litvinovg/vitro
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

NIHVIVO-2254 Rewrite the role-based policies to use the PropertyRestrictionPolicyHelper.

Browse source
This commit is contained in:
j2blake 2011-04-06 19:11:14 +00:00
parent 835ffa3481
commit b0db5dd122
23 changed files with 1139 additions and 2364 deletions
Download patch file Download diff file Expand all files Collapse all files

5
webapp/config/web.xml
View file

@ -164,6 +164,11 @@
</listener-class> </listener-class>
</listener> </listener>
<listener>
<listener-class> edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper$Setup
</listener-class>
</listener>
<listener> <listener>
<listener-class> <listener-class>
edu.cornell.mannlib.vitro.webapp.controller.freemarker.FreemarkerSetup edu.cornell.mannlib.vitro.webapp.controller.freemarker.FreemarkerSetup

152
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/AdministrativeUriRestrictor.java
View file

@ -1,152 +0,0 @@
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
package edu.cornell.mannlib.vitro.webapp.auth.policy;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.hp.hpl.jena.rdf.model.impl.Util;
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
/**
* Used by several policies to disallow the modification of Vitro-reserved
* resources and/or properties.
*/
public class AdministrativeUriRestrictor {
private static final Log log = LogFactory
.getLog(AdministrativeUriRestrictor.class);
private static final String[] DEFAULT_PROHIBITED_PROPERTIES = {};
private static final String[] DEFAULT_PROHIBITED_RESOURCES = {};
private static final String[] DEFAULT_PROHIBITED_NAMESPACES = {
VitroVocabulary.vitroURI,
VitroVocabulary.OWL,
"" };
private static final String[] DEFAULT_EDITABLE_VITRO_URIS = {
VitroVocabulary.MONIKER,
VitroVocabulary.BLURB,
VitroVocabulary.DESCRIPTION,
VitroVocabulary.MODTIME,
VitroVocabulary.TIMEKEY,
VitroVocabulary.CITATION,
VitroVocabulary.IND_MAIN_IMAGE,
VitroVocabulary.LINK,
VitroVocabulary.PRIMARY_LINK,
VitroVocabulary.ADDITIONAL_LINK,
VitroVocabulary.LINK_ANCHOR,
VitroVocabulary.LINK_URL,
VitroVocabulary.KEYWORD_INDIVIDUALRELATION,
VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESKEYWORD,
VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESINDIVIDUAL,
VitroVocabulary.KEYWORD_INDIVIDUALRELATION_MODE };
/**
* Namespaces from which Self Editors should not be able to use resources.
*/
private final Set<String> prohibitedNamespaces;
/**
* URIs of properties that SelfEditors should not be able to use in
* statements
*/
protected final Set<String> prohibitedProperties;
/**
* URIs of resources that SelfEditors should not be able to use in
* statements
*/
protected final Set<String> prohibitedResources;
/**
* URIs of properties from prohibited namespaces that Self Editors need to
* be able to edit
*/
protected final Set<String> editableVitroUris;
public AdministrativeUriRestrictor(Set<String> prohibitedProperties,
Set<String> prohibitedResources, Set<String> prohibitedNamespaces,
Set<String> editableVitroUris) {
this.prohibitedProperties = useDefaultIfNull(prohibitedProperties,
DEFAULT_PROHIBITED_PROPERTIES);
this.prohibitedResources = useDefaultIfNull(prohibitedResources,
DEFAULT_PROHIBITED_RESOURCES);
this.prohibitedNamespaces = useDefaultIfNull(prohibitedNamespaces,
DEFAULT_PROHIBITED_NAMESPACES);
this.editableVitroUris = useDefaultIfNull(editableVitroUris,
DEFAULT_EDITABLE_VITRO_URIS);
}
private Set<String> useDefaultIfNull(Set<String> valueSet,
String[] defaultArray) {
Collection<String> strings = (valueSet == null) ? Arrays
.asList(defaultArray) : valueSet;
return Collections.unmodifiableSet(new HashSet<String>(strings));
}
public boolean canModifyResource(String uri) {
if (uri == null || uri.length() == 0) {
log.debug("Resource URI is empty: " + uri);
return false;
}
if (editableVitroUris.contains(uri)) {
log.debug("Resource matches an editable URI: " + uri);
return true;
}
String namespace = uri.substring(0, Util.splitNamespace(uri));
if (prohibitedNamespaces.contains(namespace)) {
log.debug("Resource matches a prohibited namespace: " + uri);
return false;
}
log.debug("Resource is not prohibited: " + uri);
return true;
}
public boolean canModifyPredicate(String uri) {
if (uri == null || uri.length() == 0) {
log.debug("Predicate URI is empty: " + uri);
return false;
}
if (prohibitedProperties.contains(uri)) {
log.debug("Predicate matches a prohibited predicate: " + uri);
return false;
}
if (editableVitroUris.contains(uri)) {
return true;
}
String namespace = uri.substring(0, Util.splitNamespace(uri));
if (prohibitedNamespaces.contains(namespace)) {
log.debug("Predicate matches a prohibited namespace: " + uri);
return false;
}
return true;
}
@Override
public String toString() {
return "AdministrativeUriRestrictor[prohibitedNamespaces="
+ prohibitedNamespaces + ", prohibitedProperties="
+ prohibitedProperties + ", prohibitedResources="
+ prohibitedResources + ", editableVitroUris="
+ editableVitroUris + "]";
}
}

21
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/BaseSelfEditingPolicy.java
View file

@ -5,16 +5,37 @@ package edu.cornell.mannlib.vitro.webapp.auth.policy;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import javax.servlet.ServletContext;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier; import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle; import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory.SelfEditing; import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory.SelfEditing;
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
/** /**
* A base class with utility methods for policies involving self-editing. * A base class with utility methods for policies involving self-editing.
*/ */
public abstract class BaseSelfEditingPolicy { public abstract class BaseSelfEditingPolicy {
protected final ServletContext ctx;
protected final RoleLevel roleLevel;
public BaseSelfEditingPolicy(ServletContext ctx, RoleLevel roleLevel) {
this.ctx = ctx;
this.roleLevel = roleLevel;
}
protected boolean canModifyResource(String uri) {
return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyResource(
uri, roleLevel);
}
protected boolean canModifyPredicate(String uri) {
return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyPredicate(
uri, roleLevel);
}
protected List<String> getUrisOfSelfEditor(IdentifierBundle ids) { protected List<String> getUrisOfSelfEditor(IdentifierBundle ids) {
List<String> uris = new ArrayList<String>(); List<String> uris = new ArrayList<String>();

556
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/CuratorEditingPolicy.java
View file

@ -2,432 +2,172 @@
package edu.cornell.mannlib.vitro.webapp.auth.policy; package edu.cornell.mannlib.vitro.webapp.auth.policy;
import java.util.Collections; import javax.servlet.ServletContext;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.hp.hpl.jena.rdf.model.impl.Util;
import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.CuratorEditingIdentifierFactory; import edu.cornell.mannlib.vitro.webapp.auth.identifier.CuratorEditingIdentifierFactory;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier; import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle; import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.VisitingPolicyIface; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.AddNewUser;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.LoadOntology;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.RebuildTextIndex;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.RemoveUser;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.ServerStatus;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.UpdateTextIndex;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.UploadFile;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.AdminRequestedAction; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.AdminRequestedAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.OntoRequestedAction; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.OntoRequestedAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.CreateOwlClass; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.DefineDataProperty; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.DefineObjectProperty;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.RemoveOwlClass;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropDataPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropDataPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditDataPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditDataPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditObjPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditObjPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AbstractResourceAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AddResource; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AddResource;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.DropResource; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.DropResource;
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary; import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
/** /**
* Policy to use for Vivo Curator-Editing for use at Cornell. * Policy to use for Vivo Curator-Editing for use at Cornell. All methods in
* All methods in this class should be thread safe * this class should be thread safe and side effect free.
* and side effect free.
*/ */
public class CuratorEditingPolicy implements VisitingPolicyIface { public class CuratorEditingPolicy implements PolicyIface {
protected static Log log = LogFactory.getLog( CuratorEditingPolicy.class ); private final ServletContext ctx;
/** regex for extracting a namespace from a URI */ public CuratorEditingPolicy(ServletContext ctx) {
// Do not use this; use Jena's splitNamespace() util instead. this.ctx = ctx;
//private Pattern ns = Pattern.compile("([^#]*#)[^#]*"); }
/** /**
* Namespaces from which Curator Editors should not be able to use resources. * Indicates which Authorization to use when the user isn't explicitly
*/ * authorized.
private Set<String> prohibitedNs; */
private PolicyDecision defaultDecision(String message) {
/** URIs of properties that CuratorEditors should not be able to use in statements*/ return new BasicPolicyDecision(Authorization.INCONCLUSIVE, message);
protected Set<String>prohibitedProperties; }
/** URIs of resources that CuratorEditors should not be able to use in statements*/ @Override
protected Set<String>prohibitedResources; public PolicyDecision isAuthorized(IdentifierBundle whomToAuth,
RequestedAction whatToAuth) {
/** Indicates which Authorization to use when the user isn't explicitly authorized. */ if (whomToAuth == null) {
protected Authorization defaultFailure = Authorization.INCONCLUSIVE; return defaultDecision("whomToAuth was null");
}
/** URIs of properties from prohibited namespaces that Curator Editors need to be if (whatToAuth == null) {
* able to edit */ return defaultDecision("whatToAuth was null");
protected Set<String> editableVitroUris; }
public CuratorEditingPolicy( if (!isCurator(whomToAuth)) {
Set<String>prohibitedProperties, return defaultDecision("IdBundle does not include a Curator identifier");
Set<String>prohibitedResources, }
Set<String>prohibitedNamespaces,
Set<String>editableVitroUris ){ if (whatToAuth instanceof OntoRequestedAction) {
return defaultDecision("CuratorEditingPolicy doesn't authorize OntoRequestedActions");
if( prohibitedProperties != null ) } else if (whatToAuth instanceof AdminRequestedAction) {
this.prohibitedProperties = prohibitedProperties; return defaultDecision("CuratorEditingPolicy doesn't authorize AdminRequestedActions");
else }
this.prohibitedProperties = Collections.EMPTY_SET;
if (whatToAuth instanceof AddDataPropStmt) {
if( prohibitedResources != null ) return isAuthorized((AddDataPropStmt) whatToAuth);
this.prohibitedResources = prohibitedResources; } else if (whatToAuth instanceof DropDataPropStmt) {
else return isAuthorized((DropDataPropStmt) whatToAuth);
this.prohibitedResources = Collections.EMPTY_SET; } else if (whatToAuth instanceof EditDataPropStmt) {
return isAuthorized((EditDataPropStmt) whatToAuth);
if( prohibitedNamespaces != null ) } else if (whatToAuth instanceof AddObjectPropStmt) {
this.prohibitedNs = prohibitedNamespaces; return isAuthorized((AddObjectPropStmt) whatToAuth);
else{ } else if (whatToAuth instanceof DropObjectPropStmt) {
prohibitedNs = new HashSet<String>(); return isAuthorized((DropObjectPropStmt) whatToAuth);
prohibitedNs.add( VitroVocabulary.vitroURI); } else if (whatToAuth instanceof EditObjPropStmt) {
prohibitedNs.add( VitroVocabulary.OWL ); return isAuthorized((EditObjPropStmt) whatToAuth);
prohibitedNs.add(""); } else if (whatToAuth instanceof AddResource) {
} return isAuthorized((AddResource) whatToAuth);
} else if (whatToAuth instanceof DropResource) {
if( editableVitroUris != null ) return isAuthorized((DropResource) whatToAuth);
this.editableVitroUris = editableVitroUris; } else {
else{ return defaultDecision("unrecognized requested action: "
this.editableVitroUris = new HashSet<String>(); + whatToAuth);
this.editableVitroUris.add(VitroVocabulary.MONIKER); }
this.editableVitroUris.add(VitroVocabulary.BLURB); }
this.editableVitroUris.add(VitroVocabulary.DESCRIPTION);
this.editableVitroUris.add(VitroVocabulary.MODTIME); private boolean isCurator(IdentifierBundle whomToAuth) {
this.editableVitroUris.add(VitroVocabulary.TIMEKEY); for (Identifier id : whomToAuth) {
if (id instanceof CuratorEditingIdentifierFactory.CuratorEditingId) {
this.editableVitroUris.add(VitroVocabulary.CITATION); return true;
this.editableVitroUris.add(VitroVocabulary.IND_MAIN_IMAGE); }
}
this.editableVitroUris.add(VitroVocabulary.LINK); return false;
this.editableVitroUris.add(VitroVocabulary.PRIMARY_LINK); }
this.editableVitroUris.add(VitroVocabulary.ADDITIONAL_LINK);
this.editableVitroUris.add(VitroVocabulary.LINK_ANCHOR); private boolean canModifyResource(String uri) {
this.editableVitroUris.add(VitroVocabulary.LINK_URL); return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyResource(
uri, RoleLevel.CURATOR);
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION); }
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESKEYWORD);
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESINDIVIDUAL); private boolean canModifyPredicate(String uri) {
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_MODE); return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyPredicate(
} uri, RoleLevel.CURATOR);
} }
public PolicyDecision isAuthorized(IdentifierBundle whomToAuth, RequestedAction whatToAuth) { /**
BasicPolicyDecision pd = new BasicPolicyDecision(this.defaultFailure,"not yet set"); * Check authorization for Adding, Editing or Dropping a DataProperty.
if( whomToAuth == null ) */
return pd.setMessage("whomToAuth was null"); private PolicyDecision isAuthorized(AbstractDataPropertyAction action) {
if(whatToAuth == null) if (!canModifyResource(action.getSubjectUri())) {
return pd.setMessage("whatToAuth was null"); return defaultDecision("CuratorEditingPolicy does not grant access to admin resources; "
+ "may not modify " + action.getSubjectUri());
String roleStr = getRoleOf(whomToAuth); }
if (roleStr == null)
return pd.setMessage("Unable to get a role for the curator from IdBundle"); if (!canModifyPredicate(action.getPredicateUri())) {
return defaultDecision("CuratorEditingPolicy does not grant access to admin predicates; "
try{ + "may not modify " + action.getPredicateUri());
if( Integer.parseInt( roleStr ) /*<*/ != LoginStatusBean.CURATOR) }
return pd.setMessage("CuratorEditingPolicy found role of "+roleStr+" but only authorizes for users logged in as CURATOR or higher");
}catch(NumberFormatException nef){} return new BasicPolicyDecision(Authorization.AUTHORIZED,
"CuratorEditingPolicy: user may modify '"
if (whatToAuth instanceof OntoRequestedAction) + action.getSubjectUri() + "' ==> '"
return pd.setMessage("CuratorEditingPolicy doesn't authorize OntoRequestedActions"); + action.getPredicateUri() + "'");
if (whatToAuth instanceof AdminRequestedAction) }
return pd.setMessage("CuratorEditingPolicy doesn't authorize AdminRequestedActions");
/**
//kick off the visitor pattern * Check authorization for Adding, Editing or Dropping an ObjectProperty.
return whatToAuth.accept(this, whomToAuth); */
} private PolicyDecision isAuthorized(AbstractObjectPropertyAction action) {
if (!canModifyResource(action.uriOfSubject)) {
return defaultDecision("CuratorEditingPolicy does not grant access to admin resources; "
protected String getRoleOf( IdentifierBundle whomToAuth) { + "may not modify " + action.uriOfSubject);
if( whomToAuth == null ) return null; }
for(Identifier id : whomToAuth){ if (!canModifyPredicate(action.uriOfPredicate)) {
if (id instanceof CuratorEditingIdentifierFactory.CuratorEditingId) { return defaultDecision("CuratorEditingPolicy does not grant access to admin predicates; "
return ((CuratorEditingIdentifierFactory.CuratorEditingId)id).getRole(); + "may not modify " + action.uriOfPredicate);
} }
}
return null; if (!canModifyResource(action.uriOfObject)) {
} return defaultDecision("CuratorEditingPolicy does not grant access to admin resources; "
+ "may not modify " + action.uriOfObject);
protected boolean canModifyResource(String uri){ }
if( uri == null || uri.length() == 0 )
return false; return new BasicPolicyDecision(Authorization.AUTHORIZED,
"CuratorEditingPolicy: user may modify '" + action.uriOfSubject
if( editableVitroUris.contains( uri ) ) + "' ==> '" + action.uriOfPredicate + "' ==> '"
return true; + action.uriOfObject + "'");
}
String namespace = uri.substring(0, Util.splitNamespace(uri));
//Matcher match = ns.matcher(uri); /**
//if( match.matches() && match.groupCount() > 0){ * Check authorization for Adding or Dropping a Resource.
// String namespace = match.group(1); */
if( prohibitedNs.contains( namespace ) ) { private PolicyDecision isAuthorized(AbstractResourceAction action) {
log.debug("The uri "+uri+" represents a resource that cannot be modified because it matches a prohibited namespace"); if (!canModifyResource(action.getSubjectUri())) {
return false; return defaultDecision("CuratorEditingPolicy does not grant access to admin resources; "
} + "may not modify " + action.getSubjectUri());
//} }
return true;
} return new BasicPolicyDecision(Authorization.AUTHORIZED,
"CuratorEditingPolicy: may add or remove resource: "
+ action.getSubjectUri());
protected boolean canModifyPredicate(String uri){ }
if( uri == null || uri.length() == 0 )
return false; @Override
public String toString() {
if( editableVitroUris.contains( uri ) ) return "CuratorEditingPolicy - " + hashCode();
return true; }
if( prohibitedProperties.contains(uri)) {
log.debug("The uri "+uri+" represents a predicate that cannot be modified because it is on a list of properties prohibited from curator editing");
return false;
}
String namespace = uri.substring(0, Util.splitNamespace(uri));
//Matcher match = ns.matcher(uri);
//if( match.matches() && match.groupCount() > 0){
// String namespace = match.group(1);
if( prohibitedNs.contains( namespace ) ) {
log.debug("The uri "+uri+" represents a predicate that cannot be modified because it matches a prohibited namespace");
return false;
}
//}
return true;
}
public PolicyDecision visit(IdentifierBundle ids, AddObjectPropStmt action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy, null action or ids");
//cannot edit resources related to system
if( !canModifyResource( action.uriOfObject ) )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfObject);
if( !canModifyResource( action.uriOfSubject ) )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfSubject);
if( !canModifyPredicate( action.uriOfPredicate ) )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin predicates; " +
"cannot modify " + action.uriOfPredicate);
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: user can edit allowed properties of anybody");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, DropResource action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy, null action or ids");
if( prohibitedNs.contains( action.getSubjectUri() ) )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not removal of admin resources");
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: may remove resource");
}
public PolicyDecision visit(IdentifierBundle ids, AddResource action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy, null action or ids");
if( prohibitedNs.contains( action.getSubjectUri() ) )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not allow creation of admin resources");
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: may add resource");
}
public PolicyDecision visit(IdentifierBundle ids, DropDataPropStmt action) {
if( ids == null || action == null ) {
log.debug("CuratorEditingPolicy for DropDataPropStmt is inconclusive because the test has null action or ids");
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy, null action or ids");
}
//cannot edit resources related to system
if( prohibitedNs.contains( action.getSubjectUri() ) ) { // jc55 was getResourceURI()
log.debug("CuratorEditingPolicy for DropDatapropStmt is inconclusive because it does not grant access to admin resources");
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources");
}
//many predicates are prohibited by namespace but there are many ones that curator editors need to work with
if( prohibitedNs.contains(action.getPredicateUri() ) && ! editableVitroUris.contains( action.getPredicateUri() ) ) {
log.debug("CuratorEditingPolicy for DropDatapropStmt is inconclusive because it does not grant access to admin controls");
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin controls");
}
//cannot edit resources related to system
if( !canModifyResource( action.getSubjectUri() ) ) {
log.debug("CuratorEditingPolicy for EditDatapropStmt action is inconclusive because it does not grant access to admin resources; cannot modify " + action.getSubjectUri());
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.getSubjectUri());
}
if( !canModifyPredicate( action.getPredicateUri() ) ) {
log.debug("CuratorEditingPolicy for EditDatapropStmt is inconclusive because it does not grant access to admin predicates; cannot modify " + action.getPredicateUri());
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin predicates; " +
"cannot modify " + action.getPredicateUri());
}
log.debug("CuratorEditingPolicy for DropDatapropStmt returns authorization because the user is a curator");
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: user is may drop data property statement");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, DropObjectPropStmt action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy, null action or ids");
//cannot edit resources related to system
if( !canModifyResource( action.uriOfObject ) )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfObject);
if( !canModifyResource( action.uriOfSubject ) )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfSubject);
if( !canModifyPredicate( action.uriOfPredicate ) )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin predicates; " +
"cannot modify " + action.uriOfPredicate);
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: user can edit any individual");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, AddDataPropStmt action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy, null action or ids");
//cannot edit resources related to system
if( prohibitedNs.contains( action.getSubjectUri() ) )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources");
//many predicates are prohibited by namespace but there are many ones that curator editors need to work with
if( prohibitedNs.contains(action.getPredicateUri() ) && ! editableVitroUris.contains( action.getPredicateUri() ) )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin controls");
if( !canModifyPredicate( action.getPredicateUri() ) ) {
log.debug("CuratorEditingPolicy for AddDataPropStmt does not grant access to prohibited predicates or certain namespaces: cannot modify " + action.getPredicateUri());
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy for AddDataPropStmt does not grant access to prohibited predicates or certain namespaces: " +
"cannot modify " + action.getPredicateUri());
}
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: user may add this data property statement");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, EditDataPropStmt action) {
if( ids == null || action == null ) {
log.debug("CuratorEditingPolicy for EditDataPropStmt is inconclusive because the test has null action or ids");
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy, null action or ids");
}
//cannot edit resources related to system
if( !canModifyResource( action.getSubjectUri() ) ) {
log.debug("CuratorEditingPolicy for EditDatapropStmt action is inconclusive because it does not grant access to admin resources; cannot modify " + action.getSubjectUri());
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.getSubjectUri());
}
if( !canModifyPredicate( action.getPredicateUri() ) ) {
log.debug("CuratorEditingPolicy for EditDataPropStmt does not grant access to prohibited predicates or certain namespaces: cannot modify " + action.getPredicateUri());
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy for EditDataPropStmt does not grant access to prohibited predicates or certain namespaces: " +
"cannot modify " + action.getPredicateUri());
}
log.debug("CuratorEditingPolicy for EditDatapropStmt returns authorization because the user is a curator");
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: user may edit data property statement");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, EditObjPropStmt action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy, null action or ids");
//cannot edit resources related to system
if( !canModifyResource( action.uriOfObject ) )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfObject);
if( !canModifyResource( action.uriOfSubject ) )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfSubject);
if( !canModifyPredicate( action.uriOfPredicate ) )
return new BasicPolicyDecision(this.defaultFailure,"CuratorEditingPolicy does not grant access to admin predicates; " +
"cannot modify " + action.uriOfPredicate);
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: user may edit any individual");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, UploadFile action) {
return new BasicPolicyDecision(Authorization.AUTHORIZED,"CuratorEditingPolicy: may upload files");
}
// *** the following actions are generally not part of curator editing *** //
public PolicyDecision visit(IdentifierBundle ids, AddNewUser action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, RemoveUser action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, LoadOntology action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, RebuildTextIndex action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, UpdateTextIndex action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, ServerStatus action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, CreateOwlClass action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, RemoveOwlClass action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, DefineDataProperty action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, DefineObjectProperty action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"CuratorEditingPolicy does not authorize administrative modifications");
}
public String toString(){
return "CuratorEditingPolicy " + hashCode()
+ " nspaces: " + prohibitedNs.size() + " prohibited Props: "
+ prohibitedProperties.size() + " prohibited resources: "
+ prohibitedResources.size();
}
} }

