1. Project Clover database Tue Dec 20 2016 21:24:09 CET
  2. Package org.xwiki.security.authorization.internal

File PrioritizingAuthorizationSettler.java

 

Coverage histogram

../../../../../img/srcFileCovDistChart0.png
83% of files have more coverage

Code metrics

22
38
5
1
185
102
16
0.42
7.6
5
3.2

Classes

Class Line # Actions
PrioritizingAuthorizationSettler 55 38 0% 16 65
0.00%
 

Contributing tests

No tests hitting this source file were found.

Source view

1    /*
2    * See the NOTICE file distributed with this work for additional
3    * information regarding copyright ownership.
4    *
5    * This is free software; you can redistribute it and/or modify it
6    * under the terms of the GNU Lesser General Public License as
7    * published by the Free Software Foundation; either version 2.1 of
8    * the License, or (at your option) any later version.
9    *
10    * This software is distributed in the hope that it will be useful,
11    * but WITHOUT ANY WARRANTY; without even the implied warranty of
12    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13    * Lesser General Public License for more details.
14    *
15    * You should have received a copy of the GNU Lesser General Public
16    * License along with this software; if not, write to the Free
17    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
18    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
19    */
20    package org.xwiki.security.authorization.internal;
21   
22    import java.util.Collection;
23    import java.util.Map;
24    import java.util.Set;
25   
26    import javax.inject.Named;
27    import javax.inject.Singleton;
28   
29    import org.xwiki.component.annotation.Component;
30    import org.xwiki.security.GroupSecurityReference;
31    import org.xwiki.security.SecurityReference;
32    import org.xwiki.security.UserSecurityReference;
33    import org.xwiki.security.authorization.Right;
34    import org.xwiki.security.authorization.RightMap;
35    import org.xwiki.security.authorization.RuleState;
36    import org.xwiki.security.authorization.SecurityRule;
37    import org.xwiki.security.authorization.SecurityRuleEntry;
38   
39    import static org.xwiki.security.authorization.RuleState.ALLOW;
40    import static org.xwiki.security.authorization.RuleState.UNDETERMINED;
41   
42    /**
43    * An implementation for the {@link org.xwiki.security.authorization.AuthorizationSettler}.
44    * Provide similar decision as the old xwiki right service, but consider rules at the same
45    * level by prioritizing user rules, over group rules and all group rules in this order.
46    *
47    * IMPORTANT NOTE: This experimental settler is current unmaintained and untested. Use at you own risk.
48    *
49    * @version $Id: 3035132a2698f05158fb73c0d1a044fa4a0b5566 $
50    * @since 4.0M2
51    */
52    @Component
53    @Named("priority")
54    @Singleton
 
55    public class PrioritizingAuthorizationSettler extends AbstractAuthorizationSettler
56    {
57    /** Priority of rights specified for users. */
58    private static final int USER_PRIORITY = Integer.MAX_VALUE;
59   
60    /** Priority of rights specified for "all group". */
61    private static final int ALL_GROUP_PRIORITY = 0;
62   
 
63  0 toggle @Override
64    protected XWikiSecurityAccess settle(UserSecurityReference user, Collection<GroupSecurityReference> groups,
65    SecurityRuleEntry entry, Policies policies)
66    {
67  0 XWikiSecurityAccess access = new XWikiSecurityAccess();
68  0 Map<Right, Integer> priorities = new RightMap<Integer>();
69  0 SecurityReference reference = entry.getReference();
70  0 Set<Right> enabledRights = Right.getEnabledRights(reference.getSecurityType());
71   
72    // Evaluate rules from current level
73  0 for (Right right : enabledRights) {
74  0 for (SecurityRule obj : entry.getRules()) {
75  0 if (obj.match(right)) {
76  0 resolveLevel(right, user, groups, obj, access, policies, priorities);
77  0 if (access.get(right) == ALLOW) {
78  0 implyRights(right, access, reference, policies, priorities);
79    }
80    }
81    }
82    }
83   
84  0 return access;
85    }
86   
87    /**
88    * Add implied rights of the given right into the current access.
89    *
90    * @param right the right to imply right for.
91    * @param access the access to be augmented (modified and returned).
92    * @param reference the reference to imply rights for.
93    * @param policies the current security policies.
94    * @param priorities A map of current priorities of each rights in the current accumulated access result.
95    */
 
96  0 toggle private void implyRights(Right right, XWikiSecurityAccess access, SecurityReference reference,
97    Policies policies, Map<Right, Integer> priorities)
98    {
99  0 Set<Right> impliedRights = right.getImpliedRights();
100  0 if (impliedRights != null) {
101  0 for (Right enabledRight : Right.getEnabledRights(reference.getSecurityType())) {
102  0 if (impliedRights.contains(enabledRight)) {
103    // set the policies of the implied right to the policies of the original right
104  0 policies.set(enabledRight, right);
105  0 resolveConflict(ALLOW, enabledRight, access, policies, priorities.get(right), priorities);
106    }
107    }
108    }
109    }
110   
111    /**
112    * Update the resulting {@code access} to include the rule state defined by the given {@link SecurityRule}
113    * for the given user and group, and the requested {@link Right}.
114    *
115    * @param right The right to settle.
116    * @param user The user to check.
117    * @param groups The groups where the user is a member.
118    * @param rule The currently considered rule.
119    * @param access The accumulated access result during interpretation of rules.
120    * @param policies the current security policies.
121    * @param priorities A map of current priorities of each rights in the current accumulated access result.
122    *
123    */
 
124  0 toggle private void resolveLevel(Right right,
125    UserSecurityReference user, Collection<GroupSecurityReference> groups, SecurityRule rule,
126    XWikiSecurityAccess access, Policies policies, Map<Right, Integer> priorities)
127    {
128  0 RuleState state = rule.getState();
129  0 if (state == UNDETERMINED) {
130  0 return;
131    }
132   
133  0 if (rule.match(user)) {
134  0 resolveConflict(state, right, access, policies, USER_PRIORITY, priorities);
135    } else {
136  0 for (GroupSecurityReference group : groups) {
137  0 if (rule.match(group)) {
138  0 resolveConflict(state, right, access, policies, getPriority(group), priorities);
139  0 break;
140    }
141    }
142    }
143    }
144   
145    /**
146    * Resolve conflicting rights within the current level in the document hierarchy.
147    *
148    * @param state The state to consider setting.
149    * @param right The right that is being concerned.
150    * @param access The accumulated access result.
151    * @param policies the current security policies.
152    * @param priority The priority to use for this particular right match.
153    * @param priorities A map of current priorities of each rights in the current accumulated access level.
154    */
 
155  0 toggle private void resolveConflict(RuleState state, Right right, XWikiSecurityAccess access, Policies policies,
156    int priority, Map<Right, Integer> priorities)
157    {
158  0 if (access.get(right) == UNDETERMINED) {
159  0 access.set(right, state);
160  0 priorities.put(right, priority);
161  0 return;
162    }
163  0 if (access.get(right) != state) {
164  0 if (priority > priorities.get(right)) {
165  0 access.set(right, state);
166  0 priorities.put(right, priority);
167    } else {
168  0 access.set(right, policies.getTieResolutionPolicy(right));
169    }
170    }
171    }
172   
173    /**
174    * @param group A group identifier.
175    * @return the priority for the group.
176    */
 
177  0 toggle private int getPriority(GroupSecurityReference group)
178    {
179  0 if (group.getName().equals("XWikiAllGroup")) {
180  0 return ALL_GROUP_PRIORITY;
181    } else {
182  0 return ALL_GROUP_PRIORITY + 1;
183    }
184    }
185    }