[Major] SystemUserAction is now a normal privilege
which is added as follows: <Privilege name="ch.eitchnet.privilege.handler.SystemUserAction" policy="DefaultPrivilege"> <Allow>ch.eitchnet.privilege.test.model.TestSystemUserAction</Allow> <Deny>ch.eitchnet.privilege.test.model.TestSystemUserActionDeny</Deny> </Privilege>
This commit is contained in:
parent
4c6434f475
commit
0c7315b713
|
@ -35,7 +35,6 @@
|
|||
<Locale>en_GB</Locale>
|
||||
<Roles>
|
||||
<Role>system_admin_privileges</Role>
|
||||
<Role>system_admin_privileges2</Role>
|
||||
</Roles>
|
||||
</User>
|
||||
|
||||
|
@ -113,22 +112,17 @@
|
|||
</Role>
|
||||
|
||||
<Role name="system_admin_privileges">
|
||||
<Privilege name="ch.eitchnet.privilege.test.model.TestSystemUserAction" policy="DefaultPrivilege">
|
||||
<AllAllowed>true</AllAllowed>
|
||||
<Privilege name="ch.eitchnet.privilege.handler.SystemUserAction" policy="DefaultPrivilege">
|
||||
<Allow>ch.eitchnet.privilege.test.model.TestSystemUserAction</Allow>
|
||||
<Deny>ch.eitchnet.privilege.test.model.TestSystemUserActionDeny</Deny>
|
||||
</Privilege>
|
||||
<Privilege name="ch.eitchnet.privilege.test.model.TestSystemRestrictable" policy="DefaultPrivilege">
|
||||
<AllAllowed>true</AllAllowed>
|
||||
</Privilege>
|
||||
</Role>
|
||||
|
||||
<Role name="system_admin_privileges2">
|
||||
<Privilege name="ch.eitchnet.privilege.test.model.TestSystemUserActionDeny" policy="DefaultPrivilege">
|
||||
<AllAllowed>true</AllAllowed>
|
||||
</Privilege>
|
||||
</Role>
|
||||
|
||||
<Role name="restrictedRole">
|
||||
<Privilege name="ch.eitchnet.privilege.test.model.TestSystemUserAction" policy="DefaultPrivilege">
|
||||
<Privilege name="ch.eitchnet.privilege.handler.SystemUserAction" policy="DefaultPrivilege">
|
||||
<Allow>hello</Allow>
|
||||
<Deny>goodbye</Deny>
|
||||
</Privilege>
|
||||
|
|
|
@ -1374,8 +1374,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
privilegeNames.put(privilegeName, roleName);
|
||||
} else {
|
||||
String roleOrigin = privilegeNames.get(privilegeName);
|
||||
String msg = "User has conflicts for privilege {0} on roles {1} and {2}";
|
||||
msg = MessageFormat.format(msg, privilegeName, roleOrigin, roleName);
|
||||
String msg = "User {0} has conflicts for privilege {1} on roles {2} and {3}";
|
||||
msg = MessageFormat.format(msg, user.getUsername(), privilegeName, roleOrigin, roleName);
|
||||
conflicts.add(msg);
|
||||
}
|
||||
}
|
||||
|
@ -1434,12 +1434,12 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
if (systemUser.getUserState() != UserState.SYSTEM)
|
||||
throw new PrivilegeException(MessageFormat.format("User {0} is not a System user!", systemUsername)); //$NON-NLS-1$
|
||||
|
||||
// validate this system user may perform the given action
|
||||
String actionClassname = action.getClass().getName();
|
||||
checkPrivilege(actionClassname, systemUser);
|
||||
|
||||
// get certificate for this system user
|
||||
// get privilegeContext for this system user
|
||||
PrivilegeContext systemUserPrivilegeContext = getSystemUserPrivilegeContext(systemUsername);
|
||||
|
||||
// validate this system user may perform the given action
|
||||
systemUserPrivilegeContext.validateAction(action);
|
||||
|
||||
String sessionId = systemUserPrivilegeContext.getCertificate().getSessionId();
|
||||
this.privilegeContextMap.put(sessionId, systemUserPrivilegeContext);
|
||||
try {
|
||||
|
@ -1450,34 +1450,6 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if the given user has the given privilege
|
||||
*
|
||||
* @param privilegeName
|
||||
* the name of the privilege to check on the user
|
||||
* @param user
|
||||
* the user to check for the given privilege
|
||||
*
|
||||
* @throws PrivilegeException
|
||||
* if the user does not have the privilege
|
||||
*/
|
||||
private void checkPrivilege(String privilegeName, User user) throws PrivilegeException {
|
||||
|
||||
// check each role if it has the privilege
