Mercurial > lada > lada-server
changeset 833:fa922101a462
Refactored Authorization.
* Introduced "authorizer"
* Attribute and datatype depended authorization
line wrap: on
line diff
--- a/src/main/java/de/intevation/lada/importer/laf/LafWriter.java Fri Dec 18 18:01:00 2015 +0100 +++ b/src/main/java/de/intevation/lada/importer/laf/LafWriter.java Fri Jan 08 12:05:26 2016 +0100 @@ -85,7 +85,7 @@ * @return success */ public boolean writeProbe(UserInfo userInfo, LProbe probe, ProbeTranslation probeTranslation) { - if (!authorization.isAuthorized(userInfo, probe)) { + if (!authorization.isAuthorized(userInfo, probe, LProbe.class)) { errors.add(new ReportItem("auth", "not authorized", 699)); return false; }
--- a/src/main/java/de/intevation/lada/rest/KommentarMService.java Fri Dec 18 18:01:00 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/KommentarMService.java Fri Jan 08 12:05:26 2016 +0100 @@ -118,10 +118,8 @@ LMessung.class, id, "land"); - if (!authorization.isAuthorized(authorization.getInfo(request), messung)) { - if (!authorization.isAuthorized(id, LMessung.class)) { - return new Response(false, 699, null); - } + if (!authorization.isAuthorized(request, messung, RequestMethod.GET, LMessung.class)) { + return new Response(false, 699, null); } QueryBuilder<LKommentarM> builder = @@ -159,10 +157,8 @@ LMessung.class, kommentar.getMessungsId(), "land"); - if (!authorization.isAuthorized(authorization.getInfo(request), messung)) { - if (!authorization.isAuthorized(messung.getId(), LMessung.class)) { - return new Response(false, 699, null); - } + if (!authorization.isAuthorized(request, messung, RequestMethod.GET, LMessung.class)) { + return new Response(false, 699, null); } return authorization.filter(
--- a/src/main/java/de/intevation/lada/rest/MesswertService.java Fri Dec 18 18:01:00 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/MesswertService.java Fri Jan 08 12:05:26 2016 +0100 @@ -153,10 +153,13 @@ LMessung.class, id, "land"); - if (!authorization.isAuthorized(authorization.getInfo(request), messung)) { - if (!authorization.isAuthorized(id, LMessung.class)) { - return new Response(false, 697, null); - } + if (!authorization.isAuthorized( + request, + messung, + RequestMethod.GET, + LMessung.class) + ) { + return new Response(false, 697, null); } QueryBuilder<LMesswert> builder = new QueryBuilder<LMesswert>( @@ -193,10 +196,13 @@ LMessung.class, messwert.getMessungsId(), "land"); - if (!authorization.isAuthorized(authorization.getInfo(request), messung)) { - if (!authorization.isAuthorized(messung.getId(), LMessung.class)) { - return new Response(false, 699, null); - } + if (!authorization.isAuthorized( + request, + messung, + RequestMethod.GET, + LMessung.class) + ) { + return new Response(false, 699, null); } Violation violation = validator.validate(messwert); if (violation.hasErrors() || violation.hasWarnings()) {
--- a/src/main/java/de/intevation/lada/rest/ProbeService.java Fri Dec 18 18:01:00 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/ProbeService.java Fri Jan 08 12:05:26 2016 +0100 @@ -238,13 +238,13 @@ boolean readOnly = authorization.isReadOnly((Integer)entry.get("id")); entry.put("readonly", readOnly); - UserInfo ui = authorization.getInfo(request); QueryBuilder<LProbe> builder = new QueryBuilder<LProbe>( defaultRepo.entityManager("land"), LProbe.class); builder.and("id", (Integer)entry.get("id")); Response r = defaultRepo.filter(builder.getQuery(), "land"); List<LProbe> probe = (List<LProbe>)r.getData(); - entry.put("owner", authorization.isAuthorized(ui, probe.get(0))); + entry.put("owner", authorization.isAuthorized( + request, probe.get(0), RequestMethod.GET, LProbe.class)); } return new Response(true, 200, subList, result.size()); }
--- a/src/main/java/de/intevation/lada/rest/StatusService.java Fri Dec 18 18:01:00 2015 +0100 +++ b/src/main/java/de/intevation/lada/rest/StatusService.java Fri Jan 08 12:05:26 2016 +0100 @@ -146,10 +146,12 @@ LMessung.class, id, "land"); - if (!authorization.isAuthorized(authorization.getInfo(request), messung)) { - if (!authorization.isAuthorized(id, LMessung.class)) { - return new Response(false, 697, null); - } + if (!authorization.isAuthorized( + request, + messung, + RequestMethod.GET, + LMessung.class)) { + return new Response(false, 697, null); } QueryBuilder<LStatusProtokoll> builder = @@ -227,14 +229,6 @@ @Context HttpServletRequest request, LStatusProtokoll status ) { - if (!authorization.isAuthorized( - request, - status, - RequestMethod.POST, - LStatusProtokoll.class) - ) { - return new Response(false, 699, null); - } UserInfo userInfo = authorization.getInfo(request); LMessung messung = defaultRepo.getByIdPlain( LMessung.class, status.getMessungsId(), "land");
