From 20b3d982cff0b4f5c80b0a57e3ae247866035de1 Mon Sep 17 00:00:00 2001 From: Brett Porter Date: Wed, 18 Mar 2009 20:47:20 +0000 Subject: [PATCH] [MRM-913] bring delete artifact security into line with uploading an artifact git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@755726 13f79535-47bb-0310-9956-ffa450edef68 --- .../security/ArchivaRoleConstants.java | 2 + .../security/DefaultUserRepositories.java | 138 +++++++----------- .../archiva/security/UserRepositories.java | 9 +- .../web/action/DeleteArtifactAction.java | 23 +-- .../security/UserRepositoriesStub.java | 8 - 5 files changed, 70 insertions(+), 110 deletions(-) diff --git a/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java b/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java index 67d480c52..7c6f7b76d 100644 --- a/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java +++ b/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java @@ -64,6 +64,8 @@ public class ArchivaRoleConstants public static final String OPERATION_REPOSITORY_UPLOAD = "archiva-upload-repository"; + public static final String OPERATION_REPOSITORY_DELETE = "archiva-delete-artifact"; + // Role templates public static final String TEMPLATE_REPOSITORY_MANAGER = "archiva-repository-manager"; diff --git a/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/DefaultUserRepositories.java b/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/DefaultUserRepositories.java index 47029880e..02285c2c2 100644 --- a/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/DefaultUserRepositories.java +++ b/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/DefaultUserRepositories.java @@ -20,17 +20,12 @@ package org.apache.maven.archiva.security; */ import java.util.ArrayList; -import java.util.Collection; import java.util.List; import org.apache.maven.archiva.configuration.ArchivaConfiguration; import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration; import org.codehaus.plexus.redback.authentication.AuthenticationResult; import org.codehaus.plexus.redback.authorization.AuthorizationException; -import org.codehaus.plexus.redback.rbac.RBACManager; -import org.codehaus.plexus.redback.rbac.RbacManagerException; -import org.codehaus.plexus.redback.rbac.RbacObjectNotFoundException; -import org.codehaus.plexus.redback.rbac.Role; import org.codehaus.plexus.redback.role.RoleManager; import org.codehaus.plexus.redback.role.RoleManagerException; import org.codehaus.plexus.redback.system.DefaultSecuritySession; @@ -38,6 +33,8 @@ import org.codehaus.plexus.redback.system.SecuritySession; import org.codehaus.plexus.redback.system.SecuritySystem; import org.codehaus.plexus.redback.users.User; import org.codehaus.plexus.redback.users.UserNotFoundException; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * DefaultUserRepositories @@ -53,11 +50,6 @@ public class DefaultUserRepositories */ private SecuritySystem securitySystem; - /** - * @plexus.requirement role-hint="cached" - */ - private RBACManager rbacManager; - /** * @plexus.requirement role-hint="default" */ @@ -67,6 +59,8 @@ public class DefaultUserRepositories * @plexus.requirement */ private ArchivaConfiguration archivaConfiguration; + + private Logger log = LoggerFactory.getLogger( DefaultUserRepositories.class ); public List getObservableRepositoryIds( String principal ) throws PrincipalNotFoundException, AccessDeniedException, ArchivaSecurityException @@ -87,49 +81,59 @@ public class DefaultUserRepositories private List getAccessibleRepositoryIds( String principal, String operation ) throws ArchivaSecurityException, AccessDeniedException, PrincipalNotFoundException { - try + SecuritySession securitySession = createSession( principal ); + + List repoIds = new ArrayList(); + + List repos = + archivaConfiguration.getConfiguration().getManagedRepositories(); + + for ( ManagedRepositoryConfiguration repo : repos ) { - User user = securitySystem.getUserManager().findUser( principal ); - if ( user == null ) + try { - throw new ArchivaSecurityException( "The security system had an internal error - please check your system logs" ); + String repoId = repo.getId(); + if ( securitySystem.isAuthorized( securitySession, operation, repoId ) ) + { + repoIds.add( repoId ); + } } - - if ( user.isLocked() ) + catch ( AuthorizationException e ) { - throw new AccessDeniedException( "User " + principal + "(" + user.getFullName() + ") is locked." ); + // swallow. + log.debug( "Not authorizing '" + principal + "' for repository '" + repo.getId() + "': " + + e.getMessage() ); } + } - AuthenticationResult authn = new AuthenticationResult( true, principal, null ); - SecuritySession securitySession = new DefaultSecuritySession( authn, user ); - - List repoIds = new ArrayList(); - - List repos = - archivaConfiguration.getConfiguration().getManagedRepositories(); + return repoIds; + } - for ( ManagedRepositoryConfiguration repo : repos ) + private SecuritySession createSession( String principal ) + throws ArchivaSecurityException, AccessDeniedException + { + User user; + try + { + user = securitySystem.getUserManager().findUser( principal ); + if ( user == null ) { - try - { - String repoId = repo.getId(); - if ( securitySystem.isAuthorized( securitySession, operation, repoId ) ) - { - repoIds.add( repoId ); - } - } - catch ( AuthorizationException e ) - { - // swallow. - } + throw new ArchivaSecurityException( + "The security system had an internal error - please check your system logs" ); } - - return repoIds; } catch ( UserNotFoundException e ) { throw new PrincipalNotFoundException( "Unable to find principal " + principal + "" ); } + + if ( user.isLocked() ) + { + throw new AccessDeniedException( "User " + principal + "(" + user.getFullName() + ") is locked." ); + } + + AuthenticationResult authn = new AuthenticationResult( true, principal, null ); + return new DefaultSecuritySession( authn, user ); } public void createMissingRepositoryRoles( String repoId ) @@ -160,28 +164,12 @@ public class DefaultUserRepositories { try { - User user = securitySystem.getUserManager().findUser( principal ); - if ( user == null ) - { - throw new ArchivaSecurityException( "The security system had an internal error - please check your system logs" ); - } - - if ( user.isLocked() ) - { - throw new AccessDeniedException( "User " + principal + "(" + user.getFullName() + ") is locked." ); - } - - AuthenticationResult authn = new AuthenticationResult( true, principal, null ); - SecuritySession securitySession = new DefaultSecuritySession( authn, user ); + SecuritySession securitySession = createSession( principal ); return securitySystem.isAuthorized( securitySession, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD, repoId ); } - catch ( UserNotFoundException e ) - { - throw new PrincipalNotFoundException( "Unable to find principal " + principal + "" ); - } catch ( AuthorizationException e ) { throw new ArchivaSecurityException( e.getMessage() ); @@ -189,41 +177,19 @@ public class DefaultUserRepositories } public boolean isAuthorizedToDeleteArtifacts( String principal, String repoId ) - throws RbacManagerException, RbacObjectNotFoundException + throws AccessDeniedException, ArchivaSecurityException { - boolean isAuthorized = false; - String delimiter = " - "; - try { - Collection roleList = rbacManager.getEffectivelyAssignedRoles( principal ); - - for ( Role role : roleList ) - { - String roleName = role.getName(); - - if ( roleName.startsWith( ArchivaRoleConstants.REPOSITORY_MANAGER_ROLE_PREFIX ) ) - { - int delimiterIndex = roleName.indexOf( delimiter ); - String resourceName = roleName.substring( delimiterIndex + delimiter.length() ); - - if ( resourceName.equals( repoId ) ) - { - isAuthorized = true; - break; - } - } - } - } - catch ( RbacObjectNotFoundException e ) - { - throw new RbacObjectNotFoundException( "Unable to find user " + principal + "" ); + SecuritySession securitySession = createSession( principal ); + + return securitySystem.isAuthorized( securitySession, ArchivaRoleConstants.OPERATION_REPOSITORY_DELETE, + repoId ); + } - catch ( RbacManagerException e ) + catch ( AuthorizationException e ) { - throw new RbacManagerException( "Unable to get roles for user " + principal + "" ); + throw new ArchivaSecurityException( e.getMessage() ); } - - return isAuthorized; } } diff --git a/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/UserRepositories.java b/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/UserRepositories.java index b1d48b2c4..a26c8b5a7 100644 --- a/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/UserRepositories.java +++ b/archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/UserRepositories.java @@ -19,9 +19,6 @@ package org.apache.maven.archiva.security; * under the License. */ -import org.codehaus.plexus.redback.rbac.RbacObjectNotFoundException; -import org.codehaus.plexus.redback.rbac.RbacManagerException; - import java.util.List; /** @@ -82,10 +79,10 @@ public interface UserRepositories * @param principal * @param repoId * @return - * @throws RbacManagerException - * @throws RbacObjectNotFoundException + * @throws ArchivaSecurityException + * @throws AccessDeniedException */ public boolean isAuthorizedToDeleteArtifacts( String