From 2e1d81ef2e76ed757d99749ba3420e8570390265 Mon Sep 17 00:00:00 2001
From: Alexandru Balan <alexandru.balan@ness.com>
Date: Mon, 3 Aug 2015 08:43:40 +0000
Subject: [PATCH] RM-2391 - Added capability checking to the AuditLog Get REST
 API. Added a unit test. Minor changes on the Share side to forward the
 forbidden status.

git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/BRANCHES/V2.2@109401 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../rm-webscript-context.xml                  |  2 +
 .../script/AuditLogGet.java                   | 54 +++++++++++++-
 .../legacy/webscript/AuditRestApiTest.java    | 72 +++++++++++++++++++
 .../test/util/BaseRMWebScriptTestCase.java    |  7 +-
 4 files changed, 133 insertions(+), 2 deletions(-)
 create mode 100644 rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/legacy/webscript/AuditRestApiTest.java

diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-webscript-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-webscript-context.xml
index c815e3e411..637551ea30 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-webscript-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/rm-webscript-context.xml
@@ -536,6 +536,8 @@
         <property name="recordsManagementAuditService" ref="RecordsManagementAuditService"/>
         <property name="contentStreamer" ref="webscript.content.streamer" />
         <property name="namespaceService" ref="namespaceService" />
+        <property name="capabilityService" ref="CapabilityService" />
+        <property name="filePlanService" ref="FilePlanService" />
     </bean>
 
    <!-- REST impl for GET Class Definitions for RM/DM -->
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/script/AuditLogGet.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/script/AuditLogGet.java
index 6cf968f99c..3acdbd1197 100644
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/script/AuditLogGet.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/script/AuditLogGet.java
@@ -21,9 +21,17 @@ package org.alfresco.module.org_alfresco_module_rm.script;
 import java.io.File;
 import java.io.IOException;
 
+import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditQueryParameters;
+import org.alfresco.module.org_alfresco_module_rm.audit.RecordsManagementAuditService.ReportFormat;
+import org.alfresco.module.org_alfresco_module_rm.capability.CapabilityService;
+import org.alfresco.module.org_alfresco_module_rm.fileplan.FilePlanService;
 import org.alfresco.repo.web.scripts.content.ContentStreamer;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.service.cmr.security.AccessStatus;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.extensions.webscripts.Status;
+import org.springframework.extensions.webscripts.WebScriptException;
 import org.springframework.extensions.webscripts.WebScriptRequest;
 import org.springframework.extensions.webscripts.WebScriptResponse;
 
@@ -39,9 +47,16 @@ public class AuditLogGet extends BaseAuditRetrievalWebScript
     private static Log logger = LogFactory.getLog(AuditLogGet.class);
 
     private static final String PARAM_EXPORT = "export";
+    private static final String ACCESS_AUDIT_CAPABILITY = "AccessAudit";
 
     /** Content Streamer */
     protected ContentStreamer contentStreamer;
+    
+    /** Capability service */
+    protected CapabilityService capabilityService;
+
+    /** File plan service */
+    protected FilePlanService filePlanService;
 
     /**
      * @param contentStreamer
@@ -50,6 +65,24 @@ public class AuditLogGet extends BaseAuditRetrievalWebScript
     {
         this.contentStreamer = contentStreamer;
     }
+    
+    /**
+     * 
+     * @param capabilityService Capability Service
+     */
+    public void setCapabilityService(CapabilityService capabilityService)
+    {
+        this.capabilityService = capabilityService;
+    }
+    
+    /**
+     * 
+     * @param capabilityService Capability Service
+     */
+    public void setFilePlanService(FilePlanService filePlanService)
+    {
+        this.filePlanService = filePlanService;
+    }
 
     @Override
     public void execute(WebScriptRequest req, WebScriptResponse res) throws IOException
@@ -58,8 +91,16 @@ public class AuditLogGet extends BaseAuditRetrievalWebScript
 
         try
         {
+            
+            RecordsManagementAuditQueryParameters queryParams = parseQueryParameters(req);
+            ReportFormat reportFormat = parseReportFormat(req);
+
+            if( !userCanAccessAudit(queryParams) )
+            {
+                throw new WebScriptException(Status.STATUS_FORBIDDEN, "Access denied because the user does not have the Access Audit capability");
+            }
             // parse the parameters and get a file containing the audit trail
-            auditTrail = this.rmAuditService.getAuditTrailFile(parseQueryParameters(req), parseReportFormat(req));
+            auditTrail = this.rmAuditService.getAuditTrailFile(queryParams, reportFormat);
 
