Posted to commits@directory.apache.org by vt...@apache.org on 2004/03/18 05:02:58 UTC
svn commit: rev 9579 - in incubator/directory/janus/trunk: core/impl/src/java/org/apache/janus/authorization core/impl/src/java/org/apache/janus/authorization/policy core/impl/src/test/org/apache/janus/authorization/policy sandbox/src/java/org/apache/janus/script/xml sandbox/src/test/org/apache/janus/script/xml
Author: vtence
Date: Wed Mar 17 20:02:56 2004
New Revision: 9579
Modified:
incubator/directory/janus/trunk/core/impl/src/java/org/apache/janus/authorization/BasicPermission.java
incubator/directory/janus/trunk/core/impl/src/java/org/apache/janus/authorization/policy/DefaultPolicyContext.java
incubator/directory/janus/trunk/core/impl/src/test/org/apache/janus/authorization/policy/DefaultPolicyContextTest.java
incubator/directory/janus/trunk/sandbox/src/java/org/apache/janus/script/xml/Dom4JRoleManagerBuilder.java
incubator/directory/janus/trunk/sandbox/src/test/org/apache/janus/script/xml/Dom4JRoleManagerBuilderTest.java
Log:
o Fixed unchecked policy behaviour
Modified: incubator/directory/janus/trunk/core/impl/src/java/org/apache/janus/authorization/BasicPermission.java
==============================================================================
--- incubator/directory/janus/trunk/core/impl/src/java/org/apache/janus/authorization/BasicPermission.java (original)
+++ incubator/directory/janus/trunk/core/impl/src/java/org/apache/janus/authorization/BasicPermission.java Wed Mar 17 20:02:56 2004
@@ -21,7 +21,7 @@
*/
public class BasicPermission extends AbstractPermission
{
- private static final String[] NO_ACTIONS = new String[0];
+ protected static final String[] NO_ACTIONS = new String[0];
public BasicPermission( String resource )
{
Modified: incubator/directory/janus/trunk/core/impl/src/java/org/apache/janus/authorization/policy/DefaultPolicyContext.java
==============================================================================
--- incubator/directory/janus/trunk/core/impl/src/java/org/apache/janus/authorization/policy/DefaultPolicyContext.java (original)
+++ incubator/directory/janus/trunk/core/impl/src/java/org/apache/janus/authorization/policy/DefaultPolicyContext.java Wed Mar 17 20:02:56 2004
@@ -30,17 +30,22 @@
public class DefaultPolicyContext implements PolicyContext
{
private final PermissionCollection m_excludedPermissions;
+ private final PermissionCollection m_uncheckedPermissions;
private final Set m_roles;
- public DefaultPolicyContext( Set roles, Collection excludedPermissions )
+ protected DefaultPolicyContext( Set roles,
+ Collection excludedPermissions,
+ Collection uncheckedPermissions )
{
m_roles = new HashSet( roles );
m_excludedPermissions = new PermissionCollection( excludedPermissions );
+ m_uncheckedPermissions = new PermissionCollection( uncheckedPermissions );
}
public boolean checkPermission( String roleName, Permission permission )
{
if (m_excludedPermissions.dependsOn( permission )) return false;
+ if (m_uncheckedPermissions.implies( permission )) return true;
for ( Iterator it = m_roles.iterator(); it.hasNext(); )
{
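Review bot: In `checkPermission`, the fact that the excluded test runs before the unchecked test is the only thing that lets an exclusion override an unchecked statement, and nothing in the code records that. A comment above the two guards would protect it from a later reorder, e.g. `// Order matters: excluded statements are evaluated first so an unchecked statement can never override an exclusion.` The unchecked branch also returns true without looking at `roleName`, so the permission is granted to role names that are not in `m_roles` at all; `testUncheckedPermissionIsGranted` suggests this is intended, and the method's Javadoc should say so. The constructor also changes from public to protected with no factory visible in this commit, so callers outside the package may no longer compile. The body of `checkPermission` continues in the next hunk.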
@@ -48,19 +53,14 @@
if (role.is( roleName )) return role.implies( permission );
}
- return true;
+ return false;
}
public boolean requiresPriviledges( Permission permission )
{
- if (m_excludedPermissions.implies( permission )) return true;
+ if (m_excludedPermissions.dependsOn( permission )) return true;
+ if (m_uncheckedPermissions.implies( permission )) return false;
- for ( Iterator it = m_roles.iterator(); it.hasNext(); )
- {
- final RoleEntry role = (RoleEntry) it.next();
- if (role.implies( permission )) return true;
- }
-
- return false;
+ return true;
}
}
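Review bot: `requiresPriviledges` no longer consults `m_roles` and now returns true for every permission that no unchecked statement implies, but the method has no comment stating this fail-closed contract. A short Javadoc would help: it returns true when an excluded statement depends on the permission, false when an unchecked statement implies it, and true otherwise, so unknown permissions always require privileges. It should also note that the excluded test uses `dependsOn` while the unchecked test uses `implies`, since that asymmetry is what makes a broad permission covering an excluded one stay protected. Separately, the role loop in `checkPermission` (which starts outside this hunk) returns on the first `role.is( roleName )` match. Because `m_roles` is a `HashSet`, the answer would depend on iteration order if two `RoleEntry` objects can share a name; `RoleEntry`'s equality is not visible here, so this is worth confirming.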
Modified: incubator/directory/janus/trunk/core/impl/src/test/org/apache/janus/authorization/policy/DefaultPolicyContextTest.java
==============================================================================
--- incubator/directory/janus/trunk/core/impl/src/test/org/apache/janus/authorization/policy/DefaultPolicyContextTest.java (original)
+++ incubator/directory/janus/trunk/core/impl/src/test/org/apache/janus/authorization/policy/DefaultPolicyContextTest.java Wed Mar 17 20:02:56 2004
@@ -25,12 +25,16 @@
import java.util.Set;
/**
+ * test: addition of excluded statement
+ * test: addition of role statement
+ *
* @author <a href="mailto:directory-dev@incubator.apache.org">Apache Directory Project</a>
*/
public class DefaultPolicyContextTest extends TestCase
{
private DefaultPolicyContext m_policyContext;
private Set m_excludedPermissions;
+ private Set m_uncheckedPermissions;
private Set m_roles;
public static void main( String[] args )
@@ -41,12 +45,14 @@
protected void setUp() throws Exception
{
m_excludedPermissions = new HashSet();
+ m_uncheckedPermissions = new HashSet();
m_roles = new HashSet();
}
public void testUncheckedPermissionRequiresNoPriviledge()
{
- m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions );
+ m_uncheckedPermissions.add( new UncheckedPermission() );
+ m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions, m_uncheckedPermissions );
assertFalse( "Permission is unchecked but requires priviledges", m_policyContext.requiresPriviledges( new UncheckedPermission() ) );
}
@@ -54,7 +60,7 @@
public void testExcludedPermissionRequiresPriviledges()
{
m_excludedPermissions.add( new ExcludedPermission() );
- m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions );
+ m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions, m_uncheckedPermissions );
assertTrue( "Permission is excluded but requires no priviledge", m_policyContext.requiresPriviledges( new ExcludedPermission() ) );
}
@@ -65,14 +71,15 @@
permissions.add( new CheckedPermission() );
RoleEntry role = new RoleEntry( "member", permissions );
m_roles.add( role );
- m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions );
+ m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions, m_uncheckedPermissions );
assertTrue( "Permission is checked but requires no priviledge", m_policyContext.requiresPriviledges( new CheckedPermission() ) );
}
public void testUncheckedPermissionIsGranted()
{
- m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions );
+ m_uncheckedPermissions.add( new UncheckedPermission() );
+ m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions, m_uncheckedPermissions );
assertTrue( "Permission is unchecked yet was denied", m_policyContext.checkPermission( "guest", new UncheckedPermission() ) );
}
@@ -80,16 +87,14 @@
public void testExcludedPermissionIsDenied()
{
m_excludedPermissions.add( new ExcludedPermission() );
- m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions );
+ m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions, m_uncheckedPermissions );
assertFalse( "Permission is excluded yet was granted", m_policyContext.checkPermission( "admin", new ExcludedPermission() ) );
}
public void testRoleWithNoPermissionGrantsNothing()
{
- RoleEntry role = new RoleEntry( "member", new HashSet() );
- m_roles.add( role );
- m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions );
+ m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions, m_uncheckedPermissions );
assertFalse( "Role has no permission yet it granted one", m_policyContext.checkPermission( "member", new CheckedPermission() ) );
}
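Review bot: `testRoleWithNoPermissionGrantsNothing` no longer creates the empty "member" role, so it no longer tests what its name says. It now exercises the new `return false` fall-through for a role name that is absent from the policy. That default-deny path deserves a test, but the case of a role that exists and has an empty permission set has lost its coverage. Consider keeping the original two lines, `RoleEntry role = new RoleEntry( "member", new HashSet() );` and `m_roles.add( role );`, in this test and adding a separate test, named for the unknown-role case, that asserts the denial.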
@@ -100,7 +105,7 @@
permissions.add( new CheckedPermission() );
RoleEntry role = new RoleEntry( "member", permissions );
m_roles.add( role );
- m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions );
+ m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions, m_uncheckedPermissions );
assertTrue( "Role has permission yet it denied it", m_policyContext.checkPermission( "member", new CheckedPermission() ) );
}
@@ -112,28 +117,69 @@
permissions.add( new CheckedPermission() );
RoleEntry role = new RoleEntry( "member", permissions );
m_roles.add( role );
- m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions );
+ m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions, m_uncheckedPermissions );
assertFalse( "Excluded statement did not overrule role statement", m_policyContext.checkPermission( "member", new CheckedPermission() ) );
+ }
+ public void testExcludedStatementHasPrecedenceOverUncheckedStatement()
+ {
+ m_excludedPermissions.add( new UncheckedPermission() );
+ m_uncheckedPermissions.add( new UncheckedPermission() );
+ m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions, m_uncheckedPermissions );
+
+ assertFalse( "Permission should not be granted", m_policyContext.checkPermission( "member", new UncheckedPermission() ) );
+ assertTrue( "Permission should require priviledge", m_policyContext.requiresPriviledges( new UncheckedPermission() ) );
}
- public void testImpliedPermissionIsGranted()
+ public void testPermissionImpliedByCheckedPermissionIsGranted()
{
Set permissions = new HashSet();
permissions.add( new FullPermission() );
RoleEntry role = new RoleEntry( "member", permissions );
m_roles.add( role );
- m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions );
+ m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions, m_uncheckedPermissions );
assertTrue( "Permission is implied by role permission yet it was denied", m_policyContext.checkPermission( "member", new ReadPermission() ) );
}
- public void testImpliyingPermissionIsDenied()
+ public void testPermissionImpliedByUncheckedPermissionIsGranted()
+ {
+ m_uncheckedPermissions.add( new FullPermission() );
+ m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions, m_uncheckedPermissions );
+
+ assertTrue( "Permission is implied by unchecked permission yet it was denied", m_policyContext.checkPermission( "member", new ReadPermission() ) );
+ }
+
+ public void testPermissionImpliyingExcludedPermissionIsDenied()
{
m_excludedPermissions.add( new ReadPermission() );
- m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions );
+ m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions, m_uncheckedPermissions );
assertFalse( "Permission implies excluded permission yet it was granted", m_policyContext.checkPermission( "member", new FullPermission() ) );
}
+
+ public void testPermissionImpliyingExcludedPermissionRequiresPriviledges()
+ {
+ m_excludedPermissions.add( new ReadPermission() );
+ m_uncheckedPermissions.add( new FullPermission() );
+ m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions, m_uncheckedPermissions );
+
+ assertTrue( m_policyContext.requiresPriviledges( new FullPermission() ) );
+ }
+
+ public void testPermissionImpliedByUncheckedPermissionDoesNotRequireAnyPriviledge()
+ {
+ m_uncheckedPermissions.add( new FullPermission() );
+ m_policyContext = new DefaultPolicyContext( m_roles, m_excludedPermissions, m_uncheckedPermissions );
+
+ assertFalse( m_policyContext.requiresPriviledges( new ReadPermission() ) );
+ }
+
+// public void testAdditionOfExcludedPolicyStatement()
+// {
+// m_policyContext = new DefaultPolicyContext();
+// assertTrue( "Permission reported as not added", m_policyContext.addToExcludedPolicy( new ExcludedPermission() ) );
+// assertFalse( "Permission was granted; should have been excluded", m_policyContext.checkPermission( "guest", new ExcludedPermission() ));
+// }
}
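Review bot: The commented-out `testAdditionOfExcludedPolicyStatement` at the end of the class calls a no-argument `DefaultPolicyContext()` constructor and an `addToExcludedPolicy` method, neither of which appears in this commit. It reads as a note for future work rather than a test. Either drop it or replace it with a one-line `// TODO` describing the planned mutable-policy API, so the suite does not carry dead code that looks like disabled security coverage. The two new `requiresPriviledges` tests also call `assertTrue`/`assertFalse` without the failure message that every other assertion in this class supplies; adding one, e.g. `"Permission implies excluded permission yet requires no priviledge"`, would keep failures self-explanatory.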
Modified: incubator/directory/janus/trunk/sandbox/src/java/org/apache/janus/script/xml/Dom4JRoleManagerBuilder.java
==============================================================================
--- incubator/directory/janus/trunk/sandbox/src/java/org/apache/janus/script/xml/Dom4JRoleManagerBuilder.java (original)
+++ incubator/directory/janus/trunk/sandbox/src/java/org/apache/janus/script/xml/Dom4JRoleManagerBuilder.java Wed Mar 17 20:02:56 2004
@@ -16,18 +16,18 @@
*/
package org.apache.janus.script.xml;
+import java.io.IOException;
+import java.io.Reader;
+import java.security.Principal;
+import java.util.Iterator;
+import java.util.List;
+
import org.apache.janus.authentication.realm.UsernamePrincipal;
import org.apache.janus.authorization.role.MutableRoleManager;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.Element;
import org.dom4j.io.SAXReader;
-
-import java.io.IOException;
-import java.io.Reader;
-import java.security.Principal;
-import java.util.Iterator;
-import java.util.List;
/**
* <strong>Warning:</strong> Document is assumed to be valid.
Modified: incubator/directory/janus/trunk/sandbox/src/test/org/apache/janus/script/xml/Dom4JRoleManagerBuilderTest.java
==============================================================================
--- incubator/directory/janus/trunk/sandbox/src/test/org/apache/janus/script/xml/Dom4JRoleManagerBuilderTest.java (original)
+++ incubator/directory/janus/trunk/sandbox/src/test/org/apache/janus/script/xml/Dom4JRoleManagerBuilderTest.java Wed Mar 17 20:02:56 2004
@@ -23,6 +23,8 @@
import java.io.StringReader;
+import junit.framework.TestCase;
+
/**
* test: duplicate role
* test: duplicate principal in role
@@ -32,7 +34,7 @@
*
* @author <a href="mailto:directory-dev@incubator.apache.org">Apache Directory Project</a>
*/
-public class Dom4JRoleManagerBuilderTest extends junit.framework.TestCase
+public class Dom4JRoleManagerBuilderTest extends TestCase
{
private Mock m_mockRoleManager;