|
|
@@ -0,0 +1,638 @@
|
|
|
+package org.springframework.security.acls.domain;
|
|
|
+
|
|
|
+import java.lang.reflect.Field;
|
|
|
+import java.util.List;
|
|
|
+import java.util.Map;
|
|
|
+
|
|
|
+import junit.framework.TestCase;
|
|
|
+
|
|
|
+import org.springframework.security.Authentication;
|
|
|
+import org.springframework.security.GrantedAuthority;
|
|
|
+import org.springframework.security.GrantedAuthorityImpl;
|
|
|
+import org.springframework.security.acls.AccessControlEntry;
|
|
|
+import org.springframework.security.acls.Acl;
|
|
|
+import org.springframework.security.acls.AlreadyExistsException;
|
|
|
+import org.springframework.security.acls.AuditableAccessControlEntry;
|
|
|
+import org.springframework.security.acls.AuditableAcl;
|
|
|
+import org.springframework.security.acls.ChildrenExistException;
|
|
|
+import org.springframework.security.acls.MutableAcl;
|
|
|
+import org.springframework.security.acls.MutableAclService;
|
|
|
+import org.springframework.security.acls.NotFoundException;
|
|
|
+import org.springframework.security.acls.OwnershipAcl;
|
|
|
+import org.springframework.security.acls.Permission;
|
|
|
+import org.springframework.security.acls.objectidentity.ObjectIdentity;
|
|
|
+import org.springframework.security.acls.objectidentity.ObjectIdentityImpl;
|
|
|
+import org.springframework.security.acls.sid.GrantedAuthoritySid;
|
|
|
+import org.springframework.security.acls.sid.PrincipalSid;
|
|
|
+import org.springframework.security.acls.sid.Sid;
|
|
|
+import org.springframework.security.context.SecurityContextHolder;
|
|
|
+import org.springframework.security.providers.TestingAuthenticationToken;
|
|
|
+import org.springframework.security.util.FieldUtils;
|
|
|
+
|
|
|
+/**
|
|
|
+ * Tests for {@link AclImpl}.
|
|
|
+ *
|
|
|
+ * @author Andrei Stefan
|
|
|
+ */
|
|
|
+public class AclImplTests extends TestCase {
|
|
|
+ // ~ Methods ========================================================================================================
|
|
|
+
|
|
|
+ @Override
|
|
|
+ protected void setUp() throws Exception {
|
|
|
+ super.setUp();
|
|
|
+ }
|
|
|
+
|
|
|
+ @Override
|
|
|
+ protected void tearDown() throws Exception {
|
|
|
+ SecurityContextHolder.clearContext();
|
|
|
+ super.tearDown();
|
|
|
+ }
|
|
|
+
|
|
|
+ public void testConstructorsRejectNullParameters() throws Exception {
|
|
|
+ Authentication auth = new TestingAuthenticationToken("johndoe", "ignored",
|
|
|
+ new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_ADMINISTRATOR") });
|
|
|
+ auth.setAuthenticated(true);
|
|
|
+ SecurityContextHolder.getContext().setAuthentication(auth);
|
|
|
+ AclAuthorizationStrategyImpl strategy = new AclAuthorizationStrategyImpl(new GrantedAuthority[] {
|
|
|
+ new GrantedAuthorityImpl("ROLE_OWNERSHIP"), new GrantedAuthorityImpl("ROLE_AUDITING"),
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ AuditLogger auditLogger = new ConsoleAuditLogger();
|
|
|
+ ObjectIdentity identity = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(100));
|
|
|
+
|
|
|
+ try {
|
|
|
+ Acl acl = new AclImpl(null, new Long(1), strategy, auditLogger);
|
|
|
+ fail("It should have thrown IllegalArgumentException");
|
|
|
+ }
|
|
|
+ catch (IllegalArgumentException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ try {
|
|
|
+ Acl acl = new AclImpl(identity, null, strategy, auditLogger);
|
|
|
+ fail("It should have thrown IllegalArgumentException");
|
|
|
+ }
|
|
|
+ catch (IllegalArgumentException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ try {
|
|
|
+ Acl acl = new AclImpl(identity, new Long(1), null, auditLogger);
|
|
|
+ fail("It should have thrown IllegalArgumentException");
|
|
|
+ }
|
|
|
+ catch (IllegalArgumentException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ try {
|
|
|
+ Acl acl = new AclImpl(identity, new Long(1), strategy, null);
|
|
|
+ fail("It should have thrown IllegalArgumentException");
|
|
|
+ }
|
|
|
+ catch (IllegalArgumentException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ try {
|
|
|
+ Acl acl = new AclImpl(null, new Long(1), strategy, auditLogger, null, null, true, new PrincipalSid("johndoe"));
|
|
|
+ fail("It should have thrown IllegalArgumentException");
|
|
|
+ }
|
|
