
Example 16 with AccessControlEntry

use of org.opencastproject.security.api.AccessControlEntry in project opencast by opencast.

the class WorkflowServiceSolrIndex method addAuthorization.

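/**
 * Adds authorization fields to the solr document.
 * <p>
 * For every action found in the ACL, a field named {@code ACL_KEY_PREFIX + action} is written that holds
 * the list of roles allowed to perform that action. The read and write fields are always written, and the
 * organization's admin role (when one is configured) is granted both. Only {@code allow} entries are
 * indexed: a deny entry is logged and skipped, so a denial in the ACL has no effect on this index.
 *
 * @param doc
 *          the solr document
 * @param acl
 *          the access control list
 */
protected void addAuthorization(SolrInputDocument doc, AccessControlList acl) {
    // action -> roles that are allowed to perform it
    Map<String, List<String>> permissions = new HashMap<>();
    // Always emit the read and write fields, even when no ACL entry grants them
    List<String> reads = new ArrayList<>();
    permissions.put(Permissions.Action.READ.toString(), reads);
    List<String> writes = new ArrayList<>();
    permissions.put(Permissions.Action.WRITE.toString(), writes);
    // The organization's admin role can always read and write
    String adminRole = securityService.getOrganization().getAdminRole();
    if (adminRole != null) {
        reads.add(adminRole);
        writes.add(adminRole);
    }
    for (AccessControlEntry entry : acl.getEntries()) {
        // Only positive grants can be represented here; a deny entry is dropped with a warning
        if (!entry.isAllow()) {
            logger.warn("Workflow service does not support denial via ACL, ignoring {}", entry);
            continue;
        }
        permissions.computeIfAbsent(entry.getAction(), action -> new ArrayList<>()).add(entry.getRole());
    }
    // Write one field per action to the solr document
    for (Map.Entry<String, List<String>> permission : permissions.entrySet()) {
        doc.setField(ACL_KEY_PREFIX + permission.getKey(), permission.getValue());
    }
}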

Example 17 with AccessControlEntry

use of org.opencastproject.security.api.AccessControlEntry in project opencast by opencast.

the class LiveScheduleServiceImplTest method testReplaceAndDistributeAcl.

@Test
public void testReplaceAndDistributeAcl() throws Exception {
    // Serialized XACML episode policy attachment that the mocked distribution job will hand back
    final String policyXml = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>"
            + "<attachment id=\"security-policy-episode\" type=\"security/xacml+episode\" xmlns=\"http://mediapackage.opencastproject.org\">"
            + "<mimetype>text/xml</mimetype><url>http://host/security-policy-episode.xml</url></attachment>";
    URI mpURI = LiveScheduleServiceImplTest.class.getResource("/live-mp.xml").toURI();
    MediaPackage mp = MediaPackageBuilderFactory.newInstance().newMediaPackageBuilder().loadFromXml(mpURI.toURL().openStream());
    Job distributionJob = createJob(1L, "anything", policyXml);
    // Exactly one distribution of the new policy is expected; the registry resolves it any number of times
    EasyMock.expect(downloadDistributionService.distribute(EasyMock.anyString(), EasyMock.anyObject(MediaPackage.class), EasyMock.anyObject(String.class), EasyMock.anyBoolean())).andReturn(distributionJob).once();
    EasyMock.expect(serviceRegistry.getJob(1L)).andReturn(distributionJob).anyTimes();
    replayServices();
    service.setDownloadDistributionService(downloadDistributionService);
    AccessControlList acl = new AccessControlList(new AccessControlEntry("user", "read", true));
    MediaPackage updated = service.replaceAndDistributeAcl(mp, acl);
    // The result must carry exactly one episode policy attachment pointing at the distributed URL
    Attachment[] policies = updated.getAttachments(MediaPackageElements.XACML_POLICY_EPISODE);
    Assert.assertNotNull(policies);
    Assert.assertEquals(1, policies.length);
    Attachment policy = policies[0];
    Assert.assertEquals("http://host/security-policy-episode.xml", policy.getURI().toString());
    Assert.assertEquals("security/xacml+episode", policy.getFlavor().toString());
    EasyMock.verify(downloadDistributionService);
}

Example 18 with AccessControlEntry

use of org.opencastproject.security.api.AccessControlEntry in project opencast by opencast.

the class XACMLSecurityTest method testSecurity.

@Test
public void testSecurity() throws Exception {
    MediaPackage mediapackage = MediaPackageBuilderFactory.newInstance().newMediaPackageBuilder().createNew();
    // Without any policy attached, the active ACL is empty
    Assert.assertEquals(0, authzService.getActiveAcl(mediapackage).getA().getEntries().size());
    // Referencing a series alone does not introduce any entries either
    mediapackage.setSeries("123");
    Assert.assertEquals(0, authzService.getActiveAcl(mediapackage).getA().getEntries().size());
    // First series ACL: admin deletes/reads, student reads/comments, anonymous reads but is denied comment
    AccessControlList aclSeries1 = new AccessControlList();
    List<AccessControlEntry> entriesSeries1 = aclSeries1.getEntries();
    addAce(entriesSeries1, "admin", "delete", true);
    addAce(entriesSeries1, "admin", "read", true);
    addAce(entriesSeries1, "student", "read", true);
    addAce(entriesSeries1, "student", "comment", true);
    addAce(entriesSeries1, DefaultOrganization.DEFAULT_ORGANIZATION_ANONYMOUS, "read", true);
    addAce(entriesSeries1, DefaultOrganization.DEFAULT_ORGANIZATION_ANONYMOUS, "comment", false);
    // Second series ACL: same as the first, but the student grants turn into explicit denials
    AccessControlList aclSeries2 = new AccessControlList();
    List<AccessControlEntry> entriesSeries2 = aclSeries2.getEntries();
    addAce(entriesSeries2, "admin", "delete", true);
    addAce(entriesSeries2, "admin", "read", true);
    addAce(entriesSeries2, "student", "read", false);
    addAce(entriesSeries2, "student", "comment", false);
    addAce(entriesSeries2, DefaultOrganization.DEFAULT_ORGANIZATION_ANONYMOUS, "read", true);
    addAce(entriesSeries2, DefaultOrganization.DEFAULT_ORGANIZATION_ANONYMOUS, "comment", false);
    // An episode ACL that grants nothing at all
    AccessControlList aclEpisode = new AccessControlList();
    // Series policy in place: the grants above must be reflected by the authorization service
    authzService.setAcl(mediapackage, AclScope.Series, aclSeries1);
    actAs(new JaxbRole("admin", organization, ""));
    expectPermissions(mediapackage, true, true, false);
    actAs(new JaxbRole("student", organization, ""));
    expectPermissions(mediapackage, false, true, true);
    // An (empty) episode ACL becomes the active one and overrides the series ACL, even for admin
    actAs(new JaxbRole("admin", organization));
    mediapackage = authzService.setAcl(mediapackage, AclScope.Episode, aclEpisode).getA();
    Assert.assertEquals(AclScope.Episode, authzService.getActiveAcl(mediapackage).getB());
    expectPermissions(mediapackage, false, false, false);
    // Removing the episode ACL makes the series ACL active again, entry for entry
    mediapackage = authzService.removeAcl(mediapackage, AclScope.Episode);
    AccessControlList computedAcl = authzService.getActiveAcl(mediapackage).getA();
    Assert.assertEquals("ACLs are the same size?", entriesSeries1.size(), computedAcl.getEntries().size());
    Assert.assertTrue("ACLs contain the same ACEs?", computedAcl.getEntries().containsAll(entriesSeries1));
    // With the second series ACL the student denials take effect while anonymous keeps read only
    authzService.setAcl(mediapackage, AclScope.Series, aclSeries2);
    actAs(new JaxbRole("student", organization));
    expectPermissions(mediapackage, false, false, false);
    actAs(new JaxbRole(DefaultOrganization.DEFAULT_ORGANIZATION_ANONYMOUS, organization, ""));
    expectPermissions(mediapackage, false, true, false);
}

/** Replaces the roles of the current user with the single given role. */
private void actAs(JaxbRole role) {
    currentRoles.clear();
    currentRoles.add(role);
}

/** Asserts the outcome of {@code hasPermission} for the delete, read and comment actions, in that order. */
private void expectPermissions(MediaPackage mp, boolean delete, boolean read, boolean comment) {
    Assert.assertEquals("delete", delete, authzService.hasPermission(mp, "delete"));
    Assert.assertEquals("read", read, authzService.hasPermission(mp, "read"));
    Assert.assertEquals("comment", comment, authzService.hasPermission(mp, "comment"));
}

/** Appends a new access control entry to the given (live) entry list of an ACL. */
private static void addAce(List<AccessControlEntry> entries, String role, String action, boolean allow) {
    entries.add(new AccessControlEntry(role, action, allow));
}

Example 19 with AccessControlEntry

use of org.opencastproject.security.api.AccessControlEntry in project opencast by opencast.

the class AssetManagerWithMessagingTest method mkAssetManager.

public AssetManagerWithMessaging mkAssetManager() throws Exception {
    // Workspace mock: every lookup resolves to the bundled dublincore-a.xml test resource
    final Workspace ws = EasyMock.createNiceMock(Workspace.class);
    final File dublinCoreFile = new File(getClass().getResource("/dublincore-a.xml").toURI());
    EasyMock.expect(ws.get(EasyMock.anyObject(URI.class))).andReturn(dublinCoreFile).anyTimes();
    // read() answers lazily so that each call gets a fresh stream
    EasyMock.expect(ws.read(EasyMock.anyObject(URI.class))).andAnswer(() -> getClass().getResourceAsStream("/dublincore-a.xml")).anyTimes();
    EasyMock.replay(ws);
    // Authorization mock: every media package has an episode-scoped ACL granting admin write access
    final AccessControlEntry adminWrite = new AccessControlEntry("admin", "write", true);
    final AccessControlList acl = new AccessControlList(adminWrite);
    final AuthorizationService authz = EasyMock.createNiceMock(AuthorizationService.class);
    EasyMock.expect(authz.getActiveAcl(EasyMock.<MediaPackage>anyObject())).andReturn(tuple(acl, AclScope.Episode)).anyTimes();
    EasyMock.replay(authz);
    ms = EasyMock.createMock(MessageSender.class);
    // message receive part is currently not under test so we can pass null values
    return new AssetManagerWithMessaging(mkAbstractAssetManager(), ms, null, authz, null, null, ws, null);
}

Example 20 with AccessControlEntry

use of org.opencastproject.security.api.AccessControlEntry in project opencast by opencast.

the class EventsEndpoint method addEventAce.

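/**
 * Grants {@code role} permission to execute {@code action} on the event with id {@code id}.
 * <p>
 * The event's current ACL is read from the index, the new allow entry is merged in (an existing deny for the
 * same role/action pair is replaced, an identical allow leaves the ACL untouched) and the result is written
 * back through the index service.
 *
 * @param acceptHeader
 *          the Accept header (unused, the response is always JSON)
 * @param id
 *          the event id
 * @param action
 *          the action to allow
 * @param role
 *          the role to grant the action to; a missing or blank role is rejected with 400
 * @return 204 on success, 400 for a blank role, 403 if the index service refuses the update, 404 if the
 *         event does not exist
 * @throws Exception
 *           if reading the event from the index fails
 */
@POST
@Path("{eventId}/acl/{action}")
@Produces({ "application/json", "application/v1.0.0+json" })
@RestQuery(name = "addeventace", description = "Grants permission to execute action on the specified event to any user with role role. Note that this is a convenience method to avoid having to build and post a complete access control list.", returnDescription = "", pathParameters = { @RestParameter(name = "eventId", description = "The event id", isRequired = true, type = STRING), @RestParameter(name = "action", description = "The action that is allowed to be executed", isRequired = true, type = STRING) }, restParameters = { @RestParameter(name = "role", isRequired = true, description = "The role that is granted permission", type = STRING) }, reponses = { @RestResponse(description = "The permission has been created in the access control list of the specified event.", responseCode = HttpServletResponse.SC_NO_CONTENT), @RestResponse(description = "The specified event does not exist.", responseCode = HttpServletResponse.SC_NOT_FOUND) })
public Response addEventAce(@HeaderParam("Accept") String acceptHeader, @PathParam("eventId") String id, @PathParam("action") String action, @FormParam("role") String role) throws Exception {
    // The REST documentation marks "role" as required, but JAX-RS does not enforce that for form
    // parameters; without this check a missing role would end up as an entry granting the action
    // to a null role.
    if (role == null || role.trim().isEmpty()) {
        return Response.status(Status.BAD_REQUEST).build();
    }
    for (final Event event : indexService.getEvent(id, externalIndex)) {
        AccessControlList accessControlList = getAclFromEvent(event);
        AccessControlEntry newAce = new AccessControlEntry(role, action, true);
        AccessControlList withNewAce = new AccessControlList(mergeAllowEntry(accessControlList.getEntries(), newAce));
        try {
            // The persisted ACL returned here is not needed; only success or failure matters
            indexService.updateEventAcl(id, withNewAce, externalIndex);
        } catch (IllegalArgumentException e) {
            // NOTE(review): presumably thrown when the caller may not change this event's ACL — confirm
            logger.error("Unable to update event '{}' acl entry with action '{}' and role '{}' because: {}", id, action, role, ExceptionUtils.getStackTrace(e));
            return Response.status(Status.FORBIDDEN).build();
        }
        return ApiResponses.Json.noContent(ApiVersion.VERSION_1_0_0);
    }
    return ApiResponses.notFound("Cannot find an event with id '%s'.", id);
}

/**
 * Merges an allow entry into an existing list of access control entries.
 * <p>
 * If an entry equal to {@code newAce} is already present, the existing list is returned as is. Otherwise a
 * copy is built in which every deny entry for the same role and action is replaced by {@code newAce}; if no
 * such deny entry exists, {@code newAce} is appended.
 *
 * @param existing
 *          the entries of the current ACL
 * @param newAce
 *          the allow entry to merge in
 * @return the list of entries the updated ACL should hold
 */
private static List<AccessControlEntry> mergeAllowEntry(List<AccessControlEntry> existing, AccessControlEntry newAce) {
    for (AccessControlEntry ace : existing) {
        if (ace.equals(newAce)) {
            // Identical entry already present: nothing to change
            return existing;
        }
    }
    List<AccessControlEntry> merged = new ArrayList<>();
    boolean replacedDeny = false;
    for (AccessControlEntry ace : existing) {
        if (ace.getAction().equals(newAce.getAction()) && ace.getRole().equals(newAce.getRole()) && !ace.isAllow()) {
            // An explicit denial for this role/action is turned into the requested grant
            merged.add(newAce);
            replacedDeny = true;
        } else {
            merged.add(ace);
        }
    }
    if (!replacedDeny) {
        merged.add(newAce);
    }
    return merged;
}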
