[jboss-svn-commits] JBL Code SVN: r21173 - in labs/jbossrules/trunk: drools-guvnor/src/main/java/org/drools/guvnor/server/security and 3 other directories.
jboss-svn-commits at lists.jboss.org
Tue Jul 22 11:32:02 EDT 2008
Author: jervisliu
Date: 2008-07-22 11:32:01 -0400 (Tue, 22 Jul 2008)
New Revision: 21173
Modified:
labs/jbossrules/trunk/drools-guvnor/src/main/java/org/drools/guvnor/server/ServiceImplementation.java
labs/jbossrules/trunk/drools-guvnor/src/main/java/org/drools/guvnor/server/security/CategoryBasedPermissionResolver.java
labs/jbossrules/trunk/drools-guvnor/src/main/java/org/drools/guvnor/server/security/PackageBasedPermissionResolver.java
labs/jbossrules/trunk/drools-guvnor/src/test/java/org/drools/guvnor/server/ServiceImplementationTest.java
labs/jbossrules/trunk/drools-guvnor/src/test/java/org/drools/guvnor/server/security/MockIdentity.java
labs/jbossrules/trunk/drools-guvnor/src/test/java/org/drools/guvnor/server/security/PackageBasedPermissionResolverTest.java
labs/jbossrules/trunk/drools-repository/src/main/java/org/drools/repository/RulesRepository.java
Log:
Check permissions when loading and saving assets; the rules are described in the Javadoc of each method. Added more tests.
Modified: labs/jbossrules/trunk/drools-guvnor/src/main/java/org/drools/guvnor/server/ServiceImplementation.java
===================================================================
--- labs/jbossrules/trunk/drools-guvnor/src/main/java/org/drools/guvnor/server/ServiceImplementation.java 2008-07-22 14:59:30 UTC (rev 21172)
+++ labs/jbossrules/trunk/drools-guvnor/src/main/java/org/drools/guvnor/server/ServiceImplementation.java 2008-07-22 15:32:01 UTC (rev 21173)
@@ -326,23 +326,30 @@
@WebRemote
@Restrict("#{identity.loggedIn}")
+ /**
+ * loadRuleListForCategories
+ *
+ * Role-based Authorization check: This method can be accessed if user has
+ * following permissions:
+ * 1. The user has Analyst role and this role has permission to access the category
+ * Or.
+ * 2. The user has one of the following roles: package.readonly|package.admin|package.developer.
+ * In this case, this method only returns assets that belong to packages the role has at least
+ * package.readonly permission to access.
+ */
public TableDataResult loadRuleListForCategories(String categoryPath,
int skip, int numRows, String tableConfig)
throws SerializableException {
// love you
// long time = System.currentTimeMillis();
- // First check the user has permission to access this categoryPath. This
- // check only applies to
- // ANALYST role, always return true for
- // admin|package.admin|package.dev|package.readonly roles.
- // We will then use AssetItemFilter to enforce package-based
- // permissions.
+ // First check the user has permission to access this categoryPath.
if (Contexts.isSessionContextActive()) {
Identity.instance().checkPermission(
new CategoryPathType(categoryPath), null);
}
+ //use AssetItemFilter to enforce package-based permissions.
RepositoryFilter filter = new AssetItemFilter();
AssetPageList list = repository.findAssetsByCategory(categoryPath,
false, skip, numRows, filter);
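Review bot: The new Javadoc at L25–L35 is placed between the `@Restrict` annotation and the method signature, so the javadoc tool will most likely not attach it to `loadRuleListForCategories`; move the comment block above `@WebRemote`. The comment also states the access rules as unconditional, whereas the category check at L48–L51 only runs when `Contexts.isSessionContextActive()` is true, so the doc should carry a caveat such as `* Note: the category check is skipped when no Seam session context is active; only the AssetItemFilter applies then.` The method body continues past the end of the hunk.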
@@ -378,6 +385,14 @@
/**
* This actually does the hard work of loading up an asset based on its
* format.
+ *
+ * Role-based Authorization check: This method can be accessed if user has
+ * following permissions:
+ * 1. The user has Analyst role and this role has permission to access the category
+ * which the asset belongs to.
+ * Or.
+ * 2. The user has package.readonly role (or package.admin, package.developer)
+ * and this role has permission to access the package which the asset belongs to.
*/
@WebRemote
@Restrict("#{identity.loggedIn}")
@@ -394,6 +409,22 @@
Identity.instance().checkPermission(
new PackageNameType(asset.metaData.packageName),
RoleTypes.PACKAGE_READONLY);
+
+ boolean passed = false;
+ RuntimeException exception = null;
+ for(String cat : asset.metaData.categories) {
+ try {
+ Identity.instance().checkPermission(
+ new CategoryPathType(cat),
+ RoleTypes.ANALYST);
+ passed = true;
+ } catch (RuntimeException e) {
+ exception = e;
+ }
+ }
+ if(!passed) {
+ throw exception;
+ }
}
// get package header
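Review bot: When `asset.metaData.categories` is empty the loop at L78 never executes, `passed` stays false and `exception` stays null, so L89 runs `throw null` and the caller sees a NullPointerException instead of an AuthorizationException; an uncategorised asset becomes unreadable for everyone who reaches this branch, including users who just passed the package check. Either initialise the failure explicitly, e.g. `RuntimeException exception = new AuthorizationException("no category grants access to this asset");`, or decide deliberately that an asset with no categories is governed by the package check alone and skip the loop when the list is empty. Narrow `catch (RuntimeException e)` at L84 to `catch (AuthorizationException e)` as well: today a non-authorization failure thrown by a resolver for one category is silently discarded if another category passes. The enclosing method starts in the previous hunk.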
@@ -476,11 +507,38 @@
@WebRemote
@Restrict("#{identity.loggedIn}")
+ /**
+ *
+ * Role-based Authorization check: This method can be accessed if user has
+ * following permissions:
+ * 1. The user has Analyst role and this role has permission to access the category
+ * which the asset belongs to.
+ * Or.
+ * 2. The user has package.readonly role (or package.admin, package.developer)
+ * and this role has permission to access the package which the asset belongs to.
+ */
public String checkinVersion(RuleAsset asset) throws SerializableException {
+
if (Contexts.isSessionContextActive()) {
Identity.instance().checkPermission(
new PackageNameType(asset.metaData.packageName),
- RoleTypes.PACKAGE_DEVELOPER);
+ RoleTypes.PACKAGE_READONLY);
+
+ boolean passed = false;
+ RuntimeException exception = null;
+ for(String cat : asset.metaData.categories) {
+ try {
+ Identity.instance().checkPermission(
+ new CategoryPathType(cat),
+ RoleTypes.ANALYST);
+ passed = true;
+ } catch (RuntimeException e) {
+ exception = e;
+ }
+ }
+ if(!passed) {
+ throw exception;
+ }
}
log.info("USER:" + repository.getSession().getUserID()
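Review bot: Lowering the package requirement at L111–L112 from `RoleTypes.PACKAGE_DEVELOPER` to `RoleTypes.PACKAGE_READONLY` lets a user holding only `package.readonly` on the asset's package save through `checkinVersion`: the package check passes (`isPermitted` returns true for readonly/readonly at L293–L295) and the category loop passes too, because `CategoryBasedPermissionResolver` grants any category path to a user with no Analyst role (L147). That is a read-only role with write access. If the intent is "Analyst on the category OR developer on the package", keep `RoleTypes.PACKAGE_DEVELOPER` here — the package resolver already returns true for Analysts at L263–L264, so analysts are not blocked by it — and correct the Javadoc at L103 to match. The same `throw null` on an empty `categories` list as in `loadRuleAsset` applies at L127; the method body continues past the hunk.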
Modified: labs/jbossrules/trunk/drools-guvnor/src/main/java/org/drools/guvnor/server/security/CategoryBasedPermissionResolver.java
===================================================================
--- labs/jbossrules/trunk/drools-guvnor/src/main/java/org/drools/guvnor/server/security/CategoryBasedPermissionResolver.java 2008-07-22 14:59:30 UTC (rev 21172)
+++ labs/jbossrules/trunk/drools-guvnor/src/main/java/org/drools/guvnor/server/security/CategoryBasedPermissionResolver.java 2008-07-22 15:32:01 UTC (rev 21173)
@@ -31,7 +31,16 @@
import org.jboss.seam.security.permission.PermissionResolver;
/**
- * Resolves category-based permissions.
+ * PermissionResolvers are chained together to resolve permission check, the check returns true if
+ * one of the PermissionResolvers in the chain returns true.
+ *
+ * This PermissionResolver resolves category-based permissions. It returns true under following situations:
+ * 1. The user is admin
+ * Or
+ * 2. The user has at least one analyst role, and at least one of the analyst role has access to requested category path.
+ * Or
+ * 3. The user does not have any Analyst role(eg, the user only has other roles like package.admin|package.developer|package.readonly)
+ *
*
* @author Jervis Liu
*/
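Review bot: Case 3 at L147 documents that this resolver grants every category path to a user with no Analyst role, which means a lone `checkPermission(new CategoryPathType(..), ..)` never restricts package-role users; it is only meaningful when the caller also performs a package check. Say so explicitly so a future call site does not rely on it in isolation, e.g. `* NOTE: on its own this resolver does not restrict users without an Analyst role; callers must pair it with a PackageNameType/PackageUUIDType check.`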
@@ -47,13 +56,27 @@
public void create() {
}
- public boolean hasPermission(Object target, String action) {
+ /**
+ * check permission
+ *
+ * @param requestedCategoryPath
+ * the requestedCategoryPath must be an instance of CategoryPathType,
+ * otherwise return false;
+ * @param requestedRole
+ * the requestedRole must be an instance of String, its value has to be one of the
+ * followings: admin|analyst|package.admin|package.developer|package.readonly,
+ * otherwise return false;
+ * @return true if the permission can be granted on the requested category path with the
+ * requested role; return false otherwise.
+ *
+ */
+ public boolean hasPermission(Object requestedCategoryPath, String requestedRole) {
List<RoleBasedPermission> permissions = (List<RoleBasedPermission>) Contexts
.getSessionContext().get("packageBasedPermission");
String requestedPath;
- if (target instanceof CategoryPathType) {
- requestedPath = ((CategoryPathType)target).getCategoryPath();
+ if (requestedCategoryPath instanceof CategoryPathType) {
+ requestedPath = ((CategoryPathType)requestedCategoryPath).getCategoryPath();
} else {
// CategoryBasedPermissionResolver only grants permissions based on categoryPath.
// Return false if the input is not a categoryPath, as this will be the reponsibility
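Review bot: The `@param requestedRole` text at L162–L165 promises that values outside admin|analyst|package.* return false, but `requestedRole` is not referenced anywhere in the visible body, so the documented contract is not enforced; either drop that sentence or add the check before the path comparison. The list read at L171–L172 is an unchecked cast with no null guard, and the iteration in the following hunk would throw if `packageBasedPermission` was never set in the session — unless it is guarded in the lines between the hunks, which are not visible here. The method continues past the hunk.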
@@ -66,11 +89,11 @@
return true;
}
- //category path based permission check only applies to analyst role. For all the other
- //roles(admin|package.admin|package.dev|package.readonly) we always grant permisssion.
+ //category path based permission check only applies to analyst role. If there is no Analyst
+ //role (eg, only other roles like admin|package.admin|package.dev|package.readonly) we always grant permisssion.
boolean isPermitted = true;
+ //return true when there is no analyst role, or one of the analyst role has permission to acccess this category
for (RoleBasedPermission pbp : permissions) {
- //the permission check only applies to the analyst role
if (RoleTypes.ANALYST.equals(pbp.getRole())) {
isPermitted = false;
if(isPermitted(requestedPath, pbp.getCategoryPath())) {
Modified: labs/jbossrules/trunk/drools-guvnor/src/main/java/org/drools/guvnor/server/security/PackageBasedPermissionResolver.java
===================================================================
--- labs/jbossrules/trunk/drools-guvnor/src/main/java/org/drools/guvnor/server/security/PackageBasedPermissionResolver.java 2008-07-22 14:59:30 UTC (rev 21172)
+++ labs/jbossrules/trunk/drools-guvnor/src/main/java/org/drools/guvnor/server/security/PackageBasedPermissionResolver.java 2008-07-22 15:32:01 UTC (rev 21173)
@@ -31,7 +31,17 @@
import org.jboss.seam.security.permission.PermissionResolver;
/**
- * Resolves package-based permissions. A user might have differnt permissions on different packages.
+ * PermissionResolvers are chained together to resolve permission check, the check returns true if
+ * one of the PermissionResolvers in the chain returns true.
+ *
+ * This PermissionResolver resolves package-based permissions. It returns true under following situations:
+ * 1. The user is admin
+ * Or
+ * 2. The user has one of the following roles package.admin|package.developer|package.readonly on the requested
+ * package, and requested role requires lower privilege than assigned role(I.e., package.admin>package.developer>package.readonly)
+ * Or
+ * 3. The user is Analyst
+ *
*
* @author Jervis Liu
*/
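Review bot: Case 3 at L212 means an Analyst passes every package-based check regardless of the requested role, including `package.admin`; any existing caller that protects an administrative package operation with a single `checkPermission(new PackageNameType(..), RoleTypes.PACKAGE_ADMIN)` is therefore open to analysts unless it is paired with a category check. State that limitation in the Javadoc, e.g. `* NOTE: for users holding an Analyst role this resolver is permissive; package-level restrictions on analysts must be enforced by the caller.`, and audit the other `checkPermission` call sites in ServiceImplementation for that pattern.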
@@ -47,20 +57,34 @@
public void create() {
}
- public boolean hasPermission(Object target, String action) {
+ /**
+ * check permission
+ *
+ * @param requestedPackage
+ * the requestedPackage must be an instance of PackageUUIDType or PackageNameType,
+ * otherwise return false;
+ * @param requestedRole
+ * the requestedRole must be an instance of String, its value has to be one of the
+ * followings: admin|analyst|package.admin|package.developer|package.readonly,
+ * otherwise return false;
+ * @return true if the permission can be granted on the requested packaged with the
+ * requested role; return false otherwise.
+ *
+ */
+ public boolean hasPermission(Object requestedPackage, String requestedRole) {
List<RoleBasedPermission> permissions = (List<RoleBasedPermission>) Contexts
.getSessionContext().get("packageBasedPermission");
String targetUUDI = "";
- if (target instanceof PackageUUIDType) {
- targetUUDI = ((PackageUUIDType) target).getUUID();
- } else if (target instanceof PackageNameType) {
+ if (requestedPackage instanceof PackageUUIDType) {
+ targetUUDI = ((PackageUUIDType) requestedPackage).getUUID();
+ } else if (requestedPackage instanceof PackageNameType) {
try {
ServiceImplementation si = (ServiceImplementation) Component
.getInstance("org.drools.guvnor.client.rpc.RepositoryService");
PackageItem source = si.repository
- .loadPackage(((PackageNameType) target)
+ .loadPackage(((PackageNameType) requestedPackage)
.getPackageName());
targetUUDI = source.getUUID();
} catch (RulesRepositoryException e) {
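Review bot: `@param requestedRole` at L227–L230 says unrecognised values return false, but the value is passed straight to `isPermitted`, which returns true for any requested string when the user holds `package.admin` (L273–L274); either document the real behaviour or reject unknown role names up front, e.g. `if (!RoleTypes.ANALYST.equals(requestedRole) && !requestedRole.startsWith("package.")) return false;` — hedged, as the full set of role constants is not visible here. The name-to-UUID lookup at L245–L252 performs a repository read inside the authorization path; when the package does not exist `targetUUDI` presumably stays `""` (the catch body is outside the hunk), which is safe only as long as no permission row carries an empty package UUID. The method continues past the hunk.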
@@ -79,12 +103,15 @@
return true;
}
+ //package based permission check only applies to admin|package.admin|package.dev|package.readonly role.
+ //For Analyst we always grant permisssion.
for (RoleBasedPermission pbp : permissions) {
- //only when the user has the permission to perform the specific action on this package
- if (targetUUDI.equalsIgnoreCase(pbp.getPackageUUID())
- && isPermitted(action, pbp.getRole())) {
+ if (RoleTypes.ANALYST.equals(pbp.getRole())) {
return true;
- }
+ } else if (targetUUDI.equalsIgnoreCase(pbp.getPackageUUID())
+ && isPermitted(requestedRole, pbp.getRole())) {
+ return true;
+ }
}
return false;
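Review bot: The branch at L263–L264 returns true for an Analyst before `targetUUDI` or `requestedRole` are consulted, so a category-scoped analyst satisfies any package guard, including one asking for `package.admin`. If that is intended, say so next to the branch, e.g. `// Analysts are scoped by category, not package; CategoryBasedPermissionResolver enforces their restriction.`; otherwise exclude administrative requests from the shortcut, e.g. `if (RoleTypes.ANALYST.equals(pbp.getRole()) && !RoleTypes.PACKAGE_ADMIN.equalsIgnoreCase(requestedRole)) {`. The comment at L257–L258 should then describe whichever rule is chosen.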
@@ -94,19 +121,19 @@
if (RoleTypes.PACKAGE_ADMIN.equalsIgnoreCase(role)) {
return true;
} else if (RoleTypes.PACKAGE_DEVELOPER.equalsIgnoreCase(role)) {
- if ("package.admin".equalsIgnoreCase(requestedAction)) {
+ if (RoleTypes.PACKAGE_ADMIN.equalsIgnoreCase(requestedAction)) {
return false;
- } else if ("package.developer".equalsIgnoreCase(requestedAction)) {
+ } else if (RoleTypes.PACKAGE_DEVELOPER.equalsIgnoreCase(requestedAction)) {
return true;
- } else if ("package.readonly".equalsIgnoreCase(requestedAction)) {
+ } else if (RoleTypes.PACKAGE_READONLY.equalsIgnoreCase(requestedAction)) {
return true;
}
} else if (RoleTypes.PACKAGE_READONLY.equalsIgnoreCase(role)) {
- if ("package.admin".equalsIgnoreCase(requestedAction)) {
+ if (RoleTypes.PACKAGE_ADMIN.equalsIgnoreCase(requestedAction)) {
return false;
- } else if ("package.developer".equalsIgnoreCase(requestedAction)) {
+ } else if (RoleTypes.PACKAGE_DEVELOPER.equalsIgnoreCase(requestedAction)) {
return false;
- } else if ("package.readonly".equalsIgnoreCase(requestedAction)) {
+ } else if (RoleTypes.PACKAGE_READONLY.equalsIgnoreCase(requestedAction)) {
return true;
}
}
Modified: labs/jbossrules/trunk/drools-guvnor/src/test/java/org/drools/guvnor/server/ServiceImplementationTest.java
===================================================================
--- labs/jbossrules/trunk/drools-guvnor/src/test/java/org/drools/guvnor/server/ServiceImplementationTest.java 2008-07-22 14:59:30 UTC (rev 21172)
+++ labs/jbossrules/trunk/drools-guvnor/src/test/java/org/drools/guvnor/server/ServiceImplementationTest.java 2008-07-22 15:32:01 UTC (rev 21173)
@@ -20,8 +20,10 @@
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
+import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
+import java.util.Map;
import junit.framework.TestCase;
@@ -64,6 +66,12 @@
import org.drools.guvnor.client.rpc.ValidatedResponse;
import org.drools.guvnor.client.rulelist.AssetItemGrid;
import org.drools.guvnor.server.ServiceImplementation;
+import org.drools.guvnor.server.security.CategoryBasedPermissionResolver;
+import org.drools.guvnor.server.security.MockIdentity;
+import org.drools.guvnor.server.security.PackageBasedPermissionResolver;
+import org.drools.guvnor.server.security.PackageNameType;
+import org.drools.guvnor.server.security.RoleBasedPermission;
+import org.drools.guvnor.server.security.RoleTypes;
import org.drools.guvnor.server.util.BRXMLPersistence;
import org.drools.guvnor.server.util.IO;
import org.drools.guvnor.server.util.ScenarioXMLPersistence;
@@ -79,6 +87,9 @@
import org.drools.util.BinaryRuleBaseLoader;
import org.drools.util.DateUtils;
import org.drools.util.DroolsStreamUtils;
+import org.jboss.seam.contexts.Contexts;
+import org.jboss.seam.contexts.Lifecycle;
+import org.jboss.seam.security.AuthorizationException;
import com.google.gwt.user.client.rpc.IsSerializable;
import com.google.gwt.user.client.rpc.SerializableException;
@@ -342,6 +353,293 @@
assertTrue(asset.content instanceof RuleContentText);
}
+ public void testLoadRuleAssetWithRoleBasedAuthrozationAnalyst() throws Exception {
+ try {
+ ServiceImplementation impl = getService();
+ impl.repository.createPackage(
+ "testLoadRuleAssetWithRoleBasedAuthrozation", "desc");
+ impl.createCategory("",
+ "testLoadRuleAssetWithRoleBasedAuthrozationCat1",
+ "this is a cat");
+ impl.createCategory("",
+ "testLoadRuleAssetWithRoleBasedAuthrozationCat2",
+ "this is a cat");
+
+ impl.createNewRule("testLoadRuleAssetWithRoleBasedAuthrozation",
+ "description",
+ "testLoadRuleAssetWithRoleBasedAuthrozationCat1",
+ "testLoadRuleAssetWithRoleBasedAuthrozation", "drl");
+ impl.createNewRule("testLoadRuleAssetWithRoleBasedAuthrozation2",
+ "description",
+ "testLoadRuleAssetWithRoleBasedAuthrozationCat2",
+ "testLoadRuleAssetWithRoleBasedAuthrozation", "drl");
+
+ TableDataResult res = impl.loadRuleListForCategories(
+ "testLoadRuleAssetWithRoleBasedAuthrozationCat1", 0, -1,
+ AssetItemGrid.RULE_LIST_TABLE_ID);
+ assertEquals(1, res.data.length);
+ assertEquals(1, res.total);
+ assertFalse(res.hasNext);
+
+ TableDataRow row = res.data[0];
+ String uuid = row.id;
+
+ TableDataResult res2 = impl.loadRuleListForCategories(
+ "testLoadRuleAssetWithRoleBasedAuthrozationCat2", 0, -1,
+ AssetItemGrid.RULE_LIST_TABLE_ID);
+ assertEquals(1, res.data.length);
+ assertEquals(1, res.total);
+ assertFalse(res.hasNext);
+
+ TableDataRow row2 = res2.data[0];
+ String uuid2 = row2.id;
+
+ // Mock up SEAM contexts
+ Map application = new HashMap<String, Object>();
+ Lifecycle.beginApplication(application);
+ Lifecycle.beginCall();
+ MockIdentity midentity = new MockIdentity();
+ // this makes Identity.hasRole("admin") return false
+ midentity.setHasRole(false);
+ midentity.addPermissionResolver(new PackageBasedPermissionResolver());
+ midentity.addPermissionResolver(new CategoryBasedPermissionResolver());
+
+ Contexts.getSessionContext().set(
+ "org.jboss.seam.security.identity", midentity);
+ Contexts.getSessionContext().set(
+ "org.drools.guvnor.client.rpc.RepositoryService", impl);
+
+ List<RoleBasedPermission> pbps = new ArrayList<RoleBasedPermission>();
+ pbps.add(new RoleBasedPermission("jervis", RoleTypes.ANALYST, null,
+ "testLoadRuleAssetWithRoleBasedAuthrozationCat1"));
+ Contexts.getSessionContext().set("packageBasedPermission", pbps);
+
+
+ //now lets see if we can access this asset with the permissions
+ RuleAsset asset = impl.loadRuleAsset(uuid);
+ try {
+ asset = impl.loadRuleAsset(uuid2);
+ fail("Did not catch expected exception");
+ } catch (AuthorizationException e) {
+ }
+ } finally {
+ Lifecycle.endApplication();
+ }
+ }
+
+ public void testLoadRuleAssetWithRoleBasedAuthrozationPackageReadonly() throws Exception {
+ try {
+ ServiceImplementation impl = getService();
+ impl.repository.createPackage(
+ "testLoadRuleAssetWithRoleBasedAuthrozationPackageReadonlyPack1", "desc");
+ impl.createCategory("",
+ "testLoadRuleAssetWithRoleBasedAuthrozationPackageReadonlyCat1",
+ "this is a cat");
+
+ impl.createNewRule("testLoadRuleAssetWithRoleBasedAuthrozation",
+ "description",
+ "testLoadRuleAssetWithRoleBasedAuthrozationPackageReadonlyCat1",
+ "testLoadRuleAssetWithRoleBasedAuthrozationPackageReadonlyPack1", "drl");
+
+ impl.repository.createPackage(
+ "testLoadRuleAssetWithRoleBasedAuthrozationPackageReadonlyPack2", "desc");
+
+ impl.createNewRule("testLoadRuleAssetWithRoleBasedAuthrozation",
+ "description",
+ "testLoadRuleAssetWithRoleBasedAuthrozationPackageReadonlyCat1",
+ "testLoadRuleAssetWithRoleBasedAuthrozationPackageReadonlyPack2", "drl");
+
+
+ TableDataResult res = impl.loadRuleListForCategories(
+ "testLoadRuleAssetWithRoleBasedAuthrozationPackageReadonlyCat1", 0, -1,
+ AssetItemGrid.RULE_LIST_TABLE_ID);
+ TableDataRow row = res.data[0];
+ String uuid = row.id;
+ PackageItem source = impl.repository
+ .loadPackage("testLoadRuleAssetWithRoleBasedAuthrozationPackageReadonlyPack1");
+ String package1Uuid = source.getUUID();
+
+ TableDataRow row2 = res.data[1];
+ String uuid2 = row2.id;
+
+ // Mock up SEAM contexts
+ Map application = new HashMap<String, Object>();
+ Lifecycle.beginApplication(application);
+ Lifecycle.beginCall();
+ MockIdentity midentity = new MockIdentity();
+ // this makes Identity.hasRole("admin") return false
+ midentity.setHasRole(false);
+ midentity.addPermissionResolver(new PackageBasedPermissionResolver());
+ midentity.addPermissionResolver(new CategoryBasedPermissionResolver());
+
+ Contexts.getSessionContext().set(
+ "org.jboss.seam.security.identity", midentity);
+ Contexts.getSessionContext().set(
+ "org.drools.guvnor.client.rpc.RepositoryService", impl);
+
+ List<RoleBasedPermission> pbps = new ArrayList<RoleBasedPermission>();
+ pbps.add(new RoleBasedPermission("jervis",
+ RoleTypes.PACKAGE_READONLY,
+ package1Uuid, null));
+
+ Contexts.getSessionContext().set("packageBasedPermission", pbps);
+
+ //now lets see if we can access this asset with the permissions
+ RuleAsset asset = impl.loadRuleAsset(uuid);
+ try {
+ asset = impl.loadRuleAsset(uuid2);
+ fail("Did not catch expected exception");
+ } catch (AuthorizationException e) {
+ }
+ } finally {
+ Lifecycle.endApplication();
+ }
+ }
+
+ public void testloadRuleListForCategoriesWithRoleBasedAuthrozationPackageReadonly() throws Exception {
+ try {
+ ServiceImplementation impl = getService();
+ impl.repository.createPackage(
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationPackageReadonlyPack1", "desc");
+ impl.createCategory("",
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationPackageReadonlyCat1",
+ "this is a cat");
+
+ impl.createNewRule("testLoadRuleAssetWithRoleBasedAuthrozation",
+ "description",
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationPackageReadonlyCat1",
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationPackageReadonlyPack1", "drl");
+
+ impl.repository.createPackage(
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationPackageReadonlyPack2", "desc");
+
+ impl.createNewRule("testLoadRuleAssetWithRoleBasedAuthrozation",
+ "description",
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationPackageReadonlyCat1",
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationPackageReadonlyPack2", "drl");
+
+ impl.repository.createPackage(
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationPackageReadonlyPack3", "desc");
+
+ impl.createNewRule("testLoadRuleAssetWithRoleBasedAuthrozation",
+ "description",
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationPackageReadonlyCat1",
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationPackageReadonlyPack3", "drl");
+
+ PackageItem source = impl.repository.loadPackage("testloadRuleListForCategoriesWithRoleBasedAuthrozationPackageReadonlyPack1");
+ String package1Uuid = source.getUUID();
+ source = impl.repository.loadPackage("testloadRuleListForCategoriesWithRoleBasedAuthrozationPackageReadonlyPack2");
+ String package2Uuid = source.getUUID();
+
+ // Mock up SEAM contexts
+ Map application = new HashMap<String, Object>();
+ Lifecycle.beginApplication(application);
+ Lifecycle.beginCall();
+ MockIdentity midentity = new MockIdentity();
+ // this makes Identity.hasRole("admin") return false
+ midentity.setHasRole(false);
+ midentity.addPermissionResolver(new PackageBasedPermissionResolver());
+ midentity.addPermissionResolver(new CategoryBasedPermissionResolver());
+
+ Contexts.getSessionContext().set(
+ "org.jboss.seam.security.identity", midentity);
+ Contexts.getSessionContext().set(
+ "org.drools.guvnor.client.rpc.RepositoryService", impl);
+
+ List<RoleBasedPermission> pbps = new ArrayList<RoleBasedPermission>();
+ pbps.add(new RoleBasedPermission("jervis",
+ RoleTypes.PACKAGE_READONLY,
+ package1Uuid, null));
+ pbps.add(new RoleBasedPermission("jervis",
+ RoleTypes.PACKAGE_DEVELOPER,
+ package2Uuid, null));
+
+ Contexts.getSessionContext().set("packageBasedPermission", pbps);
+
+
+ TableDataResult res = impl.loadRuleListForCategories(
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationPackageReadonlyCat1", 0, -1,
+ AssetItemGrid.RULE_LIST_TABLE_ID);
+ assertEquals(2, res.data.length);
+ } finally {
+ Lifecycle.endApplication();
+ }
+ }
+
+ public void testloadRuleListForCategoriesWithRoleBasedAuthrozationAnalyst() throws Exception {
+ try {
+ ServiceImplementation impl = getService();
+ impl.repository.createPackage(
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationAnalystPack1", "desc");
+ impl.createCategory("",
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationAnalystCat1",
+ "this is a cat");
+
+ impl.createNewRule("testLoadRuleAssetWithRoleBasedAuthrozation",
+ "description",
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationAnalystCat1",
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationAnalystPack1", "drl");
+
+ impl.repository.createPackage(
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationAnalystPack2", "desc");
+
+ impl.createNewRule("testLoadRuleAssetWithRoleBasedAuthrozation",
+ "description",
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationAnalystCat1",
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationAnalystPack2", "drl");
+
+ impl.repository.createPackage(
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationAnalystPack3", "desc");
+
+ impl.createNewRule("testLoadRuleAssetWithRoleBasedAuthrozation",
+ "description",
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationAnalystCat1",
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationAnalystPack3", "drl");
+
+ PackageItem source = impl.repository.loadPackage("testloadRuleListForCategoriesWithRoleBasedAuthrozationAnalystPack2");
+ String package2Uuid = source.getUUID();
+ source = impl.repository.loadPackage("testloadRuleListForCategoriesWithRoleBasedAuthrozationAnalystPack3");
+ String package3Uuid = source.getUUID();
+
+ // Mock up SEAM contexts
+ Map application = new HashMap<String, Object>();
+ Lifecycle.beginApplication(application);
+ Lifecycle.beginCall();
+ MockIdentity midentity = new MockIdentity();
+ // this makes Identity.hasRole("admin") return false
+ midentity.setHasRole(false);
+ midentity.addPermissionResolver(new PackageBasedPermissionResolver());
+ midentity.addPermissionResolver(new CategoryBasedPermissionResolver());
+
+ Contexts.getSessionContext().set(
+ "org.jboss.seam.security.identity", midentity);
+ Contexts.getSessionContext().set(
+ "org.drools.guvnor.client.rpc.RepositoryService", impl);
+
+ List<RoleBasedPermission> pbps = new ArrayList<RoleBasedPermission>();
+ pbps.add(new RoleBasedPermission("jervis",
+ RoleTypes.ANALYST,
+ null, "testloadRuleListForCategoriesWithRoleBasedAuthrozationAnalystCat1"));
+ pbps.add(new RoleBasedPermission("jervis",
+ RoleTypes.PACKAGE_READONLY,
+ package2Uuid, null));
+ pbps.add(new RoleBasedPermission("jervis",
+ RoleTypes.PACKAGE_DEVELOPER,
+ package3Uuid, null));
+
+ Contexts.getSessionContext().set("packageBasedPermission", pbps);
+
+
+ TableDataResult res = impl.loadRuleListForCategories(
+ "testloadRuleListForCategoriesWithRoleBasedAuthrozationAnalystCat1", 0, -1,
+ AssetItemGrid.RULE_LIST_TABLE_ID);
+ assertEquals(3, res.data.length);
+ } finally {
+ Lifecycle.endApplication();
+ }
+ }
+
+
public void testLoadAssetHistoryAndRestore() throws Exception {
ServiceImplementation impl = getService();
impl.repository.createPackage("testLoadAssetHistory", "desc");
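Review bot: In `testLoadRuleAssetWithRoleBasedAuthrozationAnalyst` the assertions at L370–L372 re-check `res` instead of `res2`, so the second category query is never verified; change them to `assertEquals(1, res2.data.length); assertEquals(1, res2.total); assertFalse(res2.hasNext);`. None of the new tests exercises `checkinVersion` with a `package.readonly`-only identity, which is exactly the case this commit relaxes in ServiceImplementation; a negative test there expecting `AuthorizationException` would pin the intended write rule. Each test calls `Lifecycle.beginCall()` but only `endApplication()` in `finally`; whether that leaks call context into later tests depends on Seam's Lifecycle, which is not visible here.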
Modified: labs/jbossrules/trunk/drools-guvnor/src/test/java/org/drools/guvnor/server/security/MockIdentity.java
===================================================================
--- labs/jbossrules/trunk/drools-guvnor/src/test/java/org/drools/guvnor/server/security/MockIdentity.java 2008-07-22 14:59:30 UTC (rev 21172)
+++ labs/jbossrules/trunk/drools-guvnor/src/test/java/org/drools/guvnor/server/security/MockIdentity.java 2008-07-22 15:32:01 UTC (rev 21173)
@@ -17,10 +17,18 @@
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
import org.jboss.seam.security.Identity;
+import org.jboss.seam.security.permission.PermissionResolver;
+import org.jboss.seam.security.permission.ResolverChain;
public class MockIdentity extends Identity {
private boolean hasRole;
+ private List<PermissionResolver> resolvers = new ArrayList<PermissionResolver>();
public boolean hasRole(String role) {
return hasRole;
@@ -29,4 +37,24 @@
public void setHasRole(boolean hasRole) {
this.hasRole = hasRole;
}
+
+ public boolean isLoggedIn(boolean attemptLogin) {
+ return true;
+ }
+
+ public boolean hasPermission(Object target, String action) {
+ for (PermissionResolver resolver : resolvers)
+ {
+ if (resolver.hasPermission(target, action))
+ {
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ public void addPermissionResolver(PermissionResolver r) {
+ resolvers.add(r);
+ }
}
\ No newline at end of file
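Review bot: `isLoggedIn(boolean)` at L649–L651 unconditionally returns true and `hasPermission` at L653–L663 grants as soon as any registered resolver grants, so the mock reproduces the permissive "first resolver that says yes wins" semantics of the production chain; a class comment would stop readers mistaking it for a stricter model, e.g. `// Test double: hasRole() is fixed by setHasRole(); hasPermission() grants if any added resolver grants, mirroring Seam's resolver chain.` The `ResolverChain`, `HashMap` and `Map` imports added at L632–L638 are not used in the visible code.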
Modified: labs/jbossrules/trunk/drools-guvnor/src/test/java/org/drools/guvnor/server/security/PackageBasedPermissionResolverTest.java
===================================================================
--- labs/jbossrules/trunk/drools-guvnor/src/test/java/org/drools/guvnor/server/security/PackageBasedPermissionResolverTest.java 2008-07-22 14:59:30 UTC (rev 21172)
+++ labs/jbossrules/trunk/drools-guvnor/src/test/java/org/drools/guvnor/server/security/PackageBasedPermissionResolverTest.java 2008-07-22 15:32:01 UTC (rev 21173)
@@ -135,6 +135,30 @@
Lifecycle.endApplication();
}
+
+ public void testAnalyst() throws Exception {
+ //Mock up SEAM contexts
+ Map application = new HashMap<String, Object>();
+ Lifecycle.beginApplication(application);
+ Lifecycle.beginCall();
+ MockIdentity midentity = new MockIdentity();
+ //this makes Identity.hasRole("admin") return false
+ midentity.setHasRole(false);
+ Contexts.getSessionContext().set("org.jboss.seam.security.identity", midentity);
+
+
+ List<RoleBasedPermission> pbps = new ArrayList<RoleBasedPermission>();
+ pbps.add(new RoleBasedPermission("jervis", RoleTypes.PACKAGE_READONLY, "47982482-7912-4881-97ec-e852494383d7", null));
+ pbps.add(new RoleBasedPermission("jervis", RoleTypes.ANALYST, null, "category1"));
+ Contexts.getSessionContext().set("packageBasedPermission", pbps);
+
+ PackageBasedPermissionResolver resolver = new PackageBasedPermissionResolver();
+
+ assertTrue(resolver.hasPermission(new PackageUUIDType("47982482-7912-4881-97ec-e852494383d7"), RoleTypes.ANALYST));
+ assertTrue(resolver.hasPermission(new PackageUUIDType("631b3d79-5b67-42fb-83da-714624970a6b"), RoleTypes.ANALYST));
+
+ Lifecycle.endApplication();
+ }
}
\ No newline at end of file
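Review bot: `testAnalyst` asserts only the permissive outcome (an Analyst is granted any package UUID) and never pins what happens when the requested role is administrative; an assertion such as `assertFalse(resolver.hasPermission(new PackageUUIDType("631b3d79-5b67-42fb-83da-714624970a6b"), RoleTypes.PACKAGE_ADMIN));` currently fails given the analyst shortcut at L263–L264, so adding it (or its inverse) turns that behaviour into an explicit decision. `Lifecycle.endApplication()` at L699 is not in a `finally`, so a failing assertion leaves the mocked Seam application context active for the next test.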
Modified: labs/jbossrules/trunk/drools-repository/src/main/java/org/drools/repository/RulesRepository.java
===================================================================
--- labs/jbossrules/trunk/drools-repository/src/main/java/org/drools/repository/RulesRepository.java 2008-07-22 14:59:30 UTC (rev 21172)
+++ labs/jbossrules/trunk/drools-repository/src/main/java/org/drools/repository/RulesRepository.java 2008-07-22 15:32:01 UTC (rev 21173)
@@ -779,7 +779,7 @@
if ( isNotSnapshot( parentNode ) && parentNode.getPrimaryNodeType().getName().equals( AssetItem.RULE_NODE_TYPE_NAME ) ) {
if ( seekArchivedAsset || !parentNode.getProperty( AssetItem.CONTENT_PROPERTY_ARCHIVE_FLAG ).getBoolean() ) {
AssetItem ai = new AssetItem( this, parentNode );
- if(filter == null || filter.accept(ai, "repackage.readonly")) {
+ if(filter == null || filter.accept(ai, "package.readonly")) {
results.add(ai);
rows++;
}
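Review bot: The corrected action at L712 must agree byte-for-byte with `RoleTypes.PACKAGE_READONLY` in drools-guvnor, and a hard-coded literal in drools-repository is how the `"repackage.readonly"` typo crept in; if the module boundary prevents referencing RoleTypes directly, define a local constant, e.g. `public static final String READ_ACTION = "package.readonly"; // must match RoleTypes.PACKAGE_READONLY`, and pass it to `filter.accept`. Because the old string matched no branch of the package resolver's `isPermitted`, the visible filtering result changes with this commit for non-admin package roles — hedged, since the fall-through of `isPermitted` is not fully visible.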