Make central function for creating episode role ids

Instead of having the Asset Manager and Search Service
concatenate roles by themselves, there is now a general
function in common for them to use instead.

modules/asset-manager-impl/src/main/java/org/opencastproject/assetmanager/impl/AssetManagerImpl.java

@@ -28,8 +28,10 @@
 import static org.opencastproject.mediapackage.MediaPackageSupport.Filters.isNotPublication;
 import static org.opencastproject.mediapackage.MediaPackageSupport.getFileName;
 import static org.opencastproject.mediapackage.MediaPackageSupport.getMediaPackageElementId;
+import static org.opencastproject.security.api.SecurityConstants.EPISODE_ROLE_ID_PREFIX;
 import static org.opencastproject.security.api.SecurityConstants.GLOBAL_ADMIN_ROLE;
 import static org.opencastproject.security.api.SecurityConstants.GLOBAL_CAPTURE_AGENT_ROLE;
+import static org.opencastproject.security.util.SecurityUtil.getEpisodeRoleId;
 
 import org.opencastproject.assetmanager.api.Asset;
 import org.opencastproject.assetmanager.api.AssetId;
@@ -174,7 +176,6 @@ enum AdminRole {
 
   private static final String MANIFEST_DEFAULT_NAME = "manifest";
 
-  private static final String ACL_ID_PREFIX_EPISODE = "ROLE_EPISODE_";
   private static final String CONFIG_EPISODE_ID_ROLE = "org.opencastproject.episode.id.role.access";
   private static boolean episodeIdRole = false;
 
@@ -1068,8 +1069,9 @@ private Predicate mkAuthPredicate(final String action) {
     return securityService.getUser().getRoles().stream()
             .filter(roleFilter)
             .map((role) -> {
-              if (episodeIdRole && role.getName().startsWith(ACL_ID_PREFIX_EPISODE)) {
-                return q.mediapackageId().eq(StringUtils.substringBetween(role.getName(), ACL_ID_PREFIX_EPISODE, "_"));
+              if (episodeIdRole && role.getName().startsWith(EPISODE_ROLE_ID_PREFIX)) {
+                return q.mediapackageId().eq(StringUtils.substringBetween(
+                    role.getName(), EPISODE_ROLE_ID_PREFIX + "_", "_"));
               } else {
                 return q.property(Value.BOOLEAN, SECURITY_NAMESPACE, mkPropertyName(role.getName(), action)).eq(true);
               }
@@ -1104,7 +1106,7 @@ private boolean isAuthorized(final String mediaPackageId, final String action) {
         }
         // check episode role id
         User user = securityService.getUser();
-        if (episodeIdRole && user.hasRole(ACL_ID_PREFIX_EPISODE + mediaPackageId + "_" + action.toUpperCase())) {
+        if (episodeIdRole && user.hasRole(getEpisodeRoleId(mediaPackageId, action))) {
           return true;
         }
         // check acl rules

modules/common/src/main/java/org/opencastproject/security/api/SecurityConstants.java

@@ -62,4 +62,7 @@ public interface SecurityConstants {
   /** The administrator user configuration option */
   String GLOBAL_ADMIN_USER_PROPERTY = "org.opencastproject.security.admin.user";
 
+  /** The prefix for episode role ids */
+  String EPISODE_ROLE_ID_PREFIX = "ROLE_EPISODE";
+
 }

modules/common/src/main/java/org/opencastproject/security/util/SecurityUtil.java

@@ -22,6 +22,7 @@
 package org.opencastproject.security.util;
 
 import static org.apache.commons.lang3.StringUtils.isBlank;
+import static org.opencastproject.security.api.SecurityConstants.EPISODE_ROLE_ID_PREFIX;
 import static org.opencastproject.security.api.SecurityConstants.GLOBAL_ADMIN_ROLE;
 import static org.opencastproject.security.api.SecurityConstants.GLOBAL_ANONYMOUS_USERNAME;
 import static org.opencastproject.security.api.SecurityConstants.GLOBAL_CAPTURE_AGENT_ROLE;
@@ -200,4 +201,15 @@ private static String sanitizeCaName(final String ca) {
   public static String getCaptureAgentRole(final String agentId) {
     return GLOBAL_CAPTURE_AGENT_ROLE + "_" + sanitizeCaName(agentId);
   }
+
+  /**
+   * Get the episode role id for a mediapackage and an action
+   *
+   * @param mediaPackageId the id of the mediapackage
+   * @param action the action as a string
+   * @return the role
+   */
+  public static String getEpisodeRoleId(final String mediaPackageId, final String action) {
+    return EPISODE_ROLE_ID_PREFIX + "_" + mediaPackageId + "_" + action.toUpperCase();
+  }
 }

modules/search-service-impl/src/main/java/org/opencastproject/search/impl/persistence/SearchServiceDatabaseImpl.java

