1 package org.apache.maven.continuum.xmlrpc.server;
2
3 /*
4 * Licensed to the Apache Software Foundation (ASF) under one
5 * or more contributor license agreements. See the NOTICE file
6 * distributed with this work for additional information
7 * regarding copyright ownership. The ASF licenses this file
8 * to you under the Apache License, Version 2.0 (the
9 * "License"); you may not use this file except in compliance
10 * with the License. You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17 * KIND, either express or implied. See the License for the
18 * specific language governing permissions and limitations
19 * under the License.
20 */
21
22 import org.apache.maven.continuum.ContinuumException;
23 import org.apache.maven.continuum.security.ContinuumRoleConstants;
24 import org.apache.maven.continuum.xmlrpc.ContinuumService;
25 import org.codehaus.plexus.redback.authorization.AuthorizationException;
26 import org.codehaus.plexus.redback.system.SecuritySession;
27 import org.codehaus.plexus.redback.system.SecuritySystem;
28 import org.codehaus.plexus.util.StringUtils;
29
30 /**
31 * @author <a href="mailto:evenisse@apache.org">Emmanuel Venisse</a>
32 * @version $Id: AbstractContinuumSecureService.java 1372260 2012-08-13 04:29:09Z brett $
33 */
34 public abstract class AbstractContinuumSecureService
35 implements ContinuumService, ContinuumXmlRpcComponent
36 {
37 /**
38 * @plexus.requirement role-hint="default"
39 */
40 private SecuritySystem securitySystem;
41
42 private ContinuumXmlRpcConfig config;
43
44 public void setConfig( ContinuumXmlRpcConfig config )
45 {
46 this.config = config;
47 }
48
49 public SecuritySystem getSecuritySystem()
50 {
51 return securitySystem;
52 }
53
54 public SecuritySession getSecuritySession()
55 {
56 return config.getSecuritySession();
57 }
58
59 /**
60 * Check if the current user is already authenticated
61 *
62 * @return true if the user is authenticated
63 */
64 public boolean isAuthenticated()
65 {
66 return !( getSecuritySession() == null || !getSecuritySession().isAuthenticated() );
67
68 }
69
70 /**
71 * Check if the current user is authorized to do the action
72 *
73 * @param role the role
74 * @throws ContinuumException if the user isn't authorized
75 */
76 protected void checkAuthorization( String role )
77 throws ContinuumException
78 {
79 checkAuthorization( role, null, false );
80 }
81
82 /**
83 * Check if the current user is authorized to do the action
84 *
85 * @param role the role
86 * @param resource the operation resource
87 * @throws ContinuumException if the user isn't authorized
88 */
89 protected void checkAuthorization( String role, String resource )
90 throws ContinuumException
91 {
92 checkAuthorization( role, resource, true );
93 }
94
95 /**
96 * Verify if the current user is authorized to do the action
97 *
98 * @param role the role
99 * @param resource the operation resource
100 * @return true if the user is authorized
101 * @throws AuthorizationException if the authorizing request generate an error
102 */
103 protected boolean isAuthorized( String role, String resource )
104 throws AuthorizationException
105 {
106 return isAuthorized( role, resource, true );
107 }
108
109 /**
110 * Verify if the current user is authorized to do the action
111 *
112 * @param role the role
113 * @param resource the operation resource
114 * @param requiredResource true if resource can't be null
115 * @return true if the user is authorized
116 * @throws AuthorizationException if the authorizing request generate an error
117 */
118 protected boolean isAuthorized( String role, String resource, boolean requiredResource )
119 throws AuthorizationException
120 {
121 if ( resource != null && StringUtils.isNotEmpty( resource.trim() ) )
122 {
123 if ( !getSecuritySystem().isAuthorized( config.getSecuritySession(), role, resource ) )
124 {
125 return false;
126 }
127 }
128 else
129 {
130 if ( requiredResource || !getSecuritySystem().isAuthorized( config.getSecuritySession(), role ) )
131 {
132 return false;
133 }
134 }
135 return true;
136 }
137
138 /**
139 * Check if the current user is authorized to do the action
140 *
141 * @param role the role
142 * @param resource the operation resource
143 * @param requiredResource true if resource can't be null
144 * @throws ContinuumException if the user isn't authorized
145 */
146 protected void checkAuthorization( String role, String resource, boolean requiredResource )
