@Test
public void testReadRolesInSchema() throws Exception {
final MondrianCatalogHelper helper =
(MondrianCatalogHelper) PentahoSystem.get(IMondrianCatalogService.class);
Assert.assertNotNull(helper);
MondrianCatalog mc =
SecurityHelper.getInstance()
.runAsUser(
"admin",
new Callable<MondrianCatalog>() {
@Override
public MondrianCatalog call() throws Exception {
return helper.getCatalog("SteelWheelsRoles", PentahoSessionHolder.getSession());
}
});
Assert.assertNotNull(mc);
MondrianSchema ms = mc.getSchema();
Assert.assertNotNull(ms);
String[] roleNames = ms.getRoleNames();
Assert.assertNotNull(roleNames);
Assert.assertEquals(2, roleNames.length);
Assert.assertEquals("Role1", roleNames[0]);
Assert.assertEquals("Role2", roleNames[1]);
}
@Test
public void testMondrianOneToOneUserRoleListMapper() throws Exception {
final IConnectionUserRoleMapper mapper = new MondrianOneToOneUserRoleListMapper();
try {
String[] roles =
SecurityHelper.getInstance()
.runAsUser(
"simplebob",
new Callable<String[]>() {
@Override
public String[] call() throws Exception {
return mapper.mapConnectionRoles(
PentahoSessionHolder.getSession(), "SteelWheelsRoles");
}
});
Assert.assertNotNull(roles);
Assert.assertEquals(2, roles.length);
Assert.assertEquals("Role1", roles[0]);
Assert.assertEquals("Role2", roles[1]);
} catch (PentahoAccessControlException e) {
Assert.fail(e.getMessage());
}
}
/**
* Returns whether the current user is an administrator
*
* @return "true" or "false"
*/
@GET
@Path("/isAdministrator")
public Response isAdministrator() {
return Response.ok(
"" + (SecurityHelper.getInstance().isPentahoAdministrator(getPentahoSession())))
.build();
}
/**
* Logs in with given username.
*
* @param username username of user
* @param tenantId tenant to which this user belongs
* @tenantAdmin true to add the tenant admin authority to the user's roles
*/
protected void login(final String username, final ITenant tenant, String[] roles) {
StandaloneSession pentahoSession =
new StandaloneSession(tenantedUserNameUtils.getPrincipleId(tenant, username));
pentahoSession.setAuthenticated(
tenant.getId(), tenantedUserNameUtils.getPrincipleId(tenant, username));
PentahoSessionHolder.setSession(pentahoSession);
pentahoSession.setAttribute(IPentahoSession.TENANT_ID_KEY, tenant.getId());
final String password = "******";
List<GrantedAuthority> authList = new ArrayList<GrantedAuthority>();
for (String roleName : roles) {
authList.add(
new GrantedAuthorityImpl(tenantedRoleNameUtils.getPrincipleId(tenant, roleName)));
}
GrantedAuthority[] authorities = authList.toArray(new GrantedAuthority[0]);
UserDetails userDetails = new User(username, password, true, true, true, true, authorities);
Authentication auth =
new UsernamePasswordAuthenticationToken(userDetails, password, authorities);
PentahoSessionHolder.setSession(pentahoSession);
// this line necessary for Spring Security's MethodSecurityInterceptor
SecurityContextHolder.getContext().setAuthentication(auth);
SecurityHelper.getInstance().becomeUser(tenantedUserNameUtils.getPrincipleId(tenant, username));
SecurityContextHolder.getContext().setAuthentication(auth);
}
@Before
public void setUp() throws Exception {
repository = mock(IUnifiedRepository.class);
session = mock(IPentahoSession.class);
when(session.getName()).thenReturn("test");
PentahoSessionHolder.setSession(session);
userSettings =
new HashMap<String, Serializable>() {
{
put(USER_SETTING_NAME_1, USER_SETTING_VALUE_1);
put(UserSettingService.SETTING_PREFIX + COMMON_SETTING_NAME, COMMON_USER_SETTING_VALUE);
put(USER_SETTING_NAME_2, USER_SETTING_VALUE_2);
put(UserSettingService.SETTING_PREFIX + USER_SETTING_NAME_3, USER_SETTING_VALUE_3);
}
};
globalSettings =
new HashMap<String, Serializable>() {
{
put(GLOBAL_SETTING_NAME_1, GLOBAL_SETTING_VALUE_1);
put(
UserSettingService.SETTING_PREFIX + COMMON_SETTING_NAME,
COMMON_GLOBAL_SETTING_VALUE);
put(GLOBAL_SETTING_NAME_2, GLOBAL_SETTING_VALUE_2);
put(UserSettingService.SETTING_PREFIX + GLOBAL_SETTING_NAME_3, GLOBAL_SETTING_VALUE_3);
}
};
when(repository.getFileMetadata(eq(USER_FOLDER_ID))).thenReturn(userSettings);