--- a/src/main/java/de/intevation/lada/util/auth/Authorization.java Fri Dec 18 18:01:00 2015 +0100 +++ b/src/main/java/de/intevation/lada/util/auth/Authorization.java Fri Jan 08 12:05:26 2016 +0100 @@ -20,7 +20,7 @@ public <T> Response filter(Object source, Response data, Class<T> clazz); public <T> boolean isAuthorized( Object source, Object data, RequestMethod method, Class<T> clazz); - public <T> boolean isAuthorized(int id, Class<T> clazz); - public boolean isAuthorized(UserInfo userInfo, Object data); + //public <T> boolean isAuthorized(int id, Class<T> clazz); + public <T> boolean isAuthorized(UserInfo userInfo, Object data, Class<T> clazz); boolean isReadOnly(Integer probeId); }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/main/java/de/intevation/lada/util/auth/Authorizer.java Fri Jan 08 12:05:26 2016 +0100 @@ -0,0 +1,18 @@ +package de.intevation.lada.util.auth; + +import de.intevation.lada.util.rest.RequestMethod; +import de.intevation.lada.util.rest.Response; + +public interface Authorizer { + + public <T> boolean isAuthorized( + Object data, + RequestMethod method, + UserInfo userInfo, + Class<T> clazz); + + public <T> Response filter( + Response data, + UserInfo userInfo, + Class<T> clazz); +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/main/java/de/intevation/lada/util/auth/BaseAuthorizer.java Fri Jan 08 12:05:26 2016 +0100 @@ -0,0 +1,83 @@ +package de.intevation.lada.util.auth; + +import java.util.List; + +import javax.inject.Inject; +import javax.persistence.EntityManager; + +import de.intevation.lada.model.land.LMessung; +import de.intevation.lada.model.land.LProbe; +import de.intevation.lada.model.land.LStatusProtokoll; +import de.intevation.lada.util.annotation.RepositoryConfig; +import de.intevation.lada.util.data.QueryBuilder; +import de.intevation.lada.util.data.Repository; +import de.intevation.lada.util.data.RepositoryType; +import de.intevation.lada.util.rest.Response; + +public abstract class BaseAuthorizer implements Authorizer { + + /** + * The Repository used to read from Database. + */ + @Inject + @RepositoryConfig(type=RepositoryType.RO) + protected Repository repository; + + /** + * Get the authorization of a single probe. + * + * @param userInfo The user information. + * @param probe The probe to authorize. + */ + protected boolean getAuthorization(UserInfo userInfo, LProbe probe) { + if (userInfo.getMessstellen().contains(probe.getMstId())) { + return true; + } + else { + return false; + } + } + + /** + * Test whether a probe is readonly. + * + * @param probeId The probe Id. + * @return True if the probe is readonly. + */ + public boolean isProbeReadOnly(Integer probeId) { + EntityManager manager = repository.entityManager("land"); + QueryBuilder<LMessung> builder = + new QueryBuilder<LMessung>( + manager, + LMessung.class); + builder.and("probeId", probeId); + Response response = repository.filter(builder.getQuery(), "land"); + @SuppressWarnings("unchecked") + List<LMessung> messungen = (List<LMessung>) response.getData(); + for (int i = 0; i < messungen.size(); i++) { + if (messungen.get(i).getStatus() == null) { + return false; + } + LStatusProtokoll status = repository.getByIdPlain( + LStatusProtokoll.class, messungen.get(i).getStatus(), "land"); + if (status.getStatusWert() != 0 && status.getStatusWert() != 4) { + return true; + } + } + return false; + } + + public boolean isMessungReadOnly(Integer messungsId) { + LMessung messung = + repository.getByIdPlain(LMessung.class, messungsId, "land"); + if (messung.getStatus() == null) { + return false; + } + LStatusProtokoll status = repository.getByIdPlain( + LStatusProtokoll.class, + messung.getStatus(), + "land"); + return (status.getStatusWert() != 0 && status.getStatusWert() != 4); + } + +}
--- a/src/main/java/de/intevation/lada/util/auth/DefaultAuthorization.java Fri Dec 18 18:01:00 2015 +0100 +++ b/src/main/java/de/intevation/lada/util/auth/DefaultAuthorization.java Fri Jan 08 12:05:26 2016 +0100 @@ -83,12 +83,11 @@ * @return true */ @Override - public boolean isAuthorized(UserInfo userInfo, Object data) { + public <T> boolean isAuthorized( + UserInfo userInfo, + Object data, + Class<T> clazz) { return true; } - @Override - public <T> boolean isAuthorized(int id, Class<T> clazz) { - return true; - } }
