From 41106cb13c8fb6b8c5e659b4b66f460e49dc5479 Mon Sep 17 00:00:00 2001 From: Timm Fitschen <timm.fitschen@ds.mpg.de> Date: Tue, 26 Mar 2019 16:48:23 +0100 Subject: [PATCH] ENH: Anonymous User configurable permissions --- conf/core/global_entity_permissions.xml | 10 +++++ conf/core/server.conf | 2 + conf/server.conf.template | 44 ------------------- .../java/caosdb/server/ServerProperties.java | 2 + .../caosdb/server/permissions/EntityACL.java | 44 ++++++++++++++----- .../server/permissions/EntityACLTest.java | 10 +++++ 6 files changed, 58 insertions(+), 54 deletions(-) create mode 100644 conf/core/global_entity_permissions.xml delete mode 100644 conf/server.conf.template diff --git a/conf/core/global_entity_permissions.xml b/conf/core/global_entity_permissions.xml new file mode 100644 index 00000000..3cebb79b --- /dev/null +++ b/conf/core/global_entity_permissions.xml @@ -0,0 +1,10 @@ +<globalPermissions> + <Grant priority="false" role="?OWNER?"><Permission name="*"/></Grant> + <Grant priority="false" role="?OTHER?"><Permission name="RETRIEVE:*"/></Grant> + <Grant priority="false" role="?OTHER?"><Permission name="USE:*"/></Grant> + <Grant priority="false" role="anonymous"><Permission name="RETRIEVE:*"/></Grant> + <Grant priority="false" role="anonymous"><Permission name="USE:*"/></Grant> + <Deny priority="false" role="?OTHER?"><Permission name="UPDATE:*"/></Deny> + <Deny priority="false" role="?OTHER?"><Permission name="DELETE"/></Deny> + <Deny priority="true" role="?OTHER?"><Permission name="EDIT:ACL"/></Deny> +</globalPermissions> diff --git a/conf/core/server.conf b/conf/core/server.conf index 6ef583d3..78a7605b 100644 --- a/conf/core/server.conf +++ b/conf/core/server.conf @@ -60,3 +60,5 @@ SUDO_PASSWORD= QUERY_FILTER_ENTITIES_WITHOUT_RETRIEVE_PERMISSIONS=TRUE CHECK_ENTITY_ACL_ROLES_MODE=MUST + +GLOBAL_ENTITY_PERMISSIONS_FILE=./conf/core/global_entity_permissions.xml 
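Review bot: conf/core/global_entity_permissions.xml carries no comment saying what it controls, although it now defines the default permissions, including `RETRIEVE:*` and `USE:*` for the `anonymous` role. These are the same eight rules that were hard-coded in EntityACL.loadGlobalPermissions(), so the defaults do not change. An operator editing the file, however, gets no hint about the `?OWNER?`/`?OTHER?` placeholders or the meaning of the `priority` attribute. I would add a leading comment such as `<!-- Global entity permissions, read via GLOBAL_ENTITY_PERMISSIONS_FILE. Remove the two "anonymous" grants to stop granting RETRIEVE/USE to the anonymous role. -->` and a short line on what `priority="true"` does.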
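Review bot: `GLOBAL_ENTITY_PERMISSIONS_FILE=./conf/core/global_entity_permissions.xml` is a relative path, and loadGlobalPermissions() in EntityACL.java passes the value straight to `new File(...)`. Which file defines the global ACL therefore depends on the directory the server process is started from. A comment above the key would make that explicit, for example `# Path to the global entity ACL (XML). Relative paths are resolved against the server's working directory.` Since the file's content now decides the default permissions, it should be writable only by the account that administers the server.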
diff --git a/conf/server.conf.template b/conf/server.conf.template
deleted file mode 100644
index 44914348..00000000
--- a/conf/server.conf.template
+++ /dev/null
@@ -1,44 +0,0 @@
-#
-# ** header v3.0
-# This file is a part of the CaosDB Project.
-#
-# Copyright (C) 2018 Research Group Biomedical Physics,
-# Max-Planck-Institute for Dynamics and Self-Organization Göttingen
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program. If not, see <https://www.gnu.org/licenses/>.
-#
-# ** end header
-#
-
-# MySQL
-MYSQL_USER_NAME = {mysql-user-name}
-MYSQL_USER_PASSWORD = {mysql-user-password}
-MYSQL_DATABASE_NAME = {mysql-database_name}
-MYSQL_HOST = {mysql-host}
-
-# (HTTP will be redirected to HTTPS)
-SERVER_PORT_HTTP = {server-port-http}
-SERVER_PORT_HTTPS = {server-port-https}
-
-# about certificates needed for HTTPS auth
-CERTIFICATES_KEY_PASSWORD = {certificates-key-password}
-CERTIFICATES_KEY_STORE_PATH = {certificates-key-store-path}
-CERTIFICATES_KEY_STORE_PASSWORD = {certificates-key-store-password}
-
-# Location of the internal file storage
-FILE_SYSTEM_ROOT = {file-system-root}
-DROP_OFF_BOX = {drop-off-box}
-TMP_FILES = {tmp-files}
-
-SESSION_TIMEOUT_MS = 43200000
diff --git a/src/main/java/caosdb/server/ServerProperties.java b/src/main/java/caosdb/server/ServerProperties.java
index 6dc25483..3543d9c3 100644
--- a/src/main/java/caosdb/server/ServerProperties.java
+++ b/src/main/java/caosdb/server/ServerProperties.java @@ -126,6 +126,8 @@ public class ServerProperties extends Properties { public static final String KEY_CHECK_ENTITY_ACL_ROLES_MODE = "CHECK_ENTITY_ACL_ROLES_MODE"; + public static final String KEY_GLOBAL_ENTITY_PERMISSIONS_FILE = "GLOBAL_ENTITY_PERMISSIONS_FILE"; + /** * Read the config files and initialize the server properties. * diff --git a/src/main/java/caosdb/server/permissions/EntityACL.java b/src/main/java/caosdb/server/permissions/EntityACL.java index f2f89765..34ef3435 100644 --- a/src/main/java/caosdb/server/permissions/EntityACL.java +++ b/src/main/java/caosdb/server/permissions/EntityACL.java @@ -25,9 +25,13 @@ package caosdb.server.permissions; import static caosdb.server.permissions.Role.OTHER_ROLE; import static caosdb.server.permissions.Role.OWNER_ROLE; +import caosdb.server.CaosDBServer; +import caosdb.server.ServerProperties; import caosdb.server.accessControl.AuthenticationUtils; import caosdb.server.accessControl.Principal; import caosdb.server.database.exceptions.TransactionException; +import java.io.File; +import java.io.IOException; import java.util.ArrayList; import java.util.BitSet; import java.util.Collection; @@ -39,7 +43,10 @@ import java.util.Set; import org.apache.shiro.subject.Subject; import org.eclipse.jetty.util.ajax.JSON; import org.jdom2.DataConversionException; +import org.jdom2.Document; import org.jdom2.Element; +import org.jdom2.JDOMException; +import org.jdom2.input.SAXBuilder; public class EntityACL { 
@@ -57,16 +64,24 @@ public class EntityACL { } private static EntityACL loadGlobalPermissions() { - final EntityACLFactory f = new EntityACLFactory(); - f.grant(OWNER_ROLE, "*"); - f.grant(OTHER_ROLE, "RETRIEVE:*"); - f.grant(OTHER_ROLE, "USE:*"); - f.grant(Role.ANONYMOUS_ROLE, "RETRIEVE:*"); - f.grant(Role.ANONYMOUS_ROLE, "USE:*"); - f.deny(OTHER_ROLE, "UPDATE:*"); - f.deny(OTHER_ROLE, "DELETE"); - f.deny(OTHER_ROLE, true, "EDIT:ACL"); - return f.create(); + SAXBuilder saxBuilder = new SAXBuilder(); + File file = + new File( + CaosDBServer.getServerProperty(ServerProperties.KEY_GLOBAL_ENTITY_PERMISSIONS_FILE) + .trim()); + + try { + Document doc = saxBuilder.build(file); + Element root = doc.getRootElement(); + return parseFromElement(root); + } catch (JDOMException e) { + e.printStackTrace(); + System.exit(1); + } catch (IOException e) { + e.printStackTrace(); + System.exit(1); + } + return null; } public EntityACL(final EntityACI... aci) { @@ -262,6 +277,15 @@ public class EntityACL { return new EntityACL(priorityAcl); } + /** + * Example + * + * <p><globalPermission> <Grant priority="false" role="%OWNER%"><Permission name="*"/></Grant> + * </globalPermissions> + * + * @param e + * @return + */ public static final EntityACL parseFromElement(final Element e) { final EntityACLFactory factory = new EntityACLFactory(); diff --git a/src/test/java/caosdb/server/permissions/EntityACLTest.java b/src/test/java/caosdb/server/permissions/EntityACLTest.java index 6e99aa78..13ebb627 100644 --- a/src/test/java/caosdb/server/permissions/EntityACLTest.java +++ b/src/test/java/caosdb/server/permissions/EntityACLTest.java @@ -22,6 +22,9 @@ */ package caosdb.server.permissions; +import static org.junit.Assert.assertNotNull; + +import caosdb.server.CaosDBServer; import caosdb.server.resource.AbstractCaosDBServerResource; import caosdb.server.resource.AbstractCaosDBServerResource.XMLParser; import caosdb.server.utils.Utils; 
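Review bot: The `new SAXBuilder()` in loadGlobalPermissions() is used with its default configuration, which accepts a DOCTYPE and expands entities, so the ACL file is parsed more permissively than its simple Grant/Deny format needs. The file is operator-controlled, which makes this hardening rather than an exposed flaw, but refusing DOCTYPE costs two lines. Separately, `.trim()` is called directly on the result of `CaosDBServer.getServerProperty(...)`; if that returns null for an unset key (its body is not in this diff), the failure is a NullPointerException that does not name the missing setting. The two catch blocks are identical and print only a stack trace before `System.exit(1)`, so the log never names the file that could not be read; a multi-catch that prints the path would help whoever has to diagnose a server that refuses to start.
```java
  private static EntityACL loadGlobalPermissions() {
    final String path =
        CaosDBServer.getServerProperty(ServerProperties.KEY_GLOBAL_ENTITY_PERMISSIONS_FILE);
    if (path == null || path.trim().isEmpty()) {
      System.err.println(ServerProperties.KEY_GLOBAL_ENTITY_PERMISSIONS_FILE + " is not set.");
      System.exit(1);
    }
    final SAXBuilder saxBuilder = new SAXBuilder();
    // The permissions file needs no DTD: reject DOCTYPE so no external entity is ever resolved.
    saxBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    saxBuilder.setExpandEntities(false);
    final File file = new File(path.trim());
    // … unchanged: try { build, parseFromElement } …
    } catch (JDOMException | IOException e) {
      System.err.println("Cannot load global entity permissions from " + file);
      e.printStackTrace();
      System.exit(1);
    }
    // … unchanged: return null …
```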
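Review bot: The example in the new Javadoc on parseFromElement does not match the format this commit ships: it opens with `<globalPermission>` but closes with `</globalPermissions>`, and it writes the owner role as `%OWNER%` where conf/core/global_entity_permissions.xml uses `?OWNER?`. Anyone copying the example into an ACL file would end up with a role string different from the shipped one. The snippet should be corrected and wrapped so the markup survives Javadoc rendering, e.g. `<pre>{@code <Grant priority="false" role="?OWNER?"><Permission name="*"/></Grant>}</pre>`. The `@param e` and `@return` tags are empty; they should say that `e` is the element holding the Grant/Deny children and that the result is the ACL built from them. The method body lies outside the hunk, so how it treats unknown child elements or role names cannot be checked here.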
@@ -31,6 +34,7 @@ import java.util.LinkedList; import org.jdom2.Element; import org.jdom2.JDOMException; import org.junit.Assert; +import org.junit.BeforeClass; import org.junit.Test; public class EntityACLTest { @@ -43,6 +47,12 @@ public class EntityACLTest { return value; } + @BeforeClass + public static void init() throws IOException { + CaosDBServer.initServerProperties(); + assertNotNull(EntityACL.GLOBAL_PERMISSIONS); + } + @Test public void testConvert() { long l = Integer.MAX_VALUE; -- GitLab
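Review bot: `init()` only asserts that `EntityACL.GLOBAL_PERMISSIONS` is non-null, so nothing checks that the ACL read from the XML file carries the same rules as the hard-coded defaults this commit removes. A file that was edited wrongly or only partly parsed, for instance one missing the priority deny on `EDIT:ACL`, would still pass. I would add a test that builds the eight former rules through `EntityACLFactory` and compares the result with `GLOBAL_PERMISSIONS`, assuming EntityACL offers a usable comparison, which this diff does not show. Note also that the configured path is relative and that a missing file makes loadGlobalPermissions() call `System.exit(1)`. Running the tests from another working directory would therefore end the test JVM instead of reporting a failure.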