569
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/DbAdminEditingPolicy.java
View file

@ -2,445 +2,172 @@
package edu.cornell.mannlib.vitro.webapp.auth.policy; package edu.cornell.mannlib.vitro.webapp.auth.policy;
import java.util.Collections; import javax.servlet.ServletContext;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.hp.hpl.jena.rdf.model.impl.Util;
import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.DbAdminEditingIdentifierFactory; import edu.cornell.mannlib.vitro.webapp.auth.identifier.DbAdminEditingIdentifierFactory;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier; import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle; import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory; import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory.SelfEditing;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.VisitingPolicyIface; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.AddNewUser;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.LoadOntology;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.RebuildTextIndex;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.RemoveUser;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.ServerStatus;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.UpdateTextIndex;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.UploadFile;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.AdminRequestedAction; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.AdminRequestedAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.OntoRequestedAction; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.OntoRequestedAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.CreateOwlClass; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.DefineDataProperty; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.DefineObjectProperty;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.RemoveOwlClass;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropDataPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropDataPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditDataPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditDataPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditObjPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditObjPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AbstractResourceAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AddResource; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AddResource;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.DropResource; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.DropResource;
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary; import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
/** /**
* Policy to use for Vivo non-privileged but user accouunt-based editing * Policy to use for Vivo non-privileged but user accouunt-based editing All
* All methods in this class should be thread safe * methods in this class should be thread safe and side effect free.
* and side effect free.
*/ */
public class DbAdminEditingPolicy implements VisitingPolicyIface { public class DbAdminEditingPolicy implements PolicyIface {
protected static Log log = LogFactory.getLog( DbAdminEditingPolicy.class ); private final ServletContext ctx;
/** regex for extracting a namespace from a URI */ public DbAdminEditingPolicy(ServletContext ctx) {
// Do not use this; use Jena's splitNamespace() util instead. this.ctx = ctx;
//private Pattern ns = Pattern.compile("([^#]*#)[^#]*"); }
/** /**
* Namespaces from which DbAdmins should not be able to use resources. * Indicates which Authorization to use when the user isn't explicitly
*/ * authorized.
private Set<String> prohibitedNs; */
private PolicyDecision defaultDecision(String message) {
/** URIs of properties that DbAdmins should not be able to use in statements*/ return new BasicPolicyDecision(Authorization.INCONCLUSIVE, message);
protected Set<String>prohibitedProperties; }
/** URIs of resources that DbAdmins should not be able to use in statements*/ @Override
protected Set<String>prohibitedResources; public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
RequestedAction whatToAuth) {
/** Indicates which Authorization to use when the user isn't explicitly authorized. */ if (whoToAuth == null) {
protected Authorization defaultFailure = Authorization.INCONCLUSIVE; return defaultDecision("whomToAuth was null");
}
/** URIs of properties from prohibited namespaces that DbAdmins need to be if (whatToAuth == null) {
* able to edit */ return defaultDecision("whatToAuth was null");
protected Set<String> editableVitroUris; }
public DbAdminEditingPolicy( if (!isDba(whoToAuth)) {
Set<String>prohibitedProperties, return defaultDecision("IdBundle does not include a DbAdmin identifier");
Set<String>prohibitedResources, }
Set<String>prohibitedNamespaces,
Set<String>editableVitroUris ){ if (whatToAuth instanceof OntoRequestedAction) {
return defaultDecision("DbAdminEditingPolicy doesn't authorize OntoRequestedActions");
if( prohibitedProperties != null ) } else if (whatToAuth instanceof AdminRequestedAction) {
this.prohibitedProperties = prohibitedProperties; return defaultDecision("DbAdminEditingPolicy doesn't authorize AdminRequestedActions");
else }
this.prohibitedProperties = Collections.EMPTY_SET;
if (whatToAuth instanceof AddDataPropStmt) {
if( prohibitedResources != null ) return isAuthorized((AddDataPropStmt) whatToAuth);
this.prohibitedResources = prohibitedResources; } else if (whatToAuth instanceof DropDataPropStmt) {
else return isAuthorized((DropDataPropStmt) whatToAuth);
this.prohibitedResources = Collections.EMPTY_SET; } else if (whatToAuth instanceof EditDataPropStmt) {
return isAuthorized((EditDataPropStmt) whatToAuth);
if( prohibitedNamespaces != null ) } else if (whatToAuth instanceof AddObjectPropStmt) {
this.prohibitedNs = prohibitedNamespaces; return isAuthorized((AddObjectPropStmt) whatToAuth);
else{ } else if (whatToAuth instanceof DropObjectPropStmt) {
prohibitedNs = new HashSet<String>(); return isAuthorized((DropObjectPropStmt) whatToAuth);
prohibitedNs.add( VitroVocabulary.vitroURI); } else if (whatToAuth instanceof EditObjPropStmt) {
prohibitedNs.add( VitroVocabulary.OWL ); return isAuthorized((EditObjPropStmt) whatToAuth);
prohibitedNs.add(""); } else if (whatToAuth instanceof AddResource) {
} return isAuthorized((AddResource) whatToAuth);
} else if (whatToAuth instanceof DropResource) {
if( editableVitroUris != null ) return isAuthorized((DropResource) whatToAuth);
this.editableVitroUris = editableVitroUris; } else {
else{ return defaultDecision("unrecognized requested action: "
this.editableVitroUris = new HashSet<String>(); + whatToAuth);
this.editableVitroUris.add(VitroVocabulary.MONIKER); }
this.editableVitroUris.add(VitroVocabulary.BLURB); }
this.editableVitroUris.add(VitroVocabulary.DESCRIPTION);
this.editableVitroUris.add(VitroVocabulary.MODTIME); private boolean isDba(IdentifierBundle whomToAuth) {
this.editableVitroUris.add(VitroVocabulary.TIMEKEY); for (Identifier id : whomToAuth) {
if (id instanceof DbAdminEditingIdentifierFactory.DbAdminEditingId) {
this.editableVitroUris.add(VitroVocabulary.CITATION); return true;
this.editableVitroUris.add(VitroVocabulary.IND_MAIN_IMAGE); }
}
this.editableVitroUris.add(VitroVocabulary.LINK); return false;
this.editableVitroUris.add(VitroVocabulary.PRIMARY_LINK); }
this.editableVitroUris.add(VitroVocabulary.ADDITIONAL_LINK);
this.editableVitroUris.add(VitroVocabulary.LINK_ANCHOR); private boolean canModifyResource(String uri) {
this.editableVitroUris.add(VitroVocabulary.LINK_URL); return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyResource(
uri, RoleLevel.DB_ADMIN);
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION); }
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESKEYWORD);
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESINDIVIDUAL); private boolean canModifyPredicate(String uri) {
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_MODE); return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyPredicate(
} uri, RoleLevel.DB_ADMIN);
} }
public PolicyDecision isAuthorized(IdentifierBundle whoToAuth, RequestedAction whatToAuth) { /**
BasicPolicyDecision pd = new BasicPolicyDecision(this.defaultFailure,"not yet set"); * Check authorization for Adding, Editing or Dropping a DataProperty.
if( whoToAuth == null ) */
return pd.setMessage("whomToAuth was null"); private PolicyDecision isAuthorized(AbstractDataPropertyAction action) {
if(whatToAuth == null) if (!canModifyResource(action.getSubjectUri())) {
return pd.setMessage("whatToAuth was null"); return defaultDecision("DbAdminEditingPolicy does not grant access to admin resources; "
+ "may not modify " + action.getSubjectUri());
String roleStr = getRoleOf(whoToAuth); }
if (roleStr == null)
return pd.setMessage("Unable to get a role for the dbAdmin from IdBundle"); if (!canModifyPredicate(action.getPredicateUri())) {
return defaultDecision("DbAdminEditingPolicy does not grant access to admin predicates; "
try{ + "may not modify " + action.getPredicateUri());
if( Integer.parseInt( roleStr ) /*<*/ != LoginStatusBean.DBA) { }
return pd.setMessage("DbAdminEditingPolicy found role of "+roleStr+" and only authorizes for users logged in as DB_ADMIN");
} return new BasicPolicyDecision(Authorization.AUTHORIZED,
} catch(NumberFormatException nef){ "DbAdminEditingPolicy: user may modify '"
log.debug(nef,nef); + action.getSubjectUri() + "' ==> '"
} + action.getPredicateUri() + "'");
}
try{
SelfEditing sei = SelfEditingIdentifierFactory.getSelfEditingIdentifier(whoToAuth); /**
if( sei != null && sei.isFake() ){ * Check authorization for Adding, Editing or Dropping an ObjectProperty.
return pd.setMessage("DbAdminEditingPolicy will not authorize actions for a fake self editor"); */
} private PolicyDecision isAuthorized(AbstractObjectPropertyAction action) {
}catch( Exception e ){ if (!canModifyResource(action.uriOfSubject)) {
log.debug(e,e); return defaultDecision("DbAdminEditingPolicy does not grant access to admin resources; "
} + "may not modify " + action.uriOfSubject);
}
if (whatToAuth instanceof OntoRequestedAction)
return pd.setMessage("DbAdminEditingPolicy doesn't authorize OntoRequestedActions"); if (!canModifyPredicate(action.uriOfPredicate)) {
if (whatToAuth instanceof AdminRequestedAction) return defaultDecision("DbAdminEditingPolicy does not grant access to admin predicates; "
return pd.setMessage("DbAdminEditingPolicy doesn't authorize AdminRequestedActions"); + "may not modify " + action.uriOfPredicate);
}
//kick off the visitor pattern
return whatToAuth.accept(this, whoToAuth); if (!canModifyResource(action.uriOfObject)) {
} return defaultDecision("DbAdminEditingPolicy does not grant access to admin resources; "
+ "may not modify " + action.uriOfObject);
}
protected String getRoleOf( IdentifierBundle whomToAuth) {
if( whomToAuth == null ) return null; return new BasicPolicyDecision(Authorization.AUTHORIZED,
"DbAdminEditingPolicy: user may modify '" + action.uriOfSubject
for(Identifier id : whomToAuth){ + "' ==> '" + action.uriOfPredicate + "' ==> '"
if (id instanceof DbAdminEditingIdentifierFactory.DbAdminEditingId) { + action.uriOfObject + "'");
return ((DbAdminEditingIdentifierFactory.DbAdminEditingId)id).getRole(); }
}
} /**
return null; * Check authorization for Adding or Dropping a Resource.
} */
private PolicyDecision isAuthorized(AbstractResourceAction action) {
protected boolean canModifyResource(String uri){ if (!canModifyResource(action.getSubjectUri())) {
if( uri == null || uri.length() == 0 ) return defaultDecision("DbAdminEditingPolicy does not grant access to admin resources; "
return false; + "may not modify " + action.getSubjectUri());
}
if( editableVitroUris.contains( uri ) )
return true; return new BasicPolicyDecision(Authorization.AUTHORIZED,
"DbAdminEditingPolicy: may add or remove resource: "
String namespace = uri.substring(0, Util.splitNamespace(uri)); + action.getSubjectUri());
//Matcher match = ns.matcher(uri); }
//if( match.matches() && match.groupCount() > 0){
// String namespace = match.group(1); @Override
if( prohibitedNs.contains( namespace ) ) { public String toString() {
log.debug("The uri "+uri+" represents a resource that cannot be modified because it matches a prohibited namespace"); return "DbAdminEditingPolicy - " + hashCode();
return false; }
}
//}
return true;
}
protected boolean canModifyPredicate(String uri){
if( uri == null || uri.length() == 0 )
return false;
if( editableVitroUris.contains( uri ) ) // properties like moniker that are never (currently) set non-editable
return true;
if( prohibitedProperties.contains(uri)) {
log.debug("The uri "+uri+" represents a predicate that cannot be modified because it is on a list of properties prohibited from dbAdmin editing");
return false;
}
String namespace = uri.substring(0, Util.splitNamespace(uri));
//Matcher match = ns.matcher(uri);
//if( match.matches() && match.groupCount() > 0){
// String namespace = match.group(1);
if( prohibitedNs.contains( namespace ) ) {
log.debug("The uri "+uri+" represents a predicate that cannot be modified because it matches a prohibited namespace");
return false;
}
//}
return true;
}
public PolicyDecision visit(IdentifierBundle ids, AddObjectPropStmt action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy, null action or ids");
//cannot edit resources related to system
if( !canModifyResource( action.uriOfObject ) )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfObject);
if( !canModifyResource( action.uriOfSubject ) )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfSubject);
if( !canModifyPredicate( action.uriOfPredicate ) )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to prohibited predicates or certain namespaces: " +
"cannot modify " + action.uriOfPredicate);
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: user can edit allowed properties of anybody");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, DropResource action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy, null action or ids");
if( prohibitedNs.contains( action.getSubjectUri() ) )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not removal of admin resources");
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: may remove resource");
}
public PolicyDecision visit(IdentifierBundle ids, AddResource action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy, null action or ids");
if( prohibitedNs.contains( action.getSubjectUri() ) )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not allow creation of admin resources");
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: may add resource");
}
public PolicyDecision visit(IdentifierBundle ids, DropDataPropStmt action) {
if( ids == null || action == null ) {
log.debug("DbAdminEditingPolicy for DropDataPropStmt is inconclusive because the test has null action or ids");
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy, null action or ids");
}
//cannot edit resources related to system
if( prohibitedNs.contains( action.getSubjectUri() ) ) { // jc55 was getResourceURI()
log.debug("DbAdminEditingPolicy for DropDatapropStmt is inconclusive because it does not grant access to admin resources");
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources");
}
//many predicates are prohibited by namespace but there are many ones that dbAdmin editors need to work with
if( prohibitedNs.contains(action.getPredicateUri() ) && ! editableVitroUris.contains( action.getPredicateUri() ) ) {
log.debug("DbAdminEditingPolicy for DropDatapropStmt is inconclusive because it does not grant access to admin controls");
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin controls");
}
//cannot edit resources related to system
if( !canModifyResource( action.getSubjectUri() ) ) {
log.debug("DbAdminEditingPolicy for EditDatapropStmt action is inconclusive because it does not grant access to admin resources; cannot modify " + action.getSubjectUri());
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.getSubjectUri());
}
if( !canModifyPredicate( action.getPredicateUri() ) ) {
log.debug("DbAdminEditingPolicy does not grant access to prohibited predicates or certain namespaces: cannot modify " + action.getPredicateUri());
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to prohibited predicates or certain namespaces: " +
"cannot modify " + action.getPredicateUri());
}
log.debug("DbAdminEditingPolicy for DropDatapropStmt returns authorization because the user is a dbAdmin");
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: user is may drop data property statement");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, DropObjectPropStmt action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy, null action or ids");
//cannot edit resources related to system
if( !canModifyResource( action.uriOfObject ) )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfObject);
if( !canModifyResource( action.uriOfSubject ) )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfSubject);
if( !canModifyPredicate( action.uriOfPredicate ) )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to prohibited predicates or certain namespaces: " +
"cannot modify " + action.uriOfPredicate);
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: user can edit any individual");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, AddDataPropStmt action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy has null action or ids");
//cannot edit resources related to system
if( prohibitedNs.contains( action.getSubjectUri() ) )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources from prohibited namespaces");
//many predicates are prohibited by namespace but there are many ones that dbAdmin editors need to work with
if( prohibitedNs.contains(action.getPredicateUri() ) && ! editableVitroUris.contains( action.getPredicateUri() ) )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin controls");
if( !canModifyPredicate( action.getPredicateUri() ) ) {
log.debug("DbAdminEditingPolicy for AddDataPropStmt does not grant access to prohibited predicates or certain namespaces: cannot modify " + action.getPredicateUri());
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy for AddDataPropStmt does not grant access to prohibited predicates or certain namespaces: " +
"cannot modify " + action.getPredicateUri());
}
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: user may add this data property statement");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, EditDataPropStmt action) {
if( ids == null || action == null ) {
log.debug("DbAdminEditingPolicy for EditDataPropStmt is inconclusive because the test has null action or ids");
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy, null action or ids");
}
//cannot edit resources related to system
if( !canModifyResource( action.getSubjectUri() ) ) {
log.debug("DbAdminEditingPolicy for EditDatapropStmt action is inconclusive because it does not grant access to admin resources; cannot modify " + action.getSubjectUri());
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.getSubjectUri());
}
if( !canModifyPredicate( action.getPredicateUri() ) ) {
log.debug("DbAdminEditingPolicy for EditDataPropStmt does not grant access to prohibited predicates or certain namespaces: cannot modify " + action.getPredicateUri());
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy for EditDataPropStmt does not grant access to prohibited predicates or certain namespaces: " +
"cannot modify " + action.getPredicateUri());
}
log.debug("DbAdminEditingPolicy for EditDatapropStmt returns authorization because the user is a dbAdmin");
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: user may edit data property statement");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, EditObjPropStmt action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy, null action or ids");
//cannot edit resources related to system
if( !canModifyResource( action.uriOfObject ) )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfObject);
if( !canModifyResource( action.uriOfSubject ) )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfSubject);
if( !canModifyPredicate( action.uriOfPredicate ) )
return new BasicPolicyDecision(this.defaultFailure,"DbAdminEditingPolicy for EditObjPropStmt does not grant access to prohibited predicates or certain namespaces: " +
"cannot modify " + action.uriOfPredicate);
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: user may edit any individual");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, UploadFile action) {
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy: may upload files");
}
// *** the following actions are generally not part of dbAdmin editing *** //
public PolicyDecision visit(IdentifierBundle ids, AddNewUser action) {
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, RemoveUser action) {
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, LoadOntology action) {
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, RebuildTextIndex action) {
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, UpdateTextIndex action) {
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, ServerStatus action) {
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, CreateOwlClass action) {
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, RemoveOwlClass action) {
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, DefineDataProperty action) {
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, DefineObjectProperty action) {
return new BasicPolicyDecision(Authorization.AUTHORIZED,"DbAdminEditingPolicy does authorize administrative modifications");
}
public String toString(){
return "DbAdminEditingPolicy " + hashCode()
+ " nspaces: " + prohibitedNs.size() + " prohibited Props: "
+ prohibitedProperties.size() + " prohibited resources: "
+ prohibitedResources.size();
}
} }

