Added permissions configuration for newly created AIPs

roda-core/roda-core/src/main/java/org/roda/core/model/ModelService.java

@@ -108,7 +108,6 @@
 import org.roda.core.data.v2.ip.metadata.PreservationMetadata;
 import org.roda.core.data.v2.ip.metadata.PreservationMetadata.PreservationMetadataType;
 import org.roda.core.data.v2.jobs.Job;
-import org.roda.core.data.v2.jobs.PluginInfo;
 import org.roda.core.data.v2.jobs.PluginState;
 import org.roda.core.data.v2.jobs.Report;
 import org.roda.core.data.v2.log.LogEntry;
@@ -131,8 +130,6 @@
 import org.roda.core.model.utils.ResourceListUtils;
 import org.roda.core.model.utils.ResourceParseUtils;
 import org.roda.core.model.utils.UserUtility;
-import org.roda.core.plugins.Plugin;
-import org.roda.core.plugins.PluginHelper;
 import org.roda.core.storage.Binary;
 import org.roda.core.storage.BinaryVersion;
 import org.roda.core.storage.ContentPayload;
@@ -352,9 +349,8 @@ public AIP createAIP(String parentId, String type, Permissions permissions, List
     AIPState state = AIPState.ACTIVE;
     Directory directory = storage.createRandomDirectory(DefaultStoragePath.parse(RodaConstants.STORAGE_CONTAINER_AIP));
     String id = directory.getStoragePath().getName();
-    Permissions inheritedPermissions = this.addParentPermissions(permissions, parentId);
 
-    AIP aip = new AIP(id, parentId, type, state, inheritedPermissions, createdBy);
+    AIP aip = new AIP(id, parentId, type, state, permissions, createdBy);
 
     aip.setGhost(isGhost);
     aip.setIngestSIPIds(ingestSIPIds);
@@ -394,9 +390,8 @@ public AIP createAIP(AIPState state, String parentId, String type, Permissions p
 
     Directory directory = storage.createRandomDirectory(DefaultStoragePath.parse(RodaConstants.STORAGE_CONTAINER_AIP));
     String id = directory.getStoragePath().getName();
-    Permissions inheritedPermissions = this.addParentPermissions(permissions, parentId);
 
-    AIP aip = new AIP(id, parentId, type, state, inheritedPermissions, createdBy);
+    AIP aip = new AIP(id, parentId, type, state, permissions, createdBy);
     // Instance Id Management
     aip.setInstanceId(RODAInstanceUtils.getLocalInstanceIdentifier());
     createAIPMetadata(aip);
@@ -415,9 +410,8 @@ public AIP createAIP(AIPState state, String parentId, String type, Permissions p
 
     Directory directory = storage.createRandomDirectory(DefaultStoragePath.parse(RodaConstants.STORAGE_CONTAINER_AIP));
     String id = directory.getStoragePath().getName();
-    Permissions inheritedPermissions = this.addParentPermissions(permissions, parentId);
 
-    AIP aip = new AIP(id, parentId, type, state, inheritedPermissions, createdBy).setIngestSIPIds(ingestSIPIds)
+    AIP aip = new AIP(id, parentId, type, state, permissions, createdBy).setIngestSIPIds(ingestSIPIds)
       .setIngestJobId(ingestJobId).setIngestSIPUUID(ingestSIPUUID);
     // Instance Id Management
     aip.setInstanceId(RODAInstanceUtils.getLocalInstanceIdentifier());

