From 8a25837c36071d799e65dc5686fda53736b2a852 Mon Sep 17 00:00:00 2001
From: anttil <anttil>
Date: Tue, 26 Jun 2012 10:32:52 +0000
Subject: [PATCH] BIS-100 / SP-138: Add authorization checks for space and material creation to AtomicOperationsPredicate.

SVN: 25859
---
 .../predicate/AtomicOperationsPredicate.java | 53 +++++++++++++++++++
 .../systemtest/EntityOperationTest.java | 21 +++-----
 2 files changed, 61 insertions(+), 13 deletions(-)

diff --git a/openbis/source/java/ch/systemsx/cisd/openbis/generic/shared/authorization/predicate/AtomicOperationsPredicate.java b/openbis/source/java/ch/systemsx/cisd/openbis/generic/shared/authorization/predicate/AtomicOperationsPredicate.java
index 190341ae9a0..55e3bdcd779 100644
--- a/openbis/source/java/ch/systemsx/cisd/openbis/generic/shared/authorization/predicate/AtomicOperationsPredicate.java
+++ b/openbis/source/java/ch/systemsx/cisd/openbis/generic/shared/authorization/predicate/AtomicOperationsPredicate.java
@@ -23,11 +23,13 @@ import ch.systemsx.cisd.openbis.generic.shared.authorization.IAuthorizationDataP
 import ch.systemsx.cisd.openbis.generic.shared.authorization.RoleWithIdentifier;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.NewExperiment;
 import ch.systemsx.cisd.openbis.generic.shared.basic.dto.NewSample;
+import ch.systemsx.cisd.openbis.generic.shared.basic.dto.RoleWithHierarchy.RoleCode;
 import ch.systemsx.cisd.openbis.generic.shared.dto.AtomicEntityOperationDetails;
 import ch.systemsx.cisd.openbis.generic.shared.dto.DataSetUpdatesDTO;
 import ch.systemsx.cisd.openbis.generic.shared.dto.ExperimentUpdatesDTO;
 import ch.systemsx.cisd.openbis.generic.shared.dto.NewExternalData;
 import ch.systemsx.cisd.openbis.generic.shared.dto.PersonPE;
+import ch.systemsx.cisd.openbis.generic.shared.dto.RoleAssignmentPE;
 import ch.systemsx.cisd.openbis.generic.shared.dto.SampleUpdatesDTO;
 import ch.systemsx.cisd.openbis.generic.shared.dto.identifier.ExperimentIdentifier;
 import ch.systemsx.cisd.openbis.generic.shared.dto.identifier.SampleIdentifier;
@@ -142,10 +144,61 @@ public class AtomicOperationsPredicate extends AbstractPredicate<AtomicEntityOpe
 {
 result = evaluateDataSetUpdatesPredicate();
 }
+ if (result.equals(Status.OK))
+ {
+ result = evaluateSpaceRegistrations();
+ }
+ if (result.equals(Status.OK))
+ {
+ result = evaluateMaterialRegistrations();
+ }
 return result;
 }
 
+ private Status evaluateSpaceRegistrations()
+ {
+ if (value.getSpaceRegistrations() != null && value.getSpaceRegistrations().size() > 0)
+ {
+ return isInstanceEtlServer(person);
+ } else
+ {
+ return Status.OK;
+ }
+ }
+
+ private Status evaluateMaterialRegistrations()
+ {
+ if (value.getMaterialRegistrations() != null
+ && value.getMaterialRegistrations().size() > 0)
+ {
+ return isInstanceEtlServer(person);
+ } else
+ {
+ return Status.OK;
+ }
+ }
+
+ private Status isInstanceEtlServer(PersonPE person)
+ {
+ for (RoleAssignmentPE role : person.getRoleAssignments())
+ {
+ if (role.getSpace() == null)
+ {
+ RoleCode roleCode = role.getRole();
+ if (RoleCode.ADMIN.equals(roleCode) || RoleCode.ETL_SERVER.equals(roleCode))
+ {
+ return Status.OK;
+ }
+ }
+ }
+ return Status
+ .createError(
+ false,
+ "None of method roles '[INSTANCE_ETL_SERVER, INSTANCE_ADMIN]' could be found in roles of user '"
+ + person.getUserId() + "'.");
+ }
+
 private Status evaluateExperimentUpdatePredicate()
 {
 for (ExperimentUpdatesDTO experimentUpdates : value.getExperimentUpdates())
 {
diff --git a/openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/EntityOperationTest.java b/openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/EntityOperationTest.java
index 7ab242acd2e..4c075d45d7d 100644
--- a/openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/EntityOperationTest.java
+++ b/openbis/sourceTest/java/ch/systemsx/cisd/openbis/systemtest/EntityOperationTest.java
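Review bot: `isInstanceEtlServer` re-implements the role decision by hand: it walks `person.getRoleAssignments()`, treats `role.getSpace() == null` as instance level, and hard-codes both the accepted role codes and the role names in the error string, so the check and its message can drift from each other and from the project's role definitions. If a role can also reach a user indirectly (for example through a group; not visible in this hunk), it is not consulted here and such a user would be rejected. The name reads like a boolean test for one role, while the method returns a `Status` and accepts ADMIN too; a name such as `requireInstanceAdminOrEtlServer` with the comment `// Instance-level roles carry no space; only instance ADMIN or ETL_SERVER may register spaces and materials.` would state the intent. The parameter `person` also hides the field of the same name that both callers pass in, and `evaluateSpaceRegistrations` and `evaluateMaterialRegistrations` differ only in the getter, so one helper taking the list would keep the gate in a single place. The method that receives the two new `if` blocks starts above the hunk.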
@@ -296,15 +296,15 @@ public class EntityOperationTest extends SystemTestCase
 assertEquals("CISD/TEST_SPACE", space.toString());
 }
 
- @Test
- public void testCreateSpaceAsInstanceAdminButLoginAsSpaceETLServer()
+ @Test(expectedExceptions =
+ { AuthorizationFailureException.class })
+ public void testCreateSpaceAsInstanceAdminButLoginAsSpaceETLServerFails()
 {
 String sessionToken = authenticateAs(SPACE_ETL_SERVER_FOR_A);
 AtomicEntityOperationDetails eo =
 new EntityOperationBuilder().user(INSTANCE_ADMIN).space("TEST_SPACE").create();
 
- AtomicEntityOperationResult result = etlService.performEntityOperations(sessionToken, eo);
- assertEquals(1, result.getSpacesCreatedCount());
+ etlService.performEntityOperations(sessionToken, eo);
 }
 
 @Test
@@ -338,8 +338,9 @@ public class EntityOperationTest extends SystemTestCase
 assertEquals("[GENE_SYMBOL: 42]", material.getProperties().toString());
 }
 
- @Test
- public void testCreateMaterialAsInstanceAdminButLoginAsSpaceETLServer()
+ @Test(expectedExceptions =
+ { AuthorizationFailureException.class })
+ public void testCreateMaterialAsInstanceAdminButLoginAsSpaceETLServerFails()
 {
 String sessionToken = authenticateAs(SPACE_ETL_SERVER_FOR_A);
 AtomicEntityOperationDetails eo =
@@ -350,13 +351,7 @@ public class EntityOperationTest extends SystemTestCase
 new MaterialBuilder().code("ALPHA").property("GENE_SYMBOL", "42")
 .getMaterial()).create();
 
- AtomicEntityOperationResult result = etlService.performEntityOperations(sessionToken, eo);
- assertEquals(1, result.getMaterialsCreatedCount());
-
- Material material =
- etlService.tryGetMaterial(sessionToken, new MaterialIdentifier("ALPHA", "GENE"));
- assertEquals("ALPHA (GENE)", material.toString());
- assertEquals("[GENE_SYMBOL: 42]", material.getProperties().toString());
+ etlService.performEntityOperations(sessionToken, eo);
 }
 
 @Test
-- 
GitLab
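Review bot: `expectedExceptions = { AuthorizationFailureException.class }` on `testCreateSpaceAsInstanceAdminButLoginAsSpaceETLServerFails` covers the whole method body, so the test passes whichever call throws and for whatever authorization reason; the same holds for `testCreateMaterialAsInstanceAdminButLoginAsSpaceETLServerFails`, whose body spans the next two hunks and is only partly visible. Catching the exception around `etlService.performEntityOperations(sessionToken, eo)`, asserting on its message, and then checking that `TEST_SPACE` (or material `ALPHA`) does not exist would tie the denial to the new instance-role check and show that nothing was written. Both tests log in with a space-scoped ETL server role, so a further case with a space-scoped ADMIN would confirm that the ADMIN role code alone, without instance scope, is still refused.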