Search in sources :

Example 1 with AccessControlEntry

use of org.springframework.security.acls.model.AccessControlEntry in project Gemma by PavlidisLab.

the class SecurityServiceTest method testRemoveMultipleAcesFromPrivateExpressionExperiment.

/*
     * Tests an unlikely scenario?? but if there is an acl that was duplicated with same principal, permission and
     * object then both acls can be deleted.
     */
@Test
public void testRemoveMultipleAcesFromPrivateExpressionExperiment() {
    // make private experiment
    ExpressionExperiment ee = super.getTestPersistentBasicExpressionExperiment();
    this.securityService.makePrivate(ee);
    // add user and add the user to a group
    String username = "salmonid";
    String groupName = "fish" + this.randomName();
    this.makeUser(username);
    this.securityService.makeOwnedByUser(ee, username);
    assertTrue(this.securityService.isEditableByUser(ee, username));
    this.runAsUser(username);
    this.securityService.createGroup(groupName);
    // get the basic acls
    MutableAcl acl = aclTestUtils.getAcl(ee);
    int numberOfAces = acl.getEntries().size();
    // make readable by group add first ACE read for group and check added
    this.securityService.makeReadableByGroup(ee, groupName);
    MutableAcl aclAfterReadableAdded = aclTestUtils.getAcl(ee);
    assertEquals(numberOfAces + 1, aclAfterReadableAdded.getEntries().size());
    // force the addition of duplicate ACE read, fish group on the same experiment. Note that in the current
    // implementation this only adds one - we already avoid duplicates.
    List<GrantedAuthority> groupAuthorities = this.userManager.findGroupAuthorities(groupName);
    GrantedAuthority ga = groupAuthorities.get(0);
    aclAfterReadableAdded.insertAce(aclAfterReadableAdded.getEntries().size(), BasePermission.READ, new AclGrantedAuthoritySid(this.userManager.getRolePrefix() + ga), true);
    this.aclTestUtils.update(aclAfterReadableAdded);
    MutableAcl aclAfterReadableAddedDuplicate = aclTestUtils.getAcl(ee);
    assertEquals(numberOfAces + 1, aclAfterReadableAddedDuplicate.getEntries().size());
    // remove the ace now and check removed permission completely.
    this.securityService.makeUnreadableByGroup(ee, groupName);
    MutableAcl aclAfterReadableAddedDuplicateRemoval = aclTestUtils.getAcl(ee);
    assertEquals(numberOfAces, aclAfterReadableAddedDuplicateRemoval.getEntries().size());
    List<AccessControlEntry> entriesAfterDelete = aclAfterReadableAddedDuplicateRemoval.getEntries();
    assertEquals(numberOfAces, entriesAfterDelete.size());
    // also check that the right ACE check the principals
    Collection<String> principals = new ArrayList<>();
    principals.add("AclGrantedAuthoritySid[GROUP_ADMIN]");
    principals.add("AclGrantedAuthoritySid[GROUP_AGENT]");
    principals.add("AclPrincipalSid[salmonid]");
    principals.add("AclPrincipalSid[salmonid]");
    for (AccessControlEntry accessControl : entriesAfterDelete) {
        Sid sid = accessControl.getSid();
        assertTrue(principals.contains(sid.toString()));
        // remove it once in case found in case of duplicates
        principals.remove(sid.toString());
    }
    // clean up the groups
    this.userManager.deleteGroup(groupName);
// userManager.deleteUser( username );
}
Also used : GrantedAuthority(org.springframework.security.core.GrantedAuthority) AclGrantedAuthoritySid(gemma.gsec.acl.domain.AclGrantedAuthoritySid) AccessControlEntry(org.springframework.security.acls.model.AccessControlEntry) MutableAcl(org.springframework.security.acls.model.MutableAcl) ExpressionExperiment(ubic.gemma.model.expression.experiment.ExpressionExperiment) AclPrincipalSid(gemma.gsec.acl.domain.AclPrincipalSid) AclGrantedAuthoritySid(gemma.gsec.acl.domain.AclGrantedAuthoritySid) Sid(org.springframework.security.acls.model.Sid) BaseSpringContextTest(ubic.gemma.core.testing.BaseSpringContextTest) Test(org.junit.Test)

Example 2 with AccessControlEntry

use of org.springframework.security.acls.model.AccessControlEntry in project spring-security by spring-projects.

the class AccessControlImplEntryTests method testAccessControlEntryImplGetters.