when(repository.getFileMetadata(eq(TENANT_FOLDER_ID))).thenReturn(globalSettings);
final RepositoryFile tenantRepositoryFile = mock(RepositoryFile.class);
when(tenantRepositoryFile.getId()).thenReturn(TENANT_FOLDER_ID);
when(repository.getFile(eq(ClientRepositoryPaths.getEtcFolderPath())))
.thenReturn(tenantRepositoryFile);
final RepositoryFile userRepositoryFile = mock(RepositoryFile.class);
when(userRepositoryFile.getId()).thenReturn(USER_FOLDER_ID);
when(repository.getFile(eq(ClientRepositoryPaths.getUserHomeFolderPath(session.getName()))))
.thenReturn(userRepositoryFile);
securityHelper = mock(ISecurityHelper.class);
when(securityHelper.runAsSystem(any(Callable.class)))
.thenAnswer(
new Answer<Object>() {
@Override
public Object answer(InvocationOnMock invocation) throws Throwable {
final Callable callable = (Callable) invocation.getArguments()[0];
if (callable != null) {
return callable.call();
}
return null;
}
});
SecurityHelper.setMockInstance(securityHelper);
userSettingService = new UserSettingService(repository);
userSettingService.init(session);
}
public List<String> getPermittedRoleList(IPentahoSession session) {
List<String> roleList = new ArrayList<String>();
Authentication auth = SecurityHelper.getAuthentication(session, true);
IPluginResourceLoader resLoader = PentahoSystem.get(IPluginResourceLoader.class, null);
String roles = null;
try {
roles =
resLoader.getPluginSetting(getClass(), "settings/data-access-view-roles"); // $NON-NLS-1$
} catch (Exception e) {
e.printStackTrace();
}
if (roles != null) {
String roleArr[] = roles.split(","); // $NON-NLS-1$
for (String role : roleArr) {
for (GrantedAuthority userRole : auth.getAuthorities()) {
if (role != null && role.trim().equals(userRole.getAuthority())) {
roleList.add(role);
}
}
}
}
return roleList;
}
@Test
public void testLookupMapUserRoleListMapper() throws Exception {
Map<String, String> lookup = new HashMap<String, String>();
lookup.put("ceo", "Role1");
lookup.put("Not Pentaho", "Role2");
lookup.put("Not Mondrian or Pentaho", "Role3");
final MondrianLookupMapUserRoleListMapper mapper = new MondrianLookupMapUserRoleListMapper();
mapper.setLookupMap(lookup);
try {
String[] roles =
SecurityHelper.getInstance()
.runAsUser(
"admin",
new Callable<String[]>() {
@Override
public String[] call() throws Exception {
return mapper.mapConnectionRoles(
PentahoSessionHolder.getSession(), "SteelWheelsRoles");
}
});
Assert.assertNotNull(roles);
Assert.assertEquals(1, roles.length);
Assert.assertEquals("Role1", roles[0]);
} catch (PentahoAccessControlException e) {
Assert.fail(e.getMessage());
}
}
@Test
public void testMondrianUserSessionUserRoleListMapper() throws Exception {
final MondrianUserSessionUserRoleListMapper mapper =
new MondrianUserSessionUserRoleListMapper();
mapper.setSessionProperty("rolesAttribute");
try {
String[] roles =
SecurityHelper.getInstance()
.runAsUser(
"admin",
new Callable<String[]>() {
@Override
public String[] call() throws Exception {
IPentahoSession session = PentahoSessionHolder.getSession();
session.setAttribute(
"rolesAttribute",
new Object[] {"mondrianRole1", "mondrianRole2", "mondrianRole3"});
return mapper.mapConnectionRoles(session, "SteelWheelsRoles");
}
});
Assert.assertNotNull(roles);
Assert.assertEquals(3, roles.length);
Assert.assertEquals("mondrianRole1", roles[0]);
Assert.assertEquals("mondrianRole2", roles[1]);
Assert.assertEquals("mondrianRole3", roles[2]);
} catch (PentahoAccessControlException e) {
Assert.fail(e.getMessage());
}
}
@Test
public void testNoMatchLookupMapUserRoleListMapper() throws Exception {
Map<String, String> lookup = new HashMap<String, String>();
lookup.put("No Match", "Role1");
lookup.put("No Match Here Either", "Role2");
final MondrianLookupMapUserRoleListMapper mapper = new MondrianLookupMapUserRoleListMapper();
mapper.setLookupMap(lookup);
mapper.setFailOnEmptyRoleList(true);
try {
SecurityHelper.getInstance()
.runAsUser(
"admin",
new Callable<String[]>() {
@Override
public String[] call() throws Exception {
return mapper.mapConnectionRoles(
PentahoSessionHolder.getSession(), "SteelWheelsRoles");
}
});
Assert.fail();
} catch (PentahoAccessControlException e) {
// no op.
