Merge pull request #146 from SawamiWataru/Issue-66-Limit-unit-user-pr…

…ivilege Issue 66 limit unit user privilege
personium · Feb 20, 2018 · 4f57c13 · 4f57c13
2 parents 2e3d612 + 3b73830
commit 4f57c13
Show file tree

Hide file tree

Showing 17 changed files with 1,423 additions and 852 deletions.
diff --git a/src/main/java/io/personium/core/auth/AccessContext.java b/src/main/java/io/personium/core/auth/AccessContext.java
diff --git a/src/main/java/io/personium/core/auth/BoxPrivilege.java b/src/main/java/io/personium/core/auth/BoxPrivilege.java
@@ -20,74 +20,44 @@
 import java.util.Map;
 
 /**
- * WebDAVACLのPrivilege.
+ * Privilege of box.
  */
 public final class BoxPrivilege extends Privilege {
-    /**
-     * コンストラクタ.
-     * @param name Privilege名
-     */
-    BoxPrivilege(final String name) {
-        super(name);
-    }
 
     /**
-     * コンストラクタ.
-     * @param name Privilege名
-     * @param parent 親Privilege
+     * Constructor.
+     * @param name Name
+     * @param accessType Access type
+     * @param parent Parent privilege
      */
-    BoxPrivilege(final String name, final Privilege parent) {
-        super(name, parent);
+    BoxPrivilege(String name, String accessType, Privilege parent) {
+        super(name, accessType, parent);
     }
 
-    /**
-     * すべての権限.
-     */
-    public static final BoxPrivilege ALL = new BoxPrivilege("all", CellPrivilege.ROOT);
-    /**
-     * リード権限.
-     */
-    public static final BoxPrivilege READ = new BoxPrivilege("read", ALL);
-    /**
-     * 属性リード権限.READ権限に含まれます.
-     */
-    public static final BoxPrivilege READ_PROPERTIES = new BoxPrivilege("read-properties", READ);
-    /**
-     * ACLリード権限. READ権限に含まれず、ALL権限にのみ含まれます.
-     */
-    public static final BoxPrivilege READ_ACL = new BoxPrivilege("read-acl", ALL);
-    /**
-     * ライト権限.ALL権限に含まれます.
-     */
-    public static final BoxPrivilege WRITE = new BoxPrivilege("write", ALL);
-    /**
-     * ACLライト権限. WRITE権限に含まれまれず、ALLにのみ含まれます。
-     */
-    public static final BoxPrivilege WRITE_ACL = new BoxPrivilege("write-acl", ALL);
-    /**
-     * BIND権限. WRITE権限に含まれます.
-     */
-    public static final BoxPrivilege BIND = new BoxPrivilege("bind", WRITE);
-    /**
-     * UNBIND権限. WRITE権限に含まれます.
-     */
-    public static final BoxPrivilege UNBIND = new BoxPrivilege("unbind", WRITE);
-    /**
-     * 内容ライト権限. WRITE権限に含まれます.
-     */
-    public static final BoxPrivilege WRITE_CONTENT = new BoxPrivilege("write-content", WRITE);
-    /**
-     * 属性ライト権限. WRITE権限に含まれます.
-     */
-    public static final BoxPrivilege WRITE_PROPERTIES = new BoxPrivilege("write-properties", WRITE);
-    /**
-     * サービス実行権限.ALL権限に含まれます.
-     */
-    public static final BoxPrivilege EXEC = new BoxPrivilege("exec", ALL);
-    /**
-     * スキーマ変更権限.ALL権限に含まれます.
-     */
-    public static final BoxPrivilege ALTER_SCHEMA = new BoxPrivilege("alter-schema", ALL);
+    /** すべての権限. */
+    public static final BoxPrivilege ALL = new BoxPrivilege("all", ACCESS_TYPE_ALL, CellPrivilege.ROOT);
+    /** リード権限. */
+    public static final BoxPrivilege READ = new BoxPrivilege("read", ACCESS_TYPE_READ, ALL);
+    /** 属性リード権限.READ権限に含まれます. */
+    public static final BoxPrivilege READ_PROPERTIES = new BoxPrivilege("read-properties", ACCESS_TYPE_READ, READ);
+    /** ACLリード権限. READ権限に含まれず、ALL権限にのみ含まれます. */
+    public static final BoxPrivilege READ_ACL = new BoxPrivilege("read-acl", ACCESS_TYPE_READ, ALL);
+    /** ライト権限.ALL権限に含まれます. */
+    public static final BoxPrivilege WRITE = new BoxPrivilege("write", ACCESS_TYPE_WRITE, ALL);
+    /** ACLライト権限. WRITE権限に含まれまれず、ALLにのみ含まれます。 */
+    public static final BoxPrivilege WRITE_ACL = new BoxPrivilege("write-acl", ACCESS_TYPE_WRITE, ALL);
+    /** BIND権限. WRITE権限に含まれます. */
+    public static final BoxPrivilege BIND = new BoxPrivilege("bind", ACCESS_TYPE_WRITE, WRITE);
+    /** UNBIND権限. WRITE権限に含まれます. */
+    public static final BoxPrivilege UNBIND = new BoxPrivilege("unbind", ACCESS_TYPE_WRITE, WRITE);
+    /** 内容ライト権限. WRITE権限に含まれます. */
+    public static final BoxPrivilege WRITE_CONTENT = new BoxPrivilege("write-content", ACCESS_TYPE_WRITE, WRITE);
+    /** 属性ライト権限. WRITE権限に含まれます. */
+    public static final BoxPrivilege WRITE_PROPERTIES = new BoxPrivilege("write-properties", ACCESS_TYPE_WRITE, WRITE);
+    /** サービス実行権限.ALL権限に含まれます. */
+    public static final BoxPrivilege EXEC = new BoxPrivilege("exec", ACCESS_TYPE_EXEC, ALL);
+    /** スキーマ変更権限.ALL権限に含まれます. */
+    public static final BoxPrivilege ALTER_SCHEMA = new BoxPrivilege("alter-schema", ACCESS_TYPE_WRITE, ALL);
 