|
+ catch (IllegalArgumentException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ try {
|
|
|
+ Acl acl = new AclImpl(identity, null, strategy, auditLogger, null, null, true, new PrincipalSid("johndoe"));
|
|
|
+ fail("It should have thrown IllegalArgumentException");
|
|
|
+ }
|
|
|
+ catch (IllegalArgumentException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ try {
|
|
|
+ Acl acl = new AclImpl(identity, new Long(1), null, auditLogger, null, null, true, new PrincipalSid("johndoe"));
|
|
|
+ fail("It should have thrown IllegalArgumentException");
|
|
|
+ }
|
|
|
+ catch (IllegalArgumentException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ try {
|
|
|
+ Acl acl = new AclImpl(identity, new Long(1), strategy, null, null, null, true, new PrincipalSid("johndoe"));
|
|
|
+ fail("It should have thrown IllegalArgumentException");
|
|
|
+ }
|
|
|
+ catch (IllegalArgumentException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ try {
|
|
|
+ Acl acl = new AclImpl(identity, new Long(1), strategy, auditLogger, null, null, true, null);
|
|
|
+ fail("It should have thrown IllegalArgumentException");
|
|
|
+ }
|
|
|
+ catch (IllegalArgumentException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ public void testInsertAceRejectsNullParameters() throws Exception {
|
|
|
+ Authentication auth = new TestingAuthenticationToken("johndoe", "ignored",
|
|
|
+ new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_ADMINISTRATOR") });
|
|
|
+ auth.setAuthenticated(true);
|
|
|
+ SecurityContextHolder.getContext().setAuthentication(auth);
|
|
|
+ AclAuthorizationStrategyImpl strategy = new AclAuthorizationStrategyImpl(new GrantedAuthority[] {
|
|
|
+ new GrantedAuthorityImpl("ROLE_OWNERSHIP"), new GrantedAuthorityImpl("ROLE_AUDITING"),
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ AuditLogger auditLogger = new ConsoleAuditLogger();
|
|
|
+ ObjectIdentity identity = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(100));
|
|
|
+
|
|
|
+ MutableAcl acl = new AclImpl(identity, new Long(1), strategy, auditLogger, null, null, true, new PrincipalSid(
|
|
|
+ "johndoe"));
|
|
|
+ try {
|
|
|
+ acl.insertAce(new Long(1), null, new GrantedAuthoritySid("ROLE_IGNORED"), true);
|
|
|
+ fail("It should have thrown IllegalArgumentException");
|
|
|
+ }
|
|
|
+ catch (IllegalArgumentException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ try {
|
|
|
+ acl.insertAce(new Long(1), BasePermission.READ, null, true);
|
|
|
+ fail("It should have thrown IllegalArgumentException");
|
|
|
+ }
|
|
|
+ catch (IllegalArgumentException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ public void testInsertAceAddsElementAtCorrectIndex() throws Exception {
|
|
|
+ Authentication auth = new TestingAuthenticationToken("johndoe", "ignored",
|
|
|
+ new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_ADMINISTRATOR") });
|
|
|
+ auth.setAuthenticated(true);
|
|
|
+ SecurityContextHolder.getContext().setAuthentication(auth);
|
|
|
+ AclAuthorizationStrategyImpl strategy = new AclAuthorizationStrategyImpl(new GrantedAuthority[] {
|
|
|
+ new GrantedAuthorityImpl("ROLE_OWNERSHIP"), new GrantedAuthorityImpl("ROLE_AUDITING"),
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ AuditLogger auditLogger = new ConsoleAuditLogger();
|
|
|
+ ObjectIdentity identity = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(100));
|
|
|
+ MutableAcl acl = new AclImpl(identity, new Long(1), strategy, auditLogger, null, null, true, new PrincipalSid(
|
|
|
+ "johndoe"));
|
|
|
+ MockAclService service = new MockAclService();
|
|
|
+
|
|
|
+ // Insert one permission
|
|
|
+ acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST1"), true);
|
|
|
+ service.updateAcl(acl);
|
|
|
+ // Check it was successfully added
|
|
|
+ assertEquals(1, acl.getEntries().length);
|
|
|
+ assertEquals(acl.getEntries()[0].getAcl(), acl);
|
|
|
+ assertEquals(acl.getEntries()[0].getPermission(), BasePermission.READ);
|
|
|
+ assertEquals(acl.getEntries()[0].getSid(), new GrantedAuthoritySid("ROLE_TEST1"));
|
|
|
+
|
|
|
+ // Add a second permission
|
|
|
+ acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"), true);
|
|
|
+ service.updateAcl(acl);
|
|
|
+ // Check it was added on the last position
