[Major] SystemUserAction is now a normal privilege

which is added as follows: <Privilege name="ch.eitchnet.privilege.handler.SystemUserAction" policy="DefaultPrivilege"> <Allow>ch.eitchnet.privilege.test.model.TestSystemUserAction</Allow> <Deny>ch.eitchnet.privilege.test.model.TestSystemUserActionDeny</Deny> </Privilege>
2015-06-03 23:25:30 +02:00 · 2015-06-03 23:25:30 +02:00 · 0c7315b713
parent 4c6434f475
commit 0c7315b713
7 changed files with 40 additions and 63 deletions
--- a/config/PrivilegeModel.xml
+++ b/config/PrivilegeModel.xml
@ -35,7 +35,6 @@
 			<Locale>en_GB</Locale>
 			<Roles>
 				<Role>system_admin_privileges</Role>
-				<Role>system_admin_privileges2</Role>
 			</Roles>
 		</User>

@ -113,22 +112,17 @@
 		</Role>

 		<Role name="system_admin_privileges">
-			<Privilege name="ch.eitchnet.privilege.test.model.TestSystemUserAction" policy="DefaultPrivilege">
-				<AllAllowed>true</AllAllowed>
+			<Privilege name="ch.eitchnet.privilege.handler.SystemUserAction" policy="DefaultPrivilege">
+				<Allow>ch.eitchnet.privilege.test.model.TestSystemUserAction</Allow>
+				<Deny>ch.eitchnet.privilege.test.model.TestSystemUserActionDeny</Deny>
 			</Privilege>
 			<Privilege name="ch.eitchnet.privilege.test.model.TestSystemRestrictable" policy="DefaultPrivilege">
 				<AllAllowed>true</AllAllowed>
 			</Privilege>
 		</Role>

-		<Role name="system_admin_privileges2">
-			<Privilege name="ch.eitchnet.privilege.test.model.TestSystemUserActionDeny" policy="DefaultPrivilege">
-				<AllAllowed>true</AllAllowed>
-			</Privilege>
-		</Role>
-
 		<Role name="restrictedRole">
-			<Privilege name="ch.eitchnet.privilege.test.model.TestSystemUserAction" policy="DefaultPrivilege">
+			<Privilege name="ch.eitchnet.privilege.handler.SystemUserAction" policy="DefaultPrivilege">
 				<Allow>hello</Allow>
 				<Deny>goodbye</Deny>
 			</Privilege>
--- a/src/main/java/ch/eitchnet/privilege/handler/DefaultPrivilegeHandler.java
+++ b/src/main/java/ch/eitchnet/privilege/handler/DefaultPrivilegeHandler.java
@ -1374,8 +1374,8 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 					privilegeNames.put(privilegeName, roleName);
 				} else {
 					String roleOrigin = privilegeNames.get(privilegeName);
-					String msg = "User has conflicts for privilege {0} on roles {1} and {2}";
-					msg = MessageFormat.format(msg, privilegeName, roleOrigin, roleName);
+					String msg = "User {0} has conflicts for privilege {1} on roles {2} and {3}";
+					msg = MessageFormat.format(msg, user.getUsername(), privilegeName, roleOrigin, roleName);
 					conflicts.add(msg);
 				}
 			}
@ -1434,12 +1434,12 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 		if (systemUser.getUserState() != UserState.SYSTEM)
 			throw new PrivilegeException(MessageFormat.format("User {0} is not a System user!", systemUsername)); //$NON-NLS-1$

-		// validate this system user may perform the given action
-		String actionClassname = action.getClass().getName();
-		checkPrivilege(actionClassname, systemUser);
-
-		// get certificate for this system user
+		// get privilegeContext for this system user
 		PrivilegeContext systemUserPrivilegeContext = getSystemUserPrivilegeContext(systemUsername);
+
+		// validate this system user may perform the given action
+		systemUserPrivilegeContext.validateAction(action);
+
 		String sessionId = systemUserPrivilegeContext.getCertificate().getSessionId();
 		this.privilegeContextMap.put(sessionId, systemUserPrivilegeContext);
 		try {
@ -1450,34 +1450,6 @@ public class DefaultPrivilegeHandler implements PrivilegeHandler {
 		}
 	}

