true, new PrincipalSid("joe")); MockAclService service = new MockAclService(); acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true); acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"), true); service.updateAcl(acl); assertThat(1).isEqualTo(acl.getId()); assertThat(identity).isEqualTo(acl.getObjectIdentity()); assertThat(new PrincipalSid("joe")).isEqualTo(acl.getOwner()); assertThat(acl.getParentAcl()).isNull(); assertThat(acl.isEntriesInheriting()).isTrue(); assertThat(acl.getEntries()).hasSize(2); acl.setParent(parentAcl); assertThat(parentAcl).isEqualTo(acl.getParentAcl()); acl.setEntriesInheriting(false); assertThat(acl.isEntriesInheriting()).isFalse(); acl.setOwner(new PrincipalSid("ben")); assertThat(new PrincipalSid("ben")).isEqualTo(acl.getOwner());
middleParent.setParent(topParent); child.setParent(middleParent); topParent.insertAce(0, BasePermission.READ, new PrincipalSid(auth), true); topParent.insertAce(1, BasePermission.WRITE, new PrincipalSid(auth), false); middleParent.insertAce(0, BasePermission.DELETE, new PrincipalSid(auth), true); child.insertAce(0, BasePermission.DELETE, new PrincipalSid(auth), false); assertThat(topParent.getId()).isNotNull(); assertThat(middleParent.getId()).isNotNull(); assertThat(child.getId()).isNotNull(); assertThat(topParent.getParentAcl()).isNull(); assertThat(middleParent.getParentAcl().getObjectIdentity()).isEqualTo(getTopParentOid()); assertThat(child.getParentAcl().getObjectIdentity()).isEqualTo(getMiddleParentOid()); assertThat(topParent.getEntries()).hasSize(2); assertThat(middleParent.getEntries()).hasSize(1); assertThat(child.getEntries()).hasSize(1); assertThat(topParent.isGranted(read, pSid, false)).isTrue(); assertThat(topParent.isGranted(write, pSid, false)).isFalse(); assertThat(middleParent.isGranted(delete, pSid, false)).isTrue(); assertThat(child.isGranted(delete, pSid, false)).isFalse(); child.isGranted(Arrays.asList(BasePermission.ADMINISTRATION), pSid, false); fail("Should have thrown NotFoundException"); assertThat(child.isGranted(read, pSid, false)).isTrue();
if ((cached == null) || !cached.isSidLoaded(sids)) { parentIdsToLookup.add(new Long(parentId)); acls.put(cached.getId(), cached);
public void putInCache(MutableAcl acl) { Assert.notNull(acl, "Acl required"); Assert.notNull(acl.getObjectIdentity(), "ObjectIdentity required"); Assert.notNull(acl.getId(), "ID required"); if ((acl.getParentAcl() != null) && (acl.getParentAcl() instanceof MutableAcl)) { putInCache((MutableAcl) acl.getParentAcl()); } cache.put(acl.getObjectIdentity(), acl); cache.put(acl.getId(), acl); }
public void evictFromCache(Serializable pk) { Assert.notNull(pk, "Primary key (identifier) required"); MutableAcl acl = getFromCache(pk); if (acl != null) { cache.remove(acl.getId()); cache.remove(acl.getObjectIdentity()); } }
/** * Updates an existing acl_object_identity row, with new information presented in the * passed MutableAcl object. Also will create an acl_sid entry if needed for the Sid * that owns the MutableAcl. * * @param acl to modify (a row must already exist in acl_object_identity) * * @throws NotFoundException if the ACL could not be found to update. */ protected void updateObjectIdentity(MutableAcl acl) { Long parentId = null; if (acl.getParentAcl() != null) { Assert.isInstanceOf(ObjectIdentityImpl.class, acl.getParentAcl() .getObjectIdentity(), "Implementation only supports ObjectIdentityImpl"); ObjectIdentityImpl oii = (ObjectIdentityImpl) acl.getParentAcl() .getObjectIdentity(); parentId = retrieveObjectIdentityPrimaryKey(oii); } Assert.notNull(acl.getOwner(), "Owner is required in this implementation"); Long ownerSid = createOrRetrieveSidPrimaryKey(acl.getOwner(), true); int count = jdbcOperations.update(updateObjectIdentity, parentId, ownerSid, Boolean.valueOf(acl.isEntriesInheriting()), acl.getId()); if (count != 1) { throw new NotFoundException("Unable to locate ACL to update"); } }
