From 4ffdde6417391fb4ec80a36c53dc2223059b1969 Mon Sep 17 00:00:00 2001
From: Sebastian Sdorra
Date: Wed, 13 Mar 2019 12:12:06 +0100
Subject: [PATCH] fixes AdministrationContext with user admin flag
---
.../security/AdministrationContextMarker.java | 8 ++++
.../security/AdministrationContextRealm.java | 42 +++++++++++++++++++
.../DefaultAdministrationContext.java | 3 +-
.../AdministrationContextRealmTest.java | 34 +++++++++++++++
4 files changed, 86 insertions(+), 1 deletion(-)
create mode 100644 scm-webapp/src/main/java/sonia/scm/web/security/AdministrationContextMarker.java
create mode 100644 scm-webapp/src/main/java/sonia/scm/web/security/AdministrationContextRealm.java
create mode 100644 scm-webapp/src/test/java/sonia/scm/web/security/AdministrationContextRealmTest.java
diff --git a/scm-webapp/src/main/java/sonia/scm/web/security/AdministrationContextMarker.java b/scm-webapp/src/main/java/sonia/scm/web/security/AdministrationContextMarker.java
new file mode 100644
index 0000000000..f24b5020ce
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/web/security/AdministrationContextMarker.java
@@ -0,0 +1,8 @@
+package sonia.scm.web.security;
+
+final class AdministrationContextMarker {
+
+ static final AdministrationContextMarker MARKER = new AdministrationContextMarker();
+
+ private AdministrationContextMarker() {}
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/web/security/AdministrationContextRealm.java b/scm-webapp/src/main/java/sonia/scm/web/security/AdministrationContextRealm.java
new file mode 100644
index 0000000000..7a4a345af4
--- /dev/null
+++ b/scm-webapp/src/main/java/sonia/scm/web/security/AdministrationContextRealm.java
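Review bot: The whole trust anchor of this change is reference identity on `MARKER` (the realm compares with `==`), so the class header should spell out the invariants that make that safe — `final`, package-private, private constructor, and deliberately not `Serializable` — because each of them is load-bearing and none is explained in the hunk. In particular, a later "helpful" `implements Serializable` with `readResolve` returning `MARKER` would let a deserialized principal collection materialize the very instance the identity check is meant to restrict to in-package code. Suggested class comment: `/** Principal that tags the administration-context subject; AdministrationContextRealm grants "*" only to collections carrying this exact instance. Intentionally final, package-private and non-Serializable so no other code path (including deserialization) can produce it. */`.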
@@ -0,0 +1,42 @@
+package sonia.scm.web.security;
+
+import com.google.common.collect.Sets;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.authz.SimpleAuthorizationInfo;
+import org.apache.shiro.realm.AuthorizingRealm;
+import org.apache.shiro.subject.PrincipalCollection;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import sonia.scm.plugin.Extension;
+import sonia.scm.security.Role;
+
+@Extension
+public class AdministrationContextRealm extends AuthorizingRealm {
+
+ private static final Logger LOG = LoggerFactory.getLogger(AdministrationContextRealm.class);
+
+ public AdministrationContextRealm() {
+ setName(DefaultAdministrationContext.REALM);
+ }
+
+ @Override
+ protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
+ AdministrationContextMarker marker = principals.oneByType(AdministrationContextMarker.class);
+ if (marker == AdministrationContextMarker.MARKER) {
+ LOG.info("assign admin permissions to admin context user {}", principals.getPrimaryPrincipal());
+ SimpleAuthorizationInfo authorizationInfo = new SimpleAuthorizationInfo(Sets.newHashSet(Role.USER, Role.ADMIN));
+ authorizationInfo.setStringPermissions(Sets.newHashSet("*"));
+ return authorizationInfo;
+ }
+ return null;
+ }
+
+ @Override
+ protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) {
+ // we make no authentication we do only authorization
+ return null;
+ }
+}
diff --git a/scm-webapp/src/main/java/sonia/scm/web/security/DefaultAdministrationContext.java b/scm-webapp/src/main/java/sonia/scm/web/security/DefaultAdministrationContext.java
index 46c6c5de00..02f4bf0814 100644
--- a/scm-webapp/src/main/java/sonia/scm/web/security/DefaultAdministrationContext.java
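Review bot: The realm still takes part in authentication: the inherited `supports()` default accepts `UsernamePasswordToken`-type tokens, so the authenticator offers it every login attempt and gets `null` back from `doGetAuthenticationInfo`; Shiro tolerates that in a multi-realm setup, but the authorization-only intent that the comment describes is better enforced than described, with `@Override public boolean supports(AuthenticationToken token) { return false; }`. The marker lookup via `oneByType` accepts the marker under any realm name; since `DefaultAdministrationContext` attaches it under `REALM` (the name this realm also sets in its constructor), pinning the check to `principals.fromRealm(getName()).contains(AdministrationContextMarker.MARKER)` is free defense in depth and documents the coupling. `LOG.info` fires on every authorization lookup for the system subject unless a `CacheManager` is wired into the `AuthorizingRealm` cache, so `debug` is the more appropriate level, and `AuthenticationException` is imported but never used.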
+++ b/scm-webapp/src/main/java/sonia/scm/web/security/DefaultAdministrationContext.java
@@ -75,7 +75,7 @@ public class DefaultAdministrationContext implements AdministrationContext
"/sonia/scm/web/security/system-account.xml";
/** Field description */
- private static final String REALM = "AdminRealm";
+ static final String REALM = "AdminRealm";
/** the logger for DefaultAdministrationContext */
private static final Logger logger =
@@ -174,6 +174,7 @@ public class DefaultAdministrationContext implements AdministrationContext
collection.add(adminUser.getId(), REALM);
collection.add(adminUser, REALM);
collection.add(new GroupNames(), REALM);
+ collection.add(AdministrationContextMarker.MARKER, REALM);
return collection;
}
diff --git a/scm-webapp/src/test/java/sonia/scm/web/security/AdministrationContextRealmTest.java b/scm-webapp/src/test/java/sonia/scm/web/security/AdministrationContextRealmTest.java
new file mode 100644
index 0000000000..ad504433d8
--- /dev/null
+++ b/scm-webapp/src/test/java/sonia/scm/web/security/AdministrationContextRealmTest.java
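Review bot: The added `collection.add(AdministrationContextMarker.MARKER, REALM);` is the single line that turns the system subject into an all-permissions subject, yet nothing at the call site says so; a comment such as `// marker principal: AdministrationContextRealm grants "*" only to collections carrying this exact instance` saves the next reader a trip to the realm. The enclosing method starts before this hunk, so I cannot see whether the collection only backs an in-memory subject or can also end up in a persisted session; the marker is not `Serializable`, so the latter would fail at serialization time — presumably intentional, but worth stating either way. The widening of `REALM` from `private` to package-private in the first hunk exists so that `AdministrationContextRealm` can pass the same name to `setName`; a short comment on the constant saying it is shared with that realm guards against an accidental rename breaking the lookup.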
@@ -0,0 +1,34 @@
+package sonia.scm.web.security;
+
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.subject.SimplePrincipalCollection;
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class AdministrationContextRealmTest {
+
+ private AdministrationContextRealm realm = new AdministrationContextRealm();
+
+ @Test
+ void shouldAssignAdminPermissions() {
+ SimplePrincipalCollection collection = new SimplePrincipalCollection();
+ collection.add("scm-system", DefaultAdministrationContext.REALM);
+ collection.add(AdministrationContextMarker.MARKER, DefaultAdministrationContext.REALM);
+
+ AuthorizationInfo authorizationInfo = realm.doGetAuthorizationInfo(collection);
+
+ assertThat(authorizationInfo.getStringPermissions()).containsOnly("*");
+ }
+
+ @Test
+ void shouldReturnNull() {
+ SimplePrincipalCollection collection = new SimplePrincipalCollection();
+ collection.add("scm-system", DefaultAdministrationContext.REALM);
+
+ AuthorizationInfo authorizationInfo = realm.doGetAuthorizationInfo(collection);
+
+ assertThat(authorizationInfo).isNull();
+ }
+
+}
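Review bot: `shouldAssignAdminPermissions` pins only the string permissions, while the realm also assigns `Role.USER` and `Role.ADMIN`; add `assertThat(authorizationInfo.getRoles()).containsExactlyInAnyOrder(Role.USER, Role.ADMIN);` (importing `sonia.scm.security.Role`) so a later change to the role set cannot pass silently. The negative path only covers a collection without any marker-typed principal; a third case that adds some other object (a plain `new Object()`, say) under `DefaultAdministrationContext.REALM` and still expects `null` would exercise the type filter and the identity comparison rather than just the empty case. `shouldReturnNull` names the outcome, not the scenario — `shouldNotAssignPermissionsWithoutMarker` tells the reader what is being protected.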