     static Map<String, BoxPrivilege> map = new HashMap<String, BoxPrivilege>();
 

diff --git a/src/main/java/io/personium/core/auth/CellPrivilege.java b/src/main/java/io/personium/core/auth/CellPrivilege.java
@@ -20,102 +20,58 @@
 import java.util.Map;
 
 /**
- * WebDAVACLのPrivilege.
+ * Privilege of cell.
  */
-public final class CellPrivilege extends Privilege {
-    /**
-     * コンストラクタ.
-     * @param name Privilege名
-     */
-    CellPrivilege(final String name) {
-        super(name);
-    }
+public class CellPrivilege extends Privilege {
 
     /**
-     * コンストラクタ.
-     * @param name Privilege名
-     * @param parent 親Privilege
+     * Constructor.
+     * @param name Name
+     * @param accessType Access type
+     * @param parent Parent privilege
      */
-    CellPrivilege(final String name, final CellPrivilege parent) {
-        super(name, parent);
+    CellPrivilege(String name, String accessType, Privilege parent) {
+        super(name, accessType, parent);
     }
 
-    /**
-     * すべての権限.
-     */
-    public static final CellPrivilege ROOT = new CellPrivilege("root");
-    /**
-     * Account, Role, extRole グループ操作権限.
-     */
-    public static final CellPrivilege AUTH = new CellPrivilege("auth", ROOT);
-    /**
-     * AUTHグループ read権限.
-     */
-    public static final CellPrivilege AUTH_READ = new CellPrivilege("auth-read", AUTH);
-    /**
-     * ReceivedMessage, SentMessage グループ操作権限.
-     */
-    public static final CellPrivilege MESSAGE = new CellPrivilege("message", ROOT);
-    /**
-     * MESSAGEグループ read権限.
-     */
-    public static final CellPrivilege MESSAGE_READ = new CellPrivilege("message-read", MESSAGE);
-    /**
-     * event, log グループ操作権限.
-     */
-    public static final CellPrivilege EVENT = new CellPrivilege("event", ROOT);
-    /**
-     * EVENTグループ read権限.
-     */
-    public static final CellPrivilege EVENT_READ = new CellPrivilege("event-read", EVENT);
-    /**
-     * log 操作権限.
-     */
-    public static final CellPrivilege LOG = new CellPrivilege("log", ROOT);
-    /**
-     * log read権限.
-     */
-    public static final CellPrivilege LOG_READ = new CellPrivilege("log-read", LOG);
-    /**
-     * relation, extCell グループ操作権限.
-     */
-    public static final CellPrivilege SOCIAL = new CellPrivilege("social", ROOT);
-    /**
-     * SOCIALグループ read権限.
-     */
-    public static final CellPrivilege SOCIAL_READ = new CellPrivilege("social-read", SOCIAL);
-    /**
-     * Box グループ操作権限.
-     */
-    public static final CellPrivilege BOX = new CellPrivilege("box", ROOT);
-    /**
-     * BOXグループ read権限.
-     */
-    public static final CellPrivilege BOX_READ = new CellPrivilege("box-read", BOX);
-    /**
-     * BOXグループ bar-install権限.
-     */
-    public static final CellPrivilege BOX_BAR_INSTALL = new CellPrivilege("box-install", BOX);
-    /**
-     * ACL グループ操作権限.
-     */
-    public static final CellPrivilege ACL = new CellPrivilege("acl", ROOT);
-    /**
-     * ACLグループ read権限.
-     */
-    public static final CellPrivilege ACL_READ = new CellPrivilege("acl-read", ACL);
-    /**
-     * PROPFIND権限.
-     */
