Author: sohil.shah(a)jboss.com
Date: 2009-07-31 16:23:34 -0400 (Fri, 31 Jul 2009)
New Revision: 13647
Added:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossIntegrationSharedPageACL.java
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationGroupPageACL.java
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationPageNavACL.java
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationPortalConfigACL.java
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationUserPageACL.java
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/User.java
Removed:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossPolicyProvisioner.java
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/META-INF/authz-config.xml
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/jboss/security/provisioning/ExoPolicyProvisioner.java
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractIntegrationTest.java
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractTestUserACL.java
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossCreatePortalACL.java
Log:
Provisioning Phase integration
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/META-INF/authz-config.xml
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/META-INF/authz-config.xml 2009-07-30
22:10:50 UTC (rev 13646)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/META-INF/authz-config.xml 2009-07-31
20:23:34 UTC (rev 13647)
@@ -3,9 +3,23 @@
<deployment
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:jboss:bean-deployer:2.0
bean-deployer_2_0.xsd"
xmlns="urn:jboss:bean-deployer:2.0">
- <bean name="/exo/jboss/PolicyProvisioner"
class="org.exoplatform.portal.jboss.security.provisioning.ExoPolicyProvisioner">
+ <bean name="/exo/jboss/PolicyProvisioner"
class="org.exoplatform.portal.jboss.security.provisioning.ExoPolicyProvisioner">
<property name="policyProvisioner">
<inject bean="/agent/LocalPolicyProvisioner"/>
</property>
+ <property name="superuser">root</property>
+ <!--
+ TODO: change the values from whatever:/platform/administrators and
whatever:/organization/management/executive-board
+ to *:/platform/administrators and *:/organization/management/executive-board
+ once a custom Roles component is implemented
+ -->
+ <property name="portalCreatorGroups">
+ <list class="java.util.ArrayList"
elementClass="java.lang.String">
+ <value>whatever:/platform/administrators</value>
+ <value>whatever:/organization/management/executive-board</value>
+ </list>
+ </property>
+ <property name="guestGroup">/platform/guests</property>
+ <property
name="navigationCreatorMembershipType">manager</property>
</bean>
</deployment>
\ No newline at end of file
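Review bot: The `portalCreatorGroups` values carry the placeholder membership type `whatever:` in a `src/main` configuration, so as deployed the CreatePortal policy only matches principals whose membership type is literally named `whatever` on those groups — administrators whose memberships use a real type get no portal-creation right, while any account handed that odd type does. Until the wildcard `Roles` component the TODO mentions exists, use a membership type the portal actually issues, e.g. `<value>manager:/platform/administrators</value>`, and extend the TODO to say the placeholder must not ship. The `superuser` entry `root` is, per the provisioner in this commit, matched on identity name alone, so it deserves a comment stating that it grants unconditional Write on every portal, page and navigation.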
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/jboss/security/provisioning/ExoPolicyProvisioner.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/jboss/security/provisioning/ExoPolicyProvisioner.java 2009-07-30
22:10:50 UTC (rev 13646)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/main/java/org/exoplatform/portal/jboss/security/provisioning/ExoPolicyProvisioner.java 2009-07-31
20:23:34 UTC (rev 13647)
@@ -3,14 +3,29 @@
*/
package org.exoplatform.portal.jboss.security.provisioning;
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.util.List;
+
import org.apache.log4j.Logger;
+import org.exoplatform.portal.config.UserACL;
import org.exoplatform.portal.config.model.PortalConfig;
import org.exoplatform.portal.config.model.PageNavigation;
import org.exoplatform.portal.config.model.Page;
+import org.exoplatform.portal.jboss.security.components.CreatePortal;
+import org.exoplatform.portal.jboss.security.components.OwnerType;
import org.jboss.security.authz.agent.provisioning.PolicyProvisioner;
import org.jboss.security.authz.agent.provisioning.ProvisioningException;
+import org.jboss.security.authz.agent.services.CompositionContext;
+import org.jboss.security.authz.components.action.Read;
+import org.jboss.security.authz.components.action.Write;
+import org.jboss.security.authz.components.resource.URIResource;
+import org.jboss.security.authz.components.subject.Identity;
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.Policy;
/**
* @author soshah
@@ -22,6 +37,12 @@
private PolicyProvisioner policyProvisioner;
+ //Some static system configuration
+ private String superuser;
+ private List<String> portalCreatorGroups;
+ private String guestGroup;
+ private String navigationCreatorMembershipType;
+
public ExoPolicyProvisioner()
{
@@ -29,16 +50,23 @@
public void start()
{
- log.info("----------------------------------------------------------------");
- log.info("Exo-JBoss Policy Provisioner successfully
started..............."+this.policyProvisioner);
- log.info("----------------------------------------------------------------");
+ this.initializePolicyRepository();
+
+ log.debug("----------------------------------------------------------------");
+ log.debug("Exo-JBoss Policy Provisioner successfully
started..............."+this.policyProvisioner);
+ log.debug("----------------------------------------------------------------");
}
public void stop()
{
}
-
+
+ public void debug()
+ {
+ this.printPolicyRepository();
+ }
+ //----------------------------------------------------------------------------------------------------------------------------------------------------------------------
public PolicyProvisioner getPolicyProvisioner()
{
return policyProvisioner;
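Review bot: `start()` now provisions the CreatePortal policy from `this.superuser` before anything validates the injected properties, so a missing `superuser` yields an `Identity` whose name is null and a PERMIT rule with an undefined subject; fail fast instead, e.g. `if (superuser == null || superuser.trim().length() == 0) throw new IllegalStateException("superuser must be configured");` and the same for `guestGroup`, which is concatenated into every guest rule. The new public `debug()` dumps every stored policy through `generateSystemPolicy()` at INFO level on a deployed service bean; consider logging it at DEBUG or marking it test-only so the full authorization model does not end up in production logs. `initializePolicyRepository()` and `printPolicyRepository()` are defined later in the file, outside this hunk.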
@@ -48,19 +76,361 @@
{
this.policyProvisioner = policyProvisioner;
}
- //---------------------------------------------------------------------------------------------------------------------------------------------------------------------
- public void provision(PortalConfig portal) throws ProvisioningException
+
+ public String getSuperuser()
{
+ return superuser;
+ }
+
+ public void setSuperuser(String superuser)
+ {
+ this.superuser = superuser;
+ }
+ public List<String> getPortalCreatorGroups()
+ {
+ return portalCreatorGroups;
}
+
+ public void setPortalCreatorGroups(List<String> portalCreatorGroups)
+ {
+ this.portalCreatorGroups = portalCreatorGroups;
+ }
- public void provision(PageNavigation nav) throws ProvisioningException
+
+ public String getGuestGroup()
{
+ return guestGroup;
+ }
+
+ public void setGuestGroup(String guestGroup)
+ {
+ this.guestGroup = guestGroup;
+ }
+ public String getNavigationCreatorMembershipType()
+ {
+ return navigationCreatorMembershipType;
}
+
+ public void setNavigationCreatorMembershipType(
+ String navigationCreatorMembershipType)
+ {
+ this.navigationCreatorMembershipType = navigationCreatorMembershipType;
+ }
+ //---------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ public void provision(PortalConfig portal) throws ProvisioningException
+ {
+ try
+ {
+ CompositionContext context = new CompositionContext();
+
+ // SetUp Portal Resource to be protected
+ URIResource target = new URIResource();
+ target.setUri(new URI("portal://"+portal.getName()));
+ context.setPolicyTarget(target);
+
+ // Super User Rule
+ org.jboss.security.authz.components.subject.Identity superuser = new
org.jboss.security.authz.components.subject.Identity();
+ superuser.setName(this.superuser);
+ context.addPolicyRule(Effect.PERMIT, new Write(), superuser);
+
+ // Read Access
+ if (portal.getAccessPermissions() != null
+ && portal.getAccessPermissions().length > 0)
+ {
+ Roles readRoles = new Roles();
+ String[] accessPermissions = portal.getAccessPermissions();
+ for (String accessPermission : accessPermissions)
+ {
+ if(!this.isGuestGroup(accessPermission))
+ {
+ readRoles.addName(accessPermission);
+ }
+ else
+ {
+ // Guest Group
+ Roles guest = new Roles();
+ guest.addName("*:"+this.guestGroup);
+ guest.addName(Roles.ANONYMOUS);
+ guest.setMustMatchAll(true);
+ context.addPolicyRule(Effect.PERMIT, new Read(), guest,
"allowExpression");
+ }
+ }
+ if(!readRoles.isEmpty())
+ {
+ context.addPolicyRule(Effect.PERMIT, new Read(), readRoles,
+ "allowExpression");
+ }
+ }
+ // Write Access
+ String editPermission = portal.getEditPermission();
+ if (editPermission != null && editPermission.trim().length() > 0)
+ {
+ Roles writeRoles = new Roles();
+
+ if(!this.isGuestGroup(editPermission))
+ {
+ writeRoles.addName(editPermission);
+ context.addPolicyRule(Effect.PERMIT, new Write(), writeRoles,
+ "allowExpression");
+ }
+ else
+ {
+ // Guest Group
+ Roles guest = new Roles();
+ guest.addName("*:"+this.guestGroup);
+ guest.addName(Roles.ANONYMOUS);
+ guest.setMustMatchAll(true);
+ context.addPolicyRule(Effect.PERMIT, new Write(), guest,
"allowExpression");
+ }
+ }
+
+ //Provision the Policy for this Portal
+ this.policyProvisioner.composeAndDeploy(context);
+ }
+ catch(URISyntaxException uriexception)
+ {
+ throw new ProvisioningException(uriexception);
+ }
+ }
+
public void provision(Page page) throws ProvisioningException
{
+ try
+ {
+ CompositionContext context = new CompositionContext();
+
+ // SetUp Resource
+ URIResource target = new URIResource();
+ target.setUri(new URI("page://"+page.getName()));
+ context.setPolicyTarget(target);
+
+ //SuperUser Access
+ org.jboss.security.authz.components.subject.Identity superuser = new
org.jboss.security.authz.components.subject.Identity();
+ superuser.setName(this.superuser);
+ context.addPolicyRule(Effect.PERMIT, new Write(), superuser);
+
+ // Read Access
+ if (page.getAccessPermissions() != null
+ && page.getAccessPermissions().length > 0)
+ {
+ Roles readRoles = new Roles();
+ String[] accessPermissions = page.getAccessPermissions();
+ for (String accessPermission : accessPermissions)
+ {
+ if(!this.isGuestGroup(accessPermission))
+ {
+ readRoles.addName(accessPermission);
+ }
+ else
+ {
+ // Guest Group
+ Roles guest = new Roles();
+ guest.addName("*:"+this.guestGroup);
+ guest.addName(Roles.ANONYMOUS);
+ guest.setMustMatchAll(true);
+ context.addPolicyRule(Effect.PERMIT, new Read(), guest,
"allowExpression");
+ }
+ }
+ if(!readRoles.isEmpty())
+ {
+ context.addPolicyRule(Effect.PERMIT, new Read(), readRoles,
+ "allowExpression");
+ }
+ }
+
+ // Write Access
+ String editPermission = page.getEditPermission();
+ if (editPermission != null && editPermission.trim().length() > 0)
+ {
+ Roles writeRoles = new Roles();
+
+ if(!this.isGuestGroup(editPermission))
+ {
+ writeRoles.addName(editPermission);
+ context.addPolicyRule(Effect.PERMIT, new Write(), writeRoles,
+ "allowExpression");
+ }
+ else
+ {
+ // Guest Group
+ Roles guest = new Roles();
+ guest.addName("*:"+this.guestGroup);
+ guest.addName(Roles.ANONYMOUS);
+ guest.setMustMatchAll(true);
+ context.addPolicyRule(Effect.PERMIT, new Write(), guest,
"allowExpression");
+ }
+
+ }
+
+
+ // SetUp OwnerType based Rules
+ if (page.getOwnerType().equals(PortalConfig.USER_TYPE))
+ {
+ OwnerType ownerType = new OwnerType();
+ ownerType.setType(PortalConfig.USER_TYPE);
+
+ Identity identity = new Identity();
+ identity.setName(page.getOwnerId());
+
+ context.addPolicyRule(Effect.PERMIT, ownerType, identity);
+ }
+
+ this.policyProvisioner.composeAndDeploy(context);
+ }
+ catch(URISyntaxException uriexception)
+ {
+ throw new ProvisioningException(uriexception);
+ }
+ }
+
+ public void provision(PageNavigation pageNavigation) throws ProvisioningException
+ {
+ try
+ {
+ // Setup the Context for the Composition with these components
+ CompositionContext context = new CompositionContext();
+
+ // SetUp Resource
+ URIResource target = new URIResource();
+ target.setUri(new URI("pagenav://"+pageNavigation.getDescription()));
+ context.setPolicyTarget(target);
+
+ // Super User
+ org.jboss.security.authz.components.subject.Identity superuser = new
org.jboss.security.authz.components.subject.Identity();
+ superuser.setName(this.superuser);
+ context.addPolicyRule(Effect.PERMIT, new Write(), superuser);
+
+ if(pageNavigation.getOwnerType().equals(PortalConfig.GROUP_TYPE))
+ {
+ Roles roles = new Roles();
+ StringBuilder buffer = new
StringBuilder(this.navigationCreatorMembershipType+":");
+ if(pageNavigation.getOwnerId().startsWith("/"))
+ {
+ buffer.append(pageNavigation.getOwnerId());
+ }
+ else
+ {
+ buffer.append("/"+pageNavigation.getOwnerId());
+ }
+ String roleName = buffer.toString();
+
+ if(!this.isGuestGroup(roleName))
+ {
+ roles.addName(roleName);
+ context.addPolicyRule(Effect.PERMIT, new Write(), roles,
+ "allowExpression");
+ }
+ else
+ {
+ // Guest Group
+ Roles guest = new Roles();
+ guest.addName("*:"+this.guestGroup);
+ guest.addName(Roles.ANONYMOUS);
+ guest.setMustMatchAll(true);
+ context.addPolicyRule(Effect.PERMIT, new Write(), guest,
"allowExpression");
+ }
+ }
+ else if(pageNavigation.getOwnerType().equals(PortalConfig.USER_TYPE))
+ {
+ Identity identity = new Identity();
+ identity.setName(pageNavigation.getOwnerId());
+ context.addPolicyRule(Effect.PERMIT, new Write(), identity);
+ }
+
+ this.policyProvisioner.composeAndDeploy(context);
+ }
+ catch(URISyntaxException uriexception)
+ {
+ throw new ProvisioningException(uriexception);
+ }
+ }
+ //----------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ private void initializePolicyRepository()
+ {
+ try
+ {
+ //TODO: first introspect the PolicyRepository to make sure the CreatePortal policy is
not already provisioned
+
+ CompositionContext context = new CompositionContext();
+
+ //Using the custom "CreatePortal" "Security Component"
+ CreatePortal action = new CreatePortal();
+ URIResource resource = new URIResource();
+ resource.setUri(new URI(action.getName()));
+ context.setPolicyTarget(resource);
+
+ // Super User... Supers Users have access to everything
+ org.jboss.security.authz.components.subject.Identity superuser = new
org.jboss.security.authz.components.subject.Identity();
+ superuser.setName(this.superuser);
+ context.addPolicyRule(Effect.PERMIT, action, superuser);
+
+ // PortalCreators Group....
+ if(this.portalCreatorGroups != null && !this.portalCreatorGroups.isEmpty())
+ {
+ Roles portalCreators = new Roles();
+
+ for(String portalCreatorGroup: this.portalCreatorGroups)
+ {
+ portalCreators.addName(portalCreatorGroup);
+ }
+
+ context.addPolicyRule(Effect.PERMIT, action, portalCreators,
+ "allowExpression");
+ }
+
+ this.policyProvisioner.composeAndDeploy(context);
+ }
+ catch(Throwable t)
+ {
+ log.error(this, t);
+ throw new RuntimeException(t);
+ }
+ }
+
+ private void printPolicyRepository()
+ {
+ try
+ {
+ //Assert Policy State of the Server
+ Policy[] policies = this.policyProvisioner.readAllPolicies();
+
+ if(policies != null)
+ {
+ log.info("------------------------------------------------------------------------------");
+ for(Policy storedPolicy: policies)
+ {
+ log.info(storedPolicy.generateSystemPolicy());
+ }
+ }
+ }
+ catch(Throwable t)
+ {
+ log.error(this, t);
+ throw new RuntimeException(t);
+ }
+ }
+
+ private boolean isGuestGroup(String accessStr)
+ {
+ UserACL.Permission permission = new UserACL.Permission();
+ permission.setPermissionExpression(accessStr);
+ if(permission.getGroupId().equals(this.guestGroup))
+ {
+ return true;
+ }
+
+ if(accessStr.indexOf('*') == -1 && accessStr.equals(this.guestGroup))
+ {
+ return true;
+ }
+
+
+ return false;
}
}
+
+
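Review bot: The policy target for a page is keyed on `page.getName()` alone (`new URI("page://"+page.getName())`) and for a navigation on the free-form `pageNavigation.getDescription()`, so two pages owned by different users or groups that share a name — every test fixture in this commit uses name `index` with ownerId `foo` — provision onto the same target, and whichever is deployed last decides who can read and write both; whether `composeAndDeploy` replaces or accumulates rules is not visible here, but either outcome crosses owner boundaries. Include the owner in the key, e.g. `target.setUri(new URI("page://" + page.getOwnerType() + "/" + page.getOwnerId() + "/" + page.getName()));` and `"pagenav://" + pageNavigation.getOwnerType() + "/" + pageNavigation.getOwnerId()` instead of the description. Separately, `isGuestGroup` calls `permission.getGroupId().equals(this.guestGroup)`; if `setPermissionExpression("Everyone")` leaves the group id null this is an NPE on exactly the input the tests exercise, so invert it to `this.guestGroup.equals(permission.getGroupId())` once `guestGroup` is validated non-null.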
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractIntegrationTest.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractIntegrationTest.java 2009-07-30
22:10:50 UTC (rev 13646)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractIntegrationTest.java 2009-07-31
20:23:34 UTC (rev 13647)
@@ -7,10 +7,15 @@
import org.apache.log4j.Logger;
import org.exoplatform.test.BasicTestCase;
+import org.exoplatform.portal.jboss.security.provisioning.ExoPolicyProvisioner;
+import org.jboss.security.authz.agent.enforcement.EnforcementContext;
+import org.jboss.security.authz.agent.enforcement.EnforcementResponse;
+import org.jboss.security.authz.agent.enforcement.PolicyEnforcementPoint;
import org.jboss.security.authz.bootstrap.ServiceContainer;
+
/**
* @author soshah
*
@@ -18,9 +23,48 @@
public class JBossAbstractIntegrationTest extends BasicTestCase
{
private static Logger log = Logger.getLogger(JBossAbstractIntegrationTest.class);
+
+ User root, administrator, manager, user, guest;
+
+ ExoPolicyProvisioner exoPolicyProvisioner;
+ PolicyEnforcementPoint enforcer;
protected void setUp() throws Exception
{
- ServiceContainer.bootstrap();
+ ServiceContainer.bootstrap();
+
+ this.enforcer = (PolicyEnforcementPoint) ServiceContainer
+ .lookup("/agent/LocalEnforcementPoint");
+ this.exoPolicyProvisioner =
(ExoPolicyProvisioner)ServiceContainer.lookup("/exo/jboss/PolicyProvisioner");
+
+ this.root = new User(this.exoPolicyProvisioner.getSuperuser());
+
+ this.administrator = new User("administrator");
+ this.administrator.addMembership("whatever",
"/platform/administrators");
+
+ this.manager = new User("manager");
+ this.manager.addMembership("manager", "/manageable");
+
+ this.user = new User("user");
+
+ this.guest = new User(null);
}
+
+ protected void enforce(EnforcementContext enforcementContext, boolean mustBePermitted)
throws Exception
+ {
+ EnforcementResponse response = this.enforcer.checkAccess(enforcementContext);
+
+ assertNotNull(response);
+ log.info("-----------------------------------");
+ log.info("Decision="+response.getMessage());
+
+ if(mustBePermitted)
+ {
+ assertTrue("Access must be granted!!!", response.isAccessGranted());
+ }
+ else
+ {
+ assertFalse("Access must be denied!!!", response.isAccessGranted());
+ }
+ }
}
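Review bot: The `administrator` fixture hard-codes the placeholder membership `"whatever"` / `"/platform/administrators"`, duplicating the value in authz-config.xml, whereas `root` is correctly derived from `exoPolicyProvisioner.getSuperuser()`; when the config TODO is resolved the two drift apart and the administrator assertions either pass for the wrong reason or fail without pointing at the cause. Derive it the same way, e.g. split the first entry of `this.exoPolicyProvisioner.getPortalCreatorGroups()` at its first `:` into type and group before calling `addMembership`. In `enforce()` the failure text carries no context; `assertTrue("Access must be granted for " + enforcementContext, response.isAccessGranted())` (and the mirror for the deny branch) would make a failing ACL test self-explanatory.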
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractTestUserACL.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractTestUserACL.java 2009-07-30
22:10:50 UTC (rev 13646)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossAbstractTestUserACL.java 2009-07-31
20:23:34 UTC (rev 13647)
@@ -3,18 +3,9 @@
*/
package org.exoplatform.portal.config.security.jboss;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.Set;
-
import org.apache.log4j.Logger;
import org.exoplatform.portal.config.UserACL;
-import org.exoplatform.services.security.ConversationState;
-import org.exoplatform.services.security.Identity;
-import org.exoplatform.services.security.MembershipEntry;
import org.exoplatform.test.BasicTestCase;
import org.jboss.security.authz.bootstrap.ServiceContainer;
@@ -120,65 +111,5 @@
}
return false;
- }
- //----------------------------------------------------------------------------------------------------------------------------------------------------------------------
- public class User
- {
- private final Identity identity;
-
- private User(String id) {
- if (id != null) {
- Collection<String> roles = Collections.emptySet();
- Set<MembershipEntry> memberships = new HashSet<MembershipEntry>();
- identity = new Identity(id, memberships, roles);
- } else {
- identity = null;
- }
- }
-
- public String getId() {
- return identity != null ? identity.getUserId() : null;
- }
-
- public void addMembership(String type, String group) {
- identity.getMemberships().add(new MembershipEntry(group, type));
- }
-
- public void removeMembership(String type, String group) {
- for (Iterator<MembershipEntry> i =
identity.getMemberships().iterator();i.hasNext();) {
- MembershipEntry membership = i.next();
- if (type == null || type.equals(membership.getMembershipType())) {
- if (group == null || group.equals(membership.getGroup())) {
- i.remove();
- }
- }
- }
- }
-
- public Collection<MembershipEntry> getMemberships()
- {
- if(this.identity != null)
- {
- return this.identity.getMemberships();
- }
- return null;
- }
-
- public void removeMembershipByType(String type) {
- removeMembership(type, null);
- }
-
- public void removeMembershipByGroup(String group) {
- removeMembership(null, group);
- }
-
- public void run(Runnable runnable) {
- ConversationState.setCurrent(new ConversationState(identity));
- try {
- runnable.run();
- } finally {
- ConversationState.setCurrent(null);
- }
- }
- }
+ }
}
Added:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossIntegrationSharedPageACL.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossIntegrationSharedPageACL.java
(rev 0)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/JBossIntegrationSharedPageACL.java 2009-07-31
20:23:34 UTC (rev 13647)
@@ -0,0 +1,371 @@
+/**
+ *
+ */
+package org.exoplatform.portal.config.security.jboss;
+
+import java.net.URI;
+import java.util.Collection;
+
+import org.exoplatform.portal.config.model.Page;
+import org.exoplatform.services.security.MembershipEntry;
+
+import org.jboss.security.authz.agent.enforcement.EnforcementContext;
+import org.jboss.security.authz.components.action.Read;
+import org.jboss.security.authz.components.action.Write;
+import org.jboss.security.authz.components.resource.URIResource;
+import org.jboss.security.authz.components.subject.Identity;
+import org.jboss.security.authz.components.subject.Roles;
+
+/**
+ * @author soshah
+ *
+ */
+public abstract class JBossIntegrationSharedPageACL extends
+ JBossAbstractIntegrationTest
+{
+ protected abstract String getOwnerType();
+
+ public void testPage() throws Exception
+ {
+ Page page = new Page();
+ page.setName("index");
+ page.setOwnerType(this.getOwnerType());
+ page.setOwnerId("foo");
+ page.setAccessPermissions(new String[0]);
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(page);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ // Assert
+ this.enforce(this.writePageEnforcementContext(this.root, page), true);
+ this.enforce(this.writePageEnforcementContext(this.administrator, page),
+ false);
+ this.enforce(this.writePageEnforcementContext(this.manager, page), false);
+ this.enforce(this.writePageEnforcementContext(this.user, page), false);
+ this.enforce(this.writePageEnforcementContext(this.guest, page), false);
+
+ this.enforce(this.readPageEnforcementContext(this.root, page), true);
+ this.enforce(this.readPageEnforcementContext(this.administrator, page),
+ false);
+ this.enforce(this.readPageEnforcementContext(this.manager, page), false);
+ this.enforce(this.readPageEnforcementContext(this.user, page), false);
+ this.enforce(this.readPageEnforcementContext(this.guest, page), false);
+ }
+
+ public void testPageAccessibleByEveryone() throws Exception
+ {
+ Page page = new Page();
+ page.setName("index");
+ page.setOwnerType(this.getOwnerType());
+ page.setOwnerId("foo");
+ page.setAccessPermissions(new String[] { "Everyone" });
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(page);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ // Assert
+ this.enforce(this.writePageEnforcementContext(this.root, page), true);
+ this.enforce(this.writePageEnforcementContext(this.administrator, page),
+ false);
+ this.enforce(this.writePageEnforcementContext(this.manager, page), false);
+ this.enforce(this.writePageEnforcementContext(this.user, page), false);
+ this.enforce(this.writePageEnforcementContext(this.guest, page), false);
+
+ this.enforce(this.readPageEnforcementContext(this.root, page), true);
+ this.enforce(this.readPageEnforcementContext(this.administrator, page),
+ true);
+ this.enforce(this.readPageEnforcementContext(this.manager, page), true);
+ this.enforce(this.readPageEnforcementContext(this.user, page), true);
+ this.enforce(this.readPageEnforcementContext(this.guest, page), true);
+ }
+
+ public void testPageEditableByEveryone() throws Exception
+ {
+ Page page = new Page();
+ page.setName("index");
+ page.setOwnerType(this.getOwnerType());
+ page.setOwnerId("foo");
+ page.setAccessPermissions(new String[0]);
+ page.setEditPermission("Everyone");
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(page);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ // Assert
+ this.enforce(this.writePageEnforcementContext(this.root, page), true);
+ this.enforce(this.writePageEnforcementContext(this.administrator, page), true);
+ this.enforce(this.writePageEnforcementContext(this.manager, page), true);
+ this.enforce(this.writePageEnforcementContext(this.user, page), true);
+ this.enforce(this.writePageEnforcementContext(this.guest, page), true);
+
+ this.enforce(this.readPageEnforcementContext(this.root, page), true);
+ this.enforce(this.readPageEnforcementContext(this.administrator, page), true);
+ this.enforce(this.readPageEnforcementContext(this.manager, page), true);
+ this.enforce(this.readPageEnforcementContext(this.user, page), true);
+ this.enforce(this.readPageEnforcementContext(this.guest, page), true);
+ }
+
+ public void testPageAccessibleByGuests() throws Exception
+ {
+ Page page = new Page();
+ page.setName("index");
+ page.setOwnerType(this.getOwnerType());
+ page.setOwnerId("foo");
+ page.setAccessPermissions(new String[]{this.exoPolicyProvisioner.getGuestGroup()});
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(page);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ // Assert
+ this.enforce(this.writePageEnforcementContext(this.root, page), true);
+ this.enforce(this.writePageEnforcementContext(this.administrator, page), false);
+ this.enforce(this.writePageEnforcementContext(this.manager, page), false);
+ this.enforce(this.writePageEnforcementContext(this.user, page), false);
+ this.enforce(this.writePageEnforcementContext(this.guest, page), false);
+
+ this.enforce(this.readPageEnforcementContext(this.root, page), true);
+ this.enforce(this.readPageEnforcementContext(this.administrator, page), false);
+ this.enforce(this.readPageEnforcementContext(this.manager, page), false);
+ this.enforce(this.readPageEnforcementContext(this.user, page), false);
+ this.enforce(this.readPageEnforcementContext(this.guest, page), true);
+ }
+
+ public void testPageEditableByGuests() throws Exception
+ {
+ Page page = new Page();
+ page.setName("index");
+ page.setOwnerType(this.getOwnerType());
+ page.setOwnerId("foo");
+ page.setAccessPermissions(new String[0]);
+ page.setEditPermission(this.exoPolicyProvisioner.getGuestGroup());
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(page);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ // Assert
+ this.enforce(this.writePageEnforcementContext(this.root, page), true);
+ this.enforce(this.writePageEnforcementContext(this.administrator, page), false);
+ this.enforce(this.writePageEnforcementContext(this.manager, page), false);
+ this.enforce(this.writePageEnforcementContext(this.user, page), false);
+ this.enforce(this.writePageEnforcementContext(this.guest, page), true);
+
+ this.enforce(this.readPageEnforcementContext(this.root, page), true);
+ this.enforce(this.readPageEnforcementContext(this.administrator, page), false);
+ this.enforce(this.readPageEnforcementContext(this.manager, page), false);
+ this.enforce(this.readPageEnforcementContext(this.user, page), false);
+ this.enforce(this.readPageEnforcementContext(this.guest, page), true);
+ }
+
+ public void testPageAccessibleByEveryOneAndGuests() throws Exception
+ {
+ Page page = new Page();
+ page.setName("index");
+ page.setOwnerType(this.getOwnerType());
+ page.setOwnerId("foo");
+ page.setAccessPermissions(new String[]{"Everyone",
this.exoPolicyProvisioner.getGuestGroup()});
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(page);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ // Assert
+ this.enforce(this.writePageEnforcementContext(this.root, page), true);
+ this.enforce(this.writePageEnforcementContext(this.administrator, page), false);
+ this.enforce(this.writePageEnforcementContext(this.manager, page), false);
+ this.enforce(this.writePageEnforcementContext(this.user, page), false);
+ this.enforce(this.writePageEnforcementContext(this.guest, page), false);
+
+ this.enforce(this.readPageEnforcementContext(this.root, page), true);
+ this.enforce(this.readPageEnforcementContext(this.administrator, page), true);
+ this.enforce(this.readPageEnforcementContext(this.manager, page), true);
+ this.enforce(this.readPageEnforcementContext(this.user, page), true);
+ this.enforce(this.readPageEnforcementContext(this.guest, page), true);
+ }
+
+ public void testPageAccessibleByGuestsOnly() throws Exception
+ {
+ Page page = new Page();
+ page.setName("index");
+ page.setOwnerType(this.getOwnerType());
+ page.setOwnerId("foo");
+ page.setAccessPermissions(new String[]{this.exoPolicyProvisioner.getGuestGroup()});
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(page);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ // Assert
+ this.enforce(this.writePageEnforcementContext(this.root, page), true);
+ this.enforce(this.writePageEnforcementContext(this.administrator, page), false);
+ this.enforce(this.writePageEnforcementContext(this.manager, page), false);
+ this.enforce(this.writePageEnforcementContext(this.user, page), false);
+ this.enforce(this.writePageEnforcementContext(this.guest, page), false);
+
+ this.enforce(this.readPageEnforcementContext(this.root, page), true);
+ this.enforce(this.readPageEnforcementContext(this.administrator, page), false);
+ this.enforce(this.readPageEnforcementContext(this.manager, page), false);
+ this.enforce(this.readPageEnforcementContext(this.user, page), false);
+ this.enforce(this.readPageEnforcementContext(this.guest, page), true);
+ }
+
+ public void testPageWithAccessPermission() throws Exception
+ {
+ Page page = new Page();
+ page.setName("index");
+ page.setOwnerType(this.getOwnerType());
+ page.setOwnerId("foo");
+ page.setAccessPermissions(new String[]{"manager:/manageable"});
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(page);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ this.enforce(this.writePageEnforcementContext(this.root, page), true);
+ this.enforce(this.writePageEnforcementContext(this.administrator, page), false);
+ this.enforce(this.writePageEnforcementContext(this.manager, page), false);
+ this.enforce(this.writePageEnforcementContext(this.user, page), false);
+ this.enforce(this.writePageEnforcementContext(this.guest, page), false);
+
+ this.enforce(this.readPageEnforcementContext(this.root, page), true);
+ this.enforce(this.readPageEnforcementContext(this.administrator, page), false);
+ this.enforce(this.readPageEnforcementContext(this.manager, page), true);
+ this.enforce(this.readPageEnforcementContext(this.user, page), false);
+ this.enforce(this.readPageEnforcementContext(this.guest, page), false);
+
+ //TODO: test with *:/manageable once wild card based custom Roles component is
implemented
+ }
+
+ public void testPageWithEditPermission() throws Exception
+ {
+ Page page = new Page();
+ page.setName("index");
+ page.setOwnerType(this.getOwnerType());
+ page.setOwnerId("foo");
+ page.setAccessPermissions(new String[0]);
+ page.setEditPermission("manager:/manageable");
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(page);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ this.enforce(this.writePageEnforcementContext(this.root, page), true);
+ this.enforce(this.writePageEnforcementContext(this.administrator, page), false);
+ this.enforce(this.writePageEnforcementContext(this.manager, page), true);
+ this.enforce(this.writePageEnforcementContext(this.user, page), false);
+ this.enforce(this.writePageEnforcementContext(this.guest, page), false);
+
+ this.enforce(this.readPageEnforcementContext(this.root, page), true);
+ this.enforce(this.readPageEnforcementContext(this.administrator, page), false);
+ this.enforce(this.readPageEnforcementContext(this.manager, page), true);
+ this.enforce(this.readPageEnforcementContext(this.user, page), false);
+ this.enforce(this.readPageEnforcementContext(this.guest, page), false);
+
+ //TODO: test with *:/manageable once wild card based custom Roles component is
implemented
+ }
+ //
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ /**
+ * Enforcement Phase: Creates an EnforcementContext for an incoming request
+ * that is trying to "Read the Page Object". The EnforcementContext is
+ * populated with "Security Components" whose state comes from the state of
+ * the application for the incoming thread
+ */
+ private EnforcementContext readPageEnforcementContext(User user, Page page)
+ throws Exception
+ {
+ // Create an EnforcementContext
+ EnforcementContext context = this.accessPageEnforcementContext(user, page);
+
+ // Create Action
+ context.setAttribute("action", new Read());
+
+ return context;
+ }
+
+ /**
+ * Enforcement Phase: Creates an EnforcementContext for an incoming request
+ * that is trying to "Edit the Portal Object". The EnforcementContext is
+ * populated with "Security Components" whose state comes from the state of
+ * the application for the incoming thread
+ */
+ private EnforcementContext writePageEnforcementContext(User user, Page page)
+ throws Exception
+ {
+ // Create an EnforcementContext
+ EnforcementContext context = this.accessPageEnforcementContext(user, page);
+
+ // Create Action
+ context.setAttribute("action", new Write());
+
+ return context;
+ }
+
+ private EnforcementContext accessPageEnforcementContext(User user, Page page)
+ throws Exception
+ {
+ // Create an EnforcementContext
+ EnforcementContext context = new EnforcementContext();
+
+ // Create Resource
+ URIResource portalRes = new URIResource();
+ portalRes.setUri(new URI("page://"+page.getName()));
+ context.setAttribute("resource", portalRes);
+
+ // Create Identity
+ Identity identity = new Identity();
+ if (user.getId() != null)
+ {
+ identity.setName(user.getId());
+ context.setAttribute("identity", identity);
+ }
+
+ // Create Roles
+ Roles roles = new Roles();
+ Collection<MembershipEntry> memberships = user.getMemberships();
+ if (memberships != null && !memberships.isEmpty())
+ {
+ for (MembershipEntry membership : memberships)
+ {
+ roles.addName(membership.toString());
+ }
+ }
+ else
+ {
+ // Check to see if this is guest access
+ if (user.getId() == null)
+ {
+ // This is a guest user
+ //TODO: chage this to something like whatever:guestGroup once custom Roles component
is used
+ roles.addName("*:"+this.exoPolicyProvisioner.getGuestGroup());
+
+ roles.addName(Roles.ANONYMOUS);
+ }
+ }
+ roles.addName("Everyone");
+ context.setAttribute("roles", roles);
+
+ return context;
+ }
+}
Modified:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossCreatePortalACL.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossCreatePortalACL.java 2009-07-30
22:10:50 UTC (rev 13646)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossCreatePortalACL.java 2009-07-31
20:23:34 UTC (rev 13647)
@@ -23,12 +23,9 @@
import org.exoplatform.services.security.MembershipEntry;
import org.jboss.security.authz.agent.enforcement.EnforcementContext;
-import org.jboss.security.authz.agent.services.CompositionContext;
import org.jboss.security.authz.components.resource.URIResource;
import org.jboss.security.authz.components.subject.Roles;
import org.jboss.security.authz.components.subject.Identity;
-import org.jboss.security.authz.model.Effect;
-import org.jboss.security.authz.model.PolicyMetaData;
/**
* @author soshah
@@ -38,7 +35,6 @@
{
public void testCreatePortal() throws Exception
{
- this.provisionCreatePortalPolicy(false);
this.dumpPolicyRepository();
// Generate an EnforcementContext to see if the superuser and administrator
@@ -51,76 +47,7 @@
// user are allowed to create a Portal..Result: They shouldn't be
this.enforce(this.createPortalEnforcementContext(this.manager), false);
this.enforce(this.createPortalEnforcementContext(this.user), false);
- }
-
- public void testCreatePortalGuestAllowed() throws Exception
- {
- this.provisionCreatePortalPolicy(true);
- this.dumpPolicyRepository();
-
- // Generate an EnforcementContext to see if the superuser and administrator
- // are allowed to create a Portal...Result: They should be
- this.enforce(this.createPortalEnforcementContext(this.root), true);
- this.enforce(this.createPortalEnforcementContext(this.administrator), true);
- this.enforce(this.createPortalEnforcementContext(this.guest), true);
-
- // Generate an EnforcementContext to see if a standard manager and a regular
- // user are allowed to create a Portal..Result: They shouldn't be
- this.enforce(this.createPortalEnforcementContext(this.manager), false);
- this.enforce(this.createPortalEnforcementContext(this.user), false);
- }
- //
---------------------------------------------------------------------------------------------------------------------------------------------------------------
- /**
- * Provisioning Phase: Provisions the Policy for Portal Creation. The Policy
- * Structure is created using "Security Components" whose state is populated
- * from appropriate System configuration values
- */
- private void provisionCreatePortalPolicy(boolean guestAllowed) throws Exception
- {
- CompositionContext context = new CompositionContext();
-
- // Using the custom "CreatePortal" "Security Component"
- CreatePortal action = new CreatePortal();
- URIResource resource = new URIResource();
- resource.setUri(new URI(action.getName()));
- context.setPolicyTarget(resource);
-
- // Super User... Supers Users have access to everything
- org.jboss.security.authz.components.subject.Identity superuser = new
org.jboss.security.authz.components.subject.Identity();
- superuser.setName(this.root.getId()); // Provided via system configuration
- context.addPolicyRule(Effect.PERMIT, action, superuser);
-
- if(guestAllowed)
- {
- // Guest Group
- Roles guest = new Roles();
- guest.addName("*:"+this.guestGroup_);
- guest.addName(Roles.ANONYMOUS);
- guest.setMustMatchAll(true);
- context.addPolicyRule(Effect.PERMIT, action, guest, "allowExpression");
- }
-
- // PortalCreators Group....
- // TODO: replace whatever:/platform/administrators, and
- // whatever:/organization/management/executive-board
- // with *:/platform/administrators, and
- // *:/organization/management/executive-board once custom Roles component is
- // implemented
- Roles portalCreators = new Roles();
- // portalCreators.addName("*:/platform/administrators"); //Provided via
- // system configuration
- // portalCreators.addName("*:/organization/management/executive-board");
- // //Provided via system configuration
- portalCreators.addName("whatever:/platform/administrators");
- portalCreators.addName("whatever:/organization/management/executive-board");
- context.addPolicyRule(Effect.PERMIT, action, portalCreators,
- "allowExpression");
-
- // Store the policy into the Policy Server
- PolicyMetaData policyMetaData = this.policyComposer.compose(context);
- this.provisioner.newPolicy(policyMetaData);
- }
-
+ }
//
----------------------------------------------------------------------------------------------------------------------------------------------------------------
/**
* Enforcement Phase: Creates an EnforcementContext for an incoming request
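Review bot: The guest principal is no longer asserted against the create-portal action anywhere visible in this file: the deleted `testCreatePortalGuestAllowed` was the only test that sent `this.guest` through `createPortalEnforcementContext`, and the surviving `testCreatePortal` now relies on whatever policy the base class provisions, which is outside this view. The lines of `testCreatePortal` between the two hunks are not visible either; if none of them covers the anonymous case, add `this.enforce(this.createPortalEnforcementContext(this.guest), false);` next to the manager and user checks so that default-deny for anonymous portal creation stays under test. The removed helper also carried the TODO about wildcard `*:/platform/administrators` roles; if that requirement still applies to the provisioner, the note should survive somewhere, e.g. on the base class, rather than disappear with the helper.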
Added:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationGroupPageACL.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationGroupPageACL.java
(rev 0)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationGroupPageACL.java 2009-07-31
20:23:34 UTC (rev 13647)
@@ -0,0 +1,18 @@
+/**
+ *
+ */
+package org.exoplatform.portal.config.security.jboss;
+
+import org.exoplatform.portal.config.model.PortalConfig;
+
+/**
+ * @author soshah
+ *
+ */
+public class TestJBossIntegrationGroupPageACL extends JBossIntegrationSharedPageACL
+{
+ public String getOwnerType()
+ {
+ return PortalConfig.GROUP_TYPE;
+ }
+}
Added:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationPageNavACL.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationPageNavACL.java
(rev 0)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationPageNavACL.java 2009-07-31
20:23:34 UTC (rev 13647)
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2003-2007 eXo Platform SAS.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Affero General Public License
+ * as published by the Free Software Foundation; either version 3
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not,
see<http://www.gnu.org/licenses/>.
+ */
+package org.exoplatform.portal.config.security.jboss;
+
+import org.exoplatform.portal.config.model.PageNavigation;
+import java.util.Collection;
+import java.net.URI;
+
+import org.exoplatform.portal.config.model.PortalConfig;
+import org.exoplatform.services.security.MembershipEntry;
+
+import org.jboss.security.authz.components.resource.URIResource;
+import org.jboss.security.authz.components.subject.Identity;
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.components.action.Write;
+import org.jboss.security.authz.agent.enforcement.EnforcementContext;
+
+/**
+ *
+ * @author soshah
+ *
+ */
+public class TestJBossIntegrationPageNavACL extends JBossAbstractIntegrationTest
+{
+
+ public void testNavEditByManagerGroup() throws Exception
+ {
+ PageNavigation nav = new PageNavigation();
+ nav.setDescription("testPageNavigation");
+ nav.setOwnerType(PortalConfig.GROUP_TYPE);
+ nav.setOwnerId("manageable");
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(nav);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ this.enforce(this.writePageNavEnforcementContext(this.root, nav), true);
+ this.enforce(this.writePageNavEnforcementContext(this.administrator, nav), false);
+ this.enforce(this.writePageNavEnforcementContext(this.manager, nav), true);
+ this.enforce(this.writePageNavEnforcementContext(this.user, nav), false);
+ this.enforce(this.writePageNavEnforcementContext(this.guest, nav), false);
+ }
+
+ public void testNavEditByFooGroup() throws Exception
+ {
+ PageNavigation nav = new PageNavigation();
+ nav.setDescription("testPageNavigation");
+ nav.setOwnerType(PortalConfig.GROUP_TYPE);
+ nav.setOwnerId("foo");
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(nav);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ this.enforce(this.writePageNavEnforcementContext(this.root, nav), true);
+ this.enforce(this.writePageNavEnforcementContext(this.administrator, nav), false);
+ this.enforce(this.writePageNavEnforcementContext(this.manager, nav), false);
+ this.enforce(this.writePageNavEnforcementContext(this.user, nav), false);
+ this.enforce(this.writePageNavEnforcementContext(this.guest, nav), false);
+ }
+
+ public void testNavEditByUser() throws Exception
+ {
+ PageNavigation nav = new PageNavigation();
+ nav.setDescription("testPageNavigation");
+ nav.setOwnerType(PortalConfig.USER_TYPE);
+ nav.setOwnerId("user");
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(nav);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ this.enforce(this.writePageNavEnforcementContext(this.root, nav), true);
+ this.enforce(this.writePageNavEnforcementContext(this.administrator, nav), false);
+ this.enforce(this.writePageNavEnforcementContext(this.manager, nav), false);
+ this.enforce(this.writePageNavEnforcementContext(this.user, nav), true);
+ this.enforce(this.writePageNavEnforcementContext(this.guest, nav), false);
+ }
+
+ public void testNavEditByGuest() throws Exception
+ {
+ PageNavigation nav = new PageNavigation();
+ nav.setDescription("testPageNavigation");
+ nav.setOwnerType(PortalConfig.GROUP_TYPE);
+ nav.setOwnerId(this.exoPolicyProvisioner.getGuestGroup());
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(nav);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ this.enforce(this.writePageNavEnforcementContext(this.root, nav), true);
+ this.enforce(this.writePageNavEnforcementContext(this.administrator, nav), false);
+ this.enforce(this.writePageNavEnforcementContext(this.manager, nav), false);
+ this.enforce(this.writePageNavEnforcementContext(this.user, nav), false);
+ this.enforce(this.writePageNavEnforcementContext(this.guest, nav), true);
+ }
+ //
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
+ /**
+ * Enforcement Phase: Creates an EnforcementContext for an incoming request that is
trying to "Edit the Page Navigation Object". The EnforcementContext is populated
with
+ * "Security Components" whose state comes from the state of the application
for the incoming thread
+ */
+ private EnforcementContext writePageNavEnforcementContext(User user, PageNavigation
pageNavigation) throws Exception
+ {
+ //Create an EnforcementContext
+ EnforcementContext context = new EnforcementContext();
+
+ // Create Resource
+ URIResource portalRes = new URIResource();
+ portalRes.setUri(new URI("pagenav://"+pageNavigation.getDescription()));
+ context.setAttribute("resource", portalRes);
+
+ // Create Identity
+ Identity identity = new Identity();
+ if(user.getId() != null)
+ {
+ identity.setName(user.getId());
+ context.setAttribute("identity", identity);
+ }
+
+ //Create Roles
+ Roles roles = new Roles();
+ Collection<MembershipEntry> memberships = user.getMemberships();
+ if (memberships != null && !memberships.isEmpty())
+ {
+ for (MembershipEntry membership : memberships)
+ {
+ roles.addName(membership.toString());
+ }
+ }
+ else
+ {
+ // Check to see if this is guest access
+ if (user.getId() == null)
+ {
+ // This is a guest user
+ //TODO: chage this to something like whatever:guestGroup once custom Roles component
is used
+ roles.addName("*:"+this.exoPolicyProvisioner.getGuestGroup());
+
+ roles.addName(Roles.ANONYMOUS);
+ }
+ }
+ roles.addName("Everyone");
+ context.setAttribute("roles", roles);
+
+ context.setAttribute("action", new Write());
+
+ return context;
+ }
+}
\ No newline at end of file
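Review bot: The enforcement resource in `writePageNavEnforcementContext` is keyed on the free-form description, `portalRes.setUri(new URI("pagenav://"+pageNavigation.getDescription()));`, so all four tests enforce against the same target `pagenav://testPageNavigation` although they provision navigations with different owner types and ids. Whether that is sound depends on how `ExoPolicyProvisioner.provision(nav)` names its policy target, which is not visible here; if it also keys on the description, the policies from earlier tests overlap and `testNavEditByFooGroup` expecting `manager` to be denied only holds if the policy repository is reset between tests. A description is a display field rather than an identifier, so `ownerType` plus `ownerId` is the stable key for a navigation; consider `new URI("pagenav://"+pageNavigation.getOwnerType()+"/"+pageNavigation.getOwnerId())` here, matched on the provisioning side, and give each test a distinct description until then. The roles construction, including the guest special case, is repeated verbatim in the page and portal test classes; hoisting it into `JBossAbstractIntegrationTest` would keep the anonymous-role mapping in one place.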
Copied:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationPortalConfigACL.java
(from rev 13646,
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossPolicyProvisioner.java)
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationPortalConfigACL.java
(rev 0)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationPortalConfigACL.java 2009-07-31
20:23:34 UTC (rev 13647)
@@ -0,0 +1,248 @@
+/**
+ *
+ */
+package org.exoplatform.portal.config.security.jboss;
+
+import java.net.URI;
+import java.util.Collection;
+
+import org.exoplatform.portal.config.model.PortalConfig;
+import org.exoplatform.services.security.MembershipEntry;
+import org.jboss.security.authz.agent.enforcement.EnforcementContext;
+import org.jboss.security.authz.components.action.Read;
+import org.jboss.security.authz.components.action.Write;
+import org.jboss.security.authz.components.resource.URIResource;
+import org.jboss.security.authz.components.subject.Identity;
+import org.jboss.security.authz.components.subject.Roles;
+
+/**
+ * @author soshah
+ *
+ */
+public class TestJBossIntegrationPortalConfigACL extends JBossAbstractIntegrationTest
+{
+ public void testPortalRootAccessOnly() throws Exception
+ {
+ PortalConfig portal = new PortalConfig();
+ portal.setName("foo");
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(portal);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ this.enforce(this.writePortalEnforcementContext(this.root, portal), true);
+ this.enforce(
+ this.writePortalEnforcementContext(this.administrator, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.manager, portal),
+ false);
+ this.enforce(this.writePortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.guest, portal), false);
+
+ this.enforce(this.readPortalEnforcementContext(this.root, portal), true);
+ this.enforce(this.readPortalEnforcementContext(this.administrator, portal),
+ false);
+ this
+ .enforce(this.readPortalEnforcementContext(this.manager, portal), false);
+ this.enforce(this.readPortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.readPortalEnforcementContext(this.guest, portal), false);
+ }
+
+ public void testPortalOnlyReadAccess() throws Exception
+ {
+ PortalConfig portal = new PortalConfig();
+ portal.setName("foo");
+ portal.setAccessPermissions(new String[] { "manager:/manageable" });
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(portal);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ this.enforce(this.writePortalEnforcementContext(this.root, portal), true);
+ this.enforce(
+ this.writePortalEnforcementContext(this.administrator, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.manager, portal),
+ false);
+ this.enforce(this.writePortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.guest, portal), false);
+
+ this.enforce(this.readPortalEnforcementContext(this.root, portal), true);
+ this.enforce(this.readPortalEnforcementContext(this.administrator, portal),
+ false);
+ this.enforce(this.readPortalEnforcementContext(this.manager, portal), true);
+ this.enforce(this.readPortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.readPortalEnforcementContext(this.guest, portal), false);
+ }
+
+ public void testPortalEditableAndReadImplied() throws Exception
+ {
+ PortalConfig portal = new PortalConfig();
+ portal.setName("foo");
+ portal.setEditPermission("manager:/manageable");
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(portal);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ this.enforce(this.writePortalEnforcementContext(this.root, portal), true);
+ this.enforce(
+ this.writePortalEnforcementContext(this.administrator, portal), false);
+ this
+ .enforce(this.writePortalEnforcementContext(this.manager, portal), true);
+ this.enforce(this.writePortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.guest, portal), false);
+
+ this.enforce(this.readPortalEnforcementContext(this.root, portal), true);
+ this.enforce(this.readPortalEnforcementContext(this.administrator, portal),
+ false);
+ this.enforce(this.readPortalEnforcementContext(this.manager, portal), true);
+ this.enforce(this.readPortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.readPortalEnforcementContext(this.guest, portal), false);
+ }
+
+ public void testPortalReadAndEditableExplicit() throws Exception
+ {
+ PortalConfig portal = new PortalConfig();
+ portal.setName("foo");
+ portal.setAccessPermissions(new String[] { "manager:/manageable" });
+ portal.setEditPermission("manager:/manageable");
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(portal);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ this.enforce(this.writePortalEnforcementContext(this.root, portal), true);
+ this.enforce(
+ this.writePortalEnforcementContext(this.administrator, portal), false);
+ this
+ .enforce(this.writePortalEnforcementContext(this.manager, portal), true);
+ this.enforce(this.writePortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.guest, portal), false);
+
+ this.enforce(this.readPortalEnforcementContext(this.root, portal), true);
+ this.enforce(this.readPortalEnforcementContext(this.administrator, portal),
+ false);
+ this.enforce(this.readPortalEnforcementContext(this.manager, portal), true);
+ this.enforce(this.readPortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.readPortalEnforcementContext(this.guest, portal), false);
+ }
+
+ public void testGuestAllowedEdit() throws Exception
+ {
+ PortalConfig portal = new PortalConfig();
+ portal.setName("foo");
+ portal.setEditPermission(this.exoPolicyProvisioner.getGuestGroup());
+
+ //Provision the Policy for this Resource
+ this.exoPolicyProvisioner.provision(portal);
+
+ //Debug
+ this.exoPolicyProvisioner.debug();
+
+ this.enforce(this.writePortalEnforcementContext(this.root, portal), true);
+ this.enforce(
+ this.writePortalEnforcementContext(this.administrator, portal), false);
+ this
+ .enforce(this.writePortalEnforcementContext(this.manager, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.writePortalEnforcementContext(this.guest, portal), true);
+
+ this.enforce(this.readPortalEnforcementContext(this.root, portal), true);
+ this.enforce(this.readPortalEnforcementContext(this.administrator, portal),
+ false);
+ this.enforce(this.readPortalEnforcementContext(this.manager, portal), false);
+ this.enforce(this.readPortalEnforcementContext(this.user, portal), false);
+ this.enforce(this.readPortalEnforcementContext(this.guest, portal), true);
+ }
+ //----------------------------------------------------------------------------------------------------------------------------------------------------------------------
+ /**
+ * Enforcement Phase: Creates an EnforcementContext for an incoming request
+ * that is trying to "Read the Portal Object". The EnforcementContext is
+ * populated with "Security Components" whose state comes from the state of
+ * the application for the incoming thread
+ */
+ private EnforcementContext readPortalEnforcementContext(User user,
+ PortalConfig portal) throws Exception
+ {
+ // Create an EnforcementContext
+ EnforcementContext context = this.accessPortalEnforcementContext(user,
+ portal);
+
+ // Create Action
+ context.setAttribute("action", new Read());
+
+ return context;
+ }
+
+ /**
+ * Enforcement Phase: Creates an EnforcementContext for an incoming request
+ * that is trying to "Edit the Portal Object". The EnforcementContext is
+ * populated with "Security Components" whose state comes from the state of
+ * the application for the incoming thread
+ */
+ private EnforcementContext writePortalEnforcementContext(User user,
+ PortalConfig portal) throws Exception
+ {
+ // Create an EnforcementContext
+ EnforcementContext context = this.accessPortalEnforcementContext(user,
+ portal);
+
+ // Create Action
+ context.setAttribute("action", new Write());
+
+ return context;
+ }
+
+ private EnforcementContext accessPortalEnforcementContext(User user,
+ PortalConfig portal) throws Exception
+ {
+ // Create an EnforcementContext
+ EnforcementContext context = new EnforcementContext();
+
+ // Create Resource
+ URIResource portalRes = new URIResource();
+ portalRes.setUri(new URI("portal://"+portal.getName()));
+ context.setAttribute("resource", portalRes);
+
+ // Create Identity
+ Identity identity = new Identity();
+ if (user.getId() != null)
+ {
+ identity.setName(user.getId());
+ context.setAttribute("identity", identity);
+ }
+
+ // Create Roles
+ Roles roles = new Roles();
+ Collection<MembershipEntry> memberships = user.getMemberships();
+ if (memberships != null && !memberships.isEmpty())
+ {
+ for (MembershipEntry membership : memberships)
+ {
+ roles.addName(membership.toString());
+ }
+ }
+ else
+ {
+ // Check to see if this is guest access
+ if (user.getId() == null)
+ {
+ // This is a guest user
+ //TODO: chage this to something like whatever:guestGroup once custom Roles component
is used
+ roles.addName("*:"+this.exoPolicyProvisioner.getGuestGroup());
+ roles.addName(Roles.ANONYMOUS);
+ }
+ }
+ roles.addName("Everyone");
+ context.setAttribute("roles", roles);
+
+ return context;
+ }
+}
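Review bot: No test checks that a principal in the right group but with the wrong membership type is denied: every positive case uses `manager:/manageable`, and the role name presented to the policy is `membership.toString()`, so nothing shows whether the policy distinguishes `manager:/manageable` from, say, `member:/manageable`. A negative assertion in `testPortalOnlyReadAccess` would cover it: `User member = new User("member"); member.addMembership("member", "/manageable"); this.enforce(this.readPortalEnforcementContext(member, portal), false);` — assuming `MembershipEntry.toString()` renders as `type:group`, which the expected role names suggest but this file does not show. `testGuestAllowedEdit` also pins that `setEditPermission(getGuestGroup())` grants anonymous Write while `administrator` is denied; a comment stating that this is the intended semantics rather than an accident would help, e.g. `// Edit permission set to the guest group means anonymous callers may write; this is the expected policy, not a regression`.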
Property changes on:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationPortalConfigACL.java
___________________________________________________________________
Name: svn:mergeinfo
+
Added:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationUserPageACL.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationUserPageACL.java
(rev 0)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossIntegrationUserPageACL.java 2009-07-31
20:23:34 UTC (rev 13647)
@@ -0,0 +1,18 @@
+/**
+ *
+ */
+package org.exoplatform.portal.config.security.jboss;
+
+import org.exoplatform.portal.config.model.PortalConfig;
+
+/**
+ * @author soshah
+ *
+ */
+public class TestJBossIntegrationUserPageACL extends JBossIntegrationSharedPageACL
+{
+ public String getOwnerType()
+ {
+ return PortalConfig.USER_TYPE;
+ }
+}
Deleted:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossPolicyProvisioner.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossPolicyProvisioner.java 2009-07-30
22:10:50 UTC (rev 13646)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/TestJBossPolicyProvisioner.java 2009-07-31
20:23:34 UTC (rev 13647)
@@ -1,16 +0,0 @@
-/**
- *
- */
-package org.exoplatform.portal.config.security.jboss;
-
-/**
- * @author soshah
- *
- */
-public class TestJBossPolicyProvisioner extends JBossAbstractIntegrationTest
-{
- public void testProvisionPortal() throws Exception
- {
-
- }
-}
Added:
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/User.java
===================================================================
---
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/User.java
(rev 0)
+++
jbossexo/branches/security-integration-sandbox/portal/trunk/component/portal/src/test/java/org/exoplatform/portal/config/security/jboss/User.java 2009-07-31
20:23:34 UTC (rev 13647)
@@ -0,0 +1,95 @@
+/**
+ *
+ */
+package org.exoplatform.portal.config.security.jboss;
+
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+
+import org.exoplatform.services.security.ConversationState;
+import org.exoplatform.services.security.Identity;
+import org.exoplatform.services.security.MembershipEntry;
+
+/**
+ * @author soshah
+ *
+ */
+class User
+{
+ private final Identity identity;
+
+ User(String id)
+ {
+ if (id != null)
+ {
+ Collection<String> roles = Collections.emptySet();
+ Set<MembershipEntry> memberships = new HashSet<MembershipEntry>();
+ identity = new Identity(id, memberships, roles);
+ }
+ else
+ {
+ identity = null;
+ }
+ }
+
+ public String getId()
+ {
+ return identity != null ? identity.getUserId() : null;
+ }
+
+ public void addMembership(String type, String group)
+ {
+ identity.getMemberships().add(new MembershipEntry(group, type));
+ }
+
+ public void removeMembership(String type, String group)
+ {
+ for (Iterator<MembershipEntry> i = identity.getMemberships().iterator(); i
+ .hasNext();)
+ {
+ MembershipEntry membership = i.next();
+ if (type == null || type.equals(membership.getMembershipType()))
+ {
+ if (group == null || group.equals(membership.getGroup()))
+ {
+ i.remove();
+ }
+ }
+ }
+ }
+
+ public Collection<MembershipEntry> getMemberships()
+ {
+ if (this.identity != null)
+ {
+ return this.identity.getMemberships();
+ }
+ return null;
+ }
+
+ public void removeMembershipByType(String type)
+ {
+ removeMembership(type, null);
+ }
+
+ public void removeMembershipByGroup(String group)
+ {
+ removeMembership(null, group);
+ }
+
+ public void run(Runnable runnable)
+ {
+ ConversationState.setCurrent(new ConversationState(identity));
+ try
+ {
+ runnable.run();
+ }
+ finally
+ {
+ ConversationState.setCurrent(null);
+ }
+ }
+}
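Review bot: `addMembership` and `removeMembership` dereference `identity` without a null check, while `getId` and `getMemberships` guard it, so calling either on a guest built with `new User(null)` fails with a bare `NullPointerException` that gives no hint the object is a guest. A guard with a message keeps the failure readable: `if (identity == null) throw new IllegalStateException("guest User (null id) has no memberships");` at the top of both methods. `removeMembership(null, null)` silently clears every membership, and `run` installs a `ConversationState` built from a null identity for guests; whether `ConversationState` accepts that is not visible here, and both behaviours deserve a Javadoc line, e.g. `/** Removes memberships matching {@code type} and {@code group}; a null argument matches any value, so (null, null) clears all. */`.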