private static void makeFileNonReadable(String file) throws IOException { Path filePath = Paths.get(file); Set<String> supportedAttr = filePath.getFileSystem().supportedFileAttributeViews(); if (supportedAttr.contains("posix")) { Files.setPosixFilePermissions(filePath, PosixFilePermissions.fromString("-w--w----")); } else if (supportedAttr.contains("acl")) { UserPrincipal fileOwner = Files.getOwner(filePath); AclFileAttributeView view = Files.getFileAttributeView(filePath, AclFileAttributeView.class); AclEntry entry = AclEntry.newBuilder() .setType(AclEntryType.DENY) .setPrincipal(fileOwner) .setPermissions(AclEntryPermission.READ_DATA) .build(); List<AclEntry> acl = view.getAcl(); acl.add(0, entry); view.setAcl(acl); } }
/** * <p> * This constructor can only discern some very basic permissions. It assumes that because you have access * to this container then you have all CRUD operation access. This may not be true. More sophisticated * implementations should be able to tell the exact permissions. * </p> * <p> * There is a lone {@link CloudAclEntry} created which has the default permissions. It is of type * {@link PublicPrivateCloudPermissionsPrincipal}. * </p> * <p> * Subclasses may implement different permissions. * </p> */ public CloudAclFileAttributes(CloudAclEntryConflictChecker conflictChecker, BlobMetadata blobMetadata, BlobAccess blobAccess) { super(blobMetadata); aclSet = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, conflictChecker); CloudAclEntry<PublicPrivateCloudPermissionsPrincipal> entry = new CloudAclEntryBuilder<>(PublicPrivateCloudPermissionsPrincipal.class) .addPermissions(AclEntryPermission.READ_DATA, AclEntryPermission.WRITE_DATA, AclEntryPermission.APPEND_DATA, AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY, AclEntryPermission.DELETE, AclEntryPermission.DELETE_CHILD, AclEntryPermission.LIST_DIRECTORY, AclEntryPermission.READ_ACL, AclEntryPermission.WRITE_ACL, AclEntryPermission.READ_ATTRIBUTES, AclEntryPermission.READ_ATTRIBUTES) .setType(AclEntryType.ALLOW) .setPrincipal(new PublicPrivateCloudPermissionsPrincipal(blobAccess)) .build(); addAcl(AnonymousUserPrincipal.INSTANCE, entry); }
@Test public void testDoesUserHaveAccessFailsForAUserWithAnAnonymousGroupAllowRuleButAnonymousUserDenyRule() { UserPrincipal user = new TestUserImpl("user1"); CloudAclEntry<GroupPrincipal> entry1 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .addPermission(AclEntryPermission.ADD_FILE) .setType(AclEntryType.ALLOW) .setPrincipal(AnonymousGroupPrincipal.INSTANCE) .build(); CloudAclEntry<UserPrincipal> entry2 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .addPermission(AclEntryPermission.ADD_FILE) .setType(AclEntryType.DENY) .setPrincipal(new AnonymousUserPrincipal()) .build(); CloudAclEntrySet assetPermissions = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, entry1, entry2); Assert.assertFalse(mgr.doesUserHaveAccess(assetPermissions, user, null, EnumSet.of(AclEntryPermission.ADD_FILE))); }
@Test public void testDoesUserHaveAccessFailsForAUserGroupWithAnAllowRuleAndAUserWithADenyRule() { UserPrincipal user = new TestUserImpl("user1"); CloudAclEntry<UserPrincipal> entry1 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .addPermission(AclEntryPermission.ADD_FILE) .setType(AclEntryType.DENY) .setPrincipal(user) .build(); GroupPrincipal group1 = new TestGroupImpl("group1"); GroupPrincipal group2 = new TestGroupImpl("group2"); Set<GroupPrincipal> userGroups = Sets.newHashSet(group1, group2); CloudAclEntry<GroupPrincipal> entry2 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .addPermission(AclEntryPermission.ADD_FILE) .setType(AclEntryType.ALLOW) .setPrincipal(group2) .build(); CloudAclEntrySet assetPermissions = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, entry1, entry2); Assert.assertFalse(mgr.doesUserHaveAccess(assetPermissions, user, userGroups, EnumSet.of(AclEntryPermission.ADD_FILE))); }
