Examples with AccessControlEntry org.springframework.security.acls.model.AccessControlEntry used on opensource projects

Example 6 with AccessControlEntry

use of org.springframework.security.acls.model.AccessControlEntry in project spring-security by spring-projects.

the class AclImpl method toString.

@Override
public String toString() {
    StringBuilder sb = new StringBuilder();
    sb.append("AclImpl[");
    sb.append("id: ").append(this.id).append("; ");
    sb.append("objectIdentity: ").append(this.objectIdentity).append("; ");
    sb.append("owner: ").append(this.owner).append("; ");
    int count = 0;
    for (AccessControlEntry ace : this.aces) {
        count++;
        if (count == 1) {
            sb.append("\n");
        }
        sb.append(ace).append("\n");
    }
    if (count == 0) {
        sb.append("no ACEs; ");
    }
    sb.append("inheriting: ").append(this.entriesInheriting).append("; ");
    sb.append("parent: ").append((this.parentAcl == null) ? "Null" : this.parentAcl.getObjectIdentity().toString());
    sb.append("; ");
    sb.append("aclAuthorizationStrategy: ").append(this.aclAuthorizationStrategy).append("; ");
    sb.append("permissionGrantingStrategy: ").append(this.permissionGrantingStrategy);
    sb.append("]");
    return sb.toString();
}

Example 7 with AccessControlEntry

use of org.springframework.security.acls.model.AccessControlEntry in project spring-security by spring-projects.

the class AuditLoggerTests method nonAuditableAceIsIgnored.

@Test
public void nonAuditableAceIsIgnored() {
    AccessControlEntry ace = mock(AccessControlEntry.class);
    this.logger.logIfNeeded(true, ace);
    assertThat(this.bytes.size()).isZero();
}

Example 8 with AccessControlEntry

use of org.springframework.security.acls.model.AccessControlEntry in project spring-security by spring-projects.

the class JdbcMutableAclServiceTests method testLifecycle.

