<name>Redback :: Authorization Providers</name>
<packaging>pom</packaging>
<modules>
+ <module>redback-authorization-rbac</module>
<module>redback-authorization-open</module>
<module>redback-authorization-ldap</module>
</modules>
--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.apache.archiva.redback</groupId>
+ <artifactId>redback-authorization-providers</artifactId>
+ <version>2.1-SNAPSHOT</version>
+ </parent>
+
+ <artifactId>redback-authorization-rbac</artifactId>
+ <packaging>bundle</packaging>
+ <name>Redback :: Authorization Provider :: RBAC</name>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.archiva.redback</groupId>
+ <artifactId>redback-users-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.archiva.redback</groupId>
+ <artifactId>redback-authorization-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.archiva.redback</groupId>
+ <artifactId>redback-rbac-cached</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.archiva.redback</groupId>
+ <artifactId>redback-rbac-memory</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.archiva.redback</groupId>
+ <artifactId>redback-users-configurable</artifactId>
+ <scope>runtime</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.archiva.redback</groupId>
+ <artifactId>redback-users-memory</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.archiva.redback</groupId>
+ <artifactId>redback-rbac-model</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-context-support</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>javax.annotation</groupId>
+ <artifactId>jsr250-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-simple</artifactId>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.felix</groupId>
+ <artifactId>maven-bundle-plugin</artifactId>
+ </plugin>
+ </plugins>
+ </build>
+
+</project>
--- /dev/null
+package org.apache.archiva.redback.authorization.rbac;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import org.apache.archiva.redback.authorization.AuthorizationDataSource;
+import org.apache.archiva.redback.authorization.AuthorizationException;
+import org.apache.archiva.redback.authorization.AuthorizationResult;
+import org.apache.archiva.redback.authorization.Authorizer;
+import org.apache.archiva.redback.authorization.NotAuthorizedException;
+import org.apache.archiva.redback.authorization.rbac.evaluator.PermissionEvaluationException;
+import org.apache.archiva.redback.authorization.rbac.evaluator.PermissionEvaluator;
+import org.apache.archiva.redback.rbac.Permission;
+import org.apache.archiva.redback.rbac.RBACManager;
+import org.apache.archiva.redback.rbac.RbacManagerException;
+import org.apache.archiva.redback.rbac.RbacObjectNotFoundException;
+import org.apache.archiva.redback.users.User;
+import org.apache.archiva.redback.users.UserManager;
+import org.apache.archiva.redback.users.UserManagerException;
+import org.apache.archiva.redback.users.UserNotFoundException;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.stereotype.Service;
+
+import javax.inject.Inject;
+import javax.inject.Named;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * RbacAuthorizer:
+ *
+ * @author Jesse McConnell <jmcconnell@apache.org>
+ */
+@Service("authorizer#rbac")
+public class RbacAuthorizer
+ implements Authorizer
+{
+ private Logger log = LoggerFactory.getLogger( getClass() );
+
+ @Inject
+ @Named(value = "rbacManager#cached")
+ private RBACManager manager;
+
+ @Inject
+ @Named(value = "userManager#configurable")
+ private UserManager userManager;
+
+ @Inject
+ private PermissionEvaluator evaluator;
+
+ public String getId()
+ {
+ return "rbac";
+ }
+
+ /**
+ * @param source
+ * @return
+ * @throws AuthorizationException
+ */
+ public AuthorizationResult isAuthorized( AuthorizationDataSource source )
+ throws AuthorizationException
+ {
+ String principal = source.getPrincipal();
+ String operation = source.getPermission();
+ String resource = source.getResource();
+
+ try
+ {
+ if ( principal != null )
+ {
+ // Set permissions = manager.getAssignedPermissions( principal.toString(), operation );
+ Map<String, List<Permission>> permissionMap = manager.getAssignedPermissionMap( principal );
+
+ if ( permissionMap.keySet().contains( operation ) )
+ {
+ for ( Permission permission : permissionMap.get( operation ) )
+ {
+
+ log.debug( "checking permission {} for operation {} resource {}",
+ ( permission != null ? permission.getName() : "null" ), operation, resource );
+
+ if ( evaluator.evaluate( permission, operation, resource, principal ) )
+ {
+ return new AuthorizationResult( true, permission, null );
+ }
+ }
+
+ log.debug( "no permission found for operation {} resource {}", operation, resource );
+ }
+ else
+ {
+ log.debug( "permission map does not contain operation: {}", operation );
+ }
+ }
+ // check if guest user is enabled, if so check the global permissions
+ User guest = userManager.getGuestUser();
+
+ if ( !guest.isLocked() )
+ {
+ // Set permissions = manager.getAssignedPermissions( principal.toString(), operation );
+ Map<String, List<Permission>> permissionMap = manager.getAssignedPermissionMap( guest.getUsername() );
+
+ if ( permissionMap.keySet().contains( operation ) )
+ {
+ for ( Permission permission : permissionMap.get( operation ) )
+ {
+ log.debug( "checking permission {}", permission.getName() );
+
+ if ( evaluator.evaluate( permission, operation, resource, guest.getUsername() ) )
+ {
+ return new AuthorizationResult( true, permission, null );
+ }
+ }
+ }
+ }
+
+ return new AuthorizationResult( false, null, new NotAuthorizedException( "no matching permissions" ) );
+ }
+ catch ( PermissionEvaluationException pe )
+ {
+ return new AuthorizationResult( false, null, pe );
+ }
+ catch ( RbacObjectNotFoundException nfe )
+ {
+ return new AuthorizationResult( false, null, nfe );
+ }
+ catch ( UserNotFoundException ne )
+ {
+ return new AuthorizationResult( false, null,
+ new NotAuthorizedException( "no matching permissions, guest not found" ) );
+ }
+ catch ( RbacManagerException rme )
+ {
+ return new AuthorizationResult( false, null, rme );
+ }
+ catch ( UserManagerException e )
+ {
+ return new AuthorizationResult( false, null, e );
+ }
+ }
+
+ public RBACManager getManager()
+ {
+ return manager;
+ }
+
+ public void setManager( RBACManager manager )
+ {
+ this.manager = manager;
+ }
+
+ public UserManager getUserManager()
+ {
+ return userManager;
+ }
+
+ public void setUserManager( UserManager userManager )
+ {
+ this.userManager = userManager;
+ }
+
+ public PermissionEvaluator getEvaluator()
+ {
+ return evaluator;
+ }
+
+ public void setEvaluator( PermissionEvaluator evaluator )
+ {
+ this.evaluator = evaluator;
+ }
+
+ public boolean isFinalImplementation()
+ {
+ return true;
+ }
+
+ public String getDescriptionKey()
+ {
+ return "archiva.redback.authorizer.rbac";
+ }
+}
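Review bot: The null guard applied at the debug call (`permission != null ? permission.getName() : "null"`) is not carried into the evaluation that follows, so a null entry in the permission list reaches `evaluator.evaluate`, where DefaultPermissionEvaluator in this same commit dereferences `permission.getResource()`, and the guest loop below dereferences `permission.getName()` with no guard at all. The resulting NullPointerException is unchecked and matches none of the catch clauses, so it escapes `isAuthorized` instead of being reported as a denial the way every other failure path here is. Skip such entries at the top of both loops with `if ( permission == null ) { continue; }` and drop the conditional from the log call. The Javadoc on `isAuthorized` is also empty; it should state that lookup errors, a missing guest user and evaluation errors are all returned as a denied `AuthorizationResult` carrying the cause rather than thrown, since that fail-closed behaviour is what callers rely on.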
--- /dev/null
+package org.apache.archiva.redback.authorization.rbac.evaluator;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import org.apache.archiva.redback.rbac.Resource;
+import org.apache.archiva.redback.users.UserManager;
+import org.apache.archiva.redback.users.UserManagerException;
+import org.apache.archiva.redback.users.UserNotFoundException;
+import org.apache.archiva.redback.rbac.Permission;
+import org.springframework.stereotype.Service;
+
+import javax.inject.Inject;
+import javax.inject.Named;
+
+/**
+ * DefaultPermissionEvaluator:
+ * <p/>
+ * Currently only one expression is available for evaluation, ${username} will be replaced with the username
+ * of the person making the authorization check
+ *
+ * @author Jesse McConnell <jesse@codehaus.org>
+ */
+@Service("permissionEvaluator")
+public class DefaultPermissionEvaluator
+ implements PermissionEvaluator
+{
+ @Inject
+ @Named(value = "userManager#configurable")
+ private UserManager userManager;
+
+ public boolean evaluate( Permission permission, String operation, String resource, String principal )
+ throws PermissionEvaluationException
+ {
+ String permissionResource = permission.getResource().getIdentifier();
+
+ // expression evaluation checking
+ if ( permissionResource.startsWith( "${" ) )
+ {
+ String tempStr = permissionResource.substring( 2, permissionResource.indexOf( '}' ) );
+
+ if ( "username".equals( tempStr ) )
+ {
+ try
+ {
+ permissionResource = userManager.findUser( principal ).getUsername();
+ }
+ catch ( UserNotFoundException e )
+ {
+ throw new PermissionEvaluationException( "unable to locate user to retrieve username", e );
+ }
+ catch ( UserManagerException e )
+ {
+ throw new PermissionEvaluationException( "trouble finding user: " + e.getMessage(), e );
+ }
+ }
+ }
+
+ // check if this permission applies to the operation at all
+ if ( permission.getOperation().getName().equals( operation ) )
+ {
+ // check if it is a global resource, if it is then since the operations match we return true
+ if ( Resource.GLOBAL.equals( permission.getResource().getIdentifier() ) )
+ {
+ return true;
+ }
+
+ // if we are not checking a specific resource, the operation is enough
+ if ( resource == null )
+ {
+ return true;
+ }
+
+ // check if the resource identifier of the permission matches the resource we are checking against
+ // if it does then return true
+ if ( permissionResource.equals( resource ) )
+ {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ public UserManager getUserManager()
+ {
+ return userManager;
+ }
+
+ public void setUserManager( UserManager userManager )
+ {
+ this.userManager = userManager;
+ }
+}
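Review bot: The expression branch computes `permissionResource.substring( 2, permissionResource.indexOf( '}' ) )` without checking that a closing brace exists, so a permission whose resource identifier begins with `${` but has no `}` throws StringIndexOutOfBoundsException, an unchecked exception the declared `throws PermissionEvaluationException` contract does not cover and the authorizer does not catch. Read the index first and substitute only when it is valid, e.g. `int close = permissionResource.indexOf( '}' );` followed by `if ( close >= 0 && "username".equals( permissionResource.substring( 2, close ) ) )`; a malformed identifier then falls through to the literal comparison and simply fails to match. The method's Javadoc should also record the two unconditional grants and their order: a matching operation on `Resource.GLOBAL` grants regardless of the requested resource, and a `null` requested resource grants on operation match alone, as the accompanying test documents.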
--- /dev/null
+package org.apache.archiva.redback.authorization.rbac.evaluator;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+/**
+ * PermissionEvaluationException:
+ *
+ * @author Jesse McConnell <jmcconnell@apache.org>
+ *
+ */
+public class PermissionEvaluationException
+ extends Exception
+{
+ public PermissionEvaluationException( String string )
+ {
+ super( string );
+ }
+
+ public PermissionEvaluationException( String string, Throwable throwable )
+ {
+ super( string, throwable );
+ }
+
+}
--- /dev/null
+package org.apache.archiva.redback.authorization.rbac.evaluator;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import org.apache.archiva.redback.rbac.Permission;
+
+
+/**
+ * PermissionEvaluator:
+ *
+ * @author Jesse McConnell <jmcconnell@apache.org>
+ *
+ */
+public interface PermissionEvaluator
+{
+ boolean evaluate( Permission permission, String operation, String resource, String principal )
+ throws PermissionEvaluationException;
+}
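Review bot: `evaluate` carries no Javadoc, and its contract is the one thing the authorizer and any alternative evaluator must agree on. Document each parameter and, in particular, the meaning of a `null` resource argument, which the implementation added in this commit treats as matching any resource once the operation matches; also state that `principal` is the identifier used to resolve `${username}` in a permission's resource, and that `PermissionEvaluationException` is thrown when that lookup fails rather than the method returning false.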
--- /dev/null
+<?xml version="1.0"?>
+
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ -->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:context="http://www.springframework.org/schema/context"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+ http://www.springframework.org/schema/context
+ http://www.springframework.org/schema/context/spring-context-3.0.xsd"
+ default-lazy-init="true">
+
+ <context:annotation-config />
+ <context:component-scan
+ base-package="org.apache.archiva.redback.authorization.rbac"/>
+
+</beans>
\ No newline at end of file
--- /dev/null
+package org.apache.archiva.redback.authorization.rbac.evaluator;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import junit.framework.TestCase;
+import org.apache.archiva.redback.rbac.Permission;
+import org.apache.archiva.redback.rbac.Operation;
+import org.apache.archiva.redback.rbac.Resource;
+import org.apache.archiva.redback.rbac.memory.MemoryOperation;
+import org.apache.archiva.redback.rbac.memory.MemoryPermission;
+import org.apache.archiva.redback.rbac.memory.MemoryResource;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+
+import javax.inject.Inject;
+
+@RunWith( SpringJUnit4ClassRunner.class )
+@ContextConfiguration( locations = { "classpath*:/META-INF/spring-context.xml", "classpath*:/spring-context.xml" } )
+public class PermissionEvaluatorTest
+ extends TestCase
+{
+
+ @Inject
+ PermissionEvaluator permissionEvaluator;
+
+ @Test
+ public void testNullResource()
+ throws PermissionEvaluationException
+ {
+ // null resources should be considered as matching if any resource is obtained.
+ // we do this instead of using "global" as that is the inverse - you are allocated global rights,
+ // which is right to everything. null is the right to anything.
+
+ Resource resource = new MemoryResource();
+ resource.setIdentifier( "Resource" );
+
+ Operation operation = new MemoryOperation();
+ operation.setName( "Operation" );
+
+ Permission permission = new MemoryPermission();
+ permission.setName( "Permission" );
+ permission.setOperation( operation );
+ permission.setResource( resource );
+
+ assertTrue( permissionEvaluator.evaluate( permission, "Operation", null, "brett" ) );
+ }
+}
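Review bot: The test asserts only a grant, so an evaluator that returns true unconditionally would pass it; add at least one denial against the same permission, e.g. `assertFalse( permissionEvaluator.evaluate( permission, "OtherOperation", null, "brett" ) );` and one for a non-matching concrete resource, `assertFalse( permissionEvaluator.evaluate( permission, "Operation", "OtherResource", "brett" ) );`. The class also mixes styles by extending `junit.framework.TestCase` while running under `SpringJUnit4ClassRunner` with `@Test`; the `assertTrue` it calls comes from the JUnit 3 base class, and a static import of `org.junit.Assert.assertTrue` would let the superclass be dropped.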
--- /dev/null
+<?xml version="1.0"?>
+
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ -->
+<beans xmlns="http://www.springframework.org/schema/beans"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://www.springframework.org/schema/beans
+ http://www.springframework.org/schema/beans/spring-beans-3.0.xsd"
+ default-lazy-init="true">
+
+ <bean name="userManager#cached" class="org.apache.archiva.redback.users.cached.CachedUserManager">
+ <property name="userImpl" ref="userManager#memory"/>
+ <property name="usersCache" ref="cache#users"/>
+ </bean>
+
+ <alias name="userManager#memory" alias="userManager#jdo"/>
+
+ <bean name="cache#users" class="org.apache.archiva.redback.components.cache.ehcache.EhcacheCache"
+ init-method="initialize">
+ <property name="diskPersistent" value="false"/>
+ <property name="eternal" value="false"/>
+ <property name="maxElementsInMemory" value="1000"/>
+ <property name="memoryEvictionPolicy" value="LRU"/>
+ <property name="name" value="usersCache"/>
+ <property name="timeToIdleSeconds" value="1800"/>
+ <property name="timeToLiveSeconds" value="14400"/>
+ </bean>
+
+
+ <alias name="userConfiguration#redback" alias="userConfiguration#default"/>
+</beans>
\ No newline at end of file
<module>redback-rbac-providers</module>
<module>redback-rbac-role-manager</module>
<module>redback-rbac-tests</module>
- <module>redback-authorization-rbac</module>
</modules>
</project>
+++ /dev/null
-<?xml version="1.0" encoding="UTF-8"?>
-<!--
- ~ Licensed to the Apache Software Foundation (ASF) under one
- ~ or more contributor license agreements. See the NOTICE file
- ~ distributed with this work for additional information
- ~ regarding copyright ownership. The ASF licenses this file
- ~ to you under the Apache License, Version 2.0 (the
- ~ "License"); you may not use this file except in compliance
- ~ with the License. You may obtain a copy of the License at
- ~
- ~ http://www.apache.org/licenses/LICENSE-2.0
- ~
- ~ Unless required by applicable law or agreed to in writing,
- ~ software distributed under the License is distributed on an
- ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- ~ KIND, either express or implied. See the License for the
- ~ specific language governing permissions and limitations
- ~ under the License.
- -->
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
-
- <modelVersion>4.0.0</modelVersion>
-
- <parent>
- <groupId>org.apache.archiva.redback</groupId>
- <artifactId>redback-authorization-providers</artifactId>
- <version>2.1-SNAPSHOT</version>
- <relativePath>../../redback-authorization/redback-authorization-providers/pom.xml</relativePath>
- </parent>
-
- <artifactId>redback-authorization-rbac</artifactId>
- <packaging>bundle</packaging>
- <name>Redback :: Authorization Provider :: RBAC</name>
-
- <dependencies>
- <dependency>
- <groupId>org.apache.archiva.redback</groupId>
- <artifactId>redback-users-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.archiva.redback</groupId>
- <artifactId>redback-authorization-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.archiva.redback</groupId>
- <artifactId>redback-rbac-cached</artifactId>
- </dependency>
- <dependency>
- <groupId>org.apache.archiva.redback</groupId>
- <artifactId>redback-rbac-memory</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.archiva.redback</groupId>
- <artifactId>redback-users-configurable</artifactId>
- <scope>runtime</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.archiva.redback</groupId>
- <artifactId>redback-users-memory</artifactId>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.archiva.redback</groupId>
- <artifactId>redback-rbac-model</artifactId>
- </dependency>
- <dependency>
- <groupId>org.springframework</groupId>
- <artifactId>spring-context-support</artifactId>
- </dependency>
- <dependency>
- <groupId>javax.annotation</groupId>
- <artifactId>jsr250-api</artifactId>
- </dependency>
- <dependency>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-simple</artifactId>
- <scope>test</scope>
- </dependency>
- </dependencies>
-
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.felix</groupId>
- <artifactId>maven-bundle-plugin</artifactId>
- </plugin>
- </plugins>
- </build>
-
-</project>
+++ /dev/null
-package org.apache.archiva.redback.authorization.rbac;
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-import org.apache.archiva.redback.authorization.AuthorizationDataSource;
-import org.apache.archiva.redback.authorization.AuthorizationException;
-import org.apache.archiva.redback.authorization.AuthorizationResult;
-import org.apache.archiva.redback.authorization.Authorizer;
-import org.apache.archiva.redback.authorization.NotAuthorizedException;
-import org.apache.archiva.redback.authorization.rbac.evaluator.PermissionEvaluationException;
-import org.apache.archiva.redback.authorization.rbac.evaluator.PermissionEvaluator;
-import org.apache.archiva.redback.rbac.Permission;
-import org.apache.archiva.redback.rbac.RBACManager;
-import org.apache.archiva.redback.rbac.RbacManagerException;
-import org.apache.archiva.redback.rbac.RbacObjectNotFoundException;
-import org.apache.archiva.redback.users.User;
-import org.apache.archiva.redback.users.UserManager;
-import org.apache.archiva.redback.users.UserManagerException;
-import org.apache.archiva.redback.users.UserNotFoundException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.stereotype.Service;
-
-import javax.inject.Inject;
-import javax.inject.Named;
-import java.util.List;
-import java.util.Map;
-
-/**
- * RbacAuthorizer:
- *
- * @author Jesse McConnell <jmcconnell@apache.org>
- */
-@Service("authorizer#rbac")
-public class RbacAuthorizer
- implements Authorizer
-{
- private Logger log = LoggerFactory.getLogger( getClass() );
-
- @Inject
- @Named(value = "rbacManager#cached")
- private RBACManager manager;
-
- @Inject
- @Named(value = "userManager#configurable")
- private UserManager userManager;
-
- @Inject
- private PermissionEvaluator evaluator;
-
- public String getId()
- {
- return "rbac";
- }
-
- /**
- * @param source
- * @return
- * @throws AuthorizationException
- */
- public AuthorizationResult isAuthorized( AuthorizationDataSource source )
- throws AuthorizationException
- {
- String principal = source.getPrincipal();
- String operation = source.getPermission();
- String resource = source.getResource();
-
- try
- {
- if ( principal != null )
- {
- // Set permissions = manager.getAssignedPermissions( principal.toString(), operation );
- Map<String, List<Permission>> permissionMap = manager.getAssignedPermissionMap( principal );
-
- if ( permissionMap.keySet().contains( operation ) )
- {
- for ( Permission permission : permissionMap.get( operation ) )
- {
-
- log.debug( "checking permission {} for operation {} resource {}",
- ( permission != null ? permission.getName() : "null" ), operation, resource );
-
- if ( evaluator.evaluate( permission, operation, resource, principal ) )
- {
- return new AuthorizationResult( true, permission, null );
- }
- }
-
- log.debug( "no permission found for operation {} resource {}", operation, resource );
- }
- else
- {
- log.debug( "permission map does not contain operation: {}", operation );
- }
- }
- // check if guest user is enabled, if so check the global permissions
- User guest = userManager.getGuestUser();
-
- if ( !guest.isLocked() )
- {
- // Set permissions = manager.getAssignedPermissions( principal.toString(), operation );
- Map<String, List<Permission>> permissionMap = manager.getAssignedPermissionMap( guest.getUsername() );
-
- if ( permissionMap.keySet().contains( operation ) )
- {
- for ( Permission permission : permissionMap.get( operation ) )
- {
- log.debug( "checking permission {}", permission.getName() );
-
- if ( evaluator.evaluate( permission, operation, resource, guest.getUsername() ) )
- {
- return new AuthorizationResult( true, permission, null );
- }
- }
- }
- }
-
- return new AuthorizationResult( false, null, new NotAuthorizedException( "no matching permissions" ) );
- }
- catch ( PermissionEvaluationException pe )
- {
- return new AuthorizationResult( false, null, pe );
- }
- catch ( RbacObjectNotFoundException nfe )
- {
- return new AuthorizationResult( false, null, nfe );
- }
- catch ( UserNotFoundException ne )
- {
- return new AuthorizationResult( false, null,
- new NotAuthorizedException( "no matching permissions, guest not found" ) );
- }
- catch ( RbacManagerException rme )
- {
- return new AuthorizationResult( false, null, rme );
- }
- catch ( UserManagerException e )
- {
- return new AuthorizationResult( false, null, e );
- }
- }
-
- public RBACManager getManager()
- {
- return manager;
- }
-
- public void setManager( RBACManager manager )
- {
- this.manager = manager;
- }
-
- public UserManager getUserManager()
- {
- return userManager;
- }
-
- public void setUserManager( UserManager userManager )
- {
- this.userManager = userManager;
- }
-
- public PermissionEvaluator getEvaluator()
- {
- return evaluator;
- }
-
- public void setEvaluator( PermissionEvaluator evaluator )
- {
- this.evaluator = evaluator;
- }
-
- public boolean isFinalImplementation()
- {
- return true;
- }
-
- public String getDescriptionKey()
- {
- return "archiva.redback.authorizer.rbac";
- }
-}
+++ /dev/null
-package org.apache.archiva.redback.authorization.rbac.evaluator;
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-import org.apache.archiva.redback.rbac.Resource;
-import org.apache.archiva.redback.users.UserManager;
-import org.apache.archiva.redback.users.UserManagerException;
-import org.apache.archiva.redback.users.UserNotFoundException;
-import org.apache.archiva.redback.rbac.Permission;
-import org.springframework.stereotype.Service;
-
-import javax.inject.Inject;
-import javax.inject.Named;
-
-/**
- * DefaultPermissionEvaluator:
- * <p/>
- * Currently only one expression is available for evaluation, ${username} will be replaced with the username
- * of the person making the authorization check
- *
- * @author Jesse McConnell <jesse@codehaus.org>
- */
-@Service("permissionEvaluator")
-public class DefaultPermissionEvaluator
- implements PermissionEvaluator
-{
- @Inject
- @Named(value = "userManager#configurable")
- private UserManager userManager;
-
- public boolean evaluate( Permission permission, String operation, String resource, String principal )
- throws PermissionEvaluationException
- {
- String permissionResource = permission.getResource().getIdentifier();
-
- // expression evaluation checking
- if ( permissionResource.startsWith( "${" ) )
- {
- String tempStr = permissionResource.substring( 2, permissionResource.indexOf( '}' ) );
-
- if ( "username".equals( tempStr ) )
- {
- try
- {
- permissionResource = userManager.findUser( principal ).getUsername();
- }
- catch ( UserNotFoundException e )
- {
- throw new PermissionEvaluationException( "unable to locate user to retrieve username", e );
- }
- catch ( UserManagerException e )
- {
- throw new PermissionEvaluationException( "trouble finding user: " + e.getMessage(), e );
- }
- }
- }
-
- // check if this permission applies to the operation at all
- if ( permission.getOperation().getName().equals( operation ) )
- {
- // check if it is a global resource, if it is then since the operations match we return true
- if ( Resource.GLOBAL.equals( permission.getResource().getIdentifier() ) )
- {
- return true;
- }
-
- // if we are not checking a specific resource, the operation is enough
- if ( resource == null )
- {
- return true;
- }
-
- // check if the resource identifier of the permission matches the resource we are checking against
- // if it does then return true
- if ( permissionResource.equals( resource ) )
- {
- return true;
- }
- }
-
- return false;
- }
-
- public UserManager getUserManager()
- {
- return userManager;
- }
-
- public void setUserManager( UserManager userManager )
- {
- this.userManager = userManager;
- }
-}
+++ /dev/null
-package org.apache.archiva.redback.authorization.rbac.evaluator;
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-/**
- * PermissionEvaluationException:
- *
- * @author Jesse McConnell <jmcconnell@apache.org>
- *
- */
-public class PermissionEvaluationException
- extends Exception
-{
- public PermissionEvaluationException( String string )
- {
- super( string );
- }
-
- public PermissionEvaluationException( String string, Throwable throwable )
- {
- super( string, throwable );
- }
-
-}
+++ /dev/null
-package org.apache.archiva.redback.authorization.rbac.evaluator;
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-import org.apache.archiva.redback.rbac.Permission;
-
-
-/**
- * PermissionEvaluator:
- *
- * @author Jesse McConnell <jmcconnell@apache.org>
- *
- */
-public interface PermissionEvaluator
-{
- boolean evaluate( Permission permission, String operation, String resource, String principal )
- throws PermissionEvaluationException;
-}
+++ /dev/null
-<?xml version="1.0"?>
-
-<!--
- ~ Licensed to the Apache Software Foundation (ASF) under one
- ~ or more contributor license agreements. See the NOTICE file
- ~ distributed with this work for additional information
- ~ regarding copyright ownership. The ASF licenses this file
- ~ to you under the Apache License, Version 2.0 (the
- ~ "License"); you may not use this file except in compliance
- ~ with the License. You may obtain a copy of the License at
- ~
- ~ http://www.apache.org/licenses/LICENSE-2.0
- ~
- ~ Unless required by applicable law or agreed to in writing,
- ~ software distributed under the License is distributed on an
- ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- ~ KIND, either express or implied. See the License for the
- ~ specific language governing permissions and limitations
- ~ under the License.
- -->
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xmlns:context="http://www.springframework.org/schema/context"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
- http://www.springframework.org/schema/context
- http://www.springframework.org/schema/context/spring-context-3.0.xsd"
- default-lazy-init="true">
-
- <context:annotation-config />
- <context:component-scan
- base-package="org.apache.archiva.redback.authorization.rbac"/>
-
-</beans>
\ No newline at end of file
+++ /dev/null
-package org.apache.archiva.redback.authorization.rbac.evaluator;
-
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-import junit.framework.TestCase;
-import org.apache.archiva.redback.rbac.Permission;
-import org.apache.archiva.redback.rbac.Operation;
-import org.apache.archiva.redback.rbac.Resource;
-import org.apache.archiva.redback.rbac.memory.MemoryOperation;
-import org.apache.archiva.redback.rbac.memory.MemoryPermission;
-import org.apache.archiva.redback.rbac.memory.MemoryResource;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.springframework.test.context.ContextConfiguration;
-import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
-
-import javax.inject.Inject;
-
-@RunWith( SpringJUnit4ClassRunner.class )
-@ContextConfiguration( locations = { "classpath*:/META-INF/spring-context.xml", "classpath*:/spring-context.xml" } )
-public class PermissionEvaluatorTest
- extends TestCase
-{
-
- @Inject
- PermissionEvaluator permissionEvaluator;
-
- @Test
- public void testNullResource()
- throws PermissionEvaluationException
- {
- // null resources should be considered as matching if any resource is obtained.
- // we do this instead of using "global" as that is the inverse - you are allocated global rights,
- // which is right to everything. null is the right to anything.
-
- Resource resource = new MemoryResource();
- resource.setIdentifier( "Resource" );
-
- Operation operation = new MemoryOperation();
- operation.setName( "Operation" );
-
- Permission permission = new MemoryPermission();
- permission.setName( "Permission" );
- permission.setOperation( operation );
- permission.setResource( resource );
-
- assertTrue( permissionEvaluator.evaluate( permission, "Operation", null, "brett" ) );
- }
-}
+++ /dev/null
-<?xml version="1.0"?>
-
-<!--
- ~ Licensed to the Apache Software Foundation (ASF) under one
- ~ or more contributor license agreements. See the NOTICE file
- ~ distributed with this work for additional information
- ~ regarding copyright ownership. The ASF licenses this file
- ~ to you under the Apache License, Version 2.0 (the
- ~ "License"); you may not use this file except in compliance
- ~ with the License. You may obtain a copy of the License at
- ~
- ~ http://www.apache.org/licenses/LICENSE-2.0
- ~
- ~ Unless required by applicable law or agreed to in writing,
- ~ software distributed under the License is distributed on an
- ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- ~ KIND, either express or implied. See the License for the
- ~ specific language governing permissions and limitations
- ~ under the License.
- -->
-<beans xmlns="http://www.springframework.org/schema/beans"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://www.springframework.org/schema/beans
- http://www.springframework.org/schema/beans/spring-beans-3.0.xsd"
- default-lazy-init="true">
-
- <bean name="userManager#cached" class="org.apache.archiva.redback.users.cached.CachedUserManager">
- <property name="userImpl" ref="userManager#memory"/>
- <property name="usersCache" ref="cache#users"/>
- </bean>
-
- <alias name="userManager#memory" alias="userManager#jdo"/>
-
- <bean name="cache#users" class="org.apache.archiva.redback.components.cache.ehcache.EhcacheCache"
- init-method="initialize">
- <property name="diskPersistent" value="false"/>
- <property name="eternal" value="false"/>
- <property name="maxElementsInMemory" value="1000"/>
- <property name="memoryEvictionPolicy" value="LRU"/>
- <property name="name" value="usersCache"/>
- <property name="timeToIdleSeconds" value="1800"/>
- <property name="timeToLiveSeconds" value="14400"/>
- </bean>
-
-
- <alias name="userConfiguration#redback" alias="userConfiguration#default"/>
-</beans>
\ No newline at end of file