556
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/EditorEditingPolicy.java
View file

@ -2,432 +2,172 @@
package edu.cornell.mannlib.vitro.webapp.auth.policy; package edu.cornell.mannlib.vitro.webapp.auth.policy;
import java.util.Collections; import javax.servlet.ServletContext;
import java.util.HashSet;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.hp.hpl.jena.rdf.model.impl.Util;
import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.EditorEditingIdentifierFactory; import edu.cornell.mannlib.vitro.webapp.auth.identifier.EditorEditingIdentifierFactory;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier; import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle; import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.VisitingPolicyIface; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.AddNewUser;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.LoadOntology;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.RebuildTextIndex;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.RemoveUser;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.ServerStatus;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.UpdateTextIndex;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.UploadFile;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.AdminRequestedAction; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.AdminRequestedAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.OntoRequestedAction; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.OntoRequestedAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.CreateOwlClass; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.DefineDataProperty; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.DefineObjectProperty;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.RemoveOwlClass;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropDataPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropDataPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditDataPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditDataPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditObjPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.EditObjPropStmt;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AbstractResourceAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AddResource; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AddResource;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.DropResource; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.DropResource;
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary; import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
/** /**
* Policy to use for Vivo non-privileged but user accouunt-based editing * Policy to use for Vivo non-privileged but user accouunt-based editing All
* All methods in this class should be thread safe * methods in this class should be thread safe and side effect free.
* and side effect free.
*/ */
public class EditorEditingPolicy implements VisitingPolicyIface{ public class EditorEditingPolicy implements PolicyIface {
protected static Log log = LogFactory.getLog( EditorEditingPolicy.class );
private final ServletContext ctx;
/** regex for extracting a namespace from a URI */
// Do not use this; use Jena's splitNamespace() util instead. public EditorEditingPolicy(ServletContext ctx) {
//private Pattern ns = Pattern.compile("([^#]*#)[^#]*"); this.ctx = ctx;
}
/**
* Namespaces from which Editors should not be able to use resources. /**
*/ * Indicates which Authorization to use when the user isn't explicitly
private Set<String> prohibitedNs; * authorized.
*/
/** URIs of properties that Editors should not be able to use in statements*/ private PolicyDecision defaultDecision(String message) {
protected Set<String>prohibitedProperties; return new BasicPolicyDecision(Authorization.INCONCLUSIVE, message);
}
/** URIs of resources that Editors should not be able to use in statements*/
protected Set<String>prohibitedResources; @Override
public PolicyDecision isAuthorized(IdentifierBundle whomToAuth,
/** Indicates which Authorization to use when the user isn't explicitly authorized. */ RequestedAction whatToAuth) {
protected Authorization defaultFailure = Authorization.INCONCLUSIVE; if (whomToAuth == null) {
return defaultDecision("whomToAuth was null");
/** URIs of properties from prohibited namespaces that Editors need to be }
* able to edit */ if (whatToAuth == null) {
protected Set<String> editableVitroUris; return defaultDecision("whatToAuth was null");
}
public EditorEditingPolicy( if (!isEditor(whomToAuth)) {
Set<String>prohibitedProperties, return defaultDecision("IdBundle does not include an Editor identifier");
Set<String>prohibitedResources, }
Set<String>prohibitedNamespaces,
Set<String>editableVitroUris ){ if (whatToAuth instanceof OntoRequestedAction) {
return defaultDecision("EditorEditingPolicy doesn't authorize OntoRequestedActions");
if( prohibitedProperties != null ) } else if (whatToAuth instanceof AdminRequestedAction) {
this.prohibitedProperties = prohibitedProperties; return defaultDecision("EditorEditingPolicy doesn't authorize AdminRequestedActions");
else }
this.prohibitedProperties = Collections.EMPTY_SET;
if (whatToAuth instanceof AddDataPropStmt) {
if( prohibitedResources != null ) return isAuthorized((AddDataPropStmt) whatToAuth);
this.prohibitedResources = prohibitedResources; } else if (whatToAuth instanceof DropDataPropStmt) {
else return isAuthorized((DropDataPropStmt) whatToAuth);
this.prohibitedResources = Collections.EMPTY_SET; } else if (whatToAuth instanceof EditDataPropStmt) {
return isAuthorized((EditDataPropStmt) whatToAuth);
if( prohibitedNamespaces != null ) } else if (whatToAuth instanceof AddObjectPropStmt) {
this.prohibitedNs = prohibitedNamespaces; return isAuthorized((AddObjectPropStmt) whatToAuth);
else{ } else if (whatToAuth instanceof DropObjectPropStmt) {
prohibitedNs = new HashSet<String>(); return isAuthorized((DropObjectPropStmt) whatToAuth);
prohibitedNs.add( VitroVocabulary.vitroURI); } else if (whatToAuth instanceof EditObjPropStmt) {
prohibitedNs.add( VitroVocabulary.OWL ); return isAuthorized((EditObjPropStmt) whatToAuth);
prohibitedNs.add(""); } else if (whatToAuth instanceof AddResource) {
} return isAuthorized((AddResource) whatToAuth);
} else if (whatToAuth instanceof DropResource) {
if( editableVitroUris != null ) return isAuthorized((DropResource) whatToAuth);
this.editableVitroUris = editableVitroUris; } else {
else{ return defaultDecision("unrecognized requested action: "
this.editableVitroUris = new HashSet<String>(); + whatToAuth);
this.editableVitroUris.add(VitroVocabulary.MONIKER); }
this.editableVitroUris.add(VitroVocabulary.BLURB); }
this.editableVitroUris.add(VitroVocabulary.DESCRIPTION);
this.editableVitroUris.add(VitroVocabulary.MODTIME); private boolean isEditor(IdentifierBundle whomToAuth) {
this.editableVitroUris.add(VitroVocabulary.TIMEKEY); for (Identifier id : whomToAuth) {
if (id instanceof EditorEditingIdentifierFactory.EditorEditingId) {
this.editableVitroUris.add(VitroVocabulary.CITATION); return true;
this.editableVitroUris.add(VitroVocabulary.IND_MAIN_IMAGE); }
}
this.editableVitroUris.add(VitroVocabulary.LINK); return false;
this.editableVitroUris.add(VitroVocabulary.PRIMARY_LINK); }
this.editableVitroUris.add(VitroVocabulary.ADDITIONAL_LINK);
this.editableVitroUris.add(VitroVocabulary.LINK_ANCHOR); private boolean canModifyResource(String uri) {
this.editableVitroUris.add(VitroVocabulary.LINK_URL); return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyResource(
uri, RoleLevel.EDITOR);
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION); }
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESKEYWORD);
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESINDIVIDUAL); private boolean canModifyPredicate(String uri) {
this.editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_MODE); return PropertyRestrictionPolicyHelper.getBean(ctx).canModifyPredicate(
} uri, RoleLevel.EDITOR);
} }
public PolicyDecision isAuthorized(IdentifierBundle whomToAuth, RequestedAction whatToAuth) { /**
BasicPolicyDecision pd = new BasicPolicyDecision(this.defaultFailure,"not yet set"); * Check authorization for Adding, Editing or Dropping a DataProperty.
if( whomToAuth == null ) */
return pd.setMessage("whomToAuth was null"); private PolicyDecision isAuthorized(AbstractDataPropertyAction action) {
if(whatToAuth == null) if (!canModifyResource(action.getSubjectUri())) {
return pd.setMessage("whatToAuth was null"); return defaultDecision("EditorEditingPolicy does not grant access to admin resources; "
+ "may not modify " + action.getSubjectUri());
String roleStr = getRoleOf(whomToAuth); }
if (roleStr == null)
return pd.setMessage("Unable to get a role for the editor from IdBundle"); if (!canModifyPredicate(action.getPredicateUri())) {
return defaultDecision("EditorEditingPolicy does not grant access to admin predicates; "
try{ + "may not modify " + action.getPredicateUri());
if( Integer.parseInt( roleStr ) /*<*/ != LoginStatusBean.EDITOR) }
return pd.setMessage("EditorEditingPolicy found role of "+roleStr+" but only authorizes for users logged in as EDITOR or higher");
}catch(NumberFormatException nef){} return new BasicPolicyDecision(Authorization.AUTHORIZED,
"EditorEditingPolicy: user may modify '"
if (whatToAuth instanceof OntoRequestedAction) + action.getSubjectUri() + "' ==> '"
return pd.setMessage("EditorEditingPolicy doesn't authorize OntoRequestedActions"); + action.getPredicateUri() + "'");
if (whatToAuth instanceof AdminRequestedAction) }
return pd.setMessage("EditorEditingPolicy doesn't authorize AdminRequestedActions");
/**
//kick off the visitor pattern * Check authorization for Adding, Editing or Dropping an ObjectProperty.
return whatToAuth.accept(this, whomToAuth); */
} private PolicyDecision isAuthorized(AbstractObjectPropertyAction action) {
if (!canModifyResource(action.uriOfSubject)) {
return defaultDecision("EditorEditingPolicy does not grant access to admin resources; "
protected String getRoleOf( IdentifierBundle whomToAuth) { + "may not modify " + action.uriOfSubject);
if( whomToAuth == null ) return null; }
for(Identifier id : whomToAuth){ if (!canModifyPredicate(action.uriOfPredicate)) {
if (id instanceof EditorEditingIdentifierFactory.EditorEditingId) { return defaultDecision("EditorEditingPolicy does not grant access to admin predicates; "
return ((EditorEditingIdentifierFactory.EditorEditingId)id).getRole(); + "may not modify " + action.uriOfPredicate);
} }
}
return null; if (!canModifyResource(action.uriOfObject)) {
} return defaultDecision("EditorEditingPolicy does not grant access to admin resources; "
+ "may not modify " + action.uriOfObject);
protected boolean canModifyResource(String uri){ }
if( uri == null || uri.length() == 0 )
return false; return new BasicPolicyDecision(Authorization.AUTHORIZED,
"EditorEditingPolicy: user may modify '" + action.uriOfSubject
if( editableVitroUris.contains( uri ) ) + "' ==> '" + action.uriOfPredicate + "' ==> '"
return true; + action.uriOfObject + "'");
}
String namespace = uri.substring(0, Util.splitNamespace(uri));
//Matcher match = ns.matcher(uri); /**
//if( match.matches() && match.groupCount() > 0){ * Check authorization for Adding or Dropping a Resource.
// String namespace = match.group(1); */
if( prohibitedNs.contains( namespace ) ) { private PolicyDecision isAuthorized(AbstractResourceAction action) {
log.debug("The uri "+uri+" represents a resource that cannot be modified because it matches a prohibited namespace"); if (!canModifyResource(action.getSubjectUri())) {
return false; return defaultDecision("EditorEditingPolicy does not grant access to admin resources; "
} + "may not modify " + action.getSubjectUri());
//} }
return true;
} return new BasicPolicyDecision(Authorization.AUTHORIZED,
"EditorEditingPolicy: may add or remove resource: "
+ action.getSubjectUri());
protected boolean canModifyPredicate(String uri){ }
if( uri == null || uri.length() == 0 )
return false; @Override
public String toString() {
if( editableVitroUris.contains( uri ) ) return "EditorEditingPolicy - " + hashCode();
return true; }
if( prohibitedProperties.contains(uri)) {
log.debug("The uri "+uri+" represents a predicate that cannot be modified because it is on a list of properties prohibited from editor editing");
return false;
}
String namespace = uri.substring(0, Util.splitNamespace(uri));
//Matcher match = ns.matcher(uri);
//if( match.matches() && match.groupCount() > 0){
// String namespace = match.group(1);
if( prohibitedNs.contains( namespace ) ) {
log.debug("The uri "+uri+" represents a predicate that cannot be modified because it matches a prohibited namespace");
return false;
}
//}
return true;
}
public PolicyDecision visit(IdentifierBundle ids, AddObjectPropStmt action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy, null action or ids");
//cannot edit resources related to system
if( !canModifyResource( action.uriOfObject ) )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfObject);
if( !canModifyResource( action.uriOfSubject ) )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfSubject);
if( !canModifyPredicate( action.uriOfPredicate ) )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin predicates; " +
"cannot modify " + action.uriOfPredicate);
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: user can edit allowed properties of anybody");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, DropResource action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy, null action or ids");
if( prohibitedNs.contains( action.getSubjectUri() ) )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not removal of admin resources");
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: may remove resource");
}
public PolicyDecision visit(IdentifierBundle ids, AddResource action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy, null action or ids");
if( prohibitedNs.contains( action.getSubjectUri() ) )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not allow creation of admin resources");
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: may add resource");
}
public PolicyDecision visit(IdentifierBundle ids, DropDataPropStmt action) {
if( ids == null || action == null ) {
log.debug("EditorEditingPolicy for DropDataPropStmt is inconclusive because the test has null action or ids");
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy, null action or ids");
}
//cannot edit resources related to system
if( prohibitedNs.contains( action.getSubjectUri() ) ) { // jc55 was getResourceURI()
log.debug("EditorEditingPolicy for DropDatapropStmt is inconclusive because it does not grant access to admin resources");
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources");
}
//many predicates are prohibited by namespace but there are many ones that editor editors need to work with
if( prohibitedNs.contains(action.getPredicateUri() ) && ! editableVitroUris.contains( action.getPredicateUri() ) ) {
log.debug("EditorEditingPolicy for DropDatapropStmt is inconclusive because it does not grant access to admin controls");
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin controls");
}
//cannot edit resources related to system
if( !canModifyResource( action.getSubjectUri() ) ) {
log.debug("EditorEditingPolicy for EditDatapropStmt action is inconclusive because it does not grant access to admin resources; cannot modify " + action.getSubjectUri());
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.getSubjectUri());
}
if( !canModifyPredicate( action.getPredicateUri() ) ) {
log.debug("EditorEditingPolicy for EditDatapropStmt is inconclusive because it does not grant access to admin predicates; cannot modify " + action.getPredicateUri());
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin predicates; " +
"cannot modify " + action.getPredicateUri());
}
log.debug("EditorEditingPolicy for DropDatapropStmt returns authorization because the user is a editor");
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: user is may drop data property statement");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, DropObjectPropStmt action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy, null action or ids");
//cannot edit resources related to system
if( !canModifyResource( action.uriOfObject ) )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfObject);
if( !canModifyResource( action.uriOfSubject ) )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfSubject);
if( !canModifyPredicate( action.uriOfPredicate ) )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin predicates; " +
"cannot modify " + action.uriOfPredicate);
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: user can edit any individual");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, AddDataPropStmt action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy, null action or ids");
//cannot edit resources related to system
if( prohibitedNs.contains( action.getSubjectUri() ) )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources");
//many predicates are prohibited by namespace but there are many ones that editor editors need to work with
if( prohibitedNs.contains(action.getPredicateUri() ) && ! editableVitroUris.contains( action.getPredicateUri() ) )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin controls");
if( !canModifyPredicate( action.getPredicateUri() ) ) {
log.debug("EditorEditingPolicy for AddDataPropStmt does not grant access to prohibited predicates or certain namespaces: cannot modify " + action.getPredicateUri());
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy for AddDataPropStmt does not grant access to prohibited predicates or certain namespaces: " +
"cannot modify " + action.getPredicateUri());
}
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: user may add this data property statement");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, EditDataPropStmt action) {
if( ids == null || action == null ) {
log.debug("EditorEditingPolicy for EditDataPropStmt is inconclusive because the test has null action or ids");
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy, null action or ids");
}
//cannot edit resources related to system
if( !canModifyResource( action.getSubjectUri() ) ) {
log.debug("EditorEditingPolicy for EditDatapropStmt action is inconclusive because it does not grant access to admin resources; cannot modify " + action.getSubjectUri());
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.getSubjectUri());
}
if( !canModifyPredicate( action.getPredicateUri() ) ) {
log.debug("EditorEditingPolicy for EditDataPropStmt does not grant access to prohibited predicates or certain namespaces: cannot modify " + action.getPredicateUri());
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy for EditDataPropStmt does not grant access to prohibited predicates or certain namespaces: " +
"cannot modify " + action.getPredicateUri());
}
log.debug("EditorEditingPolicy for EditDatapropStmt returns authorization because the user is a editor");
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: user may edit data property statement");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, EditObjPropStmt action) {
if( ids == null || action == null )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy, null action or ids");
//cannot edit resources related to system
if( !canModifyResource( action.uriOfObject ) )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfObject);
if( !canModifyResource( action.uriOfSubject ) )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin resources; " +
"cannot modify " + action.uriOfSubject);
if( !canModifyPredicate( action.uriOfPredicate ) )
return new BasicPolicyDecision(this.defaultFailure,"EditorEditingPolicy does not grant access to admin predicates; " +
"cannot modify " + action.uriOfPredicate);
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: user may edit any individual");
/* see SelfEditingPolicy for examples of any individual-based policy decisions */
}
public PolicyDecision visit(IdentifierBundle ids, UploadFile action) {
return new BasicPolicyDecision(Authorization.AUTHORIZED,"EditorEditingPolicy: may upload files");
}
// *** the following actions are generally not part of editor editing *** //
public PolicyDecision visit(IdentifierBundle ids, AddNewUser action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, RemoveUser action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, LoadOntology action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, RebuildTextIndex action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, UpdateTextIndex action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, ServerStatus action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, CreateOwlClass action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, RemoveOwlClass action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, DefineDataProperty action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
}
public PolicyDecision visit(IdentifierBundle ids, DefineObjectProperty action) {
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"EditorEditingPolicy does not authorize administrative modifications");
}
public String toString(){
return "EditorEditingPolicy " + hashCode()
+ " nspaces: " + prohibitedNs.size() + " prohibited Props: "
+ prohibitedProperties.size() + " prohibited resources: "
+ prohibitedResources.size();
}
} }

