1. Project Clover database Tue Dec 20 2016 21:24:09 CET
  2. Package org.xwiki.security.authorization.internal

File DefaultAuthorizationSettler.java

 

Coverage histogram

../../../../../img/srcFileCovDistChart10.png
0% of files have more coverage

Code metrics

30
44
4
1
175
98
19
0.43
11
4
4.75

Classes

Class Line # Actions
DefaultAuthorizationSettler 48 44 0% 19 2
0.97435997.4%
 

Contributing tests

This file is covered by 38 tests. .

Source view

1    /*
2    * See the NOTICE file distributed with this work for additional
3    * information regarding copyright ownership.
4    *
5    * This is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU Lesser General Public License as
7    * published by the Free Software Foundation; either version 2.1 of
8    * the License, or (at your option) any later version.
9    *
10    * This software is distributed in the hope that it will be useful,
11    * but WITHOUT ANY WARRANTY; without even the implied warranty of
12    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13    * Lesser General Public License for more details.
14    *
15    * You should have received a copy of the GNU Lesser General Public
16    * License along with this software; if not, write to the Free
17    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19    */
20    package org.xwiki.security.authorization.internal;
21   
22    import java.util.Collection;
23    import java.util.Set;
24   
25    import javax.inject.Singleton;
26   
27    import org.xwiki.component.annotation.Component;
28    import org.xwiki.security.GroupSecurityReference;
29    import org.xwiki.security.UserSecurityReference;
30    import org.xwiki.security.authorization.Right;
31    import org.xwiki.security.authorization.RightSet;
32    import org.xwiki.security.authorization.RuleState;
33    import org.xwiki.security.authorization.SecurityRule;
34    import org.xwiki.security.authorization.SecurityRuleEntry;
35   
36    import static org.xwiki.security.authorization.RuleState.ALLOW;
37    import static org.xwiki.security.authorization.RuleState.UNDETERMINED;
38   
39    /**
40    * The default implementation for the {@link org.xwiki.security.authorization.AuthorizationSettler}.
41    * Provide similar decision as the old xwiki right service.
42    *
43    * @version $Id: 114e89ada3f68334c191c3a90a3619ba23f94356 $
44    * @since 4.0M2
45    */
46    @Component
47    @Singleton
 
48    public class DefaultAuthorizationSettler extends AbstractAuthorizationSettler
49    {
 
50  6370 toggle @Override
51    protected XWikiSecurityAccess settle(UserSecurityReference user, Collection<GroupSecurityReference> groups,
52    SecurityRuleEntry entry, Policies policies)
53    {
54  6371 Set<Right> enabledRights = Right.getEnabledRights(entry.getReference().getSecurityType());
55  6370 Set<Right> fromUser = new RightSet();
56  6371 Set<Right> allowed = new RightSet();
57   
58  6371 XWikiSecurityAccess access = new XWikiSecurityAccess();
59   
60    // Evaluate rules from current entity
61  6370 for (Right right : enabledRights) {
62  51100 for (SecurityRule rule : entry.getRules()) {
63  74117 if (rule.match(right)) {
64  7646 if (rule.getState() == ALLOW) {
65  5638 allowed.add(right);
66    }
67  7646 resolveLevel(right, user, groups, rule, access, policies, fromUser);
68  7646 if (access.get(right) == ALLOW) {
69  1385 implyRights(right, access, enabledRights, policies, fromUser);
70    }
71    }
72    }
73    }
74   
75    // The same behavior as the old implementation. I.e., an allow means implicit deny for everyone else.
76  6371 for (Right right : allowed) {
77  5268 if (access.get(right) == UNDETERMINED) {
78  4028 access.deny(right);
79    }
80    }
81   
82  6371 return access;
83    }
84   
85    /**
86    * Add implied rights of the given right into the current access.
87    *
88    * @param right the right to imply right for.
89    * @param access the access to be augmented (modified and returned).
90    * @param enabledRights the set of right that could be allowed for the current reference
91    * @param policies the current security policies.
92    * @param fromUser the set of right that have been set by a user rule.
93    */
 
94  1385 toggle private void implyRights(Right right, XWikiSecurityAccess access, Set<Right> enabledRights, Policies policies,
95    Set<Right> fromUser)
96    {
97  1385 Set<Right> impliedRights = right.getImpliedRights();
98  1385 if (impliedRights != null) {
99  363 for (Right enabledRight : enabledRights) {
100  2767 if (impliedRights.contains(enabledRight)) {
101    // set the policies of the implied right to the policies of the original right
102  977 policies.set(enabledRight, right);
103  977 if (fromUser.contains(enabledRight) == fromUser.contains(right)) {
104    // Conflict Implied user/group right, user/group right
105  693 resolveConflict(ALLOW, enabledRight, access, policies);
106  284 } else if (fromUser.contains(right)) {
107    // Implied user right win over group right
108  258 access.set(enabledRight, ALLOW);
109  258 fromUser.add(enabledRight);
110    }
111    }
112    }
113    }
114    }
115   
116    /**
117    * Update the resulting {@code access} to include the rule state defined by the given {@link SecurityRule}
118    * for the given user and group, and the requested {@link Right}.
119    *
120    * @param right The right to settle.
121    * @param user The user to check.
122    * @param groups The groups where the user is a member.
123    * @param rule The currently considered rule.
124    * @param access The accumulated access result.
125    * @param policies the current security policies.
126    * @param fromUser the set of right that have been set by a user rule.
127    */
 
128  7646 toggle private void resolveLevel(Right right, UserSecurityReference user, Collection<GroupSecurityReference> groups,
129    SecurityRule rule, XWikiSecurityAccess access, Policies policies, Set<Right> fromUser)
130    {
131  7647 RuleState state = rule.getState();
132   
133  7645 if (state == UNDETERMINED) {
134  0 return;
135    }
136   
137  7647 if (rule.match(user)) {
138  2390 if (!fromUser.contains(right)) {
139    // User right win over group right
140  2341 access.set(right, state);
141  2341 fromUser.add(right);
142    } else {
143    // Conflict between user rights
144  49 resolveConflict(state, right, access, policies);
145    }
146  5257 } else if (!fromUser.contains(right)) {
147  4730 for (GroupSecurityReference group : groups) {
148  2634 if (rule.match(group)) {
149    // Conflict between group rights
150  311 resolveConflict(state, right, access, policies);
151  311 break;
152    }
153    }
154    }
155    }
156   
157    /**
158    * Resolve conflicting rights within the current level in the document hierarchy.
159    *
160    * @param state The state to consider setting.
161    * @param right The right that is being concerned.
162    * @param access The accumulated result.
163    * @param policies the current security policies.
164    */
 
165  1053 toggle private void resolveConflict(RuleState state, Right right, XWikiSecurityAccess access, Policies policies)
166    {
167  1053 if (access.get(right) == UNDETERMINED) {
168  256 access.set(right, state);
169  256 return;
170    }
171  797 if (access.get(right) != state) {
172  197 access.set(right, policies.getTieResolutionPolicy(right));
173    }
174    }
175    }