Examples with MutableAcl org.springframework.security.acls.model.MutableAcl used on opensource projects

Example 51 with MutableAcl

use of org.springframework.security.acls.model.MutableAcl in project spring-security by spring-projects.

the class AclImplTests method gettersAndSettersAreConsistent.

@Test
public void gettersAndSettersAreConsistent() {
    Authentication auth = new TestingAuthenticationToken("ben", "ignored", "ROLE_GENERAL");
    auth.setAuthenticated(true);
    SecurityContextHolder.getContext().setAuthentication(auth);
    ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, (100));
    ObjectIdentity identity2 = new ObjectIdentityImpl(TARGET_CLASS, (101));
    MutableAcl acl = new AclImpl(identity, 1, this.authzStrategy, this.pgs, null, null, true, new PrincipalSid("joe"));
    MutableAcl parentAcl = new AclImpl(identity2, 2, this.authzStrategy, this.pgs, null, null, true, new PrincipalSid("joe"));
    MockAclService service = new MockAclService();
    acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true);
    acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"), true);
    service.updateAcl(acl);
    assertThat(1).isEqualTo(acl.getId());
    assertThat(identity).isEqualTo(acl.getObjectIdentity());
    assertThat(new PrincipalSid("joe")).isEqualTo(acl.getOwner());
    assertThat(acl.getParentAcl()).isNull();
    assertThat(acl.isEntriesInheriting()).isTrue();
    assertThat(acl.getEntries()).hasSize(2);
    acl.setParent(parentAcl);
    assertThat(parentAcl).isEqualTo(acl.getParentAcl());
    acl.setEntriesInheriting(false);
    assertThat(acl.isEntriesInheriting()).isFalse();
    acl.setOwner(new PrincipalSid("ben"));
    assertThat(new PrincipalSid("ben")).isEqualTo(acl.getOwner());
}

Example 52 with MutableAcl

use of org.springframework.security.acls.model.MutableAcl in project spring-security by spring-projects.

the class AclImplTests method isGrantingRejectsEmptyParameters.

@Test
public void isGrantingRejectsEmptyParameters() {
    MutableAcl acl = new AclImpl(this.objectIdentity, 1, this.authzStrategy, this.pgs, null, null, true, new PrincipalSid("joe"));
    Sid ben = new PrincipalSid("ben");
    assertThatIllegalArgumentException().isThrownBy(() -> acl.isGranted(new ArrayList<>(0), Arrays.asList(ben), false));
    assertThatIllegalArgumentException().isThrownBy(() -> acl.isGranted(READ, new ArrayList<>(0), false));
}

Example 53 with MutableAcl

use of org.springframework.security.acls.model.MutableAcl in project spring-security by spring-projects.

the class SpringCacheBasedAclCacheTests method cacheOperationsAclWithoutParent.

@SuppressWarnings("rawtypes")
@Test
public void cacheOperationsAclWithoutParent() {
    Cache cache = getCache();
    Map realCache = (Map) cache.getNativeCache();
    ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, 100L);
    AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL"));
    AuditLogger auditLogger = new ConsoleAuditLogger();
    PermissionGrantingStrategy permissionGrantingStrategy = new DefaultPermissionGrantingStrategy(auditLogger);
    SpringCacheBasedAclCache myCache = new SpringCacheBasedAclCache(cache, permissionGrantingStrategy, aclAuthorizationStrategy);
    MutableAcl acl = new AclImpl(identity, 1L, aclAuthorizationStrategy, auditLogger);
    assertThat(realCache).isEmpty();
    myCache.putInCache(acl);
    // Check we can get from cache the same objects we put in
    assertThat(acl).isEqualTo(myCache.getFromCache(1L));
    assertThat(acl).isEqualTo(myCache.getFromCache(identity));
    // Put another object in cache
    ObjectIdentity identity2 = new ObjectIdentityImpl(TARGET_CLASS, 101L);
    MutableAcl acl2 = new AclImpl(identity2, 2L, aclAuthorizationStrategy, new ConsoleAuditLogger());
    myCache.putInCache(acl2);
    // Try to evict an entry that doesn't exist
    myCache.evictFromCache(3L);
    myCache.evictFromCache(new ObjectIdentityImpl(TARGET_CLASS, 102L));
    assertThat(realCache).hasSize(4);
    myCache.evictFromCache(1L);
    assertThat(realCache).hasSize(2);
    // Check the second object inserted
    assertThat(acl2).isEqualTo(myCache.getFromCache(2L));
    assertThat(acl2).isEqualTo(myCache.getFromCache(identity2));
    myCache.evictFromCache(identity2);
    assertThat(realCache).isEmpty();
}

