From eecc68356ee8f203f9cf142480dd399aff7b8889 Mon Sep 17 00:00:00 2001 From: Jesse McConnell Date: Thu, 1 Mar 2007 18:32:59 +0000 Subject: [PATCH] Security role changes, added global repository manager that is the role for administering all repositories configuration wise, the particular repository managers now administer content _in_ their assigned repositories, observers get read access to corresponding repository (or global access to add if they get the global observer) and I also removed the archiva-edit-configuration operation since it was duplicated by the archiva-manage-configuraiton operation git-svn-id: https://svn.apache.org/repos/asf/maven/archiva/trunk@513431 13f79535-47bb-0310-9956-ffa450edef68 --- .../security/ArchivaRoleConstants.java | 5 +- .../security/ArchivaRoleProfileManager.java | 7 ++- ...ArchivaSystemAdministratorRoleProfile.java | 1 - .../BaseRepositoryManagerRoleProfile.java | 57 ------------------- .../GlobalRepositoryManagerRoleProfile.java | 14 ++++- .../GlobalRepositoryObserverRoleProfile.java | 6 +- .../RepositoryManagerDynamicRoleProfile.java | 46 +-------------- .../RepositoryObserverDynamicRoleProfile.java | 30 ---------- .../resources/META-INF/plexus/components.xml | 18 +++++- archiva-webapp/pom.xml | 2 +- .../main/webapp/WEB-INF/jsp/admin/index.jsp | 2 +- .../WEB-INF/jsp/admin/managedRepositories.jsp | 7 ++- .../WEB-INF/jsp/admin/proxiedRepositories.jsp | 13 ++++- 13 files changed, 56 insertions(+), 152 deletions(-) delete mode 100644 archiva-security/src/main/java/org/apache/maven/archiva/security/BaseRepositoryManagerRoleProfile.java diff --git a/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java b/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java index e21bd6834..45d19de28 100644 --- a/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java 
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java @@ -36,8 +36,6 @@ public class ArchivaRoleConstants public static final String GUEST_ROLE = "Guest"; - public static final String BASE_REPOSITORY_MANAGER = "Repository Manager Base"; - // dynamic role prefixes public static final String REPOSITORY_MANAGER_ROLE_PREFIX = "Repository Manager"; @@ -65,6 +63,5 @@ public class ArchivaRoleConstants public static final String OPERATION_EDIT_REPOSITORY = "archiva-edit-repository"; public static final String OPERATION_REPOSITORY_UPLOAD = "archiva-upload-repository"; - - public static final String OPERATION_EDIT_CONFIGURATION = "archiva-edit-configuration"; + } diff --git a/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleProfileManager.java b/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleProfileManager.java index 1dd7af2b2..f28444dbe 100644 --- a/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleProfileManager.java +++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleProfileManager.java @@ -25,6 +25,8 @@ import org.codehaus.plexus.rbac.profile.RoleProfileException; /** * Role profile manager. * + * Role Structures are laid out as documented http://docs.codehaus.org/display/MAVENUSER/Archiva+Security+Roles + * * @author Brett Porter * @todo composition over inheritence? * @plexus.component role="org.codehaus.plexus.rbac.profile.RoleProfileManager" role-hint="archiva" @@ -35,8 +37,9 @@ public class ArchivaRoleProfileManager public void initialize() throws RoleProfileException { - getRole( "archiva-repository-manager-base" ); - + getRole( "global-repository-manager" ); + getRole( "global-repository-observer" ); + mergeRoleProfiles( "system-administrator", "archiva-system-administrator" ); mergeRoleProfiles( "user-administrator", "archiva-user-administrator" ); mergeRoleProfiles( "guest", "archiva-guest" ); 
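Review bot: In `initialize()` the new `getRole( "global-repository-manager" );` call runs before `getRole( "global-repository-observer" );`, yet the same commit makes the manager profile name `ArchivaRoleConstants.GLOBAL_REPOSITORY_OBSERVER_ROLE` as a child role. If the profile framework does not create missing child roles on demand (not visible in this diff), the manager role is saved pointing at a role that does not exist yet. Swapping the two calls removes the dependency on that behaviour. Stores created before this change may also still hold the permanent "Repository Manager Base" role and any `archiva-edit-configuration` permission, and nothing here retires them, so a comment or upgrade note on what happens to them would help. The body of `initialize()` continues outside the hunk.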
diff --git a/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaSystemAdministratorRoleProfile.java b/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaSystemAdministratorRoleProfile.java index c84ce4440..4ea8e454d 100644 --- a/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaSystemAdministratorRoleProfile.java +++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaSystemAdministratorRoleProfile.java @@ -41,7 +41,6 @@ public class ArchivaSystemAdministratorRoleProfile { List operations = new ArrayList(); operations.add( ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION ); - operations.add( ArchivaRoleConstants.OPERATION_EDIT_CONFIGURATION ); operations.add( ArchivaRoleConstants.OPERATION_MANAGE_USERS ); operations.add( ArchivaRoleConstants.OPERATION_RUN_INDEXER ); operations.add( ArchivaRoleConstants.OPERATION_REGENERATE_INDEX ); diff --git a/archiva-security/src/main/java/org/apache/maven/archiva/security/BaseRepositoryManagerRoleProfile.java b/archiva-security/src/main/java/org/apache/maven/archiva/security/BaseRepositoryManagerRoleProfile.java deleted file mode 100644 index a652aa73e..000000000 --- a/archiva-security/src/main/java/org/apache/maven/archiva/security/BaseRepositoryManagerRoleProfile.java +++ /dev/null 
@@ -1,57 +0,0 @@ -package org.apache.maven.archiva.security; - -/* - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -import org.codehaus.plexus.rbac.profile.AbstractRoleProfile; - -import java.util.ArrayList; -import java.util.List; - -/** - * @plexus.component role="org.codehaus.plexus.rbac.profile.RoleProfile" - * role-hint="archiva-repository-manager-base" - */ -public class BaseRepositoryManagerRoleProfile - extends AbstractRoleProfile -{ - public String getRoleName() - { - return ArchivaRoleConstants.BASE_REPOSITORY_MANAGER; - } - - public List getOperations() - { - List operations = new ArrayList(); - - operations.add( ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION ); - - return operations; - } - - public boolean isPermanent() - { - return true; - } - - public boolean isAssignable() - { - return false; - } -} diff --git a/archiva-security/src/main/java/org/apache/maven/archiva/security/GlobalRepositoryManagerRoleProfile.java b/archiva-security/src/main/java/org/apache/maven/archiva/security/GlobalRepositoryManagerRoleProfile.java index 824711117..50bcfbb6b 100644 --- a/archiva-security/src/main/java/org/apache/maven/archiva/security/GlobalRepositoryManagerRoleProfile.java 
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/GlobalRepositoryManagerRoleProfile.java @@ -26,7 +26,7 @@ import java.util.List; /** * @plexus.component role="org.codehaus.plexus.rbac.profile.RoleProfile" - * role-hint="archiva-repository-administrator" + * role-hint="global-repository-manager" */ public class GlobalRepositoryManagerRoleProfile extends AbstractRoleProfile @@ -49,9 +49,21 @@ public class GlobalRepositoryManagerRoleProfile public List getOperations() { List operations = new ArrayList(); + operations.add( ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION ); operations.add( ArchivaRoleConstants.OPERATION_ADD_REPOSITORY ); operations.add( ArchivaRoleConstants.OPERATION_EDIT_REPOSITORY ); operations.add( ArchivaRoleConstants.OPERATION_DELETE_REPOSITORY ); return operations; } + + public List getChildRoles() + { + List childRoles = new ArrayList(); + childRoles.add( ArchivaRoleConstants.GLOBAL_REPOSITORY_OBSERVER_ROLE ); + return childRoles; + } + + + + } diff --git a/archiva-security/src/main/java/org/apache/maven/archiva/security/GlobalRepositoryObserverRoleProfile.java b/archiva-security/src/main/java/org/apache/maven/archiva/security/GlobalRepositoryObserverRoleProfile.java index 34e61dd2e..defd5e023 100644 --- a/archiva-security/src/main/java/org/apache/maven/archiva/security/GlobalRepositoryObserverRoleProfile.java +++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/GlobalRepositoryObserverRoleProfile.java @@ -26,7 +26,7 @@ import java.util.List; /** * @plexus.component role="org.codehaus.plexus.rbac.profile.RoleProfile" - * role-hint="archiva-repository-administrator" + * role-hint="global-repository-observer" */ public class GlobalRepositoryObserverRoleProfile extends AbstractRoleProfile 
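Review bot: Adding `OPERATION_MANAGE_CONFIGURATION` to `getOperations()` gives the global repository manager the same configuration operation that `ArchivaSystemAdministratorRoleProfile` holds. Because this commit folds `archiva-edit-configuration` into it, no narrower operation is left to grant. If the pages guarded by that operation cover more than repository definitions (not visible in this diff), the role is wider than the commit message's "administering all repositories configuration wise", so the scope should be confirmed and stated in a Javadoc on `getOperations()`. The new `getChildRoles()` has no Javadoc either; something like `/** Global managers inherit read access through the global observer role. */` would record why the child role is there. The four blank lines added before the closing brace can be dropped.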
@@ -48,6 +48,8 @@ public class GlobalRepositoryObserverRoleProfile public List getOperations() { - return null; + List operations = new ArrayList(); + operations.add( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ); + return operations; } } diff --git a/archiva-security/src/main/java/org/apache/maven/archiva/security/RepositoryManagerDynamicRoleProfile.java b/archiva-security/src/main/java/org/apache/maven/archiva/security/RepositoryManagerDynamicRoleProfile.java index da657de9c..a9b6510d2 100644 --- a/archiva-security/src/main/java/org/apache/maven/archiva/security/RepositoryManagerDynamicRoleProfile.java +++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/RepositoryManagerDynamicRoleProfile.java 
@@ -50,61 +50,17 @@ public class RepositoryManagerDynamicRoleProfile { List operations = new ArrayList(); - // I'm not sure these are appropriate roles. operations.add( ArchivaRoleConstants.OPERATION_EDIT_REPOSITORY ); operations.add( ArchivaRoleConstants.OPERATION_DELETE_REPOSITORY ); - operations.add( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ); operations.add( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD ); return operations; } - - public List getChildRoles() - { - return Collections.singletonList( ArchivaRoleConstants.BASE_REPOSITORY_MANAGER ); - } - - public List getDynamicChildRoles( String string ) - { - return Collections.singletonList( - ArchivaRoleConstants.REPOSITORY_OBSERVER_ROLE_PREFIX + ArchivaRoleConstants.DELIMITER + string ); - } - public boolean isAssignable() { return true; } - - public Role getRole( String resource ) - throws RoleProfileException - { - try - { - if ( rbacManager.roleExists( getRoleName( resource ) ) ) - { - return rbacManager.getRole( getRoleName( resource ) ); - } - else - { - // first time assign the role to the group administrator since they need the access - Role newRole = generateRole( resource ); - - Role repoAdmin = rbacManager.getRole( ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE ); - repoAdmin.addChildRoleName( newRole.getName() ); - rbacManager.saveRole( repoAdmin ); - - return newRole; - } - } - catch ( RbacObjectNotFoundException ne ) - { - throw new RoleProfileException( "unable to get role", ne ); - } - catch ( RbacManagerException e ) - { - throw new RoleProfileException( "system error with rbac manager", e ); - } - } + } diff --git a/archiva-security/src/main/java/org/apache/maven/archiva/security/RepositoryObserverDynamicRoleProfile.java b/archiva-security/src/main/java/org/apache/maven/archiva/security/RepositoryObserverDynamicRoleProfile.java index 84b696db8..d49affe1c 100644 --- a/archiva-security/src/main/java/org/apache/maven/archiva/security/RepositoryObserverDynamicRoleProfile.java 
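Review bot: After this hunk a per-repository manager keeps edit, delete and upload but has no read path to its own repository. `OPERATION_REPOSITORY_ACCESS` is dropped from `getOperations()`, and `getDynamicChildRoles()`, which tied the manager to the matching observer role, is removed with it. Unless the observer role is always assigned alongside the manager role (not shown here), either keep the dynamic child link or document the requirement, e.g. `// read access comes from the matching Repository Observer role, which must be assigned separately`. The removed `getRole()` override, here and in `RepositoryObserverDynamicRoleProfile`, saved each new role as a child of the global role, so stores populated before this commit presumably keep those links; that difference between upgraded and fresh installs deserves an upgrade note. The imports for `Collections`, `Role` and the RBAC exception types sit outside the hunk and are probably unused now.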
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/RepositoryObserverDynamicRoleProfile.java @@ -57,34 +57,4 @@ public class RepositoryObserverDynamicRoleProfile return true; } - public Role getRole( String resource ) - throws RoleProfileException -{ - try - { - if ( rbacManager.roleExists( getRoleName( resource ) ) ) - { - return rbacManager.getRole( getRoleName( resource ) ); - } - else - { - // first time assign the role to the group administrator since they need the access - Role newRole = generateRole( resource ); - - Role repoAdmin = rbacManager.getRole( ArchivaRoleConstants.GLOBAL_REPOSITORY_OBSERVER_ROLE ); - repoAdmin.addChildRoleName( newRole.getName() ); - rbacManager.saveRole( repoAdmin ); - - return newRole; - } - } - catch ( RbacObjectNotFoundException ne ) - { - throw new RoleProfileException( "unable to get role", ne ); - } - catch ( RbacManagerException e ) - { - throw new RoleProfileException( "system error with rbac manager", e ); - } -} } diff --git a/archiva-security/src/main/resources/META-INF/plexus/components.xml b/archiva-security/src/main/resources/META-INF/plexus/components.xml index d486b047f..bed50b59f 100644 --- a/archiva-security/src/main/resources/META-INF/plexus/components.xml +++ b/archiva-security/src/main/resources/META-INF/plexus/components.xml @@ -85,8 +85,22 @@ org.codehaus.plexus.rbac.profile.RoleProfile - archiva-repository-manager-base - org.apache.maven.archiva.security.BaseRepositoryManagerRoleProfile + global-repository-manager + org.apache.maven.archiva.security.GlobalRepositoryManagerRoleProfile + + + org.codehaus.plexus.security.rbac.RBACManager + + + org.codehaus.plexus.PlexusContainer + container + + + + + org.codehaus.plexus.rbac.profile.RoleProfile + global-repository-observer + org.apache.maven.archiva.security.GlobalRepositoryObserverRoleProfile org.codehaus.plexus.security.rbac.RBACManager diff --git a/archiva-webapp/pom.xml b/archiva-webapp/pom.xml index c9d02499a..4f3887ecf 100644 
--- a/archiva-webapp/pom.xml +++ b/archiva-webapp/pom.xml @@ -264,7 +264,7 @@ src/jetty-env.xml - 9091 + 9090 60000 diff --git a/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/index.jsp b/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/index.jsp index ba45254a3..b722d305a 100644 --- a/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/index.jsp +++ b/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/index.jsp @@ -35,7 +35,7 @@
<%-- TODO replace with icons --%> - + ">Edit Configuration
diff --git a/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/managedRepositories.jsp b/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/managedRepositories.jsp index c9b3e1f61..ec4c59c7c 100644 --- a/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/managedRepositories.jsp +++ b/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/managedRepositories.jsp @@ -39,7 +39,7 @@
<%-- TODO replace with icons --%> - + Add Repository @@ -52,9 +52,10 @@ There are no managed repositories configured yet. - +
+ @@ -64,6 +65,7 @@ <%-- TODO replace with icons --%> Edit Repository Delete Repository +

${repository.name}

@@ -142,7 +144,6 @@
-
diff --git a/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/proxiedRepositories.jsp b/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/proxiedRepositories.jsp index 8171bc6c2..de6479873 100644 --- a/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/proxiedRepositories.jsp +++ b/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/proxiedRepositories.jsp @@ -20,6 +20,7 @@ <%@ taglib prefix="ww" uri="/webwork" %> <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %> <%@ taglib prefix="my" tagdir="/WEB-INF/tags" %> +<%@ taglib prefix="pss" uri="/plexusSecuritySystem" %> @@ -33,10 +34,14 @@
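Review bot: The `pss` taglib imported in this hunk can only decide whether the Edit and Delete links are rendered; it does not stop a request sent straight to the actions behind them. The tags on the added lines of the later hunks are not visible in this rendering, so their use is inferred from this import and from the role changes in the same commit. It is worth confirming that the managed- and proxied-repository actions check `OPERATION_EDIT_REPOSITORY` and `OPERATION_DELETE_REPOSITORY` on the server side, against the repository being changed. A JSP comment such as `<%-- links are hidden for convenience only; the actions enforce the permission --%>` would make that explicit.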
+ <%-- TODO replace with icons --%> +

Proxied Repositories

@@ -48,10 +53,12 @@
<%-- TODO replace with icons --%> - ">Edit + + ">Edit Repository | ">Delete - Repository + Repository +

${repository.name}

-- 2.39.5