@Test public void testDoesUserHaveAccessSucceedsForAUserPrincipalWithMultipleCheckPermissionsAndMultipleAssetPermissionsAllowed() { UserPrincipal user = new TestUserImpl("user1"); CloudAclEntry<UserPrincipal> entry1 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .addPermissions(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY, AclEntryPermission.WRITE_ACL) .setType(AclEntryType.ALLOW) .setPrincipal(user) .build(); CloudAclEntrySet assetPermissions = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, entry1); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, user, null, EnumSet.of(AclEntryPermission.ADD_FILE, AclEntryPermission.WRITE_ACL))); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, user, null, EnumSet.of(AclEntryPermission.ADD_SUBDIRECTORY, AclEntryPermission.WRITE_ACL))); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, user, null, EnumSet.of(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY, AclEntryPermission.WRITE_ACL))); }
@Test public void testDoesUserHaveAccessSucceedsForUsersGroupWithMultipleCheckPermissionsAndMultipleAssetPermissionsAllowed() { UserPrincipal user = new TestUserImpl("user1"); GroupPrincipal group1 = new TestGroupImpl("group1"); GroupPrincipal group2 = new TestGroupImpl("group2"); Set<GroupPrincipal> userGroups = Sets.newHashSet(group1, group2); CloudAclEntry<GroupPrincipal> entry1 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .addPermissions(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY, AclEntryPermission.WRITE_ACL) .setType(AclEntryType.ALLOW) .setPrincipal(group2) .build(); CloudAclEntrySet assetPermissions = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, entry1); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, user, userGroups, EnumSet.of(AclEntryPermission.ADD_FILE))); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, user, userGroups, EnumSet.of(AclEntryPermission.ADD_FILE, AclEntryPermission.WRITE_ACL))); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, user, userGroups, EnumSet.of(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY, AclEntryPermission.WRITE_ACL))); }
@Test public void testIsConflictingAclWillDetermineThatAPublicAndPrivateCloudAclConflicts() { CloudAclEntry<PublicPrivateCloudPermissionsPrincipal> privateAccessEntry = new CloudAclEntryBuilder<PublicPrivateCloudPermissionsPrincipal>(PublicPrivateCloudPermissionsPrincipal.class) .setPrincipal(new PublicPrivateCloudPermissionsPrincipal(BlobAccess.PRIVATE)) .setType(AclEntryType.ALLOW) .build(); CloudAclEntry<PublicPrivateCloudPermissionsPrincipal> publicAccessEntry = new CloudAclEntryBuilder<PublicPrivateCloudPermissionsPrincipal>(PublicPrivateCloudPermissionsPrincipal.class) .setPrincipal(new PublicPrivateCloudPermissionsPrincipal(BlobAccess.PUBLIC_READ)) .setType(AclEntryType.ALLOW) .build(); Assert.assertFalse(checker.isConflictingAcl(privateAccessEntry, privateAccessEntry)); Assert.assertTrue(checker.isConflictingAcl(privateAccessEntry, publicAccessEntry)); Assert.assertTrue(checker.isConflictingAcl(publicAccessEntry, privateAccessEntry)); Assert.assertFalse(checker.isConflictingAcl(publicAccessEntry, publicAccessEntry)); }