49
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/InformationResourceEditingPolicy.java
View file

@ -5,6 +5,8 @@ package edu.cornell.mannlib.vitro.webapp.auth.policy;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
import javax.servlet.ServletContext;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
@ -23,6 +25,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyAction; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyAction; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyAction;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary; import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
/** /**
@ -44,12 +47,10 @@ public class InformationResourceEditingPolicy extends BaseSelfEditingPolicy
+ "linkedAuthor"; + "linkedAuthor";
private final OntModel model; private final OntModel model;
private final AdministrativeUriRestrictor restrictor;
public InformationResourceEditingPolicy(OntModel model, public InformationResourceEditingPolicy(ServletContext ctx, OntModel model) {
AdministrativeUriRestrictor restrictor) { super(ctx, RoleLevel.SELF);
this.model = model; this.model = model;
this.restrictor = restrictor;
} }
@Override @Override
@ -91,10 +92,10 @@ public class InformationResourceEditingPolicy extends BaseSelfEditingPolicy
String subject = action.getSubjectUri(); String subject = action.getSubjectUri();
String predicate = action.getPredicateUri(); String predicate = action.getPredicateUri();
if (!restrictor.canModifyResource(subject)) { if (!canModifyResource(subject)) {
return cantModifyResource(subject); return cantModifyResource(subject);
} }
if (!restrictor.canModifyPredicate(predicate)) { if (!canModifyPredicate(predicate)) {
return cantModifyPredicate(predicate); return cantModifyPredicate(predicate);
} }
@ -120,13 +121,13 @@ public class InformationResourceEditingPolicy extends BaseSelfEditingPolicy
String predicate = action.getUriOfPredicate(); String predicate = action.getUriOfPredicate();
String object = action.getUriOfObject(); String object = action.getUriOfObject();
if (!restrictor.canModifyResource(subject)) { if (!canModifyResource(subject)) {
return cantModifyResource(subject); return cantModifyResource(subject);
} }
if (!restrictor.canModifyPredicate(predicate)) { if (!canModifyPredicate(predicate)) {
return cantModifyPredicate(predicate); return cantModifyPredicate(predicate);
} }
if (!restrictor.canModifyResource(object)) { if (!canModifyResource(object)) {
return cantModifyResource(object); return cantModifyResource(object);
} }
@ -286,34 +287,4 @@ public class InformationResourceEditingPolicy extends BaseSelfEditingPolicy
private PolicyDecision authorizedObjectAuthor() { private PolicyDecision authorizedObjectAuthor() {
return authorizedDecision("User is author of the object of the statement"); return authorizedDecision("User is author of the object of the statement");
} }
/**
* TODO
*
* <pre>
* We don't need to do resource operations.
*
* We can do data or object property operations
* if not restricted
* if the subject or object is an information resource
* if that information resource has an author or editor who is an active self-editor.
* </pre>
*/
/**
* TODO
*
* <pre>
* If the request is an object property operation
*
* Check restrictions. If restricted, we are done.
* Get the URIs of self-editors identifiers. If none, we are done.
* Get the list of editors and authors for this document. Is
* Get the list of information resources that these self-editors author or edit.
* If subject or object is in that set, approve.
*
* If the request is a data property operations, same except there is no object.
* </pre>
*/
} }

35
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/SelfEditingPolicy.java
View file

@ -3,12 +3,8 @@
package edu.cornell.mannlib.vitro.webapp.auth.policy; package edu.cornell.mannlib.vitro.webapp.auth.policy;
import java.util.List; import java.util.List;
import java.util.Set;
import org.apache.commons.logging.Log; import javax.servlet.ServletContext;
import org.apache.commons.logging.LogFactory;
import com.hp.hpl.jena.ontology.OntModel;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle; import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
@ -17,6 +13,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAct
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyAction; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractDataPropertyAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyAction; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AbstractObjectPropertyAction;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AbstractResourceAction; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AbstractResourceAction;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
/** /**
* Policy to use for Vivo Self-Editing based on NetId for use at Cornell. All * Policy to use for Vivo Self-Editing based on NetId for use at Cornell. All
@ -24,19 +21,11 @@ import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AbstractRe
*/ */
public class SelfEditingPolicy extends BaseSelfEditingPolicy implements public class SelfEditingPolicy extends BaseSelfEditingPolicy implements
PolicyIface { PolicyIface {
protected static Log log = LogFactory.getLog(SelfEditingPolicy.class); public SelfEditingPolicy(ServletContext ctx) {
super(ctx, RoleLevel.SELF);
protected final OntModel model;
private final AdministrativeUriRestrictor restrictor;
public SelfEditingPolicy(Set<String> prohibitedProperties,
Set<String> prohibitedResources, Set<String> prohibitedNamespaces,
Set<String> editableVitroUris, OntModel model) {
this.model = model;
this.restrictor = new AdministrativeUriRestrictor(prohibitedProperties,
prohibitedResources, prohibitedNamespaces, editableVitroUris);
} }
@Override
public PolicyDecision isAuthorized(IdentifierBundle whoToAuth, public PolicyDecision isAuthorized(IdentifierBundle whoToAuth,
RequestedAction whatToAuth) { RequestedAction whatToAuth) {
if (whoToAuth == null) { if (whoToAuth == null) {
@ -80,13 +69,13 @@ public class SelfEditingPolicy extends BaseSelfEditingPolicy implements
String predicate = action.getUriOfPredicate(); String predicate = action.getUriOfPredicate();
String object = action.getUriOfObject(); String object = action.getUriOfObject();
if (!restrictor.canModifyResource(subject)) { if (!canModifyResource(subject)) {
return cantModifyResource(subject); return cantModifyResource(subject);
} }
if (!restrictor.canModifyPredicate(predicate)) { if (!canModifyPredicate(predicate)) {
return cantModifyPredicate(predicate); return cantModifyPredicate(predicate);
} }
if (!restrictor.canModifyResource(object)) { if (!canModifyResource(object)) {
return cantModifyResource(object); return cantModifyResource(object);
} }
@ -106,10 +95,10 @@ public class SelfEditingPolicy extends BaseSelfEditingPolicy implements
String subject = action.getSubjectUri(); String subject = action.getSubjectUri();
String predicate = action.getPredicateUri(); String predicate = action.getPredicateUri();
if (!restrictor.canModifyResource(subject)) { if (!canModifyResource(subject)) {
return cantModifyResource(subject); return cantModifyResource(subject);
} }
if (!restrictor.canModifyPredicate(predicate)) { if (!canModifyPredicate(predicate)) {
return cantModifyPredicate(predicate); return cantModifyPredicate(predicate);
} }
@ -126,7 +115,7 @@ public class SelfEditingPolicy extends BaseSelfEditingPolicy implements
private PolicyDecision isAuthorizedForResourceAction( private PolicyDecision isAuthorizedForResourceAction(
AbstractResourceAction action) { AbstractResourceAction action) {
String uri = action.getSubjectUri(); String uri = action.getSubjectUri();
if (!restrictor.canModifyResource(uri)) { if (!canModifyResource(uri)) {
return cantModifyResource(uri); return cantModifyResource(uri);
} else { } else {
return authorizedDecision("May add/remove resource."); return authorizedDecision("May add/remove resource.");
@ -162,7 +151,7 @@ public class SelfEditingPolicy extends BaseSelfEditingPolicy implements
@Override @Override
public String toString() { public String toString() {
return "SelfEditingPolicy " + hashCode() + "[" + restrictor + "]"; return "SelfEditingPolicy - " + hashCode();
} }
} }

12
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionListener.java
View file

@ -11,8 +11,8 @@ import com.hp.hpl.jena.ontology.OntModel;
import edu.cornell.mannlib.vedit.beans.EditProcessObject; import edu.cornell.mannlib.vedit.beans.EditProcessObject;
import edu.cornell.mannlib.vedit.listener.ChangeListener; import edu.cornell.mannlib.vedit.listener.ChangeListener;
import edu.cornell.mannlib.vitro.webapp.beans.Property;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel; import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
import edu.cornell.mannlib.vitro.webapp.beans.Property;
/** /**
* Add this ChangeListener to your EditProcessObject when modifying the * Add this ChangeListener to your EditProcessObject when modifying the
@ -37,7 +37,7 @@ public class PropertyRestrictionListener implements ChangeListener {
Property p = (Property) oldObj; Property p = (Property) oldObj;
if (eitherRoleChanged(p.getHiddenFromDisplayBelowRoleLevel(), if (eitherRoleChanged(p.getHiddenFromDisplayBelowRoleLevel(),
p.getProhibitedFromUpdateBelowRoleLevel(), null, null)) { p.getProhibitedFromUpdateBelowRoleLevel(), null, null)) {
log.debug("replacing all prohibition policies after deletion"); log.debug("rebuilding the PropertyRestrictionPolicyHelper after deletion");
createAndSetBean(); createAndSetBean();
} }
} }
@ -51,7 +51,7 @@ public class PropertyRestrictionListener implements ChangeListener {
if (eitherRoleChanged(null, null, if (eitherRoleChanged(null, null,
p.getHiddenFromDisplayBelowRoleLevel(), p.getHiddenFromDisplayBelowRoleLevel(),
p.getProhibitedFromUpdateBelowRoleLevel())) { p.getProhibitedFromUpdateBelowRoleLevel())) {
log.debug("replacing all prohibition policies after insertion"); log.debug("rebuilding the PropertyRestrictionPolicyHelper after insertion");
createAndSetBean(); createAndSetBean();
} }
} }
@ -67,7 +67,7 @@ public class PropertyRestrictionListener implements ChangeListener {
oldP.getProhibitedFromUpdateBelowRoleLevel(), oldP.getProhibitedFromUpdateBelowRoleLevel(),
newP.getHiddenFromDisplayBelowRoleLevel(), newP.getHiddenFromDisplayBelowRoleLevel(),
newP.getProhibitedFromUpdateBelowRoleLevel())) { newP.getProhibitedFromUpdateBelowRoleLevel())) {
log.debug("replacing all prohibition policies after update"); log.debug("rebuilding the PropertyRestrictionPolicyHelper after update");
createAndSetBean(); createAndSetBean();
} }
} }
@ -91,6 +91,8 @@ public class PropertyRestrictionListener implements ChangeListener {
private void createAndSetBean() { private void createAndSetBean() {
OntModel model = (OntModel) ctx.getAttribute("jenaOntModel"); OntModel model = (OntModel) ctx.getAttribute("jenaOntModel");
PropertyRestrictionPolicyHelper.createAndSetBean(ctx, model); PropertyRestrictionPolicyHelper bean = PropertyRestrictionPolicyHelper
.createBean(model);
PropertyRestrictionPolicyHelper.setBean(ctx, bean);
} }
} }

125
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionPolicyHelper.java
View file

@ -2,12 +2,12 @@
package edu.cornell.mannlib.vitro.webapp.auth.policy.bean; package edu.cornell.mannlib.vitro.webapp.auth.policy.bean;
import java.util.Arrays;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import java.util.HashMap; import java.util.HashMap;
import java.util.HashSet; import java.util.HashSet;
import java.util.Map; import java.util.Map;
import java.util.Set;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent; import javax.servlet.ServletContextEvent;
@ -27,57 +27,49 @@ import com.hp.hpl.jena.shared.Lock;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel; import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary; import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
import edu.cornell.mannlib.vitro.webapp.servlet.setup.AbortStartup;
/** /**
* Assists the role-based policies in determining whether a property or resource * Assists the role-based policies in determining whether a property or resource
* may be displayed or modified. * may be displayed or modified.
*
* There is a bean in the context that holds the current threshold role levels
* for displaying and modifying restricted properties.
*
* Create this bean after the Jena model is in place in the context.
*
* Add PropertyRestrictionListener to your EditProcessObject if you are editing
* a property, to ensure that the bean stays current.
*/ */
public class PropertyRestrictionPolicyHelper { public class PropertyRestrictionPolicyHelper {
private static final Log log = LogFactory private static final Log log = LogFactory
.getLog(PropertyRestrictionPolicyHelper.class); .getLog(PropertyRestrictionPolicyHelper.class);
private static final Collection<String> PROHIBITED_NAMESPACES = setProhibitedNamespaces(); private static final Collection<String> PROHIBITED_NAMESPACES = Arrays
private static final Collection<String> PERMITTED_EXCEPTIONS = setPermittedExceptions(); .asList(new String[] { VitroVocabulary.vitroURI,
VitroVocabulary.OWL, "" });
private static Collection<String> setProhibitedNamespaces() { private static final Collection<String> PERMITTED_EXCEPTIONS = Arrays
Set<String> prohibitedNs = new HashSet<String>(); .asList(new String[] {
prohibitedNs.add(VitroVocabulary.vitroURI); VitroVocabulary.MONIKER,
prohibitedNs.add(VitroVocabulary.OWL); VitroVocabulary.BLURB,
prohibitedNs.add(""); VitroVocabulary.DESCRIPTION,
return Collections.unmodifiableSet(prohibitedNs); VitroVocabulary.MODTIME,
} VitroVocabulary.TIMEKEY,
private static Collection<String> setPermittedExceptions() { VitroVocabulary.CITATION,
Set<String> editableVitroUris = new HashSet<String>(); VitroVocabulary.IND_MAIN_IMAGE,
editableVitroUris.add(VitroVocabulary.MONIKER); VitroVocabulary.LINK,
editableVitroUris.add(VitroVocabulary.BLURB); VitroVocabulary.PRIMARY_LINK,
editableVitroUris.add(VitroVocabulary.DESCRIPTION); VitroVocabulary.ADDITIONAL_LINK,
editableVitroUris.add(VitroVocabulary.MODTIME); VitroVocabulary.LINK_ANCHOR,
editableVitroUris.add(VitroVocabulary.TIMEKEY); VitroVocabulary.LINK_URL,
editableVitroUris.add(VitroVocabulary.CITATION); VitroVocabulary.KEYWORD_INDIVIDUALRELATION,
editableVitroUris.add(VitroVocabulary.IND_MAIN_IMAGE); VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESKEYWORD,
VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESINDIVIDUAL,
editableVitroUris.add(VitroVocabulary.LINK); VitroVocabulary.KEYWORD_INDIVIDUALRELATION_MODE });
editableVitroUris.add(VitroVocabulary.PRIMARY_LINK);
editableVitroUris.add(VitroVocabulary.ADDITIONAL_LINK);
editableVitroUris.add(VitroVocabulary.LINK_ANCHOR);
editableVitroUris.add(VitroVocabulary.LINK_URL);
editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION);
editableVitroUris
.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESKEYWORD);
editableVitroUris
.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_INVOLVESINDIVIDUAL);
editableVitroUris.add(VitroVocabulary.KEYWORD_INDIVIDUALRELATION_MODE);
return Collections.unmodifiableSet(editableVitroUris);
}
// ----------------------------------------------------------------------
// static methods
// ----------------------------------------------------------------------
/** /**
* The bean is attached to the ServletContext using this attribute name. * The bean is attached to the ServletContext using this attribute name.
@ -85,6 +77,10 @@ public class PropertyRestrictionPolicyHelper {
private static final String ATTRIBUTE_NAME = PropertyRestrictionPolicyHelper.class private static final String ATTRIBUTE_NAME = PropertyRestrictionPolicyHelper.class
.getName(); .getName();
// ----------------------------------------------------------------------
// static methods
// ----------------------------------------------------------------------
public static PropertyRestrictionPolicyHelper getBean(ServletContext ctx) { public static PropertyRestrictionPolicyHelper getBean(ServletContext ctx) {
Object attribute = ctx.getAttribute(ATTRIBUTE_NAME); Object attribute = ctx.getAttribute(ATTRIBUTE_NAME);
if (!(attribute instanceof PropertyRestrictionPolicyHelper)) { if (!(attribute instanceof PropertyRestrictionPolicyHelper)) {
@ -98,11 +94,19 @@ public class PropertyRestrictionPolicyHelper {
ctx.removeAttribute(ATTRIBUTE_NAME); ctx.removeAttribute(ATTRIBUTE_NAME);
} }
public static void setBean(ServletContext ctx,
PropertyRestrictionPolicyHelper bean) {
if (bean == null) {
throw new NullPointerException("bean may not be null.");
}
ctx.setAttribute(ATTRIBUTE_NAME, bean);
}
/** /**
* Initialize the bean with the standard prohibitions and exceptions, and * Initialize the bean with the standard prohibitions and exceptions, and
* with the thresholds obtained from the model. * with the thresholds obtained from the model.
*/ */
public static void createAndSetBean(ServletContext ctx, OntModel model) { public static PropertyRestrictionPolicyHelper createBean(OntModel model) {
Map<String, RoleLevel> displayThresholdMap = new HashMap<String, RoleLevel>(); Map<String, RoleLevel> displayThresholdMap = new HashMap<String, RoleLevel>();
Map<String, RoleLevel> modifyThresholdMap = new HashMap<String, RoleLevel>(); Map<String, RoleLevel> modifyThresholdMap = new HashMap<String, RoleLevel>();
@ -119,12 +123,12 @@ public class PropertyRestrictionPolicyHelper {
PROHIBITED_NAMESPACES, PERMITTED_EXCEPTIONS, PROHIBITED_NAMESPACES, PERMITTED_EXCEPTIONS,
displayThresholdMap, modifyThresholdMap); displayThresholdMap, modifyThresholdMap);
ctx.setAttribute(ATTRIBUTE_NAME, bean); return bean;
} }
/** /**
* Find all the resources that possess this property, and map the resource * Find all the resources that possess this property, and map the resource
* URI to the require RoleLevel. * URI to the required RoleLevel.
*/ */
private static void populateThresholdMap(OntModel model, private static void populateThresholdMap(OntModel model,
Map<String, RoleLevel> map, String propertyUri) { Map<String, RoleLevel> map, String propertyUri) {
@ -167,22 +171,22 @@ public class PropertyRestrictionPolicyHelper {
private final Collection<String> modifyExceptionsAllowedUris; private final Collection<String> modifyExceptionsAllowedUris;
/** /**
* URIs in here can be displayed only if the user's role is at least as high * These URIs can be displayed only if the user's role is at least as high
* as the threshold role. * as the threshold role.
*/ */
private final Map<String, RoleLevel> displayThresholdMap; private final Map<String, RoleLevel> displayThresholdMap;
/** /**
* URIs in here can be modified only if the user's role is at least as high * These URIs can be modified only if the user's role is at least as high as
* as the threshold role. * the threshold role.
*/ */
private final Map<String, RoleLevel> modifyThresholdMap; private final Map<String, RoleLevel> modifyThresholdMap;
/** /**
* Store unmodifiable versions of the inputs. * Store unmodifiable versions of the inputs.
* *
* Protected access: should only be created by the static methods, or by * Protected access: the bean should only be created by the static methods,
* unit tests. * or by unit tests.
*/ */
protected PropertyRestrictionPolicyHelper( protected PropertyRestrictionPolicyHelper(
Collection<String> modifyProhibitedNamespaces, Collection<String> modifyProhibitedNamespaces,
@ -193,9 +197,9 @@ public class PropertyRestrictionPolicyHelper {
this.modifyExceptionsAllowedUris = unmodifiable(modifyExceptionsAllowedUris); this.modifyExceptionsAllowedUris = unmodifiable(modifyExceptionsAllowedUris);
this.displayThresholdMap = unmodifiable(displayThresholdMap); this.displayThresholdMap = unmodifiable(displayThresholdMap);
this.modifyThresholdMap = unmodifiable(modifyThresholdMap); this.modifyThresholdMap = unmodifiable(modifyThresholdMap);
if (log.isDebugEnabled()) { if (log.isDebugEnabled()) {
log.debug("prohibited namespaces: " + this.modifyProhibitedNamespaces); log.debug("prohibited: " + this.modifyProhibitedNamespaces);
log.debug("exceptions: " + this.modifyExceptionsAllowedUris); log.debug("exceptions: " + this.modifyExceptionsAllowedUris);
log.debug("display thresholds: " + this.displayThresholdMap); log.debug("display thresholds: " + this.displayThresholdMap);
log.debug("modify thresholds: " + this.modifyThresholdMap); log.debug("modify thresholds: " + this.modifyThresholdMap);
@ -347,8 +351,27 @@ public class PropertyRestrictionPolicyHelper {
@Override @Override
public void contextInitialized(ServletContextEvent sce) { public void contextInitialized(ServletContextEvent sce) {
ServletContext ctx = sce.getServletContext(); ServletContext ctx = sce.getServletContext();
OntModel model = (OntModel) ctx.getAttribute("jenaOntModel");
createAndSetBean(ctx, model); if (AbortStartup.isStartupAborted(ctx)) {
return;
}
try {
OntModel model = (OntModel) ctx.getAttribute("jenaOntModel");
if (model == null) {
throw new NullPointerException(
"jenaOntModel has not been initialized.");
}
PropertyRestrictionPolicyHelper bean = PropertyRestrictionPolicyHelper
.createBean(model);
PropertyRestrictionPolicyHelper.setBean(ctx, bean);
} catch (Exception e) {
log.error("could not run PropertyRestrictionPolicyHelper$Setup: "
+ e);
AbortStartup.abortStartup(ctx);
throw new RuntimeException(e);
}
} }
@Override @Override

