Merge pull request #3103 from IQSS/1380-honor-ip-groups

Proper detection of IP addresses in JSF context

doc/sphinx-guides/source/api/native-api.rst

@@ -125,12 +125,12 @@ List versions of the dataset::
 Show a version of the dataset. The Dataset also include any metadata blocks the data might have::
 
   GET http://$SERVER/api/datasets/$id/versions/$versionNumber?key=$apiKey
-  
-      
+
+
 Export the metadata of the current published version of a dataset in various formats see Note below::
 
     GET http://$SERVER/api/datasets/export?exporter=ddi&persistentId=$persistentId
-  
+
     Note: Supported exporters (export formats) are ddi, oai_ddi, dcterms, oai_dc, and dataverse_json.
 
 
@@ -163,9 +163,9 @@ To revert to the default logic, use ``:publicationDate`` as the ``$datasetFieldT
 Note that the dataset field used has to be a date field::
 
     PUT http://$SERVER/api/datasets/$id/citationdate?key=$apiKey
-    
+
 Restores the default logic of the field type to be used as the citation date. Same as ``PUT`` with ``:publicationDate`` body::
-    
+
     DELETE http://$SERVER/api/datasets/$id/citationdate?key=$apiKey
 
 List all the role assignments at the given dataset::
@@ -368,18 +368,29 @@ Toggles superuser mode on the ``AuthenticatedUser`` whose ``identifier`` (withou
 
     POST http://$SERVER/api/admin/superuser/$identifier
 
+List all role assignments of a role assignee (i.e. a user or a group)::
+
+    GET http://$SERVER/api/admin/assignments/assignees/$identifier
+
+Note that ``identifier`` can contain slashes (e.g. ``&ip/localhost-users``).
+
 IpGroups
 ^^^^^^^^
 
-List all the ip groups::
+Lists all the ip groups::
 
   GET http://$SERVER/api/admin/groups/ip
 
-Adds a new ip group. POST data should specify the group in JSON format. Examples are available at ``data/ipGroup1.json``. ::
+Adds a new ip group. POST data should specify the group in JSON format. Examples are available at the ``data`` folder. Using this method, an IP Group is always created, but its ``alias`` might be different than the one appearing in the
+JSON file, to ensure it is unique. ::
 
   POST http://$SERVER/api/admin/groups/ip
 
-Returns a the group in a JSON format. ``groupIdtf`` can either be the group id in the database (in case it is numeric), or the group alias. ::
+Creates or updates the ip group ``$groupAlias``. ::
+
+    POST http://$SERVER/api/admin/groups/ip/$groupAlias
+
+Returns a the group in a JSON format. ``$groupIdtf`` can either be the group id in the database (in case it is numeric), or the group alias. ::
 
   GET http://$SERVER/api/admin/groups/ip/$groupIdtf
 

scripts/api/data/ipGroup-all-ipv4.json

@@ -0,0 +1,5 @@
+{
+  "alias":"all-ipv4",
+  "name":"IP group to match all IPv4 addresses",
+  "ranges" : [["0.0.0.0", "255.255.255.255"]]
+}

scripts/api/data/ipGroup-localhost.json

@@ -1,6 +1,5 @@
 {
   "alias":"localhost",
   "name":"Localhost connections",
-  "ranges" : [["127.0.0.1", "127.0.0.1"],
-              ["::1", "::1"]]
+  "addresses": [ "::1", "127.0.0.1" ]
 }

scripts/api/data/ipGroup-single-IPv4.json

@@ -0,0 +1,5 @@
+{
+  "alias":"singleIPv4",
+  "name":"Single IPv4",
+  "addresses" : ["128.0.0.7"]
+}

scripts/api/data/ipGroup-single-IPv6.json

@@ -0,0 +1,5 @@
+{
+  "alias":"singleIPv6",
+  "name":"Single IPv6",
+  "addresses" : ["aa:bb:cc:dd:ee:ff::1"]
+}

scripts/api/data/ipGroupDuplicate-v1.json

@@ -0,0 +1,7 @@
+{
+  "alias":"ipGroup-dup",
+  "name":"IP Group with duplicate files (1)",
+  "description":"This is the FIRST version of the group",
+  "ranges" : [["60.0.0.0", "60.0.0.255"],
+              ["60::1", "60::ffff"]]
+}

