From 61a94c93a5f307dfa40713691f128de82cc434cc Mon Sep 17 00:00:00 2001
From: Martin Stockhammer <martin_s@apache.org>
Date: Wed, 9 Sep 2020 12:51:02 +0200
Subject: [PATCH] Adapting for the privilege change regarding resource
 annotations in redback.

---
 .../archiva/security/common/ArchivaRoleConstants.java |  2 ++
 .../src/main/resources/META-INF/redback/redback.xml   | 11 +++++++++++
 .../archiva/rest/api/services/BrowseService.java      |  6 +++---
 .../rest/api/services/MergeRepositoriesService.java   |  4 ++--
 .../org/apache/archiva/web/api/FileUploadService.java |  8 ++++----
 5 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/archiva-modules/archiva-base/archiva-security-common/src/main/java/org/apache/archiva/security/common/ArchivaRoleConstants.java b/archiva-modules/archiva-base/archiva-security-common/src/main/java/org/apache/archiva/security/common/ArchivaRoleConstants.java
index 814fc3bbd..36ab17c6a 100644
--- a/archiva-modules/archiva-base/archiva-security-common/src/main/java/org/apache/archiva/security/common/ArchivaRoleConstants.java
+++ b/archiva-modules/archiva-base/archiva-security-common/src/main/java/org/apache/archiva/security/common/ArchivaRoleConstants.java
@@ -64,6 +64,8 @@ public class ArchivaRoleConstants
 
     public static final String OPERATION_REPOSITORY_UPLOAD = "archiva-upload-repository";
 
+    public static final String OPERATION_FILE_UPLOAD = "archiva-upload-file";
+
     public static final String OPERATION_REPOSITORY_DELETE = "archiva-delete-artifact";
 
     public static final String OPERATION_MERGE_REPOSITORY = "archiva-merge-repository";
diff --git a/archiva-modules/archiva-base/archiva-security-common/src/main/resources/META-INF/redback/redback.xml b/archiva-modules/archiva-base/archiva-security-common/src/main/resources/META-INF/redback/redback.xml
index e771f165c..3960314a4 100644
--- a/archiva-modules/archiva-base/archiva-security-common/src/main/resources/META-INF/redback/redback.xml
+++ b/archiva-modules/archiva-base/archiva-security-common/src/main/resources/META-INF/redback/redback.xml
@@ -83,6 +83,11 @@
           <name>archiva-upload-repository</name>
           <description>Upload Archiva Repository</description>
         </operation>
+        <operation>
+          <id>archiva-upload-file</id>
+          <name>archiva-upload-file</name>
+          <description>Upload File to Archiva</description>
+        </operation>
         <operation>
           <id>archiva-access-repository</id>
           <name>archiva-access-repository</name>
@@ -257,6 +262,12 @@
               <operation>archiva-upload-repository</operation>
               <resource>${resource}</resource>
             </permission>
+            <permission>
+              <id>archiva-upload-file</id>
+              <name>Archiva Upload File to Archiva</name>
+              <operation>archiva-upload-file</operation>
+              <resource>global</resource>
+            </permission>
             <permission>
               <id>archiva-view-audit-logs</id>
               <name>Archiva View Audit Logs</name>
diff --git a/archiva-modules/archiva-web/archiva-rest/archiva-rest-api/src/main/java/org/apache/archiva/rest/api/services/BrowseService.java b/archiva-modules/archiva-web/archiva-rest/archiva-rest-api/src/main/java/org/apache/archiva/rest/api/services/BrowseService.java
index c957c14fc..b59747c31 100644
--- a/archiva-modules/archiva-web/archiva-rest/archiva-rest-api/src/main/java/org/apache/archiva/rest/api/services/BrowseService.java
+++ b/archiva-modules/archiva-web/archiva-rest/archiva-rest-api/src/main/java/org/apache/archiva/rest/api/services/BrowseService.java
@@ -149,7 +149,7 @@ public interface BrowseService
     @Path("metadata/{g}/{a}/{v}/{key}/{value}")
     @PUT
     @Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
-    @RedbackAuthorization(noPermission = false, noRestriction = false, permissions = "archiva-add-metadata")
+    @RedbackAuthorization( permissions = "archiva-add-metadata", resource = "{repositoryId}")
     ActionStatus addMetadata( @PathParam("g") String groupId, @PathParam("a") String artifactId,
                               @PathParam("v") String version, @PathParam("key") String key, @PathParam("value") String value,
                               @QueryParam("repositoryId") String repositoryId )
@@ -158,7 +158,7 @@ public interface BrowseService
     @Path("metadata/{g}/{a}/{v}/{key}")
     @DELETE
     @Produces({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
-    @RedbackAuthorization(noPermission = false, noRestriction = false, permissions = "archiva-add-metadata")
+    @RedbackAuthorization( permissions = "archiva-add-metadata", resource = "{repositoryId}")
     ActionStatus deleteMetadata( @PathParam("g") String groupId, @PathParam("a") String artifactId,
                                  @PathParam("v") String version, @PathParam("key") String key,
                                  @QueryParam("repositoryId") String repositoryId )
@@ -166,7 +166,7 @@ public interface BrowseService
 
