nuxeo · andreinechaev · Oct 13, 2021 · Oct 11, 2021
diff --git a/nuxeo-ai-config/src/main/java/org/nuxeo/ecm/restapi/server/jaxrs/AIRoot.java b/nuxeo-ai-config/src/main/java/org/nuxeo/ecm/restapi/server/jaxrs/AIRoot.java
@@ -18,6 +18,9 @@
  */
 package org.nuxeo.ecm.restapi.server.jaxrs;
 
+import static org.nuxeo.ai.AIConstants.INSIGHT_PREFIX;
+import static org.nuxeo.ai.AIConstants.LIBRARIANS_GROUP_SUFFIX;
+import static org.nuxeo.ai.AIConstants.MANAGERS_GROUP_SUFFIX;
 import static org.nuxeo.ai.listeners.ContinuousExportListener.NUXEO_AI_CONTINUOUS_EXPORT_ENABLE;
 
 import java.io.IOException;
@@ -55,36 +58,27 @@
 @WebObject(type = "aicore")
 public class AIRoot extends DefaultObject {
 
-    public static final String DATASOURCE_CONF_VAR = "nuxeo.ai.insight.datasource.label";
+    private static final Logger log = LogManager.getLogger(AIRoot.class);
 
     protected static final ObjectMapper MAPPER;
 
-    static {
-        MAPPER = new ObjectMapper();
-        MAPPER.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
-    }
-
     protected static final TypeReference<Map<String, String>> NUXEO_CONF_REF = new TypeReference<Map<String, String>>() {
     };
 
-    private static final Logger log = LogManager.getLogger(AIRoot.class);
-
-    public static final String PROJECT_ID_VAR = "nuxeo.ai.insight.client.projectid";
-
-    public static final String MANAGERS_GROUP_SUFFIX = "-managers";
-
-    public static final String LIBRARIANS_GROUP_SUFFIX = "-librarians";
+    public static final String DATASOURCE_CONF_VAR = "nuxeo.ai.insight.datasource.label";
 
-    public static final String INSIGHT_PREFIX = "insight";
+    static {
+        MAPPER = new ObjectMapper();
+        MAPPER.configure(SerializationFeature.FAIL_ON_EMPTY_BEANS, false);
+    }
 
     @POST
     @Path("config")
     @Consumes(MediaType.APPLICATION_JSON)
     @Produces(MediaType.APPLICATION_JSON)
     public Response setNuxeoConfVars(String conf) throws JsonProcessingException {
         Map<String, String> confMap = MAPPER.readValue(conf, NUXEO_CONF_REF);
-        if (!(ctx.getPrincipal().isMemberOf(INSIGHT_PREFIX + MANAGERS_GROUP_SUFFIX) || ctx.getPrincipal()
-                                                                                          .isAdministrator())) {
+        if (!(isManager() || isAdministrator())) {
             return Response.status(Response.Status.UNAUTHORIZED).build();
         }
         try {
@@ -121,8 +115,7 @@ public Response isExportActivated() {
     public Response setThresholdsFromJSON(String thresholdsJSON) throws JsonProcessingException {
         ThresholdConfiguratorDescriptor thresholds = MAPPER.readValue(thresholdsJSON,
                 ThresholdConfiguratorDescriptor.class);
-        if (!(ctx.getPrincipal().isMemberOf(INSIGHT_PREFIX + MANAGERS_GROUP_SUFFIX) || ctx.getPrincipal()
-                                                                                          .isAdministrator())) {
+        if (!(isManager() || isAdministrator())) {
             return Response.status(Response.Status.UNAUTHORIZED).build();
         }
 
@@ -144,8 +137,7 @@ public Response setThresholdsFromXML(@PathParam("docType") String docType, Strin
             throw new WebApplicationException(
                     Response.status(Response.Status.BAD_REQUEST).entity("docType parameter is mandatory").build());
         }
-        if (!(ctx.getPrincipal().isMemberOf(INSIGHT_PREFIX + MANAGERS_GROUP_SUFFIX) || ctx.getPrincipal()
-                                                                                          .isAdministrator())) {
+        if (!(isManager() || isAdministrator())) {
             return Response.status(Response.Status.UNAUTHORIZED).build();
         }
         try {
@@ -164,8 +156,7 @@ public Response removeThreshold(@PathParam("docType") String docType) {
             throw new WebApplicationException(
                     Response.status(Response.Status.BAD_REQUEST).entity("docType parameter is mandatory").build());
         }
-        if (!(ctx.getPrincipal().isMemberOf(INSIGHT_PREFIX + MANAGERS_GROUP_SUFFIX) || ctx.getPrincipal()
-                                                                                          .isAdministrator())) {
+        if (!(isManager() || isAdministrator())) {
             return Response.status(Response.Status.UNAUTHORIZED).build();
         }
         try {
@@ -181,8 +172,7 @@ public Response removeThreshold(@PathParam("docType") String docType) {
     @Path("extension/thresholds")
     @Produces(MediaType.APPLICATION_XML)
     public Response getAllThresholds() {
-        if (!(ctx.getPrincipal().isMemberOf(INSIGHT_PREFIX + MANAGERS_GROUP_SUFFIX) || ctx.getPrincipal()
-                                                                                          .isAdministrator())) {
+        if (!(isManager() || isAdministrator())) {
             return Response.status(Response.Status.UNAUTHORIZED).build();
         }
         try {
@@ -217,7 +207,7 @@ public Response setModelFromXML(@PathParam("modelId") String modelId, String mod
     @Path("extension/models")
     @Produces(MediaType.APPLICATION_JSON)
     public Response getAllModels() {
-        if (!ctx.getPrincipal().isAdministrator()) {
+        if (!isAdministrator()) {
             return Response.status(Response.Status.UNAUTHORIZED).build();
         }
 
