[DURACOM-447] Cris security from

- 98939d6
- 865f8c6
- CST-3981
- DSC-643 (check)

Author: AdamF42

dspace-api/src/main/java/org/dspace/authorize/ResourcePolicyOwnerVO.java

@@ -0,0 +1,37 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.authorize;
+
+import java.util.UUID;
+
+/**
+ * VO that model an owner of a resource policy (eperson or group).
+ *
+ * @author Luca Giamminonni (luca.giamminonni at 4science.it)
+ *
+ */
+public class ResourcePolicyOwnerVO {
+
+    private final UUID ePersonId;
+
+    private final UUID groupId;
+
+    public ResourcePolicyOwnerVO(UUID ePersonId, UUID groupId) {
+        this.ePersonId = ePersonId;
+        this.groupId = groupId;
+    }
+
+    public UUID getEPersonId() {
+        return ePersonId;
+    }
+
+    public UUID getGroupId() {
+        return groupId;
+    }
+
+}

dspace-api/src/main/java/org/dspace/authorize/ResourcePolicyServiceImpl.java

@@ -41,7 +41,7 @@ public class ResourcePolicyServiceImpl implements ResourcePolicyService {
     /**
      * log4j logger
      */
-    private static Logger log = org.apache.logging.log4j.LogManager.getLogger(ResourcePolicyServiceImpl.class);
+    private static final Logger log = org.apache.logging.log4j.LogManager.getLogger(ResourcePolicyServiceImpl.class);
 
     @Autowired(required = true)
     protected ContentServiceFactory contentServiceFactory;
@@ -115,6 +115,11 @@ public List<ResourcePolicy> find(Context c, DSpaceObject o, int actionId) throws
         return resourcePolicyDAO.findByDSoAndAction(c, o, actionId);
     }
 
+    @Override
+    public List<ResourcePolicy> find(Context c, DSpaceObject o, int actionId, String type) throws SQLException {
+        return resourcePolicyDAO.findByDSoAndActionAndType(c, o, actionId, type);
+    }
+
     @Override
     public List<ResourcePolicy> find(Context c, DSpaceObject dso, Group group, int action) throws SQLException {
         return resourcePolicyDAO.findByTypeGroupAction(c, dso, group, action);
@@ -205,13 +210,11 @@ public boolean isDateValid(ResourcePolicy resourcePolicy) {
         }
 
         // now expiration date
-        if (ed != null && now.isAfter(ed)) {
-            // end date is set, return false if we're after it
-            return false;
-        }
+        // end date is set, return false if we're after it
+        return ed == null || !now.isAfter(ed);
 
         // if we made it this far, start < now < end
-        return true; // date must be okay
+// date must be okay
     }
 
     @Override
@@ -361,7 +364,7 @@ public int countByEPerson(Context context, EPerson eperson) throws SQLException
 
     @Override
     public List<ResourcePolicy> findByEPersonAndResourceUuid(Context context, EPerson eperson, UUID resourceUuid,
-        int offset, int limit) throws SQLException {
+                                                             int offset, int limit) throws SQLException {
         return resourcePolicyDAO.findByEPersonAndResourceUuid(context, eperson, resourceUuid, offset, limit);
     }
 
@@ -373,7 +376,7 @@ public int countResourcePoliciesByEPersonAndResourceUuid(Context context, EPerso
 
     @Override
     public List<ResourcePolicy> findByResouceUuidAndActionId(Context context, UUID resourceUuid, int actionId,
-        int offset, int limit) throws SQLException {
+                                                             int offset, int limit) throws SQLException {
         return resourcePolicyDAO.findByResouceUuidAndActionId(context, resourceUuid, actionId, offset, limit);
     }
 
@@ -405,7 +408,7 @@ public int countResourcePolicyByGroup(Context context, Group group) throws SQLEx
 
     @Override
     public List<ResourcePolicy> findByGroupAndResourceUuid(Context context, Group group, UUID resourceUuid,
-        int offset, int limit) throws SQLException {
+                                                           int offset, int limit) throws SQLException {
         return resourcePolicyDAO.findByGroupAndResourceUuid(context, group, resourceUuid, offset, limit);
     }
 
@@ -428,4 +431,10 @@ public boolean isMyResourcePolicy(Context context, EPerson eperson, Integer id)
         }
         return isMy || authorizeService.isAdmin(context, eperson, resourcePolicy.getdSpaceObject());
     }
+
+    @Override
+    public List<ResourcePolicyOwnerVO> findValidPolicyOwners(Context c, List<UUID> dsoIds, int actionID)
+        throws SQLException {
+        return resourcePolicyDAO.findValidPolicyOwners(c, dsoIds, actionID);
+    }
 }

dspace-api/src/main/java/org/dspace/authorize/dao/ResourcePolicyDAO.java

@@ -12,6 +12,7 @@
 import java.util.UUID;
 
 import org.dspace.authorize.ResourcePolicy;
+import org.dspace.authorize.ResourcePolicyOwnerVO;
 import org.dspace.content.DSpaceObject;
 import org.dspace.core.Context;
 import org.dspace.core.GenericDAO;
@@ -42,6 +43,9 @@ public List<ResourcePolicy> findByDsoAndType(Context context, DSpaceObject dSpac
     public void deleteByDsoAndTypeAndAction(Context context, DSpaceObject dSpaceObject, String type, int action)
         throws SQLException;
 
