SecurityCleanupEventInspector.java

/**
 * Copyright (c) 2008-2011 Sonatype, Inc.
 * All rights reserved. Includes the third-party code listed at http://www.sonatype.com/products/nexus/attributions.
 *
 * This program is free software: you can redistribute it and/or modify it only under the terms of the GNU Affero General
 * Public License Version 3 as published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License Version 3
 * for more details.
 *
 * You should have received a copy of the GNU Affero General Public License Version 3 along with this program.  If not, see
 * http://www.gnu.org/licenses.
 *
 * Sonatype Nexus (TM) Open Source Version is available from Sonatype, Inc. Sonatype and Sonatype Nexus are trademarks of
 * Sonatype, Inc. Apache Maven is a trademark of the Apache Foundation. M2Eclipse is a trademark of the Eclipse Foundation.
 * All other trademarks are the property of their respective owners.
 */
package org.sonatype.nexus.security;

import java.util.HashSet;
import java.util.Set;

import org.codehaus.plexus.component.annotations.Component;
import org.codehaus.plexus.component.annotations.Requirement;
import org.sonatype.nexus.jsecurity.realms.TargetPrivilegeDescriptor;
import org.sonatype.nexus.jsecurity.realms.TargetPrivilegeGroupPropertyDescriptor;
import org.sonatype.nexus.jsecurity.realms.TargetPrivilegeRepositoryPropertyDescriptor;
import org.sonatype.nexus.jsecurity.realms.TargetPrivilegeRepositoryTargetPropertyDescriptor;
import org.sonatype.nexus.proxy.events.AbstractEventInspector;
import org.sonatype.nexus.proxy.events.EventInspector;
import org.sonatype.nexus.proxy.events.RepositoryRegistryEventRemove;
import org.sonatype.nexus.proxy.events.TargetRegistryEventRemove;
import org.sonatype.plexus.appevents.Event;
import org.sonatype.security.SecuritySystem;
import org.sonatype.security.authorization.NoSuchAuthorizationManagerException;
import org.sonatype.security.authorization.NoSuchPrivilegeException;
import org.sonatype.security.authorization.Privilege;
import org.sonatype.security.authorization.xml.SecurityXmlAuthorizationManager;
import org.sonatype.security.realms.tools.ConfigurationManager;

@Component( role = EventInspector.class, hint = "SecurityCleanupEventInspector" )
public class SecurityCleanupEventInspector
    extends AbstractEventInspector
{
    @Requirement( hint = "default" )
    private ConfigurationManager configManager;

    @Requirement
    private SecuritySystem security;

    public boolean accepts( Event<?> evt )
    {
        return evt instanceof RepositoryRegistryEventRemove || evt instanceof TargetRegistryEventRemove;
    }

    public void inspect( Event<?> evt )
    {
        if ( evt instanceof RepositoryRegistryEventRemove )
        {
            RepositoryRegistryEventRemove rEvt = (RepositoryRegistryEventRemove) evt;

            String repositoryId = rEvt.getRepository().getId();

            try
            {
                // Delete target privs that match repo/groupId
                cleanupPrivileges( TargetPrivilegeRepositoryPropertyDescriptor.ID, repositoryId );
                cleanupPrivileges( TargetPrivilegeGroupPropertyDescriptor.ID, repositoryId );
            }
            catch ( NoSuchPrivilegeException e )
            {
                getLogger().error( "Unable to clean privileges attached to repository", e );
            }
            catch ( NoSuchAuthorizationManagerException e )
            {
                getLogger().error( "Unable to clean privileges attached to repository", e );
            }
        }
        if ( evt instanceof TargetRegistryEventRemove )
        {
            TargetRegistryEventRemove rEvt = (TargetRegistryEventRemove) evt;
            
            String targetId = rEvt.getTarget().getId();

            try
            {
                cleanupPrivileges( TargetPrivilegeRepositoryTargetPropertyDescriptor.ID, targetId );
            }
            catch ( NoSuchPrivilegeException e )
            {
                getLogger().error( "Unable to clean privileges attached to target: " + targetId, e );
            }
            catch ( NoSuchAuthorizationManagerException e )
            {
                getLogger().error( "Unable to clean privileges attached to target: " + targetId, e );
            }
        }
    }

    protected void cleanupPrivileges( String propertyId, String propertyValue )
        throws NoSuchPrivilegeException, NoSuchAuthorizationManagerException
    {
        Set<Privilege> privileges = security.listPrivileges();

        Set<String> removedIds = new HashSet<String>();

        for ( Privilege privilege : privileges )
        {
            if ( !privilege.isReadOnly() && privilege.getType().equals( TargetPrivilegeDescriptor.TYPE )
                && ( propertyValue.equals( privilege.getPrivilegeProperty( propertyId ) ) ) )
            {
                getLogger().debug( "Removing Privilege " + privilege.getName() + " because repository was removed" );
                security.getAuthorizationManager( SecurityXmlAuthorizationManager.SOURCE ).deletePrivilege(
                                                                                                            privilege.getId() );
                removedIds.add( privilege.getId() );
            }
        }

        for ( String privilegeId : removedIds )
        {
            configManager.cleanRemovedPrivilege( privilegeId );
        }
        configManager.save();
    }
}