hydra-access-controls 0.0.2 → 0.0.3

data/lib/hydra/datastream.rb

@@ -2,5 +2,6 @@ module Hydra
   module Datastream
     extend ActiveSupport::Autoload
     autoload :RightsMetadata
+    autoload :InheritableRightsMetadata
   end
 end

data/lib/hydra/datastream/inheritable_rights_metadata.rb

@@ -0,0 +1,22 @@
+require 'active_support/core_ext/string'
+module Hydra
+  module Datastream
+    # Implements Hydra RightsMetadata XML terminology for asserting access permissions
+    class InheritableRightsMetadata < Hydra::Datastream::RightsMetadata    
+  
+      @terminology = Hydra::Datastream::RightsMetadata.terminology
+  
+      def to_solr(solr_doc=Hash.new)
+        solr_doc["inheritable_access_t"] = access.machine.group.val + access.machine.person.val
+        solr_doc["inheritable_discover_access_group_t"] = discover_access.machine.group
+        solr_doc["inheritable_discover_access_person_t"] = discover_access.machine.person
+        solr_doc["inheritable_read_access_group_t"] = read_access.machine.group
+        solr_doc["inheritable_read_access_person_t"] = read_access.machine.person
+        solr_doc["inheritable_edit_access_group_t"] = edit_access.machine.group
+        solr_doc["inheritable_edit_access_person_t"] = edit_access.machine.person
+        solr_doc["inheritable_embargo_release_date_dt"] = embargo_release_date
+        return solr_doc
+      end
+    end
+  end
+end