@Test public void testIsConflictingAclWillDetermineThatAnAllowAndDenyForTheSamePermissionsForAUserConflicts() { UserPrincipal user1 = new TestUserImpl("user1"); UserPrincipal user2 = new TestUserImpl("user1"); CloudAclEntry<UserPrincipal> cloudAclEntry1 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .setPrincipal(user1) .setType(AclEntryType.DENY) .addPermissions(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY) .build(); CloudAclEntry<UserPrincipal> cloudAclEntry2 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .setPrincipal(user2) .setType(AclEntryType.ALLOW) .addPermissions(AclEntryPermission.DELETE, AclEntryPermission.ADD_SUBDIRECTORY) .build(); Assert.assertTrue(checker.isConflictingAcl(cloudAclEntry1, cloudAclEntry2)); }
@Test public void testIsConflictingAclWillDetermineThatAnAllowAndDenyForDifferentUsersDoesNotConflict() { UserPrincipal user1 = new TestUserImpl("user1"); UserPrincipal user2 = new TestUserImpl("user2"); CloudAclEntry<UserPrincipal> cloudAclEntry1 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .setPrincipal(user1) .setType(AclEntryType.DENY) .addPermissions(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY) .build(); CloudAclEntry<UserPrincipal> cloudAclEntry2 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .setPrincipal(user2) .setType(AclEntryType.ALLOW) .addPermissions(AclEntryPermission.DELETE, AclEntryPermission.ADD_SUBDIRECTORY) .build(); Assert.assertFalse(checker.isConflictingAcl(cloudAclEntry1, cloudAclEntry2)); }
@Test public void testIsConflictingAclWillDetermineThatAnAllowAndDenyForTheSamePermissionsForAGroupConflicts() { GroupPrincipal group1 = new TestGroupImpl("group1"); GroupPrincipal group2 = new TestGroupImpl("group1"); CloudAclEntry<GroupPrincipal> cloudAclEntry1 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .setPrincipal(group1) .setType(AclEntryType.DENY) .addPermissions(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY) .build(); CloudAclEntry<GroupPrincipal> cloudAclEntry2 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .setPrincipal(group2) .setType(AclEntryType.ALLOW) .addPermissions(AclEntryPermission.ADD_SUBDIRECTORY) .build(); Assert.assertTrue(checker.isConflictingAcl(cloudAclEntry1, cloudAclEntry2)); }
@Test public void testIsConflictingAclWillDetermineThatAnAllowAndDenyForDifferentGroupsDoesNotConflict() { GroupPrincipal group1 = new TestGroupImpl("group1"); GroupPrincipal group2 = new TestGroupImpl("group2"); CloudAclEntry<GroupPrincipal> cloudAclEntry1 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .setPrincipal(group1) .setType(AclEntryType.DENY) .addPermissions(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY) .build(); CloudAclEntry<GroupPrincipal> cloudAclEntry2 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .setPrincipal(group2) .setType(AclEntryType.ALLOW) .addPermissions(AclEntryPermission.ADD_SUBDIRECTORY) .build(); Assert.assertFalse(checker.isConflictingAcl(cloudAclEntry1, cloudAclEntry2)); }
@Test public void testIsConflictingAclWillReturnFalseForAUserNotInAGroup() { UserPrincipal user1 = new TestUserImpl("user1"); GroupPrincipal group2 = new TestGroupImpl("group1"); CloudAclEntry<UserPrincipal> cloudAclEntry1 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .setPrincipal(user1) .setType(AclEntryType.DENY) .addPermissions(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY) .build(); CloudAclEntry<GroupPrincipal> cloudAclEntry2 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .setPrincipal(group2) .setType(AclEntryType.ALLOW) .addPermissions(AclEntryPermission.ADD_SUBDIRECTORY) .build(); Assert.assertFalse(checker.isConflictingAcl(cloudAclEntry1, cloudAclEntry2)); }
