private void assertListStringAttribute(Metacard mc, String attrName, String[] expectedValues) {
if (mc.getAttribute(attrName) != null) {
List<?> values = (List<?>) mc.getAttribute(attrName).getValues();
assertThat(values, not(nullValue()));
assertThat(values.size(), equalTo(expectedValues.length));
List<String> valuesList = new ArrayList<String>();
valuesList.addAll((List<? extends String>) values);
assertThat(valuesList, hasItems(expectedValues));
}
}
@Override
public ResourceResponse processPostResource(ResourceResponse input, Metacard metacard)
throws StopProcessingException {
if (input.getRequest() == null || input.getRequest().getProperties() == null) {
throw new StopProcessingException(
"Unable to filter contents of current message, no user Subject available.");
}
KeyValueCollectionPermission securityPermission =
new KeyValueCollectionPermission(CollectionPermission.READ_ACTION);
Subject subject = getSubject(input);
Attribute attr = metacard.getAttribute(Metacard.SECURITY);
if (!checkPermissions(attr, securityPermission, subject, CollectionPermission.READ_ACTION)) {
for (FilterStrategy filterStrategy : filterStrategies.values()) {
FilterResult filterResult = filterStrategy.process(input, metacard);
if (filterResult.processed()) {
if (filterResult.response() == null) {
throw new StopProcessingException("Subject not permitted to receive resource");
} else {
input = (ResourceResponse) filterResult.response();
}
break;
// returned metacards are ignored for resource requests
}
}
if (filterStrategies.size() == 0) {
throw new StopProcessingException("Subject not permitted to receive resource");
}
}
return input;
}
@Test
public void testGeoTaggedJpeg() throws Exception {
InputStream stream =
Thread.currentThread().getContextClassLoader().getResourceAsStream("testJPEG_GEO.jpg");
/*
* The dates in testJPED_GEO.jpg do not contain timezones. If no timezone is specified,
* the Tika input transformer assumes the local time zone. Set the system timezone to UTC
* so we can do assertions.
*/
TimeZone defaultTimeZone = TimeZone.getDefault();
TimeZone.setDefault(TimeZone.getTimeZone("UTC"));
Metacard metacard = transform(stream);
assertNotNull(metacard);
assertNotNull(metacard.getMetadata());
assertThat(
metacard.getMetadata(), containsString("<meta name=\"Model\" content=\"Canon EOS 40D\"/>"));
assertThat(metacard.getContentTypeName(), is("image/jpeg"));
assertThat(convertDate(metacard.getCreatedDate()), is("2009-08-11 09:09:45 UTC"));
assertThat(convertDate(metacard.getModifiedDate()), is("2009-10-02 23:02:49 UTC"));
assertThat(
(String) metacard.getAttribute(Metacard.GEOGRAPHY).getValue(),
is("POINT(-54.1234 12.54321)"));
// Reset timezone back to local time zone.
