Add support for hierarchical roles.
Signed-off-by: Lukasz Dywicki <luke@code-house.org>
git-svn-id: https://svn.apache.org/repos/asf/karaf/webconsole/trunk@1239114 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/core/src/main/java/org/apache/karaf/webconsole/core/internal/WebConsoleApplication.java b/core/src/main/java/org/apache/karaf/webconsole/core/internal/WebConsoleApplication.java
index 874cc8f..a5a53cb 100644
--- a/core/src/main/java/org/apache/karaf/webconsole/core/internal/WebConsoleApplication.java
+++ b/core/src/main/java/org/apache/karaf/webconsole/core/internal/WebConsoleApplication.java
@@ -18,9 +18,11 @@
import org.apache.karaf.webconsole.core.dashboard.DashboardPage;
import org.apache.karaf.webconsole.core.page.LoginPage;
+import org.apache.karaf.webconsole.core.security.HierarchicalRoleCheckingStrategy;
import org.apache.karaf.webconsole.core.security.KarafJaasWebSession;
import org.apache.wicket.authentication.AuthenticatedWebApplication;
import org.apache.wicket.authentication.AuthenticatedWebSession;
+import org.apache.wicket.authorization.strategies.role.RoleAuthorizationStrategy;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.pages.AccessDeniedPage;
import org.apache.wicket.markup.html.pages.PageExpiredErrorPage;
@@ -44,6 +46,8 @@
getApplicationSettings().setAccessDeniedPage(AccessDeniedPage.class);
getApplicationSettings().setPageExpiredErrorPage(PageExpiredErrorPage.class);
+
+ getSecuritySettings().setAuthorizationStrategy(new RoleAuthorizationStrategy(new HierarchicalRoleCheckingStrategy()));
}
/**
diff --git a/core/src/main/java/org/apache/karaf/webconsole/core/page/SecuredPage.java b/core/src/main/java/org/apache/karaf/webconsole/core/page/SecuredPage.java
index 6904e2d..886eb30 100644
--- a/core/src/main/java/org/apache/karaf/webconsole/core/page/SecuredPage.java
+++ b/core/src/main/java/org/apache/karaf/webconsole/core/page/SecuredPage.java
@@ -22,10 +22,10 @@
import org.apache.karaf.webconsole.core.navigation.ConsoleTabProvider;
import org.apache.karaf.webconsole.core.navigation.markup.NavigationPanel;
import org.apache.karaf.webconsole.core.preferences.PreferencesPage;
+import org.apache.karaf.webconsole.core.security.SecuredPageLink;
import org.apache.karaf.webconsole.core.security.WebConsoleSession;
import org.apache.wicket.authorization.strategies.role.annotations.AuthorizeInstantiation;
import org.apache.wicket.markup.html.basic.Label;
-import org.apache.wicket.markup.html.link.BookmarkablePageLink;
import org.apache.wicket.markup.html.link.Link;
import org.apache.wicket.model.LoadableDetachableModel;
import org.apache.wicket.model.StringResourceModel;
@@ -56,7 +56,7 @@
add(new AvatarImage("avatar", preferences.getUserPreferences(username)));
add(new Label("username", username));
- add(new BookmarkablePageLink<PreferencesPage>("preferencesLink", PreferencesPage.class));
+ add(new SecuredPageLink<PreferencesPage>("preferencesLink", PreferencesPage.class));
Link<Void> aLink = new Link<Void>("logoutLink") {
@Override
diff --git a/core/src/main/java/org/apache/karaf/webconsole/core/security/HierarchicalRoleCheckingStrategy.java b/core/src/main/java/org/apache/karaf/webconsole/core/security/HierarchicalRoleCheckingStrategy.java
new file mode 100644
index 0000000..f5cb917
--- /dev/null
+++ b/core/src/main/java/org/apache/karaf/webconsole/core/security/HierarchicalRoleCheckingStrategy.java
@@ -0,0 +1,36 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.karaf.webconsole.core.security;
+
+import org.apache.wicket.authentication.AuthenticatedWebSession;
+import org.apache.wicket.authorization.strategies.role.IRoleCheckingStrategy;
+import org.apache.wicket.authorization.strategies.role.Roles;
+
+/**
+ * Role checking strategy which follow the hierarchy.