112
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/CuratorEditingPolicySetup.java
View file

@ -2,10 +2,6 @@
package edu.cornell.mannlib.vitro.webapp.auth.policy.setup; package edu.cornell.mannlib.vitro.webapp.auth.policy.setup;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent; import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener; import javax.servlet.ServletContextListener;
@ -13,82 +9,54 @@ import javax.servlet.ServletContextListener;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import com.hp.hpl.jena.ontology.OntModel;
import com.hp.hpl.jena.rdf.model.Model;
import com.hp.hpl.jena.rdf.model.ResIterator;
import com.hp.hpl.jena.rdf.model.Resource;
import com.hp.hpl.jena.rdf.model.ResourceFactory;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories; import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.CuratorEditingIdentifierFactory; import edu.cornell.mannlib.vitro.webapp.auth.identifier.CuratorEditingIdentifierFactory;
import edu.cornell.mannlib.vitro.webapp.auth.policy.CuratorEditingPolicy; import edu.cornell.mannlib.vitro.webapp.auth.policy.CuratorEditingPolicy;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList; import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean; import edu.cornell.mannlib.vitro.webapp.servlet.setup.AbortStartup;
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
/** /**
* Sets up RoleBasedPolicy and IdentifierBundleFactory. * Sets up RoleBasedPolicy and IdentifierBundleFactory. This will cause the
* This will cause the vitro native login to add Identifiers that can * vitro native login to add Identifiers that can be used by the Auth system and
* be used by the Auth system and the in-line editing. * the in-line editing.
* *
* To use this add it as a listener to the web.xml. * To use this add it as a listener to the web.xml.
* *
* See RoleBasedPolicy.java * See RoleBasedPolicy.java
*
* @author bdc34
*
*/ */
public class CuratorEditingPolicySetup implements ServletContextListener { public class CuratorEditingPolicySetup implements ServletContextListener {
private static final Log log = LogFactory.getLog(CuratorEditingPolicySetup.class.getName()); private static final Log log = LogFactory
.getLog(CuratorEditingPolicySetup.class.getName());
@Override
@Override
public void contextInitialized(ServletContextEvent sce) { public void contextInitialized(ServletContextEvent sce) {
try{ ServletContext ctx = sce.getServletContext();
log.debug("Setting up CuratorEditingPolicy");
if (AbortStartup.isStartupAborted(ctx)) {
//need to make a policy and add it to the ServeltContext return;
OntModel model = (OntModel)sce.getServletContext().getAttribute("jenaOntModel"); }
CuratorEditingPolicy cep = makeCuratorEditPolicyFromModel(model);
ServletPolicyList.addPolicy(sce.getServletContext(), cep); try {
log.debug("Setting up CuratorEditingPolicy");
//need to put an IdentifierFactory for CuratorEditingIds into the ServletContext
ActiveIdentifierBundleFactories.addFactory(sce, new CuratorEditingIdentifierFactory()); // need to make a policy and add it to the ServletContext
CuratorEditingPolicy cep = new CuratorEditingPolicy(ctx);
log.debug( "Finished setting up CuratorEditingPolicy: " + cep ); ServletPolicyList.addPolicy(ctx, cep);
}catch(Exception e){
log.error("could not run CuratorEditingPolicySetup: " + e); // need to put an IdentifierFactory for CuratorEditingIds into the
e.printStackTrace(); // ServletContext
} ActiveIdentifierBundleFactories.addFactory(sce,
} new CuratorEditingIdentifierFactory());
@Override log.debug("Finished setting up CuratorEditingPolicy: " + cep);
public void contextDestroyed(ServletContextEvent sce) { /*nothing*/ } } catch (Exception e) {
log.error("could not run CuratorEditingPolicySetup: " + e);
public static CuratorEditingPolicy makeCuratorEditPolicyFromModel( Model model ){ AbortStartup.abortStartup(ctx);
CuratorEditingPolicy pol = null; throw new RuntimeException(e);
if( model == null ) }
pol = new CuratorEditingPolicy(null,null,null,null); }
else{
Set<String> prohibitedProps = new HashSet<String>(); @Override
//ResIterator it = model.listSubjectsWithProperty( model.createProperty( VitroVocabulary.PROPERTY_CURATOREDITPROHIBITEDANNOT ) ); public void contextDestroyed(ServletContextEvent sce) { /* nothing */
// need to iterate through one level higher than CURATOR (the higher of current 2 targeted levels) plus all higher levels }
for (BaseResourceBean.RoleLevel e : EnumSet.range(BaseResourceBean.RoleLevel.DB_ADMIN,BaseResourceBean.RoleLevel.NOBODY)) { }
ResIterator it = model.listSubjectsWithProperty( model.createProperty( VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT),ResourceFactory.createResource(e.getURI()));
while( it.hasNext() ){
Resource resource = it.nextResource();
if( resource != null && resource.getURI() != null ) {
log.debug("adding \""+resource.getURI()+"\" to properties prohibited from inline curator editing ("+e.getLabel()+")");
prohibitedProps.add( resource.getURI() );
}
}
}
pol = new CuratorEditingPolicy(prohibitedProps,null,null,null);
}
return pol;
}
public static void replaceCuratorEditing( ServletContext sc, Model model ){
ServletPolicyList.replacePolicy(sc, makeCuratorEditPolicyFromModel(model));
}
}

110
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/DbAdminEditingPolicySetup.java
View file

@ -2,9 +2,6 @@
package edu.cornell.mannlib.vitro.webapp.auth.policy.setup; package edu.cornell.mannlib.vitro.webapp.auth.policy.setup;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent; import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener; import javax.servlet.ServletContextListener;
@ -12,81 +9,54 @@ import javax.servlet.ServletContextListener;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import com.hp.hpl.jena.ontology.OntModel;
import com.hp.hpl.jena.rdf.model.Model;
import com.hp.hpl.jena.rdf.model.ResIterator;
import com.hp.hpl.jena.rdf.model.Resource;
import com.hp.hpl.jena.rdf.model.ResourceFactory;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories; import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.DbAdminEditingIdentifierFactory; import edu.cornell.mannlib.vitro.webapp.auth.identifier.DbAdminEditingIdentifierFactory;
import edu.cornell.mannlib.vitro.webapp.auth.policy.DbAdminEditingPolicy; import edu.cornell.mannlib.vitro.webapp.auth.policy.DbAdminEditingPolicy;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList; import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean; import edu.cornell.mannlib.vitro.webapp.servlet.setup.AbortStartup;
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
/** /**
* Sets up RoleBasedPolicy and IdentifierBundleFactory. * Sets up RoleBasedPolicy and IdentifierBundleFactory. This will cause the
* This will cause the vitro native login to add Identifiers that can * vitro native login to add Identifiers that can be used by the Auth system and
* be used by the Auth system and the in-line editing. * the in-line editing.
* *
* To use this add it as a listener to the web.xml. * To use this add it as a listener to the web.xml.
* *
* See RoleBasedPolicy.java * See RoleBasedPolicy.java
*
* @author bdc34
*
*/ */
public class DbAdminEditingPolicySetup implements ServletContextListener { public class DbAdminEditingPolicySetup implements ServletContextListener {
private static final Log log = LogFactory.getLog(DbAdminEditingPolicySetup.class.getName()); private static final Log log = LogFactory
.getLog(DbAdminEditingPolicySetup.class.getName());
@Override
@Override
public void contextInitialized(ServletContextEvent sce) { public void contextInitialized(ServletContextEvent sce) {
try{ ServletContext ctx = sce.getServletContext();
log.debug("Setting up DbAdminEditingPolicy");
if (AbortStartup.isStartupAborted(ctx)) {
//need to make a policy and add it to the ServeltContext return;
OntModel model = (OntModel)sce.getServletContext().getAttribute("jenaOntModel"); }
DbAdminEditingPolicy cep = makeDbAdminEditPolicyFromModel(model);
ServletPolicyList.addPolicy(sce.getServletContext(), cep); try {
log.debug("Setting up DbAdminEditingPolicy");
//need to put an IdentifierFactory for DbAdminEditingIds into the ServletContext
ActiveIdentifierBundleFactories.addFactory(sce, new DbAdminEditingIdentifierFactory()); // need to make a policy and add it to the ServletContext
DbAdminEditingPolicy dep = new DbAdminEditingPolicy(ctx);
log.debug( "Finished setting up DbAdminEditingPolicy: " + cep ); ServletPolicyList.addPolicy(ctx, dep);
}catch(Exception e){
log.error("could not run DbAdminEditingPolicySetup: " + e); // need to put an IdentifierFactory for DbAdminEditingIds into the
e.printStackTrace(); // ServletContext
} ActiveIdentifierBundleFactories.addFactory(sce,
} new DbAdminEditingIdentifierFactory());
@Override log.debug("Finished setting up DbAdminEditingPolicy: " + dep);
public void contextDestroyed(ServletContextEvent sce) { /*nothing*/ } } catch (Exception e) {
log.error("could not run DbAdminEditingPolicySetup: " + e);
public static DbAdminEditingPolicy makeDbAdminEditPolicyFromModel( Model model ){ AbortStartup.abortStartup(ctx);
DbAdminEditingPolicy pol = null; throw new RuntimeException(e);
if( model == null ) }
pol = new DbAdminEditingPolicy(null,null,null,null); }
else{
Set<String> prohibitedProps = new HashSet<String>(); @Override
// no need to iterate through any level higher than DB_ADMIN public void contextDestroyed(ServletContextEvent sce) { /* nothing */
//for (BaseResourceBean.RoleLevel e : EnumSet.range(BaseResourceBean.RoleLevel.NOBODY,BaseResourceBean.RoleLevel.NOBODY)) { }
BaseResourceBean.RoleLevel e = BaseResourceBean.RoleLevel.NOBODY; }
ResIterator it = model.listSubjectsWithProperty( model.createProperty( VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT),ResourceFactory.createResource(e.getURI()));
while( it.hasNext() ){
Resource resource = it.nextResource();
if( resource != null && resource.getURI() != null ) {
log.debug("adding \""+resource.getURI()+"\" to properties prohibited from dbAdmin editing ("+e.getLabel()+")");
prohibitedProps.add( resource.getURI() );
}
}
//}
pol = new DbAdminEditingPolicy(prohibitedProps,null,null,null);
}
return pol;
}
public static void replaceDbAdminEditing( ServletContext sc, Model model ){
ServletPolicyList.replacePolicy(sc, makeDbAdminEditPolicyFromModel(model));
}
}

110
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/EditorEditingPolicySetup.java
View file

@ -2,10 +2,6 @@
package edu.cornell.mannlib.vitro.webapp.auth.policy.setup; package edu.cornell.mannlib.vitro.webapp.auth.policy.setup;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent; import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener; import javax.servlet.ServletContextListener;
@ -13,80 +9,54 @@ import javax.servlet.ServletContextListener;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import com.hp.hpl.jena.ontology.OntModel;
import com.hp.hpl.jena.rdf.model.Model;
import com.hp.hpl.jena.rdf.model.ResIterator;
import com.hp.hpl.jena.rdf.model.Resource;
import com.hp.hpl.jena.rdf.model.ResourceFactory;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories; import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.EditorEditingIdentifierFactory; import edu.cornell.mannlib.vitro.webapp.auth.identifier.EditorEditingIdentifierFactory;
import edu.cornell.mannlib.vitro.webapp.auth.policy.EditorEditingPolicy; import edu.cornell.mannlib.vitro.webapp.auth.policy.EditorEditingPolicy;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList; import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean; import edu.cornell.mannlib.vitro.webapp.servlet.setup.AbortStartup;
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
/** /**
* Sets up RoleBasedPolicy and IdentifierBundleFactory. * Sets up RoleBasedPolicy and IdentifierBundleFactory. This will cause the
* This will cause the vitro native login to add Identifiers that can * vitro native login to add Identifiers that can be used by the Auth system and
* be used by the Auth system and the in-line editing. * the in-line editing.
* *
* To use this add it as a listener to the web.xml. * To use this add it as a listener to the web.xml.
* *
* See RoleBasedPolicy.java * See RoleBasedPolicy.java
*
* @author bdc34
*
*/ */
public class EditorEditingPolicySetup implements ServletContextListener { public class EditorEditingPolicySetup implements ServletContextListener {
private static final Log log = LogFactory.getLog(EditorEditingPolicySetup.class.getName()); private static final Log log = LogFactory
.getLog(EditorEditingPolicySetup.class.getName());
@Override
@Override
public void contextInitialized(ServletContextEvent sce) { public void contextInitialized(ServletContextEvent sce) {
try{ ServletContext ctx = sce.getServletContext();
log.debug("Setting up EditorEditingPolicy");
if (AbortStartup.isStartupAborted(ctx)) {
//need to make a policy and add it to the ServeltContext return;
OntModel model = (OntModel)sce.getServletContext().getAttribute("jenaOntModel"); }
EditorEditingPolicy cep = makeEditorEditPolicyFromModel(model);
ServletPolicyList.addPolicy(sce.getServletContext(), cep); try {
log.debug("Setting up EditorEditingPolicy");
//need to put an IdentifierFactory for EditorEditingIds into the ServletContext
ActiveIdentifierBundleFactories.addFactory(sce, new EditorEditingIdentifierFactory()); // need to make a policy and add it to the ServletContext
EditorEditingPolicy cep = new EditorEditingPolicy(ctx);
log.debug( "Finished setting up EditorEditingPolicy: " + cep ); ServletPolicyList.addPolicy(ctx, cep);
}catch(Exception e){
log.error("could not run EditorEditingPolicySetup: " + e); // need to put an IdentifierFactory for EditorEditingIds into the
e.printStackTrace(); // ServletContext
} ActiveIdentifierBundleFactories.addFactory(sce,
} new EditorEditingIdentifierFactory());
@Override log.debug("Finished setting up EditorEditingPolicy: " + cep);
public void contextDestroyed(ServletContextEvent sce) { /*nothing*/ } } catch (Exception e) {
log.error("could not run EditorEditingPolicySetup: " + e);
public static EditorEditingPolicy makeEditorEditPolicyFromModel( Model model ){ AbortStartup.abortStartup(ctx);
EditorEditingPolicy pol = null; throw new RuntimeException(e);
if( model == null ) }
pol = new EditorEditingPolicy(null,null,null,null); }
else{
Set<String> prohibitedProps = new HashSet<String>(); @Override
// need to iterate through one level higher than EDITOR (the higher of current 2 targeted levels) plus all higher levels public void contextDestroyed(ServletContextEvent sce) { /* nothing */
for (BaseResourceBean.RoleLevel e : EnumSet.range(BaseResourceBean.RoleLevel.CURATOR,BaseResourceBean.RoleLevel.NOBODY)) { }
ResIterator it = model.listSubjectsWithProperty( model.createProperty( VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT),ResourceFactory.createResource(e.getURI())); }
while( it.hasNext() ){
Resource resource = it.nextResource();
if( resource != null && resource.getURI() != null ) {
log.debug("adding \""+resource.getURI()+"\" to properties prohibited from inline editor editing ("+e.getLabel()+")");
prohibitedProps.add( resource.getURI() );
}
}
}
pol = new EditorEditingPolicy(prohibitedProps,null,null,null);
}
return pol;
}
public static void replaceEditorEditing( ServletContext sc, Model model ){
ServletPolicyList.replacePolicy(sc, makeEditorEditPolicyFromModel(model));
}
}

74
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/InformationResourceEditingPolicySetup.java
View file

