
Example 6 with CollectionPermission

Use of ddf.security.permission.CollectionPermission in the project ddf by codice.

From class WorkspacePolicyExtensionTest, method testShouldRemoveRolesAndEmailsWhenAnyImplied: when the subject's CollectionPermission already implies the permissions in the match-all collection, the workspace policy extension must strip the ROLES and EMAILS permissions and leave only RANDOM.

@Test
public void testShouldRemoveRolesAndEmailsWhenAnyImplied() {
    // Match-all collection the realm hands to the extension; RANDOM, ROLES and EMAILS are test fixtures
    List<Permission> before = ImmutableList.of(RANDOM, ROLES, EMAILS);
    doReturn(before).when(match).getPermissionList();
    // Subject whose CollectionPermission implies everything (the predicate always returns true)
    CollectionPermission subject = makeSubject((p) -> true);
    List<Permission> after = extension.isPermittedMatchAll(subject, match).getPermissionList();
    // Only RANDOM survives: the role and email permissions are dropped once implied
    assertThat(after, is(ImmutableList.of(RANDOM)));
}
Also used: CollectionPermission (ddf.security.permission.CollectionPermission), KeyValuePermission (ddf.security.permission.KeyValuePermission), KeyValueCollectionPermission (ddf.security.permission.KeyValueCollectionPermission), Permission (org.apache.shiro.authz.Permission), Test (org.junit.Test)

Example 7 with CollectionPermission

Use of ddf.security.permission.CollectionPermission in the project ddf by codice.

From class TestPepInterceptorActions, method testMessageWithMessageAction: when the operation's WSDL metadata carries a wsaw:Action attribute, PEPAuthorizingInterceptor must use that value verbatim as the action of the CollectionPermission it checks against the Subject.

@Test
public void testMessageWithMessageAction() throws SecurityServiceException {
    PEPAuthorizingInterceptor interceptor = new PEPAuthorizingInterceptor();
    SecurityManager mockSecurityManager = mock(SecurityManager.class);
    interceptor.setSecurityManager(mockSecurityManager);
    Message messageWithAction = mock(Message.class);
    SecurityAssertion mockSecurityAssertion = mock(SecurityAssertion.class);
    SecurityToken mockSecurityToken = mock(SecurityToken.class);
    Subject mockSubject = mock(Subject.class);
    assertNotNull(mockSecurityAssertion);
    // Static collaborators are mocked so the interceptor resolves the assertion, token and subject from the mocks
    PowerMockito.mockStatic(SecurityAssertionStore.class);
    PowerMockito.mockStatic(SecurityLogger.class);
    when(SecurityAssertionStore.getSecurityAssertion(messageWithAction)).thenReturn(mockSecurityAssertion);
    // SecurityLogger is already stubbed out
    when(mockSecurityAssertion.getSecurityToken()).thenReturn(mockSecurityToken);
    when(mockSecurityToken.getToken()).thenReturn(null);
    when(mockSecurityManager.getSubject(mockSecurityToken)).thenReturn(mockSubject);
    // The operation's WSDL metadata supplies an explicit wsaw:Action
    MessageInfo mockMessageInfo = mock(MessageInfo.class);
    when(messageWithAction.get(MessageInfo.class.getName())).thenReturn(mockMessageInfo);
    when(mockMessageInfo.getExtensionAttribute(new QName(Names.WSA_NAMESPACE_WSDL_METADATA, Names.WSAW_ACTION_NAME))).thenReturn("urn:catalog:query:query-port:search");
    // The permission handed to Subject.isPermitted must carry that action unchanged
    doAnswer(new Answer<Boolean>() {

        @Override
        public Boolean answer(InvocationOnMock invocation) throws Throwable {
            CollectionPermission perm = (CollectionPermission) invocation.getArguments()[0];
            assertEquals("urn:catalog:query:query-port:search", perm.getAction());
            return true;
        }
    }).when(mockSubject).isPermitted(isA(CollectionPermission.class));
    // This should work.
    interceptor.handleMessage(messageWithAction);
    PowerMockito.verifyStatic();
}
Also used: SecurityManager (ddf.security.service.SecurityManager), Message (org.apache.cxf.message.Message), QName (javax.xml.namespace.QName), SecurityAssertion (ddf.security.assertion.SecurityAssertion), Subject (ddf.security.Subject), MessageInfo (org.apache.cxf.service.model.MessageInfo), SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken), InvocationOnMock (org.mockito.invocation.InvocationOnMock), CollectionPermission (ddf.security.permission.CollectionPermission), PrepareForTest (org.powermock.core.classloader.annotations.PrepareForTest), Test (org.junit.Test)

Example 8 with CollectionPermission

Use of ddf.security.permission.CollectionPermission in the project ddf by codice.

From class TestPepInterceptorActions, method testMessageWithDefaultUriAction: with no wsaw:Action attribute and no SOAP operation info on the binding, the interceptor must derive the action from the WSDL operation and port QNames as <operation namespace>:<port local part>:<operation local part>Request.

@Test
public void testMessageWithDefaultUriAction() throws SecurityServiceException {
    PEPAuthorizingInterceptor interceptor = new PEPAuthorizingInterceptor();
    SecurityManager mockSecurityManager = mock(SecurityManager.class);
    interceptor.setSecurityManager(mockSecurityManager);
    Message messageWithAction = mock(Message.class);
    SecurityAssertion mockSecurityAssertion = mock(SecurityAssertion.class);
    SecurityToken mockSecurityToken = mock(SecurityToken.class);
    Subject mockSubject = mock(Subject.class);
    assertNotNull(mockSecurityAssertion);
    // Static collaborators are mocked so the interceptor resolves the assertion, token and subject from the mocks
    PowerMockito.mockStatic(SecurityAssertionStore.class);
    PowerMockito.mockStatic(SecurityLogger.class);
    when(SecurityAssertionStore.getSecurityAssertion(messageWithAction)).thenReturn(mockSecurityAssertion);
    // SecurityLogger is already stubbed out
    when(mockSecurityAssertion.getSecurityToken()).thenReturn(mockSecurityToken);
    when(mockSecurityToken.getToken()).thenReturn(null);
    when(mockSecurityManager.getSubject(mockSecurityToken)).thenReturn(mockSubject);
    // Only the WSDL operation and port are available on the message; no wsaw:Action is present
    QName op = new QName("urn:catalog:query", "search", "ns1");
    QName port = new QName("urn:catalog:query", "query-port", "ns1");
    when(messageWithAction.get(MessageContext.WSDL_OPERATION)).thenReturn(op);
    when(messageWithAction.get(MessageContext.WSDL_PORT)).thenReturn(port);
    // The binding carries no SoapOperationInfo either, so no SOAPAction can be used
    Exchange mockExchange = mock(Exchange.class);
    BindingOperationInfo mockBOI = mock(BindingOperationInfo.class);
    when(messageWithAction.getExchange()).thenReturn(mockExchange);
    when(mockExchange.get(BindingOperationInfo.class)).thenReturn(mockBOI);
    when(mockBOI.getExtensor(SoapOperationInfo.class)).thenReturn(null);
    // The fallback action is namespace:port:operation with a "Request" suffix
    doAnswer(new Answer<Boolean>() {

        @Override
        public Boolean answer(InvocationOnMock invocation) throws Throwable {
            CollectionPermission perm = (CollectionPermission) invocation.getArguments()[0];
            assertEquals("urn:catalog:query:query-port:searchRequest", perm.getAction());
            return true;
        }
    }).when(mockSubject).isPermitted(isA(CollectionPermission.class));
    // This should work.
    interceptor.handleMessage(messageWithAction);
    PowerMockito.verifyStatic();
}
Also used: BindingOperationInfo (org.apache.cxf.service.model.BindingOperationInfo), SecurityManager (ddf.security.service.SecurityManager), Message (org.apache.cxf.message.Message), QName (javax.xml.namespace.QName), SecurityAssertion (ddf.security.assertion.SecurityAssertion), Subject (ddf.security.Subject), SecurityToken (org.apache.cxf.ws.security.tokenstore.SecurityToken), Exchange (org.apache.cxf.message.Exchange), InvocationOnMock (org.mockito.invocation.InvocationOnMock), CollectionPermission (ddf.security.permission.CollectionPermission), PrepareForTest (org.powermock.core.classloader.annotations.PrepareForTest), Test (org.junit.Test)

Example 9 with CollectionPermission

Use of ddf.security.permission.CollectionPermission in the project ddf by codice.

From class AuthzRealmTest, method testAddRemoveSetPolicyExtension: exercises only the registration API of the realm (add, remove, set). The extension's methods deliberately throw, so the test would fail loudly if registering an extension caused it to be evaluated.

@Test
public void testAddRemoveSetPolicyExtension() {
    // Both evaluation hooks throw: registration must never invoke them
    PolicyExtension policyExtension = new PolicyExtension() {

        @Override
        public KeyValueCollectionPermission isPermittedMatchAll(CollectionPermission subjectAllCollection, KeyValueCollectionPermission matchAllCollection) {
            throw new NullPointerException();
        }

        @Override
        public KeyValueCollectionPermission isPermittedMatchOne(CollectionPermission subjectAllCollection, KeyValueCollectionPermission matchOneCollection) {
            throw new NullPointerException();
        }
    };
    testRealm.addPolicyExtension(policyExtension);
    testRealm.removePolicyExtension(policyExtension);
    testRealm.setPolicyExtensions(Arrays.asList(policyExtension));
}
Also used: KeyValueCollectionPermission (ddf.security.permission.KeyValueCollectionPermission), CollectionPermission (ddf.security.permission.CollectionPermission), PolicyExtension (ddf.security.policy.extension.PolicyExtension), Test (org.junit.Test)

Example 10 with CollectionPermission

Use of ddf.security.permission.CollectionPermission in the project ddf by codice.

From class AuthzRealm, method isPermitted: the realm's core authorization decision. A KeyValueCollectionPermission is split by key into match-all, match-one and unmapped permissions; each group is passed through the registered policy extensions; the mapped groups are implied locally against the subject's permissions; and the unmapped group is sent to the XACML PDP only when it cannot be implied locally. A bare KeyValuePermission is first wrapped in a KeyValueCollectionPermission with UNKNOWN_ACTION; any other Permission type is granted if one of the subject's permissions implies it directly.

/**
 * Checks if the corresponding Subject/user contained within the AuthorizationInfo object
 * implies the given Permission.
 *
 * @param subjectPrincipal  the subject's principals; the primary principal names the user in audit messages.
 * @param permission        the permission being checked.
 * @param authorizationInfo the application-specific subject/user identifier.
 * @return true if the user is permitted
 */
private boolean isPermitted(PrincipalCollection subjectPrincipal, Permission permission, AuthorizationInfo authorizationInfo) {
    Collection<Permission> perms = getPermissions(authorizationInfo);
    String curUser = "<user>";
    if (subjectPrincipal != null && subjectPrincipal.getPrimaryPrincipal() != null) {
        curUser = subjectPrincipal.getPrimaryPrincipal().toString();
    }
    if (!CollectionUtils.isEmpty(perms)) {
        if (permission instanceof KeyValuePermission) {
            // Callers should pass a KeyValueCollectionPermission carrying an action; wrap the bare permission so it can still be evaluated
            permission = new KeyValueCollectionPermission(CollectionPermission.UNKNOWN_ACTION, (KeyValuePermission) permission);
            LOGGER.debug("Should not execute subject.isPermitted with KeyValuePermission. Instead create a KeyValueCollectionPermission with an action.");
        }
        if (permission != null && permission instanceof KeyValueCollectionPermission) {
            KeyValueCollectionPermission kvcp = (KeyValueCollectionPermission) permission;
            List<KeyValuePermission> keyValuePermissions = kvcp.getKeyValuePermissionList();
            List<KeyValuePermission> matchOnePermissions = new ArrayList<>();
            List<KeyValuePermission> matchAllPermissions = new ArrayList<>();
            List<KeyValuePermission> matchAllPreXacmlPermissions = new ArrayList<>();
            for (KeyValuePermission keyValuePermission : keyValuePermissions) {
                String metacardKey = keyValuePermission.getKey();
                if (matchAllMap.containsKey(metacardKey)) {
                    // user specified this key in the match-all list: remap the key
                    KeyValuePermission kvp = new KeyValuePermission(matchAllMap.get(metacardKey), keyValuePermission.getValues());
                    matchAllPermissions.add(kvp);
                } else if (matchOneMap.containsKey(metacardKey)) {
                    // user specified this key in the match-one list: remap the key
                    KeyValuePermission kvp = new KeyValuePermission(matchOneMap.get(metacardKey), keyValuePermission.getValues());
                    matchOnePermissions.add(kvp);
                } else {
                    // this key was not specified in either map: default to match-all with the same key.
                    // The list is first tried as a quick local match-all; if that fails, XACML evaluates it.
                    // This covers the case where the user's attributes line up exactly with the permissions being implied
                    // and also lets the XACML-bound permissions run through the policy extensions.
                    matchAllPreXacmlPermissions.add(keyValuePermission);
                }
            }
            // The subject's permissions as a match-all collection; the action is unknown at this level
            CollectionPermission subjectAllCollection = new CollectionPermission(CollectionPermission.UNKNOWN_ACTION, perms);
            KeyValueCollectionPermission matchAllCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchAllPermissions);
            KeyValueCollectionPermission matchAllPreXacmlCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchAllPreXacmlPermissions);
            KeyValueCollectionPermission matchOneCollection = new KeyValueCollectionPermission(kvcp.getAction(), matchOnePermissions);
            // Policy extensions may remove (or rewrite) required permissions before the local implication checks
            matchAllCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllCollection);
            matchAllPreXacmlCollection = isPermittedByExtensionAll(subjectAllCollection, matchAllPreXacmlCollection);
            matchOneCollection = isPermittedByExtensionOne(subjectAllCollection, matchOneCollection);
            MatchOneCollectionPermission subjectOneCollection = new MatchOneCollectionPermission(perms);
            boolean matchAll = subjectAllCollection.implies(matchAllCollection);
            boolean matchAllXacml = subjectAllCollection.implies(matchAllPreXacmlCollection);
            boolean matchOne = subjectOneCollection.implies(matchOneCollection);
            if (!matchAll || !matchOne) {
                SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
            }
            // if we weren't able to imply these permissions locally, call out to XACML.
            // Note that the PDP is given the unmapped list as built above, not the extension-filtered collection.
            if (!matchAllXacml) {
                KeyValueCollectionPermission xacmlPermissions = new KeyValueCollectionPermission(kvcp.getAction(), matchAllPreXacmlPermissions);
                matchAllXacml = xacmlPdp.isPermitted(curUser, authorizationInfo, xacmlPermissions);
                if (!matchAllXacml) {
                    SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied via XACML.");
                }
            }
            // All three groups must pass; a failure in any one denies the request
            return matchAll && matchOne && matchAllXacml;
        }
        // Any other Permission type: granted if one of the subject's permissions implies it
        for (Permission perm : perms) {
            if (permission != null && perm.implies(permission)) {
                return true;
            }
        }
    }
    SecurityLogger.audit(PERMISSION_FINISH_1_MSG + curUser + PERMISSION_FINISH_2_MSG + permission + "] is not implied.");
    return false;
}
Also used: KeyValueCollectionPermission (ddf.security.permission.KeyValueCollectionPermission), MatchOneCollectionPermission (ddf.security.permission.MatchOneCollectionPermission), CollectionPermission (ddf.security.permission.CollectionPermission), KeyValuePermission (ddf.security.permission.KeyValuePermission), Permission (org.apache.shiro.authz.Permission), ArrayList (java.util.ArrayList)
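The decision flow of isPermitted above, together with a policy extension in the spirit of Example 6, as an added self-contained Python model. This is not DDF code: KVP, match_all, match_one, the key maps, the PDP stub and the implication semantics (same key, every required value held; match-one needs any one shared value) are simplified stand-ins and assumptions. It preserves one detail worth knowing from the realm: the PDP receives the unmapped permissions as originally built, not the extension-filtered collection.

```python
"""Model of AuthzRealm.isPermitted's decision flow (Example 10) with a toy
policy extension modelled on Example 6. Added example: the classes here are
simplified stand-ins, not DDF's CollectionPermission/KeyValuePermission."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class KVP:
    """One attribute requirement (or one attribute the subject holds)."""
    key: str
    values: frozenset

    def implies(self, other: "KVP") -> bool:
        # Assumed semantics: same key and every required value is held.
        return self.key == other.key and other.values <= self.values


def match_all(held: List[KVP], required: List[KVP]) -> bool:
    """CollectionPermission-style: every required KVP must be implied by some
    held KVP. An empty requirement list is trivially satisfied."""
    return all(any(h.implies(r) for h in held) for r in required)


def match_one(held: List[KVP], required: List[KVP]) -> bool:
    """MatchOneCollectionPermission-style: for each required KVP the subject
    must hold at least one of its values under the same key."""
    return all(any(h.key == r.key and h.values & r.values for h in held)
               for r in required)


def drop_roles_and_emails_when_any_implied(held, required):
    """Toy policy extension modelled on Example 6: once the subject implies
    any KVP in the collection, the 'role' and 'email' requirements are dropped."""
    if any(any(h.implies(r) for h in held) for r in required):
        return [r for r in required if r.key not in ("role", "email")]
    return required


def is_permitted(user, held, required, match_all_map, match_one_map,
                 extensions, pdp, audit):
    """Mirror of the realm's KeyValueCollectionPermission branch. pdp(user,
    held, kvps) stands in for xacmlPdp.isPermitted and audit(msg) for
    SecurityLogger.audit; each extension is applied to all three groups."""
    if not held:
        audit(f"[{user}] {required} is not implied.")
        return False
    all_req, one_req, pre_xacml = [], [], []
    for r in required:
        if r.key in match_all_map:        # remap key, match-all semantics
            all_req.append(KVP(match_all_map[r.key], r.values))
        elif r.key in match_one_map:      # remap key, match-one semantics
            one_req.append(KVP(match_one_map[r.key], r.values))
        else:                             # unmapped: try locally, else XACML
            pre_xacml.append(r)
    ext_all, ext_xacml, ext_one = all_req, pre_xacml, one_req
    for ext in extensions:
        ext_all, ext_xacml = ext(held, ext_all), ext(held, ext_xacml)
        ext_one = ext(held, ext_one)
    ok_all = match_all(held, ext_all)
    ok_one = match_one(held, ext_one)
    ok_xacml = match_all(held, ext_xacml)
    if not (ok_all and ok_one):
        audit(f"[{user}] {required} is not implied.")
    if not ok_xacml:
        # As in the realm, the PDP sees the unfiltered unmapped list, not the
        # extension-filtered collection.
        ok_xacml = pdp(user, held, pre_xacml)
        if not ok_xacml:
            audit(f"[{user}] {required} is not implied via XACML.")
    return ok_all and ok_one and ok_xacml


# Constructed sample subject and key maps (not DDF defaults).
SUBJECT = [KVP("role", frozenset({"user"})),
           KVP("email", frozenset({"alice@example.com"})),
           KVP("clearance", frozenset({"S"}))]
MATCH_ALL_MAP = {"security.classification": "clearance"}
MATCH_ONE_MAP = {"security.access-groups": "role"}


def demo():
    audits, pdp_calls = [], []

    def pdp(user, held, kvps):            # stub PDP: allows only "alice"
        pdp_calls.append([k.key for k in kvps])
        return user == "alice"

    def run(required, user="alice"):
        return is_permitted(user, SUBJECT, required, MATCH_ALL_MAP,
                            MATCH_ONE_MAP,
                            [drop_roles_and_emails_when_any_implied],
                            pdp, audits.append)

    local_ok = run([KVP("security.classification", frozenset({"S"})),
                    KVP("security.access-groups", frozenset({"user", "admin"})),
                    KVP("email", frozenset({"alice@example.com"}))])
    via_xacml = run([KVP("security.classification", frozenset({"S"})),
                     KVP("custom.attr", frozenset({"x"}))])
    denied = run([KVP("security.classification", frozenset({"TS"}))])
    return {"local_ok": local_ok, "via_xacml": via_xacml, "denied": denied,
            "pdp_calls": pdp_calls, "audits": len(audits)}
```

Running demo() shows the three paths: the first request is implied entirely locally (the extension drops the already-satisfied email requirement, so the PDP is never consulted); the second cannot imply custom.attr locally and is decided by the PDP, which is handed only that unmapped key; the third fails the match-all check on clearance, is audited once, and is denied without a PDP call because its unmapped group is empty.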
