Add permissions check for organization related remote subscriptions
sleshchenko committed Aug 28, 2018
1 parent cd07f48 commit e5ee146
Showing 3 changed files with 104 additions and 3 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@
import org.eclipse.che.multiuser.organization.api.notification.OrganizationNotificationEmailSender;
import org.eclipse.che.multiuser.organization.api.permissions.OrganizationDomain;
import org.eclipse.che.multiuser.organization.api.permissions.OrganizationPermissionsFilter;
import org.eclipse.che.multiuser.organization.api.permissions.OrganizationRemoteSubscriptionPermissionsChecks;
import org.eclipse.che.multiuser.organization.api.permissions.OrganizationResourceDistributionServicePermissionsFilter;
import org.eclipse.che.multiuser.organization.api.permissions.OrganizationalAccountPermissionsChecker;
import org.eclipse.che.multiuser.organization.api.resource.DefaultOrganizationResourcesProvider;
Expand All @@ -43,6 +44,7 @@ public class OrganizationApiModule extends AbstractModule {
protected void configure() {
bind(OrganizationService.class);
bind(OrganizationPermissionsFilter.class);
bind(OrganizationRemoteSubscriptionPermissionsChecks.class);
bind(RemoveOrganizationOnLastUserRemovedEventSubscriber.class).asEagerSingleton();

Multibinder.newSetBinder(binder(), DefaultResourcesProvider.class)
Expand Down
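Review bot: `bind(OrganizationRemoteSubscriptionPermissionsChecks.class)` is a plain binding, so unless the injector runs in a stage that instantiates singletons eagerly or some other component injects this class, its `@Inject register(...)` method is never invoked and the two subscription checks are never registered with `RemoteSubscriptionPermissionManager` — the organization event methods would then stay unguarded while appearing protected. The neighbouring `RemoveOrganizationOnLastUserRemovedEventSubscriber` binding in the same method uses `.asEagerSingleton()` for exactly this register-by-side-effect pattern; `bind(OrganizationRemoteSubscriptionPermissionsChecks.class).asEagerSingleton();` would make the registration unconditional. `configure()` continues past the end of the hunk.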
Original file line number Diff line number Diff line change
Expand Up @@ -33,9 +33,8 @@ public class OrganizationEventsWebsocketBroadcaster {

private final RemoteSubscriptionManager remoteSubscriptionManager;

private static final String ORGANIZATION_MEMBERSHIP_METHOD_NAME =
"organization/membershipChanged";
private static final String ORGANIZATION_CHANGED_METHOD_NAME = "organization/statusChanged";
public static final String ORGANIZATION_MEMBERSHIP_METHOD_NAME = "organization/membershipChanged";
public static final String ORGANIZATION_CHANGED_METHOD_NAME = "organization/statusChanged";

@Inject
public OrganizationEventsWebsocketBroadcaster(
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
/*
* Copyright (c) 2012-2018 Red Hat, Inc.
* This program and the accompanying materials are made
* available under the terms of the Eclipse Public License 2.0
* which is available at https://www.eclipse.org/legal/epl-2.0/
*
* SPDX-License-Identifier: EPL-2.0
*
* Contributors:
* Red Hat, Inc. - initial API and implementation
*/
package org.eclipse.che.multiuser.organization.api.permissions;

import static org.eclipse.che.multiuser.organization.api.listener.OrganizationEventsWebsocketBroadcaster.ORGANIZATION_CHANGED_METHOD_NAME;
import static org.eclipse.che.multiuser.organization.api.listener.OrganizationEventsWebsocketBroadcaster.ORGANIZATION_MEMBERSHIP_METHOD_NAME;

import java.util.Map;
import javax.inject.Inject;
import javax.inject.Singleton;
import org.eclipse.che.api.core.ConflictException;
import org.eclipse.che.api.core.ForbiddenException;
import org.eclipse.che.api.core.NotFoundException;
import org.eclipse.che.api.core.ServerException;
import org.eclipse.che.commons.env.EnvironmentContext;
import org.eclipse.che.multiuser.api.permission.server.PermissionsManager;
import org.eclipse.che.multiuser.api.permission.server.jsonrpc.RemoteSubscriptionPermissionCheck;
import org.eclipse.che.multiuser.api.permission.server.jsonrpc.RemoteSubscriptionPermissionManager;
import org.eclipse.che.multiuser.api.permission.server.model.impl.AbstractPermissions;

/** @author Sergii Leshchenko */
@Singleton
public class OrganizationRemoteSubscriptionPermissionsChecks {

private final PermissionsManager permissionsManager;

@Inject
public OrganizationRemoteSubscriptionPermissionsChecks(PermissionsManager permissionsManager) {
this.permissionsManager = permissionsManager;
}

@Inject
public void register(RemoteSubscriptionPermissionManager permissionFilter) {
OrganizationMembershipsChangedSubscriptionPermissionsCheck membershipsEventsCheck =
new OrganizationMembershipsChangedSubscriptionPermissionsCheck();

permissionFilter.registerCheck(membershipsEventsCheck, ORGANIZATION_MEMBERSHIP_METHOD_NAME);

OrganizationChangedSubscriptionPermissionsCheck organizationChangedCheck =
new OrganizationChangedSubscriptionPermissionsCheck(permissionsManager);
permissionFilter.registerCheck(organizationChangedCheck, ORGANIZATION_CHANGED_METHOD_NAME);
}

private class OrganizationMembershipsChangedSubscriptionPermissionsCheck
implements RemoteSubscriptionPermissionCheck {

@Override
public void check(Map<String, String> scope) throws ForbiddenException {
String userId = scope.get("userId");
if (userId == null) {
throw new ForbiddenException("User id must be specified in scope");
}

String currentUserId = EnvironmentContext.getCurrent().getSubject().getUserId();

if (!currentUserId.equals(userId)) {
throw new ForbiddenException("It is only allowed to listen to own memberships changes");
}
}
}

private class OrganizationChangedSubscriptionPermissionsCheck
implements RemoteSubscriptionPermissionCheck {

private final PermissionsManager permissionsManager;

public OrganizationChangedSubscriptionPermissionsCheck(PermissionsManager permissionsManager) {
this.permissionsManager = permissionsManager;
}

@Override
public void check(Map<String, String> scope) throws ForbiddenException {
String organizationId = scope.get("organizationId");
if (organizationId == null) {
throw new ForbiddenException("Organization id must be specified in scope");
}

String currentUserId = EnvironmentContext.getCurrent().getSubject().getUserId();

try {
AbstractPermissions permissions =
permissionsManager.get(currentUserId, OrganizationDomain.DOMAIN_ID, organizationId);
} catch (ConflictException | ServerException e) {
throw new ForbiddenException("Error occured while permission fetching: " + e.getMessage());
} catch (NotFoundException e) {
throw new ForbiddenException(
"User doesn't have any permissions for the specified organization.");
}
}
}
}
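Review bot: In the membership check, `currentUserId.equals(userId)` uses the subject's user id as the receiver even though only the scope value was null-checked; if an unauthenticated or anonymous subject can reach this check with a null user id, the result is a NullPointerException rather than the intended ForbiddenException, so `if (!userId.equals(currentUserId))` is the safer ordering, and the same question applies to `currentUserId` before it is passed to `permissionsManager.get` in the organization check. In `OrganizationChangedSubscriptionPermissionsCheck.check` the `permissions` local is never read, so the call should be a bare statement with a comment such as `// only the NotFoundException outcome matters: any permission record grants read access to the events`, and the `ConflictException | ServerException` branch forwards the internal exception message to the subscriber — a fixed message with the cause logged server-side would avoid exposing it, and "occured" is misspelled. Both nested classes are non-static inner classes, and the second re-declares a `permissionsManager` field that the enclosing instance already holds; making them `private static class` (keeping the constructor argument) or dropping the duplicate field and using the outer one removes the redundancy. A class-level Javadoc naming the scope keys each check requires (`userId`, `organizationId`) would also help callers registering subscriptions.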
