Package org.springframework.security.acls.domain

Source Code of org.springframework.security.acls.domain.AclImplementationSecurityCheckTests

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
package org.springframework.security.acls.domain;

import static org.junit.Assert.*;

import org.junit.*;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.acls.model.Acl;
import org.springframework.security.acls.model.MutableAcl;
import org.springframework.security.acls.model.NotFoundException;
import org.springframework.security.acls.model.ObjectIdentity;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/**
* Test class for {@link AclAuthorizationStrategyImpl} and {@link AclImpl}
* security checks.
*
* @author Andrei Stefan
*/
public class AclImplementationSecurityCheckTests {
    private static final String TARGET_CLASS = "org.springframework.security.acls.TargetObject";

    //~ Methods ========================================================================================================

    @Before
    public void setUp() throws Exception {
        SecurityContextHolder.clearContext();
    }

    @After
    public void tearDown() throws Exception {
        SecurityContextHolder.clearContext();
    }

    @Test
    public void testSecurityCheckNoACEs() throws Exception {
        Authentication auth = new TestingAuthenticationToken("user", "password","ROLE_GENERAL","ROLE_AUDITING","ROLE_OWNERSHIP");
        auth.setAuthenticated(true);
        SecurityContextHolder.getContext().setAuthentication(auth);

        ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, new Long(100));
        AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
                new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"),
                new SimpleGrantedAuthority("ROLE_GENERAL"));

        Acl acl = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, new ConsoleAuditLogger());

        aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_GENERAL);
        aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_AUDITING);
        aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);

        // Create another authorization strategy
        AclAuthorizationStrategy aclAuthorizationStrategy2 = new AclAuthorizationStrategyImpl(
                new SimpleGrantedAuthority("ROLE_ONE"), new SimpleGrantedAuthority("ROLE_TWO"),
                new SimpleGrantedAuthority("ROLE_THREE"));
        Acl acl2 = new AclImpl(identity, new Long(1), aclAuthorizationStrategy2, new ConsoleAuditLogger());
        // Check access in case the principal has no authorization rights
        try {
            aclAuthorizationStrategy2.securityCheck(acl2, AclAuthorizationStrategy.CHANGE_GENERAL);
            fail("It should have thrown NotFoundException");
        }
        catch (NotFoundException expected) {
        }
        try {
            aclAuthorizationStrategy2.securityCheck(acl2, AclAuthorizationStrategy.CHANGE_AUDITING);
            fail("It should have thrown NotFoundException");
        }
        catch (NotFoundException expected) {
        }
        try {
            aclAuthorizationStrategy2.securityCheck(acl2, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
            fail("It should have thrown NotFoundException");
        }
        catch (NotFoundException expected) {
        }
    }

    @Test
    public void testSecurityCheckWithMultipleACEs() throws Exception {
        // Create a simple authentication with ROLE_GENERAL
        Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL");
        auth.setAuthenticated(true);
        SecurityContextHolder.getContext().setAuthentication(auth);

        ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, new Long(100));
        // Authorization strategy will require a different role for each access
        AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
                new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"),
                new SimpleGrantedAuthority("ROLE_GENERAL"));

        // Let's give the principal the ADMINISTRATION permission, without
        // granting access
        MutableAcl aclFirstDeny = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, new ConsoleAuditLogger());
        aclFirstDeny.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), false);

        // The CHANGE_GENERAL test should pass as the principal has ROLE_GENERAL
        aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_GENERAL);

        // The CHANGE_AUDITING and CHANGE_OWNERSHIP should fail since the
        // principal doesn't have these authorities,
        // nor granting access
        try {
            aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_AUDITING);
            fail("It should have thrown AccessDeniedException");
        }
        catch (AccessDeniedException expected) {
        }
        try {
            aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
            fail("It should have thrown AccessDeniedException");
        }
        catch (AccessDeniedException expected) {
        }

        // Add granting access to this principal
        aclFirstDeny.insertAce(1, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
        // and try again for CHANGE_AUDITING - the first ACE's granting flag
        // (false) will deny this access
        try {
            aclAuthorizationStrategy.securityCheck(aclFirstDeny, AclAuthorizationStrategy.CHANGE_AUDITING);
            fail("It should have thrown AccessDeniedException");
        }
        catch (AccessDeniedException expected) {
        }

        // Create another ACL and give the principal the ADMINISTRATION
        // permission, with granting access
        MutableAcl aclFirstAllow = new AclImpl(identity, new Long(1), aclAuthorizationStrategy,
                new ConsoleAuditLogger());
        aclFirstAllow.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);

        // The CHANGE_AUDITING test should pass as there is one ACE with
        // granting access

        aclAuthorizationStrategy.securityCheck(aclFirstAllow, AclAuthorizationStrategy.CHANGE_AUDITING);

        // Add a deny ACE and test again for CHANGE_AUDITING
        aclFirstAllow.insertAce(1, BasePermission.ADMINISTRATION, new PrincipalSid(auth), false);
        try {
            aclAuthorizationStrategy.securityCheck(aclFirstAllow, AclAuthorizationStrategy.CHANGE_AUDITING);
            assertTrue(true);
        }
        catch (AccessDeniedException notExpected) {
            fail("It shouldn't have thrown AccessDeniedException");
        }