data/lib/hydra/policy_aware_ability.rb

@@ -0,0 +1,128 @@
+# Repeats access controls evaluation methods, but checks against a governing "Policy" object (or "Collection" object) that provides inherited access controls.
+module Hydra::PolicyAwareAbility
+  
+  # Extends Hydra::Ability.test_edit to try policy controls if object-level controls deny access
+  def test_edit(pid, user, session)
+    result = super
+    if result 
+      return result
+    else
+      return test_edit_from_policy(pid, user, session)
+    end
+  end
+  
+  # Extends Hydra::Ability.test_read to try policy controls if object-level controls deny access
+  def test_read(pid, user, session)
+    result = super
+    if result 
+      return result
+    else
+      return test_read_from_policy(pid, user, session)
+    end
+  end
+  
+  # Returns the pid of policy object (is_governed_by) for the specified object
+  # Assumes that the policy object is associated by an is_governed_by relationship (Whis is stored as "is_governed_by_s" in object's solr document)
+  # Returns nil if no policy associated with the object
+  def policy_pid_for(object_pid)
+    return @policy_pid if @policy_pid
+    solr_result = ActiveFedora::Base.find_with_conditions({:id=>object_pid}, :fl=>'is_governed_by_s')
+    begin
+      @policy_pid = value_from_solr_field(solr_result, 'is_governed_by_s').first.gsub("info:fedora/", "")
+    rescue NoMethodError
+      @policy_pid = nil
+    end
+    return @policy_pid
+  end
+  
+  # Returns the permissions solr document for policy_pid
+  # The document is stored in an instance variable, so calling this multiple times will only query solr once.
+  # To force reload, set @policy_permissions_solr_document to nil
+  def policy_permissions_doc(policy_pid)
+    return @policy_permissions_solr_document if @policy_permissions_solr_document
+    response, @policy_permissions_solr_document = get_permissions_solr_response_for_doc_id(policy_pid)
+    @policy_permissions_solr_document
+  end
+  
+  # Tests whether the object's governing policy object grants edit access for the current user
+  def test_edit_from_policy(object_pid, user, session)    
+    policy_pid = policy_pid_for(object_pid)
+    if policy_pid.nil?
+      return false
+    else
+      logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide EDIT permissions for #{user_key(user)}?")
+      group_intersection = user_groups(user, session) & edit_groups_from_policy( policy_pid )
+      result = !group_intersection.empty? || edit_persons_from_policy( policy_pid ).include?(user_key(user))
+      logger.debug("[CANCAN] -policy- decision: #{result}")
+      return result
+    end
+  end   
+  
+  # Tests whether the object's governing policy object grants read access for the current user
+  def test_read_from_policy(object_pid, user, session)
+    policy_pid = policy_pid_for(object_pid)
+    if policy_pid.nil?
+      return false
+    else
+      logger.debug("[CANCAN] -policy- Does the POLICY #{policy_pid} provide READ permissions for #{user_key(user)}?")
+      group_intersection = user_groups(user, session) & read_groups_from_policy( policy_pid )
+      result = !group_intersection.empty? || read_persons_from_policy( policy_pid ).include?(user_key(user))
+      logger.debug("[CANCAN] -policy- decision: #{result}")
+      result
+    end
+  end 
+  
+  # Returns the list of groups granted edit access by the policy object identified by policy_pid
+  def edit_groups_from_policy(policy_pid)
+    policy_permissions = policy_permissions_doc(policy_pid)
+    edit_group_field = Hydra.config[:permissions][:inheritable][:edit][:group]
+    eg = ((policy_permissions == nil || policy_permissions.fetch(edit_group_field,nil) == nil) ? [] : policy_permissions.fetch(edit_group_field,nil))
+    logger.debug("[CANCAN] -policy- edit_groups: #{eg.inspect}")
+    return eg
+  end
+
+  # Returns the list of groups granted read access by the policy object identified by policy_pid
+  # Note: edit implies read, so read_groups is the union of edit and read groups
+  def read_groups_from_policy(policy_pid)
+    policy_permissions = policy_permissions_doc(policy_pid)
+    read_group_field = Hydra.config[:permissions][:inheritable][:read][:group]
+    rg = edit_groups_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(read_group_field,nil) == nil) ? [] : policy_permissions.fetch(read_group_field,nil))
+    logger.debug("[CANCAN] -policy- read_groups: #{rg.inspect}")
+    return rg
+  end
+
+  # Returns the list of individuals granted edit access by the policy object identified by policy_pid
+  def edit_persons_from_policy(policy_pid)
+    policy_permissions = policy_permissions_doc(policy_pid)
+    edit_person_field = Hydra.config[:permissions][:inheritable][:edit][:individual]
+    ep = ((policy_permissions == nil || policy_permissions.fetch(edit_person_field,nil) == nil) ? [] : policy_permissions.fetch(edit_person_field,nil))
+    logger.debug("[CANCAN] -policy- edit_persons: #{ep.inspect}")
+    return ep
+  end
+
+  # Returns the list of individuals granted read access by the policy object identified by policy_pid
+  # Noate: edit implies read, so read_persons is the union of edit and read persons
+  def read_persons_from_policy(policy_pid)
+    policy_permissions = policy_permissions_doc(policy_pid)
+    read_individual_field = Hydra.config[:permissions][:inheritable][:read][:individual]
+    rp = edit_persons_from_policy(policy_pid) | ((policy_permissions == nil || policy_permissions.fetch(read_individual_field,nil) == nil) ? [] : policy_permissions.fetch(read_individual_field,nil))
+    logger.debug("[CANCAN] -policy- read_persons: #{rp.inspect}")
+    return rp
+  end
+  
+  private
+  
+  # Grabs the value of field_name from solr_result
+  # @example
+  #   solr_result = Multiresimage.find_with_conditions({:id=>object_pid}, :fl=>'is_governed_by_s')
+  #   value_from_solr_field(solr_result, 'is_governed_by_s')
+  #   => ["info:fedora/changeme:2278"]
+  def value_from_solr_field(solr_result, field_name)
+    field_from_result = solr_result.select {|x| x.has_key?(field_name)}.first
+    if field_from_result.nil?
+      return nil
+    else
+      return field_from_result[field_name]
+    end
+  end
+end

