[New] Added privilege checking for StrolchQueries

2014-09-08 13:35:37 +02:00 · 2014-09-08 13:35:37 +02:00 · 5c677aa757
parent ae5a0b0a14
commit 5c677aa757
13 changed files with 98 additions and 10 deletions
--- a/src/main/java/li/strolch/agent/api/RestrictableElement.java
+++ b/src/main/java/li/strolch/agent/api/RestrictableElement.java
@ -0,0 +1,49 @@
+/*
+ * Copyright 2013 Robert von Burg <eitch@eitchnet.ch>
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * 
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ * 
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package li.strolch.agent.api;
+
+import ch.eitchnet.privilege.model.Restrictable;
+
+/**
+ * A simple implementation for the {@link Restrictable} interface
+ * 
+ * @author Robert von Burg <eitch@eitchnet.ch>
+ */
+public class RestrictableElement implements Restrictable {
+
+	private String name;
+	private Object value;
+
+	public RestrictableElement(String name, Object value) {
+		super();
+		this.name = name;
+		this.value = value;
+	}
+
+	@Override
+	public String getPrivilegeName() {
+		return this.name;
+	}
+
+	@Override
+	public Object getPrivilegeValue() {
+		return this.value;
+	}
+
+	public static Restrictable restrictableFor(String name, Object value) {
+		return new RestrictableElement(name, value);
+	}
+}
--- a/src/main/java/li/strolch/agent/impl/EmptyRealm.java
+++ b/src/main/java/li/strolch/agent/impl/EmptyRealm.java
@ -78,7 +78,7 @@ public class EmptyRealm extends InternalStrolchRealm {
 	@Override
 	public void initialize(ComponentContainer container, ComponentConfiguration configuration) {
 		super.initialize(container, configuration);
-		this.persistenceHandler = new InMemoryPersistence();
+		this.persistenceHandler = new InMemoryPersistence(container.getPrivilegeHandler());
 		this.resourceMap = new TransactionalResourceMap();
 		this.orderMap = new TransactionalOrderMap();

--- a/src/main/java/li/strolch/agent/impl/TransientRealm.java
+++ b/src/main/java/li/strolch/agent/impl/TransientRealm.java
@ -97,7 +97,7 @@ public class TransientRealm extends InternalStrolchRealm {

 		this.modelFile = configuration.getDataFile(key, null, configuration.getRuntimeConfiguration(), true);

-		this.persistenceHandler = new InMemoryPersistence();
+		this.persistenceHandler = new InMemoryPersistence(container.getPrivilegeHandler());
 		this.resourceMap = new TransactionalResourceMap();
 		this.orderMap = new TransactionalOrderMap();

--- a/src/main/java/li/strolch/persistence/api/AbstractTransaction.java
+++ b/src/main/java/li/strolch/persistence/api/AbstractTransaction.java
@ -52,17 +52,20 @@ import li.strolch.model.parameter.Parameter;
 import li.strolch.model.parameter.StringParameter;
 import li.strolch.model.query.OrderQuery;
 import li.strolch.model.query.ResourceQuery;
+import li.strolch.model.query.StrolchQuery;
 import li.strolch.model.timedstate.StrolchTimedState;
 import li.strolch.model.timevalue.IValue;
 import li.strolch.model.visitor.NoStrategyOrderVisitor;
 import li.strolch.model.visitor.NoStrategyResourceVisitor;
 import li.strolch.persistence.inmemory.InMemoryTransaction;
+import li.strolch.runtime.privilege.PrivilegeHandler;
 import li.strolch.service.api.Command;

 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

 import ch.eitchnet.privilege.model.Certificate;
+import ch.eitchnet.privilege.model.PrivilegeContext;
 import ch.eitchnet.utils.dbc.DBC;
 import ch.eitchnet.utils.helper.StringHelper;

@ -88,12 +91,16 @@ public abstract class AbstractTransaction implements StrolchTransaction {

 	private String action;
 	private Certificate certificate;
+	private PrivilegeHandler privilegeHandler;