--- a/src/main/java/de/intevation/lada/util/auth/HeaderAuthorization.java Fri Dec 18 18:01:00 2015 +0100 +++ b/src/main/java/de/intevation/lada/util/auth/HeaderAuthorization.java Fri Jan 08 12:05:26 2016 +0100 @@ -7,23 +7,30 @@ */ package de.intevation.lada.util.auth; -import java.lang.reflect.InvocationTargetException; -import java.lang.reflect.Method; import java.util.ArrayList; import java.util.Arrays; +import java.util.HashMap; import java.util.List; +import java.util.Map; +import javax.annotation.PostConstruct; import javax.inject.Inject; import javax.persistence.EntityManager; import javax.servlet.http.HttpServletRequest; -import org.apache.log4j.Logger; - +import de.intevation.lada.model.land.LKommentarM; +import de.intevation.lada.model.land.LKommentarP; import de.intevation.lada.model.land.LMessung; +import de.intevation.lada.model.land.LMesswert; +import de.intevation.lada.model.land.LOrtszuordnung; import de.intevation.lada.model.land.LProbe; import de.intevation.lada.model.land.LStatusProtokoll; +import de.intevation.lada.model.land.LZusatzWert; import de.intevation.lada.model.stamm.Auth; -import de.intevation.lada.model.stamm.AuthLstUmw; +import de.intevation.lada.model.stamm.DatensatzErzeuger; +import de.intevation.lada.model.stamm.MessprogrammKategorie; +import de.intevation.lada.model.stamm.Ort; +import de.intevation.lada.model.stamm.Probenehmer; import de.intevation.lada.util.annotation.AuthorizationConfig; import de.intevation.lada.util.annotation.RepositoryConfig; import de.intevation.lada.util.data.QueryBuilder; @@ -41,18 +48,38 @@ public class HeaderAuthorization implements Authorization { /** - * The logger used in this class. - */ - @Inject - private Logger logger; - - /** * The Repository used to read from Database. */ @Inject @RepositoryConfig(type=RepositoryType.RO) private Repository repository; + @SuppressWarnings("rawtypes") + private Map<Class, Authorizer> authorizers; + @Inject ProbeAuthorizer probeAuthorizer; + @Inject MessungAuthorizer messungAuthorizer; + @Inject ProbeIdAuthorizer pIdAuthorizer; + @Inject MessungIdAuthorizer mIdAuthorizer; + @Inject NetzbetreiberAuthorizer netzAuthorizer; + + @SuppressWarnings("rawtypes") + @PostConstruct + public void init() { + authorizers = new HashMap<Class, Authorizer>(); + authorizers.put(LProbe.class, probeAuthorizer); + authorizers.put(LMessung.class, messungAuthorizer); + authorizers.put(LOrtszuordnung.class, pIdAuthorizer); + authorizers.put(LKommentarP.class, pIdAuthorizer); + authorizers.put(LZusatzWert.class, pIdAuthorizer); + authorizers.put(LKommentarM.class, mIdAuthorizer); + authorizers.put(LMesswert.class, mIdAuthorizer); + authorizers.put(LStatusProtokoll.class, mIdAuthorizer); + authorizers.put(Probenehmer.class, netzAuthorizer); + authorizers.put(DatensatzErzeuger.class, netzAuthorizer); + authorizers.put(MessprogrammKategorie.class, netzAuthorizer); + authorizers.put(Ort.class, netzAuthorizer); + } + /** * Request user informations using the HttpServletRequest. * @@ -89,44 +116,12 @@ if (userInfo == null) { return data; } - if (clazz == LProbe.class) { - return this.authorizeProbe(userInfo, data); - } - if (clazz == LMessung.class) { - return this.authorizeMessung(userInfo, data); - } - Method[] methods = clazz.getMethods(); - for (Method method: methods) { - if (method.getName().equals("getProbeId")) { - return this.authorizeWithProbeId(userInfo, data, clazz); - } - if (method.getName().equals("getMessungsId")) { - return this.authorizeWithMessungsId(userInfo, data, clazz); - } + Authorizer authorizer = authorizers.get(clazz); + //This is a hack... Allows wildcard for unknown classes. + if (authorizer == null) { + return data; } - return data; - } - - @Override - public <T> boolean isAuthorized(int id, Class<T> clazz) { - if (clazz == LMessung.class) { - LMessung messung = repository.getByIdPlain( - LMessung.class, - id, - "land"); - if (messung.getStatus() == null) { - return false; - } - LStatusProtokoll status = repository.getByIdPlain( - LStatusProtokoll.class, - messung.getStatus(), - "land"); - if (status.getStatusWert() == 0) { - return false; - } - return true; - } - return false; + return authorizer.filter(data, userInfo, clazz); } /** @@ -149,97 +144,12 @@ if (userInfo == null) { return false; } - if (clazz == LProbe.class) { - LProbe probe = (LProbe)data; - if (method == RequestMethod.POST) { - return getAuthorization(userInfo, probe); - } - else if (method == RequestMethod.PUT || - method == RequestMethod.DELETE) { - return !isReadOnly(probe.getId()); - } - else { - return false; - } - } - else if (clazz == LMessung.class) { - LMessung messung = (LMessung)data; - Response response = - repository.getById(LProbe.class, messung.getProbeId(), "land"); - LProbe probe = (LProbe)response.getData(); - if (method == RequestMethod.POST) { - return getAuthorization(userInfo, probe); - } - else if (method == RequestMethod.PUT || - method == RequestMethod.DELETE) { - return !this.isMessungReadOnly(messung) && - getAuthorization(userInfo, probe); - } - } - else { - Method[] methods = clazz.getMethods(); - for (Method m: methods) { - if (m.getName().equals("getProbeId")) { - Integer id; - try { - id = (Integer) m.invoke(data); - } catch (IllegalAccessException | IllegalArgumentException - | InvocationTargetException e) { - logger.warn(e.getCause() + ": " + e.getMessage()); - return false; - } - Response response = - repository.getById(LProbe.class, id, "land"); - LProbe probe = (LProbe)response.getData(); - return !isReadOnly(id) && getAuthorization(userInfo, probe); - - } - if (m.getName().equals("getMessungsId")) { - Integer