/**
 * Tells whether {@code user} may access the wrapped security node in the given mode.
 *
 * <p>When no node is attached ({@code node == null}) the answer is {@code true}: the check
 * fails open. NOTE(review): confirm that a missing node is really meant to be "no
 * restriction" and cannot result from a failed or partial rule lookup.
 *
 * @param user the authentication to evaluate
 * @param mode the access mode being requested
 * @return {@code true} if there is no node, otherwise the node's own decision
 */
boolean canAccess(Authentication user, AccessMode mode) {
    if (node == null) {
        // no node attached: nothing restricts the caller
        return true;
    }
    return node.canAccess(user, mode);
}
/**
 * Checks read access on {@code node}; inside an admin request the result is the
 * node's ADMIN decision instead.
 *
 * @param user the authentication to evaluate
 * @param node the security tree node to test
 * @return {@code false} when READ is denied; otherwise {@code true} outside an admin request,
 *     or the outcome of the ADMIN check when {@code AdminRequest.get()} is non-null
 */
private boolean canAccess(Authentication user, SecureTreeNode node) {
    if (!node.canAccess(user, AccessMode.READ)) {
        return false;
    }
    if (AdminRequest.get() == null) {
        return true;
    }
    // admin request, we need to check if the user can also admin this node
    return node.canAccess(user, AccessMode.ADMIN);
}
/**
 * Returns true if the user can access the specified node, or any node below it.
 *
 * <p>The search is depth first and stops at the first node that grants access.
 *
 * @param node the node where the search starts
 * @param user the authentication to evaluate
 * @param mode the access mode being requested
 * @return {@code true} if {@code node} or one of its descendants grants access
 */
private boolean canAccessChild(SecureTreeNode node, Authentication user, AccessMode mode) {
    boolean granted = node.canAccess(user, mode);
    if (!granted) {
        for (SecureTreeNode child : node.getChildren().values()) {
            if (canAccessChild(child, user, mode)) {
                granted = true;
                break;
            }
        }
    }
    return granted;
}
return parent.canAccess(user, mode);
/**
 * Decides whether {@code user} may access {@code workspace} in the given mode.
 *
 * <p>The deepest security node matching the workspace name is consulted first. For
 * {@link AccessMode#READ} only, a denied workspace is still reported as accessible when any
 * node below it grants read access, so that readable content is not hidden by its parent.
 * A {@code true} result for READ therefore does not mean the whole workspace is readable.
 * NOTE(review): presumably callers still check each resource on its own; verify.
 *
 * @param user the authentication to evaluate
 * @param workspace the workspace being accessed
 * @param mode the access mode being requested
 * @return {@code true} if access is granted directly, or via the READ drill-down
 */
public boolean canAccess(Authentication user, WorkspaceInfo workspace, AccessMode mode) {
    checkPropertyFile();
    String[] workspacePath = {workspace.getName()};
    SecureTreeNode workspaceNode = root.getDeepestNode(workspacePath);
    if (workspaceNode.canAccess(user, mode)) {
        return true;
    }

