use of org.springframework.security.acls.model.AccessControlEntry in project Gemma by PavlidisLab.
the class SecurityServiceTest method testRemoveMultipleAcesFromPrivateExpressionExperiment.
/*
* Tests an unlikely scenario: if an ACE was duplicated with the same principal, permission and
* object, then both copies can be deleted.
*/
@Test
public void testRemoveMultipleAcesFromPrivateExpressionExperiment() {
    // Fixture: a private experiment owned by a freshly created user.
    ExpressionExperiment experiment = super.getTestPersistentBasicExpressionExperiment();
    this.securityService.makePrivate(experiment);

    String ownerName = "salmonid";
    String readerGroup = "fish" + this.randomName();
    this.makeUser(ownerName);
    this.securityService.makeOwnedByUser(experiment, ownerName);
    assertTrue(this.securityService.isEditableByUser(experiment, ownerName));

    // From here on the test acts as the owner, who also creates the group.
    this.runAsUser(ownerName);
    this.securityService.createGroup(readerGroup);

    // Baseline: how many ACEs the experiment carries before any group grant.
    MutableAcl baselineAcl = aclTestUtils.getAcl(experiment);
    int baselineAceCount = baselineAcl.getEntries().size();

    // Granting READ to the group must add exactly one ACE.
    this.securityService.makeReadableByGroup(experiment, readerGroup);
    MutableAcl aclWithGrant = aclTestUtils.getAcl(experiment);
    assertEquals(baselineAceCount + 1, aclWithGrant.getEntries().size());

    // Try to force a second, identical READ ACE for the same group authority by writing to the ACL
    // directly. The assertion below pins the current behaviour: the duplicate is not stored, so the
    // count stays at baseline + 1.
    List<GrantedAuthority> authoritiesOfGroup = this.userManager.findGroupAuthorities(readerGroup);
    GrantedAuthority firstAuthority = authoritiesOfGroup.get(0);
    int appendIndex = aclWithGrant.getEntries().size();
    AclGrantedAuthoritySid groupSid = new AclGrantedAuthoritySid(this.userManager.getRolePrefix() + firstAuthority);
    aclWithGrant.insertAce(appendIndex, BasePermission.READ, groupSid, true);
    this.aclTestUtils.update(aclWithGrant);
    MutableAcl aclAfterDuplicateAttempt = aclTestUtils.getAcl(experiment);
    assertEquals(baselineAceCount + 1, aclAfterDuplicateAttempt.getEntries().size());

    // Revoking the group's read access must take the ACL back to the baseline count.
    this.securityService.makeUnreadableByGroup(experiment, readerGroup);
    MutableAcl aclAfterRevoke = aclTestUtils.getAcl(experiment);
    assertEquals(baselineAceCount, aclAfterRevoke.getEntries().size());
    List<AccessControlEntry> remainingEntries = aclAfterRevoke.getEntries();
    assertEquals(baselineAceCount, remainingEntries.size());

    // Every surviving ACE must belong to one of the expected SIDs. The owner is listed twice, so
    // each expected SID is consumed once per matching ACE.
    // NOTE(review): only the ACE list is inspected here; nothing in this test performs an actual
    // read check as a group member after the revoke.
    Collection<String> expectedSids = new ArrayList<>();
    expectedSids.add("AclGrantedAuthoritySid[GROUP_ADMIN]");
    expectedSids.add("AclGrantedAuthoritySid[GROUP_AGENT]");
    expectedSids.add("AclPrincipalSid[salmonid]");
    expectedSids.add("AclPrincipalSid[salmonid]");
    for (AccessControlEntry remaining : remainingEntries) {
        String sidText = remaining.getSid().toString();
        // remove() returns true only when the SID was still expected, and consumes one occurrence.
        assertTrue(expectedSids.remove(sidText));
    }

    // Clean up the group. The test user is left in place, and this cleanup is skipped when an
    // assertion above fails because it is not in a finally block.
    this.userManager.deleteGroup(readerGroup);
}
use of org.springframework.security.acls.model.AccessControlEntry in project spring-security by spring-projects.
the class AccessControlImplEntryTests method testAccessControlEntryImplGetters.
@Test
public void testAccessControlEntryImplGetters() {
    // Fixture: a mocked owning ACL and a principal SID for "johndoe".
    Acl owningAcl = mock(Acl.class);
    Sid principal = new PrincipalSid("johndoe");

    // Build an entry with id 1, ADMINISTRATION permission and all three boolean flags set to true.
    AccessControlEntry entry = new AccessControlEntryImpl(1L, owningAcl, principal,
            BasePermission.ADMINISTRATION, true, true, true);

    // Each getter must hand back exactly what the constructor received.
    assertThat(entry.getId()).isEqualTo(1L);
    assertThat(entry.getAcl()).isEqualTo(owningAcl);
    assertThat(entry.getSid()).isEqualTo(principal);
    assertThat(entry.isGranting()).isTrue();
    assertThat(entry.getPermission()).isEqualTo(BasePermission.ADMINISTRATION);

    // The audit flags are only reachable through the auditable sub-interface.
    AuditableAccessControlEntry auditable = (AuditableAccessControlEntry) entry;
    assertThat(auditable.isAuditFailure()).isTrue();
    assertThat(auditable.isAuditSuccess()).isTrue();
}
use of org.springframework.security.acls.model.AccessControlEntry in project spring-security by spring-projects.
the class DefaultPermissionGrantingStrategy method isGranted.
/**
* Determines authorization. The order of the <code>permission</code> and
* <code>sid</code> arguments is <em>extremely important</em>! The method will iterate
* through each of the <code>permission</code>s in the order specified. For each
* iteration, all of the <code>sid</code>s will be considered, again in the order they
* are presented. A search will then be performed for the first
* {@link AccessControlEntry} object that directly matches that
* <code>permission:sid</code> combination. When the <em>first full match</em> is
* found (i.e. an ACE that has the SID currently being searched for and the exact
* permission bit mask being searched for), the grant or deny flag for that ACE will
* prevail. If the ACE specifies to grant access, the method will return
* <code>true</code>. If the ACE specifies to deny access, the loop will stop and the
* next <code>permission</code> iteration will be performed. If each permission
* indicates to deny access, the first deny ACE found will be considered the reason
* for the failure (as it was the first match found, and is therefore the one most
* logically requiring changes - although not always). If absolutely no matching ACE
* was found at all for any permission, the parent ACL will be tried (provided that
* there is a parent and {@link Acl#isEntriesInheriting()} is <code>true</code>). The
* parent ACL will also scan its parent and so on. If ultimately no matching ACE is
* found, a <code>NotFoundException</code> will be thrown and the caller will need to
* decide how to handle the permission check. Similarly, if any of the SID arguments
* presented to the method were not loaded by the ACL,
* <code>UnloadedSidException</code> will be thrown.
* @param permission the exact permissions to scan for (order is important)
* @param sids the exact SIDs to scan for (order is important)
* @param administrativeMode if <code>true</code> denotes the query is for
* administrative purposes and no auditing will be undertaken
* @return <code>true</code> if one of the permissions has been granted,
* <code>false</code> if one of the permissions has been specifically revoked
* @throws NotFoundException if an exact ACE for one of the permission bit masks and
* SID combination could not be found
*/
@Override
public boolean isGranted(Acl acl, List<Permission> permission, List<Sid> sids, boolean administrativeMode) throws NotFoundException {
    AccessControlEntry earliestDenial = null;
    final List<AccessControlEntry> entries = acl.getEntries();

    // Permissions are tried in caller order, and for each permission the SIDs in caller order.
    // The first ACE that matches a permission/SID pair decides that pair, so the order of the
    // ACEs in the ACL matters: an ACE placed after the first match is never consulted.
    nextPermission:
    for (Permission requested : permission) {
        for (Sid candidate : sids) {
            for (AccessControlEntry entry : entries) {
                // The two-argument isGranted overload (not shown here) decides whether this
                // ACE's permission matches the requested one; the SID must be equal as well.
                if (!isGranted(entry, requested) || !entry.getSid().equals(candidate)) {
                    continue;
                }
                if (entry.isGranting()) {
                    // First match grants: audit unless in administrative mode, then allow.
                    if (!administrativeMode) {
                        this.auditLogger.logIfNeeded(true, entry);
                    }
                    return true;
                }
                // First match denies: remember only the earliest denial (used for auditing) and
                // give up on this permission. A later permission in the list may still grant.
                if (earliestDenial == null) {
                    earliestDenial = entry;
                }
                continue nextPermission;
            }
        }
    }

    if (earliestDenial == null) {
        // Nothing matched at all, neither grant nor deny.
        if (acl.isEntriesInheriting() && (acl.getParentAcl() != null)) {
            // Delegate to the parent ACL.
            // NOTE(review): the parent is always called with administrativeMode=false, so the
            // caller's administrativeMode is not propagated - confirm this is intended.
            return acl.getParentAcl().isGranted(permission, sids, false);
        }
        // No parent to ask (or inheritance is off): report "no matching ACE" to the caller.
        // This is not a grant; how the caller treats the exception is outside this method.
        throw new NotFoundException("Unable to locate a matching ACE for passed permissions and SIDs");
    }

    // At least one matching ACE denied and none granted. The parent ACL is not consulted here.
    if (!administrativeMode) {
        this.auditLogger.logIfNeeded(false, earliestDenial);
    }
    return false;
}
use of org.springframework.security.acls.model.AccessControlEntry in project spring-security by spring-projects.
the class ContactManagerBackend method deletePermission.
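/**
 * Removes from the contact's ACL every ACE whose SID equals {@code recipient} and whose
 * permission equals {@code permission}, then persists the ACL.
 *
 * @param contact the contact whose ACL is edited; its id forms the object identity
 * @param recipient the SID whose entries are removed
 * @param permission the permission whose entries are removed for that SID
 */
public void deletePermission(Contact contact, Sid recipient, Permission permission) {
    ObjectIdentity oid = new ObjectIdentityImpl(Contact.class, contact.getId());
    MutableAcl acl = (MutableAcl) mutableAclService.readAclById(oid);
    List<AccessControlEntry> entries = acl.getEntries();
    // Walk the indices from the end. deleteAce(i) shifts every later entry down by one, so a
    // forward scan that deletes at index i would then compare and delete using indices that no
    // longer line up with the ACL: a second matching ACE could be skipped (leaving the recipient
    // with the permission after a revoke) or an unrelated ACE could be removed instead.
    // Deleting from the back keeps all lower indices valid, whether getEntries() returned a
    // snapshot or a live view (not visible from this method).
    for (int i = entries.size() - 1; i >= 0; i--) {
        AccessControlEntry entry = entries.get(i);
        if (entry.getSid().equals(recipient) && entry.getPermission().equals(permission)) {
            acl.deleteAce(i);
        }
    }
    mutableAclService.updateAcl(acl);
    if (logger.isDebugEnabled()) {
        logger.debug("Deleted contact " + contact + " ACL permissions for recipient " + recipient);
    }
}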
use of org.springframework.security.acls.model.AccessControlEntry in project ArachneCentralAPI by OHDSI.
the class DefaultPermissionGrantingStrategy method isGranted.
/**
* Determines authorization. The order of the <code>permission</code> and
* <code>sid</code> arguments is <em>extremely important</em>! The method will iterate
* through each of the <code>permission</code>s in the order specified. For each
* iteration, all of the <code>sid</code>s will be considered, again in the order they
* are presented. A search will then be performed for the first
* {@link AccessControlEntry} object that directly matches that
* <code>permission:sid</code> combination. When the <em>first full match</em> is
* found (i.e. an ACE that has the SID currently being searched for and the exact
* permission bit mask being searched for), the grant or deny flag for that ACE will
* prevail. If the ACE specifies to grant access, the method will return
* <code>true</code>. If the ACE specifies to deny access, the loop will stop and the
* next <code>permission</code> iteration will be performed. If each permission
* indicates to deny access, the first deny ACE found will be considered the reason
* for the failure (as it was the first match found, and is therefore the one most
* logically requiring changes - although not always). If absolutely no matching ACE
* was found at all for any permission, the parent ACL will be tried (provided that
* there is a parent and {@link Acl#isEntriesInheriting()} is <code>true</code>). The
* parent ACL will also scan its parent and so on. If ultimately no matching ACE is
* found, a <code>NotFoundException</code> will be thrown and the caller will need to
* decide how to handle the permission check. Similarly, if any of the SID arguments
* presented to the method were not loaded by the ACL,
* <code>UnloadedSidException</code> will be thrown.
*
* @param permission the exact permissions to scan for (order is important)
* @param sids the exact SIDs to scan for (order is important)
* @param administrativeMode if <code>true</code> denotes the query is for
* administrative purposes and no auditing will be undertaken
* @return <code>true</code> if one of the permissions has been granted,
* <code>false</code> if one of the permissions has been specifically revoked
* @throws NotFoundException if an exact ACE for one of the permission bit masks and
* SID combination could not be found
*/
public boolean isGranted(Acl acl, List<Permission> permission, List<Sid> sids, boolean administrativeMode) throws NotFoundException {
    AccessControlEntry earliestDenial = null;
    final List<AccessControlEntry> entries = acl.getEntries();

    // Permissions are tried in caller order, and for each permission the SIDs in caller order.
    // The first ACE that matches a permission/SID pair decides that pair, so ACE order matters.
    nextPermission:
    for (Permission requested : permission) {
        for (Sid candidate : sids) {
            for (AccessControlEntry entry : entries) {
                // Mask test: the ACE matches when every bit set in the ACE's mask is also set in
                // the requested mask, i.e. the ACE mask is a subset of the request.
                // NOTE(review): this is a subset match rather than mask equality, so an ACE
                // holding only some of the requested bits matches, and an ACE with mask 0 matches
                // any request - confirm this is the intended policy.
                int entryMask = entry.getPermission().getMask();
                boolean maskMatches = (entryMask & requested.getMask()) == entryMask;
                if (!maskMatches || !entry.getSid().equals(candidate)) {
                    continue;
                }
                if (entry.isGranting()) {
                    // First match grants: audit unless in administrative mode, then allow.
                    if (!administrativeMode) {
                        auditLogger.logIfNeeded(true, entry);
                    }
                    return true;
                }
                // First match denies: remember only the earliest denial (used for auditing) and
                // give up on this permission. A later permission in the list may still grant.
                if (earliestDenial == null) {
                    earliestDenial = entry;
                }
                continue nextPermission;
            }
        }
    }

    // At least one matching ACE denied and none granted. The parent ACL is not consulted here.
    if (earliestDenial != null) {
        if (!administrativeMode) {
            auditLogger.logIfNeeded(false, earliestDenial);
        }
        return false;
    }

    // Nothing matched at all, neither grant nor deny.
    boolean canAskParent = acl.isEntriesInheriting() && (acl.getParentAcl() != null);
    if (!canAskParent) {
        // No parent to ask (or inheritance is off): report "no matching ACE" to the caller.
        // This is not a grant; how the caller treats the exception is outside this method.
        throw new NotFoundException("Unable to locate a matching ACE for passed permissions and SIDs");
    }
    // Delegate to the parent ACL.
    // NOTE(review): the parent is always called with administrativeMode=false, so the caller's
    // administrativeMode is not propagated - confirm this is intended.
    return acl.getParentAcl().isGranted(permission, sids, false);
}