private void verifyCanWrite(final Set<IRI> modes, final Session session, final String path) { if (!modes.contains(ACL.Write)) { LOGGER.warn("User: {} cannot Write to {}", session.getAgent(), path); if (Trellis.AnonymousAgent.equals(session.getAgent())) { throw new NotAuthorizedException(challenges.get(0), challenges.subList(1, challenges.size()).toArray()); } throw new ForbiddenException(); } LOGGER.debug("User: {} can write to {}", session.getAgent(), path); }
@Override public Set<IRI> getAccessModes(final IRI identifier, final Session session) { requireNonNull(session, "A non-null session must be provided!"); if (Trellis.AdministratorAgent.equals(session.getAgent())) { return unmodifiableSet(allModes); } final Set<IRI> cachedModes = cache.get(getCacheKey(identifier, session.getAgent()), k -> getAuthz(identifier, session.getAgent())); return session.getDelegatedBy().map(delegate -> { final Set<IRI> delegatedModes = new HashSet<>(cache.get(getCacheKey(identifier, delegate), k -> getAuthz(identifier, delegate))); delegatedModes.retainAll(cachedModes); return unmodifiableSet(delegatedModes); }).orElseGet(() -> unmodifiableSet(cachedModes)); }
private List<Quad> auditData(final IRI subject, final Session session, final List<IRI> types) { final List<Quad> data = new ArrayList<>(); final BlankNode bnode = rdf.createBlankNode(); data.add(rdf.createQuad(PreferAudit, subject, PROV.wasGeneratedBy, bnode)); types.forEach(t -> data.add(rdf.createQuad(PreferAudit, bnode, type, t))); data.add(rdf.createQuad(PreferAudit, bnode, PROV.wasAssociatedWith, session.getAgent())); data.add(rdf.createQuad(PreferAudit, bnode, PROV.atTime, rdf.createLiteral(session.getCreated().toString(), XSD.dateTime))); session.getDelegatedBy().ifPresent(delegate -> data.add(rdf.createQuad(PreferAudit, bnode, PROV.actedOnBehalfOf, delegate))); return data; } }
@Test public void testHttpSession() { final Instant time = now(); final Session session = new HttpSession(); assertEquals(Trellis.AnonymousAgent, session.getAgent(), "Incorrect agent in default session!"); assertFalse(session.getDelegatedBy().isPresent(), "Unexpected delegatedBy property!"); assertTrue(session.getIdentifier().getIRIString().startsWith(TRELLIS_SESSION_PREFIX), "ID has wrong prefix!"); final Session session2 = new HttpSession(); assertNotEquals(session.getIdentifier(), session2.getIdentifier(), "Session identifiers aren't unique!"); assertFalse(session.getCreated().isBefore(time), "Session date precedes its creation!"); assertFalse(session.getCreated().isAfter(session2.getCreated()), "Session date is out of order!"); } }
private void verifyCanAppend(final Set<IRI> modes, final Session session, final String path) { if (!modes.contains(ACL.Append) && !modes.contains(ACL.Write)) { LOGGER.warn("User: {} cannot Append to {}", session.getAgent(), path); if (Trellis.AnonymousAgent.equals(session.getAgent())) { throw new NotAuthorizedException(challenges.get(0), challenges.subList(1, challenges.size()).toArray()); } throw new ForbiddenException(); } LOGGER.debug("User: {} can append to {}", session.getAgent(), path); }
@Test public void testDelegate1() { when(mockSession.getAgent()).thenReturn(agentIRI); when(mockSession.getDelegatedBy()).thenReturn(of(acoburnIRI)); assertAll("Test delegated read access 1", checkNoneCanRead()); assertAll("Test delegated write access 1", checkNoneCanWrite()); }
@BeforeEach public void setUp() { initMocks(this); when(mockSession.getAgent()).thenReturn(Trellis.AnonymousAgent); when(mockSession.getCreated()).thenReturn(created); when(mockSession.getDelegatedBy()).thenReturn(empty()); }
private void verifyCanRead(final Set<IRI> modes, final Session session, final String path) { if (!modes.contains(ACL.Read)) { LOGGER.warn("User: {} cannot Read from {}", session.getAgent(), path); if (Trellis.AnonymousAgent.equals(session.getAgent())) { throw new NotAuthorizedException(challenges.get(0), challenges.subList(1, challenges.size()).toArray()); } throw new ForbiddenException(); } LOGGER.debug("User: {} can read {}", session.getAgent(), path); } }
