NIHVIVO-2509 Replace InformationResourceEditingPolicy with SelfEditorRelationshipPolicy, which is better structured and handles more special relationships.

This commit is contained in:
j2blake 2011-04-25 16:26:58 +00:00
parent 1ef114ff45
commit ac55760a5a
7 changed files with 668 additions and 448 deletions

View file

@ -149,11 +149,6 @@
</listener-class>
</listener> -->
<!--
<listener>
<listener-class> edu.cornell.mannlib.vitro.webapp.auth.policy.setup.InformationResourceEditingPolicySetup</listener-class>
</listener> -->
<listener>
<listener-class>
edu.cornell.mannlib.vitro.webapp.auth.identifier.UserToIndIdentifierFactorySetup

View file

@ -1,332 +0,0 @@
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
package edu.cornell.mannlib.vitro.webapp.auth.policy;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.hp.hpl.jena.ontology.OntModel;
import com.hp.hpl.jena.rdf.model.Property;
import com.hp.hpl.jena.rdf.model.RDFNode;
import com.hp.hpl.jena.rdf.model.Resource;
import com.hp.hpl.jena.rdf.model.Selector;
import com.hp.hpl.jena.rdf.model.SimpleSelector;
import com.hp.hpl.jena.rdf.model.StmtIterator;
import com.hp.hpl.jena.shared.Lock;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyAction;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
/**
* Allows a self-editor to edit properties on any InformationResource of which
* he is an author or an editor.
*/
public class InformationResourceEditingPolicy extends BaseSelfEditingPolicy
implements PolicyIface {
private static final Log log = LogFactory
.getLog(InformationResourceEditingPolicy.class);
private static final String NS_CORE = "http://vivoweb.org/ontology/core#";
private static final String URI_INFORMATION_RESOURCE_TYPE = NS_CORE
+ "InformationResource";
private static final String URI_EDITOR_PROPERTY = "http://purl.org/ontology/bibo/editor";
private static final String URI_IN_AUTHORSHIP_PROPERTY = NS_CORE
+ "informationResourceInAuthorship";
private static final String URI_LINKED_AUTHOR_PROPERTY = NS_CORE
+ "linkedAuthor";
private static final String URI_FEATURES_PROPERTY = NS_CORE + "features";
private final OntModel model;
public InformationResourceEditingPolicy(ServletContext ctx, OntModel model) {
super(ctx, RoleLevel.SELF);
this.model = model;
}
@Override
public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
RequestedAction whatToAuth) {
if (whoToAuth == null) {
return inconclusiveDecision("whoToAuth was null");
}
if (whatToAuth == null) {
return inconclusiveDecision("whatToAuth was null");
}
List<String> userUris = getUrisOfSelfEditor(whoToAuth);
if (userUris.isEmpty()) {
return inconclusiveDecision("Not self-editing.");
}
if (whatToAuth instanceof AbstractObjectPropertyAction) {
return isAuthorizedForObjectPropertyAction(userUris,
(AbstractObjectPropertyAction) whatToAuth);
}
if (whatToAuth instanceof AbstractDataPropertyAction) {
return isAuthorizedForDataPropertyAction(userUris,
(AbstractDataPropertyAction) whatToAuth);
}
return inconclusiveDecision("Does not authorize "
+ whatToAuth.getClass().getSimpleName() + " actions");
}
/**
* The user can edit a data property if it is not restricted and if it is
* about an information resource which he authored or edited, or in which he
* is featured.
*/
private PolicyDecision isAuthorizedForDataPropertyAction(
List<String> userUris, AbstractDataPropertyAction action) {
String subject = action.getSubjectUri();
String predicate = action.getPredicateUri();
if (!canModifyResource(subject)) {
return cantModifyResource(subject);
}
if (!canModifyPredicate(predicate)) {
return cantModifyPredicate(predicate);
}
if (isInformationResource(subject)) {
if (anyUrisInCommon(userUris, getUrisOfEditors(subject))) {
return authorizedSubjectEditor();
}
if (anyUrisInCommon(userUris, getUrisOfAuthors(subject))) {
return authorizedSubjectAuthor();
}
if (anyUrisInCommon(userUris, getUrisOfFeatured(subject))) {
return authorizedSubjectFeatured();
}
}
return userNotAuthorizedToStatement();
}
/**
* The user can edit an object property if it is not restricted and if it is
* about an information resource which he authored or edited, or in which he
* is featured.