TimeZone.setDefault(defaultTimeZone);
}
@Override
public UpdateRequest processPreUpdate(UpdateRequest input, Map<String, Metacard> metacards)
throws StopProcessingException {
KeyValueCollectionPermission securityPermission =
new KeyValueCollectionPermission(CollectionPermission.UPDATE_ACTION);
List<Map.Entry<Serializable, Metacard>> updates = input.getUpdates();
Subject subject = getSubject(input);
Subject systemSubject = getSystemSubject();
List<String> unknownIds = new ArrayList<>();
List<String> notPermittedIds = new ArrayList<>();
for (Map.Entry<Serializable, Metacard> entry : updates) {
Metacard newMetacard = entry.getValue();
Attribute attr = newMetacard.getAttribute(Metacard.SECURITY);
String id = null;
if (entry.getKey() != null && !entry.getKey().equals("null")) {
id = (String) entry.getKey();
} else if (newMetacard.getId() != null && !newMetacard.getId().equals("null")) {
id = newMetacard.getId();
}
Metacard oldMetacard = metacards.get(id);
if (oldMetacard == null) {
unknownIds.add(id);
} else {
Attribute oldAttr = oldMetacard.getAttribute(Metacard.SECURITY);
if (!checkPermissions(attr, securityPermission, subject, CollectionPermission.UPDATE_ACTION)
|| !checkPermissions(
oldAttr, securityPermission, subject, CollectionPermission.UPDATE_ACTION)
|| !checkPermissions(
attr, securityPermission, systemSubject, CollectionPermission.UPDATE_ACTION)) {
notPermittedIds.add(newMetacard.getId());
}
}
}
if (!unknownIds.isEmpty() || !notPermittedIds.isEmpty()) {
throw new StopProcessingException(
"Update operation not permitted with bad data. Unknown metacards: [ "
+ listToString(unknownIds)
+ " ]. Not Permitted metacards: [ "
+ listToString(notPermittedIds)
+ " ]");
}
return input;
}
private Map<String, Set<String>> buildSecurityMap(Metacard metacard) {
Map<String, Set<String>> securityMap = new HashMap<>();
if (metacard != null) {
for (String metacardAttribute : metacardAttributes) {
Attribute attribute = metacard.getAttribute(metacardAttribute);
if (attribute != null) {
securityMap.put(metacardAttribute, new HashSet<>(listAsStrings(attribute.getValues())));
}
}
}
return securityMap;
}
private PolicyResponse getWritePolicy(Metacard input, Map<String, Serializable> properties) {
HashMap<String, Set<String>> operationPolicy = new HashMap<>();
if (Requests.isLocal(properties) && input.getTags().contains(RegistryConstants.REGISTRY_TAG)) {
Attribute attribute = input.getAttribute(RegistryObjectMetacardType.REGISTRY_BASE_URL);
if (isRegistryDisabled()
|| (attribute != null
&& attribute.getValue() instanceof String
&& ((String) attribute.getValue()).startsWith(SystemBaseUrl.getBaseUrl()))) {
operationPolicy.putAll(bypassAccessPolicy);
} else {
operationPolicy.putAll(writeAccessPolicy);
}
}
return new PolicyResponseImpl(operationPolicy, new HashMap<>());
}
private void assertMetacard(Metacard mc, Map<String, Object> expectedValues) {
assertThat(mc.getId(), equalTo((String) expectedValues.get(Metacard.ID)));
assertListStringAttribute(
mc,
CswRecordMetacardType.CSW_IDENTIFIER,
(String[]) expectedValues.get(CswRecordMetacardType.CSW_IDENTIFIER));
assertThat(mc.getTitle(), equalTo((String) expectedValues.get(Metacard.TITLE)));
assertListStringAttribute(
mc,
CswRecordMetacardType.CSW_TITLE,
(String[]) expectedValues.get(CswRecordMetacardType.CSW_TITLE));
assertThat(mc.getModifiedDate(), equalTo((Date) expectedValues.get(Metacard.MODIFIED)));
assertListStringAttribute(
mc,
CswRecordMetacardType.CSW_MODIFIED,
(String[]) expectedValues.get(CswRecordMetacardType.CSW_MODIFIED));
assertListStringAttribute(
mc,
CswRecordMetacardType.CSW_SUBJECT,
(String[]) expectedValues.get(CswRecordMetacardType.CSW_SUBJECT));
assertListStringAttribute(
mc,
CswRecordMetacardType.CSW_ABSTRACT,
