public List<Vo> getAllVos(PerunSession perunSession)
     throws InternalErrorException, PrivilegeException {
   Utils.notNull(perunSession, "sess");
   if (!AuthzResolver.isAuthorized(perunSession, Role.VOADMIN)
       && !AuthzResolver.isAuthorized(perunSession, Role.GROUPADMIN)
       && !AuthzResolver.isAuthorized(perunSession, Role.FACILITYADMIN)) {
     throw new PrivilegeException(perunSession, "getAllVos");
   }
   return vosManagerBl.getVos(perunSession);
 }
  public int deletePublicationById(PerunSession sess, Integer id) throws CabinetException {

    Publication pub = findPublicationById(id);
    if (pub == null) throw new CabinetException(ErrorCodes.PUBLICATION_NOT_EXISTS);

    // To delete publication user must be either PERUNADMIN
    // or user who created record (publication.createdBy==actor property)
    try {
      if (!AuthzResolver.isAuthorized(sess, Role.PERUNADMIN)
          && !pub.getCreatedBy().equalsIgnoreCase(sess.getPerunPrincipal().getActor())
          && !pub.getCreatedByUid().equals(sess.getPerunPrincipal().getUserId())) {
        // not perun admin or author of record
        throw new CabinetException(
            "You are not allowed to delete publications you didn't created.",
            ErrorCodes.NOT_AUTHORIZED);
      }
    } catch (PerunException pe) {
      throw new CabinetException(ErrorCodes.PERUN_EXCEPTION, pe);
    }

    // delete action
    try {

      // delete authors
      for (Authorship a : authorshipService.findAuthorshipsByPublicationId(id)) {
        authorshipService.deleteAuthorshipById(sess, a.getId());
      }
      // delete thanks
      for (Thanks t : thanksService.findThanksByPublicationId(id)) {
        thanksService.deleteThanksById(sess, t.getId());
      }

      // delete publication
      if (AuthzResolver.isAuthorized(sess, Role.PERUNADMIN)) {

        // only perun admin can actually delete publication
        return publicationDao.deletePublicationById(id);

      } else {

        return 1; // for others return as OK - perunadmin then deletes pubs manually
      }

    } catch (DataIntegrityViolationException ex) {
      throw new CabinetException(
          "Can't delete publication with authors or thanks. Please remove them first in order to delete publication.",
          ErrorCodes.PUBLICATION_HAS_AUTHORS_OR_THANKS);
    } catch (PerunException ex) {
      throw new CabinetException(ErrorCodes.PERUN_EXCEPTION, ex);
    }
  }
  public Vo getVoByShortName(PerunSession sess, String shortName)
      throws VoNotExistsException, InternalErrorException, PrivilegeException {
    Utils.notNull(shortName, "shortName");
    Utils.notNull(sess, "sess");
    Vo vo = vosManagerBl.getVoByShortName(sess, shortName);

    // Authorization
    // TODO Any groupAdmin can get anyVo
    if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, vo)
        && !AuthzResolver.isAuthorized(sess, Role.GROUPADMIN)
        && !AuthzResolver.isAuthorized(sess, Role.SERVICE)) {
      throw new PrivilegeException(sess, "getVoByShortName");
    }

    return vo;
  }
Exemple #4
0
  /** All new members will be given role VOOBSERVER and TOPGROUPCREATOR */
  @Override
  public Application approveApplication(PerunSession session, Application app)
      throws PerunException {

    if (Application.AppType.INITIAL.equals(app.getType())) {

      Vo vo = app.getVo();
      User user = app.getUser();

      AuthzResolver.setRole(session, user, vo, Role.TOPGROUPCREATOR);

      Group membersGroup =
          session.getPerun().getGroupsManager().getGroupByName(session, vo, "members");
      AuthzResolver.setRole(session, user, membersGroup, Role.GROUPADMIN);
    }

    return app;
  }
  public List<User> getAdmins(PerunSession sess, Vo vo)
      throws InternalErrorException, PrivilegeException, VoNotExistsException {
    Utils.notNull(sess, "sess");
    vosManagerBl.checkVoExists(sess, vo);

