@Before
public void setUp() {
caller = Caller.createCaller(null);
ControlledProcessState processState = new ControlledProcessState(false);
processState.setRunning();
environment = new Environment(processState, ProcessType.EMBEDDED_SERVER);
}
@Before
public void setUp() {
caller = Caller.createCaller(null);
ControlledProcessState processState = new ControlledProcessState(false);
processState.setRunning();
environment = new Environment(processState, ProcessType.EMBEDDED_SERVER);
TestPermissionFactory testPermissionFactory = new TestPermissionFactory();
authorizer = new ManagementPermissionAuthorizer(testPermissionFactory, testPermissionFactory);
}
private Set<String> mapRoles(final Caller caller) {
Set<String> mappedRoles = new HashSet<String>();
boolean traceEnabled = ACCESS_LOGGER.isTraceEnabled();
if (caller.hasSubject()) {
Map<String, AuthorizerConfiguration.RoleMapping> rolesToCheck;
if (authorizerConfiguration.isMapUsingRealmRoles()) {
rolesToCheck =
new HashMap<String, AuthorizerConfiguration.RoleMapping>(
authorizerConfiguration.getRoleMappings());
Set<String> realmRoles = caller.getAssociatedRoles();
for (String current : realmRoles) {
String roleName = current.toUpperCase(Locale.ENGLISH);
if (rolesToCheck.containsKey(roleName)) {
AuthorizerConfiguration.RoleMapping roleMapping = rolesToCheck.remove(roleName);
AuthorizerConfiguration.MappingPrincipal exclusion = roleMapping.isExcluded(caller);
if (exclusion == null) {
if (traceEnabled) {
ACCESS_LOGGER.tracef(
"User '%s' assigned role '%s' due to realm assignment and no exclusion in role mapping definition.",
caller.getName(), roleName);
}
mappedRoles.add(roleName);
} else {
if (traceEnabled) {
ACCESS_LOGGER.tracef(
"User '%s' NOT assigned role '%s' despite realm assignment due to exclusion match against %s.",
caller.getName(), roleName, exclusion);
}
}
} else {
if (traceEnabled) {
ACCESS_LOGGER.tracef(
"User '%s' assigned role '%s' due to realm assignment and no role mapping to check for exclusion.",
caller.getName(), roleName);
}
mappedRoles.add(roleName);
}
}
} else {
// A clone is not needed here as the whole set of values is to be iterated with no need for
// removal.
rolesToCheck = authorizerConfiguration.getRoleMappings();
}
for (AuthorizerConfiguration.RoleMapping current : rolesToCheck.values()) {
boolean includeAll = current.includeAllAuthedUsers();
AuthorizerConfiguration.MappingPrincipal inclusion =
includeAll == false ? current.isIncluded(caller) : null;
if (includeAll || inclusion != null) {
AuthorizerConfiguration.MappingPrincipal exclusion = current.isExcluded(caller);
if (exclusion == null) {
if (traceEnabled) {
if (includeAll) {
ACCESS_LOGGER.tracef(
"User '%s' assiged role '%s' due to include-all set on role.",
caller.getName(), current.getName());
} else {
ACCESS_LOGGER.tracef(
"User '%s' assiged role '%s' due to match on inclusion %s",
caller.getName(), current.getName(), inclusion);
}
}
mappedRoles.add(current.getName());
} else {
if (traceEnabled) {
ACCESS_LOGGER.tracef(
"User '%s' denied membership of role '%s' due to exclusion %s",
caller.getName(), current.getName(), exclusion);
}
}
} else {
if (traceEnabled) {
ACCESS_LOGGER.tracef(
"User '%s' not assigned role '%s' as no match on the include definition of the role mapping.",
caller.getName(), current.getName());
}
}
}
} else {
/*
* If the IN-VM code does not have the required permission a SecurityException will be thrown.
*
* At the moment clients should not be making speculation requests so in a correctly configured installation this
* check should pass with no error.
*/
checkPermission(RUN_AS_IN_VM_ROLE);
ACCESS_LOGGER.tracef(
"Assigning role '%s' for call with no assigned Subject (An IN-VM Call).", IN_VM_ROLE);
mappedRoles.add(IN_VM_ROLE);
}
if (traceEnabled) {
StringBuilder sb =
new StringBuilder("User '").append(caller.getName()).append("' Assigned Roles { ");
for (String current : mappedRoles) {
sb.append("'").append(current).append("' ");
}
sb.append("}");
ACCESS_LOGGER.trace(sb.toString());
}
// TODO - We could consider something along the lines of a WeakHashMap to hold this result keyed
// on the Caller.
// The contents of the Caller are not expected to change during a call and we could clear the
// cache on a config change.
return Collections.unmodifiableSet(mappedRoles);
}