@Test public void testIsConflictingAclWillReturnFalseByDefaultForAUserInAGroupWithConflictingPermissions() { UserPrincipal user1 = new TestUserImpl("user1"); TestGroupImpl group2 = new TestGroupImpl("group1"); group2.addMember(user1); Assert.assertTrue(group2.isMember(user1)); CloudAclEntry<UserPrincipal> cloudAclEntry1 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .setPrincipal(user1) .setType(AclEntryType.DENY) .addPermissions(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY) .build(); CloudAclEntry<GroupPrincipal> cloudAclEntry2 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .setPrincipal(group2) .setType(AclEntryType.ALLOW) .addPermissions(AclEntryPermission.ADD_SUBDIRECTORY) .build(); Assert.assertFalse(checker.isConflictingAcl(cloudAclEntry1, cloudAclEntry2)); }
@Test public void testIsConflictingAclWillReturnTrueIfTheGroupMembershipCheckIsEnabledForAUserInAGroupWithConflictingPermissions() { checker = new DefaultCloudAclEntryConflictChecker(true); UserPrincipal user1 = new TestUserImpl("user1"); TestGroupImpl group2 = new TestGroupImpl("group1"); group2.addMember(user1); Assert.assertTrue(group2.isMember(user1)); CloudAclEntry<UserPrincipal> cloudAclEntry1 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .setPrincipal(user1) .setType(AclEntryType.DENY) .addPermissions(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY) .build(); CloudAclEntry<GroupPrincipal> cloudAclEntry2 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .setPrincipal(group2) .setType(AclEntryType.ALLOW) .addPermissions(AclEntryPermission.ADD_SUBDIRECTORY) .build(); Assert.assertTrue(checker.isConflictingAcl(cloudAclEntry1, cloudAclEntry2)); }
@Test public void testMergeAclForTwoAllowRulesWillMergeThePermissionsAndFlagsOfTwoAclsForTheSameUser() { CloudAclEntry<UserPrincipal> cloudAclEntry1 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .setPrincipal(new TestUserImpl("user1")) .setType(AclEntryType.ALLOW) .addPermissions(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY) .addFlag(AclEntryFlag.DIRECTORY_INHERIT) .build(); CloudAclEntry<UserPrincipal> cloudAclEntry2 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .setPrincipal(new TestUserImpl("user1")) .setType(AclEntryType.ALLOW) .addPermissions(AclEntryPermission.DELETE) .addFlag(AclEntryFlag.FILE_INHERIT) .build(); CloudAclEntry<?> mergedAcl = checker.mergeAcl(new ConflictingCloudAclEntry(cloudAclEntry1, cloudAclEntry2)); Assert.assertEquals("user1", ((TestUserImpl)mergedAcl.getPrincipal()).getName()); Assert.assertEquals(AclEntryType.ALLOW, mergedAcl.getType()); Assert.assertEquals(EnumSet.of(AclEntryPermission.DELETE, AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY), mergedAcl.getPermissions()); Assert.assertEquals(EnumSet.of(AclEntryFlag.DIRECTORY_INHERIT, AclEntryFlag.FILE_INHERIT), mergedAcl.getFlags()); }
@Test public void testMergeAclForTwoDenyRulesWillMergeThePermissionsAndFlagsOfTwoAclsForTheSameUser() { CloudAclEntry<UserPrincipal> cloudAclEntry1 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .setPrincipal(new TestUserImpl("user1")) .setType(AclEntryType.DENY) .addPermissions(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY) .addFlag(AclEntryFlag.DIRECTORY_INHERIT) .build(); CloudAclEntry<UserPrincipal> cloudAclEntry2 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .setPrincipal(new TestUserImpl("user1")) .setType(AclEntryType.DENY) .addPermissions(AclEntryPermission.DELETE) .addFlag(AclEntryFlag.FILE_INHERIT) .build(); CloudAclEntry<?> mergedAcl = checker.mergeAcl(new ConflictingCloudAclEntry(cloudAclEntry1, cloudAclEntry2)); Assert.assertEquals("user1", ((TestUserImpl)mergedAcl.getPrincipal()).getName()); Assert.assertEquals(AclEntryType.DENY, mergedAcl.getType()); Assert.assertEquals(EnumSet.of(AclEntryPermission.DELETE, AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY), mergedAcl.getPermissions()); Assert.assertEquals(EnumSet.of(AclEntryFlag.DIRECTORY_INHERIT, AclEntryFlag.FILE_INHERIT), mergedAcl.getFlags()); }
