/**
 * Convenience overload for callers that have no containers to report.
 *
 * <p>Forwards every argument unchanged to the six-argument {@code buildWrapperPolicy} and
 * supplies an empty list as the final argument. No access decision is taken in this method.
 *
 * @param accessManager passed through unchanged
 * @param user passed through unchanged
 * @param info passed through unchanged
 * @param resourceName passed through unchanged
 * @param mixedModeBehavior passed through unchanged
 * @return the policy produced by the six-argument overload
 */
static WrapperPolicy buildWrapperPolicy(
        ResourceAccessManager accessManager,
        Authentication user,
        CatalogInfo info,
        String resourceName,
        MixedModeBehavior mixedModeBehavior) {
    // An empty list stands in for the container argument of the full overload.
    final WrapperPolicy policy =
            buildWrapperPolicy(
                    accessManager,
                    user,
                    info,
                    resourceName,
                    mixedModeBehavior,
                    Collections.emptyList());
    return policy;
}
/**
 * Builds the wrapper policy for a catalog object without an explicit resource name.
 *
 * <p>Delegates to the overload that also takes an access manager, passing the {@code
 * accessManager} that is in scope here. The access decision itself is made by that overload.
 *
 * @param user the authentication the policy is computed for
 * @param info the catalog object to evaluate; annotated {@code @Nonnull}
 * @param mixedModeBehavior passed through unchanged
 * @return the policy produced by the delegate
 */
protected WrapperPolicy buildWrapperPolicy(
        Authentication user, @Nonnull CatalogInfo info, MixedModeBehavior mixedModeBehavior) {
    final WrapperPolicy policy =
            buildWrapperPolicy(accessManager, user, info, mixedModeBehavior);
    return policy;
}
/**
 * Builds the wrapper policy describing what access {@code user} has to {@code info}.
 *
 * <p>This is a thin instance-level entry point: it hands the {@code accessManager} in scope and
 * an empty container list to the static {@code SecureCatalogImpl.buildWrapperPolicy}, which is
 * where the decision is actually taken.
 *
 * @param user the authentication the policy is computed for
 * @param info the catalog object to evaluate
 * @param resourceName the name forwarded to the static overload as the resource name
 * @param mixedModeBehavior passed through unchanged
 * @return the policy produced by the static overload
 */
public WrapperPolicy buildWrapperPolicy(
        Authentication user,
        CatalogInfo info,
        String resourceName,
        MixedModeBehavior mixedModeBehavior) {
    // No containers are known at this call site, hence the empty list.
    final WrapperPolicy policy =
            SecureCatalogImpl.buildWrapperPolicy(
                    accessManager,
                    user,
                    info,
                    resourceName,
                    mixedModeBehavior,
                    Collections.emptyList());
    return policy;
}
/**
 * Filters a workspace by the access the given user has to it.
 *
 * @param user the authentication the policy is computed for
 * @param ws the workspace to check; may be {@code null}
 * @param mixedModeBehavior forwarded to {@code buildWrapperPolicy}
 * @return {@code null} when {@code ws} is {@code null} or the computed policy level is {@link
 *     AccessLevel#HIDDEN}; otherwise the same {@code ws} instance, unwrapped
 */
protected <T extends WorkspaceInfo> T checkAccess(
        Authentication user, T ws, MixedModeBehavior mixedModeBehavior) {
    if (ws == null) {
        return null;
    }

    final WrapperPolicy policy = buildWrapperPolicy(user, ws, ws.getName(), mixedModeBehavior);

    // HIDDEN is the only level filtered here. Every other level hands back the original
    // object without a security wrapper, on the grounds that a workspace can only provide
    // metadata.
    return AccessLevel.HIDDEN == policy.level ? null : ws;
}
/**
 * Filters a {@link StyleInfo} by the access the given user has to it.
 *
 * @param user the authentication the policy is computed for
 * @param style the style to check; may be {@code null}
 * @param mixedModeBehavior forwarded to {@code buildWrapperPolicy}
 * @return {@code null} when {@code style} is {@code null} or the computed policy level is
 *     {@link AccessLevel#HIDDEN}; otherwise the same {@code style} instance, unwrapped
 */
protected StyleInfo checkAccess(
        Authentication user, StyleInfo style, MixedModeBehavior mixedModeBehavior) {
    if (style == null) {
        return null;
    }

    final WrapperPolicy policy =
            buildWrapperPolicy(user, style, style.getName(), mixedModeBehavior);