@Test
public void testAccessControlEntryImplGetters() {
    Acl mockAcl = mock(Acl.class);
    Sid sid = new PrincipalSid("johndoe");
    // Create a sample entry
    AccessControlEntry ace = new AccessControlEntryImpl(1L, mockAcl, sid, BasePermission.ADMINISTRATION, true, true, true);
    // and check every get() method
    assertThat(ace.getId()).isEqualTo(1L);
    assertThat(ace.getAcl()).isEqualTo(mockAcl);
    assertThat(ace.getSid()).isEqualTo(sid);
    assertThat(ace.isGranting()).isTrue();
    assertThat(ace.getPermission()).isEqualTo(BasePermission.ADMINISTRATION);
    assertThat(((AuditableAccessControlEntry) ace).isAuditFailure()).isTrue();
    assertThat(((AuditableAccessControlEntry) ace).isAuditSuccess()).isTrue();
}
Also used : AuditableAccessControlEntry(org.springframework.security.acls.model.AuditableAccessControlEntry) AuditableAccessControlEntry(org.springframework.security.acls.model.AuditableAccessControlEntry) AccessControlEntry(org.springframework.security.acls.model.AccessControlEntry) Acl(org.springframework.security.acls.model.Acl) Sid(org.springframework.security.acls.model.Sid) Test(org.junit.jupiter.api.Test)

Example 3 with AccessControlEntry

use of org.springframework.security.acls.model.AccessControlEntry in project spring-security by spring-projects.

the class DefaultPermissionGrantingStrategy method isGranted.

/**
 * Determines authorization. The order of the <code>permission</code> and
 * <code>sid</code> arguments is <em>extremely important</em>! The method will iterate
 * through each of the <code>permission</code>s in the order specified. For each
 * iteration, all of the <code>sid</code>s will be considered, again in the order they
 * are presented. A search will then be performed for the first
 * {@link AccessControlEntry} object that directly matches that
 * <code>permission:sid</code> combination. When the <em>first full match</em> is
 * found (ie an ACE that has the SID currently being searched for and the exact
 * permission bit mask being search for), the grant or deny flag for that ACE will
 * prevail. If the ACE specifies to grant access, the method will return
 * <code>true</code>. If the ACE specifies to deny access, the loop will stop and the
 * next <code>permission</code> iteration will be performed. If each permission
 * indicates to deny access, the first deny ACE found will be considered the reason
 * for the failure (as it was the first match found, and is therefore the one most
 * logically requiring changes - although not always). If absolutely no matching ACE
 * was found at all for any permission, the parent ACL will be tried (provided that
 * there is a parent and {@link Acl#isEntriesInheriting()} is <code>true</code>. The
 * parent ACL will also scan its parent and so on. If ultimately no matching ACE is
 * found, a <code>NotFoundException</code> will be thrown and the caller will need to
 * decide how to handle the permission check. Similarly, if any of the SID arguments
 * presented to the method were not loaded by the ACL,
 * <code>UnloadedSidException</code> will be thrown.
 * @param permission the exact permissions to scan for (order is important)
 * @param sids the exact SIDs to scan for (order is important)
 * @param administrativeMode if <code>true</code> denotes the query is for
 * administrative purposes and no auditing will be undertaken
 * @return <code>true</code> if one of the permissions has been granted,
 * <code>false</code> if one of the permissions has been specifically revoked
 * @throws NotFoundException if an exact ACE for one of the permission bit masks and
 * SID combination could not be found
 */
@Override
public boolean isGranted(Acl acl, List<Permission> permission, List<Sid> sids, boolean administrativeMode) throws NotFoundException {
    List<AccessControlEntry> aces = acl.getEntries();
    AccessControlEntry firstRejection = null;
    for (Permission p : permission) {
        for (Sid sid : sids) {
            // Attempt to find exact match for this permission mask and SID
            boolean scanNextSid = true;
            for (AccessControlEntry ace : aces) {
                if (isGranted(ace, p) && ace.getSid().equals(sid)) {
                    // prevail
                    if (ace.isGranting()) {
                        // Success
                        if (!administrativeMode) {
                            this.auditLogger.logIfNeeded(true, ace);
                        }
                        return true;
                    }
                    // (this permission is 100% rejected for this SID)
                    if (firstRejection == null) {
                        // Store first rejection for auditing reasons
                        firstRejection = ace;
                    }
                    // helps break the loop
                    scanNextSid = false;
                    // exit aces loop
                    break;
                }
            }
            if (!scanNextSid) {
                // exit SID for loop (now try next permission)
                break;
            }
        }
    }
    if (firstRejection != null) {
        // other ACEs were found that granted a different permission
        if (!administrativeMode) {
            this.auditLogger.logIfNeeded(false, firstRejection);
        }
        return false;
    }
    // No matches have been found so far
    if (acl.isEntriesInheriting() && (acl.getParentAcl() != null)) {
        // We have a parent, so let them try to find a matching ACE
        return acl.getParentAcl().isGranted(permission, sids, false);
    }
    // We either have no parent, or we're the uppermost parent
    throw new NotFoundException("Unable to locate a matching ACE for passed permissions and SIDs");
}
Also used : Permission(org.springframework.security.acls.model.Permission) AccessControlEntry(org.springframework.security.acls.model.AccessControlEntry) NotFoundException(org.springframework.security.acls.model.NotFoundException) Sid(org.springframework.security.acls.model.Sid)