data/lib/hydra/policy_aware_access_controls_enforcement.rb

@@ -0,0 +1,70 @@
+# Repeats access controls evaluation methods, but checks against a governing "Policy" object (or "Collection" object) that provides inherited access controls.
+module Hydra::PolicyAwareAccessControlsEnforcement
+  
+  # Extends Hydra::AccessControlsEnforcement.apply_gated_discovery to reflect policy-provided access
+  # appends the result of policy_clauses into the :fq
+  def apply_gated_discovery(solr_parameters, user_parameters)
+    super
+    additional_clauses = policy_clauses
+    unless additional_clauses.nil? || additional_clauses.empty?
+      solr_parameters[:fq].first << " OR " + policy_clauses
+      logger.debug("POLICY-aware Solr parameters: #{ solr_parameters.inspect }")
+    end
+  end
+  
+  # returns solr query for finding all objects whose policies grant discover access to current_user
+  def policy_clauses 
+    policy_pids = policies_with_access
+    return nil if policy_pids.empty?
+    '(' + policy_pids.map {|pid| "is_governed_by_s:info\\:fedora/#{pid.gsub(/:/, '\\\\:')}"}.join(' OR ') + ')'
+  end
+  
+  
+  # find all the policies that grant discover/read/edit permissions to this user or any of it's groups
+  def policies_with_access
+    #### TODO -- Memoize this and put it in the session?
+    return [] unless current_user
+    user_access_filters = []
+    # Grant access based on user id & role
+    unless current_user.nil?
+      user_access_filters += apply_policy_role_permissions(discovery_permissions)
+      user_access_filters += apply_policy_individual_permissions(discovery_permissions)
+    end
+    result = policy_class.find_with_conditions( user_access_filters.join(" OR "), :fl => "id" )
+    logger.debug "get policies: #{result}\n\n"
+    result.map {|h| h['id']}
+  end
+  
+  
+  def apply_policy_role_permissions(permission_types)
+      # for roles
+      user_access_filters = []
+      ::RoleMapper.roles(user_key).each_with_index do |role, i|
+        discovery_permissions.each do |type|
+          user_access_filters << "inheritable_#{type}_access_group_t:#{role}"
+        end
+      end
+      user_access_filters
+  end
+
+  def apply_policy_individual_permissions(permission_types)
+      # for individual person access
+      user_access_filters = []
+      discovery_permissions.each do |type|
+        user_access_filters << "inheritable_#{type}_access_person_t:#{user_key}"        
+      end
+      user_access_filters
+  end
+  
+  # Returns the Model used for AdminPolicy objects.
+  # You can set this by overriding this method or setting Hydra.config[:permissions][:policy_class]
+  # Defults to Hydra::AdminPolicy
+  def policy_class
+    if Hydra.config[:permissions][:policy_class].nil?
+      return Hydra::AdminPolicy
+    else
+      return Hydra.config[:permissions][:policy_class]
+    end
+  end
+  
+end

data/lib/hydra/role_mapper_behavior.rb

@@ -7,8 +7,21 @@ module Hydra::RoleMapperBehavior
     def role_names
       map.keys
     end
-    def roles(username)
-      byname[username]||[]
+    
+    # 
+    # @param user_or_uid either the User object or user id
+    # If you pass in a nil User object (ie. user isn't logged in), or a uid that doesn't exist, it will return an empty array
+    def roles(user_or_uid)
+      if user_or_uid.kind_of?(String)
+        user = User.find_by_user_key(user_or_uid)
+        user_id = user_or_uid
+      elsif user_or_uid.kind_of?(User) && !user_or_uid.uid.nil?  
+        user = user_or_uid
+        user_id = user.user_key
+      end
+      array = byname[user_id]||[]
+      array = array << 'registered' unless (user.nil? || user.new_record?) 
+      array
     end
     
     def whois(r)
@@ -28,6 +41,7 @@ module Hydra::RoleMapperBehavior
         memo
       end
     end
+    
   end
 end
 

