Author: bleny Date: 2010-10-05 18:34:28 +0200 (Tue, 05 Oct 2010) New Revision: 388 Url: http://nuiton.org/repositories/revision/wikitty/388 Log: removing dead code ; refactoring ; some javadoc Modified: trunk/wikitty-api/src/main/java/org/nuiton/wikitty/WikittyServiceSecurity.java trunk/wikitty-api/src/test/java/org/nuiton/wikitty/layers/WikittyServiceSecurityTest.java Modified: trunk/wikitty-api/src/main/java/org/nuiton/wikitty/WikittyServiceSecurity.java =================================================================== --- trunk/wikitty-api/src/main/java/org/nuiton/wikitty/WikittyServiceSecurity.java 2010-10-05 14:23:14 UTC (rev 387) +++ trunk/wikitty-api/src/main/java/org/nuiton/wikitty/WikittyServiceSecurity.java 2010-10-05 16:34:28 UTC (rev 388) @@ -39,31 +39,6 @@ public WikittyServiceSecurity(WikittyService ws) { this.ws = ws; - -// Wikitty appAdminGroup = getAppAdminGroup(null); -// -// if (WikittyGroupHelper.getMembers(appAdminGroup) == null) { -// // first time boot -// ws.storeExtension(null, WikittyUserAbstract.extensions); -// ws.storeExtension(null, SecurityTokenAbstract.extensions); -// ws.storeExtension(null, WikittyGroupAbstract.extensions); -// -// // create the appAdmin account -// Wikitty appAdmin = new WikittyImpl(); -// WikittyUserHelper.addExtension(appAdmin); -// WikittyUserHelper.setLogin(appAdmin, APPADMIN_LOGIN); -// WikittyUserHelper.setPassword(appAdmin, APPADMIN_PASSWORD); -// ws.store(null, appAdmin); -// - -// -// // login as admin to add some security polices -// String adminToken = login(APPADMIN_LOGIN, APPADMIN_PASSWORD); -// -// // FIXME 20100923 bleny make all tokens unwritable, except for app admin -// -// logout(adminToken); -// } } @Override @@ -121,10 +96,20 @@ } } + /** + * @return a wikitty id + */ protected String extensionToWikittySecurityId(String extensionName) { return String.format("WikittySecurity:%s", extensionName); } + /** create an new account. + * create a new account, require to be appAdmin or anonymous if security + * is not yet enabled + * @param securityToken token (null for anonymous, or a token of an appAdmin) + * @param login the login of the account to be created + * @param password the password of the account to be created + */ public void createAccount(String securityToken, String login, String password) { String userId = getUserId(securityToken); boolean creationAllowed = userIsAnonymousOrAppAdmin(securityToken, userId); @@ -149,6 +134,12 @@ } } + /** get the id of a user given his login. + * + * @param securityToken a token + * @param login the login of the user to search for + * @return a wikitty id + */ public String getUserWikittyId(String securityToken, String login) { getUserId(securityToken); String userWikittyId = null; @@ -160,9 +151,33 @@ return userWikittyId; } - /** */ - public Wikitty addWikittyAuthorisation(String securityToken, + /** if app-admin group exists, return true if given userId is app-admin + * if app-admin group doesn't exists, return true if user is anonymous + */ + protected boolean userIsAnonymousOrAppAdmin(String securityToken, String userId) { + boolean userIsAnonymousOrAppAdmin = false; + + if (getAppAdminGroup(securityToken) == null) { + if (securityToken == null) { + // user is anonymous + userIsAnonymousOrAppAdmin = true; + } + } else { + if (isAppAdmin(securityToken, userId)) { + // user is appAdmin + userIsAnonymousOrAppAdmin = true; + } + } + + return userIsAnonymousOrAppAdmin; + } + + /** add a <strong>level 2</strong> security policy on the given extension. */ + public Wikitty addExtensionAuthorisation(String securityToken, WikittyExtension extension) { + + // TODO 20101005 bleny merge into storeExtensionAuthorisation by adding an extension paramater ? + String userId = getUserId(securityToken); boolean creationAllowed = userIsAnonymousOrAppAdmin(securityToken, userId); @@ -186,37 +201,6 @@ } } - protected boolean userIsAnonymousOrAppAdmin(String securityToken, String userId) { - boolean userIsAnonymousOrAppAdmin = false; - /* - if (securityToken == null) { - // user is anonymous - userIsAnonymousOrAppAdmin = true; - } else { - if (getAppAdminGroup(securityToken) != null) { - if ( isAppAdmin(securityToken, userId)) { - // user is appAdmin - userIsAnonymousOrAppAdmin = true; - } - } - } - */ - - if (getAppAdminGroup(securityToken) == null) { - if (securityToken == null) { - // user is anonymous - userIsAnonymousOrAppAdmin = true; - } - } else { - if (isAppAdmin(securityToken, userId)) { - // user is appAdmin - userIsAnonymousOrAppAdmin = true; - } - } - - return userIsAnonymousOrAppAdmin; - } - /** restore the wikitty authorisation attached to given extension. * * @return a wikitty with WikittyAuthorisation extension, or null if given @@ -250,44 +234,33 @@ } return wikittyAuthorisation; } - + + /** + * + * @param securityToken token with rights to