Nemcio/SCM-Manager
1
0
Fork 0
mirror of https://github.com/scm-manager/scm-manager.git synced 2026-02-03 21:29:18 +01:00
Code Issues Packages Projects Releases Activity

start implementation of repository permissions

Browse Source
This commit is contained in:
Sebastian Sdorra
2015-07-09 20:29:07 +02:00
parent 480a188763
commit 6dd765e3be
22 changed files with 730 additions and 701 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
scm-core/src/main/java/sonia/scm/ScmStateFactory.java
View File

@@ -34,9 +34,7 @@ package sonia.scm;
//~--- non-JDK imports --------------------------------------------------------
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableList.Builder;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;
@@ -47,7 +45,6 @@ import sonia.scm.security.AuthorizationCollector;
import sonia.scm.security.PermissionDescriptor;
import sonia.scm.security.Role;
import sonia.scm.security.SecuritySystem;
import sonia.scm.security.StringablePermission;
import sonia.scm.user.User;
import sonia.scm.user.UserManager;
@@ -144,19 +141,11 @@ public final class ScmStateFactory
ap = securitySystem.getAvailablePermissions();
}
Builder<String> builder = ImmutableList.builder();
List<String> permissions =
ImmutableList.copyOf(
authorizationCollector.collect().getStringPermissions());
for (Permission p : authorizationCollector.collect().getObjectPermissions())
{
if (p instanceof StringablePermission)
{
builder.add(((StringablePermission) p).getAsString());
}
}
return createState(user, groups.getCollection(), token, builder.build(),
ap);
return createState(user, groups.getCollection(), token, permissions, ap);
}
private ScmState createState(User user, Collection<String> groups,
@@ -164,8 +153,10 @@ public final class ScmStateFactory
List<PermissionDescriptor> availablePermissions)
{
User u = user.clone();
// do not return password on authentication
u.setPassword(null);
return new ScmState(contextProvider.getVersion(), u, groups, token,
repositoryManger.getConfiguredTypes(), userManager.getDefaultType(),
new ScmClientConfig(configuration), assignedPermissions,

31
scm-core/src/main/java/sonia/scm/repository/PermissionType.java
View File

@@ -34,7 +34,7 @@
package sonia.scm.repository;
/**
* Type of permission for a {@link Repository}.
* Type of permissionPrefix for a {@link Repository}.
*
* @author Sebastian Sdorra
*/
@@ -42,30 +42,42 @@ public enum PermissionType
{
/** read permision */
READ(0),
READ(0, "repository:read:"),
/** read and write permission */
WRITE(10),
/** read and write permissionPrefix */
WRITE(10, "repository:read,write:"),
/**
* read, write and
* also the ability to manage the properties and permissions
*/
OWNER(100);
OWNER(100, "repository:*:");
/**
* Constructs a new permission type
* Constructs a new permissionPrefix type
*
*
* @param value
*/
private PermissionType(int value)
private PermissionType(int value, String permissionPrefix)
{
this.value = value;
this.permissionPrefix = permissionPrefix;
}
//~--- get methods ----------------------------------------------------------
/**
*
* @return
*
* @since 2.0.0
*/
public String getPermissionPrefix()
{
return permissionPrefix;
}
/**
* Returns the integer representation of the {@link PermissionType}
*
@@ -80,5 +92,8 @@ public enum PermissionType
//~--- fields ---------------------------------------------------------------
/** Field description */
private int value;
private final String permissionPrefix;
/** Field description */
private final int value;
}