id; - try { - id = (Integer) m.invoke(data); - } catch (IllegalAccessException | IllegalArgumentException - | InvocationTargetException e) { - logger.warn(e.getCause() + ": " + e.getMessage()); - return false; - } - Response mResponse = - repository.getById(LMessung.class, id, "land"); - LMessung messung = (LMessung)mResponse.getData(); - Response pResponse = - repository.getById( - LProbe.class, - messung.getProbeId(), - "land"); - LProbe probe = (LProbe)pResponse.getData(); - if (messung.getStatus() == null) { - return false; - } - LStatusProtokoll status = repository.getByIdPlain( - LStatusProtokoll.class, - messung.getStatus(), - "land"); - return status.getStatusWert() == 0 && - getAuthorization(userInfo, probe); - } - } - } - return true; - } - - /** - * Get the authorization of a single probe. - * - * @param userInfo The user information. - * @param probe The probe to authorize. - */ - private boolean getAuthorization(UserInfo userInfo, LProbe probe) { - if (userInfo.getMessstellen().contains(probe.getMstId())) { + Authorizer authorizer = authorizers.get(clazz); + //This is a hack... Allows wildcard for unknown classes. + if (authorizer == null) { return true; } - else { - return false; - } + return authorizer.isAuthorized(data, method, userInfo, clazz); } /** @@ -285,304 +195,6 @@ } /** - * Authorize data that has a messungsId Attribute. - * - * @param userInfo The user information. - * @param data The Response object containing the data. - * @param clazz The data object class. - * @return A Response object containing the data. - */ - @SuppressWarnings("unchecked") - private <T> Response authorizeWithMessungsId( - UserInfo userInfo, - Response data, - Class<T> clazz - ) { - if (data.getData() instanceof List<?>) { - List<Object> objects = new ArrayList<Object>(); - for (Object object :(List<Object>)data.getData()) { - objects.add(authorizeSingleWithMessungsId(userInfo, object, clazz)); - } - data.setData(objects); - } - else { - Object object = data.getData(); - data.setData(authorizeSingleWithMessungsId(userInfo, object, clazz)); - } - return data; - } - - /** - * Authorize data that has a probeId Attribute. - * - * @param userInfo The user information. - * @param data The Response object containing the data. - * @param clazz The data object class. - * @return A Response object containing the data. - */ - @SuppressWarnings("unchecked") - private <T> Response authorizeWithProbeId( - UserInfo userInfo, - Response data, - Class<T> clazz - ) { - if (data.getData() instanceof List<?>) { - List<Object> objects = new ArrayList<Object>(); - for (Object object :(List<Object>)data.getData()) { - objects.add(authorizeSingleWithProbeId( - userInfo, - object, - clazz)); - } - data.setData(objects); - } - else { - Object object = data.getData(); - data.setData(authorizeSingleWithProbeId(userInfo, object, clazz)); - } - return data; - } - - /** - * Authorize a single data object that has a messungsId Attribute. - * - * @param userInfo The user information. - * @param data The Response object containing the data. - * @param clazz The data object class. - * @return A Response object containing the data. - */ - private <T> Object authorizeSingleWithMessungsId( - UserInfo userInfo, - Object data, - Class<T> clazz - ) { - try { - Method getMessungsId = clazz.getMethod("getMessungsId"); - Integer id = (Integer)getMessungsId.invoke(data); - LMessung messung = - (LMessung)repository.getById( - LMessung.class, id, "land").getData(); - LProbe probe = - (LProbe)repository.getById( - LProbe.class, messung.getProbeId(), "land").getData(); - - boolean readOnly = true; - boolean owner = false; - if (!userInfo.getNetzbetreiber().contains( - probe.getNetzbetreiberId())) { - owner = false; - readOnly = true; - } - else { - if (userInfo.getMessstellen().contains(probe.getMstId())) { - owner = true; - } - else { - owner = false; - } - readOnly = this.isMessungReadOnly(messung); - } - - Method setOwner = clazz.getMethod("setOwner", boolean.class); - Method setReadonly = clazz.getMethod("setReadonly", boolean.class); - setOwner.invoke(data, owner); - setReadonly.invoke(data, readOnly); - } catch (NoSuchMethodException | SecurityException - | IllegalAccessException | IllegalArgumentException - | InvocationTargetException e) { - return null; - } - return data; - } - - /** - * Authorize a single data object that has a probeId Attribute. - * - * @param userInfo The user information. - * @param data The Response object containing the data. - * @param clazz The data object class. - * @return A Response object containing the data. - */ - private <T> Object authorizeSingleWithProbeId( - UserInfo userInfo, - Object data, - Class<T> clazz - ) { - try { - Method getProbeId = clazz.getMethod("getProbeId"); - Integer id = null; - if (getProbeId != null) { - id = (Integer) getProbeId.invoke(data); - } - else { - return null; - } - LProbe probe = - (LProbe)repository.getById(LProbe.class, id, "land").getData(); - - boolean readOnly = true; - boolean owner = false; - if (!userInfo.getNetzbetreiber().contains( - probe.getNetzbetreiberId())) { - owner = false; - readOnly = true; - } - else { - if (userInfo.getMessstellen().contains(probe.getMstId())) { - owner = true; - } - else { - owner = false; - } - readOnly = this.isReadOnly(id); - } - - Method setOwner = clazz.getMethod("setOwner", boolean.class); - Method setReadonly = clazz.getMethod("setReadonly", boolean.class); - setOwner.invoke(data, owner); - setReadonly.invoke(data, readOnly); - } catch (NoSuchMethodException | SecurityException - | IllegalAccessException | IllegalArgumentException - | InvocationTargetException e) { - return null; - } - return data; - } - - /** - * Authorize probe objects. - * - * @param userInfo The user information. - * @param data The Response object containing the probe objects. - * @return A Response object containing the data. - */ - @SuppressWarnings("unchecked") - private Response authorizeProbe(UserInfo userInfo, Response data) { - if (data.getData() instanceof List<?>) { - List<LProbe> proben = new ArrayList<LProbe>(); - for (LProbe probe :(List<LProbe>)data.getData()) { - proben.add(authorizeSingleProbe(userInfo, probe)); - } - data.setData(proben); - } - else if (data.getData() instanceof LProbe) { - LProbe probe = (LProbe)data.getData(); - data.setData(authorizeSingleProbe(userInfo, probe)); - } - return data; - } - - /** - * Authorize a sinle probe object. - * - * @param userInfo The user information. - * @param probe The probe object. - * @return The probe. - */ - private LProbe authorizeSingleProbe(UserInfo userInfo, LProbe probe) { - if (!userInfo.getNetzbetreiber().contains(probe.getNetzbetreiberId())) { - probe.setOwner(false); - probe.setReadonly(true); - return probe; - } - if (userInfo.getMessstellen().contains(probe.getMstId())) { - probe.setOwner(true); - } - else { - probe.setOwner(false); - } - probe.setReadonly(this.isReadOnly(probe.getId())); - return probe; - } - - /** - * Authorize messung objects. - * - * @param userInfo The user information. - * @param data The Response object containing the messung objects. - * @return A Response object containing the data. - */ - @SuppressWarnings("unchecked") - private Response authorizeMessung(UserInfo userInfo, Response data) { - if (data.getData() instanceof List<?>) { - List<LMessung> messungen = new ArrayList<LMessung>(); - for (LMessung messung :(List<LMessung>)data.getData()) { - messungen.add(authorizeSingleMessung(userInfo, messung)); - } - data.setData(messungen); - } - else if (data.getData() instanceof LMessung) { - LMessung messung = (LMessung)data.getData(); - data.setData(authorizeSingleMessung(userInfo, messung)); - } - return data; - } - - /** - * Authorize a sinle messung object. - * - * @param userInfo The user information. - * @param messung The messung object. - * @return The messung. - */ - private LMessung authorizeSingleMessung( - UserInfo userInfo, - LMessung messung - ) { - LProbe probe = - (LProbe)repository.getById( - LProbe.class, messung.getProbeId(), "land").getData(); - if (!userInfo.getNetzbetreiber().contains(probe.getNetzbetreiberId())) { - messung.setOwner(false); - messung.setReadonly(true); - return messung; - } - if (userInfo.getMessstellen().contains(probe.getMstId())) { - messung.setOwner(true); - } - else { - messung.setOwner(false); - } - if (messung.getStatus() == null) { - messung.setReadonly(false); - } - else { - LStatusProtokoll status = repository.getByIdPlain( - LStatusProtokoll.class, - messung.getStatus(), - "land"); - messung.setReadonly( - status.getStatusWert() != 0 && status.getStatusWert() != 4); - } - - boolean statusEdit = false; - if (userInfo.getFunktionen().contains(3)) { - QueryBuilder<AuthLstUmw> lstFilter = new QueryBuilder<AuthLstUmw>( - repository.entityManager("stamm"), - AuthLstUmw.class); - lstFilter.or("lstId", userInfo.getMessstellen()); - List<AuthLstUmw> lsts = - repository.filterPlain(lstFilter.getQuery(), "stamm"); - for (int i = 0; i < lsts.size(); i++) { - if (lsts.get(i).getUmwId().equals(probe.getUmwId())) { - statusEdit = true; - } - } - } - else if (userInfo.getFunktionen().contains(2) && - userInfo.getNetzbetreiber().contains(probe.getNetzbetreiberId())) { - statusEdit = true; - } - else if (userInfo.getFunktionen().contains(1) && - userInfo.getMessstellen().contains(probe.getMstId())) { - statusEdit = true; - } - messung.setStatusEdit(statusEdit); - - return messung; - } - - /** * Test whether a probe is readonly. * * @param probeId The probe Id. @@ -620,25 +232,16 @@ * @return True if the user is authorized else returns false. */ @Override - public boolean isAuthorized(UserInfo userInfo, Object data) { - if (data instanceof LProbe) { - return