-    public static final CellPrivilege PROPFIND = new CellPrivilege("propfind", ROOT);
-    /**
-     * Rule operation privilege.
-     */
-    public static final CellPrivilege RULE = new CellPrivilege("rule", ROOT);
-    /**
-     * Rule read privilege.
-     */
-    public static final CellPrivilege RULE_READ = new CellPrivilege("rule-read", RULE);
+    /** すべての権限. */
+    public static final CellPrivilege ROOT = new CellPrivilege("root", ACCESS_TYPE_ALL, null);
+    /** Account, Role, extRole グループ操作権限. */
+    public static final CellPrivilege AUTH = new CellPrivilege("auth", ACCESS_TYPE_WRITE, ROOT);
+    /** AUTHグループ read権限. */
+    public static final CellPrivilege AUTH_READ = new CellPrivilege("auth-read", ACCESS_TYPE_READ, AUTH);
+    /** ReceivedMessage, SentMessage グループ操作権限. */
+    public static final CellPrivilege MESSAGE = new CellPrivilege("message", ACCESS_TYPE_WRITE, ROOT);
+    /** MESSAGEグループ read権限. */
+    public static final CellPrivilege MESSAGE_READ = new CellPrivilege("message-read", ACCESS_TYPE_READ, MESSAGE);
+    /** event, log グループ操作権限. */
+    public static final CellPrivilege EVENT = new CellPrivilege("event", ACCESS_TYPE_WRITE, ROOT);
+    /** EVENTグループ read権限. */
+    public static final CellPrivilege EVENT_READ = new CellPrivilege("event-read", ACCESS_TYPE_READ, EVENT);
+    /** log 操作権限. */
+    public static final CellPrivilege LOG = new CellPrivilege("log", ACCESS_TYPE_WRITE, ROOT);
+    /** log read権限. */
+    public static final CellPrivilege LOG_READ = new CellPrivilege("log-read", ACCESS_TYPE_READ, LOG);
+    /** relation, extCell グループ操作権限. */
+    public static final CellPrivilege SOCIAL = new CellPrivilege("social", ACCESS_TYPE_WRITE, ROOT);
+    /** SOCIALグループ read権限. */
+    public static final CellPrivilege SOCIAL_READ = new CellPrivilege("social-read", ACCESS_TYPE_READ, SOCIAL);
+    /** Box グループ操作権限. */
+    public static final CellPrivilege BOX = new CellPrivilege("box", ACCESS_TYPE_WRITE, ROOT);
+    /** BOXグループ read権限. */
+    public static final CellPrivilege BOX_READ = new CellPrivilege("box-read", ACCESS_TYPE_READ, BOX);
+    /** BOXグループ bar-install権限. */
+    public static final CellPrivilege BOX_BAR_INSTALL = new CellPrivilege("box-install", ACCESS_TYPE_WRITE, BOX);
+    /** ACL グループ操作権限. */
+    public static final CellPrivilege ACL = new CellPrivilege("acl", ACCESS_TYPE_WRITE, ROOT);
+    /** ACLグループ read権限. */
+    public static final CellPrivilege ACL_READ = new CellPrivilege("acl-read", ACCESS_TYPE_READ, ACL);
+    /** PROPFIND権限. */
+    public static final CellPrivilege PROPFIND = new CellPrivilege("propfind", ACCESS_TYPE_READ, ROOT);
+    /** Rule operation privilege. */
+    public static final CellPrivilege RULE = new CellPrivilege("rule", ACCESS_TYPE_WRITE, ROOT);
+    /** Rule read privilege. */
+    public static final CellPrivilege RULE_READ = new CellPrivilege("rule-read", ACCESS_TYPE_READ, RULE);
 
     static Map<String, CellPrivilege> map = new HashMap<String, CellPrivilege>();
 

diff --git a/src/main/java/io/personium/core/auth/Privilege.java b/src/main/java/io/personium/core/auth/Privilege.java
@@ -18,42 +18,62 @@
 