+ */
+public class HierarchicalRoleCheckingStrategy implements IRoleCheckingStrategy {
+
+ public boolean hasAnyRole(Roles roles) {
+ HierarchicalRoles assigned = new HierarchicalRoles(AuthenticatedWebSession.get().getRoles());
+
+ HierarchicalRoles requested = new HierarchicalRoles(roles);
+
+ return assigned.hasAnyRole(requested);
+ }
+
+}
diff --git a/core/src/main/java/org/apache/karaf/webconsole/core/security/HierarchicalRoles.java b/core/src/main/java/org/apache/karaf/webconsole/core/security/HierarchicalRoles.java
new file mode 100644
index 0000000..b8dc226
--- /dev/null
+++ b/core/src/main/java/org/apache/karaf/webconsole/core/security/HierarchicalRoles.java
@@ -0,0 +1,125 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.karaf.webconsole.core.security;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.TreeMap;
+
+import org.apache.wicket.authorization.strategies.role.Roles;
+
+/**
+ * An extension of roles to support hierarchical roles. Hierarchy is created by
+ * splitting dahses in the role names.
+ *
+ * The role checking follow the structure with one exception. If assgidned roles
+ * do not have a "specific" extension then check will pass. For example, if user
+ * have assigned role "test-role" and component requires role "test-role-one"
+ * then user will be authorized.
+ */
+public class HierarchicalRoles {
+
+ /**
+ * Helper class.
+ */
+ class Node {
+
+ private Map<String, Node> nodes = new TreeMap<String, Node>();
+
+ private String name;
+
+ public Node(String name) {
+ this.name = name;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public Map<String, Node> getNodes() {
+ return nodes;
+ }
+ }
+
+ /**
+ * Assgined roles.
+ */
+ private Map<String, Node> nodes = new TreeMap<String, Node>();
+
+ public HierarchicalRoles(Roles roles) {
+ for (String role : roles) {
+ String[] path = role.split("-");
+
+ createNode(nodes, new ArrayList<String>(Arrays.asList(path)));
+ }
+ }
+
+ public HierarchicalRoles() {
+ this(new Roles());
+ }
+
+ public HierarchicalRoles(String roles) {
+ this(new Roles(roles));
+ }
+
+ private void createNode(Map<String, Node> nodes, List<String> path) {
+ String name = path.remove(0);
+
+ if (!nodes.containsKey(name)) {
+ nodes.put(name, new Node(name));
+ }
+
+ if (path.size() >= 1) {
+ createNode(nodes.get(name).nodes, path);
+ }
+ }
+
+ public boolean hasAnyRole(HierarchicalRoles requested) {
+ //
+ if (requested.getNodes().isEmpty()) {
+ return true;
+ }
+
+ Map<String, Node> requestedNodes = requested.getNodes();
+
+ return matchesAny(nodes, requestedNodes);
+ }
+
+ private static boolean matchesAny(Map<String, Node> assignedNodes, Map<String, Node> requestedNodes) {
+ boolean match = false;
+ for (Node node : requestedNodes.values()) {
+ Node assigned = assignedNodes.get(node.getName());
+ if (assigned != null) {
+ if (assigned.getNodes().size() > 0) {
+ match = matchesAny(assigned.getNodes(), node.getNodes());
+ } else {
+ match = true;
+ }
+ }
+ }
+
+ return match;
+ }
+
+ public Map<String, Node> getNodes() {
+ return Collections.unmodifiableMap(nodes);
+ }
+}
+
diff --git a/core/src/main/java/org/apache/karaf/webconsole/core/security/SecuredPageLink.java b/core/src/main/java/org/apache/karaf/webconsole/core/security/SecuredPageLink.java
new file mode 100644
index 0000000..8b1b47e
--- /dev/null
+++ b/core/src/main/java/org/apache/karaf/webconsole/core/security/SecuredPageLink.java
@@ -0,0 +1,24 @@
+package org.apache.karaf.webconsole.core.security;
+
+import org.apache.karaf.webconsole.core.page.SecuredPage;
+import org.apache.wicket.PageParameters;
+import org.apache.wicket.authentication.AuthenticatedWebSession;
+import org.apache.wicket.markup.html.link.BookmarkablePageLink;
+
+public class SecuredPageLink<T extends SecuredPage> extends BookmarkablePageLink<T> {
+
+ public SecuredPageLink(String id, Class<T> pageClass) {
+ this(id, pageClass, null);
+ }
+
+ public SecuredPageLink(String id, Class<T> pageClass, PageParameters parameters) {
+ super(id, pageClass, parameters);
+ }
+
+ @Override
+ public boolean isVisible() {
+ AuthenticatedWebSession session = AuthenticatedWebSession.get();
+ return session.getAuthorizationStrategy().isInstantiationAuthorized(getPageClass());
+ }
+
+}
diff --git a/core/src/test/java/org/apache/karaf/webconsole/core/security/HierarchicalRolesTest.java b/core/src/test/java/org/apache/karaf/webconsole/core/security/HierarchicalRolesTest.java
new file mode 100644
index 0000000..d765d3c
--- /dev/null
+++ b/core/src/test/java/org/apache/karaf/webconsole/core/security/HierarchicalRolesTest.java
@@ -0,0 +1,113 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with this
+ * work for additional information regarding copyright ownership. The ASF
+ * licenses this file to You under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ * License for the specific language governing permissions and limitations under
+ * the License.