-	public AbstractTransaction(StrolchRealm realm, Certificate certificate, String action) {
+	public AbstractTransaction(PrivilegeHandler privilegeHandler, StrolchRealm realm, Certificate certificate,
+			String action) {
+		DBC.PRE.assertNotNull("privilegeHandler must be set!", privilegeHandler); //$NON-NLS-1$
 		DBC.PRE.assertNotNull("realm must be set!", realm); //$NON-NLS-1$
 		DBC.PRE.assertNotNull("certificate must be set!", certificate); //$NON-NLS-1$
 		DBC.PRE.assertNotNull("action must be set!", action); //$NON-NLS-1$

+		this.privilegeHandler = privilegeHandler;
 		this.realm = (InternalStrolchRealm) realm;
 		this.action = action;
 		this.certificate = certificate;
@ -228,33 +235,44 @@ public abstract class AbstractTransaction implements StrolchTransaction {
 		return this.auditTrail;
 	}

+	private void assertQueryAllowed(StrolchQuery query) {
+		PrivilegeContext privilegeContext = this.privilegeHandler.getPrivilegeContext(this.certificate);
+		privilegeContext.validateAction(query);
+	}
+
 	@Override
 	public List<Order> doQuery(OrderQuery query) {
+		assertQueryAllowed(query);
 		return getPersistenceHandler().getOrderDao(this).doQuery(query, new NoStrategyOrderVisitor());
 	}

 	@Override
 	public <U> List<U> doQuery(OrderQuery query, OrderVisitor<U> orderVisitor) {
+		assertQueryAllowed(query);
 		return getPersistenceHandler().getOrderDao(this).doQuery(query, orderVisitor);
 	}

 	@Override
 	public List<Resource> doQuery(ResourceQuery query) {
+		assertQueryAllowed(query);
 		return getPersistenceHandler().getResourceDao(this).doQuery(query, new NoStrategyResourceVisitor());
 	}

 	@Override
 	public <U> List<U> doQuery(ResourceQuery query, ResourceVisitor<U> resourceVisitor) {
+		assertQueryAllowed(query);
 		return getPersistenceHandler().getResourceDao(this).doQuery(query, resourceVisitor);
 	}

 	@Override
 	public List<Audit> doQuery(AuditQuery query) {
+		assertQueryAllowed(query);
 		return getPersistenceHandler().getAuditDao(this).doQuery(query, new NoStrategyAuditVisitor());
 	}

 	@Override
 	public <U> List<U> doQuery(AuditQuery query, AuditVisitor<U> auditVisitor) {
+		assertQueryAllowed(query);
 		return getPersistenceHandler().getAuditDao(this).doQuery(query, auditVisitor);
 	}

--- a/src/main/java/li/strolch/persistence/inmemory/InMemoryPersistence.java
+++ b/src/main/java/li/strolch/persistence/inmemory/InMemoryPersistence.java
@ -9,19 +9,22 @@ import li.strolch.persistence.api.OrderDao;
 import li.strolch.persistence.api.PersistenceHandler;
 import li.strolch.persistence.api.ResourceDao;
 import li.strolch.persistence.api.StrolchTransaction;
+import li.strolch.runtime.privilege.PrivilegeHandler;
 import ch.eitchnet.privilege.model.Certificate;

 public class InMemoryPersistence implements PersistenceHandler {

 	private Map<String, DaoCache> daoCache;
+	private PrivilegeHandler privilegeHandler;

-	public InMemoryPersistence() {
+	public InMemoryPersistence(PrivilegeHandler privilegeHandler) {
+		this.privilegeHandler = privilegeHandler;
 		this.daoCache = new HashMap<>();
 	}

 	@Override
 	public StrolchTransaction openTx(StrolchRealm realm, Certificate certificate, String action) {
-		return new InMemoryTransaction(realm, certificate, action, this);
+		return new InMemoryTransaction(this.privilegeHandler, realm, certificate, action, this);
 	}

 	@Override
--- a/src/main/java/li/strolch/persistence/inmemory/InMemoryPersistenceHandler.java
+++ b/src/main/java/li/strolch/persistence/inmemory/InMemoryPersistenceHandler.java
@ -43,7 +43,7 @@ public class InMemoryPersistenceHandler extends StrolchComponent implements Pers

