use of gemma.gsec.acl.domain.AclGrantedAuthoritySid in project Gemma by PavlidisLab.
the class SecurityServiceTest method testRemoveMultipleAcesFromPrivateExpressionExperiment.
/*
* Tests an unlikely scenario?? but if there is an acl that was duplicated with same principal, permission and
* object then both acls can be deleted.
*/
@Test
public void testRemoveMultipleAcesFromPrivateExpressionExperiment() {
// make private experiment
ExpressionExperiment ee = super.getTestPersistentBasicExpressionExperiment();
this.securityService.makePrivate(ee);
// add user and add the user to a group
String username = "salmonid";
String groupName = "fish" + this.randomName();
this.makeUser(username);
this.securityService.makeOwnedByUser(ee, username);
assertTrue(this.securityService.isEditableByUser(ee, username));
this.runAsUser(username);
this.securityService.createGroup(groupName);
// get the basic acls
MutableAcl acl = aclTestUtils.getAcl(ee);
int numberOfAces = acl.getEntries().size();
// make readable by group add first ACE read for group and check added
this.securityService.makeReadableByGroup(ee, groupName);
MutableAcl aclAfterReadableAdded = aclTestUtils.getAcl(ee);
assertEquals(numberOfAces + 1, aclAfterReadableAdded.getEntries().size());
// force the addition of duplicate ACE read, fish group on the same experiment. Note that in the current
// implementation this only adds one - we already avoid duplicates.
List<GrantedAuthority> groupAuthorities = this.userManager.findGroupAuthorities(groupName);
GrantedAuthority ga = groupAuthorities.get(0);
aclAfterReadableAdded.insertAce(aclAfterReadableAdded.getEntries().size(), BasePermission.READ, new AclGrantedAuthoritySid(this.userManager.getRolePrefix() + ga), true);
this.aclTestUtils.update(aclAfterReadableAdded);
MutableAcl aclAfterReadableAddedDuplicate = aclTestUtils.getAcl(ee);
assertEquals(numberOfAces + 1, aclAfterReadableAddedDuplicate.getEntries().size());
// remove the ace now and check removed permission completely.
this.securityService.makeUnreadableByGroup(ee, groupName);
MutableAcl aclAfterReadableAddedDuplicateRemoval = aclTestUtils.getAcl(ee);
assertEquals(numberOfAces, aclAfterReadableAddedDuplicateRemoval.getEntries().size());
List<AccessControlEntry> entriesAfterDelete = aclAfterReadableAddedDuplicateRemoval.getEntries();
assertEquals(numberOfAces, entriesAfterDelete.size());
// also check that the right ACE check the principals
Collection<String> principals = new ArrayList<>();
principals.add("AclGrantedAuthoritySid[GROUP_ADMIN]");
principals.add("AclGrantedAuthoritySid[GROUP_AGENT]");
principals.add("AclPrincipalSid[salmonid]");
principals.add("AclPrincipalSid[salmonid]");
for (AccessControlEntry accessControl : entriesAfterDelete) {
Sid sid = accessControl.getSid();
assertTrue(principals.contains(sid.toString()));
// remove it once in case found in case of duplicates
principals.remove(sid.toString());
}
// clean up the groups
this.userManager.deleteGroup(groupName);
// userManager.deleteUser( username );
}
use of gemma.gsec.acl.domain.AclGrantedAuthoritySid in project Gemma by PavlidisLab.
the class EntityUtils method getPermissions.
/**
* Checks ACL related properties from the AclObjectIdentity.
* Some of the code is adapted from {@link gemma.gsec.util.SecurityUtil}, but allows usage without an Acl object.
*
* @param aoi the acl object identity of an object whose permissions are to be checked.
* @return an array of booleans that represent permissions of currently logged in user as follows:
* <ol>
* <li>is object public</li>
* <li>can user write to object</li>
* <li>is object shared</li>
* </ol>
* (note that actual indexing in the array starts at 0).
*/
public static boolean[] getPermissions(AclObjectIdentity aoi) {
boolean isPublic = false;
boolean canWrite = false;
boolean isShared = false;
for (AclEntry ace : aoi.getEntries()) {
if (SecurityUtil.isUserAdmin()) {
canWrite = true;
} else if (SecurityUtil.isUserAnonymous()) {
canWrite = false;
} else {
if (ace.getMask() == BasePermission.WRITE.getMask() || ace.getMask() == BasePermission.ADMINISTRATION.getMask()) {
Sid sid = ace.getSid();
if (sid instanceof AclGrantedAuthoritySid) {
// noinspection unused //FIXME if user is in granted group then he can write probably
String grantedAuthority = ((AclGrantedAuthoritySid) sid).getGrantedAuthority();
} else if (sid instanceof AclPrincipalSid) {
if (((AclPrincipalSid) sid).getPrincipal().equals(SecurityUtil.getCurrentUsername())) {
canWrite = true;
}
}
}
}
// Check public and shared - code adapted from SecurityUtils, only we do not hold an ACL object.
if (ace.getPermission().equals(BasePermission.READ)) {
Sid sid = ace.getSid();
if (sid instanceof AclGrantedAuthoritySid) {
String grantedAuthority = ((AclGrantedAuthoritySid) sid).getGrantedAuthority();
if (grantedAuthority.equals(AuthorityConstants.IS_AUTHENTICATED_ANONYMOUSLY) && ace.isGranting()) {
isPublic = true;
}
if (grantedAuthority.startsWith("GROUP_") && ace.isGranting()) {
if (!grantedAuthority.equals(AuthorityConstants.AGENT_GROUP_AUTHORITY) && !grantedAuthority.equals(AuthorityConstants.ADMIN_GROUP_AUTHORITY)) {
isShared = true;
}
}
}
}
}
return new boolean[] { isPublic, canWrite, isShared };
}
use of gemma.gsec.acl.domain.AclGrantedAuthoritySid in project Gemma by PavlidisLab.
the class UserServiceImpl method delete.
@Override
public void delete(UserGroup group) {
String groupName = group.getName();
if (!this.groupExists(groupName)) {
throw new IllegalArgumentException("No group with that name: " + groupName);
}
/*
* make sure this isn't one of the special groups
*/
if (groupName.equals(AuthorityConstants.USER_GROUP_NAME) || groupName.equals(AuthorityConstants.ADMIN_GROUP_NAME) || groupName.equals(AuthorityConstants.AGENT_GROUP_NAME)) {
throw new IllegalArgumentException("Cannot remove that group, it is required for system operation.");
}
if (!securityService.isOwnedByCurrentUser(this.findGroupByName(groupName)) && !SecurityUtil.isUserAdmin()) {
throw new AccessDeniedException("Only administrator or owner of a group can remove it");
}
String authority = securityService.getGroupAuthorityNameFromGroupName(groupName);
this.userGroupDao.remove((ubic.gemma.model.common.auditAndSecurity.UserGroup) group);
/*
* clean up acls that use this group...do that last!
*/
aclService.deleteSid(new AclGrantedAuthoritySid(authority));
}
Aggregations