assertThat(topParent.getId()).isNotNull(); assertThat(middleParent.getId()).isNotNull(); assertThat(child.getId()).isNotNull(); assertThat(topParent.getParentAcl()).isNull(); assertThat(middleParent.getParentAcl().getObjectIdentity()).isEqualTo(topParentOid); assertThat(child.getParentAcl().getObjectIdentity()).isEqualTo(middleParentOid); assertThat(topParent.getEntries()).hasSize(2); assertThat(middleParent.getEntries()).hasSize(1); assertThat(child.getEntries()).hasSize(1); assertThat(topParent.getObjectIdentity()).isEqualTo(topParentOid); assertThat(middleParent.getObjectIdentity()).isEqualTo(middleParentOid); assertThat(child.getObjectIdentity()).isEqualTo(childOid); assertThat(topParent.isEntriesInheriting()).isTrue(); assertThat(Long.valueOf(1)).isEqualTo(topParent.getId()); assertThat(new PrincipalSid("ben")).isEqualTo(topParent.getOwner()); assertThat(Long.valueOf(1)).isEqualTo(topParent.getEntries().get(0).getId()); assertThat(topParent.getEntries().get(0).getPermission()).isEqualTo(BasePermission.READ); assertThat(topParent.getEntries().get(0).getSid()).isEqualTo(new PrincipalSid("ben")); assertThat(((AuditableAccessControlEntry) topParent.getEntries().get(0)).isAuditFailure()).isFalse(); assertThat(((AuditableAccessControlEntry) topParent.getEntries().get(0)).isAuditSuccess()).isFalse(); assertThat((topParent.getEntries().get(0)).isGranting()).isTrue(); assertThat(Long.valueOf(2)).isEqualTo(topParent.getEntries().get(1).getId()); assertThat(topParent.getEntries().get(1).getPermission()).isEqualTo(BasePermission.WRITE); assertThat(topParent.getEntries().get(1).getSid()).isEqualTo(new PrincipalSid("ben"));
acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST1"), true); service.updateAcl(acl); assertThat(acl.getEntries()).hasSize(1); assertThat(acl).isEqualTo(acl.getEntries().get(0).getAcl()); assertThat(BasePermission.READ).isEqualTo(acl.getEntries().get(0).getPermission()); assertThat(acl.getEntries().get(0).getSid()).isEqualTo(new GrantedAuthoritySid( "ROLE_TEST1")); acl.insertAce(1, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"), true); service.updateAcl(acl); assertThat(acl.getEntries()).hasSize(2); assertThat(acl).isEqualTo(acl.getEntries().get(1).getAcl()); assertThat(BasePermission.READ).isEqualTo(acl.getEntries().get(1).getPermission()); assertThat(acl.getEntries().get(1).getSid()).isEqualTo(new GrantedAuthoritySid( "ROLE_TEST2")); acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_TEST3"), false); service.updateAcl(acl); assertThat(acl.getEntries()).hasSize(3); assertThat(BasePermission.READ).isEqualTo(acl.getEntries().get(0).getPermission()); assertThat(acl.getEntries().get(0).getSid()).isEqualTo(new GrantedAuthoritySid( "ROLE_TEST1")); assertThat(BasePermission.WRITE).isEqualTo(acl.getEntries().get(1).getPermission()); assertThat(acl.getEntries().get(1).getSid()).isEqualTo( new GrantedAuthoritySid( "ROLE_TEST3"));
acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST1"), true); acl.insertAce(1, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"), true); acl.insertAce(2, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST3"), true); service.updateAcl(acl); acl.deleteAce(0); assertThat(acl.getEntries()).hasSize(2); assertThat(acl.getEntries().get(0).getSid()).isEqualTo(new GrantedAuthoritySid( "ROLE_TEST2")); assertThat(acl.getEntries().get(1).getSid()).isEqualTo(new GrantedAuthoritySid( "ROLE_TEST3")); acl.insertAce(2, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST4"), true); service.updateAcl(acl); acl.deleteAce(1); assertThat(acl.getEntries()).hasSize(2); assertThat(acl.getEntries().get(0).getSid()).isEqualTo(new GrantedAuthoritySid( "ROLE_TEST2")); assertThat(acl.getEntries().get(1).getSid()).isEqualTo(new GrantedAuthoritySid( "ROLE_TEST4")); acl.deleteAce(1); acl.deleteAce(0); assertThat(acl.getEntries()).isEmpty();
MutableAcl child = jdbcMutableAclService.createAcl(new ObjectIdentityImpl( TARGET_CLASS, Long.valueOf(2))); child.setParent(parent); jdbcMutableAclService.updateAcl(child); parent.insertAce(0, BasePermission.ADMINISTRATION, new GrantedAuthoritySid( "ROLE_ADMINISTRATOR"), true); jdbcMutableAclService.updateAcl(parent); parent.insertAce(1, BasePermission.DELETE, new PrincipalSid("terry"), true); jdbcMutableAclService.updateAcl(parent); TARGET_CLASS, Long.valueOf(2))); parent = (MutableAcl) child.getParentAcl(); assertThat(parent.getEntries()).hasSize(2); assertThat(parent.getEntries().get(0).getPermission().getMask()).isEqualTo(16); assertThat(parent.getEntries() .get(0).getSid()).isEqualTo(new GrantedAuthoritySid("ROLE_ADMINISTRATOR")); assertThat(parent.getEntries().get(1).getPermission().getMask()).isEqualTo(8); assertThat(parent.getEntries().get(1).getSid()).isEqualTo(new PrincipalSid("terry"));
