Class D1AuthHelper

java.lang.Object
edu.ucsb.nceas.metacat.dataone.D1AuthHelper

public class D1AuthHelper extends Object
This is a delegate class for D1NodeService and its subclasses. It centralizes the authorization implementations so that they are more consistent across the various API methods and more testable. There are 6 basic authorization checks that can be done, implemented as protected methods in this class. These checks are:
1. session vs. systemMetadata subjects
2. session vs. local admin credentials
3. session vs. systemMetadata authoritativeMemberNode (requires NodeList)
4. session vs. CN nodelist subjects (checking for CN admin authorization)
5. session vs. systemMetadata replica nodeReferences (via nodelist subjects)
6. session vs. expanded rightsHolder equivalent subjects and groups (uses API calls to the CN)
In practice, only a handful of combinations of these checks are currently used. These are represented by the public methods in this class. If more combinations are ever required, they should be added as a new public method, following the general way the other methods are implemented. The combinations in use are:
1. CN admin only
2. Local or AuthoritativeMN only
3. Local MN or CN admin only
4. "isAuthorized" - all checks except allowing replica nodes
5. "getSystemMetadata" - all checks
6. "update" authorization - success depends on the local node being the authMN
Author:
rnahf
  • Constructor Summary

    Constructors
    Constructor
    Description
    D1AuthHelper(javax.servlet.http.HttpServletRequest request, org.dataone.service.types.v1.Identifier requestIdentifier, String notAuthorizedCode, String serviceFailureCode)
    Each instance should correspond to a single request.
  • Method Summary

    Modifier and Type
    Method
    Description
    protected boolean
    checkExpandedPermissions(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission)
    Compare all the session subjects against the expanded subjects (from listSubjects) of the object rightsHolder.
    void
    doAdminAuthorization(org.dataone.service.types.v1.Session session)
    Does MN/CN admin authorization
    void
    doAuthoritativeMNAuthorization(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta)
    Does local and AuthMN admin authorization
    void
    doCNOnlyAuthorization(org.dataone.service.types.v1.Session session)
    Does only localNode(CN)/CN authorization
    void
    doGetSysmetaAuthorization(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission)
    Used by getSystemMetadata, describe, and getPackage (the latter two by delegation to getSystemMetadata). Very similar to doIsAuthorized, but also allows replica nodes administrative access.
    void
    doIsAuthorized(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission)
    Performs all authorization steps used by isAuthorized.
    void
    doUpdateAuth(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission, org.dataone.service.types.v1.NodeReference localNodeId)
    The locus of updates is limited to the authoritativeMN.
    static boolean
    expandRightsHolder(org.dataone.service.types.v1.Subject rightHolder, org.dataone.service.types.v1.Subject sessionSubject)
    Check if the given session subject is a member of the right holder group (if the right holder is a group subject).
    protected org.dataone.service.types.v2.NodeList
    getCNNodeList()
    A centralized point for accessing the CN NodeList, to make it easier to cache the nodelist in the future if that is seen as helpful performance-wise.
    protected boolean
    isAuthoritativeMNodeAdmin(org.dataone.service.types.v1.Session session, org.dataone.service.types.v1.NodeReference authoritativeMNode, org.dataone.service.types.v2.NodeList nodelist)
    Compare the session.subject to the authoritativeMN Node.nodeSubjects list of Subjects.
    protected boolean
    isAuthorizedBySysMetaSubjects(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission)
    Returns the authorization status of the Session vs.
    protected boolean
    isCNAdmin(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.NodeList nodelist)
    Compares session.subject against CN.NodeList
    boolean
    isLocalCNAdmin(org.dataone.service.types.v1.Session session)
    Test if the user identified by the provided token has administrative authorization on this node because the session subject is the node's own subject (the implementation uses the property Settings to build a Node instance).
    boolean
    isLocalMNAdmin(org.dataone.service.types.v1.Session session)
    Test if the user identified by the provided token has administrative authorization on this node because the session subject is the node's own subject (the implementation uses the property Settings to build a Node instance).
    protected boolean
    isLocalNodeAdmin(org.dataone.service.types.v1.Session session, org.dataone.service.types.v1.NodeType nodeType)
    Checks Metacat properties representing the local Node document for matching Node.subjects.
    protected boolean
    isReplicaMNodeAdmin(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v2.NodeList nodelist)
    Determines if the session represents a replicaMN of the given systemMetadata.
    protected void
    prepareAndThrowNotAuthorized(org.dataone.service.types.v1.Session session, org.dataone.service.types.v1.Identifier pid, org.dataone.service.types.v1.Permission permission, String detailCode)
    Format a 'NotAuthorized' exception
    static void
    resetCNList()
    Reset the CN list to an empty list.

    Methods inherited from class java.lang.Object

    clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
  • Constructor Details

    • D1AuthHelper

      public D1AuthHelper(javax.servlet.http.HttpServletRequest request, org.dataone.service.types.v1.Identifier requestIdentifier, String notAuthorizedCode, String serviceFailureCode)
      Each instance should correspond to a single request.
      Parameters:
      request - Request to check for authorization
      requestIdentifier - Identifier of requester
      notAuthorizedCode - Desired not authorized code
      serviceFailureCode - Desired service failure code
  • Method Details

    • doIsAuthorized

      public void doIsAuthorized(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission) throws org.dataone.service.exceptions.ServiceFailure, org.dataone.service.exceptions.NotAuthorized
      Performs all authorization steps used by isAuthorized. Checks for accessPolicy & rightsHolder authorization, and authorizes local, authoritativeMN, and CN admins.
      Parameters:
      session - User session
      sysmeta - Sysmeta document
      permission - Permission level to check
      Throws:
      org.dataone.service.exceptions.ServiceFailure - When unable to check for authorization
      org.dataone.service.exceptions.NotAuthorized - When session is not authorized
    • doAuthoritativeMNAuthorization

      public void doAuthoritativeMNAuthorization(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta) throws org.dataone.service.exceptions.ServiceFailure, org.dataone.service.exceptions.NotAuthorized
      Does local and AuthMN admin authorization
      Parameters:
      session - User session to check
      sysmeta - Sysmeta document
      Throws:
      org.dataone.service.exceptions.ServiceFailure - When unable to check for authorization
      org.dataone.service.exceptions.NotAuthorized - When session is not authorized
    • doUpdateAuth

      public void doUpdateAuth(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission, org.dataone.service.types.v1.NodeReference localNodeId) throws org.dataone.service.exceptions.NotAuthorized, org.dataone.service.exceptions.ServiceFailure
      The locus of updates is limited to the authoritativeMN. Therefore, the authorization rules are somewhat specialized:
      1. If the update is happening on the authoritative MN, either
        • the session has the appropriate permission vs the system metadata or
        • the session represents the MN Admin Subject
      2. If the session represents the D1 CN, it is allowed.
      Throws:
      org.dataone.service.exceptions.NotAuthorized
      org.dataone.service.exceptions.ServiceFailure
    • doCNOnlyAuthorization

      public void doCNOnlyAuthorization(org.dataone.service.types.v1.Session session) throws org.dataone.service.exceptions.ServiceFailure, org.dataone.service.exceptions.NotAuthorized
      Does only localNode(CN)/CN authorization
      Parameters:
      session - User session to check
      Throws:
      org.dataone.service.exceptions.ServiceFailure - When unable to check for authorization
      org.dataone.service.exceptions.NotAuthorized - When session is not authorized
    • doAdminAuthorization

      public void doAdminAuthorization(org.dataone.service.types.v1.Session session) throws org.dataone.service.exceptions.ServiceFailure, org.dataone.service.exceptions.NotAuthorized
      Does MN/CN admin authorization
      Parameters:
      session - A session object that contains a subject value to check for authorization
      Throws:
      org.dataone.service.exceptions.ServiceFailure - When there is an issue checking for authorization
      org.dataone.service.exceptions.NotAuthorized - When the session subject is not authorized
    • doGetSysmetaAuthorization

      public void doGetSysmetaAuthorization(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission) throws org.dataone.service.exceptions.ServiceFailure, org.dataone.service.exceptions.NotAuthorized
      Used by getSystemMetadata, describe, and getPackage (the latter two by delegation to getSystemMetadata). Very similar to doIsAuthorized, but also allows replica nodes administrative access.
      Parameters:
      session - User session to check
      sysmeta - Sysmeta document
      permission - Permission level to check
      Throws:
      org.dataone.service.exceptions.ServiceFailure - When unable to check for authorization
      org.dataone.service.exceptions.NotAuthorized - When session is not authorized
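An added usage example, not Metacat's own code, showing how a D1NodeService-style caller would wire the public methods above for update, getSystemMetadata and isAuthorized, so that the differences between doUpdateAuth, doGetSysmetaAuthorization and doIsAuthorized described on this page are visible at the call site. The AuthHelperUsage class, the placeholder detail-code constants and the use of sysmeta.getIdentifier() as the request identifier are assumptions.

```java
import javax.servlet.http.HttpServletRequest;

import org.dataone.service.exceptions.NotAuthorized;
import org.dataone.service.exceptions.ServiceFailure;
import org.dataone.service.types.v1.NodeReference;
import org.dataone.service.types.v1.Permission;
import org.dataone.service.types.v1.Session;
import org.dataone.service.types.v2.SystemMetadata;

import edu.ucsb.nceas.metacat.dataone.D1AuthHelper;

/** Illustrative caller (hypothetical, not part of Metacat). */
public class AuthHelperUsage {

    // Placeholder detail codes; a real service passes the codes its API defines.
    private static final String UPDATE_NOT_AUTHORIZED = "<update-not-authorized-code>";
    private static final String UPDATE_SERVICE_FAILURE = "<update-service-failure-code>";
    private static final String SYSMETA_NOT_AUTHORIZED = "<getsysmeta-not-authorized-code>";
    private static final String SYSMETA_SERVICE_FAILURE = "<getsysmeta-service-failure-code>";

    /** update(): succeeds only on the authoritative MN (or for the CN). */
    public static void authorizeUpdate(HttpServletRequest request, Session session,
            SystemMetadata sysmeta, NodeReference localNodeId)
            throws NotAuthorized, ServiceFailure {
        // One helper per request; the detail codes are bound at construction.
        // Assumption: the object's pid is the identifier the helper reports.
        D1AuthHelper auth = new D1AuthHelper(request, sysmeta.getIdentifier(),
                UPDATE_NOT_AUTHORIZED, UPDATE_SERVICE_FAILURE);
        // Throws NotAuthorized unless this node is the authMN and the session has
        // WRITE on the sysmeta or is the MN admin, or the session is the CN.
        auth.doUpdateAuth(session, sysmeta, Permission.WRITE, localNodeId);
    }

    /** getSystemMetadata(): like isAuthorized, but replica MNs are also admitted. */
    public static void authorizeSysmetaRead(HttpServletRequest request, Session session,
            SystemMetadata sysmeta) throws NotAuthorized, ServiceFailure {
        D1AuthHelper auth = new D1AuthHelper(request, sysmeta.getIdentifier(),
                SYSMETA_NOT_AUTHORIZED, SYSMETA_SERVICE_FAILURE);
        auth.doGetSysmetaAuthorization(session, sysmeta, Permission.READ);
    }

    /** isAuthorized(): same checks minus the replica-node allowance, as a boolean. */
    public static boolean isAuthorized(HttpServletRequest request, Session session,
            SystemMetadata sysmeta, Permission permission) throws ServiceFailure {
        D1AuthHelper auth = new D1AuthHelper(request, sysmeta.getIdentifier(),
                SYSMETA_NOT_AUTHORIZED, SYSMETA_SERVICE_FAILURE);
        try {
            auth.doIsAuthorized(session, sysmeta, permission);
            return true;
        } catch (NotAuthorized e) {
            return false; // fail closed: any unmet check denies access
        }
    }
}
```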
    • prepareAndThrowNotAuthorized

      protected void prepareAndThrowNotAuthorized(org.dataone.service.types.v1.Session session, org.dataone.service.types.v1.Identifier pid, org.dataone.service.types.v1.Permission permission, String detailCode) throws org.dataone.service.exceptions.NotAuthorized
      Format a 'NotAuthorized' exception
      Parameters:
      session - Session that has been determined to be not authorized
      pid - Persistent identifier
      permission - Permission level requested to check
      detailCode - Detail code of exception
      Throws:
      org.dataone.service.exceptions.NotAuthorized
    • checkExpandedPermissions

      protected boolean checkExpandedPermissions(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission) throws org.dataone.service.exceptions.ServiceFailure
      Compare all the session subjects against the expanded subjects (from listSubjects) of the object rightsHolder.
      Parameters:
      session - User session to check
      sysmeta - Sysmeta document
      permission - Permission type to check
      Returns:
      True if approved user session subject
      Throws:
      org.dataone.service.exceptions.ServiceFailure - When there is an issue checking for authorization
    • getCNNodeList

      protected org.dataone.service.types.v2.NodeList getCNNodeList() throws org.dataone.service.exceptions.ServiceFailure
      A centralized point for accessing the CN Nodelist, to make it easier to cache the nodelist in the future, if it's seen as helpful performance-wise
      Returns:
      NodeList
      Throws:
      org.dataone.service.exceptions.ServiceFailure - When there is an issue checking for authorization
    • expandRightsHolder

      public static boolean expandRightsHolder(org.dataone.service.types.v1.Subject rightHolder, org.dataone.service.types.v1.Subject sessionSubject) throws org.dataone.service.exceptions.ServiceFailure, org.dataone.service.exceptions.NotImplemented, org.dataone.service.exceptions.InvalidRequest, org.dataone.service.exceptions.NotAuthorized, org.dataone.service.exceptions.InvalidToken
      Check if the given session subject is a member of the right holder group (if the right holder is a group subject). If the right holder is not a group, the result is false. This method is public and static because it is also used outside of D1NodeService and its subclasses (PermissionController).
      Parameters:
      rightHolder - the subject of the right holder.
      sessionSubject - the subject to be compared against the right holder
      Returns:
      true if the user session is a member of the right holder group; false otherwise.
      Throws:
      org.dataone.service.exceptions.NotImplemented - When a method has not yet been implemented
      org.dataone.service.exceptions.ServiceFailure - When there is an issue checking for authorization
      org.dataone.service.exceptions.NotAuthorized - When session is not authorized
      org.dataone.service.exceptions.InvalidToken - Issue with credentials provided
      org.dataone.service.exceptions.InvalidRequest - Issue with the request
    • isLocalMNAdmin

      public boolean isLocalMNAdmin(org.dataone.service.types.v1.Session session) throws org.dataone.service.exceptions.ServiceFailure
      Test if the user identified by the provided token has administrative authorization on this node because the session subject is the node's own subject (the implementation uses the property Settings to build a Node instance).
      Parameters:
      session - The Session object containing the credentials for the Subject
      Returns:
      true if the user is this node
      Throws:
      org.dataone.service.exceptions.ServiceFailure - When there is an issue checking for authorization
    • isLocalCNAdmin

      public boolean isLocalCNAdmin(org.dataone.service.types.v1.Session session) throws org.dataone.service.exceptions.ServiceFailure
      Test if the user identified by the provided token has administrative authorization on this node because the session subject is the node's own subject (the implementation uses the property Settings to build a Node instance).
      Parameters:
      session - the Session object containing the credentials for the Subject
      Returns:
      true if the user is this node
      Throws:
      org.dataone.service.exceptions.ServiceFailure - When there is an issue checking for authorization
    • isLocalNodeAdmin

      protected boolean isLocalNodeAdmin(org.dataone.service.types.v1.Session session, org.dataone.service.types.v1.NodeType nodeType) throws org.dataone.service.exceptions.ServiceFailure
      Checks Metacat properties representing the local Node document for matching Node.subjects. The NodeType parameter can be set to limit this authorization check if needed.
      Parameters:
      session - User session to check
      nodeType - Type of node to check (e.g. NodeType.MN or NodeType.CN)
      Returns:
      True if session subject is a local node admin or Metacat admin
      Throws:
      org.dataone.service.exceptions.ServiceFailure - When there is an issue checking for authorization
    • isAuthorizedBySysMetaSubjects

      protected boolean isAuthorizedBySysMetaSubjects(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v1.Permission permission)
      Returns the authorization status of the Session vs. the given SystemMetadata based on the rightsHolder and AccessPolicy fields
      Parameters:
      session - User session to check
      sysmeta - Sysmeta document
      permission - Permission level to check
      Returns:
      True if authorized based on the sysmeta subject
    • isReplicaMNodeAdmin

      protected boolean isReplicaMNodeAdmin(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.SystemMetadata sysmeta, org.dataone.service.types.v2.NodeList nodelist)
      Determines if the session represents a replicaMN of the given systemMetadata.
      Parameters:
      session - User session to check
      sysmeta - Sysmeta document
      nodelist - List of relevant nodes to check
      Returns:
      True if it is a replica mn node admin
    • isAuthoritativeMNodeAdmin

      protected boolean isAuthoritativeMNodeAdmin(org.dataone.service.types.v1.Session session, org.dataone.service.types.v1.NodeReference authoritativeMNode, org.dataone.service.types.v2.NodeList nodelist)
      Compare the session.subject to the authoritativeMN Node.nodeSubjects list of Subjects. According to the DataONE documentation, the authoritative member node has all the rights of the *rightsHolder*. Any null parameter results in a return value of false.
      Parameters:
      session - User session to check
      authoritativeMNode - The authoritativeMNode reference
      nodelist - List of relevant nodes to check
      Returns:
      True if it is an authoritative MNode admin
    • isCNAdmin

      protected boolean isCNAdmin(org.dataone.service.types.v1.Session session, org.dataone.service.types.v2.NodeList nodelist)
      Compares session.subject against CN.NodeList
      Parameters:
      session - User session to check
      nodelist - List of relevant nodes to check
      Returns:
      True if session subject is a CN admin
    • resetCNList

      public static void resetCNList()
      Reset the CN list to an empty list. Currently it is only used for testing.