KickJava   Java API By Example, From Geeks To Geeks.

Java > Open Source Codes > org > dspace > authorize > AuthorizeManager


1 /*
2  * AuthorizeManager.java
3  *
4  * Version: $Revision: 1.31 $
5  *
6  * Date: $Date: 2006/05/26 14:14:33 $
7  *
8  * Copyright (c) 2002-2005, Hewlett-Packard Company and Massachusetts
9  * Institute of Technology. All rights reserved.
10  *
11  * Redistribution and use in source and binary forms, with or without
12  * modification, are permitted provided that the following conditions are
13  * met:
14  *
15  * - Redistributions of source code must retain the above copyright
16  * notice, this list of conditions and the following disclaimer.
17  *
18  * - Redistributions in binary form must reproduce the above copyright
19  * notice, this list of conditions and the following disclaimer in the
20  * documentation and/or other materials provided with the distribution.
21  *
22  * - Neither the name of the Hewlett-Packard Company nor the name of the
23  * Massachusetts Institute of Technology nor the names of their
24  * contributors may be used to endorse or promote products derived from
25  * this software without specific prior written permission.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
28  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
29  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
30  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
31  * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
32  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
33  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
34  * OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
35  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
36  * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
37  * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
38  * DAMAGE.
39  */
40 package org.dspace.authorize;
41
42 import java.sql.SQLException JavaDoc;
43 import java.util.ArrayList JavaDoc;
44 import java.util.Iterator JavaDoc;
45 import java.util.List JavaDoc;
46
47 import org.dspace.content.DSpaceObject;
48 import org.dspace.core.Constants;
49 import org.dspace.core.Context;
50 import org.dspace.eperson.EPerson;
51 import org.dspace.eperson.Group;
52 import org.dspace.storage.rdbms.DatabaseManager;
53 import org.dspace.storage.rdbms.TableRow;
54 import org.dspace.storage.rdbms.TableRowIterator;
55
56 /**
57  * AuthorizeManager handles all authorization checks for DSpace. For better
58  * security, DSpace assumes that you do not have the right to do something
59  * unless that permission is spelled out somewhere. That "somewhere" is the
60  * ResourcePolicy table. The AuthorizeManager is given a user, an object, and an
61  * action, and it then does a lookup in the ResourcePolicy table to see if there
62  * are any policies giving the user permission to do that action.
63  * <p>
64  * ResourcePolicies now apply to single objects (such as submit (ADD) permission
65  * to a collection.)
66  * <p>
67  * Note: If an eperson is a member of the administrator group (id 1), then they
68  * are automatically given permission for all requests another special group is
69  * group 0, which is anonymous - all EPeople are members of group 0.
70  */
71 public class AuthorizeManager
72 {
73     /**
74      * Utility method, checks that the current user of the given context can
75      * perform all of the specified actions on the given object. An
76      * <code>AuthorizeException</code> if all the authorizations fail.
77      *
78      * @param c
79      * context with the current user
80      * @param o
81      * DSpace object user is attempting to perform action on
82      * @param actions
83      * array of action IDs from
84      * <code>org.dspace.core.Constants</code>
85      * @throws AuthorizeException
86      * if any one of the specified actions cannot be performed by
87      * the current user on the given object.
88      * @throws SQLException
89      * if there's a database problem
90      */
91     public static void authorizeAnyOf(Context c, DSpaceObject o, int[] actions)
92             throws AuthorizeException, SQLException JavaDoc
93     {
94         AuthorizeException ex = null;
95
96         for (int i = 0; i < actions.length; i++)
97         {
98             try
99             {
100                 authorizeAction(c, o, actions[i]);
101
102                 return;
103             }
104             catch (AuthorizeException e)
105             {
106                 if (ex == null)
107                 {
108                     ex = e;
109                 }
110             }
111         }
112
113         throw ex;
114     }
115
116     /**
117      * Checks that the context's current user can perform the given action on
118      * the given object. Throws an exception if the user is not authorized,
119      * otherwise the method call does nothing.
