private ManagementResourceRegistration getDummyRegistration() {
return ManagementResourceRegistration.Factory.create(
new DescriptionProvider() {
@Override
public ModelNode getModelDescription(Locale locale) {
return new ModelNode();
}
});
}
/** @author Ladislav Thon <*****@*****.**> */
public class DefaultPermissionFactoryTestCase {
private static final ManagementResourceRegistration ROOT_RR =
ManagementResourceRegistration.Factory.create(
new SimpleResourceDefinition(null, new NonResolvingResourceDescriptionResolver()) {
@Override
public List<AccessConstraintDefinition> getAccessConstraints() {
return Collections.emptyList();
}
});
private static final AuthorizerConfiguration PERMISSIVE;
private static final AuthorizerConfiguration REJECTING;
static {
PERMISSIVE = new WritableAuthorizerConfiguration(StandardRBACAuthorizer.AUTHORIZER_DESCRIPTION);
WritableAuthorizerConfiguration rejecting =
new WritableAuthorizerConfiguration(StandardRBACAuthorizer.AUTHORIZER_DESCRIPTION);
rejecting.setPermissionCombinationPolicy(CombinationPolicy.REJECTING);
REJECTING = rejecting;
}
private Caller caller;
private Environment environment;
@Before
public void setUp() {
caller = Caller.createCaller(null);
ControlledProcessState processState = new ControlledProcessState(false);
processState.setRunning();
environment = new Environment(processState, ProcessType.EMBEDDED_SERVER);
}
@Test
public void testSingleRoleRejectingCombinationPolicy() {
testResourceSingleRole(REJECTING, StandardRole.MONITOR, StandardRole.MONITOR, true);
testResourceSingleRole(REJECTING, StandardRole.MONITOR, StandardRole.OPERATOR, false);
testAttributeSingleRole(REJECTING, StandardRole.MONITOR, StandardRole.MONITOR, true);
testAttributeSingleRole(REJECTING, StandardRole.MONITOR, StandardRole.OPERATOR, false);
}
@Test
public void testSingleRolePermissiveCombinationPolicy() {
testResourceSingleRole(PERMISSIVE, StandardRole.MONITOR, StandardRole.MONITOR, true);
testResourceSingleRole(PERMISSIVE, StandardRole.MONITOR, StandardRole.OPERATOR, false);
testAttributeSingleRole(PERMISSIVE, StandardRole.MONITOR, StandardRole.MONITOR, true);
testAttributeSingleRole(PERMISSIVE, StandardRole.MONITOR, StandardRole.OPERATOR, false);
}
@Test
public void testSingleUserRoleMoreAllowedRoles() {
testResource(
PERMISSIVE,
new StandardRole[] {StandardRole.MONITOR},
new StandardRole[] {StandardRole.MONITOR, StandardRole.ADMINISTRATOR},
true);
testResource(
PERMISSIVE,
new StandardRole[] {StandardRole.MONITOR},
new StandardRole[] {StandardRole.OPERATOR, StandardRole.ADMINISTRATOR},
false);
testAttribute(
PERMISSIVE,
new StandardRole[] {StandardRole.MONITOR},
new StandardRole[] {StandardRole.MONITOR, StandardRole.ADMINISTRATOR},
true);
testAttribute(
PERMISSIVE,
new StandardRole[] {StandardRole.MONITOR},
new StandardRole[] {StandardRole.OPERATOR, StandardRole.ADMINISTRATOR},
false);
}
@Test
public void testMoreUserRolesSingleAllowedRole() {
testResource(
PERMISSIVE,
new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
new StandardRole[] {StandardRole.MONITOR},
true);
testResource(
PERMISSIVE,
new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
new StandardRole[] {StandardRole.OPERATOR},
true);
testResource(
PERMISSIVE,
new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
new StandardRole[] {StandardRole.ADMINISTRATOR},
false);
testAttribute(
PERMISSIVE,
new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
new StandardRole[] {StandardRole.MONITOR},
true);
testAttribute(
PERMISSIVE,
new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
new StandardRole[] {StandardRole.OPERATOR},
true);
testAttribute(
PERMISSIVE,
new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
new StandardRole[] {StandardRole.ADMINISTRATOR},
false);
}
@Test
public void testMoreUserRolesMoreAllowedRoles() {
testResource(
PERMISSIVE,
new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
true);
testResource(
PERMISSIVE,
new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
new StandardRole[] {StandardRole.OPERATOR, StandardRole.ADMINISTRATOR},
true);
testResource(
PERMISSIVE,
new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
new StandardRole[] {StandardRole.ADMINISTRATOR, StandardRole.AUDITOR},
false);
testAttribute(
PERMISSIVE,
new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
true);
testAttribute(
PERMISSIVE,
new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
new StandardRole[] {StandardRole.OPERATOR, StandardRole.ADMINISTRATOR},
true);
testAttribute(
PERMISSIVE,
new StandardRole[] {StandardRole.MONITOR, StandardRole.OPERATOR},
