From 4a74892f07da41e36bac884888e829c029aacbc7 Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 12 Dec 2024 13:12:01 +0100 Subject: [PATCH 1/5] Created policy data sets for publish operations on properties by users with public role --- .../vedit/controller/BaseEditController.java | 10 --- .../vedit/controller/OperationController.java | 3 - .../template_access_allowed_property.n3 | 72 +++++++++++++++++++ 3 files changed, 72 insertions(+), 13 deletions(-) diff --git a/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java b/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java index 93a27e0e97..2bd19cd68e 100644 --- a/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java +++ b/api/src/main/java/edu/cornell/mannlib/vedit/controller/BaseEditController.java @@ -246,12 +246,6 @@ protected static void addAccessAttributes(HttpServletRequest req, String entityU for (RoleInfo role : roles) { RoleInfo roleCopy = role.clone(); roleInfos.add(roleCopy); - if (isPublicForbiddenOperation(operation)) { - if (roleCopy.isPublic) { - roleCopy.setEnabled(false); - roleCopy.setGranted(false); - } - } } getRolePolicyInformation(entityURI, aot, namedKeys, operation, roleInfos); } @@ -359,10 +353,6 @@ protected static void addNotRelatedPropertySuppressions(HttpServletRequest req, req.setAttribute(PROPERTY_SUPPRESSIONS_NOT_RELATED, propertySuppressionsToRoles); } - static boolean isPublicForbiddenOperation(AccessOperation operation) { - return operation.equals(AccessOperation.PUBLISH); - } - public static class RoleInfo { String uri; String label; diff --git a/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java b/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java index db98ba2a97..e7266b608c 100644 --- a/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java 
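Review bot: With the public-role guard dropped from the role loop in addAccessAttributes (and the matching `continue` dropped from updateEntityPermissions in the OperationController hunk on the next line), whether the public role can be granted PUBLISH is now decided solely by whether a Public* publish data set exists in the access control model. The commit touches only the two controllers and the template under a `firsttime` directory, which presumably is read only on first start, so an already-initialised instance gets the relaxed UI without the data sets; confirm a migration path exists before relying on this (a later patch in this series appears to add one). A one-line comment at the loop would record the new contract: `// Public-role eligibility for PUBLISH is governed by the access data sets, not hard-coded here`.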
+++ b/api/src/main/java/edu/cornell/mannlib/vedit/controller/OperationController.java @@ -244,9 +244,6 @@ private void updateEntityPermissions(HttpServletRequest request, String entityUr String operationGroupName = ao.toString().toLowerCase(); Set selectedRoles = getSelectedRoles(request, operationGroupName); for (RoleInfo role : roles) { - if (role.isPublic() && isPublicForbiddenOperation(ao)) { - continue; - } if (selectedRoles.contains(role.getUri())) { EntityPolicyController.grantAccess(entityUri, aot, ao, role.getUri()); } else { diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_property.n3 index a4f4be4415..9fd8953162 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_property.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_property.n3 
@@ -30,18 +30,22 @@ access:hasDataSet :CuratorDisplayFauxDataPropertyDataSet ; access:hasDataSet :AdminDisplayFauxDataPropertyDataSet ; + access:hasDataSet :PublicPublishObjectPropertyDataSet ; access:hasDataSet :EditorPublishObjectPropertyDataSet ; access:hasDataSet :CuratorPublishObjectPropertyDataSet ; access:hasDataSet :AdminPublishObjectPropertyDataSet ; + access:hasDataSet :PublicPublishDataPropertyDataSet ; access:hasDataSet :EditorPublishDataPropertyDataSet ; access:hasDataSet :CuratorPublishDataPropertyDataSet ; access:hasDataSet :AdminPublishDataPropertyDataSet ; + access:hasDataSet :PublicPublishFauxObjectPropertyDataSet ; access:hasDataSet :EditorPublishFauxObjectPropertyDataSet ; access:hasDataSet :CuratorPublishFauxObjectPropertyDataSet ; access:hasDataSet :AdminPublishFauxObjectPropertyDataSet ; + access:hasDataSet :PublicPublishFauxDataPropertyDataSet ; access:hasDataSet :EditorPublishFauxDataPropertyDataSet ; access:hasDataSet :CuratorPublishFauxDataPropertyDataSet ; access:hasDataSet :AdminPublishFauxDataPropertyDataSet ; 
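Review bot: The new `:PublicPublish*DataSet` entries register publish data sets for the public role alongside the Editor/Curator/Admin ones, but neither this list nor the `### Publish ... data sets` sections in the following hunks say that these sets are evaluated for the public role (presumably requests with no authenticated user), so a maintainer adding a property IRI to a `:PublicPublish*ValueSet` gets no hint of the exposure. A section comment such as `### Public role publish data sets: every value listed here is granted to the public role, keep them minimal` above the first Public* definition would make that explicit. The same applies to the data-set, key and value-set hunks that follow in this file.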
@@ -1583,6 +1587,19 @@ ### Publish object property data sets +:PublicPublishObjectPropertyDataSet a access:DataSet ; + access:hasDataSetKey :PublicPublishObjectPropertyDataSetKey ; + access:hasRelatedValueSet access-individual:PublicRoleValueSet ; + access:hasRelatedValueSet access-individual:ObjectPropertyValueSet ; + access:hasRelatedValueSet access-individual:ObjectPropertyStatementValueSet ; + access:hasRelatedValueSet access-individual:PublishOperationValueSet ; + access:hasRelatedValueSet :PublicPublishObjectPropertyValueSet . + +:PublicPublishObjectPropertyDataSetKey a access:DataSetKey ; + access:hasKeyComponent access-individual:ObjectProperty ; + access:hasKeyComponent access-individual:PublicRoleUri ; + access:hasKeyComponent access-individual:PublishOperation . + :EditorPublishObjectPropertyDataSet a access:DataSet ; access:hasDataSetKey :EditorPublishObjectPropertyDataSetKey ; access:hasRelatedValueSet access-individual:EditorRoleValueSet ; @@ -1624,6 +1641,19 @@ ### Publish data property data sets +:PublicPublishDataPropertyDataSet a access:DataSet ; + access:hasDataSetKey :PublicPublishDataPropertyDataSetKey ; + access:hasRelatedValueSet access-individual:PublicRoleValueSet ; + access:hasRelatedValueSet access-individual:DataPropertyValueSet ; + access:hasRelatedValueSet access-individual:DataPropertyStatementValueSet ; + access:hasRelatedValueSet access-individual:PublishOperationValueSet ; + access:hasRelatedValueSet :PublicPublishDataPropertyValueSet . + +:PublicPublishDataPropertyDataSetKey a access:DataSetKey ; + access:hasKeyComponent access-individual:DataProperty ; + access:hasKeyComponent access-individual:PublicRoleUri ; + access:hasKeyComponent access-individual:PublishOperation . + :EditorPublishDataPropertyDataSet a access:DataSet ; access:hasDataSetKey :EditorPublishDataPropertyDataSetKey ; access:hasRelatedValueSet access-individual:EditorRoleValueSet ; 
@@ -1665,6 +1695,19 @@ ### Publish faux object property data sets +:PublicPublishFauxObjectPropertyDataSet a access:DataSet ; + access:hasDataSetKey :PublicPublishFauxObjectPropertyDataSetKey ; + access:hasRelatedValueSet access-individual:PublicRoleValueSet ; + access:hasRelatedValueSet access-individual:FauxObjectPropertyValueSet ; + access:hasRelatedValueSet access-individual:FauxObjectPropertyStatementValueSet ; + access:hasRelatedValueSet access-individual:PublishOperationValueSet ; + access:hasRelatedValueSet :PublicPublishFauxObjectPropertyValueSet . + +:PublicPublishFauxObjectPropertyDataSetKey a access:DataSetKey ; + access:hasKeyComponent access-individual:FauxObjectProperty ; + access:hasKeyComponent access-individual:PublicRoleUri ; + access:hasKeyComponent access-individual:PublishOperation . + :EditorPublishFauxObjectPropertyDataSet a access:DataSet ; access:hasDataSetKey :EditorPublishFauxObjectPropertyDataSetKey ; access:hasRelatedValueSet access-individual:EditorRoleValueSet ; @@ -1706,6 +1749,19 @@ ### Publish faux data property data sets +:PublicPublishFauxDataPropertyDataSet a access:DataSet ; + access:hasDataSetKey :PublicPublishFauxDataPropertyDataSetKey ; + access:hasRelatedValueSet access-individual:PublicRoleValueSet ; + access:hasRelatedValueSet access-individual:FauxDataPropertyValueSet ; + access:hasRelatedValueSet access-individual:FauxDataPropertyStatementValueSet ; + access:hasRelatedValueSet access-individual:PublishOperationValueSet ; + access:hasRelatedValueSet :PublicPublishFauxDataPropertyValueSet . + +:PublicPublishFauxDataPropertyDataSetKey a access:DataSetKey ; + access:hasKeyComponent access-individual:FauxDataProperty ; + access:hasKeyComponent access-individual:PublicRoleUri ; + access:hasKeyComponent access-individual:PublishOperation . + :EditorPublishFauxDataPropertyDataSet a access:DataSet ; access:hasDataSetKey :EditorPublishFauxDataPropertyDataSetKey ; access:hasRelatedValueSet access-individual:EditorRoleValueSet ; 
@@ -1817,18 +1873,22 @@ access:values :CuratorDisplayFauxDataPropertyValueSet ; access:values :AdminDisplayFauxDataPropertyValueSet ; + access:values :PublicPublishObjectPropertyValueSet ; access:values :EditorPublishObjectPropertyValueSet ; access:values :CuratorPublishObjectPropertyValueSet ; access:values :AdminPublishObjectPropertyValueSet ; + access:values :PublicPublishDataPropertyValueSet ; access:values :EditorPublishDataPropertyValueSet ; access:values :CuratorPublishDataPropertyValueSet ; access:values :AdminPublishDataPropertyValueSet ; + access:values :PublicPublishFauxObjectPropertyValueSet ; access:values :EditorPublishFauxObjectPropertyValueSet ; access:values :CuratorPublishFauxObjectPropertyValueSet ; access:values :AdminPublishFauxObjectPropertyValueSet ; + access:values :PublicPublishFauxDataPropertyValueSet ; access:values :EditorPublishFauxDataPropertyValueSet ; access:values :CuratorPublishFauxDataPropertyValueSet ; access:values :AdminPublishFauxDataPropertyValueSet ; 
@@ -1917,18 +1977,22 @@ access:values :CuratorDisplayFauxDataPropertyValueSet ; access:values :AdminDisplayFauxDataPropertyValueSet ; + access:values :PublicPublishObjectPropertyValueSet ; access:values :EditorPublishObjectPropertyValueSet ; access:values :CuratorPublishObjectPropertyValueSet ; access:values :AdminPublishObjectPropertyValueSet ; + access:values :PublicPublishDataPropertyValueSet ; access:values :EditorPublishDataPropertyValueSet ; access:values :CuratorPublishDataPropertyValueSet ; access:values :AdminPublishDataPropertyValueSet ; + access:values :PublicPublishFauxObjectPropertyValueSet ; access:values :EditorPublishFauxObjectPropertyValueSet ; access:values :CuratorPublishFauxObjectPropertyValueSet ; access:values :AdminPublishFauxObjectPropertyValueSet ; + access:values :PublicPublishFauxDataPropertyValueSet ; access:values :EditorPublishFauxDataPropertyValueSet ; access:values :CuratorPublishFauxDataPropertyValueSet ; access:values :AdminPublishFauxDataPropertyValueSet ; @@ -2139,6 +2203,8 @@ :AdminDisplayFauxDataPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:FauxDataProperty . +:PublicPublishObjectPropertyValueSet a access:ValueSet ; + access:containsElementsOfType access-individual:ObjectProperty . :EditorPublishObjectPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:ObjectProperty . :CuratorPublishObjectPropertyValueSet a access:ValueSet ; @@ -2146,6 +2212,8 @@ :AdminPublishObjectPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:ObjectProperty . +:PublicPublishDataPropertyValueSet a access:ValueSet ; + access:containsElementsOfType access-individual:DataProperty . :EditorPublishDataPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:DataProperty . :CuratorPublishDataPropertyValueSet a access:ValueSet ; 
@@ -2153,6 +2221,8 @@ :AdminPublishDataPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:DataProperty . +:PublicPublishFauxObjectPropertyValueSet a access:ValueSet ; + access:containsElementsOfType access-individual:FauxObjectProperty . :EditorPublishFauxObjectPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:FauxObjectProperty . :CuratorPublishFauxObjectPropertyValueSet a access:ValueSet ; @@ -2160,6 +2230,8 @@ :AdminPublishFauxObjectPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:FauxObjectProperty . +:PublicPublishFauxDataPropertyValueSet a access:ValueSet ; + access:containsElementsOfType access-individual:FauxDataProperty . :EditorPublishFauxDataPropertyValueSet a access:ValueSet ; access:containsElementsOfType access-individual:FauxDataProperty . :CuratorPublishFauxDataPropertyValueSet a access:ValueSet ; From 98b1397f384dc8b03c921d36aa85d9288da45aad Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 12 Dec 2024 13:39:48 +0100 Subject: [PATCH 2/5] Fixed authorization migration --- .../webapp/migration/auth/AnnotationMigrator.java | 5 +---- .../vitro/webapp/migration/auth/AuthMigrator.java | 10 +++++++--- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigrator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigrator.java index e4cea2785c..6f420f3a19 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigrator.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigrator.java 
@@ -191,10 +191,7 @@ private static Long[] updatePolicyDatasets(AccessObjectType aot, EntityPolicyController.getDataValueStatements(entityUri, aot, ao, rolesToAdd, additions); Set rolesToRemove = new HashSet<>(ALL_ROLES); rolesToRemove.removeAll(rolesToAdd); - // Don't remove public publish and update data sets, as there are no public policies for that - // operation - // groups - if (OperationGroup.PUBLISH_GROUP.equals(og) || OperationGroup.UPDATE_GROUP.equals(og)) { + if (OperationGroup.UPDATE_GROUP.equals(og)) { rolesToRemove.remove(ROLE_PUBLIC_URI); } if (!rolesToRemove.isEmpty()) { diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java index 4deda945a4..f41923ea41 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java @@ -32,6 +32,7 @@ public class AuthMigrator implements ServletContextListener { + private static final long CURRENT_VERSION = 2; private static final Log log = LogFactory.getLog(AuthMigrator.class); protected static final Set ALL_ROLES = new HashSet( Arrays.asList(ROLE_ADMIN_URI, ROLE_CURATOR_URI, ROLE_EDITOR_URI, ROLE_SELF_EDITOR_URI, ROLE_PUBLIC_URI)); @@ -72,6 +73,10 @@ public void contextInitialized(ServletContextEvent sce) { if (!isMigrationRequired()) { return; } + runCompleteMigration(sce, begin); + } + + private void runCompleteMigration(ServletContextEvent sce, long begin) { ServletContext ctx = sce.getServletContext(); StartupStatus ss = StartupStatus.getBean(ctx); log.info("Started authorization configuration update"); @@ -97,7 +102,7 @@ protected void convertAuthorizationConfiguration() { } migrateSimplePermissions(); removeVersion(getVersion()); - setVersion(1L); + setVersion(CURRENT_VERSION); } private void migrateSimplePermissions() { 
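Review bot: Removing the three-line comment together with the PUBLISH_GROUP condition leaves the surviving `if (OperationGroup.UPDATE_GROUP.equals(og))` branch unexplained; the removed comment carried the reason (no public data sets exist for that group, so there is nothing to remove). Keep a trimmed version on the new line: `// No public data sets exist for the update operation group, so never try to remove the public role from them`. The enclosing updatePolicyDatasets continues outside the hunk.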
@@ -112,7 +117,7 @@ private void migrateAnnotationConfiguation() { } private boolean isMigrationRequired() { - if (getVersion() == 0L) { + if (getVersion() < 1) { return true; } return false; @@ -120,7 +125,6 @@ private boolean isMigrationRequired() { protected long getVersion() { long version = 0L; - try { ResultSet rs = RDFServiceUtils.sparqlSelectQuery(VERSION_QUERY, configurationRdfService); while (rs.hasNext()) { From c59b4e0c4fd1e7c25ba7716bed39890841f2108a Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Mon, 16 Dec 2024 16:36:33 +0100 Subject: [PATCH 3/5] Migration fixes, added migration from configuration version 1 to version 2. Added public publish policy dataset. --- .../migration/auth/AnnotationMigrator.java | 62 ++++++++++++++++++- .../webapp/migration/auth/AuthMigrator.java | 28 ++++++++- .../template_access_allowed_class.n3 | 19 ++++++ 3 files changed, 106 insertions(+), 3 deletions(-) diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigrator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigrator.java index 6f420f3a19..25608560e7 100644 --- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigrator.java +++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AnnotationMigrator.java 
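Review bot: `getVersion() < 1` is inconsistent with the `CURRENT_VERSION = 2` constant introduced in the AuthMigrator hunk above: an installation already stamped at version 1 by the previous code is never migrated to 2, while a fresh run writes 2 via `setVersion(CURRENT_VERSION)`. The check should compare against the same constant, and the if/return pair collapses to `return getVersion() < CURRENT_VERSION;` (a later patch in this series changes the comparison but keeps the if/return shape).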
@@ -1,5 +1,11 @@ package edu.cornell.mannlib.vitro.webapp.migration.auth; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.CLASS; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.DATA_PROPERTY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.FAUX_DATA_PROPERTY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.FAUX_OBJECT_PROPERTY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.OBJECT_PROPERTY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.OperationGroup.PUBLISH_GROUP; import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.ROLE_ADMIN_URI; import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.ROLE_CURATOR_URI; import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.ROLE_EDITOR_URI; 
@@ -89,6 +95,34 @@ protected void migrateConfiguration() { PolicyLoader.getInstance().loadPolicies(); } + protected void updatePublicPublishPermissions() { + Set group = Collections.singleton(PUBLISH_GROUP); + Set role = Collections.singleton(ROLE_PUBLIC_URI); + + log.info("Started annotation configuration conversion"); + Map>> opConfigs = getObjectPropertyAnnotations(); + log.info(String.format("Found %s object property annotation configurations", opConfigs.size())); + Map>> dpConfigs = getDataPropertyAnnotations(); + log.info(String.format("Found %s data property annotation configurations", dpConfigs.size())); + Map>> classConfigs = getClassAnnotations(); + log.info(String.format("Found %s class annotation configurations", classConfigs.size())); + Map>> fopConfigs = getFauxObjectPropertyAnnotations(opConfigs.keySet()); + log.info(String.format("Found %s faux object property annotation configurations", fopConfigs.size())); + Map>> fdpConfigs = getFauxDataPropertyAnnotations(dpConfigs.keySet()); + log.info(String.format("Found %s faux data property annotation configurations", fdpConfigs.size())); + + Long values = updatePolicyDatasets(OBJECT_PROPERTY, group, role, opConfigs); + log.info(String.format("Added %d values in object property datasets.", values)); + values = updatePolicyDatasets(DATA_PROPERTY, group, role, dpConfigs); + log.info(String.format("Added %d values in data property datasets.", values)); + values = updatePolicyDatasets(CLASS, group, role, classConfigs); + log.info(String.format("Added %d values in class property datasets.", values)); + values = updatePolicyDatasets(FAUX_OBJECT_PROPERTY, group, role, fopConfigs); + log.info(String.format("Added %d values in faux object property datasets.", values)); + values = updatePolicyDatasets(FAUX_DATA_PROPERTY, group, role, fdpConfigs); + log.info(String.format("Added %d values in faux data property datasets.", values)); + } + protected Map>> getFauxDataPropertyAnnotations(Set dataProperties) { String 
queryText = getAnnotationQuery(fauxTypeSpecificPatterns); return getFauxConfigurations(queryText, configurationRdfService, dataProperties); @@ -162,7 +196,6 @@ private void collectConfiguration(Map>> String publishAnnotation = qs.getResource("publish").getURI(); Set publishRoles = new HashSet<>(showMap.get(publishAnnotation)); - publishRoles.remove(ROLE_PUBLIC_URI); String updateAnnotation = qs.getResource("update").getURI(); Set updateRoles = new HashSet<>(showMap.get(updateAnnotation)); @@ -210,6 +243,33 @@ private static Long[] updatePolicyDatasets(AccessObjectType aot, return new Long[] { getLineCount(additions.toString()), getLineCount(removals.toString()) }; } + + private static long updatePolicyDatasets(AccessObjectType aot, Set ogs, Set roles, + Map>> configs) { + StringBuilder additions = new StringBuilder(); + for (String entityUri : configs.keySet()) { + Map> groupMap = configs.get(entityUri); + Set currentOperationGroups = new HashSet(groupMap.keySet()); + currentOperationGroups.retainAll(ogs); + for (OperationGroup og : currentOperationGroups) { + for (AccessOperation ao : OperationGroup.getOperations(og)) { + Set rolesToAdd = new HashSet(groupMap.get(og)); + rolesToAdd.retainAll(roles); + if (!rolesToAdd.isEmpty()) { + log.info(String.format("Granted access to %s %s %s for roles %s", ao, aot, entityUri, + rolesToString(rolesToAdd))); + } + EntityPolicyController.getDataValueStatements(entityUri, aot, ao, rolesToAdd, additions); + log.debug(String.format( + "Updated entity %s dataset for operation group %s access object type %s roles %s", + entityUri, og, aot, rolesToAdd)); + } + } + } + PolicyLoader.getInstance().updateAccessControlModel(additions.toString(), true); + return getLineCount(additions.toString()); + } + private static Object rolesToString(Set roles) { String result = ""; for (String roleUri : roles) { 
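Review bot: The first log line in updatePublicPublishPermissions, `log.info("Started annotation configuration conversion");`, does not describe what the method does — it only grants PUBLISH to the public role from the annotation levels and never removes anything — so the startup log reads as if the full conversion ran again; `log.info("Started public role publish permission update from annotation configuration");` would be accurate. The message `"Added %d values in class property datasets."` should read `"Added %d values in class datasets."`, and `Long values` can be a primitive `long` since updatePolicyDatasets returns `long`. A Javadoc summary saying that the method is additive only (and therefore safe to re-run, if updateAccessControlModel indeed only adds — not visible here) would help whoever next touches the migration. The hunk starts on the previous line.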
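Review bot: Dropping `publishRoles.remove(ROLE_PUBLIC_URI)` in collectConfiguration is the point where the legacy `publish` annotation level first starts to grant the public role, and nothing at the site records that this is deliberate. A comment on the `Set publishRoles` line, `// The public role is a valid publish role now that public publish data sets exist`, would stop the next reader from restoring the filter. collectConfiguration starts and ends outside the hunk.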
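Review bot: The new `updatePolicyDatasets(AccessObjectType, Set, Set, Map)` overloads the existing name with a different return type (`long` versus `Long[]`) and different semantics (add-only versus add-and-remove), which makes call sites hard to read; a distinct name such as `addPolicyDatasetValues` would avoid that. Inside the loop, `getDataValueStatements` and the debug log run even when `rolesToAdd` is empty; an early `if (rolesToAdd.isEmpty()) { continue; }` before the grant log removes the no-op calls and the misleading "roles []" debug lines. Iterating `configs.entrySet()` instead of `keySet()` plus `get` avoids the second lookup.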
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java
index f41923ea41..9697d3cf98 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java
@@ -73,7 +73,30 @@ public void contextInitialized(ServletContextEvent sce) {
 if (!isMigrationRequired()) {
 return;
 }
- runCompleteMigration(sce, begin);
+ long currentVersion = getVersion();
+ if (currentVersion == 0) {
+ runCompleteMigration(sce, begin);
+ } else if (currentVersion == 1) {
+ migratePublishPublicPermissions(sce, begin);
+ }
+ }
+
+ private void migratePublishPublicPermissions(ServletContextEvent sce, long begin) {
+ ServletContext ctx = sce.getServletContext();
+ StartupStatus ss = StartupStatus.getBean(ctx);
+ log.info("Started publish permissions authorization reconfiguration for public role");
+ convertPublicPublishPermissions();
+ ss.info(this, secondsSince(begin) + " seconds spent to reconfigure publish permissions for public role");
+ removeVersion(getVersion());
+ setVersion(CURRENT_VERSION);
+ log.info(String.format("Updated access control configuration to version %d", CURRENT_VERSION));
+ PolicyLoader.getInstance().loadPolicies();
+ log.info("Reloaded all policies after migration");
+ }
+
+ private void convertPublicPublishPermissions() {
+ AnnotationMigrator annotationMigrator = new AnnotationMigrator(contentRdfService, configurationRdfService);
+ annotationMigrator.updatePublicPublishPermissions();
 }

 private void runCompleteMigration(ServletContextEvent sce, long begin) {
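Review bot: The version dispatch in contextInitialized handles only `currentVersion == 0` and `currentVersion == 1`; since isMigrationRequired has already returned true, any other value (a negative or otherwise unexpected stored version) silently skips migration and the access control configuration stays out of date with no trace in the log. Add `} else { log.warn(String.format("Unexpected access control configuration version %d, migration skipped", currentVersion)); }`. migratePublishPublicPermissions also deserves a Javadoc line saying it is the version 1 to 2 step and only adds public-role publish grants, so that nobody wires it to other version pairs.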
@@ -103,6 +126,7 @@ protected void convertAuthorizationConfiguration() { migrateSimplePermissions(); removeVersion(getVersion()); setVersion(CURRENT_VERSION); + log.info(String.format("Updated access control configuration to version %d", CURRENT_VERSION)); } private void migrateSimplePermissions() { @@ -117,7 +141,7 @@ private void migrateAnnotationConfiguation() { } private boolean isMigrationRequired() { - if (getVersion() < 1) { + if (getVersion() < CURRENT_VERSION) { return true; } return false; diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_class.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_class.n3 index d35a71c5f8..adaa110ac8 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_class.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_class.n3 @@ -20,6 +20,7 @@ access:hasDataSet :CuratorUpdateClassDataSet ; access:hasDataSet :AdminUpdateClassDataSet ; + access:hasDataSet :PublicPublishClassDataSet ; access:hasDataSet :SelfEditorPublishClassDataSet ; access:hasDataSet :EditorPublishClassDataSet ; access:hasDataSet :CuratorPublishClassDataSet ; 
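Review bot: isMigrationRequired still wraps a boolean in if/return true/return false; the whole body is `return getVersion() < CURRENT_VERSION;`. The version is also re-read from the store in contextInitialized right after this check, so the two reads can disagree if the configuration model changes between them — passing the version in, or reading it once, would make the decision single-sourced (the last patch in this series says it addresses the repeated calls, but its hunk is not visible here).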
@@ -251,6 +252,20 @@ access:hasKeyComponent access-individual:AdminRoleUri ; access:hasKeyComponent access-individual:UpdateOperation . +### Public publish class uri data sets + +:PublicPublishClassDataSet a access:DataSet ; + access:hasDataSetKey :PublicPublishClassDataSetKey ; + access:hasRelatedValueSet access-individual:PublicRoleValueSet ; + access:hasRelatedValueSet access-individual:ClassValueSet ; + access:hasRelatedValueSet access-individual:PublishOperationValueSet ; + access:hasRelatedValueSet :PublicPublishClassValueSet . + +:PublicPublishClassDataSetKey a access:DataSetKey ; + access:hasKeyComponent access-individual:Class ; + access:hasKeyComponent access-individual:PublicRoleUri ; + access:hasKeyComponent access-individual:PublishOperation . + ### Self editor publish class uri data sets :SelfEditorPublishClassDataSet a access:DataSet ; @@ -348,6 +363,7 @@ access:values :EditorPublishClassValueSet ; access:values :EditorDisplayClassValueSet ; access:values :EditorUpdateClassValueSet ; + access:values :PublicPublishClassValueSet ; access:values :SelfEditorPublishClassValueSet ; access:values :SelfEditorDisplayClassValueSet ; access:values :SelfEditorUpdateClassValueSet ; @@ -382,6 +398,9 @@ :EditorUpdateClassValueSet a access:ValueSet ; access:containsElementsOfType access-individual:Class . +:PublicPublishClassValueSet a access:ValueSet ; + access:containsElementsOfType access-individual:Class . + :SelfEditorPublishClassValueSet a access:ValueSet ; access:containsElementsOfType access-individual:Class . From 5e64d88e138d9417bb8fea74b91f49b453da96ab Mon Sep 17 00:00:00 2001 
From: Georgy Litvinov Date: Fri, 14 Feb 2025 11:08:18 +0100 Subject: [PATCH 4/5] allowed access to rdfs:label and rdf:type properties --- .../allowed_entities_admin_publish_object_property.n3 | 7 +++++++ ...llowed_entities_curator_publish_object_property.n3 | 7 +++++++ ...allowed_entities_editor_publish_object_property.n3 | 7 +++++++ .../allowed_entities_public_publish_data_property.n3 | 7 +++++++ ...allowed_entities_public_publish_object_property.n3 | 7 +++++++ ...ed_entities_self_editor_publish_object_property.n3 | 7 +++++++ .../firsttime/template_access_allowed_property.n3 | 11 +++++------ 7 files changed, 47 insertions(+), 6 deletions(-) create mode 100644 home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_publish_object_property.n3 create mode 100644 home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_publish_object_property.n3 create mode 100644 home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_publish_object_property.n3 create mode 100644 home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_public_publish_data_property.n3 create mode 100644 home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_public_publish_object_property.n3 create mode 100644 home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_publish_object_property.n3 diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_publish_object_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_publish_object_property.n3 new file mode 100644 index 0000000000..574f606589 --- /dev/null +++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_admin_publish_object_property.n3 @@ -0,0 +1,7 @@ +# $This file is distributed under the terms of the license in LICENSE$ + +@prefix access: . +@prefix : . + +:AdminPublishObjectPropertyValueSet access:value + . 
diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_publish_object_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_publish_object_property.n3 new file mode 100644 index 0000000000..46bf17179e --- /dev/null +++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_curator_publish_object_property.n3 @@ -0,0 +1,7 @@ +# $This file is distributed under the terms of the license in LICENSE$ + +@prefix : . +@prefix access: . + +:CuratorPublishObjectPropertyValueSet access:value + . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_publish_object_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_publish_object_property.n3 new file mode 100644 index 0000000000..e11bfca352 --- /dev/null +++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_editor_publish_object_property.n3 @@ -0,0 +1,7 @@ +# $This file is distributed under the terms of the license in LICENSE$ + +@prefix : . +@prefix access: . + +:EditorPublishObjectPropertyValueSet access:value + . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_public_publish_data_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_public_publish_data_property.n3 new file mode 100644 index 0000000000..c426a19ae3 --- /dev/null +++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_public_publish_data_property.n3 @@ -0,0 +1,7 @@ +# $This file is distributed under the terms of the license in LICENSE$ + +@prefix : . +@prefix access: . + +:PublicPublishDataPropertyValueSet access:value + . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_public_publish_object_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_public_publish_object_property.n3 new file mode 100644 index 0000000000..868a6dac4e --- /dev/null 
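Review bot: This file seeds `:PublicPublishDataPropertyValueSet` with a property IRI (not legible on this page; the commit subject names rdfs:label and rdf:type) that will be granted to the public role for PUBLISH, yet carries no comment on why it is safe to expose or that every IRI added here widens what the public role can publish. A header comment after the license line, `# Values granted to the public role for the publish operation; every IRI added here is exposed to the public role, keep the list minimal`, would carry that. The same holds for the public object property file in the next hunk; the prefix declaration order also differs from the admin file above (`access:` first there), which is cosmetic but worth aligning.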
+++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_public_publish_object_property.n3 @@ -0,0 +1,7 @@ +# $This file is distributed under the terms of the license in LICENSE$ + +@prefix : . +@prefix access: . + +:PublicPublishObjectPropertyValueSet access:value + . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_publish_object_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_publish_object_property.n3 new file mode 100644 index 0000000000..73c7e79fe1 --- /dev/null +++ b/home/src/main/resources/rdf/accessControl/firsttime/allowed_entities_self_editor_publish_object_property.n3 @@ -0,0 +1,7 @@ +# $This file is distributed under the terms of the license in LICENSE$ + +@prefix : . +@prefix access: . + +:SelfEditorPublishObjectPropertyValueSet access:value + . diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_property.n3 index 9fd8953162..1994413319 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_property.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_access_allowed_property.n3 @@ -164,7 +164,6 @@ :RoleDisplayObjectPropertyEntityValueSetTemplate a access:ValueSetTemplate ; access:relatedCheck :AccessObjectUriContainsInDataSet ; access:relatedCheck :StatementPredicateEquals ; - access:value rdfs:label ; access:containsElementsOfType access-individual:ObjectProperty . #Role PublishObjectProperty data set template @@ -193,7 +192,7 @@ :RolePublishObjectPropertyEntityValueSetTemplate a access:ValueSetTemplate ; access:relatedCheck :AccessObjectUriContainsInDataSet ; access:relatedCheck :StatementPredicateEquals ; - access:value rdfs:label ; + access:value ; access:containsElementsOfType access-individual:ObjectProperty . #Role AddObjectProperty data set template 
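Review bot: Removing `access:value rdfs:label ;` from the DisplayObjectProperty and PublishObjectProperty entity value-set templates (and from the Add/Drop/Edit ones in the next hunks) changes which statements those templates allow by default, and nothing in the commit explains that rdfs:label was presumably misplaced in templates whose `containsElementsOfType` is `access-individual:ObjectProperty`; the replacement IRI on the PublishObjectProperty line is not legible on this page. A short comment above the template, `# rdfs:label is a data property; its default access is set in the *DataProperty templates below`, would make the move traceable, and the commit description should state which IRIs are now granted by default.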
@@ -222,7 +221,6 @@
 :RoleAddObjectPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
 access:relatedCheck :AccessObjectUriContainsInDataSet ;
 access:relatedCheck :StatementPredicateEquals ;
- access:value rdfs:label ;
 access:containsElementsOfType access-individual:ObjectProperty .

 #Role DropObjectProperty data set template
@@ -251,7 +249,6 @@
 :RoleDropObjectPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
 access:relatedCheck :AccessObjectUriContainsInDataSet ;
 access:relatedCheck :StatementPredicateEquals ;
- access:value rdfs:label ;
 access:containsElementsOfType access-individual:ObjectProperty .

 #Role EditObjectProperty data set template
@@ -280,7 +277,6 @@
 :RoleEditObjectPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
 access:relatedCheck :AccessObjectUriContainsInDataSet ;
 access:relatedCheck :StatementPredicateEquals ;
- access:value rdfs:label ;
 access:containsElementsOfType access-individual:ObjectProperty .

 #Role DisplayDataProperty data set template
@@ -310,6 +306,9 @@
 access:relatedCheck :AccessObjectUriContainsInDataSet ;
 access:relatedCheck :StatementPredicateEquals ;
 # access:value access-individual:defaultUri ;
+ access:value ;
+ access:value ;
+ access:value ;
 access:containsElementsOfType access-individual:DataProperty .

 #Role PublishDataProperty data set template
@@ -338,7 +337,7 @@
 :RolePublishDataPropertyEntityValueSetTemplate a access:ValueSetTemplate ;
 access:relatedCheck :AccessObjectUriContainsInDataSet ;
 access:relatedCheck :StatementPredicateEquals ;
-# access:value access-individual:defaultUri ;
+ access:value ;
 access:containsElementsOfType access-individual:DataProperty .

 #Role AddDataProperty data set template
From 6043533fb79fe24a82979a03da7fa9c703f0a996 Mon Sep 17 00:00:00 2001
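Review bot: The `@@ -310,6 +306,9 @@` hunk keeps the commented-out `# access:value access-individual:defaultUri ;` line beside the three `access:value` triples it adds, while the `@@ -338,7 +337,7 @@` hunk replaces the equivalent commented line, so one template carries dead configuration and the other does not; drop the line or annotate why it stays. The objects of the added `access:value` triples are not visible in this rendering, so which properties become default members of the display and publish data-property sets cannot be reviewed here and should be checked against the rendered file. The object-property templates at `-164`, `-222`, `-251` and `-280` drop `access:value rdfs:label` outright while the publish template at `-193` substitutes a value, and a short comment above the publish template explaining why only the publish sets keep a seeded member would spare the next reader that question.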
From: Georgy Litvinov
Date: Thu, 20 Feb 2025 15:56:07 +0100
Subject: [PATCH 5/5] refactored AuthMigrator to avoid multiple getVersion calls
---
 .../webapp/migration/auth/AuthMigrator.java | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java
index 9697d3cf98..0cb366fa70 100644
--- a/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java
+++ b/api/src/main/java/edu/cornell/mannlib/vitro/webapp/migration/auth/AuthMigrator.java
@@ -70,24 +70,24 @@ public void contextInitialized(ServletContextEvent sce) {
 modelAccess = ModelAccess.getInstance();
 initialize(modelAccess.getRDFService(WhichService.CONTENT), modelAccess.getRDFService(WhichService.CONFIGURATION));
- if (!isMigrationRequired()) {
+ long version = getVersion();
+ if (!isMigrationRequired(version)) {
 return;
 }
- long currentVersion = getVersion();
- if (currentVersion == 0) {
- runCompleteMigration(sce, begin);
- } else if (currentVersion == 1) {
- migratePublishPublicPermissions(sce, begin);
+ if (version == 0) {
+ runCompleteMigration(sce, begin, version);
+ } else if (version == 1) {
+ migratePublishPublicPermissions(sce, begin, version);
 }
 }

- private void migratePublishPublicPermissions(ServletContextEvent sce, long begin) {
+ private void migratePublishPublicPermissions(ServletContextEvent sce, long begin, long version) {
 ServletContext ctx = sce.getServletContext();
 StartupStatus ss = StartupStatus.getBean(ctx);
 log.info("Started publish permissions authorization reconfiguration for public role");
 convertPublicPublishPermissions();
 ss.info(this, secondsSince(begin) + " seconds spent to reconfigure publish permissions for public role");
- removeVersion(getVersion());
+ removeVersion(version);
 setVersion(CURRENT_VERSION);
 log.info(String.format("Updated access control configuration to version %d", CURRENT_VERSION));
 PolicyLoader.getInstance().loadPolicies();
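Review bot: A `version` that is below `CURRENT_VERSION` but neither 0 nor 1 (possible as soon as `CURRENT_VERSION` grows past the two handled cases) falls through the `if`/`else if` in `contextInitialized` with no migration and no log line, so the access-control configuration would silently stay on an old version; an `else` branch such as `} else { log.warn(String.format("Access control configuration version %d requires migration but no migration path is defined", version)); }` makes the gap visible at startup. Reading `getVersion()` once is an improvement, but `migratePublishPublicPermissions` then calls `removeVersion(version)` followed by `setVersion(CURRENT_VERSION)`, which presumably assumes nothing else wrote a version between the read and the removal; a comment stating that the migrator runs once during context initialisation would document that assumption. The `contextInitialized` method starts before the hunk, where `begin` is declared.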
@@ -99,11 +99,11 @@ private void convertPublicPublishPermissions() {
 annotationMigrator.updatePublicPublishPermissions();
 }

- private void runCompleteMigration(ServletContextEvent sce, long begin) {
+ private void runCompleteMigration(ServletContextEvent sce, long begin, long version) {
 ServletContext ctx = sce.getServletContext();
 StartupStatus ss = StartupStatus.getBean(ctx);
 log.info("Started authorization configuration update");
- convertAuthorizationConfiguration();
+ convertAuthorizationConfiguration(version);
 log.info("Finished authorization configuration update");
 ss.info(this, secondsSince(begin) + " seconds to migrate auth models");
 log.info("Reload all policies after migration");
@@ -115,7 +115,7 @@ protected void initialize(RDFService content, RDFService configuration) {
 configurationRdfService = configuration;
 }

- protected void convertAuthorizationConfiguration() {
+ protected void convertAuthorizationConfiguration(long version) {
 OntModel userAccountsModel = modelAccess.getOntModelSelector().getUserAccountsModel();
 ArmMigrator armMigrator = new ArmMigrator(contentRdfService, configurationRdfService, userAccountsModel);
 if (armMigrator.isArmConfiguation()) {
@@ -124,7 +124,7 @@ protected void convertAuthorizationConfiguration() {
 migrateAnnotationConfiguation();
 }
 migrateSimplePermissions();
- removeVersion(getVersion());
+ removeVersion(version);
 setVersion(CURRENT_VERSION);
 log.info(String.format("Updated access control configuration to version %d", CURRENT_VERSION));
 }
@@ -140,8 +140,8 @@ private void migrateAnnotationConfiguation() {
 annotationMigrator.migrateConfiguration();
 }

- private boolean isMigrationRequired() {
- if (getVersion() < CURRENT_VERSION) {
+ private boolean isMigrationRequired(long version) {
+ if (version < CURRENT_VERSION) {
 return true;
 }
 return false;
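Review bot: `isMigrationRequired` in the `@@ -140,8 +140,8 @@` hunk spells the comparison out as `if (version < CURRENT_VERSION) { return true; } return false;`, which reads more directly as `return version < CURRENT_VERSION;`. `convertAuthorizationConfiguration` in the `@@ -115,7 +115,7 @@` hunk is `protected` and now trusts its `version` argument for `removeVersion(version)`; if an override or another caller passes a value other than the stored one, the stored version triple presumably survives next to the one `setVersion(CURRENT_VERSION)` writes, so a Javadoc line `@param version the access control configuration version read at startup; must be the value currently stored` would pin that contract.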