@Test public void testCloneProducesACloneEqualsToTheOriginalSet() throws NotOwnerException { UserPrincipal user1 = new TestUserImpl("user1"); TestGroupImpl group1 = new TestGroupImpl("group1"); CloudAclEntrySet acls = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE); CloudAclEntry<UserPrincipal> cloudAclEntry1 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .setPrincipal(user1) .setType(AclEntryType.DENY) .addPermissions(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY) .build(); CloudAclEntry<GroupPrincipal> cloudAclEntry2 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .setPrincipal(group1) .setType(AclEntryType.ALLOW) .addPermissions(AclEntryPermission.ADD_SUBDIRECTORY) .build(); Assert.assertTrue(acls.addAllEntries(AnonymousUserPrincipal.INSTANCE, Arrays.asList(new CloudAclEntry<?>[] {cloudAclEntry1, cloudAclEntry2}))); CloudAclEntrySet clone = acls.clone(); Assert.assertEquals(acls, clone); }
@Test public void testGetAclEntriesUsesClonedEntriesAndDoesNotModifyTheUnderlyingAclEntry() throws NotOwnerException { UserPrincipal user1 = new TestUserImpl("user1"); CloudAclEntry<UserPrincipal> cloudAclEntry1 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .setPrincipal(user1) .setType(AclEntryType.ALLOW) .addPermissions(AclConstants.ALL_DIRECTORY_READ_PERMISSIONS) .build(); CloudAclEntrySet acls = new CloudAclEntrySet(user1, cloudAclEntry1); Set<CloudAclEntry<?>> aclEntries = acls.getAclEntries(); Assert.assertEquals(1, aclEntries.size()); CloudAclEntry<?> cloudAclEntryClone = aclEntries.stream().findFirst().get(); Assert.assertEquals(cloudAclEntry1, cloudAclEntryClone); Assert.assertFalse(cloudAclEntry1 == cloudAclEntryClone); cloudAclEntryClone.setPermissions(AclConstants.ALL_FILE_WRITE_PERMISSIONS); Assert.assertEquals(AclConstants.ALL_FILE_WRITE_PERMISSIONS, cloudAclEntryClone.getPermissions()); Assert.assertNotEquals(AclConstants.ALL_DIRECTORY_READ_PERMISSIONS, cloudAclEntryClone.getPermissions()); Assert.assertEquals(AclConstants.ALL_DIRECTORY_READ_PERMISSIONS, cloudAclEntry1.getPermissions()); Assert.assertNotEquals(AclConstants.ALL_FILE_WRITE_PERMISSIONS, cloudAclEntry1.getPermissions()); }
/** * Add the proper File-System permissions to a file so that SQL Server can run a RESTORE query. * * @param username The username that SQL Server runs as, e.g. "NETWORK SERVICE" * @param file The file whose permissions will be modified. * @throws IOException */ public static void addRestorePermissions(String username, Path file) throws IOException { AclFileAttributeView aclAttr = Files.getFileAttributeView(file, AclFileAttributeView.class); UserPrincipalLookupService currULS = file.getFileSystem().getUserPrincipalLookupService(); UserPrincipal principal = currULS.lookupPrincipalByName(username); AclEntry.Builder builder = AclEntry.newBuilder(); builder.setPermissions(EnumSet.of(AclEntryPermission.READ_DATA, AclEntryPermission.READ_ACL, AclEntryPermission.READ_ATTRIBUTES, AclEntryPermission.READ_NAMED_ATTRS, AclEntryPermission.EXECUTE, AclEntryPermission.SYNCHRONIZE)); builder.setPrincipal(principal); builder.setType(AclEntryType.ALLOW); aclAttr.setAcl(Collections.singletonList(builder.build())); }
private AclEntry createConfigurationAccessACLEntry(UserPrincipal user) { AclEntry entry = AclEntry .newBuilder() .setType(AclEntryType.ALLOW) .setPrincipal(user) .setPermissions( AclEntryPermission.WRITE_NAMED_ATTRS, AclEntryPermission.WRITE_DATA, AclEntryPermission.WRITE_ATTRIBUTES, AclEntryPermission.READ_ATTRIBUTES, AclEntryPermission.APPEND_DATA, AclEntryPermission.READ_DATA, AclEntryPermission.READ_NAMED_ATTRS, AclEntryPermission.READ_ACL, AclEntryPermission.SYNCHRONIZE, AclEntryPermission.DELETE) .setFlags(AclEntryFlag.FILE_INHERIT) .build(); return entry; }