scripts/api/data/ipGroupDuplicate-v2.json

@@ -0,0 +1,7 @@
+{
+  "alias":"ipGroup-dup",
+  "name":"IP Group with duplicate files-v2",
+  "description":"This is the second version of the group",
+  "ranges" : [["70.0.0.0", "70.0.0.255"],
+              ["70::1", "70::ffff"]]
+}

scripts/issues/1380/01-add.localhost.sh

@@ -0,0 +1,2 @@
+# Add the localhost group to the system.
+curl -X POST -H"Content-Type:application/json" -d@../../api/data/ipGroup-localhost.json  localhost:8080/api/admin/groups/ip

scripts/issues/1380/02-build-dv-structure.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+echo Run this after running setup-users.sh, and making Pete an
+echo admin on the root dataverse.
+
+
+PETE=$(grep :result: users.out | grep Pete | cut -f4 -d: | tr -d \ )
+UMA=$(grep :result: users.out | grep Uma | cut -f4 -d: | tr -d \ )
+
+pushd ../../api
+./setup-dvs.sh $PETE $UMA
+popd

scripts/issues/1380/add-ip-group.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Add the passed group to the system.
+curl -X POST -H"Content-Type:application/json" -d@../../api/data/$1  localhost:8080/api/admin/groups/ip

scripts/issues/1380/add-user

@@ -0,0 +1,3 @@
+#!/bin/bash
+# add-user dv group user api-token
+curl -H "Content-type:application/json" -X POST -d"[$3]" localhost:8080/api/dataverses/$1/groups/$2/roleAssignees?key=$4

scripts/issues/1380/data/3-eg1.json

@@ -0,0 +1 @@
+["&explicit/3-eg1"]

scripts/issues/1380/data/guest.json

@@ -0,0 +1 @@
+[":guest"]

scripts/issues/1380/data/locals.json

@@ -0,0 +1 @@
+["&ip/localhost"]

scripts/issues/1380/data/pete.json

@@ -0,0 +1 @@
+["@pete"]

scripts/issues/1380/data/uma.json

@@ -0,0 +1 @@
+["@uma"]

scripts/issues/1380/db-list-dvs

@@ -0,0 +1 @@
+psql dvndb -c "select dvobject.id, name, alias, owner_id from dvobject inner join dataverse on dvobject.id = dataverse.id"

scripts/issues/1380/delete-ip-group

@@ -0,0 +1,9 @@
+#/bin/bahx
+if [ $# -eq 0 ]
+  then
+    echo "Please provide IP group id"
+    echo "e.g $0 845"
+    exit 1
+fi
+
+curl -X DELETE http://localhost:8080/api/admin/groups/ip/$1

scripts/issues/1380/dvs.gv

@@ -0,0 +1,19 @@
+digraph {
+d1[label="Root"]
+d2[label="Top dataverse of Pete"]
+d3[label="Pete's public place"]
+d4[label="Pete's restricted data"]
+d5[label="Pete's secrets"]
+d6[label="Top dataverse of Uma"]
+d7[label="Uma's first"]
+d8[label="Uma's restricted"]
+
+d1 -> d2
+d2 -> d3
+d2 -> d4
+d2 -> d5
+d1 -> d6
+d6 -> d7
+d6 -> d8
+
+}

scripts/issues/1380/explicitGroup1.json

@@ -0,0 +1,5 @@
+{
+ "description":"Sample Explicit Group",
+ "displayName":"Close Collaborators",
+ "aliasInOwner":"eg1"
+}

scripts/issues/1380/explicitGroup2.json

@@ -0,0 +1,5 @@
+{
+ "description":"Sample Explicit Group",
+ "displayName":"Not-So-Close Collaborators",
+ "aliasInOwner":"eg2"
+}

scripts/issues/1380/keys.txt

@@ -0,0 +1,3 @@
+Keys for P e t e and U m a. Produced by running setup-all.sh from the /scripts/api folder.
+Pete:757a6493-456a-4bf0-943e-9b559d551a3f
+Uma:8797f19b-b8aa-4f96-a789-1b99506f2eab

scripts/issues/1380/list-groups-for

@@ -0,0 +1,2 @@
+#!/bin/bash
+curl -s -X GET http://localhost:8080/api/test/explicitGroups/$1 | jq .

scripts/issues/1380/list-ip-groups.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+curl -X GET http://localhost:8080/api/admin/groups/ip | jq .

