SecureTreeNode buildAuthorizationTree(DataAccessRuleDAO dao) { SecureTreeNode root = new SecureTreeNode(); } else { SecureTreeNode ws = root.getChild(workspace); if (ws == null) { ws = root.addChild(workspace); node = ws; } else { SecureTreeNode layerNode = ws.getChild(layer); if (layerNode == null) { layerNode = ws.addChild(layer); if (node.getAuthorizedRoles(accessMode) != null && node.getAuthorizedRoles(accessMode).size() > 0 && node != root) { LOGGER.warning( + " is overriding another rule targetting the same resource"); node.setAuthorizedRoles(accessMode, rule.getRoles());
public boolean canAccess(Authentication user, WorkspaceInfo workspace, AccessMode mode) { checkPropertyFile(); SecureTreeNode node = root.getDeepestNode(new String[] {workspace.getName()}); if (node.canAccess(user, mode)) { return true; } // perform a drill down search, we still allow access to the workspace // if there is anything inside the workspace that can be read (otherwise // we are denying access to everything below it, which is not the spirit of the // tree override design) if (mode == AccessMode.READ && canAccessChild(node, user, mode)) { return true; } else { return false; } }
/** * Returns true if the user can access the specified node, or one of the nodes below it * * <p>the specified nodes * * @param node * @param user * @param mode * @return */ private boolean canAccessChild(SecureTreeNode node, Authentication user, AccessMode mode) { if (node.canAccess(user, mode)) { return true; } for (SecureTreeNode child : node.getChildren().values()) { if (canAccessChild(child, user, mode)) { return true; } } return false; }
/** * Adds a child to this path element * * @param name */ public SecureTreeNode addChild(String name) { if (getChild(name) != null) throw new IllegalArgumentException( "This pathElement " + name + " is already among my children"); SecureTreeNode child = new SecureTreeNode(this); children.put(name, child); return child; }
Set<String> roles = getAuthorizedRoles(mode); return parent.canAccess(user, mode);
@Test public void testEmptyRoot() { SecureTreeNode root = new SecureTreeNode(); // smoke tests assertNull(root.getChild("NotThere")); assertEquals(SecureTreeNode.EVERYBODY, root.getAuthorizedRoles(AccessMode.READ)); assertEquals(SecureTreeNode.EVERYBODY, root.getAuthorizedRoles(AccessMode.WRITE)); // empty, deepest node is itself SecureTreeNode node = root.getDeepestNode(new String[] {"a", "b"}); assertSame(root, node); // allows access to everyone assertTrue(root.canAccess(anonymous, AccessMode.WRITE)); assertTrue(root.canAccess(anonymous, AccessMode.READ)); // make sure this includes not having a current user as well assertTrue(root.canAccess(null, AccessMode.WRITE)); assertTrue(root.canAccess(null, AccessMode.READ)); } }
SecureTreeNode securityNode = root.getDeepestNode(new String[] {workspace, resourceName}); int catalogNodeDepth = securityNode.getDepth(); boolean rulesAllowAccess = securityNode.canAccess(user, mode); if (catalogNodeDepth == SecureTreeNode.RESOURCE_DEPTH || !layerGroupContainmentCheckRequired()) { return (node != null && node.getDepth() > catalogNodeDepth) || (sg.getMode() == Mode.OPAQUE_CONTAINER); })
