1 |
|
|
2 |
|
|
3 |
|
|
4 |
|
|
5 |
|
|
6 |
|
|
7 |
|
|
8 |
|
|
9 |
|
|
10 |
|
|
11 |
|
|
12 |
|
|
13 |
|
|
14 |
|
|
15 |
|
|
16 |
|
|
17 |
|
|
18 |
|
|
19 |
|
|
20 |
|
package org.xwiki.security.authorization.cache.internal; |
21 |
|
|
22 |
|
import java.util.ArrayDeque; |
23 |
|
import java.util.ArrayList; |
24 |
|
import java.util.Collection; |
25 |
|
import java.util.Collections; |
26 |
|
import java.util.Deque; |
27 |
|
import java.util.HashSet; |
28 |
|
import java.util.LinkedList; |
29 |
|
import java.util.List; |
30 |
|
|
31 |
|
import javax.inject.Inject; |
32 |
|
import javax.inject.Provider; |
33 |
|
import javax.inject.Singleton; |
34 |
|
|
35 |
|
import org.slf4j.Logger; |
36 |
|
import org.xwiki.component.annotation.Component; |
37 |
|
import org.xwiki.security.GroupSecurityReference; |
38 |
|
import org.xwiki.security.SecurityReference; |
39 |
|
import org.xwiki.security.UserSecurityReference; |
40 |
|
import org.xwiki.security.authorization.AuthorizationException; |
41 |
|
import org.xwiki.security.authorization.AuthorizationSettler; |
42 |
|
import org.xwiki.security.authorization.Right; |
43 |
|
import org.xwiki.security.authorization.SecurityAccessEntry; |
44 |
|
import org.xwiki.security.authorization.SecurityEntryReader; |
45 |
|
import org.xwiki.security.authorization.SecurityRule; |
46 |
|
import org.xwiki.security.authorization.SecurityRuleEntry; |
47 |
|
import org.xwiki.security.authorization.cache.ConflictingInsertionException; |
48 |
|
import org.xwiki.security.authorization.cache.ParentEntryEvictedException; |
49 |
|
import org.xwiki.security.authorization.cache.SecurityCacheLoader; |
50 |
|
import org.xwiki.security.authorization.cache.SecurityCacheRulesInvalidator; |
51 |
|
import org.xwiki.security.authorization.internal.AbstractSecurityRuleEntry; |
52 |
|
import org.xwiki.security.internal.UserBridge; |
53 |
|
|
54 |
|
|
55 |
|
|
56 |
|
|
57 |
|
@link |
58 |
|
|
59 |
|
@link |
60 |
|
|
61 |
|
|
62 |
|
@version |
63 |
|
@since |
64 |
|
|
65 |
|
@Component |
66 |
|
@Singleton |
|
|
| 85.8% |
Uncovered Elements: 22 (155) |
Complexity: 31 |
Complexity Density: 0.29 |
|
67 |
|
public class DefaultSecurityCacheLoader implements SecurityCacheLoader |
68 |
|
{ |
69 |
|
|
70 |
|
private static final int MAX_RETRIES = 5; |
71 |
|
|
72 |
|
|
73 |
|
@Inject |
74 |
|
private Logger logger; |
75 |
|
|
76 |
|
|
77 |
|
@Inject |
78 |
|
private SecurityCache securityCache; |
79 |
|
|
80 |
|
|
81 |
|
@Inject |
82 |
|
private SecurityCacheRulesInvalidator rulesInvalidator; |
83 |
|
|
84 |
|
|
85 |
|
@Inject |
86 |
|
private SecurityEntryReader securityEntryReader; |
87 |
|
|
88 |
|
|
89 |
|
@Inject |
90 |
|
private UserBridge userBridge; |
91 |
|
|
92 |
|
|
93 |
|
@Inject |
94 |
|
private Provider<AuthorizationSettler> authorizationSettlerProvider; |
95 |
|
|
96 |
|
|
97 |
|
|
98 |
|
|
|
|
| 0% |
Uncovered Elements: 8 (8) |
Complexity: 4 |
Complexity Density: 1 |
|
99 |
|
private final class EmptySecurityRuleEntry extends AbstractSecurityRuleEntry |
100 |
|
{ |
101 |
|
|
102 |
|
private final SecurityReference reference; |
103 |
|
|
104 |
|
|
105 |
|
@param |
