Changeset 5850 for DASISH

Timestamp:

11/24/14 20:38:26 (9 years ago)

Author:

olhsha@mpi.nl

Message:

when annotation update is received from a "Writer" then it is checked if it tries to change permissions. If so, 403 is the respond

Location:

DASISH/t5.6/backend/annotator-backend/trunk/annotator-backend

Files:

• UPDATE.txt (modified) (1 diff)
• pom.xml (modified) (1 diff)
• src/main/java/eu/dasish/annotation/backend/dao/DBDispatcher.java (modified) (4 diffs)
• src/main/java/eu/dasish/annotation/backend/dao/ILambda.java (modified) (2 diffs)
• src/main/java/eu/dasish/annotation/backend/dao/impl/DBDispatcherImlp.java (modified) (5 diffs)
• src/main/java/eu/dasish/annotation/backend/rest/AnnotationResource.java (modified) (3 diffs)
• src/main/java/eu/dasish/annotation/backend/rest/PrincipalResource.java (modified) (5 diffs)
• src/main/java/eu/dasish/annotation/backend/rest/RequestWrappers.java (modified) (1 diff)
• src/main/webapp/WEB-INF/shhaa.xml (modified) (1 diff)
• src/main/webapp/WEB-INF/web.xml (modified) (5 diffs)
• src/test/java/eu/dasish/annotation/backend/dao/impl/DBDispatcherTest.java (modified) (6 diffs)
• src/test/java/eu/dasish/annotation/backend/rest/AnnotationResourceTest.java (modified) (2 diffs)
• src/test/java/eu/dasish/annotation/backend/rest/AnnotationsTest.java (modified) (1 diff)
• src/test/resources/test-data/InsertTestData.sql (modified) (1 diff)

DASISH/t5.6/backend/annotator-backend/trunk/annotator-backend/UPDATE.txt

@@ +1 @@
+Placing tarball: take the tar-ball of the new  version 1.6.1-basic-authentication, and follow the 
+standard MPI deployment procedure. The "current-nonshib" should link to this package.
 
-Placing tarball: take the tar-ball of the new  version 1.6.1-shibboleth, and follow the 
-standard MPI deployment procedure.
+No changings are to be done in context.xml and in the data-base because they are the same as
+for the sibboleth version, abd it works.
 
-Update the dasish annotation database with: 
-INSERT INTO access(access_mode) VALUES ('all');
-
-A new feature: an "all" access mode is added. The user with this permission have 
-the same rights as the owner, that it he can update permissions on the annotation
-and delete it at all.
+The splitting between logging of shibboleth and basic versions will be implemented in 
+next deployments
 
 

DASISH/t5.6/backend/annotator-backend/trunk/annotator-backend/pom.xml

@@ -5 +5 @@
     <groupId>eu.dasish.annotation</groupId>
     <artifactId>annotator-backend</artifactId>
-    <version>1.6.1-shibboleth</version>    
+    <version>1.6.1-basic-authentication</version>    
     <packaging>war</packaging>
     <name>annotator-backend Jersey Webapp</name>

DASISH/t5.6/backend/annotator-backend/trunk/annotator-backend/src/main/java/eu/dasish/annotation/backend/dao/DBDispatcher.java

@@ -18 +18 @@
 package eu.dasish.annotation.backend.dao;
 
+import eu.dasish.annotation.backend.ForbiddenException;
 import eu.dasish.annotation.backend.MatchMode;
 import eu.dasish.annotation.backend.NotInDataBaseException;
@@ -31 +32 @@
 import eu.dasish.annotation.schema.NotebookInfoList;
 import eu.dasish.annotation.schema.Access;
-import eu.dasish.annotation.schema.Action;
 import eu.dasish.annotation.schema.PermissionList;
 import eu.dasish.annotation.schema.ReferenceList;
@@ -226 +226 @@
      * @return 1 of the annotation if it is updated
      */
-    int updateAnnotation(Annotation annotation, String remoteUser) throws NotInDataBaseException;
+    int updateAnnotation(Annotation annotation, String remoteUser) throws NotInDataBaseException, ForbiddenException;
 
     /**
@@ -256 +256 @@
      * annotations_principals_accesss
      */
-    int updatePermissions(Number annotationID, PermissionList permissionList) throws NotInDataBaseException ;
+    int updateOrAddPermissions(Number annotationID, PermissionList permissionList) throws NotInDataBaseException ;
     
     int updatePublicAttribute(Number annotationID, Access publicAttribute);

