diff --git a/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java b/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java index 93a27e0e97..2bd19cd68e 100644 --- a/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java +++ b/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java @@ -246,12 +246,6 @@ protected static void addAccessAttributes(HttpServletRequest req, String entityU for (RoleInfo role : roles) { RoleInfo roleCopy = role.clone(); roleInfos.add(roleCopy); - if (isPublicForbiddenOperation(operation)) { - if (roleCopy.isPublic) { - roleCopy.setEnabled(false); - roleCopy.setGranted(false); - } - } } getRolePolicyInformation(entityURI, aot, namedKeys, operation, roleInfos); } @@ -359,10 +353,6 @@ protected static void addNotRelatedPropertySuppressions(HttpServletRequest req, req.setAttribute(PROPERTY_SUPPRESSIONS_NOT_RELATED, propertySuppressionsToRoles); } - static boolean isPublicForbiddenOperation(AccessOperation operation) { - return operation.equals(AccessOperation.PUBLISH); - } - public static class RoleInfo { String uri; String label; diff --git a/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java b/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java index db98ba2a97..e7266b608c 100644 --- a/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java +++ b/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java 
@@ -244,9 +244,6 @@ private void updateEntityPermissions(HttpServletRequest request, String entityUr String operationGroupName = ao.toString().toLowerCase(); Set selectedRoles = getSelectedRoles(request, operationGroupName); for (RoleInfo role : roles) { - if (role.isPublic() && isPublicForbiddenOperation(ao)) { - continue; - } if (selectedRoles.contains(role.getUri())) { EntityPolicyController.grantAccess(entityUri, aot, ao, role.getUri()); } else { diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigrator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigrator.java index e4cea2785c..25608560e7 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigrator.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigrator.java @@ -1,5 +1,11 @@ package edu.cornell.mannlib.vitro.webapp.migration.auth; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.CLASS; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.DATA_PROPERTY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.FAUX_DATA_PROPERTY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.FAUX_OBJECT_PROPERTY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.OBJECT_PROPERTY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.OperationGroup.PUBLISH_GROUP; import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.ROLE_ADMIN_URI; import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.ROLE_CURATOR_URI; import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.ROLE_EDITOR_URI; 
@@ -89,6 +95,34 @@ protected void migrateConfiguration() { PolicyLoader.getInstance().loadPolicies(); } + protected void updatePublicPublishPermissions() { + Set group = Collections.singleton(PUBLISH_GROUP); + Set role = Collections.singleton(ROLE_PUBLIC_URI); + + log.info("Started annotation configuration conversion"); + Map>> opConfigs = getObjectPropertyAnnotations(); + log.info(String.format("Found %s object property annotation configurations", opConfigs.size())); + Map>> dpConfigs = getDataPropertyAnnotations(); + log.info(String.format("Found %s data property annotation configurations", dpConfigs.size())); + Map>> classConfigs = getClassAnnotations(); + log.info(String.format("Found %s class annotation configurations", classConfigs.size())); + Map>> fopConfigs = getFauxObjectPropertyAnnotations(opConfigs.keySet()); + log.info(String.format("Found %s faux object property annotation configurations", fopConfigs.size())); + Map>> fdpConfigs = getFauxDataPropertyAnnotations(dpConfigs.keySet()); + log.info(String.format("Found %s faux data property annotation configurations", fdpConfigs.size())); + + Long values = updatePolicyDatasets(OBJECT_PROPERTY, group, role, opConfigs); + log.info(String.format("Added %d values in object property datasets.", values)); + values = updatePolicyDatasets(DATA_PROPERTY, group, role, dpConfigs); + log.info(String.format("Added %d values in data property datasets.", values)); + values = updatePolicyDatasets(CLASS, group, role, classConfigs); + log.info(String.format("Added %d values in class property datasets.", values)); + values = updatePolicyDatasets(FAUX_OBJECT_PROPERTY, group, role, fopConfigs); + log.info(String.format("Added %d values in faux object property datasets.", values)); + values = updatePolicyDatasets(FAUX_DATA_PROPERTY, group, role, fdpConfigs); + log.info(String.format("Added %d values in faux data property datasets.", values)); + } + protected Map>> getFauxDataPropertyAnnotations(Set dataProperties) { String 
queryText = getAnnotationQuery(fauxTypeSpecificPatterns); return getFauxConfigurations(queryText, configurationRdfService, dataProperties); @@ -162,7 +196,6 @@ private void collectConfiguration(Map>> String publishAnnotation = qs.getResource("publish").getURI(); Set publishRoles = new HashSet<>(showMap.get(publishAnnotation)); - publishRoles.remove(ROLE_PUBLIC_URI); String updateAnnotation = qs.getResource("update").getURI(); Set updateRoles = new HashSet<>(showMap.get(updateAnnotation)); @@ -191,10 +224,7 @@ private static Long[] updatePolicyDatasets(AccessObjectType aot, EntityPolicyController.getDataValueStatements(entityUri, aot, ao, rolesToAdd, additions); Set rolesToRemove = new HashSet<>(ALL_ROLES); rolesToRemove.removeAll(rolesToAdd); - // Don't remove public publish and update data sets, as there are no public policies for that - // operation - // groups - if (OperationGroup.PUBLISH_GROUP.equals(og) || OperationGroup.UPDATE_GROUP.equals(og)) { + if (OperationGroup.UPDATE_GROUP.equals(og)) { rolesToRemove.remove(ROLE_PUBLIC_URI); } if (!rolesToRemove.isEmpty()) { 
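Review bot: The first log line of the new `updatePublicPublishPermissions` reuses the full migration's wording, `log.info("Started annotation configuration conversion")`, so an upgrade log cannot tell this additive v1→v2 public-PUBLISH step from a complete rewrite of the authorization configuration; change it to `log.info("Started granting PUBLISH to the public role from legacy annotations")`. The five "Found %s ... configurations" lines count every annotation configuration although only the PUBLISH_GROUP/ROLE_PUBLIC_URI slice is applied, so the "Added %d values" lines are the ones an operator should audit after upgrade — a Javadoc stating that this step only ever adds public PUBLISH grants (never revokes) and relies on the per-entity "Granted access" logging for the audit trail would make that explicit. `Long values` boxes the `long` the overload returns on every assignment; declare it `long values`. The UI and controller guards that previously kept the public role out of PUBLISH are removed elsewhere in this commit, so after this step access for the public role to the listed entities is decided solely by the policy data written here.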
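Review bot: The remaining `UPDATE_GROUP` special case keeps ROLE_PUBLIC_URI out of `rolesToRemove`, but the comment that explained it was deleted together with the PUBLISH_GROUP half of the condition, so the exemption now reads like an oversight next to the newly supported public publish data sets; add `// Public has no UPDATE data sets (no public policies for that group), so there is nothing to remove` above the `if`. The comment should also say that PUBLISH is intentionally no longer exempt because `PublicPublish*` data set values are now both added and removed here. The enclosing `updatePolicyDatasets(AccessObjectType, ...)` starts and ends outside this hunk.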
@@ -213,6 +243,33 @@ private static Long[] updatePolicyDatasets(AccessObjectType aot, return new Long[] { getLineCount(additions.toString()), getLineCount(removals.toString()) }; } + + private static long updatePolicyDatasets(AccessObjectType aot, Set ogs, Set roles, + Map>> configs) { + StringBuilder additions = new StringBuilder(); + for (String entityUri : configs.keySet()) { + Map> groupMap = configs.get(entityUri); + Set currentOperationGroups = new HashSet(groupMap.keySet()); + currentOperationGroups.retainAll(ogs); + for (OperationGroup og : currentOperationGroups) { + for (AccessOperation ao : OperationGroup.getOperations(og)) { + Set rolesToAdd = new HashSet(groupMap.get(og)); + rolesToAdd.retainAll(roles); + if (!rolesToAdd.isEmpty()) { + log.info(String.format("Granted access to %s %s %s for roles %s", ao, aot, entityUri, + rolesToString(rolesToAdd))); + } + EntityPolicyController.getDataValueStatements(entityUri, aot, ao, rolesToAdd, additions); + log.debug(String.format( + "Updated entity %s dataset for operation group %s access object type %s roles %s", + entityUri, og, aot, rolesToAdd)); + } + } + } + PolicyLoader.getInstance().updateAccessControlModel(additions.toString(), true); + return getLineCount(additions.toString()); + } + private static Object rolesToString(Set roles) { String result = ""; for (String roleUri : roles) { diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java index 4deda945a4..9697d3cf98 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java 
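Review bot: The `Granted access to ...` info line in the new `updatePolicyDatasets` overload is written before `getDataValueStatements` runs and before the single `updateAccessControlModel` call at the end, so if that write throws, the log already records grants to the public role that never happened. Either word it as an intent (`"Granting access to %s %s %s for roles %s"`) or collect the granted entries and log them after the update returns. The overload shares its name with the add-and-remove variant above it but never removes anything and returns only the addition count, which is easy to misread from a call site; a Javadoc such as "Adds data set values for the given operation groups and roles only; existing grants are never revoked" (or a name like `addPolicyDatasetValues`) would make the one-way behaviour explicit. `additions.toString()` is built twice at the end; capture it once. `getDataValueStatements` is still invoked when `rolesToAdd` is empty, which is presumably a no-op but worth a guard if that call is not free.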
@@ -32,6 +32,7 @@ public class AuthMigrator implements ServletContextListener { + private static final long CURRENT_VERSION = 2; private static final Log log = LogFactory.getLog(AuthMigrator.class); protected static final Set ALL_ROLES = new HashSet( Arrays.asList(ROLE_ADMIN_URI, ROLE_CURATOR_URI, ROLE_EDITOR_URI, ROLE_SELF_EDITOR_URI, ROLE_PUBLIC_URI)); @@ -72,6 +73,33 @@ public void contextInitialized(ServletContextEvent sce) { if (!isMigrationRequired()) { return; } + long currentVersion = getVersion(); + if (currentVersion == 0) { + runCompleteMigration(sce, begin); + } else if (currentVersion == 1) { + migratePublishPublicPermissions(sce, begin); + } + } + + private void migratePublishPublicPermissions(ServletContextEvent sce, long begin) { + ServletContext ctx = sce.getServletContext(); + StartupStatus ss = StartupStatus.getBean(ctx); + log.info("Started publish permissions authorization reconfiguration for public role"); + convertPublicPublishPermissions(); + ss.info(this, secondsSince(begin) + " seconds spent to reconfigure publish permissions for public role"); + removeVersion(getVersion()); + setVersion(CURRENT_VERSION); + log.info(String.format("Updated access control configuration to version %d", CURRENT_VERSION)); + PolicyLoader.getInstance().loadPolicies(); + log.info("Reloaded all policies after migration"); + } + + private void convertPublicPublishPermissions() { + AnnotationMigrator annotationMigrator = new AnnotationMigrator(contentRdfService, configurationRdfService); + annotationMigrator.updatePublicPublishPermissions(); + } + + private void runCompleteMigration(ServletContextEvent sce, long begin) { ServletContext ctx = sce.getServletContext(); StartupStatus ss = StartupStatus.getBean(ctx); log.info("Started authorization configuration update"); 
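Review bot: `migratePublishPublicPermissions` writes values for the `PublicPublish*` data sets, but the definitions of those data sets, keys and value sets are added by this commit only to the `firsttime` templates; if those templates are loaded just on a fresh install (the loader is not visible here), an instance upgraded from version 1 receives the value statements without any DataSet or DataSetKey tying them to the policy, and the intended public PUBLISH grants silently never take effect. The v1→v2 step should ensure the new data set definitions exist in the configuration model before writing values — or at least query for one of them and log a warning when it is absent. The version is also read twice, once into `currentVersion` in `contextInitialized` and again in `removeVersion(getVersion())`; pass the already-read value into the method and use `removeVersion(currentVersion)`. Because the version is bumped only after `convertPublicPublishPermissions` completes, a failure mid-way leaves version 1 and the additive step simply re-runs on the next start, which looks intentional and is worth stating in a comment.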
@@ -97,7 +125,8 @@ protected void convertAuthorizationConfiguration() { } migrateSimplePermissions(); removeVersion(getVersion()); - setVersion(1L); + setVersion(CURRENT_VERSION); + log.info(String.format("Updated access control configuration to version %d", CURRENT_VERSION)); } private void migrateSimplePermissions() { @@ -112,7 +141,7 @@ private void migrateAnnotationConfiguation() { } private boolean isMigrationRequired() { - if (getVersion() == 0L) { + if (getVersion() < CURRENT_VERSION) { return true; } return false; @@ -120,7 +149,6 @@ private boolean isMigrationRequired() { protected long getVersion() { long version = 0L; - try { ResultSet rs = RDFServiceUtils.sparqlSelectQuery(VERSION_QUERY, configurationRdfService); while (rs.hasNext()) { diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_class.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_class.n3 index d35a71c5f8..adaa110ac8 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_class.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_class.n3 @@ -20,6 +20,7 @@ access:hasDataSet :CuratorUpdateClassDataSet ; access:hasDataSet :AdminUpdateClassDataSet ; + access:hasDataSet :PublicPublishClassDataSet ; access:hasDataSet :SelfEditorPublishClassDataSet ; access:hasDataSet :EditorPublishClassDataSet ; access:hasDataSet :CuratorPublishClassDataSet ; 
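Review bot: `isMigrationRequired` now admits any version below `CURRENT_VERSION`, but the dispatch in `contextInitialized` handles only `== 0` and `== 1` by exact match, so when CURRENT_VERSION moves to 3 a version-1 instance would need two steps that nobody runs; a loop applying one step per version (`while (version < CURRENT_VERSION)`) keeps the two in sync. The method body itself can be `return getVersion() < CURRENT_VERSION;`. The adjacent hunk in `getVersion` removes the `try {` around the SPARQL version query while its catch is not visible here, so confirm what a failed read now does — previously a swallowed failure presumably fell back to the `0L` default, which would trigger a full re-migration of the authorization configuration, and failing fast is the safer behaviour for that case.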
@@ -251,6 +252,20 @@ access:hasKeyComponent access-individual:AdminRoleUri ; access:hasKeyComponent access-individual:UpdateOperation . +### Public publish class uri data sets + +:PublicPublishClassDataSet a access:DataSet ; + access:hasDataSetKey :PublicPublishClassDataSetKey ; + access:hasRelatedValueSet access-individual:PublicRoleValueSet ; + access:hasRelatedValueSet access-individual:ClassValueSet ; + access:hasRelatedValueSet access-individual:PublishOperationValueSet ; + access:hasRelatedValueSet :PublicPublishClassValueSet . + +:PublicPublishClassDataSetKey a access:DataSetKey ; + access:hasKeyComponent access-individual:Class ; + access:hasKeyComponent access-individual:PublicRoleUri ; + access:hasKeyComponent access-individual:PublishOperation . + ### Self editor publish class uri data sets :SelfEditorPublishClassDataSet a access:DataSet ; @@ -348,6 +363,7 @@ access:values :EditorPublishClassValueSet ; access:values :EditorDisplayClassValueSet ; access:values :EditorUpdateClassValueSet ; + access:values :PublicPublishClassValueSet ; access:values :SelfEditorPublishClassValueSet ; access:values :SelfEditorDisplayClassValueSet ; access:values :SelfEditorUpdateClassValueSet ; @@ -382,6 +398,9 @@ :EditorUpdateClassValueSet a access:ValueSet ; access:containsElementsOfType access-individual:Class . +:PublicPublishClassValueSet a access:ValueSet ; + access:containsElementsOfType access-individual:Class . + :SelfEditorPublishClassValueSet a access:ValueSet ; access:containsElementsOfType access-individual:Class . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_property.n3 index a4f4be4415..9fd8953162 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_property.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_property.n3 
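Review bot: `:PublicPublishClassValueSet` is declared with `containsElementsOfType` but no members, so the public role gets PUBLISH on no class until a grant is written — the right default for an allow-list, but it is stated nowhere in the template; extend the section comment to `### Public publish class uri data sets (empty by default; populated only by explicit grants or the v1->v2 migration)`. Since other hunks of this commit remove the code that used to keep this role out of PUBLISH, this value set appears to be what now decides whether a request in the public role (presumably the unauthenticated principal) may publish a class, and that deserves a sentence in the template.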
@@ -30,18 +30,22 @@ access:hasDataSet :CuratorDisplayFauxDataPropertyDataSet ; access:hasDataSet :AdminDisplayFauxDataPropertyDataSet ; + access:hasDataSet :PublicPublishObjectPropertyDataSet ; access:hasDataSet :EditorPublishObjectPropertyDataSet ; access:hasDataSet :CuratorPublishObjectPropertyDataSet ; access:hasDataSet :AdminPublishObjectPropertyDataSet ; + access:hasDataSet :PublicPublishDataPropertyDataSet ; access:hasDataSet :EditorPublishDataPropertyDataSet ; access:hasDataSet :CuratorPublishDataPropertyDataSet ; access:hasDataSet :AdminPublishDataPropertyDataSet ; + access:hasDataSet :PublicPublishFauxObjectPropertyDataSet ; access:hasDataSet :EditorPublishFauxObjectPropertyDataSet ; access:hasDataSet :CuratorPublishFauxObjectPropertyDataSet ; access:hasDataSet :AdminPublishFauxObjectPropertyDataSet ; + access:hasDataSet :PublicPublishFauxDataPropertyDataSet ; access:hasDataSet :EditorPublishFauxDataPropertyDataSet ; access:hasDataSet :CuratorPublishFauxDataPropertyDataSet ; access:hasDataSet :AdminPublishFauxDataPropertyDataSet ; 
@@ -1583,6 +1587,19 @@ ### Publish object property data sets +:PublicPublishObjectPropertyDataSet a access:DataSet ; + access:hasDataSetKey :PublicPublishObjectPropertyDataSetKey ; + access:hasRelatedValueSet access-individual:PublicRoleValueSet ; + access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ; + access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ; + access:hasRelatedValueSet access-individual:PublishOperationValueSet ; + access:hasRelatedValueSet :PublicPublishObjectPropertyValueSet . + +:PublicPublishObjectPropertyDataSetKey a access:DataSetKey ; + access:hasKeyComponent access-individual:ObjectProperty ; + access:hasKeyComponent access-individual:PublicRoleUri ; + access:hasKeyComponent access-individual:PublishOperation . + :EditorPublishObjectPropertyDataSet a access:DataSet ; access:hasDataSetKey :EditorPublishObjectPropertyDataSetKey ; access:hasRelatedValueSet access-individual:EditorRoleValueSet ; @@ -1624,6 +1641,19 @@ ### Publish data property data sets +:PublicPublishDataPropertyDataSet a access:DataSet ; + access:hasDataSetKey :PublicPublishDataPropertyDataSetKey ; + access:hasRelatedValueSet access-individual:PublicRoleValueSet ; + access:hasRelatedValueSet access-individual:DataPropertyValueSet ; + access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ; + access:hasRelatedValueSet access-individual:PublishOperationValueSet ; + access:hasRelatedValueSet :PublicPublishDataPropertyValueSet . + +:PublicPublishDataPropertyDataSetKey a access:DataSetKey ; + access:hasKeyComponent access-individual:DataProperty ; + access:hasKeyComponent access-individual:PublicRoleUri ; + access:hasKeyComponent access-individual:PublishOperation . + :EditorPublishDataPropertyDataSet a access:DataSet ; access:hasDataSetKey :EditorPublishDataPropertyDataSetKey ; access:hasRelatedValueSet access-individual:EditorRoleValueSet ; 
@@ -1665,6 +1695,19 @@ ### Publish faux object property data sets +:PublicPublishFauxObjectPropertyDataSet a access:DataSet ; + access:hasDataSetKey :PublicPublishFauxObjectPropertyDataSetKey ; + access:hasRelatedValueSet access-individual:PublicRoleValueSet ; + access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ; + access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ; + access:hasRelatedValueSet access-individual:PublishOperationValueSet ; + access:hasRelatedValueSet :PublicPublishFauxObjectPropertyValueSet . + +:PublicPublishFauxObjectPropertyDataSetKey a access:DataSetKey ; + access:hasKeyComponent access-individual:FauxObjectProperty ; + access:hasKeyComponent access-individual:PublicRoleUri ; + access:hasKeyComponent access-individual:PublishOperation . + :EditorPublishFauxObjectPropertyDataSet a access:DataSet ; access:hasDataSetKey :EditorPublishFauxObjectPropertyDataSetKey ; access:hasRelatedValueSet access-individual:EditorRoleValueSet ; @@ -1706,6 +1749,19 @@ ### Publish faux data property data sets +:PublicPublishFauxDataPropertyDataSet a access:DataSet ; + access:hasDataSetKey :PublicPublishFauxDataPropertyDataSetKey ; + access:hasRelatedValueSet access-individual:PublicRoleValueSet ; + access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ; + access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ; + access:hasRelatedValueSet access-individual:PublishOperationValueSet ; + access:hasRelatedValueSet :PublicPublishFauxDataPropertyValueSet . + +:PublicPublishFauxDataPropertyDataSetKey a access:DataSetKey ; + access:hasKeyComponent access-individual:FauxDataProperty ; + access:hasKeyComponent access-individual:PublicRoleUri ; + access:hasKeyComponent access-individual:PublishOperation . + :EditorPublishFauxDataPropertyDataSet a access:DataSet ; access:hasDataSetKey :EditorPublishFauxDataPropertyDataSetKey ; access:hasRelatedValueSet access-individual:EditorRoleValueSet ; 
@@ -1817,18 +1873,22 @@ access:values :CuratorDisplayFauxDataPropertyValueSet ; access:values :AdminDisplayFauxDataPropertyValueSet ; + access:values :PublicPublishObjectPropertyValueSet ; access:values :EditorPublishObjectPropertyValueSet ; access:values :CuratorPublishObjectPropertyValueSet ; access:values :AdminPublishObjectPropertyValueSet ; + access:values :PublicPublishDataPropertyValueSet ; access:values :EditorPublishDataPropertyValueSet ; access:values :CuratorPublishDataPropertyValueSet ; access:values :AdminPublishDataPropertyValueSet ; + access:values :PublicPublishFauxObjectPropertyValueSet ; access:values :EditorPublishFauxObjectPropertyValueSet ; access:values :CuratorPublishFauxObjectPropertyValueSet ; access:values :AdminPublishFauxObjectPropertyValueSet ; + access:values :PublicPublishFauxDataPropertyValueSet ; access:values :EditorPublishFauxDataPropertyValueSet ; access:values :CuratorPublishFauxDataPropertyValueSet ; access:values :AdminPublishFauxDataPropertyValueSet ; 
@@ -1917,18 +1977,22 @@ access:values :CuratorDisplayFauxDataPropertyValueSet ; access:values :AdminDisplayFauxDataPropertyValueSet ; + access:values :PublicPublishObjectPropertyValueSet ; access:values :EditorPublishObjectPropertyValueSet ; access:values :CuratorPublishObjectPropertyValueSet ; access:values :AdminPublishObjectPropertyValueSet ; + access:values :PublicPublishDataPropertyValueSet ; access:values :EditorPublishDataPropertyValueSet ; access:values :CuratorPublishDataPropertyValueSet ; access:values :AdminPublishDataPropertyValueSet ; + access:values :PublicPublishFauxObjectPropertyValueSet ; access:values :EditorPublishFauxObjectPropertyValueSet ; access:values :CuratorPublishFauxObjectPropertyValueSet ; access:values :AdminPublishFauxObjectPropertyValueSet ; + access:values :PublicPublishFauxDataPropertyValueSet ; access:values :EditorPublishFauxDataPropertyValueSet ; access:values :CuratorPublishFauxDataPropertyValueSet ; access:values :AdminPublishFauxDataPropertyValueSet ; @@ -2139,6 +2203,8 @@ :AdminDisplayFauxDataPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:FauxDataProperty . +:PublicPublishObjectPropertyValueSet a access:ValueSet ; + access:containsElementsOfType access-individual:ObjectProperty . :EditorPublishObjectPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:ObjectProperty . :CuratorPublishObjectPropertyValueSet a access:ValueSet ; @@ -2146,6 +2212,8 @@ :AdminPublishObjectPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:ObjectProperty . +:PublicPublishDataPropertyValueSet a access:ValueSet ; + access:containsElementsOfType access-individual:DataProperty . :EditorPublishDataPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:DataProperty . :CuratorPublishDataPropertyValueSet a access:ValueSet ; 
@@ -2153,6 +2221,8 @@ :AdminPublishDataPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:DataProperty . +:PublicPublishFauxObjectPropertyValueSet a access:ValueSet ; + access:containsElementsOfType access-individual:FauxObjectProperty . :EditorPublishFauxObjectPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:FauxObjectProperty . :CuratorPublishFauxObjectPropertyValueSet a access:ValueSet ; @@ -2160,6 +2230,8 @@ :AdminPublishFauxObjectPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:FauxObjectProperty . +:PublicPublishFauxDataPropertyValueSet a access:ValueSet ; + access:containsElementsOfType access-individual:FauxDataProperty . :EditorPublishFauxDataPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:FauxDataProperty . :CuratorPublishFauxDataPropertyValueSet a access:ValueSet ;