-	/**
-	 * Checks if the given user has the given privilege
-	 * 
-	 * @param privilegeName
-	 *            the name of the privilege to check on the user
-	 * @param user
-	 *            the user to check for the given privilege
-	 * 
-	 * @throws PrivilegeException
-	 *             if the user does not have the privilege
-	 */
-	private void checkPrivilege(String privilegeName, User user) throws PrivilegeException {
-
-		// check each role if it has the privilege
-		for (String roleName : user.getRoles()) {
-
-			Role role = this.persistenceHandler.getRole(roleName);
-
-			// on the first occurrence of our privilege, stop
-			if (role.hasPrivilege(privilegeName))
-				return;
-		}
-
-		// default throw exception, as the user does not have the privilege
-		String msg = MessageFormat.format("User {0} does not have Privilege {1}", user.getUsername(), privilegeName); //$NON-NLS-1$
-		throw new PrivilegeException(msg);
-	}
-
 	/**
 	 * Returns the {@link Certificate} for the given system username. If it does not yet exist, then it is created by
 	 * authenticating the system user
--- a/src/main/java/ch/eitchnet/privilege/handler/SystemUserAction.java
+++ b/src/main/java/ch/eitchnet/privilege/handler/SystemUserAction.java
@ -17,6 +17,7 @@ package ch.eitchnet.privilege.handler;

 import ch.eitchnet.privilege.model.Certificate;
 import ch.eitchnet.privilege.model.PrivilegeContext;
+import ch.eitchnet.privilege.model.Restrictable;

 /**
 * With this interface system actions, which are to be performed in an automated fashion, i.e. by cron jobs, can be
@ -25,7 +26,17 @@ import ch.eitchnet.privilege.model.PrivilegeContext;
 * 
 * @author Robert von Burg <eitch@eitchnet.ch>
 */
-public interface SystemUserAction {
+public abstract class SystemUserAction implements Restrictable {
+
+	@Override
+	public String getPrivilegeName() {
+		return SystemUserAction.class.getName();
+	}
+
+	@Override
+	public Object getPrivilegeValue() {
+		return this.getClass().getName();
+	}

 	/**
 	 * This method will be called by the {@link PrivilegeHandler} when an authorized {@link Certificate} has been
@ -37,5 +48,5 @@ public interface SystemUserAction {
 	 * @param privilegeContext
 	 *            the {@link PrivilegeContext} which was generated for a valid system user
 	 */
-	public void execute(PrivilegeContext privilegeContext);
+	public abstract void execute(PrivilegeContext privilegeContext);
 }
--- a/src/test/java/ch/eitchnet/privilege/test/PrivilegeTest.java
+++ b/src/test/java/ch/eitchnet/privilege/test/PrivilegeTest.java
@ -259,7 +259,7 @@ public class PrivilegeTest {
 	public void testPerformSystemRestrictableFailPrivilege() throws Exception {
 		this.exception.expect(PrivilegeException.class);
 		this.exception
-				.expectMessage("User system_admin does not have Privilege ch.eitchnet.privilege.test.model.TestSystemUserActionDeny");
+				.expectMessage("User system_admin does not have the privilege ch.eitchnet.privilege.handler.SystemUserAction");
 		try {
 			// create the action to be performed as a system user
 			TestSystemUserActionDeny action = new TestSystemUserActionDeny();
@ -278,7 +278,7 @@ public class PrivilegeTest {
 	public void testPerformSystemRestrictableFailNoAdditionalPrivilege() throws Exception {
 		this.exception.expect(PrivilegeException.class);
 		this.exception
-				.expectMessage("User system_admin2 does not have the privilege ch.eitchnet.privilege.test.model.TestRestrictable");
+				.expectMessage("User system_admin2 does not have the privilege ch.eitchnet.privilege.handler.SystemUserAction needed for Restrictable ch.eitchnet.privilege.test.model.TestSystemUserActionDeny");
 		try {
 			// create the action to be performed as a system user
 			TestSystemUserActionDeny action = new TestSystemUserActionDeny();
@ -429,7 +429,7 @@ public class PrivilegeTest {
 	@Test
 	public void shouldDetectPrivilegeConflict1() {
 		exception.expect(PrivilegeException.class);
-		exception.expectMessage("User has conflicts for privilege ");
+		exception.expectMessage("User admin has conflicts for privilege ");
 		try {
 			login(ADMIN, ArraysHelper.copyOf(PASS_ADMIN));
 			Certificate certificate = this.ctx.getCertificate();
@ -444,7 +444,7 @@ public class PrivilegeTest {
 	@Test
 	public void shouldDetectPrivilegeConflict2() {
 		exception.expect(PrivilegeException.class);
-		exception.expectMessage("User has conflicts for privilege ");
+		exception.expectMessage("User admin has conflicts for privilege ");
 		try {
 			login(ADMIN, ArraysHelper.copyOf(PASS_ADMIN));
 			Certificate certificate = this.ctx.getCertificate();
--- a/src/test/java/ch/eitchnet/privilege/test/XmlTest.java
+++ b/src/test/java/ch/eitchnet/privilege/test/XmlTest.java
@ -170,7 +170,7 @@ public class XmlTest {
 		assertNotNull(roles);

 		assertEquals(3, users.size());
-		assertEquals(7, roles.size());
+		assertEquals(6, roles.size());

