Example 46 with WikiPage

Use of org.apache.wiki.WikiPage in project jspwiki by apache.

The class AuthorizationManager, method checkPermission.

/**
 * Returns <code>true</code> or <code>false</code>, depending on
 * whether a Permission is allowed for the Subject associated with
 * a supplied WikiSession. The access control algorithm works this way:
 * <ol>
 * <li>The {@link org.apache.wiki.auth.acl.Acl} for the page is obtained</li>
 * <li>The Subject associated with the current
 * {@link org.apache.wiki.WikiSession} is obtained</li>
 * <li>If the Subject's Principal set includes the Role Principal that is
 * the administrator group, always allow the Permission</li>
 * <li>For all permissions, check to see if the Permission is allowed according
 * to the default security policy. If it isn't, deny the permission and halt
 * further processing.</li>
 * <li>If there is an Acl, get the list of Principals assigned this
 * Permission in the Acl: these will be role, group or user Principals, or
 * {@link org.apache.wiki.auth.acl.UnresolvedPrincipal}s (see below).
 * Then iterate through the Subject's Principal set and determine whether
 * the user (Subject) possesses any one of these specified Roles or
 * Principals. The matching process delegates to
 * {@link #hasRoleOrPrincipal(WikiSession, Principal)}.</li>
 * </ol>
 * <p>
 * Note that when iterating through the Acl's list of authorized Principals,
 * it is possible that one or more of the Acl's Principal entries are of
 * type <code>UnresolvedPrincipal</code>. This means that the last time
 * the ACL was read, the Principal (user, built-in Role, authorizer Role, or
 * wiki Group) could not be resolved: the Role was not valid, the user
 * wasn't found in the UserDatabase, or the Group wasn't known to (or
 * cached by) the GroupManager. If an <code>UnresolvedPrincipal</code> is
 * encountered, this method will attempt to resolve it first <em>before</em>
 * checking to see if the Subject possesses this principal, by calling
 * {@link #resolvePrincipal(String)}. If the (re-)resolution does not
 * succeed, the access check for the principal will fail by definition (the
 * Subject should never contain UnresolvedPrincipals).
 * </p>
 * <p>
 * If security is not set to JAAS, this method returns true.
 * </p>
 * @param session the current wiki session
 * @param permission the Permission being checked
 * @see #hasRoleOrPrincipal(WikiSession, Principal)
 * @return the result of the Permission check
 */
public boolean checkPermission(WikiSession session, Permission permission) {
    // Fail closed: a missing session or permission is always a denial
    if (session == null || permission == null) {
        fireEvent(WikiSecurityEvent.ACCESS_DENIED, null, permission);
        return false;
    }
    Principal user = session.getLoginPrincipal();
    // Always allow the action if user has AllPermission
    Permission allPermission = new AllPermission(m_engine.getApplicationName());
    boolean hasAllPermission = checkStaticPermission(session, allPermission);
    if (hasAllPermission) {
        fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
        return true;
    }
    // If the user doesn't have *at least* the permission
    // granted by policy, return false.
    boolean hasPolicyPermission = checkStaticPermission(session, permission);
    if (!hasPolicyPermission) {
        fireEvent(WikiSecurityEvent.ACCESS_DENIED, user, permission);
        return false;
    }
    // If this isn't a PagePermission, it's allowed
    if (!(permission instanceof PagePermission)) {
        fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
        return true;
    }
    // If the page does not exist or carries no ACL, the policy check above
    // is the only constraint, so the action is allowed.
    String pageName = ((PagePermission) permission).getPage();
    WikiPage page = m_engine.getPage(pageName);
    Acl acl = (page == null) ? null : m_engine.getAclManager().getPermissions(page);
    if (page == null || acl == null || acl.isEmpty()) {
        fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
        return true;
    }
    // Next, iterate through the Principal objects assigned this permission
    // in the ACL. If the session's Subject possesses any of these, the
    // action is allowed; otherwise it is denied.
    Principal[] aclPrincipals = acl.findPrincipals(permission);
    log.debug("Checking ACL entries...");
    log.debug("Acl for this page is: " + acl);
    log.debug("Checking for principal: " + Arrays.toString(aclPrincipals));
    log.debug("Permission: " + permission);
    for (Principal aclPrincipal : aclPrincipals) {
        // try to resolve it here & correct the Acl
        if (aclPrincipal instanceof UnresolvedPrincipal) {
            AclEntry aclEntry = acl.getEntry(aclPrincipal);
            aclPrincipal = resolvePrincipal(aclPrincipal.getName());
            if (aclEntry != null && !(aclPrincipal instanceof UnresolvedPrincipal)) {
                aclEntry.setPrincipal(aclPrincipal);
            }
        }
        if (hasRoleOrPrincipal(session, aclPrincipal)) {
            fireEvent(WikiSecurityEvent.ACCESS_ALLOWED, user, permission);
            return true;
        }
    }
    fireEvent(WikiSecurityEvent.ACCESS_DENIED, user, permission);
    return false;
}
Also used: WikiPage (org.apache.wiki.WikiPage), PagePermission (org.apache.wiki.auth.permissions.PagePermission), AllPermission (org.apache.wiki.auth.permissions.AllPermission), Permission (java.security.Permission), AclEntry (org.apache.wiki.auth.acl.AclEntry), Acl (org.apache.wiki.auth.acl.Acl), Principal (java.security.Principal), UnresolvedPrincipal (org.apache.wiki.auth.acl.UnresolvedPrincipal)