120      *
121      * @param c
122      * context
123      * @param o
124      * a DSpaceObject
125      * @param action
126      * action to perform from <code>org.dspace.core.Constants</code>
127      *
128      * @throws AuthorizeException
129      * if the user is denied
130      */
131     public static void authorizeAction(Context c, DSpaceObject o, int action)
132             throws AuthorizeException, SQLException JavaDoc
133     {
134         if (o == null)
135         {
136             // action can be -1 due to a null entry
137 String JavaDoc actionText;
138
139             if (action == -1)
140             {
141                 actionText = "null";
142             }
143             else
144             {
145                 actionText = Constants.actionText[action];
146             }
147
148             EPerson e = c.getCurrentUser();
149             int userid;
150
151             if (e == null)
152             {
153                 userid = 0;
154             }
155             else
156             {
157                 userid = e.getID();
158             }
159
160             throw new AuthorizeException(
161                     "Authorization attempted on null DSpace object "
162                             + actionText + " by user " + userid);
163         }
164
165         if (!authorize(c, o, action, c.getCurrentUser()))
166         {
167             // denied, assemble and throw exception
168 int otype = o.getType();
169             int oid = o.getID();
170             int userid;
171             EPerson e = c.getCurrentUser();
172
173             if (e == null)
174             {
175                 userid = 0;
176             }
177             else
178             {
179                 userid = e.getID();
180             }
181
182             // AuthorizeException j = new AuthorizeException("Denied");
183 // j.printStackTrace();
184 // action can be -1 due to a null entry
185 String JavaDoc actionText;
186
187             if (action == -1)
188             {
189                 actionText = "null";
190             }
191             else
192             {
193                 actionText = Constants.actionText[action];
194             }
195
196             throw new AuthorizeException("Authorization denied for action "
197                     + actionText + " on " + Constants.typeText[otype] + ":"
198                     + oid + " by user " + userid, o, action);
199         }
200     }
201
202     /**
203      * same authorize, returns boolean for those who don't want to deal with
204      * catching exceptions.
205      *
206      * @param c
207      * DSpace context, containing current user
208      * @param o
209      * DSpaceObject
210      * @param a
211      * action being attempted, from
212      * <code>org.dspace.core.Constants</code>
213      *
214      * @return <code>true</code> if the current user in the context is
215      * authorized to perform the given action on the given object
216      */
217     public static boolean authorizeActionBoolean(Context c, DSpaceObject o,
218             int a) throws SQLException JavaDoc
219     {
220         boolean isAuthorized = true;
221
222         if (o == null)
223         {
224             return false;
225         }
226
227         try
228         {
229             authorizeAction(c, o, a);
230         }
231         catch (AuthorizeException e)
232         {
233             isAuthorized = false;
234         }
235
236         return isAuthorized;
237     }
238
239     /**
240      * Check to see if the given user can perform the given action on the given
241      * object. Always returns true if the ignore authorization flat is set in
242      * the current context.
243      *
244      * @param c
245      * current context. User is irrelevant; "ignore authorization"
246      * flag is relevant
247      * @param o
248      * object action is being attempted on
249      * @param action
250      * ID of action being attempted, from
251      * <code>org.dspace.core.Constants</code>
252      * @param e
253      * user attempting action
254      * @return <code>true</code> if user is authorized to perform the given
255      * action, <code>false</code> otherwise
256      * @throws SQLException
257      */
258     private static boolean authorize(Context c, DSpaceObject o, int action,
259             EPerson e) throws SQLException JavaDoc
260     {
261         int userid;
262
263         // return FALSE if there is no DSpaceObject
264 if (o == null)
265         {
266             return false;
267         }
268
269         // is authorization disabled for this context?
270 if (c.ignoreAuthorization())
271         {
272             return true;
273         }
274
275         // is eperson set? if not, userid = 0 (anonymous)
276 if (e == null)
277         {
278             userid = 0;
279         }
280         else
281         {
282             userid = e.getID();
283
284             // perform isadmin check since user
285 // is user part of admin group?
