Skip to content

Commit

Permalink
fix privilege checker when toCheck is empty
Browse files Browse the repository at this point in the history
  • Loading branch information
joshua-roberts committed Oct 8, 2024
1 parent eea7697 commit 91ed8f3
Show file tree
Hide file tree
Showing 3 changed files with 43 additions and 2 deletions.
3 changes: 2 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,7 @@ import gov.nist.csd.pm.pap.graph.relationship.AccessRightSet;
import gov.nist.csd.pm.pap.prohibition.ContainerCondition;
import gov.nist.csd.pm.pap.prohibition.ProhibitionSubject;
import gov.nist.csd.pm.pap.query.model.context.UserContext;
import gov.nist.csd.pm.pap.query.model.context.TargetContext;
import gov.nist.csd.pm.pdp.PDP;

import java.util.List;
Expand Down Expand Up @@ -156,7 +157,7 @@ public class Main {
pap.executePML(new UserContext("u1")), pml);
*/

AccessRightSet privileges = pap.query().access().computePrivileges(new UserContext("u1"), "o1");
AccessRightSet privileges = pap.query().access().computePrivileges(new UserContext("u1"), new TargetContext("o1"));
System.out.println(privileges);
// expected output: {associate, read, create_object_attribute, associate_to}

Expand Down
2 changes: 1 addition & 1 deletion src/main/java/gov/nist/csd/pm/pap/op/PrivilegeChecker.java
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ public void check(UserContext userCtx, String target, Collection<String> toCheck
TargetContext targetContext = new TargetContext(target);

AccessRightSet computed = pap.query().access().computePrivileges(userCtx, targetContext);
if (!computed.containsAll(toCheck)) {
if (!computed.containsAll(toCheck) || (toCheck.isEmpty() && computed.isEmpty())) {
if (explain) {
throw new UnauthorizedException(pap.query().access().explain(userCtx, targetContext), userCtx, target, toCheck);
} else {
Expand Down
40 changes: 40 additions & 0 deletions src/test/java/gov/nist/csd/pm/pap/op/PrivilegeCheckerTest.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
package gov.nist.csd.pm.pap.op;

import gov.nist.csd.pm.impl.memory.pap.MemoryPAP;
import gov.nist.csd.pm.pap.exception.PMException;
import gov.nist.csd.pm.pap.query.model.context.UserContext;
import gov.nist.csd.pm.pap.serialization.pml.PMLDeserializer;
import org.junit.jupiter.api.Test;

import java.util.List;

import static org.junit.jupiter.api.Assertions.*;

class PrivilegeCheckerTest {

@Test
void testEmptyToCheck() throws PMException {
String pml = """
set resource operations ["read"]
create pc "pc1"
create ua "ua1" in ["pc1"]
create ua "ua2" in ["pc1"]
create oa "oa1" in ["pc1"]
associate "ua1" and "oa1" with ["read"]
create u "u1" in ["ua1"]
create u "u2" in ["ua2"]
create o "o1" in ["oa1"]
""";

MemoryPAP pap = new MemoryPAP();
pap.deserialize(new UserContext("u1"), pml, new PMLDeserializer());

PrivilegeChecker checker = new PrivilegeChecker(pap);
assertDoesNotThrow(() -> checker.check(new UserContext("u1"), "o1", List.of()));
assertThrows(PMException.class, () -> checker.check(new UserContext("u2"), "o1", List.of()));
}

}

0 comments on commit 91ed8f3

Please sign in to comment.