147 throws ContinuumException
148 {
149 try
150 {
151 if ( !isAuthorized( role, resource, requiredResource ) )
152 {
153 throw new ContinuumException( "You're not authorized to execute this action." );
154 }
155 }
156 catch ( AuthorizationException ae )
157 {
158 throw new ContinuumException( "error authorizing request." );
159 }
160 }
161
162 /**
163 * Check if the current user is authorized to view the specified project group
164 *
165 * @param resource the operation resource
166 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
167 */
168 protected void checkViewProjectGroupAuthorization( String resource )
169 throws ContinuumException
170 {
171 checkAuthorization( ContinuumRoleConstants.CONTINUUM_VIEW_GROUP_OPERATION, resource );
172 }
173
174 /**
175 * Check if the current user is authorized to add a project group
176 *
177 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
178 */
179 protected void checkAddProjectGroupAuthorization()
180 throws ContinuumException
181 {
182 checkAuthorization( ContinuumRoleConstants.CONTINUUM_ADD_GROUP_OPERATION );
183 }
184
185 /**
186 * Check if the current user is authorized to delete the specified project group
187 *
188 * @param resource the operation resource
189 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
190 */
191 protected void checkRemoveProjectGroupAuthorization( String resource )
192 throws ContinuumException
193 {
194 checkAuthorization( ContinuumRoleConstants.CONTINUUM_REMOVE_GROUP_OPERATION, resource );
195 }
196
197 /**
198 * Check if the current user is authorized to build the specified project group
199 *
200 * @param resource the operation resource
201 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
202 */
203 protected void checkBuildProjectGroupAuthorization( String resource )
204 throws ContinuumException
205 {
206 checkAuthorization( ContinuumRoleConstants.CONTINUUM_BUILD_GROUP_OPERATION, resource );
207 }
208
209 /**
210 * Check if the current user is authorized to modify the specified project group
211 *
212 * @param resource the operation resource
213 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
214 */
215 protected void checkModifyProjectGroupAuthorization( String resource )
216 throws ContinuumException
217 {
218 checkAuthorization( ContinuumRoleConstants.CONTINUUM_MODIFY_GROUP_OPERATION, resource );
219 }
220
221 /**
222 * Check if the current user is authorized to add a project to a specific project group
223 *
224 * @param resource the operation resource
225 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
226 */
227 protected void checkAddProjectToGroupAuthorization( String resource )
228 throws ContinuumException
229 {
230 checkAuthorization( ContinuumRoleConstants.CONTINUUM_ADD_PROJECT_TO_GROUP_OPERATION, resource );
231 }
232
233 /**
234 * Check if the current user is authorized to delete a project from a specified group
235 *
236 * @param resource the operation resource
237 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
238 */
239 protected void checkRemoveProjectFromGroupAuthorization( String resource )
240 throws ContinuumException
241 {
242 checkAuthorization( ContinuumRoleConstants.CONTINUUM_REMOVE_PROJECT_FROM_GROUP_OPERATION, resource );
243 }
244
245 /**
246 * Check if the current user is authorized to modify a project in the specified group
247 *
248 * @param resource the operation resource
249 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
250 */
251 protected void checkModifyProjectInGroupAuthorization( String resource )
252 throws ContinuumException
253 {
254 checkAuthorization( ContinuumRoleConstants.CONTINUUM_MODIFY_PROJECT_IN_GROUP_OPERATION, resource );
255 }
256
257 /**
258 * Check if the current user is authorized to build a project in the specified group
259 *
260 * @param resource the operation resource
261 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
262 */
263 protected void checkBuildProjectInGroupAuthorization( String resource )
264 throws ContinuumException
265 {
266 checkAuthorization( ContinuumRoleConstants.CONTINUUM_BUILD_PROJECT_IN_GROUP_OPERATION, resource );
267 }
268
269 /**
270 * Check if the current user is authorized to add a build definition for the specified
271 * project group
272 *
273 * @param resource the operation resource
274 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
275 */
276 protected void checkAddGroupBuildDefinitionAuthorization( String resource )
