1 package org.apache.archiva.web.xmlrpc.security;\r
2 \r
3 /*\r
4  * Licensed to the Apache Software Foundation (ASF) under one\r
5  * or more contributor license agreements.  See the NOTICE file\r
6  * distributed with this work for additional information\r
7  * regarding copyright ownership.  The ASF licenses this file\r
8  * to you under the Apache License, Version 2.0 (the\r
9  * "License"); you may not use this file except in compliance\r
10  * with the License.  You may obtain a copy of the License at\r
11  *\r
12  *  http://www.apache.org/licenses/LICENSE-2.0\r
13  *\r
14  * Unless required by applicable law or agreed to in writing,\r
15  * software distributed under the License is distributed on an\r
16  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY\r
17  * KIND, either express or implied.  See the License for the\r
18  * specific language governing permissions and limitations\r
19  * under the License.\r
20  */\r
21 \r
22 import java.util.List;\r
23 \r
24 import org.apache.maven.archiva.security.ArchivaRoleConstants;\r
25 import org.apache.maven.archiva.security.ArchivaSecurityException;\r
26 import org.apache.maven.archiva.security.UserRepositories;\r
27 import org.apache.xmlrpc.XmlRpcException;\r
28 import org.apache.xmlrpc.XmlRpcRequest;\r
29 import org.apache.xmlrpc.common.XmlRpcHttpRequestConfigImpl;\r
30 import org.apache.xmlrpc.server.AbstractReflectiveHandlerMapping.AuthenticationHandler;\r
31 import org.codehaus.plexus.redback.authentication.AuthenticationException;\r
32 import org.codehaus.plexus.redback.authentication.PasswordBasedAuthenticationDataSource;\r
33 import org.codehaus.plexus.redback.authorization.AuthorizationException;\r
34 import org.codehaus.plexus.redback.authorization.AuthorizationResult;\r
35 import org.codehaus.plexus.redback.policy.AccountLockedException;\r
36 import org.codehaus.plexus.redback.system.SecuritySession;\r
37 import org.codehaus.plexus.redback.system.SecuritySystem;\r
38 import org.codehaus.plexus.redback.users.UserNotFoundException;\r
39 \r
40 /**\r
41  * XmlRpcAuthenticator\r
42  * \r
43  * Custom authentication and authorization handler for xmlrpc requests.\r
44  * \r
45  * @version $Id \r
46  */\r
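/**
 * XmlRpcAuthenticator
 * 
 * Custom authentication and authorization handler for xmlrpc requests.
 *
 * Authentication uses the HTTP Basic credentials carried by the request config;
 * authorization maps the requested XML-RPC method name to an Archiva operation
 * (via {@link ServiceMethodsPermissionsMapping}) and asks the Redback
 * {@link SecuritySystem} whether the caller holds it.
 *
 * A single instance of this handler is registered on the handler mapping and
 * therefore services every request. Per-request state (the active user name) is
 * kept in a {@link ThreadLocal}; a plain field would be overwritten by concurrent
 * requests and could report another caller's user name.
 * 
 * @version $Id 
 */
public class XmlRpcAuthenticator
    implements AuthenticationHandler
{
    private final SecuritySystem securitySystem;
    
    private final UserRepositories userRepositories;
    
    /**
     * Name of the user authenticated by the request being processed on the current
     * thread, or null if no authentication has succeeded on this thread yet.
     * Thread-confined on purpose: the handler instance is shared between requests.
     */
    private final ThreadLocal<String> activeUser = new ThreadLocal<String>();
        
    public XmlRpcAuthenticator( SecuritySystem securitySystem, UserRepositories userRepositories )
    {
        this.securitySystem = securitySystem;
        this.userRepositories = userRepositories;
    }
    
    /**
     * Authenticates the caller from the request's HTTP Basic credentials and then
     * authorizes the requested method for that user.
     *
     * @param pRequest the incoming XML-RPC request; its config must be an
     *                 {@link XmlRpcHttpRequestConfigImpl} (HTTP transport)
     * @return true if the authenticated user may invoke the requested method
     * @throws XmlRpcException with code 401 when credentials are missing or rejected, or
     *         when the authorization lookup itself fails; without a code when the
     *         transport is not HTTP
     */
    public boolean isAuthorized( XmlRpcRequest pRequest )
        throws XmlRpcException
    {   
        if ( !( pRequest.getConfig() instanceof XmlRpcHttpRequestConfigImpl ) )
        {
            throw new XmlRpcException( "Unsupported transport (must be http)" );
        }

        XmlRpcHttpRequestConfigImpl config = (XmlRpcHttpRequestConfigImpl) pRequest.getConfig();

        // Clear whatever a previous request on this (possibly pooled) thread left behind so
        // that a failed authentication never leaves a stale user name visible.
        activeUser.remove();

        String username = config.getBasicUserName();
        if ( username == null || username.length() == 0 )
        {
            // Fail closed on a missing/empty Authorization header instead of handing a null
            // principal to the security system.
            throw new XmlRpcException( 401, "Authentication required" );
        }

        SecuritySession session =
            authenticate( new PasswordBasedAuthenticationDataSource( username, config.getBasicPassword() ) );

        // Publish the user name only once authentication has succeeded.
        activeUser.set( username );

        AuthorizationResult result = authorize( session, pRequest.getMethodName(), username );
        return result.isAuthorized();
    }

    /**
     * Authenticates the supplied credentials against the security system.
     *
     * @param authenticationDataSource user name and password taken from the HTTP Basic header
     * @return the security session of the authenticated user
     * @throws XmlRpcException with code 401 if the account is locked, the credentials are
     *         rejected, or the user does not exist; the original exception is kept as cause
     */
    private SecuritySession authenticate( PasswordBasedAuthenticationDataSource authenticationDataSource )
        throws XmlRpcException
    {
        // NOTE(review): the exception message becomes the fault string returned to the client,
        // so a "user not found" text is distinguishable from a bad-password text and allows
        // user-name enumeration. Consider one generic client message with the detail logged
        // server-side only; kept as-is here because the exact Redback messages are not visible.
        try
        {
            return securitySystem.authenticate( authenticationDataSource );
        }
        catch ( AccountLockedException e )
        {
            throw new XmlRpcException( 401, e.getMessage(), e );
        }
        catch ( AuthenticationException e )
        {
            throw new XmlRpcException( 401, e.getMessage(), e );
        }
        catch ( UserNotFoundException e )
        {
            throw new XmlRpcException( 401, e.getMessage(), e );
        }
    }

    /**
     * Maps the requested service method to the Archiva operation it requires and checks it.
     *
     * Methods not listed in any {@link ServiceMethodsPermissionsMapping} set fall through to
     * the global repository manager role, so an unknown method is not open by default.
     *
     * @param session    security session of the authenticated caller
     * @param methodName the XML-RPC method being invoked
     * @param username   the authenticated user name, used for the observable-repository lookup
     * @return the authorization outcome; never null
     * @throws XmlRpcException with code 401 if the authorization lookup itself fails
     */
    private AuthorizationResult authorize( SecuritySession session, String methodName, String username )
        throws XmlRpcException
    {   
        try
        {   
            if ( ServiceMethodsPermissionsMapping.SERVICE_METHODS_FOR_OPERATION_MANAGE_CONFIGURATION.contains( methodName ) )
            {                
                return securitySystem.authorize( session, ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION );
            }
            if ( ServiceMethodsPermissionsMapping.SERVICE_METHODS_FOR_OPERATION_RUN_INDEXER.contains( methodName ) )
            {                
                return securitySystem.authorize( session, ArchivaRoleConstants.OPERATION_RUN_INDEXER );
            }
            if ( ServiceMethodsPermissionsMapping.SERVICE_METHODS_FOR_OPERATION_REPOSITORY_ACCESS.contains( methodName ) )
            {   
                return authorizeRepositoryAccess( username );
            }
            // Anything not explicitly mapped requires the global repository manager role.
            return securitySystem.authorize( session, ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE );
        }
        catch ( AuthorizationException e )
        {
            throw new XmlRpcException( 401, e.getMessage(), e );
        }
    }

    /**
     * Coarse gate for repository-access methods based on the repositories the user may observe.
     *
     * This decision is made per method, not per repository: nothing in this class inspects the
     * call arguments, so it does not verify that the caller may observe the particular repository
     * named in the request. That check, if any, must live in the service implementation.
     *
     * @param username the authenticated user name
     * @return authorized result if the lookup succeeds and the size condition below holds
     * @throws XmlRpcException with code 401 if the repository lookup fails; cause is preserved
     */
    private AuthorizationResult authorizeRepositoryAccess( String username )
        throws XmlRpcException
    {
        try
        {
            List<String> observableRepos = userRepositories.getObservableRepositoryIds( username );
            // NOTE(review): "> 1" denies a user who can observe exactly one repository. Kept
            // unchanged because the intended threshold (at least one? more than one?) cannot be
            // recovered from this file — confirm, and use !isEmpty() if "at least one" is meant.
            boolean allowed = observableRepos != null && observableRepos.size() > 1;
            return new AuthorizationResult( allowed, username, null );
        }
        catch ( ArchivaSecurityException e )
        {
            // Keep the cause, consistent with the other 401 paths in this class.
            throw new XmlRpcException( 401, e.getMessage(), e );
        }
    }
    
    /**
     * Returns the user name authenticated for the request being processed on the calling thread.
     *
     * Only meaningful on the thread that ran {@link #isAuthorized(XmlRpcRequest)} — this assumes
     * the handler mapping invokes the service method on that same thread (TODO confirm against
     * the XML-RPC server configuration).
     *
     * @return the active user name, or null if no authentication succeeded on this thread
     */
    public String getActiveUser()
    {
        return activeUser.get();
    }
}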
151 }\r