Apache
/
archiva
mirror of https://github.com/apache/archiva.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[MRM-913] bring delete artifact security into line with uploading an artifact 

git-svn-id: https://svn.apache.org/repos/asf/archiva/trunk@755726 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Brett Porter 2009-03-18 20:47:20 +00:00
parent f8051daf10
commit 20b3d982cf
5 changed files with 74 additions and 114 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java
View File

@ -64,6 +64,8 @@ public class ArchivaRoleConstants
public static final String OPERATION_REPOSITORY_UPLOAD = "archiva-upload-repository"; public static final String OPERATION_REPOSITORY_UPLOAD = "archiva-upload-repository";
public static final String OPERATION_REPOSITORY_DELETE = "archiva-delete-artifact";
// Role templates // Role templates
public static final String TEMPLATE_REPOSITORY_MANAGER = "archiva-repository-manager"; public static final String TEMPLATE_REPOSITORY_MANAGER = "archiva-repository-manager";

146
archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/DefaultUserRepositories.java
View File

@ -20,17 +20,12 @@ package org.apache.maven.archiva.security;
*/ */
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collection;
import java.util.List; import java.util.List;
import org.apache.maven.archiva.configuration.ArchivaConfiguration; import org.apache.maven.archiva.configuration.ArchivaConfiguration;
import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration; import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
import org.codehaus.plexus.redback.authentication.AuthenticationResult; import org.codehaus.plexus.redback.authentication.AuthenticationResult;
import org.codehaus.plexus.redback.authorization.AuthorizationException; import org.codehaus.plexus.redback.authorization.AuthorizationException;
import org.codehaus.plexus.redback.rbac.RBACManager;
import org.codehaus.plexus.redback.rbac.RbacManagerException;
import org.codehaus.plexus.redback.rbac.RbacObjectNotFoundException;
import org.codehaus.plexus.redback.rbac.Role;
import org.codehaus.plexus.redback.role.RoleManager; import org.codehaus.plexus.redback.role.RoleManager;
import org.codehaus.plexus.redback.role.RoleManagerException; import org.codehaus.plexus.redback.role.RoleManagerException;
import org.codehaus.plexus.redback.system.DefaultSecuritySession; import org.codehaus.plexus.redback.system.DefaultSecuritySession;
@ -38,6 +33,8 @@ import org.codehaus.plexus.redback.system.SecuritySession;
import org.codehaus.plexus.redback.system.SecuritySystem; import org.codehaus.plexus.redback.system.SecuritySystem;
import org.codehaus.plexus.redback.users.User; import org.codehaus.plexus.redback.users.User;
import org.codehaus.plexus.redback.users.UserNotFoundException; import org.codehaus.plexus.redback.users.UserNotFoundException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/** /**
* DefaultUserRepositories * DefaultUserRepositories
@ -53,11 +50,6 @@ public class DefaultUserRepositories
*/ */
private SecuritySystem securitySystem; private SecuritySystem securitySystem;
/**
* @plexus.requirement role-hint="cached"
*/
private RBACManager rbacManager;
/** /**
* @plexus.requirement role-hint="default" * @plexus.requirement role-hint="default"
*/ */
@ -67,6 +59,8 @@ public class DefaultUserRepositories
* @plexus.requirement * @plexus.requirement
*/ */
private ArchivaConfiguration archivaConfiguration; private ArchivaConfiguration archivaConfiguration;
private Logger log = LoggerFactory.getLogger( DefaultUserRepositories.class );
public List<String> getObservableRepositoryIds( String principal ) public List<String> getObservableRepositoryIds( String principal )
throws PrincipalNotFoundException, AccessDeniedException, ArchivaSecurityException throws PrincipalNotFoundException, AccessDeniedException, ArchivaSecurityException
@ -87,49 +81,59 @@ public class DefaultUserRepositories
private List<String> getAccessibleRepositoryIds( String principal, String operation ) private List<String> getAccessibleRepositoryIds( String principal, String operation )
throws ArchivaSecurityException, AccessDeniedException, PrincipalNotFoundException throws ArchivaSecurityException, AccessDeniedException, PrincipalNotFoundException
{ {
SecuritySession securitySession = createSession( principal );
List<String> repoIds = new ArrayList<String>();
List<ManagedRepositoryConfiguration> repos =
archivaConfiguration.getConfiguration().getManagedRepositories();
for ( ManagedRepositoryConfiguration repo : repos )
{
try
{
String repoId = repo.getId();
if ( securitySystem.isAuthorized( securitySession, operation, repoId ) )
