Example 1 with CaseSensitiveWildcardPermission

Use of org.graylog.security.permissions.CaseSensitiveWildcardPermission in project graylog2-server by Graylog2.

From the class DefaultPermissionAndRoleResolver, method resolvePermissionsForPrincipal.

@Override
public Set<Permission> resolvePermissionsForPrincipal(GRN principal) {
    // Collect every grant whose grantee is this principal (or one of the grantees it resolves to), plus global grants.
    final Set<GrantDTO> grants = grantService.getForGranteesOrGlobal(resolveGrantees(principal));
    final ImmutableSet.Builder<Permission> permissionsBuilder = ImmutableSet.builder();
    for (GrantDTO grant : grants) {
        // A grant names a capability, which expands to a list of permission strings.
        final Optional<CapabilityDescriptor> capability = builtinCapabilities.get(grant.capability());
        if (capability.isPresent()) {
            // The grant target may resolve to one entity or to several.
            final Set<GRN> targets = resolveTargets(grant.target());
            for (String permission : capability.get().permissions()) {
                for (GRN target : targets) {
                    if (target.isPermissionApplicable(permission)) {
                        // Possible solution: Don't use strings for the constants
                        if (permission.equals(RestPermissions.ENTITY_OWN)) {
                            // Ownership is represented as a GRN-scoped permission, not a wildcard string.
                            permissionsBuilder.add(GRNPermission.create(permission, target));
                        } else {
                            // Case-sensitive matching keeps the entity id exact instead of lower-casing it
                            // the way Shiro's default WildcardPermission does.
                            permissionsBuilder.add(new CaseSensitiveWildcardPermission(permission + ":" + target.entity()));
                        }
                    }
                }
            }
        } else {
            // An unknown capability grants nothing; it is only logged.
            logger.warn("Couldn't find capability <{}>", grant.capability());
        }
    }
    return permissionsBuilder.build();
}
Also used : GRN(org.graylog.grn.GRN) ImmutableSet(com.google.common.collect.ImmutableSet) Permission(org.apache.shiro.authz.Permission) GRNPermission(org.graylog.security.permissions.GRNPermission) CaseSensitiveWildcardPermission(org.graylog.security.permissions.CaseSensitiveWildcardPermission)

Example 2 with CaseSensitiveWildcardPermission

Use of org.graylog.security.permissions.CaseSensitiveWildcardPermission in project graylog2-server by Graylog2.

From the class UserImplTest, method getObjectPermissions.

@Test
public void getObjectPermissions() {
    final Permissions permissions = new Permissions(Collections.emptySet());
    // A literal "subject:action" permission plus the "*" wildcard, which must become Shiro's AllPermission.
    final List<String> customPermissions = ImmutableList.of("subject:action", "*");
    final Map<String, Object> fields = ImmutableMap.of(UserImpl.USERNAME, "foobar", UserImpl.PERMISSIONS, customPermissions);
    user = new UserImpl(passwordAlgorithmFactory, permissions, fields);
    // Every user implicitly receives the self-edit permissions for their own account.
    final Set<Permission> userSelfEditPermissions = permissions.userSelfEditPermissions("foobar").stream()
            .map(CaseSensitiveWildcardPermission::new)
            .collect(Collectors.toSet());
    assertThat(user.getObjectPermissions())
            .containsAll(userSelfEditPermissions)
            .contains(new CaseSensitiveWildcardPermission("subject:action"))
            .extracting("class")
            .containsOnlyOnce(AllPermission.class);
}
Also used : Permissions(org.graylog2.shared.security.Permissions) Permission(org.apache.shiro.authz.Permission) AllPermission(org.apache.shiro.authz.permission.AllPermission) CaseSensitiveWildcardPermission(org.graylog.security.permissions.CaseSensitiveWildcardPermission) Test(org.junit.Test)

Example 3 with CaseSensitiveWildcardPermission

Use of org.graylog.security.permissions.CaseSensitiveWildcardPermission in project graylog2-server by Graylog2.

