From c673b0fb1024e19bff85c1dc9d92f33020b88dbb Mon Sep 17 00:00:00 2001
From: Sebastian Sdorra
Date: Thu, 8 Dec 2016 07:56:40 +0100
Subject: [PATCH] replace admin role check from SecurityUtil with permission checks
---
 .../sonia/scm/plugin/PluginInformation.java | 13 ++-
 .../java/sonia/scm/util/SecurityUtil.java | 79 -------------------
 .../scm/plugin/DefaultPluginManager.java | 23 +++---
 3 files changed, 23 insertions(+), 92 deletions(-)
 delete mode 100644 scm-core/src/main/java/sonia/scm/util/SecurityUtil.java
diff --git a/scm-core/src/main/java/sonia/scm/plugin/PluginInformation.java b/scm-core/src/main/java/sonia/scm/plugin/PluginInformation.java
index 2d0507b2df..1cf23fd3d9 100644
--- a/scm-core/src/main/java/sonia/scm/plugin/PluginInformation.java
+++ b/scm-core/src/main/java/sonia/scm/plugin/PluginInformation.java
@@ -35,6 +35,9 @@ package sonia.scm.plugin;
 //~--- non-JDK imports --------------------------------------------------------
+import com.github.sdorra.ssp.PermissionObject;
+import com.github.sdorra.ssp.StaticPermissions;
+
 import com.google.common.base.Objects;
 import sonia.scm.Validateable;
@@ -57,9 +60,16 @@ import javax.xml.bind.annotation.XmlRootElement;
 *
 * @author Sebastian Sdorra
 */
+@StaticPermissions(
+ value = "plugin",
+ generatedClass = "PluginPermissions",
+ permissions = {},
+ globalPermissions = { "read", "manage" }
+)
 @XmlAccessorType(XmlAccessType.FIELD)
 @XmlRootElement(name = "plugin-information")
-public class PluginInformation implements Validateable, Cloneable, Serializable
+public class PluginInformation
+ implements PermissionObject, Validateable, Cloneable, Serializable
 {
 /** Field description */
@@ -262,6 +272,7 @@ public class PluginInformation implements Validateable, Cloneable, Serializable
 *
 * @return
 */
+ @Override
 public String getId()
 {
 return getId(true);
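Review bot: The new `@StaticPermissions` annotation on PluginInformation introduces the global permissions `plugin:read` and `plugin:manage` without any comment saying what each one gates, and `permissions = {}` leaves the reader guessing whether the absence of per-plugin permissions is intentional. A short Javadoc above the annotation would settle both, e.g. `/** Global permissions only: "read" gates listing and viewing plugin information, "manage" gates install, update and uninstall; no per-plugin permissions are generated (permissions = {}). */` — that split matches how DefaultPluginManager calls `PluginPermissions.read()` and `manage()` in this patch. The `@Override` added on `getId()` is fine, but its Javadoc still carries an empty `@return`; since the value is now the permission-object id, `@return the plugin id, also used as the permission object id` would document the method's new role.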
diff --git a/scm-core/src/main/java/sonia/scm/util/SecurityUtil.java b/scm-core/src/main/java/sonia/scm/util/SecurityUtil.java
deleted file mode 100644
index d6bb8984b7..0000000000
--- a/scm-core/src/main/java/sonia/scm/util/SecurityUtil.java
+++ /dev/null
@@ -1,79 +0,0 @@
-/**
- * Copyright (c) 2010, Sebastian Sdorra
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * 1. Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- * 3. Neither the name of SCM-Manager; nor the names of its
- * contributors may be used to endorse or promote products derived from this
- * software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
- * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * http://bitbucket.org/sdorra/scm-manager
- *
- */
-
-
-
-package sonia.scm.util;
-
-//~--- non-JDK imports --------------------------------------------------------
-
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.subject.Subject;
-
-import sonia.scm.security.Role;
-import sonia.scm.security.ScmSecurityException;
-
-/**
- *
- * @author Sebastian Sdorra
- */
-public final class SecurityUtil
-{
-
- /**
- * Constructs ...
- *
- */
- private SecurityUtil() {}
-
- //~--- methods --------------------------------------------------------------
-
- /**
- * This method is only present for compatibility reasons.
- * Use {@link Subject#checkRole(java.lang.String)} with {
- * @link Role#ADMIN} instead.
- *
- * @since 1.21
- */
- public static void assertIsAdmin()
- {
- Subject subject = SecurityUtils.getSubject();
-
- if (!subject.hasRole(Role.USER))
- {
- throw new ScmSecurityException("user is not authenticated");
- }
- else if (!subject.hasRole(Role.ADMIN))
- {
- throw new ScmSecurityException("admin account is required");
- }
- }
-}
diff --git a/scm-webapp/src/main/java/sonia/scm/plugin/DefaultPluginManager.java b/scm-webapp/src/main/java/sonia/scm/plugin/DefaultPluginManager.java
index 4041910359..3771005ca7 100644
--- a/scm-webapp/src/main/java/sonia/scm/plugin/DefaultPluginManager.java
+++ b/scm-webapp/src/main/java/sonia/scm/plugin/DefaultPluginManager.java
@@ -56,7 +56,6 @@ import sonia.scm.io.ZipUnArchiver;
 import sonia.scm.net.HttpClient;
 import sonia.scm.util.AssertUtil;
 import sonia.scm.util.IOUtil;
-import sonia.scm.util.SecurityUtil;
 import sonia.scm.util.SystemUtil;
 import sonia.scm.util.Util;
 import sonia.scm.version.Version;
@@ -191,8 +190,8 @@ public class DefaultPluginManager implements PluginManager
 @Override
 public void install(String id)
 {
- SecurityUtil.assertIsAdmin();
-
+ PluginPermissions.manage().check();
+
 PluginCenter center = getPluginCenter();
 // pluginHandler.install(id);
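Review bot: In `install`, `PluginPermissions.manage().check()` replaces a helper that threw `ScmSecurityException` with two distinct messages, one for an unauthenticated subject and one for a non-admin; the generated `check()` is not part of this patch, but if it throws Shiro's `AuthorizationException` as the ssp library usually does, any caller or exception mapper that catches `ScmSecurityException` around the plugin manager no longer matches, and telling the unauthenticated case apart from the forbidden case now depends on Shiro's `UnauthenticatedException` being mapped separately at the REST layer. Worth confirming that the error mapping still yields the intended 401-vs-403 behaviour, and recording the new exception type in the `@throws` clauses of the PluginManager interface methods, e.g. `@throws AuthorizationException if the current subject lacks the plugin:manage permission`. The same observation applies to the remaining DefaultPluginManager hunks (installPackage, uninstall, update, get, getAll, getAvailable, getAvailableUpdates, getInstalled).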
@@ -226,7 +225,7 @@ public class DefaultPluginManager implements PluginManager
 @Override
 public void installPackage(InputStream packageStream) throws IOException
 {
- SecurityUtil.assertIsAdmin();
+ PluginPermissions.manage().check();
 File tempDirectory = Files.createTempDir();
@@ -274,7 +273,7 @@ public class DefaultPluginManager implements PluginManager
 @Override
 public void uninstall(String id)
 {
- SecurityUtil.assertIsAdmin();
+ PluginPermissions.manage().check();
 Plugin plugin = installedPlugins.get(id);
@@ -320,7 +319,7 @@ public class DefaultPluginManager implements PluginManager
 @Override
 public void update(String id)
 {
- SecurityUtil.assertIsAdmin();
+ PluginPermissions.manage().check();
 String[] idParts = id.split(":");
 String groupId = idParts[0];
@@ -364,7 +363,7 @@ public class DefaultPluginManager implements PluginManager
 @Override
 public PluginInformation get(String id)
 {
- SecurityUtil.assertIsAdmin();
+ PluginPermissions.read().check();
 PluginInformation result = null;
@@ -393,7 +392,7 @@ public class DefaultPluginManager implements PluginManager
 public Set get(Predicate predicate)
 {
 AssertUtil.assertIsNotNull(predicate);
- SecurityUtil.assertIsAdmin();
+ PluginPermissions.read().check();
 Set infoSet = new HashSet<>();
@@ -412,7 +411,7 @@ public class DefaultPluginManager implements PluginManager
 @Override
 public Collection getAll()
 {
- SecurityUtil.assertIsAdmin();
+ PluginPermissions.read().check();
 Set infoSet = getInstalled();
@@ -430,7 +429,7 @@ public class DefaultPluginManager implements PluginManager
 @Override
 public Collection getAvailable()
 {
- SecurityUtil.assertIsAdmin();
+ PluginPermissions.read().check();
 Set availablePlugins = new HashSet<>();
 Set centerPlugins = getPluginCenter().getPlugins();
@@ -455,7 +454,7 @@ public class DefaultPluginManager implements PluginManager
 @Override
 public Set getAvailableUpdates()
 {
- SecurityUtil.assertIsAdmin();
+ PluginPermissions.read().check();
 return get(FILTER_UPDATES);
 }
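Review bot: The read-side hunks (`get(String id)`, `get(Predicate)`, `getAll`, `getAvailable`, `getAvailableUpdates`) lower the requirement from the admin role to `plugin:read`, so every subject granted that permission can now enumerate installed and available plugins including their versions; this looks intentional, but it is an access-control change rather than the plain replacement the commit message describes. Worth confirming where `plugin:read` is granted by default (roles, default permission sets) so that installed-plugin inventory is not exposed to subjects who could not see it before, and stating the requirement in the Javadoc of these methods, e.g. `@throws AuthorizationException if the current subject lacks the plugin:read permission` (exception type to be confirmed against the generated class). A smaller point of style: `getAvailableUpdates()` checks `read` and then calls `get(FILTER_UPDATES)`, which checks it again; the outer check could be dropped or a comment could note that the double check is deliberate.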
@@ -469,7 +468,7 @@ public class DefaultPluginManager implements PluginManager
 @Override
 public Set getInstalled()
 {
- SecurityUtil.assertIsAdmin();
+ PluginPermissions.read().check();
 Set infoSet = new LinkedHashSet<>();