Example 47 with WikiPage

Use of org.apache.wiki.WikiPage in project jspwiki by apache.

The class AuthorizationManagerTest, method testRoleAcl.

@Test
public void testRoleAcl() throws Exception {
    // Create a test page whose ACL grants edit (and therefore view) to the Authenticated role
    String src = "[{ALLOW edit Authenticated}] ";
    m_engine.saveText("Test", src);
    WikiPage p = m_engine.getPage("Test");
    Permission view = PermissionFactory.getPagePermission(p, "view");
    Permission edit = PermissionFactory.getPagePermission(p, "edit");
    // Create session with authenticated user 'Alice', who can read & edit
    WikiSession session;
    session = WikiSessionTest.authenticatedSession(m_engine, Users.ALICE, Users.ALICE_PASS);
    Assert.assertTrue("Alice view Test", m_auth.checkPermission(session, view));
    Assert.assertTrue("Alice edit Test", m_auth.checkPermission(session, edit));
    // Create session with asserted user 'Bob', who can't read or edit (not in ACL)
    session = WikiSessionTest.assertedSession(m_engine, Users.BOB);
    Assert.assertFalse("Bob !view Test", m_auth.checkPermission(session, view));
    Assert.assertFalse("Bob !edit Test", m_auth.checkPermission(session, edit));
    // Cleanup
    try {
        m_engine.deletePage("Test");
    } catch (ProviderException e) {
        Assert.fail("Could not delete test page: " + e.getMessage());
    }
}
Also used: WikiSession (org.apache.wiki.WikiSession), ProviderException (org.apache.wiki.api.exceptions.ProviderException), WikiPage (org.apache.wiki.WikiPage), WikiPermission (org.apache.wiki.auth.permissions.WikiPermission), PagePermission (org.apache.wiki.auth.permissions.PagePermission), AllPermission (org.apache.wiki.auth.permissions.AllPermission), Permission (java.security.Permission), WikiSessionTest (org.apache.wiki.WikiSessionTest), Test (org.junit.Test)

Example 48 with WikiPage

Use of org.apache.wiki.WikiPage in project jspwiki by apache.

The class UserManagerTest, method testSetRenamedUserProfile.

