| security.java |
1 package hudsonfog.voc.system;
2
3 import com.fogx.webdav.DavResource;
4 import com.fogx.webdav.DavClass;
5 import com.fogx.webdav.DavBean;
6 import com.fogx.webdav.DavProperty;
7 import static com.fogx.webdav.DavProperty.*;
8 import com.fogx.webdav.packages.DavBeanPackage;
9 import com.fogx.webdav.util.DavResourceSupport;
10 import com.fogx.webdav.util.UrlUtil;
11 import java.util.Date;
12 import java.util.Map;
13 import java.util.HashMap;
14 import java.util.List;
15 import java.util.Collections;
16 import java.util.Arrays;
17
18 import hudsonfog.voc.model.company.*;
19 import hudsonfog.voc.system.classusage.*;
20 import hudsonfog.voc.system.primitiveTypes.*;
21 import hudsonfog.voc.system.fog.*;
22 import hudsonfog.voc.system.security.*;
23 import hudsonfog.voc.system.XMLSchema.*;
24
25 import hudsonfog.voc.system.fog.*;
26
27
28 public abstract class security {
29
30 /*
31 * TODO do we need to split 'By subscription' to organizational and personal subscribers?
32 * why changed isPrivate to accessLevel
33 * 1. needed to add 'By Subscription'
34 * 2. needed to make CollaborationPoint AccessControl for the project Container Managed Security
35 * (case: when deciding security for comments since comment delegates to forum and forum did not
36 * have isPrivate since CollaborationPoint was not implementing AccessControl). It used to work
37 * since we issued PROPFIND depth 0 for containerUri
38 */
39 @DavClass._avoidIndexing
40 @DavClass._viewCols("userId, contact, banned, denyRemoteAccess")
41 public static class User {
42 @_maxSize(50)
43 @_resourceLink
44 @k public String userId; //* unique id of this User account
45 @_notSearchable
46 @r public password password; //* password - please choose carefully and do not forget
47 @_containerMember
48 @_immutable
49 @_delegatedAccessControl
50 @r public Contact contact; //* person that owns this User account
51 @_readOnly
52 @_allowRoles("admin")
53 public Long registrationDate = writeJS("registrationDate ? registrationDate : new Date().getTime()"); //* date when user registered
54 @_maxSize(25)
55 @_readOnly
56 @_allowRoles("admin")
57 public String registrationIp = writeJS("registrationIp ? registrationIp : getRequest().getRemoteAddr()"); //* internet address from which registration was made
58 @_allowRoles("admin")
59 public Boolean deleted; //* deleted user
60 @_allowRoles("admin")
61 public Boolean banned; //* user is banned from this site
62 public Boolean imperialMeasurementSystem; //* user preference of a measurement system: metric/imperial(english)
63 public LanguageCode language; //* user preference for the language (two-letter ISO language code)
64 @_maxSize(4000)
65 @_avoidDisplaying
66 @_allowRoles("self, admin")
67 public href loginPage; //* Initial page that will show up upon login - you can reset it from the File menu
68 @_maxSize(4000)
69 @_avoidDisplaying
70 @_allowRoles("self, admin")
71 public href mobileLoginPage; // = WRITE_JS(setMobileLoginPage()) ; //(loginPage == null) ? 'readOnlyProperties.html?-$action=showproperties&uri=' + encodeURIComponent(getRelativeUri(contact)) : loginPage); //* Staring page that will show up at login - you can reset it from the menu
72 @_allowRoles("admin")
73 public Boolean denyAccess; //* this user can not login - used to allow clockin/clockout but not login into the system
74 @_allowRoles("admin")
75 public Boolean denyRemoteAccess; //* this user can login only on local network
76 public String cvsUserId; //* id in cvs version control system
77 @_notSearchable
78 public password cvsPassword;
79 @_avoidDisplaying
80 public String deviceId; //* ex. cell phone
81 @_avoidDisplaying
82 public String activationCode; //* temporary code for password retrieval
83 @_avoidDisplaying
84 public dateTime activationCodeTime; //* temporary code timestamp
85 }
86
87 @DavClass._label("User")
88 @DavClass._aView