data/lib/hydra/user.rb

@@ -0,0 +1,42 @@
+# Injects behaviors into User model so that it will work with Hydra Access Controls
+# By default, this module assumes you are using the User model created by Blacklight, which uses Devise.
+# To integrate your own User implementation into Hydra, override this Module or define your own User model in app/models/user.rb within your Hydra head.
+require 'deprecation'
+module Hydra::User
+  extend Deprecation
+  
+  def self.included(klass)
+    # Other modules to auto-include
+    klass.extend(ClassMethods)
+  end
+
+  # This method should display the unique identifier for this user as defined by devise.
+  # The unique identifier is what access controls will be enforced against. 
+  def user_key
+    send(Devise.authentication_keys.first)
+  end
+  
+  module ClassMethods
+    # This method should find User objects using the user_key you've chosen.
+    # By default, uses the unique identifier specified in by devise authentication_keys (ie. find_by_id, or find_by_email).  
+    # You must have that find method implemented on your user class, or must override find_by_user_key
+    def find_by_user_key(key)
+      self.send("find_by_#{Devise.authentication_keys.first}".to_sym, key)
+    end
+  end
+
+  # This method should display the unique identifier for this user
+  # the unique identifier is what access controls will be enforced against. 
+  def unique_id
+    return to_s
+  end
+  deprecation_deprecate :unique_id
+
+
+  # For backwards compatibility with the Rails2 User models in Hydra/Blacklight
+  def login
+    return unique_id
+  end
+  deprecation_deprecate :login
+  
+end

data/lib/tasks/hydra-access-controls.rake

@@ -0,0 +1,18 @@
+namespace "hydra-access" do
+  desc "Run Continuous Integration"
+  task "ci" do
+    require 'jettywrapper'
+    jetty_params = Jettywrapper.load_config.merge(
+        {:jetty_home => File.expand_path(File.dirname(__FILE__) + '/../../jetty'),
+          :startup_wait => 15, 
+          :jetty_port => ENV['TEST_JETTY_PORT'] || 8983
+        }
+    )
+    Rake::Task['jetty:config'].invoke
+    error = nil
+    error = Jettywrapper.wrap(jetty_params) do
+      Rake::Task['spec'].invoke
+    end
+    raise "test failures: #{error}" if error
+  end
+end

data/lib/tasks/hydra_jetty.rake

@@ -0,0 +1,55 @@
+# re-using hydra_jetty.rake from hydra-head
+
+namespace :jetty do
+  desc "Apply all configs to Testing Server (relies on hydra:jetty:config tasks unless you override it)"
+  task :config do
+    Rake::Task["hydra:jetty:config"].invoke
+  end
+end
+
+namespace :hydra do
+  namespace :jetty do
+    desc "Copies the default Solr & Fedora configs into the bundled Hydra Testing Server"
+    task :config do
+      Rake::Task["hydra:jetty:config_fedora"].invoke
+      Rake::Task["hydra:jetty:config_solr"].invoke
+    end
+    
+    desc "Copies the contents of solr_conf into the Solr development-core and test-core of Testing Server"
+    task :config_solr do
+      FileList['solr_conf/conf/*'].each do |f|  
+        cp("#{f}", 'jetty/solr/development-core/conf/', :verbose => true)
+        cp("#{f}", 'jetty/solr/test-core/conf/', :verbose => true)
+      end
+    end
+
+    desc "Copies a custom fedora config for the bundled Hydra Testing Server"
+    task :config_fedora do
+      # load a custom fedora.fcfg - 
+      if defined?(Rails.root)
+        app_root = Rails.root
+      else
+        app_root = File.join(File.dirname(__FILE__),"..")
+      end
+       
+      fcfg = File.join(app_root,"fedora_conf","conf","development","fedora.fcfg")
+      if File.exists?(fcfg)
+        puts "copying over development/fedora.fcfg"
+        cp("#{fcfg}", 'jetty/fedora/default/server/config/', :verbose => true)
+      else
+        puts "#{fcfg} file not found -- skipping fedora config"
+      end
+      fcfg = File.join(app_root,"fedora_conf","conf","test","fedora.fcfg")
+      if File.exists?(fcfg)
+        puts "copying over test/fedora.fcfg"
+        cp("#{fcfg}", 'jetty/fedora/test/server/config/', :verbose => true)
+      else
+        puts "#{fcfg} file not found -- skipping fedora config"
+      end
+    end
+
+    desc "Copies the default SOLR config files and starts up the fedora instance."
+    task :load => [:config, 'jetty:start']
+
+  end
+end