roda-core/roda-core/src/main/java/org/roda/core/plugins/PluginHelper.java

@@ -19,7 +19,6 @@
 import java.util.Collections;
 import java.util.Date;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
@@ -85,12 +84,14 @@
 import org.roda.core.data.v2.risks.Risk;
 import org.roda.core.data.v2.risks.RiskIncidence;
 import org.roda.core.data.v2.user.RODAMember;
+import org.roda.core.data.v2.user.User;
 import org.roda.core.data.v2.validation.ValidationException;
 import org.roda.core.index.IndexService;
 import org.roda.core.index.utils.IterableIndexResult;
 import org.roda.core.model.LiteRODAObjectFactory;
 import org.roda.core.model.ModelService;
 import org.roda.core.model.utils.ModelUtils;
+import org.roda.core.plugins.base.ingest.PermissionUtils;
 import org.roda.core.plugins.base.maintenance.reindex.ReindexAIPPlugin;
 import org.roda.core.plugins.base.maintenance.reindex.ReindexActionLogPlugin;
 import org.roda.core.plugins.base.maintenance.reindex.ReindexDIPPlugin;
@@ -156,8 +157,7 @@ public static <T extends IsRODAObject> Report processObjects(Plugin<T> plugin,
         } catch (Throwable e) {
           LOGGER.error("Unexpected exception during 'objectsLogic' execution", e);
           jobPluginInfo.setSourceObjectsProcessedWithFailure(
-              jobPluginInfo.getSourceObjectsCount()
-                  - jobPluginInfo.getSourceObjectsProcessedWithSuccess());
+            jobPluginInfo.getSourceObjectsCount() - jobPluginInfo.getSourceObjectsProcessedWithSuccess());
           exceptionOccurred = e;
         }
       }
@@ -793,13 +793,18 @@ private static Optional<String> createGhost(String ancestor, Optional<String> pa
     String username = getJobUsername(jobId, index);
 
     Permissions permissions = new Permissions();
-    permissions.setUserPermissions(username,
-      new HashSet<>(Arrays.asList(Permissions.PermissionType.CREATE, Permissions.PermissionType.READ,
-        Permissions.PermissionType.UPDATE, Permissions.PermissionType.DELETE, Permissions.PermissionType.GRANT)));
+
+    User user = model.retrieveUser(username);
+
+    if (parent.isPresent()) {
+      permissions = model.retrieveAIP(parent.get()).getPermissions();
+    }
+
+    Permissions finalPermissions = PermissionUtils.calculatePermissions(user, Optional.of(permissions));
 
     boolean isGhost = true;
-    AIP ghostAIP = model.createAIP(parent.orElse(null), "", permissions, Arrays.asList(ancestor), jobId, true, username,
-      isGhost);
+    AIP ghostAIP = model.createAIP(parent.orElse(null), "", finalPermissions, Arrays.asList(ancestor), jobId, true,
+      username, isGhost);
 
     return Optional.ofNullable(ghostAIP.getId());
   }

roda-core/roda-core/src/main/java/org/roda/core/plugins/base/ingest/BagitToAIPPlugin.java

@@ -28,9 +28,9 @@
 import org.roda.core.model.ModelService;
 import org.roda.core.plugins.Plugin;
 import org.roda.core.plugins.PluginException;
+import org.roda.core.plugins.PluginHelper;
 import org.roda.core.plugins.RODAObjectProcessingLogic;
 import org.roda.core.plugins.orchestrate.JobPluginInfo;
-import org.roda.core.plugins.PluginHelper;
 import org.roda.core.storage.StorageService;
 import org.roda_project.commons_ip.model.ParseException;
 import org.roda_project.commons_ip.model.SIP;
@@ -118,7 +118,7 @@ private void processTransferredResource(IndexService index, ModelService model,
 
       AIP aipCreated = BagitToAIPPluginUtils.bagitToAip(bagit, model, METADATA_FILE,
         Arrays.asList(transferredResource.getName()), reportItem.getJobId(), computedParentId, job.getUsername(),
-        PermissionUtils.getIngestPermissions(job.getUsername()), transferredResource.getUUID());
+        transferredResource.getUUID());
 
       PluginHelper.createSubmission(model, createSubmission, bagitPath, aipCreated.getId());
 

roda-core/roda-core/src/main/java/org/roda/core/plugins/base/ingest/BagitToAIPPluginUtils.java