@Test
public void testSetRenamedUserProfile() throws Exception {
    // First, count the number of users, groups, and pages
    int oldUserCount = m_db.getWikiNames().length;
    GroupManager groupManager = m_engine.getGroupManager();
    PageManager pageManager = m_engine.getPageManager();
    AuthorizationManager authManager = m_engine.getAuthorizationManager();
    int oldGroupCount = groupManager.getRoles().length;
    int oldPageCount = pageManager.getTotalPageCount();
    // Setup Step 1: create a new user with random name
    WikiSession session = m_engine.guestSession();
    long now = System.currentTimeMillis();
    String oldLogin = "TestLogin" + now;
    String oldName = "Test User " + now;
    String newLogin = "RenamedLogin" + now;
    String newName = "Renamed User " + now;
    UserProfile profile = m_db.newProfile();
    profile.setEmail("jspwiki.tests@mailinator.com");
    profile.setLoginName(oldLogin);
    profile.setFullname(oldName);
    profile.setPassword("password");
    m_mgr.setUserProfile(session, profile);
    // 1a. Make sure the profile saved successfully and that we're logged in
    profile = m_mgr.getUserProfile(session);
    Assert.assertEquals(oldLogin, profile.getLoginName());
    Assert.assertEquals(oldName, profile.getFullname());
    Assert.assertEquals(oldUserCount + 1, m_db.getWikiNames().length);
    Assert.assertTrue(session.isAuthenticated());
    // Setup Step 2: create a new group with our test user in it
    Group group = groupManager.parseGroup(m_groupName, "Alice \n Bob \n Charlie \n " + oldLogin + "\n" + oldName, true);
    groupManager.setGroup(session, group);
    // 2a. Make sure the group is created with the user in it, and the role is added to the Subject
    Assert.assertEquals(oldGroupCount + 1, groupManager.getRoles().length);
    Assert.assertTrue(group.isMember(new WikiPrincipal(oldLogin)));
    Assert.assertTrue(group.isMember(new WikiPrincipal(oldName)));
    Assert.assertFalse(group.isMember(new WikiPrincipal(newLogin)));
    Assert.assertFalse(group.isMember(new WikiPrincipal(newName)));
    Assert.assertTrue(groupManager.isUserInRole(session, group.getPrincipal()));
    // Setup Step 3: create a new page with our test user in the ACL
    String pageName = "TestPage" + now;
    m_engine.saveText(pageName, "Test text. [{ALLOW view " + oldName + ", " + oldLogin + ", Alice}] More text.");
    // 3a. Make sure the page got saved, and that ONLY our test user has permission to read it.
    WikiPage p = m_engine.getPage(pageName);
    Assert.assertEquals(oldPageCount + 1, pageManager.getTotalPageCount());
    Assert.assertNotNull(p.getAcl().getEntry(new WikiPrincipal(oldLogin)));
    Assert.assertNotNull(p.getAcl().getEntry(new WikiPrincipal(oldName)));
    Assert.assertNull(p.getAcl().getEntry(new WikiPrincipal(newLogin)));
    Assert.assertNull(p.getAcl().getEntry(new WikiPrincipal(newName)));
    Assert.assertTrue("Test User view page", authManager.checkPermission(session, PermissionFactory.getPagePermission(p, "view")));
    WikiSession bobSession = WikiSessionTest.authenticatedSession(m_engine, Users.BOB, Users.BOB_PASS);
    Assert.assertFalse("Bob !view page", authManager.checkPermission(bobSession, PermissionFactory.getPagePermission(p, "view")));
    // Setup Step 4: change the user name in the profile and see what happens
    profile = m_db.newProfile();
    profile.setEmail("jspwiki.tests@mailinator.com");
    profile.setLoginName(oldLogin);
    profile.setFullname(newName);
    profile.setPassword("password");
    m_mgr.setUserProfile(session, profile);
    // Test 1: the wiki session should have the new wiki name in Subject
    Principal[] principals = session.getPrincipals();
    Assert.assertTrue(ArrayUtils.contains(principals, new WikiPrincipal(oldLogin)));
    Assert.assertFalse(ArrayUtils.contains(principals, new WikiPrincipal(oldName)));
    Assert.assertFalse(ArrayUtils.contains(principals, new WikiPrincipal(newLogin)));
    Assert.assertTrue(ArrayUtils.contains(principals, new WikiPrincipal(newName)));
    // Test 2: our group should not contain the old name OR login name any more
    // (the full name is always used)
    group = groupManager.getGroup(m_groupName);
    Assert.assertFalse(group.isMember(new WikiPrincipal(oldLogin)));
    Assert.assertFalse(group.isMember(new WikiPrincipal(oldName)));
    Assert.assertFalse(group.isMember(new WikiPrincipal(newLogin)));
    Assert.assertTrue(group.isMember(new WikiPrincipal(newName)));
    // Test 3: our page should not contain the old wiki name OR login name
    // in the ACL any more (the full name is always used)
    p = m_engine.getPage(pageName);
    Assert.assertNull(p.getAcl().getEntry(new WikiPrincipal(oldLogin)));
    Assert.assertNull(p.getAcl().getEntry(new WikiPrincipal(oldName)));
    Assert.assertNull(p.getAcl().getEntry(new WikiPrincipal(newLogin)));
    Assert.assertNotNull(p.getAcl().getEntry(new WikiPrincipal(newName)));
