Security role changes, added global repository manager that is the role for administering all repositories configuration wise, the particular repository managers now administer content _in_ their assigned repositories, observers get read access to corresponding repository (or global access to add if they get the global observer) and I also removed the archiva-edit-configuration operation since it was duplicated by the archiva-manage-configuraiton operation

git-svn-id: https://svn.apache.org/repos/asf/maven/archiva/trunk@513431 13f79535-47bb-0310-9956-ffa450edef68
2007-03-01 18:32:59 +00:00 · 2007-03-01 18:32:59 +00:00 · eecc68356e
parent 013a962760
commit eecc68356e
13 changed files with 56 additions and 152 deletions
--- a/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleConstants.java
@ -36,8 +36,6 @@ public class ArchivaRoleConstants
    public static final String GUEST_ROLE = "Guest";
    public static final String BASE_REPOSITORY_MANAGER = "Repository Manager Base";
    // dynamic role prefixes
    public static final String REPOSITORY_MANAGER_ROLE_PREFIX = "Repository Manager";
@ -65,6 +63,5 @@ public class ArchivaRoleConstants
    public static final String OPERATION_EDIT_REPOSITORY = "archiva-edit-repository";
    public static final String OPERATION_REPOSITORY_UPLOAD = "archiva-upload-repository";
-
+    
    public static final String OPERATION_EDIT_CONFIGURATION = "archiva-edit-configuration";
 }
--- a/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleProfileManager.java
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaRoleProfileManager.java
@ -25,6 +25,8 @@ import org.codehaus.plexus.rbac.profile.RoleProfileException;
 /**
 * Role profile manager.
 *
 * Role Structures are laid out as documented http://docs.codehaus.org/display/MAVENUSER/Archiva+Security+Roles
 *
 * @author Brett Porter
 * @todo composition over inheritence?
 * @plexus.component role="org.codehaus.plexus.rbac.profile.RoleProfileManager" role-hint="archiva"
@ -35,8 +37,9 @@ public class ArchivaRoleProfileManager
    public void initialize()
        throws RoleProfileException
    {
-        getRole( "archiva-repository-manager-base" );
+        getRole( "global-repository-manager" );
-
+        getRole( "global-repository-observer" );
        mergeRoleProfiles( "system-administrator", "archiva-system-administrator" );
        mergeRoleProfiles( "user-administrator", "archiva-user-administrator" );
        mergeRoleProfiles( "guest", "archiva-guest" );
--- a/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaSystemAdministratorRoleProfile.java
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/ArchivaSystemAdministratorRoleProfile.java
@ -41,7 +41,6 @@ public class ArchivaSystemAdministratorRoleProfile
    {
        List operations = new ArrayList();
        operations.add( ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION );
        operations.add( ArchivaRoleConstants.OPERATION_EDIT_CONFIGURATION );
        operations.add( ArchivaRoleConstants.OPERATION_MANAGE_USERS );
        operations.add( ArchivaRoleConstants.OPERATION_RUN_INDEXER );
        operations.add( ArchivaRoleConstants.OPERATION_REGENERATE_INDEX );
--- a/archiva-security/src/main/java/org/apache/maven/archiva/security/BaseRepositoryManagerRoleProfile.java
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/BaseRepositoryManagerRoleProfile.java
@ -1,57 +0,0 @@
 package org.apache.maven.archiva.security;
 /*
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 */
 import org.codehaus.plexus.rbac.profile.AbstractRoleProfile;
 import java.util.ArrayList;
 import java.util.List;
 /**
 * @plexus.component role="org.codehaus.plexus.rbac.profile.RoleProfile"
 * role-hint="archiva-repository-manager-base"
 */
 public class BaseRepositoryManagerRoleProfile
    extends AbstractRoleProfile
 {
    public String getRoleName()
    {
        return ArchivaRoleConstants.BASE_REPOSITORY_MANAGER;
    }
    public List getOperations()
    {
        List operations = new ArrayList();
        operations.add( ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION );
        return operations;
    }
    public boolean isPermanent()
    {
        return true;
    }
    public boolean isAssignable()
    {
        return false;
    }
 }
--- a/archiva-security/src/main/java/org/apache/maven/archiva/security/GlobalRepositoryManagerRoleProfile.java
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/GlobalRepositoryManagerRoleProfile.java
@ -26,7 +26,7 @@ import java.util.List;
 /**
 * @plexus.component role="org.codehaus.plexus.rbac.profile.RoleProfile"
- * role-hint="archiva-repository-administrator"
+ * role-hint="global-repository-manager"
 */
 public class GlobalRepositoryManagerRoleProfile
    extends AbstractRoleProfile
@ -49,9 +49,21 @@ public class GlobalRepositoryManagerRoleProfile
    public List getOperations()
    {      
        List operations = new ArrayList();
        operations.add( ArchivaRoleConstants.OPERATION_MANAGE_CONFIGURATION );
        operations.add( ArchivaRoleConstants.OPERATION_ADD_REPOSITORY );
        operations.add( ArchivaRoleConstants.OPERATION_EDIT_REPOSITORY );
        operations.add( ArchivaRoleConstants.OPERATION_DELETE_REPOSITORY );
        return operations;
    }
    public List getChildRoles()
    {
        List childRoles = new ArrayList();
        childRoles.add( ArchivaRoleConstants.GLOBAL_REPOSITORY_OBSERVER_ROLE );
        return childRoles;
    }
 }
--- a/archiva-security/src/main/java/org/apache/maven/archiva/security/GlobalRepositoryObserverRoleProfile.java
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/GlobalRepositoryObserverRoleProfile.java
@ -26,7 +26,7 @@ import java.util.List;
 /**
 * @plexus.component role="org.codehaus.plexus.rbac.profile.RoleProfile"
- * role-hint="archiva-repository-administrator"
+ * role-hint="global-repository-observer"
 */
 public class GlobalRepositoryObserverRoleProfile
    extends AbstractRoleProfile
@ -48,6 +48,8 @@ public class GlobalRepositoryObserverRoleProfile
    public List getOperations()
    {      
-        return null;
+        List operations = new ArrayList();
        operations.add( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
        return operations;
    }
 }
--- a/archiva-security/src/main/java/org/apache/maven/archiva/security/RepositoryManagerDynamicRoleProfile.java
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/RepositoryManagerDynamicRoleProfile.java
@ -50,61 +50,17 @@ public class RepositoryManagerDynamicRoleProfile
    {
        List operations = new ArrayList();
        // I'm not sure these are appropriate roles.
