diff --git a/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java b/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java
index 9ca1c68b0..d837c1a63 100644
--- a/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java
@@ -27,6 +27,8 @@ public class ArchivaRoleConstants
 public static final String SYSTEM_ADMINISTRATOR_ROLE = "System Administrator";
 public static final String USER_ADMINISTRATOR_ROLE = "User Administrator";
+
+ public static final String GLOBAL_REPOSITORY_MANAGER_ROLE = "Global Repository Manager";
 public static final String REGISTERED_USER_ROLE = "Registered User";
diff --git a/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaSystemAdministratorRoleProfile.java b/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaSystemAdministratorRoleProfile.java
index a5d596e2e..c84ce4440 100644
--- a/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaSystemAdministratorRoleProfile.java
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaSystemAdministratorRoleProfile.java
@@ -46,13 +46,18 @@ public class ArchivaSystemAdministratorRoleProfile operations.add( ArchivaRoleConstants.OPERATION_RUN_INDEXER ); operations.add( ArchivaRoleConstants.OPERATION_REGENERATE_INDEX ); operations.add( ArchivaRoleConstants.OPERATION_ACCESS_REPORT ); // TODO: does this need to be templated? - operations.add( ArchivaRoleConstants.OPERATION_ADD_REPOSITORY ); - operations.add( ArchivaRoleConstants.OPERATION_EDIT_REPOSITORY ); - operations.add( ArchivaRoleConstants.OPERATION_DELETE_REPOSITORY ); // we don't add access/upload repository operations. This isn't a sys-admin function, and we don't want to // encourage the use of the sys admin role for such operations. They can grant it as necessary. return operations; } + + + public List getChildRoles() + { + List childRoles = new ArrayList(); + childRoles.add( ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE ); + return childRoles; + } public boolean isAssignable() { diff --git a/archiva-security/src/main/java/org/apache/maven/archiva/security/GlobalRepositoryManagerRoleProfile.java b/archiva-security/src/main/java/org/apache/maven/archiva/security/GlobalRepositoryManagerRoleProfile.java new file mode 100644 index 000000000..824711117 --- /dev/null +++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/GlobalRepositoryManagerRoleProfile.java 
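Review bot: After this hunk getOperations() no longer lists OPERATION_ADD_REPOSITORY, OPERATION_EDIT_REPOSITORY and OPERATION_DELETE_REPOSITORY, and the System Administrator only reaches them through the role named in the new getChildRoles(), yet neither spot says so. Someone auditing getOperations() alone would conclude administrators cannot manage repositories, and the grant now depends on the Global Repository Manager role being resolvable when this profile is built (the framework's ordering is not visible in this hunk). I would add `// add/edit/delete repository are inherited from the Global Repository Manager child role, see getChildRoles()` where the three lines were removed, and a one-line Javadoc on getChildRoles() naming the inherited role. getOperations() begins above the hunk and isAssignable() continues below it.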
@@ -0,0 +1,57 @@
+package org.apache.maven.archiva.security;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import org.codehaus.plexus.rbac.profile.AbstractRoleProfile;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * @plexus.component role="org.codehaus.plexus.rbac.profile.RoleProfile"
+ * role-hint="archiva-repository-administrator"
+ */
+public class GlobalRepositoryManagerRoleProfile
+ extends AbstractRoleProfile
+{
+ /**
+ * Create the Role name for a Repository Observer, using the provided repository id.
+ *
+ * @param repoId the repository id
+ */
+ public String getRoleName( )
+ {
+ return ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE;
+ }
+
+ public boolean isAssignable()
+ {
+ return true;
+ }
+
+ public List getOperations()
+ {
+ List operations = new ArrayList();
+ operations.add( ArchivaRoleConstants.OPERATION_ADD_REPOSITORY );
+ operations.add( ArchivaRoleConstants.OPERATION_EDIT_REPOSITORY );
+ operations.add( ArchivaRoleConstants.OPERATION_DELETE_REPOSITORY );
+ return operations;
+ }
+}
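Review bot: The Javadoc on getRoleName() is left over from a per-repository profile: it speaks of "a Repository Observer" and documents `@param repoId`, while the method takes no argument and returns the fixed GLOBAL_REPOSITORY_MANAGER_ROLE. Replace it with `/** Returns the name of the global repository manager role. */`. The class comment holds only the plexus component tag; because the role is assignable and carries add, edit and delete on repositories, a sentence there stating which operations it grants would help anyone reviewing role assignments. The role-hint `archiva-repository-administrator` uses "administrator" where the class and constant say "manager", so it is worth confirming that the mismatch is intended.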
diff --git a/archiva-security/src/main/java/org/apache/maven/archiva/security/RepositoryManagerDynamicRoleProfile.java b/archiva-security/src/main/java/org/apache/maven/archiva/security/RepositoryManagerDynamicRoleProfile.java
index 7a9338ed7..da657de9c 100644
--- a/archiva-security/src/main/java/org/apache/maven/archiva/security/RepositoryManagerDynamicRoleProfile.java
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/RepositoryManagerDynamicRoleProfile.java
@@ -20,6 +20,10 @@ package org.apache.maven.archiva.security;
 */
 import org.codehaus.plexus.rbac.profile.AbstractDynamicRoleProfile;
+import org.codehaus.plexus.rbac.profile.RoleProfileException;
+import org.codehaus.plexus.security.rbac.RbacManagerException;
+import org.codehaus.plexus.security.rbac.RbacObjectNotFoundException;
+import org.codehaus.plexus.security.rbac.Role;
 import java.util.ArrayList;
 import java.util.Collections;
@@ -71,5 +75,36 @@ public class RepositoryManagerDynamicRoleProfile
 {
 return true;
 }
+
+ public Role getRole( String resource )
+ throws RoleProfileException
+ {
+ try
+ {
+ if ( rbacManager.roleExists( getRoleName( resource ) ) )
+ {
+ return rbacManager.getRole( getRoleName( resource ) );
+ }
+ else
+ {
+ // first time assign the role to the group administrator since they need the access
+ Role newRole = generateRole( resource );
+
+ Role repoAdmin = rbacManager.getRole( ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE );
+ repoAdmin.addChildRoleName( newRole.getName() );
+ rbacManager.saveRole( repoAdmin );
+
+ return newRole;
+ }
+ }
+ catch ( RbacObjectNotFoundException ne )
+ {
+ throw new RoleProfileException( "unable to get role", ne );
+ }
+ catch ( RbacManagerException e )
+ {
+ throw new RoleProfileException( "system error with rbac manager", e );
+ }
+ }
 }
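Review bot: In the else branch of getRole() the per-repository role is generated before the parent is looked up, so if `rbacManager.getRole( ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE )` throws RbacObjectNotFoundException the new role may already exist without its parent link (assuming generateRole() persists it, which is outside this hunk). Every later call would then take the roleExists() branch and never add the link, leaving global repository managers without rights on that repository. Fetch the parent first, i.e. move `Role repoAdmin = rbacManager.getRole( ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE );` above `Role newRole = generateRole( resource );`, so a missing parent fails before anything is created. The inline comment says "group administrator" while the code links to the global repository manager role, so the wording should be aligned.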