Examples of org.apache.wiki.auth.authorize.Group

• org.apache.wiki.auth.authorize.Group

  Groups are a specialized type of ad-hoc role used by the wiki system. Unlike externally-provided roles (such as those provided by an LDAP server or web container), JSPWiki groups can be created dynamically by wiki users, without requiring special container privileges or administrator intervention. They are designed to provide a lightweight role-based access control system that complements existing role systems.

  Group names are case-insensitive, and have a few naming restrictions, which are enforced by the {@link GroupManager}:

  • Groups cannot have the same name as a built-in Role (e.g., "Admin", "Authenticated" etc.)
  • Groups cannot have the same name as an existing user

  Note: prior to JSPWiki 2.4.19, Group was an interface; it is now a concrete, final class.

  Groups are related to {@link GroupPrincipal}s. A GroupPrincipal, when injected into the Principal set of a WikiSession's Subject, means that the user is a member of a Group of the same name -- it is, in essence, an "authorization token." GroupPrincipals, unlike Groups, are thread-safe, lightweight and immutable. That's why we use them in Subjects rather than the Groups themselves.

  @since 2.3

   }

    public void testParseGroup() throws WikiSecurityException
    {
        String members = "Biff";
        Group group = m_groupMgr.parseGroup( "Group1", members, true );
        assertEquals( 1, group.members().length );
        assertTrue ( group.isMember( new WikiPrincipal( "Biff" ) ) );

        members = "Biff \n SteveAustin \n FredFlintstone";
        group = m_groupMgr.parseGroup( "Group2", members, true );
        assertEquals( 3, group.members().length );
        assertTrue ( group.isMember( new WikiPrincipal( "Biff" ) ) );
        assertTrue ( group.isMember( new WikiPrincipal( "SteveAustin" ) ) );
        assertTrue ( group.isMember( new WikiPrincipal( "FredFlintstone" ) ) );
    }

        {
            // It's not a problem if we get here...
        }
        m_trap.clearEvents();

        Group group = m_groupMgr.parseGroup( "Events", "", true );
        m_groupMgr.setGroup( m_session, group );
        WikiSecurityEvent event;
        group = m_groupMgr.getGroup( "Events" );
        group.add( new WikiPrincipal( "Alice" ) );
        group.add( new WikiPrincipal( "Bob" ) );
        group.add( new WikiPrincipal( "Charlie" ) );

        // We should see a GROUP_ADD event
        WikiSecurityEvent[] events = m_trap.events();
        assertEquals( 1, events.length );
        event = events[0];

            userDb.save( profile );
        }

        // Create a new admin group
        GroupManager groupMgr = m_engine.getGroupManager();
        Group group = null;
        try
        {
            group = groupMgr.getGroup( ADMIN_GROUP );
            group.add( new WikiPrincipal( ADMIN_NAME ) );
        }
        catch ( NoSuchPrincipalException e )
        {
            group = groupMgr.parseGroup( ADMIN_GROUP, ADMIN_NAME, true );
        }

            {
                switch (e.getType() )
                {
                    case WikiSecurityEvent.GROUP_ADD:
                    {
                        Group group = (Group)e.getTarget();
                        if ( isInGroup( group ) )
                        {
                            m_subject.getPrincipals().add( group.getPrincipal() );
                        }
                        break;
                    }
                    case WikiSecurityEvent.GROUP_REMOVE:
                    {
                        Group group = (Group)e.getTarget();
                        if ( m_subject.getPrincipals().contains( group.getPrincipal() ) )
                        {
                            m_subject.getPrincipals().remove( group.getPrincipal() );
                        }
                        break;
                    }
                    case WikiSecurityEvent.GROUP_CLEAR_GROUPS:
                    {

        GroupManager manager = m_engine.getGroupManager();
        SecurityEventTrap trap = new SecurityEventTrap();
        manager.addWikiEventListener( trap );

        // Create two groups; one with Janne in it, and one without
        Group groupTest1 = m_groupMgr.parseGroup( "Test1", "JanneJalkanen \n Bob \n Charlie", true );
        m_groupMgr.setGroup( m_session, groupTest1 );
        groupTest1 = m_groupMgr.getGroup( "Test1" );
        Principal principalTest1 = groupTest1.getPrincipal();

