
Example 1 with MessageEvent

use of won.protocol.model.MessageEvent in project webofneeds by researchstudio-sat.

From class WonAclAccessDecisionVoter, method voteForMessageRequest.

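/**
 * Votes on a read request for a single message resource.
 * <p>
 * A message can be stored in several message containers (one per connection or
 * atom it belongs to), so one {@link OperationRequest} is built for every
 * container the message was found in and evaluated against the ACL graph of the
 * atom owning that container. Atoms without an ACL graph, and containers whose
 * parent URI is neither a connection nor an atom URI, are handed to
 * {@code legacyImpl}; its results are kept per atom and merged so that the most
 * permissive legacy outcome wins (GRANTED over ABSTAIN over DENIED).
 * <p>
 * Decision: {@code ACCESS_GRANTED} if the merged legacy result is granted or the
 * merged ACL result (via {@link WonAclEvaluator#mergeAclEvalResults}) is
 * granted; otherwise {@code ACCESS_DENIED}. If an atom referenced by one of the
 * containers cannot be loaded, the request is denied immediately (fail closed).
 * On denial, an existing ACL result is passed to {@code setAuthInfoIfDenied}.
 *
 * @param webId            WebID of the requestor; used verbatim as the requestor URI
 * @param authToken        bearer token presented with the request; may be {@code null}
 * @param resourceUri      URI of the requested message resource
 * @param filterInvocation the invocation the denial information is attached to
 * @param legacyImpl       fallback decision for containers the ACL model does not cover;
 *                         invoked once per message that falls back
 * @return {@code ACCESS_GRANTED} or {@code ACCESS_DENIED}
 */
public int voteForMessageRequest(String webId, AuthToken authToken, URI resourceUri, FilterInvocation filterInvocation, Supplier<Integer> legacyImpl) {
    // A message may live in several containers; access is checked for each of them.
    Map<URI, Set<OperationRequest>> opReqs = new HashMap<>();
    Map<URI, Graph> aclGraphs = new HashMap<>();
    Map<URI, Integer> legacyResults = new HashMap<>();
    URI messageUri = WonMessageUriHelper.toGenericMessageURI(resourceUri, uriService.getMessageResourceURIPrefix());
    List<MessageEvent> msgs = messageEventRepository.findByMessageURI(messageUri);
    for (MessageEvent msg : msgs) {
        URI parent = msg.getParentURI();
        URI atomUri = uriService.getAtomURIofSubURI(parent);
        Optional<Atom> atom = atomService.getAtom(atomUri);
        if (atom.isEmpty()) {
            // fail closed: a container whose owning atom cannot be loaded is never readable
            return ACCESS_DENIED;
        }
        if (!aclGraphs.containsKey(atomUri)) {
            Optional<Graph> aclGraph = atom.get().getAclGraph();
            if (aclGraph.isEmpty()) {
                // no ACL graph on this atom: the legacy rules decide for this container
                legacyResults.put(atomUri, legacyImpl.get());
                continue;
            }
            aclGraphs.put(atomUri, aclGraph.get());
        }
        OperationRequest operationRequest = new OperationRequest();
        if (authToken != null) {
            operationRequest.addBearsToken(authToken);
        }
        operationRequest.setRequestor(URI.create(webId));
        operationRequest.setReqAtomState(toAuthAtomState(atom.get().getState()));
        operationRequest.setReqAtom(atomUri);
        operationRequest.setOperationSimpleOperationExpression(OP_READ);
        if (uriService.isConnectionURI(parent)) {
            Optional<Connection> con = connectionRepository.findOneByConnectionURI(parent);
            // The repository returns an Optional: a bare null check could never fire and an
            // absent connection would have thrown NoSuchElementException on con.get() below.
            if (con == null || con.isEmpty()) {
                continue;
            }
            Connection connection = con.get();
            operationRequest.setReqPosition(POSITION_CONNECTION_MESSAGE);
            operationRequest.setReqConnectionMessage(msg.getMessageURI());
            operationRequest.setReqConnection(connection.getConnectionURI());
            operationRequest.setReqSocket(connection.getSocketURI());
            operationRequest.setReqSocketType(connection.getTypeURI());
            operationRequest.setReqConnectionState(toAuthConnectionState(connection.getState()));
            operationRequest.setReqConnectionTargetAtom(connection.getTargetAtomURI());
        } else if (uriService.isAtomURI(parent)) {
            operationRequest.setReqPosition(POSITION_ATOM_MESSAGE);
        } else {
            // container type not covered by the ACL model: defer to the legacy rules
            legacyResults.put(atomUri, legacyImpl.get());
            continue;
        }
        opReqs.computeIfAbsent(atomUri, key -> new HashSet<>()).add(operationRequest);
    }
    Set<AclEvalResult> aclEvalResults = new HashSet<>();
    for (Map.Entry<URI, Graph> entry : aclGraphs.entrySet()) {
        // An atom can have an ACL graph but no evaluable request (all of its messages were
        // skipped above), so the lookup must not assume an entry exists.
        Set<OperationRequest> requests = opReqs.getOrDefault(entry.getKey(), Set.of());
        for (OperationRequest opReq : requests) {
            aclEvalResults.add(wonAclEvaluatorFactory.create(entry.getValue()).decide(opReq));
        }
    }
    Optional<AclEvalResult> aclEvalResult = aclEvalResults.stream().reduce(WonAclEvaluator::mergeAclEvalResults);
    // Merge legacy results across atoms: the most permissive outcome wins
    // (GRANTED > ABSTAIN > DENIED); no legacy result at all counts as ABSTAIN.
    Integer legacyResult = legacyResults.values().stream().reduce((left, right) -> {
        if (left.equals(right)) {
            return left;
        }
        if (left.equals(ACCESS_GRANTED) || right.equals(ACCESS_GRANTED)) {
            return ACCESS_GRANTED;
        } else if (left.equals(ACCESS_ABSTAIN) || right.equals(ACCESS_ABSTAIN)) {
            return ACCESS_ABSTAIN;
        }
        return ACCESS_DENIED;
    }).orElse(ACCESS_ABSTAIN);
    boolean aclGranted = aclEvalResult.isPresent()
            && aclEvalResult.get().getDecision().equals(DecisionValue.ACCESS_GRANTED);
    if (legacyResult.equals(ACCESS_GRANTED) || aclGranted) {
        return ACCESS_GRANTED;
    }
    if (aclEvalResult.isPresent()) {
        setAuthInfoIfDenied(filterInvocation, aclEvalResult.get());
    }
    return ACCESS_DENIED;
}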
