Search in sources :

Example 31 with ObjectIdentity

use of org.springframework.security.acls.model.ObjectIdentity in project spring-security by spring-projects.

the class JdbcMutableAclServiceTests method testLifecycle.

@Test
@Transactional
public void testLifecycle() {
    SecurityContextHolder.getContext().setAuthentication(auth);
    MutableAcl topParent = jdbcMutableAclService.createAcl(topParentOid);
    MutableAcl middleParent = jdbcMutableAclService.createAcl(middleParentOid);
    MutableAcl child = jdbcMutableAclService.createAcl(childOid);
    // Specify the inheritance hierarchy
    middleParent.setParent(topParent);
    child.setParent(middleParent);
    // Now let's add a couple of permissions
    topParent.insertAce(0, BasePermission.READ, new PrincipalSid(auth), true);
    topParent.insertAce(1, BasePermission.WRITE, new PrincipalSid(auth), false);
    middleParent.insertAce(0, BasePermission.DELETE, new PrincipalSid(auth), true);
    child.insertAce(0, BasePermission.DELETE, new PrincipalSid(auth), false);
    // Explicitly save the changed ACL
    jdbcMutableAclService.updateAcl(topParent);
    jdbcMutableAclService.updateAcl(middleParent);
    jdbcMutableAclService.updateAcl(child);
    // Let's check if we can read them back correctly
    Map<ObjectIdentity, Acl> map = jdbcMutableAclService.readAclsById(Arrays.asList(topParentOid, middleParentOid, childOid));
    assertThat(map).hasSize(3);
    // Replace our current objects with their retrieved versions
    topParent = (MutableAcl) map.get(topParentOid);
    middleParent = (MutableAcl) map.get(middleParentOid);
    child = (MutableAcl) map.get(childOid);
    // Check the retrieved versions has IDs
    assertThat(topParent.getId()).isNotNull();
    assertThat(middleParent.getId()).isNotNull();
    assertThat(child.getId()).isNotNull();
    // Check their parents were correctly persisted
    assertThat(topParent.getParentAcl()).isNull();
    assertThat(middleParent.getParentAcl().getObjectIdentity()).isEqualTo(topParentOid);
    assertThat(child.getParentAcl().getObjectIdentity()).isEqualTo(middleParentOid);
    // Check their ACEs were correctly persisted
    assertThat(topParent.getEntries()).hasSize(2);
    assertThat(middleParent.getEntries()).hasSize(1);
    assertThat(child.getEntries()).hasSize(1);
    // Check the retrieved rights are correct
    List<Permission> read = Arrays.asList(BasePermission.READ);
    List<Permission> write = Arrays.asList(BasePermission.WRITE);
    List<Permission> delete = Arrays.asList(BasePermission.DELETE);
    List<Sid> pSid = Arrays.asList((Sid) new PrincipalSid(auth));
    assertThat(topParent.isGranted(read, pSid, false)).isTrue();
    assertThat(topParent.isGranted(write, pSid, false)).isFalse();
    assertThat(middleParent.isGranted(delete, pSid, false)).isTrue();
    assertThat(child.isGranted(delete, pSid, false)).isFalse();
    try {
        child.isGranted(Arrays.asList(BasePermission.ADMINISTRATION), pSid, false);
        fail("Should have thrown NotFoundException");
    } catch (NotFoundException expected) {
    }
    // Now check the inherited rights (when not explicitly overridden) also look OK
    assertThat(child.isGranted(read, pSid, false)).isTrue();
    assertThat(child.isGranted(write, pSid, false)).isFalse();
    assertThat(child.isGranted(delete, pSid, false)).isFalse();
    // Next change the child so it doesn't inherit permissions from above
    child.setEntriesInheriting(false);
    jdbcMutableAclService.updateAcl(child);
    child = (MutableAcl) jdbcMutableAclService.readAclById(childOid);
    assertThat(child.isEntriesInheriting()).isFalse();
    // Check the child permissions no longer inherit
    assertThat(child.isGranted(delete, pSid, true)).isFalse();
    try {
        child.isGranted(read, pSid, true);
        fail("Should have thrown NotFoundException");
    } catch (NotFoundException expected) {
    }
    try {
        child.isGranted(write, pSid, true);
        fail("Should have thrown NotFoundException");
    } catch (NotFoundException expected) {
    }
    // Let's add an identical permission to the child, but it'll appear AFTER the
    // current permission, so has no impact
    child.insertAce(1, BasePermission.DELETE, new PrincipalSid(auth), true);
    // Let's also add another permission to the child
    child.insertAce(2, BasePermission.CREATE, new PrincipalSid(auth), true);
    // Save the changed child
    jdbcMutableAclService.updateAcl(child);
    child = (MutableAcl) jdbcMutableAclService.readAclById(childOid);
    assertThat(child.getEntries()).hasSize(3);
    // Output permissions
    for (int i = 0; i < child.getEntries().size(); i++) {
        System.out.println(child.getEntries().get(i));
    }
    // Check the permissions are as they should be
    // as earlier permission
    assertThat(child.isGranted(delete, pSid, true)).isFalse();
    // overrode
    assertThat(child.isGranted(Arrays.asList(BasePermission.CREATE), pSid, true)).isTrue();
    // Now check the first ACE (index 0) really is DELETE for our Sid and is
    // non-granting
    AccessControlEntry entry = child.getEntries().get(0);
    assertThat(entry.getPermission().getMask()).isEqualTo(BasePermission.DELETE.getMask());
    assertThat(entry.getSid()).isEqualTo(new PrincipalSid(auth));
    assertThat(entry.isGranting()).isFalse();
    assertThat(entry.getId()).isNotNull();
    // Now delete that first ACE
    child.deleteAce(0);
    // Save and check it worked
    child = jdbcMutableAclService.updateAcl(child);
    assertThat(child.getEntries()).hasSize(2);
    assertThat(child.isGranted(delete, pSid, false)).isTrue();
    SecurityContextHolder.clearContext();
}
Also used : ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) Permission(org.springframework.security.acls.model.Permission) BasePermission(org.springframework.security.acls.domain.BasePermission) CumulativePermission(org.springframework.security.acls.domain.CumulativePermission) NotFoundException(org.springframework.security.acls.model.NotFoundException) AccessControlEntry(org.springframework.security.acls.model.AccessControlEntry) MutableAcl(org.springframework.security.acls.model.MutableAcl) MutableAcl(org.springframework.security.acls.model.MutableAcl) Acl(org.springframework.security.acls.model.Acl) PrincipalSid(org.springframework.security.acls.domain.PrincipalSid) CustomSid(org.springframework.security.acls.sid.CustomSid) Sid(org.springframework.security.acls.model.Sid) GrantedAuthoritySid(org.springframework.security.acls.domain.GrantedAuthoritySid) PrincipalSid(org.springframework.security.acls.domain.PrincipalSid) Test(org.junit.Test) Transactional(org.springframework.transaction.annotation.Transactional)

