/**
* Establishes the user associated with the operation.
*
* @param context the assertion operation context
* @throws NotAuthorizedException if authentication was required
* @throws AsnInsufficientPrivilegeException if the user has insufficient privilege
* @throws AsnUnestablishedUserException if the user could not be established
*/
public void establishUser(AsnContext context)
throws NotAuthorizedException, AsnUnestablishedUserException {
// initialize
this.setWasUserEstablished(false);
AsnOperation operation = context.getOperation();
User user = context.getRequestContext().getUser();
// establish the user part of the operation
if (operation.getUserPart() == null) {
operation.setUserPart(new AsnUserPart());
}
operation.getUserPart().setIPAddress(context.getRequestOptions().getIPAddress());
AsnAuthPolicy authPolicy = operation.getAuthPolicy();
if (authPolicy.getAuthenticationRequired()) {
if ((user == null) || !user.getAuthenticationStatus().getWasAuthenticated()) {
throw new NotAuthorizedException("Not authorized.");
}
}
if ((user == null) || !user.getAuthenticationStatus().getWasAuthenticated()) {
operation.getUserPart().setName(AsnConstants.ANONYMOUS_USERNAME);
this.setWasUserEstablished(true);
} else {
String key = Val.chkStr(user.getKey());
if (key.length() > 0) {
operation.getUserPart().setKey(key);
if (user.getLocalID() >= 0) {
operation.getUserPart().setID("" + user.getLocalID());
String name = Val.chkStr(user.getName());
if (name.length() > 0) {
operation.getUserPart().setName(name);
this.setWasUserEstablished(true);
}
}
}
}
if (!this.getWasUserEstablished()) {
throw new AsnUnestablishedUserException();
}
// check the admin database for a disabled user:ipaddress or user:key
// check the admin index for moderation privileges
}
/**
* Constructs a administrator based upon the user associated with the current request context.
*
* @param context the current request context (contains the active user)
* @throws NotAuthorizedException if the user does not have publishing rights
*/
protected void checkRole(RequestContext context) throws NotAuthorizedException {
// initialize
User user = context.getUser();
user.setKey(user.getKey());
user.setLocalID(user.getLocalID());
user.setDistinguishedName(user.getDistinguishedName());
user.setName(user.getName());
// establish credentials
UsernamePasswordCredentials creds = new UsernamePasswordCredentials();
creds.setUsername(user.getName());
user.setCredentials(creds);
user.setAuthenticationStatus(user.getAuthenticationStatus());
assertAdministratorRole(user);
}
/**
* Gets the status indicating whether this publisher is an administrator.
*
* @return true if this publisher is an administrator
*/
private boolean getIsAdministrator(User user) {
RoleSet roles = user.getAuthenticationStatus().getAuthenticatedRoles();
return roles.hasRole("gptAdministrator");
}
/**
* Asserts the administrator role.
*
* @throws NotAuthorizedException if the administrator role has not been granted
*/
private void assertAdministratorRole(User user) throws NotAuthorizedException {
RoleSet roles = user.getAuthenticationStatus().getAuthenticatedRoles();
roles.assertRole("gptAdministrator");
}
/**
* Authorizes a create, update, delete or query based operation.
*
* @param context the assertion operation context
* @param assertion the active assertion
* @param action the action
* @throws NotAuthorizedException if authentication was required
* @throws AsnInsufficientPrivilegeException if the user has insufficient privilege
*/
private void authorizeAction(AsnContext context, Assertion assertion, String action)
throws NotAuthorizedException, AsnInsufficientPrivilegeException {
// ensure an authorization policy
AsnOperation operation = context.getOperation();
if (operation.getAuthPolicy() == null) {
String msg = "An authorization policy was not configured.";
throw new ConfigurationException(msg);
}
// check the user, ensure an authenticated user if required
User user = context.getRequestContext().getUser();
boolean userWasAuthenticated = false;
if ((user != null) && user.getAuthenticationStatus().getWasAuthenticated()) {
userWasAuthenticated = true;
}
if (operation.getAuthPolicy().getAuthenticationRequired() && !userWasAuthenticated) {
throw new NotAuthorizedException("Not authorized.");
}
// determine the principals
AsnPrincipals principals = null;
boolean isWrite = false;
if (action.equals(AsnAuthorizer.ACTION_CREATE)) {
isWrite = true;
principals = operation.getAuthPolicy().getCreatePrincipals();
if (principals == null) {
String msg = "Create principals were not configured.";
throw new ConfigurationException(msg);
}
} else if (action.equals(AsnAuthorizer.ACTION_DELETE)) {
isWrite = true;
principals = operation.getAuthPolicy().getDeletePrincipals();