DASISH/t5.6/backend/annotator-backend/trunk/annotator-backend/src/main/java/eu/dasish/annotation/backend/dao/ILambda.java

@@ -18 +18 @@
 package eu.dasish.annotation.backend.dao;
 
+import eu.dasish.annotation.backend.ForbiddenException;
 import eu.dasish.annotation.backend.NotInDataBaseException;
 
@@ -26 +27 @@
 public interface ILambda<Map, R> {
     
-    public R apply(Map params)   throws NotInDataBaseException;
+    public R apply(Map params)   throws NotInDataBaseException, ForbiddenException;
     
 }

DASISH/t5.6/backend/annotator-backend/trunk/annotator-backend/src/main/java/eu/dasish/annotation/backend/dao/impl/DBDispatcherImlp.java

@@ -18 +18 @@
 package eu.dasish.annotation.backend.dao.impl;
 
+import eu.dasish.annotation.backend.ForbiddenException;
 import eu.dasish.annotation.backend.NotInDataBaseException;
 import eu.dasish.annotation.backend.Resource;
@@ -152 +153 @@
 
     ///////////////////////////////////////////////////
-   
     private void fillInPermissionList(List<Permission> listPermissions, Number resourceID, Resource resource) {
         List<Map<Number, String>> principalsAccesss = this.getDao(resource).getPermissions(resourceID);
@@ -164 +164 @@
         }
     }
-    
+
     @Override
     public PermissionList getPermissions(Number resourceID, Resource resource) {
@@ -704 +704 @@
 
     @Override
-    public int updatePermissions(Number annotationID, PermissionList permissionList) throws NotInDataBaseException {
+    public int updateOrAddPermissions(Number annotationID, PermissionList permissionList) throws NotInDataBaseException {
         annotationDao.updatePublicAccess(annotationID, permissionList.getPublic());
         List<Permission> permissions = permissionList.getPermission();
@@ -720 +720 @@
         return result;
     }
+
 // TODO: optimize (not chnanged targets should not be deleted)
-// TODO: unit test
-
-    @Override
-    public int updateAnnotation(Annotation annotation, String remoteUser) throws NotInDataBaseException {
+    @Override
+    public int updateAnnotation(Annotation annotation, String remoteUser) throws NotInDataBaseException, ForbiddenException {
+
         Number annotationID = annotationDao.getInternalID(UUID.fromString(annotation.getId()));
         Number ownerID = principalDao.getInternalIDFromHref(annotation.getOwnerHref());
+        Number remoteUserID = principalDao.getPrincipalInternalIDFromRemoteID(remoteUser);
+        
+        boolean isOwner = ownerID.equals(remoteUserID);
+        boolean hasAllAccess = annotationDao.getAccess(annotationID, remoteUserID).equals(Access.ALL);
+        boolean isAdmin = remoteUserID.equals(principalDao.getDBAdminID());
+        boolean weakPrincipal = (!isOwner && !hasAllAccess && !isAdmin);
+
+        if (weakPrincipal) { // we need to check if permissions are intact
+            if (!(annotation.getPermissions().getPublic()).equals(annotationDao.getPublicAttribute(annotationID))) {
+                throw new ForbiddenException("The inlogged user does not have rights to update 'public' attribute in this annotation.");
+            }
+            List<Map<Number, String>> permissionsDB = annotationDao.getPermissions(annotationID);
+            if (!this.permissionsIntact(annotation.getPermissions().getPermission(), permissionsDB))  {
+                throw new ForbiddenException("The inlogged user does not have rights to update permissions in this annotation.");
+            }
+        }
+
+
         int updatedAnnotations = annotationDao.updateAnnotation(annotation, annotationID, ownerID);
         int deletedTargets = annotationDao.deleteAllAnnotationTarget(annotationID);
         int addedTargets = this.addTargets(annotation, annotationID);
-
-        Number remoteUserID = principalDao.getPrincipalInternalIDFromRemoteID(remoteUser);
-
-        if (ownerID.equals(remoteUserID) || (annotationDao.getAccess(annotationID, remoteUserID).equals(Access.ALL))) {
-            int deletedPrinsipalsAccesss = annotationDao.deletePermissions(annotationID);
-            int addedPrincipalsAccesss = this.addPermissions(annotation.getPermissions().getPermission(), annotationID);
-               
-        };
+        if (!weakPrincipal) { // if weak permissions reach this point then permissions are the same
+            int changedPermissions = this.updateOrAddPermissions(annotationID, annotation.getPermissions());
+        }
         return updatedAnnotations;
     }
 