new StandardRole[] {StandardRole.ADMINISTRATOR, StandardRole.AUDITOR},
false);
}
private void testResourceSingleRole(
AuthorizerConfiguration authorizerConfiguration,
StandardRole userRole,
StandardRole allowedRole,
boolean accessExpectation) {
testResource(
authorizerConfiguration,
new StandardRole[] {userRole},
new StandardRole[] {allowedRole},
accessExpectation);
}
private void testAttributeSingleRole(
AuthorizerConfiguration authorizerConfiguration,
StandardRole userRole,
StandardRole allowedRole,
boolean accessExpectation) {
testAttribute(
authorizerConfiguration,
new StandardRole[] {userRole},
new StandardRole[] {allowedRole},
accessExpectation);
}
private void testResource(
AuthorizerConfiguration authorizerConfiguration,
StandardRole[] userRoles,
StandardRole[] allowedRoles,
boolean accessExpectation) {
ConstraintFactory constraintFactory = new TestConstraintFactory(allowedRoles);
TestRoleMapper roleMapper = new TestRoleMapper(userRoles);
DefaultPermissionFactory permissionFactory =
new DefaultPermissionFactory(
roleMapper, Collections.singleton(constraintFactory), authorizerConfiguration);
Action action = new Action(null, null, EnumSet.of(Action.ActionEffect.ADDRESS));
TargetResource targetResource =
TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
PermissionCollection userPermissions =
permissionFactory.getUserPermissions(caller, environment, action, targetResource);
PermissionCollection requiredPermissions =
permissionFactory.getRequiredPermissions(action, targetResource);
for (Permission requiredPermission : toSet(requiredPermissions)) {
assertEquals(accessExpectation, userPermissions.implies(requiredPermission));
}
}
private void testAttribute(
AuthorizerConfiguration authorizerConfiguration,
StandardRole[] userRoles,
StandardRole[] allowedRoles,
boolean accessExpectation) {
ConstraintFactory constraintFactory = new TestConstraintFactory(allowedRoles);
TestRoleMapper roleMapper = new TestRoleMapper(userRoles);
DefaultPermissionFactory permissionFactory =
new DefaultPermissionFactory(
roleMapper, Collections.singleton(constraintFactory), authorizerConfiguration);
Action action = new Action(null, null, EnumSet.of(Action.ActionEffect.ADDRESS));
TargetResource targetResource =
TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
TargetAttribute targetAttribute =
new TargetAttribute("test", null, new ModelNode(), targetResource);
PermissionCollection userPermissions =
permissionFactory.getUserPermissions(caller, environment, action, targetAttribute);
PermissionCollection requiredPermissions =
permissionFactory.getRequiredPermissions(action, targetAttribute);
for (Permission requiredPermission : toSet(requiredPermissions)) {
assertEquals(accessExpectation, userPermissions.implies(requiredPermission));
}
}
@Test
public void testRoleCombinationRejecting() {
Action action =
new Action(
null, null, EnumSet.of(Action.ActionEffect.ADDRESS, Action.ActionEffect.READ_CONFIG));
TargetResource targetResource =
TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
DefaultPermissionFactory permissionFactory = null;
try {
permissionFactory =
new DefaultPermissionFactory(
new TestRoleMapper(), Collections.<ConstraintFactory>emptySet(), REJECTING);
permissionFactory.getUserPermissions(caller, environment, action, targetResource);
} catch (Exception e) {
fail();
}
try {
permissionFactory =
new DefaultPermissionFactory(
new TestRoleMapper(StandardRole.MONITOR),
Collections.<ConstraintFactory>emptySet(),
REJECTING);
permissionFactory.getUserPermissions(caller, environment, action, targetResource);
} catch (Exception e) {
fail();
}
permissionFactory =
new DefaultPermissionFactory(
new TestRoleMapper(StandardRole.MONITOR, StandardRole.DEPLOYER), REJECTING);
try {
permissionFactory.getUserPermissions(caller, environment, action, targetResource);
fail();
} catch (Exception e) {
/* expected */
}
permissionFactory =
new DefaultPermissionFactory(
new TestRoleMapper(StandardRole.MONITOR, StandardRole.DEPLOYER, StandardRole.AUDITOR),
Collections.<ConstraintFactory>emptySet(),
REJECTING);
try {
permissionFactory.getUserPermissions(caller, environment, action, targetResource);
fail();
} catch (Exception e) {
/* expected */
}
}
// ---
private static Set<Permission> toSet(PermissionCollection permissionCollection) {
Set<Permission> result = new HashSet<>();
Enumeration<Permission> elements = permissionCollection.elements();
while (elements.hasMoreElements()) {
result.add(elements.nextElement());
}
return Collections.unmodifiableSet(result);
}
private static final class TestRoleMapper implements RoleMapper {
