Nemcio/SCM-Manager
1
0
Fork 0
mirror of https://github.com/scm-manager/scm-manager.git synced 2025-11-08 06:25:45 +01:00
Code Issues Packages Projects Releases Activity

use ssp for user and repository permission checks

Browse Source
This commit is contained in:
Sebastian Sdorra
2016-12-06 22:04:13 +01:00
parent a5d2cfc7b1
commit 26ece65363
13 changed files with 70 additions and 776 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
pom.xml
View File

@@ -82,6 +82,15 @@
<name>scm-manager release repository</name> <name>scm-manager release repository</name>
<url>http://maven.scm-manager.org/nexus/content/groups/public</url> <url>http://maven.scm-manager.org/nexus/content/groups/public</url>
</repository> </repository>
<repository>
<id>ossrh</id>
<url>https://oss.sonatype.org/content/repositories/snapshots</url>
<snapshots>
<enabled>true</enabled>
<updatePolicy>daily</updatePolicy>
</snapshots>
</repository>
</repositories> </repositories>
@@ -493,6 +502,7 @@
<jetty.version>9.2.10.v20150310</jetty.version> <jetty.version>9.2.10.v20150310</jetty.version>
<!-- security libraries --> <!-- security libraries -->
<ssp.version>1.0.0-SNAPSHOT</ssp.version>
<shiro.version>1.2.3</shiro.version> <shiro.version>1.2.3</shiro.version>
<!-- repostitory libraries --> <!-- repostitory libraries -->

13
scm-core/pom.xml
View File

@@ -114,6 +114,19 @@
<scope>provided</scope> <scope>provided</scope>
</dependency> </dependency>
<dependency>
<groupId>com.github.sdorra</groupId>
<artifactId>ssp-lib</artifactId>
<version>${ssp.version}</version>
</dependency>
<dependency>
<groupId>com.github.sdorra</groupId>
<artifactId>ssp-processor</artifactId>
<version>${ssp.version}</version>
<optional>true</optional>
</dependency>
<!-- test --> <!-- test -->
<dependency> <dependency>

5
scm-core/src/main/java/sonia/scm/group/Group.java
View File

@@ -35,6 +35,8 @@ package sonia.scm.group;
//~--- non-JDK imports -------------------------------------------------------- //~--- non-JDK imports --------------------------------------------------------
import com.github.sdorra.ssp.PermissionObject;
import com.github.sdorra.ssp.StaticPermissions;
import com.google.common.base.Objects; import com.google.common.base.Objects;
import com.google.common.collect.Lists; import com.google.common.collect.Lists;
@@ -60,10 +62,11 @@ import javax.xml.bind.annotation.XmlRootElement;
* *
* @author Sebastian Sdorra * @author Sebastian Sdorra
*/ */
@StaticPermissions("group")
@XmlRootElement(name = "groups") @XmlRootElement(name = "groups")
@XmlAccessorType(XmlAccessType.FIELD) @XmlAccessorType(XmlAccessType.FIELD)
public class Group extends BasicPropertiesAware public class Group extends BasicPropertiesAware
implements ModelObject, Iterable<String> implements ModelObject, Iterable<String>, PermissionObject
{ {
/** Field description */ /** Field description */

8
scm-core/src/main/java/sonia/scm/repository/Repository.java
View File

@@ -35,6 +35,8 @@ package sonia.scm.repository;
//~--- non-JDK imports -------------------------------------------------------- //~--- non-JDK imports --------------------------------------------------------
import com.github.sdorra.ssp.PermissionObject;
import com.github.sdorra.ssp.StaticPermissions;
import com.google.common.base.Objects; import com.google.common.base.Objects;
import com.google.common.collect.Lists; import com.google.common.collect.Lists;
@@ -61,9 +63,13 @@ import javax.xml.bind.annotation.XmlRootElement;
* *
* @author Sebastian Sdorra * @author Sebastian Sdorra
*/ */
@StaticPermissions(
value = "repository",
permissions = {"read", "write", "modify", "delete", "healthCheck"}
)
@XmlAccessorType(XmlAccessType.FIELD) @XmlAccessorType(XmlAccessType.FIELD)
@XmlRootElement(name = "repositories") @XmlRootElement(name = "repositories")
public class Repository extends BasicPropertiesAware implements ModelObject public class Repository extends BasicPropertiesAware implements ModelObject, PermissionObject
{ {
/** Field description */ /** Field description */