Example 32 with ObjectIdentity

use of org.springframework.security.acls.model.ObjectIdentity in project spring-security by spring-projects.

the class JdbcMutableAclService method clearCacheIncludingChildren.

private void clearCacheIncludingChildren(ObjectIdentity objectIdentity) {
    Assert.notNull(objectIdentity, "ObjectIdentity required");
    List<ObjectIdentity> children = findChildren(objectIdentity);
    if (children != null) {
        for (ObjectIdentity child : children) {
            clearCacheIncludingChildren(child);
        }
    }
    aclCache.evictFromCache(objectIdentity);
}
Also used : ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity)

Example 33 with ObjectIdentity

use of org.springframework.security.acls.model.ObjectIdentity in project spring-security by spring-projects.

the class JdbcMutableAclService method deleteAcl.

public void deleteAcl(ObjectIdentity objectIdentity, boolean deleteChildren) throws ChildrenExistException {
    Assert.notNull(objectIdentity, "Object Identity required");
    Assert.notNull(objectIdentity.getIdentifier(), "Object Identity doesn't provide an identifier");
    if (deleteChildren) {
        List<ObjectIdentity> children = findChildren(objectIdentity);
        if (children != null) {
            for (ObjectIdentity child : children) {
                deleteAcl(child, true);
            }
        }
    } else {
        if (!foreignKeysInDatabase) {
            // We need to perform a manual verification for what a FK would normally
            // do
            // We generally don't do this, in the interests of deadlock management
            List<ObjectIdentity> children = findChildren(objectIdentity);
            if (children != null) {
                throw new ChildrenExistException("Cannot delete '" + objectIdentity + "' (has " + children.size() + " children)");
            }
        }
    }
    Long oidPrimaryKey = retrieveObjectIdentityPrimaryKey(objectIdentity);
    // Delete this ACL's ACEs in the acl_entry table
    deleteEntries(oidPrimaryKey);
    // Delete this ACL's acl_object_identity row
    deleteObjectIdentity(oidPrimaryKey);
    // Clear the cache
    aclCache.evictFromCache(objectIdentity);
}
Also used : ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) ChildrenExistException(org.springframework.security.acls.model.ChildrenExistException)

Example 34 with ObjectIdentity

use of org.springframework.security.acls.model.ObjectIdentity in project spring-security by spring-projects.

the class AclPermissionEvaluatorTests method resolvePermissionNonEnglishLocale.

