fix #2079 add denied permission
parent
af27fbb50c
commit
6339b97c86
6 changed files with 147 additions and 47 deletions
@ -304,11 +304,7 @@ public class SearchService {
|
|||
QueryBuilders.boolQuery().must(QueryBuilders.termQuery(fessConfig.getIndexFieldDocId(), docId));
|
||||
final Set<String> roleSet = ComponentUtil.getRoleQueryHelper().build(SearchRequestType.JSON); // TODO SearchRequestType?
|
||||
if (!roleSet.isEmpty()) {
|
||||
final BoolQueryBuilder roleQuery = QueryBuilders.boolQuery();
|
||||
roleSet.stream().forEach(name -> {
|
||||
roleQuery.should(QueryBuilders.termQuery(fessConfig.getIndexFieldRole(), name));
|
||||
});
|
||||
boolQuery.filter(roleQuery);
|
||||
ComponentUtil.getQueryHelper().buildRoleQuery(roleSet, boolQuery);
|
||||
}
|
||||
builder.setQuery(boolQuery);
|
||||
builder.setFetchSource(fields, null);
|
||||
|
@ -328,11 +324,7 @@ public class SearchService {
|
|||
if (searchRequestType != SearchRequestType.ADMIN_SEARCH) {
|
||||
final Set<String> roleSet = ComponentUtil.getRoleQueryHelper().build(searchRequestType);
|
||||
if (!roleSet.isEmpty()) {
|
||||
final BoolQueryBuilder roleQuery = QueryBuilders.boolQuery();
|
||||
roleSet.stream().forEach(name -> {
|
||||
roleQuery.should(QueryBuilders.termQuery(fessConfig.getIndexFieldRole(), name));
|
||||
});
|
||||
boolQuery.filter(roleQuery);
|
||||
ComponentUtil.getQueryHelper().buildRoleQuery(roleSet, boolQuery);
|
||||
}
|
||||
}
|
||||
builder.setQuery(boolQuery);
|
||||
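Review bot: The delegation added at L36 still operates on a role set built with the hard-coded `SearchRequestType.JSON` flagged by the `// TODO SearchRequestType?` on L15, whereas the second hunk (L52-L55) resolves the set from the actual `searchRequestType` and bypasses filtering only for ADMIN_SEARCH. Now that `buildRoleQuery` also emits `mustNot` clauses derived from whichever roles are in the set, resolving the set for the wrong request type would make the denial check silently differ between the two lookup paths. Consider passing the caller's request type through here as the second hunk does, or, if this lookup is genuinely only reached from the JSON API, replacing the TODO with a comment that says so, e.g. `// resolved as a JSON request: this lookup is only reachable from the JSON API`. The enclosing methods of both hunks start and end outside the hunks.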
@ -20,6 +20,7 @@ import static org.codelibs.core.stream.StreamUtil.stream;
|
|||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
import java.util.Locale;
|
||||
import java.util.Map;
|
||||
import java.util.stream.Collectors;
|
||||
|
||||
import javax.annotation.Resource;
|
||||
|
@ -35,7 +36,6 @@ import org.slf4j.Logger;
|
|||
import org.slf4j.LoggerFactory;
|
||||
|
||||
import jcifs.SID;
|
||||
import jcifs.smb1.smb1.ACE;
|
||||
|
||||
public class PermissionHelper {
|
||||
private static final Logger logger = LoggerFactory.getLogger(PermissionHelper.class);
|
||||
|
@ -46,6 +46,10 @@ public class PermissionHelper {
|
|||
|
||||
protected String userPrefix = "{user}";
|
||||
|
||||
protected String allowPrefix = "(allow)";
|
||||
|
||||
protected String denyPrefix = "(deny)";
|
||||
|
||||
@Resource
|
||||
protected SystemHelper systemHelper;
|
||||
|
||||
|
@ -54,23 +58,38 @@ public class PermissionHelper {
|
|||
return null;
|
||||
}
|
||||
|
||||
final String permission = value.trim();
|
||||
final String lower = permission.toLowerCase(Locale.ROOT);
|
||||
String permission = value.trim();
|
||||
String lower = permission.toLowerCase(Locale.ROOT);
|
||||
final String aclPrefix;
|
||||
if (lower.startsWith(allowPrefix)) {
|
||||
lower = lower.substring(allowPrefix.length());
|
||||
permission = permission.substring(allowPrefix.length());
|
||||
aclPrefix = StringUtil.EMPTY;
|
||||
} else if (lower.startsWith(denyPrefix)) {
|
||||
lower = lower.substring(denyPrefix.length());
|
||||
permission = permission.substring(denyPrefix.length());
|
||||
aclPrefix = ComponentUtil.getFessConfig().getRoleSearchDeniedPrefix();
|
||||
} else {
|
||||
aclPrefix = StringUtil.EMPTY;
|
||||
}
|
||||
if (StringUtil.isBlank(permission)) {
|
||||
return null;
|
||||
}
|
||||
if (lower.startsWith(userPrefix)) {
|
||||
if (permission.length() > userPrefix.length()) {
|
||||
return systemHelper.getSearchRoleByUser(permission.substring(userPrefix.length()));
|
||||
return aclPrefix + systemHelper.getSearchRoleByUser(permission.substring(userPrefix.length()));
|
||||
} else {
|
||||
return null;
|
||||
}
|
||||
} else if (lower.startsWith(groupPrefix)) {
|
||||
if (permission.length() > groupPrefix.length()) {
|
||||
return systemHelper.getSearchRoleByGroup(permission.substring(groupPrefix.length()));
|
||||
return aclPrefix + systemHelper.getSearchRoleByGroup(permission.substring(groupPrefix.length()));
|
||||
} else {
|
||||
return null;
|
||||
}
|
||||
} else if (lower.startsWith(rolePrefix)) {
|
||||
if (permission.length() > rolePrefix.length()) {
|
||||
return systemHelper.getSearchRoleByRole(permission.substring(rolePrefix.length()));
|
||||
return aclPrefix + systemHelper.getSearchRoleByRole(permission.substring(rolePrefix.length()));
|
||||
} else {
|
||||
return null;
|
||||
}
|
||||
|
@ -84,15 +103,30 @@ public class PermissionHelper {
|
|||
}
|
||||
|
||||
final FessConfig fessConfig = ComponentUtil.getFessConfig();
|
||||
if (value.startsWith(fessConfig.getRoleSearchUserPrefix()) && value.length() > fessConfig.getRoleSearchUserPrefix().length()) {
|
||||
return userPrefix + value.substring(fessConfig.getRoleSearchUserPrefix().length());
|
||||
} else if (value.startsWith(fessConfig.getRoleSearchGroupPrefix())
|
||||
&& value.length() > fessConfig.getRoleSearchGroupPrefix().length()) {
|
||||
return groupPrefix + value.substring(fessConfig.getRoleSearchGroupPrefix().length());
|
||||
} else if (value.startsWith(fessConfig.getRoleSearchRolePrefix()) && value.length() > fessConfig.getRoleSearchRolePrefix().length()) {
|
||||
return rolePrefix + value.substring(fessConfig.getRoleSearchRolePrefix().length());
|
||||
final String aclPrefix;
|
||||
final String permission;
|
||||
final String deniedPrefix = fessConfig.getRoleSearchDeniedPrefix();
|
||||
if (value.startsWith(deniedPrefix)) {
|
||||
permission = value.substring(deniedPrefix.length());
|
||||
aclPrefix = denyPrefix;
|
||||
} else {
|
||||
permission = value;
|
||||
aclPrefix = StringUtil.EMPTY;
|
||||
}
|
||||
return value;
|
||||
if (StringUtil.isBlank(permission)) {
|
||||
return null;
|
||||
}
|
||||
if (permission.startsWith(fessConfig.getRoleSearchUserPrefix())
|
||||
&& permission.length() > fessConfig.getRoleSearchUserPrefix().length()) {
|
||||
return aclPrefix + userPrefix + permission.substring(fessConfig.getRoleSearchUserPrefix().length());
|
||||
} else if (permission.startsWith(fessConfig.getRoleSearchGroupPrefix())
|
||||
&& permission.length() > fessConfig.getRoleSearchGroupPrefix().length()) {
|
||||
return aclPrefix + groupPrefix + permission.substring(fessConfig.getRoleSearchGroupPrefix().length());
|
||||
} else if (permission.startsWith(fessConfig.getRoleSearchRolePrefix())
|
||||
&& permission.length() > fessConfig.getRoleSearchRolePrefix().length()) {
|
||||
return aclPrefix + rolePrefix + permission.substring(fessConfig.getRoleSearchRolePrefix().length());
|
||||
}
|
||||
return permission;
|
||||
}
|
||||
|
||||
public void setRolePrefix(final String rolePrefix) {
|
||||
|
@ -111,37 +145,54 @@ public class PermissionHelper {
|
|||
final List<String> roleTypeList = new ArrayList<>();
|
||||
final FessConfig fessConfig = ComponentUtil.getFessConfig();
|
||||
if (fessConfig.isSmbRoleFromFile()) {
|
||||
final SambaHelper sambaHelper = ComponentUtil.getSambaHelper();
|
||||
final Map<String, Object> metaDataMap = responseData.getMetaDataMap();
|
||||
if (responseData.getUrl().startsWith("smb:")) {
|
||||
final SambaHelper sambaHelper = ComponentUtil.getSambaHelper();
|
||||
final SID[] sids = (SID[]) responseData.getMetaDataMap().get(SmbClient.SMB_ALLOWED_SID_ENTRIES);
|
||||
if (sids != null) {
|
||||
for (final SID sid : sids) {
|
||||
final SID[] allowedSids = (SID[]) metaDataMap.get(SmbClient.SMB_ALLOWED_SID_ENTRIES);
|
||||
if (allowedSids != null) {
|
||||
for (final SID sid : allowedSids) {
|
||||
final String accountId = sambaHelper.getAccountId(sid);
|
||||
if (accountId != null) {
|
||||
roleTypeList.add(accountId);
|
||||
}
|
||||
}
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("smbUrl:" + responseData.getUrl() + " roleType:" + roleTypeList.toString());
|
||||
}
|
||||
}
|
||||
final SID[] deniedSids = (SID[]) metaDataMap.get(SmbClient.SMB_DENIED_SID_ENTRIES);
|
||||
if (deniedSids != null) {
|
||||
for (final SID sid : deniedSids) {
|
||||
final String accountId = sambaHelper.getAccountId(sid);
|
||||
if (accountId != null) {
|
||||
roleTypeList.add(fessConfig.getRoleSearchDeniedPrefix() + accountId);
|
||||
}
|
||||
}
|
||||
}
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("smbUrl:" + responseData.getUrl() + " roleType:" + roleTypeList.toString());
|
||||
}
|
||||
} else if (responseData.getUrl().startsWith("smb1:")) {
|
||||
final SambaHelper sambaHelper = ComponentUtil.getSambaHelper();
|
||||
final ACE[] aces =
|
||||
(ACE[]) responseData.getMetaDataMap().get(
|
||||
org.codelibs.fess.crawler.client.smb1.SmbClient.SMB_ACCESS_CONTROL_ENTRIES);
|
||||
if (aces != null) {
|
||||
for (final ACE item : aces) {
|
||||
final jcifs.smb1.smb1.SID sid = item.getSID();
|
||||
final jcifs.smb1.smb1.SID[] allowedSids =
|
||||
(jcifs.smb1.smb1.SID[]) metaDataMap.get(org.codelibs.fess.crawler.client.smb1.SmbClient.SMB_ALLOWED_SID_ENTRIES);
|
||||
if (allowedSids != null) {
|
||||
for (final jcifs.smb1.smb1.SID sid : allowedSids) {
|
||||
final String accountId = sambaHelper.getAccountId(sid);
|
||||
if (accountId != null) {
|
||||
roleTypeList.add(accountId);
|
||||
}
|
||||
}
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("smbUrl:" + responseData.getUrl() + " roleType:" + roleTypeList.toString());
|
||||
}
|
||||
final jcifs.smb1.smb1.SID[] deniedSids =
|
||||
(jcifs.smb1.smb1.SID[]) metaDataMap.get(org.codelibs.fess.crawler.client.smb1.SmbClient.SMB_DENIED_SID_ENTRIES);
|
||||
if (deniedSids != null) {
|
||||
for (final jcifs.smb1.smb1.SID sid : deniedSids) {
|
||||
final String accountId = sambaHelper.getAccountId(sid);
|
||||
if (accountId != null) {
|
||||
roleTypeList.add(fessConfig.getRoleSearchDeniedPrefix() + accountId);
|
||||
}
|
||||
}
|
||||
}
|
||||
if (logger.isDebugEnabled()) {
|
||||
logger.debug("smb1Url:" + responseData.getUrl() + " roleType:" + roleTypeList.toString());
|
||||
}
|
||||
}
|
||||
}
|
||||
return roleTypeList;
|
||||
|
@ -184,4 +235,12 @@ public class PermissionHelper {
|
|||
}
|
||||
return roleTypeList;
|
||||
}
|
||||
|
||||
public void setAllowPrefix(String allowPrefix) {
|
||||
this.allowPrefix = allowPrefix;
|
||||
}
|
||||
|
||||
public void setDenyPrefix(String denyPrefix) {
|
||||
this.denyPrefix = denyPrefix;
|
||||
}
|
||||
}
|
||||
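Review bot: The fall-through `return permission;` at L403 in the decode hunk discards `aclPrefix`, so a stored value made of the denied prefix plus a role that carries no user/group/role prefix (with the defaults, `Dguest`) decodes to `guest` rather than `(deny)guest`, while `D1guest` correctly becomes `(deny){user}guest`; if such values are reachable the line should read `return aclPrefix + permission;`, and the test at L1049 only covers the non-denied form, so the asymmetry goes unnoticed. Separately, `fessConfig.getRoleSearchDeniedPrefix()` is consumed at L214 and L337 without validation: an empty denied prefix would turn every decoded value into a denial (and make every `mustNot` clause in buildRoleQuery cancel its own `should`), and a user/group/role prefix that begins with the denied prefix is decoded as a denial because the `startsWith(deniedPrefix)` test runs first. Since these entries gate document visibility, a guard such as `if (StringUtil.isBlank(deniedPrefix)) { throw new IllegalStateException("role.search.denied.prefix must not be blank"); }` together with a comment stating that the denied prefix must not be a prefix of the user, group or role prefixes would make a misconfiguration fail loudly instead of changing who is excluded. The encode and decode methods both begin outside their hunks.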
@ -372,17 +372,21 @@ public class QueryHelper {
|
|||
if (queryContext.roleQueryEnabled()) {
|
||||
final Set<String> roleSet = ComponentUtil.getRoleQueryHelper().build(searchRequestType);
|
||||
if (!roleSet.isEmpty()) {
|
||||
queryContext.addQuery(boolQuery -> {
|
||||
final BoolQueryBuilder roleQuery = QueryBuilders.boolQuery();
|
||||
roleSet.stream().forEach(name -> {
|
||||
roleQuery.should(QueryBuilders.termQuery(ComponentUtil.getFessConfig().getIndexFieldRole(), name));
|
||||
});
|
||||
boolQuery.filter(roleQuery);
|
||||
});
|
||||
queryContext.addQuery(boolQuery -> buildRoleQuery(roleSet, boolQuery));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public void buildRoleQuery(final Set<String> roleSet, final BoolQueryBuilder boolQuery) {
|
||||
final BoolQueryBuilder roleQuery = QueryBuilders.boolQuery();
|
||||
final FessConfig fessConfig = ComponentUtil.getFessConfig();
|
||||
final String roleField = fessConfig.getIndexFieldRole();
|
||||
roleSet.stream().forEach(name -> roleQuery.should(QueryBuilders.termQuery(roleField, name)));
|
||||
final String deniedPrefix = fessConfig.getRoleSearchDeniedPrefix();
|
||||
roleSet.stream().forEach(name -> roleQuery.mustNot(QueryBuilders.termQuery(roleField, deniedPrefix + name)));
|
||||
boolQuery.filter(roleQuery);
|
||||
}
|
||||
|
||||
protected void buildBoostQuery(final QueryContext queryContext) {
|
||||
queryContext.addFunctionScore(list -> {
|
||||
list.add(new FilterFunctionBuilder(ScoreFunctionBuilders.fieldValueFactorFunction(ComponentUtil.getFessConfig()
|
||||
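Review bot: `buildRoleQuery` (L716-L740) places the `should` clauses and the new `mustNot` clauses in the same bool query and relies on Elasticsearch's default minimum_should_match, which is 1 only because `roleQuery` carries no `must`/`filter` clause; if anyone later adds such a clause the `should` clauses become optional and the role restriction silently disappears. Making the requirement explicit with `roleQuery.minimumShouldMatch(1);` before `boolQuery.filter(roleQuery);` pins the semantics the access control depends on. The two `forEach` passes over `roleSet` could also be one loop adding both clauses per name, and the method should carry a Javadoc stating the contract: a document is visible when it carries at least one of the caller's roles and none of the corresponding denied-prefixed roles.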
@ -857,6 +857,9 @@ public interface FessConfig extends FessEnv, org.codelibs.fess.mylasta.direction
|
|||
/** The key of the configuration. e.g. R */
|
||||
String ROLE_SEARCH_ROLE_PREFIX = "role.search.role.prefix";
|
||||
|
||||
/** The key of the configuration. e.g. D */
|
||||
String ROLE_SEARCH_DENIED_PREFIX = "role.search.denied.prefix";
|
||||
|
||||
/** The key of the configuration. e.g. / */
|
||||
String COOKIE_DEFAULT_PATH = "cookie.default.path";
|
||||
|
||||
|
@ -3983,6 +3986,13 @@ public interface FessConfig extends FessEnv, org.codelibs.fess.mylasta.direction
|
|||
*/
|
||||
String getRoleSearchRolePrefix();
|
||||
|
||||
/**
|
||||
* Get the value for the key 'role.search.denied.prefix'. <br>
|
||||
* The value is, e.g. D <br>
|
||||
* @return The value of found property. (NotNull: if not found, exception but basically no way)
|
||||
*/
|
||||
String getRoleSearchDeniedPrefix();
|
||||
|
||||
/**
|
||||
* Get the value for the key 'cookie.default.path'. <br>
|
||||
* The value is, e.g. / <br>
|
||||
|
@ -7220,6 +7230,10 @@ public interface FessConfig extends FessEnv, org.codelibs.fess.mylasta.direction
|
|||
return get(FessConfig.ROLE_SEARCH_ROLE_PREFIX);
|
||||
}
|
||||
|
||||
public String getRoleSearchDeniedPrefix() {
|
||||
return get(FessConfig.ROLE_SEARCH_DENIED_PREFIX);
|
||||
}
|
||||
|
||||
public String getCookieDefaultPath() {
|
||||
return get(FessConfig.COOKIE_DEFAULT_PATH);
|
||||
}
|
||||
|
@ -8508,6 +8522,7 @@ public interface FessConfig extends FessEnv, org.codelibs.fess.mylasta.direction
|
|||
defaultMap.put(FessConfig.ROLE_SEARCH_USER_PREFIX, "1");
|
||||
defaultMap.put(FessConfig.ROLE_SEARCH_GROUP_PREFIX, "2");
|
||||
defaultMap.put(FessConfig.ROLE_SEARCH_ROLE_PREFIX, "R");
|
||||
defaultMap.put(FessConfig.ROLE_SEARCH_DENIED_PREFIX, "D");
|
||||
defaultMap.put(FessConfig.COOKIE_DEFAULT_PATH, "/");
|
||||
defaultMap.put(FessConfig.COOKIE_DEFAULT_EXPIRE, "3600");
|
||||
defaultMap.put(FessConfig.COOKIE_ETERNAL_EXPIRE, "86400");
|
||||
@ -448,6 +448,7 @@ role.search.guest.permissions={role}guest
|
|||
role.search.user.prefix=1
|
||||
role.search.group.prefix=2
|
||||
role.search.role.prefix=R
|
||||
role.search.denied.prefix=D
|
||||
|
||||
# ----------------------------------------------------------
|
||||
# Cookie
|
||||
@ -37,6 +37,14 @@ public class PermissionHelperTest extends UnitFessTestCase {
|
|||
assertNull(permissionHelper.encode("{user}"));
|
||||
assertNull(permissionHelper.encode("{role}"));
|
||||
assertNull(permissionHelper.encode("{group}"));
|
||||
assertNull(permissionHelper.encode("(allow)"));
|
||||
assertNull(permissionHelper.encode("(allow){user}"));
|
||||
assertNull(permissionHelper.encode("(allow){group}"));
|
||||
assertNull(permissionHelper.encode("(allow){group}"));
|
||||
assertNull(permissionHelper.encode("(deny)"));
|
||||
assertNull(permissionHelper.encode("(deny){user}"));
|
||||
assertNull(permissionHelper.encode("(deny){group}"));
|
||||
assertNull(permissionHelper.encode("(deny){group}"));
|
||||
|
||||
assertEquals("1guest", permissionHelper.encode("{user}guest"));
|
||||
assertEquals("Rguest", permissionHelper.encode("{role}guest"));
|
||||
|
@ -44,6 +52,18 @@ public class PermissionHelperTest extends UnitFessTestCase {
|
|||
assertEquals("1guest", permissionHelper.encode("{USER}guest"));
|
||||
assertEquals("Rguest", permissionHelper.encode("{ROLE}guest"));
|
||||
assertEquals("2guest", permissionHelper.encode("{GROUP}guest"));
|
||||
assertEquals("1guest", permissionHelper.encode("(allow){user}guest"));
|
||||
assertEquals("Rguest", permissionHelper.encode("(allow){role}guest"));
|
||||
assertEquals("2guest", permissionHelper.encode("(allow){group}guest"));
|
||||
assertEquals("1guest", permissionHelper.encode("(allow){USER}guest"));
|
||||
assertEquals("Rguest", permissionHelper.encode("(allow){ROLE}guest"));
|
||||
assertEquals("2guest", permissionHelper.encode("(allow){GROUP}guest"));
|
||||
assertEquals("D1guest", permissionHelper.encode("(deny){user}guest"));
|
||||
assertEquals("DRguest", permissionHelper.encode("(deny){role}guest"));
|
||||
assertEquals("D2guest", permissionHelper.encode("(deny){group}guest"));
|
||||
assertEquals("D1guest", permissionHelper.encode("(deny){USER}guest"));
|
||||
assertEquals("DRguest", permissionHelper.encode("(deny){ROLE}guest"));
|
||||
assertEquals("D2guest", permissionHelper.encode("(deny){GROUP}guest"));
|
||||
|
||||
assertEquals("guest", permissionHelper.encode("guest"));
|
||||
|
||||
|
@ -83,10 +103,14 @@ public class PermissionHelperTest extends UnitFessTestCase {
|
|||
assertNull(permissionHelper.decode(null));
|
||||
assertNull(permissionHelper.decode(""));
|
||||
assertNull(permissionHelper.decode(" "));
|
||||
assertNull(permissionHelper.decode("D"));
|
||||
|
||||
assertEquals("{user}guest", permissionHelper.decode("1guest"));
|
||||
assertEquals("{role}guest", permissionHelper.decode("Rguest"));
|
||||
assertEquals("{group}guest", permissionHelper.decode("2guest"));
|
||||
assertEquals("(deny){user}guest", permissionHelper.decode("D1guest"));
|
||||
assertEquals("(deny){role}guest", permissionHelper.decode("DRguest"));
|
||||
assertEquals("(deny){group}guest", permissionHelper.decode("D2guest"));
|
||||
|
||||
assertEquals("guest", permissionHelper.decode("guest"));
|
||||
|
||||
|
@ -108,6 +132,11 @@ public class PermissionHelperTest extends UnitFessTestCase {
|
|||
public String getRoleSearchRolePrefix() {
|
||||
return "";
|
||||
}
|
||||
|
||||
@Override
|
||||
public String getRoleSearchDeniedPrefix() {
|
||||
return "D";
|
||||
}
|
||||
});
|
||||
try {
|
||||
assertEquals("{role}guest", permissionHelper.decode("guest"));
|
||||
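Review bot: The new null-case assertions at L935-L944 check `(deny){group}` twice (L941 and L944) and never `(deny){role}`, reproducing the same duplication as the older `(allow)` pair at L929/L932; one of each pair should read `assertNull(permissionHelper.encode("(deny){role}"));` and `assertNull(permissionHelper.encode("(allow){role}"));`. The decode hunk (L1024-L1049) also lacks a case for a denied value without a user/group/role prefix, e.g. what `permissionHelper.decode("Dguest")` should return, which is exactly the path the new `return permission` fall-through in decode leaves underspecified. The test methods start and end outside their hunks.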