272
scm-core/src/main/java/sonia/scm/repository/RepositoryPermissions.java
View File

@@ -1,272 +0,0 @@
/**
* Copyright (c) 2014, Sebastian Sdorra All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. 2. Redistributions in
* binary form must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution. 3. Neither the name of SCM-Manager;
* nor the names of its contributors may be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.repository;
//~--- non-JDK imports --------------------------------------------------------
import sonia.scm.security.PermissionActionCheck;
import sonia.scm.security.PermissionCheck;
/**
* Permission checks for repository related permissions.
*
* @author Sebastian Sdorra
* @since 2.0.0
*/
public final class RepositoryPermissions
{
/** create permission */
public static final String ACTION_CREATE = "create";
/** delete permission */
public static final String ACTION_DELETE = "delete";
/** modify permission */
public static final String ACTION_MODIFY = "modify";
/** health check permission implies modify permission */
public static final String ACTION_HC = "hc,".concat(ACTION_MODIFY);
/** read permission */
public static final String ACTION_READ = "read";
/** write permission */
public static final String ACTION_WRITE = "write";
/** permission separator */
public static final String SEPARATOR = ":";
/** permission action separator */
public static final String SEPERATOR_ACTION = ",";
/** permission main type */
public static final String TYPE = "repository";
//~--- constructors ---------------------------------------------------------
private RepositoryPermissions() {}
//~--- methods --------------------------------------------------------------
/**
* Returns permission check for create action.
*
* @return permission check for create action
*/
public static PermissionCheck create()
{
return check(ACTION_CREATE);
}
/**
* Returns permission check for delete action.
*
* @param r repository for permission check
*
* @return permission check for delete action
*/
public static PermissionCheck delete(Repository r)
{
return delete(r.getId());
}
/**
* Returns permission check for delete action.
*
* @param id id of repository for permission check
*
* @return permission check for delete action
*/
public static PermissionCheck delete(String id)
{
return check(ACTION_DELETE.concat(SEPARATOR).concat(id));
}
/**
* Returns permission action check for delete action.
*
* @return permission action check for delete action
*/
public static PermissionActionCheck<Repository> delete()
{
return actionCheck(ACTION_DELETE);
}
/**
* Returns permission check for health check action.
*
* @param id id of repository for permission check
*
* @return permission check for health check action
*/
public static PermissionCheck healthCheck(String id)
{
return check(ACTION_HC.concat(SEPARATOR).concat(id));
}
/**
* Returns permission action check for health check action.
*
* @return permission action check for health check action.
*/
public static PermissionActionCheck<Repository> healthCheck()
{
return new PermissionActionCheck<>(
TYPE.concat(SEPARATOR).concat(ACTION_HC));
}
/**
* Returns permission check for health check action.
*
* @param r repository for permission check
*
* @return permission check for health check action
*/
public static PermissionCheck healthCheck(Repository r)
{
return healthCheck(r.getId());
}
/**
* Returns permission action check for modify action.
*
* @param r repository for permission check
*
* @return permission action check for modify action
*/
public static PermissionCheck modify(Repository r)
{
return modify(r.getId());
}
/**
* Returns permission action check for modify action.
*
*
* @param id id of repository for permission check
*
* @return permission action check for modify action
*/
public static PermissionCheck modify(String id)
{
return check(ACTION_MODIFY.concat(SEPARATOR).concat(id));
}
/**
* Returns permission action check for modify action.
*
* @return permission action check for modify action
*/
public static PermissionActionCheck<Repository> modify()
{
return actionCheck(ACTION_MODIFY);
}
/**
* Returns permission check for read action.
*
* @param id id of repository for permission check
*
* @return permission check for read action
*/
public static PermissionCheck read(String id)
{
return check(ACTION_READ.concat(SEPARATOR).concat(id));
}
/**
* Returns permission check for read action.
*
* @param r repository for permission check
*
* @return permission check for read action
*/
public static PermissionCheck read(Repository r)
{
return read(r.getId());
}
/**
* Returns permission action check for read action.
*
* @return permission action check for read action
*/
public static PermissionActionCheck<Repository> read()
{
return actionCheck(ACTION_READ);
}
/**
* Returns permission check for write action.
*
* @param id id of repository for permission check
*
* @return permission check for write action
*/
public static PermissionCheck write(String id)
{
return check(ACTION_WRITE.concat(SEPARATOR).concat(id));
}
/**
* Returns permission check for write action.
*
* @param r repository for permission check
*
* @return permission check for write action
*/
public static PermissionCheck write(Repository r)
{
return write(r.getId());
}
/**
* Return permission action check for write action.
*
* @return permission action check for write action
*/
public static PermissionActionCheck<Repository> write()
{
return actionCheck(ACTION_WRITE);
}
private static PermissionActionCheck<Repository> actionCheck(String action)
{
return new PermissionActionCheck<>(TYPE.concat(SEPARATOR).concat(action));
}
private static PermissionCheck check(String permission)
{
return new PermissionCheck(TYPE.concat(SEPARATOR).concat(permission));
}
}

