Author: sohil.shah(a)jboss.com
Date: 2009-07-29 16:01:36 -0400 (Wed, 29 Jul 2009)
New Revision: 13629
Added:
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/test/AbstractTest.java
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/test/TestMultiPolicyStore.java
Modified:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/subject/Roles.java
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/subject/TestRolesDroolsRules.java
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/TestURLPattern.java
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DroolsFunction.java
Log:
exo-integration inspired bug fixes
* Roles component Drools expression needed fixing
* Testing for MultiPolicy scenarios...more needed
Added:
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/test/AbstractTest.java
===================================================================
---
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/test/AbstractTest.java
(rev 0)
+++
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/test/AbstractTest.java 2009-07-29
20:01:36 UTC (rev 13629)
@@ -0,0 +1,81 @@
+/**
+ *
+ */
+package org.jboss.security.authz.agent.test;
+
+import java.net.URI;
+
+import junit.framework.TestCase;
+import org.apache.log4j.Logger;
+
+import org.jboss.security.authz.bootstrap.ServiceContainer;
+
+import org.jboss.security.authz.components.resource.URIResource;
+import org.jboss.security.authz.components.subject.Identity;
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.components.action.Read;
+
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.PolicyMetaData;
+
+import org.jboss.security.authz.agent.enforcement.PolicyEnforcementPoint;
+import org.jboss.security.authz.agent.enforcement.EnforcementContext;
+import org.jboss.security.authz.agent.enforcement.EnforcementResponse;
+import org.jboss.security.authz.agent.provisioning.PolicyProvisioner;
+
+import org.jboss.security.authz.agent.services.CompositionContext;
+import org.jboss.security.authz.agent.services.PolicyComposer;
+
+/**
+ * @author soshah
+ *
+ */
+public abstract class AbstractTest extends TestCase
+{
+ private static Logger log = Logger.getLogger(AbstractTest.class);
+
+ protected PolicyComposer policyComposer;
+ protected PolicyEnforcementPoint enforcer;
+ protected PolicyProvisioner provisioner;
+
+ public void setUp() throws Exception
+ {
+ ServiceContainer.bootstrap();
+
+ this.policyComposer =
(PolicyComposer)ServiceContainer.lookup("/agent/PolicyComposer");
+ this.enforcer =
(PolicyEnforcementPoint)ServiceContainer.lookup("/agent/LocalEnforcementPoint");
+ this.provisioner =
(PolicyProvisioner)ServiceContainer.lookup("/agent/LocalPolicyProvisioner");
+ }
+
+ protected void enforce(EnforcementContext enforcementContext, boolean mustBePermitted)
throws Exception
+ {
+ EnforcementResponse response = this.enforcer.checkAccess(enforcementContext);
+
+ assertNotNull(response);
+ log.info("-----------------------------------");
+ log.info("Decision="+response.getMessage());
+
+ if(mustBePermitted)
+ {
+ assertTrue("Access must be granted!!!", response.isAccessGranted());
+ }
+ else
+ {
+ assertFalse("Access must be denied!!!", response.isAccessGranted());
+ }
+ }
+
+ protected void assertServerState() throws Exception
+ {
+ //Assert Policy State of the Server
+ Policy[] policies = this.provisioner.readAllPolicies();
+
+ assertTrue("Policy Store must not be empty!!", (policies != null &&
policies.length >0));
+ log.info("------------------------------------------------------------------------------");
+ for(Policy policy: policies)
+ {
+ log.info(policy.generateSystemPolicy());
+ }
+ }
+}
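Review bot: `setUp` bootstraps the ServiceContainer and resolves the three services, but there is no `tearDown`, so whatever policies a subclass provisions in its own `setUp` stay in the store across test methods, and `assertServerState` only checks that the store is non-empty, which would not reveal such leakage. Add a `tearDown` counterpart that removes the policies a test provisioned (using whatever removal the PolicyProvisioner offers) and keep a list of the `PolicyMetaData` handed to `newPolicy` so the cleanup knows what to delete. Also `log` should be `private static final Logger log = Logger.getLogger(AbstractTest.class);`, and the unused imports (`URI`, `URIResource`, `Identity`, `Roles`, `Read`, `Effect`, `PolicyMetaData`, `CompositionContext`) can be dropped from this base class.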
Added:
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/test/TestMultiPolicyStore.java
===================================================================
---
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/test/TestMultiPolicyStore.java
(rev 0)
+++
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/test/TestMultiPolicyStore.java 2009-07-29
20:01:36 UTC (rev 13629)
@@ -0,0 +1,99 @@
+/**
+ *
+ */
+package org.jboss.security.authz.agent.test;
+
+import java.net.URI;
+
+import org.apache.log4j.Logger;
+import org.jboss.security.authz.agent.enforcement.EnforcementContext;
+import org.jboss.security.authz.agent.services.CompositionContext;
+import org.jboss.security.authz.components.action.Read;
+import org.jboss.security.authz.components.resource.URIResource;
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.components.subject.Identity;
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.PolicyMetaData;
+
+/**
+ * @author soshah
+ *
+ */
+public class TestMultiPolicyStore extends AbstractTest
+{
+ private static Logger log = Logger.getLogger(TestMultiPolicyStore.class);
+
+ public void setUp() throws Exception
+ {
+ super.setUp();
+ this.provisionOnStartup();
+ }
+
+ public void testPolicyStoreInit() throws Exception
+ {
+ this.assertServerState();
+
+ //Perform Enforcement
+ this.enforce(this.createEnforcementContext("/blah0", new Read()), true);
+ this.enforce(this.createEnforcementContext("/blah1", new Read()), false);
+ }
+ //---------------------------------------------------------------------------------------------------------------------------------------------------------------
+ private void provisionOnStartup() throws Exception
+ {
+ for(int i=0; i<2; i++)
+ {
+ URIResource resource = new URIResource();
+ resource.setUri(new URI("/blah"+i));
+
+ Read action = new Read();
+
+ Identity identity = new Identity();
+ identity.setName("root");
+
+ Roles sysadmin = new Roles();
+ sysadmin.addName("sysadmin");
+
+
+ Roles allowedRoles = new Roles();
+ allowedRoles.addName("user");
+
+ //Setup the Context for the Composition with these components
+ CompositionContext context = new CompositionContext();
+ context.setPolicyTarget(resource);
+ if(i == 0)
+ {
+ context.addPolicyRule(Effect.PERMIT, action, allowedRoles,
"allowExpression");
+ }
+ context.addPolicyRule(Effect.PERMIT, action, sysadmin, "allowExpression");
+ context.addPolicyRule(Effect.PERMIT, action, identity);
+
+ //Store the policy into the Policy Server
+ PolicyMetaData policyMetaData = this.policyComposer.compose(context);
+ this.provisioner.newPolicy(policyMetaData);
+ }
+ }
+
+ private EnforcementContext createEnforcementContext(String resource, Read action) throws
Exception
+ {
+ // Create an EnforcementContext
+ EnforcementContext context = new EnforcementContext();
+
+ // Create Resource
+ URIResource protectedResource = new URIResource();
+ protectedResource.setUri(new URI(resource));
+ context.setAttribute("uri-resource", protectedResource);
+
+ // Create Subjects
+ Roles roles = new Roles();
+ roles.addName("user");
+ context.setAttribute("roles", roles);
+ Identity identity = new Identity();
+ identity.setName("blah(a)blah.com");
+ context.setAttribute("identity", identity);
+
+ // Create Action
+ context.setAttribute("action", action);
+
+ return context;
+ }
+}
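Review bot: `provisionOnStartup` runs from `setUp`, so two policies targeting `/blah0` and `/blah1` are added to the provisioner before every test method and never removed; with one test this passes, but any second test added here would run against duplicated targets. The deny case on `/blah1` is only exercised with a subject that matches none of its rules (role `user`, identity `blah(a)blah.com`), so the `sysadmin` role rule and the `root` identity rule are never shown to grant access; give `createEnforcementContext` a role/identity parameter and add permit expectations for `/blah1` with role `sysadmin` and with identity `root` to cover the positive multi-policy path. The identity value `blah(a)blah.com` looks like the archive's address mangling of `@` rather than the committed text, so verify it in the repository.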
Modified:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/subject/Roles.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/subject/Roles.java 2009-07-29
17:06:25 UTC (rev 13628)
+++
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/subject/Roles.java 2009-07-29
20:01:36 UTC (rev 13629)
@@ -52,25 +52,25 @@
public class Roles
{
//make it package-level access so that unit tests can test these rules
- static final String allowRule =
+ protected static final String allowRule =
"import java.util.HashSet\n"+
"rule \"{0}\"\n"+
"when\n"+
"$ruleName: String()\n"+
"$roles: HashSet()\n"+
- "eval($ruleName.contains(\"roles://allowRule\"))\n"+
+ "eval($ruleName.contains(\"{0}\"))\n"+
"eval({1})\n"+
"then\n"+
"insert(Boolean.TRUE);\n"+
"end\n";
- static final String denyRule =
+ protected static final String denyRule =
"import java.util.HashSet\n"+
"rule \"{0}\"\n"+
"when\n"+
"$ruleName: String()\n"+
"$roles: HashSet()\n"+
- "eval($ruleName.contains(\"roles://denyRule\"))\n"+
+ "eval($ruleName.contains(\"{0}\"))\n"+
"eval({1})\n"+
"then\n"+
"insert(Boolean.TRUE);\n"+
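Review bot: The comment at L235 ("make it package-level access so that unit tests can test these rules") no longer describes the code, since `protected` also exposes `allowRule`/`denyRule` to every subclass outside the package; either keep them package-private or reword it to `//package/subclass access so that unit tests and subclasses can reuse these rule templates`. Separately, `eval($ruleName.contains("{0}"))` is a substring test: if one rule reference can be a prefix of another (this depends on how the ids are generated), a fact inserted for the longer reference would also fire the shorter rule, whereas `eval($ruleName.equals("{0}"))` makes the match exact given that callers now insert the reference verbatim, as TestRolesDroolsRules does in this commit.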
@@ -87,6 +87,8 @@
@SecurityContextData
private Set<String> names;
+ private boolean mustMatchAll=false;
+
public Roles()
{
@@ -119,6 +121,16 @@
{
return this.getNames().isEmpty();
}
+
+ public boolean isMustMatchAll()
+ {
+ return mustMatchAll;
+ }
+
+ public void setMustMatchAll(boolean mustMatchAll)
+ {
+ this.mustMatchAll = mustMatchAll;
+ }
//------------------------------------------------------------------------------------------------------------------------------------------------------------
/**
* Creates a Policy Rule suggesting the roles indicated by this object are permitted
access to the 'Resource' designated in the Policy
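Review bot: `isMustMatchAll`/`setMustMatchAll` carry no Javadoc, and the field's effect is only discoverable by reading the two rule-generating methods further down, where it switches the join between role checks from `||` to `&&`. Suggested Javadoc on the setter: `/** When {@code true} the subject must hold every role named in this object for the generated rule to apply; when {@code false} (the default) holding any one of them is enough. */`. The new field also lacks the `@SecurityContextData` annotation that `names` carries; whether that matters depends on what that annotation drives, so confirm the flag survives whatever serialization or context propagation the annotation controls.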
@@ -135,7 +147,14 @@
StringBuffer buffer = new StringBuffer();
for(String role: this.getNames())
{
- buffer.append("$roles.contains(\""+role.toLowerCase()+"\")
|| ");
+ if(!this.mustMatchAll)
+ {
+ buffer.append("$roles.contains(\""+role.toLowerCase()+"\")
|| ");
+ }
+ else
+ {
+ buffer.append("$roles.contains(\""+role.toLowerCase()+"\")
&& ");
+ }
}
String condition = buffer.toString().trim();
String ruleLogic = MessageFormat.format(Roles.allowRule,
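Review bot: The `if`/`else` on `mustMatchAll` duplicates the whole `append` line, and the identical block is repeated in the deny-rule hunk below (L311–L320); selecting the operator once keeps each loop to a single statement: `String joiner = this.mustMatchAll ? " && " : " || ";` and then `buffer.append("$roles.contains(\"" + role.toLowerCase() + "\")" + joiner);`. Role names are spliced into the DRL text without escaping, so a name containing `"` or a line break yields a malformed or differently-scoped rule; rejecting such characters in `addName` or escaping them here would make the generated rule robust, and `toLowerCase(Locale.ROOT)` avoids locale-dependent casing of the role names. The enclosing method begins before this hunk and continues after it.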
@@ -159,7 +178,14 @@
StringBuffer buffer = new StringBuffer();
for(String role: this.getNames())
{
- buffer.append("$roles.contains(\""+role.toLowerCase()+"\")
|| ");
+ if(!this.mustMatchAll)
+ {
+ buffer.append("$roles.contains(\""+role.toLowerCase()+"\")
|| ");
+ }
+ else
+ {
+ buffer.append("$roles.contains(\""+role.toLowerCase()+"\")
&& ");
+ }
}
String condition = buffer.toString().trim();
String ruleLogic = MessageFormat.format(Roles.denyRule,
Modified:
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/subject/TestRolesDroolsRules.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/subject/TestRolesDroolsRules.java 2009-07-29
17:06:25 UTC (rev 13628)
+++
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/subject/TestRolesDroolsRules.java 2009-07-29
20:01:36 UTC (rev 13629)
@@ -54,9 +54,14 @@
"import org.jboss.security.xacml.interfaces.XACMLConstants;\n";
private RuleBase activeRuleBase;
+ private String allowedRuleReference;
+ private String deniedRuleReference;
public void setUp() throws Exception
{
+ this.allowedRuleReference =
"roles://allowRule/"+GeneralTool.generateUniqueId();
+ this.deniedRuleReference =
"roles://denyRule/"+GeneralTool.generateUniqueId();
+
StringBuilder buffer = new StringBuilder();
buffer.append(rulePkg+"\n");
@@ -82,7 +87,7 @@
finally
{
source.close();
- }
+ }
}
public void tearDown() throws Exception
@@ -96,7 +101,7 @@
WorkingMemory workingMemory = this.activeRuleBase.newStatefulSession();
//SetUp the context data
-
workingMemory.insert("roles://allowRule/"+GeneralTool.generateUniqueId());
+ workingMemory.insert(this.allowedRuleReference);
Set roles = new HashSet();
roles.add("admin");
roles.add("superuser");
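Review bot: Both tests now insert exactly the reference that was formatted into the rule (here and in the deny test at L368), so they cannot distinguish a rule that matches its own name from one that fires for any `String` fact. Add a negative case in each that inserts a different reference, for example `workingMemory.insert("roles://allowRule/" + GeneralTool.generateUniqueId());`, and asserts that no `Boolean.TRUE` fact is produced after `fireAllRules()`. The enclosing test method starts before this hunk and ends after it.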
@@ -127,7 +132,7 @@
WorkingMemory workingMemory = this.activeRuleBase.newStatefulSession();
//SetUp the context data
- workingMemory.insert("roles://denyRule/"+GeneralTool.generateUniqueId());
+ workingMemory.insert(this.deniedRuleReference);
Set roles = new HashSet();
roles.add("anonymous");
workingMemory.insert(roles);
@@ -162,7 +167,7 @@
}
String condition = buffer.toString().trim();
String rule = MessageFormat.format(Roles.allowRule,
- new Object[]{GeneralTool.generateUniqueId(), condition.substring(0,
condition.length()-2).trim()});
+ new Object[]{this.allowedRuleReference, condition.substring(0,
condition.length()-2).trim()});
return rule;
}
@@ -178,7 +183,7 @@
}
String condition = buffer.toString().trim();
String rule = MessageFormat.format(Roles.denyRule,
- new Object[]{GeneralTool.generateUniqueId(), condition.substring(0,
condition.length()-2).trim()});
+ new Object[]{this.deniedRuleReference, condition.substring(0,
condition.length()-2).trim()});
return rule;
}
Modified:
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/TestURLPattern.java
===================================================================
---
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/TestURLPattern.java 2009-07-29
17:06:25 UTC (rev 13628)
+++
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/TestURLPattern.java 2009-07-29
20:01:36 UTC (rev 13629)
@@ -89,27 +89,19 @@
assertFalse("Match(prefix/urlfoo/)",Pattern.matches(regex,
"prefix/urlfoo/"));
assertFalse("Match(/blah/prefix/url/index.html)",Pattern.matches(regex,
"/blah/prefix/url/index.html"));
- HttpResource httpResource = new HttpResource();
- httpResource.setUri(new URI("/prefix/url/*"));
-
- Roles allowedRoles = new Roles();
- allowedRoles.addName("Admin");
-
- //Setup the Context for the Composition with these components
- CompositionContext context = new CompositionContext();
- context.setPolicyTarget(httpResource);
- context.addPolicyRule(Effect.PERMIT, new Get(), allowedRoles,
"allowExpression");
+ //TODO: fix issue with duplicate matches when using concrete uris and regex uris
+ this.provision("/prefix/url/*");
+ //this.provision("/prefix/url/index.html");
- //Store the policy into the Policy Server
- PolicyMetaData policyMetaData = this.policyComposer.compose(context);
- this.provisioner.newPolicy(policyMetaData);
-
//Assert Policy State of the Server
Policy[] policies = this.provisioner.readAllPolicies();
- assertTrue("Policy Store must not be empty!!", (policies != null &&
policies.length == 1));
+ assertTrue("Policy Store must not be empty!!", (policies != null));
log.info("------------------------------------------------------------------------------");
- log.info(policies[0].generateSystemPolicy());
+ for(Policy local: policies)
+ {
+ log.info(local.generateSystemPolicy());
+ }
//Access Granted
this.enforce(this.createEnforcementContext("/prefix/url"), true);
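Review bot: The assertion at L428 was relaxed from `policies.length == 1` to `policies != null`, so an empty store now passes while the message still says the store must not be empty; assert at least `(policies != null && policies.length > 0)`, and since only one pattern is provisioned here, `policies.length == 1` could stay until the duplicate-match TODO is resolved. The commented-out `this.provision("/prefix/url/index.html")` describes an overlap between a concrete URI and a regex pattern, which is exactly the situation where enforcement could apply the wrong policy; a disabled test for that scenario or an issue reference next to the TODO would keep it from being forgotten. The enclosing test method starts before this hunk.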
@@ -166,4 +158,22 @@
return context;
}
+
+ private void provision(String urlPattern) throws Exception
+ {
+ HttpResource httpResource = new HttpResource();
+ httpResource.setUri(new URI(urlPattern));
+
+ Roles allowedRoles = new Roles();
+ allowedRoles.addName("Admin");
+
+ //Setup the Context for the Composition with these components
+ CompositionContext context = new CompositionContext();
+ context.setPolicyTarget(httpResource);
+ context.addPolicyRule(Effect.PERMIT, new Get(), allowedRoles,
"allowExpression");
+
+ //Store the policy into the Policy Server
+ PolicyMetaData policyMetaData = this.policyComposer.compose(context);
+ this.provisioner.newPolicy(policyMetaData);
+ }
}
Modified:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DroolsFunction.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DroolsFunction.java 2009-07-29
17:06:25 UTC (rev 13628)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DroolsFunction.java 2009-07-29
20:01:36 UTC (rev 13629)
@@ -116,8 +116,9 @@
for(int i=0,size=inputs.size(); i<size; i++)
{
VariableReference reference = (VariableReference)inputs.get(i);
+ String referenceId = reference.getVariableId();
- log.debug("Firing Rule ="+reference.getVariableId());
+ log.debug("Firing Rule ="+referenceId);
//Establish a Stateful Drools Session
DroolsRuleManager ruleManager =
(DroolsRuleManager)ServiceContainer.lookup("/policy-server/DroolsRuleManager");
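Review bot: `ServiceContainer.lookup("/policy-server/DroolsRuleManager")` sits inside the loop over `inputs` even though it does not depend on the loop variable, so every rule reference pays for a lookup; moving `DroolsRuleManager ruleManager = (DroolsRuleManager)ServiceContainer.lookup("/policy-server/DroolsRuleManager");` above the `for` is a one-line change. The new `referenceId` local is the right direction; the `(VariableReference)inputs.get(i)` cast could likewise be typed once if `inputs` can be declared as `List<VariableReference>`. The enclosing method begins before this hunk.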
@@ -125,7 +126,7 @@
WorkingMemory workingMemory = ruleBase.newStatefulSession();
//Populate the WorkingMemory with Facts
- workingMemory.insert(reference.getVariableId());
+ workingMemory.insert(referenceId);
this.prepareWorkingMemory(workingMemory, context);