|
|
|
+ assertEquals(2, acl.getEntries().length);
|
|
|
+ assertEquals(acl.getEntries()[1].getAcl(), acl);
|
|
|
+ assertEquals(acl.getEntries()[1].getPermission(), BasePermission.READ);
|
|
|
+ assertEquals(acl.getEntries()[1].getSid(), new GrantedAuthoritySid("ROLE_TEST2"));
|
|
|
+
|
|
|
+ // Add a third permission, after the first one
|
|
|
+ acl.insertAce(acl.getEntries()[0].getId(), BasePermission.WRITE, new GrantedAuthoritySid("ROLE_TEST3"), false);
|
|
|
+ service.updateAcl(acl);
|
|
|
+ assertEquals(3, acl.getEntries().length);
|
|
|
+ // Check the third entry was added between the two existent ones
|
|
|
+ assertEquals(acl.getEntries()[0].getPermission(), BasePermission.READ);
|
|
|
+ assertEquals(acl.getEntries()[0].getSid(), new GrantedAuthoritySid("ROLE_TEST1"));
|
|
|
+ assertEquals(acl.getEntries()[1].getPermission(), BasePermission.WRITE);
|
|
|
+ assertEquals(acl.getEntries()[1].getSid(), new GrantedAuthoritySid("ROLE_TEST3"));
|
|
|
+ assertEquals(acl.getEntries()[2].getPermission(), BasePermission.READ);
|
|
|
+ assertEquals(acl.getEntries()[2].getSid(), new GrantedAuthoritySid("ROLE_TEST2"));
|
|
|
+ }
|
|
|
+
|
|
|
+ public void testInsertAceFailsForInexistentElement() throws Exception {
|
|
|
+ Authentication auth = new TestingAuthenticationToken("johndoe", "ignored",
|
|
|
+ new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_ADMINISTRATOR") });
|
|
|
+ auth.setAuthenticated(true);
|
|
|
+ SecurityContextHolder.getContext().setAuthentication(auth);
|
|
|
+ AclAuthorizationStrategyImpl strategy = new AclAuthorizationStrategyImpl(new GrantedAuthority[] {
|
|
|
+ new GrantedAuthorityImpl("ROLE_OWNERSHIP"), new GrantedAuthorityImpl("ROLE_AUDITING"),
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ AuditLogger auditLogger = new ConsoleAuditLogger();
|
|
|
+ ObjectIdentity identity = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(100));
|
|
|
+ MutableAcl acl = new AclImpl(identity, new Long(1), strategy, auditLogger, null, null, true, new PrincipalSid(
|
|
|
+ "johndoe"));
|
|
|
+ MockAclService service = new MockAclService();
|
|
|
+
|
|
|
+ // Insert one permission
|
|
|
+ acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST1"), true);
|
|
|
+ service.updateAcl(acl);
|
|
|
+
|
|
|
+ try {
|
|
|
+ acl.insertAce(new Long(5), BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"), true);
|
|
|
+ fail("It should have thrown NotFoundException");
|
|
|
+ }
|
|
|
+ catch (NotFoundException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ public void testDeleteAceKeepsInitialOrdering() throws Exception {
|
|
|
+ Authentication auth = new TestingAuthenticationToken("johndoe", "ignored",
|
|
|
+ new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_ADMINISTRATOR") });
|
|
|
+ auth.setAuthenticated(true);
|
|
|
+ SecurityContextHolder.getContext().setAuthentication(auth);
|
|
|
+ AclAuthorizationStrategyImpl strategy = new AclAuthorizationStrategyImpl(new GrantedAuthority[] {
|
|
|
+ new GrantedAuthorityImpl("ROLE_OWNERSHIP"), new GrantedAuthorityImpl("ROLE_AUDITING"),
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ AuditLogger auditLogger = new ConsoleAuditLogger();
|
|
|
+ ObjectIdentity identity = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(100));
|
|
|
+ MutableAcl acl = new AclImpl(identity, new Long(1), strategy, auditLogger, null, null, true, new PrincipalSid(
|
|
|
+ "johndoe"));
|
|
|
+ MockAclService service = new MockAclService();
|
|
|
+
|
|
|
+ // Add several permissions
|
|
|
+ acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST1"), true);
|
|
|
+ acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST2"), true);
|
|
|
+ acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST3"), true);
|
|
|
+ service.updateAcl(acl);
|
|
|
+
|
|
|
+ // Delete first permission and check the order of the remaining permissions is kept
|
|
|
+ acl.deleteAce(new Long(1));
|
|
|
+ assertEquals(2, acl.getEntries().length);
|
|
|
+ assertEquals(acl.getEntries()[0].getSid(), new GrantedAuthoritySid("ROLE_TEST2"));
|
|
|
+ assertEquals(acl.getEntries()[1].getSid(), new GrantedAuthoritySid("ROLE_TEST3"));
|
|
|
+
|
|
|
+ // Add one more permission and remove the permission in the middle
|
|
