use of org.xwiki.security.UserSecurityReference in project xwiki-platform by xwiki.
the class DefaultSecurityCacheLoader method loadUserEntry.
/**
 * Loads the rule entry of a user/group into the cache, attached to its immediate groups. The entries of the
 * user's ancestors are read and inserted first whenever they are missing from the cache; the groups
 * themselves are expected to be cached already, otherwise the cache raises a ParentEntryEvictedException.
 *
 * @param user the user/group whose rule entry is loaded
 * @param groups the groups the user/group is a direct member of
 * @throws ParentEntryEvictedException if a parent entry was evicted during the load
 * @throws ConflictingInsertionException when another thread inserted a conflicting entry concurrently
 * @throws org.xwiki.security.authorization.AuthorizationException on error
 */
private void loadUserEntry(UserSecurityReference user, Collection<GroupSecurityReference> groups)
    throws ParentEntryEvictedException, ConflictingInsertionException, AuthorizationException
{
    // The reversed chain ends with the user itself (presumably root first); drop that last element so only
    // the ancestors of the user document are walked here.
    Deque<SecurityReference> ancestors = user.getReversedSecurityReferenceChain();
    ancestors.removeLast();

    // Every ancestor must have a rule entry in the cache before the user entry can be inserted below it.
    for (SecurityReference ancestor : ancestors) {
        if (securityCache.get(ancestor) == null) {
            securityCache.add(securityEntryReader.read(ancestor));
        }
    }

    // Finally the user entry, linked to its immediate groups.
    securityCache.add(securityEntryReader.read(user), groups);
}
use of org.xwiki.security.UserSecurityReference in project xwiki-platform by xwiki.
the class DefaultSecurityCacheLoader method loadAccessEntries.
/**
 * Settles the access of a user at an entity: loads the user and group entries the settler needs, asks the
 * settler for a decision, stores that decision in the cache and returns it.
 *
 * @param user the user whose access is settled
 * @param entity the lowest entity providing security rules on the path of the entity being checked
 * @param ruleEntries the rule entries associated with that entity
 * @return the settled access entry (equivalent to the one of the entity being checked)
 * @throws ParentEntryEvictedException if a parent entry was evicted before the load completed
 * @throws ConflictingInsertionException when another thread inserted a conflicting entry concurrently
 * @throws org.xwiki.security.authorization.AuthorizationException on error
 */
private SecurityAccessEntry loadAccessEntries(UserSecurityReference user, SecurityReference entity,
    Deque<SecurityRuleEntry> ruleEntries)
    throws ParentEntryEvictedException, ConflictingInsertionException, AuthorizationException
{
    SecurityReference userWiki = user.getWikiReference();

    // entityWiki is only set for a global user acting on an entity of another (local) wiki; it stays null
    // for local users and when the entity lives in the user's own wiki.
    SecurityReference entityWiki = null;
    if (user.isGlobal()) {
        SecurityReference candidate = entity.getWikiReference();
        if (candidate != null && !userWiki.equals(candidate)) {
            entityWiki = candidate;
        }
    }

    // Load the user and its groups (global ones and shadowed local ones) into the cache as needed.
    Collection<GroupSecurityReference> groups = loadUserEntry(user, userWiki, entityWiki);

    // Settle, cache and return the decision.
    SecurityAccessEntry decision = authorizationSettlerProvider.get().settle(user, groups, ruleEntries);
    securityCache.add(decision, entityWiki);
    return decision;
}
use of org.xwiki.security.UserSecurityReference in project xwiki-platform by xwiki.
the class PrioritizingAuthorizationSettler method settle.
/**
 * Settles the access of a user at one rule entry. For every right enabled on the entity type of the entry,
 * each rule matching that right is resolved against the user and its groups; whenever the resolved access
 * for the right is ALLOW, implyRights is invoked for it.
 *
 * @param user the user being checked
 * @param groups the groups the user belongs to
 * @param entry the rule entry evaluated at this level
 * @param policies the policies applied during this settlement
 * @return the access settled at this level
 */
@Override
protected XWikiSecurityAccess settle(UserSecurityReference user, Collection<GroupSecurityReference> groups,
    SecurityRuleEntry entry, Policies policies)
{
    XWikiSecurityAccess result = new XWikiSecurityAccess();
    // Priority recorded so far per right; shared by resolveLevel and implyRights across the loop.
    Map<Right, Integer> priorities = new RightMap<Integer>();
    SecurityReference target = entry.getReference();

