Merge branch 'AIRAVATA-3297'

commit: a8fc69bfee49f49507f1d926e9baa2db51cb290b [log] [tgz]
author: Marcus Christie <machristie@apache.org> Mon Jan 18 07:56:04 2021 -0500
committer: Marcus Christie <machristie@apache.org> Mon Jan 18 07:56:04 2021 -0500
tree: 31d6052b143ca2505c07ade662c402aa56b08877
parent: 6591afaaf6a594ceb9723738543224fd1d14bcfb [diff]
parent: 6abd10f2415281dc6e6887f55b82cb76e10e9c8d [diff]
diff --git a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
index 724e27c..a5e1894 100644
--- a/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java
+++ b/airavata-api/airavata-api-server/src/main/java/org/apache/airavata/api/server/handler/AiravataServerHandler.java

@@ -5081,9 +5081,11 @@
                     sharingClient.shareEntityWithUsers(gatewayId, resourceId,
                             Arrays.asList(userPermission.getKey()), authzToken.getClaimsMap().get(Constants.GATEWAY_ID) + ":" + "READ", true);
                 else if(userPermission.getValue().equals(ResourcePermissionType.MANAGE_SHARING)) {
-                    if (userHasAccessInternal(sharingClient, authzToken, resourceId, ResourcePermissionType.OWNER))
+                    if (userHasAccessInternal(sharingClient, authzToken, resourceId, ResourcePermissionType.OWNER)) {
+                        createManageSharingPermissionTypeIfMissing(sharingClient, gatewayId);
                         sharingClient.shareEntityWithUsers(gatewayId, resourceId,
                                 Arrays.asList(userPermission.getKey()), authzToken.getClaimsMap().get(Constants.GATEWAY_ID) + ":" + "MANAGE_SHARING", true);
+                    }
                     else
                         throw new AuthorizationException("User is not allowed to grant sharing permission because the user is not the resource owner.");
                 }
@@ -5126,9 +5128,11 @@
                     sharingClient.shareEntityWithGroups(gatewayId, resourceId,
                             Arrays.asList(groupPermission.getKey()), authzToken.getClaimsMap().get(Constants.GATEWAY_ID) + ":" + "READ", true);
                 else if(groupPermission.getValue().equals(ResourcePermissionType.MANAGE_SHARING)){
-                    if(userHasAccessInternal(sharingClient, authzToken, resourceId, ResourcePermissionType.OWNER))
+                    if(userHasAccessInternal(sharingClient, authzToken, resourceId, ResourcePermissionType.OWNER)) {
+                        createManageSharingPermissionTypeIfMissing(sharingClient, gatewayId);
                         sharingClient.shareEntityWithGroups(gatewayId, resourceId,
                                 Arrays.asList(groupPermission.getKey()), authzToken.getClaimsMap().get(Constants.GATEWAY_ID) + ":" + "MANAGE_SHARING", true);
+                    }
                     else
                         throw new AuthorizationException("User is not allowed to grant sharing permission because the user is not the resource owner.");
                 }
@@ -5170,9 +5174,11 @@
                     sharingClient.revokeEntitySharingFromUsers(gatewayId, resourceId,
                             Arrays.asList(userPermission.getKey()), authzToken.getClaimsMap().get(Constants.GATEWAY_ID) + ":" + "READ");
                 else if(userPermission.getValue().equals(ResourcePermissionType.MANAGE_SHARING)){
-                    if (userHasAccessInternal(sharingClient, authzToken, resourceId, ResourcePermissionType.OWNER))
+                    if (userHasAccessInternal(sharingClient, authzToken, resourceId, ResourcePermissionType.OWNER)) {
+                        createManageSharingPermissionTypeIfMissing(sharingClient, gatewayId);
                         sharingClient.revokeEntitySharingFromUsers(gatewayId, resourceId,
                                 Arrays.asList(userPermission.getKey()), authzToken.getClaimsMap().get(Constants.GATEWAY_ID) + ":" + "MANAGE_SHARING");
+                    }
                     else
                         throw new AuthorizationException("User is not allowed to change sharing permission because the user is not the resource owner.");
                 }
@@ -5213,7 +5219,7 @@
                     ResourceType.EXPERIMENT, ResourceType.APPLICATION_DEPLOYMENT, ResourceType.GROUP_RESOURCE_PROFILE
             ));
             if (adminRestrictedResourceTypes.contains(resourceType)) {
-                // Prevent removing Admins WRITE access and Read Only Admins READ access
+                // Prevent removing Admins WRITE/MANAGE_SHARING access and Read Only Admins READ access
                 GatewayGroups gatewayGroups = retrieveGatewayGroups(regClient, gatewayId);
                 if (groupPermissionList.containsKey(gatewayGroups.getAdminsGroupId())
                         && groupPermissionList.get(gatewayGroups.getAdminsGroupId()).equals(ResourcePermissionType.WRITE)) {
@@ -5224,8 +5230,12 @@
                     throw new Exception("Not allowed to remove Read Only Admins group's READ access.");
                 }
                 if (groupPermissionList.containsKey(gatewayGroups.getAdminsGroupId())
+                        && groupPermissionList.get(gatewayGroups.getAdminsGroupId()).equals(ResourcePermissionType.READ)) {
+                    throw new Exception("Not allowed to remove Admins group's READ access.");
+                }
+                if (groupPermissionList.containsKey(gatewayGroups.getAdminsGroupId())
                         && groupPermissionList.get(gatewayGroups.getAdminsGroupId()).equals(ResourcePermissionType.MANAGE_SHARING)) {
-                    throw new Exception("Not allowed to remove Admins group's SHARING access.");
+                    throw new Exception("Not allowed to remove Admins group's MANAGE_SHARING access.");
                 }
             }
             for(Map.Entry<String, ResourcePermissionType> groupPermission : groupPermissionList.entrySet()){
@@ -5236,9 +5246,11 @@
                     sharingClient.revokeEntitySharingFromUsers(gatewayId, resourceId,
                             Arrays.asList(groupPermission.getKey()), gatewayId + ":" + "READ");
                 else if(groupPermission.getValue().equals(ResourcePermissionType.MANAGE_SHARING)){
-                    if(userHasAccessInternal(sharingClient, authzToken, resourceId, ResourcePermissionType.OWNER))
+                    if(userHasAccessInternal(sharingClient, authzToken, resourceId, ResourcePermissionType.OWNER)) {
+                        createManageSharingPermissionTypeIfMissing(sharingClient, gatewayId);
                         sharingClient.revokeEntitySharingFromUsers(gatewayId, resourceId,
                                 Arrays.asList(groupPermission.getKey()), gatewayId + ":" + "MANAGE_SHARING");
+                    }
                     else
                         throw new AuthorizationException("User is not allowed to change sharing because the user is not the resource owner");
                 }
@@ -6098,6 +6110,8 @@
     private void shareEntityWithAdminGatewayGroups(RegistryService.Client regClient, SharingRegistryService.Client sharingClient, Entity entity) throws TException {
         final String domainId = entity.getDomainId();
         GatewayGroups gatewayGroups = retrieveGatewayGroups(regClient, domainId);
+        createManageSharingPermissionTypeIfMissing(sharingClient, domainId);
+        sharingClient.shareEntityWithGroups(domainId, entity.getEntityId(), Arrays.asList(gatewayGroups.getAdminsGroupId()), domainId + ":MANAGE_SHARING", true);
         sharingClient.shareEntityWithGroups(domainId, entity.getEntityId(), Arrays.asList(gatewayGroups.getAdminsGroupId()), domainId + ":WRITE", true);
         sharingClient.shareEntityWithGroups(domainId, entity.getEntityId(), Arrays.asList(gatewayGroups.getAdminsGroupId(), gatewayGroups.getReadOnlyAdminsGroupId()), domainId + ":READ", true);
     }
@@ -6133,6 +6147,20 @@
         throw new RuntimeException("Unrecognized entity type id: " + entity.getEntityTypeId());
     }
 