@ -2,10 +2,6 @@
package edu.cornell.mannlib.vitro.webapp.auth.policy.setup; package edu.cornell.mannlib.vitro.webapp.auth.policy.setup;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent; import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener; import javax.servlet.ServletContextListener;
@ -14,15 +10,10 @@ import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import com.hp.hpl.jena.ontology.OntModel; import com.hp.hpl.jena.ontology.OntModel;
import com.hp.hpl.jena.rdf.model.ResIterator;
import com.hp.hpl.jena.rdf.model.Resource;
import com.hp.hpl.jena.rdf.model.ResourceFactory;
import edu.cornell.mannlib.vitro.webapp.auth.policy.AdministrativeUriRestrictor;
import edu.cornell.mannlib.vitro.webapp.auth.policy.InformationResourceEditingPolicy; import edu.cornell.mannlib.vitro.webapp.auth.policy.InformationResourceEditingPolicy;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList; import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean; import edu.cornell.mannlib.vitro.webapp.servlet.setup.AbortStartup;
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
/** /**
* Set up the InformationResourceEditingPolicy. This is tied to the SelfEditor * Set up the InformationResourceEditingPolicy. This is tied to the SelfEditor
@ -35,62 +26,37 @@ public class InformationResourceEditingPolicySetup implements
@Override @Override
public void contextInitialized(ServletContextEvent sce) { public void contextInitialized(ServletContextEvent sce) {
ServletContext ctx = sce.getServletContext();
if (AbortStartup.isStartupAborted(ctx)) {
return;
}
try { try {
log.debug("Setting up InformationResourceEditingPolicy"); log.debug("Setting up InformationResourceEditingPolicy");
// need to make a policy and add it to the ServletContext
OntModel model = (OntModel) sce.getServletContext().getAttribute( OntModel model = (OntModel) sce.getServletContext().getAttribute(
"jenaOntModel"); "jenaOntModel");
replacePolicy(sce.getServletContext(), model); InformationResourceEditingPolicy irep = new InformationResourceEditingPolicy(
ctx, model);
ServletPolicyList.addPolicy(ctx, irep);
log.debug("InformationResourceEditingPolicy has been setup. "); // don't need an IdentifierFactory if the SelfEditingPolicy is
// providing it.
log.debug("Finished setting up InformationResourceEditingPolicy: "
+ irep);
} catch (Exception e) { } catch (Exception e) {
log.error("could not run SelfEditingPolicySetup: " + e); log.error("could not run InformationResourceEditingPolicySetup: "
e.printStackTrace(); + e);
AbortStartup.abortStartup(ctx);
throw new RuntimeException(e);
} }
} }
public static InformationResourceEditingPolicy makePolicyFromModel(
OntModel model) {
InformationResourceEditingPolicy policy = null;
if (model == null)
policy = new InformationResourceEditingPolicy(null,
new AdministrativeUriRestrictor(null, null, null, null));
else {
Set<String> prohibitedProps = new HashSet<String>();
// need to iterate through one level higher than SELF (the lowest
// level where restrictions make sense) plus all higher levels
for (BaseResourceBean.RoleLevel e : EnumSet.range(
BaseResourceBean.RoleLevel.EDITOR,
BaseResourceBean.RoleLevel.NOBODY)) {
ResIterator it = model
.listSubjectsWithProperty(
model.createProperty(VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT),
ResourceFactory.createResource(e.getURI()));
while (it.hasNext()) {
Resource resource = it.nextResource();
if (resource != null && resource.getURI() != null) {
log.debug("adding '"
+ resource.getURI()
+ "' to properties prohibited from information resource editing ("
+ e.getLabel() + ")");
prohibitedProps.add(resource.getURI());
}
}
}
policy = new InformationResourceEditingPolicy(model,
new AdministrativeUriRestrictor(prohibitedProps, null, null, null));
}
return policy;
}
public static void replacePolicy(ServletContext sc, OntModel model) {
ServletPolicyList.replacePolicy(sc, makePolicyFromModel(model));
}
@Override @Override
public void contextDestroyed(ServletContextEvent sce) { public void contextDestroyed(ServletContextEvent sce) {
// Nothing to do. // Nothing to do.
} }
} }

123
webapp/src/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/SelfEditingPolicySetup.java
View file

@ -2,10 +2,6 @@
package edu.cornell.mannlib.vitro.webapp.auth.policy.setup; package edu.cornell.mannlib.vitro.webapp.auth.policy.setup;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent; import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener; import javax.servlet.ServletContextListener;
@ -13,88 +9,57 @@ import javax.servlet.ServletContextListener;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import com.hp.hpl.jena.ontology.OntModel;
import com.hp.hpl.jena.rdf.model.ResIterator;
import com.hp.hpl.jena.rdf.model.Resource;
import com.hp.hpl.jena.rdf.model.ResourceFactory;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories; import edu.cornell.mannlib.vitro.webapp.auth.identifier.ActiveIdentifierBundleFactories;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory; import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory;
import edu.cornell.mannlib.vitro.webapp.auth.policy.SelfEditingPolicy; import edu.cornell.mannlib.vitro.webapp.auth.policy.SelfEditingPolicy;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList; import edu.cornell.mannlib.vitro.webapp.auth.policy.ServletPolicyList;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean; import edu.cornell.mannlib.vitro.webapp.servlet.setup.AbortStartup;
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
/** /**
* Policy for SelfEditors. This will set up the self-editing policy which * Policy for SelfEditors. This will set up the self-editing policy which will
* will will look for SelfEditing identifier in the IdentifierBundle. If * will look for SelfEditing identifier in the IdentifierBundle. If the user is
* the user is associated with a URI in the system then they will be allowed * associated with a URI in the system then they will be allowed to edit
* to edit resources related to that URI. * resources related to that URI.
*
* To use this add it as a listener to the web.xml.
*
* The SelfEditing policy may return
* Authorization.UNAUTHORIZED so it should be at the start of the
* ServletPolicyList if you want it to override other Policies.
* For example, this Listener should be before the curator listener so
* that if a curator is faking selfEditing the capabilities they have
* as curator will not override the results of the SelfEditing policy.
* *
* @author bdc34 * To use this add it as a listener to the web.xml.
*
*/ */
public class SelfEditingPolicySetup implements ServletContextListener { public class SelfEditingPolicySetup implements ServletContextListener {
private static final Log log = LogFactory.getLog(SelfEditingPolicySetup.class.getName()); private static final Log log = LogFactory
public static final String SELF_EDITING_POLICY_WAS_SETUP= "selfEditingPolicyWasSetup"; .getLog(SelfEditingPolicySetup.class.getName());
public static final String SELF_EDITING_POLICY_WAS_SETUP = "selfEditingPolicyWasSetup";
@Override
public void contextInitialized(ServletContextEvent sce) {
try{
log.debug("Setting up SelfEditingPolicy");
OntModel model = (OntModel)sce.getServletContext().getAttribute("jenaOntModel");
replaceSelfEditing(sce.getServletContext(), model);
ActiveIdentifierBundleFactories.addFactory(sce, new SelfEditingIdentifierFactory()); @Override
public void contextInitialized(ServletContextEvent sce) {
sce.getServletContext().setAttribute(SELF_EDITING_POLICY_WAS_SETUP, Boolean.TRUE); ServletContext ctx = sce.getServletContext();
log.debug( "SelfEditingPolicy has been setup. " ); if (AbortStartup.isStartupAborted(ctx)) {
}catch(Exception e){ return;
log.error("could not run SelfEditingPolicySetup: " + e); }
e.printStackTrace();
} try {
} log.debug("Setting up SelfEditingPolicy");
@Override // need to make a policy and add it to the ServletContext
public void contextDestroyed(ServletContextEvent sce) { /*nothing*/ } SelfEditingPolicy cep = new SelfEditingPolicy(ctx);
ServletPolicyList.addPolicy(ctx, cep);
public static SelfEditingPolicy makeSelfEditPolicyFromModel( OntModel model ){
SelfEditingPolicy pol = null; // need to put an IdentifierFactory for CuratorEditingIds into the
if( model == null ) // ServletContext
pol = new SelfEditingPolicy(null,null,null,null, null); ActiveIdentifierBundleFactories.addFactory(sce,
else{ new SelfEditingIdentifierFactory());
Set<String> prohibitedProps = new HashSet<String>();
//ResIterator it = model.listSubjectsWithProperty( model.createProperty( VitroVocabulary.PROPERTY_SELFEDITPROHIBITEDANNOT ) ); sce.getServletContext().setAttribute(SELF_EDITING_POLICY_WAS_SETUP,
Boolean.TRUE);
// need to iterate through one level higher than SELF (the lowest level where restrictions make sense) plus all higher levels
for (BaseResourceBean.RoleLevel e : EnumSet.range(BaseResourceBean.RoleLevel.EDITOR,BaseResourceBean.RoleLevel.NOBODY)) { log.debug("Finished setting up SelfEditingPolicy: " + cep);
ResIterator it = model.listSubjectsWithProperty( model.createProperty( VitroVocabulary.PROHIBITED_FROM_UPDATE_BELOW_ROLE_LEVEL_ANNOT),ResourceFactory.createResource(e.getURI())); } catch (Exception e) {
while( it.hasNext() ){ log.error("could not run SelfEditingPolicySetup: " + e);
Resource resource = it.nextResource(); AbortStartup.abortStartup(ctx);
if( resource != null && resource.getURI() != null ) { throw new RuntimeException(e);
log.debug("adding \""+resource.getURI()+"\" to properties prohibited from self-editing ("+e.getLabel()+")"); }
prohibitedProps.add( resource.getURI() ); }
}
} @Override
} public void contextDestroyed(ServletContextEvent sce) { /* nothing */
pol = new SelfEditingPolicy(prohibitedProps,null,null,null,model); }
}
return pol;
}
public static void replaceSelfEditing( ServletContext sc, OntModel model ){
ServletPolicyList.replacePolicy(sc, makeSelfEditPolicyFromModel(model));
}
} }

74
webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/DatapropRetryController.java
View file

@ -2,49 +2,47 @@
package edu.cornell.mannlib.vitro.webapp.controller.edit; package edu.cornell.mannlib.vitro.webapp.controller.edit;
import java.io.IOException; import java.io.IOException;
import java.net.URLEncoder; import java.net.URLEncoder;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.HashMap; import java.util.HashMap;
import java.util.LinkedList; import java.util.LinkedList;
import java.util.List; import java.util.List;
import javax.servlet.RequestDispatcher; import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import edu.cornell.mannlib.vedit.beans.EditProcessObject; import edu.cornell.mannlib.vedit.beans.EditProcessObject;
import edu.cornell.mannlib.vedit.beans.FormObject; import edu.cornell.mannlib.vedit.beans.FormObject;
import edu.cornell.mannlib.vedit.beans.Option; import edu.cornell.mannlib.vedit.beans.Option;
import edu.cornell.mannlib.vedit.controller.BaseEditController; import edu.cornell.mannlib.vedit.controller.BaseEditController;
import edu.cornell.mannlib.vedit.forwarder.PageForwarder; import edu.cornell.mannlib.vedit.forwarder.PageForwarder;
import edu.cornell.mannlib.vedit.forwarder.impl.UrlForwarder; import edu.cornell.mannlib.vedit.forwarder.impl.UrlForwarder;
import edu.cornell.mannlib.vedit.util.FormUtils; import edu.cornell.mannlib.vedit.util.FormUtils;
import edu.cornell.mannlib.vedit.validator.impl.EnumValuesValidator; import edu.cornell.mannlib.vedit.validator.impl.IntValidator;
import edu.cornell.mannlib.vedit.validator.impl.IntValidator; import edu.cornell.mannlib.vedit.validator.impl.XMLNameValidator;
import edu.cornell.mannlib.vedit.validator.impl.XMLNameValidator; import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionListener;
import edu.cornell.mannlib.vitro.webapp.beans.DataProperty; import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
import edu.cornell.mannlib.vitro.webapp.beans.Ontology; import edu.cornell.mannlib.vitro.webapp.beans.Portal;
import edu.cornell.mannlib.vitro.webapp.beans.Portal; import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
import edu.cornell.mannlib.vitro.webapp.beans.VClass; import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
import edu.cornell.mannlib.vitro.webapp.controller.Controllers; import edu.cornell.mannlib.vitro.webapp.controller.edit.utils.RoleLevelOptionsSetup;
import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest; import edu.cornell.mannlib.vitro.webapp.dao.DataPropertyDao;
import edu.cornell.mannlib.vitro.webapp.controller.edit.utils.RoleLevelOptionsSetup; import edu.cornell.mannlib.vitro.webapp.dao.DatatypeDao;
import edu.cornell.mannlib.vitro.webapp.dao.DataPropertyDao; import edu.cornell.mannlib.vitro.webapp.dao.OntologyDao;
import edu.cornell.mannlib.vitro.webapp.dao.DatatypeDao; import edu.cornell.mannlib.vitro.webapp.dao.VClassDao;
import edu.cornell.mannlib.vitro.webapp.dao.OntologyDao;
import edu.cornell.mannlib.vitro.webapp.dao.VClassDao;
import edu.cornell.mannlib.vitro.webapp.edit.listener.impl.EditProhibitionListener;
public class DatapropRetryController extends BaseEditController { public class DatapropRetryController extends BaseEditController {
private static final Log log = LogFactory.getLog(DatapropRetryController.class.getName()); private static final Log log = LogFactory.getLog(DatapropRetryController.class.getName());
public void doPost (HttpServletRequest request, HttpServletResponse response) { @Override
public void doPost (HttpServletRequest request, HttpServletResponse response) {
if (!checkLoginStatus(request,response)) if (!checkLoginStatus(request,response))
return; return;
@ -134,7 +132,7 @@ public class DatapropRetryController extends BaseEditController {
//set up any listeners //set up any listeners
List changeListenerList = new ArrayList(); List changeListenerList = new ArrayList();
changeListenerList.add(new EditProhibitionListener(getServletContext())); changeListenerList.add(new PropertyRestrictionListener(getServletContext()));
epo.setChangeListenerList(changeListenerList); epo.setChangeListenerList(changeListenerList);

79
webapp/src/edu/cornell/mannlib/vitro/webapp/controller/edit/PropertyRetryController.java
View file

@ -2,54 +2,51 @@
package edu.cornell.mannlib.vitro.webapp.controller.edit; package edu.cornell.mannlib.vitro.webapp.controller.edit;
import java.io.IOException; import java.io.IOException;
import java.net.URLEncoder; import java.net.URLEncoder;
import java.text.Collator; import java.text.Collator;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Collections; import java.util.Collections;
import java.util.Comparator; import java.util.Comparator;
import java.util.HashMap; import java.util.HashMap;
import java.util.Iterator; import java.util.Iterator;
import java.util.LinkedList; import java.util.List;
import java.util.List;
import java.util.ListIterator; import java.util.ListIterator;
import javax.servlet.RequestDispatcher; import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import edu.cornell.mannlib.vedit.beans.EditProcessObject; import edu.cornell.mannlib.vedit.beans.EditProcessObject;
import edu.cornell.mannlib.vedit.beans.FormObject; import edu.cornell.mannlib.vedit.beans.FormObject;
import edu.cornell.mannlib.vedit.beans.Option; import edu.cornell.mannlib.vedit.beans.Option;
import edu.cornell.mannlib.vedit.controller.BaseEditController; import edu.cornell.mannlib.vedit.controller.BaseEditController;
import edu.cornell.mannlib.vedit.forwarder.PageForwarder; import edu.cornell.mannlib.vedit.forwarder.PageForwarder;
import edu.cornell.mannlib.vedit.forwarder.impl.UrlForwarder; import edu.cornell.mannlib.vedit.forwarder.impl.UrlForwarder;
import edu.cornell.mannlib.vedit.util.FormUtils; import edu.cornell.mannlib.vedit.util.FormUtils;
import edu.cornell.mannlib.vedit.validator.ValidationObject; import edu.cornell.mannlib.vedit.validator.impl.XMLNameValidator;
import edu.cornell.mannlib.vedit.validator.Validator; import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionListener;
import edu.cornell.mannlib.vedit.validator.impl.EnumValuesValidator; import edu.cornell.mannlib.vitro.webapp.beans.DataProperty;
import edu.cornell.mannlib.vedit.validator.impl.XMLNameValidator; import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty;
import edu.cornell.mannlib.vitro.webapp.beans.DataProperty; import edu.cornell.mannlib.vitro.webapp.beans.Portal;
import edu.cornell.mannlib.vitro.webapp.beans.ObjectProperty; import edu.cornell.mannlib.vitro.webapp.beans.VClass;
import edu.cornell.mannlib.vitro.webapp.beans.Portal; import edu.cornell.mannlib.vitro.webapp.controller.Controllers;
import edu.cornell.mannlib.vitro.webapp.beans.VClass; import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest;
import edu.cornell.mannlib.vitro.webapp.controller.Controllers; import edu.cornell.mannlib.vitro.webapp.controller.edit.utils.RoleLevelOptionsSetup;
import edu.cornell.mannlib.vitro.webapp.controller.VitroRequest; import edu.cornell.mannlib.vitro.webapp.dao.DataPropertyDao;
import edu.cornell.mannlib.vitro.webapp.controller.edit.utils.RoleLevelOptionsSetup; import edu.cornell.mannlib.vitro.webapp.dao.ObjectPropertyDao;
import edu.cornell.mannlib.vitro.webapp.dao.DataPropertyDao; import edu.cornell.mannlib.vitro.webapp.dao.OntologyDao;
import edu.cornell.mannlib.vitro.webapp.dao.ObjectPropertyDao; import edu.cornell.mannlib.vitro.webapp.dao.VClassDao;
import edu.cornell.mannlib.vitro.webapp.dao.OntologyDao;
import edu.cornell.mannlib.vitro.webapp.dao.VClassDao;
import edu.cornell.mannlib.vitro.webapp.edit.listener.impl.EditProhibitionListener;
public class PropertyRetryController extends BaseEditController { public class PropertyRetryController extends BaseEditController {
private static final Log log = LogFactory.getLog(PropertyRetryController.class.getName()); private static final Log log = LogFactory.getLog(PropertyRetryController.class.getName());
public void doPost (HttpServletRequest req, HttpServletResponse response) { @Override
public void doPost (HttpServletRequest req, HttpServletResponse response) {
VitroRequest request = new VitroRequest(req); VitroRequest request = new VitroRequest(req);
if (!checkLoginStatus(request,response)) if (!checkLoginStatus(request,response))
return; return;
@ -87,7 +84,7 @@ public class PropertyRetryController extends BaseEditController {
String uri = request.getParameter("uri"); String uri = request.getParameter("uri");
if (uri != null) { if (uri != null) {
try { try {
propertyForEditing = (ObjectProperty)propDao.getObjectPropertyByURI(uri); propertyForEditing = propDao.getObjectPropertyByURI(uri);
action = "update"; action = "update";
epo.setAction("update"); epo.setAction("update");
} catch (NullPointerException e) { } catch (NullPointerException e) {
@ -125,7 +122,7 @@ public class PropertyRetryController extends BaseEditController {
//set up any listeners //set up any listeners
List changeListenerList = new ArrayList(); List changeListenerList = new ArrayList();
//changeListenerList.add(new HiddenFromDisplayListener(getServletContext())); //changeListenerList.add(new HiddenFromDisplayListener(getServletContext()));
changeListenerList.add(new EditProhibitionListener(getServletContext())); changeListenerList.add(new PropertyRestrictionListener(getServletContext()));
epo.setChangeListenerList(changeListenerList); epo.setChangeListenerList(changeListenerList);
//set portal flag to current portal //set portal flag to current portal

133
webapp/src/edu/cornell/mannlib/vitro/webapp/edit/listener/impl/EditProhibitionListener.java
View file