}
mapper.setFailOnEmptyRoleList(false);
try {
String[] roles =
SecurityHelper.getInstance()
.runAsUser(
"admin",
new Callable<String[]>() {
@Override
public String[] call() throws Exception {
return mapper.mapConnectionRoles(
PentahoSessionHolder.getSession(), "SteelWheelsRoles");
}
});
Assert.assertNull(roles);
} catch (PentahoAccessControlException e) {
Assert.fail(e.getMessage());
}
}
private String generateInMemoryDatasourcesXml() {
try {
return SecurityHelper.getInstance()
.runAsSystem(
new Callable<String>() {
public String call() throws Exception {
return mondrianCatalogService.generateInMemoryDatasourcesXml(repo);
}
});
} catch (Exception e) {
PentahoXmlaServlet.logger.error(e);
throw new RuntimeException(e);
}
}
@Test
public void testNoMatchMondrianOneToOneUserRoleListMapper() throws Exception {
final MondrianOneToOneUserRoleListMapper mapper = new MondrianOneToOneUserRoleListMapper();
mapper.setFailOnEmptyRoleList(true);
try {
SecurityHelper.getInstance()
.runAsUser(
"admin",
new Callable<String[]>() {
@Override
public String[] call() throws Exception {
return mapper.mapConnectionRoles(
PentahoSessionHolder.getSession(), "SteelWheelsRoles");
}
});
Assert.fail();
} catch (PentahoAccessControlException e) {
// No op.
}
mapper.setFailOnEmptyRoleList(false);
try {
String[] roles =
SecurityHelper.getInstance()
.runAsUser(
"simplebob",
new Callable<String[]>() {
@Override
public String[] call() throws Exception {
return mapper.mapConnectionRoles(
PentahoSessionHolder.getSession(), "SteelWheelsRoles");
}
});
Assert.assertArrayEquals(new String[] {"Role1", "Role2"}, roles);
} catch (PentahoAccessControlException e) {
Assert.fail(e.getMessage());
}
}
@SuppressWarnings("deprecation")
public void testVoter() throws Exception {
SecurityHelper.getInstance()
.runAsUser(
"suzy",
new Callable<Void>() {
@Override
public Void call() throws Exception {
RepositoryFile testFile =
new RepositoryFile("Test Folder", null, null); // $NON-NLS-1$
Map<IPermissionRecipient, IPermissionMask> perms =
new LinkedHashMap<IPermissionRecipient, IPermissionMask>();
perms.put(
new SimpleUser("suzy"),
new SimplePermissionMask(IPentahoAclEntry.PERM_EXECUTE));
perms.put(
new SimpleRole("ROLE_CTO"),
new SimplePermissionMask(IPentahoAclEntry.PERM_SUBSCRIBE));
perms.put(
new SimpleRole("ROLE_IS"),
new SimplePermissionMask(IPentahoAclEntry.PERM_ADMINISTRATION));
SpringSecurityPermissionMgr.instance().setPermissions(perms, testFile);
PentahoBasicAclVoter voter = new PentahoBasicAclVoter();
assertTrue(
voter.hasAccess(
PentahoSessionHolder.getSession(),
testFile,
IPentahoAclEntry.PERM_EXECUTE));
assertTrue(
voter.hasAccess(
PentahoSessionHolder.getSession(),
testFile,
IPentahoAclEntry.PERM_SUBSCRIBE));
assertTrue(
voter.hasAccess(
PentahoSessionHolder.getSession(),
testFile,
IPentahoAclEntry.PERM_ADMINISTRATION));
PentahoAclEntry entry =
voter.getEffectiveAcl(PentahoSessionHolder.getSession(), testFile);
assertNotNull(entry);
assertEquals(entry.printPermissionsBlock(), "XSCUDP"); // $NON-NLS-1$
return null;
}
});
}
private String getDatasourcesXml() {
final Callable<String> call =
new Callable<String>() {
public String call() throws Exception {
return generateInMemoryDatasourcesXml();
}
};
try {
if (isSecurityEnabled()) {
return SecurityHelper.getInstance().runAsSystem(call);
} else {
return call.call();
}
} catch (Exception e) {
throw new IOlapServiceException(e);
}
}
@Test
public void testReadRolesInPlatform() throws Exception {
SecurityHelper.getInstance()
.runAsUser(
"admin",
new Callable<Void>() {
@Override
public Void call() throws Exception {
Authentication auth = SecurityHelper.getInstance().getAuthentication();
Assert.assertNotNull(auth);
GrantedAuthority[] gAuths = auth.getAuthorities();
Assert.assertNotNull(gAuths);
Assert.assertEquals(3, gAuths.length);
Assert.assertEquals("ceo", gAuths[0].getAuthority());
Assert.assertEquals("Admin", gAuths[1].getAuthority());
Assert.assertEquals("Authenticated", gAuths[2].getAuthority());
return null;
}
});
}
@Test
public void testNoMatchMondrianUserSessionUserRoleListMapper() throws Exception {
final MondrianUserSessionUserRoleListMapper mapper =
new MondrianUserSessionUserRoleListMapper();
mapper.setSessionProperty("rolesAttribute");
try {
String[] roles =
SecurityHelper.getInstance()
.runAsUser(
"admin",
new Callable<String[]>() {
@Override
public String[] call() throws Exception {
return mapper.mapConnectionRoles(
PentahoSessionHolder.getSession(), "SteelWheelsRoles");
}
});
Assert.assertNull(roles);
} catch (PentahoAccessControlException e) {
Assert.fail(e.getMessage());
}
}
/** Initializes the cache. Only the cache specific to the sesison's locale will be populated. */
protected void initCache(IPentahoSession session) {
final List<Catalog> cache = getCache(session);
final boolean needUpdate;
final Lock readLock = cacheLock.readLock();
try {
readLock.lock();
// Check if the cache is empty.
