From 5c677aa75722ced1759b803d193e9e897b7740a3 Mon Sep 17 00:00:00 2001 From: Robert von Burg Date: Mon, 8 Sep 2014 13:35:37 +0200 Subject: [PATCH] [New] Added privilege checking for StrolchQueries --- .../agent/api/RestrictableElement.java | 49 +++++++++++++++++++ .../li/strolch/agent/impl/EmptyRealm.java | 2 +- .../li/strolch/agent/impl/TransientRealm.java | 2 +- .../persistence/api/AbstractTransaction.java | 20 +++++++- .../inmemory/InMemoryPersistence.java | 7 ++- .../inmemory/InMemoryPersistenceHandler.java | 2 +- .../inmemory/InMemoryTransaction.java | 7 +-- .../cachedtest/config/PrivilegeModel.xml | 4 +- .../emptytest/config/PrivilegeModel.xml | 3 ++ .../minimaltest/config/PrivilegeModel.xml | 3 ++ .../realmtest/config/PrivilegeModel.xml | 3 ++ .../config/PrivilegeModel.xml | 3 ++ .../transienttest/config/PrivilegeModel.xml | 3 ++ 13 files changed, 98 insertions(+), 10 deletions(-) create mode 100644 src/main/java/li/strolch/agent/api/RestrictableElement.java diff --git a/src/main/java/li/strolch/agent/api/RestrictableElement.java b/src/main/java/li/strolch/agent/api/RestrictableElement.java new file mode 100644 index 000000000..7a00c6067 --- /dev/null +++ b/src/main/java/li/strolch/agent/api/RestrictableElement.java @@ -0,0 +1,49 @@ +/* + * Copyright 2013 Robert von Burg + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package li.strolch.agent.api; + +import ch.eitchnet.privilege.model.Restrictable; + +/** + * A simple implementation for the {@link Restrictable} interface + * + * @author Robert von Burg + */ +public class RestrictableElement implements Restrictable { + + private String name; + private Object value; + + public RestrictableElement(String name, Object value) { + super(); + this.name = name; + this.value = value; + } + + @Override + public String getPrivilegeName() { + return this.name; + } + + @Override + public Object getPrivilegeValue() { + return this.value; + } + + public static Restrictable restrictableFor(String name, Object value) { + return new RestrictableElement(name, value); + } +} diff --git a/src/main/java/li/strolch/agent/impl/EmptyRealm.java b/src/main/java/li/strolch/agent/impl/EmptyRealm.java index 3372b6e6c..184eb5862 100644 --- a/src/main/java/li/strolch/agent/impl/EmptyRealm.java +++ b/src/main/java/li/strolch/agent/impl/EmptyRealm.java @@ -78,7 +78,7 @@ public class EmptyRealm extends InternalStrolchRealm { @Override public void initialize(ComponentContainer container, ComponentConfiguration configuration) { super.initialize(container, configuration); - this.persistenceHandler = new InMemoryPersistence(); + this.persistenceHandler = new InMemoryPersistence(container.getPrivilegeHandler()); this.resourceMap = new TransactionalResourceMap(); this.orderMap = new TransactionalOrderMap(); diff --git a/src/main/java/li/strolch/agent/impl/TransientRealm.java b/src/main/java/li/strolch/agent/impl/TransientRealm.java index 90f560357..7b20a89bf 100644 --- a/src/main/java/li/strolch/agent/impl/TransientRealm.java +++ b/src/main/java/li/strolch/agent/impl/TransientRealm.java @@ -97,7 +97,7 @@ public class TransientRealm extends InternalStrolchRealm { this.modelFile = configuration.getDataFile(key, null, configuration.getRuntimeConfiguration(), true); - this.persistenceHandler = new InMemoryPersistence(); + this.persistenceHandler = new InMemoryPersistence(container.getPrivilegeHandler()); this.resourceMap = new TransactionalResourceMap(); this.orderMap = new TransactionalOrderMap(); diff --git a/src/main/java/li/strolch/persistence/api/AbstractTransaction.java b/src/main/java/li/strolch/persistence/api/AbstractTransaction.java index 85f1b2cbc..09c831f4b 100644 --- a/src/main/java/li/strolch/persistence/api/AbstractTransaction.java +++ b/src/main/java/li/strolch/persistence/api/AbstractTransaction.java @@ -52,17 +52,20 @@ import li.strolch.model.parameter.Parameter; import li.strolch.model.parameter.StringParameter; import li.strolch.model.query.OrderQuery; import li.strolch.model.query.ResourceQuery; +import li.strolch.model.query.StrolchQuery; import