Posted to commits@airavata.apache.org by ma...@apache.org on 2018/06/05 15:42:15 UTC

[airavata] 02/03: AIRAVATA-2781 Adding userCanAccess to API to test Admins write access

This is an automated email from the ASF dual-hosted git repository.

machristie pushed a commit to branch group-based-auth
in repository https://gitbox.apache.org/repos/asf/airavata.git

commit 10d4d7fe66273617bc46fff9bb134447b7c7eda4
Author: Marcus Christie <ma...@apache.org>
AuthorDate: Tue Jun 5 11:39:42 2018 -0400

    AIRAVATA-2781 Adding userCanAccess to API to test Admins write access
---
 .../api/server/handler/AiravataServerHandler.java  | 28 ++++++++++++++++++++++
 .../airavata-apis/airavata_api.thrift              |  6 +++++
 2 files changed, 34 insertions(+)

diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
index 16f6c23..49c32a6 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
@@ -5115,6 +5115,34 @@ public class AiravataServerHandler implements Airavata.Iface {
 
     @Override
     @SecurityCheck
+    public boolean userHasAccess(AuthzToken authzToken, String resourceId, ResourcePermissionType permissionType) throws InvalidRequestException, AiravataClientException, AiravataSystemException, AuthorizationException, TException {
+        final String domainId = authzToken.getClaimsMap().get(Constants.GATEWAY_ID);
+        final String userId = authzToken.getClaimsMap().get(Constants.USER_NAME) + "@" + domainId;
+        SharingRegistryService.Client sharingClient = sharingClientPool.getResource();
+        try {
+            final boolean hasOwnerAccess = sharingClient.userHasAccess(domainId, userId, resourceId, domainId + ":" + ResourcePermissionType.OWNER);
+            boolean hasAccess = false;
+            if (permissionType.equals(ResourcePermissionType.WRITE)) {
+                hasAccess = hasOwnerAccess || sharingClient.userHasAccess(domainId, userId, resourceId, domainId + ":" + ResourcePermissionType.WRITE);
+            } else if (permissionType.equals(ResourcePermissionType.READ)) {
+                hasAccess = hasOwnerAccess || sharingClient.userHasAccess(domainId, userId, resourceId, domainId + ":" + ResourcePermissionType.READ);
+            } else if (permissionType.equals(ResourcePermissionType.OWNER)) {
+                hasAccess = hasOwnerAccess;
+            }
+            sharingClientPool.returnResource(sharingClient);
+            return hasAccess;
+        } catch (Exception e) {
+            String msg = "Error in if user can access resource. User ID : " + userId + ", Resource ID : " + resourceId + ", Resource Permission Type : " + permissionType.toString();
+            logger.error(msg, e);
+            AiravataSystemException exception = new AiravataSystemException(AiravataErrorType.INTERNAL_ERROR);
+            exception.setMessage(msg + " More info : " + e.getMessage());
+            sharingClientPool.returnBrokenResource(sharingClient);
+            throw exception;
+        }
+    }
+
+    @Override
+    @SecurityCheck
     public String createGroupResourceProfile(AuthzToken authzToken, GroupResourceProfile groupResourceProfile) throws InvalidRequestException, AiravataClientException, AiravataSystemException, AuthorizationException, TException {
         // TODO: verify that gatewayId in groupResourceProfile matches authzToken gatewayId
         RegistryService.Client regClient = registryClientPool.getResource();
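Review bot: `userHasAccess` never checks `permissionType` for null, and if the Thrift layer lets a null through, `permissionType.equals(...)` throws inside the `try` and the `catch` block throws again at `permissionType.toString()` while building `msg`. That second exception fires before `sharingClientPool.returnBrokenResource(sharingClient)` runs, so the pooled client is never returned. Reject a null argument before `sharingClientPool.getResource()` with the already-declared `InvalidRequestException`, and build the message with `String.valueOf(permissionType)`. Separately, `exception.setMessage(msg + " More info : " + e.getMessage())` sends the sharing-registry exception text to the API caller; that detail is already captured by `logger.error(msg, e)` and could stay server-side. An unrecognised permission type falls through to `hasAccess = false`, which is the right fail-closed default for an access check and is worth a one-line comment such as `// unknown permission types are denied`.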
diff --git a/thrift-interface-descriptions/airavata-apis/airavata_api.thrift b/thrift-interface-descriptions/airavata-apis/airavata_api.thrift
index 8cba91e..0a43ecb 100644
--- a/thrift-interface-descriptions/airavata-apis/airavata_api.thrift
+++ b/thrift-interface-descriptions/airavata-apis/airavata_api.thrift
@@ -3520,6 +3520,12 @@ service Airavata {
                                                  3: airavata_errors.AiravataSystemException ase,
                                                  4: airavata_errors.AuthorizationException ae)
 
+ bool userHasAccess(1: required security_model.AuthzToken authzToken, 2: required string resourceId, 3: required group_manager_model.ResourcePermissionType permissionType)
+                throws (1: airavata_errors.InvalidRequestException ire,
+                                                 2: airavata_errors.AiravataClientException ace,
+                                                 3: airavata_errors.AiravataSystemException ase,
+                                                 4: airavata_errors.AuthorizationException ae)
+
 
  string createGroupResourceProfile(1: required security_model.AuthzToken authzToken, 2: required group_resource_profile_model.GroupResourceProfile groupResourceProfile)
                                                                          throws (1: airavata_errors.InvalidRequestException ire,
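Review bot: The new `userHasAccess` declaration has no doc comment, so the contract that clients rely on is visible only in the Java handler. A comment above the declaration such as `/** Returns true if the user identified by authzToken holds permissionType on resourceId; OWNER access also satisfies READ and WRITE. */` would record that the check is for the calling user and that ownership implies the lower permissions. The `service Airavata` body starts and ends outside this hunk.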

-- 