286 if (isAdmin(c))
287             {
288                 return true;
289             }
290         }
291
292         List JavaDoc policies = getPoliciesActionFilter(c, o, action);
293         Iterator JavaDoc i = policies.iterator();
294
295         while (i.hasNext())
296         {
297             ResourcePolicy rp = (ResourcePolicy) i.next();
298
299             // check policies for date validity
300 if (rp.isDateValid())
301             {
302                 if ((rp.getEPersonID() != -1) && (rp.getEPersonID() == userid))
303                 {
304                     return true; // match
305 }
306
307                 if ((rp.getGroupID() != -1)
308                         && (Group.isMember(c, rp.getGroupID())))
309                 {
310                     // group was set, and eperson is a member
311 // of that group
312 return true;
313                 }
314             }
315         }
316
317         // default authorization is denial
318 return false;
319     }
320
321     ///////////////////////////////////////////////
322 // admin check methods
323 ///////////////////////////////////////////////
324
325     /**
326      * Check to see if the current user is an admin. Always return
327      * <code>true</code> if c.ignoreAuthorization is set. Anonymous users
328      * can't be Admins (EPerson set to NULL)
329      *
330      * @param c
331      * current context
332      *
333      * @return <code>true</code> if user is an admin or ignore authorization
334      * flag set
335      */
336     public static boolean isAdmin(Context c) throws SQLException JavaDoc
337     {
338         // if we're ignoring authorization, user is member of admin
339 if (c.ignoreAuthorization())
340         {
341             return true;
342         }
343
344         EPerson e = c.getCurrentUser();
345
346         if (e == null)
347         {
348             return false; // anonymous users can't be admins....
349 }
350         else
351         {
352             return Group.isMember(c, 1);
353         }
354     }
355
356     ///////////////////////////////////////////////
357 // policy manipulation methods
358 ///////////////////////////////////////////////
359
360     /**
361      * Add a policy for an individual eperson
362      *
363      * @param c
364      * context. Current user irrelevant
365      * @param o
366      * DSpaceObject to add policy to
367      * @param actionID
368      * ID of action from <code>org.dspace.core.Constants</code>
369      * @param e
370      * eperson who can perform the action
371      *
372      * @throws AuthorizeException
373      * if current user in context is not authorized to add policies
374      */
375     public static void addPolicy(Context c, DSpaceObject o, int actionID,
376             EPerson e) throws SQLException JavaDoc, AuthorizeException
377     {
378         ResourcePolicy rp = ResourcePolicy.create(c);
379
380         rp.setResource(o);
381         rp.setAction(actionID);
382         rp.setEPerson(e);
383
384         rp.update();
385     }
386
387     /**
388      * Add a policy for a group
389      *
390      * @param c
391      * current context
392      * @param o
393      * object to add policy for
394      * @param actionID
395      * ID of action from <code>org.dspace.core.Constants</code>
396      * @param g
397      * group to add policy for
398      * @throws SQLException
399      * if there's a database problem
400      * @throws AuthorizeException
401      * if the current user is not authorized to add this policy
402      */
403     public static void addPolicy(Context c, DSpaceObject o, int actionID,
404             Group g) throws SQLException JavaDoc, AuthorizeException
405     {
406         ResourcePolicy rp = ResourcePolicy.create(c);
407
408         rp.setResource(o);
409         rp.setAction(actionID);
410         rp.setGroup(g);
411
412         rp.update();
413     }
414
415     /**
416      * Return a List of the policies for an object
417      *
418      * @param c current context
419      * @param o object to retrieve policies for
420      *
421      * @return List of <code>ResourcePolicy</code> objects
422      */
423     public static List JavaDoc getPolicies(Context c, DSpaceObject o)
424             throws SQLException JavaDoc
425     {
426         TableRowIterator tri = DatabaseManager.queryTable(c, "resourcepolicy",
427                 "SELECT * FROM resourcepolicy WHERE resource_type_id= ? AND resource_id= ? ",
428                 o.getType(),o.getID());
429
430         List JavaDoc policies = new ArrayList JavaDoc();
431
432         while (tri.hasNext())
433         {
434             TableRow row = tri.next();
435
436             // first check the cache (FIXME: is this right?)