    //  Authorization - Vo admin required
    if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, vo)) {
      throw new PrivilegeException(sess, "getAdmins");
    }

    return vosManagerBl.getAdmins(sess, vo);
  }
  public List<Candidate> findCandidates(PerunSession sess, Vo vo, String searchString)
      throws InternalErrorException, VoNotExistsException, PrivilegeException {
    Utils.notNull(searchString, "searchString");
    Utils.notNull(sess, "sess");
    vosManagerBl.checkVoExists(sess, vo);

    // Authorization - Vo admin required
    if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, vo)) {
      throw new PrivilegeException(sess, "findCandidates");
    }

    return vosManagerBl.findCandidates(sess, vo, searchString);
  }
  public void removeAdmin(PerunSession sess, Vo vo, User user)
      throws InternalErrorException, PrivilegeException, VoNotExistsException,
          UserNotAdminException, UserNotExistsException {
    Utils.notNull(sess, "sess");
    vosManagerBl.checkVoExists(sess, vo);
    perunBl.getUsersManagerBl().checkUserExists(sess, user);

    // Authorization - Vo admin required
    if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, vo)) {
      throw new PrivilegeException(sess, "deleteAdmin");
    }

    vosManagerBl.removeAdmin(sess, vo, user);
  }
  public void deleteVo(PerunSession sess, Vo vo)
      throws VoNotExistsException, InternalErrorException, PrivilegeException,
          RelationExistsException {
    Utils.notNull(sess, "sess");

    // Authorization - only Perun admin can delete the VO
    if (!AuthzResolver.isAuthorized(sess, Role.PERUNADMIN)) {
      throw new PrivilegeException(sess, "deleteVo");
    }

    vosManagerBl.checkVoExists(sess, vo);

    vosManagerBl.deleteVo(sess, vo);
  }
  public List<Vo> getVos(PerunSession sess) throws InternalErrorException, PrivilegeException {
    Utils.notNull(sess, "sess");

    // Perun admin can see everything
    if (AuthzResolver.isAuthorized(sess, Role.PERUNADMIN)) {
      return vosManagerBl.getVos(sess);
    } else {
      if (sess.getPerunPrincipal().getRoles().hasRole(Role.VOADMIN)
          || sess.getPerunPrincipal().getRoles().hasRole(Role.GROUPADMIN)) {

        Set<Vo> vos = new HashSet<Vo>();

        // Get Vos where user is VO Admin
        for (PerunBean vo :
            AuthzResolver.getComplementaryObjectsForRole(sess, Role.VOADMIN, Vo.class)) {
          vos.add((Vo) vo);
        }

        // Get Vos where user has an group admin right on some of the group
        for (PerunBean group :
            AuthzResolver.getComplementaryObjectsForRole(sess, Role.GROUPADMIN, Group.class)) {
          try {
            vos.add(vosManagerBl.getVoById(sess, ((Group) group).getVoId()));
          } catch (VoNotExistsException e) {
            throw new ConsistencyErrorException(
                "User has group admin role for group from non-existent VO id:"
                    + ((Group) group).getVoId(),
                e);
          }
        }

        return new ArrayList<Vo>(vos);
      } else {
        throw new PrivilegeException(sess, "getVos");
      }
    }
  }
  public List<RichUser> getRichAdminsWithAttributes(PerunSession sess, Vo vo)
      throws InternalErrorException, PrivilegeException, VoNotExistsException,
          UserNotExistsException {
    Utils.notNull(sess, "sess");
    vosManagerBl.checkVoExists(sess, vo);

    //  Authorization - Vo admin required
    if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, vo)) {
      throw new PrivilegeException(sess, "getRichAdminsWithAttributes");
    }

    return getPerunBl()
        .getUsersManagerBl()
        .filterOnlyAllowedAttributes(sess, vosManagerBl.getRichAdminsWithAttributes(sess, vo));
  }
  @Override
  public void addAdmin(PerunSession sess, Vo vo, Group group)
      throws InternalErrorException, PrivilegeException, AlreadyAdminException,
          VoNotExistsException, GroupNotExistsException {
    Utils.notNull(sess, "sess");
    vosManagerBl.checkVoExists(sess, vo);
    perunBl.getGroupsManagerBl().checkGroupExists(sess, group);

