Add new security annotations for CDI

zanata-war/src/main/java/org/zanata/security/CheckLoggedInProvider.java

@@ -0,0 +1,40 @@
+/*
+ * Copyright 2014, Red Hat, Inc. and individual contributors as indicated by the
+ * @author tags. See the copyright.txt file in the distribution for a full
+ * listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 2.1 of the License, or (at your option)
+ * any later version.
+ *
+ * This software is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this software; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
+ * site: http://www.fsf.org.
+ */
+package org.zanata.security;
+
+import javax.enterprise.context.ApplicationScoped;
+
+import org.apache.deltaspike.security.api.authorization.Secures;
+import org.picketlink.Identity;
+import org.zanata.security.annotations.CheckLoggedIn;
+
+/**
+ * @author Carlos Munoz <a href="mailto:camunoz@redhat.com">camunoz@redhat.com</a>
+ */
+@ApplicationScoped
+public class CheckLoggedInProvider {
+
+    @Secures
+    @CheckLoggedIn
+    public boolean isLoggedIn(Identity identity) throws Exception {
+        return identity.isLoggedIn();
+    }
+}

zanata-war/src/main/java/org/zanata/security/CheckPermissionDecisionVoter.java

@@ -0,0 +1,89 @@
+/*
+ * Copyright 2014, Red Hat, Inc. and individual contributors as indicated by the
+ * @author tags. See the copyright.txt file in the distribution for a full
+ * listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 2.1 of the License, or (at your option)
+ * any later version.
+ *
+ * This software is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this software; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
+ * site: http://www.fsf.org.
+ */
+package org.zanata.security;
+
+import java.lang.annotation.Annotation;
+import java.util.List;
+import java.util.Set;
+
+import javax.enterprise.context.RequestScoped;
+import javax.inject.Inject;
+import javax.interceptor.InvocationContext;
+
+import org.apache.deltaspike.security.api.authorization.AbstractAccessDecisionVoter;
+import org.apache.deltaspike.security.api.authorization.AccessDecisionVoterContext;
+import org.apache.deltaspike.security.api.authorization.SecurityViolation;
+import org.picketlink.Identity;
+import org.zanata.security.annotations.CheckPermission;
+import org.zanata.security.annotations.PermissionTarget;
+
+import com.google.common.collect.Lists;
+
+/**
+ * @author Carlos Munoz <a
+ *         href="mailto:camunoz@redhat.com">camunoz@redhat.com</a>
+ */
+@RequestScoped
+public class CheckPermissionDecisionVoter extends
+        AbstractAccessDecisionVoter {
+
+    @Inject
+    private Identity identity;
+
+    @Override
+    protected void checkPermission(
+            AccessDecisionVoterContext accessDecisionVoterContext,
+            Set<SecurityViolation> violations) {
+        CheckPermission checkPermission =
+                accessDecisionVoterContext.getMetaDataFor(
+                        CheckPermission.class.getName(), CheckPermission.class);
+        if (checkPermission != null) {
+            String permissionName = checkPermission.value();
+            InvocationContext invocationCtx =
+                    accessDecisionVoterContext.<InvocationContext> getSource();
+            List permissionTargets = getPermissionTargets(invocationCtx);
+            // FIXME Use Zanata's version of identity
+            if (!identity.hasPermission(permissionTargets.toArray(),
+                    permissionName)) {
+                violations.add(newSecurityViolation("You don't have permission to do this"));
+            }
+
+        }
+    }
+
+    private List getPermissionTargets(InvocationContext ctx) {
+        List targets = Lists.newArrayList();
+        Annotation[][] paramAnnotations =
+                ctx.getMethod().getParameterAnnotations();
+        int pos = 0;
+        for (Annotation[] annotsPerParam : paramAnnotations) {
+            for (Annotation paramAnnot : annotsPerParam) {
+                if (paramAnnot instanceof PermissionTarget) {
+                    targets.add(ctx.getParameters()[pos]);
+                    break;
+                }
+            }
+            pos++;
+        }
+        return targets;
+    }
+
+}

