(socketAclGraphUri.toString()) ? atomDataset.getNamedModel(socketAclGraphUri.toString()).getGraph() : GraphFactory.createDefaultGraph();
boolean removeAsRequestingSocket = connectionService.hasEstablishedConnections(con.getSocketURI());
socketAcls = socketAuthorizationAclModifierAlgorithms.removeAuthorizationsForSocket(socketAcls, con.getSocketURI(), con.getTargetAtomURI(), removeAsRequestingSocket);
atomDataset.addNamedModel(socketAclGraphUri.toString(), ModelFactory.createModelForGraph(socketAcls));
}
use of won.protocol.model.Atom in project webofneeds by researchstudio-sat.
the class WonAclAccessDecisionVoter method voteForNonMessageRequest.
public int voteForNonMessageRequest(String webId, AuthToken authToken, URI resourceUri, FilterInvocation filterInvocation, Supplier<Integer> legacyImpl) {
URI atomUri = uriService.getAtomURIofSubURI(resourceUri);
if (atomUri == null) {
logger.debug("Cannot process ACL for resource {}", resourceUri);
return ACCESS_DENIED;
}
if (!uriService.isAtomURI(atomUri)) {
logger.debug("Not an atom URI: {}", atomUri);
return ACCESS_DENIED;
}
Optional<Atom> atom = atomService.getAtom(atomUri);
if (!atom.isPresent()) {
return ACCESS_DENIED;
}
Optional<Graph> aclGraph = atom.get().getAclGraph();
if (aclGraph.isEmpty()) {
// fall back to legacy implementation
WonAclRequestHelper.setWonAclEvaluationContext(filterInvocation.getRequest(), WonAclEvalContext.allowAll());
return legacyImpl.get();
}
WonAclEvaluator wonAclEvaluator = wonAclEvaluatorFactory.create(aclGraph.get());
// set up request object
OperationRequest request = new OperationRequest();
request.setReqAtom(atomUri);
if (authToken != null) {
request.addBearsToken(authToken);
}
request.setReqAtomState(toAuthAtomState(atom.get().getState()));
if (webId != null) {
request.setRequestor(URI.create(webId));
}
request.setOperationSimpleOperationExpression(OP_READ);
if (uriService.isAtomURI(resourceUri)) {
request.setReqPosition(POSITION_ROOT);
// we are going to need the acl evaluator to choose the graphs we can show
// this can only be done by the logic that assembles the response dataset
// approach: allow the request for now, then check acl for each subgraph
WonAclRequestHelper.setWonAclEvaluationContext(filterInvocation.getRequest(), WonAclEvalContext.contentFilter(request, wonAclEvaluator));
return ACCESS_GRANTED;
} else if (uriService.isAtomMessagesURI(resourceUri)) {
request.setReqPosition(POSITION_ATOM_MESSAGES);
} else if (uriService.isConnectionMessagesURI(resourceUri)) {
request.setReqPosition(POSITION_CONNECTION_MESSAGES);
Optional<Connection> con = connectionRepository.findOneByConnectionURI(uriService.getConnectionURIofConnectionMessagesURI(resourceUri));
if (!con.isPresent()) {
return ACCESS_DENIED;
}
request.setReqSocketType(con.get().getTypeURI());
request.setReqSocket(con.get().getSocketURI());
request.setReqConnection(con.get().getConnectionURI());
request.setReqConnectionState(toAuthConnectionState(con.get().getState()));
request.setReqConnectionTargetAtom(con.get().getTargetAtomURI());
} else if (uriService.isConnectionURI(resourceUri)) {
request.setReqPosition(POSITION_CONNECTION);
Optional<Connection> con = connectionRepository.findOneByConnectionURI(uriService.getConnectionURIofConnectionMessagesURI(resourceUri));
if (!con.isPresent()) {
if (logger.isDebugEnabled()) {
logger.debug("request to inexistent connection denied: {}", resourceUri);
}
return ACCESS_DENIED;
}
request.setReqSocketType(con.get().getTypeURI());
request.setReqSocket(con.get().getSocketURI());
request.setReqConnection(con.get().getConnectionURI());
request.setReqConnectionState(toAuthConnectionState(con.get().getState()));
request.setReqConnectionTargetAtom(con.get().getTargetAtomURI());
} else if (uriService.isConnectionContainerURI(resourceUri)) {
// We want to enable requesting connections per socket but haven't got
// the LD service implementation for that, yet. Moreover, a lot of code relies
// on the legacy implementation. So, we'll process requests
// to the atom's connection container as a special case: prepare the
// operationRequest now but evaluate it only when we are processing the
// results. Then, we have to group the connections by socket/socket type,
// generate the corresponding operationRequests, evaluate them and
// remove all connections the requestor is not allowed to read.