getAuthorization(userInfo, (LProbe)data); - } - else if (data instanceof LMessung) { - LProbe probe = repository.getByIdPlain(LProbe.class, ((LMessung)data).getProbeId(), "land"); - return getAuthorization(userInfo, probe); + public <T> boolean isAuthorized( + UserInfo userInfo, + Object data, + Class<T> clazz + ) { + Authorizer authorizer = authorizers.get(clazz); + //This is a hack... Allows wildcard for unknown classes. + if (authorizer == null) { + return true; } - return false; - } - - private boolean isMessungReadOnly(LMessung messung) { - if (messung.getStatus() == null) { - return false; - } - LStatusProtokoll status = repository.getByIdPlain( - LStatusProtokoll.class, - messung.getStatus(), - "land"); - return (status.getStatusWert() != 0 && status.getStatusWert() != 4); + return authorizer.isAuthorized(data, RequestMethod.GET, userInfo, clazz); } }
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/main/java/de/intevation/lada/util/auth/MessungAuthorizer.java Fri Jan 08 12:05:26 2016 +0100 @@ -0,0 +1,120 @@ +package de.intevation.lada.util.auth; + +import java.util.ArrayList; +import java.util.List; + +import de.intevation.lada.model.land.LMessung; +import de.intevation.lada.model.land.LProbe; +import de.intevation.lada.model.land.LStatusProtokoll; +import de.intevation.lada.model.stamm.AuthLstUmw; +import de.intevation.lada.util.data.QueryBuilder; +import de.intevation.lada.util.rest.RequestMethod; +import de.intevation.lada.util.rest.Response; + +public class MessungAuthorizer extends BaseAuthorizer { + + @Override + public <T> boolean isAuthorized( + Object data, + RequestMethod method, + UserInfo userInfo, + Class<T> clazz + ) { + LMessung messung = (LMessung)data; + Response response = + repository.getById(LProbe.class, messung.getProbeId(), "land"); + LProbe probe = (LProbe)response.getData(); + if (method == RequestMethod.PUT || + method == RequestMethod.DELETE) { + return !this.isMessungReadOnly(messung.getId()) && + getAuthorization(userInfo, probe); + } + return getAuthorization(userInfo, probe); + } + + @SuppressWarnings("unchecked") + @Override + public <T> Response filter( + Response data, + UserInfo userInfo, + Class<T> clazz + ) { + if (data.getData() instanceof List<?>) { + List<LMessung> messungen = new ArrayList<LMessung>(); + for (LMessung messung :(List<LMessung>)data.getData()) { + messungen.add(setAuthData(userInfo, messung)); + } + data.setData(messungen); + } + else if (data.getData() instanceof LMessung) { + LMessung messung = (LMessung)data.getData(); + data.setData(setAuthData(userInfo, messung)); + } + return data; + } + + /** + * Authorize a sinle messung object. + * + * @param userInfo The user information. + * @param messung The messung object. + * @return The messung. + */ + private LMessung setAuthData( + UserInfo userInfo, + LMessung messung + ) { + LProbe probe = + (LProbe)repository.getById( + LProbe.class, messung.getProbeId(), "land").getData(); + if (!userInfo.getNetzbetreiber().contains(probe.getNetzbetreiberId())) { + messung.setOwner(false); + messung.setReadonly(true); + return messung; + } + if (userInfo.getMessstellen().contains(probe.getMstId())) { + messung.setOwner(true); + } + else { + messung.setOwner(false); + } + if (messung.getStatus() == null) { + messung.setReadonly(false); + } + else { + LStatusProtokoll status = repository.getByIdPlain( + LStatusProtokoll.class, + messung.getStatus(), + "land"); + messung.setReadonly( + status.getStatusWert() != 0 && status.getStatusWert() != 4); + } + + boolean statusEdit = false; + if (userInfo.getFunktionen().contains(3)) { + QueryBuilder<AuthLstUmw> lstFilter = new QueryBuilder<AuthLstUmw>( + repository.entityManager("stamm"), + AuthLstUmw.class); + lstFilter.or("lstId", userInfo.getMessstellen()); + List<AuthLstUmw> lsts = + repository.filterPlain(lstFilter.getQuery(), "stamm"); + for (int i = 0; i < lsts.size(); i++) { + if (lsts.get(i).getUmwId().equals(probe.getUmwId())) { + statusEdit = true; + } + } + } + else if (userInfo.getFunktionen().contains(2) && + userInfo.getNetzbetreiber().contains(probe.getNetzbetreiberId())) { + statusEdit = true; + } + else if (userInfo.getFunktionen().contains(1) && + userInfo.getMessstellen().contains(probe.getMstId())) { + statusEdit = true; + } + messung.setStatusEdit(statusEdit); + + return messung; + } + +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/main/java/de/intevation/lada/util/auth/MessungIdAuthorizer.java Fri Jan 08 12:05:26 2016 +0100 @@ -0,0 +1,131 @@ +package de.intevation.lada.util.auth; + +import java.lang.reflect.InvocationTargetException; +import java.lang.reflect.Method; +import java.util.ArrayList; +import java.util.List; + +import de.intevation.lada.model.land.LMessung; +import de.intevation.lada.model.land.LProbe; +import de.intevation.lada.model.land.LStatusProtokoll; +import de.intevation.lada.util.rest.RequestMethod; +import