zanata-war/src/main/java/org/zanata/security/CheckRoleDecisionVoter.java

@@ -0,0 +1,66 @@
+/*
+ * Copyright 2014, Red Hat, Inc. and individual contributors as indicated by the
+ * @author tags. See the copyright.txt file in the distribution for a full
+ * listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 2.1 of the License, or (at your option)
+ * any later version.
+ *
+ * This software is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this software; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
+ * site: http://www.fsf.org.
+ */
+package org.zanata.security;
+
+import java.util.Set;
+
+import javax.enterprise.context.RequestScoped;
+
+import org.apache.deltaspike.security.api.authorization.AbstractAccessDecisionVoter;
+import org.apache.deltaspike.security.api.authorization.AccessDecisionVoterContext;
+import org.apache.deltaspike.security.api.authorization.SecurityViolation;
+import org.zanata.security.annotations.CheckRole;
+
+/**
+ * @author Carlos Munoz <a href="mailto:camunoz@redhat.com">camunoz@redhat.com</a>
+ */
+@RequestScoped
+public class CheckRoleDecisionVoter extends AbstractAccessDecisionVoter {
+    @Override
+    protected void checkPermission(
+            AccessDecisionVoterContext accessDecisionVoterContext,
+            Set<SecurityViolation> violations) {
+
+        CheckRole hasRole =
+                accessDecisionVoterContext.getMetaDataFor(CheckRole.class.getName(), CheckRole.class);
+        if (hasRole != null) {
+// TODO unify with PicketLink roles
+//            Role role = RoleFactory.createRole(hasRole.value());
+//
+//            SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+//            RoleGroup roleGroup = PicketBoxUtil
+//                    .getRolesFromSubject(sc.getUtil().getSubject());
+//
+//            if (!roleGroup.containsRole(role)) {
+//                violations.add(newSecurityViolation(
+//                        "You don't have the necessary access"));
+//            }
+
+            String role = hasRole.value();
+
+            // FIXME DANGER!! Do an actual role check
+            if (!role.contains("admin")) {
+                violations.add(newSecurityViolation(
+                        "You don't have the necessary access"));
+            }
+        }
+    }
+}

zanata-war/src/main/java/org/zanata/security/annotations/CheckLoggedIn.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2014, Red Hat, Inc. and individual contributors as indicated by the
+ * @author tags. See the copyright.txt file in the distribution for a full
+ * listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 2.1 of the License, or (at your option)
+ * any later version.
+ *
+ * This software is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this software; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
+ * site: http://www.fsf.org.
+ */
+package org.zanata.security.annotations;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import org.apache.deltaspike.security.api.authorization.SecurityBindingType;
+
+/**
+ * @author Carlos Munoz <a href="mailto:camunoz@redhat.com">camunoz@redhat.com</a>
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ElementType.TYPE, ElementType.METHOD})
+@Documented
+@SecurityBindingType
+public @interface CheckLoggedIn {
+}

zanata-war/src/main/java/org/zanata/security/annotations/CheckPermission.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2014, Red Hat, Inc. and individual contributors as indicated by the
+ * @author tags. See the copyright.txt file in the distribution for a full
+ * listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 2.1 of the License, or (at your option)
+ * any later version.
+ *
+ * This software is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this software; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
+ * site: http://www.fsf.org.
+ */
+package org.zanata.security.annotations;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import javax.enterprise.inject.Stereotype;
+
+import org.apache.deltaspike.security.api.authorization.Secured;
+import org.zanata.security.CheckPermissionDecisionVoter;
+
+/**
+ * Annotates methods and checks for the given permissions.
+ * The target of the permission check will be any method parameters annotated
+ * with {@link PermissionTarget}
+ * @author Carlos Munoz <a href="mailto:camunoz@redhat.com">camunoz@redhat.com</a>
+ * @see PermissionTarget
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ ElementType.TYPE, ElementType.METHOD})
+@Documented
+@Stereotype
+@Secured(CheckPermissionDecisionVoter.class)
+public @interface CheckPermission {
+    String value();
+}

zanata-war/src/main/java/org/zanata/security/annotations/CheckRole.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2014, Red Hat, Inc. and individual contributors as indicated by the
+ * @author tags. See the copyright.txt file in the distribution for a full
+ * listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 2.1 of the License, or (at your option)
+ * any later version.
+ *
+ * This software is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this software; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
+ * site: http://www.fsf.org.
+ */
+package org.zanata.security.annotations;
+
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+import javax.enterprise.inject.Stereotype;
+
+import org.apache.deltaspike.security.api.authorization.Secured;
+import org.zanata.security.CheckRoleDecisionVoter;
+
+/**
+ * @author Carlos Munoz <a href="mailto:camunoz@redhat.com">camunoz@redhat.com</a>
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target({ ElementType.TYPE, ElementType.METHOD})
+@Documented
+@Stereotype
+@Secured(CheckRoleDecisionVoter.class)
+public @interface CheckRole {
+    String value();
+}

zanata-war/src/main/java/org/zanata/security/annotations/PermissionTarget.java

@@ -0,0 +1,37 @@
+/*
+ * Copyright 2014, Red Hat, Inc. and individual contributors as indicated by the
+ * @author tags. See the copyright.txt file in the distribution for a full
+ * listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it under the
+ * terms of the GNU Lesser General Public License as published by the Free
+ * Software Foundation; either version 2.1 of the License, or (at your option)
+ * any later version.
+ *
+ * This software is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+ * FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this software; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF
+ * site: http://www.fsf.org.
+ */
+package org.zanata.security.annotations;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Marks a method parameter as a permission target in a permission check.
+ * Works only for methods annotated with {@link CheckPermission}
+ * @author Carlos Munoz <a href="mailto:camunoz@redhat.com">camunoz@redhat.com</a>
+ * @see CheckPermission
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.PARAMETER)
+public @interface PermissionTarget {
+}