@Test
public void resolvePermissionNonEnglishLocale() {
    Locale systemLocale = Locale.getDefault();
    Locale.setDefault(new Locale("tr"));
    AclService service = mock(AclService.class);
    AclPermissionEvaluator pe = new AclPermissionEvaluator(service);
    ObjectIdentity oid = mock(ObjectIdentity.class);
    ObjectIdentityRetrievalStrategy oidStrategy = mock(ObjectIdentityRetrievalStrategy.class);
    when(oidStrategy.getObjectIdentity(anyObject())).thenReturn(oid);
    pe.setObjectIdentityRetrievalStrategy(oidStrategy);
    pe.setSidRetrievalStrategy(mock(SidRetrievalStrategy.class));
    Acl acl = mock(Acl.class);
    when(service.readAclById(any(ObjectIdentity.class), anyListOf(Sid.class))).thenReturn(acl);
    when(acl.isGranted(anyListOf(Permission.class), anyListOf(Sid.class), eq(false))).thenReturn(true);
    assertThat(pe.hasPermission(mock(Authentication.class), new Object(), "write")).isTrue();
    Locale.setDefault(systemLocale);
}
Also used : Locale(java.util.Locale) ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) Authentication(org.springframework.security.core.Authentication) Permission(org.springframework.security.acls.model.Permission) ObjectIdentityRetrievalStrategy(org.springframework.security.acls.model.ObjectIdentityRetrievalStrategy) Acl(org.springframework.security.acls.model.Acl) AclService(org.springframework.security.acls.model.AclService) SidRetrievalStrategy(org.springframework.security.acls.model.SidRetrievalStrategy) Sid(org.springframework.security.acls.model.Sid) Test(org.junit.Test)

Example 35 with ObjectIdentity

use of org.springframework.security.acls.model.ObjectIdentity in project spring-security by spring-projects.

the class AccessControlImplEntryTests method testEquals.

@Test
public void testEquals() {
    final Acl mockAcl = mock(Acl.class);
    final ObjectIdentity oid = mock(ObjectIdentity.class);
    when(mockAcl.getObjectIdentity()).thenReturn(oid);
    Sid sid = new PrincipalSid("johndoe");
    AccessControlEntry ace = new AccessControlEntryImpl(Long.valueOf(1), mockAcl, sid, BasePermission.ADMINISTRATION, true, true, true);
    assertThat(ace).isNotNull();
    assertThat(ace).isNotEqualTo(Long.valueOf(100));
    assertThat(ace).isEqualTo(ace);
    assertThat(ace).isEqualTo(new AccessControlEntryImpl(Long.valueOf(1), mockAcl, sid, BasePermission.ADMINISTRATION, true, true, true));
    assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(Long.valueOf(2), mockAcl, sid, BasePermission.ADMINISTRATION, true, true, true));
    assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(Long.valueOf(1), mockAcl, new PrincipalSid("scott"), BasePermission.ADMINISTRATION, true, true, true));
    assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(Long.valueOf(1), mockAcl, sid, BasePermission.WRITE, true, true, true));
    assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(Long.valueOf(1), mockAcl, sid, BasePermission.ADMINISTRATION, false, true, true));
    assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(Long.valueOf(1), mockAcl, sid, BasePermission.ADMINISTRATION, true, false, true));
    assertThat(ace).isNotEqualTo(new AccessControlEntryImpl(Long.valueOf(1), mockAcl, sid, BasePermission.ADMINISTRATION, true, true, false));
}
Also used : ObjectIdentity(org.springframework.security.acls.model.ObjectIdentity) AuditableAccessControlEntry(org.springframework.security.acls.model.AuditableAccessControlEntry) AccessControlEntry(org.springframework.security.acls.model.AccessControlEntry) Acl(org.springframework.security.acls.model.Acl) Sid(org.springframework.security.acls.model.Sid) Test(org.junit.Test)

Aggregations

ObjectIdentity (org.springframework.security.acls.model.ObjectIdentity)46 MutableAcl (org.springframework.security.acls.model.MutableAcl)22 Test (org.junit.Test)21 ObjectIdentityImpl (org.springframework.security.acls.domain.ObjectIdentityImpl)19 Acl (org.springframework.security.acls.model.Acl)16 Authentication (org.springframework.security.core.Authentication)12 Sid (org.springframework.security.acls.model.Sid)11 NotFoundException (org.springframework.security.acls.model.NotFoundException)10 TestingAuthenticationToken (org.springframework.security.authentication.TestingAuthenticationToken)8 SimpleGrantedAuthority (org.springframework.security.core.authority.SimpleGrantedAuthority)8 Permission (org.springframework.security.acls.model.Permission)7 PrincipalSid (org.springframework.security.acls.domain.PrincipalSid)6 Transactional (org.springframework.transaction.annotation.Transactional)5 BasePermission (org.springframework.security.acls.domain.BasePermission)4 ObjectIdentityRetrievalStrategy (org.springframework.security.acls.model.ObjectIdentityRetrievalStrategy)4 HashMap (java.util.HashMap)3 GrantedAuthoritySid (org.springframework.security.acls.domain.GrantedAuthoritySid)3 AccessControlEntry (org.springframework.security.acls.model.AccessControlEntry)3 AclService (org.springframework.security.acls.model.AclService)3 SidRetrievalStrategy (org.springframework.security.acls.model.SidRetrievalStrategy)3