|
+ acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_TEST4"), true);
|
|
|
+ service.updateAcl(acl);
|
|
|
+ acl.deleteAce(new Long(2));
|
|
|
+ assertEquals(2, acl.getEntries().length);
|
|
|
+ assertEquals(acl.getEntries()[0].getSid(), new GrantedAuthoritySid("ROLE_TEST2"));
|
|
|
+ assertEquals(acl.getEntries()[1].getSid(), new GrantedAuthoritySid("ROLE_TEST4"));
|
|
|
+
|
|
|
+ // Remove remaining permissions
|
|
|
+ acl.deleteAce(new Long(1));
|
|
|
+ acl.deleteAce(new Long(3));
|
|
|
+ assertEquals(0, acl.getEntries().length);
|
|
|
+ }
|
|
|
+
|
|
|
+ public void testDeleteAceFailsForInexistentElement() throws Exception {
|
|
|
+ Authentication auth = new TestingAuthenticationToken("johndoe", "ignored",
|
|
|
+ new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_ADMINISTRATOR") });
|
|
|
+ auth.setAuthenticated(true);
|
|
|
+ SecurityContextHolder.getContext().setAuthentication(auth);
|
|
|
+ AclAuthorizationStrategyImpl strategy = new AclAuthorizationStrategyImpl(new GrantedAuthority[] {
|
|
|
+ new GrantedAuthorityImpl("ROLE_OWNERSHIP"), new GrantedAuthorityImpl("ROLE_AUDITING"),
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ AuditLogger auditLogger = new ConsoleAuditLogger();
|
|
|
+ ObjectIdentity identity = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(100));
|
|
|
+ MutableAcl acl = new AclImpl(identity, new Long(1), strategy, auditLogger, null, null, true, new PrincipalSid(
|
|
|
+ "johndoe"));
|
|
|
+ try {
|
|
|
+ acl.deleteAce(new Long(1));
|
|
|
+ fail("It should have thrown NotFoundException");
|
|
|
+ }
|
|
|
+ catch (NotFoundException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ public void testIsGrantingRejectsEmptyParameters() throws Exception {
|
|
|
+ AclAuthorizationStrategyImpl strategy = new AclAuthorizationStrategyImpl(new GrantedAuthority[] {
|
|
|
+ new GrantedAuthorityImpl("ROLE_OWNERSHIP"), new GrantedAuthorityImpl("ROLE_AUDITING"),
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ AuditLogger auditLogger = new ConsoleAuditLogger();
|
|
|
+ ObjectIdentity identity = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(100));
|
|
|
+ MutableAcl acl = new AclImpl(identity, new Long(1), strategy, auditLogger, null, null, true, new PrincipalSid(
|
|
|
+ "johndoe"));
|
|
|
+
|
|
|
+ try {
|
|
|
+ acl.isGranted(new Permission[] {}, new Sid[] { new PrincipalSid("ben") }, false);
|
|
|
+ fail("It should have thrown IllegalArgumentException");
|
|
|
+ }
|
|
|
+ catch (IllegalArgumentException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ try {
|
|
|
+ acl.isGranted(new Permission[] { BasePermission.READ }, new Sid[] {}, false);
|
|
|
+ fail("It should have thrown IllegalArgumentException");
|
|
|
+ }
|
|
|
+ catch (IllegalArgumentException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ public void testIsGrantingGrantsAccessForAclWithNoParent() throws Exception {
|
|
|
+ Authentication auth = new TestingAuthenticationToken("ben", "ignored", new GrantedAuthority[] {
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL"), new GrantedAuthorityImpl("ROLE_GUEST") });
|
|
|
+ auth.setAuthenticated(true);
|
|
|
+ SecurityContextHolder.getContext().setAuthentication(auth);
|
|
|
+ AclAuthorizationStrategyImpl strategy = new AclAuthorizationStrategyImpl(new GrantedAuthority[] {
|
|
|
+ new GrantedAuthorityImpl("ROLE_OWNERSHIP"), new GrantedAuthorityImpl("ROLE_AUDITING"),
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ AuditLogger auditLogger = new ConsoleAuditLogger();
|
|
|
+ ObjectIdentity rootOid = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(100));
|
|
|
+
|
|
|
+ // Create an ACL which owner is not the authenticated principal
|
|
|
+ MutableAcl rootAcl = new AclImpl(rootOid, new Long(1), strategy, auditLogger, null, null, false, new PrincipalSid(
|
|
|
+ "johndoe"));
|
|
|
+
|
|
|
+ // Grant some permissions
|
|
|
+ rootAcl.insertAce(null, BasePermission.READ, new PrincipalSid("ben"), false);
|
|
|
+ rootAcl.insertAce(null, BasePermission.WRITE, new PrincipalSid("scott"), true);
|
|
|
+ rootAcl.insertAce(null, BasePermission.WRITE, new PrincipalSid("rod"), false);
|
|
|
+ rootAcl.insertAce(null, BasePermission.WRITE, new GrantedAuthoritySid("WRITE_ACCESS_ROLE"), true);
|