    // HIDDEN is the only level filtered here. Every other level hands back the original
    // object without a security wrapper, on the grounds that a style can only provide
    // metadata.
    return AccessLevel.HIDDEN == policy.level ? null : style;
}
/**
 * Filters a store by the access the given user has to the store's workspace.
 *
 * <p>The policy is computed against {@code store.getWorkspace()}, with the store's own name
 * passed only as the resource name. The outcome by policy level is:
 *
 * <ul>
 *   <li>{@link AccessLevel#HIDDEN}: {@code null}
 *   <li>{@link AccessLevel#READ_WRITE}: the original store, unwrapped
 *   <li>{@link AccessLevel#READ_ONLY} on a {@link CoverageStoreInfo}: the original store,
 *       unwrapped
 *   <li>any other case: the store wrapped by {@code SecuredObjects.secure}, provided it is one
 *       of the four recognised store types
 * </ul>
 *
 * @param user the authentication the policy is computed for
 * @param store the store to check; may be {@code null}
 * @param mixedModeBehavior forwarded to {@code buildWrapperPolicy}
 * @return {@code null}, the original store, or a secured wrapper, as listed above
 * @throws RuntimeException if a wrapper is required but the store is not a {@link
 *     DataStoreInfo}, {@link CoverageStoreInfo}, {@link WMSStoreInfo} or {@link WMTSStoreInfo}
 */
protected <T extends StoreInfo> T checkAccess(
        Authentication user, T store, MixedModeBehavior mixedModeBehavior) {
    if (store == null) {
        return null;
    }

    final WrapperPolicy policy =
            buildWrapperPolicy(user, store.getWorkspace(), store.getName(), mixedModeBehavior);

    // Levels that need no wrapper.
    if (AccessLevel.HIDDEN == policy.level) {
        return null;
    }
    final boolean fullAccess = policy.level == AccessLevel.READ_WRITE;
    // NOTE(review): read-only coverage stores are handed back unwrapped; the reason is not
    // visible in this method - confirm it is intentional before relying on it.
    final boolean readOnlyCoverage =
            policy.level == AccessLevel.READ_ONLY && store instanceof CoverageStoreInfo;
    if (fullAccess || readOnlyCoverage) {
        return store;
    }

    // Mixed case: the user can read but not write, or cannot read but the operation mode
    // still allows access to the metadata. Only known store types may be wrapped; anything
    // else is rejected rather than returned unprotected.
    final boolean wrappable =
            store instanceof DataStoreInfo
                    || store instanceof CoverageStoreInfo
                    || store instanceof WMSStoreInfo
                    || store instanceof WMTSStoreInfo;
    if (!wrappable) {
        throw new RuntimeException("Unknown store type " + store.getClass());
    }

    // Unchecked cast: relies on SecuredObjects.secure returning an object compatible with T.
    return (T) SecuredObjects.secure(store, policy);
}
/**
 * Filters a layer by the access the given user has to it.
 *
 * @param user the authentication the policy is computed for
 * @param layer the layer to check; may be {@code null}
 * @param mixedModeBehavior forwarded to {@code buildWrapperPolicy}
 * @param containers forwarded to {@code buildWrapperPolicy}
 * @return {@code null} when {@code layer} is {@code null} or the policy level is {@link
 *     AccessLevel#HIDDEN}; the original layer when the level is {@link
 *     AccessLevel#READ_WRITE} and the policy carries no limits; otherwise the layer wrapped by
 *     {@code SecuredObjects.secure}
 */
protected LayerInfo checkAccess(
        Authentication user,
        LayerInfo layer,
        MixedModeBehavior mixedModeBehavior,
        List<LayerGroupInfo> containers) {
    if (layer == null) {
        return null;
    }

    final WrapperPolicy policy =
            buildWrapperPolicy(user, layer, layer.getName(), mixedModeBehavior, containers);

    // The user cannot even see the layer.
    if (AccessLevel.HIDDEN == policy.level) {
        return null;
    }