modify extension + * @param extensionRights a wikitty that has extension WikittyAuthorisation + */ public void storeExtensionAuthorisation(String securityToken, - Wikitty wikitty) { + Wikitty extensionRights) { String userId = getUserId(securityToken); - Wikitty oldVersion = ws.restore(securityToken, wikitty.getId()); + Wikitty oldVersion = ws.restore(securityToken, extensionRights.getId()); - // check that the wikitty does not have - if (WikittyAuthorisationHelper.hasExtension(wikitty)) { + // check that the extensionRights does not have + if (WikittyAuthorisationHelper.hasExtension(extensionRights)) { if (oldVersion == null) { - // if this exception is raised, you should use addWikittyAuthorisation() + // if this exception is raised, you should use addExtensionAuthorisation() throw new IllegalArgumentException("you can't store an authorisation for the fist time"); } else { if ( userIsAnonymousOrAppAdmin(securityToken, userId) || - canAdmin(securityToken, userId, null, oldVersion) ) { -// -// if (isAdmin(securityToken, userId, oldVersion, null)) { -// // admin can't change owner, admin or parent -// // putting back old values -// Object oldValue = oldVersion.getFieldAsObject( -// WikittyAuthorisation.EXT_WIKITTYAUTHORISATION, -// WikittyAuthorisation.FIELD_WIKITTYAUTHORISATION_OWNER); -// wikitty.setField(WikittyAuthorisation.EXT_WIKITTYAUTHORISATION, -// WikittyAuthorisation.FIELD_WIKITTYAUTHORISATION_OWNER, -// oldValue); -// -// WikittyAuthorisationHelper.setOwner(wikitty, -// WikittyAuthorisationHelper.getOwner(oldVersion)); -// WikittyAuthorisationHelper.setParent(wikitty, -// WikittyAuthorisationHelper.getParent(oldVersion)); -// -// } + canAdmin(securityToken, userId, null, oldVersion) ) { - ws.store(securityToken, wikitty); + ws.store(securityToken, extensionRights); + } else { throw new SecurityException(String.format( "user %s can't admin rights for this extension", userId)); @@ -295,8 +268,8 @@ } } else { throw new IllegalArgumentException(String.format( - "wikitty %s is not a wikittyAuthorisation. It misses the extension", - wikitty)); + "extensionRights %s is not a wikittyAuthorisation. It misses the extension", + extensionRights)); } } @@ -337,7 +310,7 @@ // usual case, a user want to store a wikitty Wikitty oldVersion = ws.restore(securityToken, wikitty.getId()); - Collection<String> newExtensions = wikitty.getExtensionNames(); + Collection<String> newExtensions = new ArrayList<String>(wikitty.getExtensionNames()); if (oldVersion != null) { // we already checked the rights for those extension // re-do the check has too much cost, avoid it @@ -368,8 +341,16 @@ fqFieldDirtyName, concernedExtensionName)); } - boolean canChange; - if (WikittyAuthorisation.EXT_WIKITTYAUTHORISATION.equals(concernedExtensionName)) { + boolean fieldRequireAdminRights = // true if field is a field of WikittyAuthorisation + // concerned extension is "WikittyAuthorisation" + WikittyAuthorisation.EXT_WIKITTYAUTHORISATION.equals(concernedExtensionName) + // or concerned extension is something like "AnyExtension:WikittyAuthorisation" + || WikittyAuthorisation.EXT_WIKITTYAUTHORISATION.equals( + WikittyUtil.getMetaExtensionNameFromFQMetaExtensionName(concernedExtensionName)); + + boolean canChange; // will be true if user can modify the value of this field + // according to his level of rights + if (fieldRequireAdminRights) { canChange = canAdmin(securityToken, userId, concernedExtensionName, wikitty); } else { canChange = canWrite(securityToken, userId, concernedExtensionName, wikitty); @@ -579,8 +560,12 @@ if ( ! userIsAnonymousOrAppAdmin(securityToken, userId)) { for (WikittyExtension extension : exts) { Wikitty extensionAuthorisation = restoreExtensionAuthorisation(securityToken, extension.getName()); - if ( ! canWrite(securityToken, userId, null, extensionAuthorisation)) { - throw new SecurityException(_("user %s don't have write right for extension %s", userId, extension)); + if (extensionAuthorisation != null) { + // canWrite is true if this user can modify the field for this extension + boolean canWrite = canWrite(securityToken, userId, null, extensionAuthorisation); + if ( ! canWrite) { + throw new SecurityException(_("user %s don't have write right for extension %s", userId, extension)); + } } } } @@ -757,11 +742,9 @@ // Method helper to check right // - /** - * Recupere l'identifiant de l'utilisateur associe au securityToken - * - * @param securityToken - * @return l'identifiant de l'utilisateur, ou null si le token est invalide + /** tell who own a token (who got this token after login). + * @param securityToken the token whose owner will be returned + * @return a wikitty Id (wikitty has extension WikittyUser) */ protected String getUserId(String securityToken) { String result = null; @@ -830,7 +813,7 @@ return result; } - /** + /** true if given user is