private final Set<String> roles;
private TestRoleMapper(StandardRole... roles) {
Set<String> stringRoles = new HashSet<>();
for (StandardRole role : roles) {
stringRoles.add(role.name());
}
this.roles = Collections.unmodifiableSet(stringRoles);
}
@Override
public Set<String> mapRoles(
Caller caller, Environment callEnvironment, Action action, TargetAttribute attribute) {
return roles;
}
@Override
public Set<String> mapRoles(
Caller caller, Environment callEnvironment, Action action, TargetResource resource) {
return roles;
}
@Override
public Set<String> mapRoles(
Caller caller, Environment callEnvironment, Set<String> operationHeaderRoles) {
return roles;
}
@Override
public boolean canRunAs(Set<String> mappedRoles, String runAsRole) {
return runAsRole != null
&& roles.contains(runAsRole)
&& mappedRoles.contains(StandardRole.SUPERUSER.toString());
}
}
private static final class TestConstraintFactory implements ConstraintFactory {
private final Set<StandardRole> allowedRoles;
private TestConstraintFactory(StandardRole... allowedRoles) {
Set<StandardRole> roles = new HashSet<>();
for (StandardRole allowedRole : allowedRoles) {
roles.add(allowedRole);
}
this.allowedRoles = Collections.unmodifiableSet(roles);
}
@Override
public Constraint getStandardUserConstraint(
StandardRole role, Action.ActionEffect actionEffect) {
boolean allowed = allowedRoles.contains(role);
return new TestConstraint(allowed);
}
@Override
public Constraint getRequiredConstraint(
Action.ActionEffect actionEffect, Action action, TargetAttribute target) {
return new TestConstraint(true);
}
@Override
public Constraint getRequiredConstraint(
Action.ActionEffect actionEffect, Action action, TargetResource target) {
return new TestConstraint(true);
}
@Override
public boolean equals(Object obj) {
return obj instanceof TestConstraintFactory;
}
@Override
public int hashCode() {
return 0;
}
@Override
public int compareTo(ConstraintFactory o) {
return this.equals(o) ? 0 : -1;
}
}
private static final class TestConstraint implements Constraint {
private final boolean allowed;
private TestConstraint(boolean allowed) {
this.allowed = allowed;
}
@Override
public boolean violates(Constraint other, Action.ActionEffect actionEffect) {
if (other instanceof TestConstraint) {
return this.allowed != ((TestConstraint) other).allowed;
}
return false;
}
@Override
public boolean replaces(Constraint other) {
return false;
}
}
}
public void start(final StartContext context) throws StartException {
if (configurationPersister == null) {
throw MESSAGES.persisterNotInjected();
}
final ServiceController<?> serviceController = context.getController();
final ServiceContainer container = serviceController.getServiceContainer();
final ServiceTarget target = context.getChildTarget();
final ExecutorService executorService = injectedExecutorService.getOptionalValue();
ManagementResourceRegistration rootResourceRegistration =
rootDescriptionProvider != null
? ManagementResourceRegistration.Factory.create(rootDescriptionProvider)
: ManagementResourceRegistration.Factory.create(rootResourceDefinition);
final ModelControllerImpl controller =
new ModelControllerImpl(
container,
target,
rootResourceRegistration,
new ContainerStateMonitor(container),
configurationPersister,
processType,
runningModeControl,
prepareStep,
processState,
executorService,
expressionResolver,
authorizer,
auditLogger);
// Initialize the model
initModel(controller.getRootResource(), controller.getRootRegistration());
this.controller = controller;
final long bootStackSize = getBootStackSize();
final Thread bootThread =
new Thread(
null,
new Runnable() {
public void run() {
try {
try {
boot(
new BootContext() {
public ServiceTarget getServiceTarget() {
return target;
}
});
} finally {
processState.setRunning();
}
} catch (Throwable t) {
container.shutdown();
if (t instanceof StackOverflowError) {
ROOT_LOGGER.errorBootingContainer(t, bootStackSize, BOOT_STACK_SIZE_PROPERTY);
} else {
ROOT_LOGGER.errorBootingContainer(t);
}
} finally {
bootThreadDone();
}
}
},
"Controller Boot Thread",
bootStackSize);
bootThread.start();
}
@Before
public void setup() {
rootRegistration =
ManagementResourceRegistration.Factory.create(new TestDescriptionProvider("RootResource"));
}
/** @author Ladislav Thon <*****@*****.**> */
public class ManagementPermissionAuthorizerTestCase {
private static final ManagementResourceRegistration ROOT_RR =
ManagementResourceRegistration.Factory.create(
new SimpleResourceDefinition(null, new NonResolvingResourceDescriptionResolver()) {