    Assert.assertTrue("Test User view page", authManager.checkPermission(session, PermissionFactory.getPagePermission(p, "view")));
    Assert.assertFalse("Bob !view page", authManager.checkPermission(bobSession, PermissionFactory.getPagePermission(p, "view")));
    // Test 4: our page text should have been re-written
    // (The new full name should be in the ACL, but the login name should have been removed)
    String expectedText = "[{ALLOW view Alice," + newName + "}]\nTest text.  More text.\r\n";
    String actualText = m_engine.getText(pageName);
    Assert.assertEquals(expectedText, actualText);
    // Remove our test page
    m_engine.deletePage(pageName);
    // Setup Step 6: re-create the group with our old test user names in it
    group = groupManager.parseGroup(m_groupName, "Alice \n Bob \n Charlie \n " + oldLogin + "\n" + oldName, true);
    groupManager.setGroup(session, group);
    // Setup Step 7: Save a new page with the old login/wiki names in the ACL again
    // The test user should still be able to see the page (because the login name matches...)
    pageName = "TestPage2" + now;
    m_engine.saveText(pageName, "More test text. [{ALLOW view " + oldName + ", " + oldLogin + ", Alice}] More text.");
    p = m_engine.getPage(pageName);
    Assert.assertEquals(oldPageCount + 1, pageManager.getTotalPageCount());
    Assert.assertNotNull(p.getAcl().getEntry(new WikiPrincipal(oldLogin)));
    Assert.assertNotNull(p.getAcl().getEntry(new WikiPrincipal(oldName)));
    Assert.assertNull(p.getAcl().getEntry(new WikiPrincipal(newLogin)));
    Assert.assertNull(p.getAcl().getEntry(new WikiPrincipal(newName)));
    Assert.assertTrue("Test User view page", authManager.checkPermission(session, PermissionFactory.getPagePermission(p, "view")));
    Assert.assertFalse("Bob !view page", authManager.checkPermission(bobSession, PermissionFactory.getPagePermission(p, "view")));
    // Setup Step 8: re-save the profile with the new login name
    profile = m_db.newProfile();
    profile.setEmail("jspwiki.tests@mailinator.com");
    profile.setLoginName(newLogin);
    profile.setFullname(oldName);
    profile.setPassword("password");
    m_mgr.setUserProfile(session, profile);
    // Test 5: the wiki session should have the new login name in Subject
    principals = session.getPrincipals();
    Assert.assertFalse(ArrayUtils.contains(principals, new WikiPrincipal(oldLogin)));
    Assert.assertTrue(ArrayUtils.contains(principals, new WikiPrincipal(oldName)));
    Assert.assertTrue(ArrayUtils.contains(principals, new WikiPrincipal(newLogin)));
    Assert.assertFalse(ArrayUtils.contains(principals, new WikiPrincipal(newName)));
    // Test 6: our group should not contain the old name OR login name any more
    // (the full name is always used)
    group = groupManager.getGroup(m_groupName);
    Assert.assertFalse(group.isMember(new WikiPrincipal(oldLogin)));
    Assert.assertTrue(group.isMember(new WikiPrincipal(oldName)));
    Assert.assertFalse(group.isMember(new WikiPrincipal(newLogin)));
    Assert.assertFalse(group.isMember(new WikiPrincipal(newName)));
    // Test 7: our page should not contain the old wiki name OR login name
    // in the ACL any more (the full name is always used)
    p = m_engine.getPage(pageName);
    Assert.assertNull(p.getAcl().getEntry(new WikiPrincipal(oldLogin)));
    Assert.assertNotNull(p.getAcl().getEntry(new WikiPrincipal(oldName)));
    Assert.assertNull(p.getAcl().getEntry(new WikiPrincipal(newLogin)));
    Assert.assertNull(p.getAcl().getEntry(new WikiPrincipal(newName)));
    Assert.assertTrue("Test User view page", authManager.checkPermission(session, PermissionFactory.getPagePermission(p, "view")));
    Assert.assertFalse("Bob !view page", authManager.checkPermission(bobSession, PermissionFactory.getPagePermission(p, "view")));
    // Test 8: our page text should have been re-written
    // (The new full name should be in the ACL, but the login name should have been removed)
    expectedText = "[{ALLOW view Alice," + oldName + "}]\nMore test text.  More text.\r\n";
    actualText = m_engine.getText(pageName);
    Assert.assertEquals(expectedText, actualText);
    // CLEANUP: delete the profile; user and page; should be back to old counts
    m_db.deleteByLoginName(newLogin);
    Assert.assertEquals(oldUserCount, m_db.getWikiNames().length);
    groupManager.removeGroup(group.getName());
    Assert.assertEquals(oldGroupCount, groupManager.getRoles().length);
    m_engine.deletePage(pageName);
    Assert.assertEquals(oldPageCount, pageManager.getTotalPageCount());
}
Also used: Group (org.apache.wiki.auth.authorize.Group), UserProfile (org.apache.wiki.auth.user.UserProfile), WikiPage (org.apache.wiki.WikiPage), GroupManager (org.apache.wiki.auth.authorize.GroupManager), WikiSession (org.apache.wiki.WikiSession), PageManager (org.apache.wiki.PageManager), Principal (java.security.Principal), WikiSessionTest (org.apache.wiki.WikiSessionTest), Test (org.junit.Test)

