From: Mathieu Baudier <mbaudier@argeo.org>
Date: Sun, 4 Feb 2018 10:11:09 +0000 (+0100)
Subject: Make user/anonymous semantics more consistent with Authorization
X-Git-Tag: argeo-commons-2.1.71~26
X-Git-Url: https://git.argeo.org/?p=lgpl%2Fargeo-commons.git;a=commitdiff_plain;h=35507e18257f2e9f59842ba5120fcd3f19c4cf4d

Make user/anonymous semantics more consistent with Authorization
---

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
index dadcc4dbc..661cc6905 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/CmsAuthUtils.java
@@ -65,13 +65,13 @@ class CmsAuthUtils {
 				name = NodeSecurityUtils.ROLE_ANONYMOUS_NAME;
 				userPrincipal = new AnonymousPrincipal();
 				principals.add(userPrincipal);
-				// principals.add(new AnonymousPrincipal());
 			} else {
 				name = new LdapName(authName);
 				NodeSecurityUtils.checkUserName(name);
 				userPrincipal = new X500Principal(name.toString());
 				principals.add(userPrincipal);
-				principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_USER_NAME, userPrincipal));
+				// principals.add(new ImpliedByPrincipal(NodeSecurityUtils.ROLE_USER_NAME,
+				// userPrincipal));
 			}
 
 			// Add roles provided by authorization
@@ -79,6 +79,8 @@ class CmsAuthUtils {
 				LdapName roleName = new LdapName(role);
 				if (roleName.equals(name)) {
 					// skip
+				} else if (roleName.equals(NodeSecurityUtils.ROLE_ANONYMOUS_NAME)) {
+					// skip
 				} else {
 					NodeSecurityUtils.checkImpliedPrincipalName(roleName);
 					principals.add(new ImpliedByPrincipal(roleName.toString(), userPrincipal));
diff --git a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
index 436d30058..077a1f8a7 100644
--- a/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
+++ b/org.argeo.cms/src/org/argeo/cms/internal/kernel/NodeUserAdmin.java
@@ -14,6 +14,7 @@ import java.util.HashMap;
 import java.util.Hashtable;
 import java.util.Iterator;
 import java.util.Map;
+import java.util.Set;
 
 import javax.naming.ldap.LdapName;
 import javax.security.auth.Subject;
@@ -58,6 +59,7 @@ import org.osgi.framework.FrameworkUtil;
 import org.osgi.framework.ServiceRegistration;
 import org.osgi.service.cm.ConfigurationException;
 import org.osgi.service.cm.ManagedServiceFactory;
+import org.osgi.service.useradmin.Authorization;
 import org.osgi.service.useradmin.UserAdmin;
 import org.osgi.util.tracker.ServiceTracker;
 
@@ -161,6 +163,17 @@ class NodeUserAdmin extends AggregatingUserAdmin implements ManagedServiceFactor
 	public String getName() {
 		return "Node User Admin";
 	}
+	
+	
+
+	@Override
+	protected void addAbstractSystemRoles(Authorization rawAuthorization, Set<String> sysRoles) {
+		if(rawAuthorization.getName()==null) {
+			sysRoles.add(NodeConstants.ROLE_ANONYMOUS);
+		}else {
+			sysRoles.add(NodeConstants.ROLE_USER);
+		}
+	}
 
 	protected void postAdd(AbstractUserDirectory userDirectory) {
 		// JTA
diff --git a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java
index 2b2ca0c51..d2054416b 100644
--- a/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java
+++ b/org.argeo.enterprise/src/org/argeo/osgi/useradmin/AggregatingUserAdmin.java
@@ -90,11 +90,20 @@ public class AggregatingUserAdmin implements UserAdmin {
 			Authorization auth = systemRoles.getAuthorization((User) userAdmin.getRole(role));
 			sysRoles.addAll(Arrays.asList(auth.getRoles()));
 		}
+		addAbstractSystemRoles(rawAuthorization, sysRoles);
 		Authorization authorization = new AggregatingAuthorization(rawAuthorization.getName(),
 				rawAuthorization.toString(), sysRoles, rawAuthorization.getRoles());
 		return authorization;
 	}
 
+	/**
+	 * Enrich with application-specific roles which are strictly programmatic, such
+	 * as anonymous/user semantics.
+	 */
+	protected void addAbstractSystemRoles(Authorization rawAuthorization, Set<String> sysRoles) {
+
+	}
+
 	//
 	// USER ADMIN AGGREGATOR
 	//
@@ -181,8 +190,8 @@ public class AggregatingUserAdmin implements UserAdmin {
 	}
 
 	/**
-	 * Called before each user directory is destroyed, so that additional
-	 * actions can be performed.
+	 * Called before each user directory is destroyed, so that additional actions
+	 * can be performed.
 	 */
 	protected void preDestroy(AbstractUserDirectory userDirectory) {
 	}
diff --git a/org.argeo.node.api/src/org/argeo/node/security/NodeSecurityUtils.java b/org.argeo.node.api/src/org/argeo/node/security/NodeSecurityUtils.java
index fd01cc6c6..7c784b0dc 100644
--- a/org.argeo.node.api/src/org/argeo/node/security/NodeSecurityUtils.java
+++ b/org.argeo.node.api/src/org/argeo/node/security/NodeSecurityUtils.java
@@ -33,8 +33,8 @@ public class NodeSecurityUtils {
 	}
 
 	public static void checkImpliedPrincipalName(LdapName roleName) throws IllegalArgumentException {
-		if (ROLE_USER_NAME.equals(roleName) || ROLE_ANONYMOUS_NAME.equals(roleName))
-			throw new IllegalArgumentException(roleName + " cannot be listed as role");
+//		if (ROLE_USER_NAME.equals(roleName) || ROLE_ANONYMOUS_NAME.equals(roleName))
+//			throw new IllegalArgumentException(roleName + " cannot be listed as role");
 	}
 
 }