From: bsinou
Date: Thu, 2 Feb 2017 12:37:00 +0000 (+0100)
Subject: Work on the security model, introduce Suite specific system roles
X-Git-Tag: argeo-suite-0.1.1~11
X-Git-Url: https://git.argeo.org/?p=gpl%2Fargeo-suite.git;a=commitdiff_plain;h=5a311ee5a160279e4627cd06733ea65178b8a1b0
Work on the security model, introduce Suite specific system roles
---
diff --git a/org.argeo.suite.core/src/org/argeo/suite/ArgeoSuiteRole.java b/org.argeo.suite.core/src/org/argeo/suite/ArgeoSuiteRole.java
new file mode 100644
index 0000000..0b19f66
--- /dev/null
+++ b/org.argeo.suite.core/src/org/argeo/suite/ArgeoSuiteRole.java
@@ -0,0 +1,14 @@
+package org.argeo.suite;
+
+import org.argeo.naming.LdapAttrs;
+import org.argeo.node.NodeConstants;
+
+/** Argeo Office specific roles used in the code */
+public enum ArgeoSuiteRole {
+ coworker, manager;
+
+ public String dn() {
+ return new StringBuilder(LdapAttrs.cn.name()).append("=").append(SuiteConstants.AS_DOMAIN_PREFIX).append(".")
+ .append(name()).append(",").append(NodeConstants.ROLES_BASEDN).toString();
+ }
+}
diff --git a/org.argeo.suite.core/src/org/argeo/suite/SuiteConstants.java b/org.argeo.suite.core/src/org/argeo/suite/SuiteConstants.java
index ee172ed..26f2aac 100644
--- a/org.argeo.suite.core/src/org/argeo/suite/SuiteConstants.java
+++ b/org.argeo.suite.core/src/org/argeo/suite/SuiteConstants.java
@@ -1,5 +1,7 @@
 package org.argeo.suite;
+
+/** Argeo Suite constants */
 public interface SuiteConstants {
+ String AS_DOMAIN_PREFIX = "org.argeo.suite";
 }
diff --git a/org.argeo.suite.core/src/org/argeo/suite/people/PeopleSuiteServiceImpl.java b/org.argeo.suite.core/src/org/argeo/suite/people/PeopleSuiteServiceImpl.java
index 27efb4d..12222fa 100644
--- a/org.argeo.suite.core/src/org/argeo/suite/people/PeopleSuiteServiceImpl.java
+++ b/org.argeo.suite.core/src/org/argeo/suite/people/PeopleSuiteServiceImpl.java
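Review bot: The enum's Javadoc says "Argeo Office specific roles" while the type is `ArgeoSuiteRole` and the DN is prefixed with `SuiteConstants.AS_DOMAIN_PREFIX`; the comment should name the same product, e.g. `/** Argeo Suite specific system roles; dn() yields cn=<AS_DOMAIN_PREFIX>.<name>,<ROLES_BASEDN> */`. `dn()` itself deserves a Javadoc stating that the LDAP DN is assembled only from compile-time constants and the enum constant's `name()`, because `configureACL` in PeopleSuiteServiceImpl now keys JCR privileges on this string and renaming a constant silently changes which principal holds those rights. The `StringBuilder` chain can be a plain concatenation: `return LdapAttrs.cn.name() + "=" + SuiteConstants.AS_DOMAIN_PREFIX + "." + name() + "," + NodeConstants.ROLES_BASEDN;`.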
@@ -1,5 +1,9 @@
 package org.argeo.suite.people;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Map;
+
 import javax.jcr.Repository;
 import javax.jcr.RepositoryException;
 import javax.jcr.Session;
@@ -14,9 +18,13 @@ import org.argeo.connect.people.PeopleService;
 import org.argeo.connect.people.PeopleTypes;
 import org.argeo.connect.people.ResourceService;
 import org.argeo.connect.people.core.PeopleServiceImpl;
+import org.argeo.connect.people.core.imports.EncodedTagCsvFileParser;
+import org.argeo.connect.util.ConnectJcrUtils;
 import org.argeo.jcr.JcrUtils;
 import org.argeo.node.NodeConstants;
+import org.argeo.suite.ArgeoSuiteRole;
 import org.argeo.suite.SuiteException;
+import org.springframework.core.io.Resource;
 /** Default implementation of an Argeo Suite specific People Backend */
 public class PeopleSuiteServiceImpl extends PeopleServiceImpl implements PeopleService, PeopleConstants {
@@ -25,7 +33,7 @@ public class PeopleSuiteServiceImpl extends PeopleServiceImpl implements PeopleS
 /* DEPENDENCY INJECTION */
 private Repository repository;
 private String workspaceName;
- // private UserAdminService userAdminService;
+ private Map initResources = null;
 public void init() {
 super.init();
@@ -33,6 +41,7 @@ public class PeopleSuiteServiceImpl extends PeopleServiceImpl implements PeopleS
 try {
 adminSession = repository.login(workspaceName);
 initialiseModel(adminSession);
+ initModelResources(adminSession);
 } catch (Exception e) {
 throw new SuiteException("Cannot initialise model", e);
 } finally {
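Review bot: `private Map initResources = null;` is a raw type, and the later `Resource resource = initResources.get("Countries");` in initModelResources assigns the `Object` that a raw `Map#get` returns to a `Resource`, which does not compile without a cast; the same raw type recurs on `setInitResources(Map initResources)` in the last hunk. Declare the field as `private Map<String, Resource> initResources;` and the setter parameter as `Map<String, Resource> initResources`. The explicit `= null` initialiser on the field is redundant.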
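Review bot: `init()` now calls `initModelResources(adminSession)` right after `initialiseModel(adminSession)`, but the rewritten `initialiseModel` in the next hunk also ends with an unconditional `initModelResources(adminSession);`, so every start-up runs the resource initialisation and the CSV imports twice on the same session. Keep only one of the two calls; since the `== null` guards inside initModelResources make the second pass mostly a no-op, dropping the line added here is the smaller change. The body of `init()` starts and ends outside this hunk.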
@@ -40,37 +49,47 @@ public class PeopleSuiteServiceImpl extends PeopleServiceImpl implements PeopleS
 }
 }
- // HELPERS
-
- // TODO Hard-coded creation of default public and shared file directories
- // To be cleaned once first init and configuration mechanisms have been
- // implemented
+ // TODO Hard-coded model initialisation
+ // To be cleaned once first init and config mechanisms have been implemented
 private final static String publicPath = "/public";
- private final static String sharedFilePath = "/sharedFiles";
+ // FIXME to be added in NodeConstants
+ private final static String groupHomePath = "/groups";
+ // FIXME Users must have read access on the jcr:system/jcr:versionStorage
+ // node under JackRabbit to be able to manage versions
+ private final static String jackRabbitVersionSystemPath = "/jcr:system";
+ // private final static String sharedFilePath = "/sharedFiles";
 @Override
 protected void initialiseModel(Session adminSession) throws RepositoryException {
 super.initialiseModel(adminSession);
 JcrUtils.mkdirs(adminSession, publicPath, NodeType.NT_UNSTRUCTURED);
- JcrUtils.mkdirs(adminSession, sharedFilePath, NodeType.NT_FOLDER);
- initModelResources(adminSession);
+ JcrUtils.mkdirs(adminSession, groupHomePath, NodeType.NT_UNSTRUCTURED);
+ // JcrUtils.mkdirs(adminSession, sharedFilePath, NodeType.NT_FOLDER);
 if (adminSession.hasPendingChanges()) {
 adminSession.save();
- log.info("Repository has been initialized " + "with People's model");
 configureACL(adminSession);
+ log.info("Repository has been initialised with Argeo Suite model");
 }
+ initModelResources(adminSession);
 }
 // First draft of configuration of the people specific rights
 private void configureACL(Session session) throws RepositoryException {
- String memberGroupDn = "cn=" + PeopleConstants.ROLE_MEMBER + ",ou=roles,ou=node";
- JcrUtils.addPrivilege(session, getBasePath(null), memberGroupDn, Privilege.JCR_ALL);
+
+ // Initialise people
+ JcrUtils.addPrivilege(session, getBasePath(null), ArgeoSuiteRole.coworker.dn(), Privilege.JCR_ALL);
+ JcrUtils.addPrivilege(session, jackRabbitVersionSystemPath, ArgeoSuiteRole.coworker.dn(), Privilege.JCR_READ);
+
+ // Default configuration of the workspace
 JcrUtils.addPrivilege(session, "/", NodeConstants.ROLE_ADMIN, Privilege.JCR_ALL);
+ JcrUtils.addPrivilege(session, groupHomePath, NodeConstants.ROLE_USER_ADMIN, Privilege.JCR_ALL);
+ JcrUtils.addPrivilege(session, publicPath, NodeConstants.ROLE_USER, Privilege.JCR_READ);
 JcrUtils.addPrivilege(session, publicPath, "anonymous", Privilege.JCR_READ);
 JcrUtils.addPrivilege(session, publicPath, NodeConstants.ROLE_ANONYMOUS, Privilege.JCR_READ);
- JcrUtils.addPrivilege(session, sharedFilePath, NodeConstants.ROLE_USER, Privilege.JCR_ALL);
+ // JcrUtils.addPrivilege(session, sharedFilePath,
+ // NodeConstants.ROLE_USER, Privilege.JCR_ALL);
 session.save();
 log.info("Access control configured");
 }
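Review bot: `configureACL` is still invoked only inside `if (adminSession.hasPendingChanges())` in `initialiseModel`, so the new grants to `ArgeoSuiteRole.coworker.dn()` reach a freshly created workspace only; an existing deployment keeps the previous `cn=<ROLE_MEMBER>,ou=roles,ou=node` JCR_ALL grant on the people base path (nothing revokes it) and never receives the coworker one. Either apply the ACL on every start-up (the `JcrUtils.addPrivilege` calls look idempotent, to be confirmed) or add an explicit migration that removes the old principal, and say which in the "First draft" comment. The JCR_READ grant for coworker targets `/jcr:system` as a whole while the FIXME above names only `jcr:system/jcr:versionStorage`; if version management is the only need, grant on that narrower path so that node types, activities and other system children are not readable to every coworker. `ArgeoSuiteRole.manager` is introduced but receives no privilege here, so it is not yet distinguishable from a plain user; a one-line comment stating whether that is intended would help the next reader.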
@@ -78,60 +97,63 @@ public class PeopleSuiteServiceImpl extends PeopleServiceImpl implements PeopleS
 /**
 * Initialises People resource model and optionally imports legacy resources
 */
- protected void initModelResources(Session adminSession) throws RepositoryException {
- // initialisation
- ResourceService resourceService = getResourceService();
- resourceService.initialiseResources(adminSession);
-
- // Resource resource = initResources.get("Countries");
- // if (resourceService.getTagLikeResourceParent(adminSession,
- // PeopleConstants.RESOURCE_COUNTRY) == null
- // && resource != null) {
- // resourceService.createTagLikeResourceParent(adminSession,
- // PeopleConstants.RESOURCE_COUNTRY,
- // PeopleTypes.PEOPLE_TAG_ENCODED_INSTANCE, PeopleNames.PEOPLE_CODE,
- // getBasePath(null),
- // JcrUiUtils.getLocalJcrItemName(NodeType.NT_UNSTRUCTURED), new
- // ArrayList());
- // String EN_SHORT_NAME = "English short name (upper-lower case)";
- // String ISO_CODE = "Alpha-2 code";
- // new EncodedTagCsvFileParser(resourceService, adminSession,
- // PeopleConstants.RESOURCE_COUNTRY, ISO_CODE,
- // EN_SHORT_NAME).parse(resource.getInputStream(), "UTF-8");
- // }
- //
- // resource = initResources.get("Languages");
- // if (resourceService.getTagLikeResourceParent(adminSession,
- // PeopleConstants.RESOURCE_LANG) == null
- // && resource != null) {
- // resourceService.createTagLikeResourceParent(adminSession,
- // PeopleConstants.RESOURCE_LANG,
- // PeopleTypes.PEOPLE_TAG_ENCODED_INSTANCE, PeopleNames.PEOPLE_CODE,
- // getBasePath(null),
- // JcrUiUtils.getLocalJcrItemName(NodeType.NT_UNSTRUCTURED), new
- // ArrayList());
- // String EN_SHORT_NAME = "Language name";
- // String ISO_CODE = "639-1";
- // new EncodedTagCsvFileParser(resourceService, adminSession,
- // PeopleConstants.RESOURCE_LANG, ISO_CODE,
- // EN_SHORT_NAME).parse(resource.getInputStream(), "UTF-8");
- // }
-
- // Create tag & mailing list parents
- if (resourceService.getTagLikeResourceParent(adminSession, PeopleConstants.RESOURCE_TAG) == null)
- resourceService.createTagLikeResourceParent(adminSession, PeopleConstants.RESOURCE_TAG,
- PeopleTypes.PEOPLE_TAG_INSTANCE, null, getBasePath(null), PeopleTypes.PEOPLE_ENTITY,
- PeopleNames.PEOPLE_TAGS);
- if (resourceService.getTagLikeResourceParent(adminSession, PeopleTypes.PEOPLE_MAILING_LIST) == null)
- resourceService.createTagLikeResourceParent(adminSession, null, PeopleTypes.PEOPLE_MAILING_LIST, null,
- getBasePath(null), PeopleTypes.PEOPLE_ENTITY, PeopleNames.PEOPLE_MAILING_LISTS);
-
- if (adminSession.hasPendingChanges()) {
- adminSession.save();
- log.info("Resources have been added to People's model");
+ protected void initModelResources(Session adminSession) {
+ try {
+ // initialisation
+ ResourceService resourceService = getResourceService();
+ resourceService.initialiseResources(adminSession);
+
+ Resource resource = initResources.get("Countries");
+ if (resourceService.getTagLikeResourceParent(adminSession, PeopleConstants.RESOURCE_COUNTRY) == null
+ && resource != null) {
+ resourceService.createTagLikeResourceParent(adminSession, PeopleConstants.RESOURCE_COUNTRY,
+ PeopleTypes.PEOPLE_TAG_ENCODED_INSTANCE, PeopleNames.PEOPLE_CODE, getBasePath(null),
+ ConnectJcrUtils.getLocalJcrItemName(NodeType.NT_UNSTRUCTURED), new ArrayList());
+ String EN_SHORT_NAME = "English short name (upper-lower case)";
+ String ISO_CODE = "Alpha-2 code";
+ new EncodedTagCsvFileParser(resourceService, adminSession, PeopleConstants.RESOURCE_COUNTRY, ISO_CODE,
+ EN_SHORT_NAME).parse(resource.getInputStream(), "UTF-8");
+ }
+
+ resource = initResources.get("Languages");
+ if (resourceService.getTagLikeResourceParent(adminSession, PeopleConstants.RESOURCE_LANG) == null
+ && resource != null) {
+ resourceService.createTagLikeResourceParent(adminSession, PeopleConstants.RESOURCE_LANG,
+ PeopleTypes.PEOPLE_TAG_ENCODED_INSTANCE, PeopleNames.PEOPLE_CODE, getBasePath(null),
+ ConnectJcrUtils.getLocalJcrItemName(NodeType.NT_UNSTRUCTURED), new ArrayList());
+ String EN_SHORT_NAME = "Language name";
+ String ISO_CODE = "639-1";
+ new EncodedTagCsvFileParser(resourceService, adminSession, PeopleConstants.RESOURCE_LANG, ISO_CODE,
+ EN_SHORT_NAME).parse(resource.getInputStream(), "UTF-8");
+ }
+
+ // Create tag & mailing list parents
+ if (resourceService.getTagLikeResourceParent(adminSession, PeopleConstants.RESOURCE_TAG) == null)
+ resourceService.createTagLikeResourceParent(adminSession, PeopleConstants.RESOURCE_TAG,
+ PeopleTypes.PEOPLE_TAG_INSTANCE, null, getBasePath(null), PeopleTypes.PEOPLE_ENTITY,
+ PeopleNames.PEOPLE_TAGS);
+ if (resourceService.getTagLikeResourceParent(adminSession, PeopleTypes.PEOPLE_MAILING_LIST) == null)
+ resourceService.createTagLikeResourceParent(adminSession, null, PeopleTypes.PEOPLE_MAILING_LIST, null,
+ getBasePath(null), PeopleTypes.PEOPLE_ENTITY, PeopleNames.PEOPLE_MAILING_LISTS);
+
+ if (adminSession.hasPendingChanges()) {
+ adminSession.save();
+ log.info("Resources have been added to Argeo Suite model");
+ }
+ } catch (IOException | RepositoryException e) {
+ throw new SuiteException("Cannot initialise resources ", e);
 }
 }
+ /** Give access to the repository to extending classes */
+ protected Repository getRepository() {
+ return repository;
+ }
+
+ protected String getWorkspaceName() {
+ return workspaceName;
+ }
+
 /* DEPENDENCY INJECTION */
 public void setRepository(Repository repository) {
 this.repository = repository;
@@ -140,4 +162,8 @@ public class PeopleSuiteServiceImpl extends PeopleServiceImpl implements PeopleS
 public void setWorkspaceName(String workspaceName) {
 this.workspaceName = workspaceName;
 }
+
+ public void setInitResources(Map initResources) {
+ this.initResources = initResources;
+ }
 }
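Review bot: `initResources.get("Countries")` dereferences the field without a null check, and the field stays `null` unless `setInitResources` is wired, so a configuration that does not inject the map fails with a `NullPointerException` that the `IOException | RepositoryException` catch does not cover and that surfaces from init() as "Cannot initialise model" rather than a clear message. Treat a missing map as "no legacy import", `Resource resource = initResources == null ? null : initResources.get("Countries");` (and likewise for "Languages"), or fail early at the top of the method with a message naming the missing property. The stream returned by `resource.getInputStream()` is handed to `parse(...)` and never closed here; unless `EncodedTagCsvFileParser.parse` closes it (not visible in this hunk), wrap each call as `try (InputStream in = resource.getInputStream()) { new EncodedTagCsvFileParser(...).parse(in, "UTF-8"); }` with `java.io.InputStream` imported. `new ArrayList()` on both createTagLikeResourceParent calls is a raw type; `new ArrayList<>()` with the expected element type is preferable.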