001 //$HeadURL: svn+ssh://jwilden@svn.wald.intevation.org/deegree/base/branches/2.5_testing/src/org/deegree/security/drm/SecurityHelper.java $
002 /*----------------------------------------------------------------------------
003 This file is part of deegree, http://deegree.org/
004 Copyright (C) 2001-2009 by:
005 Department of Geography, University of Bonn
006 and
007 lat/lon GmbH
008
009 This library is free software; you can redistribute it and/or modify it under
010 the terms of the GNU Lesser General Public License as published by the Free
011 Software Foundation; either version 2.1 of the License, or (at your option)
012 any later version.
013 This library is distributed in the hope that it will be useful, but WITHOUT
014 ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
015 FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
016 details.
017 You should have received a copy of the GNU Lesser General Public License
018 along with this library; if not, write to the Free Software Foundation, Inc.,
019 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
020
021 Contact information:
022
023 lat/lon GmbH
024 Aennchenstr. 19, 53177 Bonn
025 Germany
026 http://lat-lon.de/
027
028 Department of Geography, University of Bonn
029 Prof. Dr. Klaus Greve
030 Postfach 1147, 53001 Bonn
031 Germany
032 http://www.geographie.uni-bonn.de/deegree/
033
034 e-mail: info@deegree.org
035 ----------------------------------------------------------------------------*/
036 package org.deegree.security.drm;
037
038 import java.util.HashSet;
039 import java.util.Iterator;
040 import java.util.Set;
041
042 import org.deegree.security.GeneralSecurityException;
043 import org.deegree.security.UnauthorizedException;
044 import org.deegree.security.drm.model.RightType;
045 import org.deegree.security.drm.model.Role;
046 import org.deegree.security.drm.model.User;
047
048 /**
049 * Helper class that performs access checks.
050 * <p>
051 *
052 * @author <a href="mschneider@lat-lon.de">Markus Schneider</a>
053 * @author last edited by: $Author: apoth $
054 *
055 * @version $Revision: 28661 $, $Date: 2010-12-09 09:12:29 +0100 (Do, 09 Dez 2010) $
056 */
057 public class SecurityHelper {
058
059 /**
060 * Returns the administrator (the 'Administrator'- or a 'SUBADMIN:'-role) for the given role.
061 * <p>
062 *
063 * @param access
064 * @param role
065 * @return the administrator (the 'Administrator'- or a 'SUBADMIN:'-role) for the given role.
066 * @throws GeneralSecurityException
067 *
068 */
069 public static Role findAdminForRole( SecurityAccess access, Role role )
070 throws GeneralSecurityException {
071
072 Role[] allRoles = access.getAllRoles();
073 Role admin = access.getRoleById( Role.ID_SEC_ADMIN );
074 for ( int i = 0; i < allRoles.length; i++ ) {
075 if ( allRoles[i].getName().startsWith( "SUBADMIN:" ) ) {
076 // if a subadmin-role has the update right, it is
077 // considered to be the administrative for the role
078 if ( allRoles[i].hasRight( access, RightType.UPDATE, role ) ) {
079 admin = allRoles[i];
080 }
081 }
082 }
083 return admin;
084 }
085
086 /**
087 * Returns the associated 'Administrator'- or 'SUBADMIN:'-role of the token holder.
088 * <p>
089 *
090 * @param access
091 * @return the associated 'Administrator'- or 'SUBADMIN:'-role of the token holder.