    // Rules are evaluated right by right, in the order the entry lists them.
    for (Right right : Right.getEnabledRights(target.getSecurityType())) {
        for (SecurityRule rule : entry.getRules()) {
            if (!rule.match(right)) {
                continue;
            }
            resolveLevel(right, user, groups, rule, result, policies, priorities);
            if (result.get(right) == ALLOW) {
                implyRights(right, result, target, policies, priorities);
            }
        }
    }
    return result;
}
use of org.xwiki.security.UserSecurityReference in project xwiki-platform by xwiki.
the class DefaultAuthorizationManager method getAccess.
/**
 * Obtains the access of a user on an entity, loading it into the cache when it is not there yet. The entity
 * chain is walked upwards until a cached, non-empty rule entry is found; the access cached for the user at
 * that level is returned. Any cache miss on the way (rule entry or access entry) delegates to the loader.
 *
 * @param user the user identity
 * @param entity the entity; may be of type DOCUMENT, WIKI, or SPACE
 * @return the cached access entry
 * @throws org.xwiki.security.authorization.AuthorizationException if an error occurs
 */
private SecurityAccess getAccess(UserSecurityReference user, SecurityReference entity) throws AuthorizationException
{
    SecurityReference current = entity;
    while (current != null) {
        // Entity types with no enabled rights cannot carry a useful rule set; skip them.
        if (!Right.getEnabledRights(current.getSecurityType()).isEmpty()) {
            SecurityRuleEntry ruleEntry = securityCache.get(current);
            if (ruleEntry == null) {
                SecurityAccess loaded = securityCacheLoader.load(user, entity).getAccess();
                this.logger.debug("1. Loaded a new entry for user {} on {} into cache: [{}]", user, entity, loaded);
                return loaded;
            }
            if (!ruleEntry.isEmpty()) {
                SecurityAccessEntry cached = securityCache.get(user, current);
                if (cached == null) {
                    SecurityAccess loaded = securityCacheLoader.load(user, entity).getAccess();
                    this.logger.debug("2. Loaded a new entry for user {} on {} into cache: [{}]", user, entity, loaded);
                    return loaded;
                }
                SecurityAccess hit = cached.getAccess();
                this.logger.debug("3. Got entry for user {} on {} from cache: [{}]", user, entity, hit);
                return hit;
            }
        }
        current = current.getParentSecurityReference();
    }

    // No non-empty rule entry found on the whole chain: let the loader settle a default.
    SecurityAccess loaded = securityCacheLoader.load(user, entity).getAccess();
    this.logger.debug("4. Loaded a new default entry for user {} on {} into cache: [{}]", user, entity, loaded);
    return loaded;
}
use of org.xwiki.security.UserSecurityReference in project xwiki-platform by xwiki.
the class DefaultAuthorizationManagerIntegrationTest method initialiseWikiMock.
/**
 * Initialises the wiki mock from a test definition file and wires the bridges used by the authorization
 * manager: the main wiki reference, a read-only flag of {@code false}, group membership resolution and rule
 * entry reading, all answered from the parsed test definition.
 *
 * @param filename the test definition file to load
 * @return the parsed test definition
 * @throws Exception on any failure while loading or mocking
 */
@Override
public TestDefinition initialiseWikiMock(String filename) throws Exception
{
    super.initialiseWikiMock(filename);

    when(xWikiBridge.getMainWikiReference()).thenReturn(testDefinition.getMainWiki().getWikiReference());
    when(xWikiBridge.isWikiReadOnly()).thenReturn(false);

