This is an automated email from the ASF dual-hosted git repository.
ffang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/karaf.git
The following commit(s) were added to refs/heads/master by this push:
new 8217be3 [KARAF-5541]ensure check the compulsory.roles even there's no
ACL for a specific command scope
8217be3 is described below
commit 8217be365f317d8ecb8ec429b67ed0c669223d1c
Author: Freeman Fang <[email protected]>
AuthorDate: Wed Dec 13 10:40:51 2017 +0800
[KARAF-5541]ensure check the compulsory.roles even there's no ACL for a
specific command scope
---
.../service/guard/tools/ACLConfigurationParser.java | 6 ++++++
.../console/osgi/secured/SecuredSessionFactoryImpl.java | 16 +++++++++++++++-
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git
a/service/guard/src/main/java/org/apache/karaf/service/guard/tools/ACLConfigurationParser.java
b/service/guard/src/main/java/org/apache/karaf/service/guard/tools/ACLConfigurationParser.java
index bca31a2..dbc2ee1 100644
---
a/service/guard/src/main/java/org/apache/karaf/service/guard/tools/ACLConfigurationParser.java
+++
b/service/guard/src/main/java/org/apache/karaf/service/guard/tools/ACLConfigurationParser.java
@@ -109,6 +109,12 @@ public class ACLConfigurationParser {
}
}
+
+ public static void getCompulsoryRoles(List<String> roles) {
+ if (compulsoryRoles != null) {
+ roles.addAll(ACLConfigurationParser.parseRoles(compulsoryRoles));
+ }
+ }
private static Specificity getRolesBasedOnSignature(String methodName,
Object[] params, String[] signature,
Dictionary<String,
Object> properties, List<String> roles) {
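Review bot: `getCompulsoryRoles` is a `void` method that appends to the caller's list, which the `get` prefix does not suggest, and it is added without Javadoc. Because the caller in SecuredSessionFactoryImpl treats an empty list as "allow", the contract should be written down, for example `/** Appends the configured compulsory roles to {@code roles}; adds nothing when none are configured. */`. The class-qualified call is redundant inside the class and can read `roles.addAll(parseRoles(compulsoryRoles));`. The `compulsoryRoles` field is declared outside this hunk, so how and when it is assigned cannot be checked from here.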
diff --git
a/shell/core/src/main/java/org/apache/karaf/shell/impl/console/osgi/secured/SecuredSessionFactoryImpl.java
b/shell/core/src/main/java/org/apache/karaf/shell/impl/console/osgi/secured/SecuredSessionFactoryImpl.java
index 0d9812c..b47594e 100644
---
a/shell/core/src/main/java/org/apache/karaf/shell/impl/console/osgi/secured/SecuredSessionFactoryImpl.java
+++
b/shell/core/src/main/java/org/apache/karaf/shell/impl/console/osgi/secured/SecuredSessionFactoryImpl.java
@@ -204,8 +204,8 @@ public class SecuredSessionFactoryImpl extends
SessionFactoryImpl implements Con
void checkSecurity(String scope, String name, List<Object> arguments) {
Dictionary<String, Object> config = getScopeConfig(scope);
+ boolean passCheck = false;
if (config != null) {
- boolean passCheck = false;
if (!isVisible(scope, name)) {
throw new CommandNotFoundException(scope + ":" + name);
}
@@ -222,6 +222,20 @@ public class SecuredSessionFactoryImpl extends
SessionFactoryImpl implements Con
if (!passCheck) {
throw new SecurityException("Insufficient credentials.");
}
+ } else {
+ List<String> roles = new ArrayList<>();
+ ACLConfigurationParser.getCompulsoryRoles(roles);
+ if (roles.size() == 0) {
+ passCheck = true;
+ }
+ for (String role : roles) {
+ if (currentUserHasRole(role)) {
+ passCheck = true;
+ }
+ }
+ if (!passCheck) {
+ throw new SecurityException("Insufficient credentials.");
+ }
}
AliasCommand aliasCommand = findAlias(scope, name);
if (aliasCommand != null) {
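Review bot: In the new `else` branch an empty role list sets `passCheck = true`, so a scope without an ACL stays unrestricted whenever `getCompulsoryRoles` adds nothing. If `parseRoles` can return an empty list for a blank or malformed value (not visible here), that includes the case where compulsory roles were meant to be configured, so its handling of such values is worth confirming. A comment such as `// no compulsory.roles configured: scopes without an ACL are unrestricted by design` would make the fail-open default explicit, and `roles.isEmpty()` reads better than `roles.size() == 0`. The role loop can stop at the first match with `if (currentUserHasRole(role)) { passCheck = true; break; }`. The denial path repeats the `throw new SecurityException("Insufficient credentials.")` already in the `if` branch, so a single `if (!passCheck)` after the `if`/`else` would keep the two paths from drifting; `checkSecurity` starts in the previous hunk and continues past this one.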