{
repoIds.add( repoId );
}
}
catch ( AuthorizationException e )
{
// swallow.
log.debug( "Not authorizing '" + principal + "' for repository '" + repo.getId() + "': "
+ e.getMessage() );
}
}
return repoIds;
}
private SecuritySession createSession( String principal )
throws ArchivaSecurityException, AccessDeniedException
{
User user;
try try
{ {
User user = securitySystem.getUserManager().findUser( principal ); user = securitySystem.getUserManager().findUser( principal );
if ( user == null ) if ( user == null )
{ {
throw new ArchivaSecurityException( "The security system had an internal error - please check your system logs" ); throw new ArchivaSecurityException(
"The security system had an internal error - please check your system logs" );
} }
if ( user.isLocked() )
{
throw new AccessDeniedException( "User " + principal + "(" + user.getFullName() + ") is locked." );
}
AuthenticationResult authn = new AuthenticationResult( true, principal, null );
SecuritySession securitySession = new DefaultSecuritySession( authn, user );
List<String> repoIds = new ArrayList<String>();
List<ManagedRepositoryConfiguration> repos =
archivaConfiguration.getConfiguration().getManagedRepositories();
for ( ManagedRepositoryConfiguration repo : repos )
{
try
{
String repoId = repo.getId();
if ( securitySystem.isAuthorized( securitySession, operation, repoId ) )
{
repoIds.add( repoId );
}
}
catch ( AuthorizationException e )
{
// swallow.
}
}
return repoIds;
} }
catch ( UserNotFoundException e ) catch ( UserNotFoundException e )
{ {
throw new PrincipalNotFoundException( "Unable to find principal " + principal + "" ); throw new PrincipalNotFoundException( "Unable to find principal " + principal + "" );
} }
if ( user.isLocked() )
{
throw new AccessDeniedException( "User " + principal + "(" + user.getFullName() + ") is locked." );
}
AuthenticationResult authn = new AuthenticationResult( true, principal, null );
return new DefaultSecuritySession( authn, user );
} }
public void createMissingRepositoryRoles( String repoId ) public void createMissingRepositoryRoles( String repoId )
@ -160,28 +164,12 @@ public class DefaultUserRepositories
{ {
try try
{ {
User user = securitySystem.getUserManager().findUser( principal ); SecuritySession securitySession = createSession( principal );
if ( user == null )
{
throw new ArchivaSecurityException( "The security system had an internal error - please check your system logs" );
}
if ( user.isLocked() )
{
throw new AccessDeniedException( "User " + principal + "(" + user.getFullName() + ") is locked." );
}
AuthenticationResult authn = new AuthenticationResult( true, principal, null );
SecuritySession securitySession = new DefaultSecuritySession( authn, user );
return securitySystem.isAuthorized( securitySession, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD, return securitySystem.isAuthorized( securitySession, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD,
repoId ); repoId );
} }
catch ( UserNotFoundException e )
{
throw new PrincipalNotFoundException( "Unable to find principal " + principal + "" );
}
catch ( AuthorizationException e ) catch ( AuthorizationException e )
{ {
throw new ArchivaSecurityException( e.getMessage() ); throw new ArchivaSecurityException( e.getMessage() );
@ -189,41 +177,19 @@ public class DefaultUserRepositories
} }
public boolean isAuthorizedToDeleteArtifacts( String principal, String repoId ) public boolean isAuthorizedToDeleteArtifacts( String principal, String repoId )
throws RbacManagerException, RbacObjectNotFoundException throws AccessDeniedException, ArchivaSecurityException
{ {
boolean isAuthorized = false;
String delimiter = " - ";
try try
{ {
Collection<Role> roleList = rbacManager.getEffectivelyAssignedRoles( principal ); SecuritySession securitySession = createSession( principal );
for ( Role role : roleList ) return securitySystem.isAuthorized( securitySession, ArchivaRoleConstants.OPERATION_REPOSITORY_DELETE,
{ repoId );
String roleName = role.getName();
if ( roleName.startsWith( ArchivaRoleConstants.REPOSITORY_MANAGER_ROLE_PREFIX ) )
{
int delimiterIndex = roleName.indexOf( delimiter );
String resourceName = roleName.substring( delimiterIndex + delimiter.length() );
if ( resourceName.equals( repoId ) )
{
isAuthorized = true;
break;
}
}
}
} }
catch ( RbacObjectNotFoundException e ) catch ( AuthorizationException e )
{ {
throw new RbacObjectNotFoundException( "Unable to find user " + principal + "" ); throw new ArchivaSecurityException( e.getMessage() );
} }
catch ( RbacManagerException e )
{
throw new RbacManagerException( "Unable to get roles for user " + principal + "" );
}
return isAuthorized;
} }
} }