*/
private PolicyDecision isAuthorizedForObjectPropertyAction(
List<String> userUris, AbstractObjectPropertyAction action) {
String subject = action.getUriOfSubject();
String predicate = action.getUriOfPredicate();
String object = action.getUriOfObject();
if (!canModifyResource(subject)) {
return cantModifyResource(subject);
}
if (!canModifyPredicate(predicate)) {
return cantModifyPredicate(predicate);
}
if (!canModifyResource(object)) {
return cantModifyResource(object);
}
if (isInformationResource(subject)) {
if (anyUrisInCommon(userUris, getUrisOfEditors(subject))) {
return authorizedSubjectEditor();
}
if (anyUrisInCommon(userUris, getUrisOfAuthors(subject))) {
return authorizedSubjectAuthor();
}
if (anyUrisInCommon(userUris, getUrisOfFeatured(subject))) {
return authorizedSubjectFeatured();
}
}
if (isInformationResource(object)) {
if (anyUrisInCommon(userUris, getUrisOfEditors(object))) {
return authorizedObjectEditor();
}
if (anyUrisInCommon(userUris, getUrisOfAuthors(object))) {
return authorizedObjectAuthor();
}
if (anyUrisInCommon(userUris, getUrisOfFeatured(object))) {
return authorizedObjectFeatured();
}
}
return userNotAuthorizedToStatement();
}
private boolean isInformationResource(String uri) {
Selector selector = createSelector(uri, VitroVocabulary.RDF_TYPE,
URI_INFORMATION_RESOURCE_TYPE);
StmtIterator stmts = null;
model.enterCriticalSection(Lock.READ);
try {
stmts = model.listStatements(selector);
if (stmts.hasNext()) {
return true;
} else {
return false;
}
} finally {
if (stmts != null) {
stmts.close();
}
model.leaveCriticalSection();
}
}
private List<String> getUrisOfEditors(String infoResourceUri) {
List<String> list = new ArrayList<String>();
Selector selector = createSelector(infoResourceUri,
URI_EDITOR_PROPERTY, null);
StmtIterator stmts = null;
model.enterCriticalSection(Lock.READ);
try {
stmts = model.listStatements(selector);
while (stmts.hasNext()) {
list.add(stmts.next().getObject().toString());
}
return list;
} finally {
if (stmts != null) {
stmts.close();
}
model.leaveCriticalSection();
}
}
private List<String> getUrisOfAuthors(String infoResourceUri) {
List<String> list = new ArrayList<String>();
Selector selector = createSelector(infoResourceUri,
URI_IN_AUTHORSHIP_PROPERTY, null);
StmtIterator stmts = null;
model.enterCriticalSection(Lock.READ);
try {
stmts = model.listStatements(selector);
while (stmts.hasNext()) {
RDFNode objectNode = stmts.next().getObject();
if (objectNode.isResource()) {
log.debug("found authorship for '" + infoResourceUri
+ "': " + objectNode);
list.addAll(getUrisOfAuthors(objectNode.asResource()));
}
}
log.debug("uris of authors for '" + infoResourceUri + "': " + list);
return list;
} finally {
if (stmts != null) {
stmts.close();
}
model.leaveCriticalSection();
}
}
private List<String> getUrisOfFeatured(String infoResourceUri) {
List<String> list = new ArrayList<String>();
Selector selector = createSelector(infoResourceUri,
URI_FEATURES_PROPERTY, null);
StmtIterator stmts = null;
model.enterCriticalSection(Lock.READ);
try {
stmts = model.listStatements(selector);
while (stmts.hasNext()) {
list.add(stmts.next().getObject().toString());
}
return list;
} finally {
if (stmts != null) {
stmts.close();
}
model.leaveCriticalSection();
}
}
/** Note that we must already be in a critical section! */
private List<String> getUrisOfAuthors(Resource authorship) {
List<String> list = new ArrayList<String>();
Selector selector = createSelector(authorship,
URI_LINKED_AUTHOR_PROPERTY, null);
StmtIterator stmts = null;
try {
stmts = model.listStatements(selector);
while (stmts.hasNext()) {
list.add(stmts.next().getObject().toString());
}
return list;
} finally {
if (stmts != null) {
stmts.close();
}
}
}
private Selector createSelector(String subjectUri, String predicateUri,
String objectUri) {
Resource subject = (subjectUri == null) ? null : model
.getResource(subjectUri);
return createSelector(subject, predicateUri, objectUri);
}
private Selector createSelector(Resource subject, String predicateUri,
String objectUri) {
Property predicate = (predicateUri == null) ? null : model
.getProperty(predicateUri);
RDFNode object = (objectUri == null) ? null : model
.getResource(objectUri);
return new SimpleSelector(subject, predicate, object);
}
private boolean anyUrisInCommon(List<String> userUris,
List<String> editorsOrAuthors) {
for (String userUri : userUris) {
if (editorsOrAuthors.contains(userUri)) {
return true;
}
}
return false;
}
private PolicyDecision authorizedSubjectEditor() {
return authorizedDecision("User is editor of the subject of the statement");
}
private PolicyDecision authorizedObjectEditor() {
return authorizedDecision("User is editor of the object of the statement");
}
private PolicyDecision authorizedSubjectAuthor() {
return authorizedDecision("User is author of the subject of the statement");
}
private PolicyDecision authorizedObjectAuthor() {
return authorizedDecision("User is author of the object of the statement");
}
private PolicyDecision authorizedSubjectFeatured() {
return authorizedDecision("User is featured in the subject of the statement");
}
private PolicyDecision authorizedObjectFeatured() {
return authorizedDecision("User is featured in the object of the statement");
}
}

View file

@ -1,62 +0,0 @@
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
package edu.cornell.mannlib.vitro.webapp.auth.policy.setup;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.hp.hpl.jena.ontology.OntModel;
import edu.cornell.mannlib.vitro.webapp.auth.policy.InformationResourceEditingPolicy;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
import edu.cornell.mannlib.vitro.webapp.servlet.setup.AbortStartup;
/**
* Set up the InformationResourceEditingPolicy. This is tied to the SelfEditor
* identifier, but has enough of its own logic to merit its own policy class.
