/**
 * Collect the security rules that apply to a document: the implied rules (creator, owner, global rights
 * restriction) plus one rule per well-formed right object of the given class stored on the document.
 *
 * @param documentReference reference to the document whose right objects are read
 * @param classReference reference to the rights class (local or global) whose objects are converted
 * @param wikiReference reference to the wiki of the document, used by the resolver for users and groups that
 *            are listed without an explicit wiki
 * @return the rules found on the document, implied rules first; never {@code null}
 * @throws AuthorizationException on error loading the document
 */
private Collection<SecurityRule> getSecurityRules(DocumentReference documentReference,
    DocumentReference classReference, WikiReference wikiReference) throws AuthorizationException
{
    boolean globalRightsDocument = isGlobalRightsReference(documentReference);
    boolean globalClassRequested = classReference.getName().equals(XWikiConstants.GLOBAL_CLASSNAME);
    XWikiDocument document = getDocument(documentReference);

    // Rules that exist even without any right object on the document.
    List<SecurityRule> rules =
        getImpliedRules(documentReference, document, globalRightsDocument, globalClassRequested);
    if (document == null) {
        return rules;
    }

    List<BaseObject> rightObjects = document.getXObjects(classReference);
    if (rightObjects == null) {
        return rules;
    }

    // Flag handed to the rule factory: a global-rights document answering a non-global class request.
    boolean globalFlag = globalRightsDocument && !globalClassRequested;
    for (BaseObject rightObject : rightObjects) {
        if (rightObject == null) {
            continue;
        }
        SecurityRule converted;
        try {
            // The resolver defaults the wiki of listed users and groups to the document's wiki.
            converted = XWikiSecurityRule.createNewRule(rightObject, resolver, wikiReference, globalFlag);
        } catch (IllegalArgumentException e) {
            // A malformed right object yields no rule and is skipped without logging. Note that skipping a
            // malformed DENY object makes the effective rights wider than what the document author wrote.
            continue;
        }
        rules.add(converted);
    }
    return rules;
}
/**
 * Settling of conflicting allow/deny rules on the same entry: when both rules target the same user or the same
 * group, the right's tie resolution policy decides; when one rule targets the user and the other targets its
 * group, the user-level rule is expected to win.
 */
@Test
public void testSettleTieResolutionPolicy() throws Exception
{
    // Rules targeting the same user/group pair, once allowing and once denying.
    SecurityRule allowUserAndAnotherGroup = getMockedSecurityRule("allowAllTestRightsUserAndAnotherGroup",
        Arrays.asList(userRef), Arrays.asList(anotherGroupRef), allTestRights, ALLOW);
    SecurityRule denyUserAndAnotherGroup = getMockedSecurityRule("denyAllTestRightsUserAndAnotherGroup",
        Arrays.asList(userRef), Arrays.asList(anotherGroupRef), allTestRights, DENY);
    // A deny rule targeting the other user and the first group (crossed user/group pair).
    SecurityRule denyAnotherUserAndGroup = getMockedSecurityRule("denyAllTestRightsAnotherUserAndGroup",
        Arrays.asList(anotherUserRef), Arrays.asList(groupRef), allTestRights, DENY);

    // Entry chains holding the two rules in both orders, to check that rule order does not matter.
    Deque<SecurityRuleEntry> sameTargetAllowThenDeny = getMockedSecurityRuleEntries(
        "conflictAllowDenySameTarget", docRef,
        Arrays.asList(Arrays.asList(allowUserAndAnotherGroup, denyUserAndAnotherGroup)));
    Deque<SecurityRuleEntry> sameTargetDenyThenAllow = getMockedSecurityRuleEntries(
        "conflictDenyAllowSameTarget", docRef,
        Arrays.asList(Arrays.asList(denyUserAndAnotherGroup, allowUserAndAnotherGroup)));
    Deque<SecurityRuleEntry> userGroupAllowThenDeny = getMockedSecurityRuleEntries(
        "conflictAllowDenyUserGroup", docRef,
        Arrays.asList(Arrays.asList(allowUserAndAnotherGroup, denyAnotherUserAndGroup)));
    Deque<SecurityRuleEntry> userGroupDenyThenAllow = getMockedSecurityRuleEntries(
        "conflictDenyAllowUserGroup", docRef,
        Arrays.asList(Arrays.asList(denyAnotherUserAndGroup, allowUserAndAnotherGroup)));

    // Expected outcomes, derived from the default access in one pass over the tested rights.
    XWikiSecurityAccess allowAccess = defaultAccess.clone();
    XWikiSecurityAccess denyAccess = defaultAccess.clone();
    XWikiSecurityAccess tieAccess = defaultAccess.clone();
    for (Right right : allTestRights) {
        allowAccess.allow(right);
        denyAccess.deny(right);
        tieAccess.set(right, right.getTieResolutionPolicy());
    }

    // Same target on both sides: tie resolution policy, regardless of rule order.
    assertAccess("When allowed right for user is denied for same user in another rule, use tie resolution policy",
        userRef, docRef, tieAccess,
        authorizationSettler.settle(userRef, Arrays.asList(groupRef), sameTargetAllowThenDeny));
    assertAccess("When denied right for user is allowed for same user in another rule, use tie resolution policy",
        userRef, docRef, tieAccess,
        authorizationSettler.settle(userRef, Arrays.asList(groupRef), sameTargetDenyThenAllow));
    assertAccess("When allowed right for group is denied for same group in another rule, use tie resolution policy",
        anotherUserRef, docRef, tieAccess,
        authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef), sameTargetAllowThenDeny));
    assertAccess("When denied right for group is allowed for same group in another rule, use tie resolution policy",
        anotherUserRef, docRef, tieAccess,
        authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef), sameTargetDenyThenAllow));

