List of usage examples for org.springframework.security.acls.model AccessControlEntry getSid
Sid getSid();
From source file:ubic.gemma.core.security.authorization.SecurityServiceTest.java
@Test public void testRemoveMultipleAcesFromPrivateExpressionExperiment() { // make private experiment ExpressionExperiment ee = super.getTestPersistentBasicExpressionExperiment(); this.securityService.makePrivate(ee); // add user and add the user to a group String username = "salmonid"; String groupName = "fish" + this.randomName(); this.makeUser(username); this.securityService.makeOwnedByUser(ee, username); assertTrue(this.securityService.isEditableByUser(ee, username)); this.runAsUser(username); this.securityService.createGroup(groupName); // get the basic acls MutableAcl acl = aclTestUtils.getAcl(ee); int numberOfAces = acl.getEntries().size(); // make readable by group add first ACE read for group and check added this.securityService.makeReadableByGroup(ee, groupName); MutableAcl aclAfterReadableAdded = aclTestUtils.getAcl(ee); assertEquals(numberOfAces + 1, aclAfterReadableAdded.getEntries().size()); // force the addition of duplicate ACE read, fish group on the same experiment. Note that in the current // implementation this only adds one - we already avoid duplicates. List<GrantedAuthority> groupAuthorities = this.userManager.findGroupAuthorities(groupName); GrantedAuthority ga = groupAuthorities.get(0); aclAfterReadableAdded.insertAce(aclAfterReadableAdded.getEntries().size(), BasePermission.READ, new AclGrantedAuthoritySid(this.userManager.getRolePrefix() + ga), true); this.aclTestUtils.update(aclAfterReadableAdded); MutableAcl aclAfterReadableAddedDuplicate = aclTestUtils.getAcl(ee); assertEquals(numberOfAces + 1, aclAfterReadableAddedDuplicate.getEntries().size()); // remove the ace now and check removed permission completely. this.securityService.makeUnreadableByGroup(ee, groupName); MutableAcl aclAfterReadableAddedDuplicateRemoval = aclTestUtils.getAcl(ee); assertEquals(numberOfAces, aclAfterReadableAddedDuplicateRemoval.getEntries().size()); List<AccessControlEntry> entriesAfterDelete = aclAfterReadableAddedDuplicateRemoval.getEntries(); assertEquals(numberOfAces, entriesAfterDelete.size()); // also check that the right ACE check the principals Collection<String> principals = new ArrayList<>(); principals.add("AclGrantedAuthoritySid[GROUP_ADMIN]"); principals.add("AclGrantedAuthoritySid[GROUP_AGENT]"); principals.add("AclPrincipalSid[salmonid]"); principals.add("AclPrincipalSid[salmonid]"); for (AccessControlEntry accessControl : entriesAfterDelete) { Sid sid = accessControl.getSid(); assertTrue(principals.contains(sid.toString())); // remove it once in case found in case of duplicates principals.remove(sid.toString()); }/*from w w w. j a va 2 s . c o m*/ // clean up the groups this.userManager.deleteGroup(groupName); // userManager.deleteUser( username ); }
From source file:ubic.gemma.security.authorization.acl.AclAdvice.java
/** * When setting the parent, we check to see if we can delete the ACEs on the 'child', if any. This is because we * want permissions to be managed by the parent. Check that the ACEs on the child are exactly equivalent to the ones * on the parent./*from w w w .j av a 2s.co m*/ * * @param parentAcl -- careful with the order! * @param object * @param acl * @param true if ACEs were cleared. */ private boolean maybeClearACEsOnChild(Securable object, MutableAcl childAcl, Acl parentAcl) { int aceCount = childAcl.getEntries().size(); if (aceCount == 0) { if (parentAcl.getEntries().size() == 0) { throw new IllegalStateException("Either the child or the parent has to have ACEs"); } return false; } if (parentAcl.getEntries().size() == aceCount) { boolean oktoClearACEs = true; // check for exact match of all ACEs for (AccessControlEntry ace : parentAcl.getEntries()) { boolean found = false; for (AccessControlEntry childAce : childAcl.getEntries()) { if (childAce.getPermission().equals(ace.getPermission()) && childAce.getSid().equals(ace.getSid())) { found = true; break; } } if (!found) { oktoClearACEs = false; break; } } if (oktoClearACEs) { if (log.isTraceEnabled()) log.trace("Erasing ACEs from child " + object); while (childAcl.getEntries().size() > 0) { childAcl.deleteAce(0); } return true; } } return false; }
From source file:ubic.gemma.security.SecurityServiceImpl.java
/** * Method removes just one acl and then informs calling method the number of acls to remove * /*from w ww .j av a 2 s. c om*/ * @param object The object to remove the permissions from * @param permission The permission to remove * @param authority e.g. "GROUP_JOESLAB" * @return Number of acl records that need removing */ private int removeOneGrantedAuthority(Securable object, Permission permission, String authority) { int numberAclsToRemove = 0; MutableAcl acl = getAcl(object); if (acl == null) { throw new IllegalArgumentException("makePrivate is only valid for objects that have an ACL"); } List<Integer> toremove = new Vector<Integer>(); for (int i = 0; i < acl.getEntries().size(); i++) { AccessControlEntry entry = acl.getEntries().get(i); if (!entry.getPermission().equals(permission)) { continue; } Sid sid = entry.getSid(); if (sid instanceof GrantedAuthoritySid) { if (((GrantedAuthoritySid) sid).getGrantedAuthority().equals(authority)) { toremove.add(i); } } } if (toremove.isEmpty()) { // this can happen commonly, no big deal. if (log.isDebugEnabled()) log.debug("No changes, didn't remove: " + authority); } else if (toremove.size() >= 1) { numberAclsToRemove = toremove.size(); // take the first acl acl.deleteAce(toremove.iterator().next()); aclService.updateAcl(acl); } return numberAclsToRemove; }