예제 #1
0
  @Test
  public void testUpdateConfiguration() throws Exception {
    // READ request to storage
    RequestContext.Builder storageReq =
        new RequestContext.Builder()
            .requestType(RequestType.READ)
            .resourcePath(new ResourcePath("/testApp/storage"));
    assertAuthzDecision(storageReq.securityContext(anonymous), AuthzDecision.IGNORE);
    assertAuthzDecision(storageReq.securityContext(user), AuthzDecision.ACCEPT);
    assertAuthzDecision(storageReq.securityContext(evil), AuthzDecision.REJECT);

    // Find and remove storage rule
    RequestContext reqCtx = new RequestContext.Builder();
    ResourceState config = client.read(reqCtx, "/admin/applications/testApp/resources/uri-policy");
    List<ResourceState> rules =
        (List<ResourceState>) config.getProperty(URIPolicyConfigResource.RULES_PROPERTY);

    ResourceState storageRule = null;
    for (ResourceState rule : rules) {
      if (rule.getProperty("uriPattern").equals("/testApp/storage*")) {
        storageRule = rule;
        break;
      }
    }
    Assert.assertNotNull(storageRule);
    rules.remove(storageRule);

    // Update config with removed storage rule
    client.update(reqCtx, "/admin/applications/testApp/resources/uri-policy", config);

    // READ request to storage
    assertAuthzDecision(storageReq.securityContext(anonymous), AuthzDecision.IGNORE);
    assertAuthzDecision(storageReq.securityContext(user), AuthzDecision.IGNORE);
    assertAuthzDecision(storageReq.securityContext(evil), AuthzDecision.IGNORE);

    // Remove section about deniedUsers and add it back
    storageRule.removeProperty("deniedUsers");
    rules.add(storageRule);
    client.update(reqCtx, "/admin/applications/testApp/resources/uri-policy", config);

    // READ request to storage now allowed even for 'evil'
    assertAuthzDecision(storageReq.securityContext(anonymous), AuthzDecision.IGNORE);
    assertAuthzDecision(storageReq.securityContext(user), AuthzDecision.ACCEPT);
    assertAuthzDecision(storageReq.securityContext(evil), AuthzDecision.ACCEPT);
  }
예제 #2
0
  @Test
  public void testAuthorizationRequest() throws Exception {
    // Request to 'client' page
    RequestContext.Builder clientReq =
        new RequestContext.Builder()
            .requestType(RequestType.READ)
            .resourcePath(new ResourcePath("/testApp/client/some"));
    assertAuthzDecision(clientReq.securityContext(anonymous), AuthzDecision.ACCEPT);
    assertAuthzDecision(clientReq.securityContext(user), AuthzDecision.ACCEPT);
    assertAuthzDecision(clientReq.securityContext(evil), AuthzDecision.ACCEPT);

    // request to /app/some
    RequestContext.Builder appReq =
        new RequestContext.Builder()
            .requestType(RequestType.READ)
            .resourcePath(new ResourcePath("/testApp/app/some"));
    assertAuthzDecision(appReq.securityContext(anonymous), AuthzDecision.IGNORE);
    assertAuthzDecision(appReq.securityContext(user), AuthzDecision.IGNORE);
    assertAuthzDecision(appReq.securityContext(evil), AuthzDecision.IGNORE);

    // request to /app/some
    RequestContext.Builder appIndexReq =
        new RequestContext.Builder()
            .requestType(RequestType.READ)
            .resourcePath(new ResourcePath("/testApp/app/index.html"));
    assertAuthzDecision(appIndexReq.securityContext(anonymous), AuthzDecision.ACCEPT);
    assertAuthzDecision(appIndexReq.securityContext(user), AuthzDecision.ACCEPT);
    assertAuthzDecision(appIndexReq.securityContext(evil), AuthzDecision.ACCEPT);

    // READ request to storage
    RequestContext.Builder storageReq =
        new RequestContext.Builder()
            .requestType(RequestType.READ)
            .resourcePath(new ResourcePath("/testApp/storage"));
    assertAuthzDecision(storageReq.securityContext(anonymous), AuthzDecision.IGNORE);
    assertAuthzDecision(storageReq.securityContext(user), AuthzDecision.ACCEPT);
    assertAuthzDecision(storageReq.securityContext(evil), AuthzDecision.REJECT);

    // READ some collection in storage
    storageReq.resourcePath(new ResourcePath("/testApp/storage/todomvc"));
    assertAuthzDecision(storageReq.securityContext(anonymous), AuthzDecision.IGNORE);
    assertAuthzDecision(storageReq.securityContext(user), AuthzDecision.ACCEPT);
    assertAuthzDecision(storageReq.securityContext(evil), AuthzDecision.REJECT);

    // CREATE request to storage
    storageReq.requestType(RequestType.CREATE);
    assertAuthzDecision(storageReq.securityContext(anonymous), AuthzDecision.IGNORE);
    assertAuthzDecision(storageReq.securityContext(user), AuthzDecision.IGNORE);
    assertAuthzDecision(storageReq.securityContext(evil), AuthzDecision.IGNORE);
  }