121
scm-core/src/main/java/sonia/scm/security/PermissionActionCheck.java
View File

@@ -1,121 +0,0 @@
/**
* Copyright (c) 2014, Sebastian Sdorra All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. 2. Redistributions in
* binary form must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution. 3. Neither the name of SCM-Manager;
* nor the names of its contributors may be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.security;
//~--- non-JDK imports --------------------------------------------------------
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import sonia.scm.ModelObject;
/**
*
* @author Sebastian Sdorra
* @param <T>
*
* @since 2.0.0
*/
public final class PermissionActionCheck<T extends ModelObject>
{
/**
* Constructs ...
*
* @param typedAction
*/
public PermissionActionCheck(String typedAction)
{
this.prefix = typedAction.concat(":");
this.subject = SecurityUtils.getSubject();
}
//~--- methods --------------------------------------------------------------
/**
* Method description
*
*
* @param id
*/
public void check(String id)
{
subject.checkPermission(prefix.concat(id));
}
/**
* Method description
*
*
* @param item
*/
public void check(T item)
{
subject.checkPermission(prefix.concat(item.getId()));
}
//~--- get methods ----------------------------------------------------------
/**
* Method description
*
*
* @param id
*
* @return
*/
public boolean isPermitted(String id)
{
return subject.isPermitted(prefix.concat(id));
}
/**
* Method description
*
*
* @param item
*
* @return
*/
public boolean isPermitted(T item)
{
return subject.isPermitted(prefix.concat(item.getId()));
}
//~--- fields ---------------------------------------------------------------
/** Field description */
private final String prefix;
/** Field description */
private final Subject subject;
}