li.strolch.model.timedstate.StrolchTimedState; import li.strolch.model.timevalue.IValue; import li.strolch.model.visitor.NoStrategyOrderVisitor; import li.strolch.model.visitor.NoStrategyResourceVisitor; import li.strolch.persistence.inmemory.InMemoryTransaction; +import li.strolch.runtime.privilege.PrivilegeHandler; import li.strolch.service.api.Command; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import ch.eitchnet.privilege.model.Certificate; +import ch.eitchnet.privilege.model.PrivilegeContext; import ch.eitchnet.utils.dbc.DBC; import ch.eitchnet.utils.helper.StringHelper; @@ -88,12 +91,16 @@ public abstract class AbstractTransaction implements StrolchTransaction { private String action; private Certificate certificate; + private PrivilegeHandler privilegeHandler; - public AbstractTransaction(StrolchRealm realm, Certificate certificate, String action) { + public AbstractTransaction(PrivilegeHandler privilegeHandler, StrolchRealm realm, Certificate certificate, + String action) { + DBC.PRE.assertNotNull("privilegeHandler must be set!", privilegeHandler); //$NON-NLS-1$ DBC.PRE.assertNotNull("realm must be set!", realm); //$NON-NLS-1$ DBC.PRE.assertNotNull("certificate must be set!", certificate); //$NON-NLS-1$ DBC.PRE.assertNotNull("action must be set!", action); //$NON-NLS-1$ + this.privilegeHandler = privilegeHandler; this.realm = (InternalStrolchRealm) realm; this.action = action; this.certificate = certificate; @@ -228,33 +235,44 @@ public abstract class AbstractTransaction implements StrolchTransaction { return this.auditTrail; } + private void assertQueryAllowed(StrolchQuery query) { + PrivilegeContext privilegeContext = this.privilegeHandler.getPrivilegeContext(this.certificate); + privilegeContext.validateAction(query); + } + @Override public List doQuery(OrderQuery query) { + assertQueryAllowed(query); return getPersistenceHandler().getOrderDao(this).doQuery(query, new NoStrategyOrderVisitor()); } @Override public List doQuery(OrderQuery query, OrderVisitor orderVisitor) { + assertQueryAllowed(query); return getPersistenceHandler().getOrderDao(this).doQuery(query, orderVisitor); } @Override public List doQuery(ResourceQuery query) { + assertQueryAllowed(query); return getPersistenceHandler().getResourceDao(this).doQuery(query, new NoStrategyResourceVisitor()); } @Override public List doQuery(ResourceQuery query, ResourceVisitor resourceVisitor) { + assertQueryAllowed(query); return getPersistenceHandler().getResourceDao(this).doQuery(query, resourceVisitor); } @Override public List doQuery(AuditQuery query) { + assertQueryAllowed(query); return getPersistenceHandler().getAuditDao(this).doQuery(query, new NoStrategyAuditVisitor()); } @Override public List doQuery(AuditQuery query, AuditVisitor auditVisitor) { + assertQueryAllowed(query); return getPersistenceHandler().getAuditDao(this).doQuery(query, auditVisitor); } diff --git a/src/main/java/li/strolch/persistence/inmemory/InMemoryPersistence.java b/src/main/java/li/strolch/persistence/inmemory/InMemoryPersistence.java index d5bb83f27..31ea01515 100644 --- a/src/main/java/li/strolch/persistence/inmemory/InMemoryPersistence.java +++ b/src/main/java/li/strolch/persistence/inmemory/InMemoryPersistence.java @@ -9,19 +9,22 @@ import li.strolch.persistence.api.OrderDao; import li.strolch.persistence.api.PersistenceHandler; import li.strolch.persistence.api.ResourceDao; import li.strolch.persistence.api.StrolchTransaction; +import li.strolch.runtime.privilege.PrivilegeHandler; import ch.eitchnet.privilege.model.Certificate; public class InMemoryPersistence implements PersistenceHandler { private Map daoCache; + private PrivilegeHandler privilegeHandler; - public InMemoryPersistence() { + public InMemoryPersistence(PrivilegeHandler privilegeHandler) { + this.privilegeHandler = privilegeHandler; this.daoCache = new HashMap<>(); } @Override public StrolchTransaction openTx(StrolchRealm realm, Certificate certificate, String action) { - return new InMemoryTransaction(realm, certificate, action, this); + return