|
|
+
|
|
|
+ // Check permissions granting
|
|
|
+ Permission[] permissions = new Permission[] { BasePermission.READ, BasePermission.CREATE };
|
|
|
+ Sid[] sids = new Sid[] { new PrincipalSid("ben"), new GrantedAuthoritySid("ROLE_GUEST") };
|
|
|
+ assertFalse(rootAcl.isGranted(permissions, sids, false));
|
|
|
+ try {
|
|
|
+ rootAcl.isGranted(permissions, new Sid[] { new PrincipalSid("scott") }, false);
|
|
|
+ fail("It should have thrown NotFoundException");
|
|
|
+ }
|
|
|
+ catch (NotFoundException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ assertTrue(rootAcl.isGranted(new Permission[] { BasePermission.WRITE }, new Sid[] { new PrincipalSid("scott") },
|
|
|
+ false));
|
|
|
+ assertFalse(rootAcl.isGranted(new Permission[] { BasePermission.WRITE }, new Sid[] { new PrincipalSid("rod"),
|
|
|
+ new GrantedAuthoritySid("WRITE_ACCESS_ROLE") }, false));
|
|
|
+ assertTrue(rootAcl.isGranted(new Permission[] { BasePermission.WRITE }, new Sid[] {
|
|
|
+ new GrantedAuthoritySid("WRITE_ACCESS_ROLE"), new PrincipalSid("rod") }, false));
|
|
|
+ try {
|
|
|
+ // Change the type of the Sid and check the granting process
|
|
|
+ rootAcl.isGranted(new Permission[] { BasePermission.WRITE }, new Sid[] { new GrantedAuthoritySid("rod"),
|
|
|
+ new PrincipalSid("WRITE_ACCESS_ROLE") }, false);
|
|
|
+ fail("It should have thrown NotFoundException");
|
|
|
+ }
|
|
|
+ catch (NotFoundException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ public void testIsGrantingGrantsAccessForInheritableAcls() throws Exception {
|
|
|
+ Authentication auth = new TestingAuthenticationToken("ben", "ignored",
|
|
|
+ new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ auth.setAuthenticated(true);
|
|
|
+ SecurityContextHolder.getContext().setAuthentication(auth);
|
|
|
+ AclAuthorizationStrategyImpl strategy = new AclAuthorizationStrategyImpl(new GrantedAuthority[] {
|
|
|
+ new GrantedAuthorityImpl("ROLE_OWNERSHIP"), new GrantedAuthorityImpl("ROLE_AUDITING"),
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ AuditLogger auditLogger = new ConsoleAuditLogger();
|
|
|
+ ObjectIdentity grandParentOid = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(100));
|
|
|
+ ObjectIdentity parentOid1 = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(101));
|
|
|
+ ObjectIdentity parentOid2 = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(102));
|
|
|
+ ObjectIdentity childOid1 = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(103));
|
|
|
+ ObjectIdentity childOid2 = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(104));
|
|
|
+
|
|
|
+ // Create ACLs
|
|
|
+ MutableAcl grandParentAcl = new AclImpl(grandParentOid, new Long(1), strategy, auditLogger, null, null, false,
|
|
|
+ new PrincipalSid("johndoe"));
|
|
|
+ MutableAcl parentAcl1 = new AclImpl(parentOid1, new Long(2), strategy, auditLogger, null, null, true,
|
|
|
+ new PrincipalSid("johndoe"));
|
|
|
+ MutableAcl parentAcl2 = new AclImpl(parentOid2, new Long(3), strategy, auditLogger, null, null, true,
|
|
|
+ new PrincipalSid("johndoe"));
|
|
|
+ MutableAcl childAcl1 = new AclImpl(childOid1, new Long(4), strategy, auditLogger, null, null, true,
|
|
|
+ new PrincipalSid("johndoe"));
|
|
|
+ MutableAcl childAcl2 = new AclImpl(childOid2, new Long(4), strategy, auditLogger, null, null, false,
|
|
|
+ new PrincipalSid("johndoe"));
|
|
|
+
|
|
|
+ // Create hierarchies
|
|
|
+ childAcl2.setParent(childAcl1);
|
|
|
+ childAcl1.setParent(parentAcl1);
|
|
|
+ parentAcl2.setParent(grandParentAcl);
|
|
|
+ parentAcl1.setParent(grandParentAcl);
|
|
|
+
|
|
|
+ // Add some permissions
|
|
|
+ grandParentAcl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true);
|
|
|
+ grandParentAcl.insertAce(null, BasePermission.WRITE, new PrincipalSid("ben"), true);
|
|
|
+ grandParentAcl.insertAce(null, BasePermission.DELETE, new PrincipalSid("ben"), false);
|
|
|
+ grandParentAcl.insertAce(null, BasePermission.DELETE, new PrincipalSid("scott"), true);
|
|
|
+ parentAcl1.insertAce(null, BasePermission.READ, new PrincipalSid("scott"), true);
|
|
|
+ parentAcl1.insertAce(null, BasePermission.DELETE, new PrincipalSid("scott"), false);
|
|
|
+ parentAcl2.insertAce(null, BasePermission.CREATE, new PrincipalSid("ben"), true);
