From fc88141ee989e3c0f3395bd32e09cce9652e5773 Mon Sep 17 00:00:00 2001
From: Timm Fitschen <t.fitschen@indiscale.com>
Date: Mon, 20 Dec 2021 17:24:57 +0100
Subject: [PATCH] Throw AuthenticationExceptions instead of Messages in ACM Transactions

---
 src/main/java/org/caosdb/server/CaosDBServer.java | 10 ++++++++++
 .../caosdb/server/accessControl/ACMPermissions.java | 12 ------------
 .../org/caosdb/server/jobs/core/AccessControl.java | 4 ++++
 .../server/jobs/core/CheckStateTransition.java | 4 ++++
 .../server/scripting/ScriptingPermissions.java | 4 ++++
 .../org/caosdb/server/transaction/RetrieveACL.java | 3 ++-
 .../org/caosdb/server/transaction/UpdateACL.java | 8 +++++---
 7 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/src/main/java/org/caosdb/server/CaosDBServer.java b/src/main/java/org/caosdb/server/CaosDBServer.java
index b445749d..f238bdd7 100644
--- a/src/main/java/org/caosdb/server/CaosDBServer.java
+++ b/src/main/java/org/caosdb/server/CaosDBServer.java
@@ -60,6 +60,8 @@ import org.caosdb.server.entity.EntityInterface;
 import org.caosdb.server.entity.Role;
 import org.caosdb.server.entity.container.Container;
 import org.caosdb.server.grpc.GRPCServer;
+import org.caosdb.server.jobs.core.AccessControl;
+import org.caosdb.server.jobs.core.CheckStateTransition;
 import org.caosdb.server.logging.RequestErrorLogMessage;
 import org.caosdb.server.resource.AuthenticationResource;
 import org.caosdb.server.resource.DefaultResource;
@@ -81,6 +83,7 @@ import org.caosdb.server.resource.Webinterface;
 import org.caosdb.server.resource.WebinterfaceBuildNumber;
 import org.caosdb.server.resource.transaction.EntityNamesResource;
 import org.caosdb.server.resource.transaction.EntityResource;
+import org.caosdb.server.scripting.ScriptingPermissions;
 import org.caosdb.server.transaction.ChecksumUpdater;
 import org.caosdb.server.utils.FileUtils;
 import org.caosdb.server.utils.Initialization;
@@ -280,6 +283,13 @@ public class CaosDBServer extends Application {
 // init Shiro (user authentication/authorization and session management)
 final Ini config = getShiroConfig();
 initShiro(config);
+
+ // Init Permissions
+ logger.debug("Register permissions: ", ScriptingPermissions.PERMISSION_EXECUTION("*"));
+ logger.debug("Register permissions: ", CheckStateTransition.STATE_PERMISSIONS.toString());
+ logger.debug(
+ "Register permissions: ", CheckStateTransition.PERMISSION_STATE_FORCE_FINAL.toString());
+ logger.debug("Register permissions: ", AccessControl.TRANSACTION_PERMISSIONS.toString());
 }
 
 public static Ini getShiroConfig() {
diff --git a/src/main/java/org/caosdb/server/accessControl/ACMPermissions.java b/src/main/java/org/caosdb/server/accessControl/ACMPermissions.java
index 264af444..854fc07f 100644
--- a/src/main/java/org/caosdb/server/accessControl/ACMPermissions.java
+++ b/src/main/java/org/caosdb/server/accessControl/ACMPermissions.java
@@ -26,9 +26,6 @@ import java.util.HashSet;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Set;
-import org.caosdb.server.jobs.core.AccessControl;
-import org.caosdb.server.jobs.core.CheckStateTransition;
-import org.caosdb.server.scripting.ScriptingPermissions;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -264,15 +261,6 @@ public class ACMPermissions implements Comparable<ACMPermissions> {
 return assign_role.toString(role);
 }
 
- static {
- // trigger adding all permissions to ALL
- LOGGER.debug("Register permissions: ", ScriptingPermissions.PERMISSION_EXECUTION("*"));
- LOGGER.debug("Register permissions: ", CheckStateTransition.STATE_PERMISSIONS.toString());
- LOGGER.debug(
- "Register permissions: ", CheckStateTransition.PERMISSION_STATE_FORCE_FINAL.toString());
- LOGGER.debug("Register permissions: ", AccessControl.TRANSACTION_PERMISSIONS.toString());
- }
-
 @Override
 public int compareTo(ACMPermissions that) {
 return this.toString().compareToIgnoreCase(that.toString());
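Review bot: In the CaosDBServer.java hunk the four `logger.debug("Register permissions: ", …)` calls have no `{}` placeholder, so if `logger` is an SLF4J-style logger like the `LOGGER` removed from ACMPermissions, the argument is dropped and the debug log never shows which permissions were registered; the calls work only through the side effect of evaluating the argument. Write `logger.debug("Register permissions: {}", AccessControl.TRANSACTION_PERMISSIONS);` (likewise for the other three) and replace `// Init Permissions` with a comment that states the intent, e.g. `// touching these constants forces class initialization, which adds the permissions to ACMPermissions.ALL`, so nobody later deletes them as dead logging. Since registration no longer happens in ACMPermissions' static initializer, any code that lists or checks permissions before this method has run would presumably see an incomplete set, which is worth confirming for tests and other entry points. The enclosing method starts outside the hunk.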
diff --git a/src/main/java/org/caosdb/server/jobs/core/AccessControl.java b/src/main/java/org/caosdb/server/jobs/core/AccessControl.java
index dc596e50..724dd898 100644
--- a/src/main/java/org/caosdb/server/jobs/core/AccessControl.java
+++ b/src/main/java/org/caosdb/server/jobs/core/AccessControl.java
@@ -53,6 +53,10 @@ public class AccessControl extends ContainerJob {
 public final String toString(String transaction, String entityRole) {
 return "TRANSACTION:" + transaction + (entityRole != null ? (":" + entityRole) : "");
 }
+
+ public static String init() {
+ return TransactionPermission.class.getSimpleName();
+ }
 }
 
 public static final TransactionPermission TRANSACTION_PERMISSIONS =
diff --git a/src/main/java/org/caosdb/server/jobs/core/CheckStateTransition.java b/src/main/java/org/caosdb/server/jobs/core/CheckStateTransition.java
index fa21ed3a..a43face9 100644
--- a/src/main/java/org/caosdb/server/jobs/core/CheckStateTransition.java
+++ b/src/main/java/org/caosdb/server/jobs/core/CheckStateTransition.java
@@ -54,6 +54,10 @@ public class CheckStateTransition extends EntityStateJob {
 public final String toString(String state_model) {
 return toString().replace(STATE_MODEL_PARAMETER, state_model);
 }
+
+ public static String init() {
+ return StateModelPermission.class.getSimpleName();
+ }
 }
 
 public static final StateModelPermission PERMISSION_STATE_FORCE_FINAL =
diff --git a/src/main/java/org/caosdb/server/scripting/ScriptingPermissions.java b/src/main/java/org/caosdb/server/scripting/ScriptingPermissions.java
index ff596a79..0af49e9f 100644
--- a/src/main/java/org/caosdb/server/scripting/ScriptingPermissions.java
+++ b/src/main/java/org/caosdb/server/scripting/ScriptingPermissions.java
@@ -22,4 +22,8 @@ public class ScriptingPermissions extends ACMPermissions {
 public static final String PERMISSION_EXECUTION(final String call) {
 return execution.toString(call);
 }
+
+ public static String init() {
+ return ScriptingPermissions.class.getSimpleName();
+ }
 }
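Review bot: The new `init()` methods in AccessControl.TransactionPermission, CheckStateTransition.StateModelPermission and ScriptingPermissions have no Javadoc, return a class name that no caller needs, and are not called anywhere in this patch. If they are meant to force permission registration, note that calling a static method on the nested class initializes only that nested class; the constants `TRANSACTION_PERMISSIONS` and `PERMISSION_STATE_FORCE_FINAL` are declared on the outer classes after the nested class closes, so `init()` would presumably not create them. Either drop the methods or have them touch the constant, for example `return TRANSACTION_PERMISSIONS.toString();`, and document each with `/** Forces class initialization so that this permission is registered; called once at server start. */`. The enclosing classes start outside these hunks.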
diff --git a/src/main/java/org/caosdb/server/transaction/RetrieveACL.java b/src/main/java/org/caosdb/server/transaction/RetrieveACL.java
index c82ff76e..cd9c5c08 100644
--- a/src/main/java/org/caosdb/server/transaction/RetrieveACL.java
+++ b/src/main/java/org/caosdb/server/transaction/RetrieveACL.java
@@ -24,6 +24,7 @@ package org.caosdb.server.transaction;
 import com.google.protobuf.ProtocolStringList;
 import java.util.UUID;
 import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authz.AuthorizationException;
 import org.caosdb.server.database.backend.transaction.RetrieveEntityACLTransaction;
 import org.caosdb.server.entity.Entity;
 import org.caosdb.server.entity.EntityInterface;
@@ -71,7 +72,7 @@ public class RetrieveACL extends Transaction<TransactionContainer> {
 e.setEntityACL(acl);
 } else if (acl != null
 && acl.isPermitted(getTransactor(), EntityPermission.RETRIEVE_ENTITY)) {
- e.addError(org.caosdb.server.utils.ServerMessages.AUTHORIZATION_ERROR);
+ throw new AuthorizationException("You are not permitted to update this entity's ACL.");
 } else {
 e.addError(org.caosdb.server.utils.ServerMessages.ENTITY_DOES_NOT_EXIST);
 }
diff --git a/src/main/java/org/caosdb/server/transaction/UpdateACL.java b/src/main/java/org/caosdb/server/transaction/UpdateACL.java
index e0b0c5cf..84c73080 100644
--- a/src/main/java/org/caosdb/server/transaction/UpdateACL.java
+++ b/src/main/java/org/caosdb/server/transaction/UpdateACL.java
@@ -23,6 +23,7 @@ package org.caosdb.server.transaction;
 
 import static org.caosdb.server.query.Query.clearCache;
 
+import org.apache.shiro.authz.AuthorizationException;
 import org.caosdb.server.database.backend.transaction.RetrieveFullEntityTransaction;
 import org.caosdb.server.database.backend.transaction.UpdateEntityTransaction;
 import org.caosdb.server.entity.EntityInterface;
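Review bot: In the second RetrieveACL.java hunk the new exception text says "update", but this transaction only reads the ACL, so a client denied on a read is told it attempted a write; use `throw new AuthorizationException("You are not permitted to retrieve this entity's ACL.");`. The throw also turns a per-entity error message into an abort of the whole request, while the neighbouring `ENTITY_DOES_NOT_EXIST` branch still records a message and continues, which deserves a comment such as `// entity is visible to the user but its ACL is not: abort the whole transaction`. Whether the calling layer maps AuthorizationException to a permission-denied response rather than a generic server error is not visible here and should be covered by a test. The enclosing method starts and ends outside the hunk.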
@@ -88,8 +89,8 @@ public class UpdateACL extends Transaction<TransactionContainer>
 } else {
 if (!oldAcl.getPriorityEntityACL().equals(newAcl.getPriorityEntityACL())
 && !oldAcl.isPermitted(getTransactor(), EntityPermission.EDIT_PRIORITY_ACL)) {
- // the user is now permitted to update the prioriy acl.
- result.addError(org.caosdb.server.utils.ServerMessages.AUTHORIZATION_ERROR);
+ throw new AuthorizationException(
+ "You are not permitted to change prioritized permission rules of this entity.");
 }
 
 // we're good to go. set new entity acl
@@ -99,7 +100,8 @@ public class UpdateACL extends Transaction<TransactionContainer>
 } else if (oldAcl != null
 && oldAcl.isPermitted(getTransactor(), EntityPermission.RETRIEVE_ENTITY)) {
 // the user knows that this entity exists
- result.addError(org.caosdb.server.utils.ServerMessages.AUTHORIZATION_ERROR);
+ throw new AuthorizationException(
+ "You are not permitted to change permission rules of this entity.");
 } else {
 // we pretend this entity doesn't exist
 result.addError(org.caosdb.server.utils.ServerMessages.ENTITY_DOES_NOT_EXIST);
-- 
GitLab
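Review bot: The two `throw new AuthorizationException(…)` statements in UpdateACL.java abort the transaction at the first denied entity, but neither hunk shows whether ACLs of entities handled earlier in the same container have already been set or written by then. If this code runs once per entity, as the `result` variable suggests, confirm that nothing is persisted until every entity has passed these checks, and record that in a comment, e.g. `// abort before any ACL is applied; a denied entity must not leave earlier entities updated`. The first hunk also deletes the comment that explained the `EDIT_PRIORITY_ACL` branch without replacing it; keep a corrected version, `// the user is not permitted to update the priority ACL`. The enclosing method starts and ends outside both hunks.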