437 ResourcePolicy cachepolicy = (ResourcePolicy) c.fromCache(
438                     ResourcePolicy.class, row.getIntColumn("policy_id"));
439
440             if (cachepolicy != null)
441             {
442                 policies.add(cachepolicy);
443             }
444             else
445             {
446                 policies.add(new ResourcePolicy(c, row));
447             }
448         }
449         tri.close();
450
451         return policies;
452     }
453
454     /**
455      * Return a list of policies for an object that match the action
456      *
457      * @param c
458      * context
459      * @param o
460      * DSpaceObject policies relate to
461      * @param actionID
462      * action (defined in class Constants)
463      * @throws SQLException
464      * if there's a database problem
465      */
466     public static List JavaDoc getPoliciesActionFilter(Context c, DSpaceObject o,
467             int actionID) throws SQLException JavaDoc
468     {
469         TableRowIterator tri = DatabaseManager.queryTable(c, "resourcepolicy",
470                 "SELECT * FROM resourcepolicy WHERE resource_type_id= ? "+
471                 "AND resource_id= ? AND action_id= ? ",
472                 o.getType(), o.getID(),actionID);
473
474         List JavaDoc policies = new ArrayList JavaDoc();
475
476         while (tri.hasNext())
477         {
478             TableRow row = tri.next();
479
480             // first check the cache (FIXME: is this right?)
481 ResourcePolicy cachepolicy = (ResourcePolicy) c.fromCache(
482                     ResourcePolicy.class, row.getIntColumn("policy_id"));
483
484             if (cachepolicy != null)
485             {
486                 policies.add(cachepolicy);
487             }
488             else
489             {
490                 policies.add(new ResourcePolicy(c, row));
491             }
492         }
493         tri.close();
494
495         return policies;
496     }
497
498     /**
499      * Add policies to an object to match those from a previous object
500      *
501      * @param c context
502      * @param src
503      * source of policies
504      * @param dest
505      * destination of inherited policies
506      * @throws SQLException
507      * if there's a database problem
508      * @throws AuthorizeException
509      * if the current user is not authorized to add these policies
510      */
511     public static void inheritPolicies(Context c, DSpaceObject src,
512             DSpaceObject dest) throws SQLException JavaDoc, AuthorizeException
513     {
514         // find all policies for the source object
515 List JavaDoc policies = getPolicies(c, src);
516
517         addPolicies(c, policies, dest);
518     }
519
520     /**
521      * Copies policies from a list of resource policies to a given DSpaceObject
522      *
523      * @param c
524      * DSpace context
525      * @param policies
526      * List of ResourcePolicy objects
527      * @param dest
528      * object to have policies added
529      * @throws SQLException
530      * if there's a database problem
531      * @throws AuthorizeException
532      * if the current user is not authorized to add these policies
533      */
534     public static void addPolicies(Context c, List JavaDoc policies, DSpaceObject dest)
535             throws SQLException JavaDoc, AuthorizeException
536     {
537         Iterator JavaDoc i = policies.iterator();
538
539         // now add them to the destination object
540 while (i.hasNext())
541         {
542             ResourcePolicy srp = (ResourcePolicy) i.next();
543
544             ResourcePolicy drp = ResourcePolicy.create(c);
545
546             // copy over values
547 drp.setResource(dest);
548             drp.setAction(srp.getAction());
549             drp.setEPerson(srp.getEPerson());
550             drp.setGroup(srp.getGroup());
551             drp.setStartDate(srp.getStartDate());
552             drp.setEndDate(srp.getEndDate());
553
554             // and write out new policy
555 drp.update();
556         }
557     }
558
559     /**
560      * removes ALL policies for an object. FIXME doesn't check authorization
561      *
562      * @param c
563      * DSpace context
564      * @param o
565      * object to remove policies for
566      * @throws SQLException
567      * if there's a database problem
568      */
569     public static void removeAllPolicies(Context c, DSpaceObject o)
570             throws SQLException JavaDoc
571     {
572         // FIXME: authorization check?