@@ -20,6 +20,7 @@
 import org.roda.core.data.v2.ip.AIPState;
 import org.roda.core.data.v2.ip.Permissions;
 import org.roda.core.data.v2.ip.Representation;
+import org.roda.core.data.v2.user.User;
 import org.roda.core.model.ModelService;
 import org.roda.core.storage.ContentPayload;
 import org.roda.core.storage.StringContentPayload;
@@ -41,7 +42,7 @@ private BagitToAIPPluginUtils() {
   }
 
   public static AIP bagitToAip(SIP bagit, ModelService model, String metadataFilename, List<String> ingestSIPIds,
-    String ingestJobId, Optional<String> computedParentId, String createdBy, Permissions permissions,
+    String ingestJobId, Optional<String> computedParentId, String createdBy,
     String ingestSIPUUID) throws RequestNotValidException, NotFoundException, GenericException, AlreadyExistsException,
     AuthorizationDeniedException {
 
@@ -52,9 +53,18 @@ public static AIP bagitToAip(SIP bagit, ModelService model, String metadataFilen
 
     AIPState state = AIPState.INGEST_PROCESSING;
     String aipType = RodaConstants.AIP_TYPE_MIXED;
+    Permissions permissions = new Permissions();
     boolean notify = false;
 
-    AIP aip = model.createAIP(state, computedParentId.orElse(null), aipType, permissions, ingestSIPUUID, ingestSIPIds,
+    User user = model.retrieveUser(createdBy);
+
+    if (computedParentId.isPresent()){
+      permissions = model.retrieveAIP(computedParentId.get()).getPermissions();
+    }
+
+    Permissions finalPermissions = PermissionUtils.calculatePermissions(user, Optional.of(permissions));
+
+    AIP aip = model.createAIP(state, computedParentId.orElse(null), aipType, finalPermissions, ingestSIPUUID, ingestSIPIds,
       ingestJobId, notify, createdBy);
 
     model.createDescriptiveMetadata(aip.getId(), metadataFilename, metadataAsPayload, METADATA_TYPE, METADATA_VERSION,

roda-core/roda-core/src/main/java/org/roda/core/plugins/base/ingest/EARKSIP2ToAIPPlugin.java

@@ -47,9 +47,9 @@
 import org.roda.core.model.ModelService;
 import org.roda.core.plugins.Plugin;
 import org.roda.core.plugins.PluginException;
+import org.roda.core.plugins.PluginHelper;
 import org.roda.core.plugins.RODAObjectProcessingLogic;
 import org.roda.core.plugins.orchestrate.JobPluginInfo;
-import org.roda.core.plugins.PluginHelper;
 import org.roda.core.storage.StorageService;
 import org.roda.core.storage.fs.FSUtils;
 import org.roda_project.commons_ip.model.ParseException;
@@ -203,8 +203,8 @@ private AIP processNewSIP(IndexService index, ModelService model, Report reportI
     throws NotFoundException, GenericException, RequestNotValidException, AuthorizationDeniedException,
     AlreadyExistsException, ValidationException, IOException, LockingException {
     String jobUsername = PluginHelper.getJobUsername(this, index);
-    return EARKSIP2ToAIPPluginUtils.earkSIPToAIP(sip, jobUsername, PermissionUtils.getIngestPermissions(jobUsername),
-      model, sip.getIds(), reportItem.getJobId(), computedParentId, ingestSIPUUID, this);
+    return EARKSIP2ToAIPPluginUtils.earkSIPToAIP(sip, jobUsername, model, sip.getIds(), reportItem.getJobId(),
+      computedParentId, ingestSIPUUID, this);
   }
 
   private AIP processUpdateSIP(IndexService index, ModelService model, StorageService storage, SIP sip,

roda-core/roda-core/src/main/java/org/roda/core/plugins/base/ingest/EARKSIP2ToAIPPluginUtils.java

