This is an automated email from the ASF dual-hosted git repository. yasith pushed a commit to branch feat/airavata-service-layer in repository https://gitbox.apache.org/repos/asf/airavata.git
commit 87ef5191e4033af33e4b1d8e8e5f3667f8a978f2 Author: yasithdev <[email protected]> AuthorDate: Thu Mar 26 12:24:12 2026 -0500 refactor: extract shared helpers to SharingHelper utility class Consolidate duplicated isSharingEnabled(), userHasAccess(), retrieveGatewayGroups(), shareEntityWithAdminGatewayGroups(), and createManageSharingPermissionTypeIfMissing() from ExperimentService, ProjectService, CredentialService, ApplicationCatalogService, GatewayService, GroupResourceProfileService, and ResourceSharingService into a single SharingHelper utility class. --- .../appcatalog/ApplicationCatalogService.java | 110 +++------------------ .../service/credential/CredentialService.java | 35 +------ .../service/experiment/ExperimentService.java | 21 ++-- .../airavata/service/gateway/GatewayService.java | 11 +-- .../groupprofile/GroupResourceProfileService.java | 103 ++++--------------- .../airavata/service/project/ProjectService.java | 21 ++-- .../service/sharing/ResourceSharingService.java | 29 +----- .../airavata/service/sharing/SharingHelper.java | 78 +++++++++++++++ 8 files changed, 132 insertions(+), 276 deletions(-) diff --git a/airavata-api/src/main/java/org/apache/airavata/service/appcatalog/ApplicationCatalogService.java b/airavata-api/src/main/java/org/apache/airavata/service/appcatalog/ApplicationCatalogService.java index 8872937927..b9816146fd 100644 --- a/airavata-api/src/main/java/org/apache/airavata/service/appcatalog/ApplicationCatalogService.java +++ b/airavata-api/src/main/java/org/apache/airavata/service/appcatalog/ApplicationCatalogService.java 
@@ -1,11 +1,9 @@ package org.apache.airavata.service.appcatalog; -import org.apache.airavata.common.utils.ServerSettings; import org.apache.airavata.credential.store.server.CredentialStoreServerHandler; import org.apache.airavata.model.appcatalog.appdeployment.ApplicationDeploymentDescription; import org.apache.airavata.model.appcatalog.appdeployment.ApplicationModule; import org.apache.airavata.model.appcatalog.appinterface.ApplicationInterfaceDescription; -import org.apache.airavata.model.appcatalog.gatewaygroups.GatewayGroups; import org.apache.airavata.model.appcatalog.groupresourceprofile.GroupComputeResourcePreference; import org.apache.airavata.model.appcatalog.groupresourceprofile.GroupResourceProfile; import org.apache.airavata.model.application.io.InputDataObjectType; @@ -17,10 +15,9 @@ import org.apache.airavata.registry.api.service.handler.RegistryServerHandler; import org.apache.airavata.service.context.RequestContext; import org.apache.airavata.service.exception.ServiceAuthorizationException; import org.apache.airavata.service.exception.ServiceException; -import org.apache.airavata.service.security.GatewayGroupsInitializer; +import org.apache.airavata.service.sharing.SharingHelper; import org.apache.airavata.sharing.registry.models.Entity; import org.apache.airavata.sharing.registry.models.EntitySearchField; -import org.apache.airavata.sharing.registry.models.PermissionType; import org.apache.airavata.sharing.registry.models.SearchCondition; import org.apache.airavata.sharing.registry.models.SearchCriteria; import org.apache.airavata.sharing.registry.server.SharingRegistryServerHandler; @@ -28,7 +25,6 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import java.util.ArrayList; -import java.util.Arrays; import java.util.List; import java.util.Map; 
@@ -91,7 +87,7 @@ public class ApplicationCatalogService { throws ServiceException { try { List<String> accessibleAppDeploymentIds = new ArrayList<>(); - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { List<SearchCriteria> sharingFilters = new ArrayList<>(); SearchCriteria entityTypeFilter = new SearchCriteria(); entityTypeFilter.setSearchField(EntitySearchField.ENTITY_TYPE_ID); @@ -147,10 +143,8 @@ public class ApplicationCatalogService { entity.setName(result); entity.setDescription(applicationDeployment.getAppDeploymentDescription()); sharingHandler.createEntity(entity); - shareEntityWithAdminGatewayGroups(entity); + SharingHelper.shareEntityWithAdminGatewayGroups(sharingHandler, registryHandler, entity); return result; - } catch (ServiceException e) { - throw e; } catch (Exception e) { throw new ServiceException("Error while adding application deployment: " + e.getMessage(), e); } @@ -159,8 +153,8 @@ public class ApplicationCatalogService { public ApplicationDeploymentDescription getApplicationDeployment(RequestContext ctx, String appDeploymentId) throws ServiceException { try { - if (isSharingEnabled()) { - if (!userHasAccess(ctx, appDeploymentId, ResourcePermissionType.READ)) { + if (SharingHelper.isSharingEnabled()) { + if (!SharingHelper.userHasAccess(sharingHandler, ctx.getGatewayId(), ctx.getUserId(), appDeploymentId, ResourcePermissionType.READ)) { throw new ServiceAuthorizationException( "User does not have access to application deployment " + appDeploymentId); } 
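Review bot: Dropping `catch (ServiceException e) { throw e; }` in the second hunk (the method whose generic handler reports "Error while adding application deployment") changes behaviour in a commit described as a refactor. Any ServiceException raised inside the try is now caught by `catch (Exception e)` and re-wrapped in a generic ServiceException. If ServiceAuthorizationException extends ServiceException (its declaration is not in this diff) and callers branch on that type to produce an access-denied response, a denial raised in this try would surface as a generic error instead. I would keep the rethrow, `} catch (ServiceException e) { throw e; }`, or state in the commit message why it is safe to drop. The start of the method is outside the hunk, so whether anything in the try throws ServiceException today could not be checked.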
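Review bot: The READ check in getApplicationDeployment (third hunk) runs only when `SharingHelper.isSharingEnabled()` returns true, and every removed private copy of that method returned false on any exception from `ServerSettings.isEnableSharing()`. The body of SharingHelper is not in this part of the diff; if it keeps `catch (Exception e) { return false; }`, a failure to read the settings silently disables the check here and the WRITE check in updateApplicationDeployment, while deleteApplicationDeployment calls `userHasAccess` unconditionally. Now that there is a single copy, it should at least log the failure and preferably fail closed, for example `throw new IllegalStateException("Unable to determine whether sharing is enabled", e);`. The same guard wraps the permission checks in the ExperimentService, GroupResourceProfileService and ProjectService hunks.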
@@ -177,8 +171,8 @@ public class ApplicationCatalogService { RequestContext ctx, String appDeploymentId, ApplicationDeploymentDescription applicationDeployment) throws ServiceException { try { - if (isSharingEnabled()) { - if (!userHasAccess(ctx, appDeploymentId, ResourcePermissionType.WRITE)) { + if (SharingHelper.isSharingEnabled()) { + if (!SharingHelper.userHasAccess(sharingHandler, ctx.getGatewayId(), ctx.getUserId(), appDeploymentId, ResourcePermissionType.WRITE)) { throw new ServiceAuthorizationException( "User does not have WRITE access to application deployment " + appDeploymentId); } @@ -193,7 +187,7 @@ public class ApplicationCatalogService { public boolean deleteApplicationDeployment(RequestContext ctx, String appDeploymentId) throws ServiceException { try { - if (!userHasAccess(ctx, appDeploymentId, ResourcePermissionType.WRITE)) { + if (!SharingHelper.userHasAccess(sharingHandler, ctx.getGatewayId(), ctx.getUserId(), appDeploymentId, ResourcePermissionType.WRITE)) { throw new ServiceAuthorizationException( "User does not have WRITE access to application deployment " + appDeploymentId); } @@ -217,7 +211,7 @@ public class ApplicationCatalogService { throws ServiceException { try { List<String> accessibleAppDeploymentIds = new ArrayList<>(); - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { List<SearchCriteria> sharingFilters = new ArrayList<>(); SearchCriteria entityTypeFilter = new SearchCriteria(); entityTypeFilter.setSearchField(EntitySearchField.ENTITY_TYPE_ID); 
@@ -260,7 +254,7 @@ public class ApplicationCatalogService { RequestContext ctx, String appModuleId, String groupResourceProfileId) throws ServiceException { try { - if (!userHasAccess(ctx, groupResourceProfileId, ResourcePermissionType.READ)) { + if (!SharingHelper.userHasAccess(sharingHandler, ctx.getGatewayId(), ctx.getUserId(), groupResourceProfileId, ResourcePermissionType.READ)) { throw new ServiceAuthorizationException( "User is not authorized to access Group Resource Profile " + groupResourceProfileId); } 
@@ -413,91 +407,9 @@ public class ApplicationCatalogService { } } - // ------------------------------------------------------------------------- - // Helpers - // ------------------------------------------------------------------------- - - private boolean isSharingEnabled() { - try { - return ServerSettings.isEnableSharing(); - } catch (Exception e) { - return false; - } - } - - private boolean userHasAccess(RequestContext ctx, String entityId, ResourcePermissionType permissionType) { - final String domainId = ctx.getGatewayId(); - final String userId = ctx.getUserId() + "@" + domainId; - try { - final boolean hasOwnerAccess = sharingHandler.userHasAccess( - domainId, userId, entityId, domainId + ":" + ResourcePermissionType.OWNER); - if (permissionType.equals(ResourcePermissionType.WRITE)) { - return hasOwnerAccess - || sharingHandler.userHasAccess( - domainId, userId, entityId, domainId + ":" + ResourcePermissionType.WRITE); - } else if (permissionType.equals(ResourcePermissionType.READ)) { - return hasOwnerAccess - || sharingHandler.userHasAccess( - domainId, userId, entityId, domainId + ":" + ResourcePermissionType.READ); - } else if (permissionType.equals(ResourcePermissionType.MANAGE_SHARING)) { - return hasOwnerAccess - || sharingHandler.userHasAccess( - domainId, userId, entityId, domainId + ":" + ResourcePermissionType.MANAGE_SHARING); - } else if (permissionType.equals(ResourcePermissionType.OWNER)) { - return hasOwnerAccess; - } - return false; - } catch (Exception e) { - throw new RuntimeException("Unable to check if user has access", e); - } - } - - private void shareEntityWithAdminGatewayGroups(Entity entity) throws Exception { - final String domainId = entity.getDomainId(); - GatewayGroups gatewayGroups = retrieveGatewayGroups(domainId); - createManageSharingPermissionTypeIfMissing(domainId); - sharingHandler.shareEntityWithGroups( - domainId, - entity.getEntityId(), - Arrays.asList(gatewayGroups.getAdminsGroupId()), - domainId + ":MANAGE_SHARING", 
- true); - sharingHandler.shareEntityWithGroups( - domainId, - entity.getEntityId(), - Arrays.asList(gatewayGroups.getAdminsGroupId()), - domainId + ":WRITE", - true); - sharingHandler.shareEntityWithGroups( - domainId, - entity.getEntityId(), - Arrays.asList(gatewayGroups.getAdminsGroupId(), gatewayGroups.getReadOnlyAdminsGroupId()), - domainId + ":READ", - true); - } - - private GatewayGroups retrieveGatewayGroups(String gatewayId) throws Exception { - if (registryHandler.isGatewayGroupsExists(gatewayId)) { - return registryHandler.getGatewayGroups(gatewayId); - } else { - return GatewayGroupsInitializer.initializeGatewayGroups(gatewayId); - } - } - - private void createManageSharingPermissionTypeIfMissing(String domainId) throws Exception { - String permissionTypeId = domainId + ":MANAGE_SHARING"; - if (!sharingHandler.isPermissionExists(domainId, permissionTypeId)) { - PermissionType permissionType = new PermissionType(); - permissionType.setPermissionTypeId(permissionTypeId); - permissionType.setDomainId(domainId); - permissionType.setName("MANAGE_SHARING"); - sharingHandler.createPermissionType(permissionType); - } - } - private List<String> getAccessibleComputeResourceIds(RequestContext ctx, String gatewayId) throws Exception { List<String> accessibleComputeResourceIds = new ArrayList<>(); - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { List<SearchCriteria> filters = new ArrayList<>(); SearchCriteria searchCriteria = new SearchCriteria(); searchCriteria.setSearchField(EntitySearchField.ENTITY_TYPE_ID); diff --git a/airavata-api/src/main/java/org/apache/airavata/service/credential/CredentialService.java b/airavata-api/src/main/java/org/apache/airavata/service/credential/CredentialService.java index 2c2420253b..0b2cbeedc9 100644 --- a/airavata-api/src/main/java/org/apache/airavata/service/credential/CredentialService.java +++ b/airavata-api/src/main/java/org/apache/airavata/service/credential/CredentialService.java 
@@ -1,6 +1,5 @@ package org.apache.airavata.service.credential; -import org.apache.airavata.common.utils.ServerSettings; import org.apache.airavata.credential.store.server.CredentialStoreServerHandler; import org.apache.airavata.model.credential.store.CredentialSummary; import org.apache.airavata.model.credential.store.PasswordCredential; @@ -15,6 +14,7 @@ import org.apache.airavata.sharing.registry.models.Entity; import org.apache.airavata.sharing.registry.models.EntitySearchField; import org.apache.airavata.sharing.registry.models.SearchCondition; import org.apache.airavata.sharing.registry.models.SearchCriteria; +import org.apache.airavata.service.sharing.SharingHelper; import org.apache.airavata.sharing.registry.server.SharingRegistryServerHandler; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -108,7 +108,7 @@ public class CredentialService { String gatewayId = ctx.getGatewayId(); String userName = ctx.getUserId(); try { - if (!userHasAccess(gatewayId, userName, tokenId, ResourcePermissionType.READ)) { + if (!SharingHelper.userHasAccess(sharingHandler, gatewayId, userName, tokenId, ResourcePermissionType.READ)) { logger.info("User " + userName + " not allowed to access credential store token " + tokenId); throw new ServiceAuthorizationException("User does not have permission to access this resource"); } @@ -149,7 +149,7 @@ public class CredentialService { String gatewayId = ctx.getGatewayId(); String userName = ctx.getUserId(); try { - if (!userHasAccess(gatewayId, userName, airavataCredStoreToken, ResourcePermissionType.WRITE)) { + if (!SharingHelper.userHasAccess(sharingHandler, gatewayId, userName, airavataCredStoreToken, ResourcePermissionType.WRITE)) { logger.info("User " + userName + " not allowed to delete (no WRITE permission) credential store token " + airavataCredStoreToken); throw new ServiceAuthorizationException("User does not have permission to delete this resource."); } 
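Review bot: The denial path under the changed `userHasAccess` call in the -108 hunk, and the two "not allowed to delete" paths in the -149 and -166 hunks, build their log line by concatenating `userName` and the credential store token id. `userName` comes from `ctx.getUserId()` and the token id is presumably caller-supplied, so a value containing line breaks could forge log entries, and the token id lands in info-level logs. Since these lines sit directly under the edited checks, I would switch to `logger.info("User {} not allowed to access credential store token {}", userName, tokenId);` and confirm that the log layout encodes CR/LF, because parameterized logging alone does not neutralise them. The enclosing methods start and end outside the hunks.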
@@ -166,7 +166,7 @@ public class CredentialService { String gatewayId = ctx.getGatewayId(); String userName = ctx.getUserId(); try { - if (!userHasAccess(gatewayId, userName, airavataCredStoreToken, ResourcePermissionType.WRITE)) { + if (!SharingHelper.userHasAccess(sharingHandler, gatewayId, userName, airavataCredStoreToken, ResourcePermissionType.WRITE)) { logger.info("User " + userName + " not allowed to delete (no WRITE permission) credential store token " + airavataCredStoreToken); throw new ServiceAuthorizationException("User does not have permission to delete this resource."); } @@ -179,31 +179,4 @@ public class CredentialService { } } - private boolean userHasAccess(String gatewayId, String userName, String entityId, ResourcePermissionType permissionType) { - String userId = userName + "@" + gatewayId; - try { - boolean hasOwnerAccess = sharingHandler.userHasAccess( - gatewayId, userId, entityId, gatewayId + ":" + ResourcePermissionType.OWNER); - if (permissionType.equals(ResourcePermissionType.WRITE)) { - return hasOwnerAccess - || sharingHandler.userHasAccess(gatewayId, userId, entityId, gatewayId + ":" + ResourcePermissionType.WRITE); - } else if (permissionType.equals(ResourcePermissionType.READ)) { - return hasOwnerAccess - || sharingHandler.userHasAccess(gatewayId, userId, entityId, gatewayId + ":" + ResourcePermissionType.READ); - } else if (permissionType.equals(ResourcePermissionType.OWNER)) { - return hasOwnerAccess; - } - return false; - } catch (Exception e) { - throw new RuntimeException("Unable to check if user has access", e); - } - } - - private boolean isSharingEnabled() { - try { - return ServerSettings.isEnableSharing(); - } catch (Exception e) { - return false; - } - } } diff --git a/airavata-api/src/main/java/org/apache/airavata/service/experiment/ExperimentService.java b/airavata-api/src/main/java/org/apache/airavata/service/experiment/ExperimentService.java index bf86ff92a0..7e7b52098a 100644 
--- a/airavata-api/src/main/java/org/apache/airavata/service/experiment/ExperimentService.java +++ b/airavata-api/src/main/java/org/apache/airavata/service/experiment/ExperimentService.java @@ -1,6 +1,5 @@ package org.apache.airavata.service.experiment; -import org.apache.airavata.common.utils.ServerSettings; import org.apache.airavata.model.experiment.ExperimentModel; import org.apache.airavata.model.experiment.ExperimentStatistics; import org.apache.airavata.model.experiment.ExperimentSummaryModel; @@ -28,6 +27,7 @@ import org.apache.airavata.sharing.registry.models.Entity; import org.apache.airavata.sharing.registry.models.SearchCriteria; import org.apache.airavata.sharing.registry.models.EntitySearchField; import org.apache.airavata.sharing.registry.models.SearchCondition; +import org.apache.airavata.service.sharing.SharingHelper; import org.apache.airavata.sharing.registry.server.SharingRegistryServerHandler; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -62,7 +62,7 @@ public class ExperimentService { try { String experimentId = registryHandler.createExperiment(ctx.getGatewayId(), experiment); - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { try { Entity entity = new Entity(); entity.setEntityId(experimentId); @@ -106,7 +106,7 @@ public class ExperimentService { } // Check sharing permissions - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { String qualifiedUserId = ctx.getUserId() + "@" + ctx.getGatewayId(); if (!sharingHandler.userHasAccess( ctx.getGatewayId(), qualifiedUserId, experimentId, ctx.getGatewayId() + ":READ")) { 
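Review bot: The sharing check in the -106 hunk still calls `sharingHandler.userHasAccess` directly with a hand-built `ctx.getUserId() + "@" + ctx.getGatewayId()` and a `":READ"` literal, although this commit introduces SharingHelper.userHasAccess for exactly that. The removed private helpers checked OWNER first and accepted it for READ and WRITE, whereas the direct calls query a single permission, so the two paths may answer differently for an owner depending on how the sharing registry treats OWNER (not visible here). I would route these through the helper, `SharingHelper.userHasAccess(sharingHandler, ctx.getGatewayId(), ctx.getUserId(), experimentId, ResourcePermissionType.READ)`, or add a comment explaining why they stay separate. The same pattern remains in the -130, -368 and -408 hunks of this file and in the GroupResourceProfileService and ProjectService hunks.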
@@ -130,7 +130,7 @@ public class ExperimentService { if (!ctx.getUserId().equals(experiment.getUserName()) || !ctx.getGatewayId().equals(experiment.getGatewayId())) { - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { String qualifiedUserId = ctx.getUserId() + "@" + ctx.getGatewayId(); if (!sharingHandler.userHasAccess( ctx.getGatewayId(), qualifiedUserId, experimentId, @@ -368,7 +368,7 @@ public class ExperimentService { RequestContext ctx, String projectId, int limit, int offset) throws ServiceException { try { Project project = registryHandler.getProject(projectId); - if (isSharingEnabled() + if (SharingHelper.isSharingEnabled() && (!ctx.getUserId().equals(project.getOwner()) || !ctx.getGatewayId().equals(project.getGatewayId()))) { String qualifiedUserId = ctx.getUserId() + "@" + ctx.getGatewayId(); @@ -408,7 +408,7 @@ public class ExperimentService { throws ServiceException { try { ExperimentModel existing = registryHandler.getExperiment(experimentId); - if (isSharingEnabled() + if (SharingHelper.isSharingEnabled() && (!ctx.getUserId().equals(existing.getUserName()) || !ctx.getGatewayId().equals(existing.getGatewayId()))) { String qualifiedUserId = ctx.getUserId() + "@" + ctx.getGatewayId(); @@ -419,7 +419,7 @@ public class ExperimentService { "User does not have permission to update this resource"); } } - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { try { Entity entity = sharingHandler.getEntity(ctx.getGatewayId(), experimentId); entity.setName(experiment.getExperimentName()); @@ -685,11 +685,4 @@ public class ExperimentService { } } - private boolean isSharingEnabled() { - try { - return ServerSettings.isEnableSharing(); - } catch (Exception e) { - return false; - } - } } diff --git a/airavata-api/src/main/java/org/apache/airavata/service/gateway/GatewayService.java b/airavata-api/src/main/java/org/apache/airavata/service/gateway/GatewayService.java index 979fd55b87..9f9cffb0b3 100644 
--- a/airavata-api/src/main/java/org/apache/airavata/service/gateway/GatewayService.java +++ b/airavata-api/src/main/java/org/apache/airavata/service/gateway/GatewayService.java @@ -1,11 +1,11 @@ package org.apache.airavata.service.gateway; -import org.apache.airavata.common.utils.ServerSettings; import org.apache.airavata.model.group.ResourceType; import org.apache.airavata.model.workspace.Gateway; import org.apache.airavata.registry.api.service.handler.RegistryServerHandler; import org.apache.airavata.service.context.RequestContext; import org.apache.airavata.service.exception.ServiceException; +import org.apache.airavata.service.sharing.SharingHelper; import org.apache.airavata.sharing.registry.models.Domain; import org.apache.airavata.sharing.registry.models.EntityType; import org.apache.airavata.sharing.registry.models.PermissionType; @@ -31,7 +31,7 @@ public class GatewayService { try { String gatewayId = registryHandler.addGateway(gateway); - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { Domain domain = new Domain(); domain.setDomainId(gateway.getGatewayId()); domain.setName(gateway.getGatewayName()); @@ -165,11 +165,4 @@ public class GatewayService { } } - private boolean isSharingEnabled() { - try { - return ServerSettings.isEnableSharing(); - } catch (Exception e) { - return false; - } - } } diff --git a/airavata-api/src/main/java/org/apache/airavata/service/groupprofile/GroupResourceProfileService.java b/airavata-api/src/main/java/org/apache/airavata/service/groupprofile/GroupResourceProfileService.java index bf068ebab8..89e3615e08 100644 --- a/airavata-api/src/main/java/org/apache/airavata/service/groupprofile/GroupResourceProfileService.java +++ b/airavata-api/src/main/java/org/apache/airavata/service/groupprofile/GroupResourceProfileService.java 
@@ -1,6 +1,5 @@ package org.apache.airavata.service.groupprofile; -import org.apache.airavata.common.utils.ServerSettings; import org.apache.airavata.model.appcatalog.gatewaygroups.GatewayGroups; import org.apache.airavata.model.appcatalog.groupresourceprofile.BatchQueueResourcePolicy; import org.apache.airavata.model.appcatalog.groupresourceprofile.ComputeResourcePolicy; @@ -12,10 +11,9 @@ import org.apache.airavata.registry.api.service.handler.RegistryServerHandler; import org.apache.airavata.service.context.RequestContext; import org.apache.airavata.service.exception.ServiceAuthorizationException; import org.apache.airavata.service.exception.ServiceException; -import org.apache.airavata.service.security.GatewayGroupsInitializer; +import org.apache.airavata.service.sharing.SharingHelper; import org.apache.airavata.sharing.registry.models.Entity; import org.apache.airavata.sharing.registry.models.EntitySearchField; -import org.apache.airavata.sharing.registry.models.PermissionType; import org.apache.airavata.sharing.registry.models.SearchCondition; import org.apache.airavata.sharing.registry.models.SearchCriteria; import org.apache.airavata.sharing.registry.server.SharingRegistryServerHandler; @@ -23,7 +21,6 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import java.util.ArrayList; -import java.util.Arrays; import java.util.HashSet; import java.util.List; import java.util.Set; @@ -46,7 +43,7 @@ public class GroupResourceProfileService { try { validateGroupResourceProfileCredentials(ctx, groupResourceProfile); String groupResourceProfileId = registryHandler.createGroupResourceProfile(groupResourceProfile); - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { try { Entity entity = new Entity(); entity.setEntityId(groupResourceProfileId); 
@@ -56,7 +53,7 @@ public class GroupResourceProfileService { entity.setOwnerId(userId + "@" + domainId); entity.setName(groupResourceProfile.getGroupResourceProfileName()); sharingHandler.createEntity(entity); - shareEntityWithAdminGatewayGroups(entity); + SharingHelper.shareEntityWithAdminGatewayGroups(sharingHandler, registryHandler, entity); } catch (Exception ex) { logger.error("Rolling back group resource profile creation ID: {}", groupResourceProfileId, ex); registryHandler.removeGroupResourceProfile(groupResourceProfileId); @@ -78,7 +75,7 @@ public class GroupResourceProfileService { String profileId = groupResourceProfile.getGroupResourceProfileId(); try { validateGroupResourceProfileCredentials(ctx, groupResourceProfile); - if (isSharingEnabled() && !userHasAccess(gatewayId, userId, profileId, ResourcePermissionType.WRITE)) { + if (SharingHelper.isSharingEnabled() && !SharingHelper.userHasAccess(sharingHandler, gatewayId, userId, profileId, ResourcePermissionType.WRITE)) { throw new ServiceAuthorizationException("User does not have permission to update group resource profile"); } registryHandler.updateGroupResourceProfile(groupResourceProfile); @@ -94,7 +91,7 @@ public class GroupResourceProfileService { String userId = ctx.getUserId(); String gatewayId = ctx.getGatewayId(); try { - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { try { if (!sharingHandler.userHasAccess(gatewayId, userId + "@" + gatewayId, groupResourceProfileId, gatewayId + ":READ")) { throw new ServiceAuthorizationException("User does not have permission to access group resource profile"); 
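Review bot: If `SharingHelper.shareEntityWithAdminGatewayGroups` throws in the first hunk, the visible part of the catch removes only the registry record via `removeGroupResourceProfile`; the entity created by `sharingHandler.createEntity(entity)` just above is not deleted in the lines shown. The removed private method issued three separate `shareEntityWithGroups` calls, so if the helper keeps that shape, a failure can also leave a subset of the admin grants in place. Unless the rest of the catch (outside the hunk) already handles it, I would add a best-effort `sharingHandler.deleteEntity(domainId, groupResourceProfileId);` before removing the profile, so that a stale sharing entity does not outlive the record it describes.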
@@ -119,7 +116,7 @@ public class GroupResourceProfileService { String userId = ctx.getUserId(); String gatewayId = ctx.getGatewayId(); try { - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { try { if (!sharingHandler.userHasAccess(gatewayId, userId + "@" + gatewayId, groupResourceProfileId, gatewayId + ":WRITE")) { throw new ServiceAuthorizationException("User does not have permission to remove group resource profile"); @@ -145,7 +142,7 @@ public class GroupResourceProfileService { String userId = ctx.getUserId(); try { List<String> accessibleGroupResProfileIds = new ArrayList<>(); - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { List<SearchCriteria> filters = new ArrayList<>(); SearchCriteria searchCriteria = new SearchCriteria(); searchCriteria.setSearchField(EntitySearchField.ENTITY_TYPE_ID); @@ -168,7 +165,7 @@ public class GroupResourceProfileService { String userId = ctx.getUserId(); String gatewayId = ctx.getGatewayId(); try { - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { try { if (!sharingHandler.userHasAccess(gatewayId, userId + "@" + gatewayId, groupResourceProfileId, gatewayId + ":WRITE")) { throw new ServiceAuthorizationException("User does not have permission to remove group compute preferences"); @@ -193,7 +190,7 @@ public class GroupResourceProfileService { String userId = ctx.getUserId(); String gatewayId = ctx.getGatewayId(); try { - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { try { ComputeResourcePolicy computeResourcePolicy = registryHandler.getGroupComputeResourcePolicy(resourcePolicyId); if (!sharingHandler.userHasAccess(gatewayId, userId + "@" + gatewayId, 
@@ -220,7 +217,7 @@ public class GroupResourceProfileService { String userId = ctx.getUserId(); String gatewayId = ctx.getGatewayId(); try { - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { try { BatchQueueResourcePolicy batchQueueResourcePolicy = registryHandler.getBatchQueueResourcePolicy(resourcePolicyId); if (!sharingHandler.userHasAccess(gatewayId, userId + "@" + gatewayId, @@ -247,7 +244,7 @@ public class GroupResourceProfileService { String userId = ctx.getUserId(); String gatewayId = ctx.getGatewayId(); try { - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { try { if (!sharingHandler.userHasAccess(gatewayId, userId + "@" + gatewayId, groupResourceProfileId, gatewayId + ":READ")) { throw new ServiceAuthorizationException("User does not have permission to access group resource profile"); @@ -272,7 +269,7 @@ public class GroupResourceProfileService { String userId = ctx.getUserId(); String gatewayId = ctx.getGatewayId(); try { - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { try { ComputeResourcePolicy computeResourcePolicy = registryHandler.getGroupComputeResourcePolicy(resourcePolicyId); if (!sharingHandler.userHasAccess(gatewayId, userId + "@" + gatewayId, @@ -299,7 +296,7 @@ public class GroupResourceProfileService { String userId = ctx.getUserId(); String gatewayId = ctx.getGatewayId(); try { - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { try { BatchQueueResourcePolicy batchQueueResourcePolicy = registryHandler.getBatchQueueResourcePolicy(resourcePolicyId); if (!sharingHandler.userHasAccess(gatewayId, userId + "@" + gatewayId, 
@@ -326,7 +323,7 @@ public class GroupResourceProfileService { String userId = ctx.getUserId(); String gatewayId = ctx.getGatewayId(); try { - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { try { if (!sharingHandler.userHasAccess(gatewayId, userId + "@" + gatewayId, groupResourceProfileId, gatewayId + ":READ")) { throw new ServiceAuthorizationException("User does not have permission to access group resource profile"); @@ -351,7 +348,7 @@ public class GroupResourceProfileService { String userId = ctx.getUserId(); String gatewayId = ctx.getGatewayId(); try { - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { try { if (!sharingHandler.userHasAccess(gatewayId, userId + "@" + gatewayId, groupResourceProfileId, gatewayId + ":READ")) { throw new ServiceAuthorizationException("User does not have permission to access group resource profile"); @@ -376,7 +373,7 @@ public class GroupResourceProfileService { String userId = ctx.getUserId(); String gatewayId = ctx.getGatewayId(); try { - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { try { if (!sharingHandler.userHasAccess(gatewayId, userId + "@" + gatewayId, groupResourceProfileId, gatewayId + ":READ")) { throw new ServiceAuthorizationException("User does not have permission to access group resource profile"); @@ -400,7 +397,7 @@ public class GroupResourceProfileService { public GatewayGroups getGatewayGroups(RequestContext ctx) throws ServiceException { String gatewayId = ctx.getGatewayId(); try { - GatewayGroups gatewayGroups = retrieveGatewayGroups(gatewayId); + GatewayGroups gatewayGroups = SharingHelper.retrieveGatewayGroups(registryHandler, gatewayId); logger.debug("Retrieved GatewayGroups for gateway {}", gatewayId); return gatewayGroups; } catch (Exception e) { 
@@ -425,74 +422,10 @@ public class GroupResourceProfileService { tokenIds.add(groupResourceProfile.getDefaultCredentialStoreToken()); } for (String tokenId : tokenIds) { - if (!userHasAccess(gatewayId, userId, tokenId, ResourcePermissionType.READ)) { + if (!SharingHelper.userHasAccess(sharingHandler, gatewayId, userId, tokenId, ResourcePermissionType.READ)) { throw new ServiceAuthorizationException("User does not have READ permission to credential token " + tokenId + "."); } } } - private boolean userHasAccess(String gatewayId, String userId, String entityId, ResourcePermissionType permissionType) { - String qualifiedUserId = userId + "@" + gatewayId; - try { - boolean hasOwnerAccess = sharingHandler.userHasAccess( - gatewayId, qualifiedUserId, entityId, gatewayId + ":" + ResourcePermissionType.OWNER); - if (permissionType.equals(ResourcePermissionType.OWNER)) { - return hasOwnerAccess; - } else if (permissionType.equals(ResourcePermissionType.WRITE)) { - return hasOwnerAccess || sharingHandler.userHasAccess( - gatewayId, qualifiedUserId, entityId, gatewayId + ":" + ResourcePermissionType.WRITE); - } else if (permissionType.equals(ResourcePermissionType.READ)) { - return hasOwnerAccess || sharingHandler.userHasAccess( - gatewayId, qualifiedUserId, entityId, gatewayId + ":" + ResourcePermissionType.READ); - } else if (permissionType.equals(ResourcePermissionType.MANAGE_SHARING)) { - return hasOwnerAccess || sharingHandler.userHasAccess( - gatewayId, qualifiedUserId, entityId, gatewayId + ":" + ResourcePermissionType.MANAGE_SHARING); - } - return false; - } catch (Exception e) { - throw new RuntimeException("Unable to check if user has access", e); - } - } - - private GatewayGroups retrieveGatewayGroups(String gatewayId) throws Exception { - if (registryHandler.isGatewayGroupsExists(gatewayId)) { - return registryHandler.getGatewayGroups(gatewayId); - } else { - return GatewayGroupsInitializer.initializeGatewayGroups(gatewayId); - } - } - - private void 
shareEntityWithAdminGatewayGroups(Entity entity) throws Exception { - final String domainId = entity.getDomainId(); - GatewayGroups gatewayGroups = retrieveGatewayGroups(domainId); - createManageSharingPermissionTypeIfMissing(domainId); - sharingHandler.shareEntityWithGroups(domainId, entity.getEntityId(), - Arrays.asList(gatewayGroups.getAdminsGroupId()), domainId + ":MANAGE_SHARING", true); - sharingHandler.shareEntityWithGroups(domainId, entity.getEntityId(), - Arrays.asList(gatewayGroups.getAdminsGroupId()), domainId + ":WRITE", true); - sharingHandler.shareEntityWithGroups(domainId, entity.getEntityId(), - Arrays.asList(gatewayGroups.getAdminsGroupId(), gatewayGroups.getReadOnlyAdminsGroupId()), - domainId + ":READ", true); - } - - private void createManageSharingPermissionTypeIfMissing(String domainId) throws Exception { - String permissionTypeId = domainId + ":MANAGE_SHARING"; - if (!sharingHandler.isPermissionExists(domainId, permissionTypeId)) { - PermissionType permissionType = new PermissionType(); - permissionType.setPermissionTypeId(permissionTypeId); - permissionType.setDomainId(domainId); - permissionType.setName("MANAGE_SHARING"); - permissionType.setDescription("Manage sharing permission type"); - sharingHandler.createPermissionType(permissionType); - logger.info("Created MANAGE_SHARING permission type for domain {}", domainId); - } - } - - private boolean isSharingEnabled() { - try { - return ServerSettings.isEnableSharing(); - } catch (Exception e) { - return false; - } - } } diff --git a/airavata-api/src/main/java/org/apache/airavata/service/project/ProjectService.java b/airavata-api/src/main/java/org/apache/airavata/service/project/ProjectService.java index 6a428a4eae..0b0e374613 100644 --- a/airavata-api/src/main/java/org/apache/airavata/service/project/ProjectService.java +++ b/airavata-api/src/main/java/org/apache/airavata/service/project/ProjectService.java 
@@ -1,6 +1,5 @@ package org.apache.airavata.service.project; -import org.apache.airavata.common.utils.ServerSettings; import org.apache.airavata.model.workspace.Project; import org.apache.airavata.model.experiment.ProjectSearchFields; import org.apache.airavata.registry.api.service.handler.RegistryServerHandler; @@ -12,6 +11,7 @@ import org.apache.airavata.sharing.registry.models.Entity; import org.apache.airavata.sharing.registry.models.EntitySearchField; import org.apache.airavata.sharing.registry.models.SearchCondition; import org.apache.airavata.sharing.registry.models.SearchCriteria; +import org.apache.airavata.service.sharing.SharingHelper; import org.apache.airavata.sharing.registry.server.SharingRegistryServerHandler; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -38,7 +38,7 @@ public class ProjectService { try { String projectId = registryHandler.createProject(gatewayId, project); - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { try { Entity entity = new Entity(); entity.setEntityId(projectId); @@ -74,7 +74,7 @@ public class ProjectService { if (!ctx.getUserId().equals(existingProject.getOwner()) || !ctx.getGatewayId().equals(existingProject.getGatewayId())) { - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { String qualifiedUserId = ctx.getUserId() + "@" + ctx.getGatewayId(); if (!sharingHandler.userHasAccess( ctx.getGatewayId(), qualifiedUserId, projectId, ctx.getGatewayId() + ":WRITE")) { @@ -112,7 +112,7 @@ public class ProjectService { if (!ctx.getUserId().equals(existingProject.getOwner()) || !ctx.getGatewayId().equals(existingProject.getGatewayId())) { - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { String qualifiedUserId = ctx.getUserId() + "@" + ctx.getGatewayId(); if (!sharingHandler.userHasAccess( ctx.getGatewayId(), qualifiedUserId, projectId, ctx.getGatewayId() + ":WRITE")) { 
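Review bot: The access checks in the hunks at -74 and -112 (and the READ check at -147) still build `qualifiedUserId` by hand and call `sharingHandler.userHasAccess` directly, so only the `isSharingEnabled()` call moved to the helper. That leaves two rules for forming the sharing identity: these sites always append `"@" + ctx.getGatewayId()`, while `SharingHelper.userHasAccess` skips the suffix when the id already contains `@` and also tries OWNER first. Either route these checks through the helper, or put a comment above each one, e.g. `// direct check on purpose: WRITE only, no OWNER fallback`, so the difference is a recorded decision. The enclosing methods continue outside these hunks.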
@@ -147,7 +147,7 @@ public class ProjectService { return project; } - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { String qualifiedUserId = ctx.getUserId() + "@" + ctx.getGatewayId(); if (!sharingHandler.userHasAccess( ctx.getGatewayId(), qualifiedUserId, projectId, ctx.getGatewayId() + ":READ")) { @@ -168,7 +168,7 @@ public class ProjectService { public List<Project> getUserProjects(RequestContext ctx, String gatewayId, String userName, int limit, int offset) throws ServiceException { try { - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { List<String> accessibleProjectIds = new ArrayList<>(); List<SearchCriteria> filters = new ArrayList<>(); SearchCriteria searchCriteria = new SearchCriteria(); @@ -198,7 +198,7 @@ public class ProjectService { try { List<String> accessibleProjIds = new ArrayList<>(); - if (isSharingEnabled()) { + if (SharingHelper.isSharingEnabled()) { List<SearchCriteria> sharingFilters = new ArrayList<>(); SearchCriteria searchCriteria = new SearchCriteria(); searchCriteria.setSearchField(EntitySearchField.ENTITY_TYPE_ID); @@ -220,11 +220,4 @@ public class ProjectService { } } - private boolean isSharingEnabled() { - try { - return ServerSettings.isEnableSharing(); - } catch (Exception e) { - return false; - } - } } diff --git a/airavata-api/src/main/java/org/apache/airavata/service/sharing/ResourceSharingService.java b/airavata-api/src/main/java/org/apache/airavata/service/sharing/ResourceSharingService.java index bd9b2b6202..8ae337d395 100644 --- a/airavata-api/src/main/java/org/apache/airavata/service/sharing/ResourceSharingService.java +++ b/airavata-api/src/main/java/org/apache/airavata/service/sharing/ResourceSharingService.java 
@@ -7,8 +7,6 @@ import org.apache.airavata.registry.api.service.handler.RegistryServerHandler; import org.apache.airavata.service.context.RequestContext; import org.apache.airavata.service.exception.ServiceAuthorizationException; import org.apache.airavata.service.exception.ServiceException; -import org.apache.airavata.service.security.GatewayGroupsInitializer; -import org.apache.airavata.sharing.registry.models.PermissionType; import org.apache.airavata.sharing.registry.models.User; import org.apache.airavata.sharing.registry.models.UserGroup; import org.apache.airavata.sharing.registry.server.SharingRegistryServerHandler; @@ -342,7 +340,10 @@ public class ResourceSharingService { } private void validateAdminGroupNotRevoked(String gatewayId, String resourceId, Map<String, ResourcePermissionType> groupPermissionList) throws Exception { - GatewayGroups gatewayGroups = retrieveGatewayGroups(gatewayId); + if (registryHandler == null) { + return; + } + GatewayGroups gatewayGroups = SharingHelper.retrieveGatewayGroups(registryHandler, gatewayId); if (gatewayGroups == null) { return; } 
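Review bot: The added guard `if (registryHandler == null) { return; }` in validateAdminGroupNotRevoked turns the admin-group revocation check into a silent no-op when no registry handler is set. This matches what the removed private retrieveGatewayGroups did by returning null, but now that the guard is explicit it should leave a trace, e.g. `logger.warn("Skipping admin group revocation check for gateway {}: no registry handler", gatewayId);` before the return. The class referenced `logger` in the code this commit removes, so one is presumably still in scope. The method body continues outside the hunk.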
@@ -353,27 +354,7 @@ public class ResourceSharingService { } } - private GatewayGroups retrieveGatewayGroups(String gatewayId) throws Exception { - if (registryHandler == null) { - return null; - } - if (registryHandler.isGatewayGroupsExists(gatewayId)) { - return registryHandler.getGatewayGroups(gatewayId); - } else { - return GatewayGroupsInitializer.initializeGatewayGroups(gatewayId); - } - } - void createManageSharingPermissionTypeIfMissing(String domainId) throws Exception { - String permissionTypeId = domainId + ":MANAGE_SHARING"; - if (!sharingHandler.isPermissionExists(domainId, permissionTypeId)) { - PermissionType permissionType = new PermissionType(); - permissionType.setPermissionTypeId(permissionTypeId); - permissionType.setDomainId(domainId); - permissionType.setName("MANAGE_SHARING"); - permissionType.setDescription("Manage sharing permission type"); - sharingHandler.createPermissionType(permissionType); - logger.info("Created MANAGE_SHARING permission type for domain {}", domainId); - } + SharingHelper.createManageSharingPermissionTypeIfMissing(sharingHandler, domainId); } } diff --git a/airavata-api/src/main/java/org/apache/airavata/service/sharing/SharingHelper.java b/airavata-api/src/main/java/org/apache/airavata/service/sharing/SharingHelper.java new file mode 100644 index 0000000000..a91e988ea6 --- /dev/null +++ b/airavata-api/src/main/java/org/apache/airavata/service/sharing/SharingHelper.java 
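Review bot: Delegating createManageSharingPermissionTypeIfMissing drops the `logger.info("Created MANAGE_SHARING permission type for domain {}", domainId);` line, because the SharingHelper version added in this commit creates the permission type without logging. Creating a permission type changes the authorization model and is worth keeping in the log. I would give SharingHelper an SLF4J logger and emit the same message after `sharingHandler.createPermissionType(permissionType);`.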
@@ -0,0 +1,78 @@ +package org.apache.airavata.service.sharing; + +import org.apache.airavata.common.utils.ServerSettings; +import org.apache.airavata.model.appcatalog.gatewaygroups.GatewayGroups; +import org.apache.airavata.model.group.ResourcePermissionType; +import org.apache.airavata.registry.api.service.handler.RegistryServerHandler; +import org.apache.airavata.service.security.GatewayGroupsInitializer; +import org.apache.airavata.sharing.registry.models.Entity; +import org.apache.airavata.sharing.registry.models.PermissionType; +import org.apache.airavata.sharing.registry.server.SharingRegistryServerHandler; +import org.apache.thrift.TException; + +import java.util.Arrays; + +public class SharingHelper { + + private SharingHelper() { + // utility class + } + + public static boolean isSharingEnabled() { + try { + return ServerSettings.isEnableSharing(); + } catch (Exception e) { + return false; + } + } + + public static boolean userHasAccess(SharingRegistryServerHandler sharingHandler, + String gatewayId, String userId, String entityId, ResourcePermissionType permissionType) { + String qualifiedUserId = userId.contains("@") ? 
userId : userId + "@" + gatewayId; + try { + boolean hasOwnerAccess = sharingHandler.userHasAccess( + gatewayId, qualifiedUserId, entityId, gatewayId + ":" + ResourcePermissionType.OWNER); + if (permissionType.equals(ResourcePermissionType.OWNER)) return hasOwnerAccess; + return hasOwnerAccess || sharingHandler.userHasAccess( + gatewayId, qualifiedUserId, entityId, gatewayId + ":" + permissionType); + } catch (Exception e) { + throw new RuntimeException("Unable to check if user has access", e); + } + } + + public static GatewayGroups retrieveGatewayGroups(RegistryServerHandler registryHandler, String gatewayId) throws TException { + if (registryHandler.isGatewayGroupsExists(gatewayId)) { + return registryHandler.getGatewayGroups(gatewayId); + } + return GatewayGroupsInitializer.initializeGatewayGroups(gatewayId); + } + + public static void shareEntityWithAdminGatewayGroups( + SharingRegistryServerHandler sharingHandler, + RegistryServerHandler registryHandler, + Entity entity) throws TException { + String domainId = entity.getDomainId(); + GatewayGroups gatewayGroups = retrieveGatewayGroups(registryHandler, domainId); + createManageSharingPermissionTypeIfMissing(sharingHandler, domainId); + sharingHandler.shareEntityWithGroups(domainId, entity.getEntityId(), + Arrays.asList(gatewayGroups.getAdminsGroupId()), domainId + ":MANAGE_SHARING", true); + sharingHandler.shareEntityWithGroups(domainId, entity.getEntityId(), + Arrays.asList(gatewayGroups.getAdminsGroupId()), domainId + ":WRITE", true); + sharingHandler.shareEntityWithGroups(domainId, entity.getEntityId(), + Arrays.asList(gatewayGroups.getAdminsGroupId(), gatewayGroups.getReadOnlyAdminsGroupId()), + domainId + ":READ", true); + } + + public static void createManageSharingPermissionTypeIfMissing( + SharingRegistryServerHandler sharingHandler, String domainId) throws TException { + String permissionTypeId = domainId + ":MANAGE_SHARING"; + if (!sharingHandler.isPermissionExists(domainId, permissionTypeId)) { + 
PermissionType permissionType = new PermissionType(); + permissionType.setPermissionTypeId(permissionTypeId); + permissionType.setDomainId(domainId); + permissionType.setName("MANAGE_SHARING"); + permissionType.setDescription("Manage sharing permission type"); + sharingHandler.createPermissionType(permissionType); + } + } +}
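Review bot: `isSharingEnabled()` returns false for any exception from `ServerSettings.isEnableSharing()`, and in this commit's ProjectService hunks the sharing access check runs only when it returns true. A settings read failure therefore looks the same as sharing being turned off. What the callers do in that case is outside the visible hunks, but the failure should at least be logged. I would add a logger to the class, put `logger.warn("Could not read sharing setting, treating sharing as disabled", e);` in the catch block, and add a Javadoc line on the method stating that it returns false on error. The new class also has no class-level Javadoc saying which handler each static method expects.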