@ -1,133 +0,0 @@
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
package edu.cornell.mannlib.vitro.webapp.edit.listener.impl;
import javax.servlet.ServletContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import com.hp.hpl.jena.ontology.OntModel;
import edu.cornell.mannlib.vedit.beans.EditProcessObject;
import edu.cornell.mannlib.vedit.listener.ChangeListener;
import edu.cornell.mannlib.vitro.webapp.auth.policy.setup.CuratorEditingPolicySetup;
import edu.cornell.mannlib.vitro.webapp.auth.policy.setup.DbAdminEditingPolicySetup;
import edu.cornell.mannlib.vitro.webapp.auth.policy.setup.EditorEditingPolicySetup;
import edu.cornell.mannlib.vitro.webapp.auth.policy.setup.InformationResourceEditingPolicySetup;
import edu.cornell.mannlib.vitro.webapp.auth.policy.setup.SelfEditingPolicySetup;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean;
import edu.cornell.mannlib.vitro.webapp.beans.Property;
public class EditProhibitionListener implements ChangeListener {
private static final Log log = LogFactory.getLog(EditProhibitionListener.class.getName());
private ServletContext context = null;
public EditProhibitionListener(ServletContext context) {
this.context = context;
}
public void doDeleted(Object oldObj, EditProcessObject epo) {
Property p = (Property) oldObj;
OntModel model = (OntModel) context.getAttribute("jenaOntModel");
BaseResourceBean.RoleLevel oldRoleLevel = p.getProhibitedFromUpdateBelowRoleLevel();
if (oldRoleLevel != null) {
log.debug("replacing all edit prohibition policies after deletion");
// do you want to do something more selective, such as seeing whether only certain policies are affected?
// But, some (lower) will be affected if higher levels change (or will they if the object has been deleted?)
SelfEditingPolicySetup.replaceSelfEditing(context,model);
InformationResourceEditingPolicySetup.replacePolicy(context,model);
EditorEditingPolicySetup.replaceEditorEditing(context,model);
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
DbAdminEditingPolicySetup.replaceDbAdminEditing(context,model);
/*
if (oldRoleLevel.compareTo(BaseResourceBean.RoleLevel.PUBLIC)==0) {
SelfEditingPolicySetup.replaceSelfEditing(context,model);
} else if (oldRoleLevel.compareTo(BaseResourceBean.RoleLevel.SELF)==0) {
SelfEditingPolicySetup.replaceSelfEditing(context,model);
} else if (oldRoleLevel.compareTo(BaseResourceBean.RoleLevel.EDITOR)==0) {
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
} else if (oldRoleLevel.compareTo(BaseResourceBean.RoleLevel.CURATOR)==0) {
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
} else if (oldRoleLevel.compareTo(BaseResourceBean.RoleLevel.DB_ADMIN)==0) {
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
} else if (oldRoleLevel.compareTo(BaseResourceBean.RoleLevel.NOBODY)==0) {
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
} */
}
}
public void doInserted(Object newObj, EditProcessObject epo) {
Property p = (Property) newObj;
OntModel model = (OntModel) context.getAttribute("jenaOntModel");
BaseResourceBean.RoleLevel newRoleLevel = p.getProhibitedFromUpdateBelowRoleLevel();
if (newRoleLevel != null) { // note have to replace even at same level since may have been unspecified
if (newRoleLevel.compareTo(BaseResourceBean.RoleLevel.SELF)==0) {
log.debug("replacing self editing editing policies after insertion of \"self\" update level");
SelfEditingPolicySetup.replaceSelfEditing(context,model);
InformationResourceEditingPolicySetup.replacePolicy(context,model);
} else if (newRoleLevel.compareTo(BaseResourceBean.RoleLevel.EDITOR)==0) {
log.debug("replacing editor and lower editing policies after insertion of new \"editor\" update level");
SelfEditingPolicySetup.replaceSelfEditing(context,model);
InformationResourceEditingPolicySetup.replacePolicy(context,model);
EditorEditingPolicySetup.replaceEditorEditing(context,model);
} else if (newRoleLevel.compareTo(BaseResourceBean.RoleLevel.CURATOR)==0) {
log.debug("replacing curator and lower editing policies after insertion of new \"curator\" update level");
SelfEditingPolicySetup.replaceSelfEditing(context,model);
InformationResourceEditingPolicySetup.replacePolicy(context,model);
EditorEditingPolicySetup.replaceEditorEditing(context,model);
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
} else if (newRoleLevel.compareTo(BaseResourceBean.RoleLevel.DB_ADMIN)==0) {
log.debug("replacing db_admin and lower editing policies after insertion of new \"db_admin\" update level");
SelfEditingPolicySetup.replaceSelfEditing(context,model);
InformationResourceEditingPolicySetup.replacePolicy(context,model);
EditorEditingPolicySetup.replaceEditorEditing(context,model);
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
DbAdminEditingPolicySetup.replaceDbAdminEditing(context,model);
} else if (newRoleLevel.compareTo(BaseResourceBean.RoleLevel.NOBODY)==0) {
log.debug("replacing db_admin and lower editing policies after insertion of new \"nobody\" update level");
SelfEditingPolicySetup.replaceSelfEditing(context,model);
InformationResourceEditingPolicySetup.replacePolicy(context,model);
EditorEditingPolicySetup.replaceEditorEditing(context,model);
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
DbAdminEditingPolicySetup.replaceDbAdminEditing(context,model);
}
}
}
public void doUpdated(Object oldObj, Object newObj, EditProcessObject epo) {
Property oldP = (Property) oldObj;
Property newP = (Property) newObj;
OntModel model = (OntModel) context.getAttribute("jenaOntModel");
BaseResourceBean.RoleLevel oldRoleLevel = oldP.getProhibitedFromUpdateBelowRoleLevel();
BaseResourceBean.RoleLevel newRoleLevel = newP.getProhibitedFromUpdateBelowRoleLevel();
if (newRoleLevel != null) { // will always be true since select box has no non-empty choices
if (oldRoleLevel != null) {
if (newRoleLevel.compareTo(oldRoleLevel)!=0) {
log.debug("replacing all editing policies after update when new level different from old");
SelfEditingPolicySetup.replaceSelfEditing(context,model);
InformationResourceEditingPolicySetup.replacePolicy(context,model);
EditorEditingPolicySetup.replaceEditorEditing(context,model);
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
DbAdminEditingPolicySetup.replaceDbAdminEditing(context,model);
} else {
log.debug("update did not change role level");
}
} else {
log.debug("replacing all editing policies after update when a role level introduced");
SelfEditingPolicySetup.replaceSelfEditing(context,model);
InformationResourceEditingPolicySetup.replacePolicy(context,model);
EditorEditingPolicySetup.replaceEditorEditing(context,model);
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
DbAdminEditingPolicySetup.replaceDbAdminEditing(context,model);
}
} else if (oldRoleLevel != null) { // with fixed selections, not likely to happen
log.debug("replacing all editing policies after update when old role level removed");
SelfEditingPolicySetup.replaceSelfEditing(context,model);
InformationResourceEditingPolicySetup.replacePolicy(context,model);
EditorEditingPolicySetup.replaceEditorEditing(context,model);
CuratorEditingPolicySetup.replaceCuratorEditing(context,model);
DbAdminEditingPolicySetup.replaceDbAdminEditing(context,model);
}
}
}

45
webapp/test/edu/cornell/mannlib/vitro/webapp/auth/policy/AdministrativeUriRestrictorTest.java
View file

@ -1,45 +0,0 @@
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
package edu.cornell.mannlib.vitro.webapp.auth.policy;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import edu.cornell.mannlib.vitro.testing.AbstractTestClass;
import edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary;
/**
* TODO
*/
public class AdministrativeUriRestrictorTest extends AbstractTestClass {
private static final String SAFE_NS = "http://test.mannlib.cornell.edu/ns/01#";
private static final String UNSAFE_NS = VitroVocabulary.vitroURI;
private static final String SAFE_RESOURCE = SAFE_NS + "otherIndividual77777";
private static final String UNSAFE_RESOURCE = UNSAFE_NS + "otherIndividual99999";
private static final String SAFE_PREDICATE = SAFE_NS + "hasHairStyle";
private static final String UNSAFE_PREDICATE = UNSAFE_NS + "hasSuperPowers";
private AdministrativeUriRestrictor restrictor;
@Before
public void setup() {
restrictor = new AdministrativeUriRestrictor(null, null, null, null);
}
@Test
public void testCanModifiyNs(){
Assert.assertTrue( restrictor.canModifyResource("http://bobs.com#hats") );
Assert.assertTrue( restrictor.canModifyResource("ftp://bobs.com#hats"));
Assert.assertTrue( restrictor.canModifyResource( SAFE_RESOURCE ));
Assert.assertTrue( restrictor.canModifyPredicate( SAFE_PREDICATE ));
Assert.assertTrue( restrictor.canModifyResource("http://bobs.com/hats"));
Assert.assertTrue( ! restrictor.canModifyResource(""));
Assert.assertTrue( ! restrictor.canModifyResource(VitroVocabulary.vitroURI + "something"));
Assert.assertTrue( ! restrictor.canModifyResource(VitroVocabulary.OWL + "Ontology"));
Assert.assertTrue( ! restrictor.canModifyPredicate( UNSAFE_PREDICATE ));
Assert.assertTrue( ! restrictor.canModifyResource( UNSAFE_RESOURCE ));
Assert.assertTrue( ! restrictor.canModifyResource( UNSAFE_NS ));
}
}

13
webapp/test/edu/cornell/mannlib/vitro/webapp/auth/policy/InformationResourceEditingPolicyTest.java
View file

@ -16,6 +16,9 @@ import org.junit.Before;
import org.junit.BeforeClass; import org.junit.BeforeClass;
import org.junit.Test; import org.junit.Test;
import stubs.edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelperStub;
import stubs.javax.servlet.ServletContextStub;
import com.hp.hpl.jena.ontology.OntModel; import com.hp.hpl.jena.ontology.OntModel;
import com.hp.hpl.jena.ontology.OntModelSpec; import com.hp.hpl.jena.ontology.OntModelSpec;
import com.hp.hpl.jena.rdf.model.Model; import com.hp.hpl.jena.rdf.model.Model;
@ -28,6 +31,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle; import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory; import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory.SelfEditing; import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory.SelfEditing;
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.ServerStatus; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.ServerStatus;
@ -105,9 +109,12 @@ public class InformationResourceEditingPolicyTest extends AbstractTestClass {
@Before @Before
public void setupPolicy() { public void setupPolicy() {
AdministrativeUriRestrictor restrictor = new AdministrativeUriRestrictor( ServletContextStub ctx = new ServletContextStub();
null, null, null, null); PropertyRestrictionPolicyHelper prph = PropertyRestrictionPolicyHelperStub
policy = new InformationResourceEditingPolicy(ontModel, restrictor); .getInstance(new String[] { NS_RESTRICTED });
PropertyRestrictionPolicyHelper.setBean(ctx, prph);
policy = new InformationResourceEditingPolicy(ctx, ontModel);
} }
private IdentifierBundle idNobody; private IdentifierBundle idNobody;

472
webapp/test/edu/cornell/mannlib/vitro/webapp/auth/policy/SelfEditingPolicyTest.java
View file