@@ -7,7 +7,6 @@
  */
 package org.roda.core.plugins.base.ingest;
 
-import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.util.HashMap;
@@ -34,6 +33,7 @@
 import org.roda.core.data.v2.ip.StoragePath;
 import org.roda.core.data.v2.ip.metadata.PreservationMetadata.PreservationMetadataType;
 import org.roda.core.data.v2.jobs.Report;
+import org.roda.core.data.v2.user.User;
 import org.roda.core.data.v2.validation.ValidationException;
 import org.roda.core.model.ModelService;
 import org.roda.core.model.utils.ModelUtils;
@@ -62,18 +62,26 @@ private EARKSIP2ToAIPPluginUtils() {
     // do nothing
   }
 
-  public static AIP earkSIPToAIP(SIP sip, String username, Permissions fullPermissions, ModelService model,
-    List<String> ingestSIPIds, String ingestJobId, Optional<String> parentId, String ingestSIPUUID, Plugin<?> plugin)
+  public static AIP earkSIPToAIP(SIP sip, String username, ModelService model, List<String> ingestSIPIds,
+    String ingestJobId, Optional<String> parentId, String ingestSIPUUID, Plugin<?> plugin)
     throws RequestNotValidException, NotFoundException, GenericException, AlreadyExistsException,
-    AuthorizationDeniedException, ValidationException, IOException, LockingException {
+    AuthorizationDeniedException, ValidationException, LockingException {
 
     AIPState state = AIPState.INGEST_PROCESSING;
     Permissions permissions = new Permissions();
     boolean notify = false;
 
     String aipType = getType(sip);
 
-    AIP aip = model.createAIP(state, parentId.orElse(null), aipType, permissions, ingestSIPUUID, ingestSIPIds,
+    User user = model.retrieveUser(username);
+
+    if (parentId.isPresent()){
+      permissions = model.retrieveAIP(parentId.get()).getPermissions();
+    }
+
+    Permissions finalPermissions = PermissionUtils.calculatePermissions(user, Optional.of(permissions));
+
+    AIP aip = model.createAIP(state, parentId.orElse(null), aipType, finalPermissions, ingestSIPUUID, ingestSIPIds,
       ingestJobId, notify, username);
 
     PluginHelper.acquireObjectLock(aip, plugin);
@@ -90,12 +98,6 @@ public static AIP earkSIPToAIP(SIP sip, String username, Permissions fullPermiss
     // update the AIP metadata
     AIP createdAIP = model.retrieveAIP(aip.getId());
 
-    // Set Permissions
-    Permissions readPermissions = PermissionUtils.grantReadPermissionToUserGroup(model, createdAIP,
-      aip.getPermissions());
-    Permissions finalPermissions = PermissionUtils.grantAllPermissions(username, readPermissions, fullPermissions);
-    createdAIP.setPermissions(finalPermissions);
-
     return model.updateAIP(createdAIP, username);
   }
 

roda-core/roda-core/src/main/java/org/roda/core/plugins/base/ingest/EARKSIPToAIPPlugin.java

@@ -47,9 +47,9 @@
 import org.roda.core.model.ModelService;
 import org.roda.core.plugins.Plugin;
 import org.roda.core.plugins.PluginException;
+import org.roda.core.plugins.PluginHelper;
 import org.roda.core.plugins.RODAObjectProcessingLogic;
 import org.roda.core.plugins.orchestrate.JobPluginInfo;
-import org.roda.core.plugins.PluginHelper;
 import org.roda.core.storage.StorageService;
 import org.roda.core.storage.fs.FSUtils;
 import org.roda_project.commons_ip.model.ParseException;
@@ -204,8 +204,8 @@ private AIP processNewSIP(IndexService index, ModelService model, Report reportI
     throws NotFoundException, GenericException, RequestNotValidException, AuthorizationDeniedException,
     AlreadyExistsException, ValidationException, IOException, LockingException {
     String jobUsername = PluginHelper.getJobUsername(this, index);
-    return EARKSIPToAIPPluginUtils.earkSIPToAIP(sip, jobUsername, PermissionUtils.getIngestPermissions(jobUsername),
-      model, sip.getIds(), reportItem.getJobId(), computedParentId, ingestSIPUUID, this);
+    return EARKSIPToAIPPluginUtils.earkSIPToAIP(sip, jobUsername, model, sip.getIds(), reportItem.getJobId(),
+      computedParentId, ingestSIPUUID, this);
   }
 