 	@Override
 	public void initialize(ComponentConfiguration configuration) {
-		this.persistence = new InMemoryPersistence();
+		this.persistence = new InMemoryPersistence(getContainer().getPrivilegeHandler());
 		super.initialize(configuration);
 	}

--- a/src/main/java/li/strolch/persistence/inmemory/InMemoryTransaction.java
+++ b/src/main/java/li/strolch/persistence/inmemory/InMemoryTransaction.java
@ -5,15 +5,16 @@ import li.strolch.persistence.api.AbstractTransaction;
 import li.strolch.persistence.api.PersistenceHandler;
 import li.strolch.persistence.api.TransactionResult;
 import li.strolch.persistence.api.TransactionState;
+import li.strolch.runtime.privilege.PrivilegeHandler;
 import ch.eitchnet.privilege.model.Certificate;

 public class InMemoryTransaction extends AbstractTransaction {

 	private InMemoryPersistence persistenceHandler;

-	public InMemoryTransaction(StrolchRealm realm, Certificate certificate, String action,
-			InMemoryPersistence persistenceHandler) {
-		super(realm, certificate, action);
+	public InMemoryTransaction(PrivilegeHandler privilegeHandler, StrolchRealm realm, Certificate certificate,
+			String action, InMemoryPersistence persistenceHandler) {
+		super(privilegeHandler, realm, certificate, action);
 		this.persistenceHandler = persistenceHandler;
 	}

--- a/src/test/resources/cachedtest/config/PrivilegeModel.xml
+++ b/src/test/resources/cachedtest/config/PrivilegeModel.xml
@ -31,7 +31,9 @@
 			<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
 				<AllAllowed>true</AllAllowed>
 			</Privilege>
+			<Privilege name="li.strolch.model.query.StrolchQuery" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
 		</Role>
-
 	</Roles>
 </UsersAndRoles>
--- a/src/test/resources/emptytest/config/PrivilegeModel.xml
+++ b/src/test/resources/emptytest/config/PrivilegeModel.xml
@ -31,6 +31,9 @@
 			<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
 				<AllAllowed>true</AllAllowed>
 			</Privilege>
+			<Privilege name="li.strolch.model.query.StrolchQuery" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
 		</Role>

 	</Roles>
--- a/src/test/resources/minimaltest/config/PrivilegeModel.xml
+++ b/src/test/resources/minimaltest/config/PrivilegeModel.xml
@ -31,6 +31,9 @@
 			<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
 				<AllAllowed>true</AllAllowed>
 			</Privilege>
+			<Privilege name="li.strolch.model.query.StrolchQuery" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
 		</Role>
 	</Roles>
 </UsersAndRoles>
--- a/src/test/resources/realmtest/config/PrivilegeModel.xml
+++ b/src/test/resources/realmtest/config/PrivilegeModel.xml
@ -31,6 +31,9 @@
 			<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
 				<AllAllowed>true</AllAllowed>
 			</Privilege>
+			<Privilege name="li.strolch.model.query.StrolchQuery" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
 		</Role>

 	</Roles>
--- a/src/test/resources/transactionaltest/config/PrivilegeModel.xml
+++ b/src/test/resources/transactionaltest/config/PrivilegeModel.xml
@ -31,6 +31,9 @@
 			<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
 				<AllAllowed>true</AllAllowed>
 			</Privilege>
+			<Privilege name="li.strolch.model.query.StrolchQuery" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
 		</Role>

 	</Roles>
--- a/src/test/resources/transienttest/config/PrivilegeModel.xml
+++ b/src/test/resources/transienttest/config/PrivilegeModel.xml
@ -33,6 +33,9 @@
 			<Privilege name="li.strolch.service.api.Service" policy="DefaultPrivilege">
 				<AllAllowed>true</AllAllowed>
 			</Privilege>
+			<Privilege name="li.strolch.model.query.StrolchQuery" policy="DefaultPrivilege">
+				<AllAllowed>true</AllAllowed>
+			</Privilege>
 		</Role>

 	</Roles>