This is an automated email from the ASF dual-hosted git repository. ahuber pushed a commit to branch spring6 in repository https://gitbox.apache.org/repos/asf/causeway.git
commit 9404a484231eb43cc51173c08253bc918932176e Merge: 36f6cfd2f9 25c3274d51 Author: andi-huber <[email protected]> AuthorDate: Fri Feb 10 11:45:06 2023 +0100 Merge remote-tracking branch 'origin/master' into spring6 .../core/config/CausewayConfiguration.java | 12 +++ .../specloader/SpecificationLoaderDefault.java | 20 +++- core/security/src/main/java/module-info.java | 1 + .../manager/ActionSemanticsResolver.java | 37 +++++++ .../manager/AuthorizationManager.java | 21 ++++ ...InteractionTest_notUsingAllowSafeSemantics.java | 105 ++++++++++++++++++++ ...ionInteractionTest_usingAllowSafeSemantics.java | 107 +++++++++++++++++++++ .../model/interaction/InteractionDemo.java | 13 +++ 8 files changed, 315 insertions(+), 1 deletion(-) diff --cc regressiontests/stable-interact/src/test/java/org/apache/causeway/testdomain/interact/ActionInteractionTest_notUsingAllowSafeSemantics.java index 0000000000,38cf65af1f..252c32d32a mode 000000,100644..100644 --- a/regressiontests/stable-interact/src/test/java/org/apache/causeway/testdomain/interact/ActionInteractionTest_notUsingAllowSafeSemantics.java +++ b/regressiontests/stable-interact/src/test/java/org/apache/causeway/testdomain/interact/ActionInteractionTest_notUsingAllowSafeSemantics.java @@@ -1,0 -1,105 +1,105 @@@ + /* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. 
See the License for the + * specific language governing permissions and limitations + * under the License. + */ + package org.apache.causeway.testdomain.interact; + -import javax.inject.Named; ++import jakarta.inject.Named; + + import org.junit.jupiter.api.Test; + import org.springframework.beans.factory.annotation.Qualifier; + import org.springframework.boot.test.context.SpringBootTest; + import org.springframework.stereotype.Service; + import org.springframework.test.context.TestPropertySource; + + import static org.junit.jupiter.api.Assertions.assertEquals; + import static org.junit.jupiter.api.Assertions.assertFalse; + + import org.apache.causeway.applib.Identifier; + import org.apache.causeway.applib.annotation.PriorityPrecedence; + import org.apache.causeway.applib.annotation.Where; + import org.apache.causeway.applib.services.iactnlayer.InteractionContext; + import org.apache.causeway.core.config.presets.CausewayPresets; + import org.apache.causeway.core.security.authorization.Authorizor; + import org.apache.causeway.testdomain.conf.Configuration_headless; + import org.apache.causeway.testdomain.model.interaction.Configuration_usingInteractionDomain; + import org.apache.causeway.testdomain.model.interaction.InteractionDemo; + import org.apache.causeway.testdomain.util.interaction.InteractionTestAbstract; + + import lombok.val; + + @SpringBootTest( + classes = { + Configuration_headless.class, + Configuration_usingInteractionDomain.class, + ActionInteractionTest_notUsingAllowSafeSemantics.AuthorizorDenyUse.class + }, + properties = { + "causeway.security.actionsWithSafeSemanticsRequireOnlyViewingPermission=FALSE", + "causeway.core.meta-model.introspector.mode=FULL", + }) + @TestPropertySource({ + //CausewayPresets.DebugMetaModel, + //CausewayPresets.DebugProgrammingModel, + CausewayPresets.SilenceMetaModel, + CausewayPresets.SilenceProgrammingModel + }) + class ActionInteractionTest_notUsingAllowSafeSemantics extends InteractionTestAbstract { + + @Service + 
@Named("regressiontests.AuthorizorDenyUse") - @javax.annotation.Priority(PriorityPrecedence.EARLY) ++ @jakarta.annotation.Priority(PriorityPrecedence.EARLY) + @Qualifier("Testing") + public static class AuthorizorDenyUse implements Authorizor { + + @Override + public boolean isVisible(final InteractionContext authentication, final Identifier identifier) { + return true; // grant view of any action (for testing) + } + + @Override + public boolean isUsable(final InteractionContext authentication, final Identifier identifier) { + return false; // deny use of any action (for testing) + } + + } + + @Test + void assert_prereq() { + val config = super.objectManager.getConfiguration(); + assertFalse(config.getSecurity().isActionsWithSafeSemanticsRequireOnlyViewingPermission()); + } + + @Test + void whenSafeAction_shouldDenyUse() { + val actionInteraction = startActionInteractionOn(InteractionDemo.class, "actSafely", Where.OBJECT_FORMS) + .checkVisibility() + .checkUsability(); + val veto = actionInteraction.getInteractionVeto().orElseThrow(); // should not throw + assertEquals("Not authorized to edit", veto.getReason()); + } + + @Test + void whenNonSafeAction_shouldDenyUse() { + val actionInteraction = startActionInteractionOn(InteractionDemo.class, "actUnsafely", Where.OBJECT_FORMS) + .checkVisibility() + .checkUsability(); + val veto = actionInteraction.getInteractionVeto().orElseThrow(); // should not throw + assertEquals("Not authorized to edit", veto.getReason()); + } + + } diff --cc regressiontests/stable-interact/src/test/java/org/apache/causeway/testdomain/interact/ActionInteractionTest_usingAllowSafeSemantics.java index 0000000000,139af68ba5..2945aebb33 mode 000000,100644..100644 --- a/regressiontests/stable-interact/src/test/java/org/apache/causeway/testdomain/interact/ActionInteractionTest_usingAllowSafeSemantics.java +++ b/regressiontests/stable-interact/src/test/java/org/apache/causeway/testdomain/interact/ActionInteractionTest_usingAllowSafeSemantics.java @@@ 
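Review bot: The nested `AuthorizorDenyUse` is declared as a `@Service` with bean name `regressiontests.AuthorizorDenyUse` and `PriorityPrecedence.EARLY`, and an identical class with the same name is added again in `ActionInteractionTest_usingAllowSafeSemantics`. Each test already lists its own copy in `@SpringBootTest(classes = ...)`, so the stereotype is presumably not what registers it. If another test context component-scans this package, a deny-all-use authorizor could be picked up there, or the two beans could collide on the name; the scan configuration is not visible in this diff, so that needs confirming. I would move the class into one shared test fixture, or at least give each copy its own name, e.g. `@Named("regressiontests.AuthorizorDenyUse.notUsingAllowSafeSemantics")`. A class comment would also help, such as `// test-only Authorizor: grants visibility, vetoes usability; must not be scanned into other contexts`.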
-1,0 -1,107 +1,107 @@@ + /* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + package org.apache.causeway.testdomain.interact; + -import javax.inject.Named; ++import jakarta.inject.Named; + + import org.junit.jupiter.api.Test; + import org.springframework.beans.factory.annotation.Qualifier; + import org.springframework.boot.test.context.SpringBootTest; + import org.springframework.stereotype.Service; + import org.springframework.test.context.TestPropertySource; + + import static org.junit.jupiter.api.Assertions.assertEquals; + import static org.junit.jupiter.api.Assertions.assertTrue; + + import org.apache.causeway.applib.Identifier; + import org.apache.causeway.applib.annotation.PriorityPrecedence; + import org.apache.causeway.applib.annotation.SemanticsOf; + import org.apache.causeway.applib.annotation.Where; + import org.apache.causeway.applib.services.iactnlayer.InteractionContext; + import org.apache.causeway.core.config.presets.CausewayPresets; + import org.apache.causeway.core.security.authorization.Authorizor; + import org.apache.causeway.testdomain.conf.Configuration_headless; + import org.apache.causeway.testdomain.model.interaction.Configuration_usingInteractionDomain; + import 
org.apache.causeway.testdomain.model.interaction.InteractionDemo; + import org.apache.causeway.testdomain.util.interaction.InteractionTestAbstract; + + import lombok.val; + + @SpringBootTest( + classes = { + Configuration_headless.class, + Configuration_usingInteractionDomain.class, + ActionInteractionTest_usingAllowSafeSemantics.AuthorizorDenyUse.class + }, + properties = { + "causeway.security.actionsWithSafeSemanticsRequireOnlyViewingPermission=TRUE", + "causeway.core.meta-model.introspector.mode=FULL", + }) + @TestPropertySource({ + //CausewayPresets.DebugMetaModel, + //CausewayPresets.DebugProgrammingModel, + CausewayPresets.SilenceMetaModel, + CausewayPresets.SilenceProgrammingModel + }) + class ActionInteractionTest_usingAllowSafeSemantics extends InteractionTestAbstract { + + @Service + @Named("regressiontests.AuthorizorDenyUse") - @javax.annotation.Priority(PriorityPrecedence.EARLY) ++ @jakarta.annotation.Priority(PriorityPrecedence.EARLY) + @Qualifier("Testing") + public static class AuthorizorDenyUse implements Authorizor { + + @Override + public boolean isVisible(final InteractionContext authentication, final Identifier identifier) { + return true; // grant view of any action (for testing) + } + + @Override + public boolean isUsable(final InteractionContext authentication, final Identifier identifier) { + return false; // deny use of any action (for testing) + } + + } + + @Test + void assert_prereq() { + val config = super.objectManager.getConfiguration(); + assertTrue(config.getSecurity().isActionsWithSafeSemanticsRequireOnlyViewingPermission()); + } + + @Test + void whenSafeAction_shouldAllowUse() { + val actionInteraction = startActionInteractionOn(InteractionDemo.class, "actSafely", Where.OBJECT_FORMS) + .checkVisibility() + .checkUsability(); + val managedAction = actionInteraction.getManagedAction().get(); // should not throw + val actionMeta = managedAction.getAction(); + assertEquals(SemanticsOf.SAFE, actionMeta.getSemantics()); + } + + @Test + 
void whenNonSafeAction_shouldDenyUse() { + val actionInteraction = startActionInteractionOn(InteractionDemo.class, "actUnsafely", Where.OBJECT_FORMS) + .checkVisibility() + .checkUsability(); + val veto = actionInteraction.getInteractionVeto().orElseThrow(); // should not throw + assertEquals("Not authorized to edit", veto.getReason()); + } + + }
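Review bot: `whenSafeAction_shouldAllowUse` never asserts that usability was granted; it relies on `getManagedAction().get()` not throwing and then checks only the fixture's own `SemanticsOf.SAFE`. This is the test that pins the relaxed authorization path, where view permission alone is enough for SAFE actions when `actionsWithSafeSemanticsRequireOnlyViewingPermission=TRUE`. State the expectation directly with `assertTrue(actionInteraction.getInteractionVeto().isEmpty());` before reading the managed action (assuming `getInteractionVeto()` returns a `java.util.Optional`, as the `orElseThrow()` calls suggest). A short comment on the test should also note that the setting trusts each action's declared semantics, so an action marked SAFE that in fact changes state becomes invocable with view permission only.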