request.setReqPosition(POSITION_CONNECTIONS);
// consequence: allow now, check later
WonAclRequestHelper.setWonAclEvaluationContext(filterInvocation.getRequest(), WonAclEvalContext.contentFilter(request, wonAclEvaluator));
return ACCESS_GRANTED;
} else if (uriService.isTokenEndpointURI(resourceUri)) {
// token request
request.setReqPosition(POSITION_ROOT);
String scopeParam = WonAclRequestHelper.getRequestParamScope(filterInvocation.getRequest());
Set<OperationRequest> opReqs = new HashSet<>();
if (scopeParam == null || scopeParam.trim().length() == 0) {
TokenSpecification tokenSpec = new TokenSpecification();
TokenOperationExpression opex = new TokenOperationExpression();
opex.setRequestToken(tokenSpec);
request.setOperationSimpleOperationExpression(null);
request.setOperationTokenOperationExpression(opex);
opReqs.add(request);
} else {
String[] scopes = scopeParam.split("\\s+");
for (int i = 0; i < scopes.length; i++) {
TokenSpecification tokenSpec = new TokenSpecification();
URI tokenScopeUri = null;
try {
tokenScopeUri = new URI(scopes[i]);
} catch (URISyntaxException e) {
}
if (tokenScopeUri != null && tokenScopeUri.getScheme() != null) {
tokenSpec.setTokenScopeURI(tokenScopeUri);
} else {
tokenSpec.setTokenScopeString(scopes[i]);
}
TokenOperationExpression opex = new TokenOperationExpression();
opex.setRequestToken(tokenSpec);
OperationRequest clonedRequest = cloneShallow(request);
clonedRequest.setOperationTokenOperationExpression(opex);
clonedRequest.setOperationSimpleOperationExpression(null);
opReqs.add(clonedRequest);
}
Set<AclEvalResult> evalResults = new HashSet<>();
for (OperationRequest req : opReqs) {
AclEvalResult result = wonAclEvaluator.decide(req);
evalResults.add(result);
}
AclEvalResult finalResult = evalResults.stream().reduce(WonAclEvaluator::mergeAclEvalResults).get();
if (DecisionValue.ACCESS_GRANTED.equals(finalResult.getDecision())) {
Set<String> tokens = finalResult.getIssueTokens().stream().map(token -> AuthUtils.toJWT(token, cryptographyService.getDefaultPrivateKey(), cryptographyService.getDefaultPrivateKeyAlias())).collect(Collectors.toSet());
WonAclRequestHelper.setGrantedTokens(filterInvocation.getRequest(), tokens);
}
setAuthInfoIfDenied(filterInvocation, finalResult);
return toAccessDecisionVote(finalResult);
}
} else if (uriService.isGrantsEndpointURI(resourceUri)) {
// the LinkedDataWebController will return the grants
WonAclRequestHelper.setWonAclEvaluationContext(filterInvocation.getRequest(), WonAclEvalContext.contentFilter(request, wonAclEvaluator));
return ACCESS_GRANTED;
} else {
// default
request.setReqPosition(POSITION_ROOT);
}
AclEvalResult result = wonAclEvaluator.decide(request);
setAuthInfoIfDenied(filterInvocation, result);
return toAccessDecisionVote(result);
}
use of won.protocol.model.Atom in project webofneeds by researchstudio-sat.
the class DeleteAtomMessageProcessor method process.
