[completed:539] Fixed AuthChecker for wrong beahviour in namespace permissions if group has global grant permissions.

This commit is contained in:
Matteo Tomasini 2011-08-18 16:39:50 +02:00
parent 262086e997
commit 2191bdcd22
3 changed files with 131 additions and 21 deletions


@ -16,5 +16,5 @@ using System.Reflection;
// //
// You can specify all the values or you can default the Revision and Build Numbers // You can specify all the values or you can default the Revision and Build Numbers
// by using the '*' as shown below: // by using the '*' as shown below:
[assembly: AssemblyVersion("3.0.5.602")] [assembly: AssemblyVersion("3.0.5.603")]
[assembly: AssemblyFileVersion("3.0.5.602")] [assembly: AssemblyFileVersion("3.0.5.603")]


@ -1115,6 +1115,96 @@ namespace ScrewTurn.Wiki.Tests {
Actions.ForPages.ModifyPage, "User", new string[] { "Group" }), "Permission should be denied"); Actions.ForPages.ModifyPage, "User", new string[] { "Group" }), "Permission should be denied");
} }
[Test]
public void CheckActionForPage_GrantGroupFullControl_DenyGroupExplicitNamespace_ExceptReadPages() {
List<AclEntry> entries = new List<AclEntry>();
entries.Add(new AclEntry(Actions.ForGlobals.ResourceMasterPrefix, Actions.FullControl, "G.Group", Value.Grant));
entries.Add(new AclEntry(Actions.ForNamespaces.ResourceMasterPrefix + "NS1", Actions.ForNamespaces.ReadPages, "G.Group", Value.Grant));
entries.Add(new AclEntry(Actions.ForNamespaces.ResourceMasterPrefix + "NS1", Actions.FullControl, "G.Group", Value.Deny));
Collectors.SettingsProvider = MockProvider(entries);
Assert.IsFalse(AuthChecker.CheckActionForPage(new PageInfo(NameTools.GetFullName("NS1", "Page"), null, DateTime.Now), Actions.ForPages.ModifyPage, "User", new string[] { "Group" }), "Permission should be denied");
Assert.IsTrue(AuthChecker.CheckActionForPage(new PageInfo(NameTools.GetFullName("NS1", "Page"), null, DateTime.Now), Actions.ForPages.ReadPage, "User", new string[] { "Group" }), "Permission should be granted");
}
[Test]
public void CheckActionForPage_GrantGroupFullControl_DenyGroupNamespaceEscalator_ExceptReadPages() {
List<AclEntry> entries = new List<AclEntry>();
entries.Add(new AclEntry(Actions.ForGlobals.ResourceMasterPrefix, Actions.FullControl, "G.Group", Value.Grant));
entries.Add(new AclEntry(Actions.ForNamespaces.ResourceMasterPrefix, Actions.ForNamespaces.ReadPages, "G.Group", Value.Grant));
entries.Add(new AclEntry(Actions.ForNamespaces.ResourceMasterPrefix, Actions.FullControl, "G.Group", Value.Deny));
Collectors.SettingsProvider = MockProvider(entries);
Assert.IsFalse(AuthChecker.CheckActionForPage(new PageInfo(NameTools.GetFullName("NS1", "Page"), null, DateTime.Now), Actions.ForPages.ModifyPage, "User", new string[] { "Group" }), "Permission should be denied");
Assert.IsTrue(AuthChecker.CheckActionForPage(new PageInfo(NameTools.GetFullName("NS1", "Page"), null, DateTime.Now), Actions.ForPages.ReadPage, "User", new string[] { "Group" }), "Permission should be granted");
}
[Test]
public void CheckActionForPage_DenyGroupFullControl_GrantGroupExplicitNamespace() {
List<AclEntry> entries = new List<AclEntry>();
entries.Add(new AclEntry(Actions.ForGlobals.ResourceMasterPrefix, Actions.FullControl, "G.Group", Value.Deny));
entries.Add(new AclEntry(Actions.ForNamespaces.ResourceMasterPrefix + "NS1", Actions.FullControl, "G.Group", Value.Grant));
Collectors.SettingsProvider = MockProvider(entries);
Assert.IsTrue(AuthChecker.CheckActionForPage(new PageInfo(NameTools.GetFullName("NS1", "Page"), null, DateTime.Now), Actions.ForPages.ModifyPage, "User", new string[] { "Group" }), "Permission should be granted");
Assert.IsTrue(AuthChecker.CheckActionForPage(new PageInfo(NameTools.GetFullName("NS1", "Page"), null, DateTime.Now), Actions.ForPages.ReadPage, "User", new string[] { "Group" }), "Permission should be granted");
}
[Test]
public void CheckActionForPage_DenyGroupFullControl_GrantGroupNamespaceEscalator() {
List<AclEntry> entries = new List<AclEntry>();
entries.Add(new AclEntry(Actions.ForGlobals.ResourceMasterPrefix, Actions.FullControl, "G.Group", Value.Deny));
entries.Add(new AclEntry(Actions.ForNamespaces.ResourceMasterPrefix, Actions.FullControl, "G.Group", Value.Grant));
Collectors.SettingsProvider = MockProvider(entries);
Assert.IsTrue(AuthChecker.CheckActionForPage(new PageInfo(NameTools.GetFullName("NS1", "Page"), null, DateTime.Now), Actions.ForPages.ModifyPage, "User", new string[] { "Group" }), "Permission should be granted");
Assert.IsTrue(AuthChecker.CheckActionForPage(new PageInfo(NameTools.GetFullName("NS1", "Page"), null, DateTime.Now), Actions.ForPages.ReadPage, "User", new string[] { "Group" }), "Permission should be granted");
}
[Test]
public void CheckActionForPage_DenyGroupFullControl_GrantGroupReadPagesExplicitNamespace() {
List<AclEntry> entries = new List<AclEntry>();
entries.Add(new AclEntry(Actions.ForGlobals.ResourceMasterPrefix, Actions.FullControl, "G.Group", Value.Deny));
entries.Add(new AclEntry(Actions.ForNamespaces.ResourceMasterPrefix + "NS1", Actions.ForNamespaces.ReadPages, "G.Group", Value.Grant));
Collectors.SettingsProvider = MockProvider(entries);
Assert.IsFalse(AuthChecker.CheckActionForPage(new PageInfo(NameTools.GetFullName("NS1", "Page"), null, DateTime.Now), Actions.ForPages.ModifyPage, "User", new string[] { "Group" }), "Permission should be denied");
Assert.IsTrue(AuthChecker.CheckActionForPage(new PageInfo(NameTools.GetFullName("NS1", "Page"), null, DateTime.Now), Actions.ForPages.ReadPage, "User", new string[] { "Group" }), "Permission should be granted");
}
[Test]
public void CheckActionForPage_DenyGroupFullControl_GrantGroupReadPagesNamespaceEscalator() {
List<AclEntry> entries = new List<AclEntry>();
entries.Add(new AclEntry(Actions.ForGlobals.ResourceMasterPrefix, Actions.FullControl, "G.Group", Value.Deny));
entries.Add(new AclEntry(Actions.ForNamespaces.ResourceMasterPrefix, Actions.ForNamespaces.ReadPages, "G.Group", Value.Grant));
Collectors.SettingsProvider = MockProvider(entries);
Assert.IsFalse(AuthChecker.CheckActionForPage(new PageInfo(NameTools.GetFullName("NS1", "Page"), null, DateTime.Now), Actions.ForPages.ModifyPage, "User", new string[] { "Group" }), "Permission should be denied");
Assert.IsTrue(AuthChecker.CheckActionForPage(new PageInfo(NameTools.GetFullName("NS1", "Page"), null, DateTime.Now), Actions.ForPages.ReadPage, "User", new string[] { "Group" }), "Permission should be granted");
}
[Test]
public void CheckActionForPage_DenyGroupFullControl_GrantGroupReadPagesExplicitNamespaceLocalEscalator() {
List<AclEntry> entries = new List<AclEntry>();
entries.Add(new AclEntry(Actions.ForGlobals.ResourceMasterPrefix, Actions.FullControl, "G.Group", Value.Deny));
entries.Add(new AclEntry(Actions.ForNamespaces.ResourceMasterPrefix + "NS1", Actions.ForNamespaces.ManagePages, "G.Group", Value.Grant));
Collectors.SettingsProvider = MockProvider(entries);
Assert.IsTrue(AuthChecker.CheckActionForPage(new PageInfo(NameTools.GetFullName("NS1", "Page"), null, DateTime.Now), Actions.ForPages.ModifyPage, "User", new string[] { "Group" }), "Permission should be granted");
Assert.IsTrue(AuthChecker.CheckActionForPage(new PageInfo(NameTools.GetFullName("NS1", "Page"), null, DateTime.Now), Actions.ForPages.ReadPage, "User", new string[] { "Group" }), "Permission should be granted");
}
[Test]
public void CheckActionForPage_DenyGroupFullControl_GrantGroupReadPagesNamespaceEscalatorLocalEscalator() {
List<AclEntry> entries = new List<AclEntry>();
entries.Add(new AclEntry(Actions.ForGlobals.ResourceMasterPrefix, Actions.FullControl, "G.Group", Value.Deny));
entries.Add(new AclEntry(Actions.ForNamespaces.ResourceMasterPrefix, Actions.ForNamespaces.ManagePages, "G.Group", Value.Grant));
Collectors.SettingsProvider = MockProvider(entries);
Assert.IsTrue(AuthChecker.CheckActionForPage(new PageInfo(NameTools.GetFullName("NS1", "Page"), null, DateTime.Now), Actions.ForPages.ModifyPage, "User", new string[] { "Group" }), "Permission should be granted");
Assert.IsTrue(AuthChecker.CheckActionForPage(new PageInfo(NameTools.GetFullName("NS1", "Page"), null, DateTime.Now), Actions.ForPages.ReadPage, "User", new string[] { "Group" }), "Permission should be granted");
}
[Test] [Test]
public void CheckActionForPage_GrantUserRootEscalator_DenyGroupExplicitPage() { public void CheckActionForPage_GrantUserRootEscalator_DenyGroupExplicitPage() {
List<AclEntry> entries = new List<AclEntry>(); List<AclEntry> entries = new List<AclEntry>();
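Review bot: The two test names `CheckActionForPage_DenyGroupFullControl_GrantGroupReadPagesExplicitNamespaceLocalEscalator` and `CheckActionForPage_DenyGroupFullControl_GrantGroupReadPagesNamespaceEscalatorLocalEscalator` say "GrantGroupReadPages", but the entries they add grant `Actions.ForNamespaces.ManagePages`, not ReadPages, which is exactly why they expect ModifyPage to be granted where the ReadPages variants above expect it denied. Rename them to `..._GrantGroupManagePagesExplicitNamespaceLocalEscalator` and `..._GrantGroupManagePagesNamespaceEscalatorLocalEscalator` so the name states the scenario being pinned. The new cases also only ever put Deny/Grant pairs on the same principal; a case where one escalator of an action is explicitly denied and another is granted would document which verdict the new first-non-Unknown-wins logic in AuthChecker is meant to produce. The enclosing test fixture starts and ends outside this hunk.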


@ -38,11 +38,15 @@ namespace ScrewTurn.Wiki {
if(currentUser == "admin") return true; if(currentUser == "admin") return true;
return LocalCheckActionForGlobals(action, currentUser, groups) == Authorization.Granted;
}
private static Authorization LocalCheckActionForGlobals(string action, string currentUser, string[] groups) {
AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource(Actions.ForGlobals.ResourceMasterPrefix); AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource(Actions.ForGlobals.ResourceMasterPrefix);
Authorization auth = AclEvaluator.AuthorizeAction(Actions.ForGlobals.ResourceMasterPrefix, action, Authorization auth = AclEvaluator.AuthorizeAction(Actions.ForGlobals.ResourceMasterPrefix, action,
AuthTools.PrepareUsername(currentUser), AuthTools.PrepareGroups(groups), entries); AuthTools.PrepareUsername(currentUser), AuthTools.PrepareGroups(groups), entries);
return auth == Authorization.Granted; return auth;
} }
/// <summary> /// <summary>
@ -52,8 +56,9 @@ namespace ScrewTurn.Wiki {
/// <param name="action">The action the user is attempting to perform.</param> /// <param name="action">The action the user is attempting to perform.</param>
/// <param name="currentUser">The current user.</param> /// <param name="currentUser">The current user.</param>
/// <param name="groups">The groups the user is member of.</param> /// <param name="groups">The groups the user is member of.</param>
/// <param name="localEscalator"><c>true</c> is the method is called in a local escalator process.</param>
/// <returns><c>true</c> if the action is allowed, <c>false</c> otherwise.</returns> /// <returns><c>true</c> if the action is allowed, <c>false</c> otherwise.</returns>
public static bool CheckActionForNamespace(NamespaceInfo nspace, string action, string currentUser, string[] groups) { public static bool CheckActionForNamespace(NamespaceInfo nspace, string action, string currentUser, string[] groups, bool localEscalator = false) {
if(action == null) throw new ArgumentNullException("action"); if(action == null) throw new ArgumentNullException("action");
if(action.Length == 0) throw new ArgumentException("Action cannot be empty", "action"); if(action.Length == 0) throw new ArgumentException("Action cannot be empty", "action");
if(!AuthTools.IsValidAction(action, Actions.ForNamespaces.All)) throw new ArgumentException("Invalid action", "action"); if(!AuthTools.IsValidAction(action, Actions.ForNamespaces.All)) throw new ArgumentException("Invalid action", "action");
@ -65,6 +70,10 @@ namespace ScrewTurn.Wiki {
if(currentUser == "admin") return true; if(currentUser == "admin") return true;
return LocalCheckActionForNamespace(nspace, action, currentUser, groups, localEscalator) == Authorization.Granted;
}
private static Authorization LocalCheckActionForNamespace(NamespaceInfo nspace, string action, string currentUser, string[] groups, bool localEscalator = false) {
string namespaceName = nspace != null ? nspace.Name : ""; string namespaceName = nspace != null ? nspace.Name : "";
AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource( AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource(
@ -73,33 +82,33 @@ namespace ScrewTurn.Wiki {
Authorization auth = AclEvaluator.AuthorizeAction(Actions.ForNamespaces.ResourceMasterPrefix + namespaceName, Authorization auth = AclEvaluator.AuthorizeAction(Actions.ForNamespaces.ResourceMasterPrefix + namespaceName,
action, AuthTools.PrepareUsername(currentUser), AuthTools.PrepareGroups(groups), entries); action, AuthTools.PrepareUsername(currentUser), AuthTools.PrepareGroups(groups), entries);
if(auth != Authorization.Unknown) return auth == Authorization.Granted; if(localEscalator || auth != Authorization.Unknown) return auth;
// Try local escalators // Try local escalators
string[] localEscalators = null; string[] localEscalators = null;
if(Actions.ForNamespaces.LocalEscalators.TryGetValue(action, out localEscalators)) { if(Actions.ForNamespaces.LocalEscalators.TryGetValue(action, out localEscalators)) {
foreach(string localAction in localEscalators) { foreach(string localAction in localEscalators) {
bool authorized = CheckActionForNamespace(nspace, localAction, currentUser, groups); Authorization authorization = LocalCheckActionForNamespace(nspace, localAction, currentUser, groups, true);
if(authorized) return true; if(authorization != Authorization.Unknown) return authorization;
} }
} }
// Try root escalation // Try root escalation
if(nspace != null) { if(nspace != null) {
bool authorized = CheckActionForNamespace(null, action, currentUser, groups); Authorization authorization = LocalCheckActionForNamespace(null, action, currentUser, groups);
if(authorized) return true; if(authorization != Authorization.Unknown) return authorization;
} }
// Try global escalators // Try global escalators
string[] globalEscalators = null; string[] globalEscalators = null;
if(Actions.ForNamespaces.GlobalEscalators.TryGetValue(action, out globalEscalators)) { if(Actions.ForNamespaces.GlobalEscalators.TryGetValue(action, out globalEscalators)) {
foreach(string globalAction in globalEscalators) { foreach(string globalAction in globalEscalators) {
bool authorized = CheckActionForGlobals(globalAction, currentUser, groups); Authorization authorization = LocalCheckActionForGlobals(globalAction, currentUser, groups);
if(authorized) return true; if(authorization != Authorization.Unknown) return authorization;
} }
} }
return false; return Authorization.Unknown;
} }
/// <summary> /// <summary>
@ -109,8 +118,9 @@ namespace ScrewTurn.Wiki {
/// <param name="action">The action the user is attempting to perform.</param> /// <param name="action">The action the user is attempting to perform.</param>
/// <param name="currentUser">The current user.</param> /// <param name="currentUser">The current user.</param>
/// <param name="groups">The groups the user is member of.</param> /// <param name="groups">The groups the user is member of.</param>
/// <param name="localEscalator"><c>true</c> is the method is called in a local escalator process.</param>
/// <returns><c>true</c> if the action is allowed, <c>false</c> otherwise.</returns> /// <returns><c>true</c> if the action is allowed, <c>false</c> otherwise.</returns>
public static bool CheckActionForPage(PageInfo page, string action, string currentUser, string[] groups) { public static bool CheckActionForPage(PageInfo page, string action, string currentUser, string[] groups, bool localEscalator = false) {
if(page == null) throw new ArgumentNullException("page"); if(page == null) throw new ArgumentNullException("page");
if(action == null) throw new ArgumentNullException("action"); if(action == null) throw new ArgumentNullException("action");
@ -124,18 +134,22 @@ namespace ScrewTurn.Wiki {
if(currentUser == "admin") return true; if(currentUser == "admin") return true;
return LocalCheckActionForPage(page, action, currentUser, groups, localEscalator) == Authorization.Granted;
}
private static Authorization LocalCheckActionForPage(PageInfo page, string action, string currentUser, string[] groups, bool localEscalator = false) {
AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource(Actions.ForPages.ResourceMasterPrefix + page.FullName); AclEntry[] entries = SettingsProvider.AclManager.RetrieveEntriesForResource(Actions.ForPages.ResourceMasterPrefix + page.FullName);
Authorization auth = AclEvaluator.AuthorizeAction(Actions.ForPages.ResourceMasterPrefix + page.FullName, action, Authorization auth = AclEvaluator.AuthorizeAction(Actions.ForPages.ResourceMasterPrefix + page.FullName, action,
AuthTools.PrepareUsername(currentUser), AuthTools.PrepareGroups(groups), entries); AuthTools.PrepareUsername(currentUser), AuthTools.PrepareGroups(groups), entries);
if(auth != Authorization.Unknown) return auth == Authorization.Granted; if(localEscalator || auth != Authorization.Unknown) return auth;
// Try local escalators // Try local escalators
string[] localEscalators = null; string[] localEscalators = null;
if(Actions.ForPages.LocalEscalators.TryGetValue(action, out localEscalators)) { if(Actions.ForPages.LocalEscalators.TryGetValue(action, out localEscalators)) {
foreach(string localAction in localEscalators) { foreach(string localAction in localEscalators) {
bool authorized = CheckActionForPage(page, localAction, currentUser, groups); Authorization authorization = LocalCheckActionForPage(page, localAction, currentUser, groups, true);
if(authorized) return true; if(authorization != Authorization.Unknown) return authorization;
} }
} }
@ -145,8 +159,14 @@ namespace ScrewTurn.Wiki {
NamespaceInfo ns = string.IsNullOrEmpty(nsName) ? null : new NamespaceInfo(nsName, null, null); NamespaceInfo ns = string.IsNullOrEmpty(nsName) ? null : new NamespaceInfo(nsName, null, null);
if(Actions.ForPages.NamespaceEscalators.TryGetValue(action, out namespaceEscalators)) { if(Actions.ForPages.NamespaceEscalators.TryGetValue(action, out namespaceEscalators)) {
foreach(string namespaceAction in namespaceEscalators) { foreach(string namespaceAction in namespaceEscalators) {
bool authorized = CheckActionForNamespace(ns, namespaceAction, currentUser, groups); Authorization authorization = LocalCheckActionForNamespace(ns, namespaceAction, currentUser, groups, true);
if(authorized) return true; if(authorization != Authorization.Unknown) return authorization;
// Try root escalation
if(ns != null) {
authorization = LocalCheckActionForNamespace(null, namespaceAction, currentUser, groups, true);
if(authorization != Authorization.Unknown) return authorization;
}
} }
} }
@ -154,12 +174,12 @@ namespace ScrewTurn.Wiki {
string[] globalEscalators = null; string[] globalEscalators = null;
if(Actions.ForPages.GlobalEscalators.TryGetValue(action, out globalEscalators)) { if(Actions.ForPages.GlobalEscalators.TryGetValue(action, out globalEscalators)) {
foreach(string globalAction in globalEscalators) { foreach(string globalAction in globalEscalators) {
bool authorized = CheckActionForGlobals(globalAction, currentUser, groups); Authorization authorization = LocalCheckActionForGlobals(globalAction, currentUser, groups);
if(authorized) return true; if(authorization != Authorization.Unknown) return authorization;
} }
} }
return false; return Authorization.Unknown;
} }
/// <summary> /// <summary>
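Review bot: The `bool localEscalator = false` parameter added to the public `CheckActionForNamespace` and `CheckActionForPage` signatures is not needed there: every recursive call in these hunks now goes to the private `LocalCheck*` helpers, and an external caller passing `true` silently gets an escalation-free verdict (`if(localEscalator || auth != Authorization.Unknown) return auth;` followed by `== Authorization.Granted` turns Unknown into false). Keep the flag on the private helpers only, restore `public static bool CheckActionForNamespace(NamespaceInfo nspace, string action, string currentUser, string[] groups) {` with `return LocalCheckActionForNamespace(nspace, action, currentUser, groups) == Authorization.Granted;` (same for CheckActionForPage), and drop the two `<param name="localEscalator">` lines, which also read "is the method" where "if the method" is meant. Separately, the escalator loops now return the first non-Unknown verdict, so an explicit Deny on an earlier entry of `LocalEscalators[action]` overrides a Grant on a later one and the outcome depends on list order; a comment stating that this precedence is intended, e.g. `// First explicit verdict (Grant or Deny) among escalators wins; later escalators are not consulted`, would help the next reader. Note too that root escalation in LocalCheckActionForNamespace calls `LocalCheckActionForNamespace(null, action, currentUser, groups)` without `true`, so the root check already runs the global escalators that the caller then repeats a few lines below, whereas the page path passes `true` for the same step; if the asymmetry is deliberate it deserves a comment. The enclosing class continues outside these hunks.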