85
scm-core/src/main/java/sonia/scm/security/PermissionCheck.java
View File

@@ -1,85 +0,0 @@
/**
* Copyright (c) 2014, Sebastian Sdorra All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer. 2. Redistributions in
* binary form must reproduce the above copyright notice, this list of
* conditions and the following disclaimer in the documentation and/or other
* materials provided with the distribution. 3. Neither the name of SCM-Manager;
* nor the names of its contributors may be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
* SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.security;
//~--- non-JDK imports --------------------------------------------------------
import org.apache.shiro.SecurityUtils;
/**
*
* @author Sebastian Sdorra
* @since 2.0.0
*/
public final class PermissionCheck
{
/**
* Constructs ...
*
*
* @param permission
*/
public PermissionCheck(String permission)
{
this.permission = permission;
}
//~--- methods --------------------------------------------------------------
/**
* Method description
*
*/
public void check()
{
SecurityUtils.getSubject().checkPermission(permission);
}
//~--- get methods ----------------------------------------------------------
/**
* Method description
*
*
* @return
*/
public boolean isPermitted()
{
return SecurityUtils.getSubject().isPermitted(permission);
}
//~--- fields ---------------------------------------------------------------
/** Field description */
private final String permission;
}

5
scm-core/src/main/java/sonia/scm/user/User.java
View File

@@ -35,6 +35,8 @@ package sonia.scm.user;
//~--- non-JDK imports -------------------------------------------------------- //~--- non-JDK imports --------------------------------------------------------
import com.github.sdorra.ssp.PermissionObject;
import com.github.sdorra.ssp.StaticPermissions;
import com.google.common.base.Objects; import com.google.common.base.Objects;
import sonia.scm.BasicPropertiesAware; import sonia.scm.BasicPropertiesAware;
@@ -54,9 +56,10 @@ import javax.xml.bind.annotation.XmlRootElement;
* *
* @author Sebastian Sdorra * @author Sebastian Sdorra
*/ */
@StaticPermissions("user")
@XmlRootElement(name = "users") @XmlRootElement(name = "users")
@XmlAccessorType(XmlAccessType.FIELD) @XmlAccessorType(XmlAccessType.FIELD)
public class User extends BasicPropertiesAware implements Principal, ModelObject public class User extends BasicPropertiesAware implements Principal, ModelObject, PermissionObject
{ {
/** Field description */ /** Field description */

224
scm-core/src/test/java/sonia/scm/repository/RepositoryPermissionsTest.java
View File

