001 package org.apache.archiva.security; 002 003 /* 004 * Licensed to the Apache Software Foundation (ASF) under one 005 * or more contributor license agreements. See the NOTICE file 006 * distributed with this work for additional information 007 * regarding copyright ownership. The ASF licenses this file 008 * to you under the Apache License, Version 2.0 (the 009 * "License"); you may not use this file except in compliance 010 * with the License. You may obtain a copy of the License at 011 * 012 * http://www.apache.org/licenses/LICENSE-2.0 013 * 014 * Unless required by applicable law or agreed to in writing, 015 * software distributed under the License is distributed on an 016 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 017 * KIND, either express or implied. See the License for the 018 * specific language governing permissions and limitations 019 * under the License. 020 */ 021 022 import org.apache.archiva.admin.model.RepositoryAdminException; 023 import org.apache.archiva.admin.model.beans.ManagedRepository; 024 import org.apache.archiva.admin.model.managed.ManagedRepositoryAdmin; 025 import org.apache.archiva.redback.authentication.AuthenticationResult; 026 import org.apache.archiva.redback.authorization.AuthorizationException; 027 import org.apache.archiva.redback.role.RoleManager; 028 import org.apache.archiva.redback.role.RoleManagerException; 029 import org.apache.archiva.redback.system.DefaultSecuritySession; 030 import org.apache.archiva.redback.system.SecuritySession; 031 import org.apache.archiva.redback.system.SecuritySystem; 032 import org.apache.archiva.redback.users.User; 033 import org.apache.archiva.redback.users.UserManagerException; 034 import org.apache.archiva.redback.users.UserNotFoundException; 035 import org.apache.archiva.security.common.ArchivaRoleConstants; 036 import org.slf4j.Logger; 037 import org.slf4j.LoggerFactory; 038 import org.springframework.stereotype.Service; 039 040 import javax.inject.Inject; 041 import java.util.ArrayList; 042 import java.util.List; 043 044 /** 045 * DefaultUserRepositories 046 */ 047 @Service( "userRepositories" ) 048 public class DefaultUserRepositories 049 implements UserRepositories 050 { 051 052 @Inject 053 private SecuritySystem securitySystem; 054 055 @Inject 056 private RoleManager roleManager; 057 058 @Inject 059 private ManagedRepositoryAdmin managedRepositoryAdmin; 060 061 private Logger log = LoggerFactory.getLogger( getClass() ); 062 063 public List<String> getObservableRepositoryIds( String principal ) 064 throws PrincipalNotFoundException, AccessDeniedException, ArchivaSecurityException 065 { 066 String operation = ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS; 067 068 return getAccessibleRepositoryIds( principal, operation ); 069 } 070 071 public List<String> getManagableRepositoryIds( String principal ) 072 throws PrincipalNotFoundException, AccessDeniedException, ArchivaSecurityException 073 { 074 String operation = ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD; 075 076 return getAccessibleRepositoryIds( principal, operation ); 077 } 078 079 private List<String> getAccessibleRepositoryIds( String principal, String operation ) 080 throws ArchivaSecurityException, AccessDeniedException, PrincipalNotFoundException 081 { 082 083 List<ManagedRepository> managedRepositories = getAccessibleRepositories( principal, operation ); 084 List<String> repoIds = new ArrayList<String>( managedRepositories.size() ); 085 for ( ManagedRepository managedRepository : managedRepositories ) 086 { 087 repoIds.add( managedRepository.getId() ); 088 } 089 090 return repoIds; 091 } 092 093 public List<ManagedRepository> getAccessibleRepositories( String principal ) 094 throws ArchivaSecurityException, AccessDeniedException, PrincipalNotFoundException 095 { 096 return getAccessibleRepositories( principal, ArchivaRoleConstants.OPERATION_REPOSITORY_ACCESS ); 097 } 098 099 private List<ManagedRepository> getAccessibleRepositories( String principal, String operation ) 100 throws ArchivaSecurityException, AccessDeniedException, PrincipalNotFoundException 101 { 102 SecuritySession securitySession = createSession( principal ); 103 104 List<ManagedRepository> managedRepositories = new ArrayList<ManagedRepository>(); 105 106 try 107 { 108 List<ManagedRepository> repos = managedRepositoryAdmin.getManagedRepositories(); 109 110 for ( ManagedRepository repo : repos ) 111 { 112 try 113 { 114 String repoId = repo.getId(); 115 if ( securitySystem.isAuthorized( securitySession, operation, repoId ) ) 116 { 117 managedRepositories.add( repo ); 118 } 119 } 120 catch ( AuthorizationException e ) 121 { 122 // swallow. 123 124 log.debug( "Not authorizing '{}' for repository '{}': {}", principal, repo.getId(), 125 e.getMessage() ); 126 127 } 128 } 129 130 return managedRepositories; 131 } 132 catch ( RepositoryAdminException e ) 133 { 134 throw new ArchivaSecurityException( e.getMessage(), e ); 135 } 136 } 137 138 private SecuritySession createSession( String principal ) 139 throws ArchivaSecurityException, AccessDeniedException 140 { 141 User user; 142 try 143 { 144 user = securitySystem.getUserManager().findUser( principal ); 145 if ( user == null ) 146 { 147 throw new ArchivaSecurityException( 148 "The security system had an internal error - please check your system logs" ); 149 } 150 } 151 catch ( UserNotFoundException e ) 152 { 153 throw new PrincipalNotFoundException( "Unable to find principal " + principal + "", e ); 154 } 155 catch ( UserManagerException e ) 156 { 157 throw new ArchivaSecurityException( e.getMessage(), e ); 158 } 159 160 if ( user.isLocked() ) 161 { 162 throw new AccessDeniedException( "User " + principal + "(" + user.getFullName() + ") is locked." ); 163 } 164 165 AuthenticationResult authn = new AuthenticationResult( true, principal, null ); 166 authn.setUser( user ); 167 return new DefaultSecuritySession( authn, user ); 168 } 169 170 public void createMissingRepositoryRoles( String repoId ) 171 throws ArchivaSecurityException 172 { 173 try 174 { 175 if ( !roleManager.templatedRoleExists( ArchivaRoleConstants.TEMPLATE_REPOSITORY_OBSERVER, repoId ) ) 176 { 177 roleManager.createTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_OBSERVER, repoId ); 178 } 179 180 if ( !roleManager.templatedRoleExists( ArchivaRoleConstants.TEMPLATE_REPOSITORY_MANAGER, repoId ) ) 181 { 182 roleManager.createTemplatedRole( ArchivaRoleConstants.TEMPLATE_REPOSITORY_MANAGER, repoId ); 183 } 184 } 185 catch ( RoleManagerException e ) 186 { 187 throw new ArchivaSecurityException( "Unable to create roles for configured repositories: " + e.getMessage(), 188 e ); 189 } 190 } 191 192 public boolean isAuthorizedToUploadArtifacts( String principal, String repoId ) 193 throws PrincipalNotFoundException, ArchivaSecurityException 194 { 195 try 196 { 197 SecuritySession securitySession = createSession( principal ); 198 199 return securitySystem.isAuthorized( securitySession, ArchivaRoleConstants.OPERATION_REPOSITORY_UPLOAD, 200 repoId ); 201 202 } 203 catch ( AuthorizationException e ) 204 { 205 throw new ArchivaSecurityException( e.getMessage(), e); 206 } 207 } 208 209 public boolean isAuthorizedToDeleteArtifacts( String principal, String repoId ) 210 throws ArchivaSecurityException 211 { 212 try 213 { 214 SecuritySession securitySession = createSession( principal ); 215 216 return securitySystem.isAuthorized( securitySession, ArchivaRoleConstants.OPERATION_REPOSITORY_DELETE, 217 repoId ); 218 219 } 220 catch ( AuthorizationException e ) 221 { 222 throw new ArchivaSecurityException( e.getMessage(), e); 223 } 224 } 225 226 public SecuritySystem getSecuritySystem() 227 { 228 return securitySystem; 229 } 230 231 public void setSecuritySystem( SecuritySystem securitySystem ) 232 { 233 this.securitySystem = securitySystem; 234 } 235 236 public RoleManager getRoleManager() 237 { 238 return roleManager; 239 } 240 241 public void setRoleManager( RoleManager roleManager ) 242 { 243 this.roleManager = roleManager; 244 } 245 }