scripts/issues/1380/users.out

@@ -0,0 +1,6 @@
+{"status":"OK","data":{"user":{"id":4,"firstName":"Gabbi","lastName":"Guest","userName":"gabbi","affiliation":"low","position":"A Guest","email":"gabbi@malinator.com"},"authenticatedUser":{"id":4,"identifier":"@gabbi","displayName":"Gabbi Guest","firstName":"Gabbi","lastName":"Guest","email":"gabbi@malinator.com","superuser":false,"affiliation":"low","position":"A Guest","persistentUserId":"gabbi","authenticationProviderId":"builtin"},"apiToken":"d1940786-c315-491e-9812-a8ff809289cc"}}
+{"status":"OK","data":{"user":{"id":5,"firstName":"Cathy","lastName":"Collaborator","userName":"cathy","affiliation":"mid","position":"Data Scientist","email":"cathy@malinator.com"},"authenticatedUser":{"id":5,"identifier":"@cathy","displayName":"Cathy Collaborator","firstName":"Cathy","lastName":"Collaborator","email":"cathy@malinator.com","superuser":false,"affiliation":"mid","position":"Data Scientist","persistentUserId":"cathy","authenticationProviderId":"builtin"},"apiToken":"0ddfcb1e-fb51-4ce7-88ab-308b23e13e9a"}}
+{"status":"OK","data":{"user":{"id":6,"firstName":"Nick","lastName":"NSA","userName":"nick","affiliation":"gov","position":"Signals Intelligence","email":"nick@malinator.com"},"authenticatedUser":{"id":6,"identifier":"@nick","displayName":"Nick NSA","firstName":"Nick","lastName":"NSA","email":"nick@malinator.com","superuser":false,"affiliation":"gov","position":"Signals Intelligence","persistentUserId":"nick","authenticationProviderId":"builtin"},"apiToken":"6d74745d-1733-459a-ae29-422110056ec0"}}
+reporting API keys
+:result: Pete's key is: 757a6493-456a-4bf0-943e-9b559d551a3f
+:result: Uma's key is: 8797f19b-b8aa-4f96-a789-1b99506f2eab

scripts/search/tests/ipgroup-add

@@ -1,5 +1,5 @@
 #!/bin/sh
 . scripts/search/export-keys
-OUTPUT=`curl -s -X POST -d @scripts/api/data/ipGroup3.json http://localhost:8080/api/admin/groups/ip -H "Content-type:application/json"`
+OUTPUT=`curl -s -X POST -d @scripts/api/data/ipGroup-all.json http://localhost:8080/api/admin/groups/ip -H "Content-type:application/json"`
 echo $OUTPUT
 echo $OUTPUT | jq .

src/main/java/edu/harvard/iq/dataverse/DataFile.java

@@ -229,6 +229,11 @@ public String getOriginalFileFormat() {
         return null;
     }
 
+    @Override
+    public boolean isAncestorOf( DvObject other ) {
+        return equals(other);
+    }
+
     /*
      * A user-friendly version of the "original format":
      */

src/main/java/edu/harvard/iq/dataverse/Dataset.java

@@ -654,5 +654,9 @@ public String getDisplayName() {
     protected boolean isPermissionRoot() {
         return false;
     }
-
+
+    @Override
+    public boolean isAncestorOf( DvObject other ) {
+        return equals(other) || equals(other.getOwner());
+    }
 }

src/main/java/edu/harvard/iq/dataverse/DatasetPage.java

@@ -83,7 +83,6 @@
 
 import javax.faces.event.AjaxBehaviorEvent;
 
-import javax.faces.context.ExternalContext;
 import org.apache.commons.lang.StringEscapeUtils;
 
 import org.primefaces.component.tabview.TabView;
@@ -187,7 +186,6 @@ public enum DisplayMode {
     private List<Template> dataverseTemplates = new ArrayList();
     private Template defaultTemplate;
     private Template selectedTemplate;
-    private String globalId;
     private String persistentId;
     private String version;
     private String protocol = "";
@@ -322,11 +320,7 @@ public Long getMaxFileUploadSizeInBytes(){
     }
 
     public boolean isUnlimitedUploadFileSize(){
-
-        if (this.maxFileUploadSizeInBytes == null){
-            return true;
-        }
-        return false;
+        return (this.maxFileUploadSizeInBytes == null);
     }
 
     public boolean isMetadataExportEnabled() {
@@ -455,9 +449,8 @@ public boolean isNoDVsRemaining() {
      * Convenience method for "Download File" button display logic
      * 
      * Used by the dataset.xhtml render logic when listing files
-     *       > Assume user already has view access to the file list 
-     *         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^!!!
-     * 
+     * <b>Assumes user already has view access to the file list.</b>
+     *         
      * @param fileMetadata
      * @return boolean
      */
@@ -498,29 +491,13 @@ public boolean canDownloadFile(FileMetadata fileMetadata){
         }
 
