This is an automated email from the ASF dual-hosted git repository.
pgil pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new 43bfbcf Fixed: Error in user impersonation with sub permission (OFBIZ-11342) 43bfbcf is described below commit 43bfbcf4f2953280a119729cd9d211de3f22cd1f Author: Gil Portenseigne <[hidden email]> AuthorDate: Fri Feb 7 17:54:52 2020 +0100 Fixed: Error in user impersonation with sub permission (OFBIZ-11342) Add unit tests for permission control feature. Add new method to manage multilevel permission control. This allowing an user with PARTYMGR_ADMIN permission to impersonate another user with PARTYMGR_PCM_CREATE permission. --- .../org/apache/ofbiz/security/SecurityUtil.java | 19 ++++++++- .../apache/ofbiz/security/SecurityUtilTest.java | 47 ++++++++++++++++++++++ 2 files changed, 64 insertions(+), 2 deletions(-) diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecurityUtil.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecurityUtil.java index 95dc868..37aa15f 100644 --- a/framework/security/src/main/java/org/apache/ofbiz/security/SecurityUtil.java +++ b/framework/security/src/main/java/org/apache/ofbiz/security/SecurityUtil.java @@ -119,11 +119,26 @@ public final class SecurityUtil { return toUserLoginPermissionIds.stream() .filter(perm -> !userLoginPermissionIds.contains(perm) - && !adminPermissions.contains(perm.substring(0, perm.lastIndexOf("_")))) + && !checkMultiLevelAdminPermissionValidity(adminPermissions, perm)) .collect(Collectors.toList()); } /** + * Return if an admin permission is valid for the given list of permissions. + * + * @param permissionIds List of admin permission value without "_ADMIN" suffix + * @param permission permission to be checked with its suffix + * + */ + public static boolean checkMultiLevelAdminPermissionValidity(List<String> permissionIds, String permission) { + while (permission.lastIndexOf("_") != -1) { + permission = permission.substring(0, permission.lastIndexOf("_")); + if (permissionIds.contains(permission)) return true; + } + return false; + } + + /** * Return a JWToken for authenticate a userLogin with salt the token by userLoginId and currentPassword */ public static String generateJwtToAuthenticateUserLogin(Delegator delegator, String userLoginId) @@ -150,4 +165,4 @@ public final class SecurityUtil { } return false; } -} \ No newline at end of file +} diff --git a/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java new file mode 100644 index 0000000..5f9b339 --- /dev/null +++ b/framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java @@ -0,0 +1,47 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.ofbiz.security; + +import java.util.Arrays; +import java.util.List; + +import org.junit.Test; + +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.assertFalse; + +public class SecurityUtilTest { + @Test + public void basicAdminPermissionTesting() { + List<String> adminPermissions = Arrays.asList("PARTYMGR", "EXAMPLE", "ACCTG_PREF"); + assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions, "PARTYMGR_CREATE")); + assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions, "EXAMPLE_CREATE ")); + assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions, "EXAMPLE_ADMIN")); + assertFalse(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions, "ACCTG_ADMIN")); + } + + @Test + public void multiLevelAdminPermissionTesting() { + List<String> adminPermissions = Arrays.asList("PARTYMGR", "EXAMPLE", "ACCTG_PREF"); + assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions, "PARTYMGR_CME_CREATE")); + assertTrue(SecurityUtil.checkMultiLevelAdminPermissionValidity( + adminPermissions, "EXAMPLE_WITH_MULTI_LEVEL_ADMIN")); + assertFalse(SecurityUtil.checkMultiLevelAdminPermissionValidity(adminPermissions, "ACCTG_ADMIN")); + } +} |
Free forum by Nabble | Edit this page |