new InMemoryTransaction(this.privilegeHandler, realm, certificate, action, this); } @Override diff --git a/src/main/java/li/strolch/persistence/inmemory/InMemoryPersistenceHandler.java b/src/main/java/li/strolch/persistence/inmemory/InMemoryPersistenceHandler.java index 7b98ecc4e..192f778a1 100644 --- a/src/main/java/li/strolch/persistence/inmemory/InMemoryPersistenceHandler.java +++ b/src/main/java/li/strolch/persistence/inmemory/InMemoryPersistenceHandler.java @@ -43,7 +43,7 @@ public class InMemoryPersistenceHandler extends StrolchComponent implements Pers @Override public void initialize(ComponentConfiguration configuration) { - this.persistence = new InMemoryPersistence(); + this.persistence = new InMemoryPersistence(getContainer().getPrivilegeHandler()); super.initialize(configuration); } diff --git a/src/main/java/li/strolch/persistence/inmemory/InMemoryTransaction.java b/src/main/java/li/strolch/persistence/inmemory/InMemoryTransaction.java index 25bbf69c5..8077e69ab 100644 --- a/src/main/java/li/strolch/persistence/inmemory/InMemoryTransaction.java +++ b/src/main/java/li/strolch/persistence/inmemory/InMemoryTransaction.java @@ -5,15 +5,16 @@ import li.strolch.persistence.api.AbstractTransaction; import li.strolch.persistence.api.PersistenceHandler; import li.strolch.persistence.api.TransactionResult; import li.strolch.persistence.api.TransactionState; +import li.strolch.runtime.privilege.PrivilegeHandler; import ch.eitchnet.privilege.model.Certificate; public class InMemoryTransaction extends AbstractTransaction { private InMemoryPersistence persistenceHandler; - public InMemoryTransaction(StrolchRealm realm, Certificate certificate, String action, - InMemoryPersistence persistenceHandler) { - super(realm, certificate, action); + public InMemoryTransaction(PrivilegeHandler privilegeHandler, StrolchRealm realm, Certificate certificate, + String action, InMemoryPersistence persistenceHandler) { + super(privilegeHandler, realm, certificate, action); this.persistenceHandler = persistenceHandler; } diff --git a/src/test/resources/cachedtest/config/PrivilegeModel.xml b/src/test/resources/cachedtest/config/PrivilegeModel.xml index 45adbcb67..0ed6ce7b2 100644 --- a/src/test/resources/cachedtest/config/PrivilegeModel.xml +++ b/src/test/resources/cachedtest/config/PrivilegeModel.xml @@ -31,7 +31,9 @@ true + + true + - \ No newline at end of file diff --git a/src/test/resources/emptytest/config/PrivilegeModel.xml b/src/test/resources/emptytest/config/PrivilegeModel.xml index 45adbcb67..5394a74b4 100644 --- a/src/test/resources/emptytest/config/PrivilegeModel.xml +++ b/src/test/resources/emptytest/config/PrivilegeModel.xml @@ -31,6 +31,9 @@ true + + true + diff --git a/src/test/resources/minimaltest/config/PrivilegeModel.xml b/src/test/resources/minimaltest/config/PrivilegeModel.xml index bac84f10c..45d20b677 100644 --- a/src/test/resources/minimaltest/config/PrivilegeModel.xml +++ b/src/test/resources/minimaltest/config/PrivilegeModel.xml @@ -31,6 +31,9 @@ true + + true + \ No newline at end of file diff --git a/src/test/resources/realmtest/config/PrivilegeModel.xml b/src/test/resources/realmtest/config/PrivilegeModel.xml index 45adbcb67..5394a74b4 100644 --- a/src/test/resources/realmtest/config/PrivilegeModel.xml +++ b/src/test/resources/realmtest/config/PrivilegeModel.xml @@ -31,6 +31,9 @@ true + + true + diff --git a/src/test/resources/transactionaltest/config/PrivilegeModel.xml b/src/test/resources/transactionaltest/config/PrivilegeModel.xml index 45adbcb67..5394a74b4 100644 --- a/src/test/resources/transactionaltest/config/PrivilegeModel.xml +++ b/src/test/resources/transactionaltest/config/PrivilegeModel.xml @@ -31,6 +31,9 @@ true + + true + diff --git a/src/test/resources/transienttest/config/PrivilegeModel.xml b/src/test/resources/transienttest/config/PrivilegeModel.xml index 424ce83d9..1b64ae333 100644 --- a/src/test/resources/transienttest/config/PrivilegeModel.xml +++ b/src/test/resources/transienttest/config/PrivilegeModel.xml @@ -33,6 +33,9 @@ true + + true +