             if (logger.isDebugEnabled())
             {
@@ -101,4 +142,15 @@ public class AuditLogGet extends BaseAuditRetrievalWebScript
             }
         }
     }
+
+    private boolean userCanAccessAudit(RecordsManagementAuditQueryParameters queryParams) 
+    {
+        NodeRef targetNode = queryParams.getNodeRef();
+        if( targetNode == null )
+        {
+            targetNode = filePlanService.getFilePlanBySiteId(FilePlanService.DEFAULT_RM_SITE_ID);
+        }
+        return AccessStatus.ALLOWED.equals(
+                capabilityService.getCapabilityAccessState(targetNode, ACCESS_AUDIT_CAPABILITY));
+    }
 }
\ No newline at end of file
diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/legacy/webscript/AuditRestApiTest.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/legacy/webscript/AuditRestApiTest.java
new file mode 100644
index 0000000000..d28c62d790
--- /dev/null
+++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/legacy/webscript/AuditRestApiTest.java
@@ -0,0 +1,72 @@
+package org.alfresco.module.org_alfresco_module_rm.test.legacy.webscript;
+
+import java.io.IOException;
+import java.text.MessageFormat;
+
+import org.alfresco.module.org_alfresco_module_rm.test.util.BaseRMWebScriptTestCase;
+import org.alfresco.repo.security.authentication.AuthenticationUtil;
+import org.alfresco.repo.transaction.RetryingTransactionHelper.RetryingTransactionCallback;
+import org.alfresco.service.cmr.repository.NodeRef;
+import org.alfresco.util.GUID;
+import org.springframework.extensions.webscripts.Status;
+import org.springframework.extensions.webscripts.TestWebScriptServer.GetRequest;
+
+
+public class AuditRestApiTest extends BaseRMWebScriptTestCase 
+{
+    /** URL for the REST APIs */
+    protected static final String GET_NODE_AUDITLOG_URL_FORMAT = "/api/node/{0}/rmauditlog";
+    
+    private static final String USER_WITHOUT_AUDIT_CAPABILITY = GUID.generate();
+    
+    private NodeRef record; 
+    
+    public void testAuditAccessCapability() throws IOException
+    {
+        
+        String recordAuditUrl = MessageFormat.format(GET_NODE_AUDITLOG_URL_FORMAT,record.toString().replace("://", "/"));
+
+        sendRequest(new GetRequest(recordAuditUrl), Status.STATUS_OK, AuthenticationUtil.getAdminUserName() );
+
+        sendRequest(new GetRequest(recordAuditUrl), Status.STATUS_FORBIDDEN, USER_WITHOUT_AUDIT_CAPABILITY );
+    }
+    
+    @Override
+    protected void setupTestData()
+    {
+        super.setupTestData();
+
+        retryingTransactionHelper.doInTransaction(new RetryingTransactionCallback<Object>()
+        {
+            @Override
+            public Object execute() throws Throwable
+            {
+               
+                AuthenticationUtil.setFullyAuthenticatedUser(AuthenticationUtil
+                        .getSystemUserName());
+                
+                createUser(USER_WITHOUT_AUDIT_CAPABILITY);
+                 
+                record = utils.createRecord(recordFolder, GUID.generate());
+                
+                
+                return null;
+            }
+        });
+    }
+    
+    @Override
+    protected void tearDownImpl()
+    {
+        super.tearDownImpl();
+
+        deleteUser(USER_WITHOUT_AUDIT_CAPABILITY);
+    }
+    
+    protected String getRMSiteId()
+    {
+    	return filePlanService.DEFAULT_RM_SITE_ID;
+    }
+
+
+}
diff --git a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/util/BaseRMWebScriptTestCase.java b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/util/BaseRMWebScriptTestCase.java
index 53fed575c1..ac9c6f6798 100644
--- a/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/util/BaseRMWebScriptTestCase.java
+++ b/rm-server/test/java/org/alfresco/module/org_alfresco_module_rm/test/util/BaseRMWebScriptTestCase.java
@@ -279,7 +279,7 @@ public class BaseRMWebScriptTestCase extends BaseWebScriptTest
         assertNotNull("Could not create base folder", folder);
 
         // Create the site
-        siteId = GUID.generate();
+        siteId = getRMSiteId();
         siteInfo = siteService.createSite("rm-site-dashboard", siteId, "title", "descrition", SiteVisibility.PUBLIC, RecordsManagementModel.TYPE_RM_SITE);
         filePlan = siteService.getContainer(siteId, RmSiteType.COMPONENT_DOCUMENT_LIBRARY);
         assertNotNull("Site document library container was not created successfully.", filePlan);
@@ -383,4 +383,9 @@ public class BaseRMWebScriptTestCase extends BaseWebScriptTest
             authorityService.deleteAuthority(groupName, true);
         }
     }
+    
+    protected String getRMSiteId()
+    {
+    	return GUID.generate();
+    }
 }