092 * <p>
093 * @throws ManagementException
094 * @throws GeneralSecurityException
095 */
096 public static Role checkForAdminOrSubadminRole( SecurityAccess access )
097 throws ManagementException, GeneralSecurityException {
098 Role adminOrSubadminRole = null;
099 Role[] roles = access.getUser().getRoles( access );
100 for ( int i = 0; i < roles.length; i++ ) {
101 if ( roles[i].getID() == Role.ID_SEC_ADMIN || roles[i].getName().startsWith( "SUBADMIN:" ) ) {
102 if ( adminOrSubadminRole == null ) {
103 adminOrSubadminRole = roles[i];
104 } else {
105 throw new ManagementException( "Unzulässige Rollenvergabe: Benutzer '"
106 + access.getUser().getTitle() + "' hat sowohl die Rolle '"
107 + adminOrSubadminRole.getTitle() + "' als auch die Rolle '"
108 + roles[i].getTitle() + "'." );
109 }
110 }
111 }
112 if ( adminOrSubadminRole == null ) {
113 throw new UnauthorizedException( "Sie haben nicht die für den Zugriff " + "benötigte 'Administrator'- "
114 + "bzw. Subadministrator-Rolle." );
115 }
116 return adminOrSubadminRole;
117 }
118
119 /**
120 * Tests if the given token is associated with the 'Administrator'-role.
121 * <p>
122 *
123 * @param access
124 * @throws GeneralSecurityException
125 * this is an UnauthorizedException if the user does not have the
126 * 'Administrator'-role
127 */
128 public static void checkForAdminRole( SecurityAccess access )
129 throws GeneralSecurityException {
130 Role[] roles = access.getUser().getRoles( access );
131 for ( int i = 0; i < roles.length; i++ ) {
132 if ( roles[i].getID() == Role.ID_SEC_ADMIN ) {
133 return;
134 }
135 }
136 throw new UnauthorizedException( "Sie haben nicht die für den Zugriff " + "benötigte 'Administrator'-Rolle." );
137 }
138
139 /**
140 * Tests if the 'SUBADMIN:' and 'Administrator'-roles are all disjoint (so that there are no
141 * users that have more than 1 role).
142 * <p>
143 *
144 * @param access
145 * @throws ManagementException
146 * if there is a user with more than one role
147 * @throws GeneralSecurityException
148 */
149 @SuppressWarnings("unchecked")
150 public static void checkSubadminRoleValidity( SecurityAccess access )
151 throws ManagementException, GeneralSecurityException {
152
153 Role[] subadminRoles = access.getRolesByNS( "SUBADMIN" );
154 Set<User>[] rolesAndUsers = new Set[subadminRoles.length + 1];
155 String[] roleNames = new String[subadminRoles.length + 1];
156
157 // admin role
158 User[] users = access.getRoleById( Role.ID_SEC_ADMIN ).getAllUsers( access );
159 rolesAndUsers[0] = new HashSet<User>();
160 roleNames[0] = "Administrator";
161 for ( int i = 0; i < users.length; i++ ) {
162 rolesAndUsers[0].add( users[i] );
163 }
164
165 // subadmin roles
166 for ( int i = 1; i < rolesAndUsers.length; i++ ) {
167 users = subadminRoles[i - 1].getAllUsers( access );
168 rolesAndUsers[i] = new HashSet<User>();
169 roleNames[i] = subadminRoles[i - 1].getTitle();
170 for ( int j = 0; j < users.length; j++ ) {
171 rolesAndUsers[i].add( users[j] );
172 }
173 }
174
175 // now check if all usersets are disjoint
176 for ( int i = 0; i < rolesAndUsers.length - 1; i++ ) {
177 Set userSet1 = rolesAndUsers[i];
178 for ( int j = i + 1; j < rolesAndUsers.length; j++ ) {
179 Set userSet2 = rolesAndUsers[j];
180 Iterator it = userSet2.iterator();
181 while ( it.hasNext() ) {
182 User user = (User) it.next();
183 if ( userSet1.contains( user ) ) {
184 throw new ManagementException( "Ungültige Subadmin-Rollenvergabe. Benutzer '" + user.getTitle()
185 + "' würde sowohl die Rolle '" + roleNames[i]
186 + "' als auch die Rolle '" + roleNames[j] + "' erhalten." );
187 }
188 }
189 }
190 }
191 }
192 }