attempt at simplifying authorization check for each requested service method
authorMaria Odea B. Ching <oching@apache.org>
Fri, 10 Oct 2008 10:12:49 +0000 (10:12 +0000)
committerMaria Odea B. Ching <oching@apache.org>
Fri, 10 Oct 2008 10:12:49 +0000 (10:12 +0000)
git-svn-id: https://svn.apache.org/repos/asf/archiva/branches@703379 13f79535-47bb-0310-9956-ffa450edef68

MRM-124/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/main/java/org/apache/archiva/web/xmlrpc/security/ServiceMethodsPermissionsMapping.java [new file with mode: 0644]
MRM-124/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/main/java/org/apache/archiva/web/xmlrpc/security/XmlRpcAuthenticator.java
MRM-124/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/test/java/org/apache/archiva/xmlrpc/security/XmlRpcAuthenticatorTest.java

diff --git a/MRM-124/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/main/java/org/apache/archiva/web/xmlrpc/security/ServiceMethodsPermissionsMapping.java b/MRM-124/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/main/java/org/apache/archiva/web/xmlrpc/security/ServiceMethodsPermissionsMapping.java
new file mode 100644 (file)
index 0000000..9a61db2
--- /dev/null
@@ -0,0 +1,68 @@
+package org.apache.archiva.web.xmlrpc.security;
+
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * ServiceMethodsPermissionsMapping
+ * 
+ * Used by the XmlRpcAuthenticationHandler to check the permissions specific to the requested service method.
+ * New methods in exposed services must be registered in the appropriate operation below. 
+ * 
+ * @version $Id: ServiceMethodsPermissionsMapping.java
+ */
+public class ServiceMethodsPermissionsMapping
+{   
+    public static final List<String> SERVICE_METHODS_FOR_OPERATION_MANAGE_CONFIGURATION = new ArrayList<String>()
+    {
+        {
+            add( "AdministrationService.configureRepositoryConsumer" );
+            add( "AdministrationService.configureDatabaseConsumer" );
+            add( "AdministrationService.executeDatabaseScanner" );
+            add( "AdministrationService.getAllManagedRepositories" );
+            add( "AdministrationService.getAllRemoteRepositories" );
+            add( "AdministrationService.getAllDatabaseConsumers" );
+            add( "AdministrationService.getAllRepositoryConsumers" );
+        }
+    };
+
+    public static final List<String> SERVICE_METHODS_FOR_OPERATION_RUN_INDEXER = new ArrayList<String>() 
+    { 
+        {
+            add( "AdministrationService.executeRepositoryScanner"); 
+        }
+    };    
+    
+    public static final List<String> SERVICE_METHODS_FOR_OPERATION_ACCESS_REPORT = new ArrayList<String>();
+    
+    public static final List<String> SERVICE_METHODS_FOR_OPERATION_REPOSITORY_ACCESS = new ArrayList<String>();
+    
+    public static final List<String> SERVICE_METHODS_FOR_OPERATION_ADD_REPOSITORY = new ArrayList<String>();
+    
+    public static final List<String> SERVICE_METHODS_FOR_OPERATION_DELETE_REPOSITORY = new ArrayList<String>();
+    
+    public static final List<String> SERVICE_METHODS_FOR_OPERATION_EDIT_REPOSITORY = new ArrayList<String>();
+    
+    public static final List<String> SERVICE_METHODS_FOR_OPERATION_REPOSITORY_UPLOAD = new ArrayList<String>();
+    
+}
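Review bot: The permission mapping is exposed as public static final mutable ArrayList instances (lines 53–83), so any code that can reach the class can add or remove method names and thereby change which operation authorize() in XmlRpcAuthenticator demands for a request; since this class exists only to drive authorization decisions, each constant should be wrapped in `Collections.unmodifiableList(...)` (which also removes the anonymous-subclass double-brace initializers) and the imports for `java.util.Arrays` and `java.util.Collections` added. The six lists from SERVICE_METHODS_FOR_OPERATION_ACCESS_REPORT onward are declared empty and, judging by the authorize() hunk in this commit, are never consulted, so a method registered in one of them would silently fall through to the global repository manager role check; the class Javadoc should say that only the MANAGE_CONFIGURATION and RUN_INDEXER lists are currently wired up. If the lists stay as `List`, `contains` is a linear scan per request, which is acceptable at this size but a `Set` would be the natural type for membership tests.
```java
    public static final List<String> SERVICE_METHODS_FOR_OPERATION_MANAGE_CONFIGURATION =
        Collections.unmodifiableList( Arrays.asList( "AdministrationService.configureRepositoryConsumer",
                                                     "AdministrationService.configureDatabaseConsumer",
                                                     "AdministrationService.executeDatabaseScanner",
                                                     "AdministrationService.getAllManagedRepositories",
                                                     "AdministrationService.getAllRemoteRepositories",
                                                     "AdministrationService.getAllDatabaseConsumers",
                                                     "AdministrationService.getAllRepositoryConsumers" ) );

    public static final List<String> SERVICE_METHODS_FOR_OPERATION_RUN_INDEXER =
        Collections.unmodifiableList( Arrays.asList( "AdministrationService.executeRepositoryScanner" ) );

    // … unchanged: remaining constants, each as Collections.<String>emptyList() until they are populated and consulted …
```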
index f12b28378bc33c705a1ca8b8bd362bcf08e4ee31..40ee2fd6fd690f2a8c898c7d6414c873da96d60b 100644 (file)
@@ -33,6 +33,13 @@ import org.codehaus.plexus.redback.system.SecuritySession;
 import org.codehaus.plexus.redback.system.SecuritySystem;\r
 import org.codehaus.plexus.redback.users.UserNotFoundException;\r
 \r
+/**\r
+ * XmlRpcAuthenticator\r
+ * \r
+ * Custom authentication and authorization handler for xmlrpc requests.\r
+ * \r
+ * @version $Id \r
+ */\r
 public class XmlRpcAuthenticator\r
     implements AuthenticationHandler\r
 {\r
@@ -45,14 +52,16 @@ public class XmlRpcAuthenticator
 \r
     public boolean isAuthorized( XmlRpcRequest pRequest )\r
         throws XmlRpcException\r
-    {\r
+    {   \r
         if ( pRequest.getConfig() instanceof XmlRpcHttpRequestConfigImpl )\r
         {\r
             XmlRpcHttpRequestConfigImpl config = (XmlRpcHttpRequestConfigImpl) pRequest.getConfig();\r
             SecuritySession session =\r
                 authenticate( new PasswordBasedAuthenticationDataSource( config.getBasicUserName(),\r
                                                                          config.getBasicPassword() ) );\r
-            AuthorizationResult result = authorize( session );\r
+            String method = pRequest.getMethodName();            \r
+            AuthorizationResult result = authorize( session, method );\r
+            \r
             return result.isAuthorized();\r
         }\r
 \r
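Review bot: The authorization decision now keys on `pRequest.getMethodName()` (line 114), a value supplied by the client, and nothing at the call site says what happens for names that appear in no mapping list; a one-line comment here would make the contract visible where the request is handled, e.g. `// authorize against the operation mapped to the requested XML-RPC method; unmapped methods fall back to the global repository manager role (see authorize)`. The `method` local is used once and could be passed inline, `AuthorizationResult result = authorize( session, pRequest.getMethodName() );`. Lines 106, 114 and 116 carry trailing whitespace. isAuthorized continues past the hunk.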
@@ -80,14 +89,25 @@ public class XmlRpcAuthenticator
         }\r
     }\r
 \r
-    private AuthorizationResult authorize( SecuritySession session )\r
+    private AuthorizationResult authorize( SecuritySession session, String methodName )\r
         throws XmlRpcException\r
-    {\r
+    {   \r
         try\r
-        {\r
-            //TODO authorization/permissions should be checked depending on the service being accessed\r
-            \r
-            return securitySystem.authorize( session, ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE );\r
+        {     \r
+            // sample attempt at simplifying authorization checking of requested service method\r
+            // TODO test with a sample client to see if this would work!\r
+            if ( ServiceMethodsPermissionsMapping.SERVICE_METHODS_FOR_OPERATION_MANAGE_CONFIGURATION.contains( methodName ) )\r
+            {                \r
+                return securitySystem.authorize( session, ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION );\r
+            }\r
+            else if ( ServiceMethodsPermissionsMapping.SERVICE_METHODS_FOR_OPERATION_RUN_INDEXER.contains( methodName ) )\r
+            {                \r
+                return securitySystem.authorize( session, ArchivaRoleConstants.OPERATION_RUN_INDEXER );\r
+            }\r
+            else\r
+            {\r
+                return securitySystem.authorize( session, ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE );\r
+            }\r
         }\r
         catch ( AuthorizationException e )\r
         {\r
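Review bot: The two comments added at lines 135–136 ("sample attempt at simplifying…", "TODO test with a sample client…") describe the commit rather than the code and will be stale as soon as the change is exercised; replace them with a statement of the actual rule, e.g. `// map the requested XML-RPC method to the operation it requires; methods not listed in ServiceMethodsPermissionsMapping fall back to the global repository manager role`. The final else branch (lines 145–148) is what keeps unmapped methods from being authorized with a weaker permission, so the fallback should also be stated in a Javadoc on authorize() alongside `@param methodName` and `@throws XmlRpcException`. As further operations are wired up this if/else chain grows one branch per operation with a near-identical body; a single lookup from method name to operation string in ServiceMethodsPermissionsMapping would reduce the method to one securitySystem.authorize call with the global role as the default. The enclosing try/catch continues past the hunk.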
index 55fbd33604f1ec0d4d5cbf342874f4806a10cd6f..721aa828deec41311e731164a7d247fa6e2beb2c 100644 (file)
@@ -130,6 +130,9 @@ public class XmlRpcAuthenticatorTest
         \r
         configControl.expectAndReturn( config.getBasicPassword(), PASSWORD );\r
         \r
+        xmlRpcRequestControl.expectAndReturn( xmlRpcRequest.getMethodName(),\r
+                                              "AdministrationService.getAllManagedRepositories" );\r
+        \r
         xmlRpcRequestControl.replay();\r
         configControl.replay();\r
         \r
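Review bot: All three updated tests (this hunk and the hunks at @@ -167,6 +170,9 @@ and @@ -198,6 +204,9 @@) stub the requested method as "AdministrationService.getAllManagedRepositories", which exercises only the MANAGE_CONFIGURATION branch of authorize(); the RUN_INDEXER branch and the fallback for a method in no mapping list, which is the authorization-critical path, get no coverage. A test that stubs a method name absent from every list (a constructed value such as `"SomeService.unregisteredMethod"`) and asserts the global repository manager role is what gets authorized would pin the fail-closed behaviour. The repeated literal should also be hoisted into a test constant so the three hunks do not drift.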
@@ -167,6 +170,9 @@ public class XmlRpcAuthenticatorTest
         \r
         configControl.expectAndReturn( config.getBasicPassword(), PASSWORD );\r
         \r
+        xmlRpcRequestControl.expectAndReturn( xmlRpcRequest.getMethodName(),\r
+                                              "AdministrationService.getAllManagedRepositories" );\r
+        \r
         xmlRpcRequestControl.replay();\r
         configControl.replay();\r
         \r
@@ -198,6 +204,9 @@ public class XmlRpcAuthenticatorTest
         \r
         configControl.expectAndReturn( config.getBasicPassword(), PASSWORD );\r
         \r
+        xmlRpcRequestControl.expectAndReturn( xmlRpcRequest.getMethodName(),\r
+                                              "AdministrationService.getAllManagedRepositories" );\r
+        \r
         xmlRpcRequestControl.replay();\r
         configControl.replay();\r
         \r