From the class UserServiceImplTest, method testGetPermissionsForUser.

@Test
public void testGetPermissionsForUser() throws Exception {
    final InMemoryRolePermissionResolver permissionResolver = mock(InMemoryRolePermissionResolver.class);
    final GRNRegistry grnRegistry = GRNRegistry.createWithBuiltinTypes();
    final UserService userService = new UserServiceImpl(mongoConnection, configuration, roleService, accessTokenService,
            userFactory, permissionResolver, serverEventBus, grnRegistry, permissionAndRoleResolver);
    final UserImplFactory factory = new UserImplFactory(new Configuration(), permissions);
    final UserImpl user = factory.create(new HashMap<>());
    user.setName("user");
    // Source 1: a role assigned directly on the user, resolving to "foo:bar".
    final Role role = createRole("Foo");
    user.setRoleIds(Collections.singleton(role.getId()));
    // Source 2: a permission string stored on the user itself.
    user.setPermissions(Collections.singletonList("hello:world"));
    when(permissionResolver.resolveStringPermission(role.getId())).thenReturn(Collections.singleton("foo:bar"));
    // Source 3: grants resolved for the user's GRN, including an ownership permission on a dashboard.
    final GRNPermission ownerShipPermission = GRNPermission.create(RestPermissions.ENTITY_OWN, grnRegistry.newGRN(GRNTypes.DASHBOARD, "1234"));
    final GRN userGRN = grnRegistry.ofUser(user);
    when(permissionAndRoleResolver.resolvePermissionsForPrincipal(userGRN))
            .thenReturn(ImmutableSet.of(new CaseSensitiveWildcardPermission("perm:from:grant"), ownerShipPermission));
    // Source 4: a role resolved for the user's GRN by the PermissionAndRoleResolver.
    final String roleId = "12345";
    when(permissionAndRoleResolver.resolveRolesForPrincipal(userGRN)).thenReturn(ImmutableSet.of(roleId));
    when(permissionResolver.resolveStringPermission(roleId)).thenReturn(ImmutableSet.of("perm:from:role"));
    // The result must contain all four sources plus the implicit self-edit permissions, and nothing else.
    assertThat(userService.getPermissionsForUser(user).stream()
            .map(p -> p instanceof CaseSensitiveWildcardPermission ? p.toString() : p)
            .collect(Collectors.toSet()))
            .containsExactlyInAnyOrder("users:passwordchange:user", "users:edit:user", "foo:bar", "hello:world",
                    "users:tokenlist:user", "users:tokencreate:user", "users:tokenremove:user",
                    "perm:from:grant", ownerShipPermission, "perm:from:role");
}
Also used : DateTimeZone(org.joda.time.DateTimeZone) InMemoryRolePermissionResolver(org.graylog2.security.InMemoryRolePermissionResolver) Mock(org.mockito.Mock) Assertions.assertThat(org.assertj.core.api.Assertions.assertThat) HashMap(java.util.HashMap) GRNRegistry(org.graylog.grn.GRNRegistry) EventBus(com.google.common.eventbus.EventBus) DBObject(com.mongodb.DBObject) Assertions.assertThatThrownBy(org.assertj.core.api.Assertions.assertThatThrownBy) AccessTokenService(org.graylog2.security.AccessTokenService) MongoDBInstance(org.graylog.testing.mongodb.MongoDBInstance) Map(java.util.Map) MockitoJUnit(org.mockito.junit.MockitoJUnit) Before(org.junit.Before) ImmutableSet(com.google.common.collect.ImmutableSet) ImmutableMap(com.google.common.collect.ImmutableMap) BasicDBObjectBuilder(com.mongodb.BasicDBObjectBuilder) PasswordAlgorithmFactory(org.graylog2.security.PasswordAlgorithmFactory) GRNTypes(org.graylog.grn.GRNTypes) Test(org.junit.Test) Mockito.when(org.mockito.Mockito.when) Mockito.mock(org.mockito.Mockito.mock) Collectors(java.util.stream.Collectors) Sets(com.google.common.collect.Sets) GRN(org.graylog.grn.GRN) List(java.util.List) Rule(org.junit.Rule) Configuration(org.graylog2.Configuration) UserService(org.graylog2.shared.users.UserService) RestPermissions(org.graylog2.shared.security.RestPermissions) ObjectId(org.bson.types.ObjectId) PasswordAlgorithm(org.graylog2.plugin.security.PasswordAlgorithm) Optional(java.util.Optional) SHA1HashPasswordAlgorithm(org.graylog2.security.hashing.SHA1HashPasswordAlgorithm) MockitoRule(org.mockito.junit.MockitoRule) MongoDBFixtures(org.graylog.testing.mongodb.MongoDBFixtures) MongoConnection(org.graylog2.database.MongoConnection) User(org.graylog2.plugin.database.users.User) Role(org.graylog2.shared.users.Role) GRNPermission(org.graylog.security.permissions.GRNPermission) Permissions(org.graylog2.shared.security.Permissions) Collections(java.util.Collections) PermissionAndRoleResolver(org.graylog.security.PermissionAndRoleResolver) CaseSensitiveWildcardPermission(org.graylog.security.permissions.CaseSensitiveWildcardPermission)

