From dc5bdcf157fe241dd4de99e3b0d3f57e8e0f607e Mon Sep 17 00:00:00 2001 From: Georgy Litvinov Date: Thu, 21 Dec 2023 11:35:44 +0100 Subject: [PATCH] fixes and test improvements for policy template hide not related property --- ...iesNotRelatedToSelfEditorTemplateTest.java | 159 +++++++++++++++++- .../template_hide_not_related_property.n3 | 8 + 2 files changed, 158 insertions(+), 9 deletions(-) diff --git a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/HidePropertiesNotRelatedToSelfEditorTemplateTest.java b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/HidePropertiesNotRelatedToSelfEditorTemplateTest.java index 8b338853ae..5883b1a391 100644 --- a/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/HidePropertiesNotRelatedToSelfEditorTemplateTest.java +++ b/api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/policy/HidePropertiesNotRelatedToSelfEditorTemplateTest.java @@ -1,13 +1,36 @@ package edu.cornell.mannlib.vitro.webapp.auth.policy; -import static edu.cornell.mannlib.vitro.webapp.dao.VitroVocabulary.AUTH_INDIVIDUAL_PREFIX; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.DATA_PROPERTY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.FAUX_DATA_PROPERTY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.FAUX_OBJECT_PROPERTY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType.OBJECT_PROPERTY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.DISPLAY; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation.PUBLISH; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.NOT_RELATED; +import static edu.cornell.mannlib.vitro.webapp.auth.attributes.NamedKeyComponent.PROPERTY_EXCLUSION; +import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.INCONCLUSIVE; +import static edu.cornell.mannlib.vitro.webapp.auth.policy.ifaces.DecisionResult.UNAUTHORIZED; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertTrue; import java.util.Arrays; import java.util.Collection; import java.util.Collections; +import java.util.Set; +import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessObjectType; +import edu.cornell.mannlib.vitro.webapp.auth.attributes.AccessOperation; +import edu.cornell.mannlib.vitro.webapp.auth.objects.AccessObject; +import edu.cornell.mannlib.vitro.webapp.auth.objects.DataPropertyStatementAccessObject; +import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxDataPropertyStatementAccessObject; +import edu.cornell.mannlib.vitro.webapp.auth.objects.FauxObjectPropertyStatementAccessObject; +import edu.cornell.mannlib.vitro.webapp.auth.objects.ObjectPropertyStatementAccessObject; +import edu.cornell.mannlib.vitro.webapp.auth.requestedAction.SimpleAuthorizationRequest; +import edu.cornell.mannlib.vitro.webapp.beans.FauxProperty; +import edu.cornell.mannlib.vitro.webapp.beans.Property; +import edu.cornell.mannlib.vitro.webapp.rdfservice.adapters.VitroModelFactory; +import org.apache.jena.ontology.OntModel; +import org.apache.jena.shared.Lock; import org.junit.Test; import org.junit.runner.RunWith; import org.junit.runners.Parameterized; @@ -16,28 +39,146 @@ public class HidePropertiesNotRelatedToSelfEditorTemplateTest extends PolicyTest { public static final String POLICY_PATH = USER_ACCOUNTS_HOME_FIRSTTIME + "template_hide_not_related_property.n3"; + public static final String TEST_DATA = RESOURCES_RULES_PREFIX + "exclude_from_display_test_data.n3"; + private static final String TEST_ENTITY = "test:alice"; + private static final String OBJECT_ENTITY = "test:orange"; + private static final String TEST_PROPERTY = "test:has"; + private static final String OTHER_PROPERTY = "test:seen"; @org.junit.runners.Parameterized.Parameter(0) - public String dataSetName; + public AccessOperation ao; + + @org.junit.runners.Parameterized.Parameter(1) + public