unit tests coverage

Coverage report

%line %branch

org.apache.jetspeed.page.PageManagerSecurityUtils
0%

0%

1
/*

2
* Licensed to the Apache Software Foundation (ASF) under one or more

3
* contributor license agreements. See the NOTICE file distributed with

4
* this work for additional information regarding copyright ownership.

5
* The ASF licenses this file to You under the Apache License, Version 2.0

6
* (the "License"); you may not use this file except in compliance with

7
* the License. You may obtain a copy of the License at

8
*

9
* http://www.apache.org/licenses/LICENSE-2.0

10
*

11
* Unless required by applicable law or agreed to in writing, software

12
* distributed under the License is distributed on an "AS IS" BASIS,

13
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

14
* See the License for the specific language governing permissions and

15
* limitations under the License.

16
*/

17
package org.apache.jetspeed.page;

18

19
import java.security.AccessController;

20
import java.security.Principal;

21
import java.util.ArrayList;

22
import java.util.Iterator;

23
import java.util.LinkedList;

24
import java.util.List;

25

26
import javax.security.auth.Subject;

27

28
import org.apache.jetspeed.JetspeedActions;

29
import org.apache.jetspeed.om.page.SecurityConstraintImpl;

30
import org.apache.jetspeed.om.page.SecurityConstraintsDef;

31
import org.apache.jetspeed.page.document.DocumentException;

32
import org.apache.jetspeed.security.GroupPrincipal;

33
import org.apache.jetspeed.security.JSSubject;

34
import org.apache.jetspeed.security.RolePrincipal;

35
import org.apache.jetspeed.security.UserPrincipal;

36

37

38
/**

39
* PageManagerUtils

40
*

41
* @author <a href="mailto:taylor@apache.org">David Sean Taylor</a>

42
* @version $Id: $

43
*/

44 0
public class PageManagerSecurityUtils

45
{

46
public static boolean checkConstraint(SecurityConstraintsDef def, String actions)

47
throws DocumentException

48
{

49 0
List viewActionList = SecurityConstraintImpl.parseCSVList(actions);

50 0
List otherActionsList = null;

51 0
if (viewActionList.size() == 1)

52
{

53 0
if (!viewActionList.contains(JetspeedActions.VIEW))

54
{

55 0
otherActionsList = viewActionList;

56 0
viewActionList = null;

57
}

58
}

59
else

60
{

61 0
otherActionsList = viewActionList;

62 0
viewActionList = null;

63 0
if (otherActionsList.remove(JetspeedActions.VIEW))

64
{

65 0
viewActionList = new ArrayList(1);

66 0
viewActionList.add(JetspeedActions.VIEW);

67
}

68
}

69

70
// get current request context subject

71 0
Subject subject = JSSubject.getSubject(AccessController.getContext());

72 0
if (subject == null)

73
{

74 0
throw new SecurityException("Security Consraint Check: Missing JSSubject");

75
}

76

77
// get user/group/role principal names

78 0
List userPrincipals = null;

79 0
List rolePrincipals = null;

80 0
List groupPrincipals = null;

81 0
Iterator principals = subject.getPrincipals().iterator();

82 0
while (principals.hasNext())

83
{

84 0
Principal principal = (Principal) principals.next();

85 0
if (principal instanceof UserPrincipal)

86
{

87 0
if (userPrincipals == null)

88
{

89 0
userPrincipals = new LinkedList();

90
}

91 0
userPrincipals.add(principal.getName());

92
}

93 0
else if (principal instanceof RolePrincipal)

94
{

95 0
if (rolePrincipals == null)

96
{

97 0
rolePrincipals = new LinkedList();

98
}

99 0
rolePrincipals.add(principal.getName());

100
}

101 0
else if (principal instanceof GroupPrincipal)

102
{

103 0
if (groupPrincipals == null)

104
{

105 0
groupPrincipals = new LinkedList();

106
}

107 0
groupPrincipals.add(principal.getName());

108
}

109 0
}

110

111 0
boolean result = false;

112

113
// check constraints using parsed action and access lists

114 0
if (viewActionList != null)

115
{

116 0
result = checkConstraints(viewActionList, userPrincipals, rolePrincipals, groupPrincipals, def);

117
}

118 0
if (otherActionsList != null)

119
{

120 0
result = checkConstraints(otherActionsList, userPrincipals, rolePrincipals, groupPrincipals, def);

121
}

122 0
return result;

123
}

124
/**

125
* check access for the constraints list of a security constraints definition

126
*

127
* @param actions given actions

128
* @param userPrincipals set of user principals

129
* @param rolePrincipals set of role principals

130
* @param groupPrincipals set oof group principals

131
* @param def the security constraint definition

132
* @throws SecurityException

133
*/

134
public static boolean checkConstraints(List actions, List userPrincipals, List rolePrincipals, List groupPrincipals, SecurityConstraintsDef def)