public int getBatchSize() { return acl.getEntries().size(); }
@Test public void updatedAceValuesAreCorrectlyReflectedInAcl() throws Exception { Authentication auth = new TestingAuthenticationToken("ben", "ignored", "ROLE_GENERAL"); auth.setAuthenticated(true); SecurityContextHolder.getContext().setAuthentication(auth); MutableAcl acl = new AclImpl(objectIdentity, 1, authzStrategy, pgs, null, null, false, new PrincipalSid("joe")); MockAclService service = new MockAclService(); acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true); acl.insertAce(1, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"), true); acl.insertAce(2, BasePermission.CREATE, new PrincipalSid("ben"), true); service.updateAcl(acl); assertThat(BasePermission.READ).isEqualTo(acl.getEntries().get(0).getPermission()); assertThat(BasePermission.WRITE).isEqualTo(acl.getEntries().get(1).getPermission()); assertThat(BasePermission.CREATE).isEqualTo(acl.getEntries().get(2).getPermission()); // Change each permission acl.updateAce(0, BasePermission.CREATE); acl.updateAce(1, BasePermission.DELETE); acl.updateAce(2, BasePermission.READ); // Check the change was successfully made assertThat(BasePermission.CREATE).isEqualTo(acl.getEntries().get(0).getPermission()); assertThat(BasePermission.DELETE).isEqualTo(acl.getEntries().get(1).getPermission()); assertThat(BasePermission.READ).isEqualTo(acl.getEntries().get(2).getPermission()); }
public void setValues(PreparedStatement stmt, int i) throws SQLException { AccessControlEntry entry_ = acl.getEntries().get(i); Assert.isTrue(entry_ instanceof AccessControlEntryImpl, "Unknown ACE class"); AccessControlEntryImpl entry = (AccessControlEntryImpl) entry_; stmt.setLong(1, ((Long) acl.getId()).longValue()); stmt.setInt(2, i); stmt.setLong(3, createOrRetrieveSidPrimaryKey(entry.getSid(), true) .longValue()); stmt.setInt(4, entry.getPermission().getMask()); stmt.setBoolean(5, entry.isGranting()); stmt.setBoolean(6, entry.isAuditSuccess()); stmt.setBoolean(7, entry.isAuditFailure()); } });
private void resetAclRecords(Class<? extends ISecuredObject<?>> objectClass, Long securedId, Sid sid, sk.seges.acris.security.shared.user_management.domain.Permission[] permissions) { MutableAcl acl = null; AclSecuredObjectIdentityData objectIdentity = getParentObjectIdentity(objectClass, securedId); if (objectIdentity == null) { throw new SecurityException("Could not update acl entry for aclId: " + securedId + " sid: " + sid + " cause acl object identity not found!"); } try { acl = (MutableAcl) aclService.readAclById(new ObjectIdentityImpl(objectIdentity.getJavaType(), securedId)); } catch (NotFoundException e) { throw new SecurityException("Could not update acl entry for aclId: " + securedId + " sid: " + sid + " cause acl object identity not found!", e); } int authorityMask = 0; for (sk.seges.acris.security.shared.user_management.domain.Permission authority : permissions) { authorityMask |= authority.getMask(); } for (int i = 0; i < acl.getEntries().size(); i++) { acl.deleteAce(i); } acl.insertAce(0, permissionFactory.buildFromMask(authorityMask), sid, true); acl.setOwner(sid); aclService.updateAcl(acl); }
acl.setParent(parentAcl); if (parentAcl.getEntries() == null || parentAcl.getEntries().size() <= 0) { parentAcl.insertAce(0, permissionFactory.buildFromMask(authorityMask), sid, true); aclService.updateAcl(parentAcl); for (AccessControlEntry entry : acl.getEntries()) { if (!entry.getSid().equals(sid)) { aceIndex++; acl.insertAce(0, permissionFactory.buildFromMask(authorityMask), sid, true); } else { acl.deleteAce(aceIndex); acl.insertAce(aceIndex, permissionFactory.buildFromMask(authorityMask), sid, true);
