define AuthorizationCollector as extension point with multiple implmentations

2025-11-08 22:45:45 +01:00 · 2019-02-18 18:01:11 +01:00
parent 1a6e0dff8f
commit aec66c023a
7 changed files with 91 additions and 52 deletions
--- a/scm-webapp/src/main/java/sonia/scm/security/DefaultAuthorizationCollector.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/DefaultAuthorizationCollector.java
@@ -36,6 +36,7 @@ package sonia.scm.security;
 //~--- non-JDK imports --------------------------------------------------------

 import com.github.legman.Subscribe;
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.Objects;
 import com.google.common.base.Preconditions;
 import com.google.common.collect.ImmutableSet;
@@ -118,8 +119,8 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
   *
   * @return
   */
-  @Override
-  public AuthorizationInfo collect()
+  @VisibleForTesting
+  AuthorizationInfo collect()
  {
    AuthorizationInfo authorizationInfo;
    Subject subject = SecurityUtils.getSubject();
@@ -143,6 +144,7 @@ public class DefaultAuthorizationCollector implements AuthorizationCollector
   *
   * @return
   */
+  @Override
  public AuthorizationInfo collect(PrincipalCollection principals)
  {
    Preconditions.checkNotNull(principals, "principals parameter is required");
--- a/scm-webapp/src/main/java/sonia/scm/security/DefaultRealm.java
+++ b/scm-webapp/src/main/java/sonia/scm/security/DefaultRealm.java
@@ -42,9 +42,11 @@ import org.apache.shiro.authc.UsernamePasswordToken;
 import org.apache.shiro.authc.credential.PasswordMatcher;
 import org.apache.shiro.authc.credential.PasswordService;
 import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.authz.SimpleAuthorizationInfo;
 import org.apache.shiro.realm.AuthorizingRealm;
 import org.apache.shiro.subject.PrincipalCollection;

+import org.apache.shiro.subject.SimplePrincipalCollection;
 import sonia.scm.group.GroupNames;
 import sonia.scm.plugin.Extension;

@@ -56,6 +58,8 @@ import javax.inject.Singleton;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;

+import java.util.Set;
+
 /**
 * Default authorizing realm.
 *
@@ -85,14 +89,13 @@ public class DefaultRealm extends AuthorizingRealm
   *
   *
   * @param service
-   * @param collector
+   * @param authorizationCollectors
   * @param helperFactory
   */
  @Inject
-  public DefaultRealm(PasswordService service,
-    DefaultAuthorizationCollector collector, DAORealmHelperFactory helperFactory)
+  public DefaultRealm(PasswordService service, Set<AuthorizationCollector> authorizationCollectors, DAORealmHelperFactory helperFactory)
  {
-    this.collector = collector;
+    this.authorizationCollectors = authorizationCollectors;
    this.helper = helperFactory.create(REALM);

    PasswordMatcher matcher = new PasswordMatcher();
@@ -133,8 +136,7 @@ public class DefaultRealm extends AuthorizingRealm
  @Override
  protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals)
  {
-    AuthorizationInfo info = collector.collect(principals);
-    
+    AuthorizationInfo info = collectors(principals);
    Scope scope = principals.oneByType(Scope.class);
    if (scope != null && ! scope.isEmpty()) {
      LOG.trace("filter permissions by scope {}", scope);
@@ -144,13 +146,36 @@ public class DefaultRealm extends AuthorizingRealm
      }
      return filtered;
    } else if (LOG.isTraceEnabled()) {
-      LOG.trace("principal does not contain scope informations, returning all permissions");
+      LOG.trace("principal does not contain scope information, returning all permissions");
      log(principals, info, null);
    }
    
    return info;
  }
-  
+
+  private AuthorizationInfo collectors(PrincipalCollection principals) {
+    SimpleAuthorizationInfo merged = new SimpleAuthorizationInfo();
+    for (AuthorizationCollector collector : authorizationCollectors) {
+      AuthorizationInfo authorizationInfo = collector.collect(principals);
+      merge(merged, authorizationInfo);
+    }
+    return merged;
+  }
+
+  private void merge(SimpleAuthorizationInfo merged, AuthorizationInfo authorizationInfo) {
+    if (authorizationInfo != null) {
+      if (authorizationInfo.getRoles() != null) {
+        merged.addRoles(authorizationInfo.getRoles());
+      }
+      if (authorizationInfo.getObjectPermissions() != null) {
+        merged.addObjectPermissions(authorizationInfo.getObjectPermissions());
+      }
+      if (authorizationInfo.getStringPermissions() != null) {
+        merged.addStringPermissions(authorizationInfo.getStringPermissions());
+      }
+    }
+  }
+
  private void log( PrincipalCollection collection, AuthorizationInfo original, AuthorizationInfo filtered ) {
    StringBuilder buffer = new StringBuilder("authorization summary: ");
    
@@ -190,8 +215,8 @@ public class DefaultRealm extends AuthorizingRealm

  //~--- fields ---------------------------------------------------------------

-  /** default authorization collector */
-  private final DefaultAuthorizationCollector collector;
+  /** set of authorization collector */
+  private final Set<AuthorizationCollector> authorizationCollectors;

  /** realm helper */
  private final DAORealmHelper helper;