|
||||
for (String roleName : user.getRoles()) {
|
||||
|
||||
Role role = this.persistenceHandler.getRole(roleName);
|
||||
|
||||
// on the first occurrence of our privilege, stop
|
||||
if (role.hasPrivilege(privilegeName))
|
||||
return;
|
||||
}
|
||||
|
||||
// default throw exception, as the user does not have the privilege
|
||||
String msg = MessageFormat.format("User {0} does not have Privilege {1}", user.getUsername(), privilegeName); //$NON-NLS-1$
|
||||
throw new PrivilegeException(msg);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the {@link Certificate} for the given system username. If it does not yet exist, then it is created by
|
||||
* authenticating the system user
|
||||
|
|
|
@ -17,6 +17,7 @@ package ch.eitchnet.privilege.handler;
|
|||
|
||||
import ch.eitchnet.privilege.model.Certificate;
|
||||
import ch.eitchnet.privilege.model.PrivilegeContext;
|
||||
import ch.eitchnet.privilege.model.Restrictable;
|
||||
|
||||
/**
|
||||
* With this interface system actions, which are to be performed in an automated fashion, i.e. by cron jobs, can be
|
||||
|
@ -25,7 +26,17 @@ import ch.eitchnet.privilege.model.PrivilegeContext;
|
|||
*
|
||||
* @author Robert von Burg <eitch@eitchnet.ch>
|
||||
*/
|
||||
public interface SystemUserAction {
|
||||
public abstract class SystemUserAction implements Restrictable {
|
||||
|
||||
@Override
|
||||
public String getPrivilegeName() {
|
||||
return SystemUserAction.class.getName();
|
||||
}
|
||||
|
||||
@Override
|
||||
public Object getPrivilegeValue() {
|
||||
return this.getClass().getName();
|
||||
}
|
||||
|
||||
/**
|
||||
* This method will be called by the {@link PrivilegeHandler} when an authorized {@link Certificate} has been
|
||||
|
@ -37,5 +48,5 @@ public interface SystemUserAction {
|
|||
* @param privilegeContext
|
||||
* the {@link PrivilegeContext} which was generated for a valid system user
|
||||
*/
|
||||
public void execute(PrivilegeContext privilegeContext);
|
||||
public abstract void execute(PrivilegeContext privilegeContext);
|
||||
}
|
||||
|
|
|
@ -259,7 +259,7 @@ public class PrivilegeTest {
|
|||
public void testPerformSystemRestrictableFailPrivilege() throws Exception {
|
||||
this.exception.expect(PrivilegeException.class);
|
||||
this.exception
|
||||
.expectMessage("User system_admin does not have Privilege ch.eitchnet.privilege.test.model.TestSystemUserActionDeny");
|
||||
.expectMessage("User system_admin does not have the privilege ch.eitchnet.privilege.handler.SystemUserAction");
|
||||
try {
|
||||
// create the action to be performed as a system user
|
||||
TestSystemUserActionDeny action = new TestSystemUserActionDeny();
|
||||
|
@ -278,7 +278,7 @@ public class PrivilegeTest {
|
|||
public void testPerformSystemRestrictableFailNoAdditionalPrivilege() throws Exception {
|
||||
this.exception.expect(PrivilegeException.class);
|
||||
this.exception
|
||||
.expectMessage("User system_admin2 does not have the privilege ch.eitchnet.privilege.test.model.TestRestrictable");
|
||||
.expectMessage("User system_admin2 does not have the privilege ch.eitchnet.privilege.handler.SystemUserAction needed for Restrictable ch.eitchnet.privilege.test.model.TestSystemUserActionDeny");
|
||||
try {
|
||||
// create the action to be performed as a system user
|
||||
TestSystemUserActionDeny action = new TestSystemUserActionDeny();
|
||||
|
@ -429,7 +429,7 @@ public class PrivilegeTest {
|
|||
@Test
|
||||
public void shouldDetectPrivilegeConflict1() {
|
||||
exception.expect(PrivilegeException.class);
|
||||
exception.expectMessage("User has conflicts for privilege ");
|
||||
exception.expectMessage("User admin has conflicts for privilege ");
|
||||
try {
|
||||
login(ADMIN, ArraysHelper.copyOf(PASS_ADMIN));
|
||||
Certificate certificate = this.ctx.getCertificate();
|
||||
|
@ -444,7 +444,7 @@ public class PrivilegeTest {
|
|||
@Test
|
||||