|
|
|
+ childAcl1.insertAce(null, BasePermission.CREATE, new PrincipalSid("scott"), true);
|
|
|
+
|
|
|
+ // Check granting process for parent1
|
|
|
+ assertTrue(parentAcl1.isGranted(new Permission[] { BasePermission.READ }, new Sid[] { new PrincipalSid("scott") },
|
|
|
+ false));
|
|
|
+ assertTrue(parentAcl1.isGranted(new Permission[] { BasePermission.READ }, new Sid[] { new GrantedAuthoritySid(
|
|
|
+ "ROLE_USER_READ") }, false));
|
|
|
+ assertTrue(parentAcl1.isGranted(new Permission[] { BasePermission.WRITE }, new Sid[] { new PrincipalSid("ben") },
|
|
|
+ false));
|
|
|
+ assertFalse(parentAcl1.isGranted(new Permission[] { BasePermission.DELETE }, new Sid[] { new PrincipalSid("ben") },
|
|
|
+ false));
|
|
|
+ assertFalse(parentAcl1.isGranted(new Permission[] { BasePermission.DELETE },
|
|
|
+ new Sid[] { new PrincipalSid("scott") }, false));
|
|
|
+
|
|
|
+ // Check granting process for parent2
|
|
|
+ assertTrue(parentAcl2.isGranted(new Permission[] { BasePermission.CREATE }, new Sid[] { new PrincipalSid("ben") },
|
|
|
+ false));
|
|
|
+ assertTrue(parentAcl2.isGranted(new Permission[] { BasePermission.WRITE }, new Sid[] { new PrincipalSid("ben") },
|
|
|
+ false));
|
|
|
+ assertFalse(parentAcl2.isGranted(new Permission[] { BasePermission.DELETE }, new Sid[] { new PrincipalSid("ben") },
|
|
|
+ false));
|
|
|
+
|
|
|
+ // Check granting process for child1
|
|
|
+ assertTrue(childAcl1.isGranted(new Permission[] { BasePermission.CREATE }, new Sid[] { new PrincipalSid("scott") },
|
|
|
+ false));
|
|
|
+ assertTrue(childAcl1.isGranted(new Permission[] { BasePermission.READ }, new Sid[] { new GrantedAuthoritySid(
|
|
|
+ "ROLE_USER_READ") }, false));
|
|
|
+ assertFalse(childAcl1.isGranted(new Permission[] { BasePermission.DELETE }, new Sid[] { new PrincipalSid("ben") },
|
|
|
+ false));
|
|
|
+
|
|
|
+ // Check granting process for child2 (doesn't inherit the permissions from its parent)
|
|
|
+ try {
|
|
|
+ assertTrue(childAcl2.isGranted(new Permission[] { BasePermission.CREATE },
|
|
|
+ new Sid[] { new PrincipalSid("scott") }, false));
|
|
|
+ fail("It should have thrown NotFoundException");
|
|
|
+ }
|
|
|
+ catch (NotFoundException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ try {
|
|
|
+ assertTrue(childAcl2.isGranted(new Permission[] { BasePermission.CREATE }, new Sid[] { new PrincipalSid(
|
|
|
+ "johndoe") }, false));
|
|
|
+ fail("It should have thrown NotFoundException");
|
|
|
+ }
|
|
|
+ catch (NotFoundException expected) {
|
|
|
+ assertTrue(true);
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ public void testUpdateAce() throws Exception {
|
|
|
+ Authentication auth = new TestingAuthenticationToken("ben", "ignored",
|
|
|
+ new GrantedAuthority[] { new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ auth.setAuthenticated(true);
|
|
|
+ SecurityContextHolder.getContext().setAuthentication(auth);
|
|
|
+ AclAuthorizationStrategyImpl strategy = new AclAuthorizationStrategyImpl(new GrantedAuthority[] {
|
|
|
+ new GrantedAuthorityImpl("ROLE_OWNERSHIP"), new GrantedAuthorityImpl("ROLE_AUDITING"),
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ AuditLogger auditLogger = new ConsoleAuditLogger();
|
|
|
+ ObjectIdentity identity = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(100));
|
|
|
+ MutableAcl acl = new AclImpl(identity, new Long(1), strategy, auditLogger, null, null, false, new PrincipalSid(
|
|
|
+ "johndoe"));
|
|
|
+ MockAclService service = new MockAclService();
|
|
|
+
|
|
|
+ acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true);
|
|
|
+ acl.insertAce(null, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"), true);
|
|
|
+ acl.insertAce(null, BasePermission.CREATE, new PrincipalSid("ben"), true);
|
|
|
+ service.updateAcl(acl);
|
|
|
+
|
|
|
+ assertEquals(acl.getEntries()[0].getPermission(), BasePermission.READ);
|
|
|
+ assertEquals(acl.getEntries()[1].getPermission(), BasePermission.WRITE);
|
|
|
+ assertEquals(acl.getEntries()[2].getPermission(), BasePermission.CREATE);
|
|
|
+
|
|
|
+ // Change each permission
|
|
|
+ acl.updateAce(new Long(1), BasePermission.CREATE);
|
|
|
+ acl.updateAce(new Long(2), BasePermission.DELETE);
|
|
|
+ acl.updateAce(new Long(3), BasePermission.READ);