Example 4 with AccessControlEntry

use of org.springframework.security.acls.model.AccessControlEntry in project spring-security by spring-projects.

the class ContactManagerBackend method deletePermission.

public void deletePermission(Contact contact, Sid recipient, Permission permission) {
    ObjectIdentity oid = new ObjectIdentityImpl(Contact.class, contact.getId());
    MutableAcl acl = (MutableAcl) mutableAclService.readAclById(oid);
    // Remove all permissions associated with this particular recipient (string
    // equality to KISS)
    List<AccessControlEntry> entries = acl.getEntries();
    for (int i = 0; i < entries.size(); i++) {
        if (entries.get(i).getSid().equals(recipient) && entries.get(i).getPermission().equals(permission)) {
            acl.deleteAce(i);
        }
    }
    mutableAclService.updateAcl(acl);
    if (logger.isDebugEnabled()) {
        logger.debug("Deleted contact " + contact + " ACL permissions for recipient " + recipient);
    }
}
Also used : ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) ObjectIdentityImpl(org.springframework.security.acls.domain.ObjectIdentityImpl) AccessControlEntry(org.springframework.security.acls.model.AccessControlEntry) MutableAcl(org.springframework.security.acls.model.MutableAcl)

Example 5 with AccessControlEntry

use of org.springframework.security.acls.model.AccessControlEntry in project ArachneCentralAPI by OHDSI.

the class DefaultPermissionGrantingStrategy method isGranted.