-    // TODO: unit test
+    private boolean permissionsIntact(List<Permission> permissionsInput, List<Map<Number, String>> permissionsDB) throws NotInDataBaseException{
+        if (permissionsInput == null || permissionsInput.isEmpty()) {
+            return true;
+        }
+        
+        if (permissionsDB == null || permissionsDB.isEmpty()) {
+            return false;
+        }
+        
+        for(Permission permission:permissionsInput) {
+            Number principalID = principalDao.getInternalIDFromHref(permission.getPrincipalHref());
+            String accessLevel = permission.getLevel().value();
+            Map current = new HashMap<Number, String>();
+            current.put(principalID, accessLevel);
+            int index = permissionsDB.indexOf(current);
+            if (index>-1) {
+             if (!accessLevel.equals(permissionsDB.get(index).get(principalID)))   {
+                 return false;
+             } 
+            } else {
+                if (!accessLevel.equals(Access.NONE.value())) {
+                    return false;
+                }
+            }
+        }
+        return true;
+    }
+
     @Override
     public int updateAnnotationBody(Number internalID, AnnotationBody annotationBody) {

DASISH/t5.6/backend/annotator-backend/trunk/annotator-backend/src/main/java/eu/dasish/annotation/backend/rest/AnnotationResource.java

@@ -314 +314 @@
             httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND, e.getMessage());
             return (new ObjectFactory()).createResponseBody(new ResponseBody());
+        } catch (ForbiddenException e2) {
+            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, e2.getMessage());
+            return (new ObjectFactory()).createResponseBody(new ResponseBody());
         }
     }
@@ -365 +368 @@
     private class UpdateAnnotation implements ILambda<Map, ResponseBody> {
 
-        @Override
-        public ResponseBody apply(Map params) throws NotInDataBaseException {
+        @Override 
+        public ResponseBody apply(Map params) throws NotInDataBaseException, ForbiddenException {
             Annotation annotation = (Annotation) params.get("annotation");
             Number annotationID = (Number) params.get("internalID");
@@ -644 +647 @@
             Number annotationID = (Number) params.get("internalID");
             PermissionList permissions = (PermissionList) params.get("permissions");
-            int updatedRows = dbDispatcher.updatePermissions(annotationID, permissions);
+            int updatedRows = dbDispatcher.updateOrAddPermissions(annotationID, permissions);
             return dbDispatcher.makeAccessResponseEnvelope(annotationID, Resource.ANNOTATION);
         }

DASISH/t5.6/backend/annotator-backend/trunk/annotator-backend/src/main/java/eu/dasish/annotation/backend/rest/PrincipalResource.java

@@ -83 +83 @@
             httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND, e.getMessage());
             return new ObjectFactory().createPrincipal(new Principal());
+        } catch (ForbiddenException e2) {
+            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, e2.getMessage());
+            return new ObjectFactory().createPrincipal(new Principal());
         }
     }
@@ -122 +125 @@
             httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND, e.getMessage());
             return new ObjectFactory().createPrincipal(new Principal());
+        } catch (ForbiddenException e2) {
+            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, e2.getMessage());
+            return new ObjectFactory().createPrincipal(new Principal());
         }
     }
@@ -146 +152 @@
         } catch (NotInDataBaseException e) {
             httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND, e.getMessage());
+            return new ObjectFactory().createCurrentPrincipalInfo(new CurrentPrincipalInfo());
+        } catch (ForbiddenException e2) {
+            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, e2.getMessage());
             return new ObjectFactory().createCurrentPrincipalInfo(new CurrentPrincipalInfo());
         }
@@ -330 +339 @@
                 httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND, e.getMessage());
                 return new ObjectFactory().createPrincipal(new Principal());
+            } catch (ForbiddenException e2) {
+                httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, e2.getMessage());
+                return new ObjectFactory().createPrincipal(new Principal());
             }
         } else {
@@ -358 +370 @@
         Map params = new HashMap<String, Object>();
         params.put("newPrincipal", newPrincipal);
-        Principal result = (Principal) (new RequestWrappers(this)).wrapRequestResource(params, new UpdatePrincipal());
-        return (result != null) ? (new ObjectFactory().createPrincipal(result)) : (new ObjectFactory().createPrincipal(new Principal()));
+        try {
+            Principal result = (Principal) (new RequestWrappers(this)).wrapRequestResource(params, new UpdatePrincipal());
+            return (result != null) ? (new ObjectFactory().createPrincipal(result)) : (new ObjectFactory().createPrincipal(new Principal()));
+        } catch (ForbiddenException e2) {
+            httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, e2.getMessage());
+            return new ObjectFactory().createPrincipal(new Principal());
+        }
     }
 