         // --------------------------------------------------------------------
-        // Conditions (2) through (4) are for Restricted files
+        // Conditions (2) through (3) are for Restricted files
         // --------------------------------------------------------------------
 
         // --------------------------------------------------------------------
-        // (2) In Dataverse 4.3 and earlier we required that users be authenticated
-        // to download files, but in developing the Private URL feature, we have
-        // added a new subclass of "User" called "PrivateUrlUser" that returns false
-        // for isAuthenticated but that should be able to download restricted files
-        // when given the Member role (which includes the DownloadFile permission).
-        // This is consistent with how Builtin and Shib users (both are
-        // AuthenticatedUsers) can download restricted files when they are granted
-        // the Member role. For this reason condition 2 has been changed. Previously,
-        // we required isSessionUserAuthenticated to return true. Now we require
-        // that the User is not an instance of GuestUser, which is similar in
-        // spirit to the previous check.
-        // --------------------------------------------------------------------
-        if (session.getUser() instanceof GuestUser){
-            this.fileDownloadPermissionMap.put(fid, false);
-            return false;
-        }
-
-        // --------------------------------------------------------------------
-        // (3) Does the User have DownloadFile Permission at the **Dataset** level 
+        // (2) Does the User have DownloadFile Permission at the **Dataset** level 
+        // Michael: Leaving this in for now, but shouldn't this be alredy resolved
+        //          by the premission system, given that files are never permission roots?
         // --------------------------------------------------------------------
         if (this.doesSessionUserHaveDataSetPermission(Permission.DownloadFile)){
             // Yes, save answer and return true
@@ -529,15 +506,15 @@ public boolean canDownloadFile(FileMetadata fileMetadata){
         }
 
         // --------------------------------------------------------------------
-        // (4) Does the user has DownloadFile permission on the DataFile            
+        // (3) Does the user has DownloadFile permission on the DataFile            
         // --------------------------------------------------------------------
         if (this.permissionService.on(fileMetadata.getDataFile()).has(Permission.DownloadFile)){
             this.fileDownloadPermissionMap.put(fid, true);
             return true;
         }
 
         // --------------------------------------------------------------------
-        // (6) No download....
+        // (4) No download for you! Come back with permissions!
         // --------------------------------------------------------------------
         this.fileDownloadPermissionMap.put(fid, false);
 
@@ -558,7 +535,7 @@ public boolean isThumbnailAvailable(FileMetadata fileMetadata) {
 
     // Another convenience method - to cache Update Permission on the dataset: 
     public boolean canUpdateDataset() {
-        return permissionsWrapper.canUpdateDataset(this.session.getUser(), this.dataset);
+        return permissionsWrapper.canUpdateDataset(dvRequestService.getDataverseRequest(), this.dataset);
     }
 
     public boolean canPublishDataverse() {
@@ -579,42 +556,17 @@ public boolean canPublishDataverse() {
     //}
 
     public boolean canViewUnpublishedDataset() {
-        return permissionsWrapper.canViewUnpublishedDataset(this.session.getUser(), this.dataset);
-        //return doesSessionUserHaveDataSetPermission(Permission.ViewUnpublishedDataset);
+        return permissionsWrapper.canViewUnpublishedDataset( dvRequestService.getDataverseRequest(), dataset);
     }
 
-    private Boolean sessionUserAuthenticated = null;
-
-
     /* 
      * 4.2.1 optimization. 
      * HOWEVER, this doesn't appear to be saving us anything! 
      * i.e., it's just as cheap to use session.getUser().isAuthenticated() 
      * every time; it doesn't do any new db lookups. 
     */
     public boolean isSessionUserAuthenticated() {
-        logger.fine("entering isSessionUserAuthenticated;");
-        if (sessionUserAuthenticated != null) {
-            logger.fine("using cached isSessionUserAuthenticated;");
-
-            return sessionUserAuthenticated;
-        }
-
-        if (session == null) {
-            return false;
-        }
-
-        if (session.getUser() == null) {
-            return false;
-        }
-
-        if (session.getUser().isAuthenticated()) {
-            sessionUserAuthenticated = true; 
-            return true;
-        }
-
-        sessionUserAuthenticated = false;
-        return false;
+        return session.getUser().isAuthenticated();
     }
 
     /**