Example 49 with WikiPage

Use of org.apache.wiki.WikiPage in project jspwiki by apache.

The class DefaultAclManagerTest, method testPrintAcl.

@Test
public void testPrintAcl() {
    // Verify that the printed Acl for the test page is OK
    WikiPage page = m_engine.getPage("TestAclPage");
    Acl acl = m_engine.getAclManager().getPermissions(page);
    String aclString = DefaultAclManager.printAcl(acl);
    Assert.assertEquals("[{ALLOW edit Charlie,Herman}]\n", aclString);
    // Create an ACL from scratch
    acl = new AclImpl();
    AclEntry entry = new AclEntryImpl();
    entry.setPrincipal(new WikiPrincipal("Charlie"));
    entry.addPermission(PermissionFactory.getPagePermission("Main:Foo", "view"));
    entry.addPermission(PermissionFactory.getPagePermission("Main:Foo", "edit"));
    acl.addEntry(entry);
    entry = new AclEntryImpl();
    entry.setPrincipal(new WikiPrincipal("Devin"));
    entry.addPermission(PermissionFactory.getPagePermission("Main:Foo", "edit"));
    entry.addPermission(PermissionFactory.getPagePermission("Main:Foo", "delete"));
    acl.addEntry(entry);
    // Verify that the printed ACL is OK
    String expectedValue = "[{ALLOW delete Devin}]\n[{ALLOW edit Charlie,Devin}]\n[{ALLOW view Charlie}]\n";
    Assert.assertEquals(expectedValue, DefaultAclManager.printAcl(acl));
}
Also used: WikiPrincipal (org.apache.wiki.auth.WikiPrincipal), WikiPage (org.apache.wiki.WikiPage), Test (org.junit.Test)

Example 50 with WikiPage

Use of org.apache.wiki.WikiPage in project jspwiki by apache.

The class JSPWikiMarkupParserTest, method testSet3.

@Test
public void testSet3() throws Exception {
    String src = "Foobar.[{SET name= Janne Jalkanen}]";
    WikiPage p = new WikiPage(testEngine, PAGE_NAME);
    String res = translate(p, src);
    Assert.assertEquals("Page text", "Foobar.", res);
    Assert.assertEquals("Janne Jalkanen", p.getAttribute("name"));
}
Also used: WikiPage (org.apache.wiki.WikiPage), Test (org.junit.Test)