@Test public void testDelegate2() { when(mockSession.getAgent()).thenReturn(acoburnIRI); when(mockSession.getDelegatedBy()).thenReturn(of(agentIRI)); assertAll("Test delegated read access 2", checkNoneCanRead()); assertAll("Test delegated write access 2", checkNoneCanWrite()); }
@BeforeEach public void setUp() { initMocks(this); when(mockSession.getAgent()).thenReturn(Trellis.AnonymousAgent); when(mockSession.getCreated()).thenReturn(created); when(mockSession.getDelegatedBy()).thenReturn(of(Trellis.AdministratorAgent)); }
private void verifyCanControl(final Set<IRI> modes, final Session session, final String path) { if (!modes.contains(ACL.Control)) { LOGGER.warn("User: {} cannot Control {}", session.getAgent(), path); if (Trellis.AnonymousAgent.equals(session.getAgent())) { throw new NotAuthorizedException(challenges.get(0), challenges.subList(1, challenges.size()).toArray()); } throw new ForbiddenException(); } LOGGER.debug("User: {} can control {}", session.getAgent(), path); }
@Test public void testDelegate3() { when(mockSession.getAgent()).thenReturn(agentIRI); when(mockSession.getDelegatedBy()).thenReturn(of(addisonIRI)); assertAll("Test delegated writabliity for " + agentIRI + " via " + addisonIRI, checkCanWrite(resourceIRI), checkCanWrite(childIRI), checkCannotWrite(parentIRI), checkCannotWrite(rootIRI)); assertAll(checkAllCanRead()); }
private Executable checkCanRead(final IRI id) { return () -> assertTrue(testService.getAccessModes(id, mockSession).contains(ACL.Read), mockSession.getAgent() + " cannot Read from " + id); }
@Test public void testCacheCanWrite3() { final AccessControlService testCacheService = new WebACService(mockResourceService, mockCache); when(mockSession.getAgent()).thenReturn(agentIRI); when(mockSession.getDelegatedBy()).thenReturn(of(addisonIRI)); assertAll("Check delegated writability with cache", checkCanWrite(testCacheService, nonexistentIRI), checkCanWrite(testCacheService, resourceIRI), checkCanWrite(testCacheService, childIRI), checkCannotWrite(testCacheService, parentIRI), checkCannotWrite(testCacheService, rootIRI)); }
private Executable checkCanWrite(final IRI id) { return () -> assertTrue(testService.getAccessModes(id, mockSession).contains(ACL.Write), mockSession.getAgent() + " cannot Write to " + id); }
@BeforeEach @SuppressWarnings("unchecked") public void setUp() { initMocks(this); testService = new WebACService(mockResourceService); when(mockCache.get(anyString(), any(Function.class))).thenAnswer(inv -> { final String key = inv.getArgument(0); final Function<String, String> mapper = inv.getArgument(1); return mapper.apply(key); }); setUpResourceService(); setUpChildResource(); setUpRootResource(); setUpMemberResource(); when(mockResource.hasAcl()).thenReturn(false); when(mockResource.getIdentifier()).thenReturn(resourceIRI); when(mockResource.getInteractionModel()).thenReturn(LDP.RDFSource); when(mockResource.getMembershipResource()).thenReturn(empty()); when(mockParentResource.hasAcl()).thenReturn(false); when(mockParentResource.getIdentifier()).thenReturn(parentIRI); when(mockParentResource.getInteractionModel()).thenReturn(LDP.Container); when(mockParentResource.getMembershipResource()).thenReturn(empty()); when(mockSession.getAgent()).thenReturn(agentIRI); when(mockSession.getDelegatedBy()).thenReturn(empty()); }
private Executable checkCanAppend(final IRI id) { return () -> assertTrue(testService.getAccessModes(id, mockSession).contains(ACL.Append), mockSession.getAgent() + " cannot Append to " + id); } }
private Executable checkCannotWrite(final AccessControlService svc, final IRI id) { return () -> assertFalse(svc.getAccessModes(id, mockSession).contains(ACL.Write), mockSession.getAgent() + " can Write to " + id); }
private Executable checkCanWrite(final AccessControlService svc, final IRI id) { return () -> assertTrue(svc.getAccessModes(id, mockSession).contains(ACL.Write), mockSession.getAgent() + " cannot Write to " + id); }
private Executable checkCannotWrite(final IRI id) { return () -> assertFalse(testService.getAccessModes(id, mockSession).contains(ACL.Write), mockSession.getAgent() + " can Write to " + id); }