#16 least restrictive permissions

DICE-UNC · Dec 13, 2019 · 8655961 · 8655961
1 parent 07eb9f1
commit 8655961
Show file tree

Hide file tree

Showing 2 changed files with 134 additions and 95 deletions.
diff --git a/...metalnx-services/src/main/java/com/emc/metalnx/services/irods/PermissionsServiceImpl.java b/...metalnx-services/src/main/java/com/emc/metalnx/services/irods/PermissionsServiceImpl.java
@@ -19,16 +19,15 @@
 import org.irods.jargon.core.pub.domain.UserGroup;
 import org.irods.jargon.core.pub.io.IRODSFile;
 import org.irods.jargon.core.pub.io.IRODSFileFactory;
+import org.irods.jargon.core.utils.MiscIRODSUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
-import com.emc.metalnx.core.domain.entity.DataGridCollectionAndDataObject;
 import com.emc.metalnx.core.domain.entity.DataGridFilePermission;
 import com.emc.metalnx.core.domain.entity.DataGridGroupPermission;
-import com.emc.metalnx.core.domain.entity.DataGridUser;
 import com.emc.metalnx.core.domain.entity.DataGridUserPermission;
 import com.emc.metalnx.core.domain.entity.enums.DataGridPermType;
 import com.emc.metalnx.core.domain.exceptions.DataGridConnectionRefusedException;
@@ -284,22 +283,53 @@ else if (permType.equals(DataGridPermType.OWN))
 	}
 
 	@Override
-	public void resolveMostPermissiveAccessForUser(DataGridCollectionAndDataObject obj, DataGridUser user)
+	public String resolveMostPermissiveAccessForUser(String irodsAbsolutePath, String userName)
 			throws DataGridException {
 
 		logger.info("resolveMostPermissiveAccessForUser()");
 
-		if (obj == null || user == null)
-			return;
+		if (irodsAbsolutePath == null || irodsAbsolutePath.isEmpty()) {
+			throw new IllegalArgumentException("null or empty irodsAbsolutePath");
+		}
+
+		if (userName == null || userName.isEmpty()) {
+			throw new IllegalArgumentException("null or empty userName");
+		}
+
+		logger.info("irodsAbsolutePath:{}", irodsAbsolutePath);
+		logger.info("userName:{}", userName);
+
+		/*
+		 * The user is characterized by the user name as well as the zone they are
+		 * logged into. The iRODS file path may indicate that the user is browsing
+		 * across a federation and a zone will be thus added to the user name assuming
+		 * user#zone is the subject for which permissions will be sought
+		 */
+
+		String targetZone = MiscIRODSUtils.getZoneInPath(irodsAbsolutePath);
+		logger.debug("targetZone from path:{}", targetZone);
+		String targetUser = null;
+		if (targetZone.equals(irodsServices.getCurrentUserZone())) {
+			logger.debug("expanding user name for cross-zone query");
+			StringBuilder sb = new StringBuilder();
+			sb.append(userName);
+			sb.append('#');
+			sb.append(irodsServices.getCurrentUserZone());
+			targetUser = sb.toString();
+		} else {
+			logger.debug("use existing user name within-zone");
+			targetUser = userName;
+			targetZone = "";
+		}
 
 		List<UserGroup> userGroups;
 		List<UserFilePermission> acl;
 
 		try {
-			logger.info("obtaining user groups for user:{}", user.getUsername());
-			userGroups = irodsServices.getGroupAO().findUserGroupsForUser(user.getUsername());
-			logger.info("obtaining acls list for object:{}", obj.getPath());
-			acl = getFilePermissionListForObject(obj.getPath());
+			logger.info("obtaining user groups for user:{}", userName);
+			userGroups = irodsServices.getGroupAO().findUserGroupsForUserInZone(targetUser, targetZone);
+			logger.info("obtaining acls list for object:{}", irodsAbsolutePath);
+			acl = getFilePermissionListForObject(irodsAbsolutePath);
 			logger.info("acl:{}", acl);
 		} catch (JargonException e) {
 			logger.error("jargon exception getting permission listing", e);
@@ -325,7 +355,7 @@ public void resolveMostPermissiveAccessForUser(DataGridCollectionAndDataObject o
 			String permUserName = perm.getUserName();
 