        operations.add( ArchivaRoleConstants.OPERATION_EDIT_REPOSITORY );
        operations.add( ArchivaRoleConstants.OPERATION_DELETE_REPOSITORY );
        operations.add( ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS );
        operations.add( ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD );
        return operations;
    }
    public List getChildRoles()
    {
        return Collections.singletonList( ArchivaRoleConstants.BASE_REPOSITORY_MANAGER );
    }
    public List getDynamicChildRoles( String string )
    {
        return Collections.singletonList(
            ArchivaRoleConstants.REPOSITORY_OBSERVER_ROLE_PREFIX + ArchivaRoleConstants.DELIMITER + string );
    }
    public boolean isAssignable()
    {
        return true;
    }
-    
+   
    public Role getRole( String resource )
        throws RoleProfileException
    {
        try
        {
            if ( rbacManager.roleExists( getRoleName( resource ) ) )
            {
                return rbacManager.getRole( getRoleName( resource ) );
            }
            else
            {
                // first time assign the role to the group administrator since they need the access
                Role newRole = generateRole( resource );
                Role repoAdmin = rbacManager.getRole( ArchivaRoleConstants.GLOBAL_REPOSITORY_MANAGER_ROLE );
                repoAdmin.addChildRoleName( newRole.getName() );
                rbacManager.saveRole( repoAdmin );
                return newRole;
            }
        }
        catch ( RbacObjectNotFoundException ne )
        {
            throw new RoleProfileException( "unable to get role", ne );
        }
        catch ( RbacManagerException e )
        {
            throw new RoleProfileException( "system error with rbac manager", e );
        }
    }
 }
--- a/archiva-security/src/main/java/org/apache/maven/archiva/security/RepositoryObserverDynamicRoleProfile.java
+++ b/archiva-security/src/main/java/org/apache/maven/archiva/security/RepositoryObserverDynamicRoleProfile.java
@ -57,34 +57,4 @@ public class RepositoryObserverDynamicRoleProfile
        return true;
    }
    public Role getRole( String resource )
    throws RoleProfileException
 {
    try
    {
        if ( rbacManager.roleExists( getRoleName( resource ) ) )
        {
            return rbacManager.getRole( getRoleName( resource ) );
        }
        else
        {
            // first time assign the role to the group administrator since they need the access
            Role newRole = generateRole( resource );
            Role repoAdmin = rbacManager.getRole( ArchivaRoleConstants.GLOBAL_REPOSITORY_OBSERVER_ROLE );
            repoAdmin.addChildRoleName( newRole.getName() );
            rbacManager.saveRole( repoAdmin );
            return newRole;
        }
    }
    catch ( RbacObjectNotFoundException ne )
    {
        throw new RoleProfileException( "unable to get role", ne );
    }
    catch ( RbacManagerException e )
    {
        throw new RoleProfileException( "system error with rbac manager", e );
    }
 }
 }
--- a/archiva-security/src/main/resources/META-INF/plexus/components.xml
+++ b/archiva-security/src/main/resources/META-INF/plexus/components.xml
@ -85,8 +85,22 @@
    </component>
    <component>
      <role>org.codehaus.plexus.rbac.profile.RoleProfile</role>
-      <role-hint>archiva-repository-manager-base</role-hint>
+      <role-hint>global-repository-manager</role-hint>
-      <implementation>org.apache.maven.archiva.security.BaseRepositoryManagerRoleProfile</implementation>
+      <implementation>org.apache.maven.archiva.security.GlobalRepositoryManagerRoleProfile</implementation>
      <requirements>
        <requirement>
          <role>org.codehaus.plexus.security.rbac.RBACManager</role>
        </requirement>
        <requirement>
          <role>org.codehaus.plexus.PlexusContainer</role>
          <field-name>container</field-name>
        </requirement>
      </requirements>
    </component>
        <component>
      <role>org.codehaus.plexus.rbac.profile.RoleProfile</role>
      <role-hint>global-repository-observer</role-hint>
      <implementation>org.apache.maven.archiva.security.GlobalRepositoryObserverRoleProfile</implementation>