89 @DavClass._uniquePropertySet("password")
90 @DavClass._filterView
91 public static class UserWithUniquePassword extends User {
92 @k@s public String userId; //* unique id of this User account
93 @r@s public password password; //* password - please choose carefully and do not forget
94 @r@s public Contact contact; //* person that owns this User account
95 @h@s public Long registrationDate;
96 @h@s public String registrationIp;
97 @h@s public Boolean deleted;
98 @h@s public Boolean banned;
99 @h@s public Boolean imperialMeasurementSystem;
100 @h@s public LanguageCode language;
101 @h@s public href loginPage;
102 @h@s public href mobileLoginPage;
103 @h@s public Boolean denyAccess;
104 @h@s public Boolean denyRemoteAccess;
105 @h@s public String cvsUserId;
106 @h@s public password cvsPassword;
107 @h@s public String deviceId;
108 @h@s public String activationCode;
109 @h@s public dateTime activationCodeTime;
110 }
111
112 public static enum LanguageCode {
113 en, ru, de, fr, it, sv, pt, es, zh;
114 }
115
116 public static class Credentials {
117 @_maxSize(50)
118 @k public String id; //* unique id of the user
119 public password pwd;
120 @r public WebSite webSiteUri;
121 }
122
123 public static class ClassToAcl {
124 @_maxSize(25)
125 @k public String classId;
126 public DavClass forClass;
127 public Acl forAcl;
128 }
129
130 public static class Acl {
131 @_maxSize(25)
132 @k public String aclId;
133 @_backLink("inAcl")
134 public Ace[] entries;
135 @_backLink("forAcl")
136 public ClassToAcl[] cl;
137 }
138
139 public static class Ace {
140 @_maxSize(25)
141 @k public String aceId;
142 public Acl inAcl;
143 @_maxSize(50)
144 public String fromProperty;
145 public DavProperty toProperty;
146 public DavClass group;
147 public Boolean permissionToRead;
148 public Boolean permissionToWrite;
149 public Boolean permissionToDelete;
150 }
151
152 /*
153 * Consider the following use cases:
154 * 1. any new CollaborationPoint should provide read access based on 'Standard' security
155 * 'Standard' security is your organization is mentioned in this resource or you are
156 * personally a creator of this resource or controlled by class annotations such as
157 * 'validUser' or 'skipAccessControl';
158 * ex. Standard CRM Issue(s) are seen only by relevant organization;
159 * SoftwareIssue(s) are seen by all valid users
160 *
161 * 2. Issue should by default get 'SiteOwner' access;
162 * 3. Workplace should by default get 'By subscription' access;
163 *
164 */
165 public static interface AccessControl {
166 @_icon("icons/lock.gif")
167 @_allowRoles("owner")
168 public AccessLevel accessLevel = null; //* if 'site owner' - will be shown only to internal people.
169 }
170
171 public static enum AccessLevel {
172 Standard, @_label("Site owner") SiteOwner;
173 }
174
175 /**
176 * Host-based authentication. Specify via semicolon a list of rules (use the same syntax for both allow and deny rules).
177 */
178 public static class HostBasedAuthentication {
179 @_autoincrement
180 @_readOnly
181 @k public Integer id;
182 @_maxSize(2000)
183 public String allowRules; //* e.g. 192.168.0.;.hudsonfog.com;loopback
184 @_maxSize(2000)
185 public String denyRules; //* e.g. 192.168.0.0;mail.hudsonfog.com;.hudsonfog.org
186 public Contact contact; //* if rules allow access, then login as this Contact
187 }
188
189 /**
190 * Represents a host that was detected to be a Robot - a program that reads information from the web site for search indexing or other purposes.
191 * Typical robots are Googlebot, Yahoo Slurp. Since robots can create an enormous load on the site - we detect them and guard some
192 * parts of the site that robots do not really need to see (Developers can use DavServletRequest.isRobot())
193 */
194 public static class Robot {
195 @k public String ip;
196 public String hostName;
197 public String userAgent;
198 }
199 }
200