Example 54 with MutableAcl

use of org.springframework.security.acls.model.MutableAcl in project spring-security by spring-projects.

the class JdbcMutableAclServiceTests method testLifecycle.

@Test
@Transactional
public void testLifecycle() {
    SecurityContextHolder.getContext().setAuthentication(this.auth);
    MutableAcl topParent = this.jdbcMutableAclService.createAcl(getTopParentOid());
    MutableAcl middleParent = this.jdbcMutableAclService.createAcl(getMiddleParentOid());
    MutableAcl child = this.jdbcMutableAclService.createAcl(getChildOid());
    // Specify the inheritance hierarchy
    middleParent.setParent(topParent);
    child.setParent(middleParent);
    // Now let's add a couple of permissions
    topParent.insertAce(0, BasePermission.READ, new PrincipalSid(this.auth), true);
    topParent.insertAce(1, BasePermission.WRITE, new PrincipalSid(this.auth), false);
    middleParent.insertAce(0, BasePermission.DELETE, new PrincipalSid(this.auth), true);
    child.insertAce(0, BasePermission.DELETE, new PrincipalSid(this.auth), false);
    // Explicitly save the changed ACL
    this.jdbcMutableAclService.updateAcl(topParent);
    this.jdbcMutableAclService.updateAcl(middleParent);
    this.jdbcMutableAclService.updateAcl(child);
    // Let's check if we can read them back correctly
    Map<ObjectIdentity, Acl> map = this.jdbcMutableAclService.readAclsById(Arrays.asList(getTopParentOid(), getMiddleParentOid(), getChildOid()));
    assertThat(map).hasSize(3);
    // Get the retrieved versions
    MutableAcl retrievedTopParent = (MutableAcl) map.get(getTopParentOid());
    MutableAcl retrievedMiddleParent = (MutableAcl) map.get(getMiddleParentOid());
    MutableAcl retrievedChild = (MutableAcl) map.get(getChildOid());
    // Check the retrieved versions has IDs
    assertThat(retrievedTopParent.getId()).isNotNull();
    assertThat(retrievedMiddleParent.getId()).isNotNull();
    assertThat(retrievedChild.getId()).isNotNull();
    // Check their parents were correctly persisted
    assertThat(retrievedTopParent.getParentAcl()).isNull();
    assertThat(retrievedMiddleParent.getParentAcl().getObjectIdentity()).isEqualTo(getTopParentOid());
    assertThat(retrievedChild.getParentAcl().getObjectIdentity()).isEqualTo(getMiddleParentOid());
    // Check their ACEs were correctly persisted
    assertThat(retrievedTopParent.getEntries()).hasSize(2);
    assertThat(retrievedMiddleParent.getEntries()).hasSize(1);
    assertThat(retrievedChild.getEntries()).hasSize(1);
    // Check the retrieved rights are correct
    List<Permission> read = Arrays.asList(BasePermission.READ);
    List<Permission> write = Arrays.asList(BasePermission.WRITE);
    List<Permission> delete = Arrays.asList(BasePermission.DELETE);
    List<Sid> pSid = Arrays.asList((Sid) new PrincipalSid(this.auth));
    assertThat(retrievedTopParent.isGranted(read, pSid, false)).isTrue();
    assertThat(retrievedTopParent.isGranted(write, pSid, false)).isFalse();
    assertThat(retrievedMiddleParent.isGranted(delete, pSid, false)).isTrue();
    assertThat(retrievedChild.isGranted(delete, pSid, false)).isFalse();
    assertThatExceptionOfType(NotFoundException.class).isThrownBy(() -> retrievedChild.isGranted(Arrays.asList(BasePermission.ADMINISTRATION), pSid, false));
    // Now check the inherited rights (when not explicitly overridden) also look OK
    assertThat(retrievedChild.isGranted(read, pSid, false)).isTrue();
    assertThat(retrievedChild.isGranted(write, pSid, false)).isFalse();