*/
public class InformationResourceEditingPolicySetup implements
ServletContextListener {
private static final Log log = LogFactory
.getLog(InformationResourceEditingPolicySetup.class);
@Override
public void contextInitialized(ServletContextEvent sce) {
ServletContext ctx = sce.getServletContext();
if (AbortStartup.isStartupAborted(ctx)) {
return;
}
try {
log.debug("Setting up InformationResourceEditingPolicy");
// need to make a policy and add it to the ServletContext
OntModel model = (OntModel) sce.getServletContext().getAttribute(
"jenaOntModel");
InformationResourceEditingPolicy irep = new InformationResourceEditingPolicy(
ctx, model);
ServletPolicyList.addPolicy(ctx, irep);
// don't need an IdentifierFactory if the SelfEditingPolicy is
// providing it.
log.debug("Finished setting up InformationResourceEditingPolicy: "
+ irep);
} catch (Exception e) {
log.error("could not run InformationResourceEditingPolicySetup: "
+ e);
AbortStartup.abortStartup(ctx);
throw new RuntimeException(e);
}
}
@Override
public void contextDestroyed(ServletContextEvent sce) {
// Nothing to do.
}
}

View file

@ -0,0 +1,231 @@
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
package edu.cornell.mannlib.vitro.webapp.auth.policy.specialrelationships;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.hp.hpl.jena.ontology.OntModel;
import com.hp.hpl.jena.rdf.model.Property;
import com.hp.hpl.jena.rdf.model.RDFNode;
import com.hp.hpl.jena.rdf.model.Resource;
import com.hp.hpl.jena.rdf.model.Selector;
import com.hp.hpl.jena.rdf.model.SimpleSelector;
import com.hp.hpl.jena.rdf.model.StmtIterator;
import com.hp.hpl.jena.shared.Lock;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.HasAssociatedIndividual;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.auth.policy.BasicPolicyDecision;
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
/**
* A collection of building-block methods so we can code a policy based on the
* relationship of the object being edited to the identity of the user doing the
* editing.
*/
public abstract class AbstractRelationshipPolicy implements PolicyIface {
private static final Log log = LogFactory
.getLog(AbstractRelationshipPolicy.class);
protected final ServletContext ctx;
protected final OntModel model;
public AbstractRelationshipPolicy(ServletContext ctx, OntModel model) {
this.ctx = ctx;
this.model = model;
}
/**
* Check to see whether we are self-editing, and for which Individuals.