    // Authorization - Vo admin required
    if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, vo)) {
      throw new PrivilegeException(sess, "addAdmin");
    }

    vosManagerBl.addAdmin(sess, vo, group);
  }
  public int lockPublications(PerunSession sess, boolean lock, List<Publication> pubs)
      throws CabinetException {

    // AUTHZ
    try {
      if (!AuthzResolver.isAuthorized(sess, Role.PERUNADMIN)) {
        throw new CabinetException("lockPublications()", ErrorCodes.NOT_AUTHORIZED);
      }
    } catch (PerunException ex) {
      throw new CabinetException(ErrorCodes.PERUN_EXCEPTION, ex);
    }
    // check input
    if (pubs == null) {
      throw new NullPointerException("Publications to lock/unlock can't be null");
    }

    // GO
    return publicationDao.lockPublications(lock, pubs);
  }
  public Vo updateVo(PerunSession sess, Vo vo)
      throws VoNotExistsException, InternalErrorException, PrivilegeException {
    Utils.notNull(sess, "sess");
    vosManagerBl.checkVoExists(sess, vo);

    // Authorization - Vo admin required
    if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, vo)) {
      throw new PrivilegeException(sess, "updateVo");
    }

    if (vo.getName().length() > 128) {
      throw new InternalErrorException("VO name is too long, >128 characters");
    }

    if (!vo.getShortName().matches("^[-_a-zA-z0-9.]{1,16}$")) {
      throw new InternalErrorException(
          "Wrong VO short name - must matches [-_a-zA-z0-9.]+ and not be longer than 16 characters.");
    }

    return vosManagerBl.updateVo(sess, vo);
  }
  @Override
  public List<Identity> checkForSimilarUsers(PerunSession sess, int appId) throws PerunException {

    String email = "";
    String name = "";
    List<RichUser> result = new ArrayList<RichUser>();

    List<String> attrNames = new ArrayList<String>();
    attrNames.add("urn:perun:user:attribute-def:def:preferredMail");
    attrNames.add("urn:perun:user:attribute-def:def:organization");

    Application app = registrarManager.getApplicationById(registrarSession, appId);

    if (app.getGroup() == null) {
      if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, app.getVo())) {
        if (sess.getPerunPrincipal().getUser() != null) {
          // check if application to find similar users by belongs to user
          if (!sess.getPerunPrincipal().getUser().equals(app.getUser()))
            throw new PrivilegeException("checkForSimilarUsers");
        } else {
          if (!sess.getPerunPrincipal().getExtSourceName().equals(app.getExtSourceName())
              && !sess.getPerunPrincipal().getActor().equals(app.getCreatedBy()))
            throw new PrivilegeException("checkForSimilarUsers");
        }
      }
    } else {
      if (!AuthzResolver.isAuthorized(sess, Role.VOADMIN, app.getVo())
          && !AuthzResolver.isAuthorized(sess, Role.GROUPADMIN, app.getGroup())) {
        if (sess.getPerunPrincipal().getUser() != null) {
          // check if application to find similar users by belongs to user
          if (!sess.getPerunPrincipal().getUser().equals(app.getUser()))
            throw new PrivilegeException("checkForSimilarUsers");
        } else {
          if (!sess.getPerunPrincipal().getExtSourceName().equals(app.getExtSourceName())
              && !sess.getPerunPrincipal().getActor().equals(app.getCreatedBy()))
            throw new PrivilegeException("checkForSimilarUsers");
        }
      }
    }