277 throws ContinuumException
278 {
279 checkAuthorization( ContinuumRoleConstants.CONTINUUM_ADD_GROUP_BUILD_DEFINTION_OPERATION, resource );
280 }
281
282 /**
283 * Check if the current user is authorized to delete a build definition in the specified
284 * project group
285 *
286 * @param resource the operation resource
287 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
288 */
289 protected void checkRemoveGroupBuildDefinitionAuthorization( String resource )
290 throws ContinuumException
291 {
292 checkAuthorization( ContinuumRoleConstants.CONTINUUM_REMOVE_GROUP_BUILD_DEFINITION_OPERATION, resource );
293 }
294
295 /**
296 * Check if the current user is authorized to modify a build definition in the specified
297 * project group
298 *
299 * @param resource the operation resource
300 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
301 */
302 protected void checkModifyGroupBuildDefinitionAuthorization( String resource )
303 throws ContinuumException
304 {
305 checkAuthorization( ContinuumRoleConstants.CONTINUUM_MODIFY_GROUP_BUILD_DEFINITION_OPERATION, resource );
306 }
307
308 /**
309 * Check if the current user is authorized to add a group build definition to a specific
310 * project
311 *
312 * @param resource the operation resource
313 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
314 */
315 protected void checkAddProjectBuildDefinitionAuthorization( String resource )
316 throws ContinuumException
317 {
318 checkAuthorization( ContinuumRoleConstants.CONTINUUM_ADD_PROJECT_BUILD_DEFINTION_OPERATION, resource );
319 }
320
321 /**
322 * Check if the current user is authorized to modify a build definition of a specific project
323 *
324 * @param resource the operation resource
325 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
326 */
327 protected void checkModifyProjectBuildDefinitionAuthorization( String resource )
328 throws ContinuumException
329 {
330 checkAuthorization( ContinuumRoleConstants.CONTINUUM_MODIFY_PROJECT_BUILD_DEFINITION_OPERATION, resource );
331 }
332
333 /**
334 * Check if the current user is authorized to delete a build definition of a specific
335 * project
336 *
337 * @param resource the operation resource
338 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
339 */
340 protected void checkRemoveProjectBuildDefinitionAuthorization( String resource )
341 throws ContinuumException
342 {
343 checkAuthorization( ContinuumRoleConstants.CONTINUUM_REMOVE_PROJECT_BUILD_DEFINITION_OPERATION, resource );
344 }
345
346 /**
347 * Check if the current user is authorized to add a notifier to the specified
348 * project group
349 *
350 * @param resource the operation resource
351 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
352 */
353 protected void checkAddProjectGroupNotifierAuthorization( String resource )
354 throws ContinuumException
355 {
356 checkAuthorization( ContinuumRoleConstants.CONTINUUM_ADD_GROUP_NOTIFIER_OPERATION, resource );
357 }
358
359 /**
360 * Check if the current user is authorized to delete a notifier in the specified
361 * project group
362 *
363 * @param resource the operation resource
364 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
365 */
366 protected void checkRemoveProjectGroupNotifierAuthorization( String resource )
367 throws ContinuumException
368 {
369 checkAuthorization( ContinuumRoleConstants.CONTINUUM_REMOVE_GROUP_NOTIFIER_OPERATION, resource );
370 }
371
372 /**
373 * Check if the current user is authorized to modify a notifier in the specified
374 * project group
375 *
376 * @param resource the operartion resource
377 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
378 */
379 protected void checkModifyProjectGroupNotifierAuthorization( String resource )
380 throws ContinuumException
381 {
382 checkAuthorization( ContinuumRoleConstants.CONTINUUM_MODIFY_GROUP_NOTIFIER_OPERATION, resource );
383 }
384
385 /**
386 * Check if the current user is authorized to add a notifier to a specific project
387 *
388 * @param resource the operation resource
389 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
390 */
391 protected void checkAddProjectNotifierAuthorization( String resource )
392 throws ContinuumException
393 {
394 checkAuthorization( ContinuumRoleConstants.CONTINUUM_ADD_PROJECT_NOTIFIER_OPERATION, resource );
395 }
396
397 /**
398 * Check if the current user is authorized to delete a notifier in a specific project