@@ -26,6 +26,7 @@
 import static org.opencastproject.security.api.Permissions.Action.READ;
 import static org.opencastproject.security.api.Permissions.Action.WRITE;
 import static org.opencastproject.security.api.SecurityConstants.GLOBAL_CAPTURE_AGENT_ROLE;
+import static org.opencastproject.security.util.SecurityUtil.getEpisodeRoleId;
 
 import org.opencastproject.db.DBSession;
 import org.opencastproject.db.DBSessionFactory;
@@ -84,8 +85,6 @@ public class SearchServiceDatabaseImpl implements SearchServiceDatabase {
   /** Logging utilities */
   private static final Logger logger = LoggerFactory.getLogger(SearchServiceDatabaseImpl.class);
 
-  private static final String ACL_ID_PREFIX_EPISODE = "ROLE_EPISODE_";
-
   /** Factory used to create {@link EntityManager}s for transactions */
   protected EntityManagerFactory emf;
 
@@ -175,7 +174,7 @@ public void deleteMediaPackage(String mediaPackageId, Date deletionDate) throws
 
         // allow ca users to retract live publications without putting them into the ACL
         User user = securityService.getUser();
-        if (!user.hasRole(ACL_ID_PREFIX_EPISODE + mediaPackageId + "_" + WRITE.toString().toUpperCase())) {
+        if (!user.hasRole(getEpisodeRoleId(mediaPackageId, WRITE.toString()))) {
           if (!(searchMp.isLive() && currentUser.hasRole(GLOBAL_CAPTURE_AGENT_ROLE)) && accessControlXml != null) {
             AccessControlList acl = AccessControlParser.parseAcl(accessControlXml);
             if (!AccessControlUtil.isAuthorized(acl, currentUser, currentOrg, WRITE.toString())) {
@@ -354,7 +353,7 @@ public void storeMediaPackage(MediaPackage mediaPackage, AccessControlList acl,
           // Ensure this user is allowed to update this media package
           // If user has ROLE_EPISODE_<ID>_WRITE, no further permission checks are necessary
           User user = securityService.getUser();
-          if (!user.hasRole(ACL_ID_PREFIX_EPISODE + mediaPackageId + "_" + WRITE.toString().toUpperCase())) {
+          if (!user.hasRole(getEpisodeRoleId(mediaPackageId, WRITE.toString()))) {
             String accessControlXml = entity.get().getAccessControl();
             if (accessControlXml != null && entity.get().getDeletionDate() == null) {
               AccessControlList accessList = AccessControlParser.parseAcl(accessControlXml);
@@ -402,7 +401,7 @@ public MediaPackage getMediaPackage(String mediaPackageId)
         User user = securityService.getUser();
         final String[] suffix = { READ.toString(), CONTRIBUTE.toString(), WRITE.toString() };
         for (var action : suffix) {
-          if (user.hasRole(ACL_ID_PREFIX_EPISODE + mediaPackageId + "_" + action.toUpperCase())) {
+          if (user.hasRole(getEpisodeRoleId(mediaPackageId, action))) {
             return MediaPackageParser.getFromXml(episodeEntity.get().getMediaPackageXML());
           }
         }
@@ -444,7 +443,7 @@ public Date getModificationDate(String mediaPackageId) throws NotFoundException,
         }
         // Ensure this user is allowed to read this media package
         User user = securityService.getUser();
-        if (!user.hasRole(ACL_ID_PREFIX_EPISODE + mediaPackageId + "_" + READ.toString().toUpperCase())) {
+        if (!user.hasRole(getEpisodeRoleId(mediaPackageId, READ.toString()))) {
           String accessControlXml = searchEntity.get().getAccessControl();
           if (accessControlXml != null) {
             AccessControlList acl = AccessControlParser.parseAcl(accessControlXml);
@@ -481,7 +480,7 @@ public Date getDeletionDate(String mediaPackageId) throws NotFoundException, Sea
         }
         // Ensure this user is allowed to read this media package
         User user = securityService.getUser();
-        if (!user.hasRole(ACL_ID_PREFIX_EPISODE + mediaPackageId + "_" + READ.toString().toUpperCase())) {
+        if (!user.hasRole(getEpisodeRoleId(mediaPackageId, READ.toString()))) {
           String accessControlXml = searchEntity.get().getAccessControl();
           if (accessControlXml != null) {
             AccessControlList acl = AccessControlParser.parseAcl(accessControlXml);
@@ -518,7 +517,7 @@ public String getOrganizationId(String mediaPackageId) throws NotFoundException,
         }
         // Ensure this user is allowed to read this media package
         User user = securityService.getUser();
-        if (!user.hasRole(ACL_ID_PREFIX_EPISODE + mediaPackageId + "_" + READ.toString().toUpperCase())) {
+        if (!user.hasRole(getEpisodeRoleId(mediaPackageId, READ.toString()))) {
           String accessControlXml = searchEntity.get().getAccessControl();
           if (accessControlXml != null) {
             AccessControlList acl = AccessControlParser.parseAcl(accessControlXml);