if (principals == null) {
String msg = "Delete principals were not configured.";
throw new ConfigurationException(msg);
}
} else if (action.equals(AsnAuthorizer.ACTION_ENABLE)
|| action.equals(AsnAuthorizer.ACTION_DISABLE)) {
isWrite = true;
principals = operation.getAuthPolicy().getEnableDisablePrincipals();
if (principals == null) {
String msg = "Enable/Disable principals were not configured.";
throw new ConfigurationException(msg);
}
} else if (action.equals(AsnAuthorizer.ACTION_QUERY)) {
principals = operation.getAuthPolicy().getQueryPrincipals();
if (principals == null) {
String msg = "Query principals were not configured.";
throw new ConfigurationException(msg);
}
} else if (action.equals(AsnAuthorizer.ACTION_UPDATE)) {
isWrite = true;
principals = operation.getAuthPolicy().getQueryPrincipals();
if (principals == null) {
String msg = "Query principals were not configured.";
throw new ConfigurationException(msg);
}
}
// hard check to ensure an authenticated user for any modifications
// (regardless of configuration)
if (isWrite && !userWasAuthenticated) {
throw new AsnInsufficientPrivilegeException();
}
// check "any user" user privilege
if (principals.contains(AsnConstants.PRINCIPAL_ANY)) {
return;
}
// check administrator privilege
if (userWasAuthenticated) {
if (principals.contains(AsnConstants.PRINCIPAL_ADMINISTRATOR)) {
RoleSet roles = user.getAuthenticationStatus().getAuthenticatedRoles();
if (roles.hasRole("gptAdministrator")) {
return;
}
}
}
// check for ownership
if (userWasAuthenticated && (assertion != null) && assertion.getWasReadFromIndex()) {
if (principals.contains(AsnConstants.PRINCIPAL_OWNER)) {
String asnUserKey = Val.chkStr(assertion.getUserPart().getKey());
String userKey = Val.chkStr(user.getKey());
if ((asnUserKey.length() > 0) && asnUserKey.equals(userKey)) {
return;
}
}
}
throw new AsnInsufficientPrivilegeException();
}
/**
* Determines if the user can perform an action.
*
* @param context the assertion operation context
* @param policy the authorization policy
* @param assertion the active assertion
* @param action the action
* @return true if the user can perform the action
*/
private boolean canAct(
AsnContext context, AsnAuthPolicy policy, Assertion assertion, String action) {
// ensure an authorization policy
if (policy == null) {
return false;
}
// check the user, ensure an authenticated user if required
User user = context.getRequestContext().getUser();
boolean userWasAuthenticated = false;
if ((user != null) && user.getAuthenticationStatus().getWasAuthenticated()) {
userWasAuthenticated = true;
}
if (policy.getAuthenticationRequired() && !userWasAuthenticated) {
return false;
}
// determine the write principals (creation or modification)
AsnPrincipals principals = null;
boolean isWrite = false;
if (action.equals(AsnAuthorizer.ACTION_CREATE)) {
isWrite = true;
principals = policy.getCreatePrincipals();
} else if (action.equals(AsnAuthorizer.ACTION_DELETE)) {
isWrite = true;
principals = policy.getDeletePrincipals();
if (assertion == null) return false;
} else if (action.equals(AsnAuthorizer.ACTION_DISABLE)) {
isWrite = true;
principals = policy.getEnableDisablePrincipals();
if (assertion == null) return false;
if (!assertion.getSystemPart().getEnabled()) return false;
} else if (action.equals(AsnAuthorizer.ACTION_ENABLE)) {
isWrite = true;
principals = policy.getEnableDisablePrincipals();
if (assertion.getSystemPart().getEnabled()) return false;
if (assertion == null) return false;
} else if (action.equals(AsnAuthorizer.ACTION_QUERY)) {
principals = policy.getQueryPrincipals();
} else if (action.equals(AsnAuthorizer.ACTION_UPDATE)) {
isWrite = true;
principals = policy.getQueryPrincipals();
if (assertion == null) return false;
if (!assertion.getSystemPart().getEnabled()) return false;
}
if ((policy == null) || (principals == null)) {
return false;
}
// hard check to ensure an authenticated user for any modifications
// (regardless of configuration)
if (isWrite && !userWasAuthenticated) {
return false;
}
// check "any user" user privilege
if (principals.contains(AsnConstants.PRINCIPAL_ANY)) {
return true;
}
// check administrator privilege
if (userWasAuthenticated) {
if (principals.contains(AsnConstants.PRINCIPAL_ADMINISTRATOR)) {
RoleSet roles = user.getAuthenticationStatus().getAuthenticatedRoles();
if (roles.hasRole("gptAdministrator")) {
return true;
}
}
}
// check for ownership
if (userWasAuthenticated && (assertion != null) && assertion.getWasReadFromIndex()) {
if (principals.contains(AsnConstants.PRINCIPAL_OWNER)) {
String asnUserKey = Val.chkStr(assertion.getUserPart().getKey());
String userKey = Val.chkStr(user.getKey());
if ((asnUserKey.length() > 0) && asnUserKey.equals(userKey)) {
return true;
}
}
}
return false;
}
