using authorization stacks instead of a list #1525
Conversation
| @@ -0,0 +1,95 @@ | |||
| /* | |||
There was a problem hiding this comment.
This file is refactored from the AuthorizationCheck.java class
| @@ -1,155 +0,0 @@ | |||
| /* | |||
There was a problem hiding this comment.
Refactored to:
AuthorizationEntity.javaAuthControlFlag.java
| public class AuthorizationFrameworkTest { | ||
|
|
||
| private static String pluginDirectory; | ||
|
|
There was a problem hiding this comment.
This file is heavily refactored and changed to easily form the test cases for the authorization and to support a test cases for substacks. All important test functions in the previous version have been converted to the array of parameters in the new version.
| } catch (Exception ex) { | ||
| Assert.fail("invokeRemoveAll should not throw an exception"); | ||
| } | ||
| env.setPluginStack(new AuthorizationStack(AuthControlFlag.REQUIRED, "default-stack")); |
There was a problem hiding this comment.
This is necessary because the application changes the stack at runtime directly into env and does not have its local copy in the auth. framework.
|
|
||
| private final String role; | ||
|
|
||
| private AuthControlFlag(String role) { |
There was a problem hiding this comment.
there is still a bit of schizophrenia in the naming - role vs. control flag.
There was a problem hiding this comment.
so all should be flag as in pam list?
tulinkry
force-pushed
the
auth-stacks
branch
3 times, most recently
from
a3a5643 to
e04b811
Compare
| import org.opensolaris.opengrok.configuration.Nameable; | ||
|
|
||
| /** | ||
| * |
There was a problem hiding this comment.
should have some description of the purpose
| } | ||
|
|
||
| /** | ||
| * Load all authorization checks in this stack. |
There was a problem hiding this comment.
"checks" should probably be replaced with different term.
| return SUFFICIENT.equals(this); | ||
| } | ||
|
|
||
| public static AuthControlFlag get(String flag) { |
| try { | ||
| return AuthControlFlag.valueOf(flag.toUpperCase()); | ||
| } catch (IllegalArgumentException ex) { | ||
| // role does not exist -> add some more info about which roles do exist |
| } catch (IllegalArgumentException ex) { | ||
| // role does not exist -> add some more info about which roles do exist | ||
| throw new IllegalArgumentException( | ||
| String.format("No authorization flag \"%s\", available flags are [%s]. %s", |
| * Test the given entity if it should be allowed with this authorization | ||
| * check. | ||
| * | ||
| * @param entity the given entity |
There was a problem hiding this comment.
project/group - the terminology clashes a bit here
There was a problem hiding this comment.
added a more detailed comment
| try { | ||
| /** | ||
| * The exception should not happen here as we already have an | ||
| * instance of IAuthoriazationPlugin. But is is required by the |
| * Load all authorization entities in this stack. | ||
| * | ||
| * <p> | ||
| * If the method is unable to load all the entities contained in this stack |
There was a problem hiding this comment.
does not match the code below + explain the rationale (why this is done)
There was a problem hiding this comment.
changed both code and the comment + added the purpose
| * | ||
| * @param s the entity to remove | ||
| */ | ||
| public void remove(AuthorizationEntity s) { |
There was a problem hiding this comment.
how does the unload/remove work in general w.r.t. incoming requests ? If the Configuration is being reloaded and the authorization stack deconstructed what mechanism is used to ensure that the evaluation of the request waits until the stack is fully loaded ?
There was a problem hiding this comment.
I added a synchronized block over the stack replacement and changed couple of stuff:
- the stack is copied from the configuration (not just the reference)
The reload is made like:
- construct a new copy of the configuration stack
- load plugins into this new copy
- replace the old stack with the new stack in the synchronized block (this should be fast as it's just a reference swap)
- free the old stack
| /** | ||
| * Set the plugin to all classes in this stack which requires this class in | ||
| * the configuration. This creates a new instance of the plugin for each | ||
| * class which needs it. |
|
Other than the partial comments I had this looks good, feel free to merge. |
|
Check the new addition, it should be fine by now |
| loadAllPlugins(); | ||
| loadAllPlugins(newStack); | ||
|
|
||
| // replace the stack in a synchronized block |
There was a problem hiding this comment.
explained, waiting for the travis to finish
|
Ok, merge then. |
Plugin stack
This change is to introduce the ability to a plugin stack to be a substack of another plugin stack with similar attributes as the plugins have (1):
The substack can contain an arbitrary number of
The meaning of the three keywords in (1) is not changed and is extended for the entire stacks as well.
There is a default required top level stack for the application with a name "default stack"
Plugin parameters
Another friendliness is that the plugin can now accept an arbitrary parameter included in java
Mapobject. This parameters can be configured in configuration. The parameters can be also used for the entire stack and then it is merged with the plugin specific parameters (the plugin overwrites the conflicts).However note that this is BC break as the
IAuthorizationInterfacehas changed slightly.A configuration example can be this configuration with:
Also note this parts which is how you can set the parameters to the plugin class - property setup which is a
Map.