[ofbiz-framework] branch release17.12 updated: Revert "Fixed: Error in user impersonation with sub permission (OFBIZ-11342)"

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[ofbiz-framework] branch release17.12 updated: Revert "Fixed: Error in user impersonation with sub permission (OFBIZ-11342)"

pgil
This is an automated email from the ASF dual-hosted git repository.

pgil pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release17.12 by this push:
     new cf16126  Revert "Fixed: Error in user impersonation with sub permission (OFBIZ-11342)"
cf16126 is described below

commit cf1612644e4e4880f9a33d2328f42e361e72ffca
Author: Gil Portenseigne <[hidden email]>
AuthorDate: Wed Feb 12 12:22:59 2020 +0100

    Revert "Fixed: Error in user impersonation with sub permission (OFBIZ-11342)"
   
    This reverts commit 73b7abbd
---
 .../org/apache/ofbiz/security/SecurityUtil.java    | 168 ---------------------
 .../apache/ofbiz/security/SecurityUtilTest.java    |  47 ------
 2 files changed, 215 deletions(-)

diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecurityUtil.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecurityUtil.java
deleted file mode 100644
index 37aa15f..0000000
--- a/framework/security/src/main/java/org/apache/ofbiz/security/SecurityUtil.java
+++ /dev/null
@@ -1,168 +0,0 @@
-/*******************************************************************************
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- *******************************************************************************/
-package org.apache.ofbiz.security;
-
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-import java.util.stream.Collectors;
-import org.apache.ofbiz.base.util.Debug;
-import org.apache.ofbiz.base.util.StringUtil;
-import org.apache.ofbiz.base.util.UtilMisc;
-import org.apache.ofbiz.base.util.UtilValidate;
-import org.apache.ofbiz.entity.Delegator;
-import org.apache.ofbiz.entity.GenericEntityException;
-import org.apache.ofbiz.entity.GenericValue;
-import org.apache.ofbiz.entity.condition.EntityCondition;
-import org.apache.ofbiz.entity.condition.EntityOperator;
-import org.apache.ofbiz.entity.util.EntityQuery;
-import org.apache.ofbiz.entity.util.EntityUtil;
-import org.apache.ofbiz.service.ServiceUtil;
-import org.apache.ofbiz.webapp.control.JWTManager;
-
-/**
- * A <code>Security</code> util.
- */
-public final class SecurityUtil {
-
-    public static final String module = SecurityUtil.class.getName();
-    private static final List<String> adminPermissions = UtilMisc.toList(
-            "IMPERSONATE_ADMIN",
-            "ARTIFACT_INFO_VIEW",
-            "SERVICE_MAINT",
-            "ENTITY_MAINT",
-            "UTIL_CACHE_VIEW",
-            "UTIL_DEBUG_VIEW");
-
-    /**
-     * Return true if given userLogin possess at least one of the adminPermission
-     *
-     * @param delegator
-     * @param userLoginId
-     * @return
-     */
-    public static boolean hasUserLoginAdminPermission(Delegator delegator, String userLoginId) {
-        if (UtilValidate.isEmpty(userLoginId)) return false;
-        try {
-            return EntityQuery.use(delegator)
-                    .from("UserLoginAndPermission")
-                    .where(EntityCondition.makeCondition(
-                            EntityCondition.makeCondition("userLoginId", userLoginId),
-                            EntityCondition.makeCondition("permissionId", EntityOperator.IN, adminPermissions)))
-                    .filterByDate("fromDate", "thruDate", "permissionFromDate", "permissionThruDate")
-                    .queryCount() != 0;
-        } catch (GenericEntityException e) {
-            Debug.logError("Failed to resolve user permissions", module);
-        }
-        return false;
-    }
-
-    /**
-     * Return the list of missing permission, if toUserLoginId has more permission thant userLoginId, emptyList either.
-     *
-     * @param delegator
-     * @param userLoginId
-     * @param toUserLoginId
-     * @return
-     */
-    public static List<String> hasUserLoginMorePermissionThan(Delegator delegator, String userLoginId, String toUserLoginId) {
-        ArrayList<String> returnList = new ArrayList<>();
-        if (UtilValidate.isEmpty(userLoginId) || UtilValidate.isEmpty(toUserLoginId)) return returnList;
-        List<String> userLoginPermissionIds;
-        List<String> toUserLoginPermissionIds;
-        try {
-            userLoginPermissionIds = EntityUtil.getFieldListFromEntityList(
-                    EntityQuery.use(delegator)
-                            .from("UserLoginAndPermission")
-                            .where("userLoginId", userLoginId)
-                            .filterByDate("fromDate", "thruDate", "permissionFromDate", "permissionThruDate")
-                            .queryList(), "permissionId", true);
-            toUserLoginPermissionIds = EntityUtil.getFieldListFromEntityList(
-                    EntityQuery.use(delegator)
-                            .from("UserLoginAndPermission")
-                            .where("userLoginId", toUserLoginId)
-                            .filterByDate("fromDate", "thruDate", "permissionFromDate", "permissionThruDate")