+    public List<ResourcePolicy> findByDSoAndActionAndType(Context c, DSpaceObject o, int actionId, String type)
+        throws SQLException;
+
     public List<ResourcePolicy> findByTypeGroupAction(Context context, DSpaceObject dso, Group group, int action)
         throws SQLException;
 
@@ -242,5 +246,16 @@ public List<ResourcePolicy> findByGroupAndResourceUuid(Context context, Group gr
 
     public ResourcePolicy findOneById(Context context, Integer id) throws SQLException;
 
+    /**
+     * Return a list of date valid policy owners for a list of object that match the
+     * action.
+     *
+     * @param  c            context
+     * @param  dsoIds       DSpaceObject ids policies relate to
+     * @param  actionID     action (defined in class Constants)
+     * @return              list of resource policies
+     * @throws SQLException if there's a database problem
+     */
+    List<ResourcePolicyOwnerVO> findValidPolicyOwners(Context c, List<UUID> dsoIds, int actionID) throws SQLException;
 
 }

dspace-api/src/main/java/org/dspace/authorize/dao/impl/ResourcePolicyDAOImpl.java

@@ -7,7 +7,10 @@
  */
 package org.dspace.authorize.dao.impl;
 
+import static java.util.Collections.emptyList;
+
 import java.sql.SQLException;
+import java.time.LocalDate;
 import java.util.Collections;
 import java.util.LinkedList;
 import java.util.List;
@@ -22,6 +25,7 @@
 import jakarta.persistence.criteria.Root;
 import org.apache.commons.collections.CollectionUtils;
 import org.dspace.authorize.ResourcePolicy;
+import org.dspace.authorize.ResourcePolicyOwnerVO;
 import org.dspace.authorize.ResourcePolicy_;
 import org.dspace.authorize.dao.ResourcePolicyDAO;
 import org.dspace.content.DSpaceObject;
@@ -106,6 +110,23 @@ public List<ResourcePolicy> findByDSoAndAction(Context context, DSpaceObject dso
         return list(context, criteriaQuery, false, ResourcePolicy.class, -1, -1);
     }
 
+    @Override
+    public List<ResourcePolicy> findByDSoAndActionAndType(Context context, DSpaceObject dso, int actionId, String type)
+        throws SQLException {
+
+        CriteriaBuilder builder = getCriteriaBuilder(context);
+        CriteriaQuery<ResourcePolicy> criteriaQuery = getCriteriaQuery(builder, ResourcePolicy.class);
+        Root<ResourcePolicy> resourcePolicyRoot = criteriaQuery.from(ResourcePolicy.class);
+
+        criteriaQuery.select(resourcePolicyRoot);
+
+        criteriaQuery.where(builder.and(builder.equal(resourcePolicyRoot.get(ResourcePolicy_.dSpaceObject), dso),
+            builder.and(builder.equal(resourcePolicyRoot.get(ResourcePolicy_.actionId), actionId),
+                builder.equal(resourcePolicyRoot.get(ResourcePolicy_.rptype), type))));
+
+        return list(context, criteriaQuery, false, ResourcePolicy.class, -1, -1);
+    }
+
     @Override
     public void deleteByDsoAndTypeAndAction(Context context, DSpaceObject dso, String type, int actionId)
         throws SQLException {
@@ -420,4 +441,29 @@ public ResourcePolicy findOneById(Context context, Integer id) throws SQLExcepti
         criteriaQuery.where(criteriaBuilder.equal(resourcePolicyRoot.get(ResourcePolicy_.id), id));
         return singleResult(context, criteriaQuery);
     }
+
+    @Override
+    @SuppressWarnings("unchecked")
+    public List<ResourcePolicyOwnerVO> findValidPolicyOwners(Context context, List<UUID> dsoIds, int actionID)
+        throws SQLException {
+
+        if (CollectionUtils.isEmpty(dsoIds)) {
+            return emptyList();
+        }
+
+        String sqlQuery = ""
+            + " SELECT new org.dspace.authorize.ResourcePolicyOwnerVO(policy.eperson.id, policy.epersonGroup.id)"
+            + "   FROM ResourcePolicy policy "
+            + "  WHERE policy.dSpaceObject.id in (:dsoIds) "
+            + "    AND policy.actionId = :actionId "
+            + "    AND (policy.startDate is NULL OR policy.startDate <= :date)"
+            + "    AND (policy.endDate is NULL OR policy.endDate >= :date)";
+
+        Query query = createQuery(context, sqlQuery);
+        query.setParameter("dsoIds", dsoIds);
+        query.setParameter("actionId", actionID);
+        query.setParameter("date", LocalDate.now());
+        return query.getResultList();
+
+    }
 }

dspace-api/src/main/java/org/dspace/authorize/relationship/RelationshipAuthorizer.java