     @Path("importMetadata")
     @POST
-    @RedbackAuthorization(noPermission = false, noRestriction = false, permissions = "archiva-add-metadata")
+    @RedbackAuthorization( permissions = "archiva-add-metadata", resource = "{repository}")
     ActionStatus importMetadata( MetadataAddRequest metadataAddRequest, @QueryParam("repository") String repository )
         throws ArchivaRestServiceException;
 
diff --git a/archiva-modules/archiva-web/archiva-rest/archiva-rest-api/src/main/java/org/apache/archiva/rest/api/services/MergeRepositoriesService.java b/archiva-modules/archiva-web/archiva-rest/archiva-rest-api/src/main/java/org/apache/archiva/rest/api/services/MergeRepositoriesService.java
index 0d38133ba..9c83812b2 100644
--- a/archiva-modules/archiva-web/archiva-rest/archiva-rest-api/src/main/java/org/apache/archiva/rest/api/services/MergeRepositoriesService.java
+++ b/archiva-modules/archiva-web/archiva-rest/archiva-rest-api/src/main/java/org/apache/archiva/rest/api/services/MergeRepositoriesService.java
@@ -48,7 +48,7 @@ public interface MergeRepositoriesService
     @Path ("mergeConflictedArtifacts/{sourceRepositoryId}/{targetRepositoryId}")
     @GET
     @Produces ({ MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML })
-    @RedbackAuthorization (permissions = ArchivaRoleConstants.OPERATION_MERGE_REPOSITORY)
+    @RedbackAuthorization (permissions = ArchivaRoleConstants.OPERATION_MERGE_REPOSITORY, resource = "{sourceRepositoryId}")
     List<Artifact> getMergeConflictedArtifacts( @PathParam ("sourceRepositoryId") String sourceRepositoryId,
                                                 @PathParam ("targetRepositoryId") String targetRepositoryId )
         throws ArchivaRestServiceException;
@@ -59,7 +59,7 @@ public interface MergeRepositoriesService
      */
     @Path ("mergeRepositories/{sourceRepositoryId}/{targetRepositoryId}/{skipConflicts}")
     @GET
-    @RedbackAuthorization (permissions = ArchivaRoleConstants.OPERATION_MERGE_REPOSITORY)
+    @RedbackAuthorization (permissions = ArchivaRoleConstants.OPERATION_MERGE_REPOSITORY, resource = "{sourceRepositoryId}")
     void mergeRepositories( @PathParam ("sourceRepositoryId") String sourceRepositoryId,
                             @PathParam ("targetRepositoryId") String targetRepositoryId,
                             @PathParam ("skipConflicts") boolean skipConflicts )
diff --git a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/FileUploadService.java b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/FileUploadService.java
index a846381f3..215bda188 100644
--- a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/FileUploadService.java
+++ b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/FileUploadService.java
@@ -48,14 +48,14 @@ public interface FileUploadService
     @POST
     @Consumes( MediaType.MULTIPART_FORM_DATA )
     @Produces( { MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML } )
-    @RedbackAuthorization( permissions = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD )
+    @RedbackAuthorization( permissions = ArchivaRoleConstants.OPERATION_FILE_UPLOAD )
     FileMetadata post( MultipartBody multipartBody )
         throws ArchivaRestServiceException;
 
     @Path( "{fileName}" )
     @DELETE
     @Produces( { MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML } )
-    @RedbackAuthorization( permissions = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD )
+    @RedbackAuthorization( permissions = ArchivaRoleConstants.OPERATION_FILE_UPLOAD )
     Boolean deleteFile( @PathParam( "fileName" ) String fileName )
         throws ArchivaRestServiceException;
 
@@ -63,7 +63,7 @@ public interface FileUploadService
     @Path( "sessionFileMetadatas" )
     @GET
     @Produces( { MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML } )
-    @RedbackAuthorization( permissions = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD )
+    @RedbackAuthorization( permissions = ArchivaRoleConstants.OPERATION_FILE_UPLOAD )
     List<FileMetadata> getSessionFileMetadatas()
         throws ArchivaRestServiceException;
 
@@ -80,7 +80,7 @@ public interface FileUploadService
     @Path( "clearUploadedFiles" )
     @GET
     @Produces( { MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML } )
-    @RedbackAuthorization( permissions = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD )
+    @RedbackAuthorization( permissions = ArchivaRoleConstants.OPERATION_FILE_UPLOAD )
     Boolean clearUploadedFiles()
         throws ArchivaRestServiceException;
 
-- 
2.39.5