-                            .queryList(), "permissionId", true);
-        } catch (GenericEntityException e) {
-            Debug.logError("Failed to resolve user permissions", module);
-            return returnList;
-        }
-
-        if (UtilValidate.isEmpty(userLoginPermissionIds)) return toUserLoginPermissionIds;
-        if (UtilValidate.isEmpty(toUserLoginPermissionIds)) return returnList;
-
-        //Resolve all ADMIN permissions associated with the origin user
-        List<String> adminPermissions = userLoginPermissionIds.stream()
-                .filter(perm -> perm.endsWith("_ADMIN"))
-                .map(perm -> StringUtil.replaceString(perm, "_ADMIN", ""))
-                .collect(Collectors.toList());
-
-        // if toUserLoginPermissionIds contains at least one permission that is not in admin permission or userLoginPermissionIds
-        // return the list of missing permission
-        return toUserLoginPermissionIds.stream()
-                .filter(perm ->
-                        !userLoginPermissionIds.contains(perm)
-                        && !checkMultiLevelAdminPermissionValidity(adminPermissions, perm))
-                .collect(Collectors.toList());
-    }
-
-    /**
-     * Return if an admin permission is valid for the given list of permissions.
-     *
-     * @param permissionIds List of admin permission value without "_ADMIN" suffix
-     * @param permission permission to be checked with its suffix
-     *
-     */
-    public static boolean checkMultiLevelAdminPermissionValidity(List<String> permissionIds, String permission) {
-        while (permission.lastIndexOf("_") != -1) {
-            permission = permission.substring(0, permission.lastIndexOf("_"));
-            if (permissionIds.contains(permission)) return true;
-        }
-        return false;
-    }
-
-    /**
-     * Return a JWToken for authenticate a userLogin with salt the token by userLoginId and currentPassword
-     */
-    public static String generateJwtToAuthenticateUserLogin(Delegator delegator, String userLoginId)
-    throws GenericEntityException {
-        GenericValue userLogin = EntityQuery.use(delegator).from("UserLogin").where("userLoginId", userLoginId).queryOne();
-        Map<String, String> claims = UtilMisc.toMap("userLoginId", userLogin.getString("userLoginId"));
-        return JWTManager.createJwt(delegator, claims,
-                userLogin.getString("userLoginId") + userLogin.getString("currentPassword"), - 1);
-    }
-
-    /**
-     * For a jwtToken and userLoginId check the coherence between them
-     */
-    public static boolean authenticateUserLoginByJWT(Delegator delegator, String userLoginId, String jwtToken) {
-        if (UtilValidate.isNotEmpty(jwtToken)) {
-            try {
-                GenericValue userLogin = EntityQuery.use(delegator).from("UserLogin").where("userLoginId", userLoginId).queryOne();
-                Map<String, Object> claims = JWTManager.validateToken(delegator, jwtToken,
-                        userLogin.getString("userLoginId") + userLogin.getString("currentPassword"));
-                return (! ServiceUtil.isError(claims)) && userLoginId.equals(claims.get("userLoginId"));
-            } catch (GenericEntityException e) {
-                Debug.logWarning("failed to validate a jwToken for user " + userLoginId, module);
-            }
-        }
-        return false;
-    }
-}
diff --git a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
deleted file mode 100644
index 5f9b339..0000000
--- a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java
+++ /dev/null
@@ -1,47 +0,0 @@
-/*
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements.  See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership.  The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License.  You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied.  See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.ofbiz.security;
-
-import java.util.Arrays;
-import java.util.List;
-
-import org.junit.Test;
-
-import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.assertFalse;
-
-public class SecurityUtilTest {
-    @Test
-    public void basicAdminPermissionTesting() {
-        List<String> adminPermissions = Arrays.asList("PARTYMGR", "EXAMPLE", "ACCTG_PREF");
-        assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions, "PARTYMGR_CREATE"));
-        assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions, "EXAMPLE_CREATE "));
-        assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions, "EXAMPLE_ADMIN"));
-        assertFalse(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions, "ACCTG_ADMIN"));
-    }
-
-    @Test
-    public void multiLevelAdminPermissionTesting() {
-        List<String> adminPermissions = Arrays.asList("PARTYMGR", "EXAMPLE", "ACCTG_PREF");
-        assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions, "PARTYMGR_CME_CREATE"));
-        assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(
-                    adminPermissions, "EXAMPLE_WITH_MULTI_LEVEL_ADMIN"));
-        assertFalse(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions, "ACCTG_ADMIN"));
-    }
-}