NIHVIVO-2279 remove unused RoleBasedPolicy
This commit is contained in:
j2blake
parent
ca1518a5f4
commit
e45a302f68
2 changed files with 5 additions and 180 deletions
|
|
@ -1,171 +0,0 @@
|
|||
/* $This file is distributed under the terms of the license in /doc/license.txt$ */
|
||||
|
||||
package edu.cornell.mannlib.vitro.webapp.auth.policy;
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.Identifier;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.identifier.IdentifierBundle;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.Authorization;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DefaultInconclusivePolicy;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyDecision;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.PolicyIface;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.AddNewUser;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.LoadOntology;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.RebuildTextIndex;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.RemoveUser;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.ServerStatus;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.UpdateTextIndex;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.admin.UploadFile;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ifaces.RequestedAction;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.CreateOwlClass;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.DefineDataProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.DefineObjectProperty;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.ontology.RemoveOwlClass;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddDataPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.AddObjectPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropDataPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.propstmt.DropObjectPropStmt;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.AddResource;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.resource.DropResource;
|
||||
|
||||
/**
|
||||
* Policy that mimics the authorization roles of the old system. So each
|
||||
* principle that is to be authorized needs to be associated with an individual
|
||||
* in the model and the individual needs to have a ObjectPropertyStatement between it and
|
||||
* a authorization role.
|
||||
*
|
||||
* ex.
|
||||
*
|
||||
* vivo:indvidual23323 vivo:cornellNetId "bdc34".
|
||||
* vivo:indvidual22323 vitro:authRole <role://50>.
|
||||
*
|
||||
* Notice that this policy doesn't need setup because it will look for
|
||||
* an authorization role identifier in the model.
|
||||
*
|
||||
* @author bdc34
|
||||
*
|
||||
*/
|
||||
public class RoleBasedPolicy extends DefaultInconclusivePolicy implements PolicyIface {
|
||||
private static final Log log = LogFactory.getLog(RoleBasedPolicy.class.getName());
|
||||
|
||||
/**
|
||||
* What is the minimum AuthRole needed to perform a given action?
|
||||
*/
|
||||
private static Map<Class<?>,AuthRole> actionToMinRole = new HashMap<Class<?>,AuthRole>();
|
||||
static{
|
||||
//anybody actions
|
||||
//view resources?
|
||||
|
||||
//user actions
|
||||
//allow netid authenticated people to do things?
|
||||
|
||||
//edit actions
|
||||
actionToMinRole.put(AddDataPropStmt.class, AuthRole.EDITOR);
|
||||
actionToMinRole.put(AddObjectPropStmt.class, AuthRole.EDITOR);
|
||||
actionToMinRole.put(AddResource.class, AuthRole.EDITOR);
|
||||
actionToMinRole.put(DropDataPropStmt.class, AuthRole.EDITOR);
|
||||
actionToMinRole.put(DropObjectPropStmt.class, AuthRole.EDITOR);
|
||||
actionToMinRole.put(DropResource.class, AuthRole.EDITOR);
|
||||
actionToMinRole.put(UploadFile.class, AuthRole.EDITOR);
|
||||
actionToMinRole.put(ServerStatus.class, AuthRole.EDITOR);
|
||||
actionToMinRole.put(UpdateTextIndex.class, AuthRole.EDITOR);
|
||||
//curator actions
|
||||
actionToMinRole.put(DefineDataProperty.class, AuthRole.CURATOR);
|
||||
actionToMinRole.put(DefineObjectProperty.class, AuthRole.CURATOR);
|
||||
actionToMinRole.put(CreateOwlClass.class, AuthRole.CURATOR);
|
||||
actionToMinRole.put(RemoveOwlClass.class, AuthRole.CURATOR);
|
||||
//dba actions (dba role is allowed to do anything)
|
||||
actionToMinRole.put(AddNewUser.class, AuthRole.DBA);
|
||||
actionToMinRole.put(LoadOntology.class, AuthRole.DBA);
|
||||
actionToMinRole.put(RemoveUser.class, AuthRole.DBA);
|
||||
actionToMinRole.put(RebuildTextIndex.class, AuthRole.DBA);
|
||||
};
|
||||
|
||||
public PolicyDecision isAuthorized(IdentifierBundle whomToAuth, RequestedAction whatToAuth) {
|
||||
if( whomToAuth == null ){
|
||||
log.error( "null was passed as whoToAuth" );
|
||||
return new BasicPolicyDecision(Authorization.INCONCLUSIVE,"null was passed as whoToAuth");
|
||||
}
|
||||
if( whatToAuth == null ){
|
||||
log.error("null was passed as whatToAuth");
|
||||
return new BasicPolicyDecision(Authorization.INCONCLUSIVE,"null was passed as whatToAuth");
|
||||
}
|
||||
|
||||
//dba can do anything
|
||||
if( AuthRole.DBA.thisRoleOrGreater(whomToAuth))
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"in DBA role");
|
||||
|
||||
//We need to find the class of the RequestedAction since that
|
||||
//encodes what type of action is being requested.
