public Object generateAllAceResponses(Acl acl) { List<AccessEntryResponse> result = new ArrayList<AccessEntryResponse>(); while (acl != null) { for (AccessControlEntry ace : acl.getEntries()) { result.add(new AccessEntryResponse(ace.getId(), ace.getSid(), ace.getPermission(), ace.isGranting())); } acl = acl.getParentAcl(); } return result; }
assertThat(acl).isEqualTo(acl.getEntries().get(0).getAcl()); assertThat(BasePermission.READ).isEqualTo(acl.getEntries().get(0).getPermission()); assertThat(acl.getEntries().get(0).getSid()).isEqualTo(new GrantedAuthoritySid( "ROLE_TEST1")); assertThat(acl).isEqualTo(acl.getEntries().get(1).getAcl()); assertThat(BasePermission.READ).isEqualTo(acl.getEntries().get(1).getPermission()); assertThat(acl.getEntries().get(1).getSid()).isEqualTo(new GrantedAuthoritySid( "ROLE_TEST2")); assertThat(acl.getEntries()).hasSize(3); assertThat(BasePermission.READ).isEqualTo(acl.getEntries().get(0).getPermission()); assertThat(acl.getEntries().get(0).getSid()).isEqualTo(new GrantedAuthoritySid( "ROLE_TEST1")); assertThat(BasePermission.WRITE).isEqualTo(acl.getEntries().get(1).getPermission()); assertThat(acl.getEntries().get(1).getSid()).isEqualTo( new GrantedAuthoritySid( "ROLE_TEST3")); assertThat(BasePermission.READ).isEqualTo(acl.getEntries().get(2).getPermission()); assertThat(acl.getEntries().get(2).getSid()).isEqualTo(new GrantedAuthoritySid( "ROLE_TEST2"));
public LegacyAceInfo(AccessControlEntry ace) { super(); this.sidInfo = new SidInfo(ace.getSid()); this.permissionMask = ace.getPermission().getMask(); }
if ((ace.getPermission().getMask() == p.getMask()) && ace.getSid().equals(sid)) { if (ace.isGranting()) {
public List<String> getAllAclSids(Acl acl, String type) { if (null == acl) { return Collections.emptyList(); } List<String> result = new ArrayList<>(); for (AccessControlEntry ace : acl.getEntries()) { String name = null; if (type.equalsIgnoreCase(MetadataConstants.TYPE_USER) && ace.getSid() instanceof PrincipalSid) { name = ((PrincipalSid) ace.getSid()).getPrincipal(); } if (type.equalsIgnoreCase(MetadataConstants.TYPE_GROUP) && ace.getSid() instanceof GrantedAuthoritySid) { name = ((GrantedAuthoritySid) ace.getSid()).getGrantedAuthority(); } if (!StringUtils.isBlank(name)) { result.add(name); } } return result; }
@Test public void updatedAceValuesAreCorrectlyReflectedInAcl() throws Exception { Authentication auth = new TestingAuthenticationToken("ben", "ignored", "ROLE_GENERAL"); auth.setAuthenticated(true); SecurityContextHolder.getContext().setAuthentication(auth); MutableAcl acl = new AclImpl(objectIdentity, 1, authzStrategy, pgs, null, null, false, new PrincipalSid("joe")); MockAclService service = new MockAclService(); acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true); acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"), true); acl.insertAce(2, BasePermission.CREATE, new PrincipalSid("ben"), true); service.updateAcl(acl); assertThat(BasePermission.READ).isEqualTo(acl.getEntries().get(0).getPermission()); assertThat(BasePermission.WRITE).isEqualTo(acl.getEntries().get(1).getPermission()); assertThat(BasePermission.CREATE).isEqualTo(acl.getEntries().get(2).getPermission()); // Change each permission acl.updateAce(0, BasePermission.CREATE); acl.updateAce(1, BasePermission.DELETE); acl.updateAce(2, BasePermission.READ); // Check the change was successfully made assertThat(BasePermission.CREATE).isEqualTo(acl.getEntries().get(0).getPermission()); assertThat(BasePermission.DELETE).isEqualTo(acl.getEntries().get(1).getPermission()); assertThat(BasePermission.READ).isEqualTo(acl.getEntries().get(2).getPermission()); }
public boolean isGranting() { return ace.isGranting(); }
/** * copy field values from specified entity * @param entry * @return */ public Builder from(AccessControlEntry entry) { super.from(entry); this.acl = entry.getAcl(); return this; }
