Apache
/
archiva-redback-core
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'pr/9' 

closed #9
[MRM-1908] Logged on users can write any repository
This commit is contained in:
olivier lamy 2016-09-13 10:49:27 +10:00
parent 87e1950057 796af57be2
commit 8e98a8aa9e
1 changed files with 57 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
redback-integrations/redback-rest/redback-rest-services/src/main/java/org/apache/archiva/redback/rest/services/interceptors/PermissionsInterceptor.java
View File

@ -30,6 +30,8 @@ import org.apache.archiva.redback.policy.MustChangePasswordException;
import org.apache.archiva.redback.system.SecuritySession;
import org.apache.archiva.redback.system.SecuritySystem;
import org.apache.commons.lang.StringUtils;
import org.apache.cxf.jaxrs.model.OperationResourceInfo;
import org.apache.cxf.jaxrs.model.Parameter;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.slf4j.Logger;
@ -39,10 +41,17 @@ import org.springframework.stereotype.Service;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.PathParam;
import javax.ws.rs.QueryParam;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Provider;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.List;
/**
* @author Olivier Lamy
@ -132,10 +141,16 @@ public class PermissionsInterceptor
}
try
{
String resource = redbackAuthorization.resource();
if (resource.startsWith("{") && resource.endsWith("}") && resource.length()>2) {
resource = getMethodParameter(containerRequestContext, message, resource.substring(1,resource.length()-1));
log.debug("Found resource from annotated parameter: {}",resource);
}
AuthorizationResult authorizationResult =
securitySystem.authorize( authenticationResult.getUser(), permission, //
StringUtils.isBlank( redbackAuthorization.resource() ) //
? null : redbackAuthorization.resource() );
StringUtils.isBlank( resource ) //
? null : resource );
if ( authenticationResult != null && authorizationResult.isAuthorized() )
{
log.debug( "isAuthorized for permission {}", permission );
@ -188,4 +203,44 @@ public class PermissionsInterceptor
containerRequestContext.abortWith( Response.status( Response.Status.FORBIDDEN ).build() );
}
/*
* Extracts a request parameter value from the message. Currently checks only path and query parameter.
*/
private String getMethodParameter(final ContainerRequestContext requestContext, final Message message, final String parameterName) {
OperationResourceInfo operationResourceInfo = message.getExchange().get( OperationResourceInfo.class );
if ( operationResourceInfo == null )
{
return "";
}
Annotation[][] annotations = operationResourceInfo.getInParameterAnnotations();
for(int i = 0; i< annotations.length; i++) {
for (int k = 0; k < annotations[i].length; k++) {
if (annotations[i][k] instanceof PathParam && parameterName.equals(((PathParam) annotations[i][k]).value())) {
log.debug("Found PathParam annotation");
UriInfo uriInfo = requestContext.getUriInfo();
MultivaluedMap<String, String> pathParameters = uriInfo.getPathParameters();
if (pathParameters.containsKey(parameterName)) {
return pathParameters.getFirst(parameterName);
} else {
break;
}
} else if (annotations[i][k] instanceof QueryParam && parameterName.equals(((QueryParam) annotations[i][k]).value())) {
log.debug("Found QueryParam annotation");
UriInfo uriInfo = requestContext.getUriInfo();
MultivaluedMap<String, String> pathParameters = uriInfo.getQueryParameters();
if (pathParameters.containsKey(parameterName)) {
return pathParameters.getFirst(parameterName);
} else {
break;
}
}
}
}
log.warn("No matching request parameter value found: {}", parameterName);
return "";
}
}