151
scm-core/src/main/java/sonia/scm/repository/PermissionUtil.java
View File

@@ -1,151 +0,0 @@
/**
* Copyright (c) 2010, Sebastian Sdorra
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. Neither the name of SCM-Manager; nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.repository;
//~--- non-JDK imports --------------------------------------------------------
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sonia.scm.config.ScmConfiguration;
import sonia.scm.security.RepositoryPermission;
import sonia.scm.security.Role;
import sonia.scm.util.AssertUtil;
/**
*
* @author Sebastian Sdorra
*/
public final class PermissionUtil
{
/**
* the logger for PermissionUtil
*/
private static final Logger logger =
LoggerFactory.getLogger(PermissionUtil.class);
//~--- constructors ---------------------------------------------------------
/**
* Constructs ...
*
*/
private PermissionUtil() {}
//~--- methods --------------------------------------------------------------
/**
* Method description
*
*
* @param configuration
* @param repository
* @param pt
*
* @return
*
* @since 1.21
*/
public static boolean hasPermission(ScmConfiguration configuration,
Repository repository, PermissionType pt)
{
boolean result;
Subject subject = SecurityUtils.getSubject();
if (subject.isAuthenticated() || subject.isRemembered())
{
String username = subject.getPrincipal().toString();
AssertUtil.assertIsNotEmpty(username);
if (subject.hasRole(Role.ADMIN)
|| ((pt == PermissionType.READ) && repository.isPublicReadable()))
{
result = true;
}
else
{
result = subject.isPermitted(new RepositoryPermission(repository, pt));
}
}
else
{
// check anonymous access
result = (configuration != null)
&& configuration.isAnonymousAccessEnabled()
&& repository.isPublicReadable() && (pt == PermissionType.READ);
}
return result;
}
/**
* Returns true if the repository is writable.
*
*
* @param configuration SCM-Manager main configuration
* @param repository repository to check
*
* @return true if the repository is writable
* @since 1.21
*/
public static boolean isWritable(ScmConfiguration configuration,
Repository repository)
{
boolean permitted = false;
if (configuration.isEnableRepositoryArchive() && repository.isArchived())
{
if (logger.isWarnEnabled())
{
logger.warn("{} is archived and is not writeable",
repository.getName());
}
}
else
{
permitted = PermissionUtil.hasPermission(configuration, repository,
PermissionType.WRITE);
}
return permitted;
}
}

285
scm-core/src/main/java/sonia/scm/repository/RepositoryPermissions.java Normal file
View File

@@ -0,0 +1,285 @@
/**
* Copyright (c) 2014, Sebastian Sdorra All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. 2. Redistributions in
* binary form must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution. 3. Neither the name of SCM-Manager;
* nor the names of its contributors may be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.repository;
//~--- non-JDK imports --------------------------------------------------------
import sonia.scm.security.PermissionActionCheck;
import sonia.scm.security.PermissionCheck;
/**
*
* @author Sebastian Sdorra
* @since 2.0.0
*/
public final class RepositoryPermissions
{
/** Field description */
public static final String ACTION_CREATE = "create";
/** Field description */
public static final String ACTION_DELETE = "delete";
/** Field description */
public static final String ACTION_MODIFY = "modify";
/** Field description */
public static final String ACTION_HC = "hc,".concat(ACTION_MODIFY);
/** Field description */
public static final String ACTION_READ = "read";
/** Field description */
public static final String ACTION_WRITE = "write";
/** Field description */
public static final String SEPERATOR = ":";
public static final String SEPERATOR_ACTION = ",";
/** Field description */
public static final String TYPE = "repository";
//~--- constructors ---------------------------------------------------------
private RepositoryPermissions() {}
//~--- methods --------------------------------------------------------------
/**
* Method description
*
*
* @return
*/
public static PermissionCheck create()
{
return check(ACTION_CREATE);
}
/**
* Method description
*
*
* @param r
*
* @return
*/
public static PermissionCheck delete(Repository r)
{
return delete(r.getId());
}
/**
* Method description
*
*
* @param id
*
* @return
*/
public static PermissionCheck delete(String id)
{
return check(ACTION_DELETE.concat(SEPERATOR).concat(id));
}
/**
* Method description
*
*
* @return
*/
public static PermissionActionCheck<Repository> delete()
{
return actionCheck(ACTION_DELETE);
}
/**
* Method description
*
*
* @param id
*
* @return
*/
public static PermissionCheck healthCheck(String id)
{
return check(ACTION_HC.concat(SEPERATOR).concat(id));
}
/**
* Method description
*
*
* @return
*/
public static PermissionActionCheck<Repository> healthCheck()
{
return new PermissionActionCheck<>(
TYPE.concat(SEPERATOR).concat(ACTION_HC));
}
/**
* Method description
*
*
* @param r
*
* @return
*/
public static PermissionCheck healthCheck(Repository r)
{
return healthCheck(r.getId());
}
/**
* Method description
*
*
* @param r
*
* @return
*/
public static PermissionCheck modify(Repository r)
{
return modify(r.getId());
}
/**
* Method description
*
*
* @param id
*
* @return
*/
public static PermissionCheck modify(String id)
{
return check(ACTION_MODIFY.concat(SEPERATOR).concat(id));
}
/**
* Method description
*
*
* @return
*/
public static PermissionActionCheck<Repository> modify()
{
return actionCheck(ACTION_MODIFY);
}
/**
* Method description
*
*
* @param id
*
* @return
*/
public static PermissionCheck read(String id)
{
return check(ACTION_READ.concat(SEPERATOR).concat(id));
}
/**
* Method description
*
*
* @param r
*
* @return
*/
public static PermissionCheck read(Repository r)
{
return read(r.getId());
}
/**
* Method description
*
*
* @return
*/
public static PermissionActionCheck<Repository> read()
{
return actionCheck(ACTION_READ);
}
/**
* Method description
*
*
* @param id
*
* @return
*/
public static PermissionCheck write(String id)
{
return check(ACTION_WRITE.concat(SEPERATOR).concat(id));
}
/**
* Method description
*
*
* @param r
*
* @return
*/
public static PermissionCheck write(Repository r)
{
return write(r.getId());
}
/**
* Method description
*
*
* @return
*/
public static PermissionActionCheck<Repository> write()
{
return actionCheck(ACTION_WRITE);
}
private static PermissionActionCheck<Repository> actionCheck(String action)
{
return new PermissionActionCheck<>(TYPE.concat(SEPERATOR).concat(action));
}
private static PermissionCheck check(String permission)
{
return new PermissionCheck(TYPE.concat(SEPERATOR).concat(permission));
}
}