    // only for initial VO applications if user==null
    if (app.getType().equals(Application.AppType.INITIAL)
        && app.getGroup() == null
        && app.getUser() == null) {

      try {
        User u =
            perun
                .getUsersManager()
                .getUserByExtSourceNameAndExtLogin(
                    registrarSession, app.getExtSourceName(), app.getCreatedBy());
        if (u != null) {
          // user connected his identity after app creation and before it's approval.
          // do not show error message in GUI by returning an empty array.
          return convertToIdentities(result);
        }
      } catch (Exception ex) {
        // we don't care, let's try to search by name
      }

      List<ApplicationFormItemData> data = registrarManager.getApplicationDataById(sess, appId);

      // search by email, which should be unique (check is more precise)
      for (ApplicationFormItemData item : data) {
        if ("urn:perun:user:attribute-def:def:preferredMail"
            .equals(item.getFormItem().getPerunDestinationAttribute())) {
          email = item.getValue();
        }
        if (email != null && !email.isEmpty()) break;
      }

      List<RichUser> users =
          (email != null && !email.isEmpty())
              ? perun
                  .getUsersManager()
                  .findRichUsersWithAttributesByExactMatch(registrarSession, email, attrNames)
              : new ArrayList<RichUser>();

      if (users != null && !users.isEmpty()) {
        // found by preferredMail
        return convertToIdentities(users);
      }

      // search by different mail

      email = ""; // clear previous value
      for (ApplicationFormItemData item : data) {
        if ("urn:perun:member:attribute-def:def:mail"
            .equals(item.getFormItem().getPerunDestinationAttribute())) {
          email = item.getValue();
        }
        if (email != null && !email.isEmpty()) break;
      }

      users =
          (email != null && !email.isEmpty())
              ? perun
                  .getUsersManager()
                  .findRichUsersWithAttributesByExactMatch(registrarSession, email, attrNames)
              : new ArrayList<RichUser>();
      if (users != null && !users.isEmpty()) {
        // found by member mail
        return convertToIdentities(users);
      }

      // continue to search by display name

      for (ApplicationFormItemData item : data) {
        if (RegistrarManagerImpl.URN_USER_DISPLAY_NAME.equals(
            item.getFormItem().getPerunDestinationAttribute())) {
          name = item.getValue();
          // use parsed name to drop mistakes on IDP side
          try {
            if (name != null && !name.isEmpty()) {
              Map<String, String> nameMap = Utils.parseCommonName(name);
              // drop name titles to spread search
              String newName = "";
              if (nameMap.get("firstName") != null && !nameMap.get("firstName").isEmpty()) {
                newName += nameMap.get("firstName") + " ";
              }
              if (nameMap.get("lastName") != null && !nameMap.get("lastName").isEmpty()) {
                newName += nameMap.get("lastName");
              }
              // fill parsed name instead of input
              if (newName != null && !newName.isEmpty()) {
                name = newName;
              }
            }
          } catch (Exception ex) {
            log.error(
                "[REGISTRAR] Unable to parse new user's display/common name when searching for similar users. Exception: {}",
                ex);
          }
          if (name != null && !name.isEmpty()) break;
        }
      }

      users =
          (name != null && !name.isEmpty())
              ? perun
                  .getUsersManager()
                  .findRichUsersWithAttributesByExactMatch(registrarSession, name, attrNames)
              : new ArrayList<RichUser>();
      if (users != null && !users.isEmpty()) {
        // found by member display name
        return convertToIdentities(users);
      }

      // continue to search by last name

      name = ""; // clear previous value
      for (ApplicationFormItemData item : data) {
        if (RegistrarManagerImpl.URN_USER_LAST_NAME.equals(
            item.getFormItem().getPerunDestinationAttribute())) {
          name = item.getValue();
          if (name != null && !name.isEmpty()) break;
        }
      }

      if (name != null && !name.isEmpty()) {
        // what was found by name
        return convertToIdentities(
            perun
                .getUsersManager()
                .findRichUsersWithAttributesByExactMatch(registrarSession, name, attrNames));
      } else {
        // not found by name
        return convertToIdentities(result);
      }

    } else {
      // not found, since not proper type of application to check users for
      return convertToIdentities(result);
    }
  }