DomainAuthorizationStrategy.java

/**
 * Licensed to the Austrian Association for Software Tool Integration (AASTI)
 * under one or more contributor license agreements. See the NOTICE file
 * distributed with this work for additional information regarding copyright
 * ownership. The AASTI licenses this file to you under the Apache License,
 * Version 2.0 (the "License"); you may not use this file except in compliance
 * with the License. You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.openengsb.ui.common;

import java.util.Arrays;
import java.util.Collection;
import java.util.List;

import javax.inject.Inject;
import javax.inject.Named;

import org.apache.commons.lang.ArrayUtils;
import org.apache.wicket.Component;
import org.apache.wicket.authorization.Action;
import org.apache.wicket.authorization.IAuthorizationStrategy;
import org.apache.wicket.request.component.IRequestableComponent;
import org.openengsb.core.api.security.AuthenticationContext;
import org.openengsb.core.api.security.SecurityAttributeProvider;
import org.openengsb.core.api.security.annotation.SecurityAttribute;
import org.openengsb.core.api.security.annotation.SecurityAttributes;
import org.openengsb.core.api.security.model.SecurityAttributeEntry;
import org.openengsb.domain.authorization.AuthorizationDomain;
import org.openengsb.domain.authorization.AuthorizationDomain.Access;
import org.openengsb.ui.api.UIAction;
import org.ops4j.pax.wicket.api.PaxWicketBeanInjectionSource;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;

public class DomainAuthorizationStrategy implements IAuthorizationStrategy {

    private static final Logger LOGGER = LoggerFactory.getLogger(DomainAuthorizationStrategy.class);

    @Inject
    @Named("authorizer")
    @PaxWicketBeanInjectionSource(PaxWicketBeanInjectionSource.INJECTION_SOURCE_BLUEPRINT)
    private AuthorizationDomain authorizer;

    @Inject
    @Named("authenticationContext")
    private AuthenticationContext authenticationContext;

    @Inject
    @Named("attributeProviders")
    private List<SecurityAttributeProvider> attributeProviders;

    @Override
    public boolean isActionAuthorized(Component arg0, Action arg1) {
        List<SecurityAttributeEntry> attributeList = Lists.newArrayList();
        if (hasSecurityAnnotation(arg0.getClass())) {
            attributeList.addAll(getSecurityAttributes(arg0.getClass()));
        }

        LOGGER.info(ArrayUtils.toString(attributeProviders.getClass().getInterfaces()));

        for (SecurityAttributeProvider p : attributeProviders) {
            Collection<SecurityAttributeEntry> runtimeAttributes = p.getAttribute(arg0);
            if (runtimeAttributes != null) {
                attributeList.addAll(runtimeAttributes);
            }
        }

        if (attributeList.isEmpty()) {
            return true;
        }

        String user = getAuthenticatedUser();
        if (user == null) {
            return false;
        }
        UIAction secureAction =
            new UIAction(attributeList, arg1.getName(), ImmutableMap.of("component", (Object) arg0));

        Access checkAccess = authorizer.checkAccess(user, secureAction);
        if (checkAccess != Access.GRANTED) {
            LOGGER.warn("User {} was denied action {} on component {}", new Object[]{ user, arg1.toString(),
                arg0.getClass().getName() });
        }
        return checkAccess == Access.GRANTED;
    }

    @Override
    public <T extends IRequestableComponent> boolean isInstantiationAuthorized(Class<T> componentClass) {
        if (!hasSecurityAnnotation(componentClass)) {
            return true;
        }

        String user = getAuthenticatedUser();
        if (user == null) {
            return false;
        }

        LOGGER.trace("security-attribute-annotation present on {}", componentClass);

        return authorizer.checkAccess(user, new UIAction(getSecurityAttributes(componentClass))) == Access.GRANTED;
    }

    private String getAuthenticatedUser() {
        Object principal = authenticationContext.getAuthenticatedPrincipal();
        if (principal == null) {
            return null;
        }
        return principal.toString();
    }

    private boolean hasSecurityAnnotation(Class<? extends IRequestableComponent> class1) {
        return class1.isAnnotationPresent(SecurityAttribute.class)
                || class1.isAnnotationPresent(SecurityAttributes.class);
    }

    private Collection<SecurityAttributeEntry> getSecurityAttributes(
            Class<? extends IRequestableComponent> componentClass) {
        SecurityAttribute annotation = componentClass.getAnnotation(SecurityAttribute.class);
        if (annotation != null) {
            return Arrays.asList(convertAnnotationToEntry(annotation));
        }
        SecurityAttributes annotation2 = componentClass.getAnnotation(SecurityAttributes.class);
        if (annotation2 != null) {
            Collection<SecurityAttributeEntry> result = Lists.newArrayList();
            for (SecurityAttribute a : annotation2.value()) {
                result.add(convertAnnotationToEntry(a));
            }
            return result;
        }
        return null;
    }

    private SecurityAttributeEntry convertAnnotationToEntry(SecurityAttribute annotation) {
        return new SecurityAttributeEntry(annotation.key(), annotation.value());
    }

    public void setAuthorizer(AuthorizationDomain authorizer) {
        this.authorizer = authorizer;
    }

}