12
scm-core/src/main/java/sonia/scm/repository/api/RepositoryServiceFactory.java
View File

@@ -55,8 +55,6 @@ import sonia.scm.repository.BlameResult;
import sonia.scm.repository.Branches;
import sonia.scm.repository.BrowserResult;
import sonia.scm.repository.ChangesetPagingResult;
import sonia.scm.repository.PermissionType;
import sonia.scm.repository.PermissionUtil;
import sonia.scm.repository.PostReceiveRepositoryHookEvent;
import sonia.scm.repository.PreProcessorUtil;
import sonia.scm.repository.Repository;
@@ -64,6 +62,7 @@ import sonia.scm.repository.RepositoryCacheKeyPredicate;
import sonia.scm.repository.RepositoryEvent;
import sonia.scm.repository.RepositoryManager;
import sonia.scm.repository.RepositoryNotFoundException;
import sonia.scm.repository.RepositoryPermissions;
import sonia.scm.repository.Tags;
import sonia.scm.repository.spi.RepositoryServiceProvider;
import sonia.scm.repository.spi.RepositoryServiceResolver;
@@ -251,11 +250,7 @@ public final class RepositoryServiceFactory
Preconditions.checkNotNull(repository, "repository is required");
// check for read permissions of current user
if (!PermissionUtil.hasPermission(configuration, repository,
PermissionType.READ))
{
throw new ScmSecurityException("read permission are required");
}
RepositoryPermissions.read(repository);
RepositoryService service = null;
@@ -311,7 +306,8 @@ public final class RepositoryServiceFactory
this.browseCache = cacheManager.getCache(BrowseCommandBuilder.CACHE_NAME);
this.logCache = cacheManager.getCache(LogCommandBuilder.CACHE_NAME);
this.tagsCache = cacheManager.getCache(TagsCommandBuilder.CACHE_NAME);
this.branchesCache =cacheManager.getCache(BranchesCommandBuilder.CACHE_NAME);
this.branchesCache =
cacheManager.getCache(BranchesCommandBuilder.CACHE_NAME);
}
//~--- methods ------------------------------------------------------------

121
scm-core/src/main/java/sonia/scm/security/PermissionActionCheck.java Normal file
View File