|
||||
Class<?> requesetClass = whatToAuth.getClass();
|
||||
AuthRole minmumRoleForAction = actionToMinRole.get(requesetClass);
|
||||
|
||||
if( minmumRoleForAction == null ){
|
||||
String msg = "no minimum role found for action " + whatToAuth.getClass().getName();
|
||||
log.error(msg);
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,msg);
|
||||
}
|
||||
|
||||
if( minmumRoleForAction.thisRoleOrGreater(whomToAuth) )
|
||||
return new BasicPolicyDecision(Authorization.AUTHORIZED,"authorized for role");
|
||||
else
|
||||
return new BasicPolicyDecision(Authorization.UNAUTHORIZED,"not authorized for role");
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "RoleBasedPolicy";
|
||||
}
|
||||
|
||||
|
||||
/********************** Roles *****************************************/
|
||||
public static enum AuthRole implements Identifier {
|
||||
ANYBODY( "role:/0" ,LoginStatusBean.ANYBODY),
|
||||
USER( "role:/1" ,LoginStatusBean.NON_EDITOR),
|
||||
EDITOR( "role:/4" ,LoginStatusBean.EDITOR),
|
||||
CURATOR( "role:/5" ,LoginStatusBean.CURATOR),
|
||||
DBA( "role:/50",LoginStatusBean.DBA);
|
||||
|
||||
private final String roleUri;
|
||||
private final int level;
|
||||
|
||||
AuthRole(String uri, int level) {
|
||||
this.roleUri = uri;
|
||||
this.level = level;
|
||||
}
|
||||
|
||||
public String roleUri() { return roleUri; }
|
||||
public int level() {return level;}
|
||||
|
||||
/** returns null if not found */
|
||||
public static AuthRole convertUriToAuthRole(String uri){
|
||||
for( AuthRole role : AuthRole.values()){
|
||||
if( role.roleUri().equals( uri ))
|
||||
return role;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
public boolean thisRoleOrGreater(IdentifierBundle ibundle){
|
||||
if( ibundle == null )
|
||||
return false;
|
||||
for(Object obj : ibundle){
|
||||
if( obj instanceof AuthRole &&
|
||||
((AuthRole)obj).level() >= this.level())
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
@Override
|
||||
public String toString() {
|
||||
return "AuthRole: " + name();
|
||||
}
|
||||
}/* end of enum AuthRole */
|
||||
}/* end of class RoleBasedPolicy */
|
||||
|
|
@ -17,7 +17,6 @@ import org.apache.commons.logging.LogFactory;
|
|||
|
||||
import edu.cornell.mannlib.vedit.beans.LoginStatusBean;
|
||||
import edu.cornell.mannlib.vedit.beans.LoginStatusBean.AuthenticationSource;
|
||||
import edu.cornell.mannlib.vitro.webapp.auth.policy.RoleBasedPolicy.AuthRole;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.SelfEditingConfiguration;
|
||||
import edu.cornell.mannlib.vitro.webapp.beans.User;
|
||||
import edu.cornell.mannlib.vitro.webapp.controller.edit.Authenticate;
|
||||
|
|
@ -105,25 +104,22 @@ public class BasicAuthenticator extends Authenticator {
|
|||
recordLoginOnUserRecord(user);
|
||||
|
||||
String userUri = user.getURI();
|
||||
String roleUri = user.getRoleURI();
|
||||
int securityLevel = parseUserSecurityLevel(user);
|
||||
recordLoginWithOrWithoutUserAccount(username, userUri, roleUri,
|
||||
securityLevel, authSource);
|
||||
recordLoginWithOrWithoutUserAccount(username, userUri, securityLevel,
|
||||
authSource);
|
||||
}
|
||||
|
||||
@Override
|
||||
public void recordLoginWithoutUserAccount(String username,
|
||||
String individualUri, AuthenticationSource authSource) {
|
||||
String roleUri = AuthRole.USER.roleUri();
|
||||
int securityLevel = LoginStatusBean.NON_EDITOR;
|
||||
recordLoginWithOrWithoutUserAccount(username, individualUri, roleUri,
|
||||
securityLevel, authSource);
|
||||
recordLoginWithOrWithoutUserAccount(username, individualUri, securityLevel,
|
||||
authSource);
|
||||
}
|
||||
|
||||
/** This much is in common on login, whether or not you have a user account. */
|
||||
private void recordLoginWithOrWithoutUserAccount(String username,
|
||||
String userUri, String roleUri, int securityLevel,
|
||||
AuthenticationSource authSource) {
|
||||
String userUri, int securityLevel, AuthenticationSource authSource) {
|
||||
HttpSession session = request.getSession();
|
||||
createLoginStatusBean(username, userUri, securityLevel, authSource,
|
||||
session);
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue