protected WorkspaceAccessLimits intersection(WorkspaceAccessLimits a, WorkspaceAccessLimits b) { CatalogMode mode = intersection(a.getMode(), b.getMode()); return new WorkspaceAccessLimits( mode, a.isReadable() && b.isReadable(), a.isWritable() && b.isWritable(), a.isAdminable() && b.isAdminable()); }
public WorkspaceAccessLimits(CatalogMode mode, boolean readable, boolean writable) { this(mode, readable, writable, isAuthenticatedAsAdmin()); }
public void IGNOREtestCiteWorkspaceAccess() { if (!IS_GEOFENCE_AVAILABLE) { return; } UsernamePasswordAuthenticationToken user = new UsernamePasswordAuthenticationToken("cite", "cite"); // check workspace access on cite WorkspaceInfo citeWS = catalog.getWorkspaceByName(MockData.CITE_PREFIX); WorkspaceAccessLimits wl = accessManager.getAccessLimits(user, citeWS); assertTrue(wl.isReadable()); assertTrue(wl.isWritable()); // check workspace access on any other but not cite and sf (should fail) WorkspaceInfo cdfWS = catalog.getWorkspaceByName(MockData.CDF_PREFIX); wl = accessManager.getAccessLimits(user, cdfWS); assertFalse(wl.isReadable()); assertFalse(wl.isWritable()); // check workspace access on sf (should work, we can do at least a getmap) WorkspaceInfo sfWS = catalog.getWorkspaceByName(MockData.SF_PREFIX); wl = accessManager.getAccessLimits(user, sfWS); assertTrue(wl.isReadable()); assertTrue(wl.isWritable()); }
WorkspaceAccessLimits wl = (WorkspaceAccessLimits) limits; if (wl != null) { if (wl.isAdminable()) { canRead = canWrite = true; } else { canRead = wl.isReadable(); canWrite = wl.isWritable(); if (wl == null || !wl.isAdminable()) { canRead = canWrite = false; if (wl != null && !wl.isAdminable()) { canRead = false; WorkspaceAccessLimits wl = accessManager.getAccessLimits(user, ws); if (wl != null) { if (!wl.isAdminable()) { canRead = false;
@Override public WorkspaceAccessLimits getAccessLimits(Authentication user, WorkspaceInfo workspace) { if (hideWorkspace(workspace)) { return new WorkspaceAccessLimits(CatalogMode.HIDE, false, false, false); } else { return super.getAccessLimits(user, workspace); } }
/** Check if the current user has any admin privilege on at least one workspace. */ boolean isWorkspaceAdmin(Authentication authentication) { Catalog catalog = getSecurityManager().getCatalog(); // the secure catalog builds and owns the ResourceAccessManager SecureCatalogImpl secureCatalog = GeoServerApplication.get().getBeanOfType(SecureCatalogImpl.class); ResourceAccessManager manager = secureCatalog.getResourceAccessManager(); if (manager != null) { for (WorkspaceInfo workspace : catalog.getWorkspaces()) { WorkspaceAccessLimits accessLimits = manager.getAccessLimits(authentication, workspace); if (accessLimits != null && accessLimits.isAdminable()) { return true; } } } return false; } }
@Test public void testCiteWorkspaceAccess() { if (!IS_GEOFENCE_AVAILABLE) { return; } UsernamePasswordAuthenticationToken user = new UsernamePasswordAuthenticationToken("cite", "cite"); // check workspace access on cite WorkspaceInfo citeWS = catalog.getWorkspaceByName(MockData.CITE_PREFIX); WorkspaceAccessLimits wl = accessManager.getAccessLimits(user, citeWS); assertTrue(wl.isReadable()); assertTrue(wl.isWritable()); // check workspace access on any other but not cite and sf (should fail) WorkspaceInfo cdfWS = catalog.getWorkspaceByName(MockData.CDF_PREFIX); wl = accessManager.getAccessLimits(user, cdfWS); assertFalse(wl.isReadable()); assertFalse(wl.isWritable()); // check workspace access on sf (should work, we can do at least a getmap) WorkspaceInfo sfWS = catalog.getWorkspaceByName(MockData.SF_PREFIX); wl = accessManager.getAccessLimits(user, sfWS); assertTrue(wl.isReadable()); assertTrue(wl.isWritable()); }
private boolean canAccess( ResourceAccessManager manager, Authentication user, WorkspaceInfo catalogInfo, AccessMode mode) { WorkspaceAccessLimits limits = manager.getAccessLimits(user, catalogInfo); if (limits == null) { return true; } else if (mode == AccessMode.READ) { return limits.isReadable(); } else if (mode == AccessMode.WRITE) { return limits.isWritable(); } else if (mode == AccessMode.ADMIN) { return limits.isAdminable(); } else { throw new RuntimeException("Unknown access mode " + mode); } } }
