Issue #1485: fixed a bug in CAVE localization where a save() operation would appear to succeed when it had actually failed because the user was not authorized.
Change-Id: Ib37e5be2163d750ac24827c2868162b06c290390 Former-commit-id:8058260830
[formerly5c51083f35
] [formerly8058260830
[formerly5c51083f35
] [formerly6fd6b2e42d
[formerly 3b5af8689a2fc2a7ee783d896c624fbc5581b58a]]] Former-commit-id:6fd6b2e42d
Former-commit-id:3d459dd57c
[formerly2c05f3c179
] Former-commit-id:75135bf8f6
parent
ce68428901
commit
babef87edb
7 changed files with 109 additions and 108 deletions
|
@ -250,7 +250,7 @@ public class CAVELocalizationAdapter implements ILocalizationAdapter {
|
||||||
return true;
|
return true;
|
||||||
} catch (FileNotFoundException e) {
|
} catch (FileNotFoundException e) {
|
||||||
throw new LocalizationOpFailedException(
|
throw new LocalizationOpFailedException(
|
||||||
"Error saving file, does not exist");
|
"Error saving, file does not exist");
|
||||||
} finally {
|
} finally {
|
||||||
// Make sure to close input stream
|
// Make sure to close input stream
|
||||||
if (in != null) {
|
if (in != null) {
|
||||||
|
|
|
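Review bot: The rewritten throw at `"Error saving, file does not exist"` still discards the caught `FileNotFoundException e`, so the stack trace and the path information it carries never reach the caller or the log. The LocalizationManager hunk in this same commit passes the cause through, and the same two-argument constructor can be used here: `throw new LocalizationOpFailedException("Error saving, file does not exist", e);`. The enclosing try block begins before the hunk.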
@ -777,7 +777,7 @@ public class LocalizationManager implements IPropertyChangeListener {
|
||||||
}
|
}
|
||||||
} catch (VizException e) {
|
} catch (VizException e) {
|
||||||
throw new LocalizationOpFailedException(
|
throw new LocalizationOpFailedException(
|
||||||
"Error storing file contents to server: "
|
"Error uploading file contents to localization server: "
|
||||||
+ e.getLocalizedMessage(), e);
|
+ e.getLocalizedMessage(), e);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -63,7 +63,7 @@ public class NwsNotAuthHandler implements INotAuthHandler {
|
||||||
+ request.getClass();
|
+ request.getClass();
|
||||||
UFStatus.getHandler(NwsNotAuthHandler.class).handle(Priority.PROBLEM,
|
UFStatus.getHandler(NwsNotAuthHandler.class).handle(Priority.PROBLEM,
|
||||||
message);
|
message);
|
||||||
return null;
|
throw new VizException(message);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -82,7 +82,7 @@ public class NwsNotAuthHandler implements INotAuthHandler {
|
||||||
}
|
}
|
||||||
UFStatus.getHandler(NwsNotAuthHandler.class).handle(Priority.PROBLEM,
|
UFStatus.getHandler(NwsNotAuthHandler.class).handle(Priority.PROBLEM,
|
||||||
message);
|
message);
|
||||||
return null;
|
throw new VizException(message);
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
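Review bot: Both refusal paths in NwsNotAuthHandler now throw `VizException(message)` right after logging the same text at `Priority.PROBLEM`, so a refusal will typically be reported twice (once here, once wherever the exception is caught and surfaced) unless callers are expected to swallow it. More importantly the fail-closed behaviour lives in one implementation: any other `INotAuthHandler` that still returns `null` keeps the silent-success bug this commit fixes, so the interface's Javadoc should state the contract, e.g. `@throws VizException if the request is not authorized; implementations must not signal refusal by returning null`. Both method bodies start outside their hunks.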
@ -19,13 +19,16 @@
|
||||||
**/
|
**/
|
||||||
package com.raytheon.edex.services;
|
package com.raytheon.edex.services;
|
||||||
|
|
||||||
import java.io.File;
|
import java.util.HashSet;
|
||||||
|
import java.util.Set;
|
||||||
|
|
||||||
import com.raytheon.uf.common.auth.exception.AuthorizationException;
|
import com.raytheon.uf.common.auth.exception.AuthorizationException;
|
||||||
import com.raytheon.uf.common.auth.req.AbstractPrivilegedRequest;
|
import com.raytheon.uf.common.auth.req.AbstractPrivilegedRequest;
|
||||||
import com.raytheon.uf.common.auth.user.IUser;
|
import com.raytheon.uf.common.auth.user.IUser;
|
||||||
|
import com.raytheon.uf.common.localization.IPathManager;
|
||||||
import com.raytheon.uf.common.localization.LocalizationContext;
|
import com.raytheon.uf.common.localization.LocalizationContext;
|
||||||
import com.raytheon.uf.common.localization.LocalizationContext.LocalizationLevel;
|
import com.raytheon.uf.common.localization.LocalizationContext.LocalizationLevel;
|
||||||
|
import com.raytheon.uf.common.localization.LocalizationContext.LocalizationType;
|
||||||
import com.raytheon.uf.edex.auth.AuthManager;
|
import com.raytheon.uf.edex.auth.AuthManager;
|
||||||
import com.raytheon.uf.edex.auth.AuthManagerFactory;
|
import com.raytheon.uf.edex.auth.AuthManagerFactory;
|
||||||
import com.raytheon.uf.edex.auth.req.AbstractPrivilegedRequestHandler;
|
import com.raytheon.uf.edex.auth.req.AbstractPrivilegedRequestHandler;
|
||||||
|
@ -51,87 +54,85 @@ import com.raytheon.uf.edex.auth.roles.IRoleStorage;
|
||||||
*/
|
*/
|
||||||
public abstract class AbstractPrivilegedLocalizationRequestHandler<T extends AbstractPrivilegedRequest>
|
public abstract class AbstractPrivilegedLocalizationRequestHandler<T extends AbstractPrivilegedRequest>
|
||||||
extends AbstractPrivilegedRequestHandler<T> {
|
extends AbstractPrivilegedRequestHandler<T> {
|
||||||
|
|
||||||
|
private static final String PATH_SEPARATOR = IPathManager.SEPARATOR;
|
||||||
|
|
||||||
|
private static final String SEPARATOR = ".";
|
||||||
|
|
||||||
|
private static final String ROLE_PREFIX = "com.raytheon.localization";
|
||||||
|
|
||||||
private static final String APPLICATION = "Localization";
|
private static final String APPLICATION = "Localization";
|
||||||
|
|
||||||
protected AuthorizationResponse getAuthorizationResponse(IUser user,
|
protected AuthorizationResponse getAuthorizationResponse(IUser user,
|
||||||
LocalizationContext context, LocalizationLevel level,
|
LocalizationContext context, String fileName, String myContextName)
|
||||||
String fileName, String myContextName)
|
|
||||||
throws AuthorizationException {
|
throws AuthorizationException {
|
||||||
String contextName = context.getContextName();
|
String contextName = context.getContextName();
|
||||||
|
LocalizationLevel level = context.getLocalizationLevel();
|
||||||
|
LocalizationType type = context.getLocalizationType();
|
||||||
|
boolean contextsMatch = (myContextName != null && myContextName
|
||||||
|
.equals(contextName));
|
||||||
if (level.isSystemLevel()) {
|
if (level.isSystemLevel()) {
|
||||||
return new AuthorizationResponse(false,
|
return new AuthorizationResponse(false,
|
||||||
"Modification to system level configuration is prohibited.");
|
"Modification to system level configuration is prohibited.");
|
||||||
} else if (myContextName != null
|
} else if (level == LocalizationLevel.USER && contextsMatch) {
|
||||||
&& myContextName.equals(contextName)
|
// Don't prevent users from modifying own files
|
||||||
&& (context.getLocalizationLevel() == LocalizationLevel.USER || context
|
|
||||||
.getLocalizationLevel() == LocalizationLevel.WORKSTATION)) {
|
|
||||||
// If context names match and we are user or workstation file
|
|
||||||
// request, that is ok
|
|
||||||
return new AuthorizationResponse(true);
|
return new AuthorizationResponse(true);
|
||||||
}
|
}
|
||||||
|
|
||||||
AuthManager manager = AuthManagerFactory.getInstance().getManager();
|
AuthManager manager = AuthManagerFactory.getInstance().getManager();
|
||||||
IRoleStorage roleStorage = manager.getRoleStorage();
|
IRoleStorage roleStorage = manager.getRoleStorage();
|
||||||
String roleId = "";
|
String[] permissions = roleStorage
|
||||||
|
.getAllDefinedPermissions(APPLICATION);
|
||||||
|
Set<String> definedPermissions = new HashSet<String>();
|
||||||
|
for (String permission : permissions) {
|
||||||
|
definedPermissions.add(permission.toLowerCase());
|
||||||
|
}
|
||||||
|
|
||||||
|
String absoluteRoleId = buildRoleId(level, type, contextName, fileName);
|
||||||
// First round check com.raytheon.localization.level
|
// First round check com.raytheon.localization.level
|
||||||
// Second round check com.raytheon.localization.level.name
|
// Second round check com.raytheon.localization.level.name
|
||||||
for (int i = 0; i < 2; ++i) {
|
for (int i = 0; i < 2; ++i) {
|
||||||
roleId = "com.raytheon.localization."
|
String contextNameToUse = i > 0 ? contextName : null;
|
||||||
+ context.getLocalizationLevel().name()
|
String roleId = buildRoleId(level, type, contextNameToUse, fileName);
|
||||||
+ "/" + context.getLocalizationType().name();
|
|
||||||
if (i > 0) {
|
|
||||||
if (contextName != null) {
|
|
||||||
roleId += "." + contextName;
|
|
||||||
} else {
|
|
||||||
// We already checked this case
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// check most specific to least specific
|
// check most specific to least specific
|
||||||
// com.raytheon.localization.<level>.(<specificLevel>.)/type/path/name/
|
// com.raytheon.localization.<level>.(<specificLevel>.)/type/path/name/
|
||||||
int minIndex = roleId.length();
|
int minLength = roleId.length() - fileName.length() - 1;
|
||||||
roleId += File.separator + fileName;
|
do {
|
||||||
int index = roleId.length();
|
if (roleStorage.isAuthorized(roleId,
|
||||||
|
user.uniqueId().toString(), APPLICATION)) {
|
||||||
while (index > minIndex) {
|
|
||||||
roleId = roleId.substring(0, index);
|
|
||||||
|
|
||||||
if (roleStorage.isAuthorized(roleId, user.uniqueId().toString(), APPLICATION)) {
|
|
||||||
return new AuthorizationResponse(true);
|
return new AuthorizationResponse(true);
|
||||||
|
} else if (definedPermissions.contains(roleId.toLowerCase())) {
|
||||||
|
// User not authorized and this roleId is explicitly defined
|
||||||
|
return notAuthorized(user, absoluteRoleId);
|
||||||
}
|
}
|
||||||
|
|
||||||
index = roleId.lastIndexOf(File.separator, index - 1);
|
roleId = roleId.substring(0,
|
||||||
}
|
roleId.lastIndexOf(PATH_SEPARATOR, roleId.length()));
|
||||||
|
} while (roleId.length() >= minLength);
|
||||||
roleId = "com.raytheon.localization."
|
|
||||||
+ context.getLocalizationLevel().name();
|
|
||||||
if (i > 0) {
|
|
||||||
if (contextName != null) {
|
|
||||||
roleId += "." + contextName;
|
|
||||||
} else {
|
|
||||||
// We already checked this case
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
// com.raytheon.localization.<level>.(<specificLevel>)
|
|
||||||
if (roleStorage.isAuthorized(roleId, user.uniqueId().toString(), APPLICATION)) {
|
|
||||||
return new AuthorizationResponse(true);
|
|
||||||
}
|
|
||||||
|
|
||||||
// com.raytheon.localization.<level>.(<specificLevel>.)/type
|
|
||||||
roleId += "/" + context.getLocalizationType().name();
|
|
||||||
|
|
||||||
if (roleStorage.isAuthorized(roleId, user.uniqueId().toString(), APPLICATION)) {
|
|
||||||
return new AuthorizationResponse(true);
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (level == LocalizationLevel.WORKSTATION && contextsMatch) {
|
||||||
|
// If no rule found and user is attempting to modify workstation
|
||||||
|
// they are using, default to allow
|
||||||
|
return new AuthorizationResponse(true);
|
||||||
|
}
|
||||||
|
|
||||||
|
return notAuthorized(user, absoluteRoleId);
|
||||||
|
}
|
||||||
|
|
||||||
|
private String buildRoleId(LocalizationLevel level, LocalizationType type,
|
||||||
|
String contextName, String fileName) {
|
||||||
|
String roleId = ROLE_PREFIX + SEPARATOR + level;
|
||||||
|
if (contextName != null) {
|
||||||
|
roleId += SEPARATOR + contextName;
|
||||||
|
}
|
||||||
|
roleId += PATH_SEPARATOR + type;
|
||||||
|
roleId += PATH_SEPARATOR + fileName;
|
||||||
|
return roleId;
|
||||||
|
}
|
||||||
|
|
||||||
|
private AuthorizationResponse notAuthorized(IUser user, String roleId) {
|
||||||
return new AuthorizationResponse(false, "User, " + user.uniqueId()
|
return new AuthorizationResponse(false, "User, " + user.uniqueId()
|
||||||
+ ", is not authorized to perform request needing role: "
|
+ ", is not authorized to perform request needing role: "
|
||||||
+ roleId);
|
+ roleId);
|
||||||
|
|
|
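Review bot: The do/while in the rewritten getAuthorizationResponse stops as soon as `roleId.length()` drops below `minLength`, and `minLength` is the length of `<prefix>/<type>`, so the bare `com.raytheon.localization.<level>[.<contextName>]` role that the removed code still tested (its `// com.raytheon.localization.<level>.(<specificLevel>)` block) is never consulted any more; unless that level-wide grant is deliberately being retired, a user who holds only it will now be refused for every file. A check of that id after each pass of the outer loop restores the old coverage while keeping the new explicit-deny behaviour, as sketched below. Separately, `contextsMatch` compares two values that both appear to arrive with the request (`myContextName` is `request.getMyContextName()` in the LocalizationStreamHandler and PrivilegedUtilityHandler hunks), so the USER-level allow and the WORKSTATION fallback are not anchored to the authenticated `user`; if the USER context name is derived from the login identity, comparing `contextName` with `user.uniqueId()` there would tie the shortcut to the caller. Also, `roleId.substring(0, roleId.lastIndexOf(PATH_SEPARATOR, roleId.length()))` would throw StringIndexOutOfBoundsException (substring to -1) should the separator ever be absent, which the ids built by buildRoleId rule out but which deserves a comment. The class body continues past the hunk.
```java
            } while (roleId.length() >= minLength);

            // Coarsest grant for this pass:
            // com.raytheon.localization.<level>[.<contextName>]
            String levelRoleId = ROLE_PREFIX + SEPARATOR + level
                    + (contextNameToUse != null ? SEPARATOR + contextNameToUse : "");
            if (roleStorage.isAuthorized(levelRoleId,
                    user.uniqueId().toString(), APPLICATION)) {
                return new AuthorizationResponse(true);
            }
        }
        // … unchanged: WORKSTATION fallback and final notAuthorized …
```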
@ -294,9 +294,8 @@ public class LocalizationStreamHandler
|
||||||
return new AuthorizationResponse(true);
|
return new AuthorizationResponse(true);
|
||||||
} else if (request instanceof LocalizationStreamPutRequest) {
|
} else if (request instanceof LocalizationStreamPutRequest) {
|
||||||
LocalizationContext context = request.getContext();
|
LocalizationContext context = request.getContext();
|
||||||
LocalizationLevel level = context.getLocalizationLevel();
|
|
||||||
String fileName = request.getFileName();
|
String fileName = request.getFileName();
|
||||||
return getAuthorizationResponse(user, context, level, fileName,
|
return getAuthorizationResponse(user, context, fileName,
|
||||||
request.getMyContextName());
|
request.getMyContextName());
|
||||||
}
|
}
|
||||||
return new AuthorizationResponse(true);
|
return new AuthorizationResponse(true);
|
||||||
|
|
|
@ -6,7 +6,6 @@ import java.util.List;
|
||||||
import com.raytheon.uf.common.auth.exception.AuthorizationException;
|
import com.raytheon.uf.common.auth.exception.AuthorizationException;
|
||||||
import com.raytheon.uf.common.auth.user.IUser;
|
import com.raytheon.uf.common.auth.user.IUser;
|
||||||
import com.raytheon.uf.common.localization.LocalizationContext;
|
import com.raytheon.uf.common.localization.LocalizationContext;
|
||||||
import com.raytheon.uf.common.localization.LocalizationContext.LocalizationLevel;
|
|
||||||
import com.raytheon.uf.common.localization.msgs.AbstractPrivilegedUtilityCommand;
|
import com.raytheon.uf.common.localization.msgs.AbstractPrivilegedUtilityCommand;
|
||||||
import com.raytheon.uf.common.localization.msgs.AbstractUtilityResponse;
|
import com.raytheon.uf.common.localization.msgs.AbstractUtilityResponse;
|
||||||
import com.raytheon.uf.common.localization.msgs.DeleteUtilityCommand;
|
import com.raytheon.uf.common.localization.msgs.DeleteUtilityCommand;
|
||||||
|
@ -73,10 +72,9 @@ public class PrivilegedUtilityHandler
|
||||||
AbstractPrivilegedUtilityCommand[] commands = request.getCommands();
|
AbstractPrivilegedUtilityCommand[] commands = request.getCommands();
|
||||||
for (AbstractPrivilegedUtilityCommand abstractUtilityCommand : commands) {
|
for (AbstractPrivilegedUtilityCommand abstractUtilityCommand : commands) {
|
||||||
LocalizationContext context = abstractUtilityCommand.getContext();
|
LocalizationContext context = abstractUtilityCommand.getContext();
|
||||||
LocalizationLevel level = context.getLocalizationLevel();
|
|
||||||
String filename = abstractUtilityCommand.getFilename();
|
String filename = abstractUtilityCommand.getFilename();
|
||||||
AuthorizationResponse resp = getAuthorizationResponse(user,
|
AuthorizationResponse resp = getAuthorizationResponse(user,
|
||||||
context, level, filename,
|
context, filename,
|
||||||
abstractUtilityCommand.getMyContextName());
|
abstractUtilityCommand.getMyContextName());
|
||||||
if (resp.isAuthorized() == false) {
|
if (resp.isAuthorized() == false) {
|
||||||
// If we are not authorized for any of the commands, break early
|
// If we are not authorized for any of the commands, break early
|
||||||
|
|
|
@ -98,11 +98,11 @@ public class EdexLogHandler implements IUFStatusHandler {
|
||||||
*/
|
*/
|
||||||
@Override
|
@Override
|
||||||
public void handle(UFStatus status) {
|
public void handle(UFStatus status) {
|
||||||
handle(status, this.category);
|
handle(status, this.category);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void handle(UFStatus status, String category) {
|
public void handle(UFStatus status, String category) {
|
||||||
Priority p = status.getPriority();
|
Priority p = status.getPriority();
|
||||||
String statusMsg = status.getMessage();
|
String statusMsg = status.getMessage();
|
||||||
if (category != null) {
|
if (category != null) {
|
||||||
|
@ -154,11 +154,14 @@ public class EdexLogHandler implements IUFStatusHandler {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void handle(Priority p, String msg) {
|
public void handle(Priority p, String msg) {
|
||||||
handle(p, this.category, msg);
|
handle(p, this.category, msg);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void handle(Priority p, String category, String msg) {
|
public void handle(Priority p, String category, String msg) {
|
||||||
|
// msg has been null if someone does e.getLocalizedMessage()
|
||||||
|
// and it is null which causes null pointer exception
|
||||||
|
msg = String.valueOf(msg);
|
||||||
if (category != null) {
|
if (category != null) {
|
||||||
StringBuilder sb = new StringBuilder(msg.length() + 64);
|
StringBuilder sb = new StringBuilder(msg.length() + 64);
|
||||||
sb.append(category);
|
sb.append(category);
|
||||||
|
@ -197,13 +200,13 @@ public class EdexLogHandler implements IUFStatusHandler {
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void handle(Priority p, String msg, Throwable t) {
|
public void handle(Priority p, String msg, Throwable t) {
|
||||||
handle(p, category, msg, t);
|
handle(p, category, msg, t);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void handle(Priority p, String category, String msg, Throwable t) {
|
public void handle(Priority p, String category, String msg, Throwable t) {
|
||||||
// msg has been null if someone does e.getLocalizedMessage()
|
// msg has been null if someone does e.getLocalizedMessage()
|
||||||
// and it is null which causes null pointer exception
|
// and it is null which causes null pointer exception
|
||||||
msg = String.valueOf(msg);
|
msg = String.valueOf(msg);
|
||||||
if (category != null) {
|
if (category != null) {
|
||||||
StringBuilder sb = new StringBuilder(msg.length() + 64);
|
StringBuilder sb = new StringBuilder(msg.length() + 64);
|
||||||
|
@ -249,21 +252,21 @@ public class EdexLogHandler implements IUFStatusHandler {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void debug(String category, String message) {
|
public void debug(String category, String message) {
|
||||||
if (this.clazzLogger.isDebugEnabled()) {
|
if (this.clazzLogger.isDebugEnabled()) {
|
||||||
handle(Priority.DEBUG, category, message);
|
handle(Priority.DEBUG, category, message);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void info(String message) {
|
public void info(String message) {
|
||||||
handle(Priority.INFO, message);
|
handle(Priority.INFO, message);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void info(String category, String message) {
|
public void info(String category, String message) {
|
||||||
handle(Priority.INFO, category, message);
|
handle(Priority.INFO, category, message);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void warn(String message) {
|
public void warn(String message) {
|
||||||
|
@ -271,38 +274,38 @@ public class EdexLogHandler implements IUFStatusHandler {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void warn(String category, String message) {
|
public void warn(String category, String message) {
|
||||||
handle(Priority.WARN, category, message);
|
handle(Priority.WARN, category, message);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void error(String message) {
|
public void error(String message) {
|
||||||
handle(Priority.ERROR, message);
|
handle(Priority.ERROR, message);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void error(String category, String message) {
|
public void error(String category, String message) {
|
||||||
handle(Priority.ERROR, category, message);
|
handle(Priority.ERROR, category, message);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void error(String message, Throwable throwable) {
|
public void error(String message, Throwable throwable) {
|
||||||
handle(Priority.ERROR, message, throwable);
|
handle(Priority.ERROR, message, throwable);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void error(String category, String message, Throwable throwable) {
|
public void error(String category, String message, Throwable throwable) {
|
||||||
handle(Priority.ERROR, category, message, throwable);
|
handle(Priority.ERROR, category, message, throwable);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void fatal(String message, Throwable throwable) {
|
public void fatal(String message, Throwable throwable) {
|
||||||
handle(Priority.FATAL, message, throwable);
|
handle(Priority.FATAL, message, throwable);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void fatal(String category, String message, Throwable throwable) {
|
public void fatal(String category, String message, Throwable throwable) {
|
||||||
handle(Priority.FATAL, category, message, throwable);
|
handle(Priority.FATAL, category, message, throwable);
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
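Review bot: The guard `msg = String.valueOf(msg);` added to `handle(Priority, String, String)` prevents the NPE in `new StringBuilder(msg.length() + 64)` but logs the literal text "null" for a missing message, matching what the Throwable overload already does; a placeholder such as `msg = (msg == null) ? "(no message)" : msg;` would keep a missing message distinguishable from one that literally says null. The two-line comment above it is copied verbatim from the Throwable overload and could be tightened to `// e.getLocalizedMessage() may be null; sizing the StringBuilder below would NPE`. `handle(UFStatus, String)` in the first hunk reads `status.getMessage()` into `statusMsg` with no such guard, so if it is used the same way past the hunk it presumably keeps the NPE. The remaining hunks in this file show no textual change and look like whitespace-only edits.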