*/
protected List<String> getUrisOfSelfEditor(IdentifierBundle ids) {
List<String> uris = new ArrayList<String>();
if (ids != null) {
for (Identifier id : ids) {
if (id instanceof HasAssociatedIndividual) {
HasAssociatedIndividual selfEditId = (HasAssociatedIndividual) id;
if (!selfEditId.isBlacklisted()) {
uris.add(selfEditId.getAssociatedIndividualUri());
}
}
}
}
return uris;
}
protected boolean canModifyResource(String uri) {
return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyResource(
uri, RoleLevel.SELF);
}
protected boolean canModifyPredicate(String uri) {
return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyPredicate(
uri, RoleLevel.SELF);
}
protected boolean isResourceOfType(String resourceUri, String typeUri) {
Selector selector = createSelector(resourceUri,
VitroVocabulary.RDF_TYPE, typeUri);
StmtIterator stmts = null;
model.enterCriticalSection(Lock.READ);
try {
stmts = model.listStatements(selector);
if (stmts.hasNext()) {
log.debug("resource '" + resourceUri + "' is of type '"
+ typeUri + "'");
return true;
} else {
log.debug("resource '" + resourceUri + "' is not of type '"
+ typeUri + "'");
return false;
}
} finally {
if (stmts != null) {
stmts.close();
}
model.leaveCriticalSection();
}
}
protected List<String> getObjectsOfProperty(String resourceUri,
String propertyUri) {
List<String> list = new ArrayList<String>();
Selector selector = createSelector(resourceUri, propertyUri, null);
StmtIterator stmts = null;
model.enterCriticalSection(Lock.READ);
try {
stmts = model.listStatements(selector);
while (stmts.hasNext()) {
list.add(stmts.next().getObject().toString());
}
log.debug("Objects of property '" + propertyUri + "' on resource '"
+ resourceUri + "': " + list);
return list;
} finally {
if (stmts != null) {
stmts.close();
}
model.leaveCriticalSection();
}
}
protected List<String> getObjectsOfLinkedProperty(String resourceUri,
String linkUri, String propertyUri) {
List<String> list = new ArrayList<String>();
Selector selector = createSelector(resourceUri, linkUri, null);
StmtIterator stmts = null;
model.enterCriticalSection(Lock.READ);
try {
stmts = model.listStatements(selector);
while (stmts.hasNext()) {
RDFNode objectNode = stmts.next().getObject();
if (objectNode.isResource()) {
log.debug("found authorship for '" + resourceUri + "': "
+ objectNode);
list.addAll(getUrisOfAuthors(objectNode.asResource(),
propertyUri));
}
}
log.debug("Objects of linked properties '" + linkUri + "' ==> '"
+ propertyUri + "' on '" + resourceUri + "': " + list);
return list;
} finally {
if (stmts != null) {
stmts.close();
}
model.leaveCriticalSection();
}
}
/** Note that we must already be in a critical section! */
private List<String> getUrisOfAuthors(Resource authorship,
String propertyUri) {
List<String> list = new ArrayList<String>();
Selector selector = createSelector(authorship, propertyUri, null);
StmtIterator stmts = null;
try {
stmts = model.listStatements(selector);
while (stmts.hasNext()) {
list.add(stmts.next().getObject().toString());
}
return list;
} finally {
if (stmts != null) {
stmts.close();
}
}
}
protected Selector createSelector(String subjectUri, String predicateUri,
String objectUri) {
Resource subject = (subjectUri == null) ? null : model
.getResource(subjectUri);
return createSelector(subject, predicateUri, objectUri);
}
protected Selector createSelector(Resource subject, String predicateUri,
String objectUri) {
Property predicate = (predicateUri == null) ? null : model
.getProperty(predicateUri);
RDFNode object = (objectUri == null) ? null : model
.getResource(objectUri);
return new SimpleSelector(subject, predicate, object);
}
protected boolean anyUrisInCommon(List<String> userUris,
List<String> editorsOrAuthors) {
for (String userUri : userUris) {
if (editorsOrAuthors.contains(userUri)) {
return true;
}
}
return false;
}
protected PolicyDecision cantModifyResource(String uri) {
return inconclusiveDecision("No access to admin resources; cannot modify "
+ uri);
}
protected PolicyDecision cantModifyPredicate(String uri) {
return inconclusiveDecision("No access to admin predicates; cannot modify "
+ uri);
}
protected PolicyDecision userNotAuthorizedToStatement() {
return inconclusiveDecision("User has no access to this statement.");
}
/** An INCONCLUSIVE decision with a message like "PolicyClass: message". */
protected PolicyDecision inconclusiveDecision(String message) {
return new BasicPolicyDecision(Authorization.INCONCLUSIVE, getClass()
.getSimpleName() + ": " + message);
}
/** An AUTHORIZED decision with a message like "PolicyClass: message". */
protected PolicyDecision authorizedDecision(String message) {
return new BasicPolicyDecision(Authorization.AUTHORIZED, getClass()
.getSimpleName() + ": " + message);
}
}

View file

@ -0,0 +1,380 @@
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
package edu.cornell.mannlib.vitro.webapp.auth.policy.specialrelationships;
import java.util.List;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.hp.hpl.jena.ontology.OntModel;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyAction;
import edu.cornell.mannlib.vitro.webapp.servlet.setup.AbortStartup;
/**
* Permit self-editors to edit the properties of classes with which they share a
* special relationship. So for example:
*
* A self-editor may edit properties of an InformationResource for which he is
* an author, an editor, or in which he is featured.
*
* A self-editor may edit properties of a Project in which he plays a clinical
* role.
*
* Etc.
*
* NOTE: properties or resources which are restricted by namespace or by access
* setting will still not be editable, even if this special relationship
* applies.