de.intevation.lada.util.rest.Response; + +public class MessungIdAuthorizer extends BaseAuthorizer { + + @Override + public <T> boolean isAuthorized( + Object data, + RequestMethod method, + UserInfo userInfo, + Class<T> clazz + ) { + Method m; + try { + m = clazz.getMethod("getMessungsId"); + } catch (NoSuchMethodException | SecurityException e1) { + return false; + } + Integer id; + try { + id = (Integer) m.invoke(data); + } catch (IllegalAccessException | + IllegalArgumentException | + InvocationTargetException e + ) { + return false; + } + LMessung messung = repository.getByIdPlain(LMessung.class, id, "land"); + LProbe probe = repository.getByIdPlain( + LProbe.class, + messung.getProbeId(), + "land"); + if (messung.getStatus() == null) { + return false; + } + LStatusProtokoll status = repository.getByIdPlain( + LStatusProtokoll.class, + messung.getStatus(), + "land"); + return (method == RequestMethod.POST || + method == RequestMethod.PUT || + method == RequestMethod.DELETE || + status.getStatusWert() != 0) && + getAuthorization(userInfo, probe); + } + + @SuppressWarnings("unchecked") + @Override + public <T> Response filter( + Response data, + UserInfo userInfo, + Class<T> clazz + ) { + if (data.getData() instanceof List<?>) { + List<Object> objects = new ArrayList<Object>(); + for (Object object :(List<Object>)data.getData()) { + objects.add(setAuthData(userInfo, object, clazz)); + } + data.setData(objects); + } + else { + Object object = data.getData(); + data.setData(setAuthData(userInfo, object, clazz)); + } + return data; + } + + /** + * Authorize a single data object that has a messungsId Attribute. + * + * @param userInfo The user information. + * @param data The Response object containing the data. + * @param clazz The data object class. + * @return A Response object containing the data. + */ + private <T> Object setAuthData( + UserInfo userInfo, + Object data, + Class<T> clazz + ) { + try { + Method getMessungsId = clazz.getMethod("getMessungsId"); + Integer id = (Integer)getMessungsId.invoke(data); + LMessung messung = repository.getByIdPlain( + LMessung.class, + id, + "land"); + LProbe probe = repository.getByIdPlain( + LProbe.class, + messung.getProbeId(), + "land"); + + boolean readOnly = true; + boolean owner = false; + if (!userInfo.getNetzbetreiber().contains( + probe.getNetzbetreiberId())) { + owner = false; + readOnly = true; + } + else { + if (userInfo.getMessstellen().contains(probe.getMstId())) { + owner = true; + } + else { + owner = false; + } + readOnly = this.isMessungReadOnly(messung.getId()); + } + + Method setOwner = clazz.getMethod("setOwner", boolean.class); + Method setReadonly = clazz.getMethod("setReadonly", boolean.class); + setOwner.invoke(data, owner); + setReadonly.invoke(data, readOnly); + } catch (NoSuchMethodException | SecurityException + | IllegalAccessException | IllegalArgumentException + | InvocationTargetException e) { + return null; + } + return data; + } +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/main/java/de/intevation/lada/util/auth/NetzbetreiberAuthorizer.java Fri Jan 08 12:05:26 2016 +0100 @@ -0,0 +1,49 @@ +package de.intevation.lada.util.auth; + +import java.lang.reflect.InvocationTargetException; +import java.lang.reflect.Method; + +import de.intevation.lada.util.rest.RequestMethod; +import de.intevation.lada.util.rest.Response; + +public class NetzbetreiberAuthorizer extends BaseAuthorizer { + + @Override + public <T> boolean isAuthorized( + Object data, + RequestMethod method, + UserInfo userInfo, + Class<T> clazz + ) { + Method m; + try { + m = clazz.getMethod("getNetzbetreiberId"); + } catch (NoSuchMethodException | SecurityException e1) { + return false; + } + String id; + try { + id = (String) m.invoke(data); + } catch (IllegalAccessException | + IllegalArgumentException | + InvocationTargetException e + ) { + return false; + } + return (method == RequestMethod.POST || + method == RequestMethod.PUT || + method == RequestMethod.DELETE) && + userInfo.getNetzbetreiber().contains(id) && + userInfo.getFunktionen().contains(4); + } + + @Override + public <T> Response filter( + Response data, + UserInfo userInfo, + Class<T> clazz + ) { + return data; + } + +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/main/java/de/intevation/lada/util/auth/ProbeAuthorizer.java Fri Jan 08 12:05:26 2016 +0100 @@ -0,0 +1,73 @@ +package de.intevation.lada.util.auth; + +import java.util.ArrayList; +import java.util.List; + +import de.intevation.lada.model.land.LProbe; +import de.intevation.lada.util.rest.RequestMethod; +import de.intevation.lada.util.rest.Response; + +public class ProbeAuthorizer extends BaseAuthorizer { + + @Override + public <T> boolean isAuthorized( + Object data, + RequestMethod method, + UserInfo userInfo, + Class<T> clazz + ) { + LProbe probe = (LProbe)data; + if (method == RequestMethod.POST) { + return getAuthorization(userInfo, probe); + } + else if (method == RequestMethod.PUT || + method == RequestMethod.DELETE) { + return !isProbeReadOnly(probe.getId()); + } + return false; + } + + @SuppressWarnings("unchecked") + @Override + public <T> Response filter( + Response data, + UserInfo userInfo, + Class<T> clazz + ) { + if (data.getData() instanceof List<?>) { + List<LProbe> proben = new ArrayList<LProbe>(); + for (LProbe probe :(List<LProbe>)data.getData()) { + proben.add(setAuthData(userInfo, probe)); + } + data.setData(proben); + } + else if (data.getData() instanceof LProbe) { + LProbe probe = (LProbe)data.getData(); + data.setData(setAuthData(userInfo, probe)); + } + return data; + } + + /** + * Set authorization data for the current probe object. + * + * @param userInfo The user information. + * @param probe The probe object. + * @return The probe. + */ + private LProbe setAuthData(UserInfo userInfo, LProbe probe) { + if (!userInfo.getNetzbetreiber().contains(probe.getNetzbetreiberId())) { + probe.setOwner(false); + probe.setReadonly(true); + return probe; + } + if (userInfo.getMessstellen().contains(probe.getMstId())) { + probe.setOwner(true); + } + else { + probe.setOwner(false); + } + probe.setReadonly(this.isProbeReadOnly(probe.getId())); + return probe; + } +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/main/java/de/intevation/lada/util/auth/ProbeIdAuthorizer.java Fri Jan 08 12:05:26 2016 +0100 @@ -0,0 +1,114 @@ +package de.intevation.lada.util.auth; + +import java.lang.reflect.InvocationTargetException; +import java.lang.reflect.Method; +import java.util.ArrayList; +import java.util.List; + +import de.intevation.lada.model.land.LProbe; +import de.intevation.lada.util.rest.RequestMethod; +import de.intevation.lada.util.rest.Response; + +public class ProbeIdAuthorizer extends BaseAuthorizer { + + @Override + public <T> boolean isAuthorized( + Object data, + RequestMethod method, + UserInfo userInfo, + Class<T> clazz + ) { + Method m; + try { + m = clazz.getMethod("getProbeId"); + } catch (NoSuchMethodException | SecurityException e1) { + return false; + } + Integer id; + try { + id = (Integer) m.invoke(data); + } catch (IllegalAccessException | + IllegalArgumentException | + InvocationTargetException e + ) { + return false; + } + LProbe probe = + repository.getByIdPlain(LProbe.class, id, "land"); + return !isProbeReadOnly(id) && getAuthorization(userInfo, probe); + } + + @SuppressWarnings("unchecked") + @Override + public <T> Response filter( + Response data, + UserInfo userInfo, + Class<T> clazz + ) { + if (data.getData() instanceof List<?>) { + List<Object> objects = new ArrayList<Object>(); + for (Object object :(List<Object>)data.getData()) { + objects.add(setAuthData(userInfo, object, clazz)); + } + data.setData(objects); + } + else { + Object object = data.getData(); + data.setData(setAuthData(userInfo, object, clazz)); + } + return data; + } + /** + * Authorize a single data object that has a probeId Attribute. + * + * @param userInfo The user information. + * @param data The Response object containing the data. + * @param clazz The data object class. + * @return A Response object containing the data. + */ + private <T> Object setAuthData( + UserInfo userInfo, + Object data, + Class<T> clazz + ) { + try { + Method getProbeId = clazz.getMethod("getProbeId"); + Integer id = null; + if (getProbeId != null) { + id = (Integer) getProbeId.invoke(data); + } + else { + return null; + } + LProbe probe = + (LProbe)repository.getById(LProbe.class, id, "land").getData(); + + boolean readOnly = true; + boolean owner = false; + if (!userInfo.getNetzbetreiber().contains( + probe.getNetzbetreiberId())) { + owner = false; + readOnly = true; + } + else { + if (userInfo.getMessstellen().contains(probe.getMstId())) { + owner = true; + } + else { + owner = false; + } + readOnly = this.isProbeReadOnly(id); + } + + Method setOwner = clazz.getMethod("setOwner", boolean.class); + Method setReadonly = clazz.getMethod("setReadonly", boolean.class); + setOwner.invoke(data, owner); + setReadonly.invoke(data, readOnly); + } catch (NoSuchMethodException | SecurityException + | IllegalAccessException | IllegalArgumentException + | InvocationTargetException e) { + return null; + } + return data; + } +}
--- a/src/main/java/de/intevation/lada/util/auth/TestAuthorization.java Fri Dec 18 18:01:00 2015 +0100 +++ b/src/main/java/de/intevation/lada/util/auth/TestAuthorization.java Fri Jan 08 12:05:26 2016 +0100 @@ -49,7 +49,7 @@ } @Override - public boolean isAuthorized(UserInfo userInfo, Object data) { + public <T> boolean isAuthorized(UserInfo userInfo, Object data, Class<T> clazz) { return true; } @@ -57,10 +57,4 @@ public boolean isReadOnly(Integer probeId) { return false; } - - @Override - public <T> boolean isAuthorized(int id, Class<T> clazz) { - return true; - } - }