 		// assert model

@ -249,16 +249,16 @@ public class XmlTest {
 		assertEquals(2, systemAdminPrivileges.getPrivilegeNames().size());
 		assertThat(
 				systemAdminPrivileges.getPrivilegeNames(),
-				containsInAnyOrder("ch.eitchnet.privilege.test.model.TestSystemUserAction",
+				containsInAnyOrder("ch.eitchnet.privilege.handler.SystemUserAction",
 						"ch.eitchnet.privilege.test.model.TestSystemRestrictable"));

 		IPrivilege testSystemUserAction = systemAdminPrivileges
-				.getPrivilege("ch.eitchnet.privilege.test.model.TestSystemUserAction");
-		assertEquals("ch.eitchnet.privilege.test.model.TestSystemUserAction", testSystemUserAction.getName());
+				.getPrivilege("ch.eitchnet.privilege.handler.SystemUserAction");
+		assertEquals("ch.eitchnet.privilege.handler.SystemUserAction", testSystemUserAction.getName());
 		assertEquals("DefaultPrivilege", testSystemUserAction.getPolicy());
-		assertTrue(testSystemUserAction.isAllAllowed());
-		assertEquals(0, testSystemUserAction.getAllowList().size());
-		assertEquals(0, testSystemUserAction.getDenyList().size());
+		assertFalse(testSystemUserAction.isAllAllowed());
+		assertEquals(1, testSystemUserAction.getAllowList().size());
+		assertEquals(1, testSystemUserAction.getDenyList().size());

 		IPrivilege testSystemRestrictable = systemAdminPrivileges
 				.getPrivilege("ch.eitchnet.privilege.test.model.TestSystemRestrictable");
@ -273,11 +273,11 @@ public class XmlTest {
 		assertEquals("restrictedRole", restrictedRole.getName());
 		assertEquals(1, restrictedRole.getPrivilegeNames().size());
 		assertThat(restrictedRole.getPrivilegeNames(),
-				containsInAnyOrder("ch.eitchnet.privilege.test.model.TestSystemUserAction"));
+				containsInAnyOrder("ch.eitchnet.privilege.handler.SystemUserAction"));

 		IPrivilege testSystemUserAction2 = restrictedRole
-				.getPrivilege("ch.eitchnet.privilege.test.model.TestSystemUserAction");
-		assertEquals("ch.eitchnet.privilege.test.model.TestSystemUserAction", testSystemUserAction2.getName());
+				.getPrivilege("ch.eitchnet.privilege.handler.SystemUserAction");
+		assertEquals("ch.eitchnet.privilege.handler.SystemUserAction", testSystemUserAction2.getName());
 		assertEquals("DefaultPrivilege", testSystemUserAction2.getPolicy());
 		assertFalse(testSystemUserAction2.isAllAllowed());
 		assertEquals(1, testSystemUserAction2.getAllowList().size());
--- a/src/test/java/ch/eitchnet/privilege/test/model/TestSystemUserAction.java
+++ b/src/test/java/ch/eitchnet/privilege/test/model/TestSystemUserAction.java
@ -22,7 +22,7 @@ import ch.eitchnet.privilege.model.PrivilegeContext;
 * @author Robert von Burg <eitch@eitchnet.ch>
 * 
 */
-public class TestSystemUserAction implements SystemUserAction {
+public class TestSystemUserAction extends SystemUserAction {

 	@Override
 	public void execute(PrivilegeContext context) {
--- a/src/test/java/ch/eitchnet/privilege/test/model/TestSystemUserActionDeny.java
+++ b/src/test/java/ch/eitchnet/privilege/test/model/TestSystemUserActionDeny.java
@ -22,7 +22,7 @@ import ch.eitchnet.privilege.model.PrivilegeContext;
 * @author Robert von Burg <eitch@eitchnet.ch>
 * 
 */
-public class TestSystemUserActionDeny implements SystemUserAction {
+public class TestSystemUserActionDeny extends SystemUserAction {

 	@Override
 	public void execute(PrivilegeContext privilegeContext) {