1. Sebastian Sdorra
  2. scm-manager

Commits

Sebastian Sdorra  committed bd3f12b

use shiro api for permission filter

  • Participants
  • Parent commits 099b424
  • Branches apache-shiro

Comments (0)

Files changed (2)

File scm-core/src/main/java/sonia/scm/repository/PermissionUtil.java

View file
 
 import com.google.inject.Provider;
 
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import sonia.scm.config.ScmConfiguration;
+import sonia.scm.security.Role;
 import sonia.scm.security.ScmSecurityException;
-import sonia.scm.user.User;
 import sonia.scm.util.AssertUtil;
 import sonia.scm.web.security.WebSecurityContext;
 
    * @param pt
    */
   public static void assertPermission(Repository repository,
-          WebSecurityContext securityContext, PermissionType pt)
+    WebSecurityContext securityContext, PermissionType pt)
   {
     if (!hasPermission(repository, securityContext, pt))
     {
    * @param pt
    */
   public static void assertPermission(Repository repository,
-          Provider<WebSecurityContext> securityContextProvider,
-          PermissionType pt)
+    Provider<WebSecurityContext> securityContextProvider, PermissionType pt)
   {
     assertPermission(repository, securityContextProvider.get(), pt);
   }
    * @return
    */
   public static boolean hasPermission(Repository repository,
-          Provider<WebSecurityContext> securityContextProvider,
-          PermissionType pt)
+    Provider<WebSecurityContext> securityContextProvider, PermissionType pt)
   {
     return hasPermission(repository, securityContextProvider.get(), pt);
   }
    * @param pt
    *
    * @return
+   * @deprecated use {@link #hasPermission(Repository,PermissionType)} instead
    */
+  @Deprecated
   public static boolean hasPermission(Repository repository,
-          WebSecurityContext securityContext, PermissionType pt)
+    WebSecurityContext securityContext, PermissionType pt)
+  {
+    return hasPermission(repository, pt);
+  }
+
+  /**
+   * Method description
+   *
+   *
+   * @param repository
+   * @param securityContext
+   * @param pt
+   *
+   * @return
+   * @since 1.21
+   */
+  public static boolean hasPermission(Repository repository, PermissionType pt)
   {
     boolean result = false;
 
-    if (securityContext != null)
+    Subject subject = SecurityUtils.getSubject();
+
+    if (subject.isAuthenticated())
     {
-      User user = securityContext.getUser();
 
-      if (user != null)
+      String username = subject.getPrincipal().toString();
+
+      AssertUtil.assertIsNotEmpty(username);
+
+      if (subject.hasRole(Role.ADMIN)
+        || ((pt == PermissionType.READ) && repository.isPublicReadable()))
       {
-        String username = user.getName();
+        result = true;
+      }
+      else
+      {
+        List<Permission> permissions = repository.getPermissions();
 
-        AssertUtil.assertIsNotEmpty(username);
+        if (permissions != null)
+        {
 
-        if (user.isAdmin()
-            || ((pt == PermissionType.READ) && repository.isPublicReadable()))
-        {
-          result = true;
-        }
-        else
-        {
-          List<Permission> permissions = repository.getPermissions();
+          // TODO
 
-          if (permissions != null)
-          {
-            result = hasPermission(permissions, username,
-                                   securityContext.getGroups(), pt);
-          }
+          /*
+           * result = hasPermission(permissions, username,
+           *                      securityContext.getGroups(), pt);
+           */
         }
       }
     }
    *
    * @return true if the repository is writable
    * @since 1.14
+   * @deprecated use {@link #isWritable(ScmConfiguration, Repository)} instead
+   */
+  @Deprecated
+  public static boolean isWritable(ScmConfiguration configuration,
+    Repository repository, WebSecurityContext securityContext)
+  {
+    return isWritable(configuration, repository);
+  }
+
+  /**
+   * Returns true if the repository is writable.
+   *
+   *
+   * @param configuration SCM-Manager main configuration
+   * @param repository repository to check
+   * @param securityContext current user security context
+   *
+   * @return true if the repository is writable
+   * @since 1.21
    */
   public static boolean isWritable(ScmConfiguration configuration,
-                                    Repository repository,
-                                    WebSecurityContext securityContext)
+    Repository repository)
   {
     boolean permitted = false;
 
       if (logger.isWarnEnabled())
       {
         logger.warn("{} is archived and is not writeable",
-                    repository.getName());
+          repository.getName());
       }
     }
     else
     {
-      permitted = PermissionUtil.hasPermission(repository, securityContext,
-              PermissionType.WRITE);
+      permitted = PermissionUtil.hasPermission(repository,
+        PermissionType.WRITE);
     }
 
     return permitted;
    * @return
    */
   private static boolean hasPermission(List<Permission> permissions,
-          String username, Collection<String> groups, PermissionType pt)
+    String username, Collection<String> groups, PermissionType pt)
   {
     boolean result = false;
 
       String name = p.getName();
 
       if (((name != null) && (p.getType().getValue() >= pt.getValue()))
-          && (name.equals(username)
-              || (p.isGroupPermission() && groups.contains(p.getName()))))
+        && (name.equals(username)
+          || (p.isGroupPermission() && groups.contains(p.getName()))))
       {
         result = true;
 

File scm-core/src/main/java/sonia/scm/web/filter/PermissionFilter.java

View file
 import com.google.common.base.Splitter;
 import com.google.inject.Provider;
 