@@ -1,224 +0,0 @@
/**
* Copyright (c) 2014, Sebastian Sdorra
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* 1. Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* 3. Neither the name of SCM-Manager; nor the names of its
* contributors may be used to endorse or promote products derived from this
* software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
* ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* http://bitbucket.org/sdorra/scm-manager
*
*/
package sonia.scm.repository;
import com.github.sdorra.shiro.ShiroRule;
import com.github.sdorra.shiro.SubjectAware;
import java.util.function.Supplier;
import org.apache.shiro.authz.UnauthorizedException;
import org.junit.Test;
import static org.junit.Assert.*;
import org.junit.Rule;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import static org.mockito.Mockito.*;
import org.mockito.runners.MockitoJUnitRunner;
import sonia.scm.security.PermissionActionCheck;
import sonia.scm.security.PermissionCheck;
/**
* Unit tests for {@link RepositoryPermissions}.
*
* @author Sebastian Sdorra
*/
@RunWith(MockitoJUnitRunner.class)
@SubjectAware(configuration = "classpath:sonia/scm/repository/repository-permissions.ini")
public class RepositoryPermissionsTest {
@Mock
private Repository repository;
/**
* Shiro rule.
*/
@Rule
public ShiroRule shiro = new ShiroRule();
/**
* Test permission checks with id successful.
*/
@Test
@SubjectAware(username = "permitted", password = "secret")
public void testPermissionCheckWithId() {
assertPermissionCheckId(RepositoryPermissions::read);
assertPermissionCheckId(RepositoryPermissions::write);
assertPermissionCheckId(RepositoryPermissions::delete);
assertPermissionCheckId(RepositoryPermissions::modify);
assertPermissionCheckId(RepositoryPermissions::healthCheck);
}
/**
* Test permission checks with id successful.
*/
@Test
@SubjectAware(username = "permitted", password = "secret")
public void testPermissionActionCheck() {
assertPermissionActionCheck(RepositoryPermissions::read);
assertPermissionActionCheck(RepositoryPermissions::write);
assertPermissionActionCheck(RepositoryPermissions::delete);
assertPermissionActionCheck(RepositoryPermissions::modify);
assertPermissionActionCheck(RepositoryPermissions::healthCheck);
}
@Test
@SubjectAware(username = "notpermitted", password = "secret")
public void testPermissionActionCheckWithoutRequired() {
assertFailedPermissionActionCheck(RepositoryPermissions::read);
assertFailedPermissionActionCheck(RepositoryPermissions::write);
assertFailedPermissionActionCheck(RepositoryPermissions::delete);
assertFailedPermissionActionCheck(RepositoryPermissions::modify);
assertFailedPermissionActionCheck(RepositoryPermissions::healthCheck);
}
/**
* Test permission checks with repository successful.
*/
@Test
@SubjectAware(username = "permitted", password = "secret")
public void testPermissionCheckWithRepository() {
assertPermissionCheckRepository(RepositoryPermissions::read);
assertPermissionCheckRepository(RepositoryPermissions::write);
assertPermissionCheckRepository(RepositoryPermissions::delete);
assertPermissionCheckRepository(RepositoryPermissions::modify);
assertPermissionCheckRepository(RepositoryPermissions::healthCheck);
}
/**
* Test permission checks with id and without the required permissions.
*/
@Test
@SubjectAware(username = "notpermitted", password = "secret")
public void testPermissionCheckWithIdAndWithoutRequiredPermissions() {
assertFailedPermissionCheckId(RepositoryPermissions::read);
assertFailedPermissionCheckId(RepositoryPermissions::write);
assertFailedPermissionCheckId(RepositoryPermissions::delete);
assertFailedPermissionCheckId(RepositoryPermissions::modify);
assertFailedPermissionCheckId(RepositoryPermissions::healthCheck);
}
/**
* Tests permission checks with repository and without the required permissions.
*/
@Test
@SubjectAware(username = "notpermitted", password = "secret")
public void testPermissionCheckWithRepositoryAndWithoutRequiredPermissions() {
assertFailedPermissionCheckRepository(RepositoryPermissions::read);
assertFailedPermissionCheckRepository(RepositoryPermissions::write);
assertFailedPermissionCheckRepository(RepositoryPermissions::delete);
assertFailedPermissionCheckRepository(RepositoryPermissions::modify);
assertFailedPermissionCheckRepository(RepositoryPermissions::healthCheck);
}
private void assertFailedPermissionCheckRepository(RepositoryPermissionChecker<Repository> checker) {
when(repository.getId()).thenReturn("abc");
assertFailedPermissionCheck(checker.get(repository));
}
private void assertFailedPermissionCheckId(RepositoryPermissionChecker<String> checker) {
assertFailedPermissionCheck(checker.get("abc"));
}
private void assertFailedPermissionCheck(PermissionCheck check) {
assertNotNull(check);
assertFalse(check.isPermitted());
boolean fail = false;
try {
check.check();
}
catch (UnauthorizedException ex) {
fail = true;
}
assertTrue(fail);
}
private void assertPermissionCheckRepository(RepositoryPermissionChecker<Repository> checker) {
when(repository.getId()).thenReturn("abc");
assertPermissionCheck(checker.get(repository));
}
private void assertPermissionCheckId(RepositoryPermissionChecker<String> checker) {
assertPermissionCheck(checker.get("abc"));
}
private void assertPermissionCheck(PermissionCheck check) {
assertNotNull(check);
assertTrue(check.isPermitted());
check.check();
}
private void assertPermissionActionCheck(Supplier<PermissionActionCheck<Repository>> supplier) {
assertPermissionActionCheck(supplier.get());
}
private void assertFailedPermissionActionCheck(Supplier<PermissionActionCheck<Repository>> supplier) {
assertFailedPermissionActionCheck(supplier.get());
}
private void assertFailedPermissionActionCheck(PermissionActionCheck<Repository> check) {
assertNotNull(check);
assertFalse(check.isPermitted("abc"));
boolean fail = false;
try {
check.check("abc");
}
catch (UnauthorizedException ex) {
fail = true;
}
assertTrue(fail);
fail = false;
when(repository.getId()).thenReturn("abc");
assertFalse(check.isPermitted(repository));
try {
check.check(repository);
}
catch (UnauthorizedException ex) {
fail = true;
}
assertTrue(fail);
}
private void assertPermissionActionCheck(PermissionActionCheck<Repository> check) {
assertNotNull(check);
assertTrue(check.isPermitted("abc"));
check.check("abc");
when(repository.getId()).thenReturn("abc");
assertTrue(check.isPermitted(repository));
check.check(repository);
}
@FunctionalInterface
private static interface RepositoryPermissionChecker<T> {
public PermissionCheck get(T type);
}
}