@Test @Transactional public void cumulativePermissions() { Authentication auth = new TestingAuthenticationToken("ben", "ignored", "ROLE_ADMINISTRATOR"); auth.setAuthenticated(true); SecurityContextHolder.getContext().setAuthentication(auth); ObjectIdentity topParentOid = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(110)); MutableAcl topParent = jdbcMutableAclService.createAcl(topParentOid); // Add an ACE permission entry Permission cm = new CumulativePermission().set(BasePermission.READ).set( BasePermission.ADMINISTRATION); assertThat(cm.getMask()).isEqualTo(17); Sid benSid = new PrincipalSid(auth); topParent.insertAce(0, cm, benSid, true); assertThat(topParent.getEntries()).hasSize(1); // Explicitly save the changed ACL topParent = jdbcMutableAclService.updateAcl(topParent); // Check the mask was retrieved correctly assertThat(topParent.getEntries().get(0).getPermission().getMask()).isEqualTo(17); assertThat(topParent.isGranted(Arrays.asList(cm), Arrays.asList(benSid), true)).isTrue(); SecurityContextHolder.clearContext(); }
/** * Finds the specified {@link AccessControlEntry} and removes it from the entry list of the {@link Acl}. * * @param entryToDelete the entry to remove from the {@link Acl} * @return the id of the removed entry or {@code -1} if no such entry was found */ public int delete(@Nonnull AccessControlEntry entryToDelete) { List<AccessControlEntry> aclEntries = acl.getEntries(); for (int i = 0; i < aclEntries.size(); i++) { if (aclEntries.get(i).equals(entryToDelete)) { acl.deleteAce(i); return i; } } return -1; }
@Test public void putInCacheAclWithParent() throws Exception { Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL"); auth.setAuthenticated(true); SecurityContextHolder.getContext().setAuthentication(auth); ObjectIdentity identityParent = new ObjectIdentityImpl(TARGET_CLASS, Long.valueOf(2)); AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl( new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority( "ROLE_AUDITING"), new SimpleGrantedAuthority("ROLE_GENERAL")); MutableAcl parentAcl = new AclImpl(identityParent, Long.valueOf(2), aclAuthorizationStrategy, new ConsoleAuditLogger()); acl.setParent(parentAcl); myCache.putInCache(acl); verify(cache, times(4)).put(element.capture()); List<Element> allValues = element.getAllValues(); assertThat(allValues.get(0).getKey()).isEqualTo(parentAcl.getObjectIdentity()); assertThat(allValues.get(0).getObjectValue()).isEqualTo(parentAcl); assertThat(allValues.get(1).getKey()).isEqualTo(parentAcl.getId()); assertThat(allValues.get(1).getObjectValue()).isEqualTo(parentAcl); assertThat(allValues.get(2).getKey()).isEqualTo(acl.getObjectIdentity()); assertThat(allValues.get(2).getObjectValue()).isEqualTo(acl); assertThat(allValues.get(3).getKey()).isEqualTo(acl.getId()); assertThat(allValues.get(3).getObjectValue()).isEqualTo(acl); }
@Test(expected = NotFoundException.class) public void insertAceFailsForNonExistentElement() throws Exception { MutableAcl acl = new AclImpl(objectIdentity, 1, authzStrategy, pgs, null, null, true, new PrincipalSid("joe")); MockAclService service = new MockAclService(); // Insert one permission acl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST1"), true); service.updateAcl(acl); acl.insertAce(55, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"), true); }
childAcl2.setParent(childAcl1); childAcl1.setParent(parentAcl1); parentAcl2.setParent(grandParentAcl); parentAcl1.setParent(grandParentAcl); grandParentAcl.insertAce(0, BasePermission.READ, new GrantedAuthoritySid( "ROLE_USER_READ"), true); grandParentAcl.insertAce(1, BasePermission.WRITE, new PrincipalSid("ben"), true); grandParentAcl .insertAce(2, BasePermission.DELETE, new PrincipalSid("ben"), false); grandParentAcl.insertAce(3, BasePermission.DELETE, new PrincipalSid("scott"), true); parentAcl1.insertAce(0, BasePermission.READ, new PrincipalSid("scott"), true); parentAcl1.insertAce(1, BasePermission.DELETE, new PrincipalSid("scott"), false); parentAcl2.insertAce(0, BasePermission.CREATE, new PrincipalSid("ben"), true); childAcl1.insertAce(0, BasePermission.CREATE, new PrincipalSid("scott"), true); assertThat(parentAcl1.isGranted(READ, SCOTT, false)).isTrue(); assertThat(parentAcl1.isGranted(READ, Arrays.asList((Sid) new GrantedAuthoritySid("ROLE_USER_READ")), false)) .isTrue(); assertThat(parentAcl1.isGranted(WRITE, BEN, false)).isTrue(); assertThat(parentAcl1.isGranted(DELETE, BEN, false)).isFalse(); assertThat(parentAcl1.isGranted(DELETE, SCOTT, false)).isFalse(); assertThat(parentAcl2.isGranted(CREATE, BEN, false)).isTrue(); assertThat(parentAcl2.isGranted(WRITE, BEN, false)).isTrue(); assertThat(parentAcl2.isGranted(DELETE, BEN, false)).isFalse();