 			// Checking if current permission is related to logged user
-			if (permUserName.compareTo(user.getUsername()) == 0 || userGroupsSet.contains(permUserName)) {
+			if (permUserName.compareTo(targetUser) == 0 || userGroupsSet.contains(permUserName)) {
 				String permissionName = perm.getFilePermissionEnum().name();
 				int userOrGroupPerm = permissions.indexOf(permissionName);
 				int currentPermission = permissions.indexOf(resultingPermission);
@@ -340,7 +370,7 @@ public void resolveMostPermissiveAccessForUser(DataGridCollectionAndDataObject o
 			}
 		}
 
-		obj.setMostPermissiveAccessForCurrentUser(resultingPermission.toLowerCase());
+		return resultingPermission.toLowerCase();
 	}
 
 	/***********************************************************************************/

diff --git a/...t-data-profiler/src/main/java/com/emc/metalnx/services/interfaces/PermissionsService.java b/...t-data-profiler/src/main/java/com/emc/metalnx/services/interfaces/PermissionsService.java
@@ -1,101 +1,110 @@
- /* Copyright (c) 2018, University of North Carolina at Chapel Hill */
- /* Copyright (c) 2015-2017, Dell EMC */
-
-
+/* Copyright (c) 2018, University of North Carolina at Chapel Hill */
+/* Copyright (c) 2015-2017, Dell EMC */
 
 package com.emc.metalnx.services.interfaces;
 
-import com.emc.metalnx.core.domain.entity.*;
+import java.util.List;
+
+import org.irods.jargon.core.exception.JargonException;
+
+import com.emc.metalnx.core.domain.entity.DataGridFilePermission;
+import com.emc.metalnx.core.domain.entity.DataGridGroupPermission;
+import com.emc.metalnx.core.domain.entity.DataGridUserPermission;
 import com.emc.metalnx.core.domain.entity.enums.DataGridPermType;
 import com.emc.metalnx.core.domain.exceptions.DataGridConnectionRefusedException;
 import com.emc.metalnx.core.domain.exceptions.DataGridException;
-import org.irods.jargon.core.exception.JargonException;
-
-import java.util.List;
 
 public interface PermissionsService {
 
-    /**
-     * Finds the most restrictive permission from a list of paths.
-     *
-     * @return string containing the most restrictive permission ("none", "read", "write", or "own")
-     * @throws DataGridConnectionRefusedException if Metalnx cannot connect to the grid
-     */
-    DataGridPermType findMostRestrictivePermission(String... paths) throws DataGridConnectionRefusedException;
+	/**
+	 * Finds the most restrictive permission from a list of paths.
+	 *
+	 * @return string containing the most restrictive permission ("none", "read",
+	 *         "write", or "own")
+	 * @throws DataGridConnectionRefusedException if Metalnx cannot connect to the
+	 *                                            grid
+	 */
+	DataGridPermType findMostRestrictivePermission(String... paths) throws DataGridConnectionRefusedException;
 
-    /**
-     * Retrieves all permissions information about a given path for a given user.
-     * This path can be a collection or a data object. It also parses the
-     * results down to groups and users so there are no duplicate results.
-     *
-     * @param path
-     *            path to retrieve permissions from
-     * @param username
-     *            user name to check permissions on the given path
-     * @return list of {@link DataGridFilePermission} instances
-     */
-    List<DataGridFilePermission> getPathPermissionDetails(String path, String username) throws JargonException,
-            DataGridConnectionRefusedException;
+	/**
+	 * Retrieves all permissions information about a given path for a given user.
+	 * This path can be a collection or a data object. It also parses the results
+	 * down to groups and users so there are no duplicate results.
+	 *
+	 * @param path     path to retrieve permissions from
+	 * @param username user name to check permissions on the given path
+	 * @return list of {@link DataGridFilePermission} instances
+	 */
+	List<DataGridFilePermission> getPathPermissionDetails(String path, String username)
+			throws JargonException, DataGridConnectionRefusedException;
 
-    /**
-     * Retrieves all the permissions information about a given object
-     * that can be a collection or a data object. It also parses the
-     * results down to groups and users so there are no duplicate results.
-     *
-     * @param path
-     * @return list of {@link DataGridFilePermission} instances
-     */
-    List<DataGridFilePermission> getPathPermissionDetails(String path) throws JargonException,
-            DataGridConnectionRefusedException;
+	/**
+	 * Retrieves all the permissions information about a given object that can be a
+	 * collection or a data object. It also parses the results down to groups and
+	 * users so there are no duplicate results.
+	 *
+	 * @param path
+	 * @return list of {@link DataGridFilePermission} instances
+	 */
+	List<DataGridFilePermission> getPathPermissionDetails(String path)
+			throws JargonException, DataGridConnectionRefusedException;
 