+    private void createManageSharingPermissionTypeIfMissing(SharingRegistryService.Client sharingClient, String domainId) throws TException {
+        // AIRAVATA-3297 Some gateways were created without the MANAGE_SHARING permission, so add it if missing
+        String permissionTypeId = domainId + ":MANAGE_SHARING";
+        if (!sharingClient.isPermissionExists(domainId, permissionTypeId)) {
+            PermissionType permissionType = new PermissionType();
+            permissionType.setPermissionTypeId(permissionTypeId);
+            permissionType.setDomainId(domainId);
+            permissionType.setName("MANAGE_SHARING");
+            permissionType.setDescription("Manage sharing permission type");
+            sharingClient.createPermissionType(permissionType);
+            logger.info("Created MANAGE_SHARING permission type for domain " + domainId);
+        }
+    }
+
     private GatewayGroups retrieveGatewayGroups(RegistryService.Client regClient, String gatewayId) throws TException {
 
         if (regClient.isGatewayGroupsExists(gatewayId)) {

diff --git a/modules/sharing-registry/sharing-registry-server/src/main/java/org/apache/airavata/sharing/registry/messaging/SharingServiceDBEventHandler.java b/modules/sharing-registry/sharing-registry-server/src/main/java/org/apache/airavata/sharing/registry/messaging/SharingServiceDBEventHandler.java
index ecc6eb8..558f63f 100644
--- a/modules/sharing-registry/sharing-registry-server/src/main/java/org/apache/airavata/sharing/registry/messaging/SharingServiceDBEventHandler.java
+++ b/modules/sharing-registry/sharing-registry-server/src/main/java/org/apache/airavata/sharing/registry/messaging/SharingServiceDBEventHandler.java

@@ -244,6 +244,19 @@
                                     log.warn("DuplicateEntryException while consuming TENANT create message, ex: " + ex.getMessage() + ", Permission Id : " + domain.getDomainId() + ":WRITE", ex);
                                 }
 
+                                log.info("Creating Permission Type. Id : " + domain.getDomainId()+":MANAGE_SHARING");
+                                permissionType = new PermissionType();
+                                permissionType.setPermissionTypeId(domain.getDomainId()+":MANAGE_SHARING");
+                                permissionType.setDomainId(domain.getDomainId());
+                                permissionType.setName("MANAGE_SHARING");
+                                permissionType.setDescription("Manage sharing permission type");
+                                try {
+                                    sharingRegistryClient.createPermissionType(permissionType);
+                                    log.debug("Permission Type created. Id : " + domain.getDomainId() + ":MANAGE_SHARING");
+                                } catch (DuplicateEntryException ex) {
+                                    log.warn("DuplicateEntryException while consuming TENANT create message, ex: " + ex.getMessage() + ", Permission Id : " + domain.getDomainId() + ":MANAGE_SHARING", ex);
+                                }
+
                                 break;
                         }
commit	a8fc69bfee49f49507f1d926e9baa2db51cb290b	[log] [tgz]
author	Marcus Christie <machristie@apache.org>	Mon Jan 18 07:56:04 2021 -0500
committer	Marcus Christie <machristie@apache.org>	Mon Jan 18 07:56:04 2021 -0500
tree	31d6052b143ca2505c07ade662c402aa56b08877
parent	6591afaaf6a594ceb9723738543224fd1d14bcfb [diff]
parent	6abd10f2415281dc6e6887f55b82cb76e10e9c8d [diff]