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
+
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import sonia.scm.repository.PermissionUtil;
 import sonia.scm.repository.Repository;
 import sonia.scm.security.ScmSecurityException;
-import sonia.scm.user.User;
-import sonia.scm.util.AssertUtil;
 import sonia.scm.util.HttpUtil;
 import sonia.scm.util.Util;
 import sonia.scm.web.security.WebSecurityContext;
    * @param configuration
    * @param securityContextProvider
    */
-  public PermissionFilter(ScmConfiguration configuration,
-                          Provider<WebSecurityContext> securityContextProvider)
+  public PermissionFilter(ScmConfiguration configuration)
   {
     this.configuration = configuration;
-    this.securityContextProvider = securityContextProvider;
+  }
+
+  /**
+   * Constructs ...
+   *
+   *
+   *
+   * @param configuration
+   * @param securityContextProvider
+   * @deprecated
+   */
+  @Deprecated
+  public PermissionFilter(ScmConfiguration configuration,
+    Provider<WebSecurityContext> securityContextProvider)
+  {
+    this.configuration = configuration;
   }
 
   //~--- get methods ----------------------------------------------------------
    */
   @Override
   protected void doFilter(HttpServletRequest request,
-                          HttpServletResponse response, FilterChain chain)
-          throws IOException, ServletException
+    HttpServletResponse response, FilterChain chain)
+    throws IOException, ServletException
   {
-    WebSecurityContext securityContext = securityContextProvider.get();
+    Subject subject = SecurityUtils.getSubject();
 
-    AssertUtil.assertIsNotNull(securityContext);
-
-    User user = securityContext.getUser();
-
-    if (user != null)
+    if (subject.isAuthenticated())
     {
       try
       {
         {
           boolean writeRequest = isWriteRequest(request);
 
-          if (hasPermission(repository, securityContext, writeRequest))
+          if (hasPermission(repository, writeRequest))
           {
             if (logger.isTraceEnabled())
             {
               logger.trace("{} access to repository {} for user {} granted",
-                           new Object[] { writeRequest
-                                          ? "write"
-                                          : "read", repository.getName(),
-                                          user.getName() });
+                new Object[] { writeRequest
+                ? "write"
+                : "read", repository.getName(), subject.getPrincipal() });
             }
 
             chain.doFilter(request, response);
             if (logger.isInfoEnabled())
             {
               logger.info("{} access to repository {} for user {} denied",
-                          new Object[] { writeRequest
-                                         ? "write"
-                                         : "read", repository.getName(),
-                                         user.getName() });
+                new Object[] { writeRequest
+                ? "write"
+                : "read", repository.getName(), subject.getPrincipal() });
             }
 
-            sendAccessDenied(response, user);
+            sendAccessDenied(response, subject);
           }
         }
         else
         if (logger.isTraceEnabled())
         {
           logger.trace(
-              "wrong request at ".concat(request.getRequestURI()).concat(
-                " send redirect"), ex);
+            "wrong request at ".concat(request.getRequestURI()).concat(
+              " send redirect"), ex);
         }
         else if (logger.isWarnEnabled())
         {
           logger.warn("wrong request at {} send redirect",
-                      request.getRequestURI());
+            request.getRequestURI());
         }
 
         response.sendRedirect(getRepositoryRootHelpUrl(request));
       {
         if (logger.isWarnEnabled())
         {
-          logger.warn("user {} has not enough permissions", user.getName());
+          logger.warn("user {} has not enough permissions",
+            subject.getPrincipal());
         }
 
-        sendAccessDenied(response, user);
+        sendAccessDenied(response, subject);
       }
     }
     else
   private String extractType(HttpServletRequest request)
   {
     Iterator<String> it = Splitter.on(
-                              HttpUtil.SEPARATOR_PATH).omitEmptyStrings().split(
-                              request.getRequestURI()).iterator();
+                            HttpUtil.SEPARATOR_PATH).omitEmptyStrings().split(
+                            request.getRequestURI()).iterator();
     String type = it.next();
 
     if (Util.isNotEmpty(request.getContextPath()))
    *
    * @param response
    * @param user
+   * @param subject
    *
    * @throws IOException
    */
-  private void sendAccessDenied(HttpServletResponse response, User user)
-          throws IOException
+  private void sendAccessDenied(HttpServletResponse response, Subject subject)
+    throws IOException
   {
-    if (SCMContext.USER_ANONYMOUS.equals(user.getName()))
+
+    // TODO check anonymous access
+    if (SCMContext.USER_ANONYMOUS.equals(subject.getPrincipal()))
     {
       HttpUtil.sendUnauthorized(response);
     }
    *
    * @return
    */
-  private boolean hasPermission(Repository repository,
-                                WebSecurityContext securityContext,
-                                boolean writeRequest)
+  private boolean hasPermission(Repository repository, boolean writeRequest)
   {
     boolean permitted = false;
 
     if (writeRequest)
     {
-      permitted = PermissionUtil.isWritable(configuration, repository,
-              securityContext);
+      permitted = PermissionUtil.isWritable(configuration, repository);
     }
     else
     {
-      permitted = PermissionUtil.hasPermission(repository, securityContext,
-              PermissionType.READ);
+      permitted = PermissionUtil.hasPermission(repository, PermissionType.READ);
     }
 
     return permitted;
   //~--- fields ---------------------------------------------------------------
 
   /** Field description */
-  protected Provider<WebSecurityContext> securityContextProvider;
-
-  /** Field description */
   private ScmConfiguration configuration;
 }