if (cache.size() == 0) {
needUpdate = true;
} else {
needUpdate = false;
}
} finally {
readLock.unlock();
}
if (needUpdate) {
final Lock writeLock = cacheLock.writeLock();
try {
writeLock.lock();
// First clear the cache
cache.clear();
final Callable<Void> call =
new Callable<Void>() {
public Void call() throws Exception {
// Now build the cache. Use the system session in the holder.
for (String name : getHelper().getHostedCatalogs()) {
try {
addCatalogToCache(PentahoSessionHolder.getSession(), name);
} catch (Throwable t) {
LOG.error("Failed to initialize the cache for OLAP connection " + name, t);
}
}
for (String name : getHelper().getOlap4jServers()) {
try {
addCatalogToCache(PentahoSessionHolder.getSession(), name);
} catch (Throwable t) {
LOG.error("Failed to initialize the cache for OLAP connection " + name, t);
}
}
return null;
}
};
if (isSecurityEnabled()) {
SecurityHelper.getInstance().runAsSystem(call);
} else {
call.call();
}
// Sort it all.
Collections.sort(
cache,
new Comparator<IOlapService.Catalog>() {
public int compare(Catalog o1, Catalog o2) {
return o1.name.compareTo(o2.name);
}
});
} catch (Throwable t) {
LOG.error("Failed to initialize the connection cache", t);
throw new IOlapServiceException(t);
} finally {
writeLock.unlock();
}
}
}
/**
* Utility method for access negotiation. For performance, not all files will be checked against
* the supplied voter.
*
* @param aFile
* @param actionOperation
* @param session
* @return
*/
public static boolean hasAccess(
final IAclSolutionFile aFile, final int actionOperation, final IPentahoSession session) {
if (aFile == null) {
return false;
}
if (!aFile.isDirectory()) {
List extensionList = PentahoSystem.getACLFileExtensionList();
String fName = aFile.getFileName();
int posn = fName.lastIndexOf('.');
if (posn >= 0) {
if (extensionList.indexOf(fName.substring(posn)) < 0) {
// Non-acl'd file. Return true.
return true;
}
} else {
// Untyped file. Allow access.
return true;
}
}
IAclVoter voter = PentahoSystem.get(IAclVoter.class, session);
int aclMask = -1;
switch (actionOperation) {
case ISolutionRepository.ACTION_EXECUTE:
{
aclMask = IPentahoAclEntry.PERM_EXECUTE;
break;
}
case ISolutionRepository.ACTION_ADMIN:
{
// aclMask = PentahoAclEntry.ADMINISTRATION;
// break;
return SecurityHelper.isPentahoAdministrator(session);
}
case ISolutionRepository.ACTION_SUBSCRIBE:
{
aclMask = IPentahoAclEntry.PERM_SUBSCRIBE;
break;
}
case ISolutionRepository.ACTION_CREATE:
{
aclMask = IPentahoAclEntry.PERM_CREATE;
break;
}
case ISolutionRepository.ACTION_UPDATE:
{
aclMask = IPentahoAclEntry.PERM_UPDATE;
break;
}
case ISolutionRepository.ACTION_DELETE:
{
aclMask = IPentahoAclEntry.PERM_DELETE;
break;
}
case ISolutionRepository.ACTION_SHARE:
{
aclMask = IPentahoAclEntry.PERM_UPDATE_PERMS;
break;
}
default:
{
aclMask = IPentahoAclEntry.PERM_EXECUTE;
break;
}
}
return voter.hasAccess(session, aFile, aclMask);
}