/** * Finds all ACL's with any of the specified type and with <em>all</em> of the permissions * type. * @param aclOwner * @param type * @return */ public Set<CloudAclEntry<?>> findAclsOfTypeWithAllPermissions(Principal aclOwner, AclEntryType type, Set<AclEntryPermission> permissions) { return findAcls(a -> type.equals(a.getType()) && aclOwner.equals(a.getPrincipal()) && SetUtils.difference(permissions, a.getPermissions()).isEmpty()); }
/** * Finds all ACL's with any of the specified type and with <em>any</em> of the permissions * type. * @param aclOwner * @param type * @return */ public Set<CloudAclEntry<?>> findAclsOfTypeWithAnyPermissions(Principal aclOwner, AclEntryType type, Set<AclEntryPermission> permissions) { return findAcls(a -> type.equals(a.getType()) && aclOwner.equals(a.getPrincipal()) && SetUtils.difference(permissions, a.getPermissions()).size() < permissions.size()); }
@Override public boolean setWritable(boolean writable, boolean ownerOnly) { try { return setPermissionsForCurrentCloudPath(ownerOnly, writable ? AclEntryType.ALLOW : AclEntryType.DENY, ALL_FILE_WRITE_PERMISSIONS, ALL_DIRECTORY_WRITE_PERMISSIONS); } catch (NotOwnerException e) { LOG.warn("Cannot set write state, current user does not own the file ACL for {}", cloudPath); return false; } }
@Override public boolean setReadable(boolean readable, boolean ownerOnly) { try { return setPermissionsForCurrentCloudPath(ownerOnly, readable ? AclEntryType.ALLOW : AclEntryType.DENY, ALL_FILE_READ_PERMISSIONS, ALL_DIRECTORY_READ_PERMISSIONS); } catch (NotOwnerException e) { LOG.warn("Cannot set read state, current user does not own the file ACL for {}", cloudPath); return false; } }
@Override public boolean setExecutable(boolean executable, boolean ownerOnly) { try { return setPermissionsForCurrentCloudPath(ownerOnly, executable ? AclEntryType.ALLOW : AclEntryType.DENY, ALL_FILE_EXEC_PERMISSIONS, ALL_FILE_EXEC_PERMISSIONS); } catch (NotOwnerException e) { LOG.warn("Cannot set execute state, current user does not own the file ACL for {}", cloudPath); return false; } }
@Test public void testDoesUserHaveAccessSucceedsForAUserPrincipalWithAnAllowRule() { UserPrincipal user = new TestUserImpl("user1"); CloudAclEntry<UserPrincipal> entry1 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .addPermission(AclEntryPermission.ADD_FILE) .setType(AclEntryType.ALLOW) .setPrincipal(user) .build(); CloudAclEntrySet assetPermissions = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, entry1); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, user, null, EnumSet.of(AclEntryPermission.ADD_FILE))); }
@Test public void testDoesUserHaveAccessSucceedsForAUserPrincipalWithAnAnonymousAllowRule() { UserPrincipal user = new TestUserImpl("user1"); CloudAclEntry<UserPrincipal> entry1 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .addPermission(AclEntryPermission.ADD_FILE) .setType(AclEntryType.ALLOW) .setPrincipal(new AnonymousUserPrincipal()) .build(); CloudAclEntrySet assetPermissions = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, entry1); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, user, null, EnumSet.of(AclEntryPermission.ADD_FILE))); }
@Test public void testDoesUserHaveAccessSucceedsForAnAnonymousUserWithAnAnonymousAllowRule() { CloudAclEntry<UserPrincipal> entry1 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .addPermission(AclEntryPermission.ADD_FILE) .setType(AclEntryType.ALLOW) .setPrincipal(new AnonymousUserPrincipal()) .build(); CloudAclEntrySet assetPermissions = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, entry1); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, null, null, EnumSet.of(AclEntryPermission.ADD_FILE))); }
