From 24027394468c1fbc7927a69df059921bece347de Mon Sep 17 00:00:00 2001
From: Timm Fitschen <t.fitschen@indiscale.com>
Date: Mon, 14 Dec 2020 23:11:46 +0100
Subject: [PATCH] WIP

---
 .../server/permissions/CaosPermission.java    |  5 +++-
 .../server/permissions/PermissionRule.java    | 28 +++++++++++--------
 .../resource/TestScriptingResource.java       |  5 +---
 3 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/src/main/java/org/caosdb/server/permissions/CaosPermission.java b/src/main/java/org/caosdb/server/permissions/CaosPermission.java
index 1b793bb2..bfbb7eb2 100644
--- a/src/main/java/org/caosdb/server/permissions/CaosPermission.java
+++ b/src/main/java/org/caosdb/server/permissions/CaosPermission.java
@@ -24,7 +24,9 @@ package org.caosdb.server.permissions;
 
 import java.util.HashSet;
 import java.util.Map;
+import org.apache.shiro.SecurityUtils;
 import org.apache.shiro.authz.Permission;
+import org.apache.shiro.subject.Subject;
 import org.eclipse.jetty.util.ajax.JSON;
 
 public class CaosPermission extends HashSet<PermissionRule> implements Permission {
@@ -52,9 +54,10 @@ public class CaosPermission extends HashSet<PermissionRule> implements Permissio
     boolean grant = false;
     boolean deny = false;
     boolean grant_priority = false;
+    Subject subject = SecurityUtils.getSubject();
 
     for (final PermissionRule r : this) {
-      if (r.getPermission().implies(p)) {
+      if (r.getPermission(subject).implies(p)) {
         if (r.isGrant()) {
           if (r.isPriority()) {
             grant_priority = true;
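Review bot: `SecurityUtils.getSubject()` at line 30 ties the permission check to whatever Subject is bound to the current thread, so `implies` now depends on ambient context rather than on its arguments; when no Subject or SecurityManager is bound (background jobs, unit tests) Shiro will, as far as I can tell, throw rather than return a Subject, and an anonymous Subject would then fail in `PermissionRule.getPermission(Subject)`. The subject is also looked up on every `implies` call and each rule rebuilds its `WildcardPermission` inside the loop at line 34, so consider hoisting the principal's realm and username once, e.g. `Principal principal = (Principal) subject.getPrincipal();` before the loop and `r.getPermission(principal.getRealm(), principal.getUsername())` in it, or taking the Subject as a parameter so callers control it. The enclosing method starts and ends outside the hunk.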
diff --git a/src/main/java/org/caosdb/server/permissions/PermissionRule.java b/src/main/java/org/caosdb/server/permissions/PermissionRule.java
index b6ee9151..85d3b628 100644
--- a/src/main/java/org/caosdb/server/permissions/PermissionRule.java
+++ b/src/main/java/org/caosdb/server/permissions/PermissionRule.java
@@ -26,23 +26,21 @@ import java.util.HashMap;
 import java.util.Map;
 import org.apache.shiro.authz.Permission;
 import org.apache.shiro.authz.permission.WildcardPermission;
+import org.apache.shiro.subject.Subject;
+import org.caosdb.server.accessControl.Principal;
 import org.jdom2.Element;
 
 public class PermissionRule {
 
-  private final WildcardPermission permission;
+  private final String permission;
   private final boolean priority;
   private final boolean grant;
 
   public PermissionRule(final String grant, final String priority, final String permission) {
-    this(
-        Boolean.parseBoolean(grant),
-        Boolean.parseBoolean(priority),
-        new WildcardPermission(permission));
+    this(Boolean.parseBoolean(grant), Boolean.parseBoolean(priority), permission);
   }
 
-  public PermissionRule(
-      final boolean grant, final boolean priority, final WildcardPermission permission) {
+  public PermissionRule(final boolean grant, final boolean priority, final String permission) {
     this.grant = grant;
     this.priority = priority;
     this.permission = permission;
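Review bot: The `permission` field at line 53 now stores a template string rather than a compiled permission, but nothing documents that it may contain placeholders that are substituted per subject; add `/** Permission pattern; the tokens ?REALM? and ?USERNAME? are replaced with the subject's realm and username in getPermission(Subject). */` on the field. The constructor at line 67 also stores the string as-is, so a null pattern only fails later in `getPermission`; `this.permission = Objects.requireNonNull(permission, "permission");` would surface it at construction time (java.util.Objects is not imported in the visible part of the file). The constructor body continues outside the hunk.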
@@ -56,8 +54,9 @@ public class PermissionRule {
     return this.priority;
   }
 
-  public Permission getPermission() {
-    return this.permission;
+  public Permission getPermission(String realm, String username) {
+    return new WildcardPermission(
+        permission.replaceAll("\\?REALM\\?", realm).replaceAll("\\?USERNAME\\?", username));
   }
 
   public static PermissionRule parse(final Map<String, String> rule) {
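Review bot: `replaceAll` at line 79 interprets `realm` and `username` as regex replacement strings, so a value containing `$` or `\` is either mis-substituted or throws `IllegalArgumentException`; both the pattern and the replacement are literal here, so use `return new WildcardPermission(permission.replace("?REALM?", realm).replace("?USERNAME?", username));` (or wrap each value with `Matcher.quoteReplacement`). Because the result is parsed as a `WildcardPermission`, a realm or username containing `*`, `:` or `,` changes the structure of the resulting permission rather than being matched literally, so the substituted values should be validated against those tokens (or rejected) before substitution, and both parameters should be null-checked so the method fails with a clear message. A short Javadoc on the method stating which placeholders are substituted, and that the return value is rebuilt on every call, would also help callers.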
@@ -69,7 +68,7 @@ public class PermissionRule {
     if (isPriority()) {
       ret.setAttribute("priority", Boolean.toString(true));
     }
-    ret.setAttribute("permission", getPermission().toString());
+    ret.setAttribute("permission", permission);
     return ret;
   }
 
@@ -77,14 +76,19 @@ public class PermissionRule {
     return new PermissionRule(
         e.getName().equalsIgnoreCase("Grant"),
         e.getAttribute("priority") != null && Boolean.parseBoolean(e.getAttributeValue("priority")),
-        new WildcardPermission(e.getAttributeValue("permission")));
+        e.getAttributeValue("permission"));
   }
 
   public Map<String, String> getMap() {
     final HashMap<String, String> ret = new HashMap<String, String>();
     ret.put("priority", Boolean.toString(isPriority()));
     ret.put("grant", Boolean.toString(isGrant()));
-    ret.put("permission", getPermission().toString());
+    ret.put("permission", permission);
     return ret;
   }
+
+  public Permission getPermission(Subject subject) {
+    Principal principal = (Principal) subject.getPrincipal();
+    return getPermission(principal.getRealm(), principal.getUsername());
+  }
 }
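Review bot: `(Principal) subject.getPrincipal()` at line 110 assumes an authenticated subject carrying a CaosDB `Principal`; for a subject without a principal the call returns null and line 111 throws `NullPointerException`, and any other principal type throws `ClassCastException`, neither of which reads as an authorization failure. Guard it explicitly so the path fails closed with a meaningful message: `final Object p = subject.getPrincipal(); if (!(p instanceof Principal)) { throw new IllegalStateException("subject has no CaosDB principal"); }` and then cast `p`. As a point of style, the new overload is appended after `getMap()` while `getPermission(String, String)` sits further up the class; placing the two overloads together would make the substitution contract easier to find.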
diff --git a/src/test/java/org/caosdb/server/resource/TestScriptingResource.java b/src/test/java/org/caosdb/server/resource/TestScriptingResource.java
index 845f589a..7f743452 100644
--- a/src/test/java/org/caosdb/server/resource/TestScriptingResource.java
+++ b/src/test/java/org/caosdb/server/resource/TestScriptingResource.java
@@ -29,7 +29,6 @@ import java.util.Date;
 import java.util.HashSet;
 import java.util.List;
 import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.authz.permission.WildcardPermission;
 import org.apache.shiro.subject.Subject;
 import org.caosdb.server.CaosDBServer;
 import org.caosdb.server.accessControl.AnonymousAuthenticationToken;
@@ -95,9 +94,7 @@ public class TestScriptingResource {
       HashSet<PermissionRule> result = new HashSet<>();
       result.add(
           new PermissionRule(
-              true,
-              false,
-              new WildcardPermission(ScriptingPermissions.PERMISSION_EXECUTION("anonymous_ok"))));
+              true, false, ScriptingPermissions.PERMISSION_EXECUTION("anonymous_ok")));
       return result;
     }
 
-- 
GitLab