2
scm-webapp/src/main/java/sonia/scm/plugin/MultiParentClassLoader.java
View File

@@ -74,7 +74,7 @@ public class MultiParentClassLoader extends ClassLoader
public MultiParentClassLoader(Collection<? extends ClassLoader> parents) public MultiParentClassLoader(Collection<? extends ClassLoader> parents)
{ {
super(null); super(null);
this.parents = new CopyOnWriteArrayList<>(parents); this.parents = new CopyOnWriteArrayList<ClassLoader>(parents);
} }
//~--- get methods ---------------------------------------------------------- //~--- get methods ----------------------------------------------------------

2
scm-webapp/src/main/java/sonia/scm/repository/DefaultRepositoryManager.java
View File

@@ -35,6 +35,7 @@ package sonia.scm.repository;
//~--- non-JDK imports -------------------------------------------------------- //~--- non-JDK imports --------------------------------------------------------
import com.github.sdorra.ssp.PermissionActionCheck;
import com.google.common.base.Strings; import com.google.common.base.Strings;
import com.google.common.collect.Lists; import com.google.common.collect.Lists;
import com.google.common.util.concurrent.ThreadFactoryBuilder; import com.google.common.util.concurrent.ThreadFactoryBuilder;
@@ -53,7 +54,6 @@ import sonia.scm.SCMContextProvider;
import sonia.scm.Type; import sonia.scm.Type;
import sonia.scm.config.ScmConfiguration; import sonia.scm.config.ScmConfiguration;
import sonia.scm.security.KeyGenerator; import sonia.scm.security.KeyGenerator;
import sonia.scm.security.PermissionActionCheck;
import sonia.scm.util.AssertUtil; import sonia.scm.util.AssertUtil;
import sonia.scm.util.CollectionAppender; import sonia.scm.util.CollectionAppender;
import sonia.scm.util.HttpUtil; import sonia.scm.util.HttpUtil;

6
scm-webapp/src/main/java/sonia/scm/repository/HealthChecker.java
View File

@@ -33,6 +33,7 @@ package sonia.scm.repository;
//~--- non-JDK imports -------------------------------------------------------- //~--- non-JDK imports --------------------------------------------------------
import com.github.sdorra.ssp.PermissionActionCheck;
import com.google.common.collect.ImmutableList; import com.google.common.collect.ImmutableList;
import com.google.inject.Inject; import com.google.inject.Inject;
@@ -43,7 +44,6 @@ import org.slf4j.LoggerFactory;
import java.io.IOException; import java.io.IOException;
import java.util.Set; import java.util.Set;
import sonia.scm.security.PermissionActionCheck;
/** /**
* *
@@ -91,7 +91,7 @@ public final class HealthChecker
public void check(String id) public void check(String id)
throws RepositoryNotFoundException, RepositoryException, IOException throws RepositoryNotFoundException, RepositoryException, IOException
{ {
RepositoryPermissions.healthCheck(id); RepositoryPermissions.healthCheck(id).check();
Repository repository = repositoryManager.get(id); Repository repository = repositoryManager.get(id);
@@ -116,7 +116,7 @@ public final class HealthChecker
public void check(Repository repository) public void check(Repository repository)
throws RepositoryException, IOException throws RepositoryException, IOException
{ {
RepositoryPermissions.healthCheck(repository); RepositoryPermissions.healthCheck(repository).check();
doCheck(repository); doCheck(repository);
} }