/** * Check if this <tt>permission</tt> is granted for specified <tt>sid</tt> * * @param sid sid to check permission for it * @param ace entry with security information (for sids) * @param permission permission to check * @param isCheckAllowedGrant flag that indicates what type of grant need to * be checked - 'allowed' (true) or 'restricted' (false) * @return <code>true</code> if this entry has specified <tt>permission</tt> * and type of grant. */ private boolean isGrantedForSid(Sid sid, AccessControlEntry ace, Permission permission, boolean isCheckAllowedGrant) { return ace.isGranting() == isCheckAllowedGrant && permission.equals(ace.getPermission()) && ((UniversalSid)sid).getSidId().equals(((UniversalSid)ace.getSid()).getSidId()); }
private Map<String, Integer> getProjectPermission(String project) { Map<String, Integer> SidWithPermission = new HashMap<>(); String uuid = ProjectManager.getInstance(KylinConfig.getInstanceFromEnv()).getProject(project).getUuid(); AclEntity ae = getAclEntity(AclEntityType.PROJECT_INSTANCE, uuid); Acl acl = getAcl(ae); if (acl != null && acl.getEntries() != null) { List<AccessControlEntry> aces = acl.getEntries(); for (AccessControlEntry ace : aces) { Sid sid = ace.getSid(); if (sid instanceof PrincipalSid) { String principal = ((PrincipalSid) sid).getPrincipal(); SidWithPermission.put(principal, ace.getPermission().getMask()); } if (sid instanceof GrantedAuthoritySid) { String grantedAuthority = ((GrantedAuthoritySid) sid).getGrantedAuthority(); SidWithPermission.put(grantedAuthority, ace.getPermission().getMask()); } } } return SidWithPermission; }
private List<Sid> getAllSids(String project) { List<Sid> allSids = new ArrayList<>(); ProjectInstance prj = projectService.getProjectManager().getProject(project); AclEntity ae = accessService.getAclEntity("ProjectInstance", prj.getUuid()); Acl acl = accessService.getAcl(ae); if (acl != null && acl.getEntries() != null) { for (AccessControlEntry ace : acl.getEntries()) { allSids.add(ace.getSid()); } } return allSids; }
@Test @Transactional public void cumulativePermissions() { Authentication auth = new TestingAuthenticationToken("ben", "ignored", "ROLE_ADMINISTRATOR"); auth.setAuthenticated(true); SecurityContextHolder.getContext().setAuthentication(auth); ObjectIdentity topParentOid = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(110)); MutableAcl topParent = jdbcMutableAclService.createAcl(topParentOid); // Add an ACE permission entry Permission cm = new CumulativePermission().set(BasePermission.READ).set( BasePermission.ADMINISTRATION); assertThat(cm.getMask()).isEqualTo(17); Sid benSid = new PrincipalSid(auth); topParent.insertAce(0, cm, benSid, true); assertThat(topParent.getEntries()).hasSize(1); // Explicitly save the changed ACL topParent = jdbcMutableAclService.updateAcl(topParent); // Check the mask was retrieved correctly assertThat(topParent.getEntries().get(0).getPermission().getMask()).isEqualTo(17); assertThat(topParent.isGranted(Arrays.asList(cm), Arrays.asList(benSid), true)).isTrue(); SecurityContextHolder.clearContext(); }
/** * Ensures the specified permissions are granted for the sid. * * @param sid to modify the ACL for * @param permissions that should be granted */ public void allow( Sid sid, List<Permission> permissions ) { for ( Permission aclPermission : permissions ) { List<AccessControlEntry> aces = acl.getEntries(); int index = aces.size(); AccessControlEntry ace = findAce( aces, sid, aclPermission ); if ( ace != null && !ace.isGranting() ) { index = aces.indexOf( ace ); acl.deleteAce( index ); ace = null; } if ( ace == null ) { acl.insertAce( index, aclPermission, sid, true ); } } }