        Group groupTest2 = m_groupMgr.parseGroup( "Test2", "Alice \n Bob \n Charlie", true );
        m_groupMgr.setGroup( m_session, groupTest2 );
        groupTest2 = m_groupMgr.getGroup( "Test2" );
        Principal principalTest2 = groupTest2.getPrincipal();

        // We should see two security events (one for each group create)
        // We should also see a GroupPrincipal for group Test1, but not Test2
        assertEquals( 2, trap.events().length );
        assertTrue( session.hasPrincipal( principalTest1 ) );
        assertFalse( session.hasPrincipal( principalTest2 ) );

        // If we remove Test1, the GroupPrincipal should disappear
        m_groupMgr.removeGroup( "Test1" );
        assertFalse( session.hasPrincipal( principalTest1 ) );
        assertFalse( session.hasPrincipal( principalTest2 ) );

        // Now, add 'JanneJalkanen' to Test2 group manually; we should see the
        // GroupPrincipal
        groupTest2.add( new WikiPrincipal( "JanneJalkanen" ) );
        m_groupMgr.setGroup( session, groupTest2 );
        assertFalse( session.hasPrincipal( principalTest1 ) );
        assertTrue( session.hasPrincipal( principalTest2 ) );

        // Remove 'JanneJalkenen' manually; the GroupPrincipal should disappear
        groupTest2.remove( new WikiPrincipal( "JanneJalkanen" ) );
        m_groupMgr.setGroup( session, groupTest2 );
        assertFalse( session.hasPrincipal( principalTest1 ) );
        assertFalse( session.hasPrincipal( principalTest2 ) );

        // Clean up

      assertEquals( oldName, profile.getFullname() );
      assertEquals( oldUserCount+1, m_db.getWikiNames().length );
      assertTrue( session.isAuthenticated() );

      // Setup Step 2: create a new group with our test user in it
      Group group = groupManager.parseGroup( m_groupName, "Alice \n Bob \n Charlie \n " + oldLogin + "\n" + oldName, true );
      groupManager.setGroup( session, group );

      // 2a. Make sure the group is created with the user in it, and the role is added to the Subject
      assertEquals( oldGroupCount+1, groupManager.getRoles().length );
      assertTrue  ( group.isMember( new WikiPrincipal( oldLogin ) ) );
      assertTrue  ( group.isMember( new WikiPrincipal( oldName  ) ) );
      assertFalse ( group.isMember( new WikiPrincipal( newLogin ) ) );
      assertFalse ( group.isMember( new WikiPrincipal( newName  ) ) );
      assertTrue  ( groupManager.isUserInRole( session, group.getPrincipal() ) );

      // Setup Step 3: create a new page with our test user in the ACL
      String pageName = "TestPage" + now;
      m_engine.saveText( pageName, "Test text. [{ALLOW view " + oldName + ", " + oldLogin + ", Alice}] More text." );

      // 3a. Make sure the page got saved, and that ONLY our test user has permission to read it.
      WikiPage p = m_engine.getPage( pageName );
      assertEquals ( oldPageCount+1, pageManager.getTotalPageCount() );
      assertNotNull( p.getAcl().getEntry( new WikiPrincipal( oldLogin ) ) );
      assertNotNull( p.getAcl().getEntry( new WikiPrincipal( oldName  ) ) );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( newLogin ) ) );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( newName  ) ) );
      assertTrue   ( "Test User view page", authManager.checkPermission( session, PermissionFactory.getPagePermission( p, "view" ) ) );
      WikiSession bobSession = WikiSessionTest.authenticatedSession( m_engine, Users.BOB, Users.BOB_PASS );
      assertFalse  ( "Bob !view page", authManager.checkPermission( bobSession, PermissionFactory.getPagePermission( p, "view" ) ) );

      // Setup Step 4: change the user name in the profile and see what happens
      profile = m_db.newProfile();
      profile.setEmail    ( "jspwiki.tests@mailinator.com" );
      profile.setLoginName( oldLogin );
      profile.setFullname ( newName );
      profile.setPassword ( "password" );
      m_mgr.setUserProfile( session, profile );