|
|
|
+
|
|
|
+ // Check the change was successfuly made
|
|
|
+ assertEquals(acl.getEntries()[0].getPermission(), BasePermission.CREATE);
|
|
|
+ assertEquals(acl.getEntries()[1].getPermission(), BasePermission.DELETE);
|
|
|
+ assertEquals(acl.getEntries()[2].getPermission(), BasePermission.READ);
|
|
|
+ }
|
|
|
+
|
|
|
+ public void testUpdateAuditing() throws Exception {
|
|
|
+ Authentication auth = new TestingAuthenticationToken("ben", "ignored", new GrantedAuthority[] {
|
|
|
+ new GrantedAuthorityImpl("ROLE_AUDITING"), new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ auth.setAuthenticated(true);
|
|
|
+ SecurityContextHolder.getContext().setAuthentication(auth);
|
|
|
+ AclAuthorizationStrategyImpl strategy = new AclAuthorizationStrategyImpl(new GrantedAuthority[] {
|
|
|
+ new GrantedAuthorityImpl("ROLE_OWNERSHIP"), new GrantedAuthorityImpl("ROLE_AUDITING"),
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ AuditLogger auditLogger = new ConsoleAuditLogger();
|
|
|
+ ObjectIdentity identity = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(100));
|
|
|
+ MutableAcl acl = new AclImpl(identity, new Long(1), strategy, auditLogger, null, null, false, new PrincipalSid(
|
|
|
+ "johndoe"));
|
|
|
+ MockAclService service = new MockAclService();
|
|
|
+
|
|
|
+ acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true);
|
|
|
+ acl.insertAce(null, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"), true);
|
|
|
+ service.updateAcl(acl);
|
|
|
+
|
|
|
+ assertFalse(((AuditableAccessControlEntry) acl.getEntries()[0]).isAuditFailure());
|
|
|
+ assertFalse(((AuditableAccessControlEntry) acl.getEntries()[1]).isAuditFailure());
|
|
|
+ assertFalse(((AuditableAccessControlEntry) acl.getEntries()[0]).isAuditSuccess());
|
|
|
+ assertFalse(((AuditableAccessControlEntry) acl.getEntries()[1]).isAuditSuccess());
|
|
|
+
|
|
|
+ // Change each permission
|
|
|
+ ((AuditableAcl) acl).updateAuditing(new Long(1), true, true);
|
|
|
+ ((AuditableAcl) acl).updateAuditing(new Long(2), true, true);
|
|
|
+
|
|
|
+ // Check the change was successfuly made
|
|
|
+ assertTrue(((AuditableAccessControlEntry) acl.getEntries()[0]).isAuditFailure());
|
|
|
+ assertTrue(((AuditableAccessControlEntry) acl.getEntries()[1]).isAuditFailure());
|
|
|
+ assertTrue(((AuditableAccessControlEntry) acl.getEntries()[0]).isAuditSuccess());
|
|
|
+ assertTrue(((AuditableAccessControlEntry) acl.getEntries()[1]).isAuditSuccess());
|
|
|
+ }
|
|
|
+
|
|
|
+ public void testGettersSetters() throws Exception {
|
|
|
+ Authentication auth = new TestingAuthenticationToken("ben", "ignored", new GrantedAuthority[] {
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ auth.setAuthenticated(true);
|
|
|
+ SecurityContextHolder.getContext().setAuthentication(auth);
|
|
|
+ AclAuthorizationStrategyImpl strategy = new AclAuthorizationStrategyImpl(new GrantedAuthority[] {
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL"), new GrantedAuthorityImpl("ROLE_GENERAL"),
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ AuditLogger auditLogger = new ConsoleAuditLogger();
|
|
|
+ ObjectIdentity identity = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(100));
|
|
|
+ ObjectIdentity identity2 = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(101));
|
|
|
+ MutableAcl acl = new AclImpl(identity, new Long(1), strategy, auditLogger, null, null, true, new PrincipalSid(
|
|
|
+ "johndoe"));
|
|
|
+ MutableAcl parentAcl = new AclImpl(identity2, new Long(2), strategy, auditLogger, null, null, true, new PrincipalSid(
|
|
|
+ "johndoe"));
|
|
|
+ MockAclService service = new MockAclService();
|
|
|
+ acl.insertAce(null, BasePermission.READ, new GrantedAuthoritySid("ROLE_USER_READ"), true);
|
|
|
+ acl.insertAce(null, BasePermission.WRITE, new GrantedAuthoritySid("ROLE_USER_READ"), true);
|
|
|
+ service.updateAcl(acl);
|
|
|
+
|
|
|
+ assertEquals(acl.getId(), new Long(1));
|
|
|
+ assertEquals(acl.getObjectIdentity(), identity);
|
|
|
+ assertEquals(acl.getOwner(), new PrincipalSid("johndoe"));
|
|
|
+ assertNull(acl.getParentAcl());
|
|
|
+ assertTrue(acl.isEntriesInheriting());
|
|
|
+ assertEquals(2, acl.getEntries().length);
|
|
|
+
|
|
|
+ acl.setParent(parentAcl);