data/solr_conf/conf/schema.xml

@@ -0,0 +1,124 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!-- 
+IMPORTANT
+This copy of the solr schema is only used in the context of testing hydra-head.  If you want to make changes available to individual hydra heads, you must apply them to the template in lib/generators/hydra/templates/solr_config
+-->
+<schema name="Hydra" version="1.1">
+  <!-- For complete comments from the Solr project example schema.xml:
+      http://svn.apache.org/viewvc/lucene/dev/trunk/solr/example/solr/conf/schema.xml?view=markup
+    See also:  
+      http://wiki.apache.org/solr/SchemaXml
+  -->
+  <types>
+    <fieldType name="string" class="solr.StrField" sortMissingLast="true" omitNorms="true"/>
+    <fieldType name="boolean" class="solr.BoolField" sortMissingLast="true" omitNorms="true"/>
+    <fieldType name="integer" class="solr.IntField" omitNorms="true"/>
+    <fieldType name="long" class="solr.LongField" omitNorms="true"/>
+    <fieldType name="float" class="solr.FloatField" omitNorms="true"/>
+    <fieldType name="double" class="solr.DoubleField" omitNorms="true"/>
+    <fieldType name="sint" class="solr.SortableIntField" sortMissingLast="true" omitNorms="true"/>
+    <fieldType name="slong" class="solr.SortableLongField" sortMissingLast="true" omitNorms="true"/>
+    <fieldType name="sfloat" class="solr.SortableFloatField" sortMissingLast="true" omitNorms="true"/>
+    <fieldType name="sdouble" class="solr.SortableDoubleField" sortMissingLast="true" omitNorms="true"/>
+    <fieldType name="date" class="solr.DateField" sortMissingLast="true" omitNorms="true"/>
+    <fieldType name="random" class="solr.RandomSortField" indexed="true" />
+    
+    <fieldType name="text_ws" class="solr.TextField" positionIncrementGap="100">
+      <analyzer>
+        <tokenizer class="solr.WhitespaceTokenizerFactory"/>
+      </analyzer>
+    </fieldType>
+
+    <fieldType name="text" class="solr.TextField" positionIncrementGap="100">
+      <analyzer type="index">
+        <tokenizer class="solr.WhitespaceTokenizerFactory"/>
+        <filter class="solr.StopFilterFactory"
+                ignoreCase="true"
+                words="stopwords.txt"
+                enablePositionIncrements="true"
+                />
+        <filter class="solr.WordDelimiterFilterFactory" generateWordParts="1" generateNumberParts="1" catenateWords="1" catenateNumbers="1" catenateAll="0" splitOnCaseChange="1"/>
+        <filter class="solr.LowerCaseFilterFactory"/>
+        <filter class="solr.EnglishPorterFilterFactory" protected="protwords.txt"/>
+        <filter class="solr.RemoveDuplicatesTokenFilterFactory"/>
+      </analyzer>
+      <analyzer type="query">
+        <tokenizer class="solr.WhitespaceTokenizerFactory"/>
+        <filter class="solr.SynonymFilterFactory" synonyms="synonyms.txt" ignoreCase="true" expand="true"/>
+        <filter class="solr.StopFilterFactory" ignoreCase="true" words="stopwords.txt"/>
+        <filter class="solr.WordDelimiterFilterFactory" generateWordParts="1" generateNumberParts="1" catenateWords="0" catenateNumbers="0" catenateAll="0" splitOnCaseChange="1"/>
+        <filter class="solr.LowerCaseFilterFactory"/>
+        <filter class="solr.EnglishPorterFilterFactory" protected="protwords.txt"/>
+        <filter class="solr.RemoveDuplicatesTokenFilterFactory"/>
+      </analyzer>
+    </fieldType>
+
+    <fieldType name="textTight" class="solr.TextField" positionIncrementGap="100" >
+      <analyzer>
+        <tokenizer class="solr.WhitespaceTokenizerFactory"/>