106 |
|
|
|
|
| 0% |
Uncovered Elements: 1 (1) |
Complexity: 1 |
Complexity Density: 1 |
|
107 |
0 |
private EmptySecurityRuleEntry(SecurityReference reference)... |
108 |
|
{ |
109 |
0 |
this.reference = reference; |
110 |
|
} |
111 |
|
|
112 |
|
|
113 |
|
@return |
114 |
|
|
|
|
| 0% |
Uncovered Elements: 1 (1) |
Complexity: 1 |
Complexity Density: 1 |
|
115 |
0 |
@Override... |
116 |
|
public SecurityReference getReference() |
117 |
|
{ |
118 |
0 |
return reference; |
119 |
|
} |
120 |
|
|
121 |
|
|
122 |
|
@return |
123 |
|
|
|
|
| 0% |
Uncovered Elements: 1 (1) |
Complexity: 1 |
Complexity Density: 1 |
|
124 |
0 |
@Override... |
125 |
|
public Collection<SecurityRule> getRules() |
126 |
|
{ |
127 |
0 |
return Collections.emptyList(); |
128 |
|
} |
129 |
|
|
|
|
| 0% |
Uncovered Elements: 1 (1) |
Complexity: 1 |
Complexity Density: 1 |
|
130 |
0 |
@Override... |
131 |
|
public boolean isEmpty() |
132 |
|
{ |
133 |
0 |
return true; |
134 |
|
} |
135 |
|
} |
136 |
|
|
|
|
| 75% |
Uncovered Elements: 5 (20) |
Complexity: 5 |
Complexity Density: 0.31 |
|
137 |
2400 |
@Override... |
138 |
|
public SecurityAccessEntry load(UserSecurityReference user, SecurityReference entity) |
139 |
|
throws AuthorizationException |
140 |
|
{ |
141 |
2400 |
int retries = 0; |
142 |
|
|
143 |
2400 |
while (true) { |
144 |
2404 |
rulesInvalidator.suspend(); |
145 |
|
|
146 |
2404 |
try { |
147 |
2404 |
retries++; |
148 |
2404 |
return loadRequiredEntries(user, entity); |
149 |
|
} catch (ParentEntryEvictedException e) { |
150 |
0 |
if (retries < MAX_RETRIES) { |
151 |
0 |
this.logger.debug("The parent entry was evicted. Have tried {} times. Trying again...", retries); |
152 |
0 |
continue; |
153 |
|
} |
154 |
|
} catch (ConflictingInsertionException e) { |
155 |
5 |
if (retries < MAX_RETRIES) { |
156 |
4 |
this.logger.debug("There were conflicting insertions. Have tried {} times. Retrying...", retries); |
157 |
4 |
continue; |
158 |
|
} |
159 |
|
} finally { |
160 |
2404 |
rulesInvalidator.resume(); |
161 |
|
} |
162 |
1 |
String message = String.format("Failed to load the cache in %d attempts. Giving up.", retries); |
163 |
1 |
this.logger.error(message); |
164 |
1 |
throw new AuthorizationException(user.getOriginalDocumentReference(), |
165 |
|
entity.getOriginalReference(), message); |
166 |
|
} |
167 |
|
} |
168 |
|
|
169 |
|
|
170 |
|
|
171 |
|
|
172 |
|
|
173 |
|
@param |
174 |
|
@param |
175 |
|
@return |
176 |
|
@throws |
177 |
|
@throws |
178 |
|
@throws |
179 |
|
|
|
|
| 66.7% |
Uncovered Elements: 2 (6) |
Complexity: 2 |
Complexity Density: 0.5 |
|
180 |
2404 |
private SecurityAccessEntry loadRequiredEntries(UserSecurityReference user, SecurityReference entity)... |
181 |
|
throws ParentEntryEvictedException, ConflictingInsertionException, AuthorizationException |
182 |
|
{ |
183 |
|
|
184 |
2404 |
if (entity == null) { |
185 |
0 |
return authorizationSettlerProvider.get().settle(user, |
186 |
|
loadUserEntry(user, user.getWikiReference(), null), null); |
187 |
|
} |
188 |
|
|
189 |
|
|
190 |
2404 |
Deque<SecurityRuleEntry> ruleEntries = getRules(entity); |
191 |
|
|
192 |
|
|