public void shouldDetectPrivilegeConflict2() {
|
||||
exception.expect(PrivilegeException.class);
|
||||
exception.expectMessage("User has conflicts for privilege ");
|
||||
exception.expectMessage("User admin has conflicts for privilege ");
|
||||
try {
|
||||
login(ADMIN, ArraysHelper.copyOf(PASS_ADMIN));
|
||||
Certificate certificate = this.ctx.getCertificate();
|
||||
|
|
|
@ -170,7 +170,7 @@ public class XmlTest {
|
|||
assertNotNull(roles);
|
||||
|
||||
assertEquals(3, users.size());
|
||||
assertEquals(7, roles.size());
|
||||
assertEquals(6, roles.size());
|
||||
|
||||
// assert model
|
||||
|
||||
|
@ -249,16 +249,16 @@ public class XmlTest {
|
|||
assertEquals(2, systemAdminPrivileges.getPrivilegeNames().size());
|
||||
assertThat(
|
||||
systemAdminPrivileges.getPrivilegeNames(),
|
||||
containsInAnyOrder("ch.eitchnet.privilege.test.model.TestSystemUserAction",
|
||||
containsInAnyOrder("ch.eitchnet.privilege.handler.SystemUserAction",
|
||||
"ch.eitchnet.privilege.test.model.TestSystemRestrictable"));
|
||||
|
||||
IPrivilege testSystemUserAction = systemAdminPrivileges
|
||||
.getPrivilege("ch.eitchnet.privilege.test.model.TestSystemUserAction");
|
||||
assertEquals("ch.eitchnet.privilege.test.model.TestSystemUserAction", testSystemUserAction.getName());
|
||||
.getPrivilege("ch.eitchnet.privilege.handler.SystemUserAction");
|
||||
assertEquals("ch.eitchnet.privilege.handler.SystemUserAction", testSystemUserAction.getName());
|
||||
assertEquals("DefaultPrivilege", testSystemUserAction.getPolicy());
|
||||
assertTrue(testSystemUserAction.isAllAllowed());
|
||||
assertEquals(0, testSystemUserAction.getAllowList().size());
|
||||
assertEquals(0, testSystemUserAction.getDenyList().size());
|
||||
assertFalse(testSystemUserAction.isAllAllowed());
|
||||
assertEquals(1, testSystemUserAction.getAllowList().size());
|
||||
assertEquals(1, testSystemUserAction.getDenyList().size());
|
||||
|
||||
IPrivilege testSystemRestrictable = systemAdminPrivileges
|
||||
.getPrivilege("ch.eitchnet.privilege.test.model.TestSystemRestrictable");
|
||||
|
@ -273,11 +273,11 @@ public class XmlTest {
|
|||
assertEquals("restrictedRole", restrictedRole.getName());
|
||||
assertEquals(1, restrictedRole.getPrivilegeNames().size());
|
||||
assertThat(restrictedRole.getPrivilegeNames(),
|
||||
containsInAnyOrder("ch.eitchnet.privilege.test.model.TestSystemUserAction"));
|
||||
containsInAnyOrder("ch.eitchnet.privilege.handler.SystemUserAction"));
|
||||
|
||||
IPrivilege testSystemUserAction2 = restrictedRole
|
||||
.getPrivilege("ch.eitchnet.privilege.test.model.TestSystemUserAction");
|
||||
assertEquals("ch.eitchnet.privilege.test.model.TestSystemUserAction", testSystemUserAction2.getName());
|
||||
.getPrivilege("ch.eitchnet.privilege.handler.SystemUserAction");
|
||||
assertEquals("ch.eitchnet.privilege.handler.SystemUserAction", testSystemUserAction2.getName());
|
||||
assertEquals("DefaultPrivilege", testSystemUserAction2.getPolicy());
|
||||
assertFalse(testSystemUserAction2.isAllAllowed());
|
||||
assertEquals(1, testSystemUserAction2.getAllowList().size());
|
||||
|
|
|
@ -22,7 +22,7 @@ import ch.eitchnet.privilege.model.PrivilegeContext;
|
|||
* @author Robert von Burg <eitch@eitchnet.ch>
|
||||
*
|
||||
*/
|
||||
public class TestSystemUserAction implements SystemUserAction {
|
||||
public class TestSystemUserAction extends SystemUserAction {
|
||||
|
||||
@Override
|
||||
public void execute(PrivilegeContext context) {
|
||||
|
|
|
@ -22,7 +22,7 @@ import ch.eitchnet.privilege.model.PrivilegeContext;
|
|||
* @author Robert von Burg <eitch@eitchnet.ch>
|
||||
*
|
||||
*/
|
||||
public class TestSystemUserActionDeny implements SystemUserAction {
|
||||
public class TestSystemUserActionDeny extends SystemUserAction {
|
||||
|
||||
@Override
|
||||
public void execute(PrivilegeContext privilegeContext) {
|
||||
|
|
Loading…
Reference in New Issue