@Override
public List<AccessConstraintDefinition> getAccessConstraints() {
return Collections.emptyList();
}
});
private Caller caller;
private Environment environment;
private ManagementPermissionAuthorizer authorizer;
@Before
public void setUp() {
caller = Caller.createCaller(null);
ControlledProcessState processState = new ControlledProcessState(false);
processState.setRunning();
environment = new Environment(processState, ProcessType.EMBEDDED_SERVER);
TestPermissionFactory testPermissionFactory = new TestPermissionFactory();
authorizer = new ManagementPermissionAuthorizer(testPermissionFactory, testPermissionFactory);
}
@Test
public void testAuthorizerResourcePermit() {
Action action =
new Action(
null, null, EnumSet.of(Action.ActionEffect.ADDRESS, Action.ActionEffect.READ_CONFIG));
TargetResource targetResource =
TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
AuthorizationResult result = authorizer.authorize(caller, environment, action, targetResource);
assertEquals(AuthorizationResult.Decision.PERMIT, result.getDecision());
}
@Test
public void testAuthorizerResourceDeny() {
Action action =
new Action(
null,
null,
EnumSet.of(
Action.ActionEffect.ADDRESS,
Action.ActionEffect.READ_CONFIG,
Action.ActionEffect.WRITE_CONFIG));
TargetResource targetResource =
TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
AuthorizationResult result = authorizer.authorize(caller, environment, action, targetResource);
assertEquals(AuthorizationResult.Decision.DENY, result.getDecision());
}
@Test
public void testAuthorizerAttributePermit() {
Action action =
new Action(
null, null, EnumSet.of(Action.ActionEffect.ADDRESS, Action.ActionEffect.READ_CONFIG));
TargetResource targetResource =
TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
TargetAttribute targetAttribute =
new TargetAttribute("test", null, new ModelNode(), targetResource);
AuthorizationResult result = authorizer.authorize(caller, environment, action, targetAttribute);
assertEquals(AuthorizationResult.Decision.PERMIT, result.getDecision());
}
@Test
public void testAuthorizerAttributeDeny() {
Action action =
new Action(
null,
null,
EnumSet.of(
Action.ActionEffect.ADDRESS,
Action.ActionEffect.READ_CONFIG,
Action.ActionEffect.WRITE_CONFIG));
TargetResource targetResource =
TargetResource.forStandalone(PathAddress.EMPTY_ADDRESS, ROOT_RR, null);
TargetAttribute targetAttribute =
new TargetAttribute("test", null, new ModelNode(), targetResource);
AuthorizationResult result = authorizer.authorize(caller, environment, action, targetAttribute);
assertEquals(AuthorizationResult.Decision.DENY, result.getDecision());
}
// ---
private static final class TestPermissionFactory
implements PermissionFactory, JmxPermissionFactory {
private PermissionCollection getUserPermissions() {
ManagementPermissionCollection mpc =
new ManagementPermissionCollection("test", TestManagementPermission.class);
mpc.add(new TestManagementPermission(Action.ActionEffect.ADDRESS));
mpc.add(new TestManagementPermission(Action.ActionEffect.READ_CONFIG));
mpc.add(new TestManagementPermission(Action.ActionEffect.READ_RUNTIME));
return mpc;
}
private PermissionCollection getRequiredPermissions(Action action) {
ManagementPermissionCollection mpc =
new ManagementPermissionCollection(TestManagementPermission.class);
for (Action.ActionEffect actionEffect : action.getActionEffects()) {
mpc.add(new TestManagementPermission(actionEffect));
}
return mpc;
}
@Override
public PermissionCollection getUserPermissions(
Caller caller, Environment callEnvironment, Action action, TargetAttribute target) {
return getUserPermissions();
}
@Override
public PermissionCollection getUserPermissions(
Caller caller, Environment callEnvironment, Action action, TargetResource target) {
return getUserPermissions();
}
@Override
public PermissionCollection getRequiredPermissions(Action action, TargetAttribute target) {
return getRequiredPermissions(action);
}
@Override
public PermissionCollection getRequiredPermissions(Action action, TargetResource target) {
return getRequiredPermissions(action);
}
@Override
public boolean isNonFacadeMBeansSensitive() {
return false;
}
@Override
public Set<String> getUserRoles(
Caller caller, Environment callEnvironment, Action action, TargetResource target) {
return null;
}
}
private static final class TestManagementPermission extends ManagementPermission {
private TestManagementPermission(Action.ActionEffect actionEffect) {
super("test", actionEffect);
}
@Override
public boolean implies(Permission permission) {
return equals(permission);
}
}
}