@@ -237,8 +227,7 @@ public Response deleteModel(@PathParam("modelId") String modelId) {
             throw new WebApplicationException(
                     Response.status(Response.Status.BAD_REQUEST).entity("modelId parameter is mandatory").build());
         }
-        if (!(ctx.getPrincipal().isMemberOf(INSIGHT_PREFIX + MANAGERS_GROUP_SUFFIX) || ctx.getPrincipal()
-                                                                                          .isAdministrator())) {
+        if (!(isManager() || isAdministrator())) {
             return Response.status(Response.Status.UNAUTHORIZED).build();
         }
         try {
@@ -257,12 +246,21 @@ public Response deleteModel(@PathParam("modelId") String modelId) {
      */
     @Path("search")
     public Resource getDocumentsToAnnotate() {
-        if (!(ctx.getPrincipal().isMemberOf(INSIGHT_PREFIX + MANAGERS_GROUP_SUFFIX) || ctx.getPrincipal()
-                                                                                          .isMemberOf(INSIGHT_PREFIX
-                                                                                                  + LIBRARIANS_GROUP_SUFFIX)
-                || ctx.getPrincipal().isAdministrator())) {
+        if (!(isManager() || isLibrarian() || isAdministrator())) {
             return null;
         }
         return ctx.newObject(AISearchObject.TYPE);
     }
+
+    private boolean isAdministrator() {
+        return ctx.getPrincipal().isAdministrator();
+    }
+
+    private boolean isLibrarian() {
+        return ctx.getPrincipal().isMemberOf(INSIGHT_PREFIX + LIBRARIANS_GROUP_SUFFIX);
+    }
+
+    private boolean isManager() {
+        return ctx.getPrincipal().isMemberOf(INSIGHT_PREFIX + MANAGERS_GROUP_SUFFIX);
+    }
 }
diff --git a/nuxeo-ai-core/src/main/java/org/nuxeo/ai/AIConstants.java b/nuxeo-ai-core/src/main/java/org/nuxeo/ai/AIConstants.java
@@ -60,6 +60,12 @@ public class AIConstants {
 
     public static final String EXPORT_SPLIT_PARAM = "split";
 
+    public static final String MANAGERS_GROUP_SUFFIX = "-managers";
+
+    public static final String LIBRARIANS_GROUP_SUFFIX = "-librarians";
+
+    public static final String INSIGHT_PREFIX = "insight";
+
     private AIConstants() {
         // just Constants
     }

diff --git a/nuxeo-ai-model/src/main/java/org/nuxeo/ai/cloud/NuxeoCloudClient.java b/nuxeo-ai-model/src/main/java/org/nuxeo/ai/cloud/NuxeoCloudClient.java
@@ -19,6 +19,8 @@
 package org.nuxeo.ai.cloud;
 
 import static org.apache.commons.lang3.StringUtils.isAnyBlank;
+import static org.nuxeo.ai.AIConstants.INSIGHT_PREFIX;
+import static org.nuxeo.ai.AIConstants.MANAGERS_GROUP_SUFFIX;
 import static org.nuxeo.ai.adapters.DatasetExport.DATASET_EXPORT_BATCH_ID;
 import static org.nuxeo.ai.adapters.DatasetExport.DATASET_EXPORT_CORPORA_ID;
 import static org.nuxeo.ai.adapters.DatasetExport.DATASET_EXPORT_DOCUMENTS_COUNT;
@@ -172,7 +174,9 @@ protected Optional<InsightClient> configureClient(CoreSession session, @Nonnull
             JWTKeyService jwt = Framework.getService(JWTKeyService.class);
             Map<String, Serializable> claims = new HashMap<>();
             claims.put(PublicClaims.SUBJECT, session.getPrincipal().getActingUser());
-            String[] groups = { descriptor.projectId + "-managers" };
+
+            // TODO: AICORE-541 - use session to apply correct groups
+            String[] groups = { INSIGHT_PREFIX + MANAGERS_GROUP_SUFFIX };
             claims.put(NuxeoClaim.GROUP, groups);
             claims.put(JWTClaims.DATASOURCE, datasource);