*
* NOTE: This could be further generalized by building a list of authorizing
* relationships, where each relationship may specify a type of object, a
* relating property (or chain of properties), and a text message describing the
* relationship (to be used in the decision). We could go even farther and drive
* this from an XML config file, so site administrators could configure it
* themselves. A great tool for this is the one used to process the Tomcat
* server.xml file, see http://commons.apache.org/digester/
*/
public class SelfEditorRelationshipPolicy extends AbstractRelationshipPolicy
implements PolicyIface {
private static final Log log = LogFactory
.getLog(SelfEditorRelationshipPolicy.class);
private static final String NS_CORE = "http://vivoweb.org/ontology/core#";
private static final String URI_INFORMATION_RESOURCE_TYPE = NS_CORE
+ "InformationResource";
private static final String URI_EDITOR_PROPERTY = "http://purl.org/ontology/bibo/editor";
private static final String URI_FEATURES_PROPERTY = NS_CORE + "features";
private static final String URI_IN_AUTHORSHIP_PROPERTY = NS_CORE
+ "informationResourceInAuthorship";
private static final String URI_LINKED_AUTHOR_PROPERTY = NS_CORE
+ "linkedAuthor";
private static final String URI_GRANT_TYPE = NS_CORE + "Grant";
private static final String URI_RELATED_ROLE_PROPERTY = NS_CORE
+ "relatedRole";
private static final String URI_PRINCIPAL_INVESTIGATOR_OF_PROPERTY = NS_CORE
+ "principalInvestigatorRoleOf";
private static final String URI_CO_PRINCIPAL_INVESTIGATOR_OF_PROPERTY = NS_CORE
+ "co-PrincipalInvestigatorRoleOf";
private static final String URI_PROJECT_TYPE = NS_CORE + "Project";
private static final String URI_SERVICE_TYPE = NS_CORE + "Service";
private static final String URI_CLINICAL_ROLE_OF_PROPERTY = NS_CORE
+ "clinicalRoleOf";
private static final String URI_PRESENTATION_TYPE = NS_CORE
+ "Presentation";
private static final String URI_PRESENTER_ROLE_OF_PROPERTY = NS_CORE
+ "presenterRoleOf";
private static final String URI_COURSE_TYPE = NS_CORE + "Course";
private static final String URI_TEACHER_ROLE_OF_PROPERTY = NS_CORE
+ "teacherRoleOf";
private static final String URI_ADVISING_RELATIONSHIP_TYPE = NS_CORE
+ "AdvisingRelationship";
private static final String URI_ADVISOR_PROPERTY = NS_CORE + "advisor";
public SelfEditorRelationshipPolicy(ServletContext ctx, OntModel model) {
super(ctx, model);
}
@Override
public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
RequestedAction whatToAuth) {
PolicyDecision decision = null;
if (whatToAuth == null) {
decision = inconclusiveDecision("whatToAuth was null");
} else if (whatToAuth instanceof AbstractDataPropertyAction) {
decision = isAuthorized(whoToAuth,
distill((AbstractDataPropertyAction) whatToAuth));
} else if (whatToAuth instanceof AbstractObjectPropertyAction) {
decision = isAuthorized(whoToAuth,
distill((AbstractObjectPropertyAction) whatToAuth));
} else {
decision = inconclusiveDecision("Does not authorize "
+ whatToAuth.getClass().getSimpleName() + " actions");
}
if (decision == null) {
return userNotAuthorizedToStatement();
} else {
return decision;
}
}
private DistilledAction distill(AbstractDataPropertyAction action) {
return new DistilledAction(action.getPredicateUri(),
action.getSubjectUri());
}
private DistilledAction distill(AbstractObjectPropertyAction action) {
return new DistilledAction(action.uriOfPredicate, action.uriOfSubject,
action.uriOfObject);
}
private PolicyDecision isAuthorized(IdentifierBundle ids,
DistilledAction action) {
List<String> userUris = getUrisOfSelfEditor(ids);
if (userUris.isEmpty()) {
return inconclusiveDecision("Not self-editing.");
}
if (!canModifyPredicate(action.predicateUri)) {
return cantModifyPredicate(action.predicateUri);
}
for (String resourceUri : action.resourceUris) {
if (!canModifyResource(resourceUri)) {
return cantModifyResource(resourceUri);
}
}
for (String resourceUri : action.resourceUris) {
if (isInformationResource(resourceUri)) {
if (anyUrisInCommon(userUris, getUrisOfEditors(resourceUri))) {
return authorizedEditor(resourceUri);
}
if (anyUrisInCommon(userUris, getUrisOfAuthors(resourceUri))) {
return authorizedAuthor(resourceUri);
}
if (anyUrisInCommon(userUris, getUrisOfFeatured(resourceUri))) {
return authorizedFeatured(resourceUri);
}
}
if (isGrant(resourceUri)) {
if (anyUrisInCommon(userUris,
getUrisOfPrincipalInvestigators(resourceUri))) {
return authorizedPI(resourceUri);
}
if (anyUrisInCommon(userUris,
getUrisOfCoPrincipalInvestigators(resourceUri))) {
return authorizedCoPI(resourceUri);
}
}
if (isProject(resourceUri) || isService(resourceUri)) {
if (anyUrisInCommon(userUris,
getUrisOfClinicalAgents(resourceUri))) {
return authorizedClinicalAgent(resourceUri);
}
}
if (isPresentation(resourceUri)) {
if (anyUrisInCommon(userUris, getUrisOfPresenters(resourceUri))) {
return authorizedPresenter(resourceUri);
}
}
if (isCourse(resourceUri)) {
if (anyUrisInCommon(userUris, getUrisOfTeachers(resourceUri))) {