DASISH/t5.6/backend/annotator-backend/trunk/annotator-backend/src/main/java/eu/dasish/annotation/backend/rest/RequestWrappers.java

@@ -52 +52 @@
     }
 
-    public T wrapRequestResource(Map params, ILambda<Map, T> dbRequestor) throws IOException, NotInDataBaseException {
+    public T wrapRequestResource(Map params, ILambda<Map, T> dbRequestor) throws IOException, NotInDataBaseException, ForbiddenException {
         Number remotePrincipalID = resourceResource.getPrincipalID();
         if (remotePrincipalID == null) {

DASISH/t5.6/backend/annotator-backend/trunk/annotator-backend/src/main/webapp/WEB-INF/shhaa.xml

@@ -38 +38 @@
                 <username>anonymous</username>
             </fallback>
-            <sso action="lI">https://lux16.mpi.nl/Shibboleth.sso/Login</sso> 
-            <slo action="lO">https://lux16.mpi.nl/Shibboleth.sso/Logout</slo> 
+            <sso action="lI">https://lux17.mpi.nl/Shibboleth.sso/Login</sso> 
+            <slo action="lO">https://lux17.mpi.nl/Shibboleth.sso/Logout</slo> 
         </authentication>
         

DASISH/t5.6/backend/annotator-backend/trunk/annotator-backend/src/main/webapp/WEB-INF/web.xml

@@ -40 +40 @@
     <context-param>
         <param-name>eu.dasish.annotation.backend.isShibbolethSession</param-name>
-        <param-value>true</param-value>
+        <param-value>false</param-value>
     </context-param>
     <context-param>
@@ -48 +48 @@
     <context-param>
         <param-name>eu.dasish.annotation.backend.logout.shibboleth</param-name>
-        <param-value>https://lux16.mpi.nl/Shibboleth.sso/Logout</param-value> 
+        <param-value>https://lux17.mpi.nl/Shibboleth.sso/Logout</param-value> 
     </context-param>
     
@@ -111 +111 @@
    
     <!-- Spring security -->
-     <!-- <filter>
+     <filter>
         <filter-name>springSecurityFilterChain</filter-name>
         <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
@@ -118 +118 @@
         <filter-name>springSecurityFilterChain</filter-name>
         <url-pattern>/*</url-pattern>
-    </filter-mapping> -->
+    </filter-mapping>
     
     <!--  Shibboleth filter -->
-   <filter>
+   <!-- <filter>
         <filter-name>AAIFilter</filter-name>
         <filter-class>de.mpg.aai.shhaa.AuthFilter</filter-class>
@@ -128 +128 @@
         <filter-name>AAIFilter</filter-name>
         <url-pattern>/*</url-pattern>
-    </filter-mapping> 
+    </filter-mapping> -->
     
   </web-app>  

DASISH/t5.6/backend/annotator-backend/trunk/annotator-backend/src/test/java/eu/dasish/annotation/backend/dao/impl/DBDispatcherTest.java

@@ -18 +18 @@
 package eu.dasish.annotation.backend.dao.impl;
 
+import eu.dasish.annotation.backend.ForbiddenException;
 import eu.dasish.annotation.backend.Helpers;
 import eu.dasish.annotation.backend.MatchMode;
@@ -2089 +2090 @@
 //        }
     @Test
-    public void testUpdateAnnotation() throws NotInDataBaseException {
+    public void testUpdateAnnotation() throws NotInDataBaseException, ForbiddenException {
 