SecureTreeNode topp = root.getChild("topp"); assertNotNull(topp); assertEquals(3, topp.children.size()); SecureTreeNode states = topp.getChild("states"); SecureTreeNode landmarks = topp.getChild("landmarks"); SecureTreeNode bases = topp.getChild("bases"); assertNotNull(states); assertNotNull(landmarks); assertFalse(root.canAccess(anonymous, AccessMode.READ)); assertFalse(root.canAccess(anonymous, AccessMode.WRITE)); assertTrue(topp.canAccess(anonymous, AccessMode.READ)); assertFalse(states.canAccess(anonymous, AccessMode.READ)); assertTrue(landmarks.canAccess(anonymous, AccessMode.READ)); assertFalse(landmarks.canAccess(anonymous, AccessMode.WRITE)); assertFalse(bases.canAccess(anonymous, AccessMode.READ)); assertTrue(root.canAccess(roUser, AccessMode.READ)); assertFalse(root.canAccess(roUser, AccessMode.WRITE)); assertTrue(topp.canAccess(roUser, AccessMode.READ)); assertTrue(states.canAccess(roUser, AccessMode.READ)); assertTrue(landmarks.canAccess(roUser, AccessMode.READ)); assertFalse(landmarks.canAccess(roUser, AccessMode.WRITE)); assertFalse(bases.canAccess(roUser, AccessMode.READ)); assertTrue(root.canAccess(rwUser, AccessMode.READ)); assertFalse(root.canAccess(rwUser, AccessMode.WRITE)); assertTrue(topp.canAccess(rwUser, AccessMode.READ)); assertTrue(states.canAccess(rwUser, AccessMode.WRITE));
boolean canAccess(Authentication user, AccessMode mode) { return node == null || node.canAccess(user, mode); }
/** * Utility method that drills down from the current node using the specified list of child * names, and returns an element only if it fully matches the provided path * * @param pathElements */ public SecureTreeNode getNode(String... pathElements) { SecureTreeNode curr = this; for (int i = 0; i < pathElements.length; i++) { final SecureTreeNode next = curr.getChild(pathElements[i]); if (next == null) { return null; } else { curr = next; } } return curr; }
List<Filter> exceptions = new ArrayList<>(); for (Map.Entry<String, SecureTreeNode> entry : root.getChildren().entrySet()) { String wsName = entry.getKey(); SecureTreeNode node = entry.getValue(); for (Map.Entry<String, SecureTreeNode> wsEntry : root.getChildren().entrySet()) { String wsName = wsEntry.getKey(); SecureTreeNode wsNode = wsEntry.getValue(); wsNode.getChildren().entrySet()) { String layerName = layerEntry.getKey(); SecureTreeNode layerNode = layerEntry.getValue(); List<Filter> exceptions = new ArrayList<>(); for (Map.Entry<String, SecureTreeNode> entry : root.getChildren().entrySet()) { String wsName = entry.getKey(); SecureTreeNode node = entry.getValue();
@Test public void testWideOpen() throws Exception { SecureTreeNode root = buildTree("wideOpen.properties"); assertEquals(0, root.children.size()); // we have he "*" rules assertEquals(1, root.getAuthorizedRoles(AccessMode.READ).size()); assertEquals(1, root.getAuthorizedRoles(AccessMode.WRITE).size()); assertTrue(root.canAccess(anonymous, AccessMode.READ)); assertTrue(root.canAccess(anonymous, AccessMode.WRITE)); }
private boolean canAccess(Authentication user, SecureTreeNode node) { boolean access = node.canAccess(user, AccessMode.READ); if (access && AdminRequest.get() != null) { // admin request, we need to check if we can also admin those return node.canAccess(user, AccessMode.ADMIN); } else { return access; } }
/** * Utility method that drills down from the current node using the specified list of child * names, and returns the latest element found along that path (might not be correspondent to * the full path specified, security paths can be incomplete, the definition of the parent * applies to the missing children as well) * * @param pathElements */ public SecureTreeNode getDeepestNode(String... pathElements) { SecureTreeNode curr = this; SecureTreeNode result = this; for (int i = 0; i < pathElements.length; i++) { final SecureTreeNode next = curr.getChild(pathElements[i]); if (next == null) { return result; } else { curr = next; // don't return info about a node that has no explicit // rule associated, the parent will do if (curr.authorizedRoles != null && !curr.authorizedRoles.isEmpty()) { result = curr; } } } return curr; }