return authorizedTeacher(resourceUri);
}
}
if (isAdvisingRelationship(resourceUri)) {
if (anyUrisInCommon(userUris, getUrisOfAdvisors(resourceUri))) {
return authorizedAdvisor(resourceUri);
}
}
}
return userNotAuthorizedToStatement();
}
// ----------------------------------------------------------------------
// methods for InformationResource
// ----------------------------------------------------------------------
private boolean isInformationResource(String resourceUri) {
return isResourceOfType(resourceUri, URI_INFORMATION_RESOURCE_TYPE);
}
private List<String> getUrisOfEditors(String resourceUri) {
return getObjectsOfProperty(resourceUri, URI_EDITOR_PROPERTY);
}
private List<String> getUrisOfFeatured(String resourceUri) {
return getObjectsOfProperty(resourceUri, URI_FEATURES_PROPERTY);
}
private List<String> getUrisOfAuthors(String resourceUri) {
return getObjectsOfLinkedProperty(resourceUri,
URI_IN_AUTHORSHIP_PROPERTY, URI_LINKED_AUTHOR_PROPERTY);
}
private PolicyDecision authorizedEditor(String uri) {
return authorizedDecision("User is an editor of " + uri);
}
private PolicyDecision authorizedAuthor(String uri) {
return authorizedDecision("User is author of " + uri);
}
private PolicyDecision authorizedFeatured(String uri) {
return authorizedDecision("User is featured in " + uri);
}
// ----------------------------------------------------------------------
// methods for Grant
// ----------------------------------------------------------------------
private boolean isGrant(String resourceUri) {
return isResourceOfType(resourceUri, URI_GRANT_TYPE);
}
private List<String> getUrisOfPrincipalInvestigators(String resourceUri) {
return getObjectsOfLinkedProperty(resourceUri,
URI_RELATED_ROLE_PROPERTY,
URI_PRINCIPAL_INVESTIGATOR_OF_PROPERTY);
}
private List<String> getUrisOfCoPrincipalInvestigators(String resourceUri) {
return getObjectsOfLinkedProperty(resourceUri,
URI_RELATED_ROLE_PROPERTY,
URI_CO_PRINCIPAL_INVESTIGATOR_OF_PROPERTY);
}
private PolicyDecision authorizedPI(String resourceUri) {
return authorizedDecision("User is Principal Investigator of "
+ resourceUri);
}
private PolicyDecision authorizedCoPI(String resourceUri) {
return authorizedDecision("User is Co-Principal Investigator of "
+ resourceUri);
}
// ----------------------------------------------------------------------
// methods for Project or Service
// ----------------------------------------------------------------------
private boolean isProject(String resourceUri) {
return isResourceOfType(resourceUri, URI_PROJECT_TYPE);
}
private boolean isService(String resourceUri) {
return isResourceOfType(resourceUri, URI_SERVICE_TYPE);
}
private List<String> getUrisOfClinicalAgents(String resourceUri) {
return getObjectsOfLinkedProperty(resourceUri,
URI_RELATED_ROLE_PROPERTY, URI_CLINICAL_ROLE_OF_PROPERTY);
}
private PolicyDecision authorizedClinicalAgent(String resourceUri) {
return authorizedDecision("User has a Clinical Role on " + resourceUri);
}
// ----------------------------------------------------------------------
// methods for Presentation
// ----------------------------------------------------------------------
private boolean isPresentation(String resourceUri) {
return isResourceOfType(resourceUri, URI_PRESENTATION_TYPE);
}
private List<String> getUrisOfPresenters(String resourceUri) {
return getObjectsOfLinkedProperty(resourceUri,
URI_RELATED_ROLE_PROPERTY, URI_PRESENTER_ROLE_OF_PROPERTY);
}
private PolicyDecision authorizedPresenter(String resourceUri) {
return authorizedDecision("User is a Presenter of " + resourceUri);
}
// ----------------------------------------------------------------------
// methods for Course
// ----------------------------------------------------------------------
private boolean isCourse(String resourceUri) {
return isResourceOfType(resourceUri, URI_COURSE_TYPE);
}
private List<String> getUrisOfTeachers(String resourceUri) {
return getObjectsOfLinkedProperty(resourceUri,
URI_RELATED_ROLE_PROPERTY, URI_TEACHER_ROLE_OF_PROPERTY);
}
private PolicyDecision authorizedTeacher(String resourceUri) {
return authorizedDecision("User is a Teacher of " + resourceUri);
}
// ----------------------------------------------------------------------
// methods for AdvisingRelationship
// ----------------------------------------------------------------------
private boolean isAdvisingRelationship(String resourceUri) {
return isResourceOfType(resourceUri, URI_ADVISING_RELATIONSHIP_TYPE);
}
private List<String> getUrisOfAdvisors(String resourceUri) {
return getObjectsOfProperty(resourceUri, URI_ADVISOR_PROPERTY);
}
private PolicyDecision authorizedAdvisor(String resourceUri) {
return authorizedDecision("User is an Advisor of " + resourceUri);
}
// ----------------------------------------------------------------------
// helper classes
// ----------------------------------------------------------------------
/**
* This allows us to treat data properties and object properties the same.