         System.out.println("test updateAnnotation");
@@ -2107 +2108 @@
                 oneOf(principalDao).getInternalIDFromHref(annotation.getOwnerHref());
                 will(returnValue(1));
-
+                
+                oneOf(annotationDao).getAccess(1,1);
+                will(returnValue(Access.NONE));
+                
+                oneOf(principalDao).getDBAdminID();
+                will(returnValue(3));
+                
                 oneOf(annotationDao).updateAnnotation(annotation, 1, 1);
                 will(returnValue(1));
@@ -2113 +2120 @@
                 oneOf(annotationDao).deleteAllAnnotationTarget(1);
                 will(returnValue(1));
-
-                oneOf(annotationDao).deletePermissions(1);
-                will(returnValue(3));
-
 
                 /// adding the first target, not found in the DB
@@ -2145 +2148 @@
 
                 /////
+                
+                oneOf(annotationDao).updatePublicAccess(1, Access.WRITE);
+                will(returnValue(1));
+                
                 oneOf(principalDao).getInternalIDFromHref(permissions.getPermission().get(0).getPrincipalHref());
                 will(returnValue(2));
-
-                oneOf(annotationDao).addPermission(1, 2, Access.WRITE);
+                
+                oneOf(annotationDao).hasExplicitAccess(1, 2);
+                will(returnValue(true));
+                
+                oneOf(annotationDao).updatePermission(1, 2, Access.WRITE);
                 will(returnValue(1));
 
                 oneOf(principalDao).getInternalIDFromHref(permissions.getPermission().get(1).getPrincipalHref());
                 will(returnValue(3));
-
-                oneOf(annotationDao).addPermission(1, 3, Access.READ);
+                
+                 oneOf(annotationDao).hasExplicitAccess(1, 3);
+                 will(returnValue(true));
+
+                oneOf(annotationDao).updatePermission(1, 3, Access.READ);
                 will(returnValue(1));
 
@@ -2284 +2297 @@
         });
 
-        assertEquals(3, dbDispatcher.updatePermissions(1, permissions));
+        assertEquals(3, dbDispatcher.updateOrAddPermissions(1, permissions));
 
     }

DASISH/t5.6/backend/annotator-backend/trunk/annotator-backend/src/test/java/eu/dasish/annotation/backend/rest/AnnotationResourceTest.java

@@ -18 +18 @@
 package eu.dasish.annotation.backend.rest;
 
+import eu.dasish.annotation.backend.ForbiddenException;
 import eu.dasish.annotation.backend.Helpers;
 import eu.dasish.annotation.backend.NotInDataBaseException;
@@ -231 +232 @@
 
     @Test
-    public void testUpdateAnnotation() throws NotInDataBaseException, IOException{
+    public void testUpdateAnnotation() throws NotInDataBaseException, IOException, ForbiddenException{
         System.out.println("test updateAnnotation");
 

DASISH/t5.6/backend/annotator-backend/trunk/annotator-backend/src/test/java/eu/dasish/annotation/backend/rest/AnnotationsTest.java

@@ -255 +255 @@
         assertEquals("updated annotation 1", entityA.getHeadline());
         assertEquals(3, entityA.getPermissions().getPermission().size());
-//        assertEquals(Access.READ, entityA.getPermissions().getPublic());
+        assertEquals(Access.READ, entityA.getPermissions().getPublic());
+        assertEquals(Access.WRITE, entityA.getPermissions().getPermission().get(0).getLevel());
+        assertEquals(Access.WRITE, entityA.getPermissions().getPermission().get(1).getLevel());
+        assertEquals(Access.READ, entityA.getPermissions().getPermission().get(2).getLevel());
 //        assertEquals(_relativePath + "/principals/00000000-0000-0000-0000-000000000111", entityA.getOwnerHref());
 //        assertEquals("http://nl.wikipedia.org/wiki/Sagrada_Fam%C3%ADlia#de_Opdracht", entityA.getTargets().getTargetInfo().get(0).getLink());

DASISH/t5.6/backend/annotator-backend/trunk/annotator-backend/src/test/resources/test-data/InsertTestData.sql

@@ -105 +105 @@
 
 
----- ACCESSS --------------------------------------------------------------------------------------------
+---- ACCESS--------------------------------------------------------------------------------------------