Refactor for alternate implmentations of FedoraUserSecurityContext
mohideen authored and Andrew Woods committed Sep 2, 2015
1 parent b03c4ea commit 3b03cc1
Showing 9 changed files with 99 additions and 45 deletions.
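--- a/fcrepo-auth-common/pom.xml
+++ b/fcrepo-auth-common/pom.xml
@@ -159,6 +159,21 @@
 <groupId>org.codehaus.mojo</groupId>
 <artifactId>build-helper-maven-plugin</artifactId>
 </plugin>
+<plugin>
+<artifactId>maven-jar-plugin</artifactId>
+<executions>
+<execution>
+<goals>
+<goal>test-jar</goal>
+</goals>
+</execution>
+</executions>
+<configuration>
+<excludes>
+<exclude>logback-test.xml</exclude>
+</excludes>
+</configuration>
+</plugin>
 <plugin>
 <artifactId>maven-failsafe-plugin</artifactId>
 <configuration>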
@@ -78,7 +78,7 @@ public interface FedoraAuthorizationDelegate {
* @return true if the given session has permission at absPath for all of
* the given actions, or false otherwise
*/
boolean hasPermission(Session session, Path absPath, String[] actions);
public boolean hasPermission(Session session, Path absPath, String[] actions);

/**
* The principal that this delegate uses to represent the public "EVERYONE" user.
@@ -87,4 +87,11 @@ public interface FedoraAuthorizationDelegate {
*/
public Principal getEveryonePrincipal();

/**
* Get an instance of FedoraUserSecurityContext that is compatible with the auth module.
* @param userPrincipal the user principal associated with this security context
* @return auth module compatible instance of FedoraUserSecurityContext
*/
public FedoraUserSecurityContext getFedoraUserSecurityContext(final Principal userPrincipal);

}
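Review bot: The Javadoc on the new `getFedoraUserSecurityContext` leaves the null contract unstated, for both the argument and the return value. A test stub elsewhere in this commit calls the method with a null principal, so null input looks like an expected case, and the provider passes the result straight to `repositoryContext.with(...)`. I would extend the comment to `@param userPrincipal the user principal associated with this security context; may be null when the request carries none` and `@return a non-null FedoraUserSecurityContext bound to this delegate`. Because the returned context answers every later `hasPermission` call, implementers also deserve a sentence saying the object must represent exactly the principal passed in.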
@@ -37,9 +37,9 @@ public class FedoraUserSecurityContext implements SecurityContext,
private static final Logger LOGGER = LoggerFactory
.getLogger(FedoraUserSecurityContext.class);

private Principal userPrincipal = null;
protected Principal userPrincipal = null;

private FedoraAuthorizationDelegate fad = null;
protected FedoraAuthorizationDelegate fad = null;

private boolean loggedIn = true;

@@ -50,7 +50,7 @@ public class FedoraUserSecurityContext implements SecurityContext,
* context
* @param fad the authorization delegate
*/
protected FedoraUserSecurityContext(final Principal userPrincipal,
public FedoraUserSecurityContext(final Principal userPrincipal,
final FedoraAuthorizationDelegate fad) {
this.fad = fad;
this.userPrincipal = userPrincipal;
@@ -82,13 +82,22 @@ public final String getUserName() {
return getEffectiveUserPrincipal().getName();
}

/**
* Getter for loggedIn
*
* @return loggedIn
*/
protected boolean isLoggedIn() {
return loggedIn;
}

/**
* {@inheritDoc}
*
* @see SecurityContext#hasRole(String)
*/
@Override
public final boolean hasRole(final String roleName) {
public boolean hasRole(final String roleName) {
// Under this custom PEP regime, all users have modeshape read and write
// roles.
if ("read".equals(roleName)) {
@@ -133,6 +142,7 @@ public void logout() {
@Override
public boolean hasPermission(final Context context, final Path absPath,
final String... actions) {
LOGGER.debug("Verifying hasPermission on path: {} for: {}", absPath, String.join(",", actions));
if (!this.loggedIn) {
return false;
}
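Review bot: Widening `userPrincipal` and `fad` from private to protected while leaving them non-final lets any subclass, or any class in the same package, swap the principal or the authorization delegate after the context has been constructed. Both fields decide the outcome of `hasPermission`, so I would keep them assigned once: `protected final Principal userPrincipal;` and `protected final FedoraAuthorizationDelegate fad;` (dropping the `= null` initialisers), assuming nothing outside the visible hunks reassigns them. Alternatively keep them private and add protected getters in the style of the new `isLoggedIn()`. Separately, the added debug line in `hasPermission` evaluates `String.join(",", actions)` before the `loggedIn` check and regardless of log level, and it would throw if `actions` were null. The class body continues outside these hunks.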
@@ -162,8 +162,7 @@ public ExecutionContext authenticate(final Credentials credentials,

}

return repositoryContext.with(new FedoraUserSecurityContext(
userPrincipal, fad));
return repositoryContext.with(fad.getFedoraUserSecurityContext(userPrincipal));
}

/**
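Review bot: The new return line dereferences `fad` and hands whatever the delegate returns to `repositoryContext.with(...)` without a check. Before this change a missing delegate reached the `FedoraUserSecurityContext` constructor; now it surfaces as a NullPointerException inside `authenticate`, and a delegate implementation that returns null leaves the handling to `with(...)`, whose behaviour is not visible here. A guard such as `Objects.requireNonNull(fad.getFedoraUserSecurityContext(userPrincipal), "delegate returned no security context")` would make authentication fail explicitly instead. `authenticate` starts above the hunk, so an earlier null check on `fad` may already exist.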
@@ -86,6 +86,7 @@ public void setUp() {
when(fad.getEveryonePrincipal()).thenReturn(everyone);
when(everyone.getName()).thenReturn("EVERYONE");
when(creds.getRequest()).thenReturn(request);
when(fad.getFedoraUserSecurityContext(principal)).thenReturn(new FedoraUserSecurityContext(principal, fad));
context = new ExecutionContext();
sessionAttributes = new HashMap<>();
}
@@ -235,6 +236,7 @@ public void testAuthenticateNoUserPrincipal() {
provider.setFad(fad);

when(request.getUserPrincipal()).thenReturn(null);
when(fad.getFedoraUserSecurityContext(null)).thenReturn(new FedoraUserSecurityContext(null, fad));

evaluateDefaultAuthenticateCase(provider, 1);
}
@@ -15,13 +15,28 @@
*/
package org.fcrepo.auth.integration;

import org.apache.http.auth.BasicUserPrincipal;
import static org.mockito.Matchers.any;
import static org.mockito.Mockito.atLeastOnce;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import static org.slf4j.LoggerFactory.getLogger;

import java.security.Principal;

import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import javax.servlet.http.HttpServletRequest;

import org.fcrepo.auth.common.FedoraAuthorizationDelegate;
import org.fcrepo.auth.common.FedoraUserSecurityContext;
import org.fcrepo.auth.common.ServletContainerAuthenticationProvider;
import org.fcrepo.kernel.modeshape.services.ContainerServiceImpl;
import org.fcrepo.kernel.api.services.ContainerService;
import org.fcrepo.kernel.modeshape.services.ContainerServiceImpl;

import org.apache.http.auth.BasicUserPrincipal;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
@@ -33,19 +48,6 @@
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import javax.servlet.http.HttpServletRequest;

import static org.mockito.Matchers.any;
import static org.mockito.Mockito.atLeastOnce;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import static org.slf4j.LoggerFactory.getLogger;

/**
* @author osmandin
*/
@@ -80,8 +82,10 @@ public void testEmptyPrincipalProvider() throws RepositoryException {
request.isUserInRole(Mockito
.eq(ServletContainerAuthenticationProvider.FEDORA_USER_ROLE)))
.thenReturn(true);
final FedoraUserSecurityContext context = new FedoraUserSecurityContext(request.getUserPrincipal(), fad);
Mockito.reset(fad);
when(fad.hasPermission(any(Session.class), any(Path.class), any(String[].class))).thenReturn(true);
when(fad.getFedoraUserSecurityContext(any(Principal.class))).thenReturn(context);

final ServletCredentials credentials =
new ServletCredentials(request);
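Review bot: The stub `when(fad.getFedoraUserSecurityContext(any(Principal.class))).thenReturn(context)` returns a context built from `request.getUserPrincipal()` whatever argument the provider passes, so this test would still pass if the provider asked the delegate for a context with the wrong principal. Holding the expected principal in a local and stubbing on it, `when(fad.getFedoraUserSecurityContext(principal)).thenReturn(context);`, or adding `verify(fad).getFedoraUserSecurityContext(principal);` after the login, would pin the argument; this assumes the provider is meant to forward the request's principal unchanged, which the hunk does not show. The same stub appears in the second copy of `testEmptyPrincipalProvider` and in `testPermissiveFAD` and `testRestrictiveFAD` further down. The test method body continues outside the hunk.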
@@ -15,13 +15,28 @@
*/
package org.fcrepo.auth.integration;

import org.apache.http.auth.BasicUserPrincipal;
import static org.mockito.Matchers.any;
import static org.mockito.Mockito.atLeastOnce;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import static org.slf4j.LoggerFactory.getLogger;

import java.security.Principal;

import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import javax.servlet.http.HttpServletRequest;

import org.fcrepo.auth.common.FedoraAuthorizationDelegate;
import org.fcrepo.auth.common.FedoraUserSecurityContext;
import org.fcrepo.auth.common.ServletContainerAuthenticationProvider;
import org.fcrepo.kernel.modeshape.services.ContainerServiceImpl;
import org.fcrepo.kernel.api.services.ContainerService;
import org.fcrepo.kernel.modeshape.services.ContainerServiceImpl;

import org.apache.http.auth.BasicUserPrincipal;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
@@ -33,19 +48,6 @@
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import javax.servlet.http.HttpServletRequest;

import static org.mockito.Matchers.any;
import static org.mockito.Mockito.atLeastOnce;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;
import static org.slf4j.LoggerFactory.getLogger;

/**
* @author osmandin
*/
@@ -80,8 +82,10 @@ public void testEmptyPrincipalProvider() throws RepositoryException {
request.isUserInRole(Mockito
.eq(ServletContainerAuthenticationProvider.FEDORA_USER_ROLE)))
.thenReturn(true);
final FedoraUserSecurityContext context = new FedoraUserSecurityContext(request.getUserPrincipal(), fad);
Mockito.reset(fad);
when(fad.hasPermission(any(Session.class), any(Path.class), any(String[].class))).thenReturn(true);
when(fad.getFedoraUserSecurityContext(any(Principal.class))).thenReturn(context);

final ServletCredentials credentials =
new ServletCredentials(request);
@@ -22,14 +22,23 @@
import static org.mockito.Mockito.when;
import static org.slf4j.LoggerFactory.getLogger;

import org.apache.http.auth.BasicUserPrincipal;
import java.security.Principal;

import javax.jcr.AccessDeniedException;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import javax.servlet.http.HttpServletRequest;

import org.fcrepo.auth.common.FedoraAuthorizationDelegate;
import org.fcrepo.auth.common.FedoraUserSecurityContext;
import org.fcrepo.auth.common.ServletContainerAuthenticationProvider;
import org.fcrepo.kernel.api.exception.RepositoryRuntimeException;
import org.fcrepo.kernel.api.services.ContainerService;
import org.fcrepo.kernel.modeshape.services.ContainerServiceImpl;

import org.apache.http.auth.BasicUserPrincipal;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
@@ -42,13 +51,6 @@
import org.springframework.test.context.ContextConfiguration;
import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;

import javax.jcr.AccessDeniedException;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import javax.servlet.http.HttpServletRequest;

/**
* @author Gregory Jansen
*/
@@ -93,8 +95,10 @@ public void testPermissiveFAD() throws RepositoryException {
request.isUserInRole(Mockito
.eq(ServletContainerAuthenticationProvider.FEDORA_USER_ROLE)))
.thenReturn(true);
final FedoraUserSecurityContext context = new FedoraUserSecurityContext(request.getUserPrincipal(), fad);
Mockito.reset(fad);
when(fad.hasPermission(any(Session.class), any(Path.class), any(String[].class))).thenReturn(true);
when(fad.getFedoraUserSecurityContext(any(Principal.class))).thenReturn(context);

final ServletCredentials credentials =
new ServletCredentials(request);
@@ -118,10 +122,12 @@ public void testRestrictiveFAD() throws Throwable {
request.isUserInRole(Mockito
.eq(ServletContainerAuthenticationProvider.FEDORA_USER_ROLE)))
.thenReturn(true);
final FedoraUserSecurityContext context = new FedoraUserSecurityContext(request.getUserPrincipal(), fad);

// first permission check is for login
Mockito.reset(fad);
when(fad.hasPermission(any(Session.class), any(Path.class), any(String[].class))).thenReturn(true, false);
when(fad.getFedoraUserSecurityContext(any(Principal.class))).thenReturn(context);

final ServletCredentials credentials = new ServletCredentials(request);
final Session session = repo.login(credentials);
@@ -20,6 +20,8 @@
import javax.jcr.Session;

import org.fcrepo.auth.common.FedoraAuthorizationDelegate;
import org.fcrepo.auth.common.FedoraUserSecurityContext;

import org.modeshape.jcr.value.Path;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -96,4 +98,9 @@ public Principal getEveryonePrincipal() {
return EVERYONE;
}

@Override
public FedoraUserSecurityContext getFedoraUserSecurityContext(final Principal userPrincipal) {
return new FedoraUserSecurityContext(userPrincipal, this);
}

}