owner * * @param securityToken * @param userId @@ -857,12 +840,26 @@ } return isOwner; } - + + /** {@link #isMember(String, String, Wikitty, String, boolean)} with default value */ protected boolean isMember(String securityToken, String userId, Wikitty extensionRights, String fqFieldName) { - // by default, user is considered not member if she is not in the group, so passing "false" + // by default, user is considered not member if he is not in the group, so passing "false" return isMember(securityToken, userId, extensionRights, fqFieldName, false); } + /** check if a user is listed in a level of rights + * + * @param securityToken + * @param userId the userId to look for + * @param extensionRights a wikitty with WikittyAuthorisation as extension <strong>OR</strong> meta-extension + * @param fqFieldName the field to look into, it should be one of the field of extension WikittyAuthorisation + * it has to be a FQN and may contain an extension-name if using meta-extension + * @param considerEmptyGroupAsMembership if true, an empty field value will be considered as + * "every-one is in the group". Most of the time, it will be false but true should be + * passed for "reader" level because user has right to read if he belongs to "reader" OR + * if reader is empty + * @return true if userId appear in the single/list of group/user of given field + */ protected boolean isMember(String securityToken, String userId, Wikitty extensionRights, String fqFieldName, boolean considerEmptyGroupAsMembership) { @@ -891,44 +888,7 @@ return isMember; } -// /** -// * Par defaut un objet est lisible par tous, sauf s'il a l'extension -// * d'autorisation et que la liste des readers existe et n'est pas vide -// * -// * @param userId -// * @param w -// * @return true si l'utilisateur est dans la liste des reader (ou que cette -// * liste n'existe pas ce qui indique que tout le monde est reader) -// */ -// @Deprecated -// protected boolean isReader(String securityToken, String userId, Wikitty w) { -// boolean result = true; -// if (WikittyAuthorisationHelper.isExtension(w)) { -// Set<String> groupOrUser = WikittyAuthorisationHelper.getReader(w); -// if (groupOrUser == null || groupOrUser.size() == 0) { -// // il n'y a pas de reader sur l'objet actuel, il faut regarder -// // sur le parent s'il y en a -// String parentId = WikittyAuthorisationHelper.getParent(w); -// if (parentId != null) { -// Wikitty parent = ws.restore(securityToken, parentId); -// result = isReader(securityToken, userId, parent); -// } -// } else { -// // il y a des readers sur l'objet actuel, il faut donc checker -// // comme pour les autres droits en parent aussi les parents -// result = isMember( -// securityToken, userId, w, WikittyAuthorisation.FIELD_WIKITTYAUTHORISATION_READER); -// } -// } -// return result; -// } - - /** - * Verifie si l'utilisateur est considere comme un AppAdmin - * - * @param userId - * @return - */ + /** check if a given user belong to the group of app-admins. */ protected boolean isAppAdmin(String securityToken, String userId) { Wikitty group = getAppAdminGroup(securityToken); Set<String> ids = WikittyGroupHelper.getMembers(group); @@ -962,6 +922,7 @@ } } + /** get the wikitty with extension WikittyGroup that contains all app-admin. */ protected Wikitty getAppAdminGroup(String securityToken) { Wikitty group; if (appAdminGroupId == null) { Modified: trunk/wikitty-api/src/test/java/org/nuiton/wikitty/layers/WikittyServiceSecurityTest.java =================================================================== --- trunk/wikitty-api/src/test/java/org/nuiton/wikitty/layers/WikittyServiceSecurityTest.java 2010-10-05 14:23:14 UTC (rev 387) +++ trunk/wikitty-api/src/test/java/org/nuiton/wikitty/layers/WikittyServiceSecurityTest.java 2010-10-05 16:34:28 UTC (rev 388) @@ -10,12 +10,8 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.junit.Before; -import org.junit.Ignore; import org.junit.Test; import org.nuiton.wikitty.FieldType; -import org.nuiton.wikitty.FieldType.TYPE; -import org.nuiton.wikitty.SecurityToken; -import org.nuiton.wikitty.TreeNodeAbstract; import org.nuiton.wikitty.Wikitty; import org.nuiton.wikitty.WikittyAuthorisation; import org.nuiton.wikitty.WikittyAuthorisationAbstract; @@ -62,7 +58,7 @@ securityService.createAccount(token, "admin", ""); securityService.createAccount(token, "owner", ""); - Wikitty authorizations = securityService.addWikittyAuthorisation(token, extension); + Wikitty authorizations = securityService.addExtensionAuthorisation(token, extension); WikittyAuthorisationHelper.addReader(authorizations, securityService.getUserWikittyId(token, "reader")); WikittyAuthorisationHelper.addWriter(authorizations, securityService.getUserWikittyId(token, "writer")); WikittyAuthorisationHelper.addAdmin(authorizations, securityService.getUserWikittyId(token, "admin"));