      <requirements>
        <requirement>
          <role>org.codehaus.plexus.security.rbac.RBACManager</role>
--- a/archiva-webapp/pom.xml
+++ b/archiva-webapp/pom.xml
@ -264,7 +264,7 @@
          <jettyEnvXml>src/jetty-env.xml</jettyEnvXml>
          <connectors>
            <connector implementation="org.mortbay.jetty.nio.SelectChannelConnector">
-              <port>9091</port>
+              <port>9090</port>
              <maxIdleTime>60000</maxIdleTime>
            </connector>
          </connectors>
--- a/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/index.jsp
+++ b/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/index.jsp
@ -35,7 +35,7 @@
  <div>
    <div style="float: right">
      <%-- TODO replace with icons --%>
-      <pss:ifAuthorized permission="archiva-edit-configuration" resource="*">
+      <pss:ifAuthorized permission="archiva-manage-configuration">
        <a href="<ww:url action="configure" />">Edit Configuration</a>
      </pss:ifAuthorized>
    </div>
--- a/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/managedRepositories.jsp
+++ b/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/managedRepositories.jsp
@ -39,7 +39,7 @@
 <div>
  <div style="float: right">
    <%-- TODO replace with icons --%>
-    <pss:ifAuthorized permission="archiva-add-repository">
+    <pss:ifAuthorized permission="archiva-manage-configuration">
      <ww:url id="addRepositoryUrl" action="addRepository" method="input"/>
      <ww:a href="%{addRepositoryUrl}">Add Repository</ww:a>
    </pss:ifAuthorized>
@ -52,9 +52,10 @@
  <strong>There are no managed repositories configured yet.</strong>
 </c:if>
 <c:forEach items="${repositories}" var="repository" varStatus="i">
-  <pss:ifAnyAuthorized permissions="archiva-edit-repository, archiva-delete-repository" resource="${repository.id}">
+  
    <div>
      <div style="float: right">
      <pss:ifAnyAuthorized permissions="archiva-manage-configuration">
        <ww:url id="editRepositoryUrl" action="editRepository" method="input">
          <ww:param name="repoId" value="%{'${repository.id}'}"/>
        </ww:url>
@ -64,6 +65,7 @@
          <%-- TODO replace with icons --%>
        <ww:a href="%{editRepositoryUrl}">Edit Repository</ww:a>
        <ww:a href="%{deleteRepositoryUrl}">Delete Repository</ww:a>
        </pss:ifAnyAuthorized>
      </div>
      <h3>${repository.name}</h3>
      <table class="infoTable">
@ -142,7 +144,6 @@
        </tr>
      </table>
    </div>
  </pss:ifAnyAuthorized>
 </c:forEach>
 </div>
--- a/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/proxiedRepositories.jsp
+++ b/archiva-webapp/src/main/webapp/WEB-INF/jsp/admin/proxiedRepositories.jsp
@ -20,6 +20,7 @@
 <%@ taglib prefix="ww" uri="/webwork" %>
 <%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
 <%@ taglib prefix="my" tagdir="/WEB-INF/tags" %>
 <%@ taglib prefix="pss" uri="/plexusSecuritySystem" %>
 <html>
 <head>
@ -33,10 +34,14 @@
 <div id="contentArea">
  <div>
    <%-- TODO replace with icons --%>
    <div style="float: right">
-      <a href="<ww:url action="addProxiedRepository" method="input" />">Add Repository</a>
+      <pss:ifAuthorized permission="archiva-manage-configuration">
        <a href="<ww:url action="addProxiedRepository" method="input" />">Add Repository</a>
      </pss:ifAuthorized>
    </div>
    <h2>Proxied Repositories</h2>
  </div>
@ -48,10 +53,12 @@
    <div>
      <div style="float: right">
          <%-- TODO replace with icons --%>
-        <a href="<ww:url action="editProxiedRepository" method="input"><ww:param name="repoId" value="%{'${repository.id}'}" /></ww:url>">Edit
+        <pss:ifAuthorized permission="archiva-manage-configuration">
          <a href="<ww:url action="editProxiedRepository" method="input"><ww:param name="repoId" value="%{'${repository.id}'}" /></ww:url>">Edit
          Repository</a> | <a
          href="<ww:url action="deleteProxiedRepository" method="input"><ww:param name="repoId" value="%{'${repository.id}'}" /></ww:url>">Delete
-        Repository</a>
+          Repository</a>
        </pss:ifAuthorized>
      </div>
      <h3>${repository.name}</h3>
      <table class="infoTable">