Coverage Report

Coverage Report - org.acegisecurity.acls.domain.AclAuthorizationStrategyImpl

Classes in this File

Line Coverage

Branch Coverage

Complexity

AclAuthorizationStrategyImpl

39%

33%

5.667

 /* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
 
 package org.acegisecurity.acls.domain;
 
 import org.acegisecurity.AccessDeniedException;
 import org.acegisecurity.Authentication;
 import org.acegisecurity.GrantedAuthority;
 
 import org.acegisecurity.acls.Acl;
 import org.acegisecurity.acls.Permission;
 import org.acegisecurity.acls.sid.PrincipalSid;
 import org.acegisecurity.acls.sid.Sid;
 import org.acegisecurity.acls.sid.SidRetrievalStrategy;
 import org.acegisecurity.acls.sid.SidRetrievalStrategyImpl;
 
 import org.acegisecurity.context.SecurityContextHolder;
 
 import org.springframework.util.Assert;
 
 
 /**
  * Default implementation of {@link AclAuthorizationStrategy}.<p>Permission will be granted provided the current
  * principal is either the owner (as defined by the ACL), has {@link BasePermission#ADMINISTRATION} (as defined by the
  * ACL and via a {@link Sid} retrieved for the current principal via {@link #sidRetrievalStrategy}), or if the current
  * principal holds the relevant system-wide {@link GrantedAuthority} and injected into the constructor.</p>
  *
  * @author Ben Alex
  * @version $Id: AclAuthorizationStrategyImpl.java 1784 2007-02-24 21:00:24Z luke_t $
  */
 public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
     //~ Instance fields ================================================================================================
 
     private GrantedAuthority gaGeneralChanges;
     private GrantedAuthority gaModifyAuditing;
     private GrantedAuthority gaTakeOwnership;
     private SidRetrievalStrategy sidRetrievalStrategy = new SidRetrievalStrategyImpl();
 
     //~ Constructors ===================================================================================================
 
 /**
      * Constructor. The only mandatory parameter relates to the system-wide {@link GrantedAuthority} instances that
      * can be held to always permit ACL changes.
      *
      * @param auths an array of <code>GrantedAuthority</code>s that have
      * special permissions (index 0 is the authority needed to change
      * ownership, index 1 is the authority needed to modify auditing details,
      * index 2 is the authority needed to change other ACL and ACE details) (required)
      */
     public AclAuthorizationStrategyImpl(GrantedAuthority[] auths) {
         Assert.notEmpty(auths, "GrantedAuthority[] with three elements required");
         Assert.isTrue(auths.length == 3, "GrantedAuthority[] with three elements required");
         this.gaTakeOwnership = auths[0];
         this.gaModifyAuditing = auths[1];
         this.gaGeneralChanges = auths[2];
     }
 
     //~ Methods ========================================================================================================
 
     public void securityCheck(Acl acl, int changeType) {
         if ((SecurityContextHolder.getContext() == null)
             || (SecurityContextHolder.getContext().getAuthentication() == null)
             || !SecurityContextHolder.getContext().getAuthentication().isAuthenticated()) {
             throw new AccessDeniedException("Authenticated principal required to operate with ACLs");
         }
 
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
 
         // Check if authorized by virtue of ACL ownership
         Sid currentUser = new PrincipalSid(authentication);
 
         if (currentUser.equals(acl.getOwner())
                 && ((changeType == CHANGE_GENERAL) || (changeType == CHANGE_OWNERSHIP))) {
             return;
         }
 
         // Not authorized by ACL ownership; try via adminstrative permissions
         GrantedAuthority requiredAuthority = null;
 
         if (changeType == CHANGE_AUDITING) {
             requiredAuthority = this.gaModifyAuditing;
         } else if (changeType == CHANGE_GENERAL) {
             requiredAuthority = this.gaGeneralChanges;
         } else if (changeType == CHANGE_OWNERSHIP) {
             requiredAuthority = this.gaTakeOwnership;
         } else {
             throw new IllegalArgumentException("Unknown change type");
         }
 
         // Iterate this principal's authorities to determine right
         GrantedAuthority[] auths = authentication.getAuthorities();
 
         for (int i = 0; i < auths.length; i++) {
             if (requiredAuthority.equals(auths[i])) {
                 return;
             }
         }
 
         // Try to get permission via ACEs within the ACL
         Sid[] sids = sidRetrievalStrategy.getSids(authentication);
 
         if (acl.isGranted(new Permission[] {BasePermission.ADMINISTRATION}, sids, false)) {
             return;
         }
 
         throw new AccessDeniedException(
             "Principal does not have required ACL permissions to perform requested operation");
     }
 
     public void setSidRetrievalStrategy(SidRetrievalStrategy sidRetrievalStrategy) {
         Assert.notNull(sidRetrievalStrategy, "SidRetrievalStrategy required");
         this.sidRetrievalStrategy = sidRetrievalStrategy;
     }
 }