399 *
400 * @param resource the operation resource
401 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
402 */
403 protected void checkRemoveProjectNotifierAuthorization( String resource )
404 throws ContinuumException
405 {
406 checkAuthorization( ContinuumRoleConstants.CONTINUUM_REMOVE_PROJECT_NOTIFIER_OPERATION, resource );
407 }
408
409 /**
410 * Check if the current user is authorized to modify a notifier in a specific project
411 *
412 * @param resource the operation resource
413 * @throws ContinuumException if the user isn't authorized if the user isn't authorized
414 */
415 protected void checkModifyProjectNotifierAuthorization( String resource )
416 throws ContinuumException
417 {
418 checkAuthorization( ContinuumRoleConstants.CONTINUUM_MODIFY_PROJECT_NOTIFIER_OPERATION, resource );
419 }
420
421 /**
422 * Check if the current user is authorized to manage the application's configuration
423 *
424 * @throws ContinuumException if the user isn't authorized if the user isn't authenticated
425 */
426 protected void checkManageConfigurationAuthorization()
427 throws ContinuumException
428 {
429 if ( !isAuthenticated() )
430 {
431 throw new ContinuumException( "Authentication required." );
432 }
433
434 checkAuthorization( ContinuumRoleConstants.CONTINUUM_MANAGE_CONFIGURATION );
435 }
436
437 /**
438 * Check if the current user is authorized to manage the project build schedules
439 *
440 * @throws ContinuumException if the user isn't authorized if the user isn't authenticated
441 */
442 protected void checkManageSchedulesAuthorization()
443 throws ContinuumException
444 {
445 if ( !isAuthenticated() )
446 {
447 throw new ContinuumException( "Authentication required." );
448 }
449
450 checkAuthorization( ContinuumRoleConstants.CONTINUUM_MANAGE_SCHEDULES );
451 }
452
453 /**
454 * Check if the current user is authorized to manage the installations
455 *
456 * @throws ContinuumException if the user isn't authorized if the user isn't authenticated
457 */
458 protected void checkManageInstallationsAuthorization()
459 throws ContinuumException
460 {
461 if ( !isAuthenticated() )
462 {
463 throw new ContinuumException( "Authentication required." );
464 }
465
466 checkAuthorization( ContinuumRoleConstants.CONTINUUM_MANAGE_INSTALLATIONS );
467 }
468
469 /**
470 * Check if the current user is authorized to manage the profiles
471 *
472 * @throws ContinuumException if the user isn't authorized if the user isn't authenticated
473 */
474 protected void checkManageProfilesAuthorization()
475 throws ContinuumException
476 {
477 if ( !isAuthenticated() )
478 {
479 throw new ContinuumException( "Authentication required." );
480 }
481
482 checkAuthorization( ContinuumRoleConstants.CONTINUUM_MANAGE_PROFILES );
483 }
484
485 /**
486 * Check if the current user is authorized to manage the build definitions templates
487 *
488 * @throws ContinuumException if the user isn't authorized if the user isn't authenticated
489 */
490 protected void checkManageBuildDefinitionTemplatesAuthorization()
491 throws ContinuumException
492 {
493 if ( !isAuthenticated() )
494 {
495 throw new ContinuumException( "Authentication required." );
496 }
497
498 checkAuthorization( ContinuumRoleConstants.CONTINUUM_MANAGE_BUILD_TEMPLATES );
499 }
500
501 protected void checkManageQueuesAuthorization()
502 throws ContinuumException
503 {
504 if ( !isAuthenticated() )
505 {
506 throw new ContinuumException( "Authentication required." );
507 }
508
509 checkAuthorization( ContinuumRoleConstants.CONTINUUM_MANAGE_QUEUES );
510 }
511
512 protected void checkManagePurgingAuthorization()
513 throws ContinuumException
514 {
515 if ( !isAuthenticated() )
516 {
517 throw new ContinuumException( "Authentication required." );
518 }
519
520 try
521 {
522 checkAuthorization( ContinuumRoleConstants.SYSTEM_ADMINISTRATOR_ROLE );
523 }
524 catch ( ContinuumException e )
525 {
526 checkAuthorization( ContinuumRoleConstants.CONTINUUM_MANAGE_PURGING );
527 }
528 }
529
530 protected void checkManageRepositoriesAuthorization()
531 throws ContinuumException
532 {
533 if ( !isAuthenticated() )
534 {
535 throw new ContinuumException( "Authentication required." );
536 }
537
538 try
539 {
540 checkAuthorization( ContinuumRoleConstants.SYSTEM_ADMINISTRATOR_ROLE );
541 }
542 catch ( ContinuumException e )
543 {
544 checkAuthorization( ContinuumRoleConstants.CONTINUUM_MANAGE_REPOSITORIES );
545 }
546 }
547 }