193 |
2404 |
return loadAccessEntries(user, entity, ruleEntries); |
194 |
|
} |
195 |
|
|
196 |
|
|
197 |
|
|
198 |
|
|
199 |
|
|
200 |
|
@param |
201 |
|
@param |
202 |
|
@param |
203 |
|
@return |
204 |
|
@throws |
205 |
|
@throws |
206 |
|
@throws |
207 |
|
|
|
|
| 100% |
Uncovered Elements: 0 (12) |
Complexity: 4 |
Complexity Density: 0.5 |
|
208 |
2404 |
private SecurityAccessEntry loadAccessEntries(UserSecurityReference user, SecurityReference entity,... |
209 |
|
Deque<SecurityRuleEntry> ruleEntries) |
210 |
|
throws ParentEntryEvictedException, ConflictingInsertionException, AuthorizationException |
211 |
|
{ |
212 |
|
|
213 |
2404 |
SecurityReference userWiki = user.getWikiReference(); |
214 |
|
|
215 |
2404 |
SecurityReference entityWiki = user.isGlobal() ? entity.getWikiReference() : null; |
216 |
2404 |
if (entityWiki != null && userWiki.equals(entityWiki)) { |
217 |
2308 |
entityWiki = null; |
218 |
|
} |
219 |
|
|
220 |
|
|
221 |
2404 |
Collection<GroupSecurityReference> groups = loadUserEntry(user, userWiki, entityWiki); |
222 |
|
|
223 |
|
|
224 |
2404 |
SecurityAccessEntry accessEntry = authorizationSettlerProvider.get().settle(user, groups, ruleEntries); |
225 |
|
|
226 |
|
|
227 |
2404 |
securityCache.add(accessEntry, entityWiki); |
228 |
|
|
229 |
|
|
230 |
2399 |
return accessEntry; |
231 |
|
} |
232 |
|
|
233 |
|
|
234 |
|
|
235 |
|
|
236 |
|
|
237 |
|
|
238 |
|
@param |
239 |
|
@param |
240 |
|
@param |
241 |
|
|
242 |
|
|
243 |
|
@return |
244 |
|
@throws |
245 |
|
@throws |
246 |
|
@throws |
247 |
|
|
|
|
| 93.6% |
Uncovered Elements: 3 (47) |
Complexity: 8 |
Complexity Density: 0.24 |
|
248 |
2404 |
private Collection<GroupSecurityReference> loadUserEntry(UserSecurityReference user, SecurityReference userWiki,... |
249 |
|
SecurityReference entityWiki) |
250 |
|
throws ParentEntryEvictedException, ConflictingInsertionException, AuthorizationException |
251 |
|
{ |
252 |
|
|
253 |
2404 |
Collection<GroupSecurityReference> groups = securityCache.getGroupsFor(user, entityWiki); |
254 |
2404 |
if (groups != null) { |
255 |
|
|
256 |
1166 |
return groups; |
257 |
|
} |
258 |
|
|
259 |
|
|
260 |
1238 |
groups = new HashSet<GroupSecurityReference>(); |
261 |
|
|
262 |
|
|
263 |
1238 |
if (user.getOriginalReference() == null) { |
264 |
1064 |
if (securityCache.get(user) == null) { |
265 |
|
|
266 |
0 |
getRules(user); |
267 |
|
} |
268 |
1064 |
if (entityWiki != null) { |
269 |
|
|
270 |
2 |
securityCache.add(new DefaultSecurityShadowEntry(user, entityWiki), null); |
271 |
|
} |
272 |
1064 |
return groups; |
273 |
|
} |
274 |
|
|
275 |
|
|
276 |
|
|
277 |
|
|
278 |
174 |
if (entityWiki != null) { |
279 |
|
|
280 |
|
|
281 |
23 |
Collection<GroupSecurityReference> globalGroups = securityCache.getGroupsFor(user, null); |
282 |
23 |
Collection<GroupSecurityReference> immediateGroups; |
283 |
23 |
if (globalGroups == null) { |
284 |
|
|
285 |
8 |
globalGroups = new HashSet<>(); |
286 |
8 |
immediateGroups = loadUserGroups(user, userWiki, globalGroups); |
287 |
8 |
loadUserEntry(user, immediateGroups); |
288 |
|
} else { |
289 |
15 |