    // perform a drill down search, we still allow access to the workspace
    // if there is anything inside the workspace that can be read (otherwise
    // we are denying access to everything below it, which is not the spirit of the
    // tree override design)
    return mode == AccessMode.READ && canAccessChild(workspaceNode, user, mode);
}
// Resolve the deepest security node for the layer group path and evaluate READ on it.
String[] path = getLayerGroupPath(layerGroup);
SecureTreeNode node = root.getDeepestNode(path);
// NOTE(review): node is dereferenced here, before the "node != null" test below, so that
// test can never be false when reached; if getDeepestNode can return null this line throws
// instead of reaching the access decision. Confirm which of the two is intended.
boolean catalogNodeAllowsAccess = node.canAccess(user, AccessMode.READ);
boolean allowAccess;
if (node != null && !catalogNodeAllowsAccess) {
boolean rulesAllowAccess = securityNode.canAccess(user, mode); if (catalogNodeDepth == SecureTreeNode.RESOURCE_DEPTH || !layerGroupContainmentCheckRequired()) {
/**
 * Builds the access limits for a whole process namespace.
 *
 * <p>The "allowed" flag is the READ decision of the deepest security node matching the
 * namespace. NOTE(review): the looked-up node is used without a null check; this assumes
 * getDeepestNode always returns a node (falling back to the root) - confirm.
 *
 * @param user the authentication to evaluate
 * @param namespace the process namespace being accessed
 * @return limits carrying the dao mode, the READ decision and the namespace
 */
@Override
public ProcessAccessLimits getAccessLimits(Authentication user, String namespace) {
    String[] namespacePath = {namespace};
    SecureTreeNode deepest = dao.getSecurityTreeRoot().getDeepestNode(namespacePath);
    return new ProcessAccessLimits(
            dao.getMode(), deepest.canAccess(user, AccessMode.READ), namespace);
}
/**
 * Rules from publicRead.properties: reading is open to everybody, writing is limited to the
 * WRITER role.
 */
@Test
public void testPublicRead() throws Exception {
    SecureTreeNode root = buildTree("publicRead.properties");

    // only root level rules, no child nodes
    assertEquals(0, root.children.size());
    assertEquals(SecureTreeNode.EVERYBODY, root.getAuthorizedRoles(AccessMode.READ));
    final Set<String> rolesForWrite = root.getAuthorizedRoles(AccessMode.WRITE);
    assertEquals(1, rolesForWrite.size());
    assertTrue(rolesForWrite.contains("WRITER"));

    // anonymous: read only
    assertTrue(root.canAccess(anonymous, AccessMode.READ));
    assertFalse(root.canAccess(anonymous, AccessMode.WRITE));

    // read-only user: read only
    assertTrue(root.canAccess(roUser, AccessMode.READ));
    assertFalse(root.canAccess(roUser, AccessMode.WRITE));

    // read-write user: read and write
    assertTrue(root.canAccess(rwUser, AccessMode.READ));
    assertTrue(root.canAccess(rwUser, AccessMode.WRITE));
}
/**
 * Rules from lockedDown.properties: both reading and writing are limited to the WRITER role,
 * so anonymous and the read-only user are denied in every mode.
 */
@Test
public void testLockedDown() throws Exception {
    SecureTreeNode root = buildTree("lockedDown.properties");

    // only root level rules, no child nodes
    assertEquals(0, root.children.size());
    final Set<String> rolesForRead = root.getAuthorizedRoles(AccessMode.READ);
    assertEquals(1, rolesForRead.size());
    assertTrue(rolesForRead.contains("WRITER"));
    final Set<String> rolesForWrite = root.getAuthorizedRoles(AccessMode.WRITE);
    assertEquals(1, rolesForWrite.size());
    assertTrue(rolesForWrite.contains("WRITER"));

    // anonymous: denied
    assertFalse(root.canAccess(anonymous, AccessMode.READ));
    assertFalse(root.canAccess(anonymous, AccessMode.WRITE));

    // read-only user: denied
    assertFalse(root.canAccess(roUser, AccessMode.READ));
    assertFalse(root.canAccess(roUser, AccessMode.WRITE));

    // read-write user: read and write
    assertTrue(root.canAccess(rwUser, AccessMode.READ));
    assertTrue(root.canAccess(rwUser, AccessMode.WRITE));
}
/**
 * Builds the access limits for a single process.
 *
 * <p>The "allowed" flag is the READ decision of the deepest security node matching the
 * path (namespace URI, local part). NOTE(review): the looked-up node is used without a null
 * check; this assumes getDeepestNode always returns a node - confirm.
 *
 * @param user the authentication to evaluate
 * @param process the qualified name of the process
 * @return limits carrying the dao mode, the READ decision and {@code process.toString()}
 */
@Override
public ProcessAccessLimits getAccessLimits(Authentication user, Name process) {
    SecureTreeNode processNode =
            dao.getSecurityTreeRoot()
                    .getDeepestNode(
                            new String[] {process.getNamespaceURI(), process.getLocalPart()});
    return new ProcessAccessLimits(
            dao.getMode(),
            processNode.canAccess(user, AccessMode.READ),
            process.toString());
}
}
/**
 * Rules from wideOpen.properties: a single role entry for both READ and WRITE, and anonymous
 * is granted both modes.
 */
@Test
public void testWideOpen() throws Exception {
    SecureTreeNode root = buildTree("wideOpen.properties");