@@ -0,0 +1,36 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.authorize.relationship;
+
+import org.dspace.content.Item;
+import org.dspace.content.RelationshipType;
+import org.dspace.core.Context;
+
+/**
+ * Interface for classes that check if a relationship of a specific type can be
+ * created between two items.
+ *
+ * @author Luca Giamminonni (luca.giamminonni at 4science.it)
+ *
+ */
+public interface RelationshipAuthorizer {
+
+    /**
+     * Check if the current user is authorized to create/edit/delete a relationship
+     * of the given type between the leftItem and the rigthItem.
+     *
+     * @param  context          The DSpace context
+     * @param  relationshipType the type of the relationship to be checked
+     * @param  leftItem         the left item of the relationship
+     * @param  rightItem        the right item of the relationship
+     * @return                  true if the current user can create/edit or delete
+     *                          the relationship, false otherwise
+     */
+    boolean canHandleRelationship(Context context, RelationshipType relationshipType, Item leftItem, Item rightItem);
+
+}

dspace-api/src/main/java/org/dspace/authorize/relationship/RelationshipAuthorizerImpl.java

@@ -0,0 +1,115 @@
+/**
+ * The contents of this file are subject to the license and copyright
+ * detailed in the LICENSE and NOTICE files at the root of the source
+ * tree and available online at
+ *
+ * http://www.dspace.org/license/
+ */
+package org.dspace.authorize.relationship;
+
+import static java.util.Objects.requireNonNull;
+import static org.springframework.util.Assert.notNull;
+
+import org.dspace.content.EntityType;
+import org.dspace.content.Item;
+import org.dspace.content.RelationshipType;
+import org.dspace.core.Context;
+
+/**
+ * Default implementation of {@link RelationshipAuthorizer}.
+ *
+ * @author Luca Giamminonni (luca.giamminonni at 4science.it)
+ *
+ */
+public class RelationshipAuthorizerImpl implements RelationshipAuthorizer {
+
+    private String leftEntityType;
+
+    private String leftwardType;
+
+    private String rightEntityType;
+
+    private String rightwardType;
+
+    private RelationshipItemAuthorizer leftItemAuthorizer;
+
+    private RelationshipItemAuthorizer rightItemAuthorizer;
+
+    private boolean andCondition;
+
+    public RelationshipAuthorizerImpl(RelationshipItemAuthorizer leftItemAuthorizer,
+        RelationshipItemAuthorizer rightItemAuthorizer) {
+        this.leftItemAuthorizer = requireNonNull(leftItemAuthorizer, "Left item authorizer required");
+        this.rightItemAuthorizer = requireNonNull(rightItemAuthorizer, "Right item authorizer required");
+    }
+
+    @Override
+    public boolean canHandleRelationship(Context context,
+        RelationshipType relationshipType, Item leftItem, Item rightItem) {
+
+        notNull(relationshipType, "The relationship type is required to handle a relationship");
+        notNull(leftItem, "The left item is required to handle a relationship");
+        notNull(rightItem, "The right item is required to handle a relationship");
+
+        if (notMatchesRelationshipType(relationshipType)) {
+            return false;
+        }
+
+        if (andCondition) {
+            return leftItemAuthorizer.canHandleRelationshipOnItem(context, leftItem)
+                && rightItemAuthorizer.canHandleRelationshipOnItem(context, rightItem);
+        } else {
+            return leftItemAuthorizer.canHandleRelationshipOnItem(context, leftItem)
+                || rightItemAuthorizer.canHandleRelationshipOnItem(context, rightItem);
+        }
+
+    }
+
+    private boolean notMatchesRelationshipType(RelationshipType relationshipType) {
+
+        if (leftEntityType != null && !leftEntityType.equals(getEntityTypeLabel(relationshipType.getLeftType()))) {
+            return true;
+        }
+
+        if (rightEntityType != null && !rightEntityType.equals(getEntityTypeLabel(relationshipType.getRightType()))) {
+            return true;
+        }
+
+        if (leftwardType != null && !leftwardType.equals(relationshipType.getLeftwardType())) {
+            return true;
+        }
+
+        if (rightwardType != null && !rightwardType.equals(relationshipType.getRightwardType())) {
+            return true;
+        }
+
+        return false;
+
+    }
+
+    private String getEntityTypeLabel(EntityType entityType) {
+        return entityType != null ? entityType.getLabel() : null;
+    }
+
+    public void setLeftEntityType(String leftEntityType) {
+        this.leftEntityType = leftEntityType;
+    }
+
+    public void setLeftwardType(String leftwardType) {
+        this.leftwardType = leftwardType;
+    }
+
+    public void setRightEntityType(String rightEntityType) {
+        this.rightEntityType = rightEntityType;
+    }
+
+    public void setRightwardType(String rightwardType) {
+        this.rightwardType = rightwardType;
+    }
+
+    public void setAndCondition(boolean andCondition) {
+        this.andCondition = andCondition;
+    }
+
+
+}