135
throws DocumentException

136
{

137

138 0
List checkConstraints = def.getSecurityConstraints();

139
// SecurityConstraint c =(SecurityConstraint)constraints.next();

140
// skip missing or empty constraints: permit all access

141
//List checkConstraints = getAllSecurityConstraints(pageSecurity);

142 0
if ((checkConstraints != null) && !checkConstraints.isEmpty())

143
{

144
// test each action, constraints check passes only

145
// if all actions are permitted for principals

146 0
Iterator actionsIter = actions.iterator();

147 0
while (actionsIter.hasNext())

148
{

149
// check each action:

150
// - if any actions explicity permitted, (including owner),

151
// assume no permissions are permitted by default

152
// - if all constraints do not specify a permission, assume

153
// access is permitted by default

154 0
String action = (String)actionsIter.next();

155 0
boolean actionPermitted = false;

156 0
boolean actionNotPermitted = false;

157 0
boolean anyActionsPermitted = true; // TODO:(getOwner() != null);

158

159
// check against constraints

160 0
Iterator checkConstraintsIter = checkConstraints.iterator();

161 0
while (checkConstraintsIter.hasNext())

162
{

163 0
SecurityConstraintImpl constraint = (SecurityConstraintImpl)checkConstraintsIter.next();

164

165
// if permissions specified, attempt to match constraint

166 0
if (constraint.getPermissions() != null)

167
{

168
// explicit actions permitted

169 0
anyActionsPermitted = true;

170

171
// test action permission match and user/role/group principal match

172 0
if (constraint.actionMatch(action) &&

173
constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, true))

174
{

175 0
actionPermitted = true;

176 0
break;

177
}

178
}

179
else

180
{

181
// permissions not specified: not permitted if any principal matched

182 0
if (constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, false))

183
{

184 0
actionNotPermitted = true;

185 0
break;

186
}

187
}

188 0
}

189

190
// fail if any action not permitted

191 0
if ((!actionPermitted && anyActionsPermitted) || actionNotPermitted)

192
{

193
//throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted.");

194 0
return false;

195
}

196 0
}

197 0
}

198
else

199
{

200
// fail for any action if owner specified

201
// since no other constraints were found

202 0
if (/*(getOwner() != null) && */ !actions.isEmpty())

203
{

204
//String action = (String)actions.get(0);

205
//throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted, (not owner).");

206 0
return false;

207
}

208
}

209 0
return true;

210
}

211
}

This report is generated by jcoverage, Maven and Maven JCoverage Plugin.

