source.dussan.org Git - archiva.git/blob

   1 package org.apache.archiva.web.xmlrpc.security;\r
   2 \r
   3 /*\r
   4  * Licensed to the Apache Software Foundation (ASF) under one\r
   5  * or more contributor license agreements.  See the NOTICE file\r
   6  * distributed with this work for additional information\r
   7  * regarding copyright ownership.  The ASF licenses this file\r
   8  * to you under the Apache License, Version 2.0 (the\r
   9  * "License"); you may not use this file except in compliance\r
  10  * with the License.  You may obtain a copy of the License at\r
  11  *\r
  12  *  http://www.apache.org/licenses/LICENSE-2.0\r
  13  *\r
  14  * Unless required by applicable law or agreed to in writing,\r
  15  * software distributed under the License is distributed on an\r
  16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\r
  17  * KIND, either express or implied.  See the License for the\r
  18  * specific language governing permissions and limitations\r
  19  * under the License.\r
  20  */\r
  21 \r
  22 import java.util.List;\r
  23 \r
  24 import org.apache.maven.archiva.security.ArchivaRoleConstants;\r
  25 import org.apache.maven.archiva.security.ArchivaSecurityException;\r
  26 import org.apache.maven.archiva.security.UserRepositories;\r
  27 import org.apache.xmlrpc.XmlRpcException;\r
  28 import org.apache.xmlrpc.XmlRpcRequest;\r
  29 import org.apache.xmlrpc.common.XmlRpcHttpRequestConfigImpl;\r
  30 import org.apache.xmlrpc.server.AbstractReflectiveHandlerMapping.AuthenticationHandler;\r
  31 import org.codehaus.plexus.redback.authentication.AuthenticationException;\r
  32 import org.codehaus.plexus.redback.authentication.PasswordBasedAuthenticationDataSource;\r
  33 import org.codehaus.plexus.redback.authorization.AuthorizationException;\r
  34 import org.codehaus.plexus.redback.authorization.AuthorizationResult;\r
  35 import org.codehaus.plexus.redback.policy.PolicyViolationException;\r
  36 import org.codehaus.plexus.redback.system.SecuritySession;\r
  37 import org.codehaus.plexus.redback.system.SecuritySystem;\r
  38 import org.codehaus.plexus.redback.users.UserNotFoundException;\r
  39 \r
  40 /**\r
  41  * XmlRpcAuthenticator\r
  42  * \r
  43  * Custom authentication and authorization handler for xmlrpc requests.\r
  44  * \r
  45  * @version $Id \r
  46  */\r
  47 public class XmlRpcAuthenticator\r
  48     implements AuthenticationHandler\r
  49 {\r
  50     private final SecuritySystem securitySystem;\r
  51     \r
  52     private UserRepositories userRepositories;\r
  53     \r
  54     private String username;\r
  55         \r
  56     public XmlRpcAuthenticator( SecuritySystem securitySystem, UserRepositories userRepositories )\r
  57     {\r
  58         this.securitySystem = securitySystem;\r
  59         this.userRepositories = userRepositories;\r
  60     }\r
  61     \r
  62     public boolean isAuthorized( XmlRpcRequest pRequest )\r
  63         throws XmlRpcException\r
  64     {   \r
  65         if ( pRequest.getConfig() instanceof XmlRpcHttpRequestConfigImpl )\r
  66         {\r
  67             XmlRpcHttpRequestConfigImpl config = (XmlRpcHttpRequestConfigImpl) pRequest.getConfig();\r
  68             username = config.getBasicUserName();\r
  69             SecuritySession session =\r
  70                 authenticate( new PasswordBasedAuthenticationDataSource( username,\r
  71                                                                          config.getBasicPassword() ) );\r
  72             \r
  73             String method = pRequest.getMethodName();            \r
  74             AuthorizationResult result = authorize( session, method, username );\r
  75             \r
  76             return result.isAuthorized();\r
  77         }\r
  78 \r
  79         throw new XmlRpcException( "Unsupported transport (must be http)" );\r
  80     }\r
  81 \r
  82     private SecuritySession authenticate( PasswordBasedAuthenticationDataSource authenticationDataSource )\r
  83         throws XmlRpcException\r
  84     {\r
  85         try\r
  86         {\r
  87             return securitySystem.authenticate( authenticationDataSource );\r
  88         }\r
  89         catch ( PolicyViolationException e )\r
  90         {\r
  91             throw new XmlRpcException( 401, e.getMessage(), e );\r
  92         }\r
  93         catch ( AuthenticationException e )\r
  94         {\r
  95             throw new XmlRpcException( 401, e.getMessage(), e );\r
  96         }\r
  97         catch ( UserNotFoundException e )\r
  98         {\r
  99             throw new XmlRpcException( 401, e.getMessage(), e );\r
 100         }\r
 101     }\r
 102 \r
 103     private AuthorizationResult authorize( SecuritySession session, String methodName, String username )\r
 104         throws XmlRpcException\r
 105     {   \r
 106         try\r
 107         {   \r
 108             // sample attempt at simplifying authorization checking of requested service method\r
 109             if ( ServiceMethodsPermissionsMapping.SERVICE_METHODS_FOR_OPERATION_MANAGE_CONFIGURATION.contains( methodName ) )\r
 110             {                \r
 111                 return securitySystem.authorize( session, ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION );\r
 112             }\r
 113             else if ( ServiceMethodsPermissionsMapping.SERVICE_METHODS_FOR_OPERATION_RUN_INDEXER.contains( methodName ) )\r
 114             {                \r
 115                 return securitySystem.authorize( session, ArchivaRoleConstants.OPERATION_RUN_INDEXER );\r
 116             }\r
 117             else if ( ServiceMethodsPermissionsMapping.SERVICE_METHODS_FOR_OPERATION_REPOSITORY_ACCESS.contains( methodName ) )\r
 118             {   \r
 119                 try\r
 120                 {\r
 121                     List<String> observableRepos = userRepositories.getObservableRepositoryIds( username );\r
 122                     if( observableRepos != null && observableRepos.size() > 1 )\r
 123                     {\r
 124                         return new AuthorizationResult( true, username, null );\r
 125                     }\r
 126                     else\r
 127                     {\r
 128                         return new AuthorizationResult( false, username, null );\r
 129                     }\r
 130                 }\r
 131                 catch ( ArchivaSecurityException e )\r
 132                 {\r
 133                     throw new XmlRpcException( 401, e.getMessage() );\r
 134                 }\r
 135             }   \r
 136             else\r
 137             {\r
 138                 return securitySystem.authorize( session, ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE );\r
 139             }\r
 140         }\r
 141         catch ( AuthorizationException e )\r
 142         {\r
 143             throw new XmlRpcException( 401, e.getMessage(), e );\r
 144         }\r
 145     }\r
 146     \r
 147     public String getActiveUser()\r
 148     {\r
 149         return username;\r
 150     }\r
 151 }\r