Merge pull request #240 from zanata/rhbz1021357

rhbz1021357 - Insert the authenticated person into the Security Rules' context for asynchronous processes.
zanata · Oct 22, 2013 · 3184d8b · 3184d8b
2 parents b49c2b4 + 8aaeff4
commit 3184d8b
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 4 deletions.
diff --git a/zanata-war/src/main/java/org/zanata/action/AuthenticationEvents.java b/zanata-war/src/main/java/org/zanata/action/AuthenticationEvents.java
@@ -49,6 +49,10 @@ public class AuthenticationEvents implements Serializable {
     @Observer(JpaIdentityStore.EVENT_USER_AUTHENTICATED)
     public void loginSuccessful(HAccount account) {
         log.info("Account {0} authenticated", account.getUsername());
+        injectAuthenticatedPersonIntoWorkingMemory(account);
+    }
+
+    public void injectAuthenticatedPersonIntoWorkingMemory(HAccount account) {
         HPerson authenticatedPerson = account.getPerson();
         // insert authenticatedPerson for use in security.drl rules
         RuleBasedPermissionResolver.instance().getSecurityContext()

diff --git a/zanata-war/src/main/java/org/zanata/async/AsynchronousTaskExecutor.java b/zanata-war/src/main/java/org/zanata/async/AsynchronousTaskExecutor.java
@@ -24,6 +24,7 @@
 
 import javax.security.auth.Subject;
 
+import org.jboss.seam.Component;
 import org.jboss.seam.ScopeType;
 import org.jboss.seam.annotations.AutoCreate;
 import org.jboss.seam.annotations.Name;
@@ -32,14 +33,16 @@
 import org.jboss.seam.security.RunAsOperation;
 
 import lombok.extern.slf4j.Slf4j;
+import org.zanata.action.AuthenticationEvents;
+import org.zanata.dao.AccountDAO;
+import org.zanata.model.HAccount;
 
 /**
  * This class executes a Runnable Process asynchronously. Do not use this class
  * directly. Use {@link org.zanata.async.TaskExecutor} instead as this is just a
  * wrapper to make sure Seam can run the task in the background.
  * {@link TaskExecutor} is able to do this as well as return an instance of the
  * task handle to keep track of the task's progress.
- *
  * @author Carlos Munoz <a
  *         href="mailto:camunoz@redhat.com">camunoz@redhat.com</a>
  */
@@ -48,16 +51,27 @@
 @AutoCreate
 @Slf4j
 public class AsynchronousTaskExecutor {
+
+    /**
+     * Runs the provided task asynchronously with the given security
+     * constraints.
+     *
+     * @param task Task to run asynchronously.
+     * @param runAsPpal Security Principal to tun the task.
+     * @param runAsSubject Security Subject to run the task.
+     * @param username The username to run the task.
+     */
     @Asynchronous
     public <V, H extends AsyncTaskHandle<V>> void runAsynchronously(
             final AsyncTask<V, H> task, final Principal runAsPpal,
-            final Subject runAsSubject) {
+            final Subject runAsSubject, final String username) {
         AsyncUtils.outject(task.getHandle(), ScopeType.EVENT);
 
         RunAsOperation runAsOp = new RunAsOperation() {
             @Override
             public void execute() {
                 try {
+                    prepareSecurityContext(username);
                     V returnValue = task.call();
                     task.getHandle().set(returnValue);
                 } catch (Exception t) {
@@ -82,4 +96,26 @@ public Subject getSubject() {
         runAsOp.run();
     }
 
+    /**
+     * Prepares the Drools security context so that it contains all the
+     * necessary facts for security checking.
+     */
+    private static void prepareSecurityContext(String username) {
+        /*
+         * TODO This should be changed to not need the username. There should be
+         * a way to simulate a login for asyn tasks, or at least to inherit the
+         * caller's context
+         */
+        if( username != null ) {
+            // Only if it's an authenticated task should it try and do this
+            // injection
+            AccountDAO accountDAO =
+                (AccountDAO) Component.getInstance(AccountDAO.class);
+            AuthenticationEvents authEvts =
+                (AuthenticationEvents) Component
+                    .getInstance(AuthenticationEvents.class);
+            HAccount authenticatedAccount = accountDAO.getByUsername(username);
+            authEvts.injectAuthenticatedPersonIntoWorkingMemory(authenticatedAccount);
+        }
+    }
 }
diff --git a/zanata-war/src/main/java/org/zanata/async/TaskExecutor.java b/zanata-war/src/main/java/org/zanata/async/TaskExecutor.java
@@ -61,8 +61,9 @@ public <V, H extends AsyncTaskHandle<V>> AsyncTaskHandle<V> startTask(
         }
 
         Identity identity = Identity.instance();
-        asynchronousTaskExecutor.runAsynchronously(task,
-                identity.getPrincipal(), identity.getSubject());
+        asynchronousTaskExecutor.runAsynchronously(task, identity
+                .getPrincipal(), identity.getSubject(),
+                identity.getCredentials().getUsername());
         return handle;
     }