AccessObjectType type; + + @org.junit.runners.Parameterized.Parameter(2) + public String roleUri; + + @org.junit.runners.Parameterized.Parameter(3) + public int rulesCount; + + @org.junit.runners.Parameterized.Parameter(4) + public Set attrCount; @Test public void testLoadPolicy() { load(POLICY_PATH); - load(RESOURCES_RULES_PREFIX + "hide_entities_value_set.n3"); - String policyPrefix = AUTH_INDIVIDUAL_PREFIX + "hide-not-related-property/"; - String dataSetUri = policyPrefix + dataSetName; + OntModel dataModel = VitroModelFactory.createOntologyModel(); + try { + dataModel.enterCriticalSection(Lock.WRITE); + dataModel.read(TEST_DATA); + } finally { + dataModel.leaveCriticalSection(); + } + EntityPolicyController.grantAccess(TEST_PROPERTY, type, ao, roleUri, NOT_RELATED.toString(), + PROPERTY_EXCLUSION.toString()); + + String dataSetUri = loader.getDataSetUriByKey(PROPERTY_EXCLUSION.toString(), NOT_RELATED.toString(), + ao.toString(), type.toString(), roleUri); DynamicPolicy policy = loader.loadPolicyFromTemplateDataSet(dataSetUri); assertTrue(policy != null); assertEquals(5000, policy.getPriority()); countRulesAndAttributes(policy, 1, Collections.singleton(5)); + policyDeniesAccess(policy, dataModel); + policyNotAffectsOtherTypes(policy, dataModel); + policyNotAffectsOtherEntities(policy, dataModel); + policyNotAffectsOtherOperations(policy, dataModel); + policyNotAffectsOtherRoles(policy, dataModel); + policyNotAffectsRelatedIndividuals(policy, dataModel); + } + + private void policyNotAffectsRelatedIndividuals(DynamicPolicy policy, OntModel targetModel) { + AccessObject object = getAccessObject(targetModel, TEST_PROPERTY); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao); + ar.setRoleUris(Arrays.asList(roleUri)); + ar.setEditorUris(Arrays.asList(TEST_ENTITY)); + assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult()); + } + + private void policyNotAffectsOtherRoles(DynamicPolicy policy, OntModel targetModel) { + AccessObject object = getAccessObject(targetModel, TEST_PROPERTY); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao); + ar.setRoleUris(Arrays.asList(ADMIN)); + assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult()); + } + + private void policyNotAffectsOtherOperations(DynamicPolicy policy, OntModel targetModel) { + AccessObject object = getAccessObject(targetModel, TEST_PROPERTY); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, PUBLISH); + ar.setRoleUris(Arrays.asList(roleUri)); + assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult()); + } + + private void policyNotAffectsOtherEntities(DynamicPolicy policy, OntModel targetModel) { + AccessObject object = getAccessObject(targetModel, OTHER_PROPERTY); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao); + ar.setRoleUris(Arrays.asList(roleUri)); + assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult()); + } + + private void policyNotAffectsOtherTypes(DynamicPolicy policy, OntModel targetModel) { + AccessObject object = getWrongAccessObject(targetModel); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao); + ar.setRoleUris(Arrays.asList(roleUri)); + assertEquals(INCONCLUSIVE, policy.decide(ar).getDecisionResult()); + } + + private void policyDeniesAccess(DynamicPolicy policy, OntModel targetModel) { + AccessObject object = getAccessObject(targetModel, TEST_PROPERTY); + SimpleAuthorizationRequest ar = new SimpleAuthorizationRequest(object, ao); + ar.setRoleUris(Arrays.asList(roleUri)); + assertEquals(UNAUTHORIZED, policy.decide(ar).getDecisionResult()); + } + + private AccessObject getWrongAccessObject(OntModel targetModel) { + FauxProperty fauxProperty = new FauxProperty(TEST_ENTITY, TEST_PROPERTY, ""); + fauxProperty.setConfigUri(TEST_PROPERTY); + switch (type) { + case OBJECT_PROPERTY: + return new DataPropertyStatementAccessObject(targetModel, TEST_ENTITY, TEST_PROPERTY, "test"); + case DATA_PROPERTY: + return new ObjectPropertyStatementAccessObject(targetModel, TEST_ENTITY, new Property(TEST_PROPERTY), + OBJECT_ENTITY); + case FAUX_OBJECT_PROPERTY: + return new FauxDataPropertyStatementAccessObject(targetModel, TEST_ENTITY, fauxProperty, "test"); + case FAUX_DATA_PROPERTY: + return new FauxObjectPropertyStatementAccessObject(targetModel, TEST_ENTITY, fauxProperty, + OBJECT_ENTITY); + default: + return null; + } + } + + private AccessObject getAccessObject(OntModel targetModel, String property) { + FauxProperty fauxProperty = new FauxProperty(TEST_ENTITY, property, ""); + fauxProperty.setConfigUri(property); + switch (type) { + case DATA_PROPERTY: + return new DataPropertyStatementAccessObject(targetModel, TEST_ENTITY, property, "test"); + case OBJECT_PROPERTY: + return new ObjectPropertyStatementAccessObject(targetModel, TEST_ENTITY, new Property(property), + OBJECT_ENTITY); + case FAUX_DATA_PROPERTY: + return new FauxDataPropertyStatementAccessObject(targetModel, TEST_ENTITY, fauxProperty, "test"); + case FAUX_OBJECT_PROPERTY: + return new FauxObjectPropertyStatementAccessObject(targetModel, TEST_ENTITY, fauxProperty, + OBJECT_ENTITY); + default: + return null; + } } @Parameterized.Parameters public static Collection requests() { return Arrays.asList(new Object[][] { - { "SelfEditorHideNotRelatedObjectPropertyDataSet" }, - { "SelfEditorHideNotRelatedDataPropertyDataSet" }, - { "SelfEditorHideNotRelatedFauxObjectPropertyDataSet" }, - { "SelfEditorHideNotRelatedFauxDataPropertyDataSet" }, }); + { DISPLAY, DATA_PROPERTY, SELF_EDITOR, 1, num(5) }, + { DISPLAY, OBJECT_PROPERTY, SELF_EDITOR, 1, num(5) }, + { DISPLAY, FAUX_DATA_PROPERTY, SELF_EDITOR, 1, num(5) }, + { DISPLAY, FAUX_OBJECT_PROPERTY, SELF_EDITOR, 1, num(5) }, + }); + } + + private static Set num(int i) { + return Collections.singleton(i); } } diff --git a/home/src/main/resources/rdf/accessControl/firsttime/template_hide_not_related_property.n3 b/home/src/main/resources/rdf/accessControl/firsttime/template_hide_not_related_property.n3 index 1e934d8ac8..90bbdcad19 100644 --- a/home/src/main/resources/rdf/accessControl/firsttime/template_hide_not_related_property.n3 +++ b/home/src/main/resources/rdf/accessControl/firsttime/template_hide_not_related_property.n3 @@ -29,6 +29,8 @@ access:hasKeyComponent access-individual:ObjectProperty ; access:hasKeyComponent access-individual:SelfEditorRoleUri ; access:hasKeyComponent access-individual:DisplayOperation ; + access:hasKeyComponent access-individual:NotRelated ; + access:hasKeyComponent access-individual:PropertyExclusion ; . #Data properties @@ -45,6 +47,8 @@ access:hasKeyComponent access-individual:DataProperty ; access:hasKeyComponent access-individual:SelfEditorRoleUri ; access:hasKeyComponent access-individual:DisplayOperation ; + access:hasKeyComponent access-individual:NotRelated ; + access:hasKeyComponent access-individual:PropertyExclusion ; . #Faux object properties @@ -61,6 +65,8 @@ access:hasKeyComponent access-individual:FauxObjectProperty ; access:hasKeyComponent access-individual:SelfEditorRoleUri ; access:hasKeyComponent access-individual:DisplayOperation ; + access:hasKeyComponent access-individual:NotRelated ; + access:hasKeyComponent access-individual:PropertyExclusion ; . #Faux data properties @@ -77,6 +83,8 @@ access:hasKeyComponent access-individual:FauxDataProperty ; access:hasKeyComponent access-individual:SelfEditorRoleUri ; access:hasKeyComponent access-individual:DisplayOperation ; + access:hasKeyComponent access-individual:NotRelated ; + access:hasKeyComponent access-individual:PropertyExclusion ; . #Rule