public WorkspaceAccessLimits getAccessLimits(Authentication user, WorkspaceInfo workspace) { boolean readable = canAccess(user, workspace, AccessMode.READ); boolean writable = canAccess(user, workspace, AccessMode.WRITE); boolean adminable = canAccess(user, workspace, AccessMode.ADMIN); CatalogMode mode = getMode(); if (readable && writable) { if (AdminRequest.get() == null) { // not admin request, read+write means full acesss return null; } } return new WorkspaceAccessLimits(mode, readable, writable, adminable); }
@Test public void testCiteCannotWriteOnWorkspace() { if (!IS_GEOFENCE_AVAILABLE) { return; } configManager.getConfiguration().setGrantWriteToWorkspacesToAuthenticatedUsers(false); UsernamePasswordAuthenticationToken user = new UsernamePasswordAuthenticationToken( "cite", "cite", Arrays.asList( new GrantedAuthority[] { new SimpleGrantedAuthority("ROLE_AUTHENTICATED") })); // check workspace access WorkspaceInfo citeWS = catalog.getWorkspaceByName(MockData.CITE_PREFIX); WorkspaceAccessLimits wl = accessManager.getAccessLimits(user, citeWS); assertTrue(wl.isReadable()); assertFalse(wl.isWritable()); }
public WorkspaceAccessLimits getAccessLimits(Authentication user, WorkspaceInfo workspace) { boolean readable = delegate.canAccess(user, workspace, AccessMode.READ); boolean writable = delegate.canAccess(user, workspace, AccessMode.WRITE); boolean adminable = delegate.canAccess(user, workspace, AccessMode.ADMIN); CatalogMode mode = delegate.getMode(); if (readable && writable) { if (AdminRequest.get() == null) { // not admin request, read+write means full acesss return null; } } return new WorkspaceAccessLimits(mode, readable, writable, adminable); }
@Test public void testCiteCannotWriteOnWorkspace() { if (!IS_GEOFENCE_AVAILABLE) { return; } configManager.getConfiguration().setGrantWriteToWorkspacesToAuthenticatedUsers(false); UsernamePasswordAuthenticationToken user = new UsernamePasswordAuthenticationToken( "cite", "cite", Arrays.asList( new GrantedAuthority[] { new SimpleGrantedAuthority("ROLE_AUTHENTICATED") })); // check workspace access WorkspaceInfo citeWS = catalog.getWorkspaceByName(MockData.CITE_PREFIX); WorkspaceAccessLimits wl = accessManager.getAccessLimits(user, citeWS); assertTrue(wl.isReadable()); assertFalse(wl.isWritable()); }
public void testSerializeWorkspaceAccessLimits() throws Exception { WorkspaceAccessLimits limits = new WorkspaceAccessLimits(CatalogMode.HIDE, true, true, true); testObjectSerialization(limits); }
@Test public void testCiteCanWriteOnWorkspace() { if (!IS_GEOFENCE_AVAILABLE) { return; } configManager.getConfiguration().setGrantWriteToWorkspacesToAuthenticatedUsers(true); UsernamePasswordAuthenticationToken user = new UsernamePasswordAuthenticationToken( "cite", "cite", Arrays.asList( new GrantedAuthority[] { new SimpleGrantedAuthority("ROLE_AUTHENTICATED") })); // check workspace access WorkspaceInfo citeWS = catalog.getWorkspaceByName(MockData.CITE_PREFIX); WorkspaceAccessLimits wl = accessManager.getAccessLimits(user, citeWS); assertTrue(wl.isReadable()); assertTrue(wl.isWritable()); configManager.getConfiguration().setGrantWriteToWorkspacesToAuthenticatedUsers(false); }
@Override public WorkspaceAccessLimits getAccessLimits(Authentication user, WorkspaceInfo workspace) { LOGGER.log(Level.FINE, "Getting access limits for workspace {0}", workspace.getName()); if ((user != null) && !(user instanceof AnonymousAuthenticationToken)) { // shortcut, if the user is the admin, he can do everything if (isAdmin(user)) { LOGGER.log( Level.FINE, "Admin level access, returning " + "full rights for workspace {0}", workspace.getName()); return new WorkspaceAccessLimits(DEFAULT_CATALOG_MODE, true, true); } boolean canWrite = configurationManager .getConfiguration() .isGrantWriteToWorkspacesToAuthenticatedUsers(); boolean canAdmin = isWorkspaceAdmin(user, workspace.getName()); return new WorkspaceAccessLimits(DEFAULT_CATALOG_MODE, true, canWrite, canAdmin); } // further logic disabled because of https://github.com/geosolutions-it/geofence/issues/6 return new WorkspaceAccessLimits(DEFAULT_CATALOG_MODE, true, false); }