|
|
|
+ assertEquals(acl.getParentAcl(), parentAcl);
|
|
|
+
|
|
|
+ acl.setEntriesInheriting(false);
|
|
|
+ assertFalse(acl.isEntriesInheriting());
|
|
|
+
|
|
|
+ ((OwnershipAcl) acl).setOwner(new PrincipalSid("ben"));
|
|
|
+ assertEquals(acl.getOwner(), new PrincipalSid("ben"));
|
|
|
+ }
|
|
|
+
|
|
|
+ public void testIsSidLoaded() throws Exception {
|
|
|
+ AclAuthorizationStrategyImpl strategy = new AclAuthorizationStrategyImpl(new GrantedAuthority[] {
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL"), new GrantedAuthorityImpl("ROLE_GENERAL"),
|
|
|
+ new GrantedAuthorityImpl("ROLE_GENERAL") });
|
|
|
+ AuditLogger auditLogger = new ConsoleAuditLogger();
|
|
|
+ ObjectIdentity identity = new ObjectIdentityImpl("org.springframework.security.TargetObject", new Long(100));
|
|
|
+
|
|
|
+ Sid[] loadedSids = new Sid[] { new PrincipalSid("ben"), new GrantedAuthoritySid("ROLE_IGNORED") };
|
|
|
+ MutableAcl acl = new AclImpl(identity, new Long(1), strategy, auditLogger, null, loadedSids, true, new PrincipalSid(
|
|
|
+ "johndoe"));
|
|
|
+
|
|
|
+ assertTrue(acl.isSidLoaded(loadedSids));
|
|
|
+ assertTrue(acl.isSidLoaded(new Sid[] { new GrantedAuthoritySid("ROLE_IGNORED"), new PrincipalSid("ben") }));
|
|
|
+ assertTrue(acl.isSidLoaded(new Sid[] { new GrantedAuthoritySid("ROLE_IGNORED")}));
|
|
|
+ assertTrue(acl.isSidLoaded(new Sid[] { new PrincipalSid("ben") }));
|
|
|
+ assertTrue(acl.isSidLoaded(null));
|
|
|
+ assertTrue(acl.isSidLoaded(new Sid[] { }));
|
|
|
+ assertTrue(acl.isSidLoaded(new Sid[] { new GrantedAuthoritySid("ROLE_IGNORED"), new GrantedAuthoritySid("ROLE_IGNORED") }));
|
|
|
+ assertFalse(acl.isSidLoaded(new Sid[] { new GrantedAuthoritySid("ROLE_GENERAL"), new GrantedAuthoritySid("ROLE_IGNORED") }));
|
|
|
+ assertFalse(acl.isSidLoaded(new Sid[] { new GrantedAuthoritySid("ROLE_IGNORED"), new GrantedAuthoritySid("ROLE_GENERAL") }));
|
|
|
+ }
|
|
|
+
|
|
|
+ // ~ Inner Classes ==================================================================================================
|
|
|
+
|
|
|
+ private class MockAclService implements MutableAclService {
|
|
|
+ public MutableAcl createAcl(ObjectIdentity objectIdentity) throws AlreadyExistsException {
|
|
|
+ return null;
|
|
|
+ }
|
|
|
+
|
|
|
+ public void deleteAcl(ObjectIdentity objectIdentity, boolean deleteChildren) throws ChildrenExistException {
|
|
|
+ }
|
|
|
+
|
|
|
+ /*
|
|
|
+ * Mock implementation that populates the aces list with fully initialized AccessControlEntries
|
|
|
+ * @see org.springframework.security.acls.MutableAclService#updateAcl(org.springframework.security.acls.MutableAcl)
|
|
|
+ */
|
|
|
+ public MutableAcl updateAcl(MutableAcl acl) throws NotFoundException {
|
|
|
+ AccessControlEntry[] oldAces = acl.getEntries();
|
|
|
+ Field acesField = FieldUtils.getField(AclImpl.class, "aces");
|
|
|
+ acesField.setAccessible(true);
|
|
|
+ List newAces;
|
|
|
+ try {
|
|
|
+ newAces = (List) acesField.get(acl);
|
|
|
+ newAces.clear();
|
|
|
+
|
|
|
+ for (int i = 0; i < oldAces.length; i++) {
|
|
|
+ AccessControlEntry ac = oldAces[i];
|
|
|
+ // Just give an ID to all this acl's aces, rest of the fields are just copied
|
|
|
+ newAces.add(new AccessControlEntryImpl(new Long(i + 1), ac.getAcl(), ac.getSid(), ac.getPermission(), ac
|
|
|
+ .isGranting(), ((AuditableAccessControlEntry) ac).isAuditSuccess(),
|
|
|
+ ((AuditableAccessControlEntry) ac).isAuditFailure()));
|
|
|
+ }
|
|
|
+ }
|
|
|
+ catch (IllegalAccessException e) {
|
|
|
+ e.printStackTrace();
|
|
|
+ }
|
|
|
+
|
|
|
+ return acl;
|
|
|
+ }
|
|
|
+
|
|
|
+ public ObjectIdentity[] findChildren(ObjectIdentity parentIdentity) {
|
|
|
+ return null;
|
|
|
+ }
|
|
|
+
|
|
|
+ public Acl readAclById(ObjectIdentity object) throws NotFoundException {
|
|
|
+ return null;
|
|
|
+ }
|
|
|
+
|
|
|
+ public Acl readAclById(ObjectIdentity object, Sid[] sids) throws NotFoundException {
|
|
|
+ return null;
|
|
|
+ }
|
|
|
+
|
|
|
+ public Map readAclsById(ObjectIdentity[] objects) throws NotFoundException {
|
|
|
+ return null;
|
|
|
+ }
|
|
|
+
|
|
|
+ public Map readAclsById(ObjectIdentity[] objects, Sid[] sids) throws NotFoundException {
|
|
|
+ return null;
|
|
|
+ }
|
|
|
+ }
|
|
|
+}
|
Andrei Stefan