@Override
public void process(final Exchange exchange) throws Exception {
WonMessage wonMessage = (WonMessage) exchange.getIn().getHeader(WonCamelConstants.RESPONSE_HEADER);
WonMessage focalMessage = wonMessage.getFocalMessage();
if (focalMessage.getMessageType() == WonMessageType.SUCCESS_RESPONSE && focalMessage.getRespondingToMessageType() == WonMessageType.DELETE) {
URI recipientAtomURI = focalMessage.getRecipientAtomURI();
if (recipientAtomURI == null) {
throw new WonMessageProcessingException("recipientAtomURI is not set");
}
Atom atom = DataAccessUtils.loadAtom(atomRepository, recipientAtomURI);
if (atom.getState() == AtomState.DELETED) {
// Delete Atom
logger.debug("Set atom to state DELETED. atomURI:{}", recipientAtomURI);
Collection<Connection> conns = connectionRepository.findByAtomURIAndNotState(atom.getAtomURI(), ConnectionState.CLOSED);
if (conns.size() > 0) {
// Still not closed connections
logger.debug("Still open connections for atom. atomURI{}", recipientAtomURI);
// TODO: Handle!
}
messageEventRepository.deleteByParentURI(atom.getAtomURI());
atom.resetAllAtomData();
} else {
// First Step: Delete message to set atom in DELETED state and start delete
// process
logger.debug("DELETING atom. atomURI:{}", recipientAtomURI);
atom.setState(AtomState.DELETED);
}
atomRepository.save(atom);
}
}
use of won.protocol.model.Atom in project webofneeds by researchstudio-sat.
the class LockMessageParentWonMessageProcessor method lockParent.
private void lockParent(WonMessage message, WonMessageDirection direction) {
// try to lock the message's connection first
// * if the message is connection-specific
// * and one exists already
WonMessageType type = message.getMessageTypeRequired().isResponseMessage() ? message.getRespondingToMessageTypeRequired() : message.getMessageTypeRequired();
if (type.isConnectionSpecificMessage()) {
logger.debug("Attempting to lock connection for message {} {}", message.getMessageURI(), direction);
Optional<URI> conURI = messageService.getConnectionofMessage(message, direction);
if (conURI.isPresent()) {
logger.debug("Locking connection {} for message {} {}", new Object[] { conURI.get(), message.getMessageURI(), direction });
Optional<Connection> con = connectionRepository.findOneByConnectionURIForUpdate(conURI.get());
if (con.isPresent()) {
entityManager.refresh(con.get());
logger.debug("Locked connection {} for message {} {}", new Object[] { conURI.get(), message.getMessageURI(), direction });
logger.debug("connection: {}", con.get());
return;
} else {
logger.debug("Did not lock connection {} for message {} {}", new Object[] { conURI.get(), message.getMessageURI(), direction });
}
} else {
logger.debug("Did not find connection to lock for message {} {}", message.getMessageURI(), direction);
}
} else {
logger.debug("Not attempting to lock connection for message {} {}", message.getMessageURI(), direction);
}
logger.debug("Attempting to lock atom for message {}", message.getMessageURI());
// no connection found to lock or wanting to lock the atom too
Optional<URI> atomURI = messageService.getAtomOfMessage(message, direction);
if (atomURI.isPresent()) {
Optional<Atom> atom = atomRepository.findOneByAtomURIForUpdate(atomURI.get());
if (atom.isPresent()) {
entityManager.refresh(atom.get());
logger.debug("Locked atom {} for message {} {}", new Object[] { atom.get().getAtomURI(), message.getMessageURI(), direction });
} else {
logger.debug("Did not find atom {} to lock for message {} {}", new Object[] { atomURI.get(), message.getMessageURI(), direction });
}
} else {
logger.debug("Did not find atom to lock for message {} {}", message.getMessageURI(), direction);
}
// it's possible that we did not lock anything because
// * the message is neither atom- nor conneciton-specific
// * the message is a CREATE message - the atom doesn't exist yet
}
Aggregations