      // Test 1: the wiki session should have the new wiki name in Subject
      Principal[] principals = session.getPrincipals();
      assertTrue ( ArrayUtils.contains( principals, new WikiPrincipal( oldLogin ) ) );
      assertFalse( ArrayUtils.contains( principals, new WikiPrincipal( oldName  ) ) );
      assertFalse( ArrayUtils.contains( principals, new WikiPrincipal( newLogin ) ) );
      assertTrue ( ArrayUtils.contains( principals, new WikiPrincipal( newName  ) ) );

      // Test 2: our group should not contain the old name OR login name any more
      // (the full name is always used)
      group = groupManager.getGroup( m_groupName );
      assertFalse( group.isMember( new WikiPrincipal( oldLogin ) ) );
      assertFalse( group.isMember( new WikiPrincipal( oldName  ) ) );
      assertFalse( group.isMember( new WikiPrincipal( newLogin ) ) );
      assertTrue ( group.isMember( new WikiPrincipal( newName  ) ) );

      // Test 3: our page should not contain the old wiki name OR login name
      // in the ACL any more (the full name is always used)
      p = m_engine.getPage( pageName );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( oldLogin ) ) );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( oldName  ) ) );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( newLogin ) ) );
      assertNotNull( p.getAcl().getEntry( new WikiPrincipal( newName  ) ) );
      assertTrue( "Test User view page", authManager.checkPermission( session, PermissionFactory.getPagePermission( p, "view" ) ) );
      assertFalse( "Bob !view page", authManager.checkPermission( bobSession, PermissionFactory.getPagePermission( p, "view" ) ) );

      // Test 4: our page text should have been re-written
      // (The new full name should be in the ACL, but the login name should have been removed)
      String expectedText = "[{ALLOW view Alice," + newName + "}]\nTest text.  More text.\r\n";
      String actualText = m_engine.getText( pageName );
      assertEquals( expectedText, actualText );

      // Remove our test page
      m_engine.deletePage( pageName );

      // Setup Step 6: re-create the group with our old test user names in it
      group = groupManager.parseGroup( m_groupName, "Alice \n Bob \n Charlie \n " + oldLogin + "\n" + oldName, true );
      groupManager.setGroup( session, group );

      // Setup Step 7: Save a new page with the old login/wiki names in the ACL again
      // The test user should still be able to see the page (because the login name matches...)
      pageName = "TestPage2" + now;
      m_engine.saveText( pageName, "More test text. [{ALLOW view " + oldName + ", " + oldLogin + ", Alice}] More text." );
      p = m_engine.getPage( pageName );
      assertEquals ( oldPageCount+1, pageManager.getTotalPageCount() );
      assertNotNull( p.getAcl().getEntry( new WikiPrincipal( oldLogin ) ) );
      assertNotNull( p.getAcl().getEntry( new WikiPrincipal( oldName  ) ) );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( newLogin ) ) );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( newName  ) ) );
      assertTrue   ( "Test User view page", authManager.checkPermission( session, PermissionFactory.getPagePermission( p, "view" ) ) );
      assertFalse  ( "Bob !view page", authManager.checkPermission( bobSession, PermissionFactory.getPagePermission( p, "view" ) ) );

      // Setup Step 8: re-save the profile with the new login name
      profile = m_db.newProfile();
      profile.setEmail    ( "jspwiki.tests@mailinator.com" );
      profile.setLoginName( newLogin );
      profile.setFullname ( oldName );
      profile.setPassword ( "password" );
      m_mgr.setUserProfile( session, profile );

      // Test 5: the wiki session should have the new login name in Subject
      principals = session.getPrincipals();
      assertFalse( ArrayUtils.contains( principals, new WikiPrincipal( oldLogin ) ) );
      assertTrue ( ArrayUtils.contains( principals, new WikiPrincipal( oldName  ) ) );
      assertTrue ( ArrayUtils.contains( principals, new WikiPrincipal( newLogin ) ) );
      assertFalse( ArrayUtils.contains( principals, new WikiPrincipal( newName  ) ) );

      // Test 6: our group should not contain the old name OR login name any more
      // (the full name is always used)
      group = groupManager.getGroup( m_groupName );
      assertFalse( group.isMember( new WikiPrincipal( oldLogin ) ) );
      assertTrue ( group.isMember( new WikiPrincipal( oldName  ) ) );
      assertFalse( group.isMember( new WikiPrincipal( newLogin ) ) );
      assertFalse( group.isMember( new WikiPrincipal( newName  ) ) );