9
archiva-modules/archiva-web/archiva-security/src/main/java/org/apache/maven/archiva/security/UserRepositories.java
View File

@ -19,9 +19,6 @@ package org.apache.maven.archiva.security;
* under the License. * under the License.
*/ */
import org.codehaus.plexus.redback.rbac.RbacObjectNotFoundException;
import org.codehaus.plexus.redback.rbac.RbacManagerException;
import java.util.List; import java.util.List;
/** /**
@ -82,10 +79,10 @@ public interface UserRepositories
* @param principal * @param principal
* @param repoId * @param repoId
* @return * @return
* @throws RbacManagerException * @throws ArchivaSecurityException
* @throws RbacObjectNotFoundException * @throws AccessDeniedException
*/ */
public boolean isAuthorizedToDeleteArtifacts( String principal, String repoId ) public boolean isAuthorizedToDeleteArtifacts( String principal, String repoId )
throws RbacManagerException, RbacObjectNotFoundException; throws AccessDeniedException, ArchivaSecurityException;
} }

23
archiva-modules/archiva-web/archiva-webapp/src/main/java/org/apache/maven/archiva/web/action/DeleteArtifactAction.java
View File

@ -35,33 +35,32 @@ import org.apache.maven.archiva.common.utils.VersionComparator;
import org.apache.maven.archiva.common.utils.VersionUtil; import org.apache.maven.archiva.common.utils.VersionUtil;
import org.apache.maven.archiva.configuration.ArchivaConfiguration; import org.apache.maven.archiva.configuration.ArchivaConfiguration;
import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration; import org.apache.maven.archiva.configuration.ManagedRepositoryConfiguration;
import org.apache.maven.archiva.database.updater.DatabaseConsumers;
import org.apache.maven.archiva.database.ArchivaDatabaseException; import org.apache.maven.archiva.database.ArchivaDatabaseException;
import org.apache.maven.archiva.database.ArtifactDAO; import org.apache.maven.archiva.database.ArtifactDAO;
import org.apache.maven.archiva.database.constraints.ArtifactVersionsConstraint; import org.apache.maven.archiva.database.constraints.ArtifactVersionsConstraint;
import org.apache.maven.archiva.database.updater.DatabaseConsumers;
import org.apache.maven.archiva.model.ArchivaArtifact; import org.apache.maven.archiva.model.ArchivaArtifact;
import org.apache.maven.archiva.model.ArchivaRepositoryMetadata; import org.apache.maven.archiva.model.ArchivaRepositoryMetadata;
import org.apache.maven.archiva.model.VersionedReference; import org.apache.maven.archiva.model.VersionedReference;
import org.apache.maven.archiva.repository.audit.Auditable; import org.apache.maven.archiva.repository.ContentNotFoundException;
import org.apache.maven.archiva.repository.ManagedRepositoryContent;
import org.apache.maven.archiva.repository.RepositoryContentFactory;
import org.apache.maven.archiva.repository.RepositoryException;
import org.apache.maven.archiva.repository.RepositoryNotFoundException;
import org.apache.maven.archiva.repository.audit.AuditEvent; import org.apache.maven.archiva.repository.audit.AuditEvent;
import org.apache.maven.archiva.repository.audit.AuditListener; import org.apache.maven.archiva.repository.audit.AuditListener;
import org.apache.maven.archiva.repository.audit.Auditable;
import org.apache.maven.archiva.repository.metadata.MetadataTools; import org.apache.maven.archiva.repository.metadata.MetadataTools;