1		/* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
2		*
3		* Licensed under the Apache License, Version 2.0 (the "License");
4		* you may not use this file except in compliance with the License.
5		* You may obtain a copy of the License at
6		*
7		* http://www.apache.org/licenses/LICENSE-2.0
8		*
9		* Unless required by applicable law or agreed to in writing, software
10		* distributed under the License is distributed on an "AS IS" BASIS,
11		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		* See the License for the specific language governing permissions and
13		* limitations under the License.
14		*/
15
16		package org.acegisecurity.acls.domain;
17
18		import org.acegisecurity.AccessDeniedException;
19		import org.acegisecurity.Authentication;
20		import org.acegisecurity.GrantedAuthority;
21
22		import org.acegisecurity.acls.Acl;
23		import org.acegisecurity.acls.Permission;
24		import org.acegisecurity.acls.sid.PrincipalSid;
25		import org.acegisecurity.acls.sid.Sid;
26		import org.acegisecurity.acls.sid.SidRetrievalStrategy;
27		import org.acegisecurity.acls.sid.SidRetrievalStrategyImpl;
28
29		import org.acegisecurity.context.SecurityContextHolder;
30
31		import org.springframework.util.Assert;
32
33
34		/**
35		* Default implementation of {@link AclAuthorizationStrategy}.<p>Permission will be granted provided the current
36		* principal is either the owner (as defined by the ACL), has {@link BasePermission#ADMINISTRATION} (as defined by the
37		* ACL and via a {@link Sid} retrieved for the current principal via {@link #sidRetrievalStrategy}), or if the current
38		* principal holds the relevant system-wide {@link GrantedAuthority} and injected into the constructor.</p>
39		*
40		* @author Ben Alex
41		* @version $Id: AclAuthorizationStrategyImpl.java 1784 2007-02-24 21:00:24Z luke_t $
42		*/
43		public class AclAuthorizationStrategyImpl implements AclAuthorizationStrategy {
44		//~ Instance fields ================================================================================================
45
46		private GrantedAuthority gaGeneralChanges;
47		private GrantedAuthority gaModifyAuditing;
48		private GrantedAuthority gaTakeOwnership;
49	1	private SidRetrievalStrategy sidRetrievalStrategy = new SidRetrievalStrategyImpl();
50
51		//~ Constructors ===================================================================================================
52
53		/**
54		* Constructor. The only mandatory parameter relates to the system-wide {@link GrantedAuthority} instances that
55		* can be held to always permit ACL changes.
56		*
57		* @param auths an array of <code>GrantedAuthority</code>s that have
58		* special permissions (index 0 is the authority needed to change
59		* ownership, index 1 is the authority needed to modify auditing details,
60		* index 2 is the authority needed to change other ACL and ACE details) (required)
61		*/
62	1	public AclAuthorizationStrategyImpl(GrantedAuthority[] auths) {
63	1	Assert.notEmpty(auths, "GrantedAuthority[] with three elements required");
64	1	Assert.isTrue(auths.length == 3, "GrantedAuthority[] with three elements required");
65	1	this.gaTakeOwnership = auths[0];
66	1	this.gaModifyAuditing = auths[1];
67	1	this.gaGeneralChanges = auths[2];
68	1	}
69
70		//~ Methods ========================================================================================================
71
72		public void securityCheck(Acl acl, int changeType) {
73	10	if ((SecurityContextHolder.getContext() == null)
74		\|\| (SecurityContextHolder.getContext().getAuthentication() == null)
75		\|\| !SecurityContextHolder.getContext().getAuthentication().isAuthenticated()) {
76	0	throw new AccessDeniedException("Authenticated principal required to operate with ACLs");
77		}
78
79	10	Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
80
81		// Check if authorized by virtue of ACL ownership
82	10	Sid currentUser = new PrincipalSid(authentication);
83
84	10	if (currentUser.equals(acl.getOwner())
85		&& ((changeType == CHANGE_GENERAL) \|\| (changeType == CHANGE_OWNERSHIP))) {
86	10	return;
87		}
88
89		// Not authorized by ACL ownership; try via adminstrative permissions
90	0	GrantedAuthority requiredAuthority = null;
91
92	0	if (changeType == CHANGE_AUDITING) {
93	0	requiredAuthority = this.gaModifyAuditing;
94	0	} else if (changeType == CHANGE_GENERAL) {
95	0	requiredAuthority = this.gaGeneralChanges;
96	0	} else if (changeType == CHANGE_OWNERSHIP) {
97	0	requiredAuthority = this.gaTakeOwnership;
98		} else {
99	0	throw new IllegalArgumentException("Unknown change type");
100		}
101
102		// Iterate this principal's authorities to determine right
103	0	GrantedAuthority[] auths = authentication.getAuthorities();
104
105	0	for (int i = 0; i < auths.length; i++) {
106	0	if (requiredAuthority.equals(auths[i])) {
107	0	return;
108		}
109		}
110
111		// Try to get permission via ACEs within the ACL
112	0	Sid[] sids = sidRetrievalStrategy.getSids(authentication);
113
114	0	if (acl.isGranted(new Permission[] {BasePermission.ADMINISTRATION}, sids, false)) {
115	0	return;
116		}
117
118	0	throw new AccessDeniedException(
119		"Principal does not have required ACL permissions to perform requested operation");
120		}
121
122		public void setSidRetrievalStrategy(SidRetrievalStrategy sidRetrievalStrategy) {
123	0	Assert.notNull(sidRetrievalStrategy, "SidRetrievalStrategy required");
124	0	this.sidRetrievalStrategy = sidRetrievalStrategy;
125	0	}
126		}