Examples with AclGrantedAuthoritySid gemma.gsec.acl.domain.AclGrantedAuthoritySid used on opensource projects

Example 1 with AclGrantedAuthoritySid

use of gemma.gsec.acl.domain.AclGrantedAuthoritySid in project Gemma by PavlidisLab.

the class SecurityServiceTest method testRemoveMultipleAcesFromPrivateExpressionExperiment.

/*
     * Tests an unlikely scenario?? but if there is an acl that was duplicated with same principal, permission and
     * object then both acls can be deleted.
     */
@Test
public void testRemoveMultipleAcesFromPrivateExpressionExperiment() {
    // make private experiment
    ExpressionExperiment ee = super.getTestPersistentBasicExpressionExperiment();
    this.securityService.makePrivate(ee);
    // add user and add the user to a group
    String username = "salmonid";
    String groupName = "fish" + this.randomName();
    this.makeUser(username);
    this.securityService.makeOwnedByUser(ee, username);
    assertTrue(this.securityService.isEditableByUser(ee, username));
    this.runAsUser(username);
    this.securityService.createGroup(groupName);
    // get the basic acls
    MutableAcl acl = aclTestUtils.getAcl(ee);
    int numberOfAces = acl.getEntries().size();
    // make readable by group add first ACE read for group and check added
    this.securityService.makeReadableByGroup(ee, groupName);
    MutableAcl aclAfterReadableAdded = aclTestUtils.getAcl(ee);
    assertEquals(numberOfAces + 1, aclAfterReadableAdded.getEntries().size());
    // force the addition of duplicate ACE read, fish group on the same experiment. Note that in the current
    // implementation this only adds one - we already avoid duplicates.
    List<GrantedAuthority> groupAuthorities = this.userManager.findGroupAuthorities(groupName);
    GrantedAuthority ga = groupAuthorities.get(0);
    aclAfterReadableAdded.insertAce(aclAfterReadableAdded.getEntries().size(), BasePermission.READ, new AclGrantedAuthoritySid(this.userManager.getRolePrefix() + ga), true);
    this.aclTestUtils.update(aclAfterReadableAdded);
    MutableAcl aclAfterReadableAddedDuplicate = aclTestUtils.getAcl(ee);
    assertEquals(numberOfAces + 1, aclAfterReadableAddedDuplicate.getEntries().size());
    // remove the ace now and check removed permission completely.
    this.securityService.makeUnreadableByGroup(ee, groupName);
    MutableAcl aclAfterReadableAddedDuplicateRemoval = aclTestUtils.getAcl(ee);
    assertEquals(numberOfAces, aclAfterReadableAddedDuplicateRemoval.getEntries().size());
    List<AccessControlEntry> entriesAfterDelete = aclAfterReadableAddedDuplicateRemoval.getEntries();
    assertEquals(numberOfAces, entriesAfterDelete.size());
    // also check that the right ACE check the principals
    Collection<String> principals = new ArrayList<>();
    principals.add("AclGrantedAuthoritySid[GROUP_ADMIN]");
    principals.add("AclGrantedAuthoritySid[GROUP_AGENT]");
    principals.add("AclPrincipalSid[salmonid]");
    principals.add("AclPrincipalSid[salmonid]");
    for (AccessControlEntry accessControl : entriesAfterDelete) {
        Sid sid = accessControl.getSid();
        assertTrue(principals.contains(sid.toString()));
        // remove it once in case found in case of duplicates
        principals.remove(sid.toString());
    }
    // clean up the groups
    this.userManager.deleteGroup(groupName);
// userManager.deleteUser( username );
}

Example 2 with AclGrantedAuthoritySid

use of gemma.gsec.acl.domain.AclGrantedAuthoritySid in project Gemma by PavlidisLab.

the class EntityUtils method getPermissions.

/**
 * Checks ACL related properties from the AclObjectIdentity.
 * Some of the code is adapted from {@link gemma.gsec.util.SecurityUtil}, but allows usage without an Acl object.
 *
 * @param aoi the acl object identity of an object whose permissions are to be checked.
 * @return an array of booleans that represent permissions of currently logged in user as follows:
 * <ol>
 * <li>is object public</li>
 * <li>can user write to object</li>
 * <li>is object shared</li>
 * </ol>
 * (note that actual indexing in the array starts at 0).
 */
public static boolean[] getPermissions(AclObjectIdentity aoi) {
    boolean isPublic = false;
    boolean canWrite = false;
    boolean isShared = false;
    for (AclEntry ace : aoi.getEntries()) {
        if (SecurityUtil.isUserAdmin()) {
            canWrite = true;
        } else if (SecurityUtil.isUserAnonymous()) {
            canWrite = false;
        } else {
            if (ace.getMask() == BasePermission.WRITE.getMask() || ace.getMask() == BasePermission.ADMINISTRATION.getMask()) {
                Sid sid = ace.getSid();
                if (sid instanceof AclGrantedAuthoritySid) {
                    // noinspection unused //FIXME if user is in granted group then he can write probably
                    String grantedAuthority = ((AclGrantedAuthoritySid) sid).getGrantedAuthority();
                } else if (sid instanceof AclPrincipalSid) {
                    if (((AclPrincipalSid) sid).getPrincipal().equals(SecurityUtil.getCurrentUsername())) {
                        canWrite = true;
                    }
                }
            }
        }
        // Check public and shared - code adapted from SecurityUtils, only we do not hold an ACL object.
        if (ace.getPermission().equals(BasePermission.READ)) {
            Sid sid = ace.getSid();
            if (sid instanceof AclGrantedAuthoritySid) {
                String grantedAuthority = ((AclGrantedAuthoritySid) sid).getGrantedAuthority();
                if (grantedAuthority.equals(AuthorityConstants.IS_AUTHENTICATED_ANONYMOUSLY) && ace.isGranting()) {
                    isPublic = true;
                }
                if (grantedAuthority.startsWith("GROUP_") && ace.isGranting()) {
                    if (!grantedAuthority.equals(AuthorityConstants.AGENT_GROUP_AUTHORITY) && !grantedAuthority.equals(AuthorityConstants.ADMIN_GROUP_AUTHORITY)) {
                        isShared = true;
                    }
                }
            }
        }
    }
    return new boolean[] { isPublic, canWrite, isShared };
}

Example 3 with AclGrantedAuthoritySid

use of gemma.gsec.acl.domain.AclGrantedAuthoritySid in project Gemma by PavlidisLab.

the class UserServiceImpl method delete.

@Override
public void delete(UserGroup group) {
    String groupName = group.getName();
    if (!this.groupExists(groupName)) {
        throw new IllegalArgumentException("No group with that name: " + groupName);
    }
    /*
         * make sure this isn't one of the special groups
         */
    if (groupName.equals(AuthorityConstants.USER_GROUP_NAME) || groupName.equals(AuthorityConstants.ADMIN_GROUP_NAME) || groupName.equals(AuthorityConstants.AGENT_GROUP_NAME)) {
        throw new IllegalArgumentException("Cannot remove that group, it is required for system operation.");
    }
    if (!securityService.isOwnedByCurrentUser(this.findGroupByName(groupName)) && !SecurityUtil.isUserAdmin()) {
        throw new AccessDeniedException("Only administrator or owner of a group can remove it");
    }
    String authority = securityService.getGroupAuthorityNameFromGroupName(groupName);
    this.userGroupDao.remove((ubic.gemma.model.common.auditAndSecurity.UserGroup) group);
    /*
         * clean up acls that use this group...do that last!
         */
    aclService.deleteSid(new AclGrantedAuthoritySid(authority));
}