nosu
/
taskana
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

TSK-1029: Test and fix privilege for runasadmin is only temporary

This commit is contained in:
Benjamin Eckstein 2020-01-21 16:59:57 +01:00 committed by Holger Hagen
parent 1d15f5102f
commit 0262121041
3 changed files with 24 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
lib/taskana-core/src/main/java/pro/taskana/security/CurrentUserContext.java
View File

@ -8,6 +8,7 @@ import java.security.Principal;
import java.security.PrivilegedAction; import java.security.PrivilegedAction;
import java.security.acl.Group; import java.security.acl.Group;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.HashSet;
import java.util.List; import java.util.List;
import java.util.Set; import java.util.Set;
import java.util.function.Supplier; import java.util.function.Supplier;
@ -94,12 +95,14 @@ public final class CurrentUserContext {
// dont add authorisation if none is available. // dont add authorisation if none is available.
return supplier.get(); return supplier.get();
} }
Set<Principal> principals = subject.getPrincipals();
Set<Object> privateCredentials = subject.getPrivateCredentials();
Set<Object> publicCredentials = subject.getPublicCredentials();
principals.add(new GroupPrincipal("admin")); Set<Principal> principalsCopy = new HashSet<>(subject.getPrincipals());
Subject subject1 = new Subject(true, principals, privateCredentials, publicCredentials); Set<Object> privateCredentialsCopy = new HashSet<>(subject.getPrivateCredentials());
Set<Object> publicCredentialsCopy = new HashSet<>(subject.getPublicCredentials());
principalsCopy.add(new GroupPrincipal("admin"));
Subject subject1 =
new Subject(true, principalsCopy, privateCredentialsCopy, publicCredentialsCopy);
return Subject.doAs(subject1, (PrivilegedAction<T>) supplier::get); return Subject.doAs(subject1, (PrivilegedAction<T>) supplier::get);
} }

15
lib/taskana-core/src/test/java/acceptance/security/TaskEngineAccTest.java
View File

@ -10,6 +10,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
import pro.taskana.TaskanaRole; import pro.taskana.TaskanaRole;
import pro.taskana.exceptions.NotAuthorizedException; import pro.taskana.exceptions.NotAuthorizedException;
import pro.taskana.security.CurrentUserContext;
import pro.taskana.security.JaasExtension; import pro.taskana.security.JaasExtension;
import pro.taskana.security.WithAccessId; import pro.taskana.security.WithAccessId;
@ -30,6 +31,20 @@ class TaskEngineAccTest extends AbstractAccTest {
() -> taskanaEngine.checkRoleMembership(TaskanaRole.BUSINESS_ADMIN)); () -> taskanaEngine.checkRoleMembership(TaskanaRole.BUSINESS_ADMIN));
} }
@WithAccessId(
userName = "user_1_1",
groupNames = {"businessadmin"})
@Test
void testRunAsAdminIsOnlyTemporary() {
assertTrue(taskanaEngine.isUserInRole(TaskanaRole.BUSINESS_ADMIN));
assertFalse(taskanaEngine.isUserInRole(TaskanaRole.ADMIN));
CurrentUserContext.runAsAdmin(() -> {
assertTrue(taskanaEngine.isUserInRole(TaskanaRole.ADMIN));
return true;
});
assertFalse(taskanaEngine.isUserInRole(TaskanaRole.ADMIN));
}
@WithAccessId(userName = "user_1_1") // , groupNames = {"businessadmin"}) @WithAccessId(userName = "user_1_1") // , groupNames = {"businessadmin"})
@Test @Test
void testUser() throws NotAuthorizedException { void testUser() throws NotAuthorizedException {

2
rest/taskana-rest-spring/src/test/java/pro/taskana/rest/WorkbasketControllerIntTest.java
View File

@ -114,7 +114,7 @@ class WorkbasketControllerIntTest {
* restrictions. * restrictions.
*/ */
@Test @Test
void testDeleteWorkbasketPermissionWithBusinessAdmin() { void testDeleteWorkbasketAsBusinessAdminWithoutExplicitReadPermission() {
String workbasketID = "WBI:100000000000000000000000000000000005"; String workbasketID = "WBI:100000000000000000000000000000000005";