mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-08-07 17:49:17 +00:00
RM-2123 Use runAsAuthentication instead of actual authentication.
Check that the user the command is run as has clearance to view the classification levels, rather than the user that initiated the command. +review RM-58 git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/modules/recordsmanagement/HEAD@104729 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Tom Page
@@ -73,7 +73,7 @@ public class SecurityClearanceServiceImpl extends ServiceBaseImpl implements Sec
|
|||||||
return new SecurityClearance(null, clearanceManager.getMostSecureLevel());
|
return new SecurityClearance(null, clearanceManager.getMostSecureLevel());
|
||||||
}
|
}
|
||||||
|
|
||||||
final String currentUser = authenticationUtil.getFullyAuthenticatedUser();
|
final String currentUser = authenticationUtil.getRunAsUser();
|
||||||
ParameterCheck.mandatoryString("currentUser", currentUser);
|
ParameterCheck.mandatoryString("currentUser", currentUser);
|
||||||
|
|
||||||
return getUserSecurityClearance(currentUser);
|
return getUserSecurityClearance(currentUser);
|
||||||
|
|||||||
@@ -18,6 +18,7 @@
|
|||||||
*/
|
*/
|
||||||
package org.alfresco.module.org_alfresco_module_rm.util;
|
package org.alfresco.module.org_alfresco_module_rm.util;
|
||||||
|
|
||||||
|
import org.alfresco.repo.security.authentication.AuthenticationException;
|
||||||
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
|
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -95,4 +96,16 @@ public class AuthenticationUtil
|
|||||||
{
|
{
|
||||||
return org.alfresco.repo.security.authentication.AuthenticationUtil.isRunAsUserTheSystemUser();
|
return org.alfresco.repo.security.authentication.AuthenticationUtil.isRunAsUserTheSystemUser();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Helper method to get the user that is currently in effect for purposes of authentication. This includes any
|
||||||
|
* overlays introduced by {@link #runAs}.
|
||||||
|
*
|
||||||
|
* @return Returns the name of the user
|
||||||
|
* @throws AuthenticationException
|
||||||
|
*/
|
||||||
|
public String getRunAsUser() throws AuthenticationException
|
||||||
|
{
|
||||||
|
return org.alfresco.repo.security.authentication.AuthenticationUtil.getRunAsUser();
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -118,7 +118,7 @@ public class SecurityClearanceServiceImplUnitTest
|
|||||||
|
|
||||||
// Create the authorised user.
|
// Create the authorised user.
|
||||||
String authorisedUserName = "authorisedUser";
|
String authorisedUserName = "authorisedUser";
|
||||||
when(mockAuthenticationUtil.getFullyAuthenticatedUser()).thenReturn(authorisedUserName);
|
when(mockAuthenticationUtil.getRunAsUser()).thenReturn(authorisedUserName);
|
||||||
NodeRef authorisedPersonNode = new NodeRef(StoreRef.STORE_REF_WORKSPACE_SPACESSTORE, authorisedUserName);
|
NodeRef authorisedPersonNode = new NodeRef(StoreRef.STORE_REF_WORKSPACE_SPACESSTORE, authorisedUserName);
|
||||||
PersonInfo authorisedPersonInfo = new PersonInfo(authorisedPersonNode, authorisedUserName, "first", "last");
|
PersonInfo authorisedPersonInfo = new PersonInfo(authorisedPersonNode, authorisedUserName, "first", "last");
|
||||||
when(mockPersonService.getPerson(authorisedUserName, false)).thenReturn(authorisedPersonNode);
|
when(mockPersonService.getPerson(authorisedUserName, false)).thenReturn(authorisedPersonNode);
|
||||||
@@ -167,7 +167,7 @@ public class SecurityClearanceServiceImplUnitTest
|
|||||||
|
|
||||||
// Create the user attempting to use the API with "Confidential" clearance.
|
// Create the user attempting to use the API with "Confidential" clearance.
|
||||||
String userName = "unauthorisedUser";
|
String userName = "unauthorisedUser";
|
||||||
when(mockAuthenticationUtil.getFullyAuthenticatedUser()).thenReturn(userName);
|
when(mockAuthenticationUtil.getRunAsUser()).thenReturn(userName);
|
||||||
NodeRef personNode = new NodeRef(StoreRef.STORE_REF_WORKSPACE_SPACESSTORE, userName);
|
NodeRef personNode = new NodeRef(StoreRef.STORE_REF_WORKSPACE_SPACESSTORE, userName);
|
||||||
PersonInfo personInfo = new PersonInfo(personNode, userName, "first", "last");
|
PersonInfo personInfo = new PersonInfo(personNode, userName, "first", "last");
|
||||||
when(mockPersonService.getPerson(userName, false)).thenReturn(personNode);
|
when(mockPersonService.getPerson(userName, false)).thenReturn(personNode);
|
||||||
@@ -199,7 +199,7 @@ public class SecurityClearanceServiceImplUnitTest
|
|||||||
when(mockClassificationLevelManager.findLevelById("2")).thenReturn(secret);
|
when(mockClassificationLevelManager.findLevelById("2")).thenReturn(secret);
|
||||||
|
|
||||||
createMockPerson("Cleared", "Cleared", "Cleared", "2");
|
createMockPerson("Cleared", "Cleared", "Cleared", "2");
|
||||||
when(mockAuthenticationUtil.getFullyAuthenticatedUser()).thenReturn("Uncleared");
|
when(mockAuthenticationUtil.getRunAsUser()).thenReturn("Cleared");
|
||||||
when(mockClearanceLevelManager.findLevelByClassificationLevelId("2")).thenReturn(new ClearanceLevel(secret, "Secret"));
|
when(mockClearanceLevelManager.findLevelByClassificationLevelId("2")).thenReturn(new ClearanceLevel(secret, "Secret"));
|
||||||
|
|
||||||
// The authenticated user's clearance level is high enough to view the classification.