-    /**
-     * Gets all the groups with some kind of permission on the permissions list
-     *
-     * @param ufps
-     * @return list of {@link DataGridGroupPermission}
-     */
-    List<DataGridGroupPermission> getGroupsWithPermissions(List<DataGridFilePermission> ufps);
+	/**
+	 * Gets all the groups with some kind of permission on the permissions list
+	 *
+	 * @param ufps
+	 * @return list of {@link DataGridGroupPermission}
+	 */
+	List<DataGridGroupPermission> getGroupsWithPermissions(List<DataGridFilePermission> ufps);
 
-    /**
-     * Gets all the users (not including groups) with some kind of permission on the list
-     *
-     * @param ufps
-     * @return list of {@link DataGridUserPermission}
-     */
-    List<DataGridUserPermission> getUsersWithPermissions(List<DataGridFilePermission> ufps);
+	/**
+	 * Gets all the users (not including groups) with some kind of permission on the
+	 * list
+	 *
+	 * @param ufps
+	 * @return list of {@link DataGridUserPermission}
+	 */
+	List<DataGridUserPermission> getUsersWithPermissions(List<DataGridFilePermission> ufps);
 
-    /**
-     * Checks if the logged user can modify a given path
-     *
-     * @param path
-     * @return boolean
-     * @throws DataGridConnectionRefusedException
-     */
-    boolean canLoggedUserModifyPermissionOnPath(String path) throws DataGridConnectionRefusedException;
+	/**
+	 * Checks if the logged user can modify a given path
+	 *
+	 * @param path
+	 * @return boolean
+	 * @throws DataGridConnectionRefusedException
+	 */
+	boolean canLoggedUserModifyPermissionOnPath(String path) throws DataGridConnectionRefusedException;
 
-    /**
-     * Updates permission on the given path for the given user or group.
-     *
-     * @param permType
-     * @param userOrGroupName
-     *            user or group name to give permissions
-     * @param recursive
-     *            flag that says whether or not the given permission should be applied recursively
-     * @param inAdminMode
-     *          if true, tries to set permission in admin mode (-M option)
-     *          if false, tries to set permission normally (no additional options)
-     * @param paths to apply permission
-     * @return a {@link boolean} indicating the status of the request
-     * @throws DataGridConnectionRefusedException
-     */
-    boolean setPermissionOnPath(DataGridPermType permType, String userOrGroupName, boolean recursive,
-                                boolean inAdminMode, String... paths) throws DataGridConnectionRefusedException;
+	/**
+	 * Updates permission on the given path for the given user or group.
+	 *
+	 * @param permType
+	 * @param userOrGroupName user or group name to give permissions
+	 * @param recursive       flag that says whether or not the given permission
+	 *                        should be applied recursively
+	 * @param inAdminMode     if true, tries to set permission in admin mode (-M
+	 *                        option) if false, tries to set permission normally (no
+	 *                        additional options)
+	 * @param paths           to apply permission
+	 * @return a {@link boolean} indicating the status of the request
+	 * @throws DataGridConnectionRefusedException
+	 */
+	boolean setPermissionOnPath(DataGridPermType permType, String userOrGroupName, boolean recursive,
+			boolean inAdminMode, String... paths) throws DataGridConnectionRefusedException;
 
-    /**
-     * Finds resulting most permissive permission for a given user
-     * @param obj
-     * @param user
-     */
-    void resolveMostPermissiveAccessForUser(DataGridCollectionAndDataObject obj, DataGridUser user) throws
-            DataGridException;
+	/**
+	 * Find the most permissive access for a user, based on user or group
+	 * permissions. This is specifically built to handle cross-zone permissions,
+	 * where the user id will be properly interpreted as it would be present on the
+	 * given zone. This means that user 'pam' logged into 'zone1' will be queried as
+	 * 'pam#zone1' when interrogating a federated zone
+	 * 
+	 * @param irodsAbsolutePath {@code String} with the target iRODS path
+	 * @param userName          {@code String} with the user name in plain form,
+	 *                          expecting that federated zones will be queried in
+	 *                          user#homezone format
+	 * @return{@code String} with the highest level of permission
+	 * @throws DataGridException {@link DataGridException}
+	 */
+	String resolveMostPermissiveAccessForUser(String irodsAbsolutePath, String userName) throws DataGridException;
 }