JBoss Portal SVN: r13629 - in modules/authorization/trunk: core-components-api/src/main/java/org/jboss/security/authz/components/subject and 3 other directories. - portal-commits

Wednesday, 29 July 2009


Author: sohil.shah(a)jboss.com
Date: 2009-07-29 16:01:36 -0400 (Wed, 29 Jul 2009)
New Revision: 13629

Added:
  
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/test/AbstractTest.java
  
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/test/TestMultiPolicyStore.java
Modified:
  
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/subject/Roles.java
  
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/subject/TestRolesDroolsRules.java
  
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/TestURLPattern.java
  
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DroolsFunction.java
Log:
exo-integration inspired bug fixes
* Roles component Drools expression needed fixing
* Testing for MultiPolicy scenarios...more needed

Added:
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/test/AbstractTest.java
===================================================================
---
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/test/AbstractTest.java	
                       (rev 0)
+++
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/test/AbstractTest.java	2009-07-29
20:01:36 UTC (rev 13629)
@@ -0,0 +1,81 @@
+/**
+ * 
+ */
+package org.jboss.security.authz.agent.test;
+
+import java.net.URI;
+
+import junit.framework.TestCase;
+import org.apache.log4j.Logger;
+
+import org.jboss.security.authz.bootstrap.ServiceContainer;
+
+import org.jboss.security.authz.components.resource.URIResource;
+import org.jboss.security.authz.components.subject.Identity;
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.components.action.Read;
+
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.Policy;
+import org.jboss.security.authz.model.PolicyMetaData;
+
+import org.jboss.security.authz.agent.enforcement.PolicyEnforcementPoint;
+import org.jboss.security.authz.agent.enforcement.EnforcementContext;
+import org.jboss.security.authz.agent.enforcement.EnforcementResponse;
+import org.jboss.security.authz.agent.provisioning.PolicyProvisioner;
+
+import org.jboss.security.authz.agent.services.CompositionContext;
+import org.jboss.security.authz.agent.services.PolicyComposer;
+
+/**
+ * @author soshah
+ *
+ */
+public abstract class AbstractTest extends TestCase 
+{
+	private static Logger log = Logger.getLogger(AbstractTest.class);
+	
+	protected PolicyComposer policyComposer;
+	protected PolicyEnforcementPoint enforcer;
+	protected PolicyProvisioner provisioner;
+	
+	public void setUp() throws Exception
+	{
+		ServiceContainer.bootstrap();		
+		
+		this.policyComposer =
(PolicyComposer)ServiceContainer.lookup("/agent/PolicyComposer");
+		this.enforcer =
(PolicyEnforcementPoint)ServiceContainer.lookup("/agent/LocalEnforcementPoint");
+		this.provisioner =
(PolicyProvisioner)ServiceContainer.lookup("/agent/LocalPolicyProvisioner");		
+	}
+	
+	protected void enforce(EnforcementContext enforcementContext, boolean mustBePermitted)
throws Exception
+	{	    
+	    EnforcementResponse response = this.enforcer.checkAccess(enforcementContext);
+	    
+    	assertNotNull(response);
+    	log.info("-----------------------------------");
+        log.info("Decision="+response.getMessage());
+        
+	    if(mustBePermitted)
+	    {	    	
+	    	assertTrue("Access must be granted!!!", response.isAccessGranted());
+	    }
+	    else
+	    {
+	    	assertFalse("Access must be denied!!!", response.isAccessGranted());
+	    }        
+	}
+	
+	protected void assertServerState() throws Exception
+	{
+		//Assert Policy State of the Server
+		Policy[] policies = this.provisioner.readAllPolicies();
+		
+		assertTrue("Policy Store must not be empty!!", (policies != null &&
policies.length >0));
+		log.info("------------------------------------------------------------------------------");
+		for(Policy policy: policies)
+		{
+			log.info(policy.generateSystemPolicy());
+		}
+	}
+}