@Test
@Transactional
public void testLifecycle() {
    SecurityContextHolder.getContext().setAuthentication(this.auth);
    MutableAcl topParent = this.jdbcMutableAclService.createAcl(getTopParentOid());
    MutableAcl middleParent = this.jdbcMutableAclService.createAcl(getMiddleParentOid());
    MutableAcl child = this.jdbcMutableAclService.createAcl(getChildOid());
    // Specify the inheritance hierarchy
    middleParent.setParent(topParent);
    child.setParent(middleParent);
    // Now let's add a couple of permissions
    topParent.insertAce(0, BasePermission.READ, new PrincipalSid(this.auth), true);
    topParent.insertAce(1, BasePermission.WRITE, new PrincipalSid(this.auth), false);
    middleParent.insertAce(0, BasePermission.DELETE, new PrincipalSid(this.auth), true);
    child.insertAce(0, BasePermission.DELETE, new PrincipalSid(this.auth), false);
    // Explicitly save the changed ACL
    this.jdbcMutableAclService.updateAcl(topParent);
    this.jdbcMutableAclService.updateAcl(middleParent);
    this.jdbcMutableAclService.updateAcl(child);
    // Let's check if we can read them back correctly
    Map<ObjectIdentity, Acl> map = this.jdbcMutableAclService.readAclsById(Arrays.asList(getTopParentOid(), getMiddleParentOid(), getChildOid()));
    assertThat(map).hasSize(3);
    // Get the retrieved versions
    MutableAcl retrievedTopParent = (MutableAcl) map.get(getTopParentOid());
    MutableAcl retrievedMiddleParent = (MutableAcl) map.get(getMiddleParentOid());
    MutableAcl retrievedChild = (MutableAcl) map.get(getChildOid());
    // Check the retrieved versions has IDs
    assertThat(retrievedTopParent.getId()).isNotNull();
    assertThat(retrievedMiddleParent.getId()).isNotNull();
    assertThat(retrievedChild.getId()).isNotNull();
    // Check their parents were correctly persisted
    assertThat(retrievedTopParent.getParentAcl()).isNull();
    assertThat(retrievedMiddleParent.getParentAcl().getObjectIdentity()).isEqualTo(getTopParentOid());
    assertThat(retrievedChild.getParentAcl().getObjectIdentity()).isEqualTo(getMiddleParentOid());
    // Check their ACEs were correctly persisted
    assertThat(retrievedTopParent.getEntries()).hasSize(2);
    assertThat(retrievedMiddleParent.getEntries()).hasSize(1);
    assertThat(retrievedChild.getEntries()).hasSize(1);
    // Check the retrieved rights are correct
    List<Permission> read = Arrays.asList(BasePermission.READ);
    List<Permission> write = Arrays.asList(BasePermission.WRITE);
    List<Permission> delete = Arrays.asList(BasePermission.DELETE);
    List<Sid> pSid = Arrays.asList((Sid) new PrincipalSid(this.auth));
    assertThat(retrievedTopParent.isGranted(read, pSid, false)).isTrue();
    assertThat(retrievedTopParent.isGranted(write, pSid, false)).isFalse();
    assertThat(retrievedMiddleParent.isGranted(delete, pSid, false)).isTrue();
    assertThat(retrievedChild.isGranted(delete, pSid, false)).isFalse();
    assertThatExceptionOfType(NotFoundException.class).isThrownBy(() -> retrievedChild.isGranted(Arrays.asList(BasePermission.ADMINISTRATION), pSid, false));
    // Now check the inherited rights (when not explicitly overridden) also look OK
    assertThat(retrievedChild.isGranted(read, pSid, false)).isTrue();
    assertThat(retrievedChild.isGranted(write, pSid, false)).isFalse();
    assertThat(retrievedChild.isGranted(delete, pSid, false)).isFalse();
    // Next change the child so it doesn't inherit permissions from above
    retrievedChild.setEntriesInheriting(false);
    this.jdbcMutableAclService.updateAcl(retrievedChild);
    MutableAcl nonInheritingChild = (MutableAcl) this.jdbcMutableAclService.readAclById(getChildOid());
    assertThat(nonInheritingChild.isEntriesInheriting()).isFalse();
    // Check the child permissions no longer inherit
    assertThat(nonInheritingChild.isGranted(delete, pSid, true)).isFalse();
    assertThatExceptionOfType(NotFoundException.class).isThrownBy(() -> nonInheritingChild.isGranted(read, pSid, true));
    assertThatExceptionOfType(NotFoundException.class).isThrownBy(() -> nonInheritingChild.isGranted(write, pSid, true));
    // Let's add an identical permission to the child, but it'll appear AFTER the
    // current permission, so has no impact
    nonInheritingChild.insertAce(1, BasePermission.DELETE, new PrincipalSid(this.auth), true);
    // Let's also add another permission to the child
    nonInheritingChild.insertAce(2, BasePermission.CREATE, new PrincipalSid(this.auth), true);
    // Save the changed child
    this.jdbcMutableAclService.updateAcl(nonInheritingChild);
    MutableAcl retrievedNonInheritingChild = (MutableAcl) this.jdbcMutableAclService.readAclById(getChildOid());
    assertThat(retrievedNonInheritingChild.getEntries()).hasSize(3);
    // Output permissions
    for (int i = 0; i < retrievedNonInheritingChild.getEntries().size(); i++) {
        System.out.println(retrievedNonInheritingChild.getEntries().get(i));
    }
    // Check the permissions are as they should be
    // as
    assertThat(retrievedNonInheritingChild.isGranted(delete, pSid, true)).isFalse();
    // earlier
    // permission
    // overrode
    assertThat(retrievedNonInheritingChild.isGranted(Arrays.asList(BasePermission.CREATE), pSid, true)).isTrue();
    // Now check the first ACE (index 0) really is DELETE for our Sid and is
    // non-granting
    AccessControlEntry entry = retrievedNonInheritingChild.getEntries().get(0);
    assertThat(entry.getPermission().getMask()).isEqualTo(BasePermission.DELETE.getMask());
    assertThat(entry.getSid()).isEqualTo(new PrincipalSid(this.auth));
    assertThat(entry.isGranting()).isFalse();
    assertThat(entry.getId()).isNotNull();
    // Now delete that first ACE
    retrievedNonInheritingChild.deleteAce(0);
    // Save and check it worked
    MutableAcl savedChild = this.jdbcMutableAclService.updateAcl(retrievedNonInheritingChild);
    assertThat(savedChild.getEntries()).hasSize(2);
    assertThat(savedChild.isGranted(delete, pSid, false)).isTrue();
    SecurityContextHolder.clearContext();
}

Example 9 with AccessControlEntry

use of org.springframework.security.acls.model.AccessControlEntry in project spring-security by spring-projects.

the class AccessControlImplEntryTests method testEquals.

@Test
public void testEquals() {
    final Acl mockAcl = mock(Acl.class);
    final ObjectIdentity oid = mock(ObjectIdentity.class);
    given(mockAcl.getObjectIdentity()).willReturn(oid);
    Sid sid = new PrincipalSid("johndoe");
    AccessControlEntry ace = new AccessControlEntryImpl(1L, mockAcl, sid, BasePermission.ADMINISTRATION, true, true, true);
    assertThat(ace).isNotNull();
    assertThat(ace).isNotEqualTo(100L);
    assertThat(ace).isEqualTo(ace);
    assertThat(ace).isEqualTo(new AccessControlEntryImpl(1L, mockAcl, sid, BasePermission.ADMINISTRATION, true, true, true));
    assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(2L, mockAcl, sid, BasePermission.ADMINISTRATION, true, true, true));
    assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(1L, mockAcl, new PrincipalSid("scott"), BasePermission.ADMINISTRATION, true, true, true));
    assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(1L, mockAcl, sid, BasePermission.WRITE, true, true, true));
    assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(1L, mockAcl, sid, BasePermission.ADMINISTRATION, false, true, true));
    assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(1L, mockAcl, sid, BasePermission.ADMINISTRATION, true, false, true));
    assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(1L, mockAcl, sid, BasePermission.ADMINISTRATION, true, true, false));
}