immediateGroups = securityCache.getImmediateGroupsFor(user); |
290 |
|
} |
291 |
23 |
groups.addAll(globalGroups); |
292 |
|
|
293 |
|
|
294 |
|
|
295 |
23 |
for (GroupSecurityReference group : globalGroups) { |
296 |
|
|
297 |
5 |
Collection<GroupSecurityReference> localGroups = securityCache.getGroupsFor(group, entityWiki); |
298 |
5 |
if (localGroups == null) { |
299 |
|
|
300 |
|
|
301 |
5 |
localGroups = new HashSet<>(); |
302 |
5 |
securityCache.add(new DefaultSecurityShadowEntry(group, entityWiki), |
303 |
|
loadUserGroups(group, entityWiki, localGroups)); |
304 |
|
} |
305 |
5 |
groups.addAll(localGroups); |
306 |
|
} |
307 |
|
|
308 |
23 |
Collection<GroupSecurityReference> localGroups = new HashSet<>(); |
309 |
23 |
immediateGroups.addAll(loadUserGroups(user, entityWiki, localGroups)); |
310 |
|
|
311 |
23 |
securityCache.add(new DefaultSecurityShadowEntry(user, entityWiki), immediateGroups); |
312 |
23 |
groups.addAll(localGroups); |
313 |
|
} else { |
314 |
|
|
315 |
|
|
316 |
|
|
317 |
151 |
Collection<GroupSecurityReference> localGroups = new HashSet<>(); |
318 |
151 |
loadUserEntry(user, loadUserGroups(user, userWiki, localGroups)); |
319 |
151 |
groups.addAll(localGroups); |
320 |
|
} |
321 |
|
|
322 |
|
|
323 |
174 |
return groups; |
324 |
|
} |
325 |
|
|
326 |
|
|
327 |
|
|
328 |
|
|
329 |
|
@param |
330 |
|
@param |
331 |
|
@param |
332 |
|
|
333 |
|
@return |
334 |
|
@throws |
335 |
|
@throws |
336 |
|
@throws |
337 |
|
|
|
|
| 100% |
Uncovered Elements: 0 (1) |
Complexity: 1 |
Complexity Density: 1 |
|
338 |
187 |
private Collection<GroupSecurityReference> loadUserGroups(UserSecurityReference user, SecurityReference wiki,... |
339 |
|
Collection<GroupSecurityReference> allGroups) |
340 |
|
throws ParentEntryEvictedException, ConflictingInsertionException, AuthorizationException |
341 |
|
{ |
342 |
187 |
return loadUserGroups(user, wiki, allGroups, new ArrayDeque<GroupSecurityReference>()); |
343 |
|
} |
344 |
|
|
|
|
| 82.1% |
Uncovered Elements: 5 (28) |
Complexity: 5 |
Complexity Density: 0.25 |
|
345 |
237 |
private Collection<GroupSecurityReference> loadUserGroups(UserSecurityReference user, SecurityReference wiki,... |
346 |
|
Collection<GroupSecurityReference> allGroups, Deque<GroupSecurityReference> branchGroups) |
347 |
|
throws ParentEntryEvictedException, ConflictingInsertionException, AuthorizationException |
348 |
|
{ |
349 |
|
|
350 |
238 |
Collection<GroupSecurityReference> groups = userBridge.getAllGroupsFor(user, wiki.getOriginalWikiReference()); |
351 |
|
|
352 |
238 |
Collection<GroupSecurityReference> immediateGroup = new ArrayList<GroupSecurityReference>(); |
353 |
|
|
354 |
|
|
355 |
238 |
for (GroupSecurityReference group : groups) { |
356 |
|
|
357 |
102 |
if (!branchGroups.contains(group)) { |
358 |
|
|
359 |
102 |
Collection<GroupSecurityReference> groupsOfGroup = securityCache.getGroupsFor(group, null); |
360 |
|
|
361 |
102 |
if (groupsOfGroup == null) { |
362 |
|
|
363 |
51 |
immediateGroup.add(group); |
364 |
|
|
365 |
|
|
366 |
51 |
branchGroups.push(group); |
367 |
51 |
loadUserEntry(group, loadUserGroups(group, wiki, allGroups, branchGroups)); |
