org.springframework.security.acls.domain.PrincipalSid Java Examples
The following examples show how to use
org.springframework.security.acls.domain.PrincipalSid.
Example #1
Source File: UserRoleToolsTest.java From molgenis with GNU Lesser General Public License v3.0 | 6 votes |
/**
 * Checks that {@code getAllAvailableSids()} yields a {@link PrincipalSid} for the one stubbed
 * user, a {@code ROLE_}-prefixed {@link GrantedAuthoritySid} for the one stubbed role, and the
 * {@code ROLE_ANONYMOUS} authority.
 */
@Test
void testGetAllAvailableSids() {
  // The permission evaluator is stubbed to grant READ_DATA on both the user and the role type.
  doReturn(true)
      .when(userPermissionEvaluator)
      .hasPermission(new EntityTypeIdentity(UserMetadata.USER), READ_DATA);
  doReturn(true)
      .when(userPermissionEvaluator)
      .hasPermission(new EntityTypeIdentity(RoleMetadata.ROLE), READ_DATA);

  // One role named "role1" is returned by the data service.
  Role onlyRole = mock(Role.class);
  when(onlyRole.getString(RoleMetadata.NAME)).thenReturn("role1");
  when(dataService.findAll(RoleMetadata.ROLE))
      .thenReturn(Collections.<Entity>singletonList(onlyRole).stream());

  // One user named "username" is returned by the user service.
  User onlyUser = mock(User.class);
  when(onlyUser.getUsername()).thenReturn("username");
  when(userService.getUsers()).thenReturn(Collections.singletonList(onlyUser));

  assertEquals(
      newHashSet(
          new GrantedAuthoritySid("ROLE_role1"),
          new GrantedAuthoritySid("ROLE_ANONYMOUS"),
          new PrincipalSid("username")),
      userRoleTools.getAllAvailableSids());
}
Example #2
Source File: AccessService.java From kylin-on-parquet-v2 with Apache License 2.0 | 6 votes |
/**
 * Collects the permission mask of every ACL entry on a project, keyed by SID name.
 *
 * <p>Principal names and granted-authority names share one case-insensitive map, so a user and
 * an authority whose names differ only in case (or not at all) occupy the same key and the
 * entry processed last overwrites the earlier mask.
 *
 * @param project name of the project whose ACL is read
 * @return map from principal / authority name to the entry's permission mask; empty when the
 *     project has no ACL or the ACL has no entry list
 */
private Map<String, Integer> getProjectPermission(String project) {
    Map<String, Integer> maskBySidName = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);

    KylinConfig config = KylinConfig.getInstanceFromEnv();
    // NOTE(review): getProject(project) is dereferenced directly; an unknown project name
    // would presumably surface here as a NullPointerException -- confirm against callers.
    String projectUuid = ProjectManager.getInstance(config).getProject(project).getUuid();
    Acl projectAcl = getAcl(getAclEntity(AclEntityType.PROJECT_INSTANCE, projectUuid));

    if (projectAcl == null || projectAcl.getEntries() == null) {
        return maskBySidName;
    }

    for (AccessControlEntry entry : projectAcl.getEntries()) {
        Sid entrySid = entry.getSid();
        if (entrySid instanceof PrincipalSid) {
            String userName = ((PrincipalSid) entrySid).getPrincipal();
            maskBySidName.put(userName, entry.getPermission().getMask());
        }
        if (entrySid instanceof GrantedAuthoritySid) {
            String authorityName = ((GrantedAuthoritySid) entrySid).getGrantedAuthority();
            maskBySidName.put(authorityName, entry.getPermission().getMask());
        }
    }
    return maskBySidName;
}
Example #3
Source File: AccessService.java From kylin-on-parquet-v2 with Apache License 2.0 | 6 votes |
/**
 * Lists the names of the SIDs on an ACL that match the requested kind.
 *
 * @param acl ACL to inspect; {@code null} yields an empty list
 * @param type compared case-insensitively with {@code MetadataConstants.TYPE_USER} (selects
 *     {@link PrincipalSid} entries) and {@code MetadataConstants.TYPE_GROUP} (selects
 *     {@link GrantedAuthoritySid} entries); any other value selects nothing
 * @return the non-blank principal or authority names, in ACL entry order
 */
public List<String> getAllAclSids(Acl acl, String type) {
    if (acl == null) {
        return Collections.emptyList();
    }

    List<String> matchingNames = new ArrayList<>();
    for (AccessControlEntry entry : acl.getEntries()) {
        Sid entrySid = entry.getSid();
        String sidName = null;
        if (type.equalsIgnoreCase(MetadataConstants.TYPE_USER) && entrySid instanceof PrincipalSid) {
            sidName = ((PrincipalSid) entrySid).getPrincipal();
        }
        if (type.equalsIgnoreCase(MetadataConstants.TYPE_GROUP) && entrySid instanceof GrantedAuthoritySid) {
            sidName = ((GrantedAuthoritySid) entrySid).getGrantedAuthority();
        }
        // Entries of the other kind, and blank names, are skipped.
        if (StringUtils.isBlank(sidName)) {
            continue;
        }
        matchingNames.add(sidName);
    }
    return matchingNames;
}
Example #4
Source File: PermissionServiceDecoratorTest.java From molgenis with GNU Lesser General Public License v3.0 | 6 votes |
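/**
 * Checks that {@code createPermission} on the decorator reaches
 * {@code permissionService.createPermission} with the same {@link Permission} when the test
 * runs after {@code setSu()}.
 */
@Test
void testCreatePermission() {
  setSu();
  // resetContext() now runs in a finally block: previously a failing stub or verification
  // skipped it, leaving whatever setSu() installed in place for the tests that follow.
  try {
    ObjectIdentity objectIdentity = new ObjectIdentityImpl("type", "identifier");
    Sid sid = new PrincipalSid("user");

    // The ACL returned for the object identity is owned by the same SID.
    MutableAcl acl = mock(MutableAcl.class);
    when(acl.getOwner()).thenReturn(sid);
    when(mutableAclService.readAclById(objectIdentity)).thenReturn(acl);

    Permission permission = Permission.create(objectIdentity, sid, PermissionSet.WRITE);
    when(mutableAclClassService.getAclClassTypes()).thenReturn(singletonList("type"));

    permissionServiceDecorator.createPermission(permission);

    verify(permissionService).createPermission(permission);
  } finally {
    resetContext();
  }
}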
Example #5
Source File: AccessService.java From kylin-on-parquet-v2 with Apache License 2.0 | 6 votes |
/**
 * Ensures an ACL record exists for the entity and optionally grants an initial permission to
 * the currently authenticated principal.
 *
 * @param ae secured domain object the ACL belongs to
 * @param initPermission permission to grant to the current principal, or {@code null} to
 *     grant nothing
 * @return the created or already existing ACL record, after the optional grant
 */
@Transactional
public MutableAclRecord init(AclEntity ae, Permission initPermission) {
    ObjectIdentity objectIdentity = new ObjectIdentityImpl(ae);

    MutableAclRecord aclRecord;
    try {
        // Create the ACL record for the secured domain object.
        aclRecord = (MutableAclRecord) aclService.createAcl(objectIdentity);
    } catch (AlreadyExistsException e) {
        // An ACL is already registered for this object: reuse it.
        aclRecord = aclService.readAcl(objectIdentity);
    }

    if (initPermission == null) {
        return aclRecord;
    }

    // NOTE(review): this grant also runs when the ACL already existed, so the current caller
    // receives initPermission on an existing entity. No authorization check is visible in
    // this method; confirm that every caller of init() is itself gated.
    Authentication currentAuth = SecurityContextHolder.getContext().getAuthentication();
    return grant(ae, initPermission, new PrincipalSid(currentAuth));
}
Example #6
Source File: PermissionServiceDecoratorTest.java From molgenis with GNU Lesser General Public License v3.0 | 6 votes |
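/**
 * Checks that {@code createPermissions} on the decorator reaches
 * {@code permissionService.createPermissions} with an equal set of permissions when the test
 * runs after {@code setSu()}.
 */
@Test
void testCreatePermissions() {
  setSu();
  // resetContext() now runs in a finally block: previously a failing stub or verification
  // skipped it, leaving whatever setSu() installed in place for the tests that follow.
  try {
    ObjectIdentity objectIdentity = new ObjectIdentityImpl("type", "identifier");
    Sid sid = new PrincipalSid("user");

    // The ACL returned for the object identity is owned by the same SID.
    MutableAcl acl = mock(MutableAcl.class);
    when(acl.getOwner()).thenReturn(sid);
    when(mutableAclService.readAclById(objectIdentity)).thenReturn(acl);
    when(mutableAclClassService.getAclClassTypes()).thenReturn(singletonList("type"));

    Permission permission = Permission.create(objectIdentity, sid, PermissionSet.WRITE);

    permissionServiceDecorator.createPermissions(Collections.singleton(permission));

    verify(permissionService).createPermissions(Collections.singleton(permission));
  } finally {
    resetContext();
  }
}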
Example #7
Source File: PermissionServiceDecoratorTest.java From molgenis with GNU Lesser General Public License v3.0 | 6 votes |
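/**
 * Checks that {@code updatePermission} on the decorator reaches
 * {@code permissionService.updatePermission} when the test runs after {@code setUser()} and
 * the ACL's owner is the SID named in the permission.
 */
@Test
void testUpdatePermission() {
  setUser();
  // resetContext() now runs in a finally block: previously a failing stub or verification
  // skipped it, leaving whatever setUser() installed in place for the tests that follow.
  try {
    ObjectIdentity objectIdentity = new ObjectIdentityImpl("type", "identifier");
    Sid sid = new PrincipalSid("user");

    // The ACL returned for the object identity is owned by the same SID.
    MutableAcl acl = mock(MutableAcl.class);
    when(acl.getOwner()).thenReturn(sid);
    when(mutableAclService.readAclById(objectIdentity)).thenReturn(acl);
    when(mutableAclClassService.getAclClassTypes()).thenReturn(singletonList("type"));

    Permission permission = Permission.create(objectIdentity, sid, PermissionSet.WRITE);

    permissionServiceDecorator.updatePermission(permission);

    verify(permissionService).updatePermission(permission);
  } finally {
    resetContext();
  }
}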
Example #8
Source File: AclServiceTest.java From kylin-on-parquet-v2 with Apache License 2.0 | 6 votes |
/**
 * Creates an ACL, upserts ten ADMINISTRATION entries for principals {@code u0}..{@code u9} in
 * one batch, and checks that the stored ACL holds exactly those ten entries in index order.
 */
@Test
public void testBatchUpsertAce() {
    switchToAdmin();
    ObjectIdentity aclId = oid("acl");
    MutableAclRecord record = (MutableAclRecord) aclService.createAcl(aclId);

    final Map<Sid, Permission> grants = new HashMap<>();
    for (int n = 0; n < 10; n++) {
        grants.put(new PrincipalSid("u" + n), AclPermission.ADMINISTRATION);
    }
    aclService.batchUpsertAce(record, grants);

    for (Acl stored : aclService.readAclsById(Collections.singletonList(aclId)).values()) {
        List<AccessControlEntry> entries = stored.getEntries();
        Assert.assertEquals(10, entries.size());
        // NOTE(review): the grants come from a HashMap, which has no defined iteration order,
        // yet position i is expected to hold "u" + i -- presumably batchUpsertAce orders the
        // entries itself; confirm, otherwise this check depends on hash ordering.
        int position = 0;
        for (AccessControlEntry entry : entries) {
            Assert.assertEquals(new PrincipalSid("u" + position), entry.getSid());
            position++;
        }
    }
}
Example #9
Source File: JpaMutableAclService.java From Spring-Security-Third-Edition with MIT License | 6 votes |
/**
 * Registers a new ACL for the given object identity, owned by the current principal.
 *
 * @param objectIdentity identity of the domain object to secure; must not be {@code null}
 * @return the newly created ACL, re-read through {@code readAclById}
 * @throws AlreadyExistsException if a primary key is already stored for this identity
 */
@Override
public MutableAcl createAcl(ObjectIdentity objectIdentity) throws AlreadyExistsException {
    Assert.notNull(objectIdentity, "Object Identity required");

    // Refuse to register the same object identity twice.
    // NOTE(review): the lookup and the insert below are separate steps; whether concurrent
    // callers are serialised depends on transaction / constraint setup not shown here.
    boolean alreadyPersisted = retrieveObjectIdentityPrimaryKey(objectIdentity) != null;
    if (alreadyPersisted) {
        throw new AlreadyExistsException("Object identity '" + objectIdentity + "' already exists");
    }

    // The authenticated principal becomes the initial owner of the ACL (changeable later).
    PrincipalSid owner = new PrincipalSid(SecurityContextHolder.getContext().getAuthentication());

    // Insert the acl_object_identity row.
    createObjectIdentity(objectIdentity, owner);

    // Read the ACL back through the superclass path (cache registration, proper retrieval).
    Acl persisted = readAclById(objectIdentity);
    Assert.isInstanceOf(MutableAcl.class, persisted, "MutableAcl should be been returned");
    return (MutableAcl) persisted;
}
Example #10
Source File: UserRoleToolsTest.java From molgenis with GNU Lesser General Public License v3.0 | 6 votes |
/**
 * Checks that {@code getSids} turns two user names and two role names into SIDs that include
 * a {@link PrincipalSid} per user and a {@code ROLE_}-prefixed {@link GrantedAuthoritySid} per
 * role. The assertion uses {@code containsAll}, so extra SIDs in the result are not detected.
 */
@Test
void testGetSids() {
  // Role lookups: every eq(...) filter returns the same query, which finds a role.
  Query roleQuery = mock(Query.class);
  for (String roleName : Arrays.asList("role1", "role2")) {
    doReturn(roleQuery).when(roleQuery).eq(RoleMetadata.NAME, roleName);
  }
  doReturn(mock(Role.class)).when(roleQuery).findOne();

  // User lookups: both user names resolve to a user.
  for (String userName : Arrays.asList("user1", "user2")) {
    doReturn(mock(User.class)).when(userService).getUser(userName);
  }

  when(dataService.query(RoleMetadata.ROLE, Role.class)).thenReturn(roleQuery);
  when(roleQuery.findOne()).thenReturn(mock(Role.class));

  List<Sid> expected =
      Arrays.asList(
          new PrincipalSid("user1"),
          new PrincipalSid("user2"),
          new GrantedAuthoritySid("ROLE_role1"),
          new GrantedAuthoritySid("ROLE_role2"));

  assertTrue(
      userRoleTools
          .getSids(Arrays.asList("user1", "user2"), Arrays.asList("role1", "role2"))
          .containsAll(expected));
}
Example #11
Source File: PermissionInheritanceResolverTest.java From molgenis with GNU Lesser General Public License v3.0 | 6 votes |
/**
 * Checks the inherited-permission result for a user on an entity ACL whose parent chain is
 * entity -> package -> parent package, with the user holding role1 and role2 and role1 in
 * turn holding role3.
 */
@Test
void testGetInheritedPermissions() {
  Sid userSid = mock(PrincipalSid.class);
  Sid firstRole = new GrantedAuthoritySid("ROLE_role1");
  Sid secondRole = new GrantedAuthoritySid("ROLE_role2");
  Sid thirdRole = new GrantedAuthoritySid("ROLE_role3");

  // ACL chain, built from the outermost parent inwards; each ACL carries one permission.
  Acl grandParentAcl =
      PermissionTestUtils.getSinglePermissionAcl(thirdRole, 16, "parentPackageAcl");
  Acl parentAcl =
      PermissionTestUtils.getSinglePermissionAcl(userSid, 4, "packageAcl", grandParentAcl);
  Acl childAcl =
      PermissionTestUtils.getSinglePermissionAcl(secondRole, 8, "entityAcl", parentAcl);

  // Role membership: user -> {role1, role2}, role1 -> {role3}.
  doReturn(Arrays.asList(firstRole, secondRole)).when(userRoleTools).getRolesForSid(userSid);
  doReturn(singletonList(thirdRole)).when(userRoleTools).getRolesForSid(firstRole);

  InheritedPermissionsResult expectedResult =
      getInheritedPermissionsResult(parentAcl, grandParentAcl, firstRole, secondRole, thirdRole);

  assertEquals(expectedResult, resolver.getInheritedPermissionsResults(childAcl, userSid));
}
Example #12
Source File: OwnershipDecoratorTest.java From molgenis with GNU Lesser General Public License v3.0 | 6 votes |
/**
 * Checks the stream variant of {@code add}: the entity is passed on to the delegate, the ACL
 * is updated, and afterwards the ACL is owned by the entity's "owner" value with a single
 * granting WRITE entry for that owner in place of the entry seeded for "otheruser".
 */
@Test
void testAddStream() {
  // Entity "id" of type "MyQuestionnaire", whose owner attribute is "username".
  when(entityType.getId()).thenReturn("MyQuestionnaire");
  when(entity.getEntityType()).thenReturn(entityType);
  when(entity.getIdValue()).thenReturn("id");
  when(entity.getString("owner")).thenReturn("username");

  // Existing ACL seeded with a WRITE entry for a different user.
  EntityIdentity identity = new EntityIdentity("MyQuestionnaire", "id");
  AclImpl existingAcl = new AclImpl(identity, 1, authorizationStrategy, auditLogger);
  existingAcl.insertAce(0, PermissionSet.WRITE, new PrincipalSid("otheruser"), true);
  when(mutableAclService.readAclById(identity)).thenReturn(existingAcl);

  ownershipDecorator.add(Stream.of(entity));

  verify(delegate).add(streamCaptor.capture());
  assertEquals(singletonList(entity), streamCaptor.getValue().collect(toList()));
  verify(mutableAclService).updateAcl(existingAcl);

  PrincipalSid expectedOwner = new PrincipalSid("username");
  assertEquals(expectedOwner, existingAcl.getOwner());
  assertEquals(1, existingAcl.getEntries().size());

  AccessControlEntry onlyEntry = existingAcl.getEntries().get(0);
  assertEquals(expectedOwner, onlyEntry.getSid());
  assertEquals(WRITE, onlyEntry.getPermission());
  assertTrue(onlyEntry.isGranting());
}
Example #13
Source File: JpaMutableAclService.java From Spring-Security-Third-Edition with MIT License | 6 votes |
/**
 * Registers a new ACL for the given object identity, owned by the current principal.
 *
 * @param objectIdentity identity of the domain object to secure; must not be {@code null}
 * @return the newly created ACL, re-read through {@code readAclById}
 * @throws AlreadyExistsException if a primary key is already stored for this identity
 */
@Override
public MutableAcl createAcl(ObjectIdentity objectIdentity) throws AlreadyExistsException {
    Assert.notNull(objectIdentity, "Object Identity required");

    // Refuse to register the same object identity twice.
    // NOTE(review): the lookup and the insert below are separate steps; whether concurrent
    // callers are serialised depends on transaction / constraint setup not shown here.
    boolean alreadyPersisted = retrieveObjectIdentityPrimaryKey(objectIdentity) != null;
    if (alreadyPersisted) {
        throw new AlreadyExistsException("Object identity '" + objectIdentity + "' already exists");
    }

    // The authenticated principal becomes the initial owner of the ACL (changeable later).
    PrincipalSid owner = new PrincipalSid(SecurityContextHolder.getContext().getAuthentication());

    // Insert the acl_object_identity row.
    createObjectIdentity(objectIdentity, owner);

    // Read the ACL back through the superclass path (cache registration, proper retrieval).
    Acl persisted = readAclById(objectIdentity);
    Assert.isInstanceOf(MutableAcl.class, persisted, "MutableAcl should be been returned");
    return (MutableAcl) persisted;
}
Example #14
Source File: AccessService.java From kylin with Apache License 2.0 | 6 votes |
/**
 * Ensures an ACL record exists for the entity and optionally grants an initial permission to
 * the currently authenticated principal.
 *
 * @param ae secured domain object the ACL belongs to
 * @param initPermission permission to grant to the current principal, or {@code null} to
 *     grant nothing
 * @return the created or already existing ACL record, after the optional grant
 */
@Transactional
public MutableAclRecord init(AclEntity ae, Permission initPermission) {
    ObjectIdentity objectIdentity = new ObjectIdentityImpl(ae);

    MutableAclRecord aclRecord;
    try {
        // Create the ACL record for the secured domain object.
        aclRecord = (MutableAclRecord) aclService.createAcl(objectIdentity);
    } catch (AlreadyExistsException e) {
        // An ACL is already registered for this object: reuse it.
        aclRecord = aclService.readAcl(objectIdentity);
    }

    if (initPermission == null) {
        return aclRecord;
    }

    // NOTE(review): this grant also runs when the ACL already existed, so the current caller
    // receives initPermission on an existing entity. No authorization check is visible in
    // this method; confirm that every caller of init() is itself gated.
    Authentication currentAuth = SecurityContextHolder.getContext().getAuthentication();
    return grant(ae, initPermission, new PrincipalSid(currentAuth));
}
Example #15
Source File: OwnershipDecoratorTest.java From molgenis with GNU Lesser General Public License v3.0 | 6 votes |
/**
 * Checks the single-entity variant of {@code add}: the entity is passed on to the delegate,
 * the ACL is updated, and afterwards the ACL is owned by the entity's "owner" value with a
 * single granting WRITE entry for that owner in place of the entry seeded for "otheruser".
 */
@Test
void testAdd() {
  // Entity "id" of type "MyQuestionnaire", whose owner attribute is "username".
  when(entityType.getId()).thenReturn("MyQuestionnaire");
  when(entity.getEntityType()).thenReturn(entityType);
  when(entity.getIdValue()).thenReturn("id");
  when(entity.getString("owner")).thenReturn("username");

  // Existing ACL seeded with a WRITE entry for a different user.
  EntityIdentity identity = new EntityIdentity("MyQuestionnaire", "id");
  AclImpl existingAcl = new AclImpl(identity, 1, authorizationStrategy, auditLogger);
  existingAcl.insertAce(0, PermissionSet.WRITE, new PrincipalSid("otheruser"), true);
  when(mutableAclService.readAclById(identity)).thenReturn(existingAcl);

  ownershipDecorator.add(entity);

  verify(delegate).add(entity);
  verify(mutableAclService).updateAcl(existingAcl);

  PrincipalSid expectedOwner = new PrincipalSid("username");
  assertEquals(expectedOwner, existingAcl.getOwner());
  assertEquals(1, existingAcl.getEntries().size());

  AccessControlEntry onlyEntry = existingAcl.getEntries().get(0);
  assertEquals(expectedOwner, onlyEntry.getSid());
  assertEquals(WRITE, onlyEntry.getPermission());
  assertTrue(onlyEntry.isGranting());
}
Example #16
Source File: AclServiceTest.java From kylin with Apache License 2.0 | 6 votes |
/**
 * Creates an ACL, upserts ten ADMINISTRATION entries for principals {@code u0}..{@code u9} in
 * one batch, and checks that the stored ACL holds exactly those ten entries in index order.
 */
@Test
public void testBatchUpsertAce() {
    switchToAdmin();
    ObjectIdentity aclId = oid("acl");
    MutableAclRecord record = (MutableAclRecord) aclService.createAcl(aclId);

    final Map<Sid, Permission> grants = new HashMap<>();
    for (int n = 0; n < 10; n++) {
        grants.put(new PrincipalSid("u" + n), AclPermission.ADMINISTRATION);
    }
    aclService.batchUpsertAce(record, grants);

    for (Acl stored : aclService.readAclsById(Collections.singletonList(aclId)).values()) {
        List<AccessControlEntry> entries = stored.getEntries();
        Assert.assertEquals(10, entries.size());
        // NOTE(review): the grants come from a HashMap, which has no defined iteration order,
        // yet position i is expected to hold "u" + i -- presumably batchUpsertAce orders the
        // entries itself; confirm, otherwise this check depends on hash ordering.
        int position = 0;
        for (AccessControlEntry entry : entries) {
            Assert.assertEquals(new PrincipalSid("u" + position), entry.getSid());
            position++;
        }
    }
}
Example #17
Source File: MultiTenancySupport.java From haven-platform with Apache License 2.0 | 6 votes |
/**
 * Fills in a missing tenant on a principal SID and validates the tenant of any other SID
 * against the tenant of the currently authenticated user.
 *
 * <p>Outcomes, in order: a {@code null} SID and a tenant-less {@link GrantedAuthoritySid} are
 * returned unchanged; a SID whose tenant equals the caller's tenant is returned unchanged; a
 * tenant-less SID is converted with {@code TenantPrincipalSid.from}; a SID of a different
 * tenant is accepted only when the caller belongs to {@code ROOT_TENANT}.
 *
 * @param sid SID to fix or validate, may be {@code null}
 * @param <T> concrete SID type
 * @return the given SID, or a tenant-qualified replacement for a tenant-less principal SID
 * @throws IllegalArgumentException if the SID names another tenant and the caller is not in
 *     the root tenant
 */
@SuppressWarnings("unchecked")
public static <T extends TenantSid> T fixTenant(T sid) {
    if (sid == null) {
        return sid;
    }

    final String sidTenant = sid.getTenant();
    final boolean tenantMissing = sidTenant == null;
    if (tenantMissing && sid instanceof GrantedAuthoritySid) {
        return sid;
    }

    // NOTE(review): the authentication and its principal are dereferenced and cast without a
    // check, so an absent authentication or a principal that is not ExtendedUserDetails would
    // surface as NullPointerException / ClassCastException -- confirm callers always run with
    // an ExtendedUserDetails principal.
    ExtendedUserDetails caller =
            (ExtendedUserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    final String callerTenant = caller.getTenant();

    if (callerTenant.equals(sidTenant)) {
        return sid;
    }
    if (tenantMissing) {
        // Not a GrantedAuthoritySid at this point; the cast assumes it is a PrincipalSid.
        return (T) TenantPrincipalSid.from((PrincipalSid) sid);
    }
    if (ROOT_TENANT.equals(callerTenant)) {
        return sid;
    }
    // Tenancy access should be checked through TenantHierarchy, but there is no full tenancy
    // support yet, so cross-tenant SIDs are rejected for everyone outside the root tenant.
    throw new IllegalArgumentException("Sid " + sid + " has incorrect tenant: " + tenant(sidTenant) + " it allow only for root tenant.");
}

/** Returns the tenant unchanged; keeps the exception message expression on one line. */
private static String tenant(String value) {
    return value;
}
Example #18
Source File: PermissionsControllerTest.java From molgenis with GNU Lesser General Public License v3.0 | 6 votes |
/**
 * Builds a standalone MockMvc around a fresh {@code PermissionsController} and resets the
 * SID and object-identity fixtures shared by the tests.
 */
@BeforeEach
private void beforeMethod() {
  // Fixtures: two user SIDs, two role SIDs and one object identity.
  user1 = new PrincipalSid("user1");
  user2 = new PrincipalSid("user2");
  role1 = new GrantedAuthoritySid("ROLE_role1");
  role2 = new GrantedAuthoritySid("ROLE_role2");
  objectIdentity = new ObjectIdentityImpl("typeId", "identifier");

  PermissionsController controllerUnderTest =
      new PermissionsController(
          permissionsService,
          new RSQLParser(),
          objectIdentityService,
          userRoleTools,
          entityHelper);

  mockMvc =
      MockMvcBuilders.standaloneSetup(controllerUnderTest)
          .setMessageConverters(new FormHttpMessageConverter(), gsonHttpMessageConverter)
          .build();
}
Example #19
Source File: TenantBasedPermissionGrantedStrategy.java From haven-platform with Apache License 2.0 | 6 votes |
/**
 * Decides whether the SID of the authenticated caller matches a SID stored on an ACL entry.
 * The argument order matters: only {@code aclSid} is tested for a missing tenant.
 *
 * <p>When {@code MultiTenancySupport.isNoTenant(aclSid)} holds, the two SIDs are compared by
 * authority name or principal name only, so the ACL entry acts as a common rule whatever
 * tenant the caller's SID carries. In every other case plain {@code equals} is used.
 *
 * @param authSid SID derived from the current authentication
 * @param aclSid SID stored on the ACL entry
 * @return {@code true} if the ACL entry applies to the caller's SID
 */
private boolean compareSids(Sid authSid, Sid aclSid) {
    if (!MultiTenancySupport.isNoTenant(aclSid)) {
        // The ACL SID carries a tenant: compare as ordinary objects.
        return aclSid.equals(authSid);
    }

    if (authSid instanceof GrantedAuthoritySid) {
        if (!(aclSid instanceof GrantedAuthoritySid)) {
            return false;
        }
        String callerAuthority = ((GrantedAuthoritySid) authSid).getGrantedAuthority();
        String entryAuthority = ((GrantedAuthoritySid) aclSid).getGrantedAuthority();
        return Objects.equals(callerAuthority, entryAuthority);
    }

    if (authSid instanceof PrincipalSid) {
        if (!(aclSid instanceof PrincipalSid)) {
            return false;
        }
        String callerPrincipal = ((PrincipalSid) authSid).getPrincipal();
        String entryPrincipal = ((PrincipalSid) aclSid).getPrincipal();
        return Objects.equals(callerPrincipal, entryPrincipal);
    }

    // Unsupported SID type: compare as ordinary objects.
    return aclSid.equals(authSid);
}
Example #20
Source File: JpaMutableAclService.java From Spring-Security-Third-Edition with MIT License | 6 votes |
/**
 * Registers a new ACL for the given object identity, owned by the current principal.
 *
 * @param objectIdentity identity of the domain object to secure; must not be {@code null}
 * @return the newly created ACL, re-read through {@code readAclById}
 * @throws AlreadyExistsException if a primary key is already stored for this identity
 */
@Override
public MutableAcl createAcl(ObjectIdentity objectIdentity) throws AlreadyExistsException {
    Assert.notNull(objectIdentity, "Object Identity required");

    // Refuse to register the same object identity twice.
    // NOTE(review): the lookup and the insert below are separate steps; whether concurrent
    // callers are serialised depends on transaction / constraint setup not shown here.
    boolean alreadyPersisted = retrieveObjectIdentityPrimaryKey(objectIdentity) != null;
    if (alreadyPersisted) {
        throw new AlreadyExistsException("Object identity '" + objectIdentity + "' already exists");
    }

    // The authenticated principal becomes the initial owner of the ACL (changeable later).
    PrincipalSid owner = new PrincipalSid(SecurityContextHolder.getContext().getAuthentication());

    // Insert the acl_object_identity row.
    createObjectIdentity(objectIdentity, owner);

    // Read the ACL back through the superclass path (cache registration, proper retrieval).
    Acl persisted = readAclById(objectIdentity);
    Assert.isInstanceOf(MutableAcl.class, persisted, "MutableAcl should be been returned");
    return (MutableAcl) persisted;
}
Example #21
Source File: DefaultCalendarService.java From Spring-Security-Third-Edition with MIT License | 6 votes |
/**
 * Persists an event and registers an ACL for it that is owned by, and grants READ to, the
 * current user (identified by e-mail address).
 *
 * @param event event to store; its id is set to the generated value
 * @return the id returned by {@code eventDao.createEvent}
 */
@Transactional
@Override
public int createEvent(Event event) {
    final int eventId = eventDao.createEvent(event);
    event.setId(eventId);

    // Register the ACL only after the id is set, since the object identity is built from
    // the event itself.
    MutableAcl eventAcl = aclService.createAcl(new ObjectIdentityImpl(event));

    // The creator becomes owner and receives a granting READ entry at position 0.
    PrincipalSid creator = new PrincipalSid(userContext.getCurrentUser().getEmail());
    eventAcl.setOwner(creator);
    eventAcl.insertAce(0, BasePermission.READ, creator, true);
    aclService.updateAcl(eventAcl);

    return eventId;
}
Example #22
Source File: JpaMutableAclService.java From Spring-Security-Third-Edition with MIT License | 6 votes |
/**
 * Registers a new ACL for the given object identity, owned by the current principal.
 *
 * @param objectIdentity identity of the domain object to secure; must not be {@code null}
 * @return the newly created ACL, re-read through {@code readAclById}
 * @throws AlreadyExistsException if a primary key is already stored for this identity
 */
@Override
public MutableAcl createAcl(ObjectIdentity objectIdentity) throws AlreadyExistsException {
    Assert.notNull(objectIdentity, "Object Identity required");

    // Refuse to register the same object identity twice.
    // NOTE(review): the lookup and the insert below are separate steps; whether concurrent
    // callers are serialised depends on transaction / constraint setup not shown here.
    boolean alreadyPersisted = retrieveObjectIdentityPrimaryKey(objectIdentity) != null;
    if (alreadyPersisted) {
        throw new AlreadyExistsException("Object identity '" + objectIdentity + "' already exists");
    }

    // The authenticated principal becomes the initial owner of the ACL (changeable later).
    PrincipalSid owner = new PrincipalSid(SecurityContextHolder.getContext().getAuthentication());

    // Insert the acl_object_identity row.
    createObjectIdentity(objectIdentity, owner);

    // Read the ACL back through the superclass path (cache registration, proper retrieval).
    Acl persisted = readAclById(objectIdentity);
    Assert.isInstanceOf(MutableAcl.class, persisted, "MutableAcl should be been returned");
    return (MutableAcl) persisted;
}
Example #23
Source File: AclService.java From Kylin with Apache License 2.0 | 5 votes |
/**
 * Captures the name and kind of a SID.
 *
 * <p>A {@link PrincipalSid} stores its principal name and marks the info as a principal; a
 * {@link GrantedAuthoritySid} stores its authority name and marks it as not a principal. Any
 * other SID type (including {@code null}) leaves both fields untouched.
 *
 * @param sid SID to describe
 */
public SidInfo(Sid sid) {
    if (sid instanceof PrincipalSid) {
        this.isPrincipal = true;
        this.sid = ((PrincipalSid) sid).getPrincipal();
        return;
    }
    if (sid instanceof GrantedAuthoritySid) {
        this.isPrincipal = false;
        this.sid = ((GrantedAuthoritySid) sid).getGrantedAuthority();
    }
}
Example #24
Source File: SidUtils.java From molgenis with GNU Lesser General Public License v3.0 | 5 votes |
/**
 * Creates the SID for a user name.
 *
 * @param username user name; must not be {@code null}
 * @return the anonymous SID when the name equals {@code SecurityUtils.ANONYMOUS_USERNAME},
 *     otherwise a {@link PrincipalSid} for the name
 */
public static Sid createUserSid(String username) {
  // The anonymous user is mapped by createAnonymousSid() instead of getting a PrincipalSid.
  boolean anonymous = username.equals(SecurityUtils.ANONYMOUS_USERNAME);
  if (!anonymous) {
    return new PrincipalSid(username);
  }
  return createAnonymousSid();
}
Example #25
Source File: BookHandler.java From spring-data-rest-acl with Apache License 2.0 | 5 votes |
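/**
 * Grants the current user ADMINISTRATION, READ, WRITE and DELETE on the entity, and grants
 * ADMINISTRATION to the {@code ROLE_ADMIN} authority. Does nothing for a {@code null} entity.
 *
 * @param type secured entity that receives the ACL entries
 */
private void addACL(AbstractSecuredEntity type) {
    if (type == null) {
        return;
    }

    // Resolve the current user once, so all four entries are guaranteed to name the same
    // principal instead of depending on four separate SecurityUtil.getUsername() lookups.
    PrincipalSid currentUser = new PrincipalSid(SecurityUtil.getUsername());

    securityACLDAO.addPermission(type, currentUser, BasePermission.ADMINISTRATION);
    securityACLDAO.addPermission(type, currentUser, BasePermission.READ);
    securityACLDAO.addPermission(type, currentUser, BasePermission.WRITE);
    securityACLDAO.addPermission(type, currentUser, BasePermission.DELETE);

    securityACLDAO.addPermission(type, new GrantedAuthoritySid("ROLE_ADMIN"), BasePermission.ADMINISTRATION);
}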
Example #26
Source File: PermissionServiceDecoratorTest.java From molgenis with GNU Lesser General Public License v3.0 | 5 votes |
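/**
 * Checks that the four-argument {@code getPermissionsForType} on the decorator reaches
 * {@code permissionService} with the same type id, SID set and two numeric arguments when the
 * test runs after {@code setUser()}.
 */
@Test
void testGetPermissionsForType1() {
  setUser();
  // resetContext() now runs in a finally block: previously a failing call or verification
  // skipped it, leaving whatever setUser() installed in place for the tests that follow.
  try {
    Sid sid = new PrincipalSid("user");

    permissionServiceDecorator.getPermissionsForType(
        "entity-typeId", Collections.singleton(sid), 10, 10);

    verify(permissionService)
        .getPermissionsForType("entity-typeId", Collections.singleton(sid), 10, 10);
  } finally {
    resetContext();
  }
}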
Example #27
Source File: AccessService.java From Kylin with Apache License 2.0 | 5 votes |
/**
 * Builds a SID from a name.
 *
 * @param sid principal name or granted-authority name
 * @param isPrincepal {@code true} to build a {@link PrincipalSid}, {@code false} to build a
 *     {@link GrantedAuthoritySid}
 * @return the SID of the requested kind
 */
public Sid getSid(String sid, boolean isPrincepal) {
    // The caller decides the SID kind; the name itself is not inspected here.
    return isPrincepal ? new PrincipalSid(sid) : new GrantedAuthoritySid(sid);
}
Example #28
Source File: PermissionServiceDecoratorTest.java From molgenis with GNU Lesser General Public License v3.0 | 5 votes |
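/**
 * Checks that the three-argument {@code getPermissionsForType} on the decorator reaches
 * {@code permissionService} with the same type id, SID set and boolean flag when the test
 * runs after {@code setUser()}.
 */
@Test
void testGetPermissionsForType() {
  setUser();
  // resetContext() now runs in a finally block: previously a failing call or verification
  // skipped it, leaving whatever setUser() installed in place for the tests that follow.
  try {
    Sid sid = new PrincipalSid("user");

    permissionServiceDecorator.getPermissionsForType(
        "entity-typeId", Collections.singleton(sid), false);

    verify(permissionService)
        .getPermissionsForType("entity-typeId", Collections.singleton(sid), false);
  } finally {
    resetContext();
  }
}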
Example #29
Source File: PermissionServiceDecoratorTest.java From molgenis with GNU Lesser General Public License v3.0 | 5 votes |
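/**
 * Checks that {@code getPermissions} on the decorator reaches {@code permissionService} with
 * the same SID set and boolean flag when the test runs after {@code setUser()}.
 */
@Test
void testGetPermissions() {
  setUser();
  // resetContext() now runs in a finally block: previously a failing call or verification
  // skipped it, leaving whatever setUser() installed in place for the tests that follow.
  try {
    Sid sid = new PrincipalSid("user");

    permissionServiceDecorator.getPermissions(Collections.singleton(sid), false);

    verify(permissionService).getPermissions(Collections.singleton(sid), false);
  } finally {
    resetContext();
  }
}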
Example #30
Source File: UserRoleToolsTest.java From molgenis with GNU Lesser General Public License v3.0 | 5 votes |
/**
 * Checks that {@code getRolesForSid} maps the role memberships of a user SID to
 * {@code ROLE_}-prefixed {@link GrantedAuthoritySid}s, in membership order.
 */
@Test
void testGetRolesForSid() {
  // The principal "user" resolves to a user whose id is also "user".
  PrincipalSid userSid = mock(PrincipalSid.class);
  when(userSid.getPrincipal()).thenReturn("user");
  User storedUser = mock(User.class);
  when(storedUser.getId()).thenReturn("user");
  when(userService.getUser("user")).thenReturn(storedUser);

  // Two memberships, pointing at role1 and role2.
  Role firstRole = mock(Role.class);
  when(firstRole.getName()).thenReturn("role1");
  Role secondRole = mock(Role.class);
  when(secondRole.getName()).thenReturn("role2");
  RoleMembership firstMembership = mock(RoleMembership.class);
  RoleMembership secondMembership = mock(RoleMembership.class);
  when(firstMembership.getRole()).thenReturn(firstRole);
  when(secondMembership.getRole()).thenReturn(secondRole);

  // The membership repository returns both memberships when filtered on the user.
  Repository membershipRepository = mock(Repository.class);
  Query membershipQuery = mock(Query.class);
  when(membershipQuery.eq(RoleMembershipMetadata.USER, "user")).thenReturn(membershipQuery);
  when(membershipQuery.findAll()).thenReturn(Stream.of(firstMembership, secondMembership));
  when(membershipRepository.query()).thenReturn(membershipQuery);
  doReturn(membershipRepository)
      .when(dataService)
      .getRepository(RoleMembershipMetadata.ROLE_MEMBERSHIP, RoleMembership.class);

  // The permission evaluator is stubbed to grant READ_DATA on the membership entity type.
  doReturn(true)
      .when(userPermissionEvaluator)
      .hasPermission(
          new EntityTypeIdentity(RoleMembershipMetadata.ROLE_MEMBERSHIP),
          EntityTypePermission.READ_DATA);

  UserRoleTools userRoleTools =
      new UserRoleTools(userService, dataService, userPermissionEvaluator);

  List<Sid> expected =
      Arrays.asList(new GrantedAuthoritySid("ROLE_role1"), new GrantedAuthoritySid("ROLE_role2"));
  assertEquals(expected, userRoleTools.getRolesForSid(userSid));
}