93
scm-webapp/src/main/java/sonia/scm/user/DefaultUserManager.java
View File

@@ -35,12 +35,10 @@ package sonia.scm.user;
//~--- non-JDK imports -------------------------------------------------------- //~--- non-JDK imports --------------------------------------------------------
import com.github.sdorra.ssp.PermissionActionCheck;
import com.google.inject.Inject; import com.google.inject.Inject;
import com.google.inject.Singleton; import com.google.inject.Singleton;
import org.apache.shiro.SecurityUtils;
import org.apache.shiro.subject.Subject;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@@ -49,12 +47,9 @@ import sonia.scm.SCMContextProvider;
import sonia.scm.TransformFilter; import sonia.scm.TransformFilter;
import sonia.scm.search.SearchRequest; import sonia.scm.search.SearchRequest;
import sonia.scm.search.SearchUtil; import sonia.scm.search.SearchUtil;
import sonia.scm.security.Role;
import sonia.scm.security.ScmSecurityException;
import sonia.scm.util.AssertUtil; import sonia.scm.util.AssertUtil;
import sonia.scm.util.CollectionAppender; import sonia.scm.util.CollectionAppender;
import sonia.scm.util.IOUtil; import sonia.scm.util.IOUtil;
import sonia.scm.util.SecurityUtil;
import sonia.scm.util.Util; import sonia.scm.util.Util;
//~--- JDK imports ------------------------------------------------------------ //~--- JDK imports ------------------------------------------------------------
@@ -99,10 +94,6 @@ public class DefaultUserManager extends AbstractUserManager
/** /**
* Constructs ... * Constructs ...
* *
<<<<<<< mine
=======
*
>>>>>>> theirs
* @param userDAO * @param userDAO
*/ */
@Inject @Inject
@@ -164,17 +155,7 @@ public class DefaultUserManager extends AbstractUserManager
logger.info("create user {} of type {}", user.getName(), user.getType()); logger.info("create user {} of type {}", user.getName(), user.getType());
} }
Subject subject = SecurityUtils.getSubject(); UserPermissions.create().check();
if (!subject.hasRole(Role.USER))
{
throw new ScmSecurityException("user is not authenticated");
}
if (!subject.hasRole(Role.ADMIN))
{
throw new ScmSecurityException("admin account is required");
}
if (userDAO.contains(user.getName())) if (userDAO.contains(user.getName()))
{ {
@@ -205,9 +186,8 @@ public class DefaultUserManager extends AbstractUserManager
logger.info("delete user {} of type {}", user.getName(), user.getType()); logger.info("delete user {} of type {}", user.getName(), user.getType());
} }
SecurityUtil.assertIsAdmin();
String name = user.getName(); String name = user.getName();
UserPermissions.delete(name).check();
if (userDAO.contains(name)) if (userDAO.contains(name))
{ {
@@ -250,28 +230,13 @@ public class DefaultUserManager extends AbstractUserManager
@Override @Override
public void modify(User user) throws UserException, IOException public void modify(User user) throws UserException, IOException
{ {
String name = user.getName();
if (logger.isInfoEnabled()) if (logger.isInfoEnabled())
{ {
logger.info("modify user {} of type {}", user.getName(), user.getType()); logger.info("modify user {} of type {}", user.getName(), user.getType());
} }
Subject subject = SecurityUtils.getSubject();
if (!subject.isAuthenticated())
{
throw new ScmSecurityException("user is not authenticated");
}
User currentUser = subject.getPrincipals().oneByType(User.class);
if (!user.getName().equals(currentUser.getName())
&&!subject.hasRole(Role.ADMIN))
{
throw new ScmSecurityException("admin account is required");
}
String name = user.getName();
UserPermissions.modify(user).check();