   private AIP processUpdateSIP(IndexService index, ModelService model, StorageService storage, SIP sip,

roda-core/roda-core/src/main/java/org/roda/core/plugins/base/ingest/EARKSIPToAIPPluginUtils.java

@@ -7,7 +7,6 @@
  */
 package org.roda.core.plugins.base.ingest;
 
-import java.io.IOException;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -29,6 +28,7 @@
 import org.roda.core.data.v2.ip.Representation;
 import org.roda.core.data.v2.ip.metadata.PreservationMetadata.PreservationMetadataType;
 import org.roda.core.data.v2.jobs.Report;
+import org.roda.core.data.v2.user.User;
 import org.roda.core.data.v2.validation.ValidationException;
 import org.roda.core.model.ModelService;
 import org.roda.core.plugins.Plugin;
@@ -52,18 +52,26 @@ private EARKSIPToAIPPluginUtils() {
     // do nothing
   }
 
-  public static AIP earkSIPToAIP(SIP sip, String username, Permissions fullPermissions, ModelService model,
-    List<String> ingestSIPIds, String ingestJobId, Optional<String> parentId, String ingestSIPUUID, Plugin<?> plugin)
+  public static AIP earkSIPToAIP(SIP sip, String username, ModelService model, List<String> ingestSIPIds,
+    String ingestJobId, Optional<String> parentId, String ingestSIPUUID, Plugin<?> plugin)
     throws RequestNotValidException, NotFoundException, GenericException, AlreadyExistsException,
-    AuthorizationDeniedException, ValidationException, IOException, LockingException {
+    AuthorizationDeniedException, ValidationException, LockingException {
 
     AIPState state = AIPState.INGEST_PROCESSING;
     Permissions permissions = new Permissions();
     boolean notify = false;
 
     String aipType = getType(sip);
 
-    AIP aip = model.createAIP(state, parentId.orElse(null), aipType, permissions, ingestSIPUUID, ingestSIPIds,
+    User user = model.retrieveUser(username);
+
+    if (parentId.isPresent()){
+      permissions = model.retrieveAIP(parentId.get()).getPermissions();
+    }
+
+    Permissions finalPermissions = PermissionUtils.calculatePermissions(user, Optional.of(permissions));
+
+    AIP aip = model.createAIP(state, parentId.orElse(null), aipType, finalPermissions, ingestSIPUUID, ingestSIPIds,
       ingestJobId, notify, username);
 
     PluginHelper.acquireObjectLock(aip, plugin);
@@ -76,17 +84,13 @@ public static AIP earkSIPToAIP(SIP sip, String username, Permissions fullPermiss
       processIPRepresentationInformation(model, representation, aip.getId(), notify, false, username, null);
     }
 
+
     // INFO 20190509 hsilva: this is required as the previous instructions
     // update the AIP metadata
     AIP createdAIP = model.retrieveAIP(aip.getId());
 
-    // Set Permissions
-    Permissions readPermissions = PermissionUtils.grantReadPermissionToUserGroup(model, createdAIP,
-      aip.getPermissions());
-    Permissions finalPermissions = PermissionUtils.grantAllPermissions(username, readPermissions, fullPermissions);
-    createdAIP.setPermissions(finalPermissions);
-
     return model.updateAIP(createdAIP, username);
+
   }
 
   public static AIP earkSIPToAIPUpdate(SIP sip, IndexedAIP indexedAIP, ModelService model, StorageService storage,