public List<AccessEntryResponse> generateAceResponsesByFuzzMatching(Acl acl, String nameSeg, boolean isCaseSensitive) { if (null == acl) { return Collections.emptyList(); } List<AccessEntryResponse> result = new ArrayList<AccessEntryResponse>(); for (AccessControlEntry ace : acl.getEntries()) { if (nameSeg != null && !needAdd(nameSeg, isCaseSensitive, getName(ace.getSid()))) { continue; } result.add(new AccessEntryResponse(ace.getId(), ace.getSid(), ace.getPermission(), ace.isGranting())); } return result; }
/** * Gets {@link org.jtalks.jcommune.model.dto.GroupsPermissions} for provided {@link org.jtalks.common.model.entity.Entity}. * * @param permissions the list of permissions to get * @param entity the entity to get for * @return {@link org.jtalks.jcommune.model.dto.GroupsPermissions} for provided {@link org.jtalks.common.model.entity.Entity} */ public GroupsPermissions getPermissionsMapFor(List<JtalksPermission> permissions, Entity entity) { GroupsPermissions groupsPermissions = new GroupsPermissions(permissions); List<GroupAce> groupAces = aclManager.getGroupPermissionsOn(entity); for (JtalksPermission permission : permissions) { for (GroupAce groupAce : groupAces) { if (groupAce.getPermissionMask() == permission.getMask()) { groupsPermissions.add(permission, getGroup(groupAce), groupAce.isGranting()); } } for (AccessControlEntry controlEntry : aclUtil.getAclFor(entity).getEntries()) { if (controlEntry.getPermission().equals(permission) && ((UniversalSid)controlEntry.getSid()).getSidId().equals(UserSid.createAnonymous().getSidId())) { groupsPermissions.add(permission, AnonymousGroup.ANONYMOUS_GROUP, controlEntry.isGranting()); } } } return groupsPermissions; }
assertThat(parent.getEntries().get(0).getPermission().getMask()).isEqualTo(16); assertThat(parent.getEntries() .get(0).getSid()).isEqualTo(new GrantedAuthoritySid("ROLE_ADMINISTRATOR")); assertThat(parent.getEntries().get(1).getPermission().getMask()).isEqualTo(8); assertThat(parent.getEntries().get(1).getSid()).isEqualTo(new PrincipalSid("terry"));
@Transactional @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN + " or hasPermission(#ae, 'ADMINISTRATION')") public MutableAclRecord revoke(AclEntity ae, int accessEntryIndex) { Message msg = MsgPicker.getMsg(); if (ae == null) throw new BadRequestException(msg.getACL_DOMAIN_NOT_FOUND()); MutableAclRecord acl = aclService.readAcl(new ObjectIdentityImpl(ae)); Sid sid = acl.getAclRecord().getAccessControlEntryAt(accessEntryIndex).getSid(); secureOwner(acl, sid); return aclService.upsertAce(acl, sid, null); }
public int getPermissionMask() { return ace.getPermission().getMask(); }
/** * Ensures the specified permissions are denied for the sid. * * @param sid to modify the ACL for * @param permissions that should be denied */ public void deny( Sid sid, List<Permission> permissions ) { for ( Permission aclPermission : permissions ) { List<AccessControlEntry> aces = acl.getEntries(); int index = aces.size(); AccessControlEntry ace = findAce( aces, sid, aclPermission ); if ( ace != null && ace.isGranting() ) { index = aces.indexOf( ace ); acl.deleteAce( index ); ace = null; } if ( ace == null ) { acl.insertAce( index, aclPermission, sid, false ); } } }
@Test public void testAccessControlEntryImplGetters() { Acl mockAcl = mock(Acl.class); Sid sid = new PrincipalSid("johndoe"); // Create a sample entry AccessControlEntry ace = new AccessControlEntryImpl(Long.valueOf(1), mockAcl, sid, BasePermission.ADMINISTRATION, true, true, true); // and check every get() method assertThat(ace.getId()).isEqualTo(new Long(1)); assertThat(ace.getAcl()).isEqualTo(mockAcl); assertThat(ace.getSid()).isEqualTo(sid); assertThat(ace.isGranting()).isTrue(); assertThat(ace.getPermission()).isEqualTo(BasePermission.ADMINISTRATION); assertThat(((AuditableAccessControlEntry) ace).isAuditFailure()).isTrue(); assertThat(((AuditableAccessControlEntry) ace).isAuditSuccess()).isTrue(); }