
Commit 0e19122

authored
Merge pull request #3974 from HejdaJakub/notAuthorized-st-1042
fix(core): refresh principal roles more effectively
2 parents c4e30dc + 6345ef6 commit 0e19122

1 file changed

+14
-15
lines changed


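--- a/perun-core/src/main/java/cz/metacentrum/perun/core/blImpl/AuthzResolverBlImpl.java
+++ b/perun-core/src/main/java/cz/metacentrum/perun/core/blImpl/AuthzResolverBlImpl.java
@@ -2517,15 +2517,14 @@ public static synchronized void refreshAuthz(PerunSession sess) {
 Utils.checkPerunSession(sess);
 log.trace("Refreshing authz roles for session {}.", sess);
 
-// Set empty set of roles
-sess.getPerunPrincipal().setRoles(new AuthzRoles());
+// Create empty variable for set of roles for further fulfillment and replacement
+AuthzRoles roles = new AuthzRoles();
 // Prepare service roles like engine, service, registrar, perunAdmin etc.
-boolean serviceRole = prepareServiceRoles(sess);
+boolean serviceRole = prepareServiceRoles(sess, roles);
 
 // No need to search further for service principals included in 'dontlookupusers' configuration
 if (!serviceRole || !BeansUtils.getCoreConfig().getDontLookupUsers().contains(sess.getPerunPrincipal().getActor())) {
 User user = sess.getPerunPrincipal().getUser();
-AuthzRoles roles = sess.getPerunPrincipal().getRoles();
 if (user != null) {
 AuthzRoles userRoles = authzResolverImpl.getRoles(user, true);
 // Add service roles, they don't have complementary objects
@@ -2545,10 +2544,10 @@ public static synchronized void refreshAuthz(PerunSession sess) {
 }
 
 setAdditionalRoles(sess, roles, user);
-
-sess.getPerunPrincipal().setRoles(roles);
 }
 
+sess.getPerunPrincipal().setRoles(roles);
+
 if (sess.getPerunClient().getType() == PerunClient.Type.OAUTH) {
 //for OAuth clients, do not allow delegating roles not allowed by scopes
 List<String> oauthScopes = sess.getPerunClient().getScopes();
@@ -2950,42 +2949,42 @@ private static PerunBl getPerunBl() {
 }
 
 /**
-* Prepare service roles to session AuthzRoles (PERUNADMIN, SERVICE, RPC, ENGINE etc.)
+* Prepare service roles (PERUNADMIN, SERVICE, RPC, ENGINE etc.)
 *
-* @param sess use session to add roles
+* @param sess session
+* @param roles add roles to this parameter
 * @return true if some service role was added, false otherwise
 */
-private static boolean prepareServiceRoles(PerunSession sess) {
+private static boolean prepareServiceRoles(PerunSession sess, AuthzRoles roles) {
 // Load list of perunAdmins from the configuration, split the list by the comma
 List<String> perunAdmins = BeansUtils.getCoreConfig().getAdmins();
 boolean serviceRole = false;
 
 // Check if the PerunPrincipal is in a group of Perun Admins
 if (perunAdmins.contains(sess.getPerunPrincipal().getActor())) {
-sess.getPerunPrincipal().getRoles().putAuthzRole(Role.PERUNADMIN);
-sess.getPerunPrincipal().setAuthzInitialized(true);
+roles.putAuthzRole(Role.PERUNADMIN);
 // We can quit, because perun admin has all privileges
 log.trace("AuthzResolver.init: Perun Admin {} loaded", sess.getPerunPrincipal().getActor());
 return true;
 }
 
 String perunRpcAdmin = BeansUtils.getCoreConfig().getRpcPrincipal();
 if (sess.getPerunPrincipal().getActor().equals(perunRpcAdmin)) {
-sess.getPerunPrincipal().getRoles().putAuthzRole(Role.RPC);
+roles.putAuthzRole(Role.RPC);
 log.trace("AuthzResolver.init: Perun RPC {} loaded", perunRpcAdmin);
 serviceRole = true;
 }
 
 List<String> perunEngineAdmins = BeansUtils.getCoreConfig().getEnginePrincipals();
 if (perunEngineAdmins.contains(sess.getPerunPrincipal().getActor())) {
-sess.getPerunPrincipal().getRoles().putAuthzRole(Role.ENGINE);
+roles.putAuthzRole(Role.ENGINE);
 log.trace("AuthzResolver.init: Perun Engine {} loaded", perunEngineAdmins);
 serviceRole = true;
 }
 
 List<String> perunNotifications = BeansUtils.getCoreConfig().getNotificationPrincipals();
 if (perunNotifications.contains(sess.getPerunPrincipal().getActor())) {
-sess.getPerunPrincipal().getRoles().putAuthzRole(Role.NOTIFICATIONS);
+roles.putAuthzRole(Role.NOTIFICATIONS);
 log.trace("AuthzResolver.init: Perun Notifications {} loaded", perunNotifications);
 serviceRole = true;
 }
@@ -2995,7 +2994,7 @@ private static boolean prepareServiceRoles(PerunSession sess) {
 //sess.getPerunPrincipal().getRoles().putAuthzRole(Role.REGISTRAR);
 
 //FIXME ted pridame i roli plneho admina
-sess.getPerunPrincipal().getRoles().putAuthzRole(Role.PERUNADMIN);
+roles.putAuthzRole(Role.PERUNADMIN);
 
 log.trace("AuthzResolver.init: Perun Registrar {} loaded", perunRegistrars);
 serviceRole = true;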
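Review bot: The role set is published on the principal at `sess.getPerunPrincipal().setRoles(roles);` before the OAuth scope restriction that starts at `if (sess.getPerunClient().getType() == PerunClient.Type.OAUTH)`, so if that block narrows the roles afterwards (by mutating `roles` in place or calling `setRoles` again — its body lies past the hunk), a concurrent reader of the principal can briefly observe roles the client's scopes do not permit, which is the same kind of window this commit closes for the empty set. Consider applying the scope filtering to the local `roles` first and making the single `sess.getPerunPrincipal().setRoles(roles);` the last step of `refreshAuthz`, so the principal only ever sees a fully computed, scope-restricted set. The PERUNADMIN branch of `prepareServiceRoles` also drops `sess.getPerunPrincipal().setAuthzInitialized(true);` with no replacement in the visible lines; if nothing sets it after the swap, admin sessions would no longer be marked initialized, which is worth confirming in the part of `refreshAuthz` that runs beyond the diff. Both `refreshAuthz` and `prepareServiceRoles` continue outside the shown hunks.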