368 |
51 |
branchGroups.pop(); |
369 |
|
} else { |
370 |
|
|
371 |
51 |
boolean recursionFound = false; |
372 |
51 |
for (GroupSecurityReference existingGroup : groupsOfGroup) { |
373 |
3 |
if (branchGroups.contains(existingGroup)) { |
374 |
0 |
recursionFound = true; |
375 |
0 |
break; |
376 |
|
} |
377 |
|
} |
378 |
51 |
if (!recursionFound) { |
379 |
|
|
380 |
51 |
immediateGroup.add(group); |
381 |
|
|
382 |
51 |
allGroups.addAll(groupsOfGroup); |
383 |
|
} |
384 |
|
} |
385 |
|
} |
386 |
|
} |
387 |
|
|
388 |
|
|
389 |
238 |
allGroups.addAll(immediateGroup); |
390 |
|
|
391 |
238 |
return immediateGroup; |
392 |
|
} |
393 |
|
|
394 |
|
|
395 |
|
|
396 |
|
|
397 |
|
|
398 |
|
@param |
399 |
|
@param |
400 |
|
@throws |
401 |
|
@throws |
402 |
|
@throws |
403 |
|
|
|
|
| 100% |
Uncovered Elements: 0 (11) |
Complexity: 2 |
Complexity Density: 0.22 |
|
404 |
210 |
private void loadUserEntry(UserSecurityReference user, Collection<GroupSecurityReference> groups)... |
405 |
|
throws ParentEntryEvictedException, ConflictingInsertionException, AuthorizationException |
406 |
|
{ |
407 |
|
|
408 |
210 |
Deque<SecurityReference> chain = user.getReversedSecurityReferenceChain(); |
409 |
210 |
chain.removeLast(); |
410 |
210 |
for (SecurityReference ref : chain) { |
411 |
461 |
SecurityRuleEntry entry = securityCache.get(ref); |
412 |
461 |
if (entry == null) { |
413 |
52 |
entry = securityEntryReader.read(ref); |
414 |
52 |
securityCache.add(entry); |
415 |
|
} |
416 |
|
} |
417 |
|
|
418 |
210 |
SecurityRuleEntry entry = securityEntryReader.read(user); |
419 |
210 |
securityCache.add(entry, groups); |
420 |
|
} |
421 |
|
|
422 |
|
|
423 |
|
|
424 |
|
|
425 |
|
|
426 |
|
@param |
427 |
|
@return |
428 |
|
@exception |
429 |
|
@exception |
430 |
|
|
431 |
|
@throws |
432 |
|
|
433 |
|
|
|
|
| 68.2% |
Uncovered Elements: 7 (22) |
Complexity: 4 |
Complexity Density: 0.25 |
|
434 |
2404 |
private Deque<SecurityRuleEntry> getRules(SecurityReference entity)... |
435 |
|
throws AuthorizationException, ParentEntryEvictedException, ConflictingInsertionException |
436 |
|
{ |
437 |
2404 |
Deque<SecurityRuleEntry> rules = new LinkedList<SecurityRuleEntry>(); |
438 |
2404 |
List<SecurityRuleEntry> emptyRuleEntryTail = new ArrayList<SecurityRuleEntry>(); |
439 |
2404 |
for (SecurityReference ref : entity.getReversedSecurityReferenceChain()) { |
440 |
7165 |
SecurityRuleEntry entry = securityCache.get(ref); |
441 |
7165 |
if (entry == null) { |
442 |
2093 |
if (Right.getEnabledRights(ref.getType()).isEmpty()) { |
443 |
|
|
444 |
0 |
entry = new EmptySecurityRuleEntry(ref); |
445 |
0 |
emptyRuleEntryTail.add(entry); |
446 |
|
} else { |
447 |
2093 |
entry = securityEntryReader.read(ref); |
448 |
2091 |
if (!emptyRuleEntryTail.isEmpty()) { |
449 |
|
|
450 |
0 |
for (SecurityRuleEntry emptyRuleEntry : emptyRuleEntryTail) { |
451 |
0 |
securityCache.add(emptyRuleEntry); |
452 |
|
} |
453 |
0 |
emptyRuleEntryTail.clear(); |
454 |
|
} |
455 |
2091 |
securityCache.add(entry); |
456 |
|
} |
457 |
|
} |
458 |
7165 |
rules.push(entry); |
459 |
|
} |
460 |
2404 |
return rules; |
461 |
|
} |
462 |
|
} |