From: Maria Odea B. Ching
Date: Fri, 10 Oct 2008 10:12:49 +0000 (+0000)
Subject: attempt at simplifying authorization check for each requested service method
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=d068bee39c62b7d3694695a826a2bf9a5f4ac88c;p=archiva.git
attempt at simplifying authorization check for each requested service method
git-svn-id: https://svn.apache.org/repos/asf/archiva/branches@703379 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/MRM-124/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/main/java/org/apache/archiva/web/xmlrpc/security/ServiceMethodsPermissionsMapping.java b/MRM-124/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/main/java/org/apache/archiva/web/xmlrpc/security/ServiceMethodsPermissionsMapping.java
new file mode 100644
index 000000000..9a61db2f3
--- /dev/null
+++ b/MRM-124/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/main/java/org/apache/archiva/web/xmlrpc/security/ServiceMethodsPermissionsMapping.java
@@ -0,0 +1,68 @@
+package org.apache.archiva.web.xmlrpc.security;
+
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * ServiceMethodsPermissionsMapping
+ *
+ * Used by the XmlRpcAuthenticationHandler to check the permissions specific to the requested service method.
+ * New methods in exposed services must be registered in the appropriate operation below.
+ *
+ * @version $Id: ServiceMethodsPermissionsMapping.java
+ */
+public class ServiceMethodsPermissionsMapping
+{
+ public static final List SERVICE_METHODS_FOR_OPERATION_MANAGE_CONFIGURATION = new ArrayList()
+ {
+ {
+ add( "AdministrationService.configureRepositoryConsumer" );
+ add( "AdministrationService.configureDatabaseConsumer" );
+ add( "AdministrationService.executeDatabaseScanner" );
+ add( "AdministrationService.getAllManagedRepositories" );
+ add( "AdministrationService.getAllRemoteRepositories" );
+ add( "AdministrationService.getAllDatabaseConsumers" );
+ add( "AdministrationService.getAllRepositoryConsumers" );
+ }
+ };
+
+ public static final List SERVICE_METHODS_FOR_OPERATION_RUN_INDEXER = new ArrayList()
+ {
+ {
+ add( "AdministrationService.executeRepositoryScanner");
+ }
+ };
+
+ public static final List SERVICE_METHODS_FOR_OPERATION_ACCESS_REPORT = new ArrayList();
+
+ public static final List SERVICE_METHODS_FOR_OPERATION_REPOSITORY_ACCESS = new ArrayList();
+
+ public static final List SERVICE_METHODS_FOR_OPERATION_ADD_REPOSITORY = new ArrayList();
+
+ public static final List SERVICE_METHODS_FOR_OPERATION_DELETE_REPOSITORY = new ArrayList();
+
+ public static final List SERVICE_METHODS_FOR_OPERATION_EDIT_REPOSITORY = new ArrayList();
+
+ public static final List SERVICE_METHODS_FOR_OPERATION_REPOSITORY_UPLOAD = new ArrayList();
+
+}
diff --git a/MRM-124/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/main/java/org/apache/archiva/web/xmlrpc/security/XmlRpcAuthenticator.java b/MRM-124/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/main/java/org/apache/archiva/web/xmlrpc/security/XmlRpcAuthenticator.java
index f12b28378..40ee2fd6f 100644
--- a/MRM-124/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/main/java/org/apache/archiva/web/xmlrpc/security/XmlRpcAuthenticator.java
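Review bot: The per-operation allow-lists are public, mutable `ArrayList` instances built with anonymous-subclass initializers (`new ArrayList() { { add( ... ); } }`), so any code running in the same JVM can add or remove method names and thereby change which permission a service method is checked against; as this class is the authorization policy, the constants should be immutable and typed, e.g. `public static final List<String> SERVICE_METHODS_FOR_OPERATION_RUN_INDEXER = Collections.unmodifiableList( Arrays.asList( "AdministrationService.executeRepositoryScanner" ) );`, with the six empty lists declared as `Collections.emptyList()` (needs `java.util.Arrays` and `java.util.Collections` imports, and the raw `List` declarations become `List<String>`). The class Javadoc names `XmlRpcAuthenticationHandler`, but the consumer in this commit is `XmlRpcAuthenticator`, and its `authorize` only consults the MANAGE_CONFIGURATION and RUN_INDEXER lists, so the sentence "must be registered in the appropriate operation below" overstates what registering in the other six lists achieves; it should say that only lists wired into `XmlRpcAuthenticator.authorize` take effect and that unmapped methods require the global repository manager role. The `@version $Id: ServiceMethodsPermissionsMapping.java` tag is also malformed and should be `@version $Id$`.
```java
public class ServiceMethodsPermissionsMapping
{
    // Immutable: these lists are the authorization policy and must not be
    // modifiable by callers.
    public static final List<String> SERVICE_METHODS_FOR_OPERATION_MANAGE_CONFIGURATION =
        Collections.unmodifiableList( Arrays.asList( "AdministrationService.configureRepositoryConsumer",
                                                     "AdministrationService.configureDatabaseConsumer",
                                                     "AdministrationService.executeDatabaseScanner",
                                                     "AdministrationService.getAllManagedRepositories",
                                                     "AdministrationService.getAllRemoteRepositories",
                                                     "AdministrationService.getAllDatabaseConsumers",
                                                     "AdministrationService.getAllRepositoryConsumers" ) );

    public static final List<String> SERVICE_METHODS_FOR_OPERATION_RUN_INDEXER =
        Collections.unmodifiableList( Arrays.asList( "AdministrationService.executeRepositoryScanner" ) );

    // … the remaining per-operation lists, each declared as Collections.emptyList() …
}
```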
+++ b/MRM-124/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/main/java/org/apache/archiva/web/xmlrpc/security/XmlRpcAuthenticator.java
@@ -33,6 +33,13 @@ import org.codehaus.plexus.redback.system.SecuritySession; import org.codehaus.plexus.redback.system.SecuritySystem; import org.codehaus.plexus.redback.users.UserNotFoundException; +/** + * XmlRpcAuthenticator + * + * Custom authentication and authorization handler for xmlrpc requests. + * + * @version $Id + */ public class XmlRpcAuthenticator implements AuthenticationHandler {
@@ -45,14 +52,16 @@ public class XmlRpcAuthenticator public boolean isAuthorized( XmlRpcRequest pRequest ) throws XmlRpcException - { + { if ( pRequest.getConfig() instanceof XmlRpcHttpRequestConfigImpl ) { XmlRpcHttpRequestConfigImpl config = (XmlRpcHttpRequestConfigImpl) pRequest.getConfig(); SecuritySession session = authenticate( new PasswordBasedAuthenticationDataSource( config.getBasicUserName(), config.getBasicPassword() ) ); - AuthorizationResult result = authorize( session ); + String method = pRequest.getMethodName(); + AuthorizationResult result = authorize( session, method ); + return result.isAuthorized(); }
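Review bot: The new class Javadoc's `@version $Id` tag is missing the closing dollar sign, so the keyword can never be expanded; it should read `@version $Id$`. While touching it, the summary could state what callers can rely on, namely that `isAuthorized` authenticates the HTTP basic credentials from the request config and then resolves the requested method name to an Archiva operation before delegating to the security system, e.g. `* Authenticates the request's HTTP basic credentials and authorizes the requested service method against the operation mapped for it in ServiceMethodsPermissionsMapping.`.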
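Review bot: `isAuthorized` now feeds `pRequest.getMethodName()` into `authorize`, and that name comes verbatim from the client, so it is untrusted input being used as an allow-list key; this is acceptable only because, per the `authorize` hunk further down, an unmapped or null name falls back to requiring GLOBAL_REPOSITORY_MANAGER_ROLE, and that reliance is worth recording next to the call. The intermediate local `method` adds nothing and can be folded away: `// method name is client-supplied; authorize() requires the global manager role for anything not explicitly mapped` followed by `AuthorizationResult result = authorize( session, pRequest.getMethodName() );`. The body of `isAuthorized` continues outside the hunk, so the non-HTTP branch is not visible here.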
@@ -80,14 +89,25 @@ public class XmlRpcAuthenticator } } - private AuthorizationResult authorize( SecuritySession session ) + private AuthorizationResult authorize( SecuritySession session, String methodName ) throws XmlRpcException - { + { try - { - //TODO authorization/permissions should be checked depending on the service being accessed - - return securitySystem.authorize( session, ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE ); + { + // sample attempt at simplifying authorization checking of requested service method + // TODO test with a sample client to see if this would work! + if ( ServiceMethodsPermissionsMapping.SERVICE_METHODS_FOR_OPERATION_MANAGE_CONFIGURATION.contains( methodName ) ) + { + return securitySystem.authorize( session, ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION ); + } + else if ( ServiceMethodsPermissionsMapping.SERVICE_METHODS_FOR_OPERATION_RUN_INDEXER.contains( methodName ) ) + { + return securitySystem.authorize( session, ArchivaRoleConstants.OPERATION_RUN_INDEXER ); + } + else + { + return securitySystem.authorize( session, ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE ); + } } catch ( AuthorizationException e ) {
diff --git a/MRM-124/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/test/java/org/apache/archiva/xmlrpc/security/XmlRpcAuthenticatorTest.java b/MRM-124/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/test/java/org/apache/archiva/xmlrpc/security/XmlRpcAuthenticatorTest.java
index 55fbd3360..721aa828d 100644
--- a/MRM-124/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/test/java/org/apache/archiva/xmlrpc/security/XmlRpcAuthenticatorTest.java
+++ b/MRM-124/archiva-modules/archiva-web/archiva-xmlrpc/archiva-xmlrpc-security/src/test/java/org/apache/archiva/xmlrpc/security/XmlRpcAuthenticatorTest.java
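Review bot: `authorize` consults only the MANAGE_CONFIGURATION and RUN_INDEXER lists, while `ServiceMethodsPermissionsMapping` declares six further per-operation lists (ACCESS_REPORT, REPOSITORY_ACCESS, ADD/DELETE/EDIT_REPOSITORY, REPOSITORY_UPLOAD) that nothing reads, so a method registered in one of them silently falls into the `else` branch and requires GLOBAL_REPOSITORY_MANAGER_ROLE, contrary to what the mapping class's Javadoc promises. Falling back to the global role for unmapped names is the right, fail-closed default and should stay, but an `if`/`else if` chain that must be extended by hand for every list is a maintenance hazard in an authorization path; a single method-name → operation map in the mapping class, consulted once here, makes the default explicit and removes the chain (sketch below, where `OPERATION_FOR_METHOD` is a proposed new `Map<String, String>` constant on the mapping class). The scratch comments `// sample attempt ...` and `// TODO test with a sample client ...` should give way to a sentence stating the contract, e.g. `// Unmapped (or null) method names deliberately require the global repository manager role.` The `catch ( AuthorizationException e )` block that completes `authorize` lies outside the hunk.
```java
    private AuthorizationResult authorize( SecuritySession session, String methodName )
        throws XmlRpcException
    {
        try
        {
            // Resolve the requested method to its operation; unmapped (or null) names
            // deliberately require the global repository manager role (fail closed).
            // OPERATION_FOR_METHOD: proposed unmodifiable Map<String, String> on the mapping class.
            String operation = ServiceMethodsPermissionsMapping.OPERATION_FOR_METHOD.get( methodName );
            if ( operation == null )
            {
                operation = ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE;
            }
            return securitySystem.authorize( session, operation );
        }
        // … unchanged: catch ( AuthorizationException e ) …
```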
@@ -130,6 +130,9 @@ public class XmlRpcAuthenticatorTest configControl.expectAndReturn( config.getBasicPassword(), PASSWORD ); + xmlRpcRequestControl.expectAndReturn( xmlRpcRequest.getMethodName(), + "AdministrationService.getAllManagedRepositories" ); + xmlRpcRequestControl.replay(); configControl.replay();
@@ -167,6 +170,9 @@ public class XmlRpcAuthenticatorTest configControl.expectAndReturn( config.getBasicPassword(), PASSWORD ); + xmlRpcRequestControl.expectAndReturn( xmlRpcRequest.getMethodName(), + "AdministrationService.getAllManagedRepositories" ); + xmlRpcRequestControl.replay(); configControl.replay();
@@ -198,6 +204,9 @@ public class XmlRpcAuthenticatorTest configControl.expectAndReturn( config.getBasicPassword(), PASSWORD ); + xmlRpcRequestControl.expectAndReturn( xmlRpcRequest.getMethodName(), + "AdministrationService.getAllManagedRepositories" ); + xmlRpcRequestControl.replay(); configControl.replay();
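Review bot: All three tests stub `getMethodName()` with the same value, `AdministrationService.getAllManagedRepositories`, which sits in the MANAGE_CONFIGURATION list, so only the first branch of the new `authorize` is exercised; neither the RUN_INDEXER branch nor, more importantly, the fallback that makes an unmapped method name require GLOBAL_REPOSITORY_MANAGER_ROLE has a test (the hunks at -167 and -198 repeat the same stub). At least one test should use a name that is in no list, for example a constructed value such as `xmlRpcRequestControl.expectAndReturn( xmlRpcRequest.getMethodName(), "AdministrationService.notMappedAnywhere" );`, and then assert that the permission passed to the security system is the global role, since that fallback is the property that keeps the new dispatch fail-closed. The repeated literal could also be hoisted into a `private static final String` alongside the existing `PASSWORD` constant so the three stubs cannot drift apart.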