1		/*
2		* Licensed to the Apache Software Foundation (ASF) under one or more
3		* contributor license agreements. See the NOTICE file distributed with
4		* this work for additional information regarding copyright ownership.
5		* The ASF licenses this file to You under the Apache License, Version 2.0
6		* (the "License"); you may not use this file except in compliance with
7		* the License. You may obtain a copy of the License at
8		*
9		* http://www.apache.org/licenses/LICENSE-2.0
10		*
11		* Unless required by applicable law or agreed to in writing, software
12		* distributed under the License is distributed on an "AS IS" BASIS,
13		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14		* See the License for the specific language governing permissions and
15		* limitations under the License.
16		*/
17		package org.apache.jetspeed.page;
18
19		import java.security.AccessController;
20		import java.security.Principal;
21		import java.util.ArrayList;
22		import java.util.Iterator;
23		import java.util.LinkedList;
24		import java.util.List;
25
26		import javax.security.auth.Subject;
27
28		import org.apache.jetspeed.JetspeedActions;
29		import org.apache.jetspeed.om.page.SecurityConstraintImpl;
30		import org.apache.jetspeed.om.page.SecurityConstraintsDef;
31		import org.apache.jetspeed.page.document.DocumentException;
32		import org.apache.jetspeed.security.GroupPrincipal;
33		import org.apache.jetspeed.security.JSSubject;
34		import org.apache.jetspeed.security.RolePrincipal;
35		import org.apache.jetspeed.security.UserPrincipal;
36
37
38		/**
39		* PageManagerUtils
40		*
41		* @author <a href="mailto:taylor@apache.org">David Sean Taylor</a>
42		* @version $Id: $
43		*/
44	0	public class PageManagerSecurityUtils
45		{
46		public static boolean checkConstraint(SecurityConstraintsDef def, String actions)
47		throws DocumentException
48		{
49	0	List viewActionList = SecurityConstraintImpl.parseCSVList(actions);
50	0	List otherActionsList = null;
51	0	if (viewActionList.size() == 1)
52		{
53	0	if (!viewActionList.contains(JetspeedActions.VIEW))
54		{
55	0	otherActionsList = viewActionList;
56	0	viewActionList = null;
57		}
58		}
59		else
60		{
61	0	otherActionsList = viewActionList;
62	0	viewActionList = null;
63	0	if (otherActionsList.remove(JetspeedActions.VIEW))
64		{
65	0	viewActionList = new ArrayList(1);
66	0	viewActionList.add(JetspeedActions.VIEW);
67		}
68		}
69
70		// get current request context subject
71	0	Subject subject = JSSubject.getSubject(AccessController.getContext());
72	0	if (subject == null)
73		{
74	0	throw new SecurityException("Security Consraint Check: Missing JSSubject");
75		}
76
77		// get user/group/role principal names
78	0	List userPrincipals = null;
79	0	List rolePrincipals = null;
80	0	List groupPrincipals = null;
81	0	Iterator principals = subject.getPrincipals().iterator();
82	0	while (principals.hasNext())
83		{
84	0	Principal principal = (Principal) principals.next();
85	0	if (principal instanceof UserPrincipal)
86		{
87	0	if (userPrincipals == null)
88		{
89	0	userPrincipals = new LinkedList();
90		}
91	0	userPrincipals.add(principal.getName());
92		}
93	0	else if (principal instanceof RolePrincipal)
94		{
95	0	if (rolePrincipals == null)
96		{
97	0	rolePrincipals = new LinkedList();
98		}
99	0	rolePrincipals.add(principal.getName());
100		}
101	0	else if (principal instanceof GroupPrincipal)
102		{
103	0	if (groupPrincipals == null)
104		{
105	0	groupPrincipals = new LinkedList();
106		}
107	0	groupPrincipals.add(principal.getName());
108		}
109	0	}
110
111	0	boolean result = false;
112
113		// check constraints using parsed action and access lists
114	0	if (viewActionList != null)
115		{
116	0	result = checkConstraints(viewActionList, userPrincipals, rolePrincipals, groupPrincipals, def);
117		}
118	0	if (otherActionsList != null)
119		{
120	0	result = checkConstraints(otherActionsList, userPrincipals, rolePrincipals, groupPrincipals, def);
121		}
122	0	return result;
123		}
124		/**
125		* check access for the constraints list of a security constraints definition
126		*
127		* @param actions given actions
128		* @param userPrincipals set of user principals
129		* @param rolePrincipals set of role principals
130		* @param groupPrincipals set oof group principals
131		* @param def the security constraint definition
132		* @throws SecurityException
133		*/
134		public static boolean checkConstraints(List actions, List userPrincipals, List rolePrincipals, List groupPrincipals, SecurityConstraintsDef def)
135		throws DocumentException
136		{
137
138	0	List checkConstraints = def.getSecurityConstraints();
139		// SecurityConstraint c =(SecurityConstraint)constraints.next();
140		// skip missing or empty constraints: permit all access
141		//List checkConstraints = getAllSecurityConstraints(pageSecurity);
142	0	if ((checkConstraints != null) && !checkConstraints.isEmpty())
143		{
144		// test each action, constraints check passes only
145		// if all actions are permitted for principals
146	0	Iterator actionsIter = actions.iterator();
147	0	while (actionsIter.hasNext())
148		{
149		// check each action:
150		// - if any actions explicity permitted, (including owner),
151		// assume no permissions are permitted by default
152		// - if all constraints do not specify a permission, assume
153		// access is permitted by default
154	0	String action = (String)actionsIter.next();
155	0	boolean actionPermitted = false;
156	0	boolean actionNotPermitted = false;
157	0	boolean anyActionsPermitted = true; // TODO:(getOwner() != null);
158
159		// check against constraints
160	0	Iterator checkConstraintsIter = checkConstraints.iterator();
161	0	while (checkConstraintsIter.hasNext())
162		{
163	0	SecurityConstraintImpl constraint = (SecurityConstraintImpl)checkConstraintsIter.next();
164
165		// if permissions specified, attempt to match constraint
166	0	if (constraint.getPermissions() != null)
167		{
168		// explicit actions permitted
169	0	anyActionsPermitted = true;
170
171		// test action permission match and user/role/group principal match
172	0	if (constraint.actionMatch(action) &&
173		constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, true))
174		{
175	0	actionPermitted = true;
176	0	break;
177		}
178		}
179		else
180		{
181		// permissions not specified: not permitted if any principal matched
182	0	if (constraint.principalsMatch(userPrincipals, rolePrincipals, groupPrincipals, false))
183		{
184	0	actionNotPermitted = true;
185	0	break;
186		}
187		}
188	0	}
189
190		// fail if any action not permitted
191	0	if ((!actionPermitted && anyActionsPermitted) \|\| actionNotPermitted)
192		{
193		//throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted.");
194	0	return false;
195		}
196	0	}
197	0	}
198		else
199		{
200		// fail for any action if owner specified
201		// since no other constraints were found
202	0	if (/(getOwner() != null) && / !actions.isEmpty())
203		{
204		//String action = (String)actions.get(0);
205		//throw new SecurityException("SecurityConstraintsImpl.checkConstraints(): Access for " + action + " not permitted, (not owner).");
206	0	return false;
207		}
208		}
209	0	return true;
210		}
211		}