principal, String repoId ) - throws RbacManagerException, RbacObjectNotFoundException; + throws AccessDeniedException, ArchivaSecurityException; } diff --git a/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/DeleteArtifactAction.java b/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/DeleteArtifactAction.java index f571b4fc2..da2f1ebb7 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/DeleteArtifactAction.java +++ b/archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/DeleteArtifactAction.java @@ -35,33 +35,32 @@ import org.apache.maven.archiva.common.utils.VersionComparator; import org.apache.maven.archiva.common.utils.VersionUtil; import org.apache.maven.archiva.configuration.ArchivaConfiguration; import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration; -import org.apache.maven.archiva.database.updater.DatabaseConsumers; import org.apache.maven.archiva.database.ArchivaDatabaseException; import org.apache.maven.archiva.database.ArtifactDAO; import org.apache.maven.archiva.database.constraints.ArtifactVersionsConstraint; +import org.apache.maven.archiva.database.updater.DatabaseConsumers; import org.apache.maven.archiva.model.ArchivaArtifact; import org.apache.maven.archiva.model.ArchivaRepositoryMetadata; import org.apache.maven.archiva.model.VersionedReference; -import org.apache.maven.archiva.repository.audit.Auditable; +import org.apache.maven.archiva.repository.ContentNotFoundException; +import org.apache.maven.archiva.repository.ManagedRepositoryContent; +import org.apache.maven.archiva.repository.RepositoryContentFactory; +import org.apache.maven.archiva.repository.RepositoryException; +import org.apache.maven.archiva.repository.RepositoryNotFoundException; import org.apache.maven.archiva.repository.audit.AuditEvent; import org.apache.maven.archiva.repository.audit.AuditListener; +import org.apache.maven.archiva.repository.audit.Auditable; import org.apache.maven.archiva.repository.metadata.MetadataTools; import org.apache.maven.archiva.repository.metadata.RepositoryMetadataException; import org.apache.maven.archiva.repository.metadata.RepositoryMetadataReader; import org.apache.maven.archiva.repository.metadata.RepositoryMetadataWriter; -import org.apache.maven.archiva.repository.ContentNotFoundException; -import org.apache.maven.archiva.repository.RepositoryException; -import org.apache.maven.archiva.repository.RepositoryNotFoundException; -import org.apache.maven.archiva.repository.ManagedRepositoryContent; -import org.apache.maven.archiva.repository.RepositoryContentFactory; import org.apache.maven.archiva.security.AccessDeniedException; import org.apache.maven.archiva.security.ArchivaSecurityException; import org.apache.maven.archiva.security.ArchivaXworkUser; import org.apache.maven.archiva.security.PrincipalNotFoundException; import org.apache.maven.archiva.security.UserRepositories; -import org.codehaus.plexus.redback.rbac.RbacManagerException; - import org.apache.struts2.ServletActionContext; + import com.opensymphony.xwork2.ActionContext; import com.opensymphony.xwork2.Preparable; import com.opensymphony.xwork2.Validateable; @@ -394,7 +393,11 @@ public class DeleteArtifactAction addActionError( "Invalid version." ); } } - catch ( RbacManagerException e ) + catch ( AccessDeniedException e ) + { + addActionError( e.getMessage() ); + } + catch ( ArchivaSecurityException e ) { addActionError( e.getMessage() ); } diff --git a/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/security/UserRepositoriesStub.java b/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/security/UserRepositoriesStub.java index 88971d44f..6558e38f9 100644 --- a/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/security/UserRepositoriesStub.java +++ b/archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/security/UserRepositoriesStub.java @@ -22,13 +22,6 @@ package org.apache.maven.archiva.security; import java.util.ArrayList; import java.util.List; -import org.apache.maven.archiva.security.AccessDeniedException; -import org.apache.maven.archiva.security.ArchivaSecurityException; -import org.apache.maven.archiva.security.PrincipalNotFoundException; -import org.apache.maven.archiva.security.UserRepositories; -import org.codehaus.plexus.redback.rbac.RbacObjectNotFoundException; -import org.codehaus.plexus.redback.rbac.RbacManagerException; - /** * UserRepositories stub used for testing. * @@ -62,7 +55,6 @@ public class UserRepositoriesStub } public boolean isAuthorizedToDeleteArtifacts( String principal, String repoId ) - throws RbacManagerException, RbacObjectNotFoundException { return false; } -- 2.39.5