private SecureTreeNode buildAuthorizationTree(Collection<WpsAccessRule> rules) { SecureTreeNode root = new SecureTreeNode(); for (WpsAccessRule rule : rules) { String group = rule.getGroupName(); } else { SecureTreeNode ws = root.getChild(group); if (ws == null) { ws = root.addChild(group); node = ws; } else { SecureTreeNode layerNode = ws.getChild(name); if (layerNode == null) layerNode = ws.addChild(name); node = layerNode; + " is overriding another rule targetting the same resource"); node.setAuthorizedRoles(AccessMode.READ, rule.getRoles()); node.setAuthorizedRoles(AccessMode.WRITE, Collections.singleton("NO_ONE")); node.setAuthorizedRoles(AccessMode.ADMIN, Collections.singleton("NO_ONE")); root.setAuthorizedRoles(AccessMode.READ, Collections.singleton("*")); root.setAuthorizedRoles(AccessMode.WRITE, Collections.singleton("NO_ONE")); root.setAuthorizedRoles(AccessMode.ADMIN, Collections.singleton("NO_ONE")); return root;
private boolean canAccess( Authentication user, LayerGroupInfo layerGroup, boolean directAccess) { String[] path = getLayerGroupPath(layerGroup); SecureTreeNode node = root.getDeepestNode(path); boolean catalogNodeAllowsAccess = node.canAccess(user, AccessMode.READ); boolean allowAccess; if (node != null && !catalogNodeAllowsAccess) {
@Test public void testPublicRead() throws Exception { SecureTreeNode root = buildTree("publicRead.properties"); assertEquals(0, root.children.size()); assertEquals(SecureTreeNode.EVERYBODY, root.getAuthorizedRoles(AccessMode.READ)); final Set<String> writeRoles = root.getAuthorizedRoles(AccessMode.WRITE); assertEquals(1, writeRoles.size()); assertTrue(writeRoles.contains("WRITER")); assertTrue(root.canAccess(anonymous, AccessMode.READ)); assertFalse(root.canAccess(anonymous, AccessMode.WRITE)); assertTrue(root.canAccess(roUser, AccessMode.READ)); assertFalse(root.canAccess(roUser, AccessMode.WRITE)); assertTrue(root.canAccess(rwUser, AccessMode.READ)); assertTrue(root.canAccess(rwUser, AccessMode.WRITE)); }
@Override public ProcessAccessLimits getAccessLimits(Authentication user, String namespace) { SecureTreeNode node = dao.getSecurityTreeRoot().getDeepestNode(new String[] {namespace}); return new ProcessAccessLimits( dao.getMode(), node.canAccess(user, AccessMode.READ), namespace); }
@Test public void testLockedDown() throws Exception { SecureTreeNode root = buildTree("lockedDown.properties"); assertEquals(0, root.children.size()); final Set<String> readRoles = root.getAuthorizedRoles(AccessMode.READ); assertEquals(1, readRoles.size()); assertTrue(readRoles.contains("WRITER")); final Set<String> writeRoles = root.getAuthorizedRoles(AccessMode.WRITE); assertEquals(1, writeRoles.size()); assertTrue(writeRoles.contains("WRITER")); assertFalse(root.canAccess(anonymous, AccessMode.READ)); assertFalse(root.canAccess(anonymous, AccessMode.WRITE)); assertFalse(root.canAccess(roUser, AccessMode.READ)); assertFalse(root.canAccess(roUser, AccessMode.WRITE)); assertTrue(root.canAccess(rwUser, AccessMode.READ)); assertTrue(root.canAccess(rwUser, AccessMode.WRITE)); }
@Override public ProcessAccessLimits getAccessLimits(Authentication user, Name process) { SecureTreeNode node = dao.getSecurityTreeRoot() .getDeepestNode( new String[] {process.getNamespaceURI(), process.getLocalPart()}); return new ProcessAccessLimits( dao.getMode(), node.canAccess(user, AccessMode.READ), process.toString()); } }