diff --git a/node/src/main/kotlin/net/corda/node/internal/DefaultCordaRpcPermissions.kt b/node/src/main/kotlin/net/corda/node/internal/DefaultCordaRpcPermissions.kt
deleted file mode 100644
index dccec894e7..0000000000
--- a/node/src/main/kotlin/net/corda/node/internal/DefaultCordaRpcPermissions.kt
+++ /dev/null
@@ -1,25 +0,0 @@
-package net.corda.node.internal
-
-import net.corda.core.flows.FlowLogic
-import net.corda.core.messaging.CordaRPCOps
-import net.corda.node.services.Permissions.Companion.all
-import net.corda.node.services.Permissions.Companion.startFlow
-import net.corda.node.services.Permissions.Companion.invokeRpc
-import kotlin.reflect.KVisibility
-import kotlin.reflect.full.declaredMemberFunctions
-
-object DefaultCordaRpcPermissions {
-
- private val invokePermissions = CordaRPCOps::class.declaredMemberFunctions.filter { it.visibility == KVisibility.PUBLIC }.associate { it.name to setOf(invokeRpc(it), all()) }
- private val startFlowPermissions = setOf("startFlow", "startFlowDynamic", "startTrackedFlow", "startTrackedFlowDynamic").associate { it to this::startFlowPermission }
-
- fun permissionsAllowing(methodName: String, args: List): Set {
-
- val invoke = invokePermissions[methodName] ?: emptySet()
- val start = startFlowPermissions[methodName]?.invoke(args)
- return if (start != null) invoke + start else invoke
- }
-
- @Suppress("UNCHECKED_CAST")
- private fun startFlowPermission(args: List): String = if (args[0] is Class<*>) startFlow(args[0] as Class>) else startFlow(args[0] as String)
-}
\ No newline at end of file
diff --git a/node/src/main/kotlin/net/corda/node/internal/RpcAuthorisationProxy.kt b/node/src/main/kotlin/net/corda/node/internal/RpcAuthorisationProxy.kt
index d2f0f8afc1..1264935c26 100644
--- a/node/src/main/kotlin/net/corda/node/internal/RpcAuthorisationProxy.kt
+++ b/node/src/main/kotlin/net/corda/node/internal/RpcAuthorisationProxy.kt
@@ -19,7 +19,7 @@ import java.io.InputStream import java.security.PublicKey // TODO change to KFunction reference after Kotlin fixes https://youtrack.jetbrains.com/issue/KT-12140 -class RpcAuthorisationProxy(private val implementation: CordaRPCOps, private val context: () -> RpcAuthContext, private val permissionsAllowing: (methodName: String, args: List) -> Set) : CordaRPCOps { +class RpcAuthorisationProxy(private val implementation: CordaRPCOps, private val context: () -> RpcAuthContext) : CordaRPCOps { override fun uploadAttachmentWithMetadata(jar: InputStream, uploader: String, filename: String): SecureHash = guard("uploadAttachmentWithMetadata") { implementation.uploadAttachmentWithMetadata(jar, uploader, filename) diff --git a/node/src/main/kotlin/net/corda/node/internal/SecureCordaRPCOps.kt b/node/src/main/kotlin/net/corda/node/internal/SecureCordaRPCOps.kt index 8394c35ae9..0a7d9e9ce1 100644 --- a/node/src/main/kotlin/net/corda/node/internal/SecureCordaRPCOps.kt +++ b/node/src/main/kotlin/net/corda/node/internal/SecureCordaRPCOps.kt @@ -14,7 +14,7 @@ class SecureCordaRPCOps(services: ServiceHubInternal, smm: StateMachineManager, database: CordaPersistence, flowStarter: FlowStarter, - val unsafe: CordaRPCOps = CordaRPCOpsImpl(services, smm, database, flowStarter)) : CordaRPCOps by RpcAuthorisationProxy(unsafe, ::rpcContext, DefaultCordaRpcPermissions::permissionsAllowing) { + val unsafe: CordaRPCOps = CordaRPCOpsImpl(services, smm, database, flowStarter)) : CordaRPCOps by RpcAuthorisationProxy(unsafe, ::rpcContext) { /** * Returns the RPC protocol version, which is the same the node's Platform Version. Exists since version 1 so guaranteed diff --git a/node/src/main/kotlin/net/corda/node/internal/security/RPCSecurityManagerImpl.kt b/node/src/main/kotlin/net/corda/node/internal/security/RPCSecurityManagerImpl.kt index e667d673b7..2237cc1547 100644 --- a/node/src/main/kotlin/net/corda/node/internal/security/RPCSecurityManagerImpl.kt 
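Review bot: With `permissionsAllowing` dropped from the `RpcAuthorisationProxy` constructor, nothing in the visible signature shows where the per-flow `StartFlow` permission is now derived. The deleted `startFlowPermission` built it from `args[0]`, whereas the `guard("uploadAttachmentWithMetadata")` call shown here passes only a method name. The body of `guard` and the `startFlow*` overrides lie outside this hunk, so this is a point to confirm rather than a confirmed defect: those overrides should pass the target flow class to the authorisation check, and a test should show that a user granted one flow class is refused another. A class-level comment would make the contract explicit, e.g. `// Every override must call guard() with its own method name; flow-starting overrides must also pass the target flow class.`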
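Review bot: The changed constructor line in `SecureCordaRPCOps` still declares `val unsafe: CordaRPCOps` as a public property, so any code holding a `SecureCordaRPCOps` reference can reach the unguarded `CordaRPCOpsImpl` and bypass `RpcAuthorisationProxy`. If nothing outside the class needs it, narrow the visibility by declaring it `private val unsafe: CordaRPCOps`, keeping the default value as it is. Callers are not visible in this diff, so usages need checking first. The class body continues outside the hunk.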
+++ b/node/src/main/kotlin/net/corda/node/internal/security/RPCSecurityManagerImpl.kt @@ -103,7 +103,7 @@ class RPCSecurityManagerImpl(config: AuthServiceConfig) : RPCSecurityManager { } } -/** +/* * Provide a representation of RPC permissions based on Apache Shiro permissions framework. * A permission represents a set of actions: for example, the set of all RPC invocations, or the set * of RPC invocations acting on a given class of Flows in input. A permission `implies` another one if @@ -128,7 +128,7 @@ private class RPCPermission : DomainPermission { constructor() : super() } -/** +/* * A [org.apache.shiro.authz.permission.PermissionResolver] implementation for RPC permissions. * Provides a method to construct an [RPCPermission] instance from its string representation * in the form used by a Node admin. @@ -141,7 +141,6 @@ private class RPCPermission : DomainPermission { * * - `StartFlow.$FlowClassName`: allowing to call a `startFlow*` RPC method targeting a Flow instance * of a given class - * */ private object RPCPermissionResolver : PermissionResolver { @@ -253,7 +252,7 @@ private class NodeJdbcRealm(config: SecurityConfiguration.AuthService.DataSource private typealias ShiroCache = org.apache.shiro.cache.Cache -/** +/* * Adapts a [com.google.common.cache.Cache] to a [org.apache.shiro.cache.Cache] implementation. */ private fun Cache.toShiroCache(name: String) = object : ShiroCache { @@ -285,7 +284,7 @@ private fun Cache.toShiroCache(name: String) = object : ShiroCache< override fun toString() = "Guava cache adapter [$impl]" } -/** +/* * Implementation of [org.apache.shiro.cache.CacheManager] based on * cache implementation in [com.google.common.cache] */