573 DatabaseManager.updateQuery(c, "DELETE FROM resourcepolicy WHERE "
574                  + "resource_type_id= ? AND resource_id= ? ",
575                  o.getType(), o.getID());
576     }
577
578     /**
579      * Remove all policies from an object that match a given action. FIXME
580      * doesn't check authorization
581      *
582      * @param context
583      * current context
584      * @param dso
585      * object to remove policies from
586      * @param actionID
587      * ID of action to match from
588      * <code>org.dspace.core.Constants</code>, or -1=all
589      * @throws SQLException
590      * if there's a database problem
591      */
592     public static void removePoliciesActionFilter(Context context,
593             DSpaceObject dso, int actionID) throws SQLException JavaDoc
594     {
595         if (actionID == -1)
596         {
597             // remove all policies from object
598 removeAllPolicies(context, dso);
599         }
600         else
601         {
602             DatabaseManager.updateQuery(context,
603                     "DELETE FROM resourcepolicy WHERE resource_type_id= ? AND "+
604                     "resource_id= ? AND action_id= ? ",
605                     dso.getType(), dso.getID(), actionID);
606         }
607     }
608
609     /**
610      * Removes all policies relating to a particular group. FIXME doesn't check
611      * authorization
612      *
613      * @param c
614      * current context
615      * @param groupID
616      * ID of the group
617      * @throws SQLException
618      * if there's a database problem
619      */
620     public static void removeGroupPolicies(Context c, int groupID)
621             throws SQLException JavaDoc
622     {
623         DatabaseManager.updateQuery(c, "DELETE FROM resourcepolicy WHERE "
624                 + "epersongroup_id= ? ", groupID);
625     }
626
627     /**
628      * Removes all policies from a group for a particular object that belong to
629      * a Group. FIXME doesn't check authorization
630      *
631      * @param c
632      * current context
633      * @param o
634      * the object
635      * @param g
636      * the group
637      * @throws SQLException
638      * if there's a database problem
639      */
640     public static void removeGroupPolicies(Context c, DSpaceObject o, Group g)
641             throws SQLException JavaDoc
642     {
643         DatabaseManager.updateQuery(c, "DELETE FROM resourcepolicy WHERE "
644                 + "resource_type_id= ? AND resource_id= ? AND epersongroup_id= ? ",
645                 o.getType(), o.getID(), g.getID());
646     }
647
648     /**
649      * Returns all groups authorized to perform an action on an object. Returns
650      * empty array if no matches.
651      *
652      * @param c
653      * current context
654      * @param o
655      * object
656      * @param actionID
657      * ID of action frm <code>org.dspace.core.Constants</code>
658      * @return array of <code>Group</code>s that can perform the specified
659      * action on the specified object
660      * @throws java.sql.SQLException
661      * if there's a database problem
662      */
663     public static Group[] getAuthorizedGroups(Context c, DSpaceObject o,
664             int actionID) throws java.sql.SQLException JavaDoc
665     {
666         // do query matching groups, actions, and objects
667 TableRowIterator tri = DatabaseManager.queryTable(c, "resourcepolicy",
668                 "SELECT * FROM resourcepolicy WHERE resource_type_id= ? "+
669                 "AND resource_id= ? AND action_id= ? ",o.getType(),o.getID(),actionID);
670         
671         List JavaDoc groups = new ArrayList JavaDoc();
672
673         while (tri.hasNext())
674         {
675             TableRow row = tri.next();
676
677             // first check the cache (FIXME: is this right?)
678 ResourcePolicy cachepolicy = (ResourcePolicy) c.fromCache(
679                     ResourcePolicy.class, row.getIntColumn("policy_id"));
680
681             ResourcePolicy myPolicy = null;
682
683             if (cachepolicy != null)
684             {
685                 myPolicy = cachepolicy;
686             }
687             else
688             {
689                 myPolicy = new ResourcePolicy(c, row);
690             }
691
692             // now do we have a group?
693 Group myGroup = myPolicy.getGroup();
694
695             if (myGroup != null)
696             {
697                 groups.add(myGroup);
698             }
699         }
700         tri.close();
701
702         Group[] groupArray = new Group[groups.size()];
703         groupArray = (Group[]) groups.toArray(groupArray);
704
705         return groupArray;
706     }
707 }
708
Popular Tags