    // The bare object is returned only for full access with no limits attached; a
    // READ_WRITE policy that carries limits is still wrapped.
    final boolean unrestricted =
            policy.level == AccessLevel.READ_WRITE && policy.getLimits() == null;
    if (unrestricted) {
        return layer;
    }

    // Mixed case: readable but not writable, or not readable but the operation mode still
    // allows access to the metadata.
    return (LayerInfo) SecuredObjects.secure(layer, policy);
}
/**
 * Filters a {@link ResourceInfo} by the access the given user has to it.
 *
 * @param user the authentication the policy is computed for
 * @param info the resource to check; may be {@code null}
 * @param mixedModeBehavior forwarded to {@code buildWrapperPolicy}
 * @return {@code null} when {@code info} is {@code null} or the policy level is {@link
 *     AccessLevel#HIDDEN}; the original resource when the level is {@link
 *     AccessLevel#READ_WRITE} and the policy carries no limits; otherwise the resource wrapped
 *     by {@code SecuredObjects.secure}
 */
protected <T extends ResourceInfo> T checkAccess(
        Authentication user, T info, MixedModeBehavior mixedModeBehavior) {
    if (info == null) {
        return null;
    }

    final WrapperPolicy policy =
            buildWrapperPolicy(user, info, info.getName(), mixedModeBehavior);

    // The user cannot even see the resource.
    if (AccessLevel.HIDDEN == policy.level) {
        return null;
    }

    // The bare object is returned only for full access with no limits attached; a
    // READ_WRITE policy that carries limits is still wrapped.
    final boolean unrestricted =
            policy.level == AccessLevel.READ_WRITE && policy.getLimits() == null;
    if (unrestricted) {
        return info;
    }

    // Mixed case: readable but not writable, or not readable but the operation mode still
    // allows access to the metadata.
    // Unchecked cast: relies on SecuredObjects.secure returning an object compatible with T.
    return (T) SecuredObjects.secure(info, policy);
}
buildWrapperPolicy(user, group, group.getName(), mixedModeBehavior, containers); if (policy.level == AccessLevel.HIDDEN) { return null;
ws.setName(((NamespaceInfo) info).getPrefix()); return buildWrapperPolicy(accessManager, user, ws, ws.getName(), mixedModeBehavior); return buildWrapperPolicy( accessManager, user, info, ((WorkspaceInfo) info).getName(), mixedModeBehavior); return buildWrapperPolicy( accessManager, user, return buildWrapperPolicy( accessManager, user, info, ((ResourceInfo) info).getName(), mixedModeBehavior); return buildWrapperPolicy( accessManager, user, info, ((LayerInfo) info).getName(), mixedModeBehavior); buildWrapperPolicy( accessManager, user, layer, layer.getName(), mixedModeBehavior); if (AccessLevel.HIDDEN.equals(policy.getAccessLevel())) { return buildWrapperPolicy( accessManager, user, info, ((StyleInfo) info).getName(), mixedModeBehavior);
/**
 * Tells whether the given catalog object is visible under a {@link MixedModeBehavior#HIDE}
 * policy.
 *
 * <p>A {@link NamespaceInfo} is first replaced by the workspace whose name equals the
 * namespace prefix. If that lookup, or the input itself, yields {@code null}, the result is
 * {@code false}, so an object that cannot be resolved is treated as not visible.
 *
 * @param object the object to test; cast to {@link CatalogInfo} without a prior type check
 * @return {@code true} unless the computed access level equals {@link AccessLevel#HIDDEN}
 */
@Override
public Boolean evaluate(Object object) {
    CatalogInfo target = (CatalogInfo) object;
    if (target instanceof NamespaceInfo) {
        final String prefix = ((NamespaceInfo) target).getPrefix();
        target = getCatalog().getWorkspaceByName(prefix);
    }
    if (target == null) {
        return false;
    }

    final AccessLevel accessLevel =
            getSecurityWrapper()
                    .buildWrapperPolicy(
                            resourceAccesssManager, user, target, MixedModeBehavior.HIDE)
                    .getAccessLevel();
    return !AccessLevel.HIDDEN.equals(accessLevel);
}
} // closes an enclosing scope that opens outside this excerpt