User oldUser = userDAO.get(name); User oldUser = userDAO.get(name);
if (oldUser != null) if (oldUser != null)
@@ -305,8 +270,7 @@ public class DefaultUserManager extends AbstractUserManager
logger.info("refresh user {} of type {}", user.getName(), user.getType()); logger.info("refresh user {} of type {}", user.getName(), user.getType());
} }
SecurityUtil.assertIsAdmin(); UserPermissions.read(user).check();
User fresh = userDAO.get(user.getName()); User fresh = userDAO.get(user.getName());
if (fresh == null) if (fresh == null)
@@ -333,24 +297,23 @@ public class DefaultUserManager extends AbstractUserManager
logger.debug("search user with query {}", searchRequest.getQuery()); logger.debug("search user with query {}", searchRequest.getQuery());
} }
return SearchUtil.search(searchRequest, userDAO.getAll(), final PermissionActionCheck<User> check = UserPermissions.read();
new TransformFilter<User>() return SearchUtil.search(searchRequest, userDAO.getAll(), new TransformFilter<User>() {
{
@Override @Override
public User accept(User user) public User accept(User user)
{ {
User result = null; User result = null;
if (check.isPermitted(user) && matches(searchRequest, user)) {
if (SearchUtil.matchesOne(searchRequest, user.getName(),
user.getDisplayName(), user.getMail()))
{
result = user.clone(); result = user.clone();
} }
return result; return result;
} }
}); });
} }
private boolean matches(SearchRequest searchRequest, User user) {
return SearchUtil.matchesOne(searchRequest, user.getName(), user.getDisplayName(), user.getMail());
}
//~--- get methods ---------------------------------------------------------- //~--- get methods ----------------------------------------------------------
@@ -365,8 +328,8 @@ public class DefaultUserManager extends AbstractUserManager
@Override @Override
public User get(String id) public User get(String id)
{ {
UserPermissions.read().check(id);
// SecurityUtil.assertIsAdmin(scurityContextProvider);
User user = userDAO.get(id); User user = userDAO.get(id);
if (user != null) if (user != null)
@@ -400,17 +363,16 @@ public class DefaultUserManager extends AbstractUserManager
@Override @Override
public Collection<User> getAll(Comparator<User> comparator) public Collection<User> getAll(Comparator<User> comparator)
{ {
SecurityUtil.assertIsAdmin(); List<User> users = new ArrayList<>();
List<User> users = new ArrayList<User>(); PermissionActionCheck<User> check = UserPermissions.read();
for (User user : userDAO.getAll()) {
for (User user : userDAO.getAll()) if (check.isPermitted(user)) {
{ users.add(user.clone());
users.add(user.clone()); }
} }
if (comparator != null) if (comparator != null) {
{
Collections.sort(users, comparator); Collections.sort(users, comparator);
} }
@@ -429,18 +391,17 @@ public class DefaultUserManager extends AbstractUserManager
* @return * @return
*/ */
@Override @Override
public Collection<User> getAll(Comparator<User> comaparator, int start, public Collection<User> getAll(Comparator<User> comaparator, int start, int limit) {
int limit) final PermissionActionCheck<User> check = UserPermissions.read();
{
SecurityUtil.assertIsAdmin();
return Util.createSubCollection(userDAO.getAll(), comaparator, return Util.createSubCollection(userDAO.getAll(), comaparator,
new CollectionAppender<User>() new CollectionAppender<User>()
{ {
@Override @Override
public void append(Collection<User> collection, User item) public void append(Collection<User> collection, User item)
{ {
collection.add(item.clone()); if (check.isPermitted(item)) {
collection.add(item.clone());
}
} }
}, start, limit); }, start, limit);
} }