* It's just that object properties have more resourceUris.
*/
static class DistilledAction {
final String[] resourceUris;
final String predicateUri;
public DistilledAction(String predicateUri, String... resourceUris) {
this.resourceUris = resourceUris;
this.predicateUri = predicateUri;
}
}
/**
* When the system starts up, install the policy. This class must be a
* listener in web.xml
*
* The CommonIdentifierBundleFactory already creates the IDs we need.
*/
public static class Setup implements ServletContextListener {
@Override
public void contextInitialized(ServletContextEvent sce) {
ServletContext ctx = sce.getServletContext();
if (AbortStartup.isStartupAborted(ctx)) {
return;
}
try {
OntModel ontModel = (OntModel) sce.getServletContext()
.getAttribute("jenaOntModel");
ServletPolicyList.addPolicy(ctx,
new SelfEditorRelationshipPolicy(ctx, ontModel));
} catch (Exception e) {
log.error("could not run " + this.getClass().getSimpleName()
+ ": " + e);
AbortStartup.abortStartup(ctx);
throw new RuntimeException(e);
}
}
@Override
public void contextDestroyed(ServletContextEvent sce) { /* nothing */
}
}
}

View file

@ -1,6 +1,6 @@
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
package edu.cornell.mannlib.vitro.webapp.auth.policy;
package edu.cornell.mannlib.vitro.webapp.auth.policy.specialrelationships;
import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization.AUTHORIZED;
import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization.INCONCLUSIVE;
@ -28,9 +28,8 @@ import com.hp.hpl.jena.rdf.model.StmtIterator;
import edu.cornell.mannlib.vitro.testing.AbstractTestClass;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.HasAssociatedIndividual;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory.SelfEditing;
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
@ -39,15 +38,19 @@ import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAct
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AddResource;
import edu.cornell.mannlib.vitro.webapp.beans.IndividualImpl;
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
/**
* TODO
* Check the relationships in the SelfEditorRelationshipPolicy.
*
* This only checks the relationships that deal with InformationResources.
* Testing the others seems too redundant. If we generalize this to use
* configurable relationships, then we'll be able to make more general tests as
* well.
*/
public class InformationResourceEditingPolicyTest extends AbstractTestClass {
public class SelfEditorRelationshipPolicyTest extends AbstractTestClass {
private static final Log log = LogFactory
.getLog(InformationResourceEditingPolicyTest.class);
.getLog(SelfEditorRelationshipPolicyTest.class);
/** Can edit properties or resources in this namespace. */
private static final String NS_PERMITTED = "http://vivo.mydomain.edu/individual/";
@ -71,7 +74,8 @@ public class InformationResourceEditingPolicyTest extends AbstractTestClass {
/**
* Where the model statements are stored for this test.
*/
private static final String N3_DATA_FILENAME = "resources/InformationResourceEditingPolicyTest.n3";
private static final String N3_DATA_FILENAME = "SelfEditorRelationship"
+ "PolicyTest.n3";
/**
* These URIs must match the data in the N3 file.