@Test public void testDoesUserHaveAccessSucceedsForAUserWithAnAnonymousGroupAllowRule() { UserPrincipal user = new TestUserImpl("user1"); CloudAclEntry<GroupPrincipal> entry1 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .addPermission(AclEntryPermission.ADD_FILE) .setType(AclEntryType.ALLOW) .setPrincipal(AnonymousGroupPrincipal.INSTANCE) .build(); CloudAclEntrySet assetPermissions = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, entry1); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, user, null, EnumSet.of(AclEntryPermission.ADD_FILE))); }
@Test public void testDoesUserHaveAccessSucceedsForAnAnonymousUserWithAnAnonymousGroupAllowRule() { CloudAclEntry<GroupPrincipal> entry1 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .addPermission(AclEntryPermission.ADD_FILE) .setType(AclEntryType.ALLOW) .setPrincipal(AnonymousGroupPrincipal.INSTANCE) .build(); CloudAclEntrySet assetPermissions = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, entry1); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, null, null, EnumSet.of(AclEntryPermission.ADD_FILE))); }
@Test public void testDoesUserHaveAccessSucceedsForAUsersGroupWithAnAllowRule() { UserPrincipal user = new TestUserImpl("user1"); GroupPrincipal group1 = new TestGroupImpl("group1"); GroupPrincipal group2 = new TestGroupImpl("group2"); Set<GroupPrincipal> userGroups = Sets.newHashSet(group1, group2); CloudAclEntry<GroupPrincipal> entry1 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .addPermission(AclEntryPermission.ADD_FILE) .setType(AclEntryType.ALLOW) .setPrincipal(group2) .build(); CloudAclEntrySet assetPermissions = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, entry1); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, user, userGroups, EnumSet.of(AclEntryPermission.ADD_FILE))); }
@Test public void testDoesUserHaveAccessSucceedsForAGroupWithAnAllowRule() { GroupPrincipal group = new TestGroupImpl("group1"); CloudAclEntry<GroupPrincipal> entry1 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .addPermission(AclEntryPermission.ADD_FILE) .setType(AclEntryType.ALLOW) .setPrincipal(group) .build(); CloudAclEntrySet assetPermissions = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, entry1); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, group, null, EnumSet.of(AclEntryPermission.ADD_FILE))); }
@Test public void testDoesUserHaveAccessSucceedsForAGroupWithAnAnonymousGroupAllowRule() { GroupPrincipal group = new TestGroupImpl("group1"); CloudAclEntry<GroupPrincipal> entry1 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .addPermission(AclEntryPermission.ADD_FILE) .setType(AclEntryType.ALLOW) .setPrincipal(AnonymousGroupPrincipal.INSTANCE) .build(); CloudAclEntrySet assetPermissions = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, entry1); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, group, null, EnumSet.of(AclEntryPermission.ADD_FILE))); }
@Test public void testDoesUserHaveAccessFailsForAUserPrincipalWithADenyRule() { UserPrincipal user = new TestUserImpl("user1"); CloudAclEntry<UserPrincipal> entry1 = new CloudAclEntryBuilder<UserPrincipal>(UserPrincipal.class) .addPermission(AclEntryPermission.ADD_FILE) .setType(AclEntryType.DENY) .setPrincipal(user) .build(); CloudAclEntrySet assetPermissions = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, entry1); Assert.assertFalse(mgr.doesUserHaveAccess(assetPermissions, user, null, EnumSet.of(AclEntryPermission.ADD_FILE))); }