        // Create an ACL with no ACE
        MutableAcl aclNoACE = new AclImpl(identity, new Long(1), aclAuthorizationStrategy, new ConsoleAuditLogger());
        try {
            aclAuthorizationStrategy.securityCheck(aclNoACE, AclAuthorizationStrategy.CHANGE_AUDITING);
            fail("It should have thrown NotFoundException");
        }
        catch (NotFoundException expected) {
            assertTrue(true);
        }
        // and still grant access for CHANGE_GENERAL
        try {
            aclAuthorizationStrategy.securityCheck(aclNoACE, AclAuthorizationStrategy.CHANGE_GENERAL);
            assertTrue(true);
        }
        catch (NotFoundException expected) {
            fail("It shouldn't have thrown NotFoundException");
        }
    }

    @Test
    public void testSecurityCheckWithInheritableACEs() throws Exception {
        // Create a simple authentication with ROLE_GENERAL
        Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_GENERAL");
        auth.setAuthenticated(true);
        SecurityContextHolder.getContext().setAuthentication(auth);

        ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, 100);
        // Authorization strategy will require a different role for each access
        AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
                new SimpleGrantedAuthority("ROLE_ONE"), new SimpleGrantedAuthority("ROLE_TWO"),
                new SimpleGrantedAuthority("ROLE_GENERAL"));

        // Let's give the principal an ADMINISTRATION permission, with granting
        // access
        MutableAcl parentAcl = new AclImpl(identity, 1, aclAuthorizationStrategy, new ConsoleAuditLogger());
        parentAcl.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
        MutableAcl childAcl = new AclImpl(identity, 2, aclAuthorizationStrategy, new ConsoleAuditLogger());

        // Check against the 'child' acl, which doesn't offer any authorization
        // rights on CHANGE_OWNERSHIP
        try {
            aclAuthorizationStrategy.securityCheck(childAcl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
            fail("It should have thrown NotFoundException");
        }
        catch (NotFoundException expected) {
            assertTrue(true);
        }

        // Link the child with its parent and test again against the
        // CHANGE_OWNERSHIP right
        childAcl.setParent(parentAcl);
        childAcl.setEntriesInheriting(true);
        try {
            aclAuthorizationStrategy.securityCheck(childAcl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
            assertTrue(true);
        }
        catch (NotFoundException expected) {
            fail("It shouldn't have thrown NotFoundException");
        }

        // Create a root parent and link it to the middle parent
        MutableAcl rootParentAcl = new AclImpl(identity, 1, aclAuthorizationStrategy,
                new ConsoleAuditLogger());
        parentAcl = new AclImpl(identity, 1, aclAuthorizationStrategy, new ConsoleAuditLogger());
        rootParentAcl.insertAce(0, BasePermission.ADMINISTRATION, new PrincipalSid(auth), true);
        parentAcl.setEntriesInheriting(true);
        parentAcl.setParent(rootParentAcl);
        childAcl.setParent(parentAcl);
        try {
            aclAuthorizationStrategy.securityCheck(childAcl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
            assertTrue(true);
        }
        catch (NotFoundException expected) {
            fail("It shouldn't have thrown NotFoundException");
        }
    }

    @SuppressWarnings("deprecation")
    @Test
    public void testSecurityCheckPrincipalOwner() throws Exception {
        Authentication auth = new TestingAuthenticationToken("user", "password", "ROLE_ONE");
        auth.setAuthenticated(true);
        SecurityContextHolder.getContext().setAuthentication(auth);

        ObjectIdentity identity = new ObjectIdentityImpl(TARGET_CLASS, 100);
        AclAuthorizationStrategy aclAuthorizationStrategy = new AclAuthorizationStrategyImpl(
                new SimpleGrantedAuthority("ROLE_OWNERSHIP"), new SimpleGrantedAuthority("ROLE_AUDITING"),
                new SimpleGrantedAuthority("ROLE_GENERAL"));

        Acl acl = new AclImpl(identity, 1, aclAuthorizationStrategy, new ConsoleAuditLogger(), null, null,
                false, new PrincipalSid(auth));
        try {
            aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_GENERAL);
        }
        catch (AccessDeniedException notExpected) {
            fail("It shouldn't have thrown AccessDeniedException");
        }
        try {
            aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_AUDITING);
            fail("It shouldn't have thrown AccessDeniedException");
        }
        catch (NotFoundException expected) {
        }
        try {
            aclAuthorizationStrategy.securityCheck(acl, AclAuthorizationStrategy.CHANGE_OWNERSHIP);
        }
        catch (AccessDeniedException notExpected) {
            fail("It shouldn't have thrown AccessDeniedException");
        }
    }
}
TOP

Related Classes of org.springframework.security.acls.domain.AclImplementationSecurityCheckTests

  • org.springframework.security.acls.model.Acl
  • org.springframework.security.acls.model.MutableAcl
  • org.springframework.security.acls.model.ObjectIdentity
  • org.springframework.security.authentication.TestingAuthenticationToken
  • org.springframework.security.core.Authentication
  • org.springframework.security.core.authority.SimpleGrantedAuthority
    • TOP
    Copyright © 2018 www.massapi.com. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.