
Example 1 with AclPrincipalSid

use of gemma.gsec.acl.domain.AclPrincipalSid in project Gemma by PavlidisLab.

In class AclAdviceTest, method testArrayDesignAclsUser.

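/**
 * Creates an array design while running as a freshly created non-admin user and verifies that the ACL
 * is attached with ACEs, that the owner is that user, that an update leaves the owner unchanged, and that
 * removing the design removes its ACL.
 */
@Test
public void testArrayDesignAclsUser() {
    // A random suffix keeps the user unique across test runs.
    String userName = "testuser" + RandomStringUtils.randomAlphabetic(3);
    this.makeUser(userName);
    this.runAsUser(userName);
    ArrayDesign ad = this.getTestPersistentArrayDesign(2, true, false, false);
    aclTestUtils.checkHasAcl(ad);
    aclTestUtils.checkHasAces(ad);
    Sid owner = securityService.getOwner(ad);
    assertEquals(userName, ((AclPrincipalSid) owner).getPrincipal());
    // Updating the entity must not change its ACL owner. Re-read the owner after the update: re-checking the
    // Sid fetched before the update would trivially pass and prove nothing about the update.
    arrayDesignService.update(ad);
    Sid ownerAfterUpdate = securityService.getOwner(ad);
    assertEquals(userName, ((AclPrincipalSid) ownerAfterUpdate).getPrincipal());
    arrayDesignService.remove(ad);
    aclTestUtils.checkDeletedAcl(ad);
}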

Example 2 with AclPrincipalSid

use of gemma.gsec.acl.domain.AclPrincipalSid in project Gemma by PavlidisLab.

In class AclAdviceTest, method testArrayDesignAcls.

/*
 * Create an array design without switching user, check that an ACL with ACEs is put on it and that the
 * owner is the administrator, then remove the design and check the ACL is removed with it. Array designs
 * are _simple_ compared to EEs!
 */
@Test
public void testArrayDesignAcls() {
    ArrayDesign design = this.getTestPersistentArrayDesign(2, true, false, false);

    aclTestUtils.checkHasAcl(design);
    aclTestUtils.checkHasAces(design);

    // no user switch happened, so the recorded owner is expected to be the administrator
    AclPrincipalSid ownerSid = (AclPrincipalSid) securityService.getOwner(design);
    assertEquals("administrator", ownerSid.getPrincipal());

    arrayDesignService.remove(design);
    aclTestUtils.checkDeletedAcl(design);
}

Example 3 with AclPrincipalSid

use of gemma.gsec.acl.domain.AclPrincipalSid in project Gemma by PavlidisLab.

In class SecurityServiceTest, method testSetOwner.

/*
 * Transfer ownership of a private experiment to a newly created user and check that the owner Sid
 * is a principal Sid naming that user.
 */
@Test
public void testSetOwner() {
    ExpressionExperiment experiment = super.getTestPersistentBasicExpressionExperiment();
    this.securityService.makePrivate(experiment);

    String newOwner = "first_" + this.randomName();
    this.makeUser(newOwner);
    this.securityService.setOwner(experiment, newOwner);

    Sid ownerSid = this.securityService.getOwner(experiment);
    assertTrue(ownerSid instanceof AclPrincipalSid);
    assertEquals(newOwner, ((AclPrincipalSid) ownerSid).getPrincipal());
}

Example 4 with AclPrincipalSid

use of gemma.gsec.acl.domain.AclPrincipalSid in project Gemma by PavlidisLab.

In class SecurityServiceTest, method testRemoveMultipleAcesFromPrivateExpressionExperiment.

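/*
 * Tests an unlikely scenario: if an ACE was duplicated (same principal, permission and object) on a private
 * experiment, revoking the group's read access must delete every copy, leaving only the owner's entries and
 * the built-in admin/agent group entries. Note that the current implementation already refuses to insert
 * duplicates, so the forced "duplicate" insert below is expected to add nothing.
 */
@Test
public void testRemoveMultipleAcesFromPrivateExpressionExperiment() {
    // make private experiment
    ExpressionExperiment ee = super.getTestPersistentBasicExpressionExperiment();
    this.securityService.makePrivate(ee);

    // add user and add the user to a group; the user name is fixed, the group name is randomized
    String username = "salmonid";
    String groupName = "fish" + this.randomName();
    this.makeUser(username);
    this.securityService.makeOwnedByUser(ee, username);
    assertTrue(this.securityService.isEditableByUser(ee, username));
    this.runAsUser(username);
    this.securityService.createGroup(groupName);

    // get the basic acls
    MutableAcl acl = aclTestUtils.getAcl(ee);
    int numberOfAces = acl.getEntries().size();

    // make readable by group: adds exactly one READ ACE for the group
    this.securityService.makeReadableByGroup(ee, groupName);
    MutableAcl aclAfterReadableAdded = aclTestUtils.getAcl(ee);
    assertEquals(numberOfAces + 1, aclAfterReadableAdded.getEntries().size());

    // force the addition of a duplicate READ ACE for the same group on the same experiment. In the current
    // implementation this adds nothing - duplicates are already avoided - hence the count stays the same.
    List<GrantedAuthority> groupAuthorities = this.userManager.findGroupAuthorities(groupName);
    GrantedAuthority ga = groupAuthorities.get(0);
    // NOTE(review): the Sid name is built from the role prefix plus the authority's toString() - confirm that
    // is the same form makeReadableByGroup() uses, otherwise this would not be a duplicate at all.
    aclAfterReadableAdded.insertAce(aclAfterReadableAdded.getEntries().size(), BasePermission.READ, new AclGrantedAuthoritySid(this.userManager.getRolePrefix() + ga), true);
    this.aclTestUtils.update(aclAfterReadableAdded);
    MutableAcl aclAfterReadableAddedDuplicate = aclTestUtils.getAcl(ee);
    assertEquals(numberOfAces + 1, aclAfterReadableAddedDuplicate.getEntries().size());

    // revoke the group's read access and check the permission is removed completely
    this.securityService.makeUnreadableByGroup(ee, groupName);
    MutableAcl aclAfterReadableAddedDuplicateRemoval = aclTestUtils.getAcl(ee);
    List<AccessControlEntry> entriesAfterDelete = aclAfterReadableAddedDuplicateRemoval.getEntries();
    assertEquals(numberOfAces, entriesAfterDelete.size());

    // also check that only the expected principals remain: the two built-in groups and the owner (twice).
    // The expected strings are derived from the username so they cannot drift from it. Each expected entry
    // may be matched at most once, so a leftover ACE for the fish group fails the assertion below.
    Collection<String> expectedPrincipals = new ArrayList<>();
    expectedPrincipals.add("AclGrantedAuthoritySid[GROUP_ADMIN]");
    expectedPrincipals.add("AclGrantedAuthoritySid[GROUP_AGENT]");
    expectedPrincipals.add("AclPrincipalSid[" + username + "]");
    expectedPrincipals.add("AclPrincipalSid[" + username + "]");
    for (AccessControlEntry accessControl : entriesAfterDelete) {
        String sidName = accessControl.getSid().toString();
        // remove() is false when the principal is not expected, or was already matched (duplicate handling)
        assertTrue("unexpected ACE principal: " + sidName, expectedPrincipals.remove(sidName));
    }

    // clean up the group; the user is intentionally left in place (userManager.deleteUser( username ) was disabled)
    this.userManager.deleteGroup(groupName);
}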

Example 5 with AclPrincipalSid

use of gemma.gsec.acl.domain.AclPrincipalSid in project Gemma by PavlidisLab.

In class EntityUtils, method getPermissions.

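/**
 * Checks ACL related properties from the AclObjectIdentity.
 * Some of the code is adapted from {@link gemma.gsec.util.SecurityUtil}, but allows usage without an Acl object.
 * <p>
 * Only <em>granting</em> entries are taken into account, for the write check as well as for the public/shared
 * checks; a denying entry never confers write access. The write check only recognises entries held directly
 * by the current principal: entries granted to a group the user belongs to are not resolved here (see the
 * FIXME in {@code grantsWriteToCurrentUser}), so {@code canWrite} can be falsely negative for such users.
 * An administrator is reported as able to write whenever the identity has at least one entry; an anonymous
 * user never is.
 *
 * @param aoi the acl object identity of an object whose permissions are to be checked.
 * @return an array of booleans that represent permissions of currently logged in user as follows:
 * <ol>
 * <li>is object public</li>
 * <li>can user write to object</li>
 * <li>is object shared</li>
 * </ol>
 * (note that actual indexing in the array starts at 0).
 */
public static boolean[] getPermissions(AclObjectIdentity aoi) {
    boolean isPublic = false;
    boolean canWrite = false;
    boolean isShared = false;
    // The caller's role does not depend on the individual entries; evaluate it once rather than per entry.
    boolean currentUserIsAdmin = SecurityUtil.isUserAdmin();
    boolean currentUserIsAnonymous = SecurityUtil.isUserAnonymous();
    for (AclEntry ace : aoi.getEntries()) {
        if (currentUserIsAdmin) {
            canWrite = true;
        } else if (!currentUserIsAnonymous && grantsWriteToCurrentUser(ace)) {
            canWrite = true;
        }
        // Check public and shared - code adapted from SecurityUtils, only we do not hold an ACL object.
        if (ace.getPermission().equals(BasePermission.READ) && ace.isGranting()) {
            Sid sid = ace.getSid();
            if (sid instanceof AclGrantedAuthoritySid) {
                String grantedAuthority = ((AclGrantedAuthoritySid) sid).getGrantedAuthority();
                if (grantedAuthority.equals(AuthorityConstants.IS_AUTHENTICATED_ANONYMOUSLY)) {
                    isPublic = true;
                }
                if (isSharingGroupAuthority(grantedAuthority)) {
                    isShared = true;
                }
            }
        }
    }
    return new boolean[] { isPublic, canWrite, isShared };
}

/**
 * Whether the entry grants WRITE or ADMINISTRATION directly to the currently logged in principal.
 * Entries held by a group (granted authority) are not resolved and therefore never count.
 *
 * @param ace the entry to inspect
 * @return true only for a granting entry with a WRITE or ADMINISTRATION mask whose principal is the current user
 */
private static boolean grantsWriteToCurrentUser(AclEntry ace) {
    if (!ace.isGranting()) {
        // a denying entry must not be read as "can write", even if its mask is WRITE
        return false;
    }
    int mask = ace.getMask();
    if (mask != BasePermission.WRITE.getMask() && mask != BasePermission.ADMINISTRATION.getMask()) {
        return false;
    }
    Sid sid = ace.getSid();
    if (sid instanceof AclGrantedAuthoritySid) {
        // FIXME if the user is a member of the granted group then he can probably write; group membership
        // is not resolved here, so such entries are ignored (conservative: reports "cannot write").
        return false;
    }
    return sid instanceof AclPrincipalSid
            && ((AclPrincipalSid) sid).getPrincipal().equals(SecurityUtil.getCurrentUsername());
}

/**
 * Whether a granted authority denotes a user group other than the built-in agent and admin groups,
 * i.e. a group that makes the object count as "shared".
 *
 * @param grantedAuthority the authority name of a granted-authority Sid
 * @return true for a GROUP_-prefixed authority that is neither the agent nor the admin group
 */
private static boolean isSharingGroupAuthority(String grantedAuthority) {
    return grantedAuthority.startsWith("GROUP_")
            && !grantedAuthority.equals(AuthorityConstants.AGENT_GROUP_AUTHORITY)
            && !grantedAuthority.equals(AuthorityConstants.ADMIN_GROUP_AUTHORITY);
}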