@@ -0,0 +1,121 @@
/**
* Copyright (c) 2014, Sebastian Sdorra All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. 2. Redistributions in
* binary form must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution. 3. Neither the name of SCM-Manager;
* nor the names of its contributors may be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.security;
//~--- non-JDK imports --------------------------------------------------------
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import sonia.scm.ModelObject;
/**
*
* @author Sebastian Sdorra
* @param <T>
*
* @since 2.0.0
*/
public final class PermissionActionCheck<T extends ModelObject>
{
/**
* Constructs ...
*
* @param typedAction
*/
public PermissionActionCheck(String typedAction)
{
this.prefix = typedAction.concat(":");
this.subject = SecurityUtils.getSubject();
}
//~--- methods --------------------------------------------------------------
/**
* Method description
*
*
* @param id
*/
public void check(String id)
{
subject.checkPermission(prefix.concat(id));
}
/**
* Method description
*
*
* @param item
*/
public void check(T item)
{
subject.checkPermission(prefix.concat(item.getId()));
}
//~--- get methods ----------------------------------------------------------
/**
* Method description
*
*
* @param id
*
* @return
*/
public boolean isPermitted(String id)
{
return subject.isPermitted(prefix.concat(id));
}
/**
* Method description
*
*
* @param item
*
* @return
*/
public boolean isPermitted(T item)
{
return subject.isPermitted(prefix.concat(item.getId()));
}
//~--- fields ---------------------------------------------------------------
/** Field description */
private final String prefix;
/** Field description */
private final Subject subject;
}

85
scm-core/src/main/java/sonia/scm/security/PermissionCheck.java Normal file
View File

@@ -0,0 +1,85 @@
/**
* Copyright (c) 2014, Sebastian Sdorra All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. 2. Redistributions in
* binary form must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution. 3. Neither the name of SCM-Manager;
* nor the names of its contributors may be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.security;
//~--- non-JDK imports --------------------------------------------------------
import org.apache.shiro.SecurityUtils;
/**
*
* @author Sebastian Sdorra
* @since 2.0.0
*/
public final class PermissionCheck
{
/**
* Constructs ...
*
*
* @param permission
*/
public PermissionCheck(String permission)
{
this.permission = permission;
}
//~--- methods --------------------------------------------------------------
/**
* Method description
*
*/
public void check()
{
SecurityUtils.getSubject().checkPermission(permission);
}
//~--- get methods ----------------------------------------------------------
/**
* Method description
*
*
* @return
*/
public boolean isPermitted()
{
return SecurityUtils.getSubject().isPermitted(permission);
}
//~--- fields ---------------------------------------------------------------
/** Field description */
private final String permission;
}

11
scm-core/src/main/java/sonia/scm/web/filter/PermissionFilter.java
View File

@@ -46,9 +46,8 @@ import org.slf4j.LoggerFactory;
import sonia.scm.ArgumentIsInvalidException;
import sonia.scm.SCMContext;
import sonia.scm.config.ScmConfiguration;
import sonia.scm.repository.PermissionType;
import sonia.scm.repository.PermissionUtil;
import sonia.scm.repository.Repository;
import sonia.scm.repository.RepositoryPermissions;
import sonia.scm.security.Role;
import sonia.scm.security.ScmSecurityException;
import sonia.scm.util.HttpUtil;
@@ -64,6 +63,7 @@ import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.authz.AuthorizationException;
/**
* Abstract http filter to check repository permissions.
@@ -191,7 +191,7 @@ public abstract class PermissionFilter extends HttpFilter
response.sendRedirect(getRepositoryRootHelpUrl(request));
}
catch (ScmSecurityException ex)
catch (ScmSecurityException | AuthorizationException ex)
{
if (logger.isWarnEnabled())
{
@@ -353,12 +353,11 @@ public abstract class PermissionFilter extends HttpFilter
if (writeRequest)
{
permitted = PermissionUtil.isWritable(configuration, repository);
permitted = RepositoryPermissions.write(repository).isPermitted();
}
else
{
permitted = PermissionUtil.hasPermission(configuration, repository,
PermissionType.READ);
permitted = RepositoryPermissions.read(repository).isPermitted();
}
return permitted;

12
scm-core/src/main/java/sonia/scm/web/filter/ProviderPermissionFilter.java
View File

@@ -38,6 +38,8 @@ package sonia.scm.web.filter;
import com.google.common.base.Throwables;
import com.google.inject.ProvisionException;
import org.apache.shiro.authz.AuthorizationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -101,13 +103,9 @@ public abstract class ProviderPermissionFilter extends PermissionFilter
}
catch (ProvisionException ex)
{
Throwables.propagateIfInstanceOf(ex.getCause(),
IllegalStateException.class);
if (logger.isErrorEnabled())
{
logger.error("could not get repository from request", ex);
}
Throwables.propagateIfPossible(ex.getCause(),
IllegalStateException.class, AuthorizationException.class);
logger.error("could not get repository from request", ex);
}
return repository;