Added:
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/test/TestMultiPolicyStore.java
===================================================================
---
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/test/TestMultiPolicyStore.java	
                       (rev 0)
+++
modules/authorization/trunk/agent/src/test/java/org/jboss/security/authz/agent/test/TestMultiPolicyStore.java	2009-07-29
20:01:36 UTC (rev 13629)
@@ -0,0 +1,99 @@
+/**
+ * 
+ */
+package org.jboss.security.authz.agent.test;
+
+import java.net.URI;
+
+import org.apache.log4j.Logger;
+import org.jboss.security.authz.agent.enforcement.EnforcementContext;
+import org.jboss.security.authz.agent.services.CompositionContext;
+import org.jboss.security.authz.components.action.Read;
+import org.jboss.security.authz.components.resource.URIResource;
+import org.jboss.security.authz.components.subject.Roles;
+import org.jboss.security.authz.components.subject.Identity;
+import org.jboss.security.authz.model.Effect;
+import org.jboss.security.authz.model.PolicyMetaData;
+
+/**
+ * @author soshah
+ *
+ */
+public class TestMultiPolicyStore extends AbstractTest
+{
+	private static Logger log = Logger.getLogger(TestMultiPolicyStore.class);
+	
+	public void setUp() throws Exception
+	{
+		super.setUp();
+		this.provisionOnStartup();
+	}
+	
+	public void testPolicyStoreInit() throws Exception
+	{
+		this.assertServerState();
+		
+		//Perform Enforcement
+		this.enforce(this.createEnforcementContext("/blah0", new Read()), true);
+		this.enforce(this.createEnforcementContext("/blah1", new Read()), false);
+	}
+	//---------------------------------------------------------------------------------------------------------------------------------------------------------------
+	private void provisionOnStartup() throws Exception
+	{
+		for(int i=0; i<2; i++)
+		{
+			URIResource resource = new URIResource();
+			resource.setUri(new URI("/blah"+i));	
+			
+			Read action = new Read();
+			
+			Identity identity = new Identity();
+			identity.setName("root");
+			
+			Roles sysadmin = new Roles();
+			sysadmin.addName("sysadmin");
+			
+			
+			Roles allowedRoles = new Roles();
+			allowedRoles.addName("user");
+			
+			//Setup the Context for the Composition with these components		
+			CompositionContext context = new CompositionContext();
+			context.setPolicyTarget(resource);
+			if(i == 0)
+			{
+				context.addPolicyRule(Effect.PERMIT, action, allowedRoles,
"allowExpression");
+			}
+			context.addPolicyRule(Effect.PERMIT, action, sysadmin, "allowExpression");
+			context.addPolicyRule(Effect.PERMIT, action, identity);
+					
+			//Store the policy into the Policy Server
+			PolicyMetaData policyMetaData = this.policyComposer.compose(context);
+			this.provisioner.newPolicy(policyMetaData);
+		}
+	}
+	
+	private EnforcementContext createEnforcementContext(String resource, Read action) throws
Exception
+    {            
+        // Create an EnforcementContext
+		EnforcementContext context = new EnforcementContext();
+
+		// Create Resource
+		URIResource protectedResource = new URIResource();
+		protectedResource.setUri(new URI(resource));
+		context.setAttribute("uri-resource", protectedResource);
+
+		// Create Subjects
+		Roles roles = new Roles();
+		roles.addName("user");
+		context.setAttribute("roles", roles);
+		Identity identity = new Identity();
+		identity.setName(&quot;blah(a)blah.com&quot;);
+		context.setAttribute("identity", identity);
+
+		// Create Action
+		context.setAttribute("action", action);
+
+		return context;
+    }
+}

Modified:
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/subject/Roles.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/subject/Roles.java	2009-07-29
17:06:25 UTC (rev 13628)
+++
modules/authorization/trunk/core-components-api/src/main/java/org/jboss/security/authz/components/subject/Roles.java	2009-07-29
20:01:36 UTC (rev 13629)
@@ -52,25 +52,25 @@
 public class Roles
 {
 	//make it package-level access so that unit tests can test these rules
-    static final String allowRule = 
+    protected static final String allowRule = 
     "import java.util.HashSet\n"+
     "rule \"{0}\"\n"+
     "when\n"+
     "$ruleName: String()\n"+
     "$roles: HashSet()\n"+
-    "eval($ruleName.contains(\"roles://allowRule\"))\n"+
+    "eval($ruleName.contains(\"{0}\"))\n"+
     "eval({1})\n"+
     "then\n"+
       "insert(Boolean.TRUE);\n"+
     "end\n";
     
-    static final String denyRule = 
+    protected static final String denyRule = 
     "import java.util.HashSet\n"+
     "rule \"{0}\"\n"+
     "when\n"+
     "$ruleName: String()\n"+
     "$roles: HashSet()\n"+
-    "eval($ruleName.contains(\"roles://denyRule\"))\n"+
+    "eval($ruleName.contains(\"{0}\"))\n"+
     "eval({1})\n"+
     "then\n"+
       "insert(Boolean.TRUE);\n"+
@@ -87,6 +87,8 @@
    @SecurityContextData
    private Set<String> names;
    
