Пример #1
0
  private ResourceState createACE(
      String createdResourceURI, SecurityContext securityContext, AutoRuleConfig autoRuleConfig) {
    DBObject dbObject = new BasicDBObject();
    dbObject.put(ACE_REALM, securityContext.getRealm());
    dbObject.put(ACE_USER_ID, securityContext.getSubject());
    dbObject.put(ACE_RESOURCE_PATH, createdResourceURI);
    dbObject.put(ACE_ACTIONS, autoRuleConfig.getAutoAddedOwnerPermissions().toArray());
    dbObject.put(ACE_PERMITTED, true);
    this.aclCollection.insert(dbObject);

    log.debug("Created ACE: " + dbObject);

    ResourceState createdState = new DefaultResourceState();
    for (String key : dbObject.keySet()) {
      createdState.putProperty(key, dbObject.get(key));
    }
    return createdState;
  }
Пример #2
0
  public AuthzDecision isAuthorized(RequestContext req) {
    RequestType reqType = req.requestType();
    ResourcePath resourcePath = req.resourcePath();
    SecurityContext securityContext = req.securityContext();

    BasicDBObject query = new BasicDBObject();
    query.put(ACE_REALM, securityContext.getRealm());
    query.put(ACE_RESOURCE_PATH, resourcePath.toString());
    query.put(ACE_ACTIONS, reqType.toString());

    // Pass if we find rule for either "userId" or some of his roles
    List<DBObject> userRolesCondition = new LinkedList<>();
    userRolesCondition.add(new BasicDBObject(ACE_USER_ID, securityContext.getSubject()));
    if (securityContext.getRoles() != null) {
      for (String role : securityContext.getRoles()) {
        userRolesCondition.add(new BasicDBObject(ACE_ROLE_NAME, role));
      }
    }
    query.put("$or", userRolesCondition);

    if (log.isTraceEnabled()) {
      log.trace("Sending ACE query: " + query);
    }

    DBCursor results = this.aclCollection.find(query);

    AuthzDecision decision = AuthzDecision.IGNORE;
    for (DBObject result : results) {
      boolean currentDec = (Boolean) result.get(ACE_PERMITTED);

      // For now, always merge. No rule priorities...
      AuthzDecision currentDecision = currentDec ? AuthzDecision.ACCEPT : AuthzDecision.REJECT;
      decision = decision.mergeDecision(currentDecision);

      if (log.isTraceEnabled()) {
        log.trace("Found result: " + result);
      }
    }
    return decision;
  }