Posted to commits@syncope.apache.org by il...@apache.org on 2012/04/03 14:47:28 UTC
svn commit: r1308872 - in /incubator/syncope/trunk:
client/src/main/java/org/syncope/client/util/ console/
console/src/test/java/org/syncope/console/
core/src/main/java/org/syncope/core/persistence/dao/
core/src/main/java/org/syncope/core/persistence/d...
Author: ilgrosso
Date: Tue Apr 3 12:47:28 2012
New Revision: 1308872
URL: http://svn.apache.org/viewvc?rev=1308872&view=rev
Log:
[SYNCOPE-48] Implemented correct role entitlement inheritance: needed to fix some minor related things as well
Modified:
incubator/syncope/trunk/client/src/main/java/org/syncope/client/util/ConnConfPropUtils.java
incubator/syncope/trunk/console/pom.xml
incubator/syncope/trunk/console/src/test/java/org/syncope/console/EditProfileTestITCase.java
incubator/syncope/trunk/console/src/test/java/org/syncope/console/ResourceTestITCase.java
incubator/syncope/trunk/core/src/main/java/org/syncope/core/persistence/dao/RoleDAO.java
incubator/syncope/trunk/core/src/main/java/org/syncope/core/persistence/dao/impl/RoleDAOImpl.java
incubator/syncope/trunk/core/src/main/java/org/syncope/core/security/SyncopeUserDetailsService.java
incubator/syncope/trunk/core/src/test/java/org/syncope/core/rest/AuthenticationTestITCase.java
incubator/syncope/trunk/core/src/test/java/org/syncope/core/rest/UserRequestTestITCase.java
Modified: incubator/syncope/trunk/client/src/main/java/org/syncope/client/util/ConnConfPropUtils.java
URL: http://svn.apache.org/viewvc/incubator/syncope/trunk/client/src/main/java/org/syncope/client/util/ConnConfPropUtils.java?rev=1308872&r1=1308871&r2=1308872&view=diff
==============================================================================
--- incubator/syncope/trunk/client/src/main/java/org/syncope/client/util/ConnConfPropUtils.java (original)
+++ incubator/syncope/trunk/client/src/main/java/org/syncope/client/util/ConnConfPropUtils.java Tue Apr 3 12:47:28 2012
@@ -38,8 +38,11 @@ public final class ConnConfPropUtils {
public static Set<ConnConfProperty> joinConnInstanceProperties(
final Map<String, ConnConfProperty> connectorProp, final Map<String, ConnConfProperty> resourceProp) {
- connectorProp.putAll(resourceProp);
- return new HashSet<ConnConfProperty>(connectorProp.values());
+ Set<ConnConfProperty> result = new HashSet<ConnConfProperty>();
+ result.addAll(connectorProp.values());
+ result.addAll(resourceProp.values());
+
+ return result;
}
public static Map<String, ConnConfProperty> getConnConfPropertyMap(final Set<ConnConfProperty> properties) {
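Review bot: The replacement on lines 34-36 no longer lets resource-level properties override connector-level ones by key: `HashSet.addAll` keeps the element already present when a later one compares equal, so if `ConnConfProperty.equals` is keyed on the property name the connector value now wins, and if it is not, both copies of the same property end up in the returned set. The original code did merge by key with the resource value last, which is the precedence a caller of a "join" would expect; only the mutation of the caller's `connectorProp` map needed fixing. Keep the key merge but on a copy: `Map<String, ConnConfProperty> merged = new HashMap<String, ConnConfProperty>(connectorProp);` `merged.putAll(resourceProp);` `return new HashSet<ConnConfProperty>(merged.values());`. This needs a `java.util.HashMap` import if the file does not already have one.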
Modified: incubator/syncope/trunk/console/pom.xml
URL: http://svn.apache.org/viewvc/incubator/syncope/trunk/console/pom.xml?rev=1308872&r1=1308871&r2=1308872&view=diff
==============================================================================
--- incubator/syncope/trunk/console/pom.xml (original)
+++ incubator/syncope/trunk/console/pom.xml Tue Apr 3 12:47:28 2012
@@ -190,7 +190,7 @@ under the License.
<plugins>
<plugin>
- <groupId>org.codehaus.groovy.maven</groupId>
+ <groupId>org.codehaus.gmaven</groupId>
<artifactId>gmaven-plugin</artifactId>
<inherited>true</inherited>
<executions>
Modified: incubator/syncope/trunk/console/src/test/java/org/syncope/console/EditProfileTestITCase.java
URL: http://svn.apache.org/viewvc/incubator/syncope/trunk/console/src/test/java/org/syncope/console/EditProfileTestITCase.java?rev=1308872&r1=1308871&r2=1308872&view=diff
==============================================================================
--- incubator/syncope/trunk/console/src/test/java/org/syncope/console/EditProfileTestITCase.java (original)
+++ incubator/syncope/trunk/console/src/test/java/org/syncope/console/EditProfileTestITCase.java Tue Apr 3 12:47:28 2012
@@ -38,8 +38,7 @@ public class EditProfileTestITCase exten
selenium.click("//div/span/span/a");
- selenium
- .waitForCondition("selenium.isElementPresent(" + "\"//span[contains(text(),'Attributes')]\");", "30000");
+ selenium.waitForCondition("selenium.isElementPresent(\"//span[contains(text(),'Attributes')]\");", "30000");
selenium.click("css=a.w_close");
@@ -61,14 +60,13 @@ public class EditProfileTestITCase exten
selenium.click("name=:submit");
selenium.waitForPageToLoad("30000");
- selenium.click("css=img[alt=\"Users\"]");
+ selenium.click("css=img[alt=\"Schema\"]");
selenium.waitForPageToLoad("30000");
selenium.click("id=username");
selenium.click("//span[@id='editProfile']/a");
- selenium
- .waitForCondition("selenium.isElementPresent(" + "\"//span[contains(text(),'Attributes')]\");", "30000");
+ selenium.waitForCondition("selenium.isElementPresent(\"//span[contains(text(),'Attributes')]\");", "30000");
assertTrue(selenium.isElementPresent("//input[@value='user1']"));
Modified: incubator/syncope/trunk/console/src/test/java/org/syncope/console/ResourceTestITCase.java
URL: http://svn.apache.org/viewvc/incubator/syncope/trunk/console/src/test/java/org/syncope/console/ResourceTestITCase.java?rev=1308872&r1=1308871&r2=1308872&view=diff
==============================================================================
--- incubator/syncope/trunk/console/src/test/java/org/syncope/console/ResourceTestITCase.java (original)
+++ incubator/syncope/trunk/console/src/test/java/org/syncope/console/ResourceTestITCase.java Tue Apr 3 12:47:28 2012
@@ -97,8 +97,7 @@ public class ResourceTestITCase extends
selenium.waitForCondition("selenium.isElementPresent(\"//div[@id='tabs']\");", "30000");
- selenium
- .click("//*[@id=\"users-contain\"]//" + "*[span=\"ws-target-resource-delete\"]/../td[4]/span/span[7]/a");
+ selenium.click("//*[@id=\"users-contain\"]//*[span=\"ws-target-resource-delete\"]/../td[4]/span/span[7]/a");
selenium.waitForCondition("selenium.isElementPresent("
+ "\"//form/div[2]/div/span/div/div/div/label[text()='Name']\");", "30000");
Modified: incubator/syncope/trunk/core/src/main/java/org/syncope/core/persistence/dao/RoleDAO.java
URL: http://svn.apache.org/viewvc/incubator/syncope/trunk/core/src/main/java/org/syncope/core/persistence/dao/RoleDAO.java?rev=1308872&r1=1308871&r2=1308872&view=diff
==============================================================================
--- incubator/syncope/trunk/core/src/main/java/org/syncope/core/persistence/dao/RoleDAO.java (original)
+++ incubator/syncope/trunk/core/src/main/java/org/syncope/core/persistence/dao/RoleDAO.java Tue Apr 3 12:47:28 2012
@@ -19,6 +19,7 @@
package org.syncope.core.persistence.dao;
import java.util.List;
+import java.util.Set;
import org.syncope.core.persistence.beans.Entitlement;
import org.syncope.core.persistence.beans.ExternalResource;
import org.syncope.core.persistence.beans.membership.Membership;
@@ -39,6 +40,8 @@ public interface RoleDAO extends DAO {
List<SyncopeRole> findChildren(Long roleId);
+ Set<SyncopeRole> findAncestors(SyncopeRole role);
+
List<SyncopeRole> findAll();
List<Membership> findMemberships(SyncopeRole role);
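Review bot: `findAncestors` on line 103 is added without Javadoc, and its contract matters because its result feeds entitlement resolution in SyncopeUserDetailsService: state whether the role itself can appear in the returned set, that the walk goes up to the root, and what happens on a parent cycle. Suggested: `/** Returns the ancestors of the given role, following parent links up to the root; the role itself is not part of the result unless the parent chain loops back to it. */`, adjusted to whatever the implementation actually guarantees.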
Modified: incubator/syncope/trunk/core/src/main/java/org/syncope/core/persistence/dao/impl/RoleDAOImpl.java
URL: http://svn.apache.org/viewvc/incubator/syncope/trunk/core/src/main/java/org/syncope/core/persistence/dao/impl/RoleDAOImpl.java?rev=1308872&r1=1308871&r2=1308872&view=diff
==============================================================================
--- incubator/syncope/trunk/core/src/main/java/org/syncope/core/persistence/dao/impl/RoleDAOImpl.java (original)
+++ incubator/syncope/trunk/core/src/main/java/org/syncope/core/persistence/dao/impl/RoleDAOImpl.java Tue Apr 3 12:47:28 2012
@@ -18,7 +18,9 @@
*/
package org.syncope.core.persistence.dao.impl;
+import java.util.HashSet;
import java.util.List;
+import java.util.Set;
import javax.persistence.NoResultException;
import javax.persistence.Query;
import javax.persistence.TypedQuery;
@@ -105,6 +107,20 @@ public class RoleDAOImpl extends Abstrac
return query.getResultList();
}
+ private void findAncestors(final Set<SyncopeRole> result, final SyncopeRole role) {
+ if (role.getParent() != null && !result.contains(role.getParent())) {
+ result.add(role.getParent());
+ findAncestors(result, role.getParent());
+ }
+ }
+
+ @Override
+ public Set<SyncopeRole> findAncestors(final SyncopeRole role) {
+ Set<SyncopeRole> result = new HashSet<SyncopeRole>();
+ findAncestors(result, role);
+ return result;
+ }
+
@Override
public List<SyncopeRole> findAll() {
Query query = entityManager.createQuery("SELECT e FROM SyncopeRole e");
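Review bot: The recursive helper on lines 124-129 does terminate on a parent cycle thanks to the `contains` check, but in that case the starting role itself is added to its own ancestor set, and the recursion depth grows with the hierarchy depth for no benefit. A loop makes both properties explicit and removes the private overload: keep the `result` declaration on line 133 and replace the helper call with `SyncopeRole parent = role.getParent(); while (parent != null && !parent.equals(role) && result.add(parent)) { parent = parent.getParent(); }`. Like the original's `contains`, this relies on `SyncopeRole` equality being meaningful for the same entity, which is not visible here; `role` is also dereferenced unchecked, so a `Objects`-style null guard or a Javadoc precondition would document that callers must pass a non-null role.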
Modified: incubator/syncope/trunk/core/src/main/java/org/syncope/core/security/SyncopeUserDetailsService.java
URL: http://svn.apache.org/viewvc/incubator/syncope/trunk/core/src/main/java/org/syncope/core/security/SyncopeUserDetailsService.java?rev=1308872&r1=1308871&r2=1308872&view=diff
==============================================================================
--- incubator/syncope/trunk/core/src/main/java/org/syncope/core/security/SyncopeUserDetailsService.java (original)
+++ incubator/syncope/trunk/core/src/main/java/org/syncope/core/security/SyncopeUserDetailsService.java Tue Apr 3 12:47:28 2012
@@ -72,11 +72,10 @@ public class SyncopeUserDetailsService i
throw new UsernameNotFoundException("Could not find any user with id " + username);
}
- // Give entitlements based on roles owned by user,
- // considering role inheritance as well
+ // Give entitlements based on roles owned by user, and their ancestors
Set<SyncopeRole> roles = new HashSet<SyncopeRole>(user.getRoles());
- for (Long roleId : user.getRoleIds()) {
- roles.addAll(roleDAO.findChildren(roleId));
+ for (SyncopeRole role : user.getRoles()) {
+ roles.addAll(roleDAO.findAncestors(role));
}
for (SyncopeRole role : roles) {
for (Entitlement entitlement : role.getEntitlements()) {
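Review bot: The comment on line 151 says what is collected but not which way privilege flows, and that is the security-relevant fact of this change: a member of a role now receives every entitlement of every role above it up to the root, so an entitlement granted to a top-level role reaches every user of every descendant role. Make that explicit so the blast radius of an ancestor-role misconfiguration is visible to whoever edits role trees: `// Entitlements are inherited top-down: a user holds the entitlements of each of its roles plus those of all their ancestors up to the root, so an entitlement granted high in the tree reaches every descendant's members.` loadUserByUsername begins before this hunk and continues after it.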
Modified: incubator/syncope/trunk/core/src/test/java/org/syncope/core/rest/AuthenticationTestITCase.java
URL: http://svn.apache.org/viewvc/incubator/syncope/trunk/core/src/test/java/org/syncope/core/rest/AuthenticationTestITCase.java?rev=1308872&r1=1308871&r2=1308872&view=diff
==============================================================================
--- incubator/syncope/trunk/core/src/test/java/org/syncope/core/rest/AuthenticationTestITCase.java (original)
+++ incubator/syncope/trunk/core/src/test/java/org/syncope/core/rest/AuthenticationTestITCase.java Tue Apr 3 12:47:28 2012
@@ -99,8 +99,8 @@ public class AuthenticationTestITCase ex
assertNotNull(schemaTO);
// 4. read the schema created above (as user) - success
- PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate
- .getRequestFactory());
+ PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate.
+ getRequestFactory());
((DefaultHttpClient) requestFactory.getHttpClient()).getCredentialsProvider().setCredentials(
requestFactory.getAuthScope(), new UsernamePasswordCredentials(userTO.getUsername(), "password123"));
@@ -142,8 +142,8 @@ public class AuthenticationTestITCase ex
userTO = restTemplate.postForObject(BASE_URL + "user/create", userTO, UserTO.class);
assertNotNull(userTO);
- PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate
- .getRequestFactory());
+ PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate.
+ getRequestFactory());
((DefaultHttpClient) requestFactory.getHttpClient()).getCredentialsProvider().setCredentials(
requestFactory.getAuthScope(), new UsernamePasswordCredentials(userTO.getUsername(), "password123"));
@@ -181,8 +181,8 @@ public class AuthenticationTestITCase ex
userTO = restTemplate.postForObject(BASE_URL + "user/create", userTO, UserTO.class);
assertNotNull(userTO);
- PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate
- .getRequestFactory());
+ PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate.
+ getRequestFactory());
((DefaultHttpClient) requestFactory.getHttpClient()).getCredentialsProvider().setCredentials(
requestFactory.getAuthScope(), new UsernamePasswordCredentials(userTO.getUsername(), "password123"));
@@ -231,13 +231,13 @@ public class AuthenticationTestITCase ex
userTO = restTemplate.postForObject(BASE_URL + "user/create", userTO, UserTO.class);
assertNotNull(userTO);
- PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate
- .getRequestFactory());
+ PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate.
+ getRequestFactory());
((DefaultHttpClient) requestFactory.getHttpClient()).getCredentialsProvider().setCredentials(
requestFactory.getAuthScope(), new UsernamePasswordCredentials(userTO.getUsername(), "password123"));
- UserTO readUserTO = restTemplate.getForObject(BASE_URL + "user/read/{userId}.json", UserTO.class, userTO
- .getId());
+ UserTO readUserTO =
+ restTemplate.getForObject(BASE_URL + "user/read/{userId}.json", UserTO.class, userTO.getId());
assertNotNull(readUserTO);
assertNotNull(readUserTO.getFailedLogins());
@@ -299,8 +299,8 @@ public class AuthenticationTestITCase ex
userTO = restTemplate.postForObject(BASE_URL + "user/create", userTO, UserTO.class);
assertNotNull(userTO);
- PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate
- .getRequestFactory());
+ PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate.
+ getRequestFactory());
((DefaultHttpClient) requestFactory.getHttpClient()).getCredentialsProvider().setCredentials(
requestFactory.getAuthScope(), new UsernamePasswordCredentials(userTO.getUsername(), "password123"));
@@ -407,4 +407,52 @@ public class AuthenticationTestITCase ex
assertNotNull(userTO);
assertEquals(Integer.valueOf(0), userTO.getFailedLogins());
}
+
+ @Test
+ public void issueSYNCOPE48() {
+ // Parent role, able to create users with role 1
+ RoleTO parentRole = new RoleTO();
+ parentRole.setName("parentAdminRole");
+ parentRole.addEntitlement("USER_CREATE");
+ parentRole.addEntitlement("ROLE_1");
+ parentRole.setParent(1L);
+
+ parentRole = restTemplate.postForObject(BASE_URL + "role/create", parentRole, RoleTO.class);
+ assertNotNull(parentRole);
+
+ // Child role, with no entitlements
+ RoleTO childRole = new RoleTO();
+ childRole.setName("childAdminRole");
+ childRole.setParent(parentRole.getId());
+
+ childRole = restTemplate.postForObject(BASE_URL + "role/create", childRole, RoleTO.class);
+ assertNotNull(childRole);
+
+ // User with child role, created by admin
+ UserTO role1Admin = UserTestITCase.getSampleTO("syncope48admin@apache.org");
+ role1Admin.setPassword("password");
+ MembershipTO membershipTO = new MembershipTO();
+ membershipTO.setRoleId(childRole.getId());
+ role1Admin.addMembership(membershipTO);
+
+ role1Admin = restTemplate.postForObject(BASE_URL + "user/create", role1Admin, UserTO.class);
+ assertNotNull(role1Admin);
+
+ PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate.
+ getRequestFactory());
+ ((DefaultHttpClient) requestFactory.getHttpClient()).getCredentialsProvider().setCredentials(
+ requestFactory.getAuthScope(), new UsernamePasswordCredentials(role1Admin.getUsername(), "password"));
+
+ // User with role 1, created by user with child role created above
+ UserTO role1User = UserTestITCase.getSampleTO("syncope48user@apache.org");
+ membershipTO = new MembershipTO();
+ membershipTO.setRoleId(1L);
+ role1User.addMembership(membershipTO);
+
+ role1User = restTemplate.postForObject(BASE_URL + "user/create", role1User, UserTO.class);
+ assertNotNull(role1User);
+
+ // reset admin credentials for restTemplate
+ super.setupRestTemplate();
+ }
}
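Review bot: `super.setupRestTemplate()` on line 266 runs only if every preceding call succeeds; if the create on line 262 or an assertion fails, the shared restTemplate stays authenticated as the `syncope48admin` user and subsequent tests in this class run with the wrong credentials, which can mask or cause unrelated failures. Wrap everything after the credential switch on lines 253-254 in `try { ... } finally { super.setupRestTemplate(); }`. The test is also positive-only: it shows the child-role admin can create a user in role 1, but never checks a boundary, e.g. that creating a user with a membership in a role not covered by the parent's `ROLE_1` entitlement is rejected (presumably with `HttpStatus.FORBIDDEN`, as UserRequestTestITCase now asserts), which is what distinguishes correct inheritance from granting everything.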
Modified: incubator/syncope/trunk/core/src/test/java/org/syncope/core/rest/UserRequestTestITCase.java
URL: http://svn.apache.org/viewvc/incubator/syncope/trunk/core/src/test/java/org/syncope/core/rest/UserRequestTestITCase.java?rev=1308872&r1=1308871&r2=1308872&view=diff
==============================================================================
--- incubator/syncope/trunk/core/src/test/java/org/syncope/core/rest/UserRequestTestITCase.java (original)
+++ incubator/syncope/trunk/core/src/test/java/org/syncope/core/rest/UserRequestTestITCase.java Tue Apr 3 12:47:28 2012
@@ -26,6 +26,7 @@ import org.apache.http.auth.UsernamePass
import org.apache.http.impl.client.DefaultHttpClient;
import org.junit.Test;
import org.springframework.http.HttpStatus;
+import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.HttpStatusCodeException;
import org.syncope.client.http.PreemptiveAuthHttpRequestFactory;
import org.syncope.client.mod.UserMod;
@@ -42,19 +43,17 @@ public class UserRequestTestITCase exten
@Test
public void selfRead() {
- PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate
- .getRequestFactory());
+ PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate.
+ getRequestFactory());
((DefaultHttpClient) requestFactory.getHttpClient()).getCredentialsProvider().setCredentials(
requestFactory.getAuthScope(), new UsernamePasswordCredentials("user1", "password"));
- SyncopeClientException exception = null;
try {
restTemplate.getForObject(BASE_URL + "user/read/{userId}.json", UserTO.class, 1);
fail();
- } catch (SyncopeClientCompositeErrorException e) {
- exception = e.getException(SyncopeClientExceptionType.UnauthorizedRole);
+ } catch (HttpClientErrorException e) {
+ assertEquals(HttpStatus.FORBIDDEN, e.getStatusCode());
}
- assertNotNull(exception);
UserTO userTO = restTemplate.getForObject(BASE_URL + "user/request/read/self", UserTO.class);
assertEquals("user1", userTO.getUsername());
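Review bot: The rewritten catch on lines 297-298 accepts any 403 where the previous version required the specific `UnauthorizedRole` composite error, so a 403 raised for an unrelated reason now passes the test. If the server still reports the specific error type in its response, assert it inside the catch as well; otherwise at least record the intent with `// 403 expected: user1 has no entitlement to read other users, only itself via user/request/read/self`. selfRead is fully inside this hunk; the remaining hunks in this file are formatting only.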
@@ -103,8 +102,8 @@ public class UserRequestTestITCase exten
attrCond.setSchema("userId");
attrCond.setExpression("selfcreate@syncope-idm.org");
- final List<UserTO> matchingUsers = Arrays.asList(restTemplate.postForObject(BASE_URL + "user/search", NodeCond
- .getLeafCond(attrCond), UserTO[].class));
+ final List<UserTO> matchingUsers = Arrays.asList(restTemplate.postForObject(BASE_URL + "user/search", NodeCond.
+ getLeafCond(attrCond), UserTO[].class));
assertTrue(matchingUsers.isEmpty());
// 7. actually create user
@@ -136,8 +135,8 @@ public class UserRequestTestITCase exten
assertNotNull(exception);
// 3. auth as user just created
- PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate
- .getRequestFactory());
+ PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate.
+ getRequestFactory());
((DefaultHttpClient) requestFactory.getHttpClient()).getCredentialsProvider().setCredentials(
requestFactory.getAuthScope(), new UsernamePasswordCredentials(userTO.getUsername(), initialPassword));
@@ -194,8 +193,8 @@ public class UserRequestTestITCase exten
assertNotNull(exception);
// 3. auth as user just created
- PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate
- .getRequestFactory());
+ PreemptiveAuthHttpRequestFactory requestFactory = ((PreemptiveAuthHttpRequestFactory) restTemplate.
+ getRequestFactory());
((DefaultHttpClient) requestFactory.getHttpClient()).getCredentialsProvider().setCredentials(
requestFactory.getAuthScope(), new UsernamePasswordCredentials(userTO.getUsername(), initialPassword));