    // Group membership is answered from the user document of the test definition, keeping only the groups
    // of the requested wiki. A guest (no original reference) belongs to no group.
    when(userBridge.getAllGroupsFor(any(UserSecurityReference.class), any(WikiReference.class)))
        .thenAnswer(new Answer<Collection<GroupSecurityReference>>()
        {
            @Override
            public Collection<GroupSecurityReference> answer(InvocationOnMock invocation) throws Throwable
            {
                Object[] args = invocation.getArguments();
                UserSecurityReference userRef = (UserSecurityReference) args[0];
                WikiReference requestedWiki = (WikiReference) args[1];

                if (userRef.getOriginalReference() == null) {
                    // Public users (not logged in) may not appear in any group
                    return Collections.emptyList();
                }

                TestWiki userWiki = testDefinition.getWiki(userRef.getOriginalReference().getWikiReference());
                if (userWiki == null) {
                    throw new AuthorizationException(String.format(
                        "Failed to get groups for user or group [%s] in wiki [%s]. Unknown wiki.",
                        userRef, requestedWiki), null);
                }

                TestUserDocument userDoc = userWiki.getUser(userRef.getName());
                if (userDoc == null) {
                    return Collections.emptyList();
                }

                Collection<GroupSecurityReference> result = new ArrayList<GroupSecurityReference>();
                for (TestGroup group : userDoc.getGroups()) {
                    // Ensure we return only group of the requested wiki
                    if (group.getGroupReference().getWikiReference().equals(requestedWiki)) {
                        result.add(securityReferenceFactory.newGroupReference(group.getGroupReference()));
                    }
                }
                return result;
            }
        });

    // Rule entries are built from the access rules declared on the matching test entity, plus the implicit
    // rules: a wiki owner gets ADMIN and a document creator gets CREATOR.
    when(securityEntryReader.read(any(SecurityReference.class))).thenAnswer(new Answer<SecurityRuleEntry>()
    {
        @Override
        public SecurityRuleEntry answer(InvocationOnMock invocation) throws Throwable
        {
            final SecurityReference reference = (SecurityReference) invocation.getArguments()[0];
            TestEntity entity = testDefinition.searchEntity(reference);
            final Collection<SecurityRule> mockedRules = new ArrayList<SecurityRule>();

            // A null entity (unknown reference) matches none of the instanceof checks and yields no rules.
            if (entity instanceof SecureTestEntity) {
                for (TestAccessRule rule : ((SecureTestEntity) entity).getAccessRules()) {
                    mockedRules.add(mockSecurityRule(reference, rule.getRight(), rule.getState(),
                        rule.getUser(), rule.isUser()));
                }
            }
            if (entity instanceof TestWiki && ((TestWiki) entity).getOwner() != null) {
                mockedRules.add(mockSecurityRule(reference, Right.ADMIN, RuleState.ALLOW,
                    ((TestWiki) entity).getOwner(), true));
            }
            if (entity instanceof TestDocument && ((TestDocument) entity).getCreator() != null) {
                mockedRules.add(mockSecurityRule(reference, Right.CREATOR, RuleState.ALLOW,
                    ((TestDocument) entity).getCreator(), true));
            }

            return new AbstractSecurityRuleEntry()
            {
                @Override
                public Collection<SecurityRule> getRules()
                {
                    return mockedRules;
                }

                @Override
                public SecurityReference getReference()
                {
                    return reference;
                }

                @Override
                public String toString()
                {
                    return String.format("Rule entry for %s containing %d rules", reference.toString(),
                        mockedRules.size());
                }

                // NOTE(review): equals is overridden here without hashCode, and it compares only the reference
                // and the number of rules (not their content) — confirm AbstractSecurityRuleEntry's hashCode
                // stays consistent with this.
                @Override
                public boolean equals(Object object)
                {
                    if (object == this) {
                        return true;
                    }
                    if (object instanceof SecurityRuleEntry) {
                        SecurityRuleEntry other = (SecurityRuleEntry) object;
                        return compareReferenceNullSafe(other.getReference(), reference)
                            && other.getRules().size() == mockedRules.size();
                    }
                    return false;
                }
            };
        }
    });

    return testDefinition;
}