Examples with Permission org.apache.shiro.authz.Permission used on opensource projects

Example 36 with Permission

use of org.apache.shiro.authz.Permission in project ddf by codice.

the class AuthzRealmTest method testIsPermittedOneMultiple.

@Test
public void testIsPermittedOneMultiple() throws PdpException {
    permissionList.clear();
    KeyValuePermission kvp = new KeyValuePermissionImpl("country", Arrays.asList("AUS", "CAN", "GBR"));
    permissionList.add(kvp);
    String ruleClaim = "FineAccessControls";
    String countryClaim = "CountryOfAffiliation";
    // create a new user here with multiple country permissions to test
    List<Permission> permissions = new ArrayList<Permission>();
    KeyValuePermission rulePermission = new KeyValuePermissionImpl(ruleClaim);
    rulePermission.addValue("A");
    rulePermission.addValue("B");
    permissions.add(rulePermission);
    KeyValuePermission countryPermission = new KeyValuePermissionImpl(countryClaim);
    countryPermission.addValue("USA");
    countryPermission.addValue("AUS");
    permissions.add(countryPermission);
    SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo();
    authorizationInfo.addObjectPermission(rulePermission);
    authorizationInfo.addObjectPermission(countryPermission);
    authorizationInfo.addRole("admin");
    AuthzRealm testRealm = new AuthzRealm("src/test/resources/policies", new XmlParser()) {

        @Override
        public AuthorizationInfo getAuthorizationInfo(PrincipalCollection principals) {
            return authorizationInfo;
        }
    };
    testRealm.setSecurityLogger(mock(SecurityLogger.class));
    testRealm.setMatchOneMappings(Arrays.asList("CountryOfAffiliation=country"));
    testRealm.setMatchAllMappings(Arrays.asList("FineAccessControls=rule"));
    testRealm.setRolePermissionResolver(roleString -> Arrays.asList(new KeyValuePermissionImpl("role", Arrays.asList(roleString))));
    boolean[] permittedArray = testRealm.isPermitted(mockSubjectPrincipal, permissionList);
    for (boolean permitted : permittedArray) {
        Assert.assertEquals(true, permitted);
    }
}

Example 37 with Permission

use of org.apache.shiro.authz.Permission in project airpal by airbnb.

the class ExampleLDAPRealm method doGetAuthorizationInfo.

@Override
protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
    Set<String> roles = Sets.newHashSet("user");
    Set<Permission> permissions = Sets.newHashSet();
    Collection<AllowAllUser> principalsCollection = principals.byType(AllowAllUser.class);
    if (principalsCollection.isEmpty()) {
        throw new AuthorizationException("No principals!");
    }
    for (AllowAllUser user : principalsCollection) {
        for (UserGroup userGroup : groups) {
            if (userGroup.representedByGroupStrings(user.getGroups())) {
                permissions.addAll(userGroup.getPermissions());
                break;
            }
        }
    }
    SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(roles);
    authorizationInfo.setObjectPermissions(permissions);
    return authorizationInfo;
}

Example 38 with Permission

use of org.apache.shiro.authz.Permission in project ddf by codice.

the class OperationPluginTest method makeDecision.

private Answer<Boolean> makeDecision() {
    Map<String, List<String>> testRoleMap = new HashMap<String, List<String>>();
    List<String> testRoles = new ArrayList<String>();
    testRoles.add("A");
    testRoles.add("B");
    testRoleMap.put("Roles", testRoles);
    final KeyValueCollectionPermission testUserPermission = new PermissionsImpl().buildKeyValueCollectionPermission(CollectionPermission.READ_ACTION, testRoleMap);
    return new Answer<Boolean>() {

        @Override
        public Boolean answer(InvocationOnMock invocation) {
            Object[] args = invocation.getArguments();
            Permission incomingPermission = (Permission) args[1];
            return testUserPermission.implies(incomingPermission);
        }
    };
}

Example 39 with Permission

use of org.apache.shiro.authz.Permission in project ddf by codice.

the class MatchOneCollectionPermission method implies.

/**
 * Overrides the implies method to handle checking for the existence of one attribute - the "match
 * one" scenario rather than the "match all" behavior of the overridden classes. Specifically,
 * this permission will imply another permission if that permission matches at least one of our
 * permission attributes.
 *
 * @param p the permission to check for behavior/functionality comparison.
 * @return {@code true} if this current instance <em>implies</em> the specified {@code Permission}
 *     argument, {@code false} otherwise.
 */
@Override
public boolean implies(Permission p) {
    if (permissionList.isEmpty()) {
        return false;
    }
    if (p instanceof CollectionPermission) {
        for (Permission perm : ((CollectionPermission) p).getPermissionList()) {
            boolean result = false;
            for (Permission ourPerm : permissionList) {
                // the permission.
                if (ourPerm instanceof KeyValuePermission) {
                    for (String value : ((KeyValuePermission) ourPerm).getValues()) {
                        // Since this is "match one" we know that only one of these values needs
                        // to match in order
                        // for the entire permission at that key to be implied
                        // So here we loop through all of the values assigned to that key and
                        // create new
                        // single valued key value permissions
                        KeyValuePermission kvp = new KeyValuePermissionImpl(((KeyValuePermission) ourPerm).getKey());
                        kvp.addValue(value);
                        if (perm.implies(kvp)) {
                            result = true;
                            break;
                        }
                    }
                // Currently we use key value permissions for everything. However, we still need
                // to be able to handle
                // permissions other than KV, so this else block will serve as the catch all for
                // everything else.
                } else {
                    // the implies to make it match one
                    if (perm.implies(ourPerm)) {
                        result = true;
                        break;
                    }
                }
            }
            if (!result) {
                return false;
            }
        }
        return true;
    }
    // default catch all permission check
    for (Permission permission : permissionList) {
        // to make it match one
        if (p.implies(permission)) {
            return true;
        }
    }
    return false;
}

Example 40 with Permission

use of org.apache.shiro.authz.Permission in project ddf by codice.

the class AuthzRealm method isPermitted.

/**
 * Checks if the corresponding Subject/user implies the given Permissions and returns a boolean
 * array indicating which permissions are implied.
 *
 * <p>
 *
 * <p>More specifically, this method should determine if each <tt>Permission</tt> in the array is
 * {@link Permission#implies(Permission) implied} by permissions already associated with the
 * subject.
 *
 * <p>
 *
 * <p>This is primarily a performance-enhancing method to help reduce the number of {@link
 * #isPermitted} invocations over the wire in client/server systems.
 *
 * @param subjectPrincipal the application-specific subject/user identifier.
 * @param permissions the permissions that are being checked.
 * @return an array of booleans whose indices correspond to the index of the permissions in the
 *     given list. A true value at an index indicates the user is permitted for for the associated
 *     <tt>Permission</tt> object in the list. A false value at an index indicates otherwise.
 */
@Override
public boolean[] isPermitted(PrincipalCollection subjectPrincipal, List<Permission> permissions) {
    boolean[] results = new boolean[permissions.size()];
    AuthorizationInfo authorizationInfo = getAuthorizationInfo(subjectPrincipal);
    List<Permission> expandedPermissions = expandPermissions(permissions);
    int i = 0;
    for (Permission permission : expandedPermissions) {
        results[i++] = isPermitted(subjectPrincipal, permission, authorizationInfo);
    }
    return results;
}