public List<Vo> getAllVos(PerunSession perunSession)
throws InternalErrorException, PrivilegeException {
Utils.notNull(perunSession, "sess");
if (!AuthzResolver.isAuthorized(perunSession, Role.VOADMIN)
&& !AuthzResolver.isAuthorized(perunSession, Role.GROUPADMIN)
&& !AuthzResolver.isAuthorized(perunSession, Role.FACILITYADMIN)) {
throw new PrivilegeException(perunSession, "getAllVos");
}
return vosManagerBl.getVos(perunSession);
}
public int deletePublicationById(PerunSession sess, Integer id) throws CabinetException {
Publication pub = findPublicationById(id);
if (pub == null) throw new CabinetException(ErrorCodes.PUBLICATION_NOT_EXISTS);
// To delete publication user must be either PERUNADMIN
// or user who created record (publication.createdBy==actor property)
try {
if (!AuthzResolver.isAuthorized(sess, Role.PERUNADMIN)
&& !pub.getCreatedBy().equalsIgnoreCase(sess.getPerunPrincipal().getActor())
&& !pub.getCreatedByUid().equals(sess.getPerunPrincipal().getUserId())) {
// not perun admin or author of record
throw new CabinetException(
"You are not allowed to delete publications you didn't created.",
ErrorCodes.NOT_AUTHORIZED);
}
} catch (PerunException pe) {
throw new CabinetException(ErrorCodes.PERUN_EXCEPTION, pe);
}
// delete action
try {
// delete authors
for (Authorship a : authorshipService.findAuthorshipsByPublicationId(id)) {
authorshipService.deleteAuthorshipById(sess, a.getId());
}
// delete thanks
for (Thanks t : thanksService.findThanksByPublicationId(id)) {
thanksService.deleteThanksById(sess, t.getId());
}
// delete publication
if (AuthzResolver.isAuthorized(sess, Role.PERUNADMIN)) {
// only perun admin can actually delete publication
return publicationDao.deletePublicationById(id);
} else {
return 1; // for others return as OK - perunadmin then deletes pubs manually
}
} catch (DataIntegrityViolationException ex) {
throw new CabinetException(
"Can't delete publication with authors or thanks. Please remove them first in order to delete publication.",
ErrorCodes.PUBLICATION_HAS_AUTHORS_OR_THANKS);
} catch (PerunException ex) {
throw new CabinetException(ErrorCodes.PERUN_EXCEPTION, ex);
}
}
public Vo getVoByShortName(PerunSession sess, String shortName)
throws VoNotExistsException, InternalErrorException, PrivilegeException {
Utils.notNull(shortName, "shortName");
Utils.notNull(sess, "sess");
Vo vo = vosManagerBl.getVoByShortName(sess, shortName);
// Authorization
// TODO Any groupAdmin can get anyVo
if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, vo)
&& !AuthzResolver.isAuthorized(sess, Role.GROUPADMIN)
&& !AuthzResolver.isAuthorized(sess, Role.SERVICE)) {
throw new PrivilegeException(sess, "getVoByShortName");
}
return vo;
}
/** All new members will be given role VOOBSERVER and TOPGROUPCREATOR */
@Override
public Application approveApplication(PerunSession session, Application app)
throws PerunException {
if (Application.AppType.INITIAL.equals(app.getType())) {
Vo vo = app.getVo();
User user = app.getUser();
AuthzResolver.setRole(session, user, vo, Role.TOPGROUPCREATOR);
Group membersGroup =
session.getPerun().getGroupsManager().getGroupByName(session, vo, "members");
AuthzResolver.setRole(session, user, membersGroup, Role.GROUPADMIN);
}
return app;
}
public List<User> getAdmins(PerunSession sess, Vo vo)
throws InternalErrorException, PrivilegeException, VoNotExistsException {
Utils.notNull(sess, "sess");
vosManagerBl.checkVoExists(sess, vo);
// Authorization - Vo admin required
if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, vo)) {
throw new PrivilegeException(sess, "getAdmins");
}
return vosManagerBl.getAdmins(sess, vo);
}
public List<Candidate> findCandidates(PerunSession sess, Vo vo, String searchString)
throws InternalErrorException, VoNotExistsException, PrivilegeException {
Utils.notNull(searchString, "searchString");
Utils.notNull(sess, "sess");
vosManagerBl.checkVoExists(sess, vo);
// Authorization - Vo admin required
if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, vo)) {
throw new PrivilegeException(sess, "findCandidates");
}
return vosManagerBl.findCandidates(sess, vo, searchString);
}
public void removeAdmin(PerunSession sess, Vo vo, User user)
throws InternalErrorException, PrivilegeException, VoNotExistsException,
UserNotAdminException, UserNotExistsException {
Utils.notNull(sess, "sess");
vosManagerBl.checkVoExists(sess, vo);
perunBl.getUsersManagerBl().checkUserExists(sess, user);
// Authorization - Vo admin required
if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, vo)) {
throw new PrivilegeException(sess, "deleteAdmin");
}