@Test public void testDoesUserHaveAccessFailsForAUsersGroupWithADenyRule() { UserPrincipal user = new TestUserImpl("user1"); GroupPrincipal group1 = new TestGroupImpl("group1"); GroupPrincipal group2 = new TestGroupImpl("group2"); Set<GroupPrincipal> userGroups = Sets.newHashSet(group1, group2); CloudAclEntry<GroupPrincipal> entry1 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .addPermission(AclEntryPermission.ADD_FILE) .setType(AclEntryType.DENY) .setPrincipal(group2) .build(); CloudAclEntrySet assetPermissions = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, entry1); Assert.assertFalse(mgr.doesUserHaveAccess(assetPermissions, user, userGroups, EnumSet.of(AclEntryPermission.ADD_FILE))); }
@Test public void testDoesUserHaveAccessFailsForAGroupWithADenyRule() { GroupPrincipal group = new TestGroupImpl("group1"); CloudAclEntry<GroupPrincipal> entry1 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .addPermission(AclEntryPermission.ADD_FILE) .setType(AclEntryType.DENY) .setPrincipal(group) .build(); CloudAclEntrySet assetPermissions = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, entry1); Assert.assertFalse(mgr.doesUserHaveAccess(assetPermissions, group, null, EnumSet.of(AclEntryPermission.ADD_FILE))); }
@Test public void testDoesUserHaveAccessSucceedsForAGroupWithMultipleCheckPermissionsAndMultipleAssetPermissionsAllowed() { GroupPrincipal group = new TestGroupImpl("group1"); CloudAclEntry<GroupPrincipal> entry1 = new CloudAclEntryBuilder<GroupPrincipal>(GroupPrincipal.class) .addPermissions(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY, AclEntryPermission.WRITE_ACL) .setType(AclEntryType.ALLOW) .setPrincipal(group) .build(); CloudAclEntrySet assetPermissions = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, entry1); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, group, null, EnumSet.of(AclEntryPermission.ADD_FILE))); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, group, null, EnumSet.of(AclEntryPermission.ADD_SUBDIRECTORY, AclEntryPermission.WRITE_ACL))); Assert.assertTrue(mgr.doesUserHaveAccess(assetPermissions, group, null, EnumSet.of(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY, AclEntryPermission.WRITE_ACL))); }
@Test public void testCloudFileAttributesViewAllowsThePublicPrivateAccessAclToBeModified() throws IOException, NotOwnerException { String originalContent = "This is some content"; String testFileName = "cloud-file-channel-test.txt"; CloudPath testFilePath = new CloudPath(containerPath, testFileName); createRawContent(testFileName, BlobAccess.PUBLIC_READ, originalContent.getBytes("UTF-8")); // Get the view CloudFileAttributesView fileAttributeView = impl.getFileAttributeView(blobStoreContext, CloudFileAttributesView.class, testFilePath); // Read the ACL's CloudAclFileAttributes readAclFileAttributes = fileAttributeView.readAttributes(); CloudAclEntrySet cloudAclEntrySet = readAclFileAttributes.getAclSet(); assertPublicPrivateAccessAcl(cloudAclEntrySet, BlobAccess.PUBLIC_READ); // Change the access CloudAclEntrySet newCloudAclEntrySet = new CloudAclEntrySet(AnonymousUserPrincipal.INSTANCE, DefaultCloudAclEntryConflictChecker.INSTANCE); CloudAclEntry<PublicPrivateCloudPermissionsPrincipal> privateAccessEntry = new CloudAclEntryBuilder<PublicPrivateCloudPermissionsPrincipal>(PublicPrivateCloudPermissionsPrincipal.class) .setPrincipal(new PublicPrivateCloudPermissionsPrincipal(BlobAccess.PRIVATE)) .setType(AclEntryType.ALLOW) .build(); newCloudAclEntrySet.addAclEntry(AnonymousUserPrincipal.INSTANCE, privateAccessEntry); Assert.assertEquals(1, newCloudAclEntrySet.size()); Assert.assertTrue(fileAttributeView.setAclFileAttributes(newCloudAclEntrySet).isEmpty()); // Check by reading the ACL back again readAclFileAttributes = fileAttributeView.readAttributes(); cloudAclEntrySet = readAclFileAttributes.getAclSet(); assertPublicPrivateAccessAcl(cloudAclEntrySet, BlobAccess.PRIVATE); }