+        <filter class="solr.SynonymFilterFactory" synonyms="synonyms.txt" ignoreCase="true" expand="false"/>
+        <filter class="solr.StopFilterFactory" ignoreCase="true" words="stopwords.txt"/>
+        <filter class="solr.WordDelimiterFilterFactory" generateWordParts="0" generateNumberParts="0" catenateWords="1" catenateNumbers="1" catenateAll="0"/>
+        <filter class="solr.LowerCaseFilterFactory"/>
+        <filter class="solr.EnglishPorterFilterFactory" protected="protwords.txt"/>
+        <filter class="solr.RemoveDuplicatesTokenFilterFactory"/>
+      </analyzer>
+    </fieldType>
+
+    <fieldType name="alphaOnlySort" class="solr.TextField" sortMissingLast="true" omitNorms="true">
+      <analyzer>
+        <tokenizer class="solr.KeywordTokenizerFactory"/>
+        <filter class="solr.LowerCaseFilterFactory" />
+        <filter class="solr.TrimFilterFactory" />
+        <filter class="solr.PatternReplaceFilterFactory"
+                pattern="([^a-z])" replacement="" replace="all"
+        />
+      </analyzer>
+    </fieldType>
+
+    <fieldtype name="ignored" stored="false" indexed="false" class="solr.StrField" /> 
+
+ </types>
+
+ <!-- For complete comments from the Solr project example schema.xml:
+     http://svn.apache.org/viewvc/lucene/dev/trunk/solr/example/solr/conf/schema.xml?view=markup
+   See also:  
+     http://wiki.apache.org/solr/SchemaXml
+ -->
+ <fields>
+
+   <field name="id" type="string" indexed="true" stored="true" required="true" />
+   <field name="text" type="text" indexed="true" stored="true" multiValued="true"/>
+   <field name="timestamp" type="date" indexed="true" stored="true" default="NOW" multiValued="false"/>
+
+   <!-- format is used for facet, display, and choosing which partial to use for the show view, so it must be stored and indexed -->
+   <field name="format" type="string" indexed="true" stored="true"/>
+   <!-- pub_date is assumed by Blacklight's default configuration, so we must define it here to avoid errors -->
+   <field name="pub_date" type="string" indexed="true" stored="true" multiValued="true"/>
+   
+   <dynamicField name="*_i"  type="sint"    indexed="true"  stored="true"/>
+   <dynamicField name="*_s"  type="string"  indexed="true"  stored="true" multiValued="true"/>
+   <dynamicField name="*_l"  type="slong"   indexed="true"  stored="true"/>
+   <dynamicField name="*_t"  type="text"    indexed="true"  stored="true" multiValued="true"/>
+   <dynamicField name="*_b"  type="boolean" indexed="true"  stored="true"/>
+   <dynamicField name="*_f"  type="sfloat"  indexed="true"  stored="true"/>
+   <dynamicField name="*_d"  type="sdouble" indexed="true"  stored="true"/>
+   <dynamicField name="*_dt" type="date"    indexed="true"  stored="true"/>
+
+   <dynamicField name="random*" type="random" />
+   <!-- FIXME: Solr can't sort on a multivalued field -->
+   <dynamicField name="*_sort" type="string" indexed="true" stored="false" multiValued="true"/>
+   <!-- FIXME: generally, facet fields are not stored -->
+   <dynamicField name="*_facet" type="string" indexed="true" stored="true" multiValued="true" />
+   <dynamicField name="*_display" type="string" indexed="false" stored="true" multiValued="true" />
+
+ </fields>
+
+ <uniqueKey>id</uniqueKey>
+ <defaultSearchField>text</defaultSearchField>
+ <solrQueryParser defaultOperator="AND" />
+ <copyField source="*_facet" dest="text" />
+ <copyField source="*_t" dest="text" />
+ <copyField source="*_s" dest="text" />
+
+</schema>