vosManagerBl.removeAdmin(sess, vo, user);
}
public void deleteVo(PerunSession sess, Vo vo)
throws VoNotExistsException, InternalErrorException, PrivilegeException,
RelationExistsException {
Utils.notNull(sess, "sess");
// Authorization - only Perun admin can delete the VO
if (!AuthzResolver.isAuthorized(sess, Role.PERUNADMIN)) {
throw new PrivilegeException(sess, "deleteVo");
}
vosManagerBl.checkVoExists(sess, vo);
vosManagerBl.deleteVo(sess, vo);
}
public List<Vo> getVos(PerunSession sess) throws InternalErrorException, PrivilegeException {
Utils.notNull(sess, "sess");
// Perun admin can see everything
if (AuthzResolver.isAuthorized(sess, Role.PERUNADMIN)) {
return vosManagerBl.getVos(sess);
} else {
if (sess.getPerunPrincipal().getRoles().hasRole(Role.VOADMIN)
|| sess.getPerunPrincipal().getRoles().hasRole(Role.GROUPADMIN)) {
Set<Vo> vos = new HashSet<Vo>();
// Get Vos where user is VO Admin
for (PerunBean vo :
AuthzResolver.getComplementaryObjectsForRole(sess, Role.VOADMIN, Vo.class)) {
vos.add((Vo) vo);
}
// Get Vos where user has an group admin right on some of the group
for (PerunBean group :
AuthzResolver.getComplementaryObjectsForRole(sess, Role.GROUPADMIN, Group.class)) {
try {
vos.add(vosManagerBl.getVoById(sess, ((Group) group).getVoId()));
} catch (VoNotExistsException e) {
throw new ConsistencyErrorException(
"User has group admin role for group from non-existent VO id:"
+ ((Group) group).getVoId(),
e);
}
}
return new ArrayList<Vo>(vos);
} else {
throw new PrivilegeException(sess, "getVos");
}
}
}
public List<RichUser> getRichAdminsWithAttributes(PerunSession sess, Vo vo)
throws InternalErrorException, PrivilegeException, VoNotExistsException,
UserNotExistsException {
Utils.notNull(sess, "sess");
vosManagerBl.checkVoExists(sess, vo);
// Authorization - Vo admin required
if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, vo)) {
throw new PrivilegeException(sess, "getRichAdminsWithAttributes");
}
return getPerunBl()
.getUsersManagerBl()
.filterOnlyAllowedAttributes(sess, vosManagerBl.getRichAdminsWithAttributes(sess, vo));
}
@Override
public void addAdmin(PerunSession sess, Vo vo, Group group)
throws InternalErrorException, PrivilegeException, AlreadyAdminException,
VoNotExistsException, GroupNotExistsException {
Utils.notNull(sess, "sess");
vosManagerBl.checkVoExists(sess, vo);
perunBl.getGroupsManagerBl().checkGroupExists(sess, group);
// Authorization - Vo admin required
if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, vo)) {
throw new PrivilegeException(sess, "addAdmin");
}
vosManagerBl.addAdmin(sess, vo, group);
}
public int lockPublications(PerunSession sess, boolean lock, List<Publication> pubs)
throws CabinetException {
// AUTHZ
try {
if (!AuthzResolver.isAuthorized(sess, Role.PERUNADMIN)) {
throw new CabinetException("lockPublications()", ErrorCodes.NOT_AUTHORIZED);
}
} catch (PerunException ex) {
throw new CabinetException(ErrorCodes.PERUN_EXCEPTION, ex);
}
// check input
if (pubs == null) {
throw new NullPointerException("Publications to lock/unlock can't be null");
}
// GO
return publicationDao.lockPublications(lock, pubs);
}
public Vo updateVo(PerunSession sess, Vo vo)
throws VoNotExistsException, InternalErrorException, PrivilegeException {
Utils.notNull(sess, "sess");
vosManagerBl.checkVoExists(sess, vo);
// Authorization - Vo admin required
if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, vo)) {
throw new PrivilegeException(sess, "updateVo");
}
if (vo.getName().length() > 128) {
throw new InternalErrorException("VO name is too long, >128 characters");
}
if (!vo.getShortName().matches("^[-_a-zA-z0-9.]{1,16}$")) {
throw new InternalErrorException(
"Wrong VO short name - must matches [-_a-zA-z0-9.]+ and not be longer than 16 characters.");
}
return vosManagerBl.updateVo(sess, vo);
}
@Override
public List<Identity> checkForSimilarUsers(PerunSession sess, int appId) throws PerunException {
String email = "";
String name = "";
List<RichUser> result = new ArrayList<RichUser>();
List<String> attrNames = new ArrayList<String>();
attrNames.add("urn:perun:user:attribute-def:def:preferredMail");
attrNames.add("urn:perun:user:attribute-def:def:organization");
Application app = registrarManager.getApplicationById(registrarSession, appId);
if (app.getGroup() == null) {
if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, app.getVo())) {
if (sess.getPerunPrincipal().getUser() != null) {
// check if application to find similar users by belongs to user
if (!sess.getPerunPrincipal().getUser().equals(app.getUser()))
throw new PrivilegeException("checkForSimilarUsers");