@Test public void testCiteCanWriteOnWorkspace() { if (!IS_GEOFENCE_AVAILABLE) { return; } configManager.getConfiguration().setGrantWriteToWorkspacesToAuthenticatedUsers(true); UsernamePasswordAuthenticationToken user = new UsernamePasswordAuthenticationToken( "cite", "cite", Arrays.asList( new GrantedAuthority[] { new SimpleGrantedAuthority("ROLE_AUTHENTICATED") })); // check workspace access WorkspaceInfo citeWS = catalog.getWorkspaceByName(MockData.CITE_PREFIX); WorkspaceAccessLimits wl = accessManager.getAccessLimits(user, citeWS); assertTrue(wl.isReadable()); assertTrue(wl.isWritable()); configManager.getConfiguration().setGrantWriteToWorkspacesToAuthenticatedUsers(false); }
@Override public WorkspaceAccessLimits getAccessLimits(Authentication user, WorkspaceInfo workspace) { LOGGER.log(Level.FINE, "Getting access limits for workspace {0}", workspace.getName()); if ((user != null) && !(user instanceof AnonymousAuthenticationToken)) { // shortcut, if the user is the admin, he can do everything if (isAdmin(user)) { LOGGER.log( Level.FINE, "Admin level access, returning " + "full rights for workspace {0}", workspace.getName()); return new WorkspaceAccessLimits(DEFAULT_CATALOG_MODE, true, true); } boolean canWrite = configurationManager .getConfiguration() .isGrantWriteToWorkspacesToAuthenticatedUsers(); boolean canAdmin = isWorkspaceAdmin(user, workspace.getName()); return new WorkspaceAccessLimits(DEFAULT_CATALOG_MODE, true, canWrite, canAdmin); } // further logic disabled because of https://github.com/geosolutions-it/geofence/issues/6 return new WorkspaceAccessLimits(DEFAULT_CATALOG_MODE, true, false); }
@Test public void testAdmin() { if (!IS_GEOFENCE_AVAILABLE) { return; } UsernamePasswordAuthenticationToken user = new UsernamePasswordAuthenticationToken( "admin", "geoserver", Arrays.asList( new GrantedAuthority[] { new SimpleGrantedAuthority("ROLE_ADMINISTRATOR") })); // check workspace access WorkspaceInfo citeWS = catalog.getWorkspaceByName(MockData.CITE_PREFIX); WorkspaceAccessLimits wl = accessManager.getAccessLimits(user, citeWS); assertTrue(wl.isReadable()); assertTrue(wl.isWritable()); // check layer access LayerInfo layer = catalog.getLayerByName(getLayerId(MockData.BASIC_POLYGONS)); VectorAccessLimits vl = (VectorAccessLimits) accessManager.getAccessLimits(user, layer); assertEquals(Filter.INCLUDE, vl.getReadFilter()); assertEquals(Filter.INCLUDE, vl.getWriteFilter()); assertNull(vl.getReadAttributes()); assertNull(vl.getWriteAttributes()); }
@Test public void testReadOnlySource() throws Exception { ReadOnlyDataStore ro = new ReadOnlyDataStore( ds, WrapperPolicy.readOnlyHide( new WorkspaceAccessLimits(CatalogMode.HIDE, true, false, false))); SimpleFeatureSource fs = ro.getFeatureSource("blah"); // used to go boom here SimpleFeatureCollection fc = fs.getFeatures(Query.ALL); assertEquals(0, fc.size()); }
@Test public void testAdmin() { if (!IS_GEOFENCE_AVAILABLE) { return; } assertTrue(geofenceAdminService.getCountAll() > 0); RuleFilter ruleFilter = new RuleFilter(); ShortRule adminRule = geofenceAdminService.getRule(ruleFilter); UsernamePasswordAuthenticationToken user = new UsernamePasswordAuthenticationToken( "admin", "geoserver", Arrays.asList( new GrantedAuthority[] { new SimpleGrantedAuthority("ROLE_ADMINISTRATOR") })); // check workspace access WorkspaceInfo citeWS = catalog.getWorkspaceByName(MockData.CITE_PREFIX); WorkspaceAccessLimits wl = accessManager.getAccessLimits(user, citeWS); assertTrue(wl.isReadable()); assertTrue(wl.isWritable()); // check layer access LayerInfo layer = catalog.getLayerByName(getLayerId(MockData.BASIC_POLYGONS)); VectorAccessLimits vl = (VectorAccessLimits) accessManager.getAccessLimits(user, layer); assertEquals(Filter.INCLUDE, vl.getReadFilter()); assertEquals(Filter.INCLUDE, vl.getWriteFilter()); assertNull(vl.getReadAttributes()); assertNull(vl.getWriteAttributes()); }