@ -96,7 +100,7 @@ public class InformationResourceEditingPolicyTest extends AbstractTestClass {
@BeforeClass
public static void setupModel() throws IOException {
InputStream stream = InformationResourceEditingPolicyTest.class
InputStream stream = SelfEditorRelationshipPolicyTest.class
.getResourceAsStream(N3_DATA_FILENAME);
Model model = ModelFactory.createDefaultModel();
model.read(stream, null, "N3");
@ -108,7 +112,7 @@ public class InformationResourceEditingPolicyTest extends AbstractTestClass {
dumpModel();
}
private InformationResourceEditingPolicy policy;
private SelfEditorRelationshipPolicy policy;
private RequestedAction action;
@Before
@ -118,7 +122,7 @@ public class InformationResourceEditingPolicyTest extends AbstractTestClass {
.getInstance(new String[] { NS_RESTRICTED });
PropertyRestrictionPolicyHelper.setBean(ctx, prph);
policy = new InformationResourceEditingPolicy(ctx, ontModel);
policy = new SelfEditorRelationshipPolicy(ctx, ontModel);
}
private IdentifierBundle idNobody;
@ -148,7 +152,7 @@ public class InformationResourceEditingPolicyTest extends AbstractTestClass {
}
// ----------------------------------------------------------------------
// the tests
// boilerplate tests
// ----------------------------------------------------------------------
@Test
@ -189,12 +193,30 @@ public class InformationResourceEditingPolicyTest extends AbstractTestClass {
}
@Test
public void dataPropSubjectIsNotInfoResource() {
action = new AddDataPropStmt(URI_PERMITTED_RESOURCE,
URI_PERMITTED_PREDICATE, "junk", null, null);
public void objectPropSubjectIsRestricted() {
action = new AddObjectPropStmt(URI_RESTRICTED_RESOURCE,
URI_PERMITTED_PREDICATE, URI_JOE_EDITED_IT);
assertDecision(INCONCLUSIVE, policy.isAuthorized(idJoe, action));
}
@Test
public void objectPropPredicateIsRestricted() {
action = new AddObjectPropStmt(URI_PERMITTED_RESOURCE,
URI_RESTRICTED_PREDICATE, URI_JOE_EDITED_IT);
assertDecision(INCONCLUSIVE, policy.isAuthorized(idJoe, action));
}
@Test
public void objectPropObjectIsRestricted() {
action = new AddObjectPropStmt(URI_JOE_EDITED_IT,
URI_PERMITTED_PREDICATE, URI_RESTRICTED_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(idJoe, action));
}
// ----------------------------------------------------------------------
// InformationResource tests
// ----------------------------------------------------------------------
@Test
public void dataPropSubjectIsInfoResourceButNobodyIsSelfEditing() {
action = new AddDataPropStmt(URI_JOE_WROTE_IT, URI_PERMITTED_PREDICATE,
@ -255,34 +277,6 @@ public class InformationResourceEditingPolicyTest extends AbstractTestClass {
assertDecision(AUTHORIZED, policy.isAuthorized(idBozoAndJoe, action));
}
@Test
public void objectPropSubjectIsRestricted() {
action = new AddObjectPropStmt(URI_RESTRICTED_RESOURCE,
URI_PERMITTED_PREDICATE, URI_JOE_EDITED_IT);
assertDecision(INCONCLUSIVE, policy.isAuthorized(idJoe, action));
}
@Test
public void objectPropPredicateIsRestricted() {
action = new AddObjectPropStmt(URI_PERMITTED_RESOURCE,
URI_RESTRICTED_PREDICATE, URI_JOE_EDITED_IT);
assertDecision(INCONCLUSIVE, policy.isAuthorized(idJoe, action));
}
@Test
public void objectPropObjectIsRestricted() {
action = new AddObjectPropStmt(URI_JOE_EDITED_IT,
URI_PERMITTED_PREDICATE, URI_RESTRICTED_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(idJoe, action));
}
@Test
public void objectPropNeitherSubjectOrObjectIsInfoResource() {
action = new AddObjectPropStmt(URI_PERMITTED_RESOURCE,
URI_PERMITTED_PREDICATE, URI_PERMITTED_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(idJoe, action));
}
@Test
public void objectPropSubjectIsInfoResourceButNobodyIsSelfEditing() {
action = new AddObjectPropStmt(URI_JOE_EDITED_IT,
@ -403,16 +397,30 @@ public class InformationResourceEditingPolicyTest extends AbstractTestClass {
assertDecision(AUTHORIZED, policy.isAuthorized(idBozoAndJoe, action));
}
// ----------------------------------------------------------------------
// Other tests
// ----------------------------------------------------------------------
@Test
public void dataPropSubjectIsNotInfoResource() {
action = new AddDataPropStmt(URI_PERMITTED_RESOURCE,
URI_PERMITTED_PREDICATE, "junk", null, null);
assertDecision(INCONCLUSIVE, policy.isAuthorized(idJoe, action));
}
@Test
public void objectPropNeitherSubjectOrObjectIsInfoResource() {
action = new AddObjectPropStmt(URI_PERMITTED_RESOURCE,
URI_PERMITTED_PREDICATE, URI_PERMITTED_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(idJoe, action));
}
// ----------------------------------------------------------------------
// helper methods
// ----------------------------------------------------------------------
private SelfEditing makeSelfEditingId(String uri) {
IndividualImpl ind = new IndividualImpl();
ind.setURI(uri);
SelfEditing selfEditing = new SelfEditing(ind,
SelfEditingIdentifierFactory.NOT_BLACKLISTED);
return selfEditing;
private HasAssociatedIndividual makeSelfEditingId(String uri) {
return new HasAssociatedIndividual(uri, null);
}
private void assertDecision(Authorization expected, PolicyDecision decision) {