} else {
if (!sess.getPerunPrincipal().getExtSourceName().equals(app.getExtSourceName())
&& !sess.getPerunPrincipal().getActor().equals(app.getCreatedBy()))
throw new PrivilegeException("checkForSimilarUsers");
}
}
} else {
if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, app.getVo())
&& !AuthzResolver.isAuthorized(sess, Role.GROUPADMIN, app.getGroup())) {
if (sess.getPerunPrincipal().getUser() != null) {
// check if application to find similar users by belongs to user
if (!sess.getPerunPrincipal().getUser().equals(app.getUser()))
throw new PrivilegeException("checkForSimilarUsers");
} else {
if (!sess.getPerunPrincipal().getExtSourceName().equals(app.getExtSourceName())
&& !sess.getPerunPrincipal().getActor().equals(app.getCreatedBy()))
throw new PrivilegeException("checkForSimilarUsers");
}
}
}
// only for initial VO applications if user==null
if (app.getType().equals(Application.AppType.INITIAL)
&& app.getGroup() == null
&& app.getUser() == null) {
try {
User u =
perun
.getUsersManager()
.getUserByExtSourceNameAndExtLogin(
registrarSession, app.getExtSourceName(), app.getCreatedBy());
if (u != null) {
// user connected his identity after app creation and before it's approval.
// do not show error message in GUI by returning an empty array.
return convertToIdentities(result);
}
} catch (Exception ex) {
// we don't care, let's try to search by name
}
List<ApplicationFormItemData> data = registrarManager.getApplicationDataById(sess, appId);
// search by email, which should be unique (check is more precise)
for (ApplicationFormItemData item : data) {
if ("urn:perun:user:attribute-def:def:preferredMail"
.equals(item.getFormItem().getPerunDestinationAttribute())) {
email = item.getValue();
}
if (email != null && !email.isEmpty()) break;
}
List<RichUser> users =
(email != null && !email.isEmpty())
? perun
.getUsersManager()
.findRichUsersWithAttributesByExactMatch(registrarSession, email, attrNames)
: new ArrayList<RichUser>();
if (users != null && !users.isEmpty()) {
// found by preferredMail
return convertToIdentities(users);
}
// search by different mail
email = ""; // clear previous value
for (ApplicationFormItemData item : data) {
if ("urn:perun:member:attribute-def:def:mail"
.equals(item.getFormItem().getPerunDestinationAttribute())) {
email = item.getValue();
}
if (email != null && !email.isEmpty()) break;
}
users =
(email != null && !email.isEmpty())
? perun
.getUsersManager()
.findRichUsersWithAttributesByExactMatch(registrarSession, email, attrNames)
: new ArrayList<RichUser>();
if (users != null && !users.isEmpty()) {
// found by member mail
return convertToIdentities(users);
}
// continue to search by display name
for (ApplicationFormItemData item : data) {
if (RegistrarManagerImpl.URN_USER_DISPLAY_NAME.equals(
item.getFormItem().getPerunDestinationAttribute())) {
name = item.getValue();
// use parsed name to drop mistakes on IDP side
try {
if (name != null && !name.isEmpty()) {
Map<String, String> nameMap = Utils.parseCommonName(name);
// drop name titles to spread search
String newName = "";
if (nameMap.get("firstName") != null && !nameMap.get("firstName").isEmpty()) {
newName += nameMap.get("firstName") + " ";
}
if (nameMap.get("lastName") != null && !nameMap.get("lastName").isEmpty()) {
newName += nameMap.get("lastName");
}
// fill parsed name instead of input
if (newName != null && !newName.isEmpty()) {
name = newName;
}
}
} catch (Exception ex) {
log.error(
"[REGISTRAR] Unable to parse new user's display/common name when searching for similar users. Exception: {}",
ex);
}
if (name != null && !name.isEmpty()) break;
}
}
users =
(name != null && !name.isEmpty())
? perun
.getUsersManager()
.findRichUsersWithAttributesByExactMatch(registrarSession, name, attrNames)
: new ArrayList<RichUser>();
if (users != null && !users.isEmpty()) {
// found by member display name
return convertToIdentities(users);
}
// continue to search by last name
name = ""; // clear previous value
for (ApplicationFormItemData item : data) {
if (RegistrarManagerImpl.URN_USER_LAST_NAME.equals(
item.getFormItem().getPerunDestinationAttribute())) {
name = item.getValue();
if (name != null && !name.isEmpty()) break;
}
}
if (name != null && !name.isEmpty()) {
// what was found by name
return convertToIdentities(
perun
.getUsersManager()
.findRichUsersWithAttributesByExactMatch(registrarSession, name, attrNames));
} else {
// not found by name
return convertToIdentities(result);
}
} else {
// not found, since not proper type of application to check users for
return convertToIdentities(result);
}
}