import org.apache.maven.archiva.repository.metadata.RepositoryMetadataException; import org.apache.maven.archiva.repository.metadata.RepositoryMetadataException;
import org.apache.maven.archiva.repository.metadata.RepositoryMetadataReader; import org.apache.maven.archiva.repository.metadata.RepositoryMetadataReader;
import org.apache.maven.archiva.repository.metadata.RepositoryMetadataWriter; import org.apache.maven.archiva.repository.metadata.RepositoryMetadataWriter;
import org.apache.maven.archiva.repository.ContentNotFoundException;
import org.apache.maven.archiva.repository.RepositoryException;
import org.apache.maven.archiva.repository.RepositoryNotFoundException;
import org.apache.maven.archiva.repository.ManagedRepositoryContent;
import org.apache.maven.archiva.repository.RepositoryContentFactory;
import org.apache.maven.archiva.security.AccessDeniedException; import org.apache.maven.archiva.security.AccessDeniedException;
import org.apache.maven.archiva.security.ArchivaSecurityException; import org.apache.maven.archiva.security.ArchivaSecurityException;
import org.apache.maven.archiva.security.ArchivaXworkUser; import org.apache.maven.archiva.security.ArchivaXworkUser;
import org.apache.maven.archiva.security.PrincipalNotFoundException; import org.apache.maven.archiva.security.PrincipalNotFoundException;
import org.apache.maven.archiva.security.UserRepositories; import org.apache.maven.archiva.security.UserRepositories;
import org.codehaus.plexus.redback.rbac.RbacManagerException;
import org.apache.struts2.ServletActionContext; import org.apache.struts2.ServletActionContext;
import com.opensymphony.xwork2.ActionContext; import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.Preparable; import com.opensymphony.xwork2.Preparable;
import com.opensymphony.xwork2.Validateable; import com.opensymphony.xwork2.Validateable;
@ -394,7 +393,11 @@ public class DeleteArtifactAction
addActionError( "Invalid version." ); addActionError( "Invalid version." );
} }
} }
catch ( RbacManagerException e ) catch ( AccessDeniedException e )
{
addActionError( e.getMessage() );
}
catch ( ArchivaSecurityException e )
{ {
addActionError( e.getMessage() ); addActionError( e.getMessage() );
} }

8
archiva-modules/archiva-web/archiva-webapp/src/test/java/org/apache/maven/archiva/security/UserRepositoriesStub.java
View File

@ -22,13 +22,6 @@ package org.apache.maven.archiva.security;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import org.apache.maven.archiva.security.AccessDeniedException;
import org.apache.maven.archiva.security.ArchivaSecurityException;
import org.apache.maven.archiva.security.PrincipalNotFoundException;
import org.apache.maven.archiva.security.UserRepositories;
import org.codehaus.plexus.redback.rbac.RbacObjectNotFoundException;
import org.codehaus.plexus.redback.rbac.RbacManagerException;
/** /**
* UserRepositories stub used for testing. * UserRepositories stub used for testing.
* *
@ -62,7 +55,6 @@ public class UserRepositoriesStub
} }
public boolean isAuthorizedToDeleteArtifacts( String principal, String repoId ) public boolean isAuthorizedToDeleteArtifacts( String principal, String repoId )
throws RbacManagerException, RbacObjectNotFoundException
{ {
return false; return false;
} }