Example 4 with CaseSensitiveWildcardPermission

Use of org.graylog.security.permissions.CaseSensitiveWildcardPermission in project graylog2-server by Graylog2.

From the class UserServiceImpl, method getPermissionsForUser.

@Override
public List<Permission> getPermissionsForUser(User user) {
    final GRN principal = grnRegistry.ofUser(user);
    // Merge the three permission sources: strings stored on the user, permissions resolved from grants
    // for the user's GRN, and strings contributed by the user's roles. The ImmutableSet drops duplicates.
    final ImmutableSet.Builder<Permission> permSet = ImmutableSet.<Permission>builder()
            .addAll(user.getPermissions().stream()
                    .map(CaseSensitiveWildcardPermission::new)
                    .collect(Collectors.toSet()))
            .addAll(permissionAndRoleResolver.resolvePermissionsForPrincipal(principal))
            .addAll(getUserPermissionsFromRoles(user).stream()
                    .map(CaseSensitiveWildcardPermission::new)
                    .collect(Collectors.toSet()));
    return permSet.build().asList();
}
Also used : GRN(org.graylog.grn.GRN) ImmutableSet(com.google.common.collect.ImmutableSet) WildcardPermission(org.apache.shiro.authz.permission.WildcardPermission) GRNPermission(org.graylog.security.permissions.GRNPermission) Permission(org.apache.shiro.authz.Permission) CaseSensitiveWildcardPermission(org.graylog.security.permissions.CaseSensitiveWildcardPermission)

Aggregations

CaseSensitiveWildcardPermission (org.graylog.security.permissions.CaseSensitiveWildcardPermission) 4
ImmutableSet (com.google.common.collect.ImmutableSet) 3
Permission (org.apache.shiro.authz.Permission) 3
GRN (org.graylog.grn.GRN) 3
GRNPermission (org.graylog.security.permissions.GRNPermission) 3
Permissions (org.graylog2.shared.security.Permissions) 2
ImmutableMap (com.google.common.collect.ImmutableMap) 1
Sets (com.google.common.collect.Sets) 1
EventBus (com.google.common.eventbus.EventBus) 1
BasicDBObjectBuilder (com.mongodb.BasicDBObjectBuilder) 1
DBObject (com.mongodb.DBObject) 1
Collections (java.util.Collections) 1
HashMap (java.util.HashMap) 1
List (java.util.List) 1
Map (java.util.Map) 1
Optional (java.util.Optional) 1
Collectors (java.util.stream.Collectors) 1
AllPermission (org.apache.shiro.authz.permission.AllPermission) 1
WildcardPermission (org.apache.shiro.authz.permission.WildcardPermission) 1
Assertions.assertThat (org.assertj.core.api.Assertions.assertThat) 1