 
 /**
- * WebDAVACLのPrivilege.
+ * Privilege of WebDAV ACL.
  */
 public abstract class Privilege {
+
+    // Access type is provisional.
+    // Only READ is used in the current(core-1.6.4) process.
+    /** Access type : READ. */
+    public static final String ACCESS_TYPE_READ = "read";
+    /** Access type : WRITE. */
+    public static final String ACCESS_TYPE_WRITE = "write";
+    /** Access type : EXEC. */
+    public static final String ACCESS_TYPE_EXEC = "exec";
+    /** Access type : ALL. */
+    public static final String ACCESS_TYPE_ALL = "all";
+
+    /** Name. */
     private String name;
+    /** Access type. */
+    private String accessType;
+    /** Parent privilege. */
+    private Privilege parent;
+
     /**
-     * @return 権限名
+     * Constructor.
+     * @param name Name
+     * @param accessType Access type
+     * @param parent Parent privilege
      */
-    public String getName() {
-        return name;
+    Privilege(String name, String accessType, Privilege parent) {
+        this.name = name;
+        this.accessType = accessType;
+        this.parent = parent;
     }
 
     /**
-     * @return 親権限
+     * Get name.
+     * @return Name
      */
-    public Privilege getParent() {
-        return parent;
+    public String getName() {
+        return name;
     }
 
-    private Privilege parent;
-
     /**
-     * コンストラクタ.
-     * @param name Privilege名
+     * Get access type.
+     * @return Access type
      */
-    Privilege(final String name) {
-        this.name = name;
+    public String getAccessType() {
+        return accessType;
     }
 
     /**
-     * コンストラクタ.
-     * @param name Privilege名
-     * @param parent 親Privilege
+     * Get parent.
+     * @return Parent privilege
      */
-    Privilege(final String name, final Privilege parent) {
-        this.name = name;
-        this.parent = parent;
+    public Privilege getParent() {
+        return parent;
     }
 
     /**

diff --git a/src/main/java/io/personium/core/model/BoxUrlRsCmp.java b/src/main/java/io/personium/core/model/BoxUrlRsCmp.java
@@ -47,7 +47,7 @@ public void checkAccessContext(AccessContext ac, Privilege privilege) {
         AcceptableAuthScheme allowedAuthScheme = getAcceptableAuthScheme();
 
         // For unit user token, do not check
-        if (ac.isUnitUserToken()) {
+        if (ac.isUnitUserToken(privilege)) {
             return;
         }
 

diff --git a/src/main/java/io/personium/core/model/CellRsCmp.java b/src/main/java/io/personium/core/model/CellRsCmp.java
@@ -113,13 +113,13 @@ public boolean hasPrivilege(AccessContext ac, Privilege privilege) {
     }
 
     /**
-     * アクセス制御を行う.
-     * @param ac アクセスコンテキスト
-     * @param privilege アクセス可能な権限
+     * Performs access control.
+     * @param ac Access context
+     * @param privilege Required privilege
      */
-    public void checkAccessContext(final AccessContext ac, Privilege privilege) {
-        // ユニットユーザトークンチェック
-        if (ac.isUnitUserToken()) {
+    public void checkAccessContext(AccessContext ac, Privilege privilege) {
+        // Check UnitUser token.
+        if (ac.isUnitUserToken(privilege)) {
             return;
         }
 

diff --git a/src/main/java/io/personium/core/model/DavRsCmp.java b/src/main/java/io/personium/core/model/DavRsCmp.java
@@ -230,7 +230,7 @@ public final Response doPropfind(final Reader requestBodyXml, final String depth
 
         // ACL config output is allowed by Unit User or when ACL Privilege is configured.
         boolean canAclRead = false;
-        if (this.getAccessContext().isUnitUserToken()
+        if (this.getAccessContext().isUnitUserToken(requiredForReadAcl)
                 || this.hasPrivilege(this.getAccessContext(), requiredForReadAcl)) {
             canAclRead = true;
         }
@@ -420,7 +420,7 @@ public Response options() {
      */
     public void checkAccessContext(final AccessContext ac, Privilege privilege) {
         // if accessed with valid UnitUserToken then fine.
-        if (ac.isUnitUserToken()) {
+        if (ac.isUnitUserToken(privilege)) {
             return;
         }