protected String defaultString( String name ) { return String.format( "%s{ username=%s, accessMode=%s }", name, subject().username(), mode() ); }
public void assertAllows( Function<AccessMode,Boolean> allows, String mode ) { AccessMode accessMode = securityContext().mode(); if ( !allows.apply( accessMode ) ) { throw accessMode.onViolation( format( "%s operations are not allowed for %s.", mode, securityContext().description() ) ); } }
@Override public AnyValue functionCall( int id, AnyValue[] arguments ) throws ProcedureException { if ( !ktx.securityContext().mode().allowsReads() ) { throw ktx.securityContext().mode().onViolation( format( "Read operations are not allowed for %s.", ktx.securityContext().description() ) ); } return callFunction( id, arguments, new RestrictedAccessMode( ktx.securityContext().mode(), AccessMode.Static.READ ) ); }
@Override public UserAggregator aggregationFunction( QualifiedName name ) throws ProcedureException { if ( !ktx.securityContext().mode().allowsReads() ) { throw ktx.securityContext().mode().onViolation( format( "Read operations are not allowed for %s.", ktx.securityContext().description() ) ); } return aggregationFunction( name, new RestrictedAccessMode( ktx.securityContext().mode(), AccessMode.Static.READ ) ); }
@Override public UserAggregator aggregationFunction( int id ) throws ProcedureException { if ( !ktx.securityContext().mode().allowsReads() ) { throw ktx.securityContext().mode().onViolation( format( "Read operations are not allowed for %s.", ktx.securityContext().description() ) ); } return aggregationFunction( id, new RestrictedAccessMode( ktx.securityContext().mode(), AccessMode.Static.READ ) ); }
@Override public AnyValue functionCall( QualifiedName name, AnyValue[] arguments ) throws ProcedureException { if ( !ktx.securityContext().mode().allowsReads() ) { throw ktx.securityContext().mode().onViolation( format( "Read operations are not allowed for %s.", ktx.securityContext().description() ) ); } return callFunction( name, arguments, new RestrictedAccessMode( ktx.securityContext().mode(), AccessMode.Static.READ ) ); }
@Override public RawIterator<Object[],ProcedureException> procedureCallWriteOverride( QualifiedName name, Object[] arguments ) throws ProcedureException { return callProcedure( name, arguments, new OverriddenAccessMode( ktx.securityContext().mode(), AccessMode.Static.TOKEN_WRITE ) ); }
@Override public AnyValue functionCallOverride( int id, AnyValue[] arguments ) throws ProcedureException { return callFunction( id, arguments, new OverriddenAccessMode( ktx.securityContext().mode(), AccessMode.Static.READ ) ); }
@Override public RawIterator<Object[],ProcedureException> procedureCallReadOverride( int id, Object[] arguments ) throws ProcedureException { return callProcedure( id, arguments, new OverriddenAccessMode( ktx.securityContext().mode(), AccessMode.Static.READ ) ); }
@Override public RawIterator<Object[],ProcedureException> procedureCallWriteOverride( int id, Object[] arguments ) throws ProcedureException { return callProcedure( id, arguments, new OverriddenAccessMode( ktx.securityContext().mode(), AccessMode.Static.TOKEN_WRITE ) ); }
@Override public RawIterator<Object[],ProcedureException> procedureCallSchemaOverride( int id, Object[] arguments ) throws ProcedureException { return callProcedure( id, arguments, new OverriddenAccessMode( ktx.securityContext().mode(), AccessMode.Static.FULL ) ); }
@Override public RawIterator<Object[],ProcedureException> procedureCallSchemaOverride( QualifiedName name, Object[] arguments ) throws ProcedureException { return callProcedure( name, arguments, new OverriddenAccessMode( ktx.securityContext().mode(), AccessMode.Static.FULL ) ); }
@Override public UserAggregator aggregationFunctionOverride( QualifiedName name ) throws ProcedureException { return aggregationFunction( name, new OverriddenAccessMode( ktx.securityContext().mode(), AccessMode.Static.READ ) ); }
private boolean hasForbiddenProperties( IndexReference index ) { AccessMode mode = ktx.securityContext().mode(); for ( int prop : index.properties() ) { if ( !mode.allowsPropertyReads( prop ) ) { return true; } } return false; }
@Override public Iterator<NamedToken> propertyKeyGetAllTokens() { ktx.assertOpen(); AccessMode mode = ktx.securityContext().mode(); return Iterators.stream( tokenHolders.propertyKeyTokens().getAllTokens().iterator() ) .filter( propKey -> mode.allowsPropertyReads( propKey.id() ) ) .iterator(); }
@Override public RawIterator<Object[],ProcedureException> procedureCallRead( int id, Object[] arguments ) throws ProcedureException { AccessMode accessMode = ktx.securityContext().mode(); if ( !accessMode.allowsReads() ) { throw accessMode.onViolation( format( "Read operations are not allowed for %s.", ktx.securityContext().description() ) ); } return callProcedure( id, arguments, new RestrictedAccessMode( ktx.securityContext().mode(), AccessMode.Static.READ ) ); }
@Override public RawIterator<Object[],ProcedureException> procedureCallSchema( int id, Object[] arguments ) throws ProcedureException { AccessMode accessMode = ktx.securityContext().mode(); if ( !accessMode.allowsSchemaWrites() ) { throw accessMode.onViolation( format( "Schema operations are not allowed for %s.", ktx.securityContext().description() ) ); } return callProcedure( id, arguments, new RestrictedAccessMode( ktx.securityContext().mode(), AccessMode.Static.FULL ) ); }
public void assertCredentialsNotExpired() { if ( subject().getAuthenticationResult().equals( AuthenticationResult.PASSWORD_CHANGE_REQUIRED ) ) { throw mode().onViolation( PERMISSION_DENIED ); } }
@Test public void shouldMakeNiceDescriptionOverridden() { SecurityContext overridden = context.withMode( new OverriddenAccessMode( context.mode(), AccessMode.Static.READ ) ); assertThat( overridden.description(), equalTo( "user 'johan' with FULL overridden by READ" ) ); }
@Test public void shouldMakeNiceDescriptionAuthDisabledAndRestricted() { SecurityContext disabled = SecurityContext.AUTH_DISABLED; SecurityContext restricted = disabled.withMode( new RestrictedAccessMode( disabled.mode(), AccessMode.Static.READ ) ); assertThat( restricted.description(), equalTo( "AUTH_DISABLED with FULL restricted to READ" ) ); }