|
// The authenticated user's clearance level is high enough to view the classification.
|
||||||
@@ -220,7 +220,7 @@ public class SecurityClearanceServiceImplUnitTest
|
|||||||
when(mockClassificationLevelManager.findLevelById("2")).thenReturn(secret);
|
when(mockClassificationLevelManager.findLevelById("2")).thenReturn(secret);
|
||||||
|
|
||||||
createMockPerson("Uncleared", "Uncleared", "Uncleared", ClassificationLevelManager.UNCLASSIFIED_ID);
|
createMockPerson("Uncleared", "Uncleared", "Uncleared", ClassificationLevelManager.UNCLASSIFIED_ID);
|
||||||
when(mockAuthenticationUtil.getFullyAuthenticatedUser()).thenReturn("Uncleared");
|
when(mockAuthenticationUtil.getRunAsUser()).thenReturn("Uncleared");
|
||||||
when(mockClearanceLevelManager.findLevelByClassificationLevelId(ClassificationLevelManager.UNCLASSIFIED_ID)).thenReturn(ClearanceLevelManager.NO_CLEARANCE);
|
when(mockClearanceLevelManager.findLevelByClassificationLevelId(ClassificationLevelManager.UNCLASSIFIED_ID)).thenReturn(ClearanceLevelManager.NO_CLEARANCE);
|
||||||
|
|
||||||
// The authenticated user's clearance level not high enough.
|
// The authenticated user's clearance level not high enough.
|
||||||
@@ -238,8 +238,8 @@ public class SecurityClearanceServiceImplUnitTest
|
|||||||
@Test public void isCurrentUserClearedForClassification_classificationNotFound()
|
@Test public void isCurrentUserClearedForClassification_classificationNotFound()
|
||||||
{
|
{
|
||||||
ClassificationLevel topSecret = new ClassificationLevel("1", "TopSecret");
|
ClassificationLevel topSecret = new ClassificationLevel("1", "TopSecret");
|
||||||
createMockPerson("Uncleared", "Uncleared", "Uncleared", "1");
|
createMockPerson("Cleared", "Cleared", "Cleared", "1");
|
||||||
when(mockAuthenticationUtil.getFullyAuthenticatedUser()).thenReturn("Uncleared");
|
when(mockAuthenticationUtil.getRunAsUser()).thenReturn("Cleared");
|
||||||
when(mockClearanceLevelManager.findLevelByClassificationLevelId("1")).thenReturn(new ClearanceLevel(topSecret, "TopSecret"));
|
when(mockClearanceLevelManager.findLevelByClassificationLevelId("1")).thenReturn(new ClearanceLevel(topSecret, "TopSecret"));
|
||||||
// Set up the made up classification.
|
// Set up the made up classification.
|
||||||
String madeUpId = "Made Up Id";
|
String madeUpId = "Made Up Id";
|
||||||
|
|||||||
@@ -22,8 +22,8 @@ package org.alfresco.module.org_alfresco_module_rm.test.util;
|
|||||||
import static org.mockito.Matchers.any;
|
import static org.mockito.Matchers.any;
|
||||||
import static org.mockito.Matchers.anyString;
|
import static org.mockito.Matchers.anyString;
|
||||||
import static org.mockito.Mockito.doAnswer;
|
import static org.mockito.Mockito.doAnswer;
|
||||||
import static org.mockito.Mockito.doReturn;
|
|
||||||
import static org.mockito.Mockito.reset;
|
import static org.mockito.Mockito.reset;
|
||||||
|
import static org.mockito.Mockito.when;
|
||||||
|
|
||||||
import org.alfresco.module.org_alfresco_module_rm.util.AuthenticationUtil;
|
import org.alfresco.module.org_alfresco_module_rm.util.AuthenticationUtil;
|
||||||
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
|
import org.alfresco.repo.security.authentication.AuthenticationUtil.RunAsWork;
|
||||||
@@ -87,8 +87,9 @@ public class MockAuthenticationUtilHelper
|
|||||||
|
|
||||||
}).when(mockAuthenticationUtil).<Object> runAs(any(RunAsWork.class), anyString());
|
}).when(mockAuthenticationUtil).<Object> runAs(any(RunAsWork.class), anyString());
|
||||||
|
|
||||||
doReturn("admin").when(mockAuthenticationUtil).getAdminUserName();
|
when(mockAuthenticationUtil.getAdminUserName()).thenReturn("admin");
|
||||||
doReturn(fullyAuthenticatedUser).when(mockAuthenticationUtil).getFullyAuthenticatedUser();
|
when(mockAuthenticationUtil.getFullyAuthenticatedUser()).thenReturn(fullyAuthenticatedUser);
|
||||||
doReturn("system").when(mockAuthenticationUtil).getSystemUserName();
|
when(mockAuthenticationUtil.getRunAsUser()).thenReturn(fullyAuthenticatedUser);
|
||||||
|
when(mockAuthenticationUtil.getSystemUserName()).thenReturn("system");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user