      // Test 7: our page should not contain the old wiki name OR login name
      // in the ACL any more (the full name is always used)
      p = m_engine.getPage( pageName );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( oldLogin ) ) );
      assertNotNull( p.getAcl().getEntry( new WikiPrincipal( oldName  ) ) );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( newLogin ) ) );
      assertNull   ( p.getAcl().getEntry( new WikiPrincipal( newName  ) ) );
      assertTrue( "Test User view page", authManager.checkPermission( session, PermissionFactory.getPagePermission( p, "view" ) ) );
      assertFalse( "Bob !view page", authManager.checkPermission( bobSession, PermissionFactory.getPagePermission( p, "view" ) ) );

      // Test 8: our page text should have been re-written
      // (The new full name should be in the ACL, but the login name should have been removed)
      expectedText = "[{ALLOW view Alice," + oldName + "}]\nMore test text.  More text.\r\n";
      actualText = m_engine.getText( pageName );
      assertEquals( expectedText, actualText );

      // CLEANUP: delete the profile; user and page; should be back to old counts
      m_db.deleteByLoginName( newLogin );
      assertEquals( oldUserCount, m_db.getWikiNames().length );

      groupManager.removeGroup( group.getName() );
      assertEquals( oldGroupCount, groupManager.getRoles().length );

      m_engine.deletePage( pageName );
      assertEquals( oldPageCount, pageManager.getTotalPageCount() );
  }

            {
                switch (e.getType() )
                {
                    case WikiSecurityEvent.GROUP_ADD:
                    {
                        Group group = (Group)e.getTarget();
                        if ( isInGroup( group ) )
                        {
                            m_subject.getPrincipals().add( group.getPrincipal() );
                        }
                        break;
                    }
                    case WikiSecurityEvent.GROUP_REMOVE:
                    {
                        Group group = (Group)e.getTarget();
                        if ( m_subject.getPrincipals().contains( group.getPrincipal() ) )
                        {
                            m_subject.getPrincipals().remove( group.getPrincipal() );
                        }
                        break;
                    }
                    case WikiSecurityEvent.GROUP_CLEAR_GROUPS:
                    {

            userDb.save( profile );
        }

        // Create a new admin group
        GroupManager groupMgr = m_engine.getGroupManager();
        Group group = null;
        try
        {
            group = groupMgr.getGroup( ADMIN_GROUP );
            group.add( new WikiPrincipal( ADMIN_NAME ) );
        }
        catch ( NoSuchPrincipalException e )
        {
            group = groupMgr.parseGroup( ADMIN_GROUP, ADMIN_NAME, true );
        }

        m_acl.addEntry( ae2 );
        m_acl.addEntry( ae3 );
        m_acl.addEntry( ae4 );

        // Foo group includes Alice and Bob
        Group foo = m_groupMgr.parseGroup( "FooGroup", "", true );
        m_groupMgr.setGroup( m_session, foo );
        foo.add( uAlice );
        foo.add( uBob );
        AclEntry ag1 = new AclEntryImpl();
        ag1.setPrincipal( foo.getPrincipal() );
        ag1.addPermission( PagePermission.EDIT );
        m_aclGroup.addEntry( ag1 );
        m_groups.put( "FooGroup", foo );

        // Bar group includes Bob and Charlie
        Group bar = m_groupMgr.parseGroup( "BarGroup", "", true );
        m_groupMgr.setGroup( m_session, bar );
        bar.add( uBob );
        bar.add( uCharlie );
        AclEntry ag2 = new AclEntryImpl();
        ag2.setPrincipal( bar.getPrincipal() );
        ag2.addPermission( PagePermission.VIEW );
        m_aclGroup.addEntry( ag2 );
        m_groups.put( "BarGroup", bar );
    }

        for( int i = 0; i < array.length; i++ )
        {
            if ( array[i] instanceof GroupPrincipal )
            {
                String groupName = ((GroupPrincipal)array[i]).getName();
                Group group = m_groups.get( groupName );
                if ( group != null && group.isMember( key ) )
                {
                    return true;
                }
            }
        }