+   private boolean mustMatchAll=false;
+   
    public Roles()
    {
 	   
@@ -119,6 +121,16 @@
    {
 	   return this.getNames().isEmpty();
    }
+      
+   public boolean isMustMatchAll() 
+   {
+	   return mustMatchAll;
+   }
+
+   public void setMustMatchAll(boolean mustMatchAll) 
+   {
+	   this.mustMatchAll = mustMatchAll;
+   }
   
//------------------------------------------------------------------------------------------------------------------------------------------------------------
    /**
     * Creates a Policy Rule suggesting the roles indicated by this object are permitted
access to the 'Resource' designated in the Policy
@@ -135,7 +147,14 @@
 	   StringBuffer buffer = new StringBuffer();
 	   for(String role: this.getNames())
 	   {
-		   buffer.append("$roles.contains(\""+role.toLowerCase()+"\")
|| ");
+		   if(!this.mustMatchAll)
+		   {
+			   buffer.append("$roles.contains(\""+role.toLowerCase()+"\")
|| ");
+		   }
+		   else
+		   {
+			   buffer.append("$roles.contains(\""+role.toLowerCase()+"\")
&& ");
+		   }
 	   }
 	   String condition = buffer.toString().trim();
 	   String ruleLogic = MessageFormat.format(Roles.allowRule, 
@@ -159,7 +178,14 @@
 	   StringBuffer buffer = new StringBuffer();
 	   for(String role: this.getNames())
 	   {
-		   buffer.append("$roles.contains(\""+role.toLowerCase()+"\")
|| ");
+		   if(!this.mustMatchAll)
+		   {
+			   buffer.append("$roles.contains(\""+role.toLowerCase()+"\")
|| ");
+		   }
+		   else
+		   {
+			   buffer.append("$roles.contains(\""+role.toLowerCase()+"\")
&& ");
+		   }
 	   }
 	   String condition = buffer.toString().trim();
 	   String ruleLogic = MessageFormat.format(Roles.denyRule, 

Modified:
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/subject/TestRolesDroolsRules.java
===================================================================
---
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/subject/TestRolesDroolsRules.java	2009-07-29
17:06:25 UTC (rev 13628)
+++
modules/authorization/trunk/core-components-api/src/test/java/org/jboss/security/authz/components/subject/TestRolesDroolsRules.java	2009-07-29
20:01:36 UTC (rev 13629)
@@ -54,9 +54,14 @@
 	"import org.jboss.security.xacml.interfaces.XACMLConstants;\n";
 	
 	private RuleBase activeRuleBase;
+	private String allowedRuleReference;
+	private String deniedRuleReference;
 	
 	public void setUp() throws Exception
 	{
+		this.allowedRuleReference =
"roles://allowRule/"+GeneralTool.generateUniqueId();
+		this.deniedRuleReference =
"roles://denyRule/"+GeneralTool.generateUniqueId();
+		
 		StringBuilder buffer = new StringBuilder();
 			      
 		buffer.append(rulePkg+"\n");		      
@@ -82,7 +87,7 @@
 		finally
 		{
 		     source.close();
-		}
+		}				
 	}
 	
 	public void tearDown() throws Exception
@@ -96,7 +101,7 @@
 		WorkingMemory workingMemory = this.activeRuleBase.newStatefulSession();
 		
 		//SetUp the context data
-	   
workingMemory.insert("roles://allowRule/"+GeneralTool.generateUniqueId());
+	    workingMemory.insert(this.allowedRuleReference);
 	    Set roles = new HashSet();
 	    roles.add("admin");
 	    roles.add("superuser");
@@ -127,7 +132,7 @@
 		WorkingMemory workingMemory = this.activeRuleBase.newStatefulSession();
 		
 		//SetUp the context data
-	    workingMemory.insert("roles://denyRule/"+GeneralTool.generateUniqueId());
+	    workingMemory.insert(this.deniedRuleReference);
 	    Set roles = new HashSet();
 	    roles.add("anonymous");
 	    workingMemory.insert(roles);
@@ -162,7 +167,7 @@
 	   }
 	   String condition = buffer.toString().trim();
 	   String rule = MessageFormat.format(Roles.allowRule, 
-	   new Object[]{GeneralTool.generateUniqueId(), condition.substring(0,
condition.length()-2).trim()});
+	   new Object[]{this.allowedRuleReference, condition.substring(0,
condition.length()-2).trim()});
 	   
 	   return rule;
 	}
@@ -178,7 +183,7 @@
 	   }
 	   String condition = buffer.toString().trim();
 	   String rule = MessageFormat.format(Roles.denyRule, 
-	   new Object[]{GeneralTool.generateUniqueId(), condition.substring(0,
condition.length()-2).trim()});
+	   new Object[]{this.deniedRuleReference, condition.substring(0,
condition.length()-2).trim()});
 	   