    // User-level rule versus group-level rule: the user-level decision is expected to prevail.
    assertAccess("When allowed right for user is denied for its group in another rule, allow it.",
        userRef, docRef, allowAccess,
        authorizationSettler.settle(userRef, Arrays.asList(groupRef), userGroupAllowThenDeny));
    assertAccess("When allowed right for group is denied for one of its user in another rule, deny it.",
        anotherUserRef, docRef, denyAccess,
        authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef), userGroupAllowThenDeny));
    assertAccess("When denied right for group is allowed for one of its user in another rule, allow it.",
        userRef, docRef, allowAccess,
        authorizationSettler.settle(userRef, Arrays.asList(groupRef), userGroupDenyThenAllow));
    assertAccess("When denied right for user is allowed for its group in another rule, deny it.",
        anotherUserRef, docRef, denyAccess,
        authorizationSettler.settle(anotherUserRef, Arrays.asList(anotherGroupRef), userGroupDenyThenAllow));
}
/**
 * Build a chain of mocked {@link SecurityRuleEntry} for a reference and each of its ancestors.
 * <p>
 * Entries are stubbed in iteration order: the first entry reports {@code reference}, each following one the
 * parent of the previous. The i-th entry gets the i-th list of {@code ruleEntries}; entries beyond the provided
 * lists get no rules and report themselves as empty.
 *
 * @param name prefix used to name the mocks (the reference is appended)
 * @param reference the leaf security reference of the chain
 * @param ruleEntries the rules to expose on each entry, leaf first; may be shorter than the chain
 * @return the mocked entries, one per reference in the chain
 */
private Deque<SecurityRuleEntry> getMockedSecurityRuleEntries(String name, final SecurityReference reference,
    final List<List<SecurityRule>> ruleEntries)
{
    Deque<SecurityReference> chain = reference.getReversedSecurityReferenceChain();
    Deque<SecurityRuleEntry> entries = new ArrayDeque<SecurityRuleEntry>(chain.size());
    // Prepending each mock reverses the chain order once more.
    for (SecurityReference chainRef : chain) {
        entries.addFirst(mock(SecurityRuleEntry.class, name + chainRef));
    }

    SecurityReference current = reference;
    int index = 0;
    for (SecurityRuleEntry entry : entries) {
        List<SecurityRule> rules = index < ruleEntries.size()
            ? ruleEntries.get(index) : Collections.<SecurityRule>emptyList();
        when(entry.getReference()).thenReturn(current);
        when(entry.getRules()).thenReturn(rules);
        when(entry.isEmpty()).thenReturn(rules.isEmpty());
        current = current.getParentSecurityReference();
        index++;
    }
    return entries;
}
/**
 * Regression test for XWIKI-12552: an entity whose type enables none of the tested rights must still settle to
 * the default access even though an allow rule for all tested rights is attached to it.
 */
@Test
public void testSettleEntityTypeWithoutAnyEnabledRight() throws Exception
{
    List<GroupSecurityReference> noGroups = Collections.<GroupSecurityReference>emptyList();
    SecurityRule allowAllToXuser = getMockedSecurityRule("allowAllTestRightsRulesToXuser",
        Collections.singletonList(xuserRef), noGroups, allTestRights, ALLOW);
    // A single entry chain carrying only that allow rule on the attachment itself.
    Deque<SecurityRuleEntry> entries = getMockedSecurityRuleEntries("allrights", xattachmentRef,
        Collections.singletonList(Collections.singletonList(allowAllToXuser)));

    XWikiSecurityAccess settled = authorizationSettler.settle(xuserRef, noGroups, entries);
    assertAccess("Allow rights to entity without any acceptable right on itself but having some (XWIKI-12552)",
        xuserRef, xattachmentRef, defaultAccess, settled);
}
/**
 * Settle the rules of a single entry for a user and its groups.
 * <p>
 * Only the rights enabled for the entry's security type are considered. Every rule of the entry matching such a
 * right is handed to {@code resolveLevel} together with the access and priority maps being built; whenever the
 * right ends up allowed, {@code implyRights} is invoked for it. Rules are visited in the order the entry returns
 * them, once per enabled right.
 *
 * @param user the user whose access is settled
 * @param groups the groups the user belongs to
 * @param entry the rule entry of the current level
 * @param policies the policies applying to the settlement
 * @return the access computed from this entry alone
 */
@Override
protected XWikiSecurityAccess settle(UserSecurityReference user, Collection<GroupSecurityReference> groups,
    SecurityRuleEntry entry, Policies policies)
{
    XWikiSecurityAccess access = new XWikiSecurityAccess();
    // Per-right priority bookkeeping shared with resolveLevel/implyRights.
    Map<Right, Integer> priorities = new RightMap<Integer>();
    SecurityReference reference = entry.getReference();

    for (Right right : Right.getEnabledRights(reference.getSecurityType())) {
        for (SecurityRule rule : entry.getRules()) {
            if (!rule.match(right)) {
                continue;
            }
            resolveLevel(right, user, groups, rule, access, policies, priorities);
            if (access.get(right) == ALLOW) {
                implyRights(right, access, reference, policies, priorities);
            }
        }
    }
    return access;
}