(String[]) expectedValues.get(CswRecordMetacardType.CSW_ABSTRACT));
assertListStringAttribute(
mc,
CswRecordMetacardType.CSW_RIGHTS,
(String[]) expectedValues.get(CswRecordMetacardType.CSW_RIGHTS));
assertListStringAttribute(
mc,
CswRecordMetacardType.CSW_LANGUAGE,
(String[]) expectedValues.get(CswRecordMetacardType.CSW_LANGUAGE));
assertThat(
(String) mc.getAttribute(CswRecordMetacardType.CSW_TYPE).getValue(),
equalTo((String) expectedValues.get(CswRecordMetacardType.CSW_TYPE)));
assertListStringAttribute(
mc,
CswRecordMetacardType.CSW_FORMAT,
(String[]) expectedValues.get(CswRecordMetacardType.CSW_FORMAT));
assertThat(mc.getLocation(), equalTo((String) expectedValues.get(Metacard.GEOGRAPHY)));
assertListStringAttribute(
mc,
CswRecordMetacardType.OWS_BOUNDING_BOX,
(String[]) expectedValues.get(CswRecordMetacardType.OWS_BOUNDING_BOX));
}
@Override
public QueryResponse processPostQuery(QueryResponse input) throws StopProcessingException {
if (input.getRequest() == null || input.getRequest().getProperties() == null) {
throw new StopProcessingException(
"Unable to filter contents of current message, no user Subject available.");
}
Subject subject = getSubject(input);
List<Result> results = input.getResults();
List<Result> newResults = new ArrayList<>(results.size());
Metacard metacard;
KeyValueCollectionPermission securityPermission =
new KeyValueCollectionPermission(CollectionPermission.READ_ACTION);
int filteredMetacards = 0;
for (Result result : results) {
metacard = result.getMetacard();
Attribute attr = metacard.getAttribute(Metacard.SECURITY);
if (!checkPermissions(attr, securityPermission, subject, CollectionPermission.READ_ACTION)) {
for (FilterStrategy filterStrategy : filterStrategies.values()) {
FilterResult filterResult = filterStrategy.process(input, metacard);
if (filterResult.processed()) {
if (filterResult.metacard() != null) {
newResults.add(new ResultImpl(filterResult.metacard()));
}
break;
// returned responses are ignored for queries
}
}
filteredMetacards++;
} else {
newResults.add(result);
}
}
LOGGER.info("Filtered {} metacards, returned {}", filteredMetacards, newResults.size());
SecurityLogger.logInfo(
"Filtered " + filteredMetacards + " metacards, returned " + newResults.size());
input.getResults().clear();
input.getResults().addAll(newResults);
newResults.clear();
return input;
}
@Override
public boolean metacardMatch(Metacard metacard) {
if (Metacard.SOURCE_ID.equals(attributeName)) {
return metacard.getSourceId().equals(attributeValue);
} else {
Attribute attribute = metacard.getAttribute(attributeName);
if (attribute != null) {
if (attributeValueMatch(
attribute, metacard.getMetacardType().getAttributeDescriptor(attributeName))) {
LOGGER.debug(
"Found match for Attribute: {} Value: {} URL: {}",
attributeName,
attributeValue,
styleUrl);
return true;
}
}
}
return false;
}
@Override
public CreateRequest processPreCreate(CreateRequest input) throws StopProcessingException {
KeyValueCollectionPermission securityPermission =
new KeyValueCollectionPermission(CollectionPermission.CREATE_ACTION);
List<Metacard> metacards = input.getMetacards();
Subject subject = getSubject(input);
Subject systemSubject = getSystemSubject();
List<String> notPermittedIds = new ArrayList<>();
for (Metacard metacard : metacards) {
Attribute attr = metacard.getAttribute(Metacard.SECURITY);
if (!checkPermissions(attr, securityPermission, subject, CollectionPermission.CREATE_ACTION)
|| !checkPermissions(
attr, securityPermission, systemSubject, CollectionPermission.CREATE_ACTION)) {
notPermittedIds.add(metacard.getId());
}
}
if (!notPermittedIds.isEmpty()) {
throw new StopProcessingException(
"Metacard creation not permitted for: [ " + listToString(notPermittedIds) + " ]");
}
return input;
}
