- package org.apache.archiva.security;
-
- /*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
- import org.apache.archiva.admin.model.RepositoryAdminException;
- import org.apache.archiva.admin.model.beans.ManagedRepository;
- import org.apache.archiva.admin.model.managed.ManagedRepositoryAdmin;
- import org.apache.archiva.redback.authentication.AuthenticationResult;
- import org.apache.archiva.redback.authorization.AuthorizationException;
- import org.apache.archiva.redback.role.RoleManager;
- import org.apache.archiva.redback.role.RoleManagerException;
- import org.apache.archiva.redback.system.DefaultSecuritySession;
- import org.apache.archiva.redback.system.SecuritySession;
- import org.apache.archiva.redback.system.SecuritySystem;
- import org.apache.archiva.redback.users.User;
- import org.apache.archiva.redback.users.UserManagerException;
- import org.apache.archiva.redback.users.UserNotFoundException;
- import org.apache.archiva.security.common.ArchivaRoleConstants;
- import org.slf4j.Logger;
- import org.slf4j.LoggerFactory;
- import org.springframework.stereotype.Service;
-
- import javax.inject.Inject;
- import java.util.ArrayList;
- import java.util.List;
-
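/**
 * Default {@link UserRepositories} implementation backed by the Redback security system.
 *
 * <p>It answers "which managed repositories may this principal observe / manage / upload to /
 * delete from" by asking {@link SecuritySystem#isAuthorized} for a decision per repository, and
 * it creates the per-repository observer and manager roles on demand.
 *
 * <p>Every check starts from a principal <em>name</em>, not from credentials:
 * {@link #createSession(String)} builds a session that is already flagged as authenticated.
 * Callers are therefore responsible for passing only principals that have been authenticated
 * elsewhere; the only gate applied here is that locked users are rejected.
 */
@Service( "userRepositories" )
public class DefaultUserRepositories
    implements UserRepositories
{
    // Bound to this class rather than getClass() so the logger name is stable even when the
    // container wraps the bean in a proxy subclass.
    private static final Logger log = LoggerFactory.getLogger( DefaultUserRepositories.class );

    @Inject
    private SecuritySystem securitySystem;

    @Inject
    private RoleManager roleManager;

    @Inject
    private ManagedRepositoryAdmin managedRepositoryAdmin;

    /**
     * Ids of the managed repositories the principal is authorized to read
     * ({@link ArchivaRoleConstants#OPERATION_REPOSITORY_ACCESS}).
     *
     * @param principal name of an already authenticated user
     * @return the accessible repository ids, possibly empty, never {@code null}
     * @throws PrincipalNotFoundException if no user exists for {@code principal}
     * @throws AccessDeniedException if the user account is locked
     * @throws ArchivaSecurityException if the user or repository lookup fails
     */
    @Override
    public List<String> getObservableRepositoryIds( String principal )
        throws PrincipalNotFoundException, AccessDeniedException, ArchivaSecurityException
    {
        return getAccessibleRepositoryIds( principal, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
    }

    /**
     * Ids of the managed repositories the principal is authorized to upload to
     * ({@link ArchivaRoleConstants#OPERATION_REPOSITORY_UPLOAD}).
     *
     * @param principal name of an already authenticated user
     * @return the manageable repository ids, possibly empty, never {@code null}
     * @throws PrincipalNotFoundException if no user exists for {@code principal}
     * @throws AccessDeniedException if the user account is locked
     * @throws ArchivaSecurityException if the user or repository lookup fails
     */
    @Override
    public List<String> getManagableRepositoryIds( String principal )
        throws PrincipalNotFoundException, AccessDeniedException, ArchivaSecurityException
    {
        return getAccessibleRepositoryIds( principal, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
    }

    /**
     * Projects {@link #getAccessibleRepositories(String, String)} onto repository ids.
     */
    private List<String> getAccessibleRepositoryIds( String principal, String operation )
        throws ArchivaSecurityException, AccessDeniedException, PrincipalNotFoundException
    {
        List<ManagedRepository> accessible = getAccessibleRepositories( principal, operation );
        List<String> repoIds = new ArrayList<>( accessible.size() );
        for ( ManagedRepository repository : accessible )
        {
            repoIds.add( repository.getId() );
        }
        return repoIds;
    }

    /**
     * Managed repositories the principal is authorized to read
     * ({@link ArchivaRoleConstants#OPERATION_REPOSITORY_ACCESS}).
     *
     * @param principal name of an already authenticated user
     * @return the accessible repositories, possibly empty, never {@code null}
     * @throws PrincipalNotFoundException if no user exists for {@code principal}
     * @throws AccessDeniedException if the user account is locked
     * @throws ArchivaSecurityException if the user or repository lookup fails
     */
    @Override
    public List<ManagedRepository> getAccessibleRepositories( String principal )
        throws ArchivaSecurityException, AccessDeniedException, PrincipalNotFoundException
    {
        return getAccessibleRepositories( principal, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
    }

    /**
     * Filters all managed repositories down to those on which {@code principal} is authorized
     * for {@code operation}.
     *
     * <p>An {@link AuthorizationException} raised for a single repository is treated as
     * "not authorized" for that repository only (fail closed) and logged at debug level; the
     * remaining repositories are still evaluated. A failure to list the repositories at all is
     * surfaced as an {@link ArchivaSecurityException}.
     */
    private List<ManagedRepository> getAccessibleRepositories( String principal, String operation )
        throws ArchivaSecurityException, AccessDeniedException, PrincipalNotFoundException
    {
        // Resolves the user first so an unknown or locked principal fails before any
        // repository is consulted.
        SecuritySession securitySession = createSession( principal );

        List<ManagedRepository> authorized = new ArrayList<>();
        try
        {
            for ( ManagedRepository repository : managedRepositoryAdmin.getManagedRepositories() )
            {
                String repoId = repository.getId();
                try
                {
                    if ( securitySystem.isAuthorized( securitySession, operation, repoId ) )
                    {
                        authorized.add( repository );
                    }
                }
                catch ( AuthorizationException e )
                {
                    // Deliberate: an authorization error denies this one repository only.
                    log.debug( "Not authorizing '{}' for repository '{}': {}", principal, repoId,
                               e.getMessage() );
                }
            }
            return authorized;
        }
        catch ( RepositoryAdminException e )
        {
            throw new ArchivaSecurityException( e.getMessage(), e );
        }
    }

    /**
     * Builds a security session for an existing, unlocked user.
     *
     * <p>No credentials are verified here: the returned session wraps an
     * {@link AuthenticationResult} that is constructed as successful for the given principal
     * name. It must only be used for authorization decisions about a principal that has
     * already been authenticated by the caller.
     *
     * @throws PrincipalNotFoundException if the user manager knows no such user
     * @throws AccessDeniedException if the user account is locked
     * @throws ArchivaSecurityException if the lookup fails or unexpectedly yields {@code null}
     */
    private SecuritySession createSession( String principal )
        throws ArchivaSecurityException, AccessDeniedException
    {
        User user;
        try
        {
            user = securitySystem.getUserManager().findUser( principal );
        }
        catch ( UserNotFoundException e )
        {
            throw new PrincipalNotFoundException( "Unable to find principal " + principal, e );
        }
        catch ( UserManagerException e )
        {
            throw new ArchivaSecurityException( e.getMessage(), e );
        }

        if ( user == null )
        {
            // findUser contract is "throw if absent"; null means the user manager misbehaved.
            throw new ArchivaSecurityException(
                "The security system had an internal error - please check your system logs" );
        }

        if ( user.isLocked() )
        {
            throw new AccessDeniedException( "User " + principal + "(" + user.getFullName() + ") is locked." );
        }

        AuthenticationResult authn = new AuthenticationResult( true, principal, null );
        authn.setUser( user );
        return new DefaultSecuritySession( authn, user );
    }

    /**
     * Creates the observer and manager templated roles for {@code repoId} when they do not
     * exist yet; existing roles are left untouched.
     *
     * @param repoId id of the repository the roles are scoped to
     * @throws ArchivaSecurityException if the role manager cannot check or create a role
     */
    @Override
    public void createMissingRepositoryRoles( String repoId )
        throws ArchivaSecurityException
    {
        try
        {
            ensureTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_OBSERVER, repoId );
            ensureTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_MANAGER, repoId );
        }
        catch ( RoleManagerException e )
        {
            throw new ArchivaSecurityException( "Unable to create roles for configured repositories: " + e.getMessage(),
                                                e );
        }
    }

    /** Creates the templated role {@code template}/{@code repoId} unless it already exists. */
    private void ensureTemplatedRole( String template, String repoId )
        throws RoleManagerException
    {
        if ( !roleManager.templatedRoleExists( template, repoId ) )
        {
            roleManager.createTemplatedRole( template, repoId );
        }
    }

    /**
     * Whether {@code principal} may upload artifacts to repository {@code repoId}.
     *
     * @throws PrincipalNotFoundException if no user exists for {@code principal}
     * @throws ArchivaSecurityException if the user is locked, the lookup fails, or the
     *         authorization check itself errors
     */
    @Override
    public boolean isAuthorizedToUploadArtifacts( String principal, String repoId )
        throws PrincipalNotFoundException, ArchivaSecurityException
    {
        return isAuthorizedFor( principal, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD, repoId );
    }

    /**
     * Whether {@code principal} may delete artifacts from repository {@code repoId}.
     *
     * @throws ArchivaSecurityException if the principal is unknown or locked, the lookup fails,
     *         or the authorization check itself errors
     */
    @Override
    public boolean isAuthorizedToDeleteArtifacts( String principal, String repoId )
        throws ArchivaSecurityException
    {
        return isAuthorizedFor( principal, ArchivaRoleConstants.OPERATION_REPOSITORY_DELETE, repoId );
    }

    /**
     * Single authorization decision for {@code operation} on {@code repoId}. Unlike the list
     * variants, an {@link AuthorizationException} is not swallowed here but rethrown as an
     * {@link ArchivaSecurityException}, so the caller sees an error rather than a silent deny.
     */
    private boolean isAuthorizedFor( String principal, String operation, String repoId )
        throws ArchivaSecurityException
    {
        try
        {
            SecuritySession securitySession = createSession( principal );
            return securitySystem.isAuthorized( securitySession, operation, repoId );
        }
        catch ( AuthorizationException e )
        {
            throw new ArchivaSecurityException( e.getMessage(), e );
        }
    }

    public SecuritySystem getSecuritySystem()
    {
        return securitySystem;
    }

    public void setSecuritySystem( SecuritySystem securitySystem )
    {
        this.securitySystem = securitySystem;
    }

    public RoleManager getRoleManager()
    {
        return roleManager;
    }

    public void setRoleManager( RoleManager roleManager )
    {
        this.roleManager = roleManager;
    }
}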