package org.xwiki.security.authorization; |
import javax.inject.Inject; |
import javax.inject.Singleton; |
import org.apache.commons.lang3.StringUtils; |
import org.slf4j.Logger; |
import org.xwiki.component.annotation.Component; |
import org.xwiki.model.reference.DocumentReference; |
import org.xwiki.model.reference.EntityReference; |
import org.xwiki.model.reference.EntityReferenceSerializer; |
import org.xwiki.security.SecurityReference; |
import org.xwiki.security.SecurityReferenceFactory; |
import org.xwiki.security.UserSecurityReference; |
import org.xwiki.security.authorization.cache.SecurityCache; |
import org.xwiki.security.authorization.cache.SecurityCacheLoader; |
import org.xwiki.security.internal.XWikiBridge; |
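/**
 * Default implementation of the {@link AuthorizationManager}.
 * <p>
 * Access decisions are answered from the {@link SecurityCache}, falling back to the {@link SecurityCacheLoader}
 * when no cached entry exists for the user/entity pair. Both public entry points are fail-closed: any unexpected
 * exception raised while evaluating rights results in access being denied, never granted.
 *
 * @version $Id$
 * @since TODO(review): value lost in extraction
 */
@Component
@Singleton
public class DefaultAuthorizationManager implements AuthorizationManager
{
    /** Logger used for access decisions and cache diagnostics. */
    @Inject
    private Logger logger;

    /** Cache of security rule entries and per-user access entries. */
    @Inject
    private SecurityCache securityCache;

    /** Loader consulted when the cache holds no entry for a reference. */
    @Inject
    private SecurityCacheLoader securityCacheLoader;

    /** Factory converting model references into security references. */
    @Inject
    private SecurityReferenceFactory securityReferenceFactory;

    /** Serializer used to render references in log messages. */
    @Inject
    private EntityReferenceSerializer<String> entityReferenceSerializer;

    /** Bridge to the wiki instance (read-only state, authentication requirements, main wiki reference). */
    @Inject
    private XWikiBridge xwikiBridge;

    /**
     * Check whether the given user is the built-in super administrator.
     * <p>
     * NOTE(review): the comparison is on the document name alone, case-insensitively, regardless of the wiki or space
     * the reference belongs to. Because a positive match bypasses every other check in
     * {@link #hasSecurityAccess(Right, DocumentReference, EntityReference, boolean)}, this relies on the platform
     * preventing ordinary users from obtaining that name — confirm against the user-registration code.
     *
     * @param user the user to check, may be {@code null}
     * @return {@code true} if the user's name matches {@link AuthorizationManager#SUPERADMIN_USER}
     */
    private boolean isSuperAdmin(DocumentReference user)
    {
        if (user == null) {
            return false;
        }
        return StringUtils.equalsIgnoreCase(user.getName(), AuthorizationManager.SUPERADMIN_USER);
    }

    /**
     * Check that the user has the right on the entity, throwing when it is not granted.
     * <p>
     * Any exception other than an {@link AccessDeniedException} raised during evaluation is wrapped into an
     * {@link AccessDeniedException} (cause preserved) so that a failure to load rights is treated as a denial.
     *
     * @param right the right to check
     * @param userReference the user, {@code null} meaning guest
     * @param entityReference the entity the right is checked on
     * @throws AccessDeniedException when the right is not granted or cannot be evaluated
     */
    @Override
    public void checkAccess(Right right, DocumentReference userReference, EntityReference entityReference)
        throws AccessDeniedException
    {
        try {
            if (!hasSecurityAccess(right, userReference, entityReference, true)) {
                throw new AccessDeniedException(right, userReference, entityReference);
            }
        } catch (AccessDeniedException e) {
            // Already the right type: propagate the denial untouched.
            throw e;
        } catch (Exception e) {
            // Fail closed: an evaluation failure is reported as a denial, keeping the original cause.
            throw new AccessDeniedException(right, userReference, entityReference, e);
        }
    }

    /**
     * Ask whether the user has the right on the entity without throwing.
     * <p>
     * Evaluation failures are logged at error level and answered with {@code false} (fail closed).
     *
     * @param right the right to check
     * @param userReference the user, {@code null} meaning guest
     * @param entityReference the entity the right is checked on
     * @return {@code true} only when the right is positively granted
     */
    @Override
    public boolean hasAccess(Right right, DocumentReference userReference, EntityReference entityReference)
    {
        try {
            return hasSecurityAccess(right, userReference, entityReference, false);
        } catch (Exception e) {
            Object userForLog = (userReference == null) ? AuthorizationException.NULL_USER : userReference;
            Object entityForLog = (entityReference == null) ? AuthorizationException.NULL_ENTITY : entityReference;
            this.logger.error(
                String.format("Failed to load rights for user [%s] on [%s].", userForLog, entityForLog), e);
            return false;
        }
    }

    /**
     * Apply the global pre-checks (super admin, illegal right, read-only wiki, guest authentication) and then
     * delegate to {@link #evaluateSecurityAccess(Right, DocumentReference, EntityReference, boolean)}.
     *
     * @param right the right to check, may be {@code null}
     * @param userReference the user, {@code null} meaning guest
     * @param entityReference the entity the right is checked on
     * @param check {@code true} for a security checkpoint (denials are logged), {@code false} for a plain inquiry
     * @return {@code true} when access is granted
     * @throws AuthorizationException when the access cannot be evaluated
     */
    private boolean hasSecurityAccess(Right right, DocumentReference userReference, EntityReference entityReference,
        boolean check)
        throws AuthorizationException
    {
        // The super administrator bypasses every other rule, including the read-only and authentication checks.
        if (isSuperAdmin(userReference)) {
            return true;
        }

        // Unknown or illegal rights are never granted; the denial is only logged at a checkpoint.
        if (right == null || right == Right.ILLEGAL) {
            if (check) {
                logDeny(userReference, entityReference, right, "no such right");
            }
            return false;
        }

        // A read-only wiki denies every right that is not itself read-only; a guest (null user) is denied any
        // right that requires authentication. These early denials are not logged, only the cache path logs.
        if ((!right.isReadOnly() && xwikiBridge.isWikiReadOnly())
            || (userReference == null && xwikiBridge.needsAuthentication(right))) {
            return false;
        }

        return evaluateSecurityAccess(right, userReference, entityReference, check);
    }

    /**
     * Resolve the user's access on the entity through the security cache and log the outcome.
     *
     * @param right the right to check, never {@code null} here
     * @param userReference the user, {@code null} meaning guest
     * @param entityReference the entity the right is checked on
     * @param check {@code true} for a security checkpoint, {@code false} for a plain inquiry
     * @return {@code true} only when the resolved rule state is {@link RuleState#ALLOW}
     * @throws AuthorizationException when the access cannot be loaded
     */
    private boolean evaluateSecurityAccess(Right right, DocumentReference userReference,
        EntityReference entityReference, boolean check)
        throws AuthorizationException
    {
        UserSecurityReference user = securityReferenceFactory.newUserReference(userReference);
        SecurityReference entity = securityReferenceFactory.newEntityReference(entityReference);
        SecurityAccess securityAccess = getAccess(user, entity);

        RuleState access = securityAccess.get(right);
        String info = check ? "security checkpoint" : "access inquiry";
        // A checkpoint denial is logged at info level (see logDeny); everything else at debug level.
        if (check && access != RuleState.ALLOW) {
            logDeny(userReference, entityReference, right, info);
        } else {
            logAccess(access, userReference, entityReference, right, info, true);
        }
        // Anything other than an explicit ALLOW (including UNDETERMINED) is treated as denied.
        return access == RuleState.ALLOW;
    }

    /**
     * Register a new right and invalidate the cached entries of the main wiki so the new right is taken into account.
     * <p>
     * If registration fails but an equivalent right with the same name already exists, that right is returned instead.
     *
     * @param rightDescription the description of the right to register
     * @return the registered (or already existing, equivalent) right
     * @throws UnableToRegisterRightException when the right cannot be registered and no equivalent right exists
     */
    @Override
    public Right register(RightDescription rightDescription) throws UnableToRegisterRightException
    {
        try {
            Right newRight = new Right(rightDescription);

            securityCache.remove(securityReferenceFactory.newEntityReference(xwikiBridge.getMainWikiReference()));
            return newRight;
        } catch (Throwable e) {
            // NOTE(review): Throwable also catches JVM errors; kept to preserve behavior, but narrowing to
            // Exception is worth considering — confirm what Right's constructor may throw.
            Right right = Right.toRight(rightDescription.getName());
            if (right != Right.ILLEGAL && right.like(rightDescription)) {
                return right;
            }
            throw new UnableToRegisterRightException(rightDescription, e);
        }
    }

    /**
     * Get the access of the user on the entity, walking up the entity's security hierarchy.
     * <p>
     * For each ancestor that can carry rights, the rule entry is looked up; whenever the rule entry or the user's
     * access entry is missing, the access is (re)loaded for the original {@code entity} (not the ancestor). If every
     * ancestor has an empty rule entry, a default entry is loaded.
     *
     * @param user the user security reference
     * @param entity the entity security reference
     * @return the resolved access, never {@code null}
     * @exception AuthorizationException when the loader fails
     */
    private SecurityAccess getAccess(UserSecurityReference user, SecurityReference entity)
        throws AuthorizationException
    {
        for (SecurityReference ref = entity; ref != null; ref = ref.getParentSecurityReference()) {
            if (Right.getEnabledRights(ref.getSecurityType()).isEmpty()) {
                // This level of the hierarchy cannot carry any right: skip to its parent.
                continue;
            }
            SecurityRuleEntry entry = securityCache.get(ref);
            if (entry == null) {
                // No rule entry cached for this level: load the access for the original entity.
                SecurityAccess access = securityCacheLoader.load(user, entity).getAccess();

                this.logger.debug("1. Loaded a new entry for user {} on {} into cache: [{}]", user, entity, access);

                return access;
            }
            if (!entry.isEmpty()) {
                SecurityAccessEntry accessEntry = securityCache.get(user, ref);
                if (accessEntry == null) {
                    // Rules exist but no access entry for this user yet: load it.
                    SecurityAccess access = securityCacheLoader.load(user, entity).getAccess();

                    logger.debug("2. Loaded a new entry for user {} on {} into cache: [{}]", user, entity, access);

                    return access;
                }
                // Cache hit.
                SecurityAccess access = accessEntry.getAccess();

                logger.debug("3. Got entry for user {} on {} from cache: [{}]", user, entity, access);

                return access;
            }
        }

        // Every level had an empty rule entry: load the default access.
        SecurityAccess access = securityCacheLoader.load(user, entity).getAccess();

        logger.debug("4. Loaded a new default entry for user {} on {} into cache: [{}]", user, entity, access);

        return access;
    }

    /**
     * Log an access decision, at debug or info level.
     * <p>
     * The message is only built when the chosen level is enabled, since serializing references has a cost.
     *
     * @param access the rule state; only {@link RuleState#ALLOW} is reported as "granted"
     * @param user the user, {@code null} meaning guest
     * @param entity the entity, may be {@code null}
     * @param right the right, may be {@code null}
     * @param info free text describing the context of the decision
     * @param debugLevel {@code true} to log at debug level, {@code false} for info level
     */
    private void logAccess(RuleState access, DocumentReference user, EntityReference entity, Right right, String info,
        boolean debugLevel)
    {
        boolean levelEnabled = debugLevel ? logger.isDebugEnabled() : logger.isInfoEnabled();
        if (!levelEnabled) {
            return;
        }

        String userName = (user != null) ? entityReferenceSerializer.serialize(user)
            : AuthorizationException.NULL_USER;
        // Fixed: a missing entity was previously labelled with NULL_USER, mislabelling the log line.
        String docName = (entity != null) ? entityReferenceSerializer.serialize(entity)
            : AuthorizationException.NULL_ENTITY;
        String rightName = (right != null) ? right.getName() : "no right";
        String accessName = (access == RuleState.ALLOW) ? "granted" : "denied";
        String message = "[{}] access has been {} for user [{}] on [{}]: {}";
        if (debugLevel) {
            logger.debug(message, rightName, accessName, userName, docName, info);
        } else {
            logger.info(message, rightName, accessName, userName, docName, info);
        }
    }

    /**
     * Log a denied access at info level.
     *
     * @param user the user, {@code null} meaning guest
     * @param entity the entity, may be {@code null}
     * @param right the right, may be {@code null}
     * @param info free text describing the context of the denial
     */
    protected void logDeny(DocumentReference user, EntityReference entity, Right right, String info)
    {
        logAccess(RuleState.DENY, user, entity, right, info, false);
    }
}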