 	   return rule;
 	}

Modified:
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/TestURLPattern.java
===================================================================
---
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/TestURLPattern.java	2009-07-29
17:06:25 UTC (rev 13628)
+++
modules/authorization/trunk/http-profile/src/test/java/org/jboss/security/authz/http/components/TestURLPattern.java	2009-07-29
20:01:36 UTC (rev 13629)
@@ -89,27 +89,19 @@
 		assertFalse("Match(prefix/urlfoo/)",Pattern.matches(regex,
"prefix/urlfoo/"));
 		assertFalse("Match(/blah/prefix/url/index.html)",Pattern.matches(regex,
"/blah/prefix/url/index.html"));
 		
-		HttpResource httpResource = new HttpResource();
-		httpResource.setUri(new URI("/prefix/url/*"));
-		
-		Roles allowedRoles = new Roles();
-		allowedRoles.addName("Admin");
-		
-		//Setup the Context for the Composition with these components		
-		CompositionContext context = new CompositionContext();
-		context.setPolicyTarget(httpResource);
-		context.addPolicyRule(Effect.PERMIT, new Get(), allowedRoles,
"allowExpression");		
+		//TODO: fix issue with duplicate matches when using concrete uris and regex uris
+		this.provision("/prefix/url/*");
+		//this.provision("/prefix/url/index.html");
 				
-		//Store the policy into the Policy Server
-		PolicyMetaData policyMetaData = this.policyComposer.compose(context);
-		this.provisioner.newPolicy(policyMetaData);	
-				
 		//Assert Policy State of the Server
 		Policy[] policies = this.provisioner.readAllPolicies();
 		
-		assertTrue("Policy Store must not be empty!!", (policies != null &&
policies.length == 1));
+		assertTrue("Policy Store must not be empty!!", (policies != null));

		log.info("------------------------------------------------------------------------------");
-		log.info(policies[0].generateSystemPolicy());
+		for(Policy local: policies)
+		{
+			log.info(local.generateSystemPolicy());
+		}
 		
 		//Access Granted				
 		this.enforce(this.createEnforcementContext("/prefix/url"), true);
@@ -166,4 +158,22 @@
 
 		return context;
     }
+	
+	private void provision(String urlPattern) throws Exception
+	{
+		HttpResource httpResource = new HttpResource();
+		httpResource.setUri(new URI(urlPattern));
+		
+		Roles allowedRoles = new Roles();
+		allowedRoles.addName("Admin");
+		
+		//Setup the Context for the Composition with these components		
+		CompositionContext context = new CompositionContext();
+		context.setPolicyTarget(httpResource);
+		context.addPolicyRule(Effect.PERMIT, new Get(), allowedRoles,
"allowExpression");		
+				
+		//Store the policy into the Policy Server
+		PolicyMetaData policyMetaData = this.policyComposer.compose(context);
+		this.provisioner.newPolicy(policyMetaData);
+	}
 }

Modified:
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DroolsFunction.java
===================================================================
---
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DroolsFunction.java	2009-07-29
17:06:25 UTC (rev 13628)
+++
modules/authorization/trunk/policy-server/src/main/java/org/jboss/security/authz/policy/server/plugin/DroolsFunction.java	2009-07-29
20:01:36 UTC (rev 13629)
@@ -116,8 +116,9 @@
     		 for(int i=0,size=inputs.size(); i<size; i++)
     		 {
     			 VariableReference reference = (VariableReference)inputs.get(i);
+    			 String referenceId = reference.getVariableId();
     			 
-    			 log.debug("Firing Rule ="+reference.getVariableId());
+    			 log.debug("Firing Rule ="+referenceId);
     			
     			 //Establish a Stateful Drools Session
     			 DroolsRuleManager ruleManager =
(DroolsRuleManager)ServiceContainer.lookup("/policy-server/DroolsRuleManager");
@@ -125,7 +126,7 @@
     			 WorkingMemory workingMemory = ruleBase.newStatefulSession();
     			 
     			 //Populate the WorkingMemory with Facts
-    		     workingMemory.insert(reference.getVariableId());
+    		     workingMemory.insert(referenceId);
     		     this.prepareWorkingMemory(workingMemory, context);
     		     
     		     


    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

JBoss Portal SVN: r13629 - in modules/authorization/trunk: core-components-api/src/main/java/org/jboss/security/authz/components/subject and 3 other directories.