/**
 * Determines authorization. The order of the <code>permission</code> and
 * <code>sid</code> arguments is <em>extremely important</em>! The method will iterate
 * through each of the <code>permission</code>s in the order specified. For each
 * iteration, all of the <code>sid</code>s will be considered, again in the order they
 * are presented. A search will then be performed for the first
 * {@link AccessControlEntry} object that directly matches that
 * <code>permission:sid</code> combination. When the <em>first full match</em> is
 * found (ie an ACE that has the SID currently being searched for and the exact
 * permission bit mask being search for), the grant or deny flag for that ACE will
 * prevail. If the ACE specifies to grant access, the method will return
 * <code>true</code>. If the ACE specifies to deny access, the loop will stop and the
 * next <code>permission</code> iteration will be performed. If each permission
 * indicates to deny access, the first deny ACE found will be considered the reason
 * for the failure (as it was the first match found, and is therefore the one most
 * logically requiring changes - although not always). If absolutely no matching ACE
 * was found at all for any permission, the parent ACL will be tried (provided that
 * there is a parent and {@link Acl#isEntriesInheriting()} is <code>true</code>. The
 * parent ACL will also scan its parent and so on. If ultimately no matching ACE is
 * found, a <code>NotFoundException</code> will be thrown and the caller will need to
 * decide how to handle the permission check. Similarly, if any of the SID arguments
 * presented to the method were not loaded by the ACL,
 * <code>UnloadedSidException</code> will be thrown.
 *
 * @param permission         the exact permissions to scan for (order is important)
 * @param sids               the exact SIDs to scan for (order is important)
 * @param administrativeMode if <code>true</code> denotes the query is for
 *                           administrative purposes and no auditing will be undertaken
 * @return <code>true</code> if one of the permissions has been granted,
 * <code>false</code> if one of the permissions has been specifically revoked
 * @throws NotFoundException if an exact ACE for one of the permission bit masks and
 *                           SID combination could not be found
 */
public boolean isGranted(Acl acl, List<Permission> permission, List<Sid> sids, boolean administrativeMode) throws NotFoundException {
    final List<AccessControlEntry> aces = acl.getEntries();
    AccessControlEntry firstRejection = null;
    for (Permission p : permission) {
        for (Sid sid : sids) {
            // Attempt to find exact match for this permission mask and SID
            boolean scanNextSid = true;
            for (AccessControlEntry ace : aces) {
                if (((ace.getPermission().getMask() & p.getMask()) == ace.getPermission().getMask()) && ace.getSid().equals(sid)) {
                    // prevail
                    if (ace.isGranting()) {
                        // Success
                        if (!administrativeMode) {
                            auditLogger.logIfNeeded(true, ace);
                        }
                        return true;
                    }
                    // (this permission is 100% rejected for this SID)
                    if (firstRejection == null) {
                        // Store first rejection for auditing reasons
                        firstRejection = ace;
                    }
                    // helps break the loop
                    scanNextSid = false;
                    // exit aces loop
                    break;
                }
            }
            if (!scanNextSid) {
                // exit SID for loop (now try next permission)
                break;
            }
        }
    }
    if (firstRejection != null) {
        // other ACEs were found that granted a different permission
        if (!administrativeMode) {
            auditLogger.logIfNeeded(false, firstRejection);
        }
        return false;
    }
    // No matches have been found so far
    if (acl.isEntriesInheriting() && (acl.getParentAcl() != null)) {
        // We have a parent, so let them try to find a matching ACE
        return acl.getParentAcl().isGranted(permission, sids, false);
    } else {
        // We either have no parent, or we're the uppermost parent
        throw new NotFoundException("Unable to locate a matching ACE for passed permissions and SIDs");
    }
}
Also used : Permission(org.springframework.security.acls.model.Permission) AccessControlEntry(org.springframework.security.acls.model.AccessControlEntry) NotFoundException(org.springframework.security.acls.model.NotFoundException) Sid(org.springframework.security.acls.model.Sid)

Aggregations

AccessControlEntry (org.springframework.security.acls.model.AccessControlEntry)9 Sid (org.springframework.security.acls.model.Sid)6 Test (org.junit.jupiter.api.Test)4 Acl (org.springframework.security.acls.model.Acl)3 AuditableAccessControlEntry (org.springframework.security.acls.model.AuditableAccessControlEntry)3 MutableAcl (org.springframework.security.acls.model.MutableAcl)3 NotFoundException (org.springframework.security.acls.model.NotFoundException)3 ObjectIdentity (org.springframework.security.acls.model.ObjectIdentity)3 Permission (org.springframework.security.acls.model.Permission)3 AclGrantedAuthoritySid (gemma.gsec.acl.domain.AclGrantedAuthoritySid)1 AclPrincipalSid (gemma.gsec.acl.domain.AclPrincipalSid)1 Test (org.junit.Test)1 BasePermission (org.springframework.security.acls.domain.BasePermission)1 CumulativePermission (org.springframework.security.acls.domain.CumulativePermission)1 GrantedAuthoritySid (org.springframework.security.acls.domain.GrantedAuthoritySid)1 ObjectIdentityImpl (org.springframework.security.acls.domain.ObjectIdentityImpl)1 PrincipalSid (org.springframework.security.acls.domain.PrincipalSid)1 CustomSid (org.springframework.security.acls.sid.CustomSid)1 GrantedAuthority (org.springframework.security.core.GrantedAuthority)1 Transactional (org.springframework.transaction.annotation.Transactional)1