@ -8,16 +8,16 @@ import static junit.framework.Assert.assertEquals;
import static junit.framework.Assert.assertNotNull; import static junit.framework.Assert.assertNotNull;
import static junit.framework.Assert.assertNull; import static junit.framework.Assert.assertNull;
import java.util.HashSet;
import java.util.Set;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import stubs.edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelperStub;
import stubs.javax.servlet.ServletContextStub;
import edu.cornell.mannlib.vitro.testing.AbstractTestClass; import edu.cornell.mannlib.vitro.testing.AbstractTestClass;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle; import edu.cornell.mannlib.vitro.webapp.auth.identifier.ArrayIdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle; import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory; import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory;
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.AddNewUser; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.AddNewUser;
@ -47,295 +47,265 @@ public class SelfEditingPolicyTest extends AbstractTestClass {
private static final String UNSAFE_NS = VitroVocabulary.vitroURI; private static final String UNSAFE_NS = VitroVocabulary.vitroURI;
private static final String SELFEDITOR_URI = SAFE_NS + "individual244"; private static final String SELFEDITOR_URI = SAFE_NS + "individual244";
private static final String SAFE_RESOURCE = SAFE_NS + "otherIndividual77777"; private static final String SAFE_RESOURCE = SAFE_NS + "otherIndividual77777";
private static final String UNSAFE_RESOURCE = UNSAFE_NS + "otherIndividual99999"; private static final String UNSAFE_RESOURCE = UNSAFE_NS + "otherIndividual99999";
private static final String SAFE_PREDICATE = SAFE_NS + "hasHairStyle"; private static final String SAFE_PREDICATE = SAFE_NS + "hasHairStyle";
private static final String UNSAFE_PREDICATE = UNSAFE_NS + "hasSuperPowers"; private static final String UNSAFE_PREDICATE = UNSAFE_NS + "hasSuperPowers";
private ServletContextStub ctx;
private SelfEditingPolicy policy; private SelfEditingPolicy policy;
private IdentifierBundle ids; private IdentifierBundle ids;
private RequestedAction whatToAuth; private RequestedAction whatToAuth;
@Before @Before
public void setUp() throws Exception { public void setUp() throws Exception {
policy = new SelfEditingPolicy(null,null,null,null,null); ctx = new ServletContextStub();
ids = new ArrayIdentifierBundle(); PropertyRestrictionPolicyHelper prph = PropertyRestrictionPolicyHelperStub
ids.add( new SelfEditingIdentifierFactory.NetId("test223") ); .getInstance(new String[] { UNSAFE_NS });
PropertyRestrictionPolicyHelper.setBean(ctx, prph);
IndividualImpl ind = new IndividualImpl();
ind.setURI( SELFEDITOR_URI ); policy = new SelfEditingPolicy(ctx);
ids.add( new SelfEditingIdentifierFactory.SelfEditing( ind, SelfEditingIdentifierFactory.NOT_BLACKLISTED ) );
ids = new ArrayIdentifierBundle();
} ids.add(new SelfEditingIdentifierFactory.NetId("test223"));
IndividualImpl ind = new IndividualImpl();
ind.setURI(SELFEDITOR_URI);
ids.add(new SelfEditingIdentifierFactory.SelfEditing(ind,
SelfEditingIdentifierFactory.NOT_BLACKLISTED));
}
@Test @Test
public void testProhibitedProperties() { public void testProhibitedProperties() {
Set<String> badProps = new HashSet<String>(); PropertyRestrictionPolicyHelper prph = PropertyRestrictionPolicyHelperStub
badProps.add("http://mannlib.cornell.edu/bad#prp234"); .getInstance(new String[] { UNSAFE_NS }, new String[] {
badProps.add("http://mannlib.cornell.edu/bad#prp999"); "http://mannlib.cornell.edu/bad#prp234",
badProps.add("http://mannlib.cornell.edu/bad#prp333"); "http://mannlib.cornell.edu/bad#prp999",
badProps.add("http://mannlib.cornell.edu/bad#prp777"); "http://mannlib.cornell.edu/bad#prp333",
badProps.add("http://mannlib.cornell.edu/bad#prp0020"); "http://mannlib.cornell.edu/bad#prp777",
SelfEditingPolicy badPropPolicy = new SelfEditingPolicy(badProps, null, null, null, null); "http://mannlib.cornell.edu/bad#prp0020" });
PropertyRestrictionPolicyHelper.setBean(ctx, prph);
whatToAuth = new AddObjectPropStmt(SELFEDITOR_URI, whatToAuth = new AddObjectPropStmt(SELFEDITOR_URI,
"http://mannlib.cornell.edu/bad#prp234", SAFE_RESOURCE); "http://mannlib.cornell.edu/bad#prp234", SAFE_RESOURCE);
assertDecision(INCONCLUSIVE, badPropPolicy.isAuthorized(ids, whatToAuth)); assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddObjectPropStmt(SAFE_RESOURCE, whatToAuth = new AddObjectPropStmt(SAFE_RESOURCE,
"http://mannlib.cornell.edu/bad#prp234", SELFEDITOR_URI); "http://mannlib.cornell.edu/bad#prp234", SELFEDITOR_URI);
assertDecision(INCONCLUSIVE, badPropPolicy.isAuthorized(ids, whatToAuth)); assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddObjectPropStmt(SELFEDITOR_URI, whatToAuth = new AddObjectPropStmt(SELFEDITOR_URI,
"http://mannlib.cornell.edu/bad#prp999", SAFE_RESOURCE); "http://mannlib.cornell.edu/bad#prp999", SAFE_RESOURCE);
assertDecision(INCONCLUSIVE, badPropPolicy.isAuthorized(ids, whatToAuth)); assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddObjectPropStmt( whatToAuth = new AddObjectPropStmt(SAFE_RESOURCE,
SAFE_RESOURCE ,"http://mannlib.cornell.edu/bad#prp999", SELFEDITOR_URI); "http://mannlib.cornell.edu/bad#prp999", SELFEDITOR_URI);
assertDecision(INCONCLUSIVE, badPropPolicy.isAuthorized(ids, whatToAuth)); assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddObjectPropStmt( whatToAuth = new AddObjectPropStmt(SAFE_RESOURCE, SAFE_PREDICATE,
SAFE_RESOURCE ,SAFE_PREDICATE, SELFEDITOR_URI); SELFEDITOR_URI);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddObjectPropStmt(
SELFEDITOR_URI,SAFE_PREDICATE,SAFE_RESOURCE);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddObjectPropStmt(
SELFEDITOR_URI, UNSAFE_PREDICATE, SAFE_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
//now with dataprop statements
whatToAuth = new AddDataPropStmt(
SELFEDITOR_URI,"http://mannlib.cornell.edu/bad#prp234" ,SAFE_RESOURCE, null, null);
assertDecision(INCONCLUSIVE, badPropPolicy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddDataPropStmt(
SAFE_RESOURCE ,"http://mannlib.cornell.edu/bad#prp234", SELFEDITOR_URI, null, null);
assertDecision(INCONCLUSIVE, badPropPolicy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddDataPropStmt(
SELFEDITOR_URI,"http://mannlib.cornell.edu/bad#prp999" ,SAFE_RESOURCE, null, null);
assertDecision(INCONCLUSIVE, badPropPolicy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddDataPropStmt(
SAFE_RESOURCE ,"http://mannlib.cornell.edu/bad#prp999", SELFEDITOR_URI, null, null);
assertDecision(INCONCLUSIVE, badPropPolicy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddDataPropStmt(
SAFE_RESOURCE ,SAFE_PREDICATE, SELFEDITOR_URI, null, null);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddDataPropStmt(
SELFEDITOR_URI,SAFE_PREDICATE,SAFE_RESOURCE, null, null);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddDataPropStmt(
SELFEDITOR_URI, UNSAFE_PREDICATE, SAFE_RESOURCE, null, null);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
}
@Test
public void testForbiddenMoniker(){
Set<String> badProps = new HashSet<String>();
badProps.add(VitroVocabulary.MONIKER);
SelfEditingPolicy badPropPolicy = new SelfEditingPolicy(badProps,null,null,null,null);
whatToAuth = new AddDataPropStmt(
SELFEDITOR_URI, VitroVocabulary.MONIKER ,"someValue", null, null);
assertDecision(INCONCLUSIVE, badPropPolicy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddDataPropStmt(
SAFE_RESOURCE ,VitroVocabulary.MONIKER , "somevalue", null, null);
assertDecision(INCONCLUSIVE, badPropPolicy.isAuthorized(ids, whatToAuth));
DataPropertyStatement dps = new DataPropertyStatementImpl();
dps.setIndividualURI(SELFEDITOR_URI);
dps.setDatapropURI(VitroVocabulary.MONIKER);
dps.setData("some moniker");
whatToAuth = new EditDataPropStmt(dps);
assertDecision(INCONCLUSIVE, badPropPolicy.isAuthorized(ids, whatToAuth));
//try where moniker is permitted
badProps = new HashSet<String>();
badPropPolicy = new SelfEditingPolicy(badProps,null,null,null,null);
whatToAuth = new AddDataPropStmt(
SELFEDITOR_URI, VitroVocabulary.MONIKER ,"somevalue", null, null);
assertDecision(AUTHORIZED, badPropPolicy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddDataPropStmt(
UNSAFE_RESOURCE ,VitroVocabulary.MONIKER , "somevalue", null, null);
assertDecision(INCONCLUSIVE, badPropPolicy.isAuthorized(ids, whatToAuth));
dps = new DataPropertyStatementImpl();
dps.setIndividualURI(SAFE_RESOURCE);
dps.setDatapropURI(VitroVocabulary.MONIKER);
dps.setData("some moniker");
whatToAuth = new EditDataPropStmt(dps);
assertDecision(INCONCLUSIVE, badPropPolicy.isAuthorized(ids, whatToAuth));
}
@Test
public void testVisitIdentifierBundleAddObjectPropStmt() {
whatToAuth = new AddObjectPropStmt(SELFEDITOR_URI, SAFE_PREDICATE, SAFE_RESOURCE);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth)); assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddObjectPropStmt(SAFE_RESOURCE, SAFE_PREDICATE, SELFEDITOR_URI); whatToAuth = new AddObjectPropStmt(SELFEDITOR_URI, SAFE_PREDICATE,
SAFE_RESOURCE);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddObjectPropStmt(SELFEDITOR_URI, UNSAFE_PREDICATE,
SAFE_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
// now with dataprop statements
whatToAuth = new AddDataPropStmt(SELFEDITOR_URI,
"http://mannlib.cornell.edu/bad#prp234", "someString", null,
null);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddDataPropStmt(SELFEDITOR_URI,
"http://mannlib.cornell.edu/bad#prp999", "someString", null,
null);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddDataPropStmt(SELFEDITOR_URI, SAFE_PREDICATE,
"someString", null, null);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddDataPropStmt(SELFEDITOR_URI, UNSAFE_PREDICATE,
"someString", null, null);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
}
@Test
public void testVisitIdentifierBundleAddObjectPropStmt() {
whatToAuth = new AddObjectPropStmt(SELFEDITOR_URI, SAFE_PREDICATE,
SAFE_RESOURCE);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddObjectPropStmt(SAFE_RESOURCE, SAFE_PREDICATE,
SELFEDITOR_URI);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth)); assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
// this is the case where the editor is not part of the stmt // this is the case where the editor is not part of the stmt
whatToAuth = new AddObjectPropStmt(SAFE_RESOURCE, SAFE_PREDICATE, SAFE_RESOURCE); whatToAuth = new AddObjectPropStmt(SAFE_RESOURCE, SAFE_PREDICATE,
SAFE_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth)); assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddObjectPropStmt(SELFEDITOR_URI, UNSAFE_PREDICATE, SAFE_RESOURCE); whatToAuth = new AddObjectPropStmt(SELFEDITOR_URI, UNSAFE_PREDICATE,
SAFE_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth)); assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new AddObjectPropStmt(SELFEDITOR_URI, SAFE_PREDICATE, UNSAFE_RESOURCE); whatToAuth = new AddObjectPropStmt(SELFEDITOR_URI, SAFE_PREDICATE,
UNSAFE_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth)); assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
} }
// //
// @Test // @Test
// public void testVisitIdentifierBundleDropResource() { // public void testVisitIdentifierBundleDropResource() {
// fail("Not yet implemented"); // fail("Not yet implemented");
// } // }
// //
// @Test // @Test
// public void testVisitIdentifierBundleDropDataPropStmt() { // public void testVisitIdentifierBundleDropDataPropStmt() {
// fail("Not yet implemented"); // fail("Not yet implemented");
// } // }
// //
@Test
public void testVisitIdentifierBundleDropObjectPropStmt() {
whatToAuth = new DropObjectPropStmt(
SELFEDITOR_URI,SAFE_PREDICATE,SAFE_RESOURCE);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new DropObjectPropStmt(
SAFE_RESOURCE ,SAFE_PREDICATE, SELFEDITOR_URI);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
// this is the case where the editor is not part of the stmt
whatToAuth = new DropObjectPropStmt(
SAFE_RESOURCE, SAFE_PREDICATE, SAFE_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new DropObjectPropStmt(
SELFEDITOR_URI, UNSAFE_PREDICATE, SAFE_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new DropObjectPropStmt(
SELFEDITOR_URI, SAFE_PREDICATE, UNSAFE_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
}
//
// @Test
// public void testVisitIdentifierBundleAddResource() {
// fail("Not yet implemented");
// }
//
// @Test
// public void testVisitIdentifierBundleAddDataPropStmt() {
// fail("Not yet implemented");
// }
//
// @Test
// public void testVisitIdentifierBundleUploadFile() {
// fail("Not yet implemented");
// }
//
//
@Test
public void testVisitIdentifierBundleEditDataPropStmt() {
DataPropertyStatement dps = new DataPropertyStatementImpl();
dps.setIndividualURI(SELFEDITOR_URI);
dps.setDatapropURI(SAFE_PREDICATE);
dps.setData("junk");
whatToAuth = new EditDataPropStmt(dps);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
dps = new DataPropertyStatementImpl();
dps.setIndividualURI(SELFEDITOR_URI);
dps.setDatapropURI(UNSAFE_PREDICATE);
dps.setData("junk");
whatToAuth = new EditDataPropStmt(dps);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
dps = new DataPropertyStatementImpl();
dps.setIndividualURI(UNSAFE_RESOURCE);
dps.setDatapropURI(SAFE_PREDICATE);
whatToAuth = new EditDataPropStmt(dps);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
dps = new DataPropertyStatementImpl();
dps.setIndividualURI(SAFE_RESOURCE);
dps.setDatapropURI(SAFE_PREDICATE);
whatToAuth = new EditDataPropStmt(dps);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
}
@Test @Test
public void testVisitIdentifierBundleEditObjPropStmt() { public void testVisitIdentifierBundleDropObjectPropStmt() {
EditObjPropStmt whatToAuth = new EditObjPropStmt(SELFEDITOR_URI, SAFE_PREDICATE, SAFE_RESOURCE); whatToAuth = new DropObjectPropStmt(SELFEDITOR_URI, SAFE_PREDICATE,
SAFE_RESOURCE);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth)); assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new EditObjPropStmt(SAFE_RESOURCE, SAFE_PREDICATE, SELFEDITOR_URI); whatToAuth = new DropObjectPropStmt(SAFE_RESOURCE, SAFE_PREDICATE,
SELFEDITOR_URI);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth)); assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
// this is the case where the editor is not part of the stmt // this is the case where the editor is not part of the stmt
whatToAuth = new EditObjPropStmt(SAFE_RESOURCE, SAFE_PREDICATE, SAFE_RESOURCE); whatToAuth = new DropObjectPropStmt(SAFE_RESOURCE, SAFE_PREDICATE,
SAFE_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth)); assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new EditObjPropStmt(SELFEDITOR_URI, UNSAFE_PREDICATE, SAFE_RESOURCE); whatToAuth = new DropObjectPropStmt(SELFEDITOR_URI, UNSAFE_PREDICATE,
SAFE_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth)); assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new EditObjPropStmt(SELFEDITOR_URI, SAFE_PREDICATE, UNSAFE_RESOURCE); whatToAuth = new DropObjectPropStmt(SELFEDITOR_URI, SAFE_PREDICATE,
UNSAFE_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth)); assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
} }
//
// @Test
// public void testVisitIdentifierBundleAddResource() {
// fail("Not yet implemented");
// }
//
// @Test
// public void testVisitIdentifierBundleAddDataPropStmt() {
// fail("Not yet implemented");
// }
//
// @Test
// public void testVisitIdentifierBundleUploadFile() {
// fail("Not yet implemented");
// }
//
//
@Test
public void testVisitIdentifierBundleEditDataPropStmt() {
DataPropertyStatement dps = new DataPropertyStatementImpl();
dps.setIndividualURI(SELFEDITOR_URI);
dps.setDatapropURI(SAFE_PREDICATE);
dps.setData("junk");
whatToAuth = new EditDataPropStmt(dps);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
dps = new DataPropertyStatementImpl();
dps.setIndividualURI(SELFEDITOR_URI);
dps.setDatapropURI(UNSAFE_PREDICATE);
dps.setData("junk");
whatToAuth = new EditDataPropStmt(dps);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
dps = new DataPropertyStatementImpl();
dps.setIndividualURI(UNSAFE_RESOURCE);
dps.setDatapropURI(SAFE_PREDICATE);
whatToAuth = new EditDataPropStmt(dps);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
dps = new DataPropertyStatementImpl();
dps.setIndividualURI(SAFE_RESOURCE);
dps.setDatapropURI(SAFE_PREDICATE);
whatToAuth = new EditDataPropStmt(dps);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
}
@Test
public void testVisitIdentifierBundleEditObjPropStmt() {
whatToAuth = new EditObjPropStmt(SELFEDITOR_URI, SAFE_PREDICATE,
SAFE_RESOURCE);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new EditObjPropStmt(SAFE_RESOURCE, SAFE_PREDICATE,
SELFEDITOR_URI);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
// this is the case where the editor is not part of the stmt
whatToAuth = new EditObjPropStmt(SAFE_RESOURCE, SAFE_PREDICATE,
SAFE_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new EditObjPropStmt(SELFEDITOR_URI, UNSAFE_PREDICATE,
SAFE_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
whatToAuth = new EditObjPropStmt(SELFEDITOR_URI, SAFE_PREDICATE,
UNSAFE_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
}
// ---------------------------------------------------------------------- // ----------------------------------------------------------------------
// What if there are two SelfEditor Identifiers? // What if there are two SelfEditor Identifiers?
// ---------------------------------------------------------------------- // ----------------------------------------------------------------------
@Test @Test
public void twoSEIsFindObjectPropertySubject() { public void twoSEIsFindObjectPropertySubject() {
setUpTwoSEIs(); setUpTwoSEIs();
whatToAuth = new DropObjectPropStmt( whatToAuth = new DropObjectPropStmt(SELFEDITOR_URI, SAFE_PREDICATE,
SELFEDITOR_URI,SAFE_PREDICATE,SAFE_RESOURCE); SAFE_RESOURCE);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth)); assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
} }
@Test @Test
public void twoSEIsFindObjectPropertyObject() { public void twoSEIsFindObjectPropertyObject() {
setUpTwoSEIs(); setUpTwoSEIs();
whatToAuth = new DropObjectPropStmt( whatToAuth = new DropObjectPropStmt(SAFE_RESOURCE, SAFE_PREDICATE,
SAFE_RESOURCE ,SAFE_PREDICATE, SELFEDITOR_URI); SELFEDITOR_URI);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth)); assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
} }
@Test @Test
public void twoSEIsDontFindInObjectProperty() { public void twoSEIsDontFindInObjectProperty() {
setUpTwoSEIs(); setUpTwoSEIs();
whatToAuth = new DropObjectPropStmt( whatToAuth = new DropObjectPropStmt(SAFE_RESOURCE, SAFE_PREDICATE,
SAFE_RESOURCE ,SAFE_PREDICATE, SAFE_RESOURCE); SAFE_RESOURCE);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth)); assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
} }
@Test @Test
public void twoSEIsFindDataPropertySubject() { public void twoSEIsFindDataPropertySubject() {
setUpTwoSEIs(); setUpTwoSEIs();
DataPropertyStatement dps = new DataPropertyStatementImpl(); DataPropertyStatement dps = new DataPropertyStatementImpl();
dps.setIndividualURI(SELFEDITOR_URI); dps.setIndividualURI(SELFEDITOR_URI);
dps.setDatapropURI(SAFE_PREDICATE); dps.setDatapropURI(SAFE_PREDICATE);
dps.setData("junk"); dps.setData("junk");
whatToAuth = new EditDataPropStmt(dps); whatToAuth = new EditDataPropStmt(dps);
assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth)); assertDecision(AUTHORIZED, policy.isAuthorized(ids, whatToAuth));
} }
@Test @Test
@ -343,36 +313,39 @@ public class SelfEditingPolicyTest extends AbstractTestClass {
setUpTwoSEIs(); setUpTwoSEIs();
DataPropertyStatement dps = new DataPropertyStatementImpl(); DataPropertyStatement dps = new DataPropertyStatementImpl();
dps.setIndividualURI(SAFE_RESOURCE); dps.setIndividualURI(SAFE_RESOURCE);
dps.setDatapropURI(SAFE_PREDICATE); dps.setDatapropURI(SAFE_PREDICATE);
dps.setData("junk"); dps.setData("junk");
whatToAuth = new EditDataPropStmt(dps); whatToAuth = new EditDataPropStmt(dps);
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth)); assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, whatToAuth));
} }
private void setUpTwoSEIs() { private void setUpTwoSEIs() {
ids = new ArrayIdentifierBundle(); ids = new ArrayIdentifierBundle();
ids.add( new SelfEditingIdentifierFactory.NetId("bozoUser") );
IndividualImpl ind1 = new IndividualImpl();
ind1.setURI( SAFE_NS + "bozoUri" );
ids.add( new SelfEditingIdentifierFactory.SelfEditing( ind1, SelfEditingIdentifierFactory.NOT_BLACKLISTED ) );
ids.add( new SelfEditingIdentifierFactory.NetId("test223") ); ids.add(new SelfEditingIdentifierFactory.NetId("bozoUser"));
IndividualImpl ind2 = new IndividualImpl(); IndividualImpl ind1 = new IndividualImpl();
ind2.setURI( SELFEDITOR_URI ); ind1.setURI(SAFE_NS + "bozoUri");
ids.add( new SelfEditingIdentifierFactory.SelfEditing( ind2, SelfEditingIdentifierFactory.NOT_BLACKLISTED ) ); ids.add(new SelfEditingIdentifierFactory.SelfEditing(ind1,
SelfEditingIdentifierFactory.NOT_BLACKLISTED));
ids.add(new SelfEditingIdentifierFactory.NetId("test223"));
IndividualImpl ind2 = new IndividualImpl();
ind2.setURI(SELFEDITOR_URI);
ids.add(new SelfEditingIdentifierFactory.SelfEditing(ind2,
SelfEditingIdentifierFactory.NOT_BLACKLISTED));
} }
// ---------------------------------------------------------------------- // ----------------------------------------------------------------------
// Ignore administrative requests. // Ignore administrative requests.
// ---------------------------------------------------------------------- // ----------------------------------------------------------------------
@Test @Test
public void testServerStatus() { public void testServerStatus() {
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, new ServerStatus())); assertDecision(INCONCLUSIVE,
policy.isAuthorized(ids, new ServerStatus()));
} }
@Test @Test
@ -415,17 +388,20 @@ public class SelfEditingPolicyTest extends AbstractTestClass {
@Test @Test
public void testLoadOntology() { public void testLoadOntology() {
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, new LoadOntology())); assertDecision(INCONCLUSIVE,
policy.isAuthorized(ids, new LoadOntology()));
} }
@Test @Test
public void testRebuildTextIndex() { public void testRebuildTextIndex() {
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, new RebuildTextIndex())); assertDecision(INCONCLUSIVE,
policy.isAuthorized(ids, new RebuildTextIndex()));
} }
@Test @Test
public void testVisitIdentifierBundleUpdateTextIndex() { public void testVisitIdentifierBundleUpdateTextIndex() {
assertDecision(INCONCLUSIVE, policy.isAuthorized(ids, new UpdateTextIndex())); assertDecision(INCONCLUSIVE,
policy.isAuthorized(ids, new UpdateTextIndex()));
} }
// ---------------------------------------------------------------------- // ----------------------------------------------------------------------

15
webapp/test/edu/cornell/mannlib/vitro/webapp/auth/policy/setup/SelfEditingPolicySetupTest.java
View file

@ -11,6 +11,9 @@ import org.junit.Assert;
import org.junit.Before; import org.junit.Before;
import org.junit.Test; import org.junit.Test;
import stubs.edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelperStub;
import stubs.javax.servlet.ServletContextStub;
import com.hp.hpl.jena.ontology.OntModel; import com.hp.hpl.jena.ontology.OntModel;
import com.hp.hpl.jena.rdf.model.ModelFactory; import com.hp.hpl.jena.rdf.model.ModelFactory;
import com.hp.hpl.jena.rdf.model.impl.RDFDefaultErrorHandler; import com.hp.hpl.jena.rdf.model.impl.RDFDefaultErrorHandler;
@ -21,6 +24,7 @@ import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle; import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory; import edu.cornell.mannlib.vitro.webapp.auth.identifier.SelfEditingIdentifierFactory;
import edu.cornell.mannlib.vitro.webapp.auth.policy.SelfEditingPolicy; import edu.cornell.mannlib.vitro.webapp.auth.policy.SelfEditingPolicy;
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision; import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropStmt; import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropStmt;
@ -80,7 +84,12 @@ public class SelfEditingPolicySetupTest extends AbstractTestClass {
Assert.assertNotNull(model); Assert.assertNotNull(model);
Assert.assertTrue(model.size() > 0); Assert.assertTrue(model.size() > 0);
policy = SelfEditingPolicySetup.makeSelfEditPolicyFromModel(model); ServletContextStub ctx = new ServletContextStub();
PropertyRestrictionPolicyHelper.setBean(ctx,
PropertyRestrictionPolicyHelperStub
.getInstance(new String[] { ADMIN_NS }));
policy = new SelfEditingPolicy(ctx);
Assert.assertNotNull(policy); Assert.assertNotNull(policy);
seIndividual = new IndividualImpl(); seIndividual = new IndividualImpl();
@ -116,8 +125,7 @@ public class SelfEditingPolicySetupTest extends AbstractTestClass {
@Test @Test
public void noSelfEditorIdentifier() { public void noSelfEditorIdentifier() {
ids.clear(); ids.clear();
ids.add(new Identifier() { ids.add(new Identifier() { /* empty identifier */ });
});
assertAddObjectPropStmt(SELFEDITOR_URI, SAFE_PREDICATE, SAFE_RESOURCE, assertAddObjectPropStmt(SELFEDITOR_URI, SAFE_PREDICATE, SAFE_RESOURCE,
Authorization.INCONCLUSIVE); Authorization.INCONCLUSIVE);
} }
@ -308,5 +316,4 @@ public class SelfEditingPolicySetupTest extends AbstractTestClass {
Assert.assertNotNull(dec); Assert.assertNotNull(dec);
Assert.assertEquals(expectedAuthorization, dec.getAuthorized()); Assert.assertEquals(expectedAuthorization, dec.getAuthorized());
} }
} }

63
webapp/test/stubs/edu/cornell/mannlib/vitro/webapp/auth/policy/bean/PropertyRestrictionPolicyHelperStub.java Normal file
View file

@ -0,0 +1,63 @@
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
package stubs.edu.cornell.mannlib.vitro.webapp.auth.policy.bean;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import edu.cornell.mannlib.vitro.webapp.auth.policy.bean.PropertyRestrictionPolicyHelper;
import edu.cornell.mannlib.vitro.webapp.beans.BaseResourceBean.RoleLevel;
/**
* Allow the unit test to specify a variety of restrictions
*/
public class PropertyRestrictionPolicyHelperStub extends
PropertyRestrictionPolicyHelper {
/** Don't prohibit or restrict anything. */
public static PropertyRestrictionPolicyHelper getInstance() {
return getInstance(null, null);
}
/** Prohibit some namespaces. */
public static PropertyRestrictionPolicyHelperStub getInstance(
String[] restrictedNamespaces) {
return getInstance(restrictedNamespaces, null);
}
/**
* Prohibit some namespaces and restrict some properties from modification
* by anybody.
*/
public static PropertyRestrictionPolicyHelperStub getInstance(
String[] restrictedNamespaces, String[] restrictedProperties) {
Set<String> namespaceSet = new HashSet<String>();
if (restrictedNamespaces != null) {
namespaceSet.addAll(Arrays.asList(restrictedNamespaces));
}
Map<String, RoleLevel> thresholdMap = new HashMap<String, RoleLevel>();
if (restrictedProperties != null) {
for (String prop : restrictedProperties) {
thresholdMap.put(prop, RoleLevel.NOBODY);
}
}
return new PropertyRestrictionPolicyHelperStub(namespaceSet, null,
null, thresholdMap);
}
private PropertyRestrictionPolicyHelperStub(
Set<String> modifyRestrictedNamespaces,
Set<String> modifyPermittedExceptions,
Map<String, RoleLevel> displayThresholds,
Map<String, RoleLevel> modifyThresholds) {
super(modifyRestrictedNamespaces, modifyPermittedExceptions,
displayThresholds, modifyThresholds);
}
}