+ */
+package org.apache.karaf.webconsole.core.security;
+
+import static junit.framework.Assert.*;
+
+import java.util.Map;
+
+import org.apache.karaf.webconsole.core.security.HierarchicalRoles.Node;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.BlockJUnit4ClassRunner;
+
+/**
+ * Tests role inheritance and matching.
+ */
+@RunWith(BlockJUnit4ClassRunner.class)
+public class HierarchicalRolesTest {
+
+ @Test
+ public void testEmptyRoles() {
+ HierarchicalRoles roles = new HierarchicalRoles();
+ HierarchicalRoles requested = new HierarchicalRoles("test-user");
+
+ assertEquals(0, roles.getNodes().size());
+ assertFalse(roles.hasAnyRole(requested));
+ assertTrue(requested.hasAnyRole(roles));
+ }
+
+ @Test
+ public void testHierarchy() {
+ HierarchicalRoles roles = new HierarchicalRoles("test-user, test-dev, test-operator");
+
+ Map<String, Node> nodes = roles.getNodes();
+ assertEquals(1, nodes.size());
+
+ nodes = nodes.get("test").getNodes();
+ assertEquals(3, nodes.size());
+
+ assertTrue(nodes.containsKey("user"));
+ assertTrue(nodes.containsKey("dev"));
+ assertTrue(nodes.containsKey("operator"));
+ }
+
+ @Test
+ public void testMultipleHierarchy() {
+ HierarchicalRoles roles = new HierarchicalRoles("test-user, user-one, user-two, test-mock");
+
+ Map<String, Node> nodes = roles.getNodes();
+ assertEquals(2, nodes.size());
+
+ Map<String, Node> testNodes = nodes.get("test").getNodes();
+ assertEquals(2, testNodes.size());
+
+ assertTrue(testNodes.containsKey("user"));
+ assertTrue(testNodes.containsKey("mock"));
+
+ Map<String, Node> userNodes = nodes.get("user").getNodes();
+ assertEquals(2, userNodes.size());
+
+ assertTrue(userNodes.containsKey("one"));
+ assertTrue(userNodes.containsKey("two"));
+ }
+
+ @Test
+ public void testHierarchyMatching() {
+ HierarchicalRoles assigned = new HierarchicalRoles("test");
+ HierarchicalRoles requested = new HierarchicalRoles("test-user");
+
+ assertTrue(assigned.hasAnyRole(requested));
+ assertFalse(requested.hasAnyRole(assigned));
+ }
+
+ @Test
+ public void testTwoLevelHierarchyMatching() {
+ HierarchicalRoles assigned = new HierarchicalRoles("test-user");
+ HierarchicalRoles requested = new HierarchicalRoles("test-user-one,test-user-two,test-user-four");
+
+ assertTrue(assigned.hasAnyRole(requested));
+ assertFalse(requested.hasAnyRole(assigned));
+
+ assigned = new HierarchicalRoles("test-user2");
+ assertFalse(assigned.hasAnyRole(requested));
+ assertFalse(requested.hasAnyRole(assigned));
+
+ assigned = new HierarchicalRoles("test-user-one");
+ assertTrue(assigned.hasAnyRole(requested));
+ assertTrue(requested.hasAnyRole(assigned));
+ }
+
+ @Test
+ public void testMatching() {
+ HierarchicalRoles assigned = new HierarchicalRoles("test");
+ HierarchicalRoles requested = new HierarchicalRoles("test");
+
+ assertTrue(assigned.hasAnyRole(requested));
+ assertTrue(requested.hasAnyRole(assigned));
+ }
+}