@Before
 public void setUp() {
   caller = Caller.createCaller(null);
   ControlledProcessState processState = new ControlledProcessState(false);
   processState.setRunning();
   environment = new Environment(processState, ProcessType.EMBEDDED_SERVER);
 }
 @Before
 public void setUp() {
   caller = Caller.createCaller(null);
   ControlledProcessState processState = new ControlledProcessState(false);
   processState.setRunning();
   environment = new Environment(processState, ProcessType.EMBEDDED_SERVER);
   TestPermissionFactory testPermissionFactory = new TestPermissionFactory();
   authorizer = new ManagementPermissionAuthorizer(testPermissionFactory, testPermissionFactory);
 }
Пример #3
0
  private Set<String> mapRoles(final Caller caller) {
    Set<String> mappedRoles = new HashSet<String>();

    boolean traceEnabled = ACCESS_LOGGER.isTraceEnabled();

    if (caller.hasSubject()) {
      Map<String, AuthorizerConfiguration.RoleMapping> rolesToCheck;
      if (authorizerConfiguration.isMapUsingRealmRoles()) {
        rolesToCheck =
            new HashMap<String, AuthorizerConfiguration.RoleMapping>(
                authorizerConfiguration.getRoleMappings());
        Set<String> realmRoles = caller.getAssociatedRoles();
        for (String current : realmRoles) {
          String roleName = current.toUpperCase(Locale.ENGLISH);
          if (rolesToCheck.containsKey(roleName)) {
            AuthorizerConfiguration.RoleMapping roleMapping = rolesToCheck.remove(roleName);
            AuthorizerConfiguration.MappingPrincipal exclusion = roleMapping.isExcluded(caller);
            if (exclusion == null) {
              if (traceEnabled) {
                ACCESS_LOGGER.tracef(
                    "User '%s' assigned role '%s' due to realm assignment and no exclusion in role mapping definition.",
                    caller.getName(), roleName);
              }
              mappedRoles.add(roleName);
            } else {
              if (traceEnabled) {
                ACCESS_LOGGER.tracef(
                    "User '%s' NOT assigned role '%s' despite realm assignment due to exclusion match against %s.",
                    caller.getName(), roleName, exclusion);
              }
            }
          } else {
            if (traceEnabled) {
              ACCESS_LOGGER.tracef(
                  "User '%s' assigned role '%s' due to realm assignment and no role mapping to check for exclusion.",
                  caller.getName(), roleName);
            }
            mappedRoles.add(roleName);
          }
        }
      } else {
        // A clone is not needed here as the whole set of values is to be iterated with no need for
        // removal.
        rolesToCheck = authorizerConfiguration.getRoleMappings();
      }

      for (AuthorizerConfiguration.RoleMapping current : rolesToCheck.values()) {
        boolean includeAll = current.includeAllAuthedUsers();
        AuthorizerConfiguration.MappingPrincipal inclusion =
            includeAll == false ? current.isIncluded(caller) : null;
        if (includeAll || inclusion != null) {
          AuthorizerConfiguration.MappingPrincipal exclusion = current.isExcluded(caller);
          if (exclusion == null) {
            if (traceEnabled) {
              if (includeAll) {
                ACCESS_LOGGER.tracef(
                    "User '%s' assiged role '%s' due to include-all set on role.",
                    caller.getName(), current.getName());
              } else {
                ACCESS_LOGGER.tracef(
                    "User '%s' assiged role '%s' due to match on inclusion %s",
                    caller.getName(), current.getName(), inclusion);
              }
            }
            mappedRoles.add(current.getName());
          } else {
            if (traceEnabled) {
              ACCESS_LOGGER.tracef(
                  "User '%s' denied membership of role '%s' due to exclusion %s",
                  caller.getName(), current.getName(), exclusion);
            }
          }
        } else {
          if (traceEnabled) {
            ACCESS_LOGGER.tracef(
                "User '%s' not assigned role '%s' as no match on the include definition of the role mapping.",
                caller.getName(), current.getName());
          }
        }
      }
    } else {
      /*
       * If the IN-VM code does not have the required permission a SecurityException will be thrown.
       *
       * At the moment clients should not be making speculation requests so in a correctly configured installation this
       * check should pass with no error.
       */
      checkPermission(RUN_AS_IN_VM_ROLE);
      ACCESS_LOGGER.tracef(
          "Assigning role '%s' for call with no assigned Subject (An IN-VM Call).", IN_VM_ROLE);

      mappedRoles.add(IN_VM_ROLE);
    }

    if (traceEnabled) {
      StringBuilder sb =
          new StringBuilder("User '").append(caller.getName()).append("' Assigned Roles { ");
      for (String current : mappedRoles) {
        sb.append("'").append(current).append("' ");
      }
      sb.append("}");
      ACCESS_LOGGER.trace(sb.toString());
    }

    // TODO - We could consider something along the lines of a WeakHashMap to hold this result keyed
    // on the Caller.
    // The contents of the Caller are not expected to change during a call and we could clear the
    // cache on a config change.
    return Collections.unmodifiableSet(mappedRoles);
  }