From 05041cb1ea17b4bad14f92abbea74a1072c3adb5 Mon Sep 17 00:00:00 2001
From: Mohamed Mohideen Abdul Rasheed
Date: Tue, 1 Sep 2015 11:09:13 -0400
Subject: [PATCH] Add FedoraWebACUserSecurityContext - Move FedoraUserSecurityContext instantiation to fad Partial resolution of: https://jira.duraspace.org/browse/FCREPO-1714
---
pom.xml | 7 ++
.../webac/FedoraWebACUserSecurityContext.java | 75 +++++++++++++++++++
.../webac/WebACAuthorizationDelegate.java | 7 ++
.../FedoraWebACUserSecurityContextTest.java | 59 +++++++++++++++
4 files changed, 148 insertions(+)
create mode 100644 src/main/java/org/fcrepo/auth/webac/FedoraWebACUserSecurityContext.java
create mode 100644 src/test/java/org/fcrepo/auth/webac/FedoraWebACUserSecurityContextTest.java
diff --git a/pom.xml b/pom.xml
index 40a4708..03228d4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -112,6 +112,13 @@ test-jar + + org.fcrepo + fcrepo-auth-common + 4.3.1-SNAPSHOT + test + test-jar + org.fcrepo fcrepo-auth-roles-common
diff --git a/src/main/java/org/fcrepo/auth/webac/FedoraWebACUserSecurityContext.java b/src/main/java/org/fcrepo/auth/webac/FedoraWebACUserSecurityContext.java
new file mode 100644
index 0000000..5b2420b
--- /dev/null
+++ b/src/main/java/org/fcrepo/auth/webac/FedoraWebACUserSecurityContext.java
@@ -0,0 +1,75 @@
+/**
+ * Copyright 2015 DuraSpace, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.fcrepo.auth.webac;
+
+import static org.fcrepo.auth.webac.URIConstants.WEBAC_MODE_APPEND_VALUE;
+import static org.fcrepo.auth.webac.URIConstants.WEBAC_MODE_CONTROL_VALUE;
+import static org.fcrepo.auth.webac.URIConstants.WEBAC_MODE_READ_VALUE;
+import static org.fcrepo.auth.webac.URIConstants.WEBAC_MODE_WRITE_VALUE;
+
+import java.security.Principal;
+
+import org.fcrepo.auth.common.FedoraAuthorizationDelegate;
+import org.fcrepo.auth.common.FedoraUserSecurityContext;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * The security context for Fedora WebAC servlet users. These users are not
+ * necessarily authenticated by the container, i.e. users may include the
+ * general public. This security context delegates all access decisions to the
+ * configured authorization delegate.
+ *
+ * @author mohideen
+ */
+public class FedoraWebACUserSecurityContext extends FedoraUserSecurityContext {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(FedoraWebACUserSecurityContext.class);
+
+ /**
+ * Constructs a new security context.
+ *
+ * @param userPrincipal the user principal associated with this security context
+ * @param fad the authorization delegate
+ */
+ protected FedoraWebACUserSecurityContext(final Principal userPrincipal,
+ final FedoraAuthorizationDelegate fad) {
+ super(userPrincipal, fad);
+ }
+
+ /**
+ * {@inheritDoc}
+ *
+ * @see org.modeshape.jcr.security.SecurityContext#hasRole(String)
+ */
+ @Override
+ public final boolean hasRole(final String roleName) {
+ LOGGER.debug("Checking hasRole({})", roleName);
+
+ if (WEBAC_MODE_READ_VALUE.equals(roleName)) {
+ return true;
+ } else if (WEBAC_MODE_WRITE_VALUE.equals(roleName)) {
+ return true;
+ } else if (WEBAC_MODE_APPEND_VALUE.equals(roleName)) {
+ return true;
+ } else if (WEBAC_MODE_CONTROL_VALUE.equals(roleName)) {
+ return true;
+ }
+ return false;
+ }
+
+}
diff --git a/src/main/java/org/fcrepo/auth/webac/WebACAuthorizationDelegate.java b/src/main/java/org/fcrepo/auth/webac/WebACAuthorizationDelegate.java
index b0a1f89..d15ffce 100644
--- a/src/main/java/org/fcrepo/auth/webac/WebACAuthorizationDelegate.java
+++ b/src/main/java/org/fcrepo/auth/webac/WebACAuthorizationDelegate.java
@@ -22,7 +22,9 @@ import javax.jcr.Session; +import org.fcrepo.auth.common.FedoraUserSecurityContext; import org.fcrepo.auth.roles.common.AbstractRolesAuthorizationDelegate; + import org.slf4j.Logger; import org.slf4j.LoggerFactory;
@@ -76,4 +78,9 @@ public Principal getEveryonePrincipal() { return EVERYONE; } + @Override + public FedoraUserSecurityContext getFedoraUserSecurityContext(final Principal userPrincipal) { + return new FedoraWebACUserSecurityContext(userPrincipal, this); + } + }
diff --git a/src/test/java/org/fcrepo/auth/webac/FedoraWebACUserSecurityContextTest.java b/src/test/java/org/fcrepo/auth/webac/FedoraWebACUserSecurityContextTest.java
new file mode 100644
index 0000000..16cf7f2
--- /dev/null
+++ b/src/test/java/org/fcrepo/auth/webac/FedoraWebACUserSecurityContextTest.java
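Review bot: `hasRole` in FedoraWebACUserSecurityContext returns true for all four WebAC modes (read, write, append, control) without consulting the principal or `fad`, while the class Javadoc says these users may include the general public. If the caller treats a granted role as sufficient on its own, every request would hold write and control. The design presumably relies on the permission check inherited from FedoraUserSecurityContext calling the delegate, but that code is not part of this patch. Once that is confirmed, the method Javadoc should say so, for example `Always grants the WebAC mode roles; this is only a coarse gate, per-resource decisions are made by the authorization delegate`. The four branches can also collapse into a single `return` over the four `equals` checks.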
@@ -0,0 +1,59 @@
+/**
+ * Copyright 2015 DuraSpace, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.fcrepo.auth.webac;
+
+import static org.fcrepo.auth.webac.URIConstants.WEBAC_MODE_READ_VALUE;
+import static org.fcrepo.auth.webac.URIConstants.WEBAC_MODE_WRITE_VALUE;
+import static org.fcrepo.auth.webac.URIConstants.WEBAC_MODE_APPEND_VALUE;
+import static org.fcrepo.auth.webac.URIConstants.WEBAC_MODE_CONTROL_VALUE;
+
+import java.security.Principal;
+
+import javax.servlet.http.HttpServletRequest;
+
+import org.fcrepo.auth.common.FedoraAuthorizationDelegate;
+import org.fcrepo.auth.common.FedoraUserSecurityContext;
+import org.fcrepo.auth.common.FedoraUserSecurityContextTest;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.mockito.Mock;
+
+/**
+ * @author mohideen
+ * @since 9/1/15.
+ */
+public class FedoraWebACUserSecurityContextTest extends FedoraUserSecurityContextTest {
+
+ @Mock
+ private FedoraAuthorizationDelegate fad;
+ @Mock
+ private Principal principal;
+ @Mock
+ private HttpServletRequest request;
+
+ @Test
+ public void testHasRole() {
+ final FedoraUserSecurityContext context = new FedoraWebACUserSecurityContext(this.principal, this.fad);
+ Assert.assertTrue(context.hasRole(WEBAC_MODE_READ_VALUE));
+ Assert.assertTrue(context.hasRole(WEBAC_MODE_WRITE_VALUE));
+ Assert.assertTrue(context.hasRole(WEBAC_MODE_APPEND_VALUE));
+ Assert.assertTrue(context.hasRole(WEBAC_MODE_CONTROL_VALUE));
+ Assert.assertFalse(context.hasRole(null));
+ Assert.assertFalse(context.hasRole("other"));
+ }
+
+}
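Review bot: `testHasRole` pins the unconditional grant of all four modes for a mock principal and a mock delegate, but nothing in this test class checks that access is refused when `fad` denies it. Because the new context is only safe if the delegate is actually consulted, a negative test through the inherited permission check belongs here, unless the parent FedoraUserSecurityContextTest (not visible in this patch) already exercises it for this subclass. The `request` mock is declared but never used in the visible code and can be dropped. The `@Mock` fields also need a Mockito runner or an `initMocks` call, which is presumably inherited from the parent test.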