From 2141edb57afde7d23364cf6b6a809e35322b536d Mon Sep 17 00:00:00 2001
From: JoelProminic
Date: Tue, 12 Nov 2024 16:34:28 -0600
Subject: [PATCH] Updated display rules and agent logic to be based on configured roles (allow_roles_*). #65
---
 .../java/CategoryAgents/CategoryCreate.java | 4 + .../java/CategoryAgents/CategoryDelete.java | 4 + .../java/CategoryAgents/CategoryRead.java | 4 + .../java/CategoryAgents/CategoryUpdate.java | 4 + .../CustomBookmarkCreate.java | 4 + .../CustomBookmarkDelete.java | 4 + .../CustomBookmarkRead.java | 4 + .../CustomBookmarkUpdate.java | 4 + .../CustomBookmarkAgents/DatabaseRead.java | 4 + .../DocumentationFormCreate.java | 4 + .../DocumentationFormDelete.java | 4 + .../DocumentationFormRead.java | 4 + .../DocumentationFormUpdate.java | 4 + .../GenesisDirectoryCreate.java | 4 + .../GenesisDirectoryDelete.java | 4 + .../GenesisDirectoryRead.java | 4 + .../GenesisDirectoryUpdate.java | 4 + .../main/java/auth/RoleRestrictedAgent.java | 9 +- .../src/main/java/auth/SecurityBuilder.java | 11 +- .../main/java/auth/SimpleRoleSecurity.java | 86 +++++++++++++- .../main/java/auth/XMLAuthenticationTest.java | 28 +++-- .../src/main/java/config/ConfigRead.java | 4 + .../src/main/java/genesis/GenesisInstall.java | 5 + .../src/main/java/genesis/GenesisRead.java | 4 + .../groovy/auth/SimpleRoleSecuritySpec.groovy | 110 +++++++++++++++--- 25 files changed, 292 insertions(+), 33 deletions(-)
diff --git a/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryCreate.java b/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryCreate.java
index 13d4da5..78fa4fe 100644
--- a/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryCreate.java
+++ b/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryCreate.java
@@ -13,6 +13,10 @@ */ public class CategoryCreate extends CategoryCreateBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL); }
diff --git a/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryDelete.java b/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryDelete.java
index fb1bab2..6c42f12 100644
--- a/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryDelete.java
+++ b/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryDelete.java
@@ -13,6 +13,10 @@ */ public class CategoryDelete extends CategoryDeleteBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL); }
diff --git a/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryRead.java b/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryRead.java
index 6040e60..1bd4e1d 100644
--- a/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryRead.java
+++ b/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryRead.java
@@ -15,6 +15,10 @@ */ public class CategoryRead extends CategoryReadBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_DOCUMENTATION_VIEW; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL); }
diff --git a/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryUpdate.java b/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryUpdate.java
index 2eaf63e..052d2fa 100644
--- a/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryUpdate.java
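Review bot: The `getAllowedRoles()` body left below the new method in CategoryCreate, CategoryDelete and CategoryRead — and in every other agent hunk of this patch up to GenesisRead — is now only a fallback that SimpleRoleSecurity consults when `getRoleRestrictionID()` returns null or empty, so a reader scanning for the effective policy will be misled by `ROLE_ALL` on the Create/Delete/Update agents. Suggest a one-line comment above each fallback, e.g. `// Fallback only: ignored while getRoleRestrictionID() returns a non-empty ID (see SimpleRoleSecurity).` GenesisInstall is the only implementation that marks the new method `@Override`; adding it to the rest keeps the interface hook consistent across agents.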
+++ b/Super.Human.Portal_Agents/src/main/java/CategoryAgents/CategoryUpdate.java
@@ -13,6 +13,10 @@ */ public class CategoryUpdate extends CategoryUpdateBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL); }
diff --git a/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkCreate.java b/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkCreate.java
index 1ce691f..ea81ecd 100644
--- a/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkCreate.java
+++ b/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkCreate.java
@@ -18,6 +18,10 @@ */ public class CustomBookmarkCreate extends CustomBookmarkCreateBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_BOOKMARKS_MANAGE; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SecurityBuilder.ROLE_ADMINISTRATOR); }
diff --git a/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkDelete.java b/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkDelete.java
index f1d43ad..0ac5c2c 100644
--- a/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkDelete.java
+++ b/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkDelete.java
@@ -12,6 +12,10 @@ */ public class CustomBookmarkDelete extends CustomBookmarkDeleteBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_BOOKMARKS_MANAGE; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SecurityBuilder.ROLE_ADMINISTRATOR); }
diff --git a/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkRead.java b/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkRead.java
index 1283006..84ea209 100644
--- a/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkRead.java
+++ b/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkRead.java
@@ -24,6 +24,10 @@ */ public class CustomBookmarkRead extends CustomBookmarkReadBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_BOOKMARKS_VIEW; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL); }
diff --git a/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkUpdate.java b/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkUpdate.java
index 71dcab1..13bcb0f 100644
--- a/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkUpdate.java
+++ b/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/CustomBookmarkUpdate.java
@@ -26,6 +26,10 @@ */ public class CustomBookmarkUpdate extends CustomBookmarkUpdateBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_BOOKMARKS_MANAGE; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SecurityBuilder.ROLE_ADMINISTRATOR); }
diff --git a/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/DatabaseRead.java b/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/DatabaseRead.java
index 7265cef..00f0908 100644
--- a/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/DatabaseRead.java
+++ b/Super.Human.Portal_Agents/src/main/java/CustomBookmarkAgents/DatabaseRead.java
@@ -34,6 +34,10 @@ public class DatabaseRead extends CRUDAgentBase implements RoleRestrictedAgent protected Map > bookmarkCache = null; + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_BROWSE_MY_SERVER; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL); }
diff --git a/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormCreate.java b/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormCreate.java
index 8453ffa..c7506a3 100644
--- a/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormCreate.java
+++ b/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormCreate.java
@@ -13,6 +13,10 @@ */ public class DocumentationFormCreate extends DocumentationFormCreateBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL); }
diff --git a/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormDelete.java b/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormDelete.java
index ada6a0b..c8e723b 100644
--- a/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormDelete.java
+++ b/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormDelete.java
@@ -13,6 +13,10 @@ */ public class DocumentationFormDelete extends DocumentationFormDeleteBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL); }
diff --git a/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormRead.java b/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormRead.java
index bc71cbb..df42ab9 100644
--- a/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormRead.java
+++ b/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormRead.java
@@ -13,6 +13,10 @@ */ public class DocumentationFormRead extends DocumentationFormReadBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_DOCUMENTATION_VIEW; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL); }
diff --git a/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormUpdate.java b/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormUpdate.java
index e2945b7..9e878a5 100644
--- a/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormUpdate.java
+++ b/Super.Human.Portal_Agents/src/main/java/DocumentationFormAgents/DocumentationFormUpdate.java
@@ -13,6 +13,10 @@ */ public class DocumentationFormUpdate extends DocumentationFormUpdateBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL); }
diff --git a/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryCreate.java b/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryCreate.java
index f77af20..38483b8 100644
--- a/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryCreate.java
+++ b/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryCreate.java
@@ -14,6 +14,10 @@ */ public class GenesisDirectoryCreate extends GenesisDirectoryCreateBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_GENESIS_MANAGE; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SecurityBuilder.ROLE_ADMINISTRATOR); }
diff --git a/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryDelete.java b/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryDelete.java
index 337526d..13dd8b3 100644
--- a/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryDelete.java
+++ b/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryDelete.java
@@ -12,6 +12,10 @@ */ public class GenesisDirectoryDelete extends GenesisDirectoryDeleteBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_GENESIS_MANAGE; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SecurityBuilder.ROLE_ADMINISTRATOR); }
diff --git a/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryRead.java b/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryRead.java
index 9237e06..18b705e 100644
--- a/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryRead.java
+++ b/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryRead.java
@@ -14,6 +14,10 @@ */ public class GenesisDirectoryRead extends GenesisDirectoryReadBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_GENESIS_MANAGE; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SecurityBuilder.ROLE_ADMINISTRATOR); }
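Review bot: GenesisDirectoryRead is keyed to `RESTRICT_GENESIS_MANAGE`, the same `allow_roles_additionalGenesis` entry the Create, Update and Delete agents use, so an administrator cannot grant read access to the Genesis directory without also granting management of it. That matches the previous Administrator-only fallback still visible in `getAllowedRoles()` below, so it may well be intentional, but a comment at the return would record the decision, e.g. `// Intentionally shares the manage key: reading the directory is an admin-only operation.` If a separate view key is wanted later, the constant group in SecurityBuilder is where it would be added.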
diff --git a/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryUpdate.java b/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryUpdate.java
index 3a6e763..5c75430 100644
--- a/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryUpdate.java
+++ b/Super.Human.Portal_Agents/src/main/java/GenesisDirectoryAgents/GenesisDirectoryUpdate.java
@@ -12,6 +12,10 @@ */ public class GenesisDirectoryUpdate extends GenesisDirectoryUpdateBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_GENESIS_MANAGE; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SecurityBuilder.ROLE_ADMINISTRATOR); }
diff --git a/Super.Human.Portal_Agents/src/main/java/auth/RoleRestrictedAgent.java b/Super.Human.Portal_Agents/src/main/java/auth/RoleRestrictedAgent.java
index 34735e5..7733aae 100644
--- a/Super.Human.Portal_Agents/src/main/java/auth/RoleRestrictedAgent.java
+++ b/Super.Human.Portal_Agents/src/main/java/auth/RoleRestrictedAgent.java
@@ -10,7 +10,14 @@ public interface RoleRestrictedAgent { /** - * Get the allowed roles for the agent. Should be used when building the securityi + * Get an ID that will be used to lookup the role restrictions for this agent. + * If not null, this will have priority over {@link #getAllowedRoles()}. + */ + public String getRoleRestrictionID(); + + /** + * Get the allowed roles for the agent. Should be used when building the security. + * Lower priority than getRoleRestrictionID */ public Collection getAllowedRoles();
diff --git a/Super.Human.Portal_Agents/src/main/java/auth/SecurityBuilder.java b/Super.Human.Portal_Agents/src/main/java/auth/SecurityBuilder.java
index b0bf2b8..55f7d1d 100644
--- a/Super.Human.Portal_Agents/src/main/java/auth/SecurityBuilder.java
+++ b/Super.Human.Portal_Agents/src/main/java/auth/SecurityBuilder.java
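Review bot: The Javadoc on `getRoleRestrictionID()` says a non-null value takes priority, but the SimpleRoleSecurity constructor in this patch tests it with `DominoUtils.isValueEmpty`, so an empty string also falls back to `getAllowedRoles()`; the interface contract should say so and should name the configuration key the ID selects, since implementers are choosing a config key, not a role. Suggested tag: `@return the suffix of the {@code allow_roles_<ID>} configuration key that lists the permitted roles, or {@code null}/empty to fall back to {@link #getAllowedRoles()}`. The key format is taken from `getRolesByRestrictionID` in the SimpleRoleSecurity hunk further down; keep the two in step if it changes.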
@@ -16,8 +16,17 @@ public class SecurityBuilder { public static final String ROLE_ADMINISTRATOR = "Administrator"; + public static final String RESTRICT_DOCUMENTATION_VIEW = "viewDocumentation"; + public static final String RESTRICT_DOCUMENTATION_MANAGE = "manageDocumentation"; + public static final String RESTRICT_APPS_VIEW = "viewInstalledApps"; + public static final String RESTRICT_APPS_INSTALL = "installApps"; + public static final String RESTRICT_BOOKMARKS_VIEW = "viewBookmarks"; + public static final String RESTRICT_BOOKMARKS_MANAGE = "manageBookmarks"; + public static final String RESTRICT_BROWSE_MY_SERVER = "browseMyServer"; + public static final String RESTRICT_GENESIS_MANAGE = "additionalGenesis"; + public static SecurityInterface buildInstance(Database roleDatabase, RoleRestrictedAgent agent, Session session, LogInterface log) { - return new SimpleRoleSecurity(roleDatabase, agent.getAllowedRoles(), session, log); + return new SimpleRoleSecurity(roleDatabase, agent.getRoleRestrictionID(), agent.getAllowedRoles(), session, log); } public static Collection buildList(String role1) {
diff --git a/Super.Human.Portal_Agents/src/main/java/auth/SimpleRoleSecurity.java b/Super.Human.Portal_Agents/src/main/java/auth/SimpleRoleSecurity.java
index e6b5dbd..3d4257f 100644
--- a/Super.Human.Portal_Agents/src/main/java/auth/SimpleRoleSecurity.java
+++ b/Super.Human.Portal_Agents/src/main/java/auth/SimpleRoleSecurity.java
@@ -50,8 +50,9 @@ public class SimpleRoleSecurity extends SecurityInterface { protected LogInterface log = null; - protected Set allowedRoles = new TreeSet(); + protected Set allowedRoles = null; // Initialize when loaded. new TreeSet(); protected Set userRoles = new TreeSet(); + protected String roleRestrictionID = null; protected Database roleDatabase = null; protected Collection userLookupKeys = new ArrayList();
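Review bot: The `RESTRICT_*` constants are the only place that records which `allow_roles_*` configuration entries an administrator has to populate, and the names do not all match the values (`RESTRICT_GENESIS_MANAGE` is `"additionalGenesis"`), so a comment on the group stating the resulting key would prevent mis-configuration, e.g. `// Each value is the suffix of an allow_roles_<value> configuration entry listing the roles permitted for that feature; a missing entry grants nobody.` The "grants nobody" part rests on `getRolesByRestrictionID` returning an empty set in the SimpleRoleSecurity hunk below; if that ever changes to a default, this comment should change with it.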
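Review bot: `allowedRoles` becomes nullable in this field hunk, but the trailing comment `// Initialize when loaded. new TreeSet();` is leftover code rather than a description of the new state; replace it with the invariant, e.g. `// null until getAllowedRoles()/addAllowedRole() populates it; read it only through getAllowedRoles()`. Any other method of the class that still iterates `this.allowedRoles` directly (the original `isAuthorizedForRoles()` did, and is rewritten in a later hunk) would now throw NullPointerException whenever a roleRestrictionID is in use; only the hunks in this patch are visible here, so the rest of the class is worth a grep before merging.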
@@ -125,6 +126,33 @@ public SimpleRoleSecurity(Database roleDatabase, Collection roles, Sessi } } + /** + * Initialize the security with a list of roles. + * Add additional roles with {@link #addAllowedRole(String)}. + * @param roleDatabase the role configuration database + * @param session the session + * @param log the log + */ + public SimpleRoleSecurity(Database roleDatabase, String roleRestrictionID, Collection roles, Session session, LogInterface log) + { + this(roleDatabase, session, log); + if (!DominoUtils.isValueEmpty(roleRestrictionID)){ + log.dbg("Using role restriction ID for agent security."); + this.roleRestrictionID = roleRestrictionID; + // initialize role list dynamically to avoid Domino calls in test cases + } + else { + if (null != roles && roles.size() > 0) { + for (String role : roles) { + addAllowedRole(role); + } + } + else { + log.err("No roles defined."); + } + } + } + /** + * See {@link #isAuthorizedForRoles()}.
@@ -375,7 +403,11 @@ public void refreshUserRoles() { * With the default logic, this will return true if the user has any of the specified roles. */ public boolean isAuthorizedForRoles() { - for (String allowedRole : this.allowedRoles) { + return isAuthorizedForRoles(getAllowedRoles()); + } + + public boolean isAuthorizedForRoles(Collection allowedRoles) { + for (String allowedRole : allowedRoles) { if (userRoles.contains(allowedRole)) { return true; }
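Review bot: The Javadoc on the new five-argument constructor is copied from the four-argument one: it says the security is initialised "with a list of roles" and omits `@param roleRestrictionID` and `@param roles`, yet when the ID is non-empty the `roles` argument is discarded and the allowed set is resolved later from configuration. Suggest `@param roleRestrictionID suffix of the allow_roles_* configuration key the allowed roles are read from; when non-empty, {@code roles} is ignored` and `@param roles fallback allowed roles, used only when roleRestrictionID is null or empty`. A non-empty ID with no matching configuration entry ends up as an empty allowed set, i.e. everyone is denied, which is the safe default and deserves a sentence in the same comment so it is not "fixed" later into an allow.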
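Review bot: The new public overload `isAuthorizedForRoles(Collection allowedRoles)` dereferences its argument in the for-each with no null check; the two callers added in this patch never pass null, but the method is public and decides authorisation, so it should fail closed rather than with NullPointerException: `if (null == allowedRoles) { return false; }` as its first statement. A Javadoc line stating the contract (`@return true if the user holds at least one of the given roles; false for a null or empty collection`) would complete it. The loop body continues past the end of this hunk.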
@@ -384,20 +416,70 @@ public boolean isAuthorizedForRoles() { return false; } + /** + * Utility for XMLAuthenticationTest to lookup restrictions for multiple IDs + */ + public boolean isAuthorizedForRoles(String roleRestrictionID) { + return isAuthorizedForRoles(getRolesByRestrictionID(roleRestrictionID)); + } + /** * Get the allowed roles for a user */ public Collection getAllowedRoles() { + // initialize dynamically when using roleRestrictionID + if (null == allowedRoles) { + if (!DominoUtils.isValueEmpty(roleRestrictionID)) { + // make sure the roles are initialized regardless + allowedRoles = new TreeSet(); + allowedRoles.addAll(getRolesByRestrictionID(roleRestrictionID)); + } + else { + log.dbg("No roles defined. Initializing empty list"); + allowedRoles = new TreeSet(); + } + } // return an independent copy to avoid edits return new TreeSet(allowedRoles); } + /** + * Lookup the allowed roles for the given roleRestrictionID + */ + public Collection getRolesByRestrictionID(String roleRestrictionID) { + TreeSet roles = new TreeSet(); + try { + String key = "allow_roles_" + roleRestrictionID; + log.dbg("Looking up roles for key '" + key + "'"); + Vector raw = ConfigurationUtils.getConfigAsVector(roleDatabase, key); + if (!DominoUtils.isListEmpty(raw)) { + for (Object curRole : raw) { + roles.add(curRole.toString()); + } + } + else { + log.err("No roles defined for key '" + key + "'"); + } + } + catch(Exception ex) { + log.err("Exception while loading roles for ID '" + roleRestrictionID + "': ", ex); + } + return roles; + } + + public String getRoleRestrictionID() { + return roleRestrictionID; + } + /** * Add an allowed role for this agent. * @param role the role to add * @return true if the role was not already added */ public boolean addAllowedRole(String role) { + if (null == allowedRoles) { + allowedRoles = new TreeSet(); + } return allowedRoles.add(role); }
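Review bot: The null branch added to `addAllowedRole()` initialises `allowedRoles` to an empty TreeSet, which bypasses the lazy lookup in `getAllowedRoles()`: if any caller adds a role before the first `getAllowedRoles()`/`isAuthorizedForRoles()` call on an instance that has a roleRestrictionID, the configured `allow_roles_*` list is never loaded and only the added role is ever allowed. Route the initialisation through the same path instead, replacing the new branch with `if (null == allowedRoles) { getAllowedRoles(); // populates the field from roleRestrictionID when one is configured }`. Separately, `getRolesByRestrictionID` stores `curRole.toString()` untrimmed while `userRoles.contains` is an exact match, so a trailing space in a configured value silently denies that role; whether the configuration utility already trims is not visible here, so a `.trim()` or a comment stating the assumption would help.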
diff --git a/Super.Human.Portal_Agents/src/main/java/auth/XMLAuthenticationTest.java b/Super.Human.Portal_Agents/src/main/java/auth/XMLAuthenticationTest.java
index 896032b..be91f97 100644
--- a/Super.Human.Portal_Agents/src/main/java/auth/XMLAuthenticationTest.java
+++ b/Super.Human.Portal_Agents/src/main/java/auth/XMLAuthenticationTest.java
@@ -26,6 +26,10 @@ */ public class XMLAuthenticationTest extends CRUDAgentBase implements RoleRestrictedAgent { + public String getRoleRestrictionID() { + return null; // allow all + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL); }
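Review bot: `return null; // allow all` is misleading: a null ID does not allow anyone by itself, it makes SecurityBuilder fall back to `getAllowedRoles()`, which happens to be `ROLE_ALL` for this agent; someone later changing `getAllowedRoles()` here would not learn from this comment that they are changing the effective policy. The same comment appears in the ConfigRead hunk. Suggest `return null; // no restriction key: SimpleRoleSecurity falls back to getAllowedRoles() below` in both places.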
@@ -211,13 +215,15 @@ else if (DominoUtils.isValueEmpty(vector.get(0).toString())) { public JSONObject getDisplayRules(Database configDatabase) { JSONObject display = new JSONObject(); - display.put("documentation", shouldDisplay(configDatabase, "documentation")); - display.put("installApps", shouldDisplay(configDatabase, "installApps")); - display.put("genesisDirectory", shouldDisplay(configDatabase, "genesisDirectory")); - display.put("viewInstalledApps", shouldDisplay(configDatabase, "viewInstalledApps")); - display.put("viewBookmarks", shouldDisplay(configDatabase, "viewBookmarks")); - display.put("manageBookmarks", shouldDisplay(configDatabase, "manageBookmarks")); - display.put("browseMyServer", shouldDisplay(configDatabase, "browseMyServer")); + display.put("documentation", shouldDisplay(configDatabase, SecurityBuilder.RESTRICT_DOCUMENTATION_VIEW)); + display.put("viewDocumentation", shouldDisplay(configDatabase, SecurityBuilder.RESTRICT_DOCUMENTATION_VIEW)); + display.put("manageDocumentation", shouldDisplay(configDatabase, SecurityBuilder.RESTRICT_DOCUMENTATION_VIEW)); + display.put("installApps", shouldDisplay(configDatabase, SecurityBuilder.RESTRICT_APPS_INSTALL)); + display.put("additionalGenesis", shouldDisplay(configDatabase, SecurityBuilder.RESTRICT_GENESIS_MANAGE)); + display.put("viewInstalledApps", shouldDisplay(configDatabase, SecurityBuilder.RESTRICT_APPS_VIEW)); + display.put("viewBookmarks", shouldDisplay(configDatabase, SecurityBuilder.RESTRICT_BOOKMARKS_VIEW)); + display.put("manageBookmarks", shouldDisplay(configDatabase, SecurityBuilder.RESTRICT_BOOKMARKS_MANAGE)); + display.put("browseMyServer", shouldDisplay(configDatabase, SecurityBuilder.RESTRICT_BROWSE_MY_SERVER)); return display; }
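Review bot: The `manageDocumentation` display rule is computed from `SecurityBuilder.RESTRICT_DOCUMENTATION_VIEW`, the same key as `documentation` and `viewDocumentation`, while the documentation and category Create/Update/Delete agents in this patch enforce `RESTRICT_DOCUMENTATION_MANAGE`; a user holding only the view roles would be shown the management UI and then be rejected by the agents, and a user whose role is listed only under the manage key could be hidden from it. The line should read `display.put("manageDocumentation", shouldDisplay(configDatabase, SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE));`. This is a display inconsistency rather than an enforcement gap, since the agents check their own key.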
@@ -230,9 +236,11 @@ public JSONObject getDisplayRules(Database configDatabase) { */ public boolean shouldDisplay(Database configDatabase, String sectionID) { try { - String value = ConfigurationUtils.getConfigAsString(configDatabase, "allow_" + sectionID); - return "true".equalsIgnoreCase(value); - // treat any other value as false + // // UI Testing + // String value = ConfigurationUtils.getConfigAsString(configDatabase, "allow_" + sectionID); + // return "true".equalsIgnoreCase(value); + // // treat any other value as false + return ((SimpleRoleSecurity)getSecurity()).isAuthorizedForRoles(sectionID); } catch (Exception ex) { getLog().err("Exception when checking display rights for '" + sectionID + "'. Default to hidden");
diff --git a/Super.Human.Portal_Agents/src/main/java/config/ConfigRead.java b/Super.Human.Portal_Agents/src/main/java/config/ConfigRead.java
index 4a6344c..01be25f 100644
--- a/Super.Human.Portal_Agents/src/main/java/config/ConfigRead.java
+++ b/Super.Human.Portal_Agents/src/main/java/config/ConfigRead.java
@@ -23,6 +23,10 @@ public class ConfigRead extends CRUDAgentBase implements RoleRestrictedAgent { protected JSONObject configJSON = null; + public String getRoleRestrictionID() { + return null; // allow all + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL); }
diff --git a/Super.Human.Portal_Agents/src/main/java/genesis/GenesisInstall.java b/Super.Human.Portal_Agents/src/main/java/genesis/GenesisInstall.java
index 933460d..a2137b7 100644
--- a/Super.Human.Portal_Agents/src/main/java/genesis/GenesisInstall.java
+++ b/Super.Human.Portal_Agents/src/main/java/genesis/GenesisInstall.java
@@ -25,6 +25,11 @@ */ public class GenesisInstall extends GenesisRead { + @Override + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_APPS_INSTALL; + } + @Override public Collection getAllowedRoles() { return SecurityBuilder.buildList(SecurityBuilder.ROLE_ADMINISTRATOR);
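Review bot: The previous `allow_<section>` implementation of `shouldDisplay` is kept as a commented-out block labelled "UI Testing"; it should be deleted (git history has it) or, if it is meant to be a switchable test mode, made an explicit, documented flag — commented-out authorisation code invites someone to re-enable a check that no longer matches the `allow_roles_*` model. With the new body the `configDatabase` parameter is unused, so the Javadoc above the method (outside this hunk) needs updating or the parameter should be dropped from the callers. The cast `(SimpleRoleSecurity)getSecurity()` lands in the `catch (Exception ex)` below and defaults to hidden, which is the safe direction; `// any failure here, including a non-SimpleRoleSecurity instance, hides the section` on the return line would make that explicit, and the catch could pass `ex` to the logger so the cause is not lost.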
diff --git a/Super.Human.Portal_Agents/src/main/java/genesis/GenesisRead.java b/Super.Human.Portal_Agents/src/main/java/genesis/GenesisRead.java
index 57148a1..fe99073 100644
--- a/Super.Human.Portal_Agents/src/main/java/genesis/GenesisRead.java
+++ b/Super.Human.Portal_Agents/src/main/java/genesis/GenesisRead.java
@@ -45,6 +45,10 @@ public class GenesisRead extends CRUDAgentBase implements RoleRestrictedAgent protected LinkProcessor linkProcessor = null; + public String getRoleRestrictionID() { + return SecurityBuilder.RESTRICT_APPS_VIEW; + } + public Collection getAllowedRoles() { return SecurityBuilder.buildList(SimpleRoleSecurity.ROLE_ALL); }
diff --git a/Super.Human.Portal_Agents/src/test/groovy/auth/SimpleRoleSecuritySpec.groovy b/Super.Human.Portal_Agents/src/test/groovy/auth/SimpleRoleSecuritySpec.groovy
index cbfbfbb..6379180 100644
--- a/Super.Human.Portal_Agents/src/test/groovy/auth/SimpleRoleSecuritySpec.groovy
+++ b/Super.Human.Portal_Agents/src/test/groovy/auth/SimpleRoleSecuritySpec.groovy
@@ -33,6 +33,7 @@ import GenesisDirectoryAgents.*; */ class SimpleRoleSecuritySpec extends Specification { def roleMap = new TreeMap >(); + def restrictionMap = new TreeMap >(); private String testUser = ''; private class SimpleRoleSecurityTest extends SimpleRoleSecurity {
@@ -46,6 +47,17 @@ class SimpleRoleSecuritySpec extends Specification { initializeUserRoles(); } + // public SimpleRoleSecurityTest(String user, boolean allowAnonymous, roleMap, String roleRestrictionID, allowedRoles, restrictionMap) { + // super(null, roleRestrictionID, listToStringCollection(allowedRoles), null, new DefaultLogInterface()); + // this.testUser = user; + // setAllowAnonymous(allowAnonymous); + // this.roleMap = roleMap; + // this.restrictionMap = restrictionMap; + // + // // need to regenerate the roles at this point + // initializeUserRoles(); + // } + @Override public String getUserID() { return this.testUser;
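Review bot: The `SimpleRoleSecurityTest` constructor that would drive the new five-argument `SimpleRoleSecurity(Database, String, Collection, Session, LogInterface)` path is committed commented out, and `restrictionMap` added in the previous hunk is therefore never populated, so the new constructor, the lazy `getAllowedRoles()` initialisation and the deny-on-missing-key behaviour have no test in this spec. Either finish the constructor (the `DefaultLogInterface` it references suggests the Domino-free path was the intent) or drop the dead block; as committed, the spec only checks that each agent returns the expected constant. A short comment naming the blocker, if it is the StackOverflowError mentioned in the later hunk, would at least explain why it is parked.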
@@ -85,6 +97,21 @@ class SimpleRoleSecuritySpec extends Specification { protected void initializeAllowAnonymous() { // nothing to do } + + public Collection getRolesByRestrictionID(String roleRestrictionID) { + if (null == restrictionMap) { + return new TreeSet(); + } + return listToStringCollection(restrictionMap.get(roleRestrictionID)); + } + + public static Collection listToStringCollection(list) { + Collection result = new TreeSet(); + if (null != list) { + list.each { String current -> result.add(current) }; + } + return result; + } } def cleanupSpec() {
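Review bot: Overriding `getRolesByRestrictionID` in the test subclass replaces the production lookup, so the `"allow_roles_" + id` key construction and the exception-to-empty-set path in SimpleRoleSecurity are never exercised by this spec; that is a reasonable trade given the Domino dependency, but a comment on the override should say so, e.g. `// Stub: replaces the Domino configuration lookup. The production allow_roles_* key format is not covered here.` Marking the override `@Override`, as `getUserID()` above it is, also keeps the stub from silently diverging if the production signature changes.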
@@ -157,25 +184,70 @@ class SimpleRoleSecuritySpec extends Specification { agent | allowedRoles new ConfigRead() | ['All'] new XMLAuthenticationTest() | ['All'] - new DocumentationFormRead() | ['All'] - new DocumentationFormDelete() | ['All'] - new DocumentationFormCreate() | ['All'] - new DocumentationFormUpdate() | ['All'] - new CategoryRead() | ['All'] - new CategoryDelete() | ['All'] - new CategoryCreate() | ['All'] - new CategoryUpdate() | ['All'] - new CustomBookmarkDelete() | ['Administrator'] - new CustomBookmarkCreate() | ['Administrator'] - new CustomBookmarkUpdate() | ['Administrator'] - new CustomBookmarkRead() | ['All'] - new DatabaseRead() | ['All'] - new GenesisDirectoryUpdate() | ['Administrator'] - new GenesisDirectoryCreate() | ['Administrator'] - new GenesisDirectoryDelete() | ['Administrator'] - new GenesisDirectoryRead() | ['Administrator'] - new GenesisRead() | ['All'] - new GenesisInstall() | ['Administrator'] + // the rest were changed to useRoleRestrictionID + // new DocumentationFormRead() | ['All'] + // new DocumentationFormDelete() | ['All'] + // new DocumentationFormCreate() | ['All'] + // new DocumentationFormUpdate() | ['All'] + // new CategoryRead() | ['All'] + // new CategoryDelete() | ['All'] + // new CategoryCreate() | ['All'] + // new CategoryUpdate() | ['All'] + // new CustomBookmarkDelete() | ['Administrator'] + // new CustomBookmarkCreate() | ['Administrator'] + // new CustomBookmarkUpdate() | ['Administrator'] + // new CustomBookmarkRead() | ['All'] + // new DatabaseRead() | ['All'] + // new GenesisDirectoryUpdate() | ['Administrator'] + // new GenesisDirectoryCreate() | ['Administrator'] + // new GenesisDirectoryDelete() | ['Administrator'] + // new GenesisDirectoryRead() | ['Administrator'] + // new GenesisRead() | ['All'] + // new GenesisInstall() | ['Administrator'] + + + + } + + @Unroll + def 'Test roleRestrictionID for agent #agent.getClass()'() { + expect: + + + agent instanceof RoleRestrictedAgent + 
agent.getRoleRestrictionID() == roleRestrictionID + // This triggers a StackOverflowError. I think this is because of the dependency on DominoAPI instances for initialization + // SecurityInterface security = agent.checkSecurity(); + // security + // security instanceof SimpleRoleSecurity + // security.getAllowedRoles() == agent.getAllowedRoles(); + + + where: + // TODO: dynamically identify the agents from agentProperties (or AgentBase subclasses) and create instances + + agent | roleRestrictionID + new ConfigRead() | null + new XMLAuthenticationTest() | null + new DocumentationFormRead() | SecurityBuilder.RESTRICT_DOCUMENTATION_VIEW + new DocumentationFormDelete() | SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE + new DocumentationFormCreate() | SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE + new DocumentationFormUpdate() | SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE + new CategoryRead() | SecurityBuilder.RESTRICT_DOCUMENTATION_VIEW + new CategoryDelete() | SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE + new CategoryCreate() | SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE + new CategoryUpdate() | SecurityBuilder.RESTRICT_DOCUMENTATION_MANAGE + new CustomBookmarkDelete() | SecurityBuilder.RESTRICT_BOOKMARKS_MANAGE + new CustomBookmarkCreate() | SecurityBuilder.RESTRICT_BOOKMARKS_MANAGE + new CustomBookmarkUpdate() | SecurityBuilder.RESTRICT_BOOKMARKS_MANAGE + new CustomBookmarkRead() | SecurityBuilder.RESTRICT_BOOKMARKS_VIEW + new DatabaseRead() | SecurityBuilder.RESTRICT_BROWSE_MY_SERVER + new GenesisDirectoryUpdate() | SecurityBuilder.RESTRICT_GENESIS_MANAGE + new GenesisDirectoryCreate() | SecurityBuilder.RESTRICT_GENESIS_MANAGE + new GenesisDirectoryDelete() | SecurityBuilder.RESTRICT_GENESIS_MANAGE + new GenesisDirectoryRead() | SecurityBuilder.RESTRICT_GENESIS_MANAGE + new GenesisRead() | SecurityBuilder.RESTRICT_APPS_VIEW + new GenesisInstall() | SecurityBuilder.RESTRICT_APPS_INSTALL