    // only root level rules, no child nodes
    assertEquals(0, root.children.size());

    // we have the "*" rules: exactly one entry per mode
    assertEquals(1, root.getAuthorizedRoles(AccessMode.READ).size());
    assertEquals(1, root.getAuthorizedRoles(AccessMode.WRITE).size());

    // anonymous: read and write
    assertTrue(root.canAccess(anonymous, AccessMode.READ));
    assertTrue(root.canAccess(anonymous, AccessMode.WRITE));
}
assertFalse(root.canAccess(anonymous, AccessMode.READ)); assertFalse(root.canAccess(anonymous, AccessMode.WRITE)); assertTrue(topp.canAccess(anonymous, AccessMode.READ)); assertFalse(states.canAccess(anonymous, AccessMode.READ)); assertTrue(landmarks.canAccess(anonymous, AccessMode.READ)); assertFalse(landmarks.canAccess(anonymous, AccessMode.WRITE)); assertFalse(bases.canAccess(anonymous, AccessMode.READ)); assertTrue(root.canAccess(roUser, AccessMode.READ)); assertFalse(root.canAccess(roUser, AccessMode.WRITE)); assertTrue(topp.canAccess(roUser, AccessMode.READ)); assertTrue(states.canAccess(roUser, AccessMode.READ)); assertTrue(landmarks.canAccess(roUser, AccessMode.READ)); assertFalse(landmarks.canAccess(roUser, AccessMode.WRITE)); assertFalse(bases.canAccess(roUser, AccessMode.READ)); assertTrue(root.canAccess(rwUser, AccessMode.READ)); assertFalse(root.canAccess(rwUser, AccessMode.WRITE)); assertTrue(topp.canAccess(rwUser, AccessMode.READ)); assertTrue(states.canAccess(rwUser, AccessMode.WRITE)); assertTrue(landmarks.canAccess(rwUser, AccessMode.READ)); assertTrue(landmarks.canAccess(rwUser, AccessMode.WRITE)); assertFalse(bases.canAccess(rwUser, AccessMode.READ)); assertFalse(root.canAccess(milUser, AccessMode.READ)); assertFalse(root.canAccess(milUser, AccessMode.WRITE)); assertTrue(topp.canAccess(milUser, AccessMode.READ)); assertFalse(states.canAccess(milUser, AccessMode.WRITE)); assertTrue(landmarks.canAccess(milUser, AccessMode.READ));
/**
 * A freshly created root carries no rules: it authorizes everybody for READ and WRITE, and
 * that holds even when no authentication is supplied at all. This pins the default-allow
 * behaviour of an unconfigured tree.
 */
@Test
public void testEmptyRoot() {
    SecureTreeNode root = new SecureTreeNode();

    // smoke tests
    assertNull(root.getChild("NotThere"));
    assertEquals(SecureTreeNode.EVERYBODY, root.getAuthorizedRoles(AccessMode.READ));
    assertEquals(SecureTreeNode.EVERYBODY, root.getAuthorizedRoles(AccessMode.WRITE));

    // the tree is empty, so the deepest node for any path is the root itself
    SecureTreeNode deepest = root.getDeepestNode(new String[] {"a", "b"});
    assertSame(root, deepest);

    // allows access to everyone
    assertTrue(root.canAccess(anonymous, AccessMode.WRITE));
    assertTrue(root.canAccess(anonymous, AccessMode.READ));

    // make sure this includes not having a current user as well
    assertTrue(root.canAccess(null, AccessMode.WRITE));
    assertTrue(root.canAccess(null, AccessMode.READ));
}
}