    assertThat(retrievedChild.isGranted(delete, pSid, false)).isFalse();
    // Next change the child so it doesn't inherit permissions from above
    retrievedChild.setEntriesInheriting(false);
    this.jdbcMutableAclService.updateAcl(retrievedChild);
    MutableAcl nonInheritingChild = (MutableAcl) this.jdbcMutableAclService.readAclById(getChildOid());
    assertThat(nonInheritingChild.isEntriesInheriting()).isFalse();
    // Check the child permissions no longer inherit
    assertThat(nonInheritingChild.isGranted(delete, pSid, true)).isFalse();
    assertThatExceptionOfType(NotFoundException.class).isThrownBy(() -> nonInheritingChild.isGranted(read, pSid, true));
    assertThatExceptionOfType(NotFoundException.class).isThrownBy(() -> nonInheritingChild.isGranted(write, pSid, true));
    // Let's add an identical permission to the child, but it'll appear AFTER the
    // current permission, so has no impact
    nonInheritingChild.insertAce(1, BasePermission.DELETE, new PrincipalSid(this.auth), true);
    // Let's also add another permission to the child
    nonInheritingChild.insertAce(2, BasePermission.CREATE, new PrincipalSid(this.auth), true);
    // Save the changed child
    this.jdbcMutableAclService.updateAcl(nonInheritingChild);
    MutableAcl retrievedNonInheritingChild = (MutableAcl) this.jdbcMutableAclService.readAclById(getChildOid());
    assertThat(retrievedNonInheritingChild.getEntries()).hasSize(3);
    // Output permissions
    for (int i = 0; i < retrievedNonInheritingChild.getEntries().size(); i++) {
        System.out.println(retrievedNonInheritingChild.getEntries().get(i));
    }
    // Check the permissions are as they should be
    // as
    assertThat(retrievedNonInheritingChild.isGranted(delete, pSid, true)).isFalse();
    // earlier
    // permission
    // overrode
    assertThat(retrievedNonInheritingChild.isGranted(Arrays.asList(BasePermission.CREATE), pSid, true)).isTrue();
    // Now check the first ACE (index 0) really is DELETE for our Sid and is
    // non-granting
    AccessControlEntry entry = retrievedNonInheritingChild.getEntries().get(0);
    assertThat(entry.getPermission().getMask()).isEqualTo(BasePermission.DELETE.getMask());
    assertThat(entry.getSid()).isEqualTo(new PrincipalSid(this.auth));
    assertThat(entry.isGranting()).isFalse();
    assertThat(entry.getId()).isNotNull();
    // Now delete that first ACE
    retrievedNonInheritingChild.deleteAce(0);
    // Save and check it worked
    MutableAcl savedChild = this.jdbcMutableAclService.updateAcl(retrievedNonInheritingChild);
    assertThat(savedChild.getEntries()).hasSize(2);
    assertThat(savedChild.isGranted(delete, pSid, false)).isTrue();
    SecurityContextHolder.clearContext();
}

Example 55 with MutableAcl

use of org.springframework.security.acls.model.MutableAcl in project spring-security by spring-projects.

the class AclImplTests method insertAceFailsForNonExistentElement.

@Test
public void insertAceFailsForNonExistentElement() {
    MutableAcl acl = new AclImpl(this.objectIdentity, 1, this.authzStrategy, this.pgs, null, null, true, new PrincipalSid("joe"));
    MockAclService service = new MockAclService();
    // Insert